There is no shortage of advice on wireless security. Unfortunately, the Internet's ability to archive everything anyone ever wrote means that old, outdated advice can overwhelm current information. In this wireless security update,
1) Open access for guests is a problem. If your stance on guest wireless is generous, and you offer free unprotected access, you need to rethink a bit. The trend among lawmakers is to prohibit freely available Wi-Fi by making you responsible for any use or misuse of your guest wireless service. Get ahead of the coming legal bandwagon by either turning on basic encryption or installing a captive portal.
We all know that WEP is completely discredited as an encryption protocol, and it is worth being precise about how discredited: with freely available tools, anyone who can hear a busy guest network recovers the WEP key from captured traffic in minutes, however often you rotate it. So a WEP key will not protect your guests' data, and it is a weak gate even as a "password of the day"; what it does do is keep casual freeloaders off, and you can turn it on in your current open wireless network in less than a minute. If that is as far as you can go, set a regular schedule for changing the key. Better, and no harder to set up, is WPA2-PSK (or WPA-PSK if you still have very old clients) with the same rotating daily passphrase: every current client supports it, and a long, random passphrase resists the offline guessing that a captured association handshake allows. A better solution still, if you have the time and the budget, is to install a simple captive portal that either authenticates individual guest users or is used to enter a unique daily password. This need not be an expensive alternative. You can find basic open source captive portals that can be loaded into small dedicated devices that sit between your guest wireless and the rest of the world. The cognoscenti are especially fond of Mikrotik's miniature, low-cost devices, which combine solid network hardware with well-supported features, such as a wireless portal.
Guest, or captive, portals can range from the very simple to elaborate guest provisioning systems. In the easiest case, you may simply ask that users agree to an acceptable usage policy or perhaps enter their name and email address -- the equivalent of asking someone to sign a guest register. Going further, you can have a password that changes daily or weekly, or even a system where individual users must register and be sponsored to receive a username and password that will let them through the portal and onto the Internet.
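The "password of the day" idea above, carried through on WPA2-PSK rather than WEP, as an added example that is not part of the original article and not Mikrotik's or hostapd's own tooling. It assumes a Linux access point running hostapd on interface wlan1; the secret file and config paths, the SSID and the systemd unit name are hypothetical. The day's passphrase is derived from a long-lived secret plus the date, so anyone at the front desk who knows the secret can compute today's key without a shared database.

```shell
#!/bin/sh
# Added example (not from the article): rotate a guest SSID's WPA2-PSK
# passphrase once a day and write the matching hostapd config.
# Assumptions (hypothetical): Linux AP running hostapd, guest radio on
# wlan1, secret and config paths as given in rotate_guest_key below.
set -eu

# Hash helper: coreutils sha256sum, falling back to openssl if absent.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    openssl dgst -sha256 | awk '{print $NF}'
  fi
}

# Today's passphrase = first 16 hex chars of SHA-256(secret|date).
# 16 hex chars is 64 bits of entropy, enough to defeat offline guessing
# against a captured WPA2 handshake, and inside the 8-63 char PSK limit.
# Usage: guest_passphrase <secret> <YYYY-MM-DD>
guest_passphrase() {
  secret=$1
  day=$2
  printf '%s|%s' "$secret" "$day" | sha256_hex | cut -c1-16
}

# Emit a hostapd config for the guest SSID: WPA2 (RSN) with CCMP only.
# No WEP, no TKIP, no open auth. Usage: hostapd_guest_conf <iface> <ssid> <psk>
hostapd_guest_conf() {
  iface=$1; ssid=$2; pass=$3
  printf 'interface=%s\n' "$iface"
  printf 'ssid=%s\n' "$ssid"
  printf 'hw_mode=g\n'
  printf 'channel=6\n'
  printf 'wpa=2\n'
  printf 'wpa_key_mgmt=WPA-PSK\n'
  printf 'rsn_pairwise=CCMP\n'
  printf 'wpa_passphrase=%s\n' "$pass"
}

# Daily job: compute today's key, rewrite the config, reload hostapd,
# and print the key for whoever posts it at reception.
# Usage: rotate_guest_key [secret-file] [hostapd-conf]
rotate_guest_key() {
  secret_file=${1:-/etc/guest-wifi/secret}      # hypothetical path
  conf=${2:-/etc/hostapd/hostapd-guest.conf}    # hypothetical path
  today=$(date +%F)
  pass=$(guest_passphrase "$(cat "$secret_file")" "$today")
  hostapd_guest_conf wlan1 Guest "$pass" > "$conf"
  chmod 600 "$conf"                              # the PSK is in this file
  systemctl reload hostapd-guest 2>/dev/null || true   # unit name assumed
  echo "Guest Wi-Fi password for $today: $pass"
}
```

Run `rotate_guest_key` from a nightly cron job on the access point. Because the passphrase is a function of the secret and the date, a key that leaks today is useless tomorrow, and nothing has to be remembered between runs except the secret itself, which is why that file, and the generated config, must not be world-readable.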
2) RF management is more important than ever. With the rise in 802.11n devices and access points (you won't be able to buy new wireless devices without 802.11n soon), you need to be mindful of what is happening in the radio frequency (RF) environment. The old, and still correct, answer is to move your production wireless to the 5GHz band (where 802.11a lives and where 802.11n can run) as much as you can. This gives you more bandwidth and more non-overlapping channels to play with, and gets you out of the way of legacy 2.4GHz equipment and neighbors who may be stomping on your signal and affecting your performance. Early testers, including Craig Mathias of Farpoint Group, a Massachusetts-based mobile advisory firm, have found that mixing 802.11n and non-802.11n devices gives sub-optimal results, so if you can keep them out of each other's way, you'll have the happiest users.
3) Roaming wireless users on the road need protection. While we haven't seen a huge number of attacks on roaming wireless users in the wild, the number of potential ways to subvert and infect your users when they're using Wi-Fi on the road is growing every day. At several recent security conferences, researchers have demonstrated many scenarios threatening wireless users, such as "evil twin" access points, which pretend to be normal Internet access points but sit as man-in-the-middle attackers on everything the user does.
Device protections, such as antimalware tools and personal firewalls, are especially critical, as is training end users never, ever, to click through error messages about SSL certificates: on a hotspot, that warning is often the only sign that someone is in the middle of the connection. Your best solution is to insist that roaming users immediately bring up a VPN connection back to your corporate network for all traffic, including Internet browsing (probably an SSL VPN, since it runs over 443/tcp and so survives the uncertain, port-filtered environment of roaming Wi-Fi). That's right, time to turn off split tunneling and local network access for wireless roaming users, and to enforce that with the device's firewall rather than trusting the VPN client's settings alone. It's wasteful, yes, but only when you have an authenticated and encrypted tunnel, with no other traffic allowed to or from the device, are you getting protection against the growing spectrum of threats.
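What "enforce it with a firewall" looks like on a Linux laptop, as an added example that is not part of the original article and not any VPN vendor's client configuration. The function below prints an iptables-restore ruleset that drops everything on the Wi-Fi interface except DHCP and the SSL VPN handshake to the gateway, and lets all other traffic out only through the tunnel interface; the interface names, the gateway address and the 443/tcp port are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): a no-split-tunnel firewall policy
# for a roaming Linux laptop, emitted in iptables-restore format.
# Assumptions (hypothetical): Wi-Fi on wlan0, SSL VPN tunnel on tun0,
# VPN gateway reachable by IP on 443/tcp (pin the IP so no DNS is needed
# before the tunnel is up).
set -eu

# Usage: vpn_only_rules <vpn-gateway-ip> [wifi-iface] [tunnel-iface]
vpn_only_rules() {
  gw=$1; wifi=${2:-wlan0}; tun=${3:-tun0}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, and replies to flows this host started.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP, so the laptop can get an address on the hotspot at all.
-A OUTPUT -o $wifi -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $wifi -p udp --sport 67 --dport 68 -j ACCEPT
# The only traffic allowed in the clear: the SSL VPN session itself.
-A OUTPUT -o $wifi -p tcp -d $gw --dport 443 -j ACCEPT
# Everything else rides the tunnel. No split tunneling, no local LAN.
-A OUTPUT -o $tun -j ACCEPT
COMMIT
EOF
}

# Apply on a real machine (needs root): vpn_only_rules 203.0.113.10 | iptables-restore
# Usage when run as a script: ./vpn-only.sh <vpn-gateway-ip> [wifi] [tun]
```

Two caveats a practitioner will hit straight away. First, IPv4 rules do nothing for IPv6: apply an equivalent ip6tables policy or disable IPv6 on the Wi-Fi interface, otherwise traffic walks around the tunnel. Second, a hotspot's own captive portal has to be satisfied before the VPN can connect, so the policy needs a deliberate, short-lived exception for that login (many VPN clients offer a "hotspot login" mode for exactly this) rather than a permanent hole for port 80.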
4) Wireless switches aren't just for big companies. Originally, folks like Aruba Networks Inc., Airespace (now Cisco Systems Inc.) and Trapeze (now part of Belden Inc.) built wireless switches that didn't pay off until you had fifty or more access points. Now, a slew of other companies have entered the wireless switch business specifically aimed at the SMB market. Netgear Inc., D-Link Corp., Motorola Inc., SonicWALL Inc., and more are all solidly in the wireless switch business. Get out of the habit of buying cheap standalone access points and managing them as individual elements -- you're just asking for both security and RF configuration errors and mishaps. Send that old stuff home with employees or donate it to a local charity, and start buying dual-band 802.11n gear that will talk to a wireless switch. Even with recent cost reductions, it's still more expensive than buying the AP-of-the-week from Best Buy, but the ability to manage your RF environment, apply a single security policy, easily segment guest and staff access, change configurations quickly, and have a single entry point for wireless traffic into your network all add up to a compelling argument to move to wireless switches.
About the author:
Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.
This was first published in May 2010