With cyberthreats becoming more prevalent, agencies need to ensure that the security controls surrounding their wireless networks are up to par.
Securing a wireless network isn't rocket science, yet organizations continue to make fundamental mistakes that jeopardize their security. There are a few simple steps that IT managers should follow to ensure that users are being provided a secure wireless experience. By deploying encryption, security policies and guest access management, an agency can build a secure, reliable wireless network.
The single most important way to secure a wireless network is to protect it with strong encryption. Encryption technology basically scrambles network traffic using mathematical algorithms that prevents eavesdroppers from understanding the content. Encryption is fairly straightforward to set up, but there are two important choices that must be made when using encryption to properly secure a network.
First, choose a good encryption method. Refrain from using the Wired Equivalent Privacy (WEP) encryption algorithm. This technology is outdated, and there are many known vulnerabilities that essentially render it useless. An attacker with a little knowledge and some free tools can defeat WEP encryption in a matter of seconds. Instead, choose Wi-Fi Protected Access (WPA or WPA2) encryption. Both versions employ strong encryption algorithms to protect traffic sent over a wireless network.
Second, choose whether to use a pre-shared encryption key or enterprise authentication technology.
If using pre-shared key authentication, there are some potential vulnerabilities that might allow an attacker to crack an organization's encryption key if it uses a common service set identifier (SSID) for its wireless network. Be sure to check the 1000 Most Common SSIDs from the Wireless Geographic Logging Engine and choose something that's not on the list.
The alternative, enterprise encryption, leverages an existing authentication infrastructure to allow users to join the wireless network using the same username and password they provide to access their computers, e-mail and other enterprise resources. Using enterprise encryption makes dealing with employee terminations a breeze. When an enterprise account is deactivated, a user simultaneously loses access to the wireless network. No key changes are required.
Network administrators have always grappled with the challenges posed by those who want to bring outside devices onto agency networks. In the past, the quick response to those requests was “No, the agency network is limited to agency devices.” Over the past few years, however, two emerging trends have rendered this position indefensible in many environments. First, many agencies are instituting a “bring your own device” (BYOD) strategy that allows employees to bring smartphones, tablets and notebook computers from home into the office, where they expect to have access to the network.
At the same time, agency guests are starting to have the same expectations for ubiquitous network access. While these guests certainly don't need access to agency data, guest network access has become a standard expectation, especially in facilities where cell phone signals might not penetrate to interior conference rooms. Organizations need to develop clear policies around who may join external devices to the network, what access is afforded to those devices, and who may approve such requests.
One increasingly common approach to this problem is to create an open, unsecured wireless network that allows access to the Internet and nothing else. Visitors can then connect their personal devices to this network without affecting the security of agency systems or data. It essentially recreates the coffee shop wireless experience within the facility while isolating the guest network from secure systems. Anyone on the guest network who attempts to access agency resources would have the same experience as if they were working at home: They'd have to secure their connection using a VPN or other security technology.
Once an organization builds a secure wireless network, there's still one big issue to worry about — rogue wireless access points. It's far too easy for an employee, frustrated with security controls or coverage issues, to drop $60 on a wireless AP and connect it to a wired network. This creates a small “private” wireless network that may not be appropriately secured and limits IT staff's visibility into the devices that connect to it.
In order to reduce this risk, conduct periodic scans for rogue APs. This may be as simple as having a technician walk around the building with a notebook running a tool such as NetStumbler to discover wireless networks. Another option is to invest in an automated wireless intrusion prevention system that continuously monitors an environment and automatically alerts IT staff to the presence of rogue wireless networks. These systems fingerprint the unique electronic characteristics of wireless devices to identify APs not on the approved list.
Wireless networking is changing the way employees interact with resources. It is increasingly common for staff to go days or weeks without ever connecting to a traditional wired network. It's essential for the administrators running these networks to understand user behavior and develop secure, flexible options that balance security concerns with agency requirements. Developing solid wireless policies and backing them up with strong encryption technology and rogue AP detection capabilities can go a long way toward creating a secure wireless environment.