Wireless Dilemma - could be fun helping me.


markdouglas
Oct 16, 2004, 11:47 PM
Dear Gang,

I need some help to prove my office's I.T. person wrong. First, a little background:

I'm a partner in our practice - so our I.T. person works for me. However, despite the fact that she's awful at her job, she's married to another person in our group so firing her or being overly confrontational would be difficult. A couple of years ago before buying a new computer, I asked our I.T. person if I could have an Apple on our office network which is a PC network to simply surf the web. The answer was an emphatic "no" and the explanation was that my Apple would cause the system to crash. I contacted both our ISP and Apple - both of whom said this was hogwash.

This I.T. person insisted that I get a PC laptop which I reluctantly did, and then she couldn't get it to work properly. Finally, I came to my senses, gave away the laptop (lost $2K) and bought a $1400 iBook. Needless to say, the iBook has seamlessly integrated into our office network and performed flawlessly for the past 2 years.

Here's the current situation: I've been using an Airport Express in my office for the past few months to make my iBook wireless as well as to stream music to my stereo. Well, my I.T. person recently discovered the Airport Express and has gotten her undies in a "Y" about my "unapproved wireless network" because she feels that it opens up our patient data to potential hackers. I find this incredulous as our I.T. people have trouble getting the PCs to access our Unys based patient info and those PCs have software to do so. However, she's being adamant about it and has insisted that I shut down my Airport Express.

Can any of y'all give me some info or reassurances about the robustness of the security of the Airport Express that I can use to very specifically prove that her fears are unfounded? I need some ammunition or guidance as to where I might find this ammunition.

TIA,
Mark

TLRedhawke
Oct 17, 2004, 12:26 AM
128 bit encryption built in, which, I might add is a greater level of encryption than most wireless routers will provide. Just make sure you've got the airport admin utility running (even though you don't need it for the Airport Express to work) just so you can show her the level of encryption you have set. It might also be wise to set a password on your wireless network to be safe.

aplasticspork
Oct 17, 2004, 12:32 AM
I second that, I've looked into this a bit as I'm going to be getting a laptop soon. I'm not quite sure what your I.T. person is thinking :rolleyes:

thatwendigo
Oct 17, 2004, 12:40 AM
You might want to point out to her that, at least until SP2, most Windows machines have no support for the latest wireless security standards out of the box. They have to have drivers installed and things tweaked to a ridiculous degree, as I found out when trying to get my mom's boyfriend's laptop onto her network.

We've been using iBooks in my family for some time, and I can just walk into her house and get on the network if I want to. His PC laptop had to have three driver updates, a bunch of arcane system mumbo-jumbo tweaked, and then still didn't want to play nice. We weren't even using an Airport station as the base, so there was no excuse that it could possibly be Apple's fault (it's an SMC wireless router).

Basically, you need to tell her to shut her mouth, that she works for you and not the other way around, and that unless she can document and prove that there's a security hole in OS X that is greater than those in Windows, that you're going to use what you want to. Apple machines have support for WEP 128-bit and WPA right out of the box, and that's the current standard on most Wi-Fi certified gear.

From the Airport Express page (http://www.apple.com/airportexpress/):
Secure Connection

Rest easy. AirPort Express takes strong measures to prevent unauthorized intrusion into your wireless network. It features a built-in firewall to protect you from gate-crashers from the Internet. It also features password protection and supports powerful encryption technologies including Wi-Fi Protected Access (WPA) and 128-bit WEP encryption.

BakedBeans
Oct 17, 2004, 01:10 AM
this type of thing really annoys me.... it's just plain idiocy, why don't you put the case forward for replacing the whole system with mac osx... you can then use file vault and no hackers are going to get anything about your patients.... it's as simple as that....with regards to the "hole" it's plain rubbish....

blackpeter
Oct 17, 2004, 01:20 AM
Actually, she's right.

Wireless networks are inherently less secure than wired, primarily because anyone within proximity to the network can get access.

