This is the third and final post in a series examining the risks associated with the three most popular Wi-Fi network categories (listed below), and what users can do to manage these.
- Residential, Home, SOHO (Small Office/Home Office) Wi-Fi networks
- Public Wi-Fi networks (coffee shops, libraries, shopping malls, hospitality market, outdoor hot spots provided by the telcos or ISPs)
- Enterprise Wi-Fi Networks (internal staff and guest network access)
Enterprise Wi-Fi Networks
There are multiple formats of enterprise Wi-Fi setups, including:
- standalone Access Points (APs)
- light-weight APs adopted by a controller
- hybrid solutions, which are a combination of the above
- controller-less types of architectures (APs communicating between each other)
- mesh APs
- APs and controllers managed by a Wireless Network Management System (WNMS)
- APs and controllers managed by a virtualized based and/or cloud-based solution
Depending on an enterprise’s security strategy, these infrastructures are used in the following setups:
- open system authentication (no security at all)
- open system authentication and using a so-called “Captive Portal”, for example, a guest network for visitors, subcontractors, suppliers, which has a login page to enter your credentials
- APs with a configured encryption standard (WEP, WPAv1 or v2 PSK).
- APs using IEEE 802.1X authentication with an Authentication Server in the backend of the network containing the usernames and passwords. Note: open system authentication is still required first, before the real (802.1X) authentication can take place, to create a Robust Security Network (RSN) Architecture.
What to be aware of when setting up and managing an Enterprise Wi-Fi Network
Establishing and managing the security for an enterprise’s network can be challenging and may require additional security solutions to manage the security in the enterprise end-to-end. Such solutions include:
- Network Access Control (NAC) solutions, which allow client devices (laptops and smart devices) to be centrally managed before they can get access to the corporate network. Security policies can also be applied to these devices to maintain the security, for example, setting personal firewall rules, updating anti-virus and anti-malware policies, and enabling/disabling USB ports, CD/DVD drives and other interfaces, in particular when two interfaces are active at the same time (e.g. a Wi-Fi interface and an Ethernet interface, a Bluetooth interface and Wi-Fi, or a 3G/4G/LTE/5G mobile/cellular connection together with a Wi-Fi interface).
- Mobile Device Management (MDM) solutions to manage either corporate issued and/or Bring Your Own Device smartphone/tablets being used on the corporate network. Such solutions can include measures to manage which applications and software can be downloaded and used during working hours, including social networking apps; use of cameras when the device is within the premises; the ability to set up a Wi-Fi hotspot on the device (“tethering”).
- Wireless Intrusion Detection and Prevention Solutions (WIDPS), which are essentially large database-backed monitoring systems in which Wi-Fi activity is collected, correlated and monitored for suspicious activity. Such solutions can help detect Denial of Service (DoS) attacks as well as rogue APs or clients, which can be isolated from the network if needed by air termination or switch-port-based blocking. Furthermore, they can help security officers report on the health and security of the Wi-Fi system.
- Firewalls, Network Intrusion Detection/Prevention Systems (NIDPS), Routers with Access Control Lists (ACLs), switches with port-based access, private VLANs, Authentication Servers (RADIUS, LDAP, DIAMETER, KERBEROS) and Virtual Private Network (VPN) solutions.
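The WIDPS correlation described above, reduced to its two core checks, as an added example that is not code from the original post or from any WIDPS product: it runs over constructed sensor records (the BSSIDs, SSIDs and thresholds are hypothetical), flags rogue APs by comparing beacons against an authorized-AP inventory, and flags a deauthentication flood (a common Wi-Fi DoS) with a sliding-window rate count.

```python
from collections import defaultdict
# Authorized AP inventory (hypothetical values): BSSID -> the SSID it may advertise.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
    "00:11:22:33:44:03": "CorpGuest",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())
# Constructed sensor records: (timestamp_sec, frame_type, source_bssid, ssid). The
# last entry adds 40 deauthentication frames in two seconds, as a Wi-Fi DoS would look.
SENSOR_LOG = [
    (0.0, "beacon", "00:11:22:33:44:01", "CorpNet"),
    (0.1, "beacon", "00:11:22:33:44:03", "CorpGuest"),
    (0.2, "beacon", "de:ad:be:ef:00:01", "CorpNet"),       # corporate SSID, unknown BSSID
    (0.3, "beacon", "aa:bb:cc:dd:ee:ff", "CoffeeShop"),    # neighbour's AP, not our SSID
    (0.4, "beacon", "00:11:22:33:44:02", "CorpNet-Test"),  # our AP, wrong SSID
    (0.5, "deauth", "00:11:22:33:44:03", None),            # a single, normal deauth
] + [(1.0 + i * 0.05, "deauth", "00:11:22:33:44:01", None) for i in range(40)]

DEAUTH_WINDOW_SEC = 5.0  # sliding window length
DEAUTH_THRESHOLD = 20    # deauth frames per window from one BSSID that count as a flood

def detect_rogue_aps(log):
    """Flag beacons that contradict the inventory: evil twins and misconfigured APs."""
    alerts, seen = [], set()
    for _, ftype, bssid, ssid in log:
        if ftype != "beacon" or (bssid, ssid) in seen:
            continue
        seen.add((bssid, ssid))
        if bssid in AUTHORIZED_APS:
            if AUTHORIZED_APS[bssid] != ssid:
                alerts.append(("misconfigured_ap", bssid, ssid))
        elif ssid in CORPORATE_SSIDS:
            alerts.append(("evil_twin", bssid, ssid))
    return alerts

def detect_deauth_floods(log, window=DEAUTH_WINDOW_SEC, threshold=DEAUTH_THRESHOLD):
    """Sliding-window deauth count per source BSSID; one alert per BSSID at threshold."""
    alerts, flagged, recent = [], set(), defaultdict(list)
    for ts, ftype, bssid, _ in log:
        if ftype != "deauth":
            continue
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.pop(0)
        if len(q) >= threshold and bssid not in flagged:
            flagged.add(bssid)
            alerts.append(("deauth_flood", bssid, len(q)))
    return alerts
```

A real WIDPS would feed these alerts into the isolation actions the post mentions (air termination or switch-port blocking) and into health reporting; the neighbour's "CoffeeShop" AP is deliberately left unflagged because it advertises none of the corporate SSIDs.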
Security risks to be aware of when using Enterprise Wi-Fi networks
These environments can be extremely complex, especially when they connect thousands of wired and wireless devices, both corporate and personal, and as such require continual upkeep to maintain performance and security. Take for example WIDPS systems, either standalone or integrated in WNMS, or cloud-based platforms, which can easily have up to 250+ different types of Wi-Fi security-related events.
In our Wi-Fi security workshops, we teach attendees about the need to continually manage and test these systems – we often compare this practice to the need to test smoke detectors; how do you know that you’ll be alerted when there is a fire if you don’t continually test the detectors?
Overall, Wi-Fi security should be part of a broader security perspective, for example, an internationally accepted framework like ISO/IEC 27001 ISMS (Information Security Management System) to manage security end-to-end. This includes further developing a Wireless Service Security Management System (WSSMS) aligned with the ISO standard.
How can you protect yourself from such risks?
There are several ways that enterprises can manage these security risks. These include:
- Getting management buy-in so they understand the risks and importance of protecting company assets and information, and need to comply with local and international regulations.
- Appointing a dedicated security officer and team, preferably in the organization itself, which is accountable or responsible for the security in the organization 24 hours a day, 7 days a week.
- Engaging with external security experts to stay up-to-date with the latest security trends and help with security vulnerability assessments for compliance reasons.
- Training and education at all levels in the organization, which includes management, personnel, internal and external staff and suppliers. Note: the training needs to cover multiple security domains.
- Implementing automated security systems as mentioned earlier, for example, NAC, MDM and WIPS.
Be sure to check out the other posts in this series, including those on public and on home and office Wi-Fi security.
Ronald van Kleunen is CEO of Globeron Pte Ltd. He is a Certified Wireless Network Expert and Certified Security Professional.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
Hi Tom Van Driessche,
This was an excellent, informative post you have shared on this page about the choosing of a switch in a network to access the wireless point of hostapd with the help of a wireless mobile network, and if you want to increase the security of data files related to your organization then you must buy a mobile wireless with four antennas, because its range is large and also this router sends a packet of acknowledgement automatically if someone tries to hack the system, so you must buy this router after getting the suggestions of different senior persons about the usage of this product.