When it comes to wireless security, good enough is simply not good


As security threats increase in quantity and complexity, assuring business continuity means that corporations need to aggressively and proactively protect the entire network infrastructure.

Enterprises will continue to invest in purpose-built, comprehensive security products to defend their wired networks, but even more importantly, the enterprise must protect the more vulnerable wireless portion of its network. Because wireless networks utilize a transport mechanism (air) that can be hacked easily, and users can move from location to location, these networks require even more stringent and specific security solutions. The price the enterprise could pay for deploying "good enough" security in its wireless network includes loss of revenue, loss of reputation, loss of productivity, and in some cases loss of market capitalization.

And yet, enterprises that deploy wireless networks are being told that wireless networks do not need the purpose-built security products such as vulnerability assessment, network admission, intrusion prevention, patch management, firewalls and virus outbreak control that they rely on to secure their wired networks. Enterprises are being told by wireless access point and switch vendors that they can simply rely on RF management and "security features" that have been bolted onto the AP or WLAN switch to assure that their wireless infrastructure is secure. RF management and 802.1x alone do not offer assurance of a stringent network admission process that includes authentication, authorization, vulnerability assessment and patch updating. Authentication using WPA/802.1x does not do anything to stop a vulnerable or infected device from getting onto the network. RF management is a limited solution at best and can't pattern match to look for virus signatures or protocol anomalies. The switch vendors' claim of "good enough" security using a WLAN switch will not suffice when a worm proliferates throughout the entire network as a result of an infected device being admitted onto the wireless part of the network.

Switches are built and optimized for moving packets forward. This is what they were designed to do and it is what they do best. The less time a switch spends thinking about the destination the better, because then it is doing what it was meant to do -- switch. As soon as a switch vendor introduces complex decisions, packet inspection or assessment of any end device status, the performance of the switch and the speed of the network are degraded. If the enterprise wants to bring performance back up, it must pay for a larger switch with higher processing speeds, and thus a more expensive one. When a security threat does occur, the enterprise must react quickly without disrupting the switch configurations and destabilizing the network, which is often what happens when WLAN switch vendors offer changing VLANs and ACLs as a security solution.

Enterprises should not shortchange the wireless network. The wireless network does not deserve any less stringent security than the wired network. In fact, it requires more security. The wireless network must be protected against all threats common to the wired network, and it must remain secure during sessions when users are moving between locations. As is the case in the wired environment, enterprises want to use products to defend their networks that were built for that purpose – security.

With the onslaught of viruses and worms, enterprises can no longer afford the "good enough" security offered by AP and switch vendors declaring that RF management is all that is necessary to secure the wireless infrastructure. Enterprises want to control network admission, ensuring that only clean devices and authenticated, authorized users can get on the network. They want to control what resources users have access to on the network. They want to prevent intrusions through IPSs that can pattern match worm and virus signatures and protocol anomalies, as well as provide them with threat updates. They want to enforce access and security policies that are very granular, and they want to surgically remove offending devices from the network without taking their entire network down to search for them. They want audit tools to understand trends and usage patterns so they can fend off attacks that might look similar. WLAN switches and APs cannot offer the multitude of security capabilities enterprises require for their wireless networks. They are not built to deliver security to the network -- they are built to switch. Security products are built specifically to assure security of the network, and security companies focus all of their resources around a single goal – secure the network and assure business continuity. Enterprises shouldn't settle for anything less.

Bethany Mayer is Vice President of Marketing at Vernier Networks

Copyright © SC Magazine, US edition
