Our spanking-new "How To" issue includes one article on "How to lock down your WLAN."
I asked three of the Network World Test Alliance experts -- Dave Newman, Tom Henderson and Joel Snyder -- to offer their thoughts on this subject. All three agree it's possible to secure large-scale enterprise nets. And all three say it takes a lot of work.
"Have a plan, follow it through, and don't half-ass it," Henderson says. "Figure out encryption and authentication before you start."
They stress that there are different parts to the security puzzle and all have to be in place. And that a WLAN is both like, and unlike, your wired net.
"Understand that your wireless network is like your wired network -- it has multiple uses," says Snyder. "Ergo, you will want to have an insecure part [outside the firewall] and a secure part." Why an insecure part? Because some folks need or want only some simple convenience that the WLAN can offer. If you don't give them that convenience, in an ordered, systematic way, Snyder says, they'll look for ways to get it themselves, and subvert security to do so.
Policies that outline what you can and can't do with the corporate WLAN -- for example, "don't set up your own access point" -- are important, Henderson says. But policies "have to have some flexibility in them or users will be tempted to add [WLAN] equipment 'just so they can get work done,'" he says.
Your WLAN introduces what could be called "three-dimensional chess" into your network. "A wireless network is above and below [you], in a 360-degree-by-360-degree profile," says Henderson.
"WLANs are often unencrypted by default, and everything on them is out in the open until it's encrypted," Henderson says. "Some type of encryption must be selected and therefore [encryption] keys must be distributed." Plan on being attentive to key distribution and management no matter what encryption scheme you use.
Encrypting the net scrambles all the stuff passing over it. But you still need user authentication. "While 802.1x is a pain, it is about the only option right now," says Snyder. He considers "Web-based authentication," usually built around Secure Sockets Layer (SSL) to offer little true security, "especially across a large [user] base."
For many sites, he says, much of what you need for 802.1x is readily available: PEAP and TTLS are available now on Windows 2000 and Windows XP as authentication methods for 802.1x; Meetinghouse offers inexpensive clients for Macintosh and other platforms; and Wi-Fi Protected Access (WPA) software can correct weaknesses in the existing Wired Equivalent Privacy (WEP) encryption for 802.11 WLANs.
Henderson proposes using existing RADIUS or DIAMETER servers as proxy authentication mechanisms that are tied directly to your working directory services.
Newman points out that net execs should attend to both Layers 2 and 3 security. Anything with the "802." prefix is Layer 2; IPSec and most firewalls are Layer 3 and above. "We need both," Newman says.
RF monitoring to detect unauthorized or rogue access points is increasingly important. Henderson suggests evaluating WLAN switch vendors, such as Airespace, Aruba, Trapeze, as the basis of intrusion detection control; or a combination of gateway, firewall and DMZ, based on security gateway products from vendors like Bluesocket and Vernier.
"Security" for WLANs should be thought of as more than simply "access," says Snyder. "If you want your network to be as secure as your wired network, you need to look at issues such as reliability, monitoring and RF management...If the network is not reliable, then it is not secure."
Don't overlook the client devices, warns Henderson. "Consider using device-side firewall applications for each and every wireless device, whether notebook, tablet PC or handheld device," he says. "Any of these devices can be exposed to crack attempts outside the protected geography [of the enterprise], and can bring home new and interesting problems to fix."
Avoid a host of "anklebiters" by simply paying attention to basic details, says Newman. Use 128-bit WEP, "because it's better than [using] nothing," he says. Don't use the default SSID settings for your access points. "It's staggering, and a little depressing, how many folks run [a WLAN] with these default settings," Newman says.
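The two operational checks in this column, spotting rogue access points from RF monitoring and catching the "anklebiter" defaults (default SSIDs, no encryption, short WEP keys), can be folded into one audit over scan results. The following is an added example, not code from the column or from any of the Test Alliance experts: it compares observed beacons against an inventory of sanctioned APs and reports each problem found. The inventory, the scan records, the list of factory-default SSIDs and the `corp-guest` open segment (the deliberately "insecure part" Snyder describes) are all constructed sample values. The encryption check uses the column's own floor of 128-bit WEP; WEP of any key length has since been broken and is superseded by WPA2/WPA3, so a current policy would flag WEP outright.

```python
"""Audit observed WLAN beacons against an inventory of authorized APs.

Added example, not from the column. All BSSIDs, SSIDs and the default-SSID
list are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuthorizedAP:
    ssid: str
    open_allowed: bool = False  # True only for the guest segment outside the firewall


# Constructed inventory: BSSID -> what that radio is supposed to advertise.
AUTHORIZED_APS: Dict[str, AuthorizedAP] = {
    "00:11:22:aa:bb:01": AuthorizedAP("corp-secure"),
    "00:11:22:aa:bb:02": AuthorizedAP("corp-secure"),
    "00:11:22:aa:bb:03": AuthorizedAP("corp-guest", open_allowed=True),
}

# Illustrative factory-default SSIDs; a real list would come from your own vendor mix.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "wireless", "dlink"}


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    encryption: str      # "none", "wep" or "wpa"
    wep_key_bits: int = 0  # only meaningful when encryption == "wep"


def audit(beacons: List[Beacon],
          authorized: Dict[str, AuthorizedAP] = AUTHORIZED_APS) -> List[Tuple[str, str]]:
    """Return (bssid, issue) pairs for every policy violation in the scan."""
    findings: List[Tuple[str, str]] = []
    for b in beacons:
        bssid = b.bssid.lower()          # normalise case before the inventory lookup
        known = authorized.get(bssid)
        if known is None:
            findings.append((bssid, "rogue-ap"))        # radio not in the inventory
        elif known.ssid != b.ssid:
            findings.append((bssid, "ssid-mismatch"))   # sanctioned radio, wrong network
        if b.ssid.lower() in DEFAULT_SSIDS:
            findings.append((bssid, "default-ssid"))
        open_ok = known is not None and known.open_allowed
        if b.encryption == "none" and not open_ok:
            findings.append((bssid, "unencrypted"))
        elif b.encryption == "wep" and b.wep_key_bits < 128:
            findings.append((bssid, "weak-wep"))
    return findings


# Constructed scan output: three sanctioned radios and two that are not.
SAMPLE_SCAN = [
    Beacon("00:11:22:aa:bb:01", "corp-secure", "wpa"),
    Beacon("00:11:22:aa:bb:03", "corp-guest", "none"),
    Beacon("00:11:22:AA:BB:02", "corp-secure", "wep", 128),
    Beacon("de:ad:be:ef:00:01", "linksys", "none"),
    Beacon("de:ad:be:ef:00:02", "salesteam", "wep", 40),
]


def sample_findings() -> List[Tuple[str, str]]:
    return audit(SAMPLE_SCAN)


if __name__ == "__main__":
    for bssid, issue in sample_findings():
        print(f"{bssid}  {issue}")
```

Run against the sample scan, the three inventoried radios pass (the guest segment is open by design), while the two unknown BSSIDs are reported as rogue, and additionally as default-SSID and unencrypted for the first and weak-WEP for the second. Feeding it real scan data means replacing `SAMPLE_SCAN` with whatever your RF monitoring tool exports.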
Finally, put it all in writing.
"Document everything," Henderson says.
What are you doing to secure your enterprise WLAN? What kinds of end-user attitudes and actions are you running into? Do you know if you're being attacked through the WLAN? Is its availability being compromised by denial of service attacks? Write me at jcox@nww.com.