That being said, many offices incorporate WiFi into their network because it makes things more convenient. And if you do things like turn off the SSID broadcast, incorporate WAP encryption and MAC address filtering, then most networks will be safe from your average hacker. If someone is determined enough and has skills to get past these three safeguards, then they probably will get into your wired network as well.

So yes, WiFi is less secure (technically). But this "IT" person sounds like she might not know enough to even properly safeguard your wired network. Your wireless AirPort Express network might just be the most secure node in the whole damn office!

BakedBeans
Oct 17, 2004, 01:27 AM
Actually, she's right.



well she's not...as she didn't say shut it down as it's less secure than wired... she said shut it down as it's not secure

when it is, if it's 128bit encrypted with a good password then you should have no problemos.... like i say...get the whole network on mac (i wouldn't use a pc if you paid me) as pcs are dangerous to hold sensitive information....

in fact i would insist she shuts down "all her pcs" to make the place secure..

thatwendigo
Oct 17, 2004, 01:32 AM
Actually, she's right.

A couple of years ago before buying a new computer, I asked our I.T. person if I could have an Apple on our office network which is a PC network to simply surf the web. The answer was an emphatic "no" and the explanation was that my Apple would cause the system to crash.

So, she's right, huh? Having a mac on a PC network will "cause the system to crash?" There was never a mention of security, only networking concerns, and nothing was said about whether the rest of the network is wired or wireless.

If he's the only one with wireless access, you might have a point, but I'd bet a mac with wireless is more secure than most Windows boxes on a wired network.

Westside guy
Oct 17, 2004, 02:02 AM
Well... speaking as a sysadmin, rogue wireless access points are a pain and often a weak point in network defense. The fact that you're using a Mac with it is irrelevant - the Airport Express is connected to the network, right? Your Mac isn't part of the wireless security equation at all.

WEP is inherently insecure, and you don't mention if you're using encryption anyway. It doesn't matter if you're using 40/64 or 104/128 WEP - they're all breakable because one of the weak points is in the 24-bit initialization vector used in both. You can turn off SSID broadcast (have you?), and use MAC filtering (have you?) - but someone who knows what they're doing will know how to fake a MAC address and it'll be easy for them to find yours. Now if you're using WPA and have picked a good long (> 20 characters) password, you're doing much better. Also, have you put a good LONG password on the Airport Express?

Now, this woman sounds like she isn't particularly knowledgeable (at least in non-Windows matters), but she's also in a bad position because it's her rear that's on the line if/when something goes wrong AND she obviously doesn't have authority to enforce what she thinks is good policy.

kiwi-in-uk
Oct 17, 2004, 02:06 AM
Once you have encrypted with a good password (as above), call her bluff and ask her to show exactly how it can be hacked.

matthutch
Oct 17, 2004, 03:46 AM
Once you have encrypted with a good password (as above), call her bluff and ask her to show exactly how it can be hacked.

i agree, set it as a closed network (so the ssid doesn't show up), set a nice long password and high level encryption, and then ask her to show you the weak points.

also remember as you said she works for you, so even if she doesn't like it you are her boss, also you might want to think about getting a new person if she thinks having a mac on a network will cause it to 'crash', because as you said after contacting your isp and apple, it is just plain stupid.

well, let us know how it goes, would be interesting to see what she comes back with.

markdouglas
Oct 17, 2004, 07:23 AM
Thank you everyone for your input. I will do as you suggested regarding turning off SSID, bumping up encryption level, and putting in a long password. And, I'm tempted to set up a scenario where our I.T. person has to prove that she can get on the network.

I firmly believe that this is a simple case of a bureaucrat who's furious about me having gotten many of the physicians in our office to switch to Macs (at least for their personal computing needs) because the Macs essentially invalidate her and because I know how to work the Macs better than she knows how to work the PCs.

Can anyone give me specific terms to bolster my argument that my "nub" has superior grade firewalls (soft and hard) compared to other wireless networks? Am I right in assuming that the mere fact that the "nub" is made by Apple makes it inherently more difficult for a PC user to break in to it?

