Controlled Airspace

In the future, Frequency Selective Surface panels from the likes of BAE Systems might be able to keep your wireless traffic in-house and wireless intruders out. But until this so-called stealth wallpaper - which blocks specific radio frequencies - becomes commercially available, you'll need to approach wireless security with more mundane techniques.

First off, most Wi-Fi devotees say that CIOs shouldn't fight Wi-Fi. The technology's low cost and simplicity make outright bans impossible to enforce. Therefore, developing a sound strategy to control Wi-Fi's proliferation is all the more critical for CIOs. "We knew wireless was coming. We knew it was a legitimate business need. We knew we had to do something," says Fredricksen. "But out-of-the-box wireless is absolutely contrary to the security controls we have put in place." So Fredricksen went back to the basics. "We applied the same security baselines to the wireless initiative that we apply to all of our other projects," he says.

Alternate Routes

Regarding the denial-of-service flaw, Fredricksen says, "There would always be an alternate way to get the business done," whether users would have to switch to a wired connection or go to an offsite kiosk. But, he concedes, you have to ask yourself one tough question: "If you had a branch become 100 percent wireless, how devastating could [an attack] be?"

To mitigate that scenario, a thorough and well-understood wireless policy is critical. "From the CIO perspective, you have to have the appropriate staff and technology solutions," says Ollie Whitehouse, technical director of @Stake's United Kingdom division. "You also have to have a policy and procedure to back it all up. If not, the first two are useless in the end." That policy should at the very least cover network and device management, as well as monitoring and enforcement mechanisms. CIOs also need to weigh the risks involved with placing your company's most sensitive information up on a Wi-Fi network - for example, consider the health-care, government and financial sectors. If the information is mission-critical to the business or if your company operates in a heavily regulated industry, security becomes even more paramount.

New Management

CIOs need to make certain that attackers cannot get to the hardwired corporate network through a WLAN hole. "You always have to be thinking about how you can narrow the aperture of the target space without hurting your business," says Tim Keanini, CTO of nCircle, a network security vendor. "You have to assume an opponent is actively trying to find your flaws." That means unauthorized access points need to be found and terminated, and authorized access points need to be situated in areas where the radio frequency footprint isn't extending beyond your offices. Default security settings on Wi-Fi-enabled laptops and handhelds need to be cranked up to your company's standard security levels. Those devices also need to be running, at the very least, these security programs: For user authentication, use Media Access Control (MAC) filtering; for Radius authentication and authorization, use Kerberos or smart keys; and for encryption, use Wi-Fi Protected Access (WPA) or virtual private network (VPN). Also, make sure th at ad hoc or peer-to-peer Wi-Fi connections are not permitted on mobile users' laptops.

"The Wi-Fi communications medium can be made secure," says Whitehouse. "You can make the transfer of data through the air secure."

Rigid Enforcement

One of the more crucial steps in ensuring Wi-Fi security is monitoring your company's airwaves. And it's also the one on which most companies trip. For those companies that say "No Wi-Fi", security experts offer a test: Scan your building for Wi-Fi access points using a sniffer tool, and most likely, you'll find some hot spots. "How do you really know [you don't have rogue Wi-Fi users] if you aren't monitoring your systems?" asks Anil Khatod president and CEO of AirDefense, a wireless security vendor. "How do you enforce the policies?" He says that around a third of the companies using AirDefense's wireless monitoring products have a policy of no WLANs; they're simply trying to enforce the policy.

Wireless intrusion detection systems now being offered by a handful of vendors - including AirDefense, AirMagnet, AirWave Wireless and Internet Security Systems - can provide another layer of Wi-Fi security. These systems can detect attackers, rogue access points, unusual network occurrences and, as Whitehouse terms it, allow a certain level of compliance assurance. "This compliance assurance comes from such things as allowing enterprises to detect misconfigured devices that may expose the wired enterprise network to attackers," he says.

So Looi's denial-of-service discovery lingers in the Wi-Fi world, unfixed. But many users claim that they will deal with this problem as they have dealt with other Wi-Fi vulnerabilities - with proven security practices, communication with users and hopefully a bit of luck.