Muni Wi-Fi could cause headaches
Municipalities nationwide, including Chicago, Philadelphia, San Francisco, and Washington D.C., have announced plans to build citywide, public, open-access 2.4 GHz Wi-Fi networks for local government use and provide affordable high-speed Internet access to citizens. However, the large-scale deployment of muni networks could cause significant security and management heartburn for any business that handles confidential information, including financial, health care and legal firms.
“You’re in an office in San Francisco in the middle of a muni Wi-Fi network,” said Amit Sinha, chief technology officer for AirDefense. “[As an employee there with a wireless laptop,] suddenly, I can bypass completely all of the existing security and monitoring on the corporate network.”
The largest concern is the ability to compromise the security of the corporate local area network (LAN) regardless of how it is set up. “Even if you have a policy of no Wi-Fi [usage], suddenly Wi-Fi is available on the lamp pole outside. … If you’ve got wireless or not, you’re screwed. People who don’t have wireless haven’t thought through the [security] problems.”
A wireless laptop computer without adequate security software can be subverted and turned into an unprotected “bridge” between a secure corporate network and a muni Wi-Fi network, bypassing firewalls and any physical control of the network. A machine could be physically plugged into the corporate LAN with a cable, have a Wi-Fi connection enabled and then seamlessly pass corporate data traffic to and from the muni Wi-Fi network without the computer’s owner knowing about it, thereby allowing a hacker to gain access though the publicly operated Wi-Fi network.
Furthermore, a muni Wi-Fi network is going to have little security.
“These networks are designed for easy access,” Sinha said, “They have the lowest-common-denominator [for security]. Hackers know that.”
Older and/or less expensive Wi-Fi equipment likely will be used for muni networks in order to limit costs and provide affordable “dumbed down” network security, so called because it doesn’t incorporate the latest advanced authentication and encryption standards. Consequently, personal firewalls will become mandatory for businesses, said John Girard, Gartner Group vice president.
“Sure, there is a possibility of setting up a bridge condition [on a Wi-Fi-enabled laptop,]” he said. “Does the average person do it? No. Can malicious code do it? Yes.
“We tell people they have to have personal firewalls installed on any wireless device. A good personal firewall with the appropriate [setup] will only allow one network connection at a time, so you can’t be connected to a second [muni] network and the corporate network.”
A more likely problem is a powerful municipal Wi-Fi network “bleeding through” from outside a building, causing interference problems, Girard said.
“You run into channel problems as you get denser and denser [usage],” he said. “[If] you use adjacent [RF] channels, interference becomes more possible. It’s also possible the same Wi-Fi channel you want to use is suddenly in use on the pole outside.”
Muni Wi-Fi builders are aware of the potential for RF interference, and some are taking precautions so it doesn’t interfere with businesses — and possibly some of their own plans.
“You install this … mesh network, what you’re doing is chewing up the available spectrum,” said John Howard, a contractor who has built Wi-Fi networks for the city of Phoenix and other Arizona municipalities. “Not only are you going to clobber your applications, but [you are going to] potentially create interference for your corporate neighbors … You need to have an overall RF infrastructure, talk to all your business leaders and figure out what to do.”
The city of Phoenix has specified a directional broadcast philosophy rather than a mesh network in building its network to minimize interference, in part to mitigate the potential for disrupting with the city’s Wi-Fi traffic management system.
Security-conscious companies may find they already have a tool to help with interference problems.
“Any company that has invested in a wireless intrusion detection/prevention system will be able to determine if the muni network is causing interference,” Girard said. “If you have one of those products in place, one of the advantages you get is you can see all the [Wi-Fi] traffic, determine the relative traffic and where it’s coming from. It also helps to knock on your neighbor’s door to coordinate frequency usage.”
|Rogue devices||Unauthorized wireless devices-signals bleed around physical walls and firewalls|
|Associations||Accidental, malicious or peer-to-peer/ad hoc. VPN/authentication don’t help|
|Intruders or hackers||They can launch attacks (DOS, identity theft)|
|Bridging wireless laptops||Opens back doors and exposes wired network|
|Wireless phishing||This can hijack users (AirSnarf, Hotspotter, Evil Twin)|
|Muni Wi-Fi||Users connecting to “Rogue AP” or others bypassing security|