“Protect Your Wireless Network—And Your Business” (Nov. 08, page 88) suggested a number of steps to protect wireless networks from outside monitoring and other unauthorized access. As an international consultant and a contributing editor for Wiley’s Computer Security Handbook, 5th Edition, I differ with some of the recommended measures.
Several measures give the illusion of increasing security while not actually substantially increasing it. One such measure is Step 4, “Hide Your Router Name.” Even the relatively Draconian PCI Data Security Standard (Version 1.2, Requirement 2.1.1 as of October 2008) no longer requires this step for compliance. As the article correctly notes, even with the beacon signal disabled, the router name (the “SSID” or “Service Set Identifier”) is easily obtained. The article correctly states that MAC address cloning is straightforward, and thus limiting access by MAC address is only an obstacle to a casual interloper.
Using preshared keys is not a problem when network use is limited to a small community. If the community is larger, or if visitors need to access the wireless network, a different approach is needed.
In “Safe Computing in the Age of Ubiquitous Connectivity” at the 2007 Long Island Systems Applications and Technology conference in Farmingdale, N.Y., I elaborated on an approach that I had presented since 2004 at IEEE Computer Society Chapters throughout North America. This approach uses an unprotected wireless network as a “digital dial tone” with the actual access to both the intranet and Internet allowed or disallowed by a gateway. Security in such an environment is enforced by the gateway, not the wireless access points. These concepts are the core of “Compartmented Networks,” presented at the 11th Annual New York State Cyber Security Conference in June 2008.
Virtual private network (VPN) technology is used to provide privacy in such a network. Relying on a VPN for encryption allows for more security than WiFi-only schemes such as WPA/WPA2. Higher-security users may use the maximum encryption and authentication provided by the VPN, which may be more than is available through WPA/WPA2.
Security is admittedly a complex area, but merging local access with the security precautions already in place or required for remote access would greatly simplify administration and audit.
Author’s Reply: Thank you for your feedback. My article on tips to secure a wireless network was specifically written for small to medium CPA firms (see the arrow and footnote stating my target audience in the Table of Contents on page 4 immediately under the description of my article). My article was also written with specific attention to router settings since every wireless network requires a wireless router.
I give tips designed to make a wireless router secure. The tips are for a CPA who has limited networking knowledge and are not intended to be applied at a large (enterprise-level) firm. They are also not intended to replace current network policies a company may have (such as using a VPN over a wireless network)—see my disclaimer at the end of the article.
I disagree that my tips give an “illusion” of security. These nine tips do increase security, and are common in industry for small and medium firms and for home use. One tip (hiding an SSID) that you claim creates an illusion of security is suggested in a document at the Department of Homeland Security (see “Make Your Wireless Network Invisible”). Dozens of security articles, textbooks and study guides give the same advice.
The tips are not foolproof or all-encompassing for wireless security, something I clearly explained in the article. They are practical starting points at the router level. Of course, advanced software and hardware can be implemented at additional costs to make a network more secure as you suggest in your letter, but it is wise to deter hackers (both at the expert and novice levels) with all security safeguards available in a router rather than to do nothing at all.
James F. Leon, CPA, CISSP, Ed.D.