Mark

yellow
Oct 17, 2004, 07:29 AM
[reposted below]

markdouglas
Oct 17, 2004, 07:39 AM
Regarding the encryption, yes I am using 128 bit encryption.

My reasoning behind not being particularly worried about this "nub" isn't only my lack of trust with regard to our I.T. person, it's because I think that someone that is determined enough to hack in to a wireless network could just as easily hack in to our network from any of several other non-wireless ways. Plus, they'd have to have software on their PC that lets them access a whole different (antiquated) system that actually has the patient data.

However, I acknowledged to her that I felt someone from the NSA could probably do so if so inclined.

An analogy I used to our I.T. person: yes, I realize that my vehicle's lack of side impact airbags for the back seat passengers means that you could suffer head trauma in the unlikely event that you were riding in the back seat of my car when it was hit from the side.

Mark

yellow
Oct 17, 2004, 07:46 AM
I don't think the NAT on an APExpress is any more or less secure than any other router. And it being an Apple does not inherently make it more secure from Windows users, nor anyone else for that matter.

Your experience with this IT lady tells me that she's ignorant of Apple hardware, and rather than having to learn about it and support it, she simply says it won't work and that's that. If she really didn't want to support it, there are much better ways of making that known.

I can see and understand her fury with a random wifi access point. Look at it from her point of view..

She has to protect patient data. She has to cope with HIPAA. She has "protected" all the avenues of entry into this 'data vault' and suddenly, some physician (I'm sorry, but you're a doctor, not an IT person, you know more about physiology than you do about computers) that she has historically had "troubles with" introduces a potential security hole into her "protected" fortress. Now she has to deal with getting rid of or learning about how to support your APExpress. It's pretty obvious from her earlier notions on what her tactics are.. But from her standpoint, how can she rely on you to constantly maintain vigilance with respect to the wifi access point's security (and all that entails)? After all, you've got patients to see buddy.. it's not your job. So I can empathize with her, though I don't condone her poor methods.


Nice job on switching the office, though. :D

yellow
Oct 17, 2004, 07:52 AM
Regarding the encryption, yes I am using 128 bit encryption.

Frankly, (as noted above) WEP is not that secure, which is why other standards were created and have been adopted. Any WiFi access point is inherently insecure. If possible, I suggest you also turn on MAC address filtering and only allow one MAC address, that of your iBook.

Mechcozmo
Oct 17, 2004, 09:02 AM
The Airport Express is simply a wireless router, plain and simple. Do the things suggested above, but then also turn it off when you are not using it, or at least unplug the Ethernet cable. Your network admin doesn't sound too knowledgeable (The guy who does work at my dad's office is a Windows guy but he does a fair amount with Macs, and even a little bit of Linux!), but then again, she is probably freaked out about security.

After you do the things above, ask her if the network is secure enough.


Sidenote: While away from home, I found a wireless network that was called "Apple Network f3a6" or something close to that. I connected to it, then started up the Airport Admin utility, and was soon able to see everything about their Airport Base Station! And I was able to see their computers on the network, but I didn't bother trying to guess the passwords.

markdouglas
Oct 17, 2004, 10:11 AM
Yellow,

I appreciate your input and I'll take to heart your points. Incidentally, I'll be the first to admit my lack of computer networking knowledge - in fact, that's why I switched to Apple - i.e. to be more empowered in terms of computing.

Getting back to our I.T. person and her concerns; I felt like I wasn't being reactionary and in fact I was very prompt about unplugging my Airport Express when she asked that I do so. However, last evening she stated that she had statements from Intel (???), Linksys, and Apple stating that WiFi was unacceptably weak in terms of security. She says that I can't ever hook back up the Airport Express. This ticks me off because this is the same woman that couldn't figure out how to burn mp3's off of my old computer (the PC that she had me buy) to a CD so that I could transfer them to my new iBook two years ago. Our PR person accomplished this simple task when I told her that our I.T. department couldn't do so. Also, I really like the flexibility of WiFi as well as the music streaming to my stereo.

So, any other insights? Any software that I can get that will squelch her concerns?

