Broadband wireless networking has become a technically feasible alternative for enterprise-wide IT systems. Compared to traditional wide-area networking, it offers an increasingly flexible and cost-effective approach. Plus, the costs for the deployment of broadband wireless systems are on the decrease. Meanwhile, speeds are rising to near-gigabit performance. Now, broadband wireless stands toe to toe with wireline networking. This technology is capable of making today's enterprises swifter and more agile.
Wireless networking, like its wired cousin, isn't without its challenges. The "air" that's traversed by wireless-network data is inherently unsecured. Network managers and their security-management peers therefore face important enterprise issues that must be addressed. Such issues include information protection, confidentiality, and authenticity between trusted networks.
The advantages of wireless wide networking include quicker installation cycles, operation in geographically troubling areas, reduced operating cost, and—typically—better overall performance. These strengths create the flexibility that's needed to make networking changes while avoiding the logistical and costly roadblocks that prevent traditional wired networking. This point is especially valid in cases that involve older or leased buildings as well as areas where laying cable is neither cost effective nor feasible. Aside from flexibility, a wireless-networking solution boasts a much faster implementation time. It can run days instead of months.
These advantages bestow a number of direct business benefits upon today's enterprises. They provide lower labor and implementation costs along with increased workforce productivity. In addition, consider the agility and flexibility that wireless networking offers. In many ways, it begins to look like a first-choice networking option.
Yet even though wireless enables significant productivity-enhancing and cost-cutting potential, the issue of security still looms. In general, network and security managers must keep unauthorized individuals from gaining access to confidential or critical business information. Wireless networking adds another wrinkle: the physical space in which unauthorized activity can affect the network.
For wired networks, that space is restricted to the physical office space. That's where the network sits and the data traverses wired lines. For wireless networks, that space expands geometrically to anywhere that the wireless signal can be intercepted. A significant additional risk is placed on those network and security managers who manage wireless wide-area networks for their enterprises.
Each year, billions of dollars are spent on storing mission-critical data, managing disaster-recovery scenarios, securing intranets, and restricting access to important IT assets. In spite of this vast expenditure, relatively little thought is given to what happens to the network data that's in motion between enterprise offices. Such data is on its way to a client, partner, or another trusted network. Whether the "line" is wired or wireless, data passing unencrypted across a network is neither secure nor protected.
Increasing this risk are some fundamental misconceptions in today's network-security market. These misconceptions involve a variety of questions, such as: Is a wireless wide-network system protected from eavesdropping or data manipulation? Are virtual private networks protected from unauthorized access? Do firewalls and intrusion-detection systems do anything to protect network data in transit? The answers to these questions offer a peek into the soft underbelly of virtually all current, unencrypted wireless-network systems.
Three major misconceptions about wireless-network security are listed below. See if any of these situations rings true in your enterprise:
- Misconception #1: "Our point-to-point wireless system is safe. Only our enterprise is aware of the network connections." While most wireless-networking systems have basic proprietary security protocols, no sophisticated standard exists to enforce the overall protection of the payload and headers while the data is in motion. Additionally, the wireless-network architecture influences the probability of theft. The size of the spectrum varies according to distance and location. As a result, transmission paths are vulnerable to unscrupulous individuals. Such thieves often employ sensitive "listening" equipment to intercept the data.
- Misconception #2: "Our VPNs are secure." No network is truly secure if data can be interpreted by anyone who manages to intercept it. VPNs do provide logical traffic-separation techniques while ensuring quality of service. But they fail to protect the data once it's actually in transit. Truly secure private networks require the use of data encryption, such as the Internet Protocol Security (IPSec) protocol. This protocol makes data useless to those who don't have the key to decode it.
- Misconception #3: "Our system has a firewall. We're already protected." Firewalls are excellent for their purpose, which is to keep unauthorized users and hackers out of an organization's secure intranet. But they don't protect wireless data once an intruder has gained entry. Firewalls and intrusion-detection systems can prevent a threat to a network. But they cannot protect the data once it has entered the trusted environment. Broadband wireless networks exist behind the firewall. By supplementing an existing firewall with an encryption appliance, one can improve both the performance and the security of any intranet.
The security gap that's created by these misconceptions makes it necessary to look at wireless-network security from a new point of view. No one can be certain that unencrypted wireless data is secure. Billions can be spent in time, effort, and money to achieve "secure" wireless systems. Yet network and security managers may be overlooking another option at their disposal: They can make the data on their lines useless to anyone outside the organization. It's one thing to know that your data is safe behind your enterprise doors. But it's quite another to transmit that data back and forth unsecured.
IPSec encryption eliminates the need to trust standard network components for complete security. Basically, IPSec is the encryption of traffic on an Internet-protocol (IP) network. It provides a simple and cost-effective solution for many of the security deficits that are found in today's broadband-wireless-network traffic. IPSec encryption promises to bestow the essential elements of confidentiality, authentication, and integrity upon secure network data traffic.
