Sophos has suggested best practices that can help administrators go beyond the basics of wireless security to provide advanced security, manageability and accessibility.
“It isn’t hard to set up security for the wireless router in your basement by changing the SSID, picking a strong password and installing VPN software for remote access,” says Brett Myroff, CEO of Sophos distributor, NetXactics. “But securing wireless networks in a business environment is much more demanding.”

He says that certain security practices are essential for wireless networks of all types, and include strong encryption – preferably WPA2.

“An eavesdropper can pick up wireless signals from the street or a parking lot and break older security algorithms like WEP in minutes using tools readily available on the Web.
“Cybercriminals can also use cloud computing resources to test millions of passwords in minutes, so wireless passwords should be 10 characters or longer and include numbers and special characters.”

SSIDs are part of the password used for WPA2 encryption. Hackers use “rainbow tables” to test common SSIDs, so administrators should pick unique network names, but not ones that identify their organisation, Myroff adds.

Virtual private networks are essential to protect communications from mobile employees (who can put a VPN client on their devices) and remote offices (which can use economical, point-to-point VPN connections).
Employees need to be educated on secure networking practices. In companies with BYOD policies, this includes acceptable uses of personal devices for company business.

“Organisations that publish policies and systematise training not only improve security, but also enhance their compliance posture by showing auditors that they are taking action to protect confidential information,” he says.
Uncontrolled access to wireless networks is a common security issue.

“Often, customers, suppliers and other office visitors are given IDs and passwords that provide perpetual access to internal networks. Stories abound of contractors whose passwords remained valid for weeks or months after they moved on to other employers.

“Some organisations address this problem by providing a separate guest network with limited access to core IT systems. This approach addresses the issue of transient guests, but it is expensive and not always useful for contractors and long-term guests.
“Another approach is to find tools that restrict guest and contractor access to appropriate periods of time and place limits on their activities.”

Deploying and managing wireless access points can be time-consuming. Large offices and campuses may require many access points to cover all office areas, conference rooms and meeting spaces used by employees. Multiple wireless networks for different groups and for guests can add to the work.

Not only does complex administration raise staffing costs, but it also increases the likelihood of accidental misconfigurations that cause security vulnerabilities.

Myroff says that enterprises need to find tools that simplify tasks such as deploying new access points, checking on the status and settings of these devices, and changing parameters.

“A best-case scenario is to find tools that do not require specialised knowledge or a long learning curve, so the work can be done by network administrators rather than wireless networking specialists.”

Providing technical support to remote and branch offices is also a challenge. Constant travel is rarely an option, and it is difficult to work through remote personnel, particularly if no local IT staff is available.
“Administrators need to find tools that allow them to deploy, monitor and update remote access points from a central console,” he adds.

Cybercriminals are increasingly targeting wireless traffic as an avenue to penetrate enterprise networks. They are exploiting:
* More opportunities to find weak points because of the growing number of remote and mobile workers;
* Home computers and mobile devices that lack the endpoint protection tools found on workstations that reside in company offices; and
* BYOD policies that limit the control that companies have over the selection and configuration of mobile devices (a trend amplified by the increasing number of organisations with BYO-computer policies).

To prevent wireless traffic from becoming a major threat vector, Myroff suggests that enterprises should ensure that wireless traffic flows through the full network security infrastructure so it can be scanned for malware. Probes and attacks can also be detected.

“Ideally, the connection should be two-way, so traffic that goes out through the wireless network must first pass through the core security infrastructure. That allows URL and content filtering tools to prevent employees from visiting websites that contain malware or are related to phishing and social engineering attacks. It may also help detect data being exfiltrated as part of an advanced persistent threat.”

Secure wireless networking for business goes far beyond SSIDs and passwords. Administrators need to manage the basics in multiple locations, efficiently and reliably. They need to be able to tailor access to different employee and guest use cases. And they need to make sure that wireless traffic is scanned just as thoroughly as any other type of Web traffic.

“Ideally, these goals should be achieved economically, and without highly specialised skills or extra training,” Myroff concludes.