Mark

mkrishnan
Oct 17, 2004, 10:22 AM
She has to protect patient data. She has to cope with HIPAA. She has "protected" all the avenues of entry into this 'data vault' and suddenly, some physician...

But on the other hand, the issue that your wireless network is unofficial aside, it is becoming increasingly common for hospitals to use wireless networks. Ours does. So what do they do? I'm pretty sure it isn't any more sophisticated than WPA with a closed network / pre-matched MAC addresses, etc. We use a wireless network on the "school" side of our hospital's activities too. HIPAA hardly prohibits it. But I agree that your IT person can't do her job if she can't control all the access points onto the network. Whether she can do her job if she *can* control them is another question. ;)

Anyway, ditto on using WPA instead of WEP, and also in the airport admin utility, there's a range limiter. Sounds like you don't use your laptop far from your office. So turn the power output on the Express down until it can't be accessed from far away. This should increase your safety as well. All these things are small incremental boosts, but that's basically all there is.

Celeron
Oct 17, 2004, 01:03 PM
I just thought I'd throw in my 2 cents on the subject here. Coming from a Sysadmin background I know the concerns of your admin. As has been mentioned, WEP is horribly insecure and can be cracked very easily. Frankly, if your admin says no wireless access points then that's what you have to do. Does your place of employment have a security and access policy? If so, what does it outline with regard to wireless devices?

All wireless is insecure, and there is really nothing you can do to be 100% sure everything is locked down tight. In the home environment this is acceptable, in the work place, where you are talking about patient data, it's simply asking for trouble. It's not a question of whether or not someone will hack your airport express, but WHEN someone will hack it. Installing a wireless access point is akin to sprinkling network ports out in the parking lot. Not a good idea.

Suck it up and unplug it. In this instance your sysadmin is covering her own butt, which I don't blame her for. If someone rides into the network from your access point and steals some patient data it will be her fault and not yours.

Westside guy
Oct 17, 2004, 02:32 PM
And, I'm tempted to set up a scenario where our I.T. person has to prove that she can get on the network.

C'mon, think things through for a minute. Other than being a tad vindictive, what does this accomplish? Does her ability or inability to hack your network prove whether or not it's safe? (Hint: the answer is NO)

This is exactly why I said rogue access points are such a pain. The people who set them up are almost always sure they won't be problematic - even if they don't have any particular technical knowledge on network security.

Your tech person doesn't know her stuff - but in this case it doesn't invalidate her concerns.

markdouglas
Oct 17, 2004, 02:36 PM
Celeron,

Thank you for your input, too. I will use WPA (whatever that is) instead of WEP. However, in my particular situation, I don't believe that our patient data (which incidentally is largely in paper charts - only patient billing and scheduling info is on our system) is any less safe in a wireless network than in general. Let me ask you this: if we're protecting our network from a very savvy hacker (someone who can get past a 24 digit hexadecimal code and then get on to our Unysis based patient data base), why then shouldn't we strip search our after hours janitorial staff to make sure that they aren't stealing charts or photo-copies of the charts? I think we'd both agree that this latter scenario is ridiculous and impractical, but my point is when is enough protection enough? I realize that someone from the NSA could hack in to my network, but wouldn't it be much easier to simply steal the patients' charts which are spread throughout our office (we're not using EMR - electronic medical records - yet)?

Is there a more secure WiFi than 128 bit encryption? Does anyone know what HIPAA asserts is "standard" as I doubt they simply say "no" to WiFi as wireless tablets are the future for "E.M.R.s"?

TIA,
Mark

Mechcozmo
Oct 17, 2004, 04:29 PM
My dad does EMR stuff. He has a VPN going from our home (64 bit WEP) to the hospital, where he does his work, etc. There is also a wireless access point in the hospital (in certain areas only, btw...NO CELLPHONES!) where he can do his work. I do not know about the security there, but I know that in his office it is a 128bit network. I think. Anyway, no problems yet. I do believe that the MAC addresses are limited to a certain few...don't know for sure. (And I know I said MAC, because that is a separate doohickey from our beloved Macs)