September 24, 2020
In today's increasingly wireless world, keeping data safe is becoming steadily more difficult. This is especially true for organizations whose internal devices transfer protected data wirelessly while the organization also has to provide wireless internet access to its clients and vendors. Proper implementation will help ensure data security and regulatory compliance.
As in everything that has to do with IT security and compliance, it starts with planning. To achieve security, three items are required:
1) Separation of the corporate wireless network used to access and process confidential information from all other wireless network traffic
2) Controlled access to the corporate wireless network
3) Mechanisms to monitor access, use, and alert of issues
Conceptually, the connectivity looks like this:
On smaller networks, some, or even all, of these devices can be combined. It is common in smaller environments for the network router and the edge firewall to be one physical device, such as a Cisco ASA or a SonicWALL TZ series firewall. While some of these devices come with built-in wireless access points, using them is not generally recommended unless there are other considerations in play, such as location, type of business, etc.
The devices used in creating secure wireless networks must have the following features:
1) Support for Virtual Local Area Networks (VLANs)
2) Support for management via either console, SSH, or secure web connection
3) Support for the Simple Network Management Protocol (SNMP)
4) The wireless access points must support either Remote Authentication Dial-In User Service (RADIUS) or the Lightweight Directory Access Protocol (LDAP)
Thankfully, most devices sold today across all price ranges will support these.
The main differences between the two wireless networks are the authentication mechanisms and the access provided. The guest network can have a broadcast Service Set Identifier (SSID) that everyone can see, with a simple password-based or web-based authentication mechanism. I would highly recommend using web-based authentication, as it allows for a written disclaimer and acknowledgement process that can be monitored and logged.
The process looks like this:
For the corporate network, the process is more complex. Turn off the broadcast of the network SSID. To ensure that only appropriate devices can access the internal wireless network, it is necessary to implement hardware-address-based access controls, such as an allowed Media Access Control (MAC) address policy. In addition, clients will need to authenticate to an internal authentication server via either LDAP or RADIUS in accordance with the internal company access policy, which should include provisions for password complexity, periodic changes, and multi-factor authentication.
The last step is to set up a monitoring mechanism that will alert if there is unauthorized access to either the wireless networks or the devices providing access and managing the flow of data.
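As an added illustration of that monitoring step (example code written for this edit, not part of the original post or of any vendor product), the script below scans access-point log lines for the two conditions the article describes: a device outside the MAC allow-list associating to the corporate SSID, and repeated RADIUS/LDAP authentication failures from an allowed device. The log line format, the allow-list, the SSID name and the sample lines are all constructed assumptions; real controller logs differ.

```python
import re
from collections import Counter

# Constructed allow-list and SSID name; a real deployment pulls these from inventory.
ALLOWED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
CORP_SSID = "CORP-INTERNAL"      # assumed name of the non-broadcast corporate SSID
FAIL_THRESHOLD = 3               # repeated auth failures from one MAC raise an alert

# Hypothetical AP log line shape: "<ts> assoc ssid=<ssid> mac=<mac> auth=<ok|fail> [user=<name>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) assoc ssid=(?P<ssid>\S+) mac=(?P<mac>[0-9A-Fa-f:]{17}) "
    r"auth=(?P<auth>ok|fail)(?: user=(?P<user>\S+))?$"
)

def scan(lines):
    """Return a list of alert strings for the given access-point log lines."""
    alerts = []
    failures = Counter()          # auth failures seen per MAC on the corporate SSID
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            alerts.append(f"UNPARSEABLE: {line}")   # unknown format is itself worth a look
            continue
        f = m.groupdict()
        if f["ssid"] != CORP_SSID:
            continue              # guest SSID is monitored by the captive portal, not here
        mac = f["mac"].lower()
        if mac not in ALLOWED_MACS:
            alerts.append(f"ALERT {f['ts']} non-allowlisted MAC {mac} associated to {CORP_SSID}")
            continue
        if f["auth"] == "fail":
            failures[mac] += 1
            if failures[mac] == FAIL_THRESHOLD:
                alerts.append(f"ALERT {f['ts']} {FAIL_THRESHOLD} auth failures from {mac} (user={f['user']})")
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not captured from a real network
    "2020-09-24T08:00:01 assoc ssid=CORP-INTERNAL mac=AA:BB:CC:00:00:01 auth=ok user=jdoe",
    "2020-09-24T08:00:05 assoc ssid=GUEST mac=11:22:33:44:55:66 auth=ok",
    "2020-09-24T08:01:10 assoc ssid=CORP-INTERNAL mac=de:ad:be:ef:00:01 auth=fail user=jdoe",
    "2020-09-24T08:02:00 assoc ssid=CORP-INTERNAL mac=aa:bb:cc:00:00:02 auth=fail user=asmith",
    "2020-09-24T08:02:03 assoc ssid=CORP-INTERNAL mac=aa:bb:cc:00:00:02 auth=fail user=asmith",
    "2020-09-24T08:02:07 assoc ssid=CORP-INTERNAL mac=aa:bb:cc:00:00:02 auth=fail user=asmith",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running it against the sample prints two alerts: one for the unknown MAC and one for the third failure from the allowed device. In practice the alert strings would go to the SNMP trap receiver or SIEM that the rest of the article assumes.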
When planning and implementing a secure wireless network infrastructure, make sure to have appropriate data access, wireless access, and password policies in place as well as an appropriate infrastructure to manage the implementation of these policies.
Feel free to reach out with any questions or comments.