
How to protect a corporate Wi-Fi network

Initially, the use of Wi-Fi networks in companies was restricted to providing convenient Internet access in halls or conference rooms. In that role, performance requirements were modest and Wi-Fi played a secondary part in the IT infrastructure. However, over the past decade alone, a vast range of wireless devices has appeared, from toys to serious, industrial-grade equipment. Homes and offices are filled with all sorts of smart devices, most of which can connect to a Wi-Fi network.

Today, technologies for transmitting information without wires have evolved to such an extent that they are already used on a par with the main communication channels. Wi-Fi is so easy and at the same time firmly entrenched in our lives that without it, people, frankly, begin to experience discomfort.

Wi-Fi and businesses

What about businesses? The importance of Wi-Fi both for providing various services to customers and employees and for managing and receiving data from technological facilities, coupled with the interoperability of IoT devices, is increasing every year. Examples include the organization of a comfortable client area, the operation of online cash desks and terminals, smart television, identification of a target audience, logistics in warehouses, and the coverage of stadiums.

Today, wireless communications compete with wired counterparts and are not inferior to them in terms of several important parameters: bandwidth, readiness to simultaneously support multiple communication channels, and resistance to unauthorized access attempts. In hospitals, Wi-Fi networks are used to access patient data, monitor patients remotely, collect telemetry from sensors, and more. Retail and manufacturing use them for logistics and trade.

As for offices and small branches of companies, they use Wi-Fi as the only way to access the enterprise network, applying the All-Wireless Office concept. This provides both the freedom to change the network architecture without the problems of recabling (which reduces costs) and the freedom to choose a suitable workplace model. Also, more and more often, Wi-Fi networks are used to transmit voice and video content, which, as we know, is very sensitive to interference.

Note that in modern realities, Wi-Fi is not built just in case: it solves real business problems. Every company has some kind of wireless network, be it a single wireless router or a large distributed network of access points. In both cases, it can be divided (conditionally, of course) into two categories:

• business-grade Wi-Fi, built upon strict rules and featuring an integrated approach for handling business routines;

• consumer-grade Wi-Fi, operating in accordance with similar rules but unsuitable for handling important business routines for a number of reasons.

Consumer Wi-Fi

This type of digital infrastructure is to be understood as a set of wireless entities, including conventional routers, most of them chaotically scattered across different parts of the enterprise. Ideally, each should be installed and configured by an IT service employee, but in practice the set may include, for example, devices with a built-in GSM module brought in good faith by ordinary employees, as well as access points operating both with and without a controller.

In fact, even a large corporate Wi-Fi network might fall into the consumer category. Any router with a Wi-Fi module or any access point fulfills its intended function as it emits signals into the air. However, business-grade Wi-Fi has to be built on technologies of the appropriate level and observe strict rules rather than just being a collection of boxes with antennas. But why can’t a secure, high-quality wireless network be implemented that way? What are the weaknesses of garden-variety consumer networks that make them unsuitable for enterprise purposes?

Let’s get down to business: why consumer Wi-Fi will not do

You can, of course, argue that consumer-grade Wi-Fi is secure enough as long as the SSID is hidden, a network password and WPA2 are set, and the advanced settings even include WPA3. Moreover, only certain MAC addresses are allowed to connect. But modern realities are such that spoofing an authorized MAC is not a problem, nor is retrieving a hidden SSID (lots of free applications can do the trick). The only real obstacle is the password, but with enough effort and some social engineering, this is no big deal either. After all, many users keep files containing their most secret passwords in the most exposed places.

The network security techniques above worked just fine a decade ago. Nowadays, leveraging them without extra layers of protection may create a major gap in a company’s security posture. This applies to both modern wireless and wired networks. Spending huge funds on security, both in software and hardware areas, and at the same time leaving Wi-Fi without proper attention makes no sense.

It is important to realize that security is a process. It is a continuous, ongoing activity. It is always movement, always analysis, always monitoring, always decision-making. At times, it requires immediate intervention, and at times, a lengthy analysis to review the correlation of various kinds of events.

Lack of real-time monitoring and event logging

Together with the weaknesses above, this greatly aggravates the situation, as we do not know at all who and what is connecting to us. Even if we are behind the proverbial door with seven locks (we allow recognized devices only, all the staff is in-house), we do not know what is going on around us. What is happening over the air? How are the access points working? Are there any problems with customers, employees, or equipment to be connected? At best, customers, employees, and terminal equipment administrators can report the issues they have faced. To say the least, this is a far cry from a robust arrangement. As a result, the IT service:

• does NOT know the situation (let us clarify that we are talking only about wireless networks);

• does NOT know about an impending or existing problem;

• is NOT notified of attempts to connect to the network;

• does NOT have clear, correct, and reasonable answers when questions arise about the operation of the network as well as the events that have occurred in it and, eventually, does not have the opportunity to rectify the situation and put an end to the problem.


Lack of centralized governance

Today, even small businesses are moving away from standalone decentralized Wi-Fi networks, which are expensive to operate, difficult to defend against intrusion, and even harder to scale. By leaving the wireless network without centralized, unified management, we have a set of discrete access points, each independently configured and maintained. It is not uncommon for every branch of a company to deploy its independent Wi-Fi with in-house administrative staff. 

Therefore, the complexity of maintaining a network built this way is enormous and grows as new devices are added. Also, the Wi-Fi network diversity spawns problems with the implementation of its security system. These problems are not limited to the connection to the access point but also make it impossible to determine the correlation of attack events that would take into account all access points in the coverage area. For a full correlation and comparison of various kinds of attacks and intrusions, it is important to have the big picture of what is happening over the air and see the attack vector.

Problems also emerge in the case of interference when joint dynamic radio resource management (RRM) is not feasible. It is worth noting that there are autonomous, disparate Wi-Fi networks consisting of dozens of access points, but the effective operation of such an infrastructure depends on the availability of highly qualified wireless network engineers who write scripts for mass management of all access points, control over the Simple Network Management Protocol (SNMP), statistics collection, etc. In any case, this is a very non-trivial approach, and a dangerous one in the long run because such a solution becomes hard to maintain once the engineer who wrote the custom tooling leaves the company.

This is not to say that such an approach offers only disadvantages and is fully unacceptable. Of course not. While such a solution is not suitable for large-scale wireless networks, it works well for offices with up to five access points. In a network with dozens of access points and no proper management, it will be costly and bring a lot of problems.

Business-grade Wi-Fi

Business-grade or enterprise Wi-Fi really means more than controllers and access points. A controller with access points used to be a decent option for companies and covered a wide range of tasks, but in the current environment, it is clearly not enough. Therefore, a good, high-quality corporate Wi-Fi solution cannot exist on its own. In modern realities, it is a suite of technology solutions and products.

Why? Because a suite comprises a number of tools that work both together and separately, where each one takes on the load and does its part of the work. When brought together, they compose one large system designed to help simplify and solve the entire range of tasks that arise today in relation to the Wi-Fi network. Let’s take a look at this ecosystem from different angles.

Management and monitoring as one of the most important aspects

Imagine a company with only 10 access points, all of them, for simplicity, in one building. The IT staff can easily handle that load on their own and administer such a number of devices. They carry out updates, adjust the signal level (if, of course, the access point supports this and the employees have the competence to do it), and perhaps even handle security tasks such as changing passwords.

Everything seems fine. But what if there are more access points, let’s say 100 or 500 (or even 1000), and in addition they are distributed across branches? What if business circumstances require adding a new Wi-Fi network? Or what if you decide to standardize network names for certain tasks and need to visit every access point to register the SSID?

What about updates? This applies to both scheduled and unscheduled updates, when, for instance, a vulnerability is found in the software and the vendor releases a patch? And what if you need to carry out an inventory or modernization? Also, do not forget about the daily, routine maintenance tasks.

All of that is complicated, cumbersome, and labor-intensive. Thus, the problem of managing a wireless network becomes a very difficult task. Hence the conclusion: corporate Wi-Fi must have centralized management. One place of management, one place of control over all access points, one console, whether it is 100 or 1000 access points. Everything should be in a single place.
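The kind of fleet-wide check a central management console performs, as an added example that is not code from the original article or from any vendor's product: every access point's exported configuration is compared against one security baseline (required SSIDs and their allowed security modes, minimum firmware, management and SNMP settings). The AP records, SSID names, version numbers and community strings are constructed for illustration; a real deployment would read them from the controller's export instead of a hard-coded list.

```python
"""Audit a fleet of access-point configurations against one security baseline.

Added example, not code from the original article or any vendor's console.
All AP records, SSIDs, versions and SNMP community strings are constructed.
"""
from dataclasses import dataclass


@dataclass
class ApConfig:
    name: str
    firmware: str            # dotted version string as exported by the AP
    ssids: dict              # SSID name -> security mode configured on this AP
    default_mgmt_password: bool
    snmp_community: str


# The single baseline every AP must match (constructed values).
BASELINE = {
    "min_firmware": "8.10.2",
    # Required SSIDs and the security modes each one may use.
    "ssids": {
        "corp": {"wpa2-enterprise", "wpa3-enterprise"},
        "guest": {"wpa2-psk", "wpa3-sae", "open-captive"},
    },
    "weak_snmp_communities": {"public", "private"},
}


def parse_version(text):
    """'8.10.2' -> (8, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_ap(ap, baseline=BASELINE):
    """Return the list of findings for one AP (an empty list means compliant)."""
    findings = []
    if parse_version(ap.firmware) < parse_version(baseline["min_firmware"]):
        findings.append(f"firmware {ap.firmware} is below baseline {baseline['min_firmware']}")
    # Every configured SSID must be a baseline SSID using an allowed mode.
    for ssid, mode in ap.ssids.items():
        allowed = baseline["ssids"].get(ssid)
        if allowed is None:
            findings.append(f"SSID '{ssid}' ({mode}) is not in the baseline")
        elif mode not in allowed:
            findings.append(f"SSID '{ssid}' uses {mode}; allowed: {sorted(allowed)}")
    # Every baseline SSID must be present, so clients roam to the same names everywhere.
    for ssid in baseline["ssids"]:
        if ssid not in ap.ssids:
            findings.append(f"required SSID '{ssid}' is not configured")
    if ap.default_mgmt_password:
        findings.append("management interface still uses the vendor default password")
    if ap.snmp_community in baseline["weak_snmp_communities"]:
        findings.append(f"SNMP community '{ap.snmp_community}' is a well-known default")
    return findings


def audit_fleet(aps, baseline=BASELINE):
    """Map each AP name to its findings: one view that covers the whole fleet."""
    return {ap.name: audit_ap(ap, baseline) for ap in aps}


# Constructed fleet export: one compliant AP, one neglected branch AP, one with a stray SSID.
SAMPLE_FLEET = [
    ApConfig("hq-ap-01", "8.10.2",
             {"corp": "wpa2-enterprise", "guest": "open-captive"}, False, "m0n1tor-ro"),
    ApConfig("branch-ap-07", "7.4.0",
             {"corp": "wpa2-psk", "guest": "open"}, True, "public"),
    ApConfig("warehouse-ap-12", "8.10.2",
             {"corp": "wpa2-enterprise", "guest": "wpa2-psk", "scanner-legacy": "wep"},
             False, "m0n1tor-ro"),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET).items():
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

The allow-list per SSID is deliberate: listing permitted modes catches both an SSID that silently fell back to a pre-shared key and an SSID nobody in IT knows about, which is exactly the information the "one console" argument above says a distributed fleet cannot otherwise provide.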

As we all know, wireless networks use radio waves to propagate a signal, and, most importantly, the medium works in half-duplex mode: at any given time, only one party can transmit, and a violation of this rule causes collisions. True, Wi-Fi is a shared broadcast medium where everyone hears everyone else. However, not in the sense that they see the transmitted data: after all, traffic between the access point and the client is encrypted.

This part should be clarified: devices operating in the same frequency range hear each other, while devices on non-overlapping channels do not compete for the transmission medium. Also, the operation of wireless networks is affected by interference from Bluetooth devices, wireless mice and keyboards, microwave ovens, etc. In addition to external interference, access points often interfere with each other. There are various reasons for that, the most critical being as follows:

• failure to calibrate the transmitter power (using a sledgehammer to swat a fly);

• wrong placement of the access point, vertically or horizontally, with antenna direction not taken into account;

• channel (frequency) planning has not been performed, so signals overlap and interfere.

All of the above badly degrade the radio environment. Signals get superimposed on each other and change their trajectory when reflecting off various objects. Radio waves in the same frequency range affect each other and corrupt the transmitted data. The information reaches the recipient as a garbled mess and is discarded by the device, since it fails the integrity check or cannot be reconstructed into the original data. Connected clients suffer and retransmit. This leads to network congestion, wasted wireless bandwidth, and increased load on the access point.

Of course, given that modern IT requires the automation of routine (and not only) tasks, it is impossible to imagine a wireless network without centralized management and monitoring. So what do they give us? First of all, it is the ability to see and observe what is happening over the air, as well as to react and influence various situations. The total cost of owning a Wi-Fi network is reduced by unifying the processes for introducing new segments and accelerating the deployment of services based on it, as well as simplifying the operation of the network through a uniform management approach.

Centralized management also speeds up the IT service's response to business needs. It allows the policies and parameters of the wireless network to be configured flexibly at any time and at any point, and standardizes AP configuration processes and software version control. An important component of corporate Wi-Fi is the ability to position wireless clients, both to identify their location and to support various industrial systems.

The vast majority of Wi-Fi problems stem from poor design and a lack of proper radio site surveys. Again, centralized management and monitoring tools can help overcome this and provide guidance for solving the problem. Naturally, they will not move access points to the places required for high-quality operation of the wireless network, but monitoring will keep you abreast of the problems and gaps. It remains only to act on this data and eliminate the shortcomings.

Security as an integral part of a corporate Wi-Fi network

Equipment management is always one way or another related to security. The more technologically advanced the world becomes, the more security matters. Wi-Fi is no exception. A modern wireless network must fully comply with corporate security policies and allow the IT team to modernize and flexibly configure it in case of any changes. When we talk about wireless security, we mean the following system-wide features.

First, flexible configuration of security policies and parameters at any time and at any point in the network, as well as the ability to granularly and comprehensively review the access of devices, employees, and clients to the network. Second, an intrusion prevention system for the wireless network that monitors the surrounding radio air using sensors (usually the same access points that distribute Wi-Fi), examines the data received about radio signal sources, their interactions and unusual activity, and can signal and prevent events that diverge from the configured security policy. Let us highlight the threats that each such system fights against.

Rogue AP is an access point that an attacker controls. The malefactor can fully or partially copy an existing point (for example, the SSID name and MAC address will be identical to those of the legitimate AP) in order to execute various kinds of attacks.

Ad-hoc typically refers to a device brought in by a company employee and used to facilitate network access. In this operating mode, the devices connected to that device’s Wi-Fi gain access to the LAN segment.

DoS refers to the denial of service. In terms of wireless networks, this is mostly a flood of messages about user de-authentication or filling the radio air with useless data (noise) in order to degrade the quality of the network.

Brute force, and attacks that exploit vulnerabilities in encryption and authorization protocols. Thus, most threats are in one way or another related to ensuring the availability and security of the data transmission medium.
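What the wireless intrusion prevention system described above actually does with the frames its sensor access points report, as an added example that is not code from the original article or from any vendor's WIPS: beacons from a BSSID outside the company's inventory that advertise a corporate SSID are flagged as a rogue (evil twin) AP, strongly heard unknown networks as an unauthorized AP or hotspot inside the controlled area, and a burst of deauthentication frames against one BSSID as a DoS flood. The frame records, MAC addresses, SSIDs, RSSI values and thresholds are all constructed for illustration.

```python
"""Minimal WIPS-style detection over a constructed 802.11 management-frame log.

Added example, not code from the original article or any vendor product.
Records imitate what a sensor AP would report (timestamp, sensor name, frame
type, BSSID, SSID, RSSI); every value and threshold here is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Inventory of the company's own access points (constructed values).
AUTHORIZED_BSSIDS = {
    "02:aa:00:00:00:01": "hq-ap-01",
    "02:aa:00:00:00:02": "hq-ap-02",
}
CORPORATE_SSIDS = {"corp", "guest"}

DEAUTH_THRESHOLD = 20   # this many deauth frames for one BSSID ...
DEAUTH_WINDOW = 5.0     # ... within this many seconds is treated as a flood
RSSI_INSIDE_DBM = -65   # heard stronger than this, the transmitter is probably on premises


@dataclass
class Alert:
    kind: str
    bssid: str
    sensor: str
    detail: str


def classify_beacon(frame):
    """Return an Alert for a beacon from an AP outside the inventory, or None."""
    if frame["bssid"] in AUTHORIZED_BSSIDS:
        return None
    if frame["ssid"] in CORPORATE_SSIDS:
        # Our SSID from an unknown BSSID: rogue / evil-twin candidate.
        return Alert("ROGUE_AP_SPOOFED_SSID", frame["bssid"], frame["sensor"],
                     f"SSID '{frame['ssid']}' advertised by unknown BSSID at {frame['rssi']} dBm")
    if frame["rssi"] >= RSSI_INSIDE_DBM:
        # Unknown network heard strongly: hotspot or unmanaged AP inside the building.
        return Alert("UNAUTHORIZED_AP_IN_AREA", frame["bssid"], frame["sensor"],
                     f"SSID '{frame['ssid']}' at {frame['rssi']} dBm")
    return None  # weak, foreign SSID: a neighbour's network, not our problem


def detect(frames):
    """Walk the frame log in time order and return de-duplicated alerts."""
    alerts = []
    reported = set()                    # (kind, bssid) pairs already alerted
    deauth_times = defaultdict(deque)   # bssid -> deauth timestamps inside the window
    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["type"] == "beacon":
            alert = classify_beacon(f)
            if alert and (alert.kind, alert.bssid) not in reported:
                reported.add((alert.kind, alert.bssid))
                alerts.append(alert)
        elif f["type"] == "deauth":
            window = deauth_times[f["bssid"]]
            window.append(f["ts"])
            while f["ts"] - window[0] > DEAUTH_WINDOW:   # slide the window forward
                window.popleft()
            if len(window) >= DEAUTH_THRESHOLD and ("DEAUTH_FLOOD", f["bssid"]) not in reported:
                reported.add(("DEAUTH_FLOOD", f["bssid"]))
                alerts.append(Alert("DEAUTH_FLOOD", f["bssid"], f["sensor"],
                                    f"{len(window)} deauth frames within {DEAUTH_WINDOW}s"))
    return alerts


def build_sample_capture():
    """Constructed frame log: normal traffic plus the three threat types from the text."""
    def beacon(ts, bssid, ssid, rssi, sensor="hq-ap-01"):
        return {"ts": ts, "sensor": sensor, "type": "beacon", "bssid": bssid, "ssid": ssid, "rssi": rssi}

    def deauth(ts, bssid, sensor="hq-ap-02"):
        return {"ts": ts, "sensor": sensor, "type": "deauth", "bssid": bssid, "ssid": None, "rssi": -60}

    frames = [
        beacon(0.0, "02:aa:00:00:00:01", "corp", -40),
        beacon(0.1, "02:aa:00:00:00:02", "guest", -45),
        beacon(0.5, "02:bb:00:00:00:99", "corp", -50),          # evil twin of the corp SSID
        beacon(0.6, "02:cc:00:00:00:10", "CoffeeShop", -85),    # neighbour next door, ignored
        beacon(0.7, "02:dd:00:00:00:20", "Johns-iPhone", -48),  # hotspot inside the office
    ]
    # Deauth flood impersonating hq-ap-01: 25 frames in about two seconds.
    frames += [deauth(1.0 + i * 0.08, "02:aa:00:00:00:01") for i in range(25)]
    # Two ordinary deauths from hq-ap-02 (clients leaving): stays under the threshold.
    frames += [deauth(3.0, "02:aa:00:00:00:02"), deauth(3.5, "02:aa:00:00:00:02")]
    return frames


if __name__ == "__main__":
    for a in detect(build_sample_capture()):
        print(f"[{a.kind}] bssid={a.bssid} sensor={a.sensor}: {a.detail}")
```

The RSSI threshold is what separates "someone else's network" from "an access point on our premises": the same foreign SSID heard at -85 dBm is just a neighbour, while at -48 dBm it is inside the controlled area and warrants a visit. In a real deployment the thresholds would be tuned per site, and the alerts fed into the same event correlation the article calls for, so that a deauth flood seen by several sensors can be located rather than merely counted.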

Mobility also places new demands on the protection of the corporate network, originating not only from the IT service but also from the security service, which ultimately becomes an acute problem that falls on the shoulders of the same IT specialists. Applying the same security policies and principles throughout the infrastructure, from the wired network to the wireless segments, within an end-to-end approach, delivers high levels of control, scalability, performance, and availability.

To sum it up, security is when an IT service:

• knows who, where, how, and when is or was connected to a wireless network;

• sees what is or was going on over the air;

• monitors the appearance of other people’s access points in the controlled area (within the territory of the enterprise);

• provides guest users with unimpeded, controlled Internet access;

• controls staff access to company resources both from corporate devices and from those brought in according to the Bring Your Own Device (BYOD) principle.


Wi-Fi 6, or in a