Contact:[email protected]
by William Sieglein, Senior Security Engineer, Fortrex Technologies [ November 28, 2000 ] Q: I wish to know more about the security threats in the wireless area, and I also want to know how dangerous these threats are. What types of skill sets are required to deal with wireless security threats? I wish to pursue a career in this area. What should one learn in order to become a wireless security professional? - Vivek Kashyap A: You're either the pioneering type, or you're thinking this is the next big wave and you want to get rich as a wireless security consultant. Actually you might be both. Wireless technology is not brand-new; neither are the threats associated with it. We've all heard about cases of cell phone cloning and the incredible costs this brings to the industry. But now we're talking about sending data over wireless networks -- potentially sensitive data. We're opening up our trusted intranets to the public Internet. Of course, we're already doing that over the wire-based Internet. But our mobile friends need it via the airwaves. Is wireless any more dangerous than traditional wire-based networking? The definitive answer is yes, it very possibly is. Wireless is just another medium for getting data packets from point A to point B. The wireless architecture provides possible points of attack against the portable device (phone, PDA, laptop and so on), the wireless network and the wireless gateway. Portable devices are vulnerable to DoS attacks, malicious code, theft and compromise. Their packets, in transit over the wireless network, are vulnerable to interception, modification and replay or fabrication. Finally, the wireless gateways are potentially vulnerable to DoS attacks and compromise. Does this mean there are "whackers" (wireless hackers) looming in the shadows, waiting to pounce? Although there are no well-known incidents of major attacks against wireless technology to date, there are ongoing discoveries by research organizations and development companies that expose weaknesses. So far, wireless technology providers have been less than serious about closing these holes, primarily because the demand for wireless technology is still modest. But rest assured that as wireless picks up steam, these attacks will increase and the technology firms will provide more solutions. You must keep this in mind as you educate yourself about wireless security: Nothing in the real world happens in a vacuum. You can't just look at a single solution to solve your security issues. You have to consider the entire IT infrastructure when designing security solutions. Putting up a WAP gateway is much like putting up a Web-based application server. It usually exposes some portion of your back-end, trusted infrastructure. So you must consider the entire solution, end to end, and ensure that security addresses these vulnerabilities at all points. Merely encrypting the link or requiring the user to authenticate is not enough. You must consider intrusion detection, anti-virus, firewall configuration, DMZ architecture, user authorization, access controls and logging. I recommend that you become proficient in information security, with an emphasis on wireless security technology. Wireless certainly holds promise but, like all technologies, it will be superseded by another, even cooler technology before you know it. Back to the Index