User Knowledge

In the end, the network needs to be convenient for users as well as secure. The users are the reason the network is there, and if they can’t use the network, it isn’t serving its purpose.

Security is often seen as a direct trade-off with convenience, but it does not have to be an either/or situation. If a security mechanism is difficult to use, users will seek to bypass it whenever possible. When security is bypassed, it isn’t working. So, when implementing security mechanisms, strive to make them both usable and secure. Security mechanisms don’t have to impede usability.

As an example, MAC address filtering is mostly transparent to the end user. It does not impose a burden on them, so most users are not going to try to subvert the filtering. The only time it affects them is when they need to get a new network card added to the filter lists. The burden of work (and inconvenience) for MAC filtering lies with the system administrator. Being the person who implemented the security mechanism, the system administrator will hopefully be diligent in maintaining the list of allowed MAC addresses and not try to defeat his own security mechanism.

A bad example, where security makes it inconvenient for users, is the default method of WEP-key management. The user is responsible for entering the right WEP keys into the system and keeping them up to date. A change to the keys, which should happen on a regular basis, requires every user to change settings or have someone do it for them. The shared static keys of WEP also encourage users to talk about them openly, in an effort to help other users. Automatic key distribution mechanisms and authentication systems that distribute keys help shield the user from the morass of key management and prevent problems.

Authentication systems such as captive portals and 802.1x, which are both discussed in Chapter 14, provide authentication methods to help manage identification of users in a wireless network and authorize use of services. When properly integrated, these tools can provide security that is unobtrusive to users, yet quite robust.

The security pitfalls of wireless networking underscore a problem that has not been well addressed so far: the security of client machines is just as important as the security of servers, firewalls, and networks. Even with all of the widespread worms and attacks against broadband users’ home computers, most users do not have a good handle on maintaining the security of their systems. You need to convey the importance of client security to your users and teach them the basics of host security, so that they can do their part to keep the network secure. At the same time, you should strive to take as much of this burden off the user as possible.

Wireless networks aggravate this problem, because in most cases they expose the traffic between the clients and the gateway. This exposure can give an attacker direct access to client machines without having to pass through the gateway’s firewall. VPN software, IPsec tunnels, and WEP are good tools for limiting this exposure, but users need to be aware of the risks. Travelers who use their laptops in hotels, airports, and at conferences need to take special care with their systems, as all of these environments often contain hostile traffic and people actively looking for systems to attack.

Explaining the security mechanisms in use to your users, making sure they understand them, and instilling a sense of responsibility has multiple benefits. Users will be better able to contribute to the overall security of the system with a good understanding of the things they need to be wary of and the things they need to do.
