Five Keys to Secure Wireless LANs

Wireless LANs offer great benefits to your users: They can use their laptops in meetings to gain instant information access and move to quiet spots in the office to finish assignments before deadline. But WLANs also pose one of the greatest security threats to the integrity of your network. Here are five simple steps to lower your threat exposure.

  1. Look for rogue hot spots
    Your organization's highest risk is from the rogue wireless access point (WAP). These are not necessarily covert attempts to bypass your security policy. Rather, the cost and simplicity of buying a WAP at a local store make it easy for someone to set one up to make life easier around the office. There are many tools available, ranging from specialized WLAN sensors to regular "packet sniffers," designed to keep your network free of unmanaged WAPs.
  2. Secure the endpoint to protect your network
    One concept to understand is that the wireless LAN is at best a semitrusted network. Your endpoints are exposed just as if they were on a remote broadband connection. At the very least, endpoints should have a personal firewall. Trusted users in compliance with your security policy should be placed on one virtual LAN that can access the internal network while guests or people without the proper security posture should be placed on another that can only access the Internet.
  3. Segment the network
    As a corollary to protecting the endpoint, you should use a strong perimeter firewall to segregate your wireless LAN from your wired network. Although WAPs provide rudimentary access control, they do not provide the depth of security needed in today's environments. An added bonus is that you will be able to apply consistent security policies across your WLAN and your perimeter.
  4. Consider IPSec over WLAN encryption
    Changing from the failed Wired Equivalent Privacy (WEP) and the stopgap Wi-Fi Protected Access (WPA) to 802.11i and WPA2 protocols has helped the WLAN industry recover from a black eye. But there is a lot of WLAN gear out there that does not support the new standards. Until you can get 802.11i rolled out enterprise-wide, it is better to set a policy of using IPSec for encryption when users are accessing sensitive information. It is proven and it is already in place on many laptops.
  5. Consider your risk
    In the end, your WLAN security should be a component of risk analysis. What is your exposure? Do you have procedures in place for detecting rogue access points? What is your liability if an unauthorized person were to connect to your WLAN and then your network? Your security measures need to respond to your exposure and to the possible breach of network integrity.
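
The rogue access point check from step 1 can be run as a comparison between a wireless survey and your inventory of managed WAPs. The following is an added example, not part of the original article: the inventory, the survey rows, the CSV layout and the -70 dBm "nearby" threshold are all constructed assumptions.

```python
import csv
import io

# Constructed inventory of managed access points: BSSID -> (SSID, channel).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpWLAN", 1),
    "00:11:22:33:44:02": ("CorpWLAN", 6),
    "00:11:22:33:44:03": ("CorpGuest", 11),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

# Constructed survey export, in a layout a sensor or sniffer could be made to emit.
SURVEY = """\
bssid,ssid,channel,signal_dbm
00:11:22:33:44:01,CorpWLAN,1,-48
00-11-22-33-44-02,CorpWLAN,6,-55
00:11:22:33:44:03,CorpGuest,6,-60
66:77:88:99:AA:BB,CorpWLAN,6,-41
DE:AD:BE:EF:00:01,MeetingRoomAP,11,-52
DE:AD:BE:EF:00:02,CoffeeShop,1,-88
"""

def normalize(bssid):
    # Tools differ in case and separator; compare one canonical form.
    return bssid.strip().lower().replace("-", ":")

def classify(row, near_dbm=-70):
    bssid = normalize(row["bssid"])
    ssid, channel, signal = row["ssid"], int(row["channel"]), int(row["signal_dbm"])
    known = AUTHORIZED.get(bssid)
    if known:  # managed radio: check it still matches the inventory
        return "authorized" if (ssid, channel) == known else "config-drift"
    if ssid in CORP_SSIDS:  # unknown radio advertising a managed SSID
        return "unmanaged-corp-ssid"
    if signal >= near_dbm:  # strong signal suggests it is on the premises
        return "unmanaged-nearby"
    return "neighbor"  # weak signal, probably a neighboring network

def survey_findings(text=SURVEY):
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        verdict = classify(row)
        if verdict != "authorized":
            findings[normalize(row["bssid"])] = verdict
    return findings

if __name__ == "__main__":
    for bssid, verdict in survey_findings().items():
        print(bssid, verdict)
```

Signal strength is only a rough hint of location, so a "neighbor" verdict should be confirmed by checking whether the device is also reachable from the wired network.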