Wireless LANs do pose new security challenges, but every network expansion carries both benefit and risk. To reap the benefits of wireless, like anytime/anywhere access to enterprise systems, companies must take steps to reduce associated risks to acceptable levels.
The most effective way to accomplish this is to let policy, not technology, govern secure WLAN implementation. Technology-driven security can waste resources by attacking the wrong problems. Too often, an organization turns on security "knobs" without fully considering whether those measures alleviate their most pressing business risks.
Identify business needs
Policy-driven security begins with a thorough review of business needs and risks. A policy creates a solid foundation for implementing appropriate security measures.
Start by defining business needs. Why are you deploying a WLAN? What business objective(s) does adding wireless accomplish? Security is not just about keeping intruders out – it's about letting legitimate users into authorized systems and services.
Identify who, where, when and what. Which users and devices will be permitted to use wireless at the office, on the road or at home? What networks and servers do they need to access? Which applications, services, databases and network shares must be opened to wireless users? What hours and days will wireless access be required? Answers will help you create a defense that permits legitimate
Also identify behavioral requirements like throughput, latency, network roaming and session persistence. Establishing these objectives can help you make implementation choices that satisfy real business needs and avoid costly over-engineering. To keep this task manageable, define profiles that reflect needs associated with groups of similar users – for example, VoIP users vs. Web/mail users vs. visitors.
Quantify business risks
Next, assess new business risks introduced by adding wireless. Use the needs defined above to pinpoint wireless and adjacent wired subnets that will be exposed to wireless intruders. Inventory stations, access points, radio channels, gateways and servers on the wireless LAN – these too will become valuable network assets.
Revisit the wireless stations and target applications, databases and network shares identified above. What private or sensitive information do these resources contain? Answer this same question for control fields and data to be sent over the air. Produce a list of information assets that must be defended against corruption, loss or disclosure.
Review these asset lists, considering potential threats, the probability of compromise and cost to your company. For example, how likely is it that war drivers will try to use your WLAN for Internet access? What is the cost of stolen bandwidth? What would the business impact be if sensitive data sent over wireless were captured? What would the cost of lost productivity or sales be if an attack were to take your WLAN or database off-line for a day?
It may be difficult to quantify and prioritize these risks, but give it a try. If your staff can't do this, consider hiring independent security auditors who can. It makes no sense to spend $1M to defend a $100K asset from a low-probability threat, but the only way to prevent that is to do the math and apply your security budget accordingly.
Add wireless to existing policy
Use your business need and risk analysis to extend your company's network security policy to address wireless access. Augment existing Acceptable Use Policies (AUPs) for network access, or create AUPs if you don't already have them. AUPs should explain what usage is permitted, under what conditions, with which precautions, for the identified users and environments.
Define AUPs for employee use of your Intranet, as well as for visitor use of your WLAN, traveler use of public hotspots and teleworker use of home WLANs. Even if you plan to ban business laptop use at hotspots or guest access, your policy should state this so that countermeasures can be implemented and compliance can be audited.
Once policy extensions covering wireless have been drafted, get buy-in from all stakeholders and disseminate approved policy to all administrators and users. Policies that lack organizational support or that nobody knows about are historically ineffective.
Implement, verify and adapt… forever
Finally, select, install and configure WLAN security measures to implement and enforce your policy. The policy will come into play throughout WLAN deployment, from topology design to security feature selection, from issuing keys and logins to legitimate users to configuring access controls that permit those users and deny all others.
Test your implementation to verify policy compliance – not just once, but at scheduled intervals. Networks are organic, changing all the time as old systems are retired, upgrades are installed, employees move or leave, and business objectives evolve. To remain effective, policy must adapt to changing needs. Security measures must be continuously updated to fix holes and implement updates – for example, adding new users and deleting stolen devices.
In summary, effective network security is more about process than technology. Using security policy to drive WLAN deployment gives your organization a fighting chance against wireless vulnerabilities and threats.
About the author
Lisa Phifer is the vice president of Core Competence, Inc., a consultant firm specializing in network security and management technology. Lisa has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for nearly 20 years.
For more information, visit these resources:
- On-demand webcast: Locking down your WLAN, part 1: Identifying the threats
- Fun with Security Test: Identifying WLAN threats
- On-demand webcast: Locking down your WLAN, part 2: Implementing countermeasures
- Fun with Security Test: Implementing WLAN security countermeasures
This was first published in June 2003