DETROIT – Wireless security is becoming an executive-level concern at corporations because of Sarbanes-Oxley, HIPAA, Visa CISP/PCI, Pedigree, and other regulations. Of the four basic requirements described below, the first three are almost universally acknowledged. The fourth is somewhat intuitive, but needs to be specifically separated so the circle of security can be closed. If a Wi-Fi network is not managed, it is not secure.

Wi-Fi Security: The Basic Requirements

Any organization planning a wireless network must have a strategy for addressing four critical areas:

1) Data Encryption

The most obvious requirement is that all data transmitted between wireless devices and the antennas must be encrypted to prevent lurkers and hackers from viewing data as it.

2) Authentication, Access Control

Only authorized, authenticated users should be able to connect to the network. Certain resources should only be accessible from certain locations. Tracking and recording the movement of users around the network also adds to the security of the network in many cases.

3) Intrusion Detection

Organizations must have intrusion detection that encompasses not just the detection of unauthorized users but also the locating of unauthorized devices in certain locations. Those devices include low-cost access points purchased online or from a local computer superstore, or PCs in an area where only handheld devices should be attaching to the network.

4) Wi-Fi Management

To implement a secure wireless network, enterprises must define policies and ensure that those policies are implemented uniformly across the entire network. And they must continually audit the network to ensure that the policies remain in effect. If this is not done, the enterprise cannot assume that its security has been consistently maintained.

Wireless Network Management

Much has been written about the first three areas above. The intent of this article is to give you a sense of how tightly good Wi-Fi management is tied to the other three areas. To fully safeguard Wi-Fi, administrators must have total control over the infrastructure.

Network Discovery

First, discover all APs and Wi-Fi devices connected to the WLAN to ensure devices are accessing the network appropriately. To ensure discovery of all APs, use a combination of RF scans and wired-side, layer 2 discovery (such as CDP, OSU NMS, WNMP, etc.), as well as "SNMP walks" and HTTP scans. Once all APs have been discovered, generate inventory reports to ensure that no unknown devices have been connected to the network and that all previously known devices are accounted for.
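The inventory report described above can be sketched as follows. This is an added example, not part of the original column: the feed names, AP names and MAC addresses are constructed, and each discovery method is assumed to have already produced a plain list of MAC addresses in its own notation.

```python
import re

# Constructed sample data: the approved inventory and three discovery feeds.
INVENTORY = {
    "00:00:5e:00:53:01": "ap-lobby",
    "00:00:5e:00:53:02": "ap-floor2",
    "00:00:5e:00:53:03": "ap-dock",
}
RF_SCAN = ["00:00:5E:00:53:01", "00-00-5E-00-53-02", "00:00:5e:00:53:99"]
WIRED_L2 = ["0000.5e00.5301", "0000.5e00.5302", "0000.5e00.5399"]
SNMP_WALK = ["00005E005301"]


def normalize_mac(raw):
    """Reduce colon, dash, dotted or bare notation to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory, **feeds):
    """Merge all discovery feeds and compare the result with the known inventory."""
    seen = {}  # normalized MAC -> set of feed names that reported it
    for feed, macs in feeds.items():
        for raw in macs:
            seen.setdefault(normalize_mac(raw), set()).add(feed)
    known = {normalize_mac(mac) for mac in inventory}
    return {
        # Devices on the air or the wire that nobody approved, with evidence.
        "unknown": {m: sorted(src) for m, src in seen.items() if m not in known},
        # Approved devices that no discovery method found this run.
        "missing": sorted(known - seen.keys()),
    }


if __name__ == "__main__":
    report = reconcile(INVENTORY, rf=RF_SCAN, wired=WIRED_L2, snmp=SNMP_WALK)
    print("unknown:", report["unknown"])
    print("missing:", report["missing"])
```

Recording which feeds saw an unknown device matters: one reported by both the RF scan and wired-side discovery is attached to the network, not merely audible from a neighbor.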

Automated Configuration

Implementing encryption and access controls on Wi-Fi requires centralized configuration policies. Applying these policies uniformly to all wireless APs and devices is critical. For example, if an organization specifies a security policy based on WPA with PSK, then every AP must have all the appropriate WPA settings enabled. If an organization is using separate VLANs and/or SSIDs for different classes of network users (i.e., employees vs. guests), then these specific settings must also be applied correctly to each AP on the network.

Configuring these settings manually creates numerous opportunities for human error that could jeopardize security. Gartner Group has estimated that up to 70 percent of wireless LAN attacks will be the result of misconfigured APs and devices. The only way to provide true WLAN security is to use a procedure that automatically configures network hardware.

Good network security also requires that passwords, SSIDs and other key security settings be rotated frequently. It's even more essential when a network is under attack. With a centralized approach, remote administrators can immediately shut down segments of the network during an attack. Another common technique is to schedule segments to shut down when there are no legitimate users on the WLAN, and back on at the start of business.

Audit

It is not enough to configure APs and devices correctly only at the time of installation. Especially in large organizations with multiple IT staff members, it is common for an access point to become misconfigured during troubleshooting or from human error. Worst case, if a malicious intruder connects to an AP's physical interface, they may be able to alter the configuration in a way that undermines all policies put in place.

To combat misconfigured APs, we must provide an audit trail to track each configuration change. By tracing the source of configuration changes, we ensure accountability and are better prepared in the future. In addition to accountability and training, organizations must conduct configuration audits to ensure that in-effect configurations always conform to policies. These audits cannot be conducted manually, since there can be hundreds of settings that must be checked on each AP. A centralized management solution can quickly compare actual AP configurations to pre-defined policies, and automatically report any discrepancies. Situations may dictate procedures to "auto-repair" configurations to ensure that all APs are always in compliance.
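A minimal sketch of such a configuration audit, using the WPA-with-PSK and employee/guest VLAN policy mentioned earlier. This is an added example, not part of the original column: the setting names, AP names and collected configurations are constructed, and a real management system would pull the actual values from the devices.

```python
"""Audit AP configurations against a central policy (all data here is constructed)."""
MISSING = "<missing>"
# Hypothetical policy: WPA with PSK everywhere, employees and guests on separate VLANs.
POLICY = {
    "encryption": "WPA-PSK",
    "ssid_vlans": {"corp": 10, "guest": 20},
    "http_admin": False,
}
# Constructed "actual" configurations, as collected from each AP.
ACTUAL = {
    "ap-lobby": {"encryption": "WPA-PSK", "ssid_vlans": {"corp": 10, "guest": 20}, "http_admin": False},
    "ap-floor2": {"encryption": "WEP", "ssid_vlans": {"corp": 10, "guest": 10}, "http_admin": False},
    "ap-dock": {"encryption": "WPA-PSK", "ssid_vlans": {"corp": 10, "test": 1}},
}


def flatten(config):
    """Turn nested settings into dotted keys so every leaf is compared on its own."""
    flat = {}
    for key, value in config.items():
        if isinstance(value, dict):
            for sub, leaf in flatten(value).items():
                flat[f"{key}.{sub}"] = leaf
        else:
            flat[key] = value
    return flat


def audit(actual, policy):
    """Return sorted (ap, setting, expected, found) tuples for every deviation."""
    want = flatten(policy)
    findings = []
    for ap, config in actual.items():
        have = flatten(config)
        # Union of keys catches both missing settings and extras the policy never allowed.
        for setting in want.keys() | have.keys():
            expected = want.get(setting, MISSING)
            found = have.get(setting, MISSING)
            if expected != found:
                findings.append((ap, setting, expected, found))
    return sorted(findings)


def repair_plan(findings):
    """Group deviations per AP into the settings an auto-repair would push (None = remove)."""
    plan = {}
    for ap, setting, expected, _ in findings:
        plan.setdefault(ap, {})[setting] = None if expected == MISSING else expected
    return plan
```

Calling `audit(ACTUAL, POLICY)` reports the WEP downgrade and the guest SSID mapped onto the employee VLAN on `ap-floor2`, plus the missing guest SSID, unapproved `test` SSID and unset `http_admin` on `ap-dock`.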

Firmware Updates

Updating APs and devices is a requirement for WLAN security. First, as vendors release patches to address security vulnerabilities, it is essential to distribute these updates efficiently to hundreds or even thousands of devices across a wide geography. Second, as organizations migrate to new standards like WPA2, many of their legacy APs and devices will need firmware updates.

Monitoring, Alerting

Real-time monitoring that tracks each user by username is important to network security. Administrators must be able to determine exactly who is connected to the network, where they are connected, how they have been authenticated, and more.

Monitoring should alert when usage patterns fall outside expected ranges, indicating the possibility of a security breach or other problem. Administrators should be able to monitor and report detailed roaming and connection logs for each user, tracking every session on the wireless network for both security and planning purposes.

Conclusion

Without proper Wi-Fi management, it is impossible to secure a large WLAN. Without management tools, the other steps to secure the Wi-Fi network are incomplete and ineffective:

All of these are management tasks that must be performed routinely and reliably for a wireless network to be secure. Information security teams deploying Wi-Fi must insist upon comprehensive management. Without it, they cannot guarantee the security of the organization's network.

This column was written by Caston Thomas of InterWorks Technology

“Driving organizations into a mobile world!” You can email Thomas at [email protected]

Or you can telephone him at (248) 608-0000 x304.