Encryption isn't new. Numeric encryption has been around since the ancient Greeks. Modern encryption systems had their beginnings when the telegraph and radio brought electronic data transmission into play. The transmissions created the need to keep that data secret from those who might listen in.
In the 1970s, the Data Encryption Standard (DES) algorithm was introduced. This standard broke data into pieces and then encrypted and decrypted each piece. It used a 56-b key to perform mathematical transformations on those pieces. DES was widely used until computers became powerful enough that a brute-force method became possible. Then, people simply applied all of the possible keys to decrypt the data.
DES was followed by the current standard, Triple DES (3DES). This standard uses three 56-b keys and three DES operations. The result is the equivalent of one 168-b key. 3DES is a much more secure method. With the same methods, it literally requires billions of times longer to break.
In anticipation of the need for stronger encryption methods, newer standards are already being developed. An example is the Advanced Encryption Standard (AES), which uses 128-, 192-, or 256-b keys. It was developed via an open competition that was initiated by the National Institute of Standards and Technologies (NIST). AES provides another considerable jump in encryption security.
Encryption alone can make data in transit un-interpretable to anyone who might intercept it. At the same time, complementary technologies do exist. They improve the overall security that's provided by any encryption system (SEE FIGURE).
One such technology is authentication—the capability to ensure that data senders and receivers are identifiable. It's important to know that your data is going to or coming from a trusted source. One of the most popular forms of authentication is Public Key Infrastructure (PKI). It's used to verify the sender and receiver of data. As a result, both parties know with whom they're communicating.
Once communication with a trusted source is established, it's equally important to ensure that the data hasn't been tampered with in transit. A class of cyberattack, dubbed the "man in the middle attack," causes unsecured data to be subject to alteration. That alteration is done by a malicious third party while the data is in transit on unsecured lines.
The industry-standard algorithms to solve this issue are known as the MD5 and SHA-1 Message Authentication Codes. They create a unique fingerprint for each packet of data based on its contents. Only the sender and receiver can correctly calculate this fingerprint. The fingerprint becomes incorrect if the packet is altered in transit.
Because each packet is examined for encryption/decryption, packet-filtering technologies can examine them right at the edge of a secure network. With the proper security policy in place, troublesome and unsecured applications can be disallowed. The resultant packets will be dropped. Examples of such applications include online gaming and music sharing.
As the areas that need encryption technology have grown and changed, the technology itself has evolved and improved. Different industries and enterprises may have unique reasons for needing IPSec encryption. But the applications themselves aren't hard to find.
Security is an ever-present concern at all levels of the enterprise and government agencies. The safety of our nation and its people requires that utmost care be taken in protecting the information that's run by federal, state, and local governments on a daily basis. IPSec encryption is an important and simple method to achieve the confidentiality requirements that are demanded by government organizations. Network security also is essential to law enforcement. Here again, IPSec can help.
Currently, identity and credit-card theft are rampant. New legislation, such as the Gramm-Leach-Bliley (GLB) Act, is adding to the security requirements that are being placed on financial institutions. IPSec encryption offers an ideal solution to these requirements. It can secure the immense number of transactions and transmissions that are a part of daily financial operations.
IPSec encryption also enables the remote-backup and disaster-recovery systems that are utilized by financial organizations. Using those systems, the organizations maintain the confidentiality of consumer information. IPSec also allows them to promote network security along the crucial network lines between national, regional, and local banking centers. If these lines weren't secure, our current system of electronic finance would be totally at risk.
In medicine, patient records, billing information, and even X-rays are now being transmitted across the Internet. This trend will only grow with time. Keeping patient confidentiality and financial security in mind, IPSec encryption can keep pace with the growing needs of the healthcare community. It also can help ensure compliance with the federal government's Health Insurance Portability and Accountability Act (HIPAA).
IPSec encryption protects our nation's vital infrastructure. Simul-taneously, it supports the 24-to-7 operations that are considered so vital to the utility industries. With the global threat of terrorism posing a constant concern, the need to protect vital operational information from outside sources is more important than ever. Available encryption systems now have the throughput to match the needs of this demanding sector. They can ensure that all communications are secure.
THE RISK RETURN
Like all business decisions, network security is a matter of evaluating the risk versus the costs involved with mitigating that risk. Can you afford to risk having your wireless critical data exposed and unprotected? Can you afford to make it available to anyone who can get it?
In the past, encryption systems could not keep up with the rapid advancements in computer speed. They were overlooked as a possible solution. Today, the situation has changed. Encryption systems now operate at full-duplex gigabit-Ethernet speeds with minimal latency. As a result, IPSec encryption can be made available to network and security managers who want to close the holes left in their broadband-wireless-network security plans.
In this increasingly real-time, data-dependent, Internet-based economy, no organization can afford to leave its wireless data unprotected. Encrypting wireless IP traffic provides an end-to-end, cost-effective, and technologically complete step toward achieving complete network security in today's wireless networked environment.
9701 Corporate Center Dr., Suite 125, Raleigh, NC 27607; (919) 865-0640, FAX: (919) 865-0679, www.cipherOptics.com.