Tips for securing your wireless network
Thomas Lippert, senior product manager of mobile, Sophos
But securing wireless networks in a business environment is much more demanding.
Systems administrators must go beyond the basics of wireless security to provide advanced security, manageability and accessibility.
But let's start with the basics. Certain security practices are essential for wireless networks of all types. Strong encryption is one of these essentials, preferably WPA2. An eavesdropper can pick up wireless signals from the street or a parking lot and break older security algorithms like WEP in minutes using tools readily available on the web.
Complex passwords are also important. Cyber criminals can use cloud computing resources to test millions of passwords in minutes, so wireless passwords should be 10 characters or longer and include numbers and special characters. Unique SSIDs should be implemented as well. The SSID is used as the salt when the WPA2 pre-shared key is derived from the passphrase, so precomputed "rainbow tables" of keys only work against the common SSIDs they were built for. Administrators should therefore pick unique network names (but not ones that identify their organization).
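The following added example (not part of the original article) shows why the SSID matters: WPA2-Personal derives the 256-bit pre-shared key with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, so the same passphrase yields a different key on every network name. The `meets_policy` check is an assumed encoding of the article's minimum passphrase rule (10+ characters, a digit and a special character).

```python
import hashlib
import string


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal PSK as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output, SSID as salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),   # the network name is the salt
        4096,
        32,
    )


def meets_policy(passphrase: str) -> bool:
    """Assumed encoding of the article's rule: 10+ characters,
    at least one digit and at least one special character."""
    return (
        len(passphrase) >= 10
        and any(c.isdigit() for c in passphrase)
        and any(c in string.punctuation for c in passphrase)
    )


def table_reusable(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if a PSK precomputed for ssid_a would also unlock ssid_b,
    i.e. never, unless both networks share the same name."""
    return wpa2_psk(passphrase, ssid_a) == wpa2_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # Constructed sample values; "password"/"IEEE" is the IEEE 802.11i Annex H test vector.
    print(wpa2_psk("password", "IEEE").hex())
    print("table for 'linksys' reusable on 'linksys':",
          table_reusable("password", "linksys", "linksys"))
    print("table for 'linksys' reusable on a unique SSID:",
          table_reusable("password", "linksys", "acme-wlan-7f3"))
    print("policy ok:", meets_policy("Tr0ub4dor&3xyz"))
```

A unique SSID does not make a weak passphrase strong; it only forces an attacker to compute the derivation per network rather than reuse a shared table.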
VPNs for remote access are another essential practice. Virtual private networks protect communications from mobile employees (who can put a VPN client on their devices) to remote offices (which can use economical, point-to-point VPN connections).
One last basic measure to keep in mind is employee education and published policies. Employees need to be educated on secure networking practices. In companies with bring-your-own-device (BYOD) policies, this includes acceptable uses of personal devices for company business. Organizations that publish policies and systematize training not only improve security, but also enhance their compliance posture by showing auditors that they are taking action to protect confidential information.
Once system admins have secured the wireless communications of their employees, they can move the focus to providing controlled access for guests. Uncontrolled access to wireless networks is a common security issue. Often, customers, suppliers and other office visitors are given IDs and passwords that provide perpetual access to internal networks. Stories abound of contractors whose passwords remained valid for weeks or months after they moved on to other employers.
Some organizations address this problem by providing a separate guest network with limited access to core IT systems. This approach addresses the issue of transient guests, but it is expensive and not always useful for contractors and long-term guests.
A more effective approach is to find tools that restrict guest and contractor access to appropriate periods of time and place limits on their activities.
Managing access points
Deploying and managing wireless access points can be time-consuming. Large offices and campuses may require many access points to cover all office areas, conference rooms and meeting spaces used by employees. Multiple wireless networks for different groups and for guests can add to the work.
Not only does complex administration raise staffing costs, but it also increases the likelihood of accidental misconfigurations that cause security vulnerabilities.
Enterprises need to find tools that simplify tasks such as deploying new access points, checking on the status and settings of these devices, and changing parameters. A best-case scenario is to find tools that do not require specialized knowledge or a long learning curve, so the work can be done by network administrators rather than wireless networking specialists.
Providing technical support to remote and branch offices is also a challenge. Constant travel is rarely an option, and it is difficult to work through remote personnel, particularly if no local IT staff is available. Administrators need to find tools that allow them to deploy, monitor and update remote access points from a central console.
Integrating wireless traffic into the network
Cyber criminals are increasingly targeting wireless traffic as an avenue to penetrate enterprise networks. They are exploiting more opportunities to find weak points because of the growing number of:
- Remote and mobile workers.
- Home computers and mobile devices that lack the endpoint protection tools found on workstations that reside in company offices.
- BYOD policies that limit the control that companies have over the selection and configuration of mobile devices (a trend amplified by the increasing number of organizations with bring-your-own-computer policies).
To prevent wireless traffic from becoming a major threat vector, enterprises should ensure that wireless traffic flows through the full network security infrastructure so it can be scanned for malware. Probes and attacks can also be detected.
Ideally, the connection should be two-way, so traffic that goes out through the wireless network must first pass through the core security infrastructure. That allows URL and content filtering tools to prevent employees from visiting websites that contain malware or are related to phishing and social engineering attacks. It may also help detect data being exfiltrated as part of an advanced persistent threat.
Putting it all together
Secure wireless networking for business goes far beyond SSIDs and passwords. Administrators need to manage the basics in multiple locations, efficiently and reliably. They need to be able to tailor access to different employee and guest use cases. And they need to make sure that wireless traffic is scanned just as thoroughly as any other type of web traffic. Ideally, these goals should be achieved economically, and without highly specialized skills or extra training.