How to deploy a secure wireless network with existing facilities

Source: Internet
Author: User
Tags: client

Business needs are driving enterprise mobility requirements ever higher, and security risks follow close behind. Solutions to specific security issues exist, but an integrated approach is needed that leverages the wired network infrastructure already present in the corporate network to enhance security for WLANs (wireless local area networks).

The development of Enterprise WLAN

Corporate WLANs have grown rapidly and are no longer simply the cheap access points that cover a home or small-office wireless network. Two main drivers lie behind WLAN deployments. The first is to increase productivity by providing wireless access to employees or customers using notebooks.

The second driver is to use wireless to replace the wired infrastructure, propelled by advanced technologies such as the 802.11n standard. Wireless speeds of up to 170Mbps and the ability to build an enterprise-wide wireless network have made wireless technology a credible alternative to wired. In addition, many effective techniques have been developed to help determine optimal network coverage, avoid overlapping cells, and make better use of spread spectrum to reduce collisions and maximize performance. While the focus is on performance, the real benefit of wireless is the mobility it brings to productivity.

Growing mobility Security Risks

However, mobility also brings many security risks and problems. Because wireless endpoints are not fixed, companies are more comfortable with the security of the wired network than with wireless: the wired network is protected by the building's solid walls and doors, and by the access-card and user-authentication infrastructure. Because wireless networks can easily be reached by people outside the building, they are more susceptible to theft, intrusion and various forms of anonymous attack.

Of course, a number of techniques have been developed to try to address these issues, from WEP to LEAP, WPA, 802.1X, and the embedding of IPSec VPNs in the client and access infrastructure. All of these methods have certain limitations.

Guest (customer) access is also a major problem for corporate WLANs because of the potential for serious consequences. If a guest uses the enterprise's wireless network to carry out illegal activity, the enterprise that provided the network connection must bear a certain legal responsibility. If the wireless network is compromised or an important database is attacked, the negative impact on the business is even worse. Consequences may include fines, lawsuits and loss of reputation.


IT departments need to know clearly whether it is a corporate employee's notebook or a guest's notebook that is accessing the wireless network, and traffic must be strongly encrypted whenever a laptop reaches the corporate network over the WLAN. IT departments should also use existing infrastructure, such as Active Directory, to authenticate employees, and should expect guests to undergo equivalent validation.

Limitations of the current solution

Many enterprise-class WLAN solutions can address these problems, but many of them are expensive and functionally incomplete, offering far weaker encryption and authentication than the common wired infrastructure.

In the wireless world, no single product solves all WLAN security problems, so the problems have to be solved separately. It is therefore not surprising that many solutions are standalone, and that the best results come only from taking the overall solution from a single vendor. A changing market also forces these mobile products to be continually updated and upgraded so that the infrastructure can take full advantage of necessary technology improvements.

Leverage existing wired infrastructure

Given this situation, we should ask whether a different method exists. In the wired world, Layer 2 switches forward packets at tremendous speed, Layer 3 switches and routers connect the networks together, and the authentication infrastructure (such as Active Directory, LDAP and RADIUS) validates users directly. In addition, protective infrastructure such as firewalls and access control lists hardens the network, access technologies such as IPSec and SSL VPN provide external connectivity into the internal network, and there is NAC infrastructure, endpoint security, IDS/IPS, and so on.

Given the existing investment in all of these infrastructure technologies, and the fact that wired and remote users are already deployed behind them, would it not save a great deal of money to place the WLAN infrastructure at Layer 2 and let the existing technologies supply the additional functionality? If we do this, we can use cheap access points, and the wireless controller need be no more capable than a Layer 2/3 switch. This greatly reduces the cost of enterprise wireless deployment, lets enterprises mix and match technology from different vendors, and avoids large-scale lock-in upgrades.

There are also cheaper alternatives that help businesses achieve this. NAC technology has matured to the point where it can automatically admit an endpoint and distinguish enterprise access from guest access. Integrating NAC with SSL ensures that transmission paths are encrypted at all times, and integrating the authentication infrastructure with IPSec and SSL VPN provides validation for employees. Built-in virtualization and the automatic redirection of guests to different virtual ports eliminate the need for separate SSIDs or separate guest-access devices for guests and employees. Default routing and VLAN technology on some SSL VPNs ensure that guest traffic is completely separated from enterprise traffic, and that only this framework can be used to reach other locations.

Authentication issues

A wide range of authentication frameworks allow guests to register for access and to hold a durable token bound to the user's true identity, which can be achieved through a guest registration process, such as one performed at the reception desk. It is even possible to differentiate between types of guest and log them onto different networks.

Deployment of authentication should be automated, and logging and accountability can provide clues associated with extreme behaviour by users accessing the medium, as may be required by law or by a supervisor.
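The pieces described above (employees validated against the existing directory, guests registered at reception with a time-limited token, each client placed on its own VLAN with a separate traffic policy, and every decision logged for accountability) fit together in a small access-decision service. The following is an added example written for this page, not code from the original article or from any vendor's product. The directory lookup is a constructed stand-in for Active Directory/RADIUS, the VLAN numbers, token lifetime, private-address ranges and firewall-rule syntax are assumptions chosen for illustration, and the sample credentials are constructed.

```python
"""Access-decision service for a guest/employee WLAN (illustrative example).

Assumptions (not from the article): VLAN ids, an 8-hour guest token
lifetime, a dictionary standing in for the corporate directory, and a
plain-text rule syntax standing in for real firewall/ACL configuration.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

EMPLOYEE_VLAN = 10     # assumed: routed into the corporate network
GUEST_VLAN = 20        # assumed: default-routed to the Internet only
QUARANTINE_VLAN = 99   # assumed: nothing beyond the captive portal
TOKEN_TTL = 8 * 3600   # assumed: guest tokens last one working day

# Constructed stand-in for the Active Directory / RADIUS lookup.
EMPLOYEE_DIRECTORY: Dict[str, str] = {"alice": "corp-password-1", "bob": "corp-password-2"}

# Constructed: address ranges the guest VLAN must never reach.
CORPORATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass
class Decision:
    identity: str   # who we believe the client is
    role: str       # employee / guest / unknown
    vlan: int       # VLAN the access switch should assign
    policy: str     # corporate / internet-only / portal-only


class AccessController:
    def __init__(self, secret: bytes, now: Callable[[], float] = time.time):
        self._secret = secret                # key for hashing stored tokens
        self._now = now                      # injectable clock for testing
        self._guests: Dict[str, Tuple[str, str, float]] = {}  # token hash -> (visitor, sponsor, expiry)
        self.audit_log: List[str] = []       # JSON lines, one per event

    def _token_key(self, token: str) -> str:
        # Store only an HMAC of the token so a leaked registry is not a leaked credential.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def _log(self, event: str, **fields) -> None:
        record = {"ts": int(self._now()), "event": event, **fields}
        self.audit_log.append(json.dumps(record, sort_keys=True))

    def register_guest(self, visitor: str, sponsor: str) -> str:
        """Reception-desk registration: returns the token handed to the visitor."""
        token = secrets.token_urlsafe(16)
        expiry = self._now() + TOKEN_TTL
        self._guests[self._token_key(token)] = (visitor, sponsor, expiry)
        self._log("guest_registered", identity=visitor, sponsor=sponsor, expiry=int(expiry))
        return token

    def authorize(self, mac: str, username: Optional[str] = None,
                  password: Optional[str] = None, guest_token: Optional[str] = None) -> Decision:
        """Decide VLAN and policy for a client; unknown or expired credentials are quarantined."""
        if username is not None:
            stored = EMPLOYEE_DIRECTORY.get(username)
            if stored is not None and hmac.compare_digest(stored, password or ""):
                d = Decision(username, "employee", EMPLOYEE_VLAN, "corporate")
            else:
                d = Decision(username, "unknown", QUARANTINE_VLAN, "portal-only")
        elif guest_token is not None:
            entry = self._guests.get(self._token_key(guest_token))
            if entry is not None and entry[2] > self._now():
                d = Decision(entry[0], "guest", GUEST_VLAN, "internet-only")
            else:
                d = Decision("guest-token", "unknown", QUARANTINE_VLAN, "portal-only")
        else:
            d = Decision("anonymous", "unknown", QUARANTINE_VLAN, "portal-only")
        # Every decision is tied to the client MAC for later accountability.
        self._log("access_decision", mac=mac, identity=d.identity, role=d.role,
                  vlan=d.vlan, policy=d.policy)
        return d


def policy_rules(d: Decision) -> List[str]:
    """Render a decision as ordered firewall rules (illustrative syntax, not a vendor's)."""
    if d.policy == "corporate":
        return [f"allow vlan{d.vlan} -> any"]
    if d.policy == "internet-only":
        return [f"deny vlan{d.vlan} -> {net}" for net in CORPORATE_NETS] + [f"allow vlan{d.vlan} -> any"]
    return [f"allow vlan{d.vlan} -> captive-portal", f"deny vlan{d.vlan} -> any"]


if __name__ == "__main__":
    ac = AccessController(secret=b"replace-with-a-real-secret")
    print(ac.authorize("aa:bb:cc:dd:ee:01", username="alice", password="corp-password-1"))
    tok = ac.register_guest("Visitor Vince", sponsor="alice")
    g = ac.authorize("aa:bb:cc:dd:ee:02", guest_token=tok)
    print(g, policy_rules(g), sep="\n")
    print("\n".join(ac.audit_log))
```

The design point is that the WLAN itself contributes nothing to the decision: authentication comes from the existing directory, the guest token is created by a registration process rather than a wireless SSID, and isolation is expressed as VLAN assignment plus ordered rules that the existing switches and firewalls already enforce. The guest policy denies the private ranges before the final allow, so a guest on VLAN 20 reaches the Internet but nothing internal, and an expired or mistyped token lands in the quarantine VLAN rather than on the guest network.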
