Wayne Rash has been writing technical articles about computers and networking since the mid-1970s. He is a former columnist for Byte Magazine, a former Editor of InternetWeek, and currently performs technical reviews of networking, wireless, and data center products. He is the former Director of Network Integration for American Management Systems and is one of the founders of the Advanced Network Computing Laboratory at the University of Hawaii. He is based in Washington, DC, and can be reached at firstname.lastname@example.org.
Wireless communication is ubiquitous in the enterprise, just as you’ll find it everywhere else, from your home to the stores in your local mall, and even on many airlines and passenger trains. This wide availability makes it easy to use wireless, but it also means that the threats to your security are vast. Fortunately, it is possible to keep your communications secure and your devices safe, but it can take some planning and some work.
Compounding the complexity of the wireless landscape, there are many types of wireless that your organization can be using. The most common are WiFi and cellular communications, but as we’ll see, there are plenty of others. You have to take all of these types of communications into account when securing your wireless presence, and you need to be prepared to make some changes to the ways you use wireless in some cases.
Wireless in the Enterprise
When you think about the use of wireless in your organization, your first thoughts probably go towards WiFi, which is the form of wireless you’ll find in offices and office buildings. But cellular wireless is also routinely used – although sometimes unofficially – within most organizations. Here’s a look at each type, and how it's used:
- WiFi – this is the wireless networking you’re probably most familiar with. It exists in most organizations, but you’ll also encounter it at Starbucks and other public environments. WiFi can be secure, but it’s frequently open, public and not safe for enterprise communications. Note that if you offer WiFi to guests at your facilities, it must be a separate network. See the section on Guest Access below.
- Fixed point to point wireless – This type of communication exists in the background at many organizations. It’s a link between buildings and is sometimes found in metropolitan areas that normally use either microwaves or lasers. While it can be secure, it’s not that way unless you impose some sort of encryption – and interception is easier than you might think.
- Cellular data – Your cell phone uses cellular data, of course, and so do your tablets and some of your laptop computers. These devices connect using public cellular networks that tap into the public telephone network. Normally these communications are encrypted, but the encryption algorithms are sometimes broken.
- Bluetooth – This is a type of short-range communications usually used to connect your cell phone to the electronics of your vehicle, but it can be used for anything from device controls such as mice and keyboards to connecting headsets and entertainment devices. Bluetooth is encrypted, and its short range makes it harder to crack.
- Proprietary and IoT wireless – The various devices that you use to run your business may include anything from inventory counters to machine controllers to telemetry devices that frequently use wireless communications – and in many cases are not secure. In those situations where security is possible, you usually have to take proactive action to change the configuration to something secure.
- Radio and voice communications – This includes devices such as 2-way radios, which may be analog devices with no security provisions, or they may be digital radios that include encryption. You may not have any control over the frequencies used, but your licensing should allow encryption. You do need to make sure that the radios also support encryption.
Why Wireless Networking is Different
The challenge to wireless networking is that the radio signals on which it depends travel through the public airwaves. Once in the public airwaves, those signals can be intercepted by anyone with a compatible radio receiver. Unfortunately, you have little control over where those signals travel once they’re transmitted.
Of course, this flexibility is the primary reason wireless communications is so attractive. You don’t have to be in a specific location to connect with your organization’s network. Unfortunately, neither do the people who would like to intercept your communications. This means that in addition to possible interception, there are people who can create phony hotspots and rogue wireless access points. Depending on what sort of encryption you’re using this may make your communications essentially unprotected.
Adding to the complexity of securing wireless networking, it’s very difficult to control who has access to a wireless device. Virtually all laptops and tablets contain a WiFi radio. While it’s possible to disable the WiFi radio when you set up a laptop, this may be impractical since it would limit how your employees communicate. Disabling WiFi would effectively render tablet devices useless since few have any provision for wired networking.
But it gets worse. WiFi hotspots are widely available, and they’re cheap. It’s not uncommon for employees to buy a hotspot and plug it into a wired Ethernet connection in their office, and the chances of their remembering (or bothering) to set up secure communications or a secure password are slim. Once this happens, their communications with their personal hotspot are freely accessible to anyone. Worse, the new rogue hotspot opens the network up to the outside world. Fortunately, many WiFi controllers and most intrusion detection appliances can spot rogue hotspots, but you still have to locate them and physically remove them.
Basics of Wireless Security
Securing your wireless communications isn't especially difficult for most organizations, but it does require adherence to a lot of details, all of which are important. For the most part, those details can be looked at as a sort of checklist, every step of which must be followed when configuring an access point or router and when configuring a wireless endpoint. Most of the steps on the checklists apply to WiFi connections, if only because so few wireless devices of other types have much flexibility when it comes to security.
