Public security slip forces Georgia Capitol to lock down WLAN

By Andrew R. Hickey, News Writer 07 Mar 2006 | SearchNetworking.com

News on networking, mobility and voice Digg This!     StumbleUpon     Del.icio.us

Having the security flaws of your wireless LAN outed on the local TV news is never good; just ask the folks at the Georgia State Capitol building.

Back in 2002, a local television exposé of unsecured networks pointed a finger right at the Capitol.

"What happened was … one of the TV stations here in Atlanta was driving around in a van to see if they [could] hack into these wireless networks," said Michael Clark, of the Georgia Technology Authority (GTA), the IT group charged with the state's government networks and systems. "And they came upon the State Capitol."

The network wasn't secure, and the local TV stations and newspapers let the public know, broadcasting that pretty much anyone could get onto the network from close range. In response, the WLAN was immediately shutdown, Clark said.

So when the staff at the Capitol building started investigating the idea of deploying a wireless network late last year, the GTA had to make sure everything was secure. The WLAN was requested by Gov. Sonny Purdue's administration, which wanted the ability to take laptops with them wherever they went within the building -- from offices, to conference rooms to other areas.

"There were several issues, and security was obviously paramount," Clark said. "[The governor and his administration] didn't want the signal to leak outside the building."

Sounds easy enough, considering the Georgia State Capitol, built mostly from marble and granite in 1889, is essentially a fortress with walls three feet thick originally designed to withstand cannon fire.

But, ironically, those same walls presented a difficult challenge during this era of civil peace in Georgia. Waves from the access points used to design the network could not permeate them. That problem was solved with some creative adjustments in access point location, but still, the number of access points was also unsettling, because their visibility could invite unwanted network guests.

"There are so many people in and out all the time," Clark said. "We didn't want [the access points] to be obvious to anyone. We tried to make them as inconspicuous as possible" for security reasons.

Related stories Find out how Continental secured its network Check out an exclusive story on WLAN security Think you know it all? Take a wireless LAN quiz

Because of the Capitol's unsecured high-tech history, Clark and the GTA are somewhat tightlipped about the security measures taken to lock down the network, but Clark stressed the new set-up won't be seen on the 11 o'clock news any time soon. While the configuration is a secret, the main protection is delivered through AirDefense Enterprise, a wireless intrusion prevention system, along with access points from Cisco Systems Inc.

"We used sophisticated security procedures and measures to make sure only people who are supposed to be on the network can get onto the network," Clark said. Those measures involve the ability to block unwanted users or sniff them out and bump them off the network if they -- by some stroke of luck -- manage to get on.

Eric Ahlm, director of emerging technologies with security consulting firm, Vigilar Inc., which handled installation and planning, called the Capitol's implementation a challenge because of the obvious need for 100% security and a "very aggressive" timeline to get everything installed.

"[IT] kind of learned a lesson the hard way. They basically ripped out everything they had and replaced [the entire wireless network]," he said, noting the added challenge that the team installing the network could only work weekends and off hours to avoid disturbing state business. Plus, Gov. Purdue wanted a quick turnaround, so the network had to be up and running within a few weeks.

Vigilar's Ahlm said his company provided a wireless access-point architecture review, product tuning, security consulting and training. Once the network was in, Vigilar tested its security by trying to hack in. After the follow-up risk assessment and some fine-tuning, it was ready to go.

AirDefense, on its end, added in the company's wireless intrusion prevention system, AirDefense Enterprise. The system monitors all 802.11 activity and correlates events across the WLAN. It detects unwanted traffic and protects the network from wireless threats and unauthorized devices. Engineers from AirDefense also helped with the architecture review, testing and tuning of the new WLAN.

"There is a tremendous amount of critical and confidential information flying through the airwaves in the Georgia State Capitol," Richard Rushing, AirDefense's chief security officer, said in a statement. "Our challenge is to keep this information secure while enabling wireless access."

According to Clark, so far there have been no noticeable problems on the WLAN, and it appears the TV crews have stopped driving by.

"There were no significant issues during planning, implementation and testing," he said. "It was all pretty seamless. It's running smoothly."

Tags: WLAN Security,  Network Security Monitoring and Analysis,  Wireless LAN Implementation,  Wireless Network Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT WLAN Security Wireless LAN security: SonicWall joins crowded WLAN market Stolen laptop recovery using remote access and wireless network SSIDs Enterprise wireless LAN security: 802.11 and seamless wireless roaming Monitoring your network to detect rogue access points (APs) Persistent, secure connections for roaming WiMAX, 3G and 802.11x 802.11n's impact on WLAN security Set up secure wireless networks with 802.11x, access points and bridges How wireless network encryption affects signal strength, connectivity New PCI compliance rules ban WEP, tighten wireless LAN security How to avoid the WPA wireless security standard attack Network Security Monitoring and Analysis Where can I find a sample security audit report? How can I run my own? The firewall remains the network traffic cop, but its role is changing Troubleshooting VLANs: How to monitor 802.1q tagged traffic Poor data-loss prevention practices almost cost Intel a billion How can I block my competitor's IP address range from my website? Hospital gains network visibility by convincing vendors to collaborate What software monitors and locks users from accessing my router? Data leak prevention starts with trusting your users NagVis -- 'Nagios: System and Network Monitoring, Second Edition,' Chapter 18 What is a genetic algorithm and where can I learn more about them online? Wireless LAN Implementation 802.11n wireless LAN access point market: Who's really in second place? Wireless LAN security: SonicWall joins crowded WLAN market Stolen laptop recovery using remote access and wireless network SSIDs Distributed antenna systems and WLAN: A network management burden Wireless AP SSID and channel configuration for a distribution network Solid 802.11n deployment prepares medical center for future demands How 802.11n wireless APs in Greenfield mode affect nearby networks How to create a Wi-Fi hotspot Beamforming, RF management key to 802.11n wireless LAN success Set up secure wireless networks with 802.11x, access points and bridges

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary deep packet inspection (DPI)  (SearchNetworking.com) FCAPS  (SearchNetworking.com) Nessus  (SearchNetworking.com) netstat  (SearchNetworking.com) port mirroring  (SearchNetworking.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary