Banning wireless doesn’t stop users
Wireless LANs (WLANs) are increasingly becoming a commodity in the home, in the high street, at the airport – everywhere but in the office it seems. This is because it is still considered a threat to corporate data security – risking data loss, information theft, and virus and worm infection. As a result, despite increasing demands from users for wireless connectivity in the office, many organizations still implement a strict “no wireless” policy. For these organizations, the perceived risk of breaching the established “perimeter security” architecture of the wired LAN by building WLANs is far greater than the mobility and flexibility benefits of the technology. However, in the quest to shut wireless out completely, two issues have arisen.
First, it is incorrect to assume that a network will not be wireless simply because there is a “no wireless” policy. Anyone can buy wireless access points (APs) – it’s easy and cheap. Short of physically searching every employee as they come into the office, it’s impossible to stop the proliferation of wireless technology by a simple policy – and wireless-related threats will always exist, regardless of internal mandates.
Second, many organizations do not realize that, as wireless equipment has matured, the options for deploying secure network mobility have expanded. No longer are organizations limited to a binary decision of allowing or disallowing WLAN access – rather, a range of wireless policies are now possible.
“No wireless” policies without enforcement don’t work
If employees are equipped with wireless devices (including laptops and mobile phones with built-in Wi-Fi), then they’ll want to take advantage of the mobility it provides. It’s too easy for an employee to plug a wireless hub or router into an RJ45 jack in the office and build a small wireless network – whose range extends onto other floors of the building (where other companies may reside) or out into the car park. Worst of all, the employee will almost certainly have no idea of how their action can compromise corporate IT systems.
When policy does not work (as organisations continue to discover), then the only way to mitigate wireless threats is to deploy a best-in-class WLAN system that can lock down the “air” securely and that, at a minimum, can address the following:
The solution must prevent any employee from installing rogue APs (the wireless device bought by an employee and plugged into an RJ45 jack) within the confines of a protected organisation. Whether a network is wireless-enabled or not, rogue APs can be one of the greatest threats to network security today. However, it is not enough to detect rogues: a complete solution must identify and disable them so that no clients will be able to communicate through them.
The solution must also prevent all ad-hoc WLAN networks from occurring within the confines of a protected organization. In an enforced no-wireless network, all ad-hoc networks – uncontrolled WLANs operating only between clients – must be actively detected and disabled, as they can easily become an unauthorized entry point into the network. A system that offers comprehensive RF monitoring can perform these functions by actively disrupting ad-hoc networks. In turn, the RF monitoring system should also send an alert to the network administrator so ad-hoc networking can be disabled on the violating client.
With so many Wi-Fi ready laptops, poorly configured clients that bridge the corporate wired interface to the laptop’s Wi-Fi interface represent a major security hole. An effective solution must implement advanced RF security to automatically detect wireless bridges, notify network administrators of their existence, and identify the location of the offending client on a building map.
Lastly, it is also important to prevent clients within the protected RF space from connecting to other organizations’ neighbouring networks without disabling the operation of those APs or clients. An effective solution should automatically classify neighbouring APs as “interfering,” not “rogue,” and prevent clients from associating with them.
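As an added illustration (not the article’s own code, nor any vendor’s) of how an RF monitoring system can draw the rogue / interfering / ad-hoc distinction described above, the following assumes a constructed AP inventory, a constructed wired-side MAC table and scan results, and a simple consecutive-MAC heuristic for deciding whether a foreign AP is plugged into the LAN:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    bssid: str   # MAC of the AP (or IBSS) sending the beacon
    ssid: str
    ibss: bool   # True when the beacon's capability bits advertise an ad-hoc network

# Constructed inventory of the organisation's own APs.
AUTHORIZED_BSSIDS = {"00:0b:86:aa:00:01", "00:0b:86:aa:00:02"}
# Constructed wired-side MAC table (what a switch CAM table would show).
WIRED_MACS = {"00:1d:7e:12:34:55", "00:50:56:00:00:10"}

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def seen_on_wire(bssid: str, wired_macs, tolerance: int = 1) -> bool:
    """Heuristic (an assumption, not the article's): consumer APs usually number
    wired and wireless MACs consecutively, so a BSSID within `tolerance` of a
    wired MAC is treated as an AP plugged into the LAN."""
    b = mac_to_int(bssid)
    return any(abs(mac_to_int(m) - b) <= tolerance for m in wired_macs)

def classify(beacon: Beacon, authorized, wired_macs) -> str:
    if beacon.ibss:
        return "ad-hoc"               # client-to-client network: disrupt and alert
    if beacon.bssid in authorized:
        return "authorized"
    if seen_on_wire(beacon.bssid, wired_macs):
        return "rogue"                # foreign AP on our wire: disable and alert
    return "interfering"              # neighbour's AP: only block association

ACTIONS = {"authorized": "none", "rogue": "disable+alert",
           "ad-hoc": "disrupt+alert", "interfering": "block-association"}

def triage(beacons, authorized=AUTHORIZED_BSSIDS, wired_macs=WIRED_MACS):
    """Map each BSSID to (classification, action) for the WIDS to carry out."""
    out = {}
    for b in beacons:
        cls = classify(b, authorized, wired_macs)
        out[b.bssid] = (cls, ACTIONS[cls])
    return out

# Constructed RF scan results.
SCAN = [
    Beacon("00:0b:86:aa:00:01", "CorpNet", False),
    Beacon("00:1d:7e:12:34:56", "linksys", False),     # wired MAC ...:55 is on the LAN
    Beacon("00:23:69:99:88:77", "NeighbourCo", False),
    Beacon("02:11:22:33:44:55", "FreeShare", True),
]
```

Real WIDS products combine several on-wire indicators (ARP/MAC correlation, wired-side probing); the consecutive-MAC check here is only the simplest of them.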
Progressing from “no-wireless” to secure wireless mobility
As security and technology have progressed, previous concerns associated with wireless access have faded and most organizations now recognize the benefits of user mobility. In fact, many now consider wireless access to be more secure than the wired LAN. What’s more, deploying a wireless network is undoubtedly an easier option. WLANs can be implemented on top of existing networks without requiring upgrades or reconfiguration. As a result, organizations are now beginning to explore how they can offer all the benefits of advanced secure mobility.
The first step for many organizations is to deploy dedicated wireless guest access, as there is increasing pressure to enable visitors to gain instant access to business information. The impact on security and manageability should be negligible in moving from “no-wireless” to wireless guest access only. A guest access solution should not compromise the security of the network in any way, or place excessive burden on the IT staff.
Similarly, restricting access by time and location is also important. One of the operational benefits of a wired LAN is that access is only granted as long as the building is physically open. Some WLAN solutions available today provide the equivalent benefit with configuration options to turn an AP or group of APs off during certain time periods (e.g., overnight). This limits exposure to the wireless network and ensures that IT staff are always present to address issues as they arise.
Another incremental step forward from a “no wireless” policy is to restrict users or devices to the specific applications they require. With secure wireless solutions, companies can implement rules that match on protocol, IP address and application. A WLAN with a stateful firewall can automatically blacklist any client that violates specific firewall rules. Automatic blacklisting immediately disconnects the device from the network and generates an alert message to the administrator.
An identity-based wireless solution that integrates encryption, authentication and access control into a single device can offer all the benefits of advanced mobility with a security level comparable to a wired network. Because wireless devices authenticate to the network, identity is learned. Choosing a wireless infrastructure that encrypts all traffic back to the core ensures that network traffic is not forged by an intruder or tampered with in transit. Finally, if access control is done through a firewall, policy can be tied to the identity and role of the user rather than to an arbitrary parameter such as IP address.
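As an added example (not code from the article or any product), the following shows how the two preceding ideas fit together: firewall rules keyed to the user’s role rather than an IP address, with automatic blacklisting and an administrator alert when a client violates a rule marked for it. Roles, the rule set, flows and MAC addresses are all constructed.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Flow:
    client_mac: str
    user: str      # identity learned at authentication
    role: str      # role derived from that identity, not from the IP address
    dst_ip: str
    proto: str     # "tcp" or "udp"
    dst_port: int

# Constructed ordered rule set: (role, proto|"any", dst network, port|None, action).
# "blacklist" marks a rule whose violation disconnects the client, not just drops the flow.
RULES = [
    ("guest", "any", "10.0.0.0/8", None, "blacklist"),   # guests probing the corporate LAN
    ("guest", "tcp", "0.0.0.0/0", 80, "permit"),
    ("guest", "tcp", "0.0.0.0/0", 443, "permit"),
    ("guest", "udp", "0.0.0.0/0", 53, "permit"),
    ("guest", "any", "0.0.0.0/0", None, "deny"),
    ("employee", "any", "10.0.0.0/8", None, "permit"),
    ("employee", "any", "0.0.0.0/0", None, "deny"),
]

def first_match(flow: Flow) -> str:
    """First-match evaluation of the rules for the flow's role; implicit deny."""
    dst = ipaddress.ip_address(flow.dst_ip)
    for role, proto, net, port, action in RULES:
        if role != flow.role or (proto != "any" and proto != flow.proto):
            continue
        if dst not in ipaddress.ip_network(net) or (port is not None and port != flow.dst_port):
            continue
        return action
    return "deny"

class Enforcer:
    def __init__(self):
        self.blacklist = set()   # client MACs that have been disconnected
        self.alerts = []         # messages for the administrator

    def handle(self, flow: Flow) -> str:
        if flow.client_mac in self.blacklist:
            return "dropped"          # already disconnected: nothing gets through
        action = first_match(flow)
        if action == "blacklist":
            self.blacklist.add(flow.client_mac)
            self.alerts.append(f"user={flow.user} role={flow.role} mac={flow.client_mac} "
                               f"violated policy: {flow.proto}/{flow.dst_ip}:{flow.dst_port}")
            return "blacklisted"
        return "permitted" if action == "permit" else "denied"
```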
Despite this, many organizations will still continue to choose a “no wireless” policy within their network. However, these organizations must still understand that it is critical to conduct a full assessment of the associated risks. Technology advancements now make it simple for organizations to deploy the infrastructure necessary to initially enforce “no wireless” policies and then take steps towards providing advanced mobility. In short, a next-generation WLAN solution is essential to maintaining stronger security for any type of network.