Selasa, 23 Mei 2006

Wi-Fi can cause big trouble--and you may not even know it. Here's how to keep the hackers at bay.

Going wireless offers a panoply of attractive benefits to school districts. Because you don't have to run cables to every classroom, it's cheaper to deploy a wireless network than an old-fashioned wired network. Wireless makes it more convenient for administrators, teachers and students to connect.

But there's a perilous downside: A wireless network is easier for hackers to break into. Without the proper security measures, going wireless means opening a gaping hole in your computer systems' defenses.

Worse, you may already have a wireless security problem-even if your technology staff hasn't deployed a single wireless access point. At many school districts, parents and teachers have installed unofficial Wi-Fi hotspots that connect to the school's existing wired network. (Wi-Fi, short for "wireless fidelity," is the trade name for a family of wireless networking standards.) In so doing, they may have inadvertently compromised the school's network, and your district's IT staff may be none the wiser.

Rogue Hotspots
Charlie Garten, the former chief information officer for the Poway Unified School District in southern California, says his district's struggles with Wi-Fi security began as early as 2002. "We weren't surprised that there were ways to jump over our firewall using wireless," says Garten, who retired in 2005. "We were caught a little bit by surprise by the number of rogue access points that had been plugged in." In some cases, his staff would receive complaints about network slowdowns at a school; on investigating, they would find as many as 10 Wi-Fi hotspots that had been installed without the IT department's knowledge. "Well-meaning people wanted to get more access for the kids, but they didn't understand all the consequences of just throwing in a bunch of wireless access points," adds Garten.

In the Palo Alto (Calif.) Unified School District, the security holes introduced by rogue hotspots had a much more public and embarrassing effect. Located in the heart of tech-savvy Silicon Valley, Palo Alto's parent community includes many people who work for companies that supply Wi-Fi equipment. As a result, these parents brought wireless networking into their children's schools at a very early stage.

"We had open networks. When they were first installed, folks could sit in the parking lot if they wanted to get some access," says Marie Scigliano, the director of technology for the district. Scigliano's staff was aware of the security problem but hadn't been able to address it completely when, in the summer of 2003, a local reporter found that she could access the district office's network through an unsecured Wi-Fi connection. Worse, the reporter was able to log on to the student information system and download students' grades, phone numbers, home addresses, medical information, psychological evaluations and even full-color photos.

The district quickly took the network offline and began correcting the problem, according to Scigliano. "We came back up with secure networks, logons, authentication and so forth," she says. However, the story received wide national coverage-thanks in part to the severity of the breach-causing a significant public relations problem for the school.

While the reporter didn't publish or alter student records, press reports noted that it would have been easy for her to do so, if she had been a more malicious hacker. That in turn would have exposed the district to serious liability problems and could possibly have put its students in danger.

Steps for Safer Wi-Fi Wireless doesn't have to be a security nightmare. Here are some tips from Brian Hernacki, an architect with Symantec Research Labs, on how you can keep your Wi-Fi network safe and sound: Turn on encryption Set your network to use Wired Equivalent Privacy or even stronger Wi-Fi Protected Access encryption, which encodes every transmission on the network, making it harder for hackers to "sniff" the data as it goes by. Neither form of encryption will keep hackers out entirely, but they set the bar a lot higher. If you use WEP, make sure you use a 128-bit key, which requires a 26-character pass phrase. WPA is harder to crack and uses easier-to-remember passwords for access, so it's a better choice if your equipment supports it. Limit access Wi-Fi networks can be configured to accept connections only from certain computers, using those computers' Media Access Control addresses, a unique number that's attached to the network adapter in every piece of networked equipment. MAC addresses are difficult to spoof, so limiting access to certain MAC addresses helps you ensure that you control who's on your network.

On the down side, you need to maintain an up-to-date list of permitted machines. Require usernames and passwords Configure your network so that users can gain access only with the proper username and password. If you issue unique usernames to each student, teacher and administrator, you'll be able to track any misuse of the system. Because people may share passwords with each other, be sure to change these every month or every quarter. Keep the network inside By carefully locating Wi-Fi routers and using directional antennas (which focus the signal in a particular direction), you may be able to limit the accessibility of your network outside school grounds. This will make it harder for hackers to do their dirty work unobserved. Turn it off at night Turning off the Wi-Fi network after-hours means that hackers will need to make their intrusion attempts during the day, when they're more likely to be noticed by staff or students. Educate your staff Make sure teachers and administrators are aware of the security risks of using Wi-Fi. For the maximum security, permit access to student information systems (such as grades databases) via wired networks only, and ensure that computers connecting to these systems do not also have Wi-Fi capability.