In fact, the best way to look at wireless security for your devices is to eliminate any wireless device that can't be made to fit your security requirements. If elimination isn't possible because the device is necessary and can't be modified, then it must be on its own network segment and its own firewall connection at a minimum.
The first steps in securing your wireless networks aren't hard, but each one must be followed:
- Change defaults – Do not use the default settings on your wireless access points or routers. This means using a different network numbering scheme, different service set identifiers (SSID), and password. You should also enable WPA2-PSK (AES) or WPA2-Enterprise encryption. That list of acronyms means wireless protected access v.2, which is the only version that's even remotely secure, AES (advanced encryption standard) is widely accepted as being very secure as long as it's using 256-bit encryption. The enterprise version of WPA means that it uses RADIUS authentication.
- Control Access using MAC addresses – Set your access point, your router or your firewall to allow only specific MAC (media access) addresses to communicate. These are permanent hardware addresses for endpoints, and that means that endpoints without a listed MAC address can't join the network.
- Encryption – The only acceptable level of wireless encryption is 256-bit pre-shared key (PSK) or better.
- Control the Information you Broadcast such as SSID – The default for most wireless access devices is to broadcast the SSID, which makes it easy to find the network, so make sure you turn the SSID broadcast off. That SSID is the network name you see when connecting to a WiFi network.
- Firewalls and Intrusion Prevention (including through wireless controllers) – Most firewalls have the ability to treat your wireless network as a separate network, and so do most enterprise routers and switches. A wireless network has unique vulnerabilities, and it must be on a separate network for proper security management. In addition, wireless devices with limited security capabilities must be on a separate network of their own.
- Monitor malware intrusions – Your next generation (NG) firewall can inspect incoming packets and detect malware. This needs to be part of your wireless security.
Some devices, especially devices for certain medical, inventory or manufacturing capabilities, include wireless communications. The communications may or may not be a form of WiFi, but in any case they need to be secure. While in some cases you can make do with unsecured devices on a separate network, if the devices are delivering information for which protection is required, then they must be made secure or be replaced. Despite the cost, it's probably cheaper than paying the fines for a HIPPA violation.
Deter Sniffing with Intrusion Detection
Intrusion detection is part of the suite of capabilities for some firewalls, network managers and other security appliances. These devices can detect when an unauthorized device appears on the network, and in some cases can block network access, or disassociate the device from the wireless network.
Be aware of fixed wireless sniffing and intrusion. This is a primary threat for point-to-point and fixed wireless communications, in which the signal is detected and captured by a receiver in the RF or laser signal pattern. Even capturing and recording the signal can be a threat, because it may be possible to break your encryption given enough time.
Manage Signals to Avoid Wireless Interference and Spoofing
Finally, you need to retain control of your signal. An important means of minimizing interception of your wireless signal is to make sure it travels as little as possible outside the confines of your own space. This can be accomplished through proper antenna design and proper signal patterns, but is usually beyond the technical capacity of most network managers. If your data is extremely sensitive, you may need to bring in specialized engineering help, or even deny wireless access to devices with such data.
Wireless interference and spoofing are security threats that aren't intended to steal your data as much as they're intended to keep you from using your network. In some cases, employees can open insecure holes in your network, and in others interference is affecting your network adversely, but is not being done intentionally.
Spoofing happens when an outsider introduces an access point that appears to be part of your network. This access point is used to gather traffic for later analysis. A specialized type of spoofing happens when someone sets up a WiFi radio that's designed to appear like one that's already in use so that wireless devices will connect to it rather than to the real access point. This kind of "man in the middle" attack is common where you find public hotspots, which is a significant reason not to allow your employees to work at Starbucks or other locations using a public WiFi access point.
If you find that it’s essential that your employees use open public hotspots, then their communications with their office network must use a VPN to protect the content. Your network configuration can enforce the use of such a VPN by simply not allowing outside access by any other means.
Don’t Drown in Packet Flooding or Fall into Rogue Access Points
An easy way to make an organization’s wireless communications stop working is Packet Flooding. This refers to flooding the airwaves with radio signals intended to disrupt your communications. Just the sheer amount of radio energy can prevent communications. Such interference is illegal, but to report it, you must first locate the source of the interference. When it's found, you can call law enforcement, and the Federal Communications Commission can (and frequently will) find ways to take them off the air. But if you can figure out who is causing the disruption, and convince them to stop, it'll go away a lot sooner.
Rogue access points are usually the result of an employee bringing an inexpensive wireless router into the office and connecting it to your company network. They usually do this because a wireless signal isn't available to them. Your wireless network controller can find these rogue devices, and some controllers can disable them. But a more permanent fix is to find out why the employee brought the rogue into the office, and if possible fix that problem as well.
