Wireless networks are integral to most businesses’ computing infrastructures. The security on these networks needs to be planned with the utmost care. Unfortunately, we often see that the planning for air security is an afterthought.
It shouldn’t be. And it’s not difficult to plan holistically for wireless security if you think about it in three key areas: Securing the air, securing users, and securing devices.
More specifically, we counsel our customers planning wireless networks to work on security in the areas below. Addressing air security this way provides a much better security posture for a business than trying to layer in wireless security after a system is installed and running.
1. RF Efficacy
The first step towards wireless security is to keep the airways clean. Among other issues, radio frequency interference (RFI) can disturb the normal functioning of transmitters and receivers and disrupt service.
So basic wireless hygiene includes RFI protection. This usually entails continuously monitoring for interference and identifying its source and location. Interference can be caused by rogue access points that might need to be removed from the environment outright, or by electrically noisy devices that impact radio signaling and that need to be shielded.
To manage RF efficacy you need a system that provides historical reporting as well as real-time custom alerts and that can, for example, tell the network operator as soon as a rogue access point enters the corporate airspace, compromising client security.
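The monitoring described above, as an added example (not from the original article or any vendor's product): every sighting is kept for historical reporting, and an alert is raised the first time a suspect access point appears. The inventory, scan records, verdict names and classification policy are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed inventory of sanctioned APs: BSSID -> (SSID, channel). Assumes
# statically assigned channels; drop the channel check if APs auto-select.
AUTHORIZED = {"02:00:00:aa:00:01": ("CorpNet", 36),
              "02:00:00:aa:00:02": ("CorpNet", 149)}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
ALERTING = {"rogue-impersonating", "authorized-mismatch"}

# Constructed scan observations: (timestamp, bssid, ssid, channel, rssi_dbm).
SCANS = [
    ("2024-01-01T09:00:00", "02:00:00:aa:00:01", "CorpNet", 36, -48),
    ("2024-01-01T09:00:00", "02:00:00:bb:00:09", "CoffeeShop", 6, -80),
    ("2024-01-01T09:05:00", "02:00:00:cc:00:07", "CorpNet", 11, -52),
    ("2024-01-01T09:10:00", "02:00:00:cc:00:07", "CorpNet", 11, -50),
    ("2024-01-01T09:10:00", "02:00:00:aa:00:02", "CorpNet", 44, -60),
]

def classify(bssid, ssid, channel):
    """Verdict for one beacon; the policy is an assumption of this example."""
    known = AUTHORIZED.get(bssid.lower())
    if known:
        # Sanctioned BSSID advertising something unexpected: spoofing or drift.
        return "authorized" if known == (ssid, channel) else "authorized-mismatch"
    if ssid in CORP_SSIDS:
        return "rogue-impersonating"  # corporate SSID from a radio not in inventory
    return "unclassified"             # neighbouring network: logged, no alert

@dataclass
class AirMonitor:
    history: list = field(default_factory=list)  # every sighting, for reporting
    alerted: set = field(default_factory=set)    # (bssid, verdict) already raised

    def observe(self, ts, bssid, ssid, channel, rssi):
        """Record the sighting; return an alert only on first sight of a threat."""
        verdict = classify(bssid, ssid, channel)
        self.history.append((ts, bssid.lower(), ssid, channel, rssi, verdict))
        key = (bssid.lower(), verdict)
        if verdict not in ALERTING or key in self.alerted:
            return None
        self.alerted.add(key)
        return f"{ts} ALERT {verdict}: {ssid!r} from {bssid} ch{channel} {rssi} dBm"

def run(scans):
    mon = AirMonitor()
    alerts = [a for s in scans if (a := mon.observe(*s)) is not None]
    return mon, alerts

if __name__ == "__main__":
    print("\n".join(run(SCANS)[1]))
```

The repeated sighting of the same suspect radio is recorded in the history but does not raise a second alert, which keeps the real-time channel quiet while the report stays complete.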
2. Threat mitigation and Login security
Of the three pillars of wireless security, it’s in the arena of threat mitigation where the industry has achieved the most. Wireless Intrusion Protection Systems are what protect users and devices from outside and inside attacks. Advances in network segmentation further isolate threats and keep them from spreading through a network.
One of the most critical parts of Threat Mitigation for a wireless network is the onboarding system: The way users’ devices are authorized to use the network. If onboarding is too difficult, people are likely to stay on LTE (or wired if possible). If the protection system is easy to use but weak, then the network’s exposure perimeter is very wide, as unwanted users will be able to join the network.
The standard practices for onboarding security are well established now, and they include avoiding PSK, where one compromised shared key exposes every device. We recommend individual authorization, which can be as minimal as iPSK, or more elaborate with EAP/802.1X. These systems combine ease of onboarding with contained and robust security.
Watch this area for a lot of exciting innovations coming in insider threat protection, rapid threat containment, threat correlation, and automated remediation and reporting.
Once a user is onboard the network, there’s another realm of security to consider.
3. Data protection
When most people think of wireless security, this is what they think of: encrypting the signal. This is certainly important. We have used WPA2 for over-the-air security for more than a decade, and the standard continues to evolve. It has to, to stay ahead of increasingly sophisticated exploits, like the “Krack” attack I wrote about last year. The Wi-Fi Alliance’s latest update to its Wi-Fi data protection standards is a set of enhancements for Wi-Fi Protected Access called WPA3. It will protect networks from a newer class of exploit – but it, too, will need continuous refinement, as attackers will no doubt continue to make runs at it.
Besides over-the-air encryption, you should also be thinking about data access protection from downloadable malware and malicious websites. We recommend strong DNS security as your first layer of defense.
And with the explosion of IoT devices, overall asset health for protocols like Zigbee, BLE, and Thread is important.
Holistic security
Security is often thought of in terms of rings of protection, and has been for hundreds of years: Medieval castles had moats, archers, gates, and soldiers. Network security is similar. It needs to be crafted holistically and in layers. Remember: Think about RF security, Login security, and Data protection. And while you’re at it, keep an eye on the news to make sure every layer is up to date.