Wireless technology is dramatically changing the way companies operate.
Employees have immediate access to business-critical applications and
information from anywhere in the office, enabling them to respond to customers
and colleagues in real time. The result is increased productivity and enhanced
customer service. Consequently, work has become less of a place to go and more
of an activity that can be conducted from anywhere.
However, wireless networks pose inherent security risks as they eliminate
physical boundaries for the network. No organization can afford this convenience
at the expense of network security.
Today's concerns
The old network paradigm of the wired user going to where the data resides is
obsolete. The growing popularity of wireless LANs brings the data to the user,
yielding a more productive and efficient workforce. Mobile users access the
network from anywhere in range of the wireless network, at any time. However,
despite the overriding benefits, business owners and network administrators have
legitimate concerns about implementing and managing wireless access to the
network. Wireless networks introduce a number of critical security risks and
challenges, making it important to implement strong security measures to
mitigate these risks.
Stand-alone access points
The initial wave of wireless technology consisted of stand-alone access points (APs).
These products simply aggregated 802.11 wireless traffic. There was no
centralized management and it was challenging to create a larger, more
distributed wireless network that maintained consistent performance as users
roamed. Scalability was also an issue, since each AP required local management.
More importantly, stand-alone APs offered no centralized security policies. The
basic level of built-in security, usually WEP (Wired Equivalent Privacy) or,
increasingly, WPA (Wi-Fi Protected Access) with a pre-shared password, gave
unsuspecting users a false sense of security.
Secure wireless gateways
In response to growing security concerns, some vendors have developed secure
wireless gateways, a separate device that can be added to the existing network.
Operating in conjunction with other vendors' APs, gateway security appliances
apply security and management policies to all WLAN traffic. However, they don't
manage the AP devices themselves, which means firmware upgrades or radio tuning
must be individually applied to each AP, consuming a greater amount of resources
than a centralized solution.
Combined switch and access points
Most recently, the industry has seen the introduction of a single vendor
wireless switch combined with manageable APs. The drawbacks to this type of
solution are cost and management. It requires an additional wireless-specific
switch with a specific WLAN management system that runs alongside a company's
existing LAN management platform, so business owners are still left with two
parallel networks. This type of solution would still be prone to the more evasive
and dynamic threats presented by application-level malware such as viruses,
spyware, worms and phishing attacks.
Today's challenge
Network and security administrators are seeking ways to protect their wireless
networks from the very same threats against which they must diligently guard
their wired networks. Data security is reported as the primary reason for
organizations not implementing wireless LANs. Similar to data transmitted from
the Internet, one cannot be sure of where wireless data entering the network
originates since it is transmitted through walls and buildings. Therefore, as
with data from the Internet, the wireless network must be treated as 'untrusted'
and segmented from the internal network.
Although all three of the product categories detailed earlier address valid
wireless needs and concerns, they ignore network administrators' requirement
for a secure and convenient method of applying the same robust level of security
on the wireless network that currently exists on their wired network, without
implementing a parallel wireless network and a separate management system.
Guarding against a more sophisticated class of threats tends to consume a far
greater amount of resources, so duplication of these sorts of threat management
systems for a wireless network is not practical.
Key security requirements
The basis of a sound wireless security strategy requires the following
guidelines:
- Apply the same security policies to the wireless network as to any other
untrusted network.
- Implement a layered security approach, starting with a robust firewall and
then adding a dynamically updated database containing thousands of attack
and vulnerability signatures.
- A layered approach results in a complete security solution that protects
your network against a comprehensive array of dynamic threats, including:
viruses, worms, Trojans, software vulnerabilities (such as buffer
overflows), peer-to-peer and instant messenger applications, backdoor
exploits and other malicious code.
- Apply the same security policies for wireless clients connecting through
the wireless network as you would to remote users connecting through the
Internet to the internal trusted network.
Demand proven security
Any user crossing an untrusted network to get to an internal network must use
IPSec VPN client software on their computers (laptops, home office desktops or
branch office workstations). IPSec has been the standard for many years and has
proven to be rock solid in providing everything from VPN access over the
Internet to secure communication for financial transactions. The VPN client
addresses authentication and traffic encryption with the internal network
gateway.
Although the main standard for WLAN specific encryption lies in the IEEE
802.11i standard, the convenience of utilizing IPSec VPN lies in its dual
purpose flexibility. User credentials and privileges remain the same whether the
employee is away from the office or using a wireless connection in a meeting
room. A secure wireless access solution should have the flexibility to provide
both IPSec VPN access over the WLAN and support WLAN encryption standards such
as IEEE 802.11i.
Centralized security products implementing wireless security must also be
able to differentiate between trusted and untrusted networks and enforce
security policies on all traffic traversing the network. A company should employ
a user database to identify users for the purpose of granting access and
tracking usage for accountability. One user database should be shared between
the wired and wireless networks so the network administrator does not have to
maintain two discrete databases.
Require rogue access point detection
Rogue AP detection is necessary to ensure there are no backdoor vulnerabilities
introduced into the network through the addition of an unauthorized AP to the
network. This requires the ability to conduct on-demand and scheduled scans of
the radio frequency (RF) spectrum to locate, log and alert network
administrators of neighboring APs.
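The inventory comparison that turns a scan into an alert, as an added example that is not from the article or SonicWALL: each scanned AP is checked against the list of APs the administrator actually provisioned, and anything unknown, or known but not configured as pushed from the central console, is logged with a severity. The BSSIDs, SSIDs, channels and severity rules are constructed assumptions.

```python
"""Rogue access point check against the administrator's AP inventory.
Added example, not SonicWALL's code: the inventory, the scan results and
the severity rules are constructed to illustrate the article's point."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Ap:
    bssid: str
    ssid: str
    channel: int
    encryption: str  # "wpa2", "wep" or "open"

# Constructed inventory of the APs actually provisioned (keyed by BSSID).
AUTHORIZED = {
    "00:11:22:33:44:01": Ap("00:11:22:33:44:01", "corp-wlan", 1, "wpa2"),
    "00:11:22:33:44:02": Ap("00:11:22:33:44:02", "corp-wlan", 6, "wpa2"),
}
CORP_SSIDS = {ap.ssid for ap in AUTHORIZED.values()}

def classify(seen: Ap) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one scanned AP, or None if it is in order."""
    known = AUTHORIZED.get(seen.bssid.lower())
    if known is None:
        if seen.ssid in CORP_SSIDS:
            # A radio we did not deploy is advertising our network name:
            # clients may associate with it instead of an authorized AP.
            return ("high", "unknown BSSID advertising a corporate SSID")
        if seen.encryption in ("open", "wep"):
            return ("medium", "unknown AP with weak or no encryption in range")
        return ("low", "unknown neighboring AP")
    if (known.channel, known.encryption) != (seen.channel, seen.encryption):
        # Our hardware, but not the configuration the central console pushed.
        return ("medium", "authorized AP deviates from provisioned config")
    return None

def scan_report(scan):
    """Classify every scan result; return (bssid, severity, reason) alerts, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    alerts = [(ap.bssid, *c) for ap in scan if (c := classify(ap))]
    return sorted(alerts, key=lambda a: order[a[1]])
# Constructed results of one scheduled RF scan.
SCAN = [
    Ap("00:11:22:33:44:01", "corp-wlan", 1, "wpa2"),    # matches inventory
    Ap("00:11:22:33:44:02", "corp-wlan", 11, "wpa2"),   # moved off channel 6
    Ap("aa:bb:cc:dd:ee:01", "corp-wlan", 6, "open"),    # rogue using our SSID
    Ap("aa:bb:cc:dd:ee:02", "cafe-free", 11, "open"),   # open neighbor
    Ap("aa:bb:cc:dd:ee:03", "neighbor-co", 36, "wpa2"), # encrypted neighbor
]
```

A scheduled job would feed real scan output into `scan_report` and forward the "high" entries to the administrator as the article's alerting step.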
Address evolving threats and productivity issues
Network attacks are evolving
rapidly and becoming more sophisticated. A stateful packet inspection firewall
and VPN solution are necessary, but no longer sufficient to ensure network
integrity and comprehensive security. Regardless of the type of network, it is
imperative for business owners and network administrators to take the necessary
security precautions to avoid being vulnerable to blended attacks. These types
of attacks arrive through e-mail and attachments, are embedded in web pages, or
are transmitted through peer-to-peer applications. Security solutions such as
gateway anti-virus, anti-spyware and intrusion detection and prevention are
required to mitigate these types of blended attacks. The centralized security
solution should apply security services to all network traffic and between
network segments in combination with traditional firewall and VPN policies.
Ensure ease of management and TCO
The integration of wireless and wired security into one platform should include
the capability to configure and manage both wired and wireless networks, and
enforce corporate security policies for the networks from a single central
management interface. This eliminates the need to train administrators on
multiple security management platforms, as well as the need to perform redundant
management activities. Central control of logging and reporting of auditable
network activities should also be included.
An effective wireless security solution must allow the network administrator
to communicate with hundreds of access points without having to deal with each
one individually. Single security management requires the ability to manage and
configure all access points from one central management interface, and security
policy updates should be automatically provisioned to each access point from the
central console.
Easily deploy wireless guest Internet access
A wireless security solution must provide easy-to-deploy, extemporaneous guest
access to public resources such as the Internet, while ensuring that guests
cannot reach trusted network resources such as the wired LAN. The challenge is
in the ability to
simultaneously support a wireless environment where trusted users can access
network resources while still providing the continuity of guest access to
visitors, without the need to deploy a separate, parallel network. To accomplish
this goal, the security solution must provide guest access services with
authentication mechanisms that differentiate guest users from trusted wireless
users, and provide different levels of access based on the user and the company's
acceptable use policies.
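The zone model that the key security requirements, the IPsec VPN section and the guest-access section above describe, as an added example that is not from the article or SonicWALL: a small Python policy check that treats the WLAN exactly like the Internet, admits only IPsec VPN traffic toward the trusted LAN, confines guests to the Internet, and audits constructed flow records against those rules. The zone names, the IPsec port set and the log format are assumptions.

```python
"""Zone policy check for the article's 'treat the WLAN as untrusted' model.
Added example, not SonicWALL's code: zone names, the IPsec allow-set, the
flow format and the sample log lines below are all constructed."""
from dataclasses import dataclass
TRUSTED = "lan"                   # internal wired network
UNTRUSTED = {"wlan", "internet"}  # treated identically, per the article
GUEST = "guest"                   # visitors: public resources only
# Only what an IPsec VPN client needs may cross from an untrusted zone to the
# trusted one: IKE on UDP 500/4500 and the ESP tunnel traffic itself.
IPSEC_ALLOWED = {("udp", 500), ("udp", 4500), ("esp", 0)}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int

def decision(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one flow under the article's guidelines."""
    if flow.src_zone == GUEST:
        # Guests get the Internet and nothing else, wired LAN included.
        return "allow" if flow.dst_zone == "internet" else "deny"
    if flow.src_zone in UNTRUSTED:
        # A wireless client is handled like a remote Internet user: the only
        # path inward is the VPN tunnel terminating on the internal gateway.
        ipsec = (flow.proto, flow.dport) in IPSEC_ALLOWED
        return "allow" if flow.dst_zone == TRUSTED and ipsec else "deny"
    if flow.src_zone == TRUSTED:
        return "allow"  # trusted users reach any zone; replies ride the stateful firewall
    return "deny"       # unknown zone: default deny

def audit(lines):
    """Parse constructed 'src dst proto dport' lines; return the denied flows."""
    denied = []
    for line in lines:
        src, dst, proto, dport = line.split()
        flow = Flow(src, dst, proto, int(dport))
        if decision(flow) == "deny":
            denied.append(flow)
    return denied
SAMPLE_LOG = [  # constructed flows, as a segmentation firewall might log them
    "wlan lan udp 500",        # IKE from a wireless VPN client: allowed
    "wlan lan esp 0",          # the tunnel traffic itself: allowed
    "wlan lan tcp 445",        # SMB straight from the WLAN, no VPN: denied
    "guest internet tcp 443",  # visitor browsing: allowed
    "guest lan tcp 80",        # visitor reaching for the wired LAN: denied
    "lan internet tcp 443",    # trusted user outbound: allowed
    "internet lan tcp 22",     # inbound from the Internet, no VPN: denied
]
```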
Plan for growth
A wireless security solution must be easy to deploy and scale, while providing
an efficient transition from legacy wireless networks. Scalability is essential.
Organizations with large campuses may need hundreds of access points and a
wireless security solution can simplify deployment by automating the initial
provisioning of the access points, as well as automating large-scale changes
such as distribution of new firmware and configurations. Wireless security
solutions should also be transparent to the user, without requiring supplicant
software that is difficult to deploy and manage, or other changes to their
devices.
Summary
Regardless of whether the network is wired or wireless, steps should always be
taken to preserve network security and integrity. Because the strongest security
approach is to treat your wireless network with the same distrust as the
Internet, a gateway security appliance should be deployed which can centrally
manage and enforce security on both the wired and wireless networks as well as
segment the untrusted network from the internal network.
A comprehensive firewall appliance that has multiple integrated security
functions and integrated wireless functionality offers the most effective and
efficient way of providing rock solid protection for your network, both wired
and wireless.
Disparately viewed and managed wired and wireless networks are destined for
obsolescence. Wireless security must move in a new direction with solutions that
converge both wired and wireless networks in a cost-effective, efficient and
highly secure platform. Only this type of comprehensive solution can address the
needs of all classes of network user and network administrator.
By: John DiLullo
The author is VP-Worldwide Sales, SonicWALL