READER QUESTION #2
We are preparing to introduce wireless access, but we're concerned about making it totally secure. What are some of the things we are most likely to have missed in trying to secure wireless access?
Theresa Benavidez, USERS
I assume you're referring to a wireless internal network at your credit union. If so, it's critical that you take every precaution possible to ensure its security. At a minimum, you should use encryption that employs strong passwords (i.e. 21 characters, with a combination of letters, numbers and punctuation). Research your intended encryption protocol thoroughly, as there are many options available, some stronger than others. You should also employ a "default deny" policy that limits the traffic that can access your router to only those known addresses assigned to the wireless card. Your policy also should prohibit the transmission of SSID (information about your router that would help criminals gain access). Finally, recognize that a wireless network is susceptible to access by those in close proximity to your site. So you might want to limit your use of a wireless network to select applications (e.g. a training room) as opposed to using it enterprise-wide.
Tom Glatt, Jr., EVP Counter Intelligence Associates, San Juan Capistrano, Calif.
One thing many organizations in a wireless network scenario fail to do is keep track of unauthorized connections to the network - from internal locations. Stories abound of employees taking advantage of corporate WiFi networks, and with the prevalence of small WiFi devices these days you are bound to have an employee try to secretly tap into the connection. As they say, most fraud is due to lax internal controls. I suggest keeping an eye on all connected devices, as well as configuring the network to only allow approved devices a connection. Most WiFi routers and access points now have the ability to easily define a connection "whitelist". It may take you a bit more time in the set-up phase, and will require more ongoing administration and maintenance, but if you are after total security it is an advisable step in locking down access.
Rick Fleming, Digital Defense, San Antonio
The introduction of any new technology should only be done after all of the risks have been determined, mitigated where possible and a management plan put in place for those that remain. This is especially true for a potentially risky endeavor involving wireless networks. Wireless access comes in many forms and for this discussion, we'll talk about two: allowing 802.11 wireless network access for members and employees from within the credit union complex, and developing a user interface, usually home banking, that can be accessed by wireless devices such as mobile phones and PDAs. First, all wireless network access should be treated as hostile. As such, treat all wireless communications as if they originated on the Internet.
This should help resolve some of the problems as the authentication mechanisms in place for your wired Internet customers should also work for the customers accessing the wireless network provided in the lobby.
When you develop any wireless access points in your organization, the safest way is to make that connection outside the firewall and require all users to authenticate just like they would for wired connections. This would include employees who need internal access. They should use, even inside the credit union, a VPN connection to encrypt and protect all communications.
Second, for those credit unions that are developing a web interface that is usable by web-enabled phones and PDAs, make sure to use either SSL or TLS security to encrypt the connections. While it's a bit more difficult to intercept wireless communications sent to and from phones, remember that part of that connection will travel by standard Internet connections and as such is subject to monitoring and compromise. Make sure you use encryption and don't allow any member information to be sent if encryption isn't enabled and operating properly. Given this limitation, some web phones may not work properly, but remember, you can't compromise security for the sake of convenience.
David McConney, Harland Financial
The first suggestion is to ensure your SSID is unique and that encryption is enabled. The only secure wireless application is VPN over wireless. If members are surfing the Web from your Credit Union lobby, the risk is fairly limited. Firewalls can be put in place that have two wireless entry points, one public DMZ and the other private back office.
The second suggestion is to ensure that the wireless network does not touch your back office. If it does, then using a VPN is a must. All public wireless access should be in the "DMZ" of the credit union to reduce the risk of a user inadvertently obtaining a virus.
Dan Chaney, Teres Solutions
If you are trying to make wireless network access available to employees:
* You should create a new network segment that is logically separate from your normal network. This can still be managed by your firewall.
* Use WPA encryption instead of the old WEP encryption, which can be hacked easily. This prevents eavesdropping.
* Only allow access to computers that you manually add to your access control list. They can be added by MAC address (MAC is a unique number that each network card has). This prevents unwanted computers from having access to your wireless network.
* Control computers you add to the list by forcing anti-virus rules and other security precautions you would apply to a typical wired computer.
* Change the settings on the wireless access point before you connect it to your network. Change default passwords, disable remote administration and NEVER broadcast the SSID.
* Extend your IDS (Intrusion detection system) to monitor this access.
If you are trying to make internet access available at a branch for members:
Wireless networks can be offered in a secure manner if they're controlled and managed properly.
* Access should be completely separate from your normal network and as disconnected as possible.
* Block access to any unneeded ports to prevent people from using it in unintended ways.
* You should require that the user accessing the network agrees to your usage policy.
Chris Barber, Wescorp
Currently the only practical way to securely provision wireless access is to deploy it outside the firewall. Be sure to configure all security settings in the device (e.g. WPA2 enterprise for encryption, MAC address access lists), associate your laptop or device with the wireless access point, and require a VPN to connect back to the company network. This way, your system is as secure as the user would be plugging in to a hotel or Starbucks. I would not recommend a direct-attached wireless to an internal company network in any case regardless of the perceived security of the transport protocols. Think of the analogy of placing a physical network port on the outside of your building and letting people "plug-in". What would you feel safer doing in that case - running that port to an independent DSL line or direct to your inside network?