This is another one of those oh-so-obvious things that you think are “self-evident” but which seem to get lost in the overall scheme of things. So what is it that I am talking about? Well, I’ll tell you: it’s about practicing “safe wireless” within your organization!
OK, so what am I referring to with the term “safe wireless”? Well, this one is pretty simple — it’s about doing all the things that should be done to separate and segregate CORPORATE or ORGANIZATIONAL data traffic from GUEST or FOREIGN data traffic. It’s a simple concept, really, but one that I find more and more companies are messing up in the mad rush to provide connectivity to the flood of devices that are showing up in offices on a daily basis.
Example: I have been working with a client that has multiple physical locations and a less than “solid” network security policy. They asked us to “lock down” the networks at a number of locations after a recent Cryptowall attack. We provided Sonicwall UTM firewalls so that there would be one “controlled” point of ingress/egress on each of their networks, which would also do all the standard UTM scanning on traffic to/from those networks. These units were to replace a mishmash of consumer-grade firewalls. All well and good and proper, especially so for corporate networks. Problem is, the plan was blown out of the water when I discovered that each location was providing “public” WiFi access using open consumer-grade WiFi access points on the CORPORATE LAN, without any sort of traffic segregation ability. Talk about leaving the door wide open!
There is little point in trying to control access to/from your network with commercial-grade firewalls if you allow unfettered “foreign” access to your networks through the indiscriminate use of open WiFi access points and routers.
So, how do you go about providing WiFi for all those devices? That’s a good question, and I’ll try to give some good answers. There is nothing wrong with wanting to provide WiFi access; you just have to plan for the required security.
First off, you should do everything you can to separate and segregate CORPORATE traffic from everything else. Wherever possible, WiFi access should be on a completely separate network from your corporate network. The separate network could be completely separate physical cable runs for the access points, with the runs terminated at a firewall that can handle multiple networks and enforce firewall rules between them. Or, alternatively, you could have a similar scenario with VLANs substituting for the physical networks. In either case, you are putting a “wall” between your precious corporate traffic and that which is NOT corporate traffic.
Scenarios like the above can be accomplished with many commercial-grade firewalls and commercial WiFi gear. Some vendors, such as Sonicwall, have firewall/WiFi gear combinations that allow you to build a single-vendor solution. The point is, the equipment is available to build solutions like this.
Another option is to use WiFi gear that can provide “virtual access points” so that traffic connected to a “guest” access point cannot “see” or access resources on the internal network; traffic through that access point is only allowed out to the Internet. There are lots of consumer-grade firewalls and access points that incorporate this type of ability, but I would not recommend them in a corporate environment due to the large number of security issues that seem to plague consumer-level gear. However, there are some excellent commercial-grade vendors that provide gear that can perform this function; one example is EnGenius. For lack of a better way of describing how they work, the access points essentially “tunnel” guest traffic over your network and out through your gateway to the Internet while blocking access to the LAN. I still prefer and recommend separate networks or VLANs, but if they are not an option then this is the next best way to go, provided you are using commercial-grade gear.
Another thing you need to keep in mind is the bandwidth that can be consumed by all of the connected WiFi devices. I see this all the time: customers complaining their network is “slow” when, in fact, it is saturated due to the large number of WiFi devices that are connected and consuming resources. Going down the route of physically separating your networks, and even physically separating the Internet feed for the corporate network from the one for the WiFi network, can make a very big difference in how things work. If you are on small Internet “pipes” you really want to make sure that corporate resources get the bandwidth they require. Having a guest network overlaid on top of your corporate network, even if properly secured, can be a great way to deny your corporate users the resources they need. If you can provide separate Internet feeds for corporate and guest, then so much the better. If you can’t, then you do want to be able to throttle how much overall bandwidth is given to guest access. This is accomplished with tools in the access points or tools in the firewall, all of which, again, should be commercial-grade.
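To make the “wall” between corporate and guest VLANs and the guest throttling concrete, here is an added example (not from the original post, and not a Sonicwall or EnGenius configuration) written for a Linux gateway using nftables and tc as a stand-in for the commercial firewall. The interface names wan0, vlan10 and vlan20 and the 20 Mbit/s guest cap are assumptions.

```shell
#!/bin/sh
# Added example: a Linux nftables ruleset that separates a corporate VLAN
# from a guest WiFi VLAN, plus a tc shaper for the guest segment.
# Assumed interface names (not from the post):
#   wan0   = Internet uplink
#   vlan10 = corporate LAN (802.1Q VLAN 10)
#   vlan20 = guest WiFi    (802.1Q VLAN 20)
WAN=wan0
CORP=vlan10
GUEST=vlan20
GUEST_RATE=20mbit   # assumed ceiling for everything sent toward guest clients

# Emit the ruleset as text. Default policy is drop, so only the listed
# paths exist: guest -> Internet and corporate -> Internet.
segregation_ruleset() {
    cat <<EOF
table inet segregate {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions a client opened is allowed back in.
        ct state established,related accept

        # Guest may reach the Internet only; attempts to cross into the
        # corporate VLAN are logged (for detection) and dropped.
        iifname "$GUEST" oifname "$WAN" accept
        iifname "$GUEST" oifname "$CORP" log prefix "guest-to-corp " drop

        # Corporate reaches the Internet; no path into guest is opened.
        iifname "$CORP" oifname "$WAN" accept
    }
}
EOF
}

# Sanity check: does a ruleset text still contain the guest-to-corporate wall?
wall_present() {
    printf '%s\n' "$1" | grep -q "iifname \"$GUEST\" oifname \"$CORP\" .*drop"
}

# Token-bucket shaper on the guest VLAN interface; this caps what the
# gateway sends toward guest clients so they cannot starve corporate users.
guest_shaper_cmd() {
    echo "tc qdisc add dev $GUEST root tbf rate $GUEST_RATE burst 32kbit latency 400ms"
}

# Apply only when explicitly asked (needs root, nftables and iproute2).
if [ "$1" = "apply" ]; then
    segregation_ruleset | nft -f -
    eval "$(guest_shaper_cmd)"
fi
```

Run with `apply` on the gateway to load the rules; without an argument the script only defines the functions, which is how the check can be run against a proposed ruleset before it goes live.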
Keeping all of this in mind when you build or expand your network can help close a lot of security holes before they happen. Of course, there is a whole other discussion to be had regarding granting employees’ devices WiFi access to your corporate assets, but that is a topic for another post. Do the best you can to follow the segregate/separate mantra and you will go a long way towards making your network as secure as you can.