Auditing the Data Confidentiality of Wireless Local Area Networks

Wireless Local Area Networks (WLANs) provide many significant advantages to the contemporary business enterprise. WLANs also provide considerable security challenges for network administrators and users. Data confidentiality (ie, unauthorised access to data) breaches are the major security vulnerability within WLANs. To date, the major IT security standards from the International Standards Organisation (the ISO/IEC 17799) and the National Institute of Standards and Technology (the NIST Special Publication or ‘SP’ suite) have only a superficial coverage of WLAN security controls and compliance certification strategies. The clear responsibility for WLAN managers is to provide network users with best practice security strategies to mitigate the real risk of unauthorised data access. The clear responsibility for IT auditors is to ensure that best practice security practices are in place and that operational compliance is consistently achieved. This paper describes a newly researched software auditing artefact for the evaluation of the data confidentiality levels of WLAN transmissions – and therefore by extension for the evaluation of existing security controls to mitigate the risk of WLAN confidentiality breaches. The paper describes how the software auditing artefact has been evolved via a design science research methodology, and pivots upon the real time passive sampling of data packets as they are transmitted between mobile users and mobile transmission access points. The paper describes how the software auditing artefact uses these sampled data packets to produce a very detailed evaluation of the levels of data confidentiality in effect across the WLAN. This detailed evaluation includes specific identification (for network managers) of the types of software services operating across the WLAN that are not supported with the appropriate data confidentiality controls. The paper concludes by presenting an analysis of the results achieved during beta testing of the auditing artefact within a university production WLAN environment, together with a brief description of WLAN best practice security.