September 15, 2010, 10:40 AM — Wi-Fi support has made its way into all kinds of consumer devices -- from smartphones to gaming consoles, cameras, DVD players and televisions -- and it is often implemented with native connection sharing capabilities. While great for consumers, this creates security and performance issues when any of these devices end up at work.
This article looks at three of the challenges consumerization presents to IT administrators. Further, it identifies some best practices that enterprise teams can implement to mitigate the problems.
1. Wireless intrusion points: Before wireless commoditization, wireless intrusion points in an enterprise were mostly limited to specific hardware such as wireless bridges and NAT/routers. One had to physically connect such a device to a network to create an intrusion point (the exception being "soft AP" functionality available with a few add-on Wi-Fi cards on Linux/Windows).
Things have changed dramatically with the virtual Wi-Fi feature introduced in Windows Vista and Windows 7. Now almost any innocuous wireless notebook can become a threat to your security.
With virtual Wi-Fi, it is not only easy to set up a "soft AP" using the built-in Intel Centrino wireless adapter, but it is also possible to enable simultaneous client and AP mode operation. Moreover, free tools such as Connectify enable this configuration in just a couple of clicks.
Virtual Wi-Fi creates a wireless hotspot by "bridging" communication between two wireless interfaces on a host -- one that is used for client operations and the other that is used for AP operations. Note that the AP mode operation is very similar to that of a network address translation (NAT) AP.
Further, insecure Wi-Fi configurations such as Open and WEP are also allowed while creating virtual AP profiles. Thus, unauthorized users (ghost riders) can possibly piggyback behind authorized or guest users in your enterprise. This can pose a serious threat to enterprise security.
Realize that enabling 802.1X port control on your Ethernet ports will not block this threat for the simple reason that there is no unauthorized port to block. Further, network-access control cannot block such devices as they are hidden behind the NAT functionality of your authorized wireless client.
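Because neither 802.1X on the wired port nor network-access control sees the devices hidden behind the soft AP's NAT, the practical control is on the authorized client itself. The following is an added example, not code from the article, showing how an administrator could audit a Windows 7 endpoint for the virtual Wi-Fi "hosted network" and disallow it. It assumes the built-in `netsh wlan` command set, an elevated PowerShell session, and English-language netsh output (the `Mode` and `Status` labels are matched by name, so localized builds would need the patterns adjusted).

```powershell
# Added example (not from the article): audit a Windows 7 endpoint for the
# virtual Wi-Fi "hosted network" (soft AP) and disallow it if it is permitted.
# Assumption: 'netsh wlan show hostednetwork' prints lines of the form
#   Mode   : Allowed | Disallowed
#   Status : Started | Not started
# Run from an elevated PowerShell prompt.

function Get-HostedNetworkState {
    $out = netsh wlan show hostednetwork 2>&1
    $mode   = $out | Select-String -Pattern '^\s*Mode\s*:\s*(.+)$'   | Select-Object -First 1
    $status = $out | Select-String -Pattern '^\s*Status\s*:\s*(.+)$' | Select-Object -First 1
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Mode     = if ($mode)   { $mode.Matches[0].Groups[1].Value.Trim() }   else { 'unknown' }
        Status   = if ($status) { $status.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }
    }
}

function Disable-HostedNetwork {
    # Stop a running soft AP first, then prevent the hosted network from
    # being started again on this machine.
    netsh wlan stop hostednetwork | Out-Null
    netsh wlan set hostednetwork mode=disallow | Out-Null
}

$state = Get-HostedNetworkState
$state | Format-List

if ($state.Status -match 'Started') {
    Write-Warning "$($state.Computer): a virtual Wi-Fi soft AP is currently running."
}
if ($state.Mode -match '^Allowed') {
    Disable-HostedNetwork
    Write-Output "Hosted network disallowed on $($state.Computer)."
}
```

Collecting the `Mode`/`Status` object from each managed endpoint gives an inventory of where a soft AP is possible or active, which is the visibility the NAT otherwise takes away from the network side; because third-party hotspot tools on Windows 7 build on the same hosted-network feature, setting the mode to `disallow` should cover them as well as the built-in configuration.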