{"id":2452,"date":"2014-11-22T22:59:48","date_gmt":"2014-11-22T22:59:48","guid":{"rendered":"https:\/\/thebeagle.itgroove.net\/?p=1905"},"modified":"2023-02-24T21:39:50","modified_gmt":"2023-02-24T21:39:50","slug":"uncle-robs-primers-wifi-and-a-secure-network","status":"publish","type":"post","link":"https:\/\/regroove.ca\/archive\/2014\/11\/22\/uncle-robs-primers-wifi-and-a-secure-network\/","title":{"rendered":"Uncle Rob&#8217;s Primers &#8212; WiFi and a Secure Network"},"content":{"rendered":"<p>This is another one of those oh-so-obvious things that you think are \u201cself-evident\u201d but which seem to get lost in the overall scheme of things.\u00a0 So what is it that I am talking about?\u00a0 Well, I&#8217;ll tell you, it&#8217;s about practicing \u201csafe wireless\u201d within your organization!<\/p>\n<p>OK, so what am I referring to with the term \u201csafe wireless\u201d?\u00a0 Well, this one is pretty simple \u2014 it&#8217;s about doing all the things that should be done to separate and segregate CORPORATE or ORGANIZATIONAL data traffic from GUEST or FOREIGN data traffic.\u00a0 It&#8217;s a simple concept, really, but one that I find more and more companies are messing up\u00a0in the mad rush to provide connectivity to the flood of devices that are showing up in offices on a daily basis.<\/p>\n<p>Example:\u00a0 I have been working with a client that has multiple physical locations and a less than \u201csolid\u201d network security policy.\u00a0 They asked us to \u201clock down\u201d the networks at a number of locations after a recent Cryptowall attack.\u00a0 We provided Sonicwall UTM firewalls so that there would be one \u201ccontrolled\u201d point of ingress\/egress on their networks which would also do all the standard UTM scanning on traffic to\/from their networks.\u00a0 These units were to replace a mishmash of consumer-grade firewalls.\u00a0 All well and good and proper, especially so for corporate networks.\u00a0 Problem is the plan 
was blown out of the water when I discovered that each location was providing \u201cpublic\u201d WiFi access using open consumer-grade WiFi access points on the CORPORATE LAN without any sort of traffic segregation abilities.\u00a0 Talk about leaving the door wide open!<\/p>\n<p>There is little point in trying to control access to\/from your network with commercial-grade firewalls if you allow unfettered \u201cforeign\u201d access to your networks through the indiscriminate use of open WiFi access points and routers.<\/p>\n<p>So, how do you go about providing WiFi for all those devices?\u00a0 That&#8217;s a good question and I&#8217;ll try to give some good answers. There is nothing wrong with wanting to provide WiFi access; you just have to plan for the required security.<\/p>\n<p>First off, you should do everything you can to separate and segregate CORPORATE traffic from everything else.\u00a0 Wherever possible, WiFi access should be on a completely separate network from your corporate network.\u00a0 The separate network could be completely separate physical cable runs for access points with the runs terminated at a firewall that can handle multiple networks with firewall rules between the networks.\u00a0 Or, alternatively, you could have a similar scenario with VLANs substituting for the physical networks.\u00a0 In either case, you are putting a \u201cwall\u201d between your precious corporate traffic and that which is NOT corporate traffic.<\/p>\n<p>Scenarios like the above can be accomplished with many commercial-grade firewalls and commercial WiFi gear.\u00a0 Some vendors, such as Sonicwall, have firewall\/WiFi gear combinations that allow you to build a single-vendor solution.\u00a0 The point is, the equipment is available to build solutions like this.<\/p>\n<p>Another option is to use WiFi gear that can provide \u201cvirtual access points\u201d so that traffic connected to a \u201cguest\u201d access point cannot \u201csee\u201d or access resources on 
the internal network; traffic through the access point is allowed to go out only to the Internet.\u00a0 There are lots of consumer-grade firewalls and access points that incorporate this type of ability but I would not recommend them in a corporate environment due to the large number of security issues that seem to plague consumer-level gear.\u00a0 However, there are some excellent commercial-grade vendors that provide gear that can perform this function; an example is EnGenius.\u00a0 For lack of a better way of describing how they work, the access points essentially \u201ctunnel\u201d guest traffic over your network and out through your gateway to the Internet and block access to the LAN.\u00a0 I still prefer and recommend\u00a0separate networks or VLANs but, if they are not an option, then this is the next best way to go provided you are using commercial-grade gear.<\/p>\n<p>Another thing you need to keep in mind is the bandwidth that can be consumed by all of the connected WiFi devices.\u00a0 I see this all the time: customers complaining their network is \u201cslow\u201d when, in fact, it is saturated due to the large number of WiFi devices that are connected and consuming resources.\u00a0 Going down the route of physically separating your networks and even physically separating the Internet feeds for the corporate network from the WiFi network can make a very big difference in how things work.\u00a0 If you are on small Internet \u201cpipes\u201d you really want to make sure that corporate resources get the bandwidth they require.\u00a0 Having a guest network overlaid on top of your corporate network, even if properly secured, can be a great way to deny needed resources to your corporate users.\u00a0 If you can provide separate Internet feeds for corporate and guest then so much the better.\u00a0 If you can&#8217;t then you do want to be able to throttle how much overall bandwidth is given to the guest access.\u00a0 This is accomplished with tools in 
the access points or tools in the firewall, all of which, again, should be commercial-grade.<\/p>\n<p>Keeping all of this in mind when you build\/expand your network can help close a lot of security holes before they happen.\u00a0 Of course, there is a whole other discussion to be had regarding granting employees&#8217; devices WiFi access to your corporate assets but that is a topic for another post.\u00a0 Do the best you can to follow the segregate\/separate mantra and you will go a long way towards making your network as secure as you can.<\/p>\n<div class=\"bjtags\">Tags: <a href=\"http:\/\/technorati.com\/tag\/wifi,+security\" rel=\"tag\">wifi,+security<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"<p>This is another one of those oh-so-obvious things that you think are \u201cself-evident\u201d but which seem to get lost in the overall scheme of things.\u00a0 So what is it that I am talking about?\u00a0 Well, I&#8217;ll tell you, it&#8217;s about practicing \u201csafe wireless\u201d within your organization! 
