Combat Wi-Fi's tendency to to circumvent traditional firewalls by suggesting your customers install a server that specifically monitors and filters Wi-Fi traffic. This tip, courtesy of SearchNetworking.com, discusses the why and how.
As enterprise Wi-Fi grows, so does the need to protect business networks from wireless intruders and shore up wireless security. Traditional firewalls enforce trust boundaries between wired subnets, but Wi-Fi has a nasty habit of circumventing those established perimeters. Many network operators wage a daily foot war against rogue access points (APs), while engineers struggle to regain control over Wi-Fi access. A Wi-Fi firewall can help you tackle these challenges more efficiently and effectively.
Why deploy a Wi-Fi firewall appliance?The label "Wi-Fi firewall" has been applied to various appliances, including wireless-capable SOHO firewalls (e.g., SonicWALL, WatchGuard) and wireless network gateways (e.g., BlueSocket, Vernier, Cranite). In this article, we use "Wi-Fi firewall" to describe servers that monitor and filter Wi-Fi traffic, blocking unauthorized 802.11 usage and attacks while still in the air.
Commonly known as wireless intrusion prevention systems (WIPS), these appliances provide full-time security policy enforcement throughout your entire wireless LAN (WLAN). Instead of requiring someone to periodically check every floor of every building to find rogue APs, a Wi-Fi firewall continuously watches for rogue traffic, automatically disconnecting any new AP. Instead of depending on employees to use Wi-Fi safely, a Wi-Fi firewall can disrupt non-compliant sessions to prevent confidential data disclosure.
Adding a Wi-Fi firewall to your customer's networkDeploying a Wi-Fi firewall involves installing a central server in the NOC and positioning remote sensors throughout the offices ("air space") to be monitored. Sensor network planning is essential to avoid coverage holes in locations like stairwells where intruders might lurk unobserved.
Most appliances use overlay networks of dedicated sensors. Some can also use regular APs that watch for rogues in their spare time. Dedicated sensors have better observation and prevention capabilities, but require more up-front investment to purchase, mount, power and cable. Sensors that support Power over Ethernet and/or daisy-chaining can reduce that cost. Communication between remote sensors and the central server usually requires modest bandwidth, but a large remote office with limited WAN access may deserve its own server.
Choosing the right Wi-Fi firewallAs with any security appliance, it is critical to choose a Wi-Fi firewall that can enforce your customer's security policy. If your customer bans Wi-Fi, look for an appliance that focuses on effective rogue containment without a lot of setup. If your customer has a large WLAN, look for an appliance that lets you define and enforce Wi-Fi security rules with sufficient granularity and scalability. There is no substitute for in-situ trials, but reading product reviews can help.
Another common concern is manageability -- particularly in large WLANs where the volume of events can be overwhelming. Look for features that zoom in, drill down and otherwise break a big problem into digestible pieces. Templates, hierarchical rules and self-configuration capabilities also help.
Finally, a wireline firewall can discard bad packets, but a wireless firewall must run active interference, sending 802.11 frames to kick rogues off the air. Wi-Fi containment techniques vary in both effectiveness and impact on authorized users. (Read more on wireless session containment.)
Finding a Wi-Fi firewallCapabilities described herein are available in both software and hardware packages. Some companies like to install software (e.g., AirMagnet Enterprise) on their own server platform. Others prefer turnkey appliances to speed and simplify deployment.
Those in the market for a Wi-Fi firewall appliance may want to consider these hardware products:
About the author
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in network security and management technology. Lisa has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for over 20 years. At Core Competence, she has advised large and small companies regarding security needs, product assessment and the use of emerging technologies and best practices. Lisa teaches about wireless LANs, mobile security and virtual private networking at many industry conferences and on-line webinars. Lisa's WLAN Advisor column is published by SearchNetworking.com, where she is a site expert on wireless LANs. She also has written extensively about network infrastructure and security technologies for numerous publications including Wi-Fi Planet, ISP-Planet, Business Communications Review, Information Security and SearchSecurity.com.
This tip originally appeared on SearchNetworking.com.
This was first published in December 2006