Security Safeguards Over Wireless Networks

By Joel G. Siegel, Marc H. Levine, and Roberta M. Siegel

Any business with a wireless network must ensure the integrity and confidentiality of the data transmitted over it and of the data files reachable through it. A detailed analysis of the security features of the wireless network is crucial in the evaluation and audit of any company and in an assessment of controls over the accumulation, processing, and reporting of financial data.

Wi-Fi Basics

Wireless fidelity (Wi-Fi) uses a radio signal to connect to an access point (AP or “hot spot”) that is linked to the Internet. An AP is a device that serves as a bridge between a wired and a wireless network. The term may apply to either a stand-alone AP or a router with a built-in AP.

The throughput of a wireless network depends on numerous factors, such as how a building is constructed and how far the wireless client (e.g., a notebook PC) is from the router (e.g., the base station) or the wireless AP. Attaching an antenna will extend the wireless range (coverage area) and improve the quality of the signal.

There are several options for connecting desktops to a wireless network. An expansion card with an external antenna is commonly added to a PC. An external USB device may be better, however, because it can more easily be moved for improved reception. Many users prefer to purchase the router, access point, and wireless cards from the same manufacturer.

Wireless Standards

There are currently three types of wireless standards: 802.11a, 802.11b, and 802.11g. 802.11a operates in the 5 GHz radio spectrum; 802.11b and 802.11g operate in the 2.4 GHz band. 802.11a allows more non-overlapping channels (12) than does 802.11g (three). As a result, 802.11a is more suitable for large-scale company installations: with more non-overlapping channels, more APs can operate in the same space without interfering with one another, which supports a higher density of users. 802.11a supports data rates up to 54 Mbps; 802.11b supports data rates of 1, 2, 5.5, and 11 Mbps; and 802.11g supports data rates up to 54 Mbps.

802.11a and 802.11g products share the same signal modulation approach, referred to as orthogonal frequency division multiplexing (OFDM). 802.11b products use a less efficient technique called direct-sequence spread spectrum (DSSS), which gives them lower throughput.

802.11g was approved on June 12, 2003, by the Institute of Electrical and Electronics Engineers (IEEE), an organization that establishes computing and communications standards. This standard enables the connection of more computers to an AP and makes it easier to transfer larger files. 802.11g has data rates higher than 802.11b, but similar to 802.11a.

802.11g is about five times faster than 802.11b and has a much better throughput. Typically, an 802.11g product can accomplish a throughput of 15 to 20 Mbps within 60 feet of the AP. On the other hand, 802.11b products can achieve only 6 Mbps at this distance. Note that the throughput of 802.11a is similar to that of 802.11g, but at significantly reduced distances.

One advantage of 802.11g is that it is compatible with 802.11b, allowing both clients to share the same wireless network. 802.11g performance declines, however, when 802.11b clients are part of the same network. Some products have a “g-only” mode that enables maximum throughput by excluding 802.11b clients from the network.

802.11i (its Wi-Fi Alliance certification is referred to as WPA2) is a proposed IEEE standard that would provide greater security features to wireless local area networks, including stronger encryption based on the AES cipher (CCMP) in place of the RC4-based WEP and TKIP. It will, however, require significantly more processing power, which is why it generally calls for new hardware rather than a firmware upgrade. The standard is expected to be finalized and ratified by mid-2004.

802.11e is another proposed standard expected to be approved in the short term by the IEEE. 802.11e defines quality of service levels for data, voice, and video transmitted over a wireless network, considered important for providing services such as telephony and videoconferencing.

Security and Safeguards

Transmissions over wireless networks can be received by any suitable device within radio range; unlike a wired network, no physical access to the premises is required. If a network intruder is able to attach to an unsecured AP, she can get access to the wireless network and the Internet connection.

Media-access control (MAC) address filtering can be used to limit access to only identifiable network cards with approved MAC addresses. A MAC address is a hardware identifier assigned by the manufacturer to each network interface. This control is not foolproof, however, because MAC addresses are transmitted in the clear in the header of every frame, even when the frame body is encrypted, so an intruder within range can read an approved address and configure her own card to use it (spoofing).
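The following added example (it is not from the article) parses the MAC header of a constructed 802.11 data frame and applies a MAC-address allowlist the way a filtering AP does. It shows both points above: the transmitting station's address is readable by any receiver even when the Protected Frame bit says the body is encrypted, and an intruder who copies an approved address is admitted by the filter. All frame bytes, MAC addresses and the allowlist are constructed for this example.

```python
"""
Added example (not from the article): parse the MAC header of a
constructed 802.11 data frame and apply a MAC-address allowlist the way
a filtering AP does.

It shows two things the text states:
  * station MAC addresses travel in the clear in every frame, even when
    the body is encrypted (the Protected Frame bit covers the body only);
  * an allowlist keyed on those addresses is defeated by a client that
    copies an approved address (spoofing).
All frame bytes and addresses below are constructed for this example.
"""
import struct

# Frame Control field layout (IEEE 802.11): octet 0 holds version/type/
# subtype, octet 1 holds the flags.
FC_TYPE_DATA = 0b10
FLAG_TO_DS = 0x01
FLAG_PROTECTED = 0x40        # "Protected Frame" (formerly WEP) bit

AP_BSSID = bytes.fromhex("aabbccddeeff")          # constructed
APPROVED_NOTEBOOK = bytes.fromhex("001122334455")  # constructed
INTRUDER_CARD = bytes.fromhex("0a1b2c3d4e5f")      # constructed

# Allowlist as configured on the AP (constructed)
APPROVED_MACS = {"00:11:22:33:44:55"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_data_frame(transmitter: bytes, protected: bool) -> bytes:
    """Constructed station-to-AP (To DS) data frame.

    Address 1 = BSSID (receiver), Address 2 = transmitting station,
    Address 3 = final destination (here the AP itself).  The 16-byte body
    stands in for an encrypted payload and plays no part in filtering.
    """
    flags = FLAG_TO_DS | (FLAG_PROTECTED if protected else 0)
    frame_control = (FC_TYPE_DATA << 2) | (flags << 8)
    header = struct.pack("<HH", frame_control, 0)        # FC, Duration
    header += AP_BSSID + transmitter + AP_BSSID           # Addr1..3
    header += struct.pack("<H", 0)                        # Sequence Control
    return header + b"\x00" * 16


def parse_mac_header(frame: bytes) -> dict:
    """Read the first 24 octets of a non-QoS 802.11 frame.

    No key is needed: the header is never encrypted, so any receiver in
    range can read the addresses even when 'protected' is True.
    """
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 MAC header")
    frame_control, _duration = struct.unpack_from("<HH", frame, 0)
    frame_type = (frame_control >> 2) & 0b11
    flags = frame_control >> 8
    return {
        "is_data": frame_type == FC_TYPE_DATA,
        "to_ds": bool(flags & FLAG_TO_DS),
        "protected": bool(flags & FLAG_PROTECTED),
        "receiver": mac_str(frame[4:10]),
        "transmitter": mac_str(frame[10:16]),
        "destination": mac_str(frame[16:22]),
    }


def ap_admits(frame: bytes) -> bool:
    """MAC filtering: admit a data frame only if its transmitter is approved."""
    hdr = parse_mac_header(frame)
    return hdr["is_data"] and hdr["transmitter"] in APPROVED_MACS


def demo() -> dict:
    """Run the three scenarios and return whether each frame was admitted."""
    legit = build_data_frame(APPROVED_NOTEBOOK, protected=True)
    # The eavesdropper sniffs the (encrypted) legitimate frame and still
    # learns the approved MAC from its cleartext header.
    sniffed_mac = parse_mac_header(legit)["transmitter"]
    intruder_own = build_data_frame(INTRUDER_CARD, protected=False)
    intruder_spoofed = build_data_frame(
        bytes.fromhex(sniffed_mac.replace(":", "")), protected=False)
    return {
        "legit_admitted": ap_admits(legit),
        "header_readable_despite_encryption":
            parse_mac_header(legit)["protected"] and sniffed_mac in APPROVED_MACS,
        "intruder_own_mac_admitted": ap_admits(intruder_own),
        "intruder_spoofed_mac_admitted": ap_admits(intruder_spoofed),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The filter operates entirely on header fields, so it neither benefits from nor interferes with encryption; it is only a meaningful control where nothing stronger is in place, and it should never be relied on alone.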

Encryption is used to ensure that only authorized receivers can understand transmitted data. Typically, a key is required to encrypt and decrypt information. WPA (Wi-Fi Protected Access) is an encryption security standard for wireless networks. WPA addresses many wireless LAN vulnerabilities, including the well-known weaknesses of WEP, and significantly enhances security in a mixed-vendor environment. TKIP (Temporal Key Integrity Protocol) is an open protocol designed as an element of the 802.11i standard. TKIP includes a rekeying feature, a message integrity check, and per-packet key mixing. WPA is an industry-supported subset of the proposed 802.11i specification using TKIP and 802.1X authentication. It is designed to be forward-compatible with 802.11i.

WPA works as follows: When a client card attempts to access the AP, an authentication server (reached through 802.1X) checks the user's credentials before permitting access. After approval, the server and the client share a 256-bit pairwise master key (PMK), which is never sent over the air; the client and the AP then run a four-way handshake that derives the session keys from it, so the user can join the wireless LAN. From those session keys, TKIP's key mixing automatically produces a different encryption key for every transmitted packet.
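The following added example (it is not the article's own material) computes the key material behind a WPA session the way a client and an AP do under IEEE 802.11i. The article describes the enterprise flow, in which the authentication server supplies the master key; to run offline this example uses the pre-shared-key (WPA-PSK) variant instead, where the pairwise master key is derived from the passphrase and SSID. The four-way handshake that turns that key into session keys, and the check the AP performs on the client's handshake message, are the same in both modes. The passphrase/SSID pair is the published 802.11i test vector; the MAC addresses, nonces and handshake message bytes are constructed for this example.

```python
"""
Added example (not from the article): the key material behind a WPA
session, computed the way a supplicant (client) and authenticator (AP)
do it in IEEE 802.11i.

The article describes the enterprise flow, where an 802.1X
authentication server hands the client and AP a master key.  Here the
pre-shared-key (WPA-PSK) variant is used so the example runs offline:
the pairwise master key (PMK) comes from the passphrase and SSID
instead of from the server.  The four-way handshake that turns the PMK
into session keys is the same in both modes.  The passphrase/SSID pair
is the published 802.11i test vector; the MAC addresses, nonces and
handshake message bytes are constructed for this example.
"""
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds), 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               tkip: bool = True) -> bytes:
    """Pairwise Transient Key from the four-way handshake inputs.

    AA/SPA are the AP and station MACs, ANonce/SNonce the random values
    exchanged in messages 1 and 2.  The PMK never crosses the air; only
    the nonces do.  Sorting the inputs makes both sides compute the same
    value.  TKIP needs 512 bits, CCMP 384.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)


def split_ptk(ptk: bytes) -> dict:
    """KCK signs handshake messages, KEK wraps the group key, TK encrypts
    data; TKIP appends two 64-bit Michael MIC keys."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48], "michael": ptk[48:64]}


def key_mic(kck: bytes, eapol_frame_mic_zeroed: bytes, tkip: bool = True) -> bytes:
    """Key MIC over an EAPOL-Key frame whose MIC field is zeroed: HMAC-MD5
    for TKIP (descriptor version 1), HMAC-SHA1 truncated to 128 bits for
    CCMP (version 2)."""
    digest = hashlib.md5 if tkip else hashlib.sha1
    return hmac.new(kck, eapol_frame_mic_zeroed, digest).digest()[:16]


def ap_verifies_message2(ap_pmk: bytes, aa: bytes, spa: bytes, anonce: bytes,
                         snonce: bytes, msg2_mic_zeroed: bytes, received_mic: bytes) -> bool:
    """What the AP does on handshake message 2: recompute the PTK from its
    own PMK and check the client's MIC.  A client holding the wrong
    passphrase (hence a different PMK) fails here, before any data key is
    installed."""
    kck = split_ptk(derive_ptk(ap_pmk, aa, spa, anonce, snonce))["kck"]
    return hmac.compare_digest(key_mic(kck, msg2_mic_zeroed), received_mic)


def demo() -> dict:
    ssid, passphrase = "IEEE", "password"     # 802.11i Annex H test vector
    aa = bytes.fromhex("aabbccddeeff")        # AP MAC (constructed)
    spa = bytes.fromhex("001122334455")       # station MAC (constructed)
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Constructed stand-in for the EAPOL-Key message 2 body, MIC field zeroed
    msg2 = b"\x02\x03\x00\x75\xfe\x01\x09" + snonce + b"\x00" * 60

    pmk = derive_pmk(passphrase, ssid)
    ptk_sta = derive_ptk(pmk, aa, spa, anonce, snonce)
    ptk_ap = derive_ptk(pmk, spa, aa, snonce, anonce)     # same inputs, other order
    mic_good = key_mic(split_ptk(ptk_sta)["kck"], msg2)

    wrong_pmk = derive_pmk("passw0rd", ssid)              # client with a typo'd key
    mic_bad = key_mic(split_ptk(derive_ptk(wrong_pmk, aa, spa, anonce, snonce))["kck"], msg2)
    return {
        "pmk_hex": pmk.hex(),
        "ptk_sides_agree": ptk_sta == ptk_ap,
        "good_client_passes": ap_verifies_message2(pmk, aa, spa, anonce, snonce, msg2, mic_good),
        "wrong_passphrase_passes": ap_verifies_message2(pmk, aa, spa, anonce, snonce, msg2, mic_bad),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In enterprise mode the PMK is instead the first 256 bits of the master session key produced by the EAP method, so no passphrase exists to guess. With a pre-shared key, anyone who records a handshake holds everything needed to run `ap_verifies_message2` offline against candidate passphrases, which is why a short or dictionary passphrase undermines WPA-PSK regardless of TKIP's per-packet keying.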

In examining LANs, one should determine the existence and strength of important security features, such as 802.1X authentication, proprietary encryption/authentication, access control lists based on MAC addresses, WPA encryption, and options for closed (hidden) networks (nonpublic SSID). Note that hiding the SSID offers little protection on its own, because clients still transmit it in the clear when they probe for and associate with the network. If a company already has a virtual private network (VPN), APs should be placed outside the firewall, and VPN software on client stations should be used to tunnel into the network. Even if the network has implemented WPA, VPNs are an important complement that can provide security when workers access the company's network from less-secure public access points.

In the future, there will be advanced standards-based wireless technologies beyond 802.11, such as the 802.16a standard, which will apply to metropolitan wireless networking in the 2- to 11-GHz spectrum (see the Worldwide Interoperability for Microwave Access trade alliance at www.wimaxforum.org/home). The next generation of Wi-Fi wireless networking, expected in 2005–2006, is the 802.11n standard, which is projected to have speeds between 108 Mbps and 320 Mbps.


Joel G. Siegel, PhD, CPA, and Marc H. Levine, PhD, CPA, are computer consultants and professors of accounting and information systems at Queens College. Roberta M. Siegel is a computer consultant.

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs. Legal Notices