What Does Secure Wi-Fi Look Like In 2017?
This series of posts is dedicated to helping network managers plan a WLAN deployment by answering commonly asked questions about wireless networks. Today we cover the topic of security.
Ah, the never-ending fun of keeping your network secure while maintaining the balance of usability, so that network access is not unnecessarily complex for your legitimate users. With a range of devices to support, IT departments are looking for a simple way to on-board and secure both staff-owned and personal devices, including BYOD, guest, and peripherals. However, simple and secure are not two words that are typically associated.
IT departments are also looking for context – understanding who is connected, what devices they can connect with, which apps they attempt to use, and where they are located. Mobility has changed the way we approach network security at the access layer, and context is key to a successful deployment.
1) Providing Access to Only Those That Should Have It
When you think about Wi-Fi, one of the most important considerations is of course network security. Over the years, WLAN security has evolved far beyond basic authentication and encryption. As more devices go mobile, and different use cases arise, extra border controls must be put into place. In a simplistic view there are two main things that you want to achieve: 1. making sure that only the right people and devices have access, and 2. once they are in, making sure that they behave themselves. Let’s start with number 1.
2) Who’s On the Guest List?
Before anything else, authentication comes first, and if it isn’t done right, you can forget reading the rest of this section. Before we determine which authentication method to use, we first need to determine who you want to be able to access the network. In most campuses, there is a growing demand for corporate, guest, BYOD, and peripheral device connectivity.
• Corporate Owned – Usually centrally controlled and administered. The IT department has easier access to these devices and in many cases can push configurations and settings remotely.
• BYOD – For consumer devices owned by the employees, MDM (Mobile Device Management) can be implemented to maintain some order, however for personal BYOD, staff members want to be able to access the network, without having to jump through too many hoops.
• Guest – With a growing expectation from your visitors that they will receive Internet access, there are various methods that can be used to secure and administer guest connectivity. For the user, access must be very simple, but in the backend there must be controls in place to prevent guests from accessing certain areas of the network.
• IoT – An increase in network-connected ‘things’, ranging from Apple TVs and printers to light bulbs, surveillance, HVAC systems etc., means that IT departments face a new wave of security challenges. In an ideal scenario, we would implement 802.1X (RADIUS-based authentication) for every device; however, for some of the above use cases, this may not be possible. Are you safe from an IoT attack?
Corporate devices are straightforward: they are centrally managed, and using tools such as Group Policy or MDM, 802.1X settings can be configured remotely. However, for personal BYOD, guest, and IoT devices, the IT department may not have the access or rights to install certificates, or the devices may not actually support 802.1X in the first place.
Typically, the only alternative would be to use a basic captive portal for guests, or PSK (Pre-Shared Key) for the devices that don’t support 802.1X, neither of which is particularly compelling for the security-conscious organization. While PSK still authenticates users, every device shares a common password, which prevents the context-based access that we will discuss shortly, and if the key becomes compromised, you face an administrative headache. There is hope though; an authentication method that an increasing number of vendors are adopting is ‘Private’ Pre-Shared Key (PPSK).
PPSKs are unique pre-shared keys created for individual users or devices on the same SSID. They offer the key uniqueness and policy flexibility that 802.1X provides, with the simplicity of pre-shared keys, without any of the inherent drawbacks. As the keys are still industry-standard WPA2-AES keys, they are compatible with any device that supports PSK today, requiring no additional software to be installed on the client device. For the user, PPSKs are a simple method of accessing the network, and for the administrators, they have the confidence that every device has been uniquely identified.
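To make concrete why a PPSK still "just works" for a plain WPA2-PSK client while letting the infrastructure know which device connected, here is an added example (not code from the original post or from any vendor) that walks through the standard IEEE 802.11i key derivation with one PMK per enrolled device. The WPA2 primitives (PBKDF2 PMK, the PTK PRF, the message-2 MIC) are the standard algorithms; the `PpskRegistry` class, the `enroll`/`identify` names, the SSID `corp-wifi`, the MAC addresses and the stand-in EAPOL frame are constructed for this example. The passphrase itself never crosses the air, so the access point recognizes a device by checking which enrolled key reproduces the MIC the client sent in message 2 of the 4-way handshake; real products keep more state (expiry, device binding, key limits) on top of this idea.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# --- WPA2-Personal primitives as specified in IEEE 802.11i (standard algorithms) ---

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (64 bytes for CCMP) from the PMK, both MAC addresses and both handshake nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(ptk: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Message-2 MIC for CCMP (key descriptor version 2): HMAC-SHA1-128 keyed with KCK = PTK[0:16]."""
    return hmac.new(ptk[:16], eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


# --- PPSK registry on the AP side (hypothetical class; vendor products keep more state) ---

class PpskRegistry:
    """One SSID, many keys: each device (or user) is enrolled with its own passphrase."""

    def __init__(self, ssid: str) -> None:
        self.ssid = ssid
        self._pmks: Dict[str, bytes] = {}  # device name -> precomputed PMK

    def enroll(self, name: str, passphrase: str) -> None:
        # PBKDF2 is slow by design, so the PMK is computed once at enrollment, not per handshake.
        self._pmks[name] = wpa2_pmk(passphrase, self.ssid)

    def revoke(self, name: str) -> None:
        # Revoking one device never touches the others, unlike rotating a shared PSK.
        self._pmks.pop(name, None)

    def identify(self, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                 frame_mic_zeroed: bytes, mic: bytes) -> Optional[str]:
        """Return the enrolled name whose key reproduces the MIC the client sent, or None."""
        for name, pmk in self._pmks.items():
            ptk = wpa2_ptk(pmk, aa, spa, anonce, snonce)
            if hmac.compare_digest(eapol_mic(ptk, frame_mic_zeroed), mic):
                return name
        return None


def client_message2_mic(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                        anonce: bytes, snonce: bytes, frame_mic_zeroed: bytes) -> bytes:
    """What the supplicant computes: the MIC over message 2 using its own passphrase."""
    ptk = wpa2_ptk(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    return eapol_mic(ptk, frame_mic_zeroed)


def run_demo() -> tuple:
    """Constructed handshake: one enrolled device and one device with an unknown key."""
    ssid = "corp-wifi"                              # constructed SSID
    aa = bytes.fromhex("001122aaaa01")              # constructed AP BSSID
    spa = bytes.fromhex("02aabbccdd01")             # constructed client MAC
    anonce, snonce = os.urandom(32), os.urandom(32)
    frame = b"\x02\x03\x00\x75" + b"\x01\x0a" + b"\x00" * 16  # stand-in EAPOL-Key body, MIC zeroed

    ap = PpskRegistry(ssid)
    ap.enroll("alice-phone", "constructed-key-for-alice")
    ap.enroll("lobby-printer", "constructed-key-for-printer")

    known = client_message2_mic("constructed-key-for-alice", ssid, aa, spa, anonce, snonce, frame)
    unknown = client_message2_mic("some-other-passphrase", ssid, aa, spa, anonce, snonce, frame)
    return (ap.identify(aa, spa, anonce, snonce, frame, known),
            ap.identify(aa, spa, anonce, snonce, frame, unknown))


if __name__ == "__main__":
    print(run_demo())
```

The per-handshake cost grows with the number of enrolled keys (one PRF and one HMAC per key, since the PMKs are precomputed), which is why vendors cap the keys per SSID; revoking a lost device is a single `revoke` call rather than a key rotation on every client.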
3) The Importance of Context-Based Access
We have already discussed the importance of authentication and its role in preventing access by unauthorized users and devices; however, your first line of security is an enabler of a powerful second wave of defense: context-based access controls. Unbeknownst to the user who simply clicks and connects to the network, there are powerful security services that can run in the background of your wireless infrastructure. Once a user has entered their 802.1X (typically AD) or PPSK credentials, the WLAN infrastructure will analyze every detail of this user, and assign a user profile based on their role within the organization. A user profile typically controls the following:
• Device Availability – Although the user has been granted access, it is also important to validate the device that they are connecting with. If, for example, the user is using the corporate credentials on their personal device, the access points can either restrict or block access.
• VLAN Assignment – To prevent the creation of multiple SSIDs for each department, everyone can connect to a single SSID, and based on their identity, can be placed into separate VLANs through the user profile.
• Firewall & Application Access – Limit the access a user or device has to applications and particular parts of the network, using integrated DPI Layer 2-7 firewalls within the access points.
• Time of Day Access – Limit the time of day certain groups of users or devices can access the network. This can be useful to prevent guest access outside of working hours, for example.
• Location Access – In some cases, organizations may want to prevent mobile access for highly secure areas.
• Bandwidth Allocation (QoS) – Set minimum and maximum performance levels per user, device, or application, to prevent, for example, BYOD devices from streaming cat videos and consuming your bandwidth. Learn how to prioritize devices on your network.
• Tunnel Policy – VPN or GRE tunnel policies can be created to segregate the traffic of users to an isolated DMZ or other part of the network; this is a common practice for guest networks.
• Device Enrollment – As BYOD becomes more prevalent, the WLAN infrastructure can actually integrate with MDM servers and redirect unenrolled devices to a registration page where they can download the MDM profile. Until the profile is installed, the access points will quarantine the device.
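The profile controls listed above are easiest to reason about as a small policy engine that takes the context gathered at connect time (identity, device type, MDM state, location, time) and returns an enforcement decision. The following is an added example, not code from the original post or from any WLAN product; the `Session`, `UserProfile` and `Decision` types, the field names, the `evaluate` function, the onboarding VLAN 99 and the three sample profiles are all constructed for illustration. It goes slightly beyond the bullet list by combining several controls (device type, location, time window with midnight wrap, MDM quarantine, VLAN, rate limit and tunnel) in one first-match evaluation, which is the shape most vendors' "user profile" logic takes.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Session:
    """Context the WLAN has about a client at connect time (field names are assumptions)."""
    user: str
    role: str            # from the AD group or the PPSK owner established at authentication
    device_type: str     # "corporate", "byod", "guest" or "iot"
    mdm_enrolled: bool   # reported by the MDM integration
    location: str        # location tag of the access point the client associated to
    now: time            # local time of day at the access point


@dataclass(frozen=True)
class UserProfile:
    name: str
    roles: FrozenSet[str]
    allowed_device_types: FrozenSet[str]
    vlan: int
    hours: Tuple[time, time]                 # (start, end); start > end is an overnight window
    require_mdm: bool = False                # unenrolled BYOD is quarantined, not denied
    blocked_locations: FrozenSet[str] = frozenset()
    max_mbps: Optional[int] = None           # None = no per-user rate limit
    tunnel: Optional[str] = None             # e.g. "gre-dmz" to hand traffic to an isolated DMZ


@dataclass(frozen=True)
class Decision:
    action: str                              # "allow", "deny" or "quarantine"
    vlan: Optional[int] = None
    max_mbps: Optional[int] = None
    tunnel: Optional[str] = None
    reason: str = ""


ONBOARDING_VLAN = 99  # constructed: walled-garden VLAN that only reaches the MDM enrollment page
ALL_DAY = (time(0, 0), time(0, 0))


def within_hours(now: time, window: Tuple[time, time]) -> bool:
    start, end = window
    if start == end:
        return True                          # 24x7
    if start < end:
        return start <= now < end
    return now >= start or now < end         # window wraps past midnight


def evaluate(session: Session, profiles: Sequence[UserProfile]) -> Decision:
    """First profile whose roles include the session's role decides; list profiles most specific first."""
    for p in profiles:
        if session.role not in p.roles:
            continue
        if session.device_type not in p.allowed_device_types:
            return Decision("deny", reason=f"{p.name}: {session.device_type} devices not permitted")
        if session.location in p.blocked_locations:
            return Decision("deny", reason=f"{p.name}: no wireless access in {session.location}")
        if not within_hours(session.now, p.hours):
            return Decision("deny", reason=f"{p.name}: outside permitted hours")
        if p.require_mdm and session.device_type == "byod" and not session.mdm_enrolled:
            # Quarantine rather than deny: the device can reach the enrollment page and nothing else.
            return Decision("quarantine", vlan=ONBOARDING_VLAN, reason=f"{p.name}: MDM enrollment required")
        return Decision("allow", vlan=p.vlan, max_mbps=p.max_mbps, tunnel=p.tunnel, reason=p.name)
    return Decision("deny", reason="no matching profile")


# Constructed sample policy: one SSID, three profiles.
PROFILES = (
    UserProfile("staff", frozenset({"staff"}), frozenset({"corporate", "byod"}), vlan=10,
                hours=ALL_DAY, require_mdm=True, blocked_locations=frozenset({"secure-lab"})),
    UserProfile("guest", frozenset({"guest"}), frozenset({"guest"}), vlan=20,
                hours=(time(8, 0), time(18, 0)), max_mbps=5, tunnel="gre-dmz"),
    UserProfile("iot", frozenset({"iot"}), frozenset({"iot"}), vlan=40, hours=ALL_DAY),
)


if __name__ == "__main__":
    print(evaluate(Session("alice", "staff", "byod", False, "office-2f", time(10, 0)), PROFILES))
    print(evaluate(Session("visitor", "guest", "guest", False, "lobby", time(22, 0)), PROFILES))
```

Because the role comes from the authentication step, a client that only has a shared PSK would arrive with no usable `role` and fall through to the final deny; this is the concrete form of the point that policy granularity depends on identity.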
Context-based access policies ensure that the network is used as intended, and prevent abuse. Remember, without identity (obtained through the authentication phase), your policy granularity will be restricted. Each vendor provides different policy capabilities, so it is important to clarify both what is achievable and how granular the policies are.
Secondly, and crucially, understand what functionality is included within the controller (if required as part of the solution) or access points natively, and which functionality requires additional licenses or additional hardware/software appliances. Covering these bases at the beginning will ensure that costs are clear today, and avoid nasty surprises in the future.
4) Increasing visibility
If you implement WLAN solutions that can provide context-based network access as discussed, then you are already on the road to a properly secured network. One of the advantages of context-based access is that you have identified exactly who and what are on your network, and once you have this information, it not only allows you to set policies according to your requirements, but also increases visibility into how your network is actually being used.
Once connected to the network, your WLAN will identify and track every mobile user, device, and app. If a WLAN solution is deployed with a management platform, it then becomes very easy to monitor the activity of your network, filtering information based on SSID, location, network policy, group of access points etc. This enables administrators to ensure that networks are not being abused and, if they are, to identify threats and adjust security policies accordingly.
5) End-to-End Security
Having discussed some of the most important elements of your WLAN security, there are some other areas that should be addressed before selecting your WLAN solution.
• RADIUS/AD Integration – 802.1X authentication requires a RADIUS server and a certificate authority (CA). Many WLAN solutions provide on-board RADIUS servers, eliminating the need for additional server builds and allowing for direct integration with AD, reducing the amount of disruption to network configurations.
• Firewall – To protect the network from the edge, enterprise WLAN solutions often implement fully stateful, app-aware firewalls directly within their access points; however, this is not a complete substitute for a dedicated firewall within your network.
• VPN – For campuses that have remote offices or teleworkers, access points that integrate VPN server/client functionality offer the ability to extend WLAN security policies to remote locations.
• WIPS – Ensuring that only authorized users connect to the network relies on proper authentication methods combined with active monitoring tools such as wireless intrusion prevention (WIPS). WIPS features monitor the network for potential internal and external threats and alert administrators to attacks, such as denial of service (DoS) attacks or rogue access points and clients. The administrator in turn can activate anti-threat protection methods manually or automatically to contain or eliminate the threat.
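The two WIPS alerts named above (rogue access points and a deauthentication DoS) come down to comparing what the sensors hear over the air against an inventory of authorized BSSIDs and counting management frames over a sliding window. The following is an added example, not code from the original post or from any WIPS product: the log format, the `SAMPLE_LOG` lines, the authorized BSSID list, the corporate SSID and the `find_rogue_aps`/`detect_deauth_flood` functions are all constructed for illustration. A rogue here means a beacon advertising one of your own SSIDs from a BSSID that is not in your inventory; a neighbouring network with a different SSID is inventoried but not flagged.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set

# Constructed sample: how a WIPS sensor might log beacons and deauthentication frames
# (the format is an assumption for this example, not any product's real output).
SAMPLE_LOG = """\
1000.00 BEACON bssid=00:11:22:aa:aa:01 ssid=corp-wifi ch=1
1000.10 BEACON bssid=00:11:22:aa:aa:02 ssid=corp-wifi ch=6
1000.20 BEACON bssid=de:ad:be:ef:00:01 ssid=corp-wifi ch=6
1000.30 BEACON bssid=66:77:88:99:00:01 ssid=neighbor-cafe ch=11
1001.00 DEAUTH bssid=00:11:22:aa:aa:02 src=00:11:22:aa:aa:02 dst=ff:ff:ff:ff:ff:ff
1001.10 DEAUTH bssid=00:11:22:aa:aa:02 src=00:11:22:aa:aa:02 dst=ff:ff:ff:ff:ff:ff
1001.20 DEAUTH bssid=00:11:22:aa:aa:02 src=00:11:22:aa:aa:02 dst=ff:ff:ff:ff:ff:ff
1001.30 DEAUTH bssid=00:11:22:aa:aa:02 src=00:11:22:aa:aa:02 dst=ff:ff:ff:ff:ff:ff
1001.40 DEAUTH bssid=00:11:22:aa:aa:02 src=00:11:22:aa:aa:02 dst=ff:ff:ff:ff:ff:ff
1001.50 DEAUTH bssid=00:11:22:aa:aa:02 src=00:11:22:aa:aa:02 dst=ff:ff:ff:ff:ff:ff
1005.00 DEAUTH bssid=00:11:22:aa:aa:01 src=00:11:22:aa:aa:01 dst=02:aa:bb:cc:dd:01
"""

AUTHORIZED_BSSIDS: Set[str] = {"00:11:22:aa:aa:01", "00:11:22:aa:aa:02"}  # constructed inventory
CORPORATE_SSIDS: Set[str] = {"corp-wifi"}                                  # constructed

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<type>[A-Z]+)\s+(?P<kv>.*)$")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each log line into a dict: ts (float), type, plus the key=value fields."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # skip blank or malformed lines rather than crash the sensor
        frame = {"ts": float(m.group("ts")), "type": m.group("type")}
        for token in m.group("kv").split():
            key, _, value = token.partition("=")
            frame[key] = value
        frames.append(frame)
    return frames


def find_rogue_aps(frames, authorized: Set[str], corporate_ssids: Set[str]) -> List[str]:
    """BSSIDs that advertise one of our SSIDs but are not in the authorized inventory."""
    rogues = set()
    for f in frames:
        if f["type"] == "BEACON" and f.get("ssid") in corporate_ssids and f.get("bssid") not in authorized:
            rogues.add(f["bssid"])
    return sorted(rogues)


def detect_deauth_flood(frames, threshold: int = 5, window_s: float = 1.0) -> List[Dict]:
    """Alert once per BSSID when >= threshold deauth frames arrive within window_s seconds."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    alerts: Dict[str, Dict] = {}
    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["type"] != "DEAUTH":
            continue
        bssid = f.get("bssid", "?")
        dq = recent[bssid]
        dq.append(f["ts"])
        while dq and dq[0] < f["ts"] - window_s:
            dq.popleft()                 # drop frames that fell out of the sliding window
        if len(dq) >= threshold and bssid not in alerts:
            alerts[bssid] = {"bssid": bssid, "count": len(dq), "first_ts": dq[0], "last_ts": f["ts"]}
    return list(alerts.values())


if __name__ == "__main__":
    frames = parse_log(SAMPLE_LOG)
    print("rogue APs:", find_rogue_aps(frames, AUTHORIZED_BSSIDS, CORPORATE_SSIDS))
    print("deauth floods:", detect_deauth_flood(frames))
```

The single deauthentication at 1005.00 is ordinary housekeeping by an authorized AP and produces no alert; only the burst against `00:11:22:aa:aa:02` crosses the threshold. In a real deployment the containment step the text mentions (automatic or manual) would be driven from these alert records.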
With the number of protection mechanisms used to control access to wireless networks in modern solutions, WLANs are in many cases more secure than many wired network implementations today. Every feature discussed in this section ensures that you can confidently deploy a wireless network that supports your corporate, guest, BYOD, and IoT devices without fear of threat.