How can we stop employees from connecting simultaneously to our corporate LAN and an external Wi-Fi network?
Simultaneous connection to internal and external networks can present a security risk – this has long been a known VPN risk and is why many companies do not use what are called "split tunnels." When users connected to a corporate Ethernet initiate a Wi-Fi association to a neighbor's AP or a metro-area network, they expose the company network to outside threats. But preventing this from happening is not as easy as you might think.
Users could of course disable their own Ethernet connection before launching Wi-Fi, but many users cannot be bothered or forget to do this. So the real question is how can a company automatically disable Wi-Fi whenever Ethernet is active?
- Some IT-administered Wi-Fi connection managers have this type of policy option. For example, Juniper's Odyssey Access Client includes a wireless suppression option that uses a wireless connection only when no wired connection is present.
- Some host-resident Wireless IPS programs can detect and automatically prevent risky situations, including simultaneous connection to more than one network.
- Some distributed Enterprise Wireless IPS products have the ability to enforce policies that block Wi-Fi connections which pose a threat. This kind of prevention can stop a user from staying connected to any unauthorized Wi-Fi network while at the office, independent of other connection(s) that users may have.
Another less effective option is to use conventional desktop management tools to manipulate the routing metrics for Wi-Fi connections so that Wi-Fi will never be preferred over Ethernet when both connections are active. This is less effective because it does not actually stop any traffic from being sent over Wi-Fi -- for example, traffic destined for other users on the same metro-area Wi-Fi network will still leak out.
Dig Deeper on WLAN Security
Related Q&A from Lisa Phifer
Understanding the functions of a wireless access point vs. wireless router will help you deploy the right device for the right circumstance. Continue Reading
Learn the difference between a site-to-site VPN and a remote-access VPN, as well as the protocols used for each one. Continue Reading
Need to send an email, check your flight's status or get ready for a presentation? You can do it all on your smartwatch, thanks to a slew of Apple ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.