Securing Wireless Networks

You might not be able to see your wireless network, but securing it should be a top priority.

Security is a top concern among those interested in deploying wireless networks. Fortunately, both user knowledge about security and the solutions offered by technology vendors are improving. Today's wireless networks feature comprehensive security capabilities, and when these networks are properly protected, companies can confidently take advantage of the benefits they offer.

"Vendors are doing a good job of improving security features, and users are getting an understanding of wireless security," says Richard Webb, the directing analyst for wireless local-area networks (LANs) at Infonetics Research. "But all threats are still considered important, and vendors continually need to address the lingering perception that wireless LANs are insecure."

Indeed, security is the biggest barrier to the adoption of wireless LANs. And it's not just a big-company worry. When it comes to wireless networking, "security is still the No. 1 concern for companies across all sizes," says Julie Ask, research director at Jupiter Research.

Gaining a better understanding of wireless LAN security elements and employing some best practices can go a long way toward enabling you to reap the benefits of wireless networking.

Wireless Security Elements

Three actions can help to secure a wireless network:

  • Protecting data while it's being transmitted through encryption: In a basic sense, encryption is like a secret code: It translates your data into gibberish that only the intended recipient understands. Encryption requires that both the sender and receiver have a key to decode the transmitted data. The most secure encryption uses very complicated keys, or algorithms, that change regularly to protect data.
  • Discouraging unauthorized users through authentication: Unique logins and passwords are the basis of authentication, but additional tools can make authentication more secure and reliable. The best authentication is per-user, per-session mutual authentication between the user and the authentication source.
  • Preventing unofficial connections through the elimination of rogue access points: A well-meaning employee who enjoys a wireless network at home might purchase a cheap access point and plug it into a network jack without asking permission. These are known as rogue access points, and the majority of these are installed by employees, not malicious intruders. Checking for rogue access points isn't difficult. There are tools that can help, and checking can be done with a wireless laptop and software in a small building or by using a management appliance collecting data from your access points.
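
An added example (not part of the original article) of the laptop-and-software check described in the last item: it compares a wireless survey against an inventory of approved access points. The inventory, SSIDs, column layout and scan rows are all constructed for illustration.

```python
import csv
import io

# Constructed inventory of approved access points: BSSID -> expected SSID.
AUTHORIZED = {
    "00:11:22:33:44:01": "CorpWLAN",
    "00:11:22:33:44:02": "CorpWLAN",
    "00:11:22:33:44:03": "CorpGuest",
}
ACCEPTED_SECURITY = {"WPA", "WPA2"}  # the certifications the article recommends

# Constructed survey export; the column layout is an assumption.
SAMPLE_SCAN = """bssid,ssid,security,signal_dbm
00:11:22:33:44:01,CorpWLAN,WPA2,-48
00-11-22-33-44-02,CorpWLAN,WEP,-55
AA:BB:CC:00:00:10,CorpWLAN,WPA2,-40
AA:BB:CC:00:00:11,linksys,OPEN,-42
00:11:22:33:44:03,CorpWLAN,WPA2,-60
"""

def normalize(bssid):
    # Survey tools differ in case and separator; compare one canonical form.
    return bssid.strip().lower().replace("-", ":")

def classify(row, authorized=AUTHORIZED):
    bssid, ssid = normalize(row["bssid"]), row["ssid"].strip()
    if bssid not in authorized:
        # Not in the inventory: using a company SSID is the more urgent case.
        if ssid in set(authorized.values()):
            return "unapproved-ap-using-company-ssid"
        return "unlisted-ap"  # may be a neighbor; needs a wired-side check
    if ssid != authorized[bssid]:
        return "approved-ap-wrong-ssid"
    if row["security"].strip().upper() not in ACCEPTED_SECURITY:
        return "approved-ap-weak-security"
    return "ok"

def survey(scan_text, authorized=AUTHORIZED):
    findings = []
    for row in csv.DictReader(io.StringIO(scan_text)):
        verdict = classify(row, authorized)
        if verdict != "ok":
            findings.append((normalize(row["bssid"]), row["ssid"],
                             verdict, int(row["signal_dbm"])))
    # Strongest signal first: the closest device to walk to and inspect.
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for bssid, ssid, verdict, dbm in survey(SAMPLE_SCAN):
        print(f"{dbm:>4} dBm  {bssid}  {ssid:<10} {verdict}")
```

A radio survey alone cannot show whether an unlisted access point is plugged into your network, so each "unlisted-ap" finding still needs to be traced to a switch port or ruled out as a neighbor's device.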

Wireless Security Solutions

Three solutions are available for secure wireless LAN encryption and authentication: Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and virtual private networking (VPN). The solution you select is specific to the type of wireless LAN you're accessing and the level of data encryption required:

  • WPA and WPA2: These are standards-based security certifications from the Wi-Fi Alliance for enterprise, SMB, and small office or home office wireless LANs that provide mutual authentication to verify individual users and advanced encryption. WPA provides enterprise-class encryption and WPA2, the next generation of Wi-Fi security, supports government-grade encryption. "We recommend WPA or WPA2 for enterprise and SMB wireless LAN deployments," says Jeremy Stieglitz, a product manager in the Wireless Networking Business Unit at Cisco. "WPA and WPA2 provide secure access control, strong data encryption, and they protect the network from passive and active attacks."
  • VPN: VPN provides effective security for users wirelessly accessing the network while on the road or away from the office. With VPN, users create a secure "tunnel" between two or more points on a network using encryption, even if the encrypted data is transmitted over unsecured networks such as the public Internet. Home-based teleworkers with dial-up or broadband connections can also use VPN.

Wireless Security Policy

In some cases, you may have different security settings for different users, or groups of users, on your network. These security settings can be established by using a virtual LAN (VLAN) on the access point. For example, you can set up different security policies for distinct user groups within your company such as finance, legal, manufacturing, or human resources. You can also set up separate security policies for customers, partners, or visitors accessing your wireless LAN. This allows you to cost-effectively use a single access point to support multiple user groups with different security settings and security requirements, all while keeping your network secure and protected.

Wireless LAN security, even when integrated with overall network management, only works if it's turned on and used consistently across the entire wireless LAN. That's why user policies are also an important part of good security practices. The challenge is to devise a wireless LAN user policy that's simple enough that people will abide by it, but secure enough to protect the network. Today, that's an easier balance to strike because WPA and WPA2 are built into Wi-Fi certified access points and client devices.

Your wireless LAN security policy should also cover when and how employees can use public hot spots, the use of personal devices on the company wireless network, the forbidding of rogue devices, and a strong password policy.

Practical Steps You Can Take

  1. Turn on the security features inherent in your access points and interface cards. This is usually done by running a software program that came with your wireless equipment.
  2. The same program that turns on your wireless security features will probably also show what firmware version your access points use. (Firmware is software used by devices such as access points or routers.) Check the device manufacturer's Web site for the most current firmware version and update your access point if it's not current. Updated firmware will make your wireless network more secure and reliable.
  3. Check to see what security resources your hardware vendor offers. Cisco, for example, offers an array of hardware and software products designed to enhance wireless security and simplify network management.
  4. If you are not capable of, or interested in, deploying and maintaining a secure wireless LAN, consider hiring a value-added reseller, network implementer, or other supplier of wireless networking gear to help, or enlist the aid of an outsourced managed security service, many of which have wireless security offerings.

No matter how you proceed, do it in an organized fashion. "Security is definitely something that has to be planned for, just like managing the network, providing coverage and access, and so forth," says Jupiter's Ask. "But it shouldn't be a barrier to the deployment of a wireless LAN."
