How can we stop employees from connecting simultaneously to our corporate LAN and an external Wi-Fi network?
Simultaneous connection to internal and external networks can present a security risk – this has long been a known VPN risk and is why many companies do not use what are called "split tunnels." When users connected to a corporate Ethernet initiate a Wi-Fi association to a neighbor's AP or a metro-area network, they expose the company network to outside threats. But preventing this from happening is not as easy as you might think.
Users could of course disable their own Ethernet connection before launching Wi-Fi, but many users cannot be bothered or forget to do this. So the real question is how can a company automatically disable Wi-Fi whenever Ethernet is active?
- Some IT-administered Wi-Fi connection managers have this type of policy option. For example, Juniper's Odyssey Access Client includes a wireless suppression option that uses a wireless connection only when no wired connection is present.
- Some host-resident Wireless IPS programs can detect and automatically prevent risky situations, including simultaneous connection to more than one network.
- Some distributed Enterprise Wireless IPS products have the ability to enforce policies that block Wi-Fi connections which pose a threat. This kind of prevention can stop a user from staying connected to any unauthorized Wi-Fi network while at the office, independent of other connection(s) that users may have.
Another less effective option is to use conventional desktop management tools to manipulate the routing metrics for Wi-Fi connections so that Wi-Fi will never be preferred over Ethernet when both connections are active. This is less effective because it does not actually stop any traffic from being sent over Wi-Fi -- for example, traffic destined for other users on the same metro-area Wi-Fi network will still leak out.
This was first published in July 2007