Wireless Security - It's more than Security for Wireless Devices
In a recent study of corporations with more than 1000 employees[i], Rogue Wireless Access Points (AP’s) ranked as one of the top three concerns for IT Administrators. Rogue AP’s can bypass network security, disrupt approved wireless networks and expose the Enterprise to significant damages and liability. Organizations can spend millions of dollars securing their Enterprise Networks (wired and wireless) – yet a single $40 consumer AP can render that investment useless. It is important to note that securing your Enterprise against wireless intrusions involves more than security for your ‘known’ wireless infrastructure.
Enterprise Wireless Security is often erroneously defined as security for wireless access points or devices. Certainly securing any ‘authorized/known’ wireless devices from intrusion with authentication and encryption is an important aspect of wireless security - however it does not address the entire scope of exposure to wireless intrusions – in particular, the wired networks require protection as well.
At issue is the fact that the Enterprise must protect itself from unknown or ‘Rogue’ wireless devices that crop up on the Enterprise WIRED networks. Ultimately, with 802.11 wireless technologies, the Enterprise is no longer in complete control of network infrastructure. Wireless AP’s are inexpensive, they plug and play, and are a convenience that employees have come to expect outside the Enterprise. As the study and broad sentiment makes clear - these devices are a very real threat to Enterprise Network Security.
Nearly all companies have policies and standards for wireless network access within their organizations. The wireless standards they follow can be divided into three main categories:
No Wireless Allowed: In this category corporate policy prohibits wireless devices entirely. It merits mention that policy without enforcement is woefully inadequate. Simply publishing a policy against wireless networking within an organization without enforcement will not suffice. Corporations must enforce their ‘No Wireless’ policies with equal diligence to their ‘Wireless Policies’. Logically, the potential for Rogue AP’s is much higher in areas where there is a ‘No Wireless’ policy in place – otherwise 802.11 connectivity would likely already exist. As you will see in the next paragraph, ‘No Wireless’ remains the most prevalent environment within the Enterprise today…even where corporations have deployed some 802.11 infrastructure.
Wireless Allowed in Limited Areas: Almost without exception, where corporations have elected to deploy authorized 802.11 wireless infrastructure, coverage areas remain a very small percentage of the overall wired Enterprise network. By default - all areas of the wired Enterprise network that do not have authorized 802.11 networks are operating under a ‘No Wireless’ policy. Plainly stated, the most prevalent network environment in the Enterprise today operates under a ‘No Wireless’ policy; even considering corporations that have deployed authorized 802.11 infrastructure.
Wireless Everywhere: This category is extremely rare. Corporations that have deployed 802.11 networks over 100% of the wired Enterprise network are typically either very small organizations that have limited network reach or high tech organizations that have the majority of their users leveraging mobile devices such as laptops or small format mobile solutions such as Pocket PCs or Palm devices.
It should be clear from the topics above that the entire Enterprise network must be secured from wireless intrusions – whether those networks are wired or wireless. Where the Enterprise has deployed authorized 802.11 network infrastructure, it is often possible and certainly more cost effective to leverage that 802.11 infrastructure as RF Security platforms simultaneously – given that many wireless network solutions can now execute security and network transport functions concurrently. Where corporate authorized 802.11 networks exist…user authentication, encryption, constant RF intrusion monitoring and management capabilities are a must. These are excellent practices, however these practices merely secure your ‘known’ or authorized wireless infrastructure footprint while the rest of the Enterprise ‘No Wireless’ network requires similar security diligence: constant monitoring for rogue devices.
Conclusion 1: Where authorized 802.11 networks exist in the Enterprise, constant RF monitoring for intrusions is required. It is most efficient to leverage the authorized 802.11 network AP’s as 24x7 security sensors as well – however where this is not possible separate/overlaid RF hardware sensors can be put in place.
Important Points to Remember:
The most prevalent network environment in the Enterprise today operates under a ‘No Wireless’ policy. In those areas your WIRED Enterprise Network should exist without 802.11 equipment.
With 802.11 wireless technologies, the Enterprise is no longer in complete control of network infrastructure deployments (Rogue AP’s).
Security for ‘Known’ 802.11 devices does not secure the entire Enterprise.
A single undetected $40 Rogue AP can render significant security investments useless.
Corporations should enforce their ‘No Wireless’ policies with equal diligence to their ‘Wireless Policies’.
Constant monitoring of the WIRED Enterprise Network is required to adequately enforce ‘No Wireless’ policies. The scope of the threat for Rogue AP’s is realistically any exposed RJ-45 Ethernet jack.
Conclusion 2: The WIRED Enterprise Network operating under a ‘No Wireless’ policy must be also be constantly monitored for wireless device intrusions.
Methods of ‘No Wireless’ Policy Enforcement / Monitoring
Portable scanning - Ineffective/inefficient relative to: a) level of availability/protection; b) personnel-hour impact
Hardware Sensors - Cost prohibitive/complex over even small geographic distributions
Software Monitoring – Centrally deploy and dynamically scan your entire wired network for real-time 24x7 detection and view of existing AP’s; both authorized and rogue. Protect your wired networks from wireless device intrusions.
The Solution
WiSentry Wireless Access Point Detection Software
WiMetrics Corporation delivers the WiSentry Wireless Access Point Detection System for 24x7 protection from wireless device intrusions via a patent-pending process of dynamic and pervasive network monitoring. By utilizing patent-pending software sensors to constantly monitor for access points on the wired network, WiSentry enables rapid deployment and persistent protection. As the geographic scale of the corporation increases, WiSentry actually becomes MORE cost effective. Deployment can be managed from a central location and the provisioning challenges and expense of hardware solutions are eliminated entirely.
Organizations spend millions of dollars securing their wired networks. Leverage and protect that investment with WiSentry – it’s the video surveillance for your wired networks that you’ve been looking for. Enforce your No Wireless Policies.
