Corporate Wireless Network Defense
I recently detailed how to secure your home wireless network in a step-by-step article series. Proper configuration of your wireless network is key to keeping it safe. In this article we will look at how to secure an enterprise wireless network.
WiFi and the enterprise network
I would like to start this article off by mentioning a key point that many people are not aware of. Wireless networks are actually IEEE 802.11 which differs from what we all know to be Ethernet aka IEEE 802.3. The main differences between the two are at the physical and MAC layers. Beyond that, the two are comparable in terms of standards. That said, wireless technology is considered a mature technology, albeit, a rapidly evolving one. To whit, IEEE 802.11a, 802.11b, 802.11g and so on. These various subsets of 802.11 have led to changes in both speed and throughput on the internal wireless network. This rapid maturation of wireless technology has caught the eye of enterprise networks worldwide, and is now widely thought of as a business enabler. Many companies now think of wireless technology as a "must have". With this wide scale adoption of wireless technology by big businesses has come the need to secure it.
Same technology, different problems
Wireless networks, be they home user or corporate, run off of the same technology ie: 802.11 specification. Where the two differ is in the implementation of it. Having a small home wireless router in the corporate enterprise simply isn't realistic. For one, the range of the router is nowhere near powerful enough to reach the sometimes disparate corners of a large enterprise class environment. A company can occupy an entire building or more at times. With this in mind, we already have an extra layer of complexity as the home user only has one wireless router to configure and maintain. In the aforementioned enterprise environment you can have quite a few to afford the enterprise wireless access throughout their office space.
How to manage both wired and wireless?
I have heard some talk about companies going completely wireless but as of yet have not heard of any one company doing so. The reality of it is that most enterprise class network have both wireless and wired networks to contend with. Having to manage the both of them is where the first cracks can appear in a networks defense. Deploying a wireless network into an existing wired one can be a daunting task. It has been said before that complexity and security just don't go together, and it still rings true today. This is why it is very important to have some type of central management by which you can monitor and configure your mixed network. Though I prefer to recommend a variety of vendors for an all in one mixed network solution, the fact remains that Cisco does a very good job of it. That, plus the likelihood that most people already use their gear for their infrastructure needs.
The fundamentals of wireless security for the SoHo user are what I covered earlier in my two articles. This detailed how to properly configure your wireless router, however it also applies to the enterprise environment as well. As a system administrator for an enterprise class network you need to ensure those basic steps are implemented. There are other methods of hardening your wireless network though. Almost everyone has now heard of WEP and what it can do for you. The problem is that WEP is no longer really a viable means of encrypting traffic. One of the better known methods that has since taken over from WEP in the enterprise environment is known as 802.1x. This is a far more secure and robust means of authenticating access to corporate wireless network. More often then not RADIUS is used in conjunction with 802.1x.
What about TKIP?
Not a lot of people have heard of TKIP and what it can do to help further harden your wireless network. Temporal Key Integrity Protocol (TKIP) is often seen as an evolution borne from the weakness of WEP. The relative weakness of WEP was covered in a couple of earlier articles by me. What TKIP brings to the table in terms of enhanced security are new encryption algorithms and further to this is the added plus of always changing the encryption key itself. This makes it exponentially harder for a malicious hacker to get the right one. Further to these measures is that the encryption key itself is encrypted. In essence, even if a malicious hacker can capture the key, the key itself is also encrypted. Furthermore, if the key is itself broken, the odds are rather high that the key would have already changed again. All in all, a very robust solution for any enterprise wireless network. If you are thinking, "this is the solution for me!", please realize there are some drawbacks to implementing it. Not all wireless routers and wireless cards support TKIP. Ensure that before you contemplate upgrading to TKIP that your present hardware supports it.
How about a mix and match?
On top of all the common sense configuration changes to your wireless router, can you also layer on various defenses? Well, in short, yes you can. You could certainly use WEP, TKIP, and the use of Virtual Private Networks (VPN) on your enterprise wireless network. Were you to incorporate all of these measures, then you would have one very secure wireless network. There is however a drawback to this, and that is that the usage of VPN's can cause network problems. Using VPN's extensively can and will cause performance issues on your network. These performance bottlenecks can be overcome through the use of VPN concentrators. This is but one solution to a problem that a security measure introduced on a network can bring.
It all comes down to planning
We have seen in the above paragraphs that there is a wide variety of security concerns and solutions for the enterprise wireless network. Only a brief few were touched as there are literally books that have been written about hardening wireless networks. Many of the security concerns which face the wired network (Ethernet, if you remember, is officially called IEEE 802.3) are also faced by the wireless one (Wireless is also officially designated as IEEE 802.11). Wireless networks themselves are not immune to the effects of a DDoS or DoS attack to name but one danger normally associated with wired networks.
Should you be thinking of integrating a wireless component to your existing wired enterprise network, you would be well advised to sit down first and plan things out. Take a look at your existing infrastructure, and what that equipment has in terms of wireless compatibility. I would always advise to try and stay with the same equipment vendor for nothing else but to help smooth integration. You should also definitely look for some type of centralized monitoring software. This will allow you to quickly and easily monitor all facets of your mixed network in one program.
The goal of this article was to help the enterprise class system administrator to make some informed decisions as it impacts their wireless network. Taking the time to study your existing hybrid network for possible performance or security issues is time well spent. Also remember that there is a wealth of products out there today to help you in your goal of securing your mixed environment network. As always I welcome your feedback and commentary. On that note, till next time.