From Tony Bradley, CISSP-ISSAP,
Your Guide to Internet / Network Security.
FREE Newsletter. Sign Up Now!

Dec 6 2007

Convenience at a Price

Wireless networks have the potential to make enterprise networking much more efficient and cost effective. It is much easier to set a user up with a wireless network connection than to run Ethernet cabling from the nearest switch, through the walls and install a network jack at their desk. Wireless networks also help resolve the fairly ubiquitous problem of having too few network connections in conference rooms, and the fact that the conference room network connections are always at the least functional location possible.

The convenience of wireless networks comes with a price though. Wired network access can be controlled because the data is contained within the cabling that connects the computer to the switch. With a wireless network, the “cabling” between the computer and the switch is called “air”, which any device within range can potentially access. If a user can connect with a wireless access point from 300 feet away, then in theory so can anyone else within a 300 foot radius of the wireless access point.

Threats to Wireless Network Security

Aside from the threat of unauthorized users accessing your network and eavesdropping your internal network communications by connecting with your wireless LAN (WLAN), there are a variety of threats posed by insecure, or improperly secured WLAN’s. Here is a brief list with descriptions of some of the primary threats:

• Rogue WLAN’s – Whether your enterprise has an officially sanctioned wireless network or not, wireless routers are relatively inexpensive, and ambitious users may plug unauthorized equipment into the network. These rogue wireless networks may be insecure or improperly secured and pose a risk to the network at large.
• Spoofing Internal Communications – An attack from outside of the network can usually be identified as such. If an attacker can connect with your WLAN, they can spoof communications that appear to come from internal domains. Users are much more likely to trust and act on spoofed internal communications.
• Theft of Network Resources – Even if an intruder does not attack your computers or compromise your data, they may connect to your WLAN and hijack your network bandwidth to surf the Web. They can leverage the higher bandwidth found on most enterprise networks to download music and video clips, using your precious network resources and impacting network performance for your legitimate users.

Protecting Your Network from Your WLAN

LAN segmentation is used by many organizations to break the network down into smaller, more manageable compartments. Using different LAN segments or virtual LAN (VLAN) segments has a number of advantages. It can enable an organization to expand their network, reduce network congestion, compartmentalize problems for more efficient troubleshooting, and improve security by protecting different VLAN’s from each other.

The improved security is an excellent reason to set your WLAN up on its own VLAN. You can allow all of the wireless devices to connect to the WLAN, but shield the rest of your internal network from any issues or attacks that may occur on the wireless network.

Using a firewall, or router ACL (access control lists), you can restrict communications between the WLAN and the rest of the network. If you connect the WLAN to the internal network via a web proxy or VPN, you can even restrict access by wireless devices so that they can only surf the Web, or are only allowed to access certain folders or applications.