Every device in a wireless network — from clients to access points to wireless controllers and the management system — plays a part in securing the wireless network environment through a distributed defense. Because of its mobile nature, a multilayered approach to security is required. Cisco Systems recommends the following five-step approach for mitigating risks to the network from wireless threats:
Create a WLAN security policy.
Much like the security policy that is in place for wired access, a written wireless policy that covers authorized use and security is a necessary first step. Many templates already exist for the specific sections you should cover (view an example). Typically, security policy documents include the following sections:
- Purpose
- Scope
- Policy
- Responsibilities
- Enforcement
- Definitions
- Revision history
Secure the WLAN.
Securing a WLAN is not difficult; industry advances in technology and the Cisco Unified Wireless Network make it easier than ever. Securing the network is based on extending the Cisco Self-Defending Network strategy:
- Secure communications: This entails both encryption of data and authentication of users to the network.
- Modify the default network name: Change this setup immediately upon installation to something not directly related to your company; do not choose your company name, company phone number, or other readily available information about your company that is easy to guess or find on the Internet.
- Use strong encryption: Immediately after deployment configure your system with the most secure over-the-air encryption-IEEE 802.11i, VPN, or Wireless Equivalent Privacy (WEP) encryption. (If using the latter method, develop a plan to put a stronger form of security in place as soon as possible.)
- Use VPNs or WEP combined with MAC address control lists to secure business-specific devices.
- Use identity networking in combination with virtual LANs (VLANs) to restrict access to network resources.
- Ensure that management ports are secured.
- Physically hide or secure access points to prevent tampering.
- Monitor the exterior building and site for suspicious activity.
Find out more about the Cisco Self-Defending Network strategy.
Secure the wired (Ethernet) network against wireless threats.
- Deploy and enable wireless intelligent protection switching (ISP) devices to prevent rogue access points and other wireless threats-even if you do not have a WLAN. The Cisco Unified Wireless Network is designed to actively monitor for and prevent these threats.
- Permanently remove any rogue devices using location tracking. The Cisco Wireless Location Appliance with Cisco Wireless Control System (WCS) can precisely track up to 1500 Wi-Fi devices such as radio frequency identification (RFID) tags, voice over Wi-Fi phones, laptops, and personal digital assistants (PDAs).
Defend the organization from external threats.
- Equip mobile devices with similar security services as the company network (firewalls, VPNs, antivirus software, etc.).
- Ensure mobile device security policy compliance with the Cisco Clean Access network admission control (Cisco NAC) appliance. Figures 2 and 3 illustrate the Cisco NAC Appliance and Cisco NAC Framework architectures.
Figure 2. Cisco NAC appliance architecture for Cisco Unified Wireless Network
Figure 3. Cisco NAC framework architecture for Cisco Unified Wireless Network
Enlist employees in safeguarding the network.
Social engineering is often the most effective tool in helping to secure the network. Most employees are simply not aware of the risks without education. For example, most people do not realize that the simple act of plugging an access point into an Ethernet jack endangers corporate network security. Employee education, including informational posters or security best practices training (such as password selection and privacy), is effective in helping you keep your confidential information and networks secure.
