Wireless security is critical. Mitigate WiFi security risks by taking these steps.
If you are in the process of implementing or redesigning a wireless LAN for your company, you must make security a top priority. Because wireless signals often propagate beyond physical barriers, the risk of someone attempting to break in using the wireless infrastructure is higher than the risk of someone gaining physical access to a wired port.
Additionally, simply securing a WLAN through the use of authentication mechanisms and encryption isn't enough. You have to be concerned with who you are granting access to and what they can access. The identification and segmentation of employees, contractors, and guests is a great way to protect the network.
BYOD is a top consideration when investigating how to best secure your wireless LAN. Losing control over the devices and software that access internal resources requires a new layer of security between the foreign end device and the wireless network.
Moreover, enterprises must consider the possibility of advanced threats that can be used in an attempt to steal data or to disrupt wireless connectivity, both of which can be incredibly damaging to business objectives. New WLAN security tools can help mitigate these threats.
In this slideshow, we’ll discuss these WiFi security risks and what best practice methods can be implemented to alleviate the threats.
Separate internal users from guest users
Unless your guest users absolutely require access to internal resources, make sure you place them on a completely separate guest WiFi network. All modern enterprise WiFi architectures offer an easy way to safely onboard guest users and segregate them so they only have access to the Internet, not internal resources.
Wi-Fi Protected Access 2 -- typically referred to as WPA2 -- is a security protocol that incorporates all of the necessary security elements found in the IEEE 802.11i security specification. There are two different types of WPA2. The first (WPA2 Personal) uses a standard pre-shared key and the second (WPA2 Enterprise) uses 802.1X authentication. Use WPA2 Enterprise whenever possible, since it requires each user to authenticate with his or her own unique username/password rather than a key shared by everyone.
Physically secure your APs
Because a wireless LAN must be deployed in a distributed manner, you end up with wireless access points in closets and ceilings throughout a building. Do your best to physically secure the APs to prevent theft or tampering. Most enterprise-class APs give you the ability to mount and then lock the device in place. Also make sure that any local access to the WAP requires a unique password.
Limit WiFi signal
When it comes to WiFi signal strength, more is not always better. From a security standpoint, your goal should be to provide sufficient WiFi signal only to the areas where it’s required. If you have WiFi signal that reaches beyond building walls and out into public spaces, you risk inviting people who may attempt to break into the network or interfere with the wireless signal.
Rogue AP detection
A rogue wireless access point is an unauthorized AP that has been installed on a secure network. Rogue APs pose a serious security threat and it’s important that you have the right tools in place to actively monitor the WLAN and remove the devices from your network.
Wireless intrusion prevention systems
Advanced enterprise wireless security can include a dedicated wireless IPS. These devices monitor and detect more targeted and nefarious WLAN attacks that use techniques such as AP spoofing, malicious broadcasts, and packet floods.
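Putting the rogue AP and wireless IPS slides into practice, here is an added example (not from the original slideshow) of the kind of check a rogue-AP monitor runs over a scan: it compares each observed BSSID against an authorized inventory, flags our own SSID broadcast from a BSSID we do not own (AP spoofing), and uses a wired-MAC proximity heuristic to separate APs plugged into our LAN from neighbors' APs. The inventory, wired MACs and scan results are constructed sample values, and the BSSID-offset heuristic is an assumption, not a guarantee.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Observation:
    bssid: str    # MAC of the observed AP radio
    ssid: str
    channel: int
    rssi: int     # signal strength in dBm at the monitoring sensor

# Constructed inventory of authorized APs: BSSID -> (expected SSID, channel).
INVENTORY = {
    "00:11:22:33:44:01": ("CorpNet", 6),
    "00:11:22:33:44:02": ("CorpGuest", 11),
}
CORP_SSIDS = {ssid for ssid, _ in INVENTORY.values()}
WIRED_MACS = {"aa:bb:cc:dd:ee:10"}  # constructed: MACs learned on the wired switches (CAM tables)

def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)
def near_wired_mac(bssid: str, wired_macs=WIRED_MACS, slack: int = 16) -> bool:
    """Heuristic (assumption): APs often derive BSSIDs from their wired MAC by a small
    offset, so an unknown BSSID close to a MAC seen on the wire is likely on our LAN."""
    return any(abs(_mac_int(bssid) - _mac_int(m)) <= slack for m in wired_macs)

def classify(obs: Observation) -> str:
    expected = INVENTORY.get(obs.bssid.lower())
    if expected:
        if (obs.ssid, obs.channel) == expected:
            return "authorized"
        return "inventory-mismatch"   # known AP, unexpected SSID/channel: check for tampering
    if obs.ssid in CORP_SSIDS:
        return "ssid-spoofing"        # our SSID from a BSSID we do not own (evil twin)
    if near_wired_mac(obs.bssid):
        return "rogue-on-wire"        # unknown AP that appears to be attached to our LAN
    return "external"                 # likely a neighbor: keep monitoring, no action yet

def triage(observations):
    """Return (verdict, observation) pairs that need action, most urgent first."""
    order = {"ssid-spoofing": 0, "rogue-on-wire": 1, "inventory-mismatch": 2}
    flagged = [(classify(o), o) for o in observations]
    return sorted((f for f in flagged if f[0] in order), key=lambda f: (order[f[0]], -f[1].rssi))

# Constructed sample scan as a monitoring sensor might report it.
SCAN = [
    Observation("00:11:22:33:44:01", "CorpNet", 6, -48),
    Observation("00:11:22:33:44:02", "CorpGuest", 1, -52),   # channel differs from inventory
    Observation("de:ad:be:ef:00:01", "CorpNet", 6, -40),     # our SSID from a foreign BSSID
    Observation("aa:bb:cc:dd:ee:12", "Setup-AP", 36, -60),   # two above a wired-side MAC
    Observation("12:34:56:78:9a:bc", "Neighbor5G", 44, -85),
]
```

In a real deployment the observations come from the WIPS sensors or the controller's scan data, and an "inventory-mismatch" verdict should be reconciled with the controller's configuration before anyone is dispatched to a closet.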
Mobile device management
MDM isn’t simply about being able to better manage BYOD devices; there’s a security element involved as well. With most MDM solutions, you have the ability to quarantine devices that don’t meet set security standards, limit application installations, and implement data loss prevention (DLP) through techniques such as geofencing.
Support legacy WiFi devices
Finally, we must consider the very real possibility that we will have to manage legacy WiFi devices that lack the capabilities to meet our best practice implementation standards. Wireless printers and WiFi-capable handheld scanners are notorious for sticking around for years in the enterprise. In situations where devices cannot use the most secure form of WiFi authentication and encryption, it's best to segment these devices onto their own separate virtual network with their own unique SSID.