Wireless security policies are essential, but for security pros like David Fournier, crafting one that enables business processes can be as pleasant as standing in a long checkout line.
Fournier, senior information security analyst for a large New England grocery chain, is charged with securing a wireless network utilized by several thousand devices. When those clients range from wireless PCs to handheld scanning devices, and transmit everything from mission-critical inventory data to day-to-day Web traffic, keeping business needs aligned with the wireless security policy isn't easy.
"It's a constant battle between availability and security," Fournier said. "It's about providing the availability and convenience of a wireless network, but in a secure manner."
Experts caution that the process of developing or revising a wireless network security policy can be a sobering reminder of the ever-changing wireless threat landscape. But a policy that mitigates an organization's unique risks and recognizes there is no real network perimeter can go a long way toward keeping data safe.
Enterprises need policies that seek to prevent common Wi-Fi security issues like unauthorized or misconfigured access points, authorized users simultaneously connected to an external wireless host or access point, and malicious hackers who crack weak security protocols to gain network access, said Lisa Phifer, vice president of network security consultancy Core Competence.
And then there's compliance. "Many companies are now required by industry regulation or law to maintain the privacy and integrity of selected data," Phifer said. "Preventing wireless-borne network intrusion is a key part of compliance, along with the ability to document access to satisfy audit and reporting requirements."
Early in policy development, security managers often overlook the complexity of radio-frequency management. Many enterprise switch and router vendors, for example, now offer wireless security management add-ons, but those products have a long way to go, said Aaron Vance, a senior analyst with Synergy Research Group.
Vance said the network access control (NAC) market is still transitioning toward product sets that tightly integrate security management. "You need tools that provide visibility into the network, both from a wired and wireless perspective, so that you can create and set up policy for different kinds of users based on their credentials," Vance said.
Fortunately, Vance noted, all of today's products include support for 802.11i, the Wi-Fi security standard approved by the IEEE in 2004. Also known as WPA2, 802.11i replaced the inadequate WEP standard and augmented the original WPA standard. Vance said that not all organizations have updated their clients to support 802.11i, but doing so can significantly improve security without affecting ease of use.
RSA Conference 2007
Though many templates are available when it's time for the actual creation of a wireless security policy, Vance said it's important for each organization to enter the process knowing its industry-specific risks. For instance, the risk profiles of a financial services firm and a large retail chain will likely be quite different.
Policies should also delineate permissions for trusted versus untrusted users. Phifer said many policies restrict Wi-Fi "guest" users from accessing any trusted network resources, providing only public Internet access and email or VPN protocols. Phifer added that techniques like VLAN tagging should be used inside the network to keep outsider traffic compartmentalized.
Yet demarcation of an organization's perimeter is getting more difficult all the time. Fournier said in addition to an authentication system based on Cisco Systems' proprietary LEAP protocol, his company policy relies on virtual LANs and SSIDs to segment guest wireless users.
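The two policy points above, moving every SSID onto 802.11i (WPA2) and confining guest users to a tagged VLAN that reaches only the public Internet, email and VPN protocols, can be turned into a repeatable check. The following is an added example, not code from the article or from either company quoted; it parses a small hostapd-style key=value configuration (the keys used are real hostapd keys, but the configuration text, SSIDs, interface names `eth0`/`eth0.200` and the private address ranges are constructed for illustration) and emits iptables FORWARD rules for the guest VLAN interface.

```python
"""Added example: audit WLAN configuration against a wireless policy and
emit firewall rules that confine a guest VLAN. All configuration text,
interface names and address ranges below are constructed."""

# Constructed hostapd-style configuration with three BSSes: a corporate
# 802.11i/WPA2-Enterprise network, a guest network, and a legacy scanner
# network that still carries a WEP key.
SAMPLE_CONFIG = """\
interface=wlan0
ssid=CORP
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
vlan_tagged_interface=eth0
dynamic_vlan=1

bss=wlan0_1
ssid=GUEST
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP

bss=wlan0_2
ssid=LEGACY-SCANNERS
wep_default_key=0
wep_key0=0123456789
"""


def parse_bss_sections(text):
    """Split a hostapd-style file into one dict per BSS (each bss= line
    starts a new section; the first section is the primary interface)."""
    sections, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "bss" and current:
            sections.append(current)
            current = {}
        current[key] = value
    if current:
        sections.append(current)
    return sections


def audit_bss(cfg):
    """Return policy findings for one BSS: WEP, WPA1/TKIP, or open."""
    findings = []
    ssid = cfg.get("ssid", "?")
    has_wep = "wep_key0" in cfg or "wep_default_key" in cfg
    if has_wep:
        findings.append(f"{ssid}: WEP key configured; WEP is broken, migrate to 802.11i")
    wpa = cfg.get("wpa", "0")
    if wpa in ("1", "3"):
        findings.append(f"{ssid}: wpa={wpa} still admits WPA(TKIP) clients; require wpa=2")
    elif wpa == "0" and not has_wep:
        findings.append(f"{ssid}: open network; acceptable only on an isolated guest VLAN")
    ciphers = cfg.get("rsn_pairwise", "") + " " + cfg.get("wpa_pairwise", "")
    if "TKIP" in ciphers:
        findings.append(f"{ssid}: TKIP pairwise cipher allowed; use CCMP only")
    return findings


def audit_config(text):
    """Map each SSID to its findings; an empty list means it passes."""
    return {s.get("ssid", "?"): audit_bss(s) for s in parse_bss_sections(text)}


# Guest users get public Internet plus email and VPN protocols only.
GUEST_ALLOWED = {
    "dns": ("udp", 53), "http": ("tcp", 80), "https": ("tcp", 443),
    "smtp-submission": ("tcp", 587), "imaps": ("tcp", 993),
    "ikev2": ("udp", 500), "ipsec-nat-t": ("udp", 4500), "openvpn": ("udp", 1194),
}
TRUSTED_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # constructed


def guest_vlan_rules(guest_if="eth0.200", uplink_if="eth0"):
    """Build iptables FORWARD rules for the guest VLAN sub-interface:
    return traffic, then a block on trusted address space, then the
    protocol allowlist, then a default drop."""
    rules = [f"iptables -A FORWARD -o {guest_if} -m conntrack "
             f"--ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for net in TRUSTED_NETS:
        rules.append(f"iptables -A FORWARD -i {guest_if} -d {net} -j DROP")
    for name, (proto, port) in GUEST_ALLOWED.items():
        rules.append(f"iptables -A FORWARD -i {guest_if} -o {uplink_if} -p {proto} "
                     f"--dport {port} -m comment --comment guest-{name} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {guest_if} -j DROP")
    return rules


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONFIG).items():
        print(ssid, "OK" if not findings else "; ".join(findings))
    print("\n".join(guest_vlan_rules()))
```

The ordering of the firewall rules matters: the drop on trusted address space sits before the allowlist so a guest cannot reach an internal mail or VPN gateway on an otherwise permitted port, and the trailing drop makes the allowlist the only path out of the VLAN.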
"Any wireless signal could be a potential risk here," Fournier said. "When you're providing potential network connectivity outside the physical confines of a building, you've got to know that's where the risk is. But employees demand the convenience of having wireless."
Even for those organizations that have wireless policy under control, experts ominously warn that the greatest wireless security policy challenges may lie ahead. Wireless voice traffic will be a significant driver of enterprise Wi-Fi growth, Vance said, but adding a security layer to the data can degrade performance.
Fortunately, Phifer said, these issues are making it easier to justify wireless security costs.
"Even if you cannot put a dollar figure on potential threat impacts," Phifer said, "ranking business risks can help to justify investment in WLAN security measures."