

Securing teleworker wireless LANs


by Lisa Phifer, VP, Core Competence
04.08.2003

For years, companies have wrestled with security risks introduced by teleworkers. According to ITAC, one in five U.S. employees spent some time working from home in 2001. Growth is being accelerated by residential broadband services -- In-Stat/MDR estimates that 14% of U.S. homes now have cable modem or DSL. High-speed, always-on connections make working from home more palatable, but they also increase risk by adding new territory that must be defended from abuse and attack.

Today, residential wireless LANs are tossing fresh fuel on this smoldering fire. According to In-Stat/MDR, six million Wi-Fi home nodes were sold in 2002, projected to reach 33 million by 2006. Wireless LANs make Internet connection, printer and file sharing among PCs in the home much easier. But when one of those nodes is a teleworker desktop or laptop, securing the WLAN becomes a corporate concern.

Expanding the security gap

Teleworker PCs connected to the Internet were always at risk, but broadband exacerbated this by expanding the window of opportunity. Teleworkers connected to home WLANs open that window even wider. Some new risks resulting from lax home WLAN security include the following.
  1. War drivers can use unprotected home WLANs to freeload on company-paid broadband connections. Freeloaders can tap spare capacity -- or use your link to send spam, porn or even to attack someone else, leaving you holding the liability bag.

  2. By eavesdropping on wireless traffic, attackers can gather server identities, user credentials and confidential payload -- for example, recording email messages, hashed logins for offline dictionary analysis or valid frames to be used in replay attacks.

  3. Personal traffic on home WLANs can inadvertently expose company resources. For example, a teleworker who shares a printer on the WLAN becomes vulnerable to NetBIOS probes and attacks by anyone within a few hundred feet of the household access point.

  4. Teleworkers equipped with perimeter defense measures like SOHO firewalls or desktop firewall software can open wireless back-doors without realizing it. For example, an AP dropped inside a home WLAN, behind a firewall/VPN appliance, could ride a tunnel from the appliance into the company network.

Filling that gap

What can companies do to avoid these pitfalls and encourage safer use of teleworker wireless LANs?
  1. Educate teleworkers about the inherent risks associated with wireless. Awareness is growing, but many otherwise-savvy users are still in the dark.

  2. Define an acceptable use policy that explains permissible use of company resources on residential WLANs, acceptable configurations and recommended or required security measures.

  3. Actively promote safer home WLANs. For example:
    1. Recommend a list of approved wireless routers and supply secure network topology diagrams and set-up instructions for them, or
    2. Let teleworkers requisition a pre-configured wireless router from your IT department (i.e., extend your process for supplying secure PCs to teleworkers), or
    3. Outfit teleworkers with appliances that you can manage remotely – for example, the Colubris CN100 is a firewall/VPN client/AP for teleworkers.

  4. Choose the right hardware for the job. Terminology can be confusing, and many teleworkers don't understand the difference between a wireless AP and a router, or between a router with an integrated VPN gateway and one with VPN pass-through.

  5. Enable basic 802.11 security. MAC access control lists, shared key authentication, and WEP aren't perfect, but they are still useful as a first line of defense. In a small, self-contained WLAN, shared keys and ACLs are manageable. Supply guidance on how to pick good SSID and key values, when to update keys, etc.

  6. Harden wireless devices. Teach teleworkers to change or disable unused listening ports and configure hard-to-guess passwords. Connect only with known APs, disabling Windows XP's ability to connect to any non-preferred network.

  7. Extend existing desktop security measures. For example, reconfigure VPN client policies to also apply to wireless adapters, and identify wireless router VPN pass-throughs that are compatible with your VPN client.

  8. If you don't use VPN on the WLAN, consider other options to increase protection for sensitive traffic. For example, use SSL webmail instead of POP or encrypted screen sharing instead of cleartext remote desktop access.

  9. Rethink home network trust. Sharing printers and files may be acceptable on a residential Ethernet that's protected from the Internet by a firewall/router. Doing so over wireless probably is not. Help teleworkers to identify new sources of risk.

  10. If you haven't already, get started now. Home WLAN adoption is now growing faster than enterprise WLAN use. If your workers carry laptops or have PCs at home, odds are excellent that you already have at least a few teleworkers using wireless.
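
One way to turn the SSID and key guidance in item 5 into something teleworkers can run, as an added example that is not part of the original tip: it draws a 104-bit WEP key from the operating system's random source rather than a typed word, and flags default or identifying SSIDs. The default-SSID list, the `identifying_terms` parameter and the weakness heuristics are assumptions chosen for illustration.

```python
import secrets
import string

# Assumption: a short illustrative list of factory-default SSIDs, not exhaustive.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "tsunami"}


def check_key(key):
    """Return problems found in a hex WEP key; an empty list means none found."""
    k = key.replace(":", "").replace("-", "").lower()
    if len(k) not in (10, 26) or any(c not in string.hexdigits for c in k):
        return ["not a 10- or 26-digit hex key"]
    problems = []
    if len(k) == 10:
        problems.append("40-bit key; prefer 104-bit where all devices support it")
    raw = bytes.fromhex(k)
    if len(set(raw)) <= 2:
        problems.append("repeated bytes")
    if all(32 <= b < 127 for b in raw):
        problems.append("printable text; probably a typed word")
    steps = {(b - a) % 256 for a, b in zip(raw, raw[1:])}
    if len(steps) == 1 and steps != {0}:
        problems.append("constant-step sequence")
    return problems


def generate_wep_key():
    """Return a 104-bit key (26 hex digits) from the OS CSPRNG."""
    while True:
        key = secrets.token_hex(13).upper()
        if not check_key(key):  # re-draw in the negligible case a check trips
            return key


def check_ssid(ssid, identifying_terms=()):
    """Return problems with an SSID; identifying_terms are caller-supplied names."""
    problems = []
    s = ssid.strip().lower()
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        problems.append("SSID must be 1 to 32 bytes")
    if s in DEFAULT_SSIDS:
        problems.append("factory-default SSID")
    if any(t.lower() in s for t in identifying_terms):
        problems.append("SSID identifies the household or employer")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    print(check_ssid("linksys"), check_ssid("Acme-Home", ["acme"]))
    print(check_key("48656c6c6f"), check_key(generate_wep_key()))
```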

All Rights Reserved, Copyright 2008 - 2009, TechTarget