by Dr. Tina Bird - Security Architect, InfoExpress - Monday, 25 April 2005.

Offering convenience and ease of use that have revolutionized the way people use computers and networks, wireless networks have also complicated endpoint management and security. Wireless networks have earned a reputation for being difficult to monitor and administer, exposing organizations to a higher rate of infection from Trojans and viruses and incurring greater support costs than anticipated.

Today, the term “wireless security� usually means technologies that prevent unauthorized or malicious users from connecting to a wireless network. Wireless security technologies inspire heated discussions about key negotiation and data encryption, as well as user and host authentication. While these mechanisms are vital components of a secure wireless architecture, they do little to guarantee the configuration and patch levels of the machines joining the wireless network, and little to reduce the likelihood of a legitimate user’s infected machine using the wireless connection to spread chaos throughout the production infrastructure.

The real world limitations of “traditional� wireless security have been made abundantly clear during the past two years by the Blaster and the associated Windows RPC attacks, Sasser, the Agobot/Phatbot family of Trojans and other notorious Windows security incidents. As organizations quickly learned, neither encryption nor strong authentication defends an organization against Blaster and its ilk. In fact, relying solely on these mechanisms may actually make the organizational exposure worse because once these machines are authenticated, they typically have access to file shares and other network resources which can be leveraged by malicious code to spread infections. And if VPNs are used to provide access to remote users across public, insecure networks, they often unwittingly become the channel these mindless destructive exploits usurp to bypass firewalls and other perimeter defenses.

New challenges also bring new opportunities. Many security architects and network administrators are using the rapid adoption of wireless connectivity to reduce these mobile computing risks, by supplementing their native wireless security mechanisms with endpoint configuration management and enforcement tools. These systems secure wireless networks by blocking access to the production environment until an endpoint has passed a security audit which validates the endpoint’s patch level, the presence and state of security tools and a variety of system configuration details. The endpoints gain access to production systems only after their compliance to security policy requirements has been verified by the audit.

A number of commercial endpoint policy management and enforcement systems manage network access control levels dynamically, using the results of scans or agent-based audits, allowing administrators to easily apply the same endpoint security requirements across many different types of network access methods including wireless, VPN/remote access and traditional LAN switches. Administrators can use these systems to display and verify many details about the endpoint configuration, including the registry settings, operating system and application versions, anti-virus signatures and running network services and processes. In addition to access control, these offerings typically support a variety of configurable endpoint remediation options, ranging from message pop-ups on the endpoint system to redirecting the user to a Web server to automated patching without any user intervention. This powerful combination of endpoint visibility and audit mechanisms, dynamic access enforcement and transparent remediation significantly reduces the chances that a rogue or infected PC will be able to compromise a production network through wireless (and other) links.

While all network topologies will benefit from policy enforcement technologies, wireless networks gain some of the most significant advantages. Even relatively simple checks – like verifying that the anti-virus process is up to date and running – can greatly reduce the chances of a virus or Trojan penetrating the wireless infrastructure. And an enforcement mechanism that requires all laptops to have critical patches, up-to-date and running anti-virus programs, no file sharing and encrypted storage for corporate documents will greatly reduce the chances of a laptop leaking sensitive data when connecting to the corporate network wirelessly from hotspots at an airport lounge or coffee shop.

Thus, the new wireless security paradigm starts at the endpoint, combining inspection and remediation tools with network-based dynamic access controls to let colleagues take full advantage of wireless network ease and convenience, while keeping competitors and other digital vermin out.