Protect Yourself Against Wi-Fi Bandwidth Vampires

They come by night -- and, for that matter, by day -- furtively sucking the lifeblood from unprotected Wi-Fi networks wherever they find them. They're wireless bandwidth vampires.

It isn't difficult to find an unprotected wireless access these days, whether it's from a home user's wireless router or a small business or departmental access point. You need only flip open your laptop in most major cities to find a list of available networks named "default" or "linksys." And if they have they're set to their default settings, you can be sure that you'll have all the access you need.

Unprotected wireless networks that are open to all and sundry bandwidth suckers are really more of a problem for small organizations than large ones, says Forrester Research principal analyst Ellen Daley. The Wi-Fi market has bifurcated, and large enterprises have gotten smarter, and the access hardware targeted to their needs has become more secure.

"The problem is the cheap devices you can buy from places like Circuit City," Daley says. "A wireless router costs $60 today. Small business will buy them, but they come with no security enabled out of the box."

And the small business user often won't dig too deeply to set the device up for Wi-Fi Protected Access (WPA) authentication or Wire Equivalence Protection (WEP). The whole point of wireless networking for many companies, Daley says, is convenience, and one of the big attractions of mass-market Wi-Fi is its plug-and-play simplicity, regardless of the security dangers.Lest large enterprises smugly sit back on their security laurels, consider this: the same errors of convenience can afflict even the biggest corporations at the departmental level. After all, air-tight security policies and the latest enterprise-grade, hardened access points only protect an organization if the IT department deploys all of its hardware. However, the small department that sets up its own Wi-Fi with a consumer router can open the enterprise to all kinds of trouble from wireless vampires.

"Large enterprises tend to have the acts together," Daley says. "But the rogue employees who just buy an access point and plug it into a port in the wall can be a real problem."

In fact, it can be a really big problem, says Rohip Mehra, director of wireless product management for 3Com. "If a department goes and buys its own unsecured access point, in the process it open up the whole enterprise network, both wired and wireless, to everybody," he says. "That's where the problems come in."If all you had to worry about was the odd networking trade journalist looking for a free ride on the information highway in midtown Manhattan because he's too cheap to pay for access to a T-Mobile hotspot, then it wouldn't be so bad. As irritating as bandwidth bloodsuckers might be, neither Daley nor Mehra think that stolen network time is the real danger.

The real danger is that unauthorized access points can open up the enterprise network to all kinds of viruses, malware and the deliberate actions of black hat hackers. In this age of obsessive due diligence and Sarbanes-Oxeley, it's amazing that unsecured access points are so common, Daley says.

"It's just like having an Ethernet cable ten yards outside your office that anyone can plug into and get into your network," she says. "That would be a New York Times headline."Part of the answer is to simply enable your access point's security features. "You need to authenticate," Mehra says. "It's that simple. Companies also have to encrcypt traffic and segment the wireless network using VLANs (virtual local area networks)."

Daley points out that networking vendors have woken up to the idea that security should be the default setting while open to all-and-sundry should be the option. "It's not as simple as a push-button on the router yet," she says. "But the big push has been to get vendors to make a security setting the default. We're starting to see that."

Some routers come out of the box with media access control (MAC) address security, WPA or WEP already enabled. Moreover, consumer wireless product documentation has become better at documenting how and why home and small business users should use security features.

The solutions are a bit more complicated for large enterprises looking to crack down on rogue access points. But even here, Mehra says, there is technology available to keep the enterprise network gates locked tight. "The industry is using sensors that look at the RF domain for foreign and rogue devices," he says. "If a department sets up a rogue access point, the moment that it comes onto the network and starts broadcasting its SSID (Service Set Identifier), the sensors will pick it up and notify the network administrator."

That rogues could be anything from an innocent do-it-yourself departmental wireless router or a traveling journalist to a malicious hacker with a wireless device sitting in the parking lot. But enterprise network administrators can take immediate steps to bring out their digital garlic and wolfsbane and shut the vampires down . . .just like Buffy would do.0