Interest in protecting organizational wireless networks is growing, and so is the number of guidelines, best practices and standards being proposed and adopted (see Wireless Red Teams). One problem is that terminology is not standardized, which makes it difficult to understand the scope and overlap between guidelines – so let’s start with terminology. WLAN can be any wireless technology used for a LAN. There are a few out there, but Wi-Fi is the best known and most widely used. Wi-Fi (also WiFi) is a trademark of the Wi-Fi Alliance, which owns the profile for devices that implement the IEEE 802.11 WLAN protocols.
So in short, WLAN describes the concept of a wireless LAN; 802.11 is the near-universal technology standard for WLAN; WiFi is the universal implementation of the standard.
A second issue with guidelines is that they often prescribe a “security” dictate (e.g. use a firewall) or a validation mechanism (e.g. audit) rather than security intent (see my previous post on Outcome Based Security and Privacy Control). This means that you can comply with a guideline but not be secure – validating the old adage that compliance isn’t security. For wireless security specifically, there is another issue – the guidelines confound four related, but separate, security domains:
- Airspace: Physical corporate premises extended to include areas from which a corporate SSID is visible. Because it is so different from wired networking, this domain is often the most misunderstood. This makes wireless security as much a CPS (Cyber Physical System) issue as a pure IT issue:
  - Airspace transmission is over the air, visible and with its own boundaries. This is very different from wired networking, which relies heavily on the physical security and boundaries of the network infrastructure. Transmission wires (e.g. CAT7 cable) are secure and usually embedded in concrete. Transmission integrity is taken for granted for wired networks, but that does not hold for the airspace.
  - Airspace is very cluttered with networks and devices, unlike the company LAN. It would be very unusual (to say the least) for an organization to provide wired access from its LAN to the LAN of a nearby Café – but 99% of the time there are many, many “foreign” SSIDs (i.e. the broadcast name of a WLAN) visible in the organization’s airspace – and some of them might be malevolent.
- WLAN connectivity: Because transmission occurs in the open air, here too things are very different than in the wired world. Establishing, maintaining and removing a link to an access point is very different than its wired equivalent, which is plugging an Ethernet cable into the wall.
- WLAN connected devices: This is sometimes very similar to wired network connectivity (once established, the wireless connection can be considered a virtual extension of the wired LAN) – but in many cases the types of devices are quite different. Wireless is becoming the connection medium of choice for many IoT devices, and they have a very different security profile from standard devices like servers and PCs.
- WLAN infrastructure: WLANs have an access point. This is a device with one leg in the WLAN world and another in the wired LAN world. These devices, like any gateway between two networks, must be closely managed and monitored.
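
To make the airspace domain concrete, here is an added example (not from the original post) of a small airspace survey that sorts observed networks against an inventory of corporate SSIDs and managed access point BSSIDs. It goes slightly beyond the text by also flagging corporate or look-alike names seen on access points outside the inventory; all SSIDs, BSSIDs and category names are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

# Assumed inventory (constructed values, not from the article).
CORPORATE_SSIDS = {"ExampleCorp", "ExampleCorp-Guest"}
MANAGED_BSSIDS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}


class Beacon(NamedTuple):
    ssid: str       # broadcast network name
    bssid: str      # access point radio MAC address
    rssi_dbm: int   # received signal strength at the sensor


def classify(b: Beacon) -> str:
    """Place one observed network into an airspace category."""
    known_name = b.ssid in CORPORATE_SSIDS
    # Same name after trimming/case-folding, but not an exact match.
    lookalike = (not known_name and b.ssid.strip().casefold()
                 in {s.casefold() for s in CORPORATE_SSIDS})
    if b.bssid.lower() in MANAGED_BSSIDS:
        # Our own AP: either as expected, or broadcasting a name we did not approve.
        return "managed" if known_name else "managed-ap-unexpected-ssid"
    if known_name:
        return "corporate-ssid-unknown-ap"   # our name on an AP we do not manage
    if lookalike:
        return "lookalike-ssid"
    return "foreign"                          # e.g. the nearby cafe


def survey(beacons):
    """Group observations by category, strongest signal first."""
    report = defaultdict(list)
    for b in sorted(beacons, key=lambda x: x.rssi_dbm, reverse=True):
        report[classify(b)].append(b)
    return dict(report)


# Constructed scan results for illustration.
SAMPLE_SCAN = [
    Beacon("ExampleCorp", "02:00:00:AA:00:01", -48),
    Beacon("ExampleCorp", "02:00:00:bb:00:09", -55),
    Beacon("examplecorp ", "02:00:00:cc:00:03", -60),
    Beacon("CafeNextDoor", "02:00:00:dd:00:04", -72),
    Beacon("PrinterSetup", "02:00:00:aa:00:02", -50),
    Beacon("HomeRouter-5G", "02:00:00:ee:00:05", -81),
]

if __name__ == "__main__":
    for category, items in survey(SAMPLE_SCAN).items():
        print(category, [(b.ssid, b.bssid, b.rssi_dbm) for b in items])
```

Only the "foreign" category is expected background clutter; every other non-"managed" category is something the inventory cannot explain and is worth a follow-up.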
Sound security for wireless access requires management and monitoring for all four components. Harmony group can help understand how.