Guide to Wireless LAN Security
Top 5 Questions for WLAN Security Vendors
By Lisa Phifer
Many companies that have dabbled in Wi-Fi for best-effort Internet and email are ready to turn the crank on pervasive enterprise WLANs to support mission-critical applications. During this expansion, security will be crucial. What questions should enterprises ask of prospective WLAN security vendors?
#1: Are you ready for 802.11n?
From site survey and planning to WLAN analysis and Wireless IPS, most security products will require software updates and/or hardware upgrades for 802.11n. Today, ask about features for modeling, detecting, and decoding both pre-N and 802.11n draft 2.0 protocols. Next year, those features will require updates to align with the final 802.11n standard. When it comes to security, blind spots are unacceptable. A security product that cannot see what an 802.11n AP or station is doing puts your network at risk.
#2: How do you secure VoFi and multimedia traffic?
WLAN equipment is being scaled and refined to support the stringent demands of voice and multimedia. Security and performance are often pitted against one another, and minor annoyances for data will quickly become show stoppers for latency-sensitive or high-throughput applications. Enterprises should ask WLAN vendors how they secure such applications, and what impact various security settings have on capacity and quality. WLAN planning systems must be able to consider these application needs, while WLAN analysis and IPS will need to offer meaningful interpretation, like the ability to differentiate between basic interference and targeted VoFi attacks.
#3: Do you have a knack for NAC?
Network Access Control (NAC) is poised to take enterprise networks by storm, with broad impact on both wired and wireless LANs. Fortunately, most wireless APs can use 802.1X to fit nicely into any flavor of NAC. But don't make assumptions. Enterprises should ask WLAN vendors how the APs and controllers they buy can be plugged into existing Cisco/Microsoft/TCG architectures. Look for capabilities like policy-based virtual APs, wireless isolation of unknown/infected clients, and 802.1X/VLAN mapping. Also ask about VLAN support in WLAN analyzers and IPS, and integration between Host WIPS agents and NAC agents.
#4: Security vs. scalability
As WLANs grow, tasks that were once practical and feasible will quickly become onerous, even impossible. Scalability certainly applies to WLAN security tools. Ask about WLAN planning and automation features that help minimize time-consuming site surveys. Inquire about WIPS capacity and reliability in large, distributed networks with hundreds of sites and thousands of APs. For example, deauthenticate-based blocking will have a tough time scaling without saturating the affected channels and sensors. In a large WLAN, diagnosing interference through ad hoc, on-site sampling simply won't cut it – ask about WIPS-integrated spectrum analysis.
When it comes to total cost of WLAN ownership, task automation and process integration are key. Pinching pennies on less-capable security platforms could end up costing a bundle by requiring on-site staff and tools for investigation and remediation. Look for role and regional delegation of WLAN security administration, monitoring, and reporting tools. Ask about centrally-initiated investigative aids, like the ability to use a remote sensor for traffic capture. Finally, look for opportunities to leverage existing security management infrastructure, like integration between WLAN authentication and Identity Management systems, or between WLAN alerts and Security Event Management Systems (SEMS).