As enterprise Wi-Fi grows, so does the need to protect business networks from wireless intruders and shore up wireless security. Traditional firewalls enforce trust boundaries between wired subnets, but Wi-Fi has a nasty habit of circumventing those established perimeters. Many network operators wage a daily foot war against rogue access points (APs), while engineers struggle to regain control over Wi-Fi access. A Wi-Fi firewall can help you tackle these challenges more efficiently and effectively.
Why deploy a Wi-Fi firewall appliance?
The label "Wi-Fi firewall" has been applied to various appliances, including wireless-capable SOHO firewalls (e.g., SonicWALL, WatchGuard) and wireless network gateways (e.g., BlueSocket, Vernier, Cranite). In this article, we use "Wi-Fi firewall" to describe servers that monitor and filter Wi-Fi traffic, blocking unauthorized 802.11 usage and attacks while still in the air.
Commonly known as wireless intrusion prevention systems (WIPS), these appliances provide full-time security policy enforcement throughout your entire wireless LAN (WLAN). Instead of requiring someone to periodically check every floor of every building to find rogue APs, a Wi-Fi firewall continuously watches for rogue traffic, automatically disconnecting any new AP. Instead of depending on employees to use Wi-Fi safely, a Wi-Fi firewall can disrupt non-compliant sessions to prevent confidential data disclosure.
Shopping for a W-Fi firewall? Consider the following
Security event detection: Can the appliance accurately detect the attacks, anomalies, and policy violations important to your business?
Performance event detection: Can it also spot excessive errors, interference, and other Wi-Fi performance issues?
Intrusion prevention: Can it take action (manual or automated) to contain intruders by disconnecting them from your wired or wireless network?
Location mapping: Can it approximate the location of rogue APs and clients to facilitate physical removal?
Real-time status: Is it easy to assess overall security status? Are details readily available to support investigation?
Historical reporting: Can you generate built-in or custom reports that contain the data you really need?
Adding a Wi-Fi firewall to your network
Deploying a Wi-Fi firewall involves installing a central server in your NOC and positioning remote sensors throughout the offices ("air space") to be monitored. Sensor network planning is essential to avoid coverage holes in locations like stairwells where intruders might lurk unobserved.
Most appliances use overlay networks of dedicated sensors. Some can also use regular APs that watch for rogues in their spare time. Dedicated sensors have better observation and prevention capabilities, but require more up-front investment to purchase, mount, power, and cable. Sensors that support Power over Ethernet and/or daisy-chaining can reduce that cost. Communication between remote sensors and the central server usually requires modest bandwidth, but a large remote office with limited WAN access may deserve its own server.
Choosing the right Wi-Fi firewall
As with any security appliance, it is critical to choose a Wi-Fi firewall that can enforce your company's security policy. If your company bans Wi-Fi, look for an appliance that focuses on effective rogue containment without a lot of setup. If your company has a large WLAN, look for an appliance that lets you define and enforce Wi-Fi security rules with sufficient granularity and scalability. There is no substitute for in-situ trials, but reading product reviews can help.
Another common concern is manageability -- particularly in large WLANs where the volume of events can be overwhelming. Look for features that zoom in, drill down, and otherwise break a big problem into digestible pieces. Templates, hierarchical rules, and self-configuration capabilities also help.
Finally, a wireline firewall can discard bad packets, but a wireless firewall must run active interference, sending 802.11 frames to kick rogues off the air. Wi-Fi containment techniques vary in both effectiveness and impact on authorized users. (Read more on wireless session containment here.)
Finding a Wi-Fi firewall
Capabilities described herein are available in both software and hardware packages. Some companies like to install software (e.g., AirMagnet Enterprise) on their own server platform. Others prefer turnkey appliances to speed and simplify deployment.
Those in the market for a Wi-Fi firewall appliance may want to consider these hardware products:
- AirDefense Enterprise
- AirTight Networks SpectraGuard Enterprise or Sentry
- Bluesocket BlueSecure Centralized IPS
- Highwall Technologies Enterprise
- Network Chemistry Scanner
About the author:
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in network security and management technology. Lisa has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for over 20 years. At Core Competence, she has advised large and small companies regarding security needs, product assessment and the use of emerging technologies and best practices. Lisa teaches about wireless LANs, mobile security and virtual private networking at many industry conferences and on-line webinars. Lisa's WLAN Advisor column is published by SearchNetworking.com, where she is a site expert on wireless LANs. She also has written extensively about network infrastructure and security technologies for numerous publications including Wi-Fi Planet, ISP-Planet, Business Communications Review, Information Security and SearchSecurity.com.