Who controls the wireless management initiatives at your company? Is it the employees that bring their mobile or tablet devices to work and make them a part of your network infrastructure? Or is it company policy and processes that determine what types of wireless devices can or cannot be used and how they connect to the network?
Even though it may seem virtually impossible to enforce a wireless management policy in today’s BYOD world, a top-down mandate is essential for successful and safe wireless networks. Wireless is still relatively new to many organizations, and the creation of a wireless network is not something that should happen organically. It needs to be well planned, designed, implemented, and monitored, taking into account the requirements of end users (like BYOD) to reach its full potential.
And, as is already well documented, wireless can also create a plethora of security vulnerabilities for your network infrastructure if you don’t have the right practices and equipment in place from the start. Below we will discuss some potential pain points and best practices for managing your wireless system and providing users with the connectivity they expect.
Consumer-Grade Wireless Gear Can Sabotage Your Network
Many companies assume that setting up a wireless network for their business is just like setting up a wireless network for their home. This might be a less expensive option at the beginning, but it will provide plenty of headaches in the end.
The biggest issues with consumer-grade gear are configuration and management. Consumer-grade gear is designed to make it very easy for someone with no networking knowledge to get their system up and running quickly. To enable this, most configuration options are pre-determined, and are often not the best options for an enterprise wireless network. Let’s take a simple example, like broadcasting the network name. Consumer-grade equipment on a home network is likely to default to broadcasting the network name, but our recommendation for enterprises is to disable this broadcast, so users need to be told by IT what the WLAN name is and how to connect to it. It doesn’t add a tremendous amount of security, but it’s one more step that makes things a bit harder for those looking to hijack your signal, or worse yet, hack your network.
Another issue with configuration is that consumer-grade gear may not even offer some of the configuration options you need for an enterprise network. Let’s say you want to control the power output of certain APs on your network, perhaps because they are near an exterior wall and you want to turn down the power to minimize signal leakage outside your facility as much as possible. A consumer-grade AP may just assume that this is a parameter that no home user needs to adjust. Why would they? Most home applications use a single AP and want as much coverage in the home as possible, so a power-reduction setting may only generate more support calls. The option is therefore left off, leaving you stuck with an AP that is broadcasting farther than you desire.
Management is also an issue. Consumer-grade APs are assumed to be stand-alone devices, which is the typical home use case. But in your facilities you will most likely need multiple APs, with overlapping coverage, and achieving this requires the ability to carefully manage your WLAN infrastructure. In fact, what you really need is enterprise-grade WLAN equipment that is controller-based. Equipment of this type typically uses “thin” APs, where some of the AP functions found in consumer-grade equipment are moved to a centralized controller. Though such a system is more expensive, its benefits far outweigh the costs. Controller-based systems can make dynamic changes to the AP infrastructure, including channels and power, so that your WLAN is always operating at maximum efficiency. They can also roll out changes, like a firmware upgrade, to all APs simultaneously, making upgrades extremely simple. There are many high-quality enterprise-grade solution providers in the market, and you’re probably familiar with the brands. Be sure to scope out your requirements, and then shop around. Each vendor has a wide range of equipment, with a wide range of costs, so it should not be difficult to find a solution that’s within your budget and still meets your requirements. Also, a big added bonus is that you’ll get far better support than you’ll get by buying consumer-grade WLAN equipment.
Common Security Risks of Wireless
The security risks with WLANs are extremely well documented. Just do a web search and you could be reading for days. From simple eavesdropping to disruption attacks to unauthorized network breaches (see our blog on wireless penetration testing for more details), your WLAN is far more vulnerable than your wired network. For enterprise WLANs there’s only one option – use WPA2 Enterprise WLAN security. This is the only method that can truly secure your WLAN. In fact, over the coming years, you’ll see the Wi-Fi Alliance (WFA) slowly phase out certification of all other security options due to the limited protection they provide. WPA2 Enterprise provides the strongest authentication (determining who can join the network) and the strongest encryption (“scrambling” data during wireless transmission so it is not accessible to eavesdroppers) available.
This is another area where consumer-grade equipment may fall short. It may offer WPA2-Personal, but this is different from WPA2-Enterprise, which requires a back-end RADIUS server for authentication, something a home user is not at all likely to have. Enterprise networks already have a back-end authentication server in place to handle wired connections, so there’s no excuse for using anything but WPA2-Enterprise.
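The difference between WPA2-Personal and WPA2-Enterprise is visible in every beacon: the RSN information element lists the AKM (authentication and key management) suites the AP accepts, with type 1 under the IEEE OUI 00-0F-AC meaning 802.1X and type 2 meaning a pre-shared key. The following Python sketch is an added example, not part of the original article; it parses that element and flags SSIDs that offer anything other than 802.1X, using constructed RSN elements and hypothetical SSID names.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
# AKM suite types defined under the IEEE 802.11 OUI (00-0F-AC)
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}
ENTERPRISE_AKMS = {"802.1X", "802.1X-SHA256"}

def parse_rsn_akms(element: bytes) -> list:
    """Return the AKM suite names advertised in one RSN element (ID 48)."""
    if len(element) < 2 or element[0] != 48 or len(element) - 2 < element[1]:
        raise ValueError("not a complete RSN element")
    body = element[2:2 + element[1]]
    try:
        offset = 2 + 4                       # skip version and group cipher suite
        (pairwise_count,) = struct.unpack_from("<H", body, offset)
        offset += 2 + 4 * pairwise_count     # skip the pairwise cipher list
        (akm_count,) = struct.unpack_from("<H", body, offset)
        offset += 2
        suites = [struct.unpack_from("<3sB", body, offset + 4 * i)
                  for i in range(akm_count)]
    except struct.error as exc:
        raise ValueError("truncated RSN element") from exc
    return [AKM_NAMES.get(kind, f"unknown-{kind}") if oui == IEEE_OUI
            else f"vendor-{oui.hex()}-{kind}" for oui, kind in suites]

def non_enterprise_ssids(beacons) -> list:
    """List SSIDs whose RSN element offers anything other than 802.1X AKMs."""
    flagged = []
    for ssid, element in beacons:
        akms = set(parse_rsn_akms(element))
        if not akms or not akms <= ENTERPRISE_AKMS:
            flagged.append(ssid)
    return flagged

# Constructed RSN elements (CCMP group and pairwise ciphers), not captured traffic.
EAP_ONLY = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")
PSK_ONLY = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
MIXED = bytes.fromhex("3018 0100 000fac04 0100 000fac04 0200 000fac01 000fac02 0000")

# Hypothetical SSID names for the sample survey
SURVEY = [("corp-wlan", EAP_ONLY), ("lab-ap", PSK_ONLY), ("floor2", MIXED)]

if __name__ == "__main__":
    for ssid, element in SURVEY:
        print(ssid, parse_rsn_akms(element))
    print("not WPA2-Enterprise only:", non_enterprise_ssids(SURVEY))
```

An AP that accepts both 802.1X and PSK is flagged as well, since the pre-shared key path bypasses the RADIUS back end.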
And if you’re looking for yet another layer of security, require that all users who access corporate data, even email, use a VPN connection when on a wireless network. Though this does not add much when using WPA2-Enterprise on the corporate WLAN, your users will also want to access corporate data over other wireless networks, whether in their home, hotels, airports, coffee shops, etc. In these cases you have no control over the security of the WLAN in use, so requiring a VPN connection for any corporate access gives you back some control of the security of the wireless connection.
Wireless Needs to Be Planned
Wireless systems should not be grown organically, based on consumer-grade equipment; you must plan ahead for a multitude of factors that can create problems when users access your sensitive corporate data.
When designing your wireless network, you must look at the following:
- The applications users are going to want to access over Wi-Fi.
- The placement of access points, which depends heavily on your environment. Are you a warehouse, a retail store, or a hospital? Do you want access points to be conspicuous?
- How your physical layout and networking needs affect the type of equipment you’ll need.
- Will you want directional antennas in some areas to help deliver more range for your WLAN, and better contain signals within your facility?
- Do you want dynamic tuning of your WLAN?
- Do you want centralized management?
WLAN planning tools do an excellent job proposing AP placement as well as recommending specific AP hardware that may be needed to meet your unique requirements. If you have an existing WLAN, use the planning tool to verify your current network coverage and performance before planning any expansion.
Although we might draw parallels between our enterprise wireless system and our home wireless system, they are not even close to the same. To ensure that your network is secure and that users are experiencing the full potential of wireless, it is important to have a plan in place and manage your system accordingly.