How can we stop employees from connecting simultaneously to our corporate LAN and an external Wi-Fi network?
Simultaneous connection to internal and external networks can present a security risk – this has long been a known VPN risk and is why many companies do not use what are called "split tunnels." When users connected to a corporate Ethernet initiate a Wi-Fi association to a neighbor's AP or a metro-area network, they expose the company network to outside threats. But preventing this from happening is not as easy as you might think.
Users could, of course, disable their own Ethernet connection before launching Wi-Fi, but many users cannot be bothered or forget to do this. So the real question is: how can a company automatically disable Wi-Fi whenever Ethernet is active?
- Some IT-administered Wi-Fi connection managers have this type of policy option. For example, Juniper's Odyssey Access Client includes a wireless suppression option that uses a wireless connection only when no wired connection is present.
- Some host-resident Wireless IPS programs can detect and automatically prevent risky situations, including simultaneous connection to more than one network.
- Some distributed Enterprise Wireless IPS products have the ability to enforce policies that block Wi-Fi connections which pose a threat. This kind of prevention can stop a user from staying connected to any unauthorized Wi-Fi network while at the office, independent of other connection(s) that users may have.
Another, less effective, option is to use conventional desktop management tools to manipulate the routing metrics for Wi-Fi connections so that Wi-Fi will never be preferred over Ethernet when both connections are active. This is less effective because it does not actually stop any traffic from being sent over Wi-Fi; for example, traffic destined for other users on the same metro-area Wi-Fi network will still leak out.
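As an added illustration of the "wireless suppression" policy described above, here is a script, not taken from the original answer or from any vendor's connection manager, that disables every physical Wi-Fi adapter while a wired adapter has link and re-enables it when the cable is unplugged. It assumes Windows 8 / Server 2012 or later (the built-in NetAdapter cmdlets), administrator rights, and a scheduled task or timer to run it; the function names are this example's own.

```powershell
# Added example: host-side wireless suppression with the NetAdapter module.
# Assumptions: Windows 8+/Server 2012+, run elevated, invoked by a scheduled
# task on network-change events or on a short timer.

function Get-WiredLinkUp {
    # True when at least one physical Ethernet (802.3) adapter reports link.
    $wired = Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
        Where-Object { $_.PhysicalMediaType -eq '802.3' -and $_.Status -eq 'Up' }
    return [bool]$wired
}

function Get-WiFiAdapter {
    # Physical adapters whose medium is native 802.11 (Wi-Fi), in any state.
    Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
        Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }
}

function Invoke-WirelessSuppression {
    # Returns 'none', 'suppressed' or 'released' so a caller can log the result.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $wifi = @(Get-WiFiAdapter)
    if ($wifi.Count -eq 0) { Write-Verbose 'No Wi-Fi adapter present'; return 'none' }

    if (Get-WiredLinkUp) {
        # Wired link present: administratively disable Wi-Fi so no traffic,
        # not merely no preferred route, can leave over the wireless side.
        foreach ($a in ($wifi | Where-Object { $_.Status -ne 'Disabled' })) {
            if ($PSCmdlet.ShouldProcess($a.Name, 'Disable Wi-Fi (wired link up)')) {
                Disable-NetAdapter -Name $a.Name -Confirm:$false
            }
        }
        return 'suppressed'
    }

    # No wired link: give Wi-Fi back to the user.
    foreach ($a in ($wifi | Where-Object { $_.Status -eq 'Disabled' })) {
        if ($PSCmdlet.ShouldProcess($a.Name, 'Enable Wi-Fi (no wired link)')) {
            Enable-NetAdapter -Name $a.Name -Confirm:$false
        }
    }
    return 'released'
}

# Typical invocation; add -WhatIf to preview changes without applying them.
$state = Invoke-WirelessSuppression -Verbose
Write-Verbose "Wireless suppression state: $state"
```

Note that this treats any wired link as the corporate LAN, so a laptop docked at home would also lose Wi-Fi; a production version would additionally check that the wired network is the domain-authenticated one before suppressing.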