The wireless landscape is at an odd juncture, especially when it comes to security. Typically, technologies get better as they age, or they fade into obsolescence. While Wi-Fi has generally gotten faster through its five major generations, wireless security lumbers along in the most peculiar of fashions in response to wide-ranging client capabilities and organizational philosophies. The disclosure in October 2017 of a major security flaw in the WPA2 protocol just illustrates the latest vulnerability. But not trying to secure your wireless is not an option. So how to make Wi-Fi secure?
Old mantras still resonate
Even with today's mishmash of wireless client devices and the blurring lines between the consumer and business device spaces, we can rely on classic fundamentals to tackle wireless security issues and start a policy discussion:
- Security starts with policy. Without operational rules in place to guide your security strategy, you can't even begin to develop a plan to make Wi-Fi secure.
- You can say no. This is just part of policy. Very few networks are obligated to accommodate every crazy gadget that hits the market, yet saying no can be uncomfortable. There is a middle ground: Know your performance parameters and don't yield. Devices either live up to these specs or you have a legitimate rationale for turning them away for the greater good. These are some examples:
  - minimum supported data rates (defined by you);
  - no special multicast requirements;
  - your minimum required wireless security capabilities; and
  - ability to disable default credentials or unused network services.
- Know the value of what you're protecting. Anyone running a business network needs to be aware their environments are going to be targeted for various attacks over time. But security is a touchy subject. It can lead to paranoia and overspending in the name of protection. If you don't have high-value or sensitive data, it may be silly to spend precious budget dollars to build a virtual fortress in front of what amounts to a low-value target. There are approaches for every budget to make Wi-Fi secure.
- Keep administrative access to a minimum; change defaults. Whether your wireless LAN (WLAN) is composed of thousands of access points or just a couple, be sure to carefully control administrative access to the system and change access credentials periodically. It's not a bad idea to only permit administrative access from trusted parts of the network. Also change default passwords and disable unused services on all network devices.
None of these steps is meant to dazzle with originality; we're just talking Wireless Security 101. Now let's go a bit deeper into more contemporary concerns.
Not all clients belong on the same WLAN
Whether the business environment is large or small, guests and gadgets should not share the same wireless or wired network space as your business-critical clients. There are many ways to achieve isolation even in smaller business settings, and there are some devices that you may not want on Wi-Fi at all to avoid wireless security issues; one example is point-of-sale terminals that never move. As a wireless expert, I'm here to tell you that patch cables still have their place in your security plans.
Pre-shared security isn't going anywhere, so deal with it
It's maddening that, after so many years of wireless evolution, client device vendors are still creating products for the enterprise market only capable of residential-grade security. For all of my complaining in blogs and at conference presentations on this topic, nothing has really changed. So how do you make peace with, and responsibly work within, the constraints of pre-shared networks?
If your vendor provides Personal Pre-Shared Key options, absolutely consider them. If not, then make sure you never use WEP and only use AES encryption with WPA2 pre-shared configurations. Find a way to change keys at least annually, even if it means creating a new service set identifier (SSID) to force the issue.
Security is pricey; know your requirements
It's getting harder to find simple Remote Authentication Dial-In User Service (RADIUS) servers that aren't part of license-heavy network access control systems. Typically, the sales pitch is both deep and wide and sounds phenomenal -- until you hear the costs that go with the complexity and how you may have to bend to fit the system instead of vice versa. The only defense here is to know your budget and discrete requirements and to hold the vendor to only what you need. Some customers might benefit from every module offered, but both purchase price and Opex increase with every feature and required license.
And it's okay to get your enterprise security from Vendor Y, even if your WLAN is built on Vendor X's hardware. You've got options; don't hesitate to exercise them.
How far do you go with BYOD and IoT to prevent wireless security issues?
The questions of BYOD and the internet of things (IoT) get us back to policies and what you allow on the network. Whatever you do allow on the network should be assessed for risk, and someone needs to "own" them -- BYOD and IoT -- when trouble hits. Do early testing off the production network, and don't turn them loose until you understand how they fit into your overall network picture.
If the gadget in question doesn't need access to the internet, then by all means put it in an isolated virtual LAN. If it does need internet access, make sure it's as secure as possible, given its limitations, and get on a patch schedule where you periodically check for firmware updates, regardless of what these devices are. For personal phones or tablets that employees use at work, individual business circumstances will dictate how much control you exert over them. Just make sure you understand the BYOD devices in use and what the risks are in allowing them into your business operations. In addition, determine if a mitigation strategy is warranted in the form of a mobile device management product should these devices be lost or stolen.
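The script below is an added example, not part of the original article and not any vendor's tooling. It turns the pre-shared-key rules from "Pre-shared security isn't going anywhere" (no WEP, WPA2 with AES only, keys rotated at least annually) and the segmentation advice in this section (guests and gadgets off the business segment, isolated where possible) into an audit of a hostapd-style configuration. The three-BSS config, the SSID roles and the key-rotation dates are all constructed; hostapd records neither the role of an SSID nor when a passphrase was last changed, so those two facts come from a separate inventory here.

```python
"""Audit a hostapd-style WLAN config against the policy points above (added example)."""
from datetime import date

# Constructed sample hostapd.conf with three BSSes (not from any real deployment).
SAMPLE_HOSTAPD_CONF = """\
interface=wlan0
bridge=br-corp
ssid=Corp-Staff
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10

bss=wlan0_1
bridge=br-corp
ssid=Corp-Guest
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=ChangeMePlease

bss=wlan0_2
bridge=br-iot
ssid=Corp-IoT
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=anotherPSK
ap_isolate=1
"""

# Constructed out-of-band inventory: hostapd has no field for either of these.
SSID_ROLES = {"Corp-Staff": "business", "Corp-Guest": "guest", "Corp-IoT": "iot"}
KEY_ROTATED = {"Corp-Guest": date(2016, 3, 1), "Corp-IoT": date(2017, 9, 15)}
MAX_KEY_AGE_DAYS = 365


def parse_hostapd(text):
    """Split a hostapd.conf into one dict per BSS; a 'bss=' line starts a new BSS."""
    sections, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "bss" and current:
            sections.append(current)
            current = {}
        current[key] = value
    if current:
        sections.append(current)
    return sections


def audit(text, roles, key_rotated, today):
    """Return (ssid, finding) tuples for every policy violation in the config."""
    findings = []
    bsses = parse_hostapd(text)
    business_bridges = {b.get("bridge") for b in bsses
                        if roles.get(b.get("ssid")) == "business"}
    for b in bsses:
        ssid = b.get("ssid", "?")
        # 1. WEP in any form (wep_key0..3, wep_default_key) is disqualifying.
        if any(k.startswith("wep_") for k in b):
            findings.append((ssid, "WEP configured"))
        # 2. Only pure WPA2 (wpa=2); wpa=1 or mixed mode wpa=3 keeps WPA/TKIP reachable.
        if b.get("wpa") != "2":
            findings.append((ssid, f"wpa={b.get('wpa')} (only wpa=2 allowed)"))
        # 3. AES-CCMP must be the only pairwise cipher (rsn_pairwise falls back to wpa_pairwise).
        ciphers = set((b.get("rsn_pairwise") or b.get("wpa_pairwise") or "").split())
        if ciphers != {"CCMP"}:
            findings.append((ssid, f"pairwise ciphers {sorted(ciphers)} (CCMP only)"))
        # 4. Pre-shared keys must have been rotated within the last year.
        if "WPA-PSK" in b.get("wpa_key_mgmt", "").split():
            last = key_rotated.get(ssid)
            if last is None or (today - last).days > MAX_KEY_AGE_DAYS:
                findings.append((ssid, "pre-shared key older than a year or never rotated"))
        # 5. Guest and IoT SSIDs must not share the business bridge and should isolate clients.
        role = roles.get(ssid)
        if role in ("guest", "iot"):
            if b.get("bridge") in business_bridges:
                findings.append((ssid, f"{role} SSID bridged to business segment {b.get('bridge')}"))
            if b.get("ap_isolate") != "1":
                findings.append((ssid, "client-to-client isolation (ap_isolate=1) not set"))
    return findings


def run_sample(today=date(2017, 11, 1)):
    """Audit the constructed sample as of a fixed date so results are reproducible."""
    return audit(SAMPLE_HOSTAPD_CONF, SSID_ROLES, KEY_ROTATED, today)


if __name__ == "__main__":
    for ssid, problem in run_sample():
        print(f"{ssid}: {problem}")
```

Run as-is, only the guest SSID is flagged: mixed WPA/WPA2 mode, TKIP still offered, a passphrase unchanged since early 2016, a bridge shared with the staff network and no client isolation. The 802.1X staff SSID and the isolated IoT SSID pass. The same checks can be pointed at a controller export instead of hostapd by swapping the parser; the policy logic in `audit` does not change.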
It's complicated ...
There is no one-size-fits-all strategy for WLAN security. Every WLAN environment has some basic commonalities, even if the permutations of how you might weave a security strategy get a lot more granular and diverse for each situation.
None of us wants the reputational damage or potential financial impact that comes with being breached. WLAN security begins with defining requirements and sticking with them as you build your defenses so you stay focused. Then review on a regular basis to make sure evolution isn't required.
Making Wi-Fi secure isn't always easy, but it is always necessary.