Secure Wireless Access
With the consumerisation of IT and the influx of Bring Your Own Device (BYOD) into the corporate environment, whether it be iPads, Android smartphones or Windows laptops, the challenge is the same: how can we provide access to secure corporate resources and networks with minimal intervention and impact on the IT support infrastructure?
Active Directory was never designed to be used in a BYOD environment. In the past one user might have had two devices, such as a laptop and a desktop, but now a user might have several, such as a laptop, a smartphone and a tablet, all of which may require access to corporate resources but in reality should have very different access and restrictions assigned to them.
It is important to make the distinction between what these devices should be able to access when connected to the corporate network and what they can access when connected to a home network accessing corporate resources.
This white paper focuses on devices connecting to the corporate network, whether these be corporate-issued laptops, BYOD mobile phones or a heart monitor in a hospital environment.
The Wireless Local Area Network (WLAN) now needs to be able to identify the device, the location, and the user to make a decision as to which resources should be available.
Mobile workers/Static mobile workers
We live in an ‘always connected’ world, for better or worse depending on your point of view. Arriving at hotels, airports, coffee shops or sports stadiums your device will either be connected already using a mobile network or it will be searching for a free Wi-Fi network to connect to. This could be for work use, social media updates or video chat to family/friends/colleagues.
Giving employees the flexibility to work from home or whilst on the move, but also giving them the choice of using their own devices or home machines can be quite empowering for employees and can also improve productivity.
Like the wired market, there is a huge amount of choice of technology, and with all the wireless standards available the choice is quite complex. Choosing between 802.11a, 802.11b/g and 802.11n while planning for the future 802.11ac can be a headache. Any infrastructure investment must be scalable and should be backward compatible with older standards but also future proof for when new standards become mainstream. The reality is that the number of wireless devices is only going to increase, as will bandwidth requirements, so don't be caught out.
This white paper isn't looking at individual technologies but at the features that need to be considered when choosing a wireless solution. Being vendor agnostic means we at SecureData have the ability to look at multiple technology solutions and recommend the one which is the best fit for your requirements, as some solutions will suit better than others.
Making sure that the solution is secure is of fundamental importance; intrusion detection and prevention systems must be a feature of the solution being selected. Being able to monitor the air and the surrounding network for attacks against the wireless infrastructure should not be overlooked and should be a requirement for providing a secure wireless network.
Firewalls and access
A fundamental feature of any wireless solution should be the ability to firewall traffic and define different types of access, whether this be device or user based. Guest users should be isolated from each other: this is a good way to stop malware from propagating, and it also protects machines and devices from one another.
The ability for the system to apply a role to a user allows for greater granularity when configuring access. My laptop, for example, might see the WLAN as an extension of the network; if my iPhone connects, it might only require access to email and the Internet. The solution should be flexible enough to cater for this, as the number of wireless devices is only going to increase in the future, as will the security and bandwidth requirements.
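The role-based model described above can be made concrete as a small policy engine. The following is an added example, not code from this white paper or from SecureData or any vendor: it maps what the WLAN learns at authentication (user groups, device class, authentication method, access-point location) to a role, and each role to a first-match firewall rule set with a per-role client-isolation flag. The role names, group name "wlan-staff", address ranges and the "public-" location convention are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the WLAN knows about a client once authentication completes."""
    user: str
    groups: frozenset       # Active Directory groups returned with the auth result
    device_class: str       # "corp-laptop", "byod-phone", "printer" or "guest"
    auth_method: str        # "eap-tls", "peap", "psk" or "captive-portal"
    location: str           # access-point group the client associated through


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    dst: str                # destination network in CIDR notation
    ports: frozenset        # empty set means any port


@dataclass(frozen=True)
class Role:
    name: str
    rules: tuple            # first matching rule wins; no match means deny
    client_isolation: bool  # block traffic between clients on the same SSID


ANY_PORT = frozenset()
INTERNET = "0.0.0.0/0"
CORP_NET = "10.0.0.0/8"                                   # constructed corporate range
PRIVATE_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
MAIL_GATEWAY = "10.1.2.10/32"                             # constructed webmail address

ROLES = {
    # Corporate laptop with a device certificate: the WLAN is an extension of the LAN.
    "employee": Role("employee",
                     (Rule("allow", "any", CORP_NET, ANY_PORT),
                      Rule("allow", "any", INTERNET, ANY_PORT)), False),
    # Personal phone authenticated with AD credentials: webmail and Internet only.
    "byod": Role("byod",
                 (Rule("allow", "tcp", MAIL_GATEWAY, frozenset({443})),
                  *(Rule("deny", "any", n, ANY_PORT) for n in PRIVATE_NETS),
                  Rule("allow", "any", INTERNET, ANY_PORT)), True),
    # Printer that cannot do 802.1X: print protocols to the corporate range only.
    "printer": Role("printer",
                    (Rule("allow", "tcp", CORP_NET, frozenset({631, 9100})),), True),
    # Captive-portal guest: Internet only, isolated from other guests and from the LAN.
    "guest": Role("guest",
                  (*(Rule("deny", "any", n, ANY_PORT) for n in PRIVATE_NETS),
                   Rule("allow", "any", INTERNET, ANY_PORT)), True),
    # Anything not recognised gets no access at all.
    "quarantine": Role("quarantine", (), True),
}


def assign_role(s: Session) -> Role:
    """Map the authenticated user, device and location to a role (assumed policy)."""
    if s.device_class == "printer" and s.auth_method == "psk":
        return ROLES["printer"]
    if s.auth_method == "captive-portal":
        return ROLES["guest"]
    if "wlan-staff" not in s.groups:
        return ROLES["quarantine"]
    # Staff on a public-area AP are treated like BYOD even on a corporate laptop.
    if (s.auth_method == "eap-tls" and s.device_class == "corp-laptop"
            and not s.location.startswith("public-")):
        return ROLES["employee"]
    if s.auth_method in ("eap-tls", "peap") and s.device_class in ("corp-laptop", "byod-phone"):
        return ROLES["byod"]
    return ROLES["quarantine"]


def is_allowed(role: Role, proto: str, dst_ip: str, port: int) -> bool:
    """Evaluate one flow against the role's rules; first match wins, default deny."""
    ip = ipaddress.ip_address(dst_ip)
    for r in role.rules:
        if r.proto not in ("any", proto):
            continue
        if ip not in ipaddress.ip_network(r.dst):
            continue
        if r.ports and port not in r.ports:
            continue
        return r.action == "allow"
    return False
```

Two points the code makes that the prose only implies: the same account ("alice") lands in different roles depending on device and location, and the default outcome for anything unrecognised is a quarantine role with no rules, so a policy gap fails closed rather than open.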
Encryption and authentication
The next step is to work out what devices will be connecting to the network (and which network).
Wireless printers, for example, might not support 802.1X EAP-TLS authentication, therefore it is important to decide how these devices are allowed (if at all) to connect to the WLAN and to apply the necessary access filters to them (see Firewalls and access).
The majority of devices will support the ability to authenticate a user against Active Directory, but this means that anyone can authenticate their 'untrusted' device to your wireless network. The challenge then becomes how to securely connect multiple devices using one account while still maintaining the ability to identify each device and apply different rules to it.
The challenge then is to connect the devices to the network without overloading the IT support department.
The solution should provide a simple, streamlined and, if possible, automatic way of enrolling devices onto the network. It's no use having EAP-TLS and an underlying PKI if users are unable to connect their devices to the network without calling their IT department. The problem is compounded further with BYOD: the IT department will not be able to configure and troubleshoot each and every employee- or guest-owned device.
Knowledge is power. If you have the ability to identify which devices are connecting to the WLAN, you have the ability to control what they are able to connect to. An iPhone should not necessarily require the same access to the network as a corporate laptop.
With the ability to identify the user and the device you have the ability to limit the number of devices a user can connect to the WLAN. If a device is lost or stolen, the credentials can be locked for that individual device, meaning that Active Directory credentials do not need to be reset for all devices, just the device that has been reported lost or stolen.
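The enrolment, per-user device limit and per-device revocation described in the last three paragraphs can be modelled as a small device registry. The code below is an added example, not part of this white paper and not any vendor's or SecureData's implementation. It assumes that after a user authenticates once with Active Directory credentials the system issues a credential bound to that one device (in an EAP-TLS deployment this would be a client certificate, and the `device_id` here stands in for its serial), and that the RADIUS server checks that credential against the registry on every connection. The limits, lifetimes and method names are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class DeviceRecord:
    device_id: str        # stands in for the serial of a per-device EAP-TLS certificate
    user: str             # Active Directory account the device was enrolled under
    device_class: str     # e.g. "corp-laptop", "byod-phone"
    issued: datetime
    expires: datetime
    revoked: bool = False


class DeviceRegistry:
    """Per-device credentials issued against one AD account (assumed design)."""

    def __init__(self, max_devices_per_user: int = 3, lifetime_days: int = 365):
        self.max_devices_per_user = max_devices_per_user
        self.lifetime = timedelta(days=lifetime_days)
        self.devices: dict[str, DeviceRecord] = {}
        self.disabled_users: set[str] = set()

    def active_devices(self, user: str, now: datetime) -> list[DeviceRecord]:
        """Devices that still count against the user's quota."""
        return [d for d in self.devices.values()
                if d.user == user and not d.revoked and d.expires > now]

    def can_enroll(self, user: str, now: datetime) -> bool:
        return (user not in self.disabled_users
                and len(self.active_devices(user, now)) < self.max_devices_per_user)

    def enroll(self, user: str, device_class: str, now: datetime) -> str:
        """Called once the user has authenticated with AD credentials (for example on
        an onboarding SSID); issues a credential bound to this device only."""
        if not self.can_enroll(user, now):
            raise PermissionError(f"{user} cannot enrol another device")
        device_id = secrets.token_hex(8)  # random identifier; a real CA assigns the serial
        self.devices[device_id] = DeviceRecord(
            device_id, user, device_class, now, now + self.lifetime)
        return device_id

    def revoke(self, device_id: str) -> None:
        """Lost or stolen device: only this credential stops working; the AD
        password is untouched and the user's other devices keep connecting."""
        self.devices[device_id].revoked = True

    def disable_account(self, user: str) -> None:
        """Leaver or compromised account: every device under it is refused."""
        self.disabled_users.add(user)

    def authorize(self, device_id: str, now: datetime) -> tuple[bool, str]:
        """Decision the RADIUS server would make when a device presents its credential."""
        rec = self.devices.get(device_id)
        if rec is None:
            return False, "unknown device"
        if rec.revoked:
            return False, "credential revoked"
        if rec.expires <= now:
            return False, "credential expired"
        if rec.user in self.disabled_users:
            return False, "account disabled"
        return True, f"{rec.user}/{rec.device_class}"

    def purge_expired(self, now: datetime) -> int:
        """Housekeeping so old devices do not linger in the system; an expired
        credential can no longer authenticate, so its record can go."""
        stale = [k for k, d in self.devices.items() if d.expires <= now]
        for k in stale:
            del self.devices[k]
        return len(stale)
```

The quota is counted over live credentials only, so revoking a lost phone frees a slot for its replacement, and the expiry-driven purge is the same housekeeping that stops old devices and guest accounts from accumulating as deployments grow.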
Mobility has never been easier or more important. Sales offices, regional offices, global offices: wherever users are, they expect to be able to connect to the corporate wireless network. A solution that is able to provide a global standard of connectivity is essential, not only for the staff moving around the globe but also for the staff supporting these mobile users.
A centralised deployment makes for easier management of SSIDs, authentication and support. If the same system is used across the globe then there will be no technology overlap and no "I can connect in this office, why can't I connect in that office". One security and access policy can be easily managed from one location.
Any wireless solution needs to be aware of the air around it. It needs to be smart enough to know when channels are busy and when there is interference, and to adapt as necessary. With higher bandwidth now available and gigabit speeds around the corner, a system that is able to handle the number of users, the bandwidth and the interference seamlessly is critical.
Wireless is fast becoming as critical as the wired network. Whether this is for user access to systems on the LAN, wireless security cameras or health monitoring equipment in hospitals, the demand is there and will keep growing; TVs, printers, speakers and the like all have wireless connectivity now, and some of them will require access to the corporate or guest WLAN.
Large or Small
There should be no difference in functionality between a large campus deployment and a smaller scale deployment, such as a few access points in a local coffee shop.
All deployments should be secure, as fast as necessary and manageable. Without this, guest networks become overrun by old accounts and corporate networks quickly become insecure because old credentials and devices are not removed from the systems.
The solution should be fully functional regardless of its size or complexity.