Must-haves for wireless network security: WLAN switches, intrusion detection and more
Devices like WLAN switches, which can manage hundreds of access points, deserve a look, especially when setting up an enterprise wireless network.
Joel Snyder of Opus One reviews the switch technology and explains why intrusion detection systems and firewalls also need to be carefully added to a "defense in depth" network configuration.
Joel Snyder: Building a secure network means you have to secure that RF space. You have to get the transmit power and the channel selection right so you get a good layout, and you have to watch your RF space because, over time, you are going to have changes in the way that people have laid themselves out in the building. You may get another building that changes the coating on the outside of its windows, and that may suddenly change your wireless network. How are you going to solve all this? This brings me to another piece of advice, Advice Number 4, which is to use WLAN switch technology. I am not telling you to go to any particular vendor, and in fact, I am not saying you have to do this, but I am saying that folks like Cisco, which bought Airespace, Aruba, Trapeze, Aerohive, and other companies (I am sorry I forgot to mention your favorite) will help you minimize the cost of dealing with these other problems. Human beings cannot be sitting there all day long looking at 200, 300, 400 access points, adjusting channels, adjusting signal levels, looking for rogue APs, whereas, and this is why God invented computers, these guys can. All the stuff in the previous sections, these wireless switch vendors help you to solve it. They do not solve it entirely, but they give you great tools to solve it, so you are still going to have to have a good wireless survey and you are still going to have to lay out your network intelligently. When you have some device that can manage 100, 1,000, or whatever APs it is, maybe not 1,000, maybe 100 APs, that is going to do it more intelligently than you can, and you should invest in that technology. Again, the wireless LAN switch vendors are the ones that I have had the most experience with, the ones that are probably the strongest; they are people that have additional tools, so get some tools to help you solve these problems.
The final piece of advice is to add IDS and firewall technology at the place where your wireless network joins your network. In this picture here, I am pointing out that internal access controls give you needed security. We think we know how to secure the wireless network, we think we know how to do that, but in fact, a defense-in-depth strategy is always better. I have drawn in this picture here the AP, followed by a firewall, followed by an IPS. That could be one box if you have one product that does all three, that is fine; it could be two boxes, a firewall with IPS, a UTM-type device together, that is fine. I am not saying how many boxes you need; all I am saying is you should have firewall controls from the wireless even though you think you are only letting authenticated users on to that particular chunk of wireless. You should have some IPS looking for bad behavior, because the people that are wireless are most likely to be potential threats to your network, either because they happen to be portable, so they are going all over the place, possibly catching more viruses or Trojans, or just because you have got guest users coming in.
One good technique is to use different user profiles to differentiate users. In this picture here, I have shown three different SSIDs: maybe the VoIP phones are in SSID-A, I have got PDAs and other devices, guest things, maybe on SSID-B, and end users in SSID-C. Normally what will happen is your wireless access point can trunk these using VLANs over to your infrastructure, and then from a firewall you can keep people from jumping between these different VLANs or having access to the wrong traffic. I read an interesting story where some VoIP hacker said, 'Yes, we were able to get under these VoIP networks,' and I am just thinking, 'Of course, if the security guys had done their job, the answer would be, so what.' Yes, you can get on the VoIP network, but you could not get anywhere else. The guys went on to say, 'By the way, no one had firewalls between their VoIP network and the rest of their enterprise,' which means they were doing separation, maybe for QoS reasons, but not for security reasons. I am telling you that you need a firewall to separate those out for security reasons as well. Some devices, Rube is a good example, actually give you [inaudible: 04:05] on the users. You might not need the firewall to be separate or the VLAN thing; that is between you and your vendor. In any case, having some differentiation gives you defense in depth.
Speaking of these mobile devices, make sure you are prepped for hybrid mobile devices: phones and PDAs. Make sure that you are thinking about how you are going to support them. You may have a big boss that says, 'We are not going to let these guys get on the network,' until one day suddenly they change their mind. Do not let yourself be Blackberried by a slow infusion of devices that you are not prepared for, and then suddenly there is a critical mass that you have to support. Make sure you are ahead of the parade or the power curve and saying, 'When this happens,' and it inevitably will, 'how am I going to handle these mobile devices? What am I going to do in terms of wireless, in terms of bandwidth, maybe in terms of synchronization, in terms of tools to handle these devices?' Make sure you get ahead of the power curve, because if you are not already putting mobile on your wireless, I can certainly guarantee that within one boss time period, which could be a season, semester, quarter, or an annual report, you will have them on, sooner or later.
Let me sum this all up by giving you my five concerns. First of all, start on a secure base. Second of all, think about guest users; if you are going to have guest users on, figure out a safe way to bring those guest users on. Third, make absolutely sure you manage your RF and your bandwidth properly, because you are not going to be able to build a business-class wireless LAN if you have not done that. Fourth, use wireless LAN switch technology, or something to solve that management problem, provided by two, and especially my advice point number three. Last of all, make sure you firewall and IDS or IPS better, even your internal users, as they come off the wireless, before they get into your corporate network. These five bits of advice will help you build a business-class, enterprise-class, secure wireless network.