The wired world enterprises have come to know is increasingly turning wireless, and the proliferation of wireless networks makes WLAN security increasingly critical to corporate security.
In its annual Network Barometer Report, IT services firm Dimension Data said most of the clients it assessed had networks composed of roughly 80% wired ports and 20% wireless LAN ports, but it expects that ratio to reverse in the future. Meanwhile, analysts with research firm TechNavio estimate the global WLAN equipment market will see an annual growth rate of nearly 18% between 2012 and 2016.
Wireless guest policies are a first step toward WLAN security, vendor executives said.
"Organizations need to determine how much bandwidth they want to give guests and whether or not they should have access to any corporate resource," says Peter Lane, senior product manager at Aruba Networks. "Traditional guests [typically] will be limited to Internet access (including VPN protocols), while contractors, consultants or other VIP guests may have additional access to some internal resources such as printers, database servers and email."
Employee WLAN access is a little more complicated, he says. "Questions organizations need to answer to determine appropriate employee access include: What device types are employees using? How should they connect, and what resources/systems should they be able to access?" says Lane.
The growth of the bring-your-own-device (BYOD) trend has added new challenges for securing Wi-Fi networks, driving the need for additional mobile policies, says Hemant Chaskar, VP of technology and innovation at AirTight Networks.
Consequently, enterprises need to find ways to address the secure onboarding of employee-owned devices and should look to develop separate Wi-Fi access policies for BYOD devices and devices provisioned by IT, he says.
In addition to creating policies, enterprises need to implement Wi-Fi encryption and 802.1x-based authentication. "For smaller organizations that do not have RADIUS/AD infrastructure, WPA2-PSK (Pre-Shared Key) is also a viable standards-based alternative," says Chaskar. "WEP should be considered equivalent to open--i.e., insecure."
[Find out about detecting rogue APs, supplicant settings, wireless intrusion prevention and more in "How To Secure WLANs: A Visual Overview" slideshow.]
User traffic should also be segmented, Lane advises.
"Use an integrated stateful firewall with user roles to segment traffic," says Lane. "For example, a university could segment guests, students and faculty into different roles behind different sets of firewall rules in the mobility controller or virtual controller. This would allow the organization to scale their network easily without making large security compromises and exposing applications or servers to attack or unauthorized access by those who don’t need or shouldn’t have access."
Running VPNs also an option, but since this is typically software-based, it can result in significantly degraded performance, says Lane. "VPNs also have issues with regard to 'starting' a connection. To secure the connection, no traffic should leave the client until the VPN is up and operating. This can be a problem for applications that automatically try and connect to other systems."
While some in the industry suggest organizations can also consider making their network ID invisible, the effectiveness of that has been questioned due to the availability of hacking tools that can be used to reveal SSIDs.
"SSID hiding reduces temptation from casual attackers, so it’s a useful feature," James Lyne, director of technology strategy at Sophos, noted in a report on Wi-Fi security. "However, be aware that within a few seconds any attacker with basic knowledge will reveal this wireless network name. It is a very light defense that you shouldn't rely on. Make sure you combine it with strong encryption and a good password."