Take advantage of the latest security tools and keep your users informed if you want to achieve wire-free bliss.

Reader ROI

• How new wireless security technologies can eliminate old fears about Wi-Fi
• Policies you need for wireless implementation
• How other CIOs deal with wireless security issues

Oliver Tsai sees it every quarter. Fresh-faced medical students, new to Sunnybrook and Women's College Health Sciences Centre and armed with the latest Wi-Fi-enabled laptops, see no reason why they shouldn't be able to hop right onto Sunnybrook's wireless network with those shiny new laptops they just bought.

The same scenario plays out with doctors and office managers and anyone else whose new gadget automatically sniffs the airwaves and picks up signals from Tsai's wireless LAN, or WLAN. "They can see what's available, but because of the security, they can't access the network until the device is properly configured," says Tsai, the director of IT at the academic health sciences centre in Toronto. It's a look-but-don't-touch situation that can frustrate users - but, Tsai says, it's a necessary, if temporary, frustration.

Whether they're medical students, CEOs or cube dwellers, today's mobile phone and BlackBerry-equipped workers are clamouring for even greater wireless access while on the job. It's nearly certain that their company-issued laptop has a Wi-Fi chip built-in, and they see no reason to be shackled to their desks any more.

Yet IT executives are still distrustful of wireless LANs because of perceived security nightmares such as wireless denial-of-service attacks and network breaches. "They are scared," says Nick Selby, an enterprise security analyst at The 451 Group. A December 2005 Forrester Research report echoes Selby's take: Security is the number-one obstacle when acquiring wireless technologies, regardless of industry.

But some of those fears may be based on old news. "Most of the security problems that have scared away early adopters have been solved," says Selby. New authentication and encryption schemes (such as 802.1x for user access and 802.11i advanced encryption standard, or AES) are more vigorous. And vendors now offer intrusion-detection products and architectural schemes that make enterprise wireless networks just as safe as wired ones.

"Most of the things you'll need to do [for security] will come from the vendor. It's just a question of turning it on," adds Selby. Last year, Gartner went so far as to say that Wi-Fi was one of the most over-hyped IT security threats.

So for 2006 and beyond, here are the five security areas that will help you and your users get the most from a wireless LAN - without all the nightmares.

Start Planning

First questions first: Why do you need a WLAN? Who's going to use it and for what purpose? And what are the necessary internal and external safeguards? By answering those questions early, CIOs can also determine just how much security their WLAN will need.

IS director Bill Tomcsanyi's initial plan last year was to implement a wireless network beginning in the emergency department at Torrance Memorial Medical Centre. The more he looked at then-current security safeguards, the efficiencies his clinicians and administrators could realize, and the relatively low cost to install the network, the more he thought of enveloping the entire hospital and other buildings on campus, which is what he did. "[Wireless] is absolutely an integral part of our five-year information technology plan," says Tomcsanyi. "In the end we're providing faster patient care and eliminating all of the things that could lead to errors."

Once CIOs have an idea of what they want, the next challenge is to quantify the capital outlay and the expected benefits - but don't expect to produce hard numbers. "We haven't been able to quantify why these networks are worth making the investment," says Joel Conover, a research director with research firm Current Analysis. Instead, the benefits are mostly soft, such as increased productivity and efficiency because users can go anywhere (conference rooms, outdoor patios, the cafeteria) and tap into the network if there's a wireless access point (AP) in range. And even without hard ROI, some CIOs find adequate value. "[Our users] can stay connected to Lotus Notes and the CRM and ERP packages, and can cleanly and easily move and stay connected consistently," says Steve McDonald, VP of IT of Optimus Solutions, an integrator and reseller of software and hardware. McDonald has covered some 23,000 square metres of space with nine APs using 802.11b/g networking capabilities.

But Ellen Daley, principal analyst with Forrester Research, sums up the consensus of today's WLAN deployments: "For primary data access to every network in the enterprise, [Wi-Fi] is really an additive - not a replacement [for the wired network]. And it's an additive cost." Payback figures from WLAN vendors are a bit rosier. On a typical installation using 802.11a, b or g, for example, Nortel claims that organizations can realize a 2 percent to 3 percent productivity improvement for users and a payback on the WLAN investment in a year's time.

Write the Book

The industrious cube dweller or visiting contractor who plugs his wireless router into an Ethernet port probably doesn't have evil intentions. But it's up to you to make it clear to every user how bad such behaviour can be: This rogue access point now sits behind the outward-facing protection of the firewall and can't be detected by most intrusion-detection systems, and somebody sniffing the air with a simple, inexpensive handheld device or wireless-enabled notebook could lock on to the signal and have full access to the corporate network. "You have to define the policy for your wireless LAN: when people can use it, the restrictions on use, or guest-access use for consultants and partners," says Daley.

CIOs cannot overestimate the amount of user education needed for a wireless LAN policy. Users don't need to know how to tell a MAC address from an SSID, but they do need to know right from wrong. For example, they need to know about being tricked into accessing a wrong (and potentially malicious) access point that doesn't belong to their organization. "It really requires that awareness of a new set of risks that this freedom permits," Selby says.

Next, CIOs all agree that any new wireless policy must dovetail with the existing wired policy. "You have to follow the same rules of the road for wireless that we follow in the wired environment," says Bryon Fessler, CIO and VP of IS for the University of Portland in Oregon. Since last year, Fessler has rolled out 50 access points in three buildings on campus, with plans for at least 25 more in the future. He takes every opportunity (face-to-face discussions, e-mails and other get-togethers) to ensure that the 4500 students, faculty and university members understand the reasons behind his wireless LAN policies - why, for example, student laptops have to be quarantined, inspected for viruses and credentialled before they can connect to the WLAN.