Network Computingwww.networkcomputing.com

Why should this be anything more than a passing curiosity to you? After all, corporate network managers have known for a while about the pitfalls of WLANs. Besides, gaining Internet access or, even worse, sniffing the traffic on the corporate WLAN probably would be much more difficult.

But even if we make the wild assumption that corporate WLANs are secure, the best IT department may not be able to stop a telecommuter from setting up a WLAN in his or her home.

Based on my short drive, I can tell you there are a lot of home-based consumer WLANs out there -- and few, if any, are the least bit secure. Having people gain free Internet access on these networks from their automobiles is the least of your problems. If someone used one of these WLANs to access corporate data, sniffing everything being transmitted would be a trivial matter. And if it's not happening at home, think about your branch offices, where, for mere petty cash, someone could set up a WLAN to access the Internet from a conference room or add new network connections without the help of IT. In this situation, all the corporate data on the network is fair game for another building tenant or someone sitting in the lobby or the parking lot.

Sure, you can use WEP keys and hide the SSID, for example, to thwart a casual hacker from gaining access. But the odds that a typical telecommuter or a branch office worker setting up a "midnight network" will pay attention to these measures are dismal at best. Besides, even WEP keys can be broken. I can hear you now: "I have nothing to worry about because I set up a SOHO firewall/VPN gateway right in the telecommuter's home or at the branch office." Think again.

Everything behind the firewall/VPN is wide open. In fact, it's a lot more open than your Internet traffic would be without the VPN box, because the VPN box is not encrypting the traffic on the wireless network. At least in the case of Internet traffic, sniffing can be done only by those with access to ISP networks. You may be safe if you're using properly configured client-based encryption like IPsec, but you still need to make sure all the data you want encrypted is getting encrypted. You should put a personal firewall on the client as well -- better yet, get one that's centrally managed.

Remember, viewing wireless data is fairly easy. All you need is an analyzer, which costs a few thousand dollars -- or Ethereal's free analyzer, a laptop, a wireless card and maybe a car.

I hope you already have WLAN policies in place and are auditing your sites on a regular basis for rogue WLANs. Of course, branch offices are a lot more difficult to manage, but, depending on how many you have and how scattered they are, it may be possible to audit them as well. However, auditing your telecommuters is an entirely different matter. Yes, installing and managing client-based encryption, like IPsec, can be painful, but not when you compare it with the alternative of wardriving your telecommuters' neighborhoods to check up on them.