policyIt’s no secret, wireless technologies have become the de facto network access method for many enterprise users with smartphones and tablets leading the way as the tools of choice when it comes to collaboration and productivity. It’s essential to remember that many times the purpose of the 802.11 WLAN is to serve as a portal to the 802.3 wired network where resources reside. As such, the portal needs to be protected from security threats as do the wireless client stations accessing this data. With the wind now firmly mobility it’s a great time to review wireless security best practices.

As a starting point, make sure the data traversing your Wi-Fi network is kept confidential. By nature, wireless is an unbounded medium requiring proper data protection safeguards. The current platinum standard for proper authentication and data confidentiality is WPA2-Enterprise which uses a mature port-based access control method known as 802.1X along with an EAP method for layer-2 authentication. As a byproduct of the EAP exchange, dynamic encryption keys are generated for WPA2’s optional TKIP encryption protocol using the RC4 cypher or its mandatory CCMP encryption protocol using the AES cypher. Most modern day hardware can handle the extra processing required by CCMP/AES encryption so that should be your first choice.

In addition to wireless authentication and encryption, authorization and accounting services should be implemented too. This is where AAA and RADIUS come into play. RADIUS is a mature protocol that provides a centralized means to enforce who can access network resources (Authentication), what they can access once successfully authenticated (Authorization), and provides a paper trail of where they have been on the network (Accounting). Such permission and accounting controls go a long way to securing the entire network, both wireless and wired.

The practice of segmentation is equally important as strong encryption and AAA.  Separating wireless users into specific groups based on role or function is always a good idea.  Traditionally this was accomplished by using different SSIDs, VLANs, and layer-3 network mappings.  Next generation approaches also include role-based access control (RBAC) and location-based access control (LBAC) which provide additional layers of context and awareness to your WLAN environment.

To protect your WLAN investment it’s important to monitor the environment to protect your investment from rogue attacks and to ensure that it’s functioning properly. Numerous physical and media access control attacks exist and a monitoring solution can save you time and money in safeguarding your investment. Having a Wireless Intrusion Detection System (WIDS) or a Wireless Intrusion Prevention System (WIPS) in place is paramount and provides visibility, classification techniques, containment capabilities, and reporting functions necessary to properly manage and enterprise ready WLAN network.

Last but not least is Policy.  What is your wireless security policy? Do you have one in place? What’s the point of having an 802.1X/EAP solution if users share passwords? If a policy doesn’t exist to address rogue access points why purchase a wireless intrusion detection system? A sound wireless security policy must be defined and enforced in order to effectively safeguard all the components of your wireless infrastructure.

-Adam Hensel, AirPatrol Senior Sales Engineer
email Adam