Wireless LAN security tips for effective network lockdowns

Effectively integrating a wireless LAN with the corporate network is one of the biggest concerns for a chief information security officer (CISO). Thus before implementing a wireless LAN, CISOs must ensure the following factors.

If you go in for a corporate-wide wireless LAN deployment, then you must begin with the wireless LAN controller. As your network grows, you will require more sophisticated wireless management solutions (which are similar to network management tools).

If you go in for a corporate-wide wireless LAN deployment, then begin with the wireless LAN controller. As your network grows, you will require more sophisticated wireless management solutions.

The wireless LAN controller is an effective wireless network security tool which allows you to manage wireless devices, access points, identity management, log-in and usage trails. Wireless LAN controllers typically offer the following capabilities.

Configure access points – Wireless LAN controllers allow you to configure and deploy the same security policies across all wireless access points from a central location. For example, you can configure similar encryption policies for all your access points. Enterprises can also configure user identity and controls related policies at each access point.

Lightweight Directory Access Protocol (LDAP) based authentication - Many a time, when a person leaves the organization, he still has the wireless key through which he can get network access. Wireless LAN controllers allow you to implement directory (active or LDAP) based authentication. When a user connects to access points, the wireless LAN controller will authenticate its entry in the directory. So if a user leaves the organization, the enterprise simply needs to delete this user from the directory. He will not be able to access the wireless LAN even though he has the key.

Block rogue access points - Some wireless LAN controllers come with wireless IDS and IPS capabilities which allow you to identify and block rogue access points. These controllers deploy sensors strategically through the corporate network to identify such attacks. Such solutions can block the rogue access point's IP address as well as the switch's ports. Thus you can drop the signals from a compromised access point.

Link your wireless LAN with Network Access Control (NAC) – Wireless LAN controllers can help you integrate the wireless LAN with your NAC solution. So whenever a new handheld or laptop tries to connect to your wireless network, it will immediately connect to your NAC and check whether this end device complies with your security policies. When buying a wireless LAN controller, you must ensure that it can integrate with other technologies (For example, you may have switches and access points from different companies).

Wireless LAN IDS/IPS scanners are specialized standalone wireless security solutions which help organizations to perform 24/7 monitoring of its wireless space. As mentioned earlier, this solution helps you identify and block rogue access points by either disabling switch ports or blocking radio signals.

About the author: K K Mookhey is the founder and principal consultant of NII Consulting, which provides services in IT audits, risk management, compliance and computer forensics.

(As told to Dhwani Pandya.)