Based on what I have learned over the last few years regarding mobility and security, I propose some foundational guidelines for protecting any enterprise mobility environment.
Hidden SSID
In an age where a hidden SSID can be easily discovered, this step is merely meant to limit visibility and deter the accidental threat. The accidental threat is someone who never intended to connect to a wireless network. However, when this person sees the revealed SSID, he attempts to access the network multiple times with various passphrases. Depending on alerting settings, this harmless user will trigger false alarms.
MAC Authentication
Once again, we are in an age where there is a countermeasure to this level of protection. Similar to the hidden SSID, MAC authentication deters the accidental and harmless threat. This person will connect to the network, realize that there is essentially no access to the network, and disconnect.
WPA2/PSK Encryption
As of March of 2014 it has been documented that this method of security also has vulnerabilities. With those vulnerabilities, WPA/PSK becomes another deterrent for an accidental and rather pedestrian threat.
Now that pedestrian intruders have been weeded out, you as an administrator know that any unknown device that has connected to a hidden SSID, bypassed MAC authentication, and decrypted WPA2/PSK has access to the network and is a legitimate threat. For intruders like the one just mentioned, at minimum, this next level of protection is required.
Wireless Intrusion Detection
With WIDS enabled the network will detect any oddities within the network. That includes any rogue access points, unauthorized devices, MAC spoofing, and various attacks at the disposal of a malicious intruder. In the event that the deployed network is the only wireless network within the area, an administrator could configure the system to automatically take action (WIPS) without human intervention.
Access Point Power Settings
Keeping the signal within the coverage area [as best as possible] reduces coverage bleed and can help keep unwanted users off the network. This requires network intruders to come into the coverage area to attempt to threaten the network. With security cameras properly deployed in the area and/or an observant store manager, an administrator may be able to physically identify the network intruder and possibly put a device to a person.
Probe Response Threshold
Setting the probe response threshold provides a minimum signal strength for network connectivity, and its purpose is similar to adjusting the power settings. Although this functionality does not reduce coverage bleed, it requires network intruders to come preferably within the coverage area. When coupled with some additional vigilance, an administrator can put a face to a device.
Time-Based Access Restrictions
Without the proper access restrictions the previous two protection methods may not provide the desired results. A network intruder could wait until closing hours or the weekend to attempt malicious attacks. In the event that some minimum coverage bleed exists, closing hours gives him all the time in the world to find the coverage leak, gain access to the network and wreak havoc.
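The probe response threshold and time-based restrictions described above can also be checked after the fact against association logs. The following is an added example, not part of the original post: the log format, threshold, opening hours, and MAC list are all assumed values chosen for illustration.

```python
from datetime import datetime, time

# Assumed policy values (hypothetical, not from the post).
MIN_RSSI_DBM = -70  # probe response threshold
# Monday (0) through Saturday (5), 08:00-21:00; Sunday has no entry, so it is closed.
OPEN_HOURS = {day: (time(8, 0), time(21, 0)) for day in range(0, 6)}
KNOWN_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Constructed sample events: "ISO timestamp,client MAC,RSSI in dBm".
SAMPLE_EVENTS = """\
2024-03-04T10:15:00,aa:bb:cc:00:00:01,-55
2024-03-04T23:40:00,aa:bb:cc:00:00:02,-60
2024-03-05T14:05:00,de:ad:be:ef:00:09,-82
2024-03-10T03:12:00,de:ad:be:ef:00:0a,-64
"""

def within_hours(ts):
    """True if the timestamp falls inside that weekday's permitted window."""
    window = OPEN_HOURS.get(ts.weekday())
    return window is not None and window[0] <= ts.time() < window[1]

def evaluate(line):
    """Return (mac, reasons) for one association event; empty reasons means compliant."""
    ts_raw, mac, rssi_raw = line.strip().split(",")
    ts, mac, rssi = datetime.fromisoformat(ts_raw), mac.lower(), int(rssi_raw)
    reasons = []
    if not within_hours(ts):
        reasons.append("outside-hours")
    if rssi < MIN_RSSI_DBM:
        reasons.append("below-rssi-threshold")
    if mac not in KNOWN_MACS:
        reasons.append("unknown-mac")
    return mac, reasons

def review(log_text):
    """Evaluate every non-empty line and keep only events that violate policy."""
    results = [evaluate(line) for line in log_text.splitlines() if line.strip()]
    return [(mac, reasons) for mac, reasons in results if reasons]

if __name__ == "__main__":
    for mac, reasons in review(SAMPLE_EVENTS):
        print(mac, ", ".join(reasons))
```

An event that trips more than one rule, such as an unknown device associating after closing, is the kind of legitimate threat the WIDS section is meant to surface.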
Temporary “Self-Destruct” Accounts
In many mobility deployments of enterprise networks, installers that are not employees install and configure the network. Using various automation tools administrators can push parameters to all network equipment and protect access credentials. When network verification is required, this becomes a challenge. Many environments have employees that are not qualified to properly verify mobility services within the environment. When coupled with installers that are not employees, proper verification is a challenge. This can be resolved with temporary accounts that provide installers with just enough access and time to verify that the network has been properly configured and performs according to specifications.
Now that the wireless portion of the network has been protected, turn your attention to the wired portion of the network. Although this may be a small percentage of the network, it is just as important. I recommend employing as many of the same security measures on the wired network that have been employed on the wireless network. This protects
For some this may appear to be over the top. But when protecting a wireless network from unwanted users, think of this network as a home in a tough part of town. What tools would a resident use to protect his family and/or himself from unwanted intruders?
- Shut and Close all Windows and Curtains (Hidden SSID)
- Keys for Residents Only (MAC Authentication)
- Locked Doors (WPA2/PSK Encryption)
- Few Items of Interest (Access Point Power Settings/Probe Response Threshold)
- Minimal Visitors (Time-Based Access Restrictions)
- Security Cameras/Alarm System (WIDS)
- Contact Authorities/Take Immediate Action (WIPS)