
The business risks of home WiFi networks

5th May 2009

With more employees connecting to the office from their home PCs, the risks of infection and unauthorised access have increased significantly. David Hobson of Global Secure Systems (GSS) explains how to minimise those risks.

Not so long ago, anyone wanting to work from home would only be allowed to do so using a company PC and a router hardwired into a secure virtual private network (VPN) that encrypted data between the home user and the office network.

We are seeing a drift away from this situation, with many organisations allowing much freer access to their internal networks from home-based computers. This scenario presents a new set of security challenges, particularly when employees are running home wireless local area networks (WiFi).

Wireless networks replace traditional copper wires and fibre optic cables with radio signals. Early WiFi systems offered a basic level of encryption called wired equivalency protocol (WEP). But WEP was fundamentally flawed, and can be easily cracked with tools freely available on the internet. WEP is now being replaced by stronger security protocols, most notably Wi-Fi Protected Access (WPA and its successor, WPA2), which are defined by the wireless standard IEEE 802.11i.

In a domestic environment, the biggest concern is casual piggybacking, where intruders tap into unprotected connections. While freeloading bandwidth isn't such a big loss, the real risk is from data leakage.

Corporate users need stronger protection when they access the office network from the road. VPN technology makes this possible by ensuring that data is encrypted from the laptop to the remote corporate network, regardless of the user's connection point or medium.

Laptops can pose security risks such as introducing malware picked up in the field to the corporate network. WiFi usually operates in what is known as an infrastructure network, where the laptop will connect to an access point and from there on to a network. There is a second type of wireless network, the ad hoc peer-to-peer network, where the wireless device will speak to another wireless device directly and not through an access point.

If a laptop has no firewall in place, hackers can use this route to gain remote control of other PCs. In one recent experiment in the US, our researcher accessed the laptop of a director of a well known physical security company.

Many companies will restrict access to the network to known, corporate PCs, which ensures that the machines are patched with the current operating system updates and antivirus software. If home PCs are allowed to connect, there is very little control of the end point. If a home PC is infected with a virus or worm, it can easily be brought into the company’s network. The virus could even evade the usual security controls if it is transmitted over a secure, encrypted VPN link.

Security is all about being aware of the risks and mitigating them as much as possible. This article has highlighted a few of these risks, but using the correct technology can mitigate them. You must ensure you are running up-to-date anti-virus software, have a personal firewall to block unauthorised access, keep all systems fully patched and run a VPN to encrypt all data between a computer and the corporate network.

Always run WEP or WPA on the access point to control access on to the network. Whilst WEP has acknowledged flaws, it is a lot better than nothing and will discourage the casual hacker.
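
The following Python example is added here and is not from the original article. It classifies scanned networks by the protections discussed above (open, WEP, WPA/WPA2, ad hoc). The input layout, modelled on the output of `nmcli -t -f SSID,MODE,SECURITY device wifi list`, the sample data and the risk labels are assumptions.

```python
import re

# Constructed sample; the colon-separated layout is assumed to match
# `nmcli -t -f SSID,MODE,SECURITY device wifi list`.
SAMPLE_SCAN = """\
HomeHub-2F:Infra:WPA2
OldRouter:Infra:WEP
CoffeeShop:Infra:--
Dave\\:Laptop:Ad-Hoc:--
Office-Guest:Infra:WPA1 WPA2
"""

def split_terse(line):
    """Split on unescaped colons, then restore escaped colons in fields."""
    parts = re.split(r"(?<!\\):", line)
    return [p.replace("\\:", ":") for p in parts]

def classify(mode, security):
    """Return (risk, reason) for one scanned network."""
    protocols = set(security.split()) - {"--"}
    if mode.lower() == "ad-hoc":
        return "high", "ad hoc peer-to-peer network, no access point in the path"
    if not protocols:
        return "high", "open network, no encryption"
    if "WEP" in protocols:
        return "high", "WEP is flawed and easily cracked"
    if protocols & {"WPA2", "WPA3"}:
        return "low", "WPA2 or later available"
    return "medium", "WPA only, move to WPA2 where the hardware allows"

def audit(scan_text):
    """Parse scan output and return a list of (ssid, risk, reason)."""
    findings = []
    for line in scan_text.splitlines():
        fields = split_terse(line)
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        ssid, mode, security = fields
        findings.append((ssid, *classify(mode, security)))
    return findings

if __name__ == "__main__":
    for ssid, risk, reason in audit(SAMPLE_SCAN):
        print(f"{risk:6} {ssid:14} {reason}")
```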

About the author

David Hobson is managing director of Global Secure Systems (GSS), CRN's Security Reseller of the Year for 2008.

This article is an extract from an article originally published on our sister site Finance Week.

Replies (6)


By AnonymousUser
15th May 2009 11:43

What about 3rd party remote access services
I see the comments about vpn and mac addresses.

Does the use of a service such as logmein or gotomypc address these issues?

These make a big deal about their security.

I presume also that all of this is moot if there are keyloggers etc on your machine anyway.

So the first line must be the device itself - whether it is a work machine or home or other machine.

Thanks (0)
By hughk
07th May 2009 13:03

Forget WiFi, the internet is dangerous...
There are many rumours about the perils of open home WiFi that are mostly being spread by ISPs who don't want access being shared. If you have no home server and a flatrate connection, there is no real win about using secure WiFi.

MAC (adapter address) restriction doesn't really work. There are utilities that will change your MAC address. WEP is totally broken and takes minutes to crack leaving WPA2 with a long, random key as the only option. WPA with a short word-based key can be broken in less than an hour or so.

However, if you are connecting from home to a corporate intranet, all of this is inadequate because somebody on the internet can claim to be say xyz.com for long enough to capture traffic.

The answer is end to end encryption. For connection to a corporate intranet use VPN. This constructs a private network over a public connection that will go from your laptop all the way to the server. If implemented properly, it is difficult to compromise. The same goes for access to web based services via https/SSL such as internet banking.

So in short, *however* you access the Internet, any connection to your corp intranet must be via VPN or if just to web based services, https. If these services are compromised, say by a virus then the security may not be worth anything. Work laptops to be used on the road should be heavily locked down and then they will remain secure.

Thanks (0)
By AnonymousUser
07th May 2009 11:28

MAC address restrictions
How would one go about restricting MAC addresses, Marc?

Thanks (0)
By stevebaker22
07th May 2009 11:27

Mac restriction
This is the only way to stop unauthorised access. A friend of mine spent a couple of hours at my brother's new flat and showed him he could use his neighbour's internet for free whilst waiting for BT to install his.
Not sure how he did it but it took two hours and my laptop. Opened my eyes to how sensitive data could be changed on a network

Thanks (0)
By marcspillman
07th May 2009 11:09

Consider MAC address restrictions?
I find MAC address restricting is the best form of security for a wireless network (certainly on a home network). Wi-Fi users can see the network, but can never successfully connect unless they are on your approved MAC address list.

Thanks (0)
By StefC
06th May 2009 08:12

Making any network a secure, trusted network
A great article, and valuable heads-up of security exposure, thank you David.

For people with concerns about securing data and devices across any network type, readers may want to look at the link below to see how enterprise and UK government customers are keeping control over secure transmission over untrusted networks. As a software-only product, it is free to download and evaluate for up to 100 users for a month (and they will come and help you install it at no cost :).

If this sounds useful, have a look at http://netmotionwireless.com/industries/enterprise.aspx

Cheers
Stef

Thanks (0)