Wireless networking has great potential for improving access to services within an organisation. For this reason, there has been a rapid uptake in its use. However, like many new technologies, many implementations have been completed without attention to issues of security and authentication.

As a result, many wireless networks are set up so that anyone with the right equipment can access insecure organisations networks; eavesdrop on traffic, view users passwords as well as other data, without physically being in the building.

Tools and information about how to tap nearby wireless networks are widely available on the market. Indeed, within the last five years, a whole subculture involving people going around, scanning for open wireless nodes, and publicizing them to people who want free wireless access or trying to circumvent your network just for the fun of it has sprung up.

The underlying problem with wireless networking is that without adequate security in place, anyone in the vicinity of your building can eavesdrop on everything that happens on the network. They can also use the network for themselves.

When implementing a wireless network key considerations should be made to ensure only authorised people can use the wireless network, and that no-one can view your communications. Maintaining access and privacy (confidentiality) on your network must be the key priority

End to end encryption can be used to attain privacy while special gateway systems and strong authentication devices can be used for access control and authentication, thereby improving security on the network.

Encryption ensures that data intercepted during transmission can't be easily used. Application-level encryption can also be added and it usually involves RSA or Wireless Transport Layer Security (WTLS) between the device and wireless gateway. Secure Sockets Layer (SSL) or Transport Layer Security (TLS) can be used between the wireless gateway and the Web server.

A common concern in wireless technologies which presents certain security risks is the WAP gap. This is the point in the WAP gateway where content is decrypted from WTLS and re-encrypted into SSL. The data is unencrypted for a split second and only in gateway server memory.

However, most WAP gateways are typically kept under high security and this is why the WAP gap is an insignificant security concern for most organisations

Organisations that cannot accept that risk, should consider advanced techniques such as WTLS tunneling. WTLS tunneling keeps data encrypted between the device and enterprise and requires the implementation of WAP gateways within the enterprise demilitarized zone (DMZ). Thus, encrypted data passes the carrier gateways and enters the enterprise network before being decrypted.

Authentication can be improved by using two-factor authentication such as RSA SecureID, which requires the user to enter a randomly generated PIN in addition to the username and password.

However before implementing a wireless network as a starting point, a cost-benefit analysis and comprehensive risk assessment needs to be carried out identifying risks as well as adequate methods and countermeasures to mitigate them.

At Zylt Consulting our services include.

• Risk assessment of your proposed or existing wireless network
• Recommending controls to mitigate any risks
• Providing a comprehensive tailor made report for your network