named for a hardware manufacturer is probably
indicative of someone who was not only too lazy
to secure the network, but too lazy to
name it; but it also could be a trick. It’s a good
idea to ask an official employee for the right
SSID. Hotels always should have this
information on hand, and the barista in the
coffee shop is probably more tech-savvy than
he looks. Piggybacking on an unsecured
residential network for free is easier than
signing up for an official hotspot, but it’s not
worth the risks.
Once connected, most commercial hotspots
will take you to a dedicated Web page for
authentication and/or billing. Tell your
employees to watch for “https…” in the Web
address or a logo that looks like a gold lock in
the right-hand corner of the page. This means
the browser is using SSL for server-side
authentication, which is a good thing. If the
connection doesn’t include a log-in page, it’s
likely that the computer is connected to the
wrong network. If you’re at a hotspot that
charges a usage fee, you probably want to avoid
entering your credit card information into a site
that does not employ SSL.
In fact, if your employees are conducting any
sensitive business transactions via the Web,
they should try to use only Web sites that
employ SSL.
There’s always the chance, however, that there
is an “evil twin” lurking about, masquerading as
the official hotspot network. Adhering to rules
1-4 should help lessen this chance.
9. Turn off the radio when you don’t need it.
Disabling ad-hoc networking should prevent a
computer from connecting to wireless
networks indiscriminately. But disabling the
radio will guarantee it. In Windows, you can do
this simply by right-clicking on the wireless
network icon in the right-hand corner of your
screen. Click disable.
WHITE PAPER: A Manager’s Guide To Wireless Hotspots — How To Take Advantage Of Them While Protecting The Security Of Your Corporate Network
Basic rules for business travelers
who want to use hotspots:
Nobody wants to think of employees as intruders,
but they can be an unintentional threat to the
network. Alas, there’s always the chance that your
employees have left their wireless radios on when
they return to the office and plug back into the
corporate network. If devices start finding Wi-Fi
networks that reside outside the office walls, they
could threaten the corporate network, forming a
bridge between the outside wireless network and
the corporate wired network. This can be a problem
even if the corporation adheres to wireless LAN
security protocols such as 802.11i, which addresses
wireless authentication. “802.11i only secures a tiny
portion of the value chain,” says Farpoint’s Mathias.
Furthermore, even if the radio on the employee’s
device is turned off, there’s a chance that the device
was infected with spyware. If devices have been
infected with malware on the road, there’s a chance
they can infect the corporate network when they
return. This is a serious problem that can cause
major headaches for network administrators. In
short, it means that viruses can be spread from the
trusted side of the corporate firewall.
Separately, there’s a possible threat from the
onslaught of municipal Wi-Fi networks, which are,
essentially, city-wide hotspots. If your corporation
sits in a city with its own Wi-Fi network, then that
network is in your air space.
One way to mitigate such threats is simply to keep
track of them with an intrusion protection system.
Motorola’s Wireless Intrusion Protection System
(Wireless IPS) is a server software sentry that
alerts the IT manager to myriad wireless network
menaces, including those caused by imprudent
hotspot users.
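
The bridging condition described above (a device plugged into the wired network while its radio is still on) can also be checked from endpoint inventory data. The following is an added example, not part of the original white paper and not how Motorola's Wireless IPS works; the record fields, SSIDs and host names are constructed assumptions.

```python
# Added example: flag endpoints that could bridge an outside Wi-Fi network
# onto the corporate wired LAN. Field names, SSIDs and records are constructed.
from dataclasses import dataclass
from typing import Optional

APPROVED_SSIDS = {"CorpWLAN"}  # assumption: the organization's own SSID


@dataclass
class Endpoint:
    host: str
    wired_link_up: bool     # plugged into the corporate wired network
    radio_on: bool          # wireless radio enabled
    ssid: Optional[str]     # SSID currently associated, None if not associated
    adhoc_enabled: bool     # ad-hoc (peer-to-peer) networking allowed


def assess(ep: Endpoint) -> list:
    """Return the findings for one endpoint (empty list means nothing to report)."""
    findings = []
    if not ep.radio_on:
        # Radio disabled: the device cannot join any wireless network.
        return findings
    if ep.wired_link_up and ep.ssid is not None and ep.ssid not in APPROVED_SSIDS:
        findings.append(f"BRIDGE-RISK: wired link up while associated to '{ep.ssid}'")
    if ep.adhoc_enabled:
        findings.append("ADHOC: ad-hoc networking enabled")
    if ep.wired_link_up and ep.ssid is None:
        findings.append("RADIO-ON: radio left on while docked")
    return findings


def report(endpoints):
    """Map host name to findings, skipping endpoints with none."""
    return {ep.host: f for ep in endpoints if (f := assess(ep))}


# Constructed sample inventory for illustration.
SAMPLE = [
    Endpoint("laptop-01", True, True, "CityWiFi-Free", False),  # outside network
    Endpoint("laptop-02", True, False, None, True),             # radio off
    Endpoint("laptop-03", True, True, "CorpWLAN", False),       # approved SSID
    Endpoint("laptop-04", True, True, None, True),              # radio on, ad-hoc
]

if __name__ == "__main__":
    for host, findings in report(SAMPLE).items():
        for finding in findings:
            print(f"{host}: {finding}")
```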