OK, so what am I referring to with the &hellip; <a href=\"https:\/\/regroove.ca\/archive\/2014\/11\/22\/uncle-robs-primers-wifi-and-a-secure-network\/\"><\/a><\/p>\n","protected":false},"author":10,"featured_media":2109,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[49,275],"tags":[],"acf":[],
"yoast_head_json":{"title":"Uncle Rob's Primers - WiFi and a Secure Network - Archive","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/regroove.ca\/archive\/2014\/11\/22\/uncle-robs-primers-wifi-and-a-secure-network\/","og_locale":"en_US","og_type":"article","og_title":"Uncle Rob's Primers - WiFi and a Secure Network - Archive","og_description":"This is another one of those oh-so-obvious things that you think are \u201cself-evident\u201d but which seem to get lost in the overall scheme of things.\u00a0 So what is it that I am talking about?\u00a0 Well, I&#8217;ll tell you, it&#8217;s about practicing \u201csafe wireless\u201d within your organization! OK, so what am I referring to with the &hellip;","og_url":"https:\/\/regroove.ca\/archive\/2014\/11\/22\/uncle-robs-primers-wifi-and-a-secure-network\/","og_site_name":"Archive","article_published_time":"2014-11-22T22:59:48+00:00","article_modified_time":"2023-02-24T21:39:50+00:00","og_image":[{"width":200,"height":184,"url":"https:\/\/regroove.ca\/archive\/wp-content\/uploads\/sites\/6\/2014\/11\/halt-clipart-halt-man-md-e1442701865399.png","type":"image\/png"}],"author":"Sean Wallbridge","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Sean Wallbridge","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/regroove.ca\/archive\/2014\/11\/22\/uncle-robs-primers-wifi-and-a-secure-network\/","url":"https:\/\/regroove.ca\/archive\/2014\/11\/22\/uncle-robs-primers-wifi-and-a-secure-network\/","name":"Uncle Rob's Primers - WiFi and a Secure Network - Archive","isPartOf":{"@id":"https:\/\/regroove.ca\/archive\/#website"},"primaryImageOfPage":{"@id":"https:\/\/regroove.ca\/archive\/2014\/11\/22\/uncle-robs-primers-wifi-and-a-secure-network\/#primaryimage"},"image":{"@id":"https:\/\/regroove.ca\/archive\/2014\/11\/22\/uncle-robs-primers-wifi-and-a-secure-network\/#primaryimage"},"thumbnailUrl":"https:\/\/regroove.ca\/archive\/wp-content\/uploads\/sites\/6\/2014\/11\/halt-clipart-halt-man-md-e1442701865399.png","datePublished":"2014-11-22T22:59:48+00:00","dateModified":"2023-02-24T21:39:50+00:00","author":{"@id":"https:\/\/regroove.ca\/archive\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77"},"breadcrumb":{"@id":"https:\/\/regroove.ca\/archive\/2014\/11\/22\/uncle-robs-primers-wifi-and-a-secure-network\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/regroove.ca\/archive\/2014\/11\/22\/uncle-robs-primers-wifi-and-a-secure-network\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/regroove.ca\/archive\/2014\/11\/22\/uncle-robs-primers-wifi-and-a-secure-network\/#primaryimage","url":"https:\/\/regroove.ca\/archive\/wp-content\/uploads\/sites\/6\/2014\/11\/halt-clipart-halt-man-md-e1442701865399.png","contentUrl":"https:\/\/regroove.ca\/archive\/wp-content\/uploads\/sites\/6\/2014\/11\/halt-clipart-halt-man-md-e1442701865399.png","width":200,"height":184},{"@type":"BreadcrumbList","@id":"https:\/\/regroove.ca\/archive\/2014\/11\/22\/uncle-robs-primers-wifi-and-a-secure-network\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog 
Archive","item":"https:\/\/regroove.ca\/archive\/"},{"@type":"ListItem","position":2,"name":"Uncle Rob&#8217;s Primers &#8212; WiFi and a Secure Network"}]},{"@type":"WebSite","@id":"https:\/\/regroove.ca\/archive\/#website","url":"https:\/\/regroove.ca\/archive\/","name":"Archive","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/regroove.ca\/archive\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/regroove.ca\/archive\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77","name":"Sean Wallbridge","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/regroove.ca\/archive\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g","caption":"Sean Wallbridge"},"url":"https:\/\/regroove.ca\/archive\/author\/swallbridge\/"}]}},"_links":{"self":[{"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/posts\/2452"}],"collection":[{"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/comments?post=2452"}],"version-history":[{"count":1,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/posts\/2452\/revisions"}],"predecessor-version":[{"id":2845,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/posts\/2452\/revisions\/2845"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/media\/2109"}],"wp:attachment":[{"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/media?parent=2452"}],"wp:term":[{"taxonomy":"categor
y","embeddable":true,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/categories?post=2452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/tags?post=2452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}