675.28.7

15 April 2004

Final Draft

Working Paper on potential privacy risks associated with wireless networks.

Main Recommendations.

- adopted at the 35th meeting, 14-15 April 2004 in Buenos Aires -

Wireless communications offer many benefits, such as portability and flexibility, increased productivity, and lower installation costs, and are becoming increasingly popular. Wireless technologies cover a broad range of differing capabilities oriented toward different uses and needs. Wireless local area network (WLAN) devices, for instance, allow users to move their laptops from place to place within their offices or homes without the need for wires and without losing network connectivity.

Ad hoc networks, such as those enabled by Bluetooth, allow data synchronization with network systems and application sharing between devices, and eliminate the need for cables for printer and other peripheral device connections. Handheld devices such as personal digital assistants (PDA) and mobile phones allow remote workers to synchronize personal databases and provide access to corporate services such as e-mail and Internet access. Wireless technologies offer the prospect of greater functionality in the future.

However, there are risks associated with the use of wireless technology, in particular because the technology’s underlying communications medium, the airwave, is open to intrusion unless appropriate security precautions are taken.

These risks include:

Bypassing of corporate firewalls and e-mail filtering by wireless users also connected to corporate networks, leading to loss of protection from virus attack and spam;

Eavesdropping of personal communications and undetected connections between wireless network users, especially in public places;

The Working Group calls upon the IEEE Task Group and the Wi-Fi Alliance as well as the vendors involved in wireless products to give data security and privacy matters a high priority in the current and future development of wireless technology.

Recommendations

A) Risk Analysis and Desired Security Level

Wireless network managers should be aware of the technical and security implications of wireless and handheld device technologies.

Wireless network managers should perform a risk assessment and develop a security policy before considering wireless deployment in order to ensure that they have examined and can manage and mitigate the risks to their information, system operations, and continuity of operations.

Wireless network users should be made aware of the technical and security implications of wireless and handheld device technologies.

For their own concerns, all users should perform a personal risk assessment before purchasing, using or running wireless technologies and services, because their own personal security requirements will determine which products or services should be considered.

B) Network Parameter Settings

Wireless network managers should carefully plan the deployment of wireless technology and set appropriate parameters on devices in order to guarantee both network functionalities and service security. In particular, passwords should be long enough and may incorporate special characters in order not to be discovered by an attack.

Users should be guided and should be made aware of how to configure wireless devices to ensure a high level of security and confidentiality.

C) Security management

Wireless network managers should establish security management practices and controls to maintain the security of the wireless network.

Wireless network managers must routinely test the inherent security features, such as authentication and encryption, that exist in wireless technologies. Authentication in wireless networks is very important and could be based on stronger identification with regularly modified passwords.

Wireless network managers should inform the user of the level of security of the network and the measures available to safeguard the confidentiality of communication.

A high level of default settings should be provided.

D) Other Considerations

Providers of wireless networks should be aware of the legal requirements and that these may differ from one jurisdiction to another.

The Working Group stresses also that security concepts are difficult for users to understand. Practical application may also be difficult even for experienced IT specialists. The industry as a whole should tackle the problem at both technical and informational levels in order to enhance confidence in technology.

Service providers on the Internet, in particular web mailers, should offer the opportunity for application-level encryption (e.g. SSL).

Users should not be prevented from using pseudonymous access to publicly available services.