|
Wireless LANs are intrinsically more vulnerable than wired LANS; in the words of hacker Johnny Cache, WiFi device drivers “. . .have the distinction of exposing a connectionless layer 2 attack surface to all devices in close proximity.” A survey of networking and business technology organizations released in July 2006 by Gartner showed that “60 percent of respondents do not believe they have adequate security for their wireless environment.” But the explosive popularity of WiFi indicates that for many users the trade-off is worth it. And the trade-off may not be as bad as people apparently fear.
As with so many security issues, the vast bulk of realworld WiFi vulnerabilities are due to lack of basic hygiene. A wireless network that properly implements the authentication and encryption provided by 802.11i is effectively immune to casual attacks.
But the mobile working style encouraged by WiFi means that PCs must be able to connect to the corporate LAN from anywhere on the Internet. This requirement is amplified by Fixed-Mobile Convergence, with the expectation that you will be able to make a voice call through the corporate PBX no matter where you are in the world on any WiFi network. Similarly, it makes sense for a corporation to let visitors access the Internet through the campus WLAN. This implies some kind of open access facility for corporate WiFi networks. Furthermore, in this day of increasing outsourcing of IT functions, your corporate IT services are as likely to be located on a server farm in Oregon as on your company premises, so the concept of a “Local” area network is being diluted on the services side as well.
Putting these notions together, we come up with a seductive notion: all our client devices have to be hardened to the point where they can safely sit on the open Internet, and the internals of our corporate LAN have to be hardened to the point where it can handle potentially hostile devices on the premises. Our servers may not be on our premises, and our services may not be on our servers. So isn’t it redundant to shelter our corporate LAN from the Internet with a secure perimeter?
This is the radical idea proposed by the Open Group’s Jericho Forum (www.opengroup. org/jericho/index.tpl). Needless to say, it is a highly controversial proposal. But the Jericho Forum has an impressive list of members, some of whom who have already started to walk the talk. For example, in February 2006 BP (British Petroleum) reported that it had moved 18,000 of its 85,000 client PCs to this “deperimeterized” model, leaving them connected directly to the Internet even when they are located in the office. The movement is also influencing corporations that are not formal members of the Jericho Forum. Toyota Europe is on the record as an advocate of deperimeterization.
The obvious counterargument to the idea of deperimeterization is to combine the hardened clients and hardened server farms with the hardened perimeter and get the best of both worlds, with “strength in depth.” But this brings us back to the realm of trade-offs. The most zealous advocates of deperimeterization point out that firewalls promote a false sense of security, that they are a barrier to rapid service deployment, expensive to maintain, and that if each network node is adequately secured, then firewalls constitute redundant system complexity.
It will be interesting to see how it pans out. Market forces are making it an increasingly urgent issue. WiFi equipped notebook computers are rapidly displacing desktops, and dual mode phones will soon add hundreds of millions of wireless clients to enterprise networks worldwide. All these clients will be highly mobile, and expect full access to corporate services via the Internet.
Michael Stanford has been an entrepreneur and strategist in Voiceover- IP for over a decade. His strengths are technical depth, business analytic skills and the ability to communicate clearly. Michael has founded, run, and successfully sold two software companies. The first (Lucid Corporation) developed software for hand-held computers; the second (Algo Communications) developed application software for telephony. Algo was ultimately acquired by Intel, where he subsequently spent six years as a senior manager, ending up as the Director of VoIP Strategy for the Digital Enterprise Group.
In his current consulting practice, Michael specializes in Voice over IP on wireless networks, both WiFi and WiMAX. The October, 2006 issue of Internet Telephony Magazine recognized him as one of “The Top 100 Voices of IP Communications,” and the November 2006 issue of VoIP News named him one of “The 50 Most Influential People in VoIP”.
|
