Wireless LAN nodes have rapidly overtaken wired ports in many enterprises. Wireless technology presents some unique security considerations, however, so a company must ensure its enterprise WLAN is fully secure.
An important first step to WLAN security is to establish clear employee wireless use policies and security protocols. Where appropriate, limit access on specific devices (such as handheld devices used in a factory or warehouse) so that users can only access specific applications or websites. If you operate in a bring-your-own-device (BYOD) environment, there should be clear usage guidelines as well, to ensure employees do not create vulnerabilities.
Have a guest network policy in place, too. Your warehouse probably doesn’t need a guest WLAN, but nearby offices might, so have rules about the type of limits that will be placed on guest access and which capabilities to provide for visiting contractors, consultants, or others who may need to access printers or servers on the enterprise WLAN while on the premises.
Conduct a site survey to catalog all of your wireless access points, clients, and other equipment. You may be surprised at what you find, including rogue networks set up by well-meaning employees to extend access without permission, unauthorized workstations, and equipment that doesn’t belong to you. You’ll also find neighboring networks and equipment, which you should account for, both to avoid cross-channel interference and to avoid false intrusion alerts caused by neighboring networks.
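One way to triage the results of such a survey, shown as an added example that is not part of the original article: each observed access point is labeled authorized, rogue, or neighbor, and neighbor channels that overlap your own are listed. All SSIDs, BSSIDs, and the -60 dBm on-site threshold are constructed assumptions, and the overlap rule applies to 2.4 GHz channel numbers only.

```python
# Triage site-survey observations against the AP inventory (added example).
# All SSIDs, BSSIDs and thresholds are constructed for illustration.
AUTHORIZED = {  # BSSID -> (SSID, 2.4 GHz channel), from the asset inventory
    "02:00:00:aa:00:01": ("CorpNet", 1),
    "02:00:00:aa:00:02": ("CorpNet", 6),
    "02:00:00:aa:00:03": ("CorpGuest", 11),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
ONSITE_RSSI_DBM = -60  # assumption: a stronger signal means inside the facility

SURVEY = [  # constructed scan rows: (bssid, ssid, channel, rssi_dbm)
    ("02:00:00:AA:00:01", "CorpNet", 1, -48),
    ("02:00:00:aa:00:02", "CorpNet", 6, -55),
    ("02:00:00:aa:00:03", "CorpGuest", 11, -62),
    ("02:00:00:bb:00:09", "CorpNet", 6, -50),            # our SSID, unknown radio
    ("02:00:00:cc:00:07", "Shipping-Extender", 3, -45),  # unknown, very strong
    ("02:00:00:dd:00:04", "CafeNextDoor", 4, -82),       # weak, foreign SSID
    ("02:00:00:dd:00:05", "DentalOffice", 11, -88),
]

def classify(bssid, ssid, channel, rssi_dbm):
    """Return a triage label for one observed access point."""
    known = AUTHORIZED.get(bssid.lower())
    if known:
        return "authorized" if known == (ssid, channel) else "inventory-mismatch"
    if ssid in CORP_SSIDS:
        return "rogue-corp-ssid"  # unknown radio advertising an enterprise SSID
    if rssi_dbm >= ONSITE_RSSI_DBM:
        return "rogue-onsite"     # likely an unsanctioned AP on the premises
    return "neighbor"             # allowlist to avoid false intrusion alerts

def overlaps(ch_a, ch_b):
    """2.4 GHz channels fewer than 5 apart share spectrum."""
    return abs(ch_a - ch_b) < 5

def survey_report(rows):
    """Label every row and list neighbor/own channel overlaps."""
    labels = {r[0].lower(): classify(*r) for r in rows}
    own_channels = sorted({ch for _, ch in AUTHORIZED.values()})
    interference = sorted(
        (ssid, ch, own) for bssid, ssid, ch, _ in rows
        if labels[bssid.lower()] == "neighbor"
        for own in own_channels if overlaps(ch, own)
    )
    return labels, interference

if __name__ == "__main__":
    for item in survey_report(SURVEY):
        print(item)
```

The "neighbor" set is what you would allowlist in intrusion monitoring, while the interference list feeds channel planning.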
Implement Proper Security
It can be easy to eavesdrop on enterprise WLAN traffic, and hackers could use the network as a launchpad to attack other networks, steal bandwidth, obtain data or passwords, or transmit false data. You can reduce these risks by implementing some standard security protocols.
Segment user traffic so that guests and employees are divided between different sets of firewall rules using a virtual controller. Even office applications could be segmented from warehouse or factory floor users. In addition, make sure the physical network infrastructure is out of reach of the public and is protected from unauthorized access. Also, limit signal strength so your WLAN doesn’t extend outside of your facility.
Use 802.11 security authentication and encryption as a first line of defense. In addition, 802.1X and Wi-Fi Protected Access (WPA)/WPA2 technologies will provide additional enterprise WLAN protection. Be sure to use WPA2 in enterprise mode, which will require setting up a RADIUS server or service for 802.1X authentication, and change your global Wi-Fi passwords often.
Place wireless access points outside the network firewall. Be sure to password-protect both applications and mobile devices in case an unauthorized party gains access to the mobile hardware.
You can utilize a wireless or mobile virtual private network (VPN) to connect the enterprise WLAN to the network. However, VPN tunnels are bound to IP addresses, which change when users are roaming between access points. A wireless gateway can provide tunnel persistence under this configuration.
Use a centralized wireless LAN management tool to improve visibility into network operations, troubleshoot problems, and commission new assets. These can be on-site systems or cloud-based, like the new Zebra Azara solution. In the latter case, the system can be used to manage enterprise WLANs at different facilities from a single location.
Intrusion detection monitoring software can help analyze enterprise WLAN activity. You may require separate tools to detect attacks originating from the WLAN.
Likewise, mobile device management (MDM) software can improve security. MDM tools are generally used to troubleshoot and provision mobile hardware, but they also provide the ability to quarantine devices that may include unauthorized software. They can also be used to limit the types of applications employees download on the devices and allow IT to remotely lock or wipe a device that has been lost or stolen.
Enterprise WLANs present some unique security challenges, but they can be as secure as your wired infrastructure provided you take the right steps in designing the network and deploying sufficient authentication, encryption, and management tools to prevent attacks.