The enterprise-level Wi-Fi security primer

Using Wi-Fi has become almost as natural as breathing.

From a business standpoint, some might say it’s critical. We’re online all of the time, every day and everywhere. We rarely consider how we are connected. All that matters is that we have a way to log in.

Wi-Fi has had a profound impact on organizations and employees. It enables users to communicate and collaborate which in turn enhances productivity, agility and ultimately, profitability. It creates opportunity, increases morale and reduces costs.

But despite being so convenient and flexible, best practices for enterprise Wi-Fi security aren’t always followed.

One of the biggest exploits to affect Wi-Fi security was widely publicized last year. Dubbed with the name KRACK, this vulnerability allowed attackers to bypass Wi-Fi security and steal sensitive data, including credit card details, passwords, emails, photos, chat messages, and the list goes on.

The vulnerabilities are real and robust Wi-Fi security is a necessity.

In a world where new cyberthreats and security exploits are unleashed on a daily basis, it’s more important than ever to stay on top of enterprise Wi-Fi security. In doing so, you can ensure your infrastructure and data is protected without compromising seamless access or enhanced productivity.

Identifying the vulnerabilities

The threats awaiting an unprotected WLAN are many.

Passive eavesdroppers can gather sensitive data, intruders can steal bandwidth and wireless traffic can be recorded easily. Even low-level attackers can launch a packet flood that disrupts your network.

If you don’t know what you are securing your Wi-Fi network against, you might as well be taking shots in the dark.

Before a WLAN can be sufficiently planned, deployed and secured, it is essential that all business assets are identified in order to protect them from the impact of theft, damage or loss. At the same time, you should determine who needs access to what and when so that you can define access policies.

WPA2-Enterprise: the recommended industry standard

When it comes to encryption and authentication, you have an increasing number of options available. The method you choose will largely depend on the level of risk that deploying a WLAN opens up and the size of your enterprise. However, the preferred and recommended standard for most organizations is Wi-Fi Protected Access 2 Enterprise (WPA2-Enterprise).

WPA2-Enterprise was first introduced in 2004 and delivers robust security and over-the-air encryption. Authentication is handled by a RADIUS server which authenticates each device before it connects. Once authenticated and connected, a personal tunnel is created between the network and the device, creating a secure connection over which all data is encrypted.

Another point to note is that WPA3 has recently been launched by the Wi-Fi Alliance. While it won’t hit the mainstream immediately, this new standard will provide strengthened user security through individualized data encryption and is certainly one to watch for the future.

Provide a better user experience for everybody

Wi-Fi is designed to allow users to connect and roam, but not at the expense of your network security.

In a business environment that is no longer restricted to trusted corporate users, you also need to secure your network for the BYOD and IoT era. Any device that can connect to your WLAN is a potential threat, whether it’s a client you have known for years or an IoT sensor streaming data in real-time.

In order to provide a positive and secure Wi-Fi experience for everybody, you must define context-based access policies that limit access by user or device. Even better, implement a guest Wi-Fi network that’s separate from your main WLAN and which will segment all guest traffic and isolate it away from your enterprise data.

Good housekeeping and points to note

Network administrators and IT security professionals should also consider these additional housekeeping tips to further secure and manage their enterprise Wi-Fi networks.

  • Deploy a wireless intrusion prevention system (WIPS) and wireless intrusion detection system (WIDS) on every wireless network.
  • Many best practice guides will tell you to change the SSID for your wireless network. It’s important to remember that the SSID is a network name and not a password. There are no security benefits of changing it, but if you need to distinguish your network name from others in the vicinity, changing it can make it more easily identifiable.
  • Ensure all equipment meets Federal Information Processing Standards (FIPS) 140-2 compliance for encryption.
  • Consider centralized WLAN management in the cloud that allows you to configure all access points, manage access policies and analyze network traffic.

Final thoughts on Wi-Fi security

Just like any segment of your network, wireless networks require robust security in order to protect data and systems, while still offering unfettered access to authorized users.

By identifying your vulnerabilities, using recommended encryption and authentication technologies and controlling access to your WLAN, you can ensure that you reap all the business value that Wi-Fi has to offer.