The fast-growing wireless LAN industry was dealt a bit of a public-relations blow last week when concerns about wireless security led a tech-savvy government research lab to pull the plug on Wi-Fi wireless. Lawrence Livermore National Laboratory (LLNL), a U.S. Department of Energy national laboratory operated by the University of California, banned the "deployment and use of all wireless computer local area networks (LANs) in LLNL's Open and Property Protection areas."
That's a real attention-getter, but there's another side to the story. When
interviewed by 802.11 Planet, an online site that reports on the wireless industry, LLNL spokesperson David Schwoegler said, "Please realize that we
have for more than a decade prohibited any RF, microwave or other technology that can transmit electronic data in our classified areas -- including cell phones. This ban simply extends that ban to other areas of the Lab while we study the issue and the technology. No incident prompted this ban. No information was compromised and only two LANs on site were impacted by the
decision."
I first learned about this incident when a friend showed me
an article in USA Today, which of course is every IT manager's definitive source for technical information on network security. The article included a reference to not only the LLNL situation, but to several other incidents as well where organizations have acted to restrain the use of wireless LAN technology. Those sites included M.D. Anderson Cancer Center, which cancelled a WLAN pilot program; Aeronautical Radio, a provider of communications services to airlines, which advised customers not to use WLANs; and the U.S. Department of Transportation, which is assessing security issues associated with the use of WLANs in airports.
The USA Today article noted that less than 10 percent of organizations
that deploy WLANs actually take advantage of the security capabilities built
into 802.11 products. And, the combination of low cost (WLAN gateway prices
are falling below $150) and easy installation (in most cases, it's
basically a plug-and-play operation and no more difficult than replacing a traditional telephone with a cordless model) means that many more organizations now have wireless systems in place. However, most IT professionals realized
years ago that plug and play and lax security go hand-in-hand.
In the case of government labs and other high-security locations, imposing
strict policies for wireless is just common sense. Clearly, if you are
concerned about nuclear secrets not falling into the hands of terrorists,
your level of concern regarding security requires the definition of
extremely rigorous standards. From a policy standpoint, management is
obliged to identify worst-case scenarios and take action to eliminate those
vulnerabilities. Prohibiting the use of WLANs in this instance is the
responsible thing to do.
The tougher issue raised by these kinds of stories relates to how IT
organizations address the deployment of WLANs in the context of their
overall risk assessment and security policies. Security always involves
delicate trade-offs between legitimate user access needs and the possibility
that sensitive information may be acquired illegitimately.
While it is always a good idea to raise awareness about security issues, it
is essential for organizations to address trade-offs within the context of a
comprehensive security policy. In other words, if contract janitors have
access to computers or paper files after work hours, that should be
addressed with at least as much energy as wireless LAN security. Placing
armed guards at the front door doesn't make much sense if the back door is
left unprotected.
RSS
