Month: May 2014
The Hitlist: Corporate WiFi
Many organizations are faced with the decision to implement or to forgo corporate WiFi. There are a number of considerations to weigh, and many of them are business and security related rather than merely technical. Here are some things to consider:
1. Is it necessary?
The first question to ask yourself is whether or not WiFi is necessary, and you must also realize that there are different levels of what is “actually” necessary. If the CEO says that it is necessary to implement WiFi, you must consider the business reason for why it is needed. Would it be used for guest access, internal access, only in conference rooms, or so that tablets can easily access documents? If it's the latter, then there are other far-reaching things to consider regarding compliance (see our first post in this series). Think long and hard about whether WiFi is really necessary, and whether or not the infrastructure, policies and procedures, and executive buy-in are in place to support a well-secured corporate WiFi infrastructure.
2. Hardware
At this point we assume that WiFi is, indeed, necessary. Now, when deciding on what hardware to use, you should use nothing less than enterprise-class hardware, end of story. A home-network-class access point, such as a consumer Linksys or D-Link model, should not be relied upon to protect your corporate network. If you can’t do it right, don’t do it at all.
3. Strong Encryption/Authentication
The encryption should be nothing less than WPA2-Enterprise with 802.1X (LDAP/RADIUS authentication). Another option is certificate-based authentication, so that only devices with corporately issued certificates can connect. If guest access is available, it should have nothing less than WPA2 and one-time passwords issued at a splash screen. These passwords should be issued directly by corporate resources, not in the form of handouts or fliers posted around the office, where they are available to your next-door tenants.
4. Guest WiFi
If guest WiFi is required, it should not be open, as stated above; it should be protected by WPA2 and require one-time passwords for access. Under no circumstances should guest WiFi provide any access to internal network resources. Ideally there would be physical separation from internal resources, but strong logical separation can work as well.
5. Range
Configure the transmit power on the access point antennas so that the signal does not extend far outside of your physical location. There is no reason to broadcast any more than is necessary to provide useful coverage, and you should definitely not be broadcasting your WiFi to anyone outside of your organization.
6. SSID (Network Name) broadcast
There are differing opinions on this, even among my colleagues. I will cover both lines of thought. If the SSID is not broadcast, it helps keep random, non-technical people from attempting to connect to the network, but a well-trained individual can easily get around this. If an SSID is not broadcast, the devices connecting to it are set to connect automatically so that they do not have to be configured every time. This opens those devices up to a rather simple man-in-the-middle attack. So not broadcasting an SSID can offer some obfuscation, but it does not offer any real additional security benefit for the organization. On the other side, if the SSID is broadcast, it’s there for the world to see, and it does not mean the devices won’t automatically connect (though this can be managed through policy). This is a discussion that should be thoroughly investigated for a particular company. My opinion on this is that the SSID should be broadcast, because there should be other security measures already in place.
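To make items 3, 4 and 6 concrete, here is a small audit script (added as an example, not code from the original post) that parses a hostapd-style access point configuration and flags settings that fall below the bar set above: anything less than WPA2-only with CCMP, a corporate SSID that is not doing 802.1X/EAP against a RADIUS server, a guest SSID relying on a static passphrase, and a hidden SSID, which is reported as a judgement call rather than a violation. The sample configuration, the SSID names, the RADIUS address and the corporate/guest role mapping are all constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample hostapd.conf: a corporate BSS configured per items 3 and 6,
# followed by a guest BSS that breaks several of the rules on purpose.
SAMPLE_CONFIG = """
interface=wlan0
ssid=CorpNet
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# RADIUS server (constructed address, placeholder secret)
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-RADIUS-SECRET

bss=wlan0_1
ssid=CorpGuest
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=guest-password-from-the-flyer
rsn_pairwise=TKIP CCMP
"""

# Constructed role mapping: which SSID is corporate and which is guest.
ROLES = {"CorpNet": "corporate", "CorpGuest": "guest"}


@dataclass(frozen=True)
class Finding:
    ssid: str
    severity: str  # "high" for a policy violation, "info" for a judgement call
    message: str


def parse_hostapd(text: str) -> list[dict[str, str]]:
    """Split hostapd.conf text into one key/value dict per BSS.

    hostapd reads the first block as the primary BSS and starts a new one at
    every 'bss=' line; whole-line '#' comments and blank lines are skipped.
    """
    bss_list: list[dict[str, str]] = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "bss":
            bss_list.append({})
        bss_list[-1][key] = value
    return [b for b in bss_list if b]


def audit_bss(bss: dict[str, str], role: str) -> list[Finding]:
    """Check one BSS against items 3, 4 and 6 for the given role."""
    ssid = bss.get("ssid", "<unnamed>")
    findings: list[Finding] = []

    def high(msg: str) -> None:
        findings.append(Finding(ssid, "high", msg))

    def info(msg: str) -> None:
        findings.append(Finding(ssid, "info", msg))

    # Items 3 and 4: nothing less than WPA2. wpa=0 is open, wpa=1 is WPA1 and
    # wpa=3 is mixed mode, which still admits WPA1 clients.
    wpa = bss.get("wpa", "0")
    if wpa != "2":
        high(f"wpa={wpa}: network is not WPA2-only")

    # TKIP is the legacy WPA1 cipher; only CCMP (AES) meets the WPA2 bar.
    ciphers = set((bss.get("rsn_pairwise") or bss.get("wpa_pairwise", "")).split())
    if "TKIP" in ciphers:
        high("TKIP allowed as a pairwise cipher; restrict rsn_pairwise to CCMP")

    key_mgmt = set(bss.get("wpa_key_mgmt", "").split())
    if role == "corporate":
        # Item 3: WPA2-Enterprise means 802.1X/EAP against RADIUS, never a
        # shared passphrase that every current and former employee knows.
        if "WPA-EAP" not in key_mgmt or bss.get("ieee8021x") != "1":
            high("corporate SSID does not use 802.1X/EAP (WPA2-Enterprise)")
        if "WPA-PSK" in key_mgmt:
            high("corporate SSID accepts a pre-shared key")
        if "auth_server_addr" not in bss:
            high("no RADIUS authentication server configured")
    elif role == "guest":
        # Item 4: guest access should still be WPA2, with one-time passwords
        # issued by corporate resources rather than a passphrase on a flyer.
        if "WPA-PSK" in key_mgmt:
            info("guest SSID uses a static shared passphrase; issue one-time credentials instead")

    # Item 6: hiding the SSID is obfuscation, not a control, so report it
    # without failing the audit on it.
    if bss.get("ignore_broadcast_ssid", "0") != "0":
        info("SSID is hidden; treat this as obfuscation, not a security control")
    return findings


def audit_config(text: str, roles: dict[str, str]) -> list[Finding]:
    """Audit every BSS in the config; 'roles' maps SSID -> 'corporate' | 'guest'."""
    findings: list[Finding] = []
    for bss in parse_hostapd(text):
        ssid = bss.get("ssid", "<unnamed>")
        role = roles.get(ssid)
        if role is None:
            findings.append(Finding(ssid, "info", "SSID has no assigned role; classify it as corporate or guest"))
            continue
        findings.extend(audit_bss(bss, role))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG, ROLES):
        print(f"[{f.severity}] {f.ssid}: {f.message}")
```

Run against the sample, the corporate BSS produces no findings, while the guest BSS yields one high finding (TKIP permitted) and two informational ones (static passphrase, hidden SSID). The role mapping is deliberately an input rather than something guessed from the SSID name, because whether a network is "corporate" or "guest" is a business decision the tooling should not infer.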
7. BYOD
Personal devices should not be allowed to connect to the internal network. The only exception that I would consider is devices managed through a mobile device management (MDM) system. Even then, I am hesitant to recommend this because of the lack of anti-malware protection and monitoring on personal devices.
8. Corporate Policy
On the flip side of the previous item, corporate devices should not be allowed to connect to the guest WiFi at all, and especially not while also connected to the physical internal network. This is the equivalent of leaving a window open.
In conclusion, WiFi adds attack vectors to a network, it requires management beyond that of the existing physical LAN, and there are a number of factors that are difficult to manage regarding access, authentication and enforcement. If the business does not require it, and it is only a nice-to-have for convenience, I would consider long and hard whether or not the benefits outweigh the detriments to network security.