Monday, May 16, 2005

Wireless Security

I have been asked a lot recently about wireless networks, and how to secure them. On this subject there is good news and bad news. Sadly, sometimes it's the same news. So let's do some FAQs here, and see if I can clear up a few questions.
Q: Is a wi-fi network as secure as a wired network?
A: Nope. All of your traffic is broadcast via radio waves, which means that anyone with a wireless card can tune in. Using a laptop to troll for unsecured wireless networks is called wardriving. Ten minutes in the parking lot of any medium sized medical office complex will provide a wardriver with a half-dozen networks just laid out for the asking.
Q: Can wi-fi be made more secure?
A: Yep. Jeff at HIPAA blog has some excellent suggestions here. Your basic security concern with any network, wireless or not, is to conform to what security experts call the CIA model-- Confidentiality, Integrity, and Accessibility. You want your information to be confidential--- meaning that it stays off of the phosphor of the bad guys, have integrity, meaning that the bad guys haven't changed it, and accessible to the folks who need it, but not accessible to those who don't.
Q: Okay, then. Let's talk about confidentiality and how to achieve it.
A: To start with, encryption is your friend. It is possible to encrypt/decrypt your information without the user having to do anything--- we call this transparency. Use a protocol like WEP to keep the blackhats out. Make certain that the default names and passwords have been changed on your wireless router. And try to limit the range of your wireless broadcast to the offices you are in. Wardrivers love to be able to sit in a car in your parking lot, and crack your system at leisure.
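The checklist in that answer (encrypt the air, change the factory name and admin password, keep the signal inside the building) is easy to audit mechanically. The script below is an added example written for this page, not code from the post or from the pages it links to. The configuration format is a constructed dictionary rather than any real router's export, the factory SSID and password lists are illustrative, and the 15 dBm transmit-power limit is an arbitrary placeholder. One assumption differs from the 2005 text: the hardened sample uses WPA2 rather than WEP, because WEP has since been shown to be cryptographically broken.

```python
# Added example (not from the original post): audit an access point's
# settings for the weak defaults the post tells you to fix. The config
# is a constructed dict; real routers export their settings differently.

# Illustrative lists, not an authoritative catalogue of vendor defaults.
FACTORY_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}
FACTORY_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}


def audit_ap(config: dict, max_tx_power_dbm: int = 15) -> list:
    """Return one finding per weak setting; an empty list means the
    configuration passes every check this script knows about."""
    findings = []

    # Confidentiality: traffic must be encrypted on the air.
    enc = config.get("encryption", "none").lower()
    if enc == "none":
        findings.append("encryption disabled: anyone in radio range can read traffic")
    elif enc.startswith("wpa") and len(config.get("wifi_key", "")) < 12:
        findings.append("wifi_key shorter than 12 characters: cheap to guess offline")

    # A factory SSID advertises the router model and that nobody set it up.
    if config.get("ssid", "").lower() in FACTORY_SSIDS:
        findings.append(f"ssid {config['ssid']!r} is a factory default name")

    # Default admin credentials let anyone in range reconfigure the router.
    if config.get("admin_password", "") in FACTORY_ADMIN_PASSWORDS:
        findings.append("admin_password is blank or a factory default")

    # Limit range: a loud transmitter reaches the parking lot.
    power = config.get("tx_power_dbm", 0)
    if power > max_tx_power_dbm:
        findings.append(f"tx_power_dbm {power} exceeds the {max_tx_power_dbm} dBm limit")

    return findings


# Constructed sample: a router still on factory settings...
WEAK_CONFIG = {
    "ssid": "linksys",
    "encryption": "none",
    "wifi_key": "",
    "admin_password": "admin",
    "tx_power_dbm": 20,
}

# ...and the same router after the post's advice has been applied.
HARDENED_CONFIG = {
    "ssid": "front-office-net",
    "encryption": "wpa2",
    "wifi_key": "a long unique office passphrase",  # 31 characters
    "admin_password": "L0ng-unique-admin-pass!",
    "tx_power_dbm": 12,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_ap(cfg) or ['no findings']}")
```

Run against the two constructed configurations, the factory-fresh one produces four findings and the hardened one none. The checks are deliberately conservative: the script only flags settings that are clearly wrong, so a clean result means the obvious mistakes are gone, not that the network is secure.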
Q: Integrity seems important.
A: It is! One of the favorite tricks of malicious users is to change stuff around, which is pretty funny unless it is your customer information, patient health records, or your website being changed. A strong password policy is the least you can do. Couple this with biometrics like fingerprint scanners or tokens like smartcards and you will be killing two birds with one implementation--- your personnel will have access and non-personnel won't.
Q: Fine. So how do I do all this?
A: Here is one of my favorite sources--- The Unofficial 802.11 Security Web Page. If this seems too much for you, consider hiring a consultant. Your network can be hardened by a pro in a surprisingly short time, and the cost of the hired gun is far less than you might think. Especially if someone gets into your system and changes your order forms so they point to something that would make your Marine Corps DI blush.
