How to manage access control for Embedded Wi-Fi devices

Source: Internet
Author: User

Enterprises have developed access policies for employee and visitor smartphones, tablets and laptops on the enterprise wireless LAN. But how should they manage embedded Wi-Fi devices that have no user interface at all?

In early wireless LANs, "clients with embedded Wi-Fi" usually meant bar code scanners, point-of-sale terminals, voice-over-IP handsets or other special-purpose devices, and access control for them was generally loose. The methods used included MAC address and protocol filters, hidden SSIDs and static WEP keys. These methods reduce accidental connections and discourage (but do not reliably prevent) unauthorized embedded devices from joining the wireless LAN.

Today, this security-through-obscurity policy is clearly inadequate for Wi-Fi-enabled consumer electronics. From wireless printers and cameras to media players and displays, the enterprise network is being flooded with devices that have Wi-Fi built in. The problem is that these devices differ from the earlier ones and do not fit well into existing policies and IT processes. Banning them is not feasible, and MAC address filtering alone does not achieve real control. IT must therefore find ways to allow secure use while avoiding unacceptable risk or cost.

Control embedded Wi-Fi devices with WPA2-Personal

Among the access control methods for embedded wireless LAN devices, one that is often overlooked is WPA2-Personal: Pre-Shared Key (PSK) authentication with AES encryption. The word "Personal" signals that this method was not designed as an enterprise wireless LAN policy, and a PSK is not recommended for devices that can be controlled effectively with WPA2-Enterprise. However, a PSK is a viable alternative for consumer electronics that support neither WPA2-Enterprise nor device authentication.

Today all Wi-Fi certified consumer electronics must support WPA2-Personal, and over 1800 devices support Wi-Fi Protected Setup (WPS). WPS is an easy way to enable WPA2-Personal in a relatively strict manner on devices with a small or non-existent input interface.

To use WPS, find the unique WPS PIN printed on the client device's packaging or shown on its LCD setup panel, then enter that PIN on the WPS setup page of the AP or controller. The two parties complete a security handshake during which the client receives a randomly generated PSK. Some WPS clients also support push-button or Near-Field Communication (NFC) setup as an alternative to PIN-based setup. Either way, WPS not only installs the PSK automatically but also generates long random PSKs that are strong enough to resist attack.

Once an embedded device has authenticated this way, ordinary policy can be used to control its traffic. Each SSID is mapped to a VLAN, and traffic is prioritized and filtered by protocol to suit different device types and services. For example, a wireless printer can be made reachable only over print protocols, while Telnet, SNMP and other unexpected packets that might be used to attack the embedded device are blocked.
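The per-SSID VLAN mapping and per-protocol filtering just described, as an added example that is not part of the original article: a small policy evaluator run over constructed flow records. The SSID names, VLAN numbers, the "key=value" record format and the allowed print ports (IPP 631, LPD 515, raw 9100, plus mDNS for discovery) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed SSID -> VLAN mapping for the device SSIDs (assumption).
SSID_TO_VLAN = {"corp-printers": 30, "corp-media": 40}

# Per-VLAN allowlist of (proto, dst_port) that may reach devices on that VLAN.
# Printer VLAN: print protocols only; media VLAN: constructed media ports.
VLAN_ALLOW = {
    30: {("tcp", 631), ("tcp", 515), ("tcp", 9100), ("udp", 5353)},
    40: {("tcp", 8080), ("udp", 1900)},
}
# Management protocols the article names (plus SSH) are denied on every device VLAN.
ALWAYS_DENY = {("tcp", 23), ("udp", 161), ("tcp", 22)}


@dataclass(frozen=True)
class Flow:
    ssid: str
    proto: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' flow record into a Flow."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["ssid"], fields["proto"].lower(), int(fields["dport"]))


def decide(flow: Flow) -> str:
    """Return an allow/deny verdict with the reason, default deny."""
    vlan = SSID_TO_VLAN.get(flow.ssid)
    if vlan is None:
        return "deny:unknown-ssid"
    key = (flow.proto, flow.dst_port)
    if key in ALWAYS_DENY:
        return "deny:management-protocol"
    if key in VLAN_ALLOW.get(vlan, set()):
        return f"allow:vlan{vlan}"
    return f"deny:vlan{vlan}-default"


# Constructed sample flow log (not real traffic).
SAMPLE_LOG = """\
ssid=corp-printers proto=tcp dport=9100
ssid=corp-printers proto=tcp dport=23
ssid=corp-printers proto=udp dport=161
ssid=corp-media proto=tcp dport=8080
ssid=corp-media proto=tcp dport=9100
ssid=guest-iot proto=tcp dport=80
"""


def evaluate(log: str = SAMPLE_LOG) -> list:
    """Evaluate every non-empty record in the log; returns (Flow, verdict) pairs."""
    flows = [parse_flow(ln) for ln in log.splitlines() if ln.strip()]
    return [(f, decide(f)) for f in flows]
```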

Use Wi-Fi Direct to manage traffic from embedded Wi-Fi devices

WPS has never been widely supported by enterprise APs and controllers. However, every Wi-Fi Direct certified product is required to support WPS. This peer-to-peer Wi-Fi Alliance specification lets simple devices connect directly to one another without an AP and without the traditional ad hoc Wi-Fi mode. Devices that support Wi-Fi Direct can discover other devices and form a Wi-Fi Direct "group" of two or more devices. These self-organizing groups are meant to simplify the Wi-Fi connections needed for tasks such as file sharing and printing between consumer electronics.

For ease of use and traffic separation, enterprises may wish to authorize Wi-Fi Direct selectively. For example, the network team may want to let users print wirelessly without that traffic ever crossing the enterprise network. To coexist with the enterprise wireless LAN, Wi-Fi Direct defines a "managed device" option that IT can use to control the channel and transmit power used by Wi-Fi Direct. However, no products support this option yet, so it is too early to say what the actual impact of Wi-Fi Direct on the enterprise wireless LAN will be.

More methods for verifying embedded Wi-Fi devices

To support WPA2-Enterprise authentication, embedded Wi-Fi devices also need 802.1X credentials that work without user intervention, such as device certificates. These are not yet widely used in consumer electronics, but higher-end devices support EAP-TLS with enterprise-issued certificates. For example, some devices provide a TPM chip for secure key storage, or a dedicated slot for an external smart card or USB token that holds the certificate.

In addition, Wi-Fi devices that implement Cisco Compatible Extensions (CCX) also support EAP-FAST. This EAP type lets the enterprise issue a Protected Access Credential (PAC), which can secure non-interactive 802.1X authentication without using digital certificates. CCX-certified devices currently include Wi-Fi voice handsets, laptops, ruggedized handheld devices and some smartphones.

Another authentication alternative for GSM smartphones is EAP-SIM, an EAP type that identifies the device through its Subscriber Identity Module (SIM). For UMTS smartphones, EAP-AKA provides similar functionality. These credentials are more likely to be used by mobile carriers than by ordinary enterprises, but they also play an interesting role in Wi-Fi/3G roaming. In particular, the Wi-Fi Alliance is now developing a hotspot certification program based on IEEE 802.11u, which helps converged mobile devices such as smartphones and tablets roam transparently. A certified device could discover the best nearby hotspot and connect to it using EAP-SIM, EAP-AKA or WPA2-Enterprise without interruption or user intervention. Operators could then use roaming protocols to implement call/session handover and billing, giving a user experience similar to today's cellular voice roaming.

Access control options for embedded Wi-Fi devices are still uneven, and they depend heavily on the device type, its Wi-Fi security features (including the EAP types it supports) and the intended use of the service. Note that device fingerprinting may also play a role here, providing visibility of embedded devices without manual IT effort. Enterprises should keep an eye on this area and consider creative, "out-of-the-box" policies that meet access control needs without exposing the enterprise wireless LAN to major risk.
