Secure Network Access for Contractors, Business Partners and Guests

By: Identity Engines
Published: Oct 15, 2007
Length: 8
Type: White Paper

Overview :

Guests, contractors, vendors, business partners, and other temporary users require and expect a certain level of network access within the organizations they visit. Corporate network access has typically been open; internal LAN connections have seldom required authentication. Today, however, regulatory and other security concerns demand that organizations adopt a more secure posture towards these short-term users.

The best approach to solving the guest user problem leverages an organization’s existing network infrastructure and enforcement devices to prevent significant overhead or cost. Read more in this white paper.

Browse Related Categories: Access Control, Authentication, Local Area Networking

Before wireless access, laptops, and DHCP, it was common to use the network to segment access according to user role. Firewall rules could use the static IP address of a user’s 30-pound desktop to ensure that machine’s user had access to the appropriate resources. For all intents and purposes, this was as good as writing a rule based on the identity of the user herself. In recent years, mobility has relegated the network to a second-tier role from a security perspective.
Authenticating the user at the network connection itself is quite easy with dial-up and VPN. For LAN access, the picture is quite different. Physical access to the building is often used as a proxy for a valid authentication. Anyone in the building, regardless of his or her role, can plug in a device with an IP stack and connect.
Unfortunately, this trend towards all or nothing access has occurred at the exact time that the types of network users and the ways they connect are becoming more diverse. Short-term or “guest” users are using this open LAN connectivity to access corporate data and applications to complete assignments or retrieve information.
On the whole, that's not a bad thing. Network utility and value have grown, and the constituents are able to derive value from it. The security reality of this increased connectivity is far less desirable.
Open networks force applications to shoulder the burden of security. Traditional network firewalls and intrusion prevention devices still serve a role, but as more application traffic is encrypted and as users are more apt to change their IP addresses, their utility is growing more suspect. Networks and data are hardly secure if anyone is allowed to knock on the front door of a critical application with impunity.
Just as a corporation badges its doors, activates alarms and employs security guards to protect its buildings, it is only common sense that multiple defenses are needed to secure its network. Beyond the intuitive hypothesis of multiple layers of defense lies a far less ambiguous admonishment of open networks: audit and regulatory requirements.
In a heavily regulated world, chances are SOX, HIPAA, PCI, GLBA, DMCA, CALEA, FISMA or other mandates apply to most organizations and networks. Compliance with these regulations usually requires audited network access. Auditors are interpreting some of these regulations as mandating authenticated networks so that access can be traced based on time of day, user or even network destination.
The heightened security requirements couldn’t have come at a worse time for organizations. IT spending and budgets have been on the decline for the last several years. This is especially critical for authenticated networking since solutions must span multiple forms of network access including remote-access, wired, and wireless. If not managed carefully, guest management can become a costly proposition to many organizations. The best approach to solving the guest user problem leverages an organization’s existing network infrastructure and enforcement devices to prevent significant overhead or cost.

Open Wireless LAN to the Internet
This is the least secure, least auditable, most legally suspect, and naturally, the most deployed solution for guest access. Organizations simply deploy a parallel wireless infrastructure or a separate SSID that provides access only to the Internet; essentially, this is a free hotspot within the organization that is open to anyone.
The benefits of this approach are its low cost, simple deployment, and limited ongoing maintenance requirements. These benefits are also limiting factors. Without an audit of use, there is no way of knowing who is taking advantage of the network or what (possibly illegal) activities it is being used for. Additionally, long-term users are given a quick way to get direct Internet access if desired. This can be challenging from a security perspective, since long-term users can be simultaneously connected to the Internet and to the organization's main internal network. Attacks that might compromise the Internet-facing wireless connection could potentially traverse the user's client device to the internal network via the wired port. This option also does nothing to prevent guest users from connecting to any wired port to get full access to the network.
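The dual-connection problem described above (a long-term user's laptop holding a lease on the Internet-only guest SSID while also plugged into the corporate wired LAN) is something a defender can at least detect from DHCP records, even if the open guest network itself is not audited. The script below is an added example, not part of the white paper or of Identity Engines' product: it correlates constructed DHCP lease lines from the guest wireless scope and the corporate wired scope and flags hosts whose leases overlap in time. Because the wired and wireless adapters have different MAC addresses, correlation is by the hostname the client sends in its DHCP request; the log format, scope names and that hostnames are populated and consistent are all assumptions.

```python
"""Flag endpoints that hold a guest-Wi-Fi lease and a corporate-wired lease
at the same time (a potential bridge between the two networks).

Added example, not from the white paper. Lease lines are constructed and
their format (scope,timestamp,hostname,mac,ip,lease_seconds) is assumed.
"""
from datetime import datetime, timedelta

# Constructed sample data, not a real DHCP log.
SAMPLE_LEASES = """\
guest-wlan,2007-10-15T09:02:11,LT-ALICE,00:11:22:33:44:01,10.250.1.23,3600
corp-wired,2007-10-15T08:55:40,LT-ALICE,00:11:22:33:44:02,10.20.4.17,28800
corp-wired,2007-10-15T08:50:02,WS-FINANCE-07,00:11:22:33:44:10,10.20.4.80,28800
guest-wlan,2007-10-15T09:10:30,VISITOR-PHONE,00:11:22:33:44:20,10.250.1.44,3600
guest-wlan,2007-10-15T07:00:00,LT-BOB,00:11:22:33:44:30,10.250.1.51,3600
corp-wired,2007-10-15T09:30:00,LT-BOB,00:11:22:33:44:31,10.20.4.90,28800
"""


def parse_leases(text):
    """Parse lease lines into dicts with absolute start/end times."""
    leases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        scope, ts, host, mac, ip, secs = line.split(",")
        start = datetime.fromisoformat(ts)
        leases.append({
            "scope": scope,
            "host": host.upper(),  # hostnames compared case-insensitively
            "mac": mac,
            "ip": ip,
            "start": start,
            "end": start + timedelta(seconds=int(secs)),
        })
    return leases


def find_dual_homed(leases, guest_scope="guest-wlan", corp_scope="corp-wired"):
    """Return (hostname, guest_lease, corp_lease) triples whose lease
    intervals overlap, i.e. the host was on both networks at once."""
    by_host = {}
    for lease in leases:
        by_host.setdefault(lease["host"], []).append(lease)

    findings = []
    for host, host_leases in sorted(by_host.items()):
        guest = [l for l in host_leases if l["scope"] == guest_scope]
        corp = [l for l in host_leases if l["scope"] == corp_scope]
        for g in guest:
            for c in corp:
                # Two closed intervals overlap iff each starts before the other ends.
                if g["start"] < c["end"] and c["start"] < g["end"]:
                    findings.append((host, g, c))
    return findings


if __name__ == "__main__":
    for host, g, c in find_dual_homed(parse_leases(SAMPLE_LEASES)):
        print(f"{host}: guest {g['ip']} ({g['mac']}) from {g['start']:%H:%M} "
              f"while wired {c['ip']} ({c['mac']}) from {c['start']:%H:%M}")
```

In the constructed data LT-ALICE is flagged (wired from 08:55, guest from 09:02) while LT-BOB is not, because its guest lease expired before the wired one began. Hostname correlation is deliberately loose; on a real network a managed-endpoint inventory that maps both adapters' MACs to one asset would give a more reliable join, and the finding is a prompt to enforce single-connection policy on the endpoint rather than proof of an attack.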