Ongoing, as part of network monitoring and management health.
Wi-Fi is one of the fastest growing network technologies in the enterprise, deployed widely in public spaces such as airports and coffee shops, and used by remote, small office/home office (SOHO) and mobile workers. Even if you don't think your company is using wireless, if you run a site survey for access points (APs) you might be surprised what you find.
According to Diana Kelley, an executive security advisor for Computer Associates Intl. Inc.'s eTrust security management solutions business unit, there are several steps enterprises that use wireless or support remote access from wireless networks can implement to increase the security of WLANs.
Inventory and map your systems
Before you can look for unauthorized APs on your network, you need to know what authorized ones are out there. Use an inventory tool to create a map of APs under your management.
Move to WPA or WPA2
WEP is famously "broken," but enhanced security for WLANs is available with Wi-Fi Protected Access (WPA) and the recently ratified 802.11i (WPA2) standard. The official 802.11i standard has all the abilities of WPA and adds the requirement to use the Advanced Encryption Standard (AES). AES provides enough security to meet the needs of the Federal Information Processing Standard (FIPS) 140-2 specification, often required by government agencies. AES support may require new hardware for
Port-based access control can prevent unauthorized users from getting past your APs and into your internal network. If you've already deployed 802.1X on your wired network, extend it to the WLAN for increased security.
View all WLAN access as untrusted
All WLAN traffic should be protected with a gateway firewall. Even if the AP is in the CEO's office and she's the only one authorized to use it, it's still an untrusted network.
Tie WLAN monitoring to LAN monitoring
Traffic on the WLAN affects your entire network, so integrate the monitoring of it into your current network management framework.
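The inventory step and the move to WPA or WPA2 can be checked together by comparing site-survey results against the list of managed APs. The following is an added example, not part of the original article; the field names, BSSIDs and SSIDs are constructed sample data, and the survey rows stand in for whatever export your survey tool produces.

```python
# Added example: audit a site survey against the managed-AP inventory.
# All BSSIDs, SSIDs and field names below are constructed sample data.
WEAK_SECURITY = {"OPEN", "WEP"}  # the article advises moving to WPA or WPA2

# APs under your management, keyed by BSSID (the radio's MAC address).
INVENTORY = {
    "00:11:22:33:44:01": {"ssid": "corp-wlan", "location": "HQ floor 1"},
    "00:11:22:33:44:02": {"ssid": "corp-wlan", "location": "HQ floor 2"},
}

# What a survey observed (constructed rows).
SURVEY = [
    {"bssid": "00:11:22:33:44:01", "ssid": "corp-wlan", "security": "WPA2"},
    {"bssid": "00-11-22-33-44-02", "ssid": "corp-wlan", "security": "WEP"},
    {"bssid": "66:77:88:99:AA:01", "ssid": "corp-wlan", "security": "OPEN"},
    {"bssid": "66:77:88:99:AA:02", "ssid": "linksys", "security": "OPEN"},
]

def normalize(bssid):
    """Lower-case and unify separators so 00-11-.. matches 00:11:.."""
    return bssid.strip().lower().replace("-", ":")

def audit(inventory, survey):
    """Return sorted (bssid, finding) tuples for everything needing follow-up."""
    known = {normalize(b): ap for b, ap in inventory.items()}
    managed_ssids = {ap["ssid"] for ap in known.values()}
    findings, seen = [], set()
    for row in survey:
        bssid = normalize(row["bssid"])
        seen.add(bssid)
        ap = known.get(bssid)
        if ap is None:
            # Not in the inventory: worse if it advertises one of our SSIDs.
            if row["ssid"] in managed_ssids:
                findings.append((bssid, "unmanaged AP advertising a managed SSID"))
            else:
                findings.append((bssid, "unmanaged AP"))
            continue
        if row["ssid"] != ap["ssid"]:
            findings.append((bssid, "SSID differs from inventory"))
        if row["security"].upper() in WEAK_SECURITY:
            findings.append((bssid, "managed AP not on WPA/WPA2"))
    # Managed APs the survey never heard: moved, powered off or replaced.
    for bssid in known.keys() - seen:
        findings.append((bssid, "inventoried AP not seen in survey"))
    return sorted(findings)

if __name__ == "__main__":
    for bssid, finding in audit(INVENTORY, SURVEY):
        print(f"{bssid}  {finding}")
```
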
Thinking about taking the Wi-Fi leap, but concerned about how it will impact your overall network security? Kelley recommends five things to get you on the right track for a successful, secure deployment.
1. Forget about absolute security -- it doesn't exist. The goal is a WLAN that's protected at an acceptable risk level.
2. Understand the business value. Don't forget that there's a risk to not taking a risk. If the WLAN is going to save your company money on wiring or increase productivity of the sales force, enumerate the benefits to justify the deployment.
3. Update policies. If users don't know what's acceptable, how can they follow the rules? Make sure policies are updated to take into account proper WLAN usage.
4. Plan for placement. Cement walls and support beams can interfere with wireless signals. Conversely, if you're in a high-density area, make sure your AP signal isn't leaking further than you thought.
5. Test. Before announcing the availability of the WLAN to your enterprise, make sure it's running as you expect, that APs are accessible from key areas like conference rooms and that there are enough APs to handle the traffic load.
To find certified WPA products, visit http://www.wi-fi.org.
About the author
Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to firstname.lastname@example.org
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
This was first published in July 2004