Enterprise LAN:
With the rapid adoption of Wi-Fi networks by enterprise IT departments everywhere, wi-fi network security now involves an entirely new dimension of vulnerability to malicious hackers and casual intruders. Applications and data have literally taken to the airwaves, thanks to the compelling productivity and efficiencies gained by mobility tools such as notebook PCs, handhelds and Blackberries. As an extension to existing wired infrastructure, Wi-Fi helps companies achieve better customer responsiveness and improvements in the bottom line.
Enterprise Wi-Fi Security
The downside is that making corporate data accessible through Wi-Fi networks means intruders and other unwanted visitors can easily access such networks if proper precautions and tools aren't used to protect them. In addition, the enterprise wired network itself is subject to unauthorized access without proper precautions. There are five fundamental areas which must be considered when securing the enterprise against wireless threats.
- Creating a wireless Security Policy
- Securing the Enterprise Wireless LAN
- Securing the Enterprise Wireline Network
- Securing corporate laptops from wireless threats when outside the enterprise
- Educate employees regarding the wireless policy
This paper will discuss best practices in all five areas to secure the enterprise network, whether wired or wireless, from unauthorized use and hackers. This should be complemented by strong access control and wireline security policies. This paper assumes that a strong firewall, VPN, a VLAN architecture for multiple user communities and wireline IDS/IPS already are in place for the Wi-Fi Network Security. Together, the combination can protect the enterprise from unauthorized use, theft and damage to the company's reputation with customers and partners.
Create a Wireless LAN Security Policy:
Much like the security policy that you have in place for wireline access, it's a good idea to begin with a written wireless network security policy that covers authorized use and security. A good place to start is with some templates that already exist for the specific sections that should be covered. Good places to review documents for a wireless policy include the SANS Institute and CWNP.1 Typically, security policy documents include the following sections:
- Purpose - Scope - Policy
Background for this document should be thoroughly researched. Most Wi-Fi Network Security issues can be traced to oversights or errors in security policy implementation. The following discusses some best practices that you may wish to incorporate into your Wireless LAN Security Policy.
Securing the Enterprise Wireless LAN:
Enterprise wireless LAN deployments have skyrocketed in recent years, evolving from guest access in conference rooms, to limited hot zones of connectivity within the enterprise to full coverage throughout the organization. Unfortunately, many of these deployments are still insecure, leaving opportunities for the just plain curious or malicious hackers to try and access confidential enterprise information. Securing a wireless LAN is not hard - industry advances in technology and vendor innovation makes this easier than ever. Following are best practices for securing your enterprise wireless LAN.
Change the Manufacturer's Default SSID to a 'Secure' SSID
Access points come with a standard network name such as tsunami, default, linksys, etc that broadcast to clients to advertise the availability of the access point. This should be changed immediately upon installation.
When renaming the access point SSID, choose something that is not directly related to your company. Do not choose your company name, company phone number or other readily available information about your company that is easy to guess or find on the Internet.
Use Strong Encryption and Authentication
Default settings for most access points do not include any form of security being enabled. This is the most common reason that wireless LANs are hacked or used by unauthorized personnel. When deployed, immediately turn a method of over-the-air security on. For enterprises, it is recommended that the most secure over-the-air encryption and authentication method be used - either IEEE 802.11i or a VPN.
IEEE 802.11i, also known as WPA2 when the access point is certified by the Wi-Fi Alliance, uses IEEE 802.1x for mutual authentication between the client and the network and AES for data encryption. Its predecessor was WPA, an interim form of security certified by the Wi-Fi Alliance while the 802.11i standard was still being ratified. WPA also uses 802.1x for authentication, but TKIP for encryption. While AES is considered the stronger encryption method, it is worth noting that WPA has never been cracked.
