Effectively integrating a wireless LAN with the corporate network is one of the biggest concerns for a chief information security officer (CISO). So before implementing a wireless LAN, CISOs must consider the following factors.
• Be very clear about why you need to implement a corporate-wide wireless LAN.
• Who are the users allowed on the wireless LAN? What kind of access will they have once they are connected?
• What kind of access do you want to give for guests, vendors and business partners? It's best to create a separate path to give them limited wireless access and functionalities.
• What kind of monitoring is required? How do you design the user registration and de-registration process?
• Security configuration of wireless devices.
• Decide the wireless network's coverage area.
• Conduct regular vulnerability assessments and audits of wireless infrastructure.
"If you go in for a corporate-wide wireless LAN deployment, then you must begin with the wireless LAN controller. As your network grows, you will require more sophisticated wireless management solutions" (which are similar to network management tools).
Enterprises can establish strong access controls at the interface between the wireless and wired networks. But if you want to use your wireless LAN as a substitute for the wired network, then you need extremely strong monitoring capabilities, which can be achieved through a wireless IDS and IPS solution.
Wireless LAN controllers
The wireless LAN controller is an effective wireless network security tool which allows you to manage wireless devices, access points, identity management, log-in and usage trails. Wireless LAN controllers typically offer the following capabilities.
Configure access points – Wireless LAN controllers allow you to configure and deploy the same security policies across all wireless access points from a central location. For example, you can configure similar encryption policies for all your access points. Enterprises can also configure user identity and controls related policies at each access point.
Lightweight Directory Access Protocol (LDAP) based authentication – Often, when a person leaves the organization, he still has the wireless key through which he can get network access. Wireless LAN controllers allow you to implement directory-based (Active Directory or LDAP) authentication. When a user connects to an access point, the wireless LAN controller checks the user's entry in the directory. So if a user leaves the organization, the enterprise simply needs to delete this user from the directory; he will not be able to access the wireless LAN even though he still has the key.
Block rogue access points – Some wireless LAN controllers come with wireless IDS and IPS capabilities which allow you to identify and block rogue access points. These controllers deploy sensors strategically throughout the corporate network to identify such attacks. Such solutions can block the rogue access point's IP address as well as the switch port it is connected to. Thus you can drop the signals from a compromised access point.
Link your wireless LAN with Network Access Control (NAC) – Wireless LAN controllers can help you integrate the wireless LAN with your NAC solution. So whenever a new handheld or laptop tries to connect to your wireless network, it is immediately passed to your NAC, which checks whether the end device complies with your security policies. When buying a wireless LAN controller, you must ensure that it can integrate with other technologies (for example, you may have switches and access points from different vendors).
Wireless LAN IDS/IPS scanners
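The directory-based authentication and NAC hand-off described above, as an added example that is not code from the article or from any controller vendor. It simulates a controller's admission decision: a client must present a valid key, exist in the directory in the group the SSID requires, and (for the corporate SSID) pass a posture check before it is placed on a VLAN; deleting the user from the directory is enough to lock out someone who still holds the key. The directory, SSID policy, NAC policy, users and posture values are all constructed sample data, and the function names are this example's own.

```python
"""Simulated wireless LAN controller (WLC) admission decision.

Added example, not code from the article or any vendor product. It models
two controls: directory-based authentication, where a user deleted from the
directory is refused even though they still hold the wireless key, and a NAC
posture check before a client lands on a VLAN. All users, groups, SSIDs and
posture data below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed directory: username -> groups. Offboarding a user means deleting the entry.
DIRECTORY = {
    "alice": {"employees", "wlan-users"},
    "bob": {"employees", "wlan-users"},
    "carol-vendor": {"wlan-guests"},
}

# Constructed SSID policy: which directory group may join, which VLAN it lands on,
# and whether the NAC posture check is required (guests get a separate, limited path).
SSIDS = {
    "corp-wlan": {"group": "wlan-users", "vlan": 10, "posture_required": True},
    "guest-wlan": {"group": "wlan-guests", "vlan": 99, "posture_required": False},
}

# Hypothetical minimum posture the NAC enforces on corporate clients.
NAC_POLICY = {"av_enabled": True, "disk_encrypted": True, "patch_level": 42}

AUDIT_LOG = []  # one entry per decision, so the controller leaves a usage trail


@dataclass
class Client:
    username: str
    ssid: str
    key_ok: bool                   # True if the client proved possession of the SSID key
    posture: dict = field(default_factory=dict)


def nac_compliant(posture):
    """Return (ok, reason). Every policy attribute must be present and meet the minimum."""
    for attr, required in NAC_POLICY.items():
        value = posture.get(attr)
        if value is None:
            return False, f"missing posture attribute {attr}"
        # bool is checked first because bool is a subclass of int in Python
        if isinstance(required, bool):
            if value is not required:
                return False, f"{attr} must be {required}"
        elif value < required:
            return False, f"{attr}={value} below minimum {required}"
    return True, "compliant"


def authorize(client, directory=DIRECTORY):
    """Return (allowed, vlan, reason) for a client trying to join an SSID."""
    policy = SSIDS.get(client.ssid)
    if policy is None:
        decision = (False, None, "unknown SSID")
    elif not client.key_ok:
        decision = (False, None, "invalid wireless key")
    elif client.username not in directory:
        # Holding the key is not enough: the directory is the source of truth.
        decision = (False, None, "user not in directory")
    elif policy["group"] not in directory[client.username]:
        decision = (False, None, f"user not in group {policy['group']}")
    elif policy["posture_required"] and not nac_compliant(client.posture)[0]:
        decision = (False, None, "NAC: " + nac_compliant(client.posture)[1])
    else:
        decision = (True, policy["vlan"], "ok")
    AUDIT_LOG.append({"user": client.username, "ssid": client.ssid, "result": decision})
    return decision


def offboard(username, directory=DIRECTORY):
    """Deregister a user: remove the directory entry; no key rotation is needed."""
    directory.pop(username, None)


if __name__ == "__main__":
    good_posture = {"av_enabled": True, "disk_encrypted": True, "patch_level": 45}
    print(authorize(Client("alice", "corp-wlan", True, good_posture)))   # (True, 10, 'ok')
    print(authorize(Client("bob", "corp-wlan", True, {**good_posture, "patch_level": 30})))
    print(authorize(Client("carol-vendor", "guest-wlan", True)))         # (True, 99, 'ok')
    offboard("alice")
    print(authorize(Client("alice", "corp-wlan", True, good_posture)))   # (False, None, 'user not in directory')
    for entry in AUDIT_LOG:
        print(entry)
```

The order of checks matters: the key is verified first so that an unknown user cannot probe directory membership without it, and the directory lookup happens before the posture check so that a deprovisioned account never reaches the NAC at all.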
Wireless LAN IDS/IPS scanners are specialized standalone wireless security solutions which help organizations perform 24/7 monitoring of their wireless space. As mentioned earlier, this solution helps you identify and block rogue access points by either disabling switch ports or blocking radio signals.
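The rogue access point identification described under "Block rogue access points" and in the scanner paragraph above, as an added example that is not code from the article or from any WIDS/WIPS product. It classifies what a sensor hears against the authorized AP inventory and the switches' MAC address tables, so that an access point plugged into the corporate LAN is told apart from a harmless neighbouring network, and it names the switch port an operator would disable to contain it. The radio-to-wired MAC adjacency heuristic, the inventory, the scan results and the MAC table are all assumptions and constructed sample data.

```python
"""Rogue access point detection over wireless sensor scan data.

Added example, not code from the article or any WIDS/WIPS product. A sensor
reports the BSSIDs it hears; the classifier compares them with the authorized
AP inventory and with the wired switches' MAC address tables to tell a rogue
AP plugged into the corporate LAN apart from a neighbouring network, and names
the switch port to shut to contain it. The MAC adjacency heuristic, inventory,
scan and MAC table are assumptions and constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str    # radio MAC the sensor heard
    ssid: str
    channel: int
    rssi: int     # signal strength in dBm at the sensor


# Constructed inventory: BSSID -> SSID that radio is approved to broadcast.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
    "00:11:22:33:44:03": "guest-wlan",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())

# Constructed switch MAC address table: learned MAC -> (switch, port).
MAC_TABLE = {
    "00:11:22:33:44:01": ("sw1", "Gi1/0/1"),
    "00:11:22:33:44:02": ("sw1", "Gi1/0/2"),
    "aa:bb:cc:dd:ee:10": ("sw2", "Gi1/0/7"),   # wired side of an unapproved AP
}

# Constructed sensor scan.
SCAN = [
    Observation("00:11:22:33:44:01", "corp-wlan", 6, -45),
    Observation("00:11:22:33:44:03", "guest-wlan", 11, -60),
    Observation("aa:bb:cc:dd:ee:11", "free-wifi", 1, -50),   # radio MAC one above the wired MAC
    Observation("de:ad:be:ef:00:01", "corp-wlan", 6, -70),   # unapproved radio using a corporate SSID
    Observation("12:34:56:78:9a:bc", "coffeeshop", 1, -85),  # neighbour, not on our LAN
]

MAC_ADJACENCY = 8  # assumption: an AP's wired and radio MACs differ by a small offset


def _mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def _int_to_mac(value):
    return ":".join(f"{(value >> shift) & 0xff:02x}" for shift in range(40, -1, -8))


def wired_port_for(bssid, mac_table=MAC_TABLE):
    """Return (switch, port) whose learned MAC is adjacent to the BSSID, or None."""
    base = _mac_to_int(bssid)
    for offset in range(-MAC_ADJACENCY, MAC_ADJACENCY + 1):
        candidate = base + offset
        if 0 <= candidate < 1 << 48 and _int_to_mac(candidate) in mac_table:
            return mac_table[_int_to_mac(candidate)]
    return None


def classify(obs, authorized=AUTHORIZED_APS, mac_table=MAC_TABLE):
    """Classify one observation; for a rogue found on the wired LAN, name the port to shut."""
    finding = {"bssid": obs.bssid, "ssid": obs.ssid, "status": None, "containment": None}
    if obs.bssid in authorized:
        finding["status"] = "authorized" if authorized[obs.bssid] == obs.ssid else "misconfigured"
        return finding
    port = wired_port_for(obs.bssid, mac_table)
    if port is not None:
        # Unknown radio whose wired side is on our switch: this is the case to contain.
        finding["containment"] = {"action": "shutdown_port", "switch": port[0], "port": port[1]}
    if obs.ssid in CORPORATE_SSIDS:
        finding["status"] = "ssid_spoof"    # unknown radio advertising a corporate SSID
    elif port is not None:
        finding["status"] = "rogue_on_lan"
    else:
        finding["status"] = "external"      # heard over the air but not on our wire
    return finding


def classify_scan(scan=SCAN, **kw):
    return [classify(obs, **kw) for obs in scan]


if __name__ == "__main__":
    for finding in classify_scan():
        print(finding)
```

Two findings deserve different handling: a radio on the wired LAN (rogue_on_lan) is contained by disabling its switch port, which the wired side gives you a precise handle on, while a spoofed corporate SSID that is not on the wire (ssid_spoof) has no port to shut and is the case where the scanner's radio-side blocking or a physical search comes in.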
About the author: K K Mookhey is the founder and principal consultant of NII Consulting, which provides services in IT audits, risk management, compliance and computer forensics.
(As told to Dhwani Pandya.)
This was first published in October 2009