It's been almost a year since the IEEE 802.11ac specification was ratified, and although wireless speeds have greatly increased, the security standards underpinning gigabit wireless have yet to change. Indeed, the same WPA2 encryption protocol used with 802.11g and 802.11n remains in force. The introduction of the new standard, combined with the increasing use and capabilities of mobile devices, should prompt network managers to review their networks' wireless security policies.
Let's first review the capabilities of IEEE 802.11ac. Wireless LAN (WLAN) systems supporting this standard can deliver data rates in excess of 1 Gbps due to these advances over the earlier 802.11n standard. To that end, 802.11ac:
- Increases the maximum radio channel width from the earlier standard's 40 MHz to 80 MHz or an optional 160 MHz. Doubling the channel width doubles the maximum data rate.
- Introduces an improved modulation technique that increases the amount of data that can be placed in a packet. More data per packet increases the data rate.
- Supports multiple-input, multiple-output (MIMO) to transmit and receive multiple data streams simultaneously in the same radio channel. IEEE 802.11ac doubles the four streams 802.11n could send to a single device. The new standard can transmit up to eight streams in total: a maximum of four to a single device, four each to two different devices, or a single stream to each of eight devices. Each additional stream to a device increases the total data rate to that device.
- Fully supports beamforming, a technique that allows an access point (AP) to focus its transmission energy in a particular direction using multiple omnidirectional antennas. Focusing the signal increases its strength, improving performance for devices at a distance from the AP. The IEEE 802.11n standard included beamforming, but differences in implementation among equipment vendors reduced its usefulness. The new standard specifies the implementation, so products from different vendors can interoperate.
Time to review security as mobile devices proliferate
For some enterprises, the introduction of IEEE 802.11ac required no significant changes in their wireless security policies. These enterprises have already recognized that many of their employees rely on mobile devices and have already updated their policies. Many others have made some updates to address issues such as employee-owned devices, but have not undertaken a top-to-bottom policy review.
That said, it's important that all enterprises deploying IEEE 802.11ac -- those that have updated security as well as those that haven't -- determine whether their current WLAN is operating in the 5 GHz band. The 802.11n specification operated in either the 2.4 GHz or 5 GHz bands. IEEE 802.11ac operates only in the 5 GHz band. If the new standard's introduction is an enterprise's first use of the 5 GHz band, it will need to update scanning equipment and other procedures to detect rogue APs and other intrusion attempts operating in the higher band.
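As an added illustration (not code from the article), here is a small Python check that walks constructed site-survey records, flags APs missing from an authorized inventory, and shows how a survey tool that only covers 2.4 GHz would miss a 5 GHz rogue; the BSSIDs, SSIDs and frequencies are constructed sample values.

```python
"""Flag access points seen in a site survey that are not in the enterprise
inventory, and report the band each one uses. Added example, not from the
article; the inventory and scan records below are constructed, not real data."""

# Constructed inventory of authorized APs: BSSID -> expected SSID.
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-wifi",
    "00:11:22:33:44:02": "corp-wifi",
}

# Constructed scan records: (bssid, ssid, center_frequency_mhz, channel_width_mhz).
SCAN = [
    ("00:11:22:33:44:01", "corp-wifi", 2437, 20),  # authorized 2.4 GHz AP
    ("00:11:22:33:44:02", "corp-wifi", 5180, 80),  # authorized 802.11ac AP
    ("de:ad:be:ef:00:01", "corp-wifi", 5240, 80),  # unknown AP using the corporate SSID
    ("de:ad:be:ef:00:02", "FreeWifi", 2462, 20),   # unknown 2.4 GHz AP
]


def band_of(freq_mhz):
    """Map a center frequency to the band the article distinguishes."""
    if 2400 <= freq_mhz < 2500:
        return "2.4 GHz"
    if 5150 <= freq_mhz < 5925:
        return "5 GHz"
    return "other"


def find_rogues(scan, authorized, scanner_bands=("2.4 GHz", "5 GHz")):
    """Return (bssid, ssid, band, reason) for every AP not in the inventory.
    scanner_bands models what the survey tool can hear: a scanner that only
    covers 2.4 GHz never sees a 5 GHz rogue, so nothing is reported for it."""
    findings = []
    for bssid, ssid, freq, _width in scan:
        band = band_of(freq)
        if band not in scanner_bands or bssid in authorized:
            continue
        if ssid in authorized.values():
            reason = "unknown BSSID advertising the corporate SSID"
        else:
            reason = "unauthorized AP"
        findings.append((bssid, ssid, band, reason))
    return findings


if __name__ == "__main__":
    full = find_rogues(SCAN, AUTHORIZED)
    legacy = find_rogues(SCAN, AUTHORIZED, scanner_bands=("2.4 GHz",))
    for bssid, ssid, band, reason in full:
        print(f"{bssid} {ssid!r} on {band}: {reason}")
    print(f"{len(full) - len(legacy)} rogue AP(s) invisible to a 2.4 GHz-only scanner")
```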
No single set of mobile security policies will apply to every enterprise. Some must adhere to very specific sets of regulations such as payment card industry compliance or the Health Insurance Portability and Accountability Act; others protect different types of sensitive data, such as corporate financial records or product plans and designs. Some have mobile employees who seldom visit a corporate office; and in others, employees work primarily in the office but log in from home. Each requires a security policy designed for the nature of its business.
Security assumptions must be updated as networks transform
When mobile devices first appeared, they were often considered to be adjuncts to the wired network. This was fine for reading email while out of the office or for taking notes in a meeting, but most work went on at employee desks and was connected via the wired network.
An all-wireless network changes fundamental security assumptions. Data access through the wired network was often determined by employee login credentials and Ethernet port-based virtual LAN (VLAN) membership. Port-based VLAN access is no longer effective in a wireless network. Access instead must be based on the identity and role of the end user, but other considerations may apply.
Device type may also be a critical factor. Many employees have multiple mobile devices and may be limited to reading email on their personal phones, while being able to access critical information only from an enterprise-owned and configured laptop.
Additionally, location can dictate access. Security software can use various means, such as GPS data or network traceroute, to determine employee location. Data available when an employee is home can be off-limits when in a coffee shop. Detailed financial information may become unavailable as an employee walks out of the office area and into the company cafeteria.
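The identity, device and location considerations above as an added example (not from the article): a small attribute-based policy in Python where each attribute sets a ceiling on data sensitivity and the most restrictive ceiling wins; the roles, device classes, locations and data classes are assumed for illustration.

```python
"""Attribute-based access decision for an all-wireless network: user role,
device type and location each cap the data a session may reach, and the
lowest cap wins. Added example, not from the article; the roles, device
classes, locations and data classes are assumed values."""

# Data classes ordered from least to most sensitive (assumed for the example).
SENSITIVITY = {"email": 0, "internal": 1, "financial": 2}

# Ceiling each attribute value permits. An unknown value yields no ceiling,
# which the decision below treats as deny.
ROLE_CEILING = {"contractor": "email", "staff": "internal", "finance": "financial"}
DEVICE_CEILING = {"personal_phone": "email", "corporate_laptop": "financial"}
LOCATION_CEILING = {"public": "email", "home": "internal",
                    "cafeteria": "internal", "office": "financial"}


def ceiling(role, device, location):
    """Return the highest data class this session may reach, or None (deny)
    when any attribute is not recognized."""
    levels = [ROLE_CEILING.get(role), DEVICE_CEILING.get(device),
              LOCATION_CEILING.get(location)]
    if any(level is None for level in levels):
        return None
    # Most restrictive attribute wins.
    return min(levels, key=SENSITIVITY.__getitem__)


def may_access(data_class, role, device, location):
    """True only if the requested class is at or below the session ceiling."""
    top = ceiling(role, device, location)
    return top is not None and SENSITIVITY[data_class] <= SENSITIVITY[top]


if __name__ == "__main__":
    # A finance user on a corporate laptop loses financial data on leaving the office.
    for where in ("office", "cafeteria", "public"):
        print(where, may_access("financial", "finance", "corporate_laptop", where))
```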
BYOD policies should be re-evaluated with the deployment of IEEE 802.11ac and the understanding that the wireless network has become primary. New devices are released every few months with constantly increasing capabilities. Policies created a few years ago may not account for the new environment.
IEEE 802.11ac greatly increases wireless network capacity but simply represents the latest step in wireless technology's evolution. Additional standards will undoubtedly be developed with additional capabilities. The bottom line: Network security managers must regularly review wireless security policies to address evolving technologies and recognize how business practices have adapted to take advantage of new technological capabilities.
About the author:
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and has provided consulting services to Fortune 500 companies as well as software startups.