Wireless Local Area Networks (WLANs) have become extremely convenient methods of accessing network resources. But if they are not properly secured, companies are exposing themselves to myriad threats from hackers, viruses, and other abuses.
Kang Eu Ween, Enterprise Solutions Director for Juniper Networks, presents six questions CIOs should ask themselves about their WLAN infrastructure.
1. Is your wireless LAN encrypted?
If not, it should be, using the latest encryption technologies. An unsecured WLAN is openly accessible by anyone with a Wi-Fi enabled device. WLAN encryption is an evolving field and new methods to secure WLAN traffic are being created. Legacy methods (including WEP) may not be secure enough because exploits and weaknesses are always being discovered. As of this writing, WPA encryption is seen to be superior to WEP encryption, and a second version of WPA is in the works.
Also, always use the highest bit-strength available.
2. Is the encrypted wireless LAN connected directly to the corporate internal network?
It is better not to have the WLAN instantly and directly connect to key network resources, but rather have in place network authentication mechanisms (on top of WLAN encryption and authentication) to check the security clearance of users connecting via the WLAN.
Treat the WLAN the same way you would a wired LAN because a WLAN is essentially the same as the open Internet, as in the Demilitarized Zone (DMZ) in front of a firewall, and open to attack by anyone. The best way to secure the network is to have an SSL VPN run on top of the WLAN. An SSL VPN can allow access to only specific network resources and applications, rather than the entire network by default (as in an IPSec-based VPN).
Client and host checking functionality, such as the Juniper Networks’ Endpoint Defense Initiative, also ensures client machines are checked to be virus-free and fit certain security criteria before connecting to the network.
3. Is there a security policy in place to restrict users from adding wireless access points to the internal corporate network?
Even the best technical mechanisms will be meaningless if users decide to circumvent them. Security policies must be in place to encourage proper security habits. Users should also be properly trained in security procedures.
4. Is the encrypted wireless LAN being segmented for different groups of users?
There is no need to offer complete and limitless access to all network resources for all users. It is better to segment the network so that specific user groups (e.g., Human Resources) can access the resources they need. In the event of a network breach, hackers will not instantly gain access to everything.
5. Are users using strong authentication?
Three-factor authentication, such as that offered by RSA’s SecurID token, is an excellent method to ensure users are properly authenticated. But authentication must not be confused with data encryption, and network traffic should still be secured even if users successfully authenticate. This is to prevent vulnerability to man-in-the-middle wire-tapping attacks on the WLAN radio signals.
6. Is there another wireless LAN ready for visitors/customers?
It is not only convenient for visitors to your company to have WLAN access, it is also imperative that guests only use the Internet and do not have unfettered access to internal resources. Guests should have guest accounts and should never be given internal user logins. Visitors might accidentally provide the logins to hackers, and visitors may also have relationships with your competitors that you are not aware of. Best to be safe.
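Questions 1, 3 and 6 can be checked mechanically against an access point inventory. The Python sketch below is an added example, not part of the original article; the record fields, SSIDs, BSSIDs and VLAN numbers are constructed, and it assumes the wireless survey has been joined with switch data so each record says whether the access point is plugged into the corporate LAN.

```python
"""Audit an access point inventory against questions 1, 3 and 6 above."""

WEAK_ENCRYPTION = {"OPEN", "WEP"}  # question 1: unencrypted or legacy WEP

# Constructed sample data. "wired" is an assumed field meaning the AP's MAC
# address was also seen on a corporate switch port.
SAMPLE_SURVEY = [
    {"bssid": "02:00:00:00:00:01", "ssid": "corp-staff", "encryption": "WPA", "vlan": 10, "wired": True},
    {"bssid": "02:00:00:00:00:02", "ssid": "corp-staff", "encryption": "WEP", "vlan": 10, "wired": True},
    {"bssid": "02:00:00:00:00:03", "ssid": "corp-guest", "encryption": "WPA", "vlan": 10, "wired": True},
    {"bssid": "02:00:00:00:00:99", "ssid": "home-router", "encryption": "OPEN", "vlan": 10, "wired": True},
    {"bssid": "02:00:00:00:00:50", "ssid": "cafe-next-door", "encryption": "OPEN", "vlan": 0, "wired": False},
]
APPROVED_BSSIDS = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}
GUEST_SSIDS = {"corp-guest"}
INTERNAL_VLANS = {10, 20}


def audit_survey(survey, approved_bssids, guest_ssids, internal_vlans):
    """Return a sorted list of (bssid, finding) tuples."""
    findings = []
    for ap in survey:
        if not ap["wired"]:
            continue  # neighbouring network, not attached to our LAN
        bssid = ap["bssid"].lower()
        # Question 3: an access point on the LAN that nobody approved.
        if bssid not in approved_bssids:
            findings.append((bssid, "unapproved access point on internal network"))
        # Question 1: traffic is unencrypted or uses legacy WEP.
        if ap["encryption"].upper() in WEAK_ENCRYPTION:
            findings.append((bssid, "weak or missing encryption: " + ap["encryption"]))
        # Question 6: a guest SSID must not drop visitors onto an internal VLAN.
        if ap["ssid"] in guest_ssids and ap["vlan"] in internal_vlans:
            findings.append((bssid, "guest SSID bridged to internal VLAN %d" % ap["vlan"]))
    return sorted(findings)


def audit_sample():
    """Run the audit over the constructed sample inventory."""
    return audit_survey(SAMPLE_SURVEY, APPROVED_BSSIDS, GUEST_SSIDS, INTERNAL_VLANS)


if __name__ == "__main__":
    for bssid, finding in audit_sample():
        print(bssid, finding)
```
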