alex_aldo - Fotolia

Get started Bring yourself up to speed with our introductory content.

How to bake security into your Wi-Fi deployment

A Wi-Fi deployment is the preferred method for network access for most enterprises; it’s the InfoSec’s job to make that Wi-Fi secure.

Wi-Fi started its long, steady climb 15 years ago, spring-boarding from home to office, eventually displacing Ethernet as the preferred enterprise network access method in many organizations.

Today, enterprise Wi-Fi deployments are being further fueled by 802.11ac, which represented 18% of the 176 million access points (APs) sold in 2014. Wi-Fi not only transforms how workers connect, but also how communications are secured. Wi-Fi security is no longer an add-on; it must become an integral part of security policy enforcement. In this tip, we examine how organizations can embrace this network security transformation.

Beyond the basics

Years ago, security for a Wi-Fi deployment meant link-layer encryption: First came Wired Equivalent Privacy (WEP); next was Wi-Fi Protected Access (WPA) and Temporal Key Integrity Protocol, or TKIP. Then came Wi-Fi Protected Access 2 and Advanced Encryption Standard (WPA2/AES). However, WPA2, combined with Pre Shared Keys (PSKs) or 802.1X access control, has been supported by every Wi-Fi certified product for nearly a decade. Similarly, keeping wireless intruders at bay may have started with Wi-Fi sniffers and manual site surveys, but fully automated wireless intrusion detection and prevention (WIDS/WIPS) has become a staple, found in every enterprise-class wireless LAN (WLAN) product today.

While these technologies remain largely unique to wireless, they are now simply a foundation upon which to build. For example, 802.1X lays the groundwork to control LAN access, both wireless and wired. WIPS containment can often be triggered to block a suspected attacker at the point of network attachment, both wireless or wired. Increasingly, security policy is not about how a device is connected, but rather who is connected, what they are doing and where they are.

Wi-Fi deployments and policy enforcement

According to Ozer Dondurmacioglu, senior director of product and solutions marketing for Aruba Networks Inc., in Sunnyvale, Calif., many large organizations seek ways to create and then enforce a single security policy that does it all.

"When my doctor is in the cafeteria, he may need access to the Internet -- and nothing more. When he's in his office, he may get access to patient data as well. When he's working from other locations that are high-risk, he may be required to take extra precautions," said Dondurmacioglu. "There should be a way to encapsulate all of this in a single policy, and then translate that paper policy using tools for enforcement.”

Enterprises have many tools at their disposal to help them enforce this kind of unified  security policy, including identity management services, network and application firewalls, mobile device and application managers, secure wired switch ports and APs, location-based services, guest access services and more. However, realizing this single policy vision is best viewed as a phased process which begins with a target policy, taps available tools to enforce essentials, and then layers on new tools to further enhance policy granularity, threat resistance, and user productivity.

For starters, identity management can drive security policies, tying access rights and requirements not to devices or network attachment points, but to individuals and roles; in the scenario mentioned above, the physician could be granted levels of access that vary throughout the workday, based on policy-driven criteria.

Second, firewalls, switches and APs can monitor and implement those access rights. Broad network segmentation can be applied through VLANs and SSIDs, enforced by switches and APs. Network traffic can also easily be filtered by those edge devices -- for example, determining whether that doctor has access to the Internet or to patient data. However, given the complexity of today's mobile applications and associated risks, application firewalls can be useful to assert more granular policies that reduce risk, deter malware and plug data leaks.

Third, policies may factor in device type, ownership and trust by harnessing mobile device and application managers. For example, the doctor may carry a smartphone and tablet, using both throughout his workday. The same policy may apply different access rights to a fully managed tablet and a bring-your-own smartphone, or may require that a secure container be installed on each device as a condition of access to patient data.

In addition, policies are starting to take advantage of location-based services, using techniques such as geo-fencing to restrict access to specified venues and authorized areas within them. Location-based services are now expanding, using new equipment like Apple's iBeacons to improve accuracy (especially indoors), either separately or through integration with network infrastructure. In our example, the doctor's tablet may recognize where it is -- either inside the hospital or at a café -- and vary its behavior accordingly, despite being connected via Wi-Fi in both locations.

Finally, guest access services are playing an increasingly important role in security policy enforcement -- not just for visitors, but also for employees using bring-your-own and other devices. Specifically, network infrastructure can be used to manually or automatically redirect new devices to enrollment portals, where workers can register devices, agree to terms of service, receive device certificates and be provisioned for secure Wi-Fi access. Once connected to a secure network, additional steps may be taken to enable secure mobility, such deploying a secure container or application on our doctor's now-authorized and authenticated mobile device.

Building today to scale for tomorrow

Some of the network technologies that enable a flexible mobile security policy as described above have been around for years; others are relatively new. All of them represent opportunities to harness the network to enforce security policy in a manner that recognizes the risks inherent in a Wi-Fi deployment but also addresses them within a holistic framework that is focused on users and enables their computing needs. As wireless grows more pervasive, enterprises should embrace this kind of approach to enable and enforce secure mobility everywhere.

Next Steps

The risks and benefits of allowing smartphone other wireless devices on the network

Are you up on the latest tools for next-generation network security?

This was last published in April 2015

Dig Deeper on Wireless network security