Innocent Interference can be an Unintended Culprit
Not all interference with your wireless networking is intentional and not all interference is malicious. From time to time you may discover network interference from other services on the same frequency, and you may have interference from non-communications devices. If you find such interference from licensed services, your only choice is to move to a difference frequency because most wireless networking uses unlicensed frequencies. Users of such frequencies are not protected against interference from licensed services. In addition, some devices, such as microwave ovens, also produce radio signals in the same frequency range as wireless networking. Your only choice there might be to buy a new microwave.
It's good security practice not to allow your wireless communications to escape into the outside world if you can avoid it. You can get a good idea of your signal footprint using some commercially available software that can work with your wireless controller, but you'll probably get more accurate results by hiring an engineering firm that specializes in wireless security to perform a site survey. Unless you change your network, you only need to do this once.
If possible, don't allow outsiders to access your organization's network. If you must provide guest access, do it with a separate network that has no connection to your home network, and which only allows access to the internet.
If you must allow guests to use wireless networking, then set up a guest network that's totally separate from your organization's production network, and don't allow any interconnections for any reason. Meanwhile, configure your employees' wireless devices to prevent some insecure practices, such as peer to peer networking.
Managing the Internal Network Connection with Segmentation
One of the most effective ways to ensure any sort of network security, regardless of whether it's wireless, is to segment the network so that each part is dedicated to a specific purpose or function. For example, the accounting department should be on a separate network from sales, which should also be separate from engineering and manufacturing. This applies to wireless networking as well because of the unique vulnerabilities of a wireless connection, and as mentioned above, any guest networks should be on yet another separate network, preferably one that's dedicated to such use, and which has no connection whatsoever to your corporate or production networks.
Your network should include internal firewalls, so that users on one part of the network, for example in sales, can't get to an unrelated part, such as the accounting department. Failure to create separate, firewalled, segments was a key failure that was directly related to the recent Target breach.
Assess your accessibility
Correct placement of access points on your wireless network is important in providing effective wireless access for your employees and for any other networked devices. You need to have enough access points (APs) to provide good radio coverage, but you don’t want so many that you're projecting radio signals long distances from your building. Because of variations in the way your building will interact with the microwave energy used in wireless networking, you may benefit from having your wireless networking implementation designed by a qualified engineer.
The type of access points in use on your network can also affect your wireless security. A smart AP can handle much of the task of authentication directly at the network edge, but your existing authentication system may not allow that. In some cases, a dumb AP which handles little beyond providing a radio and encryption, may be required to work with your RADIUS server. Both types of APs are available for most networks, although smart AP designs may be slightly more expensive.
By necessity, your wireless security must be part of your overall network security. This means, among other things, that you will need to include your wireless network into your authentication, access control and intrusion detection management. You will need to ensure that your existing logging includes network traffic coming from the wireless users, and you will need to include the wireless network in your reporting systems. For the most part, this will be fairly straightforward, but you will need to make sure that the separate networks are accessible to the security and logging servers.
Testing and Verification
Once you're satisfied that your wireless networks are fully operational and that they meet your security requirements, it's time to make sure. One means of testing whether your security meets your own requirements is to look for wireless signals using test equipment designed for the purpose, which can be found at Netscout with their AirCheck Wireless Tester and from other test equipment companies. Such test devices can find security problems, rogue access points and dead spots in your wireless coverage.
In addition, your IT department should spend time attempting to penetrate your security. This should be an ongoing project so that your team finds any problems before an intruder does.
While incorporating a wireless network into your enterprise can be challenging when it comes to implementing the technology, there aren't any secrets. You have to realize that your network is using radio signals that can be intercepted by anyone with a receiver, and make sure that you take steps to keep them from getting access to the information those signals are carrying. In addition, it's important to realize that your network may be open to anyone with a radio transmitter, unless you take steps to keep them out.
While there aren't any secrets to how this is done, it's important that you cover all of the details. Because anyone can attempt to access your wireless network, that network is more vulnerable than a corresponding wired network. This means you may want to control whether extremely sensitive data is allowed on the wireless network, but it also means that you can have the flexibility and cost savings from a wireless network safely and securely, if you take the proper steps.
 “Wi-Fi Security: Should You Use WPA2-AES, WPA2-TKIP, or Both?,” How-To Geek, http://www.howtogeek.com/204697/wi-fi-security-should-you-use-wpa2-aes-wpa2-tkip-or-both/.
 “AirCheck G2 Wireless Tester,” NetScout, http://enterprise.netscout.com/products/aircheck-g2-wifi-tester.
Photo credit: perspec_photo88 via VisualHunt.com / CC BY-SA