Best Practices for Securing Your Enterprise LAN

Best Practices for Securing Your
Enterprise Wireless Perimeter
339 N. Bernardo Avenue, Suite 200 . Mountain View, CA 94043www.airtightnetworks.net
A I R C O V E R F O R N E T W O R K S E C U R I T Y © 2005, Airtight Networks. All rights reserved.Best Practices for Securing Your Enterprise Wireless Perimeter
Overview
With the rapid adoption of Wi-Fi networks by enterprise IT departments everywhere, networksecurity now involves an entirely new dimension of vulnerability to malicious hackers and casualintruders. Applications and data have literally taken to the airwaves, thanks to the compellingproductivity and efficiencies gained by mobility tools such as notebook PCs, handhelds andBlackberries. As an extension to existing wired infrastructure, Wi-Fi helps companies achievebetter customer responsiveness and improvements in the bottom line.
The downside is that making corporate data accessible through Wi-Fi networks means intrudersand other unwanted visitors can easily access such networks if proper precautions and toolsaren't used to protect them. In addition, the enterprise wired network itself is subject to unau-thorized access without proper precautions. There are five fundamental areas which must beconsidered when securing the enterprise against wireless threats.
. Creating a wireless security policy
. Securing the enterprise wireless LAN
. Securing the enterprise wireline (Ethernet) network
. Securing corporate laptops from wireless threats when outside the enterprise
. Educate employees regarding the wireless policy
This paper will discuss best practices in all five areas to secure the enterprise network,whether wired or wireless, from unauthorized use and hackers. This should be complement-ed by strong access control and wireline security policies. This paper assumes that a strongfirewall, VPN, a VLAN architecture for multiple user communities and wireline IDS/IPS alreadyare in place. Together, the combination can protect the enterprise from unauthorized use,theft and damage to the company's reputation with customers and partners.
Create a Wireless LAN Security Policy
Much like the security policy that you have in place for wireline access, it's a good idea tobegin with a written wireless policy that covers authorized use and security. A good place tostart is with some templates that already exist for the specific sections that should be covered.1Good places to review documents for a wireless policy include the SANS Institute and CWNP.Typically, security policy documents include the following sections:
. Purpose
. Scope
. Policy
1For more information, go to http://www.sans.org/resources/policies/Wireless_Communication_Policy.pdf andhttp://www.cwnp.com/templates/WLAN_Security_Policy_Template_v1.05.pdf Page 1 of 8
A I R C O V E R F O R N E T W O R K S E C U R I T Y © 2005, Airtight Networks. All rights reserved.Best Practices for Securing Your Enterprise Wireless Perimeter
. Responsibilities
. Enforcement
. Definitions
. Revision History
Background for this document should be thoroughly researched. Most security issues can betraced to oversights or errors in security policy implementation. The following discusses somebest practices that you may wish to incorporate into your Wireless LAN Security Policy.
Securing the Enterprise Wireless LAN
Enterprise wireless LAN deployments have skyrocketed in recent years, evolving from guestaccess in conference rooms, to limited hot zones of connectivity within the enterprise to fullcoverage throughout the organization. Unfortunately, many of these deployments are stillinsecure, leaving opportunities for the just plain curious or malicious hackers to try and accessconfidential enterprise information. Securing a wireless LAN is not hard - industry advancesin technology and vendor innovation makes this easier than ever. Following are best prac-tices for securing your enterprise wireless LAN.
Change the Manufacturer's Default SSID to a 'Secure' SSIDAccess points come with a standard network name such as tsunami, default, linksys, etc thatbroadcast to clients to advertise the availability of the access point. This should be changedimmediately upon installation.
When renaming the access point SSID, choose something that is not directly related to yourcompan... [download for more]