By Joseph C. Panettieri
This article appears in the Spring 2007 Issue of MuniWireless Magazine.
Hackers will surely target public broadband networks. Here’s how to safeguard your systems.
How are you going to secure that network?
That’s often the first question facing municipal chief information officers as they formulate their public broadband strategies. “It’s one of the first issues I heard from our mayor, and it’s something we took very seriously as we prepared our RFP for public broadband,” says Hardik Bhatt, CIO of the City of Chicago.
While security solutions vary, most municipalities agree that they face a two-fold security challenge. First, they must secure city-operated applications. Second, they must consider their role in protecting residents and businesses that use public broadband for Internet access.
While licensed-spectrum networks such as cellular systems are well defended, WiFi systems are based on commodity hardware and software that can be easily attacked. Without proper safeguards in place, municipalities and broadband users could be in for a rude awakening.
More than 40 million U.S. users had problems associated with Internet security in 2006, according to Gartner Inc., the technology research firm in Stamford, Conn. Businesses and government agencies have also come under attack. The Internet is still buzzing about a $1 million online banking theft in January that was traced to an alleged hacker in Russia. And in October, a Web site operated by DuPage County, Ill., was hacked during local elections‚Äö?Ñ?Æraising concerns that cyber prowlers will increasingly target e-government applications and public broadband systems.
“Unfortunately, the popularity of WiFi is probably growing faster than the awareness of the associated risks, so the number of unprotected public WiFi users is probably also growing,” says David Blumenfeld, vice president of marketing for hotspot location specialist JiWire Inc. “In the future, that trend may correspond with an increase in undesirable activity on these networks.”
The open, accessible nature of public WiFi may be its greatest advantage, notes Blumenfeld. City-provided IT security would likely add an undesirable level of complexity and inconvenience to the use of the network. “The onus is plainly on the user,” he says. “This is analogous to Internet users’ responsibility for anti-virus protection: Nobody expects the ISP to be responsible.”
“Best practices for security in a public network are quite different from a private network,” adds Dan Lowden, VP of business development and marketing at Wayport Inc., a global hotspot service provider. “In a private network, the provider can enforce very strict security policies. In a public network, the provider has to configure the system to allow any customer to connect.”
City Applications
For city services and employees, municipalities have a range of options. Chicago, for example, has already outlined some basic parameters for security, even though it is still considering the RFP submissions it received in early 2007.
For starters, all city-operated applications in Chicago will sit behind a firewall. Mobile municipal employees and contractors will require virtual private network (VPN) software to access the applications. Other cities, such as Corpus Christi, Texas, also require municipal employees to use VPN software when accessing city applications.
“Municipalities should make a virtual private network mandatory to even get attached to the network,” says Glynn Taylor, president of HotSpotVPN and WiFiConsulting, Inc. Not all cities are doing so: “The RFPs I’ve looked at are pretty slim on security requirements,” Taylor adds.
In addition to VPNs, other security options being used by cities include AES (Advanced Encryption Standard) to safeguard network backhauls, and WiFi Protected Access (WPA) to protect mobile connections, says Dennis Holmes, director of wireless services at Outsource Inc., a public broadband solutions provider. However, a newer security standard, dubbed WPA2 (WiFi Protected Access 2), has proven too complex for many cities to adopt at this time, Holmes says.
Service providers should be able to offer cities customized levels of security for each application. Moreover, the service provider should have management tools that ensure QoS (quality of service), bandwidth shaping and traffic prioritization. For instance, during a municipal emergency, voice and data traffic from first responders should be able to leapfrog all other traffic on the network, experts note.
Identity management security software is also gaining traction within state and local governments. For instance, the Michigan State Police, in conjunction with the Michigan Department of Information Technology, has developed a criminal justice portal for multiple law enforcement applications. Leveraging identity management software from Novell Inc., the portal allows mobile users to access only the areas of the portal for which they are approved.
Mobile devices with built-in biometric technology should further secure public broadband applications. Lenovo Inc., for instance, has sold more than 3 million ThinkPad laptops equipped with fingerprint readers. Many of those ThinkPads were sold to state and local government agencies, according to a company spokeswoman. Instead of memorizing and juggling numerous passwords, government workers can log onto their notebooks by simply touching their finger to the built-in reader. Lenovo acquired IBM’s ThinkPad and PC businesses in 2005.
Residential Access
As opposed to city applications, where municipalities may want to limit and manage access to the Internet, the desire to provide open public access for residents and businesses is defined by a need for broad, easy Internet access that does not have too many limits or limitations. By its nature, that type of public access pushes the responsibility for security out to end users.
“The municipal wireless networks that we have worked on for the public side are basically open,” says Jonathan Baltuch, president of MRI, the integrator for St. Cloud, Fla. “The only security that is in place between the client and the node is the blocking of peer-to-peer access. The traffic between nodes and gateways is fully secured.”
“Security of customer information is ultimately the responsibility of the end user,” adds Lowden. “No matter what measures an ISP takes to make the environment secure, the customers are responsible for protecting their computer/mobile device and sensitive information.”
That’s the situation in Corpus Christi, Texas. “With our network, users are responsible for security,” says Leonard Scott, MIS business unit manager for the city. “The system operates as an extension of the Internet. Your ISP or URL generally provides security for your access.”
Like universities, many cities are developing Web pages that show users how to safeguard their systems. In Chicago, for instance, residents who use the forthcoming network for Internet access will likely be greeted by a splash screen that outlines best practices for basic end-user security, notes Bhatt.
“The ISP should have security best practices and news about threats on the first splash page any user sees,” says Taylor.
Also, many service providers recommend that end-users’ PCs and notebooks use VPN, anti-virus and personal firewall software. They also urge users to turn off their systems’ file sharing capabilities.
Emerging Devices
While security solutions are widely available for PCs and notebooks, the growing popularity of WiFi phones, smart phones and other types of mobile devices introduces new network security risks.
More than 80 percent of smart phones and other handheld devices have no security software in place, estimates Gartner. The typical mobile email user, for instance, doesn’t activate password protection on his or her smart phone, the research firm says. Further complicating matters, hackers are now writing viruses and worms that specifically target smart phones. Anti-virus companies are responding with new software to protect these mobile devices, but Gartner says demand for such software has been soft.
As more devices attempt to access public broadband networks, users should remain vigilant.
“Any network, especially a public network, should be viewed and treated by the customer as a non-secure environment,” says Lowden. “The customer should take reasonable measures to ensure they’ve taken steps to safeguard their systems.”
No comments yet.