In today's increasingly wireless world, keeping your data safe is becoming harder. This is especially true for organizations whose internal devices communicate wirelessly to transfer protected data while the same organization also has to provide wireless internet access to its clients and vendors. Proper implementation will help ensure data security and regulatory compliance.
As in everything that has to do with IT security and compliance, it starts with planning. To achieve security, three items are required:
1) Separation of the corporate wireless network used to access and process confidential information from all other wireless network traffic
2) Controlled access to the corporate wireless network
3) Mechanisms to monitor access and use, and to alert on issues
Conceptually, the connectivity looks like this:
On smaller networks, some or even all of these devices can be combined. It is common in smaller environments for the network router and the edge firewall to be one physical device, such as a Cisco ASA or a SonicWALL TZ series firewall. While some of these devices come with built-in wireless access points, using them as the corporate access point is not generally recommended unless there are other considerations in play, such as location, type of business, etc.
The devices used in creating secure wireless networks must have the following features:
1) Support for Virtual Local Area Networks (VLANs)
2) Support for management via either console, SSH, or secure web connection
3) Support for the Simple Network Management Protocol (SNMP)
4) The wireless access points must support IEEE 802.1X (WPA2- or WPA3-Enterprise) with a Remote Authentication Dial-In User Service (RADIUS) server as the authentication backend. Access points normally speak RADIUS only; it is the RADIUS server that in turn queries the corporate directory over the Lightweight Directory Access Protocol (LDAP) or Active Directory, so check that the RADIUS server you intend to use supports your directory.
Thankfully, most devices sold today across all price ranges will support these.
The main differences between the two wireless networks are the authentication mechanisms and the access provided. The guest network can have a broadcast Service Set Identifier (SSID) that everyone can see, with either a simple shared-password or a web-based (captive portal) authentication mechanism. I would highly recommend using web-based authentication, as it allows for a written disclaimer and acknowledgement process that can be monitored and logged. Whatever the mechanism, the guest SSID must land on its own VLAN, and the firewall should allow that VLAN to reach the internet only, with no route to the corporate VLAN or to the management interfaces of the network devices. The process looks like this:
For the corporate network, the process is more complex. Turning off the broadcast of the network SSID and maintaining an allowed Media Access Control (MAC) address list are common additional measures, but neither is a strong access control on its own: clients probe for a hidden SSID by name, and a MAC address is sent in the clear in every frame and is trivially spoofed, so treat them as housekeeping rather than as the control that keeps unauthorized devices out. The control that actually restricts access is WPA2- or WPA3-Enterprise (IEEE 802.1X), in which each client authenticates with EAP through the access point to an internal RADIUS server, and the RADIUS server validates the user's credentials or certificate against the corporate directory (LDAP or Active Directory) in accordance with internal company access policy. That policy should include provisions for password complexity, periodic changes, and multi-factor authentication, and client devices should be configured to validate the RADIUS server's certificate so that a rogue access point broadcasting the corporate SSID cannot harvest credentials.
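As an added example, not taken from the original post, here is how the two SSIDs described above look in a hostapd configuration for a Linux-based access point. The interface names, bridge names, RADIUS server address and shared secrets are placeholders; the captive portal and firewall rules for the guest VLAN live on other devices and are not shown.

```ini
# Added example, not from the original post. Placeholders: interface/bridge
# names, RADIUS address (10.10.0.5) and the shared secrets.

# Primary BSS: corporate network, WPA2-Enterprise (802.1X/EAP) against an
# internal RADIUS server, bridged onto the corporate VLAN.
interface=wlan0
driver=nl80211
bridge=br-corp
ssid=CORP-WIFI
# Hidden SSID as the post recommends; cosmetic only, clients still probe by name.
ignore_broadcast_ssid=1
hw_mode=g
channel=6
# Require 802.11w management frame protection (resists deauth spoofing).
ieee80211w=2
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# The access point only speaks RADIUS; the RADIUS server checks LDAP/AD.
auth_server_addr=10.10.0.5
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-LONG-RANDOM-SECRET
# RADIUS accounting to the same server feeds the monitoring step.
acct_server_addr=10.10.0.5
acct_server_port=1813
acct_server_shared_secret=CHANGE-ME-LONG-RANDOM-SECRET
# MAC allow list: deny unless listed. Weak on its own, since MACs are spoofable.
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept

# Second BSS on the same radio: guest network, open, isolated on its own VLAN.
# A captive portal gateway and a firewall rule "guest VLAN -> internet only"
# sit behind br-guest on other devices.
bss=wlan0_1
bridge=br-guest
ssid=GUEST-WIFI
ignore_broadcast_ssid=0
# Guests cannot talk to each other over the air.
ap_isolate=1
wpa=0
```

The important lines are `bridge=`, which puts each SSID on a different VLAN, and `wpa_key_mgmt=WPA-EAP` with the `auth_server_*` settings, which make the access point hand every corporate login to RADIUS instead of checking a shared password itself.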
The last step is to set up a monitoring mechanism that will alert if there is unauthorized access to either wireless network or to the devices providing access and managing the flow of data. In practice this means collecting syslog and RADIUS accounting records from the access points and the authentication server, polling the devices over SNMP, and alerting on events such as an unknown device associating to the corporate SSID, a burst of failed 802.1X authentications from one client, a configuration change or login on a network device outside normal administration, and a new access point appearing that broadcasts your SSID.
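As an added example, not part of the original post, the following Python script shows the shape of the detection logic for two of the alerts just described, run over a handful of constructed log lines modelled on hostapd's syslog output. The interface name `wlan0` for the corporate SSID, the allowed MAC list, the threshold of five failures per minute and the log lines themselves are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the style of hostapd syslog output.
# They are not captured from a real system. wlan0 is the corporate BSS,
# wlan0_1 the guest BSS (assumptions for this example).
SAMPLE_LOG = """\
Mar  3 09:00:01 ap1 hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated
Mar  3 09:00:02 ap1 hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Mar  3 09:05:10 ap1 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.11: associated
Mar  3 09:05:11 ap1 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar  3 09:05:14 ap1 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar  3 09:05:17 ap1 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar  3 09:05:20 ap1 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar  3 09:05:23 ap1 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Mar  3 09:10:00 ap1 hostapd: wlan0_1: STA 66:77:88:99:aa:bb IEEE 802.11: associated
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ hostapd: "
    r"(?P<iface>\S+): STA (?P<mac>[0-9a-f:]{17}) (?P<msg>.*)$"
)

# Policy inputs (assumed for the example).
CORP_IFACES = {"wlan0"}
ALLOWED_CORP_MACS = {"00:11:22:33:44:55"}
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=1)


def parse_line(line):
    """Return a dict for a hostapd STA event line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; a fixed year keeps the example reproducible.
    ts = datetime.strptime("2024 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "iface": m.group("iface"), "mac": m.group("mac"), "msg": m.group("msg")}


def detect(log_text):
    """Run two rules over the log and return (rule, mac, timestamp) alerts.

    unknown-mac-on-corp: a station not on the allow list associated to the
        corporate SSID (the MAC list is weak, but an unknown MAC is still a
        signal worth a ticket).
    8021x-brute-force: FAIL_THRESHOLD 802.1X failures from one station inside
        FAIL_WINDOW, i.e. someone guessing credentials against RADIUS.
    """
    alerts = []
    failures = defaultdict(list)  # mac -> timestamps of recent failures
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["iface"] not in CORP_IFACES:
            continue  # guest-side events are not subject to these two rules
        if ev["msg"].startswith("IEEE 802.11: associated") and ev["mac"] not in ALLOWED_CORP_MACS:
            alerts.append(("unknown-mac-on-corp", ev["mac"], ev["ts"]))
        if "IEEE 802.1X: authentication failed" in ev["msg"]:
            recent = [t for t in failures[ev["mac"]] if ev["ts"] - t <= FAIL_WINDOW]
            recent.append(ev["ts"])
            failures[ev["mac"]] = recent
            # Fire once, when the threshold is first crossed, not on every later failure.
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(("8021x-brute-force", ev["mac"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, mac, ts in detect(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} ALERT {rule} sta={mac}")
```

On the sample data this raises one unknown-MAC alert and one brute-force alert, both for the same station, and nothing for the guest association. A production version would read the lines from syslog or RADIUS accounting rather than a string, but the rules and the sliding window are the part worth copying.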
When planning and implementing a secure wireless network infrastructure, make sure to have appropriate data access, wireless access, and password policies in place, as well as an appropriate infrastructure to manage the implementation of those policies.
Feel free to reach out with any questions or comments.