How to design architecture for enterprise wireless security
Learn about a five-phase design methodology that will help your company plan for and create an enterprise wireless security architecture.
Enterprise wireless networks have been undergoing a tremendous transformation. From a changing workspace due to IoT, remote work and new generations of Wi-Fi to a multitude of sophisticated threats, the spotlight is on enterprise wireless network security. Knowing how to configure and maintain the wireless security architecture is critical to keep attackers at bay.
In Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise, author and security researcher Jennifer Minella provides networking and security teams a resource to follow. She starts by explaining wireless network security techniques, processes and products before outlining how to design an architecture, as well as the components and processes teams need to set up a secure wireless network.
In Chapter 5, Minella laid out a guide for designing the optimal wireless security architecture. "What I've noticed over the years is that most networking professionals within an organization tend to wing it when it comes to planning," she wrote in the chapter's introduction, "often bypassing any formal scoping and documentation and skipping to configuring products."
The excerpt below introduces readers to Minella's design methodology that follows five phases: define, characterize, design, optimize and validate.
Planning and Design Methodology
You've likely heard of design methodologies such as 4D (Discover, Design, Develop, and Deploy). The Wi-Fi world has its own set of design steps addressing the many phases of RF design and validation. While all valid, these traditional models don't focus on design, nor do they address the complexity of architecture that crosses disciplines and domains.
My design methodology incorporates five interconnected phases, unabashedly borrowed from the constructs of the Design for Six Sigma (DFSS) framework. For any Six Sigma professionals out there, I hope you'll extend a bit of latitude and allow me to exercise some artistic license.
These five phases are not always linear in nature, but they do link to two concrete processes of inputs and outputs of a design architecture and can be grouped into three stages: discover, architect, and iterate.
The five phases for designing a secure wireless architecture are (see Figure 5.1):
- Discover Stage
  - Phase 1: Define (scoping)
  - Phase 2: Characterize (requirements mapping)
- Architect Stage
  - Phase 3: Design (functional mapping)
- Iterate Stage
  - Phase 4: Optimize (design adjustment)
  - Phase 5: Validate (validate design against requirements)
Discover Stage
The discover stage includes the tasks that serve as inputs into the architecture design. This entails scoping and requirements mapping with the first two phases:
- Phase 1: Define (scoping)
- Phase 2: Characterize (requirements mapping)
Once these two phases are complete, you'll move on to the architect stage, which encompasses the third phase, design.
Phase 1: Define
The define phase includes identifying project requirements, elements of the scoped environment, and scope limits.
During this time, the architect should perform activities such as:
- Identification of the teams and roles involved in the project
- Discovery of the environment (wired and wireless network infrastructure components, capabilities, and topology)
- Scope of user and endpoint population and capabilities
- Identification of applications to be supported over the wireless network
- Scope of geography/coverage areas (e.g., campus, branch offices, home users)
- Identification of security and compliance requirements
- Discovery of additional supporting policies or guidance for security
- Documentation of discovered items
This exercise of the define stage of discovery is enhanced by the characterize phase, which aligns requirements to the scoped elements.
Phase 2: Characterize
The characterize phase addresses the discrete elements for requirements mapping. In this phase the architect captures both qualitative and quantitative security characteristics mapped to the individual classes of networked elements such as endpoints, applications, and users. Those characteristics are then used for functional mapping in the design phase.
The architect correlates items from the define phase such as:
- Identify elements (endpoints, users, infrastructure, or assets) that need specific security controls to meet business objectives or compliance requirements (e.g., network segments in scope of PCI)
- Group and categorize elements with similar needs or characteristics
- Identify and document which scoped elements have requirements dictated by policy or regulation, such as authentication or encryption
- Document requirements for cases requiring elevated controls such as additional monitoring or inspection, security posturing, or multi-factor authentication
The define and characterize phases together comprise the discovery tasks and are the inputs to the architecture tasks of design, optimize, and validate.
Architect Stage
The architect stage (architect being an action here) involves only the design phase, where the inputs from the discover stage are used for functional mapping.
Phase 3: Design
The design phase encompasses the heavy lifting of taking the discovery inputs and performing functional mapping for requisite security controls and monitoring. As part of this work, the architect should also document conditions, variables, and known or anticipated design gaps.
During the design phase, an architect will:
- Begin mapping defined requirements to planned designs for scoped elements (wired and wireless infrastructure, endpoints)
- Document conditions and variables that may impact the expected outcomes and security posture (such as unknowns of planned but unscoped projects based on wireless connectivity such as digital transformation or IoT programs, or unknown variables of endpoint support for WPA3, or an upcoming merger or acquisition)
- Evaluate current infrastructure and tools to determine if they can meet the objectives
- Identify vendors, products, and configuration options to meet the security and connectivity objectives
- Define metrics and outputs for monitoring and testing against mapped elements
- Produce documentation for as-built designs of the infrastructure devices
Iterate Stage
Maintaining security requires continuous improvement, and the iterate stage helps meet this need with the final two phases:
- Phase 4: Optimize (design adjustment)
- Phase 5: Validate (validate design against requirements)
The iterate stage is focused on design iteration and ensuring the architecture is updated to meet changes including those related to new vulnerabilities, changes in the network infrastructure, changes in endpoints and applications, and changes in use cases, among other things.
The design, optimize, and validate phases are iterative, with optimize and validate phases often being interconnected and non-linear.
During these tasks, it's reasonable to expect a proof of concept (PoC). PoCs may be as basic as having the internal team create test SSIDs and validate the operation against the design architecture or as complex as a lengthy structured plan with a vendor that includes installation of hardware and/or software.
NOTE: In this model, the optimize and validate phases refer to optimizing and validating the design architecture, not the implementation. This is a subtle difference from other network design and deployment methodologies.
Phase 4: Optimize
During the optimize phase, the design is refined to enhance robustness of performance and security.
With industry standards evolving at an unprecedented rate, wireless endpoint capabilities always in flux, and security threats changing daily, wireless networks are no longer set-and-forget. For purposes of security, the architecture tasks are iteratively optimized and recurringly validated.
As part of recurring optimize phases, architects should be:
- Researching changes in security protocol standards and implementing enhancements in the architecture
- Evaluating new vendor product features for additional security benefits
- Consuming output from validation to further refine the architecture
- Communicating to stakeholders any major changes in guidance for security best practices
- Updating internal standards and process documents to reflect changes as needed
Phase 5: Validate
As part of the validate phase, the architect will verify capabilities and expected outcomes of the design against the originally scoped requirements from the discover stage tasks (define and characterize). The architect should also plan to communicate with other teams regularly and request feedback from stakeholders to ensure the scope hasn't changed and expectations are met and documented satisfactorily.
After an initial deployment and as part of ongoing improvement, the validate phase will include testing and validation of the system including security assessments and penetration testing, possibly along with compliance audit outputs.
In the iterative validate phases, the architect will:
- Evaluate the planned design against the requirements defined in design and characterize phases
- Document gaps to be addressed in an iterative optimize phase
- Communicate findings to participating teams
- Present findings to stakeholders and request feedback
- Incorporate data from identified metrics in the design phase
The five phases facilitate the collection and organization of the data for planning in the form of inputs and outputs. Inputs are the data consumed and factored into planning, and outputs are the actionable requirements for the infrastructure design.
Excerpted with the permission of the publisher, Wiley, from Wireless Security Architecture by Jennifer Minella. Copyright © 2021 by John Wiley & Sons Ltd. All rights reserved. This book is available wherever books and eBooks are sold.