It isn’t hard to set up security for the wireless router in your basement: Change the SSID, pick a strong password and perhaps install VPN software for remote access.
But securing wireless networks in a business environment is much more demanding. Systems administrators must:
· address the basics - securing wireless access points and protecting remote and mobileemployees
· provide controlled access for guests and contractors
· deploy and manage multiple wireless access points in central offices
· deploy and manage wireless access in remote offices (ideally, without travel or local IT staff)
· integrate wireless traffic into the company’s core network security infrastructure
1. The Basics Securing Wireless Access Points and Protecting Remote and Mobile Employees
Certain security practices are essential for wireless networks of all types.
Strong encryption—preferably use WPA2. An eavesdropper can pick up wireless signals from the street or a parking lot and break older security algorithms like WEP in minutes using tools readily available on the Web.
Complex passwords. Cybercriminals can use cloud computing resources to test millions of passwords in minutes, so wireless passwords should be 10 characters or longer and include numbers and special characters.
Unique SSIDs. SSIDs are part of the password used for WPA2 encryption. Hackers use“rainbow tables” to test common SSIDs, so administrators should pick unique network names (but not ones that identify their organisation).
VPNs for remote access. Virtual private networks are essential to protect communications from mobile employees (who can put a VPN client on their devices) and remote offices (which can use economical, point-to-point VPN connections).
Employee education and published policies. Employees need to be educated on secure networking practices. In companies with bring-your-own-device (BYOD) policies, this includes acceptable uses of personal devices for company business. Organisations that publish policies and systematise training not only improve security, but also enhance their compliance posture by showing auditors that they are taking action to protect confidential information.
2. Provide Controlled Access for Guests
Uncontrolled access to wireless networks is a common security issue. Often, customers,suppliers and other office visitors are given IDs and passwords that provide perpetual access to internal networks. Stories abound of contractors whose passwords remained valid for weeks or months after they moved on to other employers.
Some organisations address this problem by providing a separate guest network with limited access to core IT systems. This approach addresses the issue of transient guests, but it is expensive and not always useful for contractors and long-term guests.
Another approach is to find tools that restrict guest and contractor access to appropriate periods of time and place limits on their activities.
3. Manage Multiple Access Points in Central Offices
Deploying and managing wireless access points can be time-consuming. Large offices and campuses may require many access points to cover all office areas, conference rooms andmeeting spaces used by employees. Multiple wireless networks for different groups and for guests can add to the work.
Not only does complex administration raise staffing costs, but it also increases the likelihood of accidental misconfigurations that cause security vulnerabilities.
Enterprises need to find tools that simplify tasks such as deploying new access points,checking on the status and settings of these devices, and changing parameters.
A best-case scenario is to find tools that do not require specialised knowledge or a long learning curve, so the work can be done by network administrators rather than wireless networking specialists.
4. Manage Access Points in Remote Offices
Providing technical support to remote and branch offices is also a challenge. Constant travel is rarely an option, and it is difficult to work through remote personnel, particularly if no local IT staff is available.
Administrators need to find tools that allow them to deploy, monitor and update remote access points from a central console.
5. Integrate Wireless Traffic into the Network Security Infrastructure
Cybercriminals are increasingly targeting wireless traffic as an avenue to penetrate enterprise networks. They are exploiting:
· More opportunities to find weak points because of the growing number of remote and mobile workers.
· Home computers and mobile devices that lack the endpoint protection tools found on workstations that reside in company offices.
· BYOD policies that limit the control that companies have over the selection and configuration of mobile devices (a trend amplified by the increasing number of organisations with bring-your-own-computer policies).
To prevent wireless traffic from becoming a major threat vector, enterprises should ensure that wireless traffic flows through the full network security infrastructure so it can be scanned for malware. Probes and attacks can also be detected.
Ideally, the connection should be two-way, so traffic that goes out through the wireless network must first pass through the core security infrastructure.
That allows URL and content filtering tools to prevent employees from visiting websites that contain malware or are related to phishing and social engineering attacks. It may also help detect data being exfiltrated as part of an advanced persistent threat.
Secure wireless networking for business goes far beyond SSIDs and passwords. Administrators need to manage the basics in multiple locations, efficiently and reliably.
They need to be able to tailor access to different employee and guest use cases. And they need to make sure that wireless traffic is scanned just as thoroughly as any other type of Web traffic. Ideally, these goals should be achieved economically, and without highly specialised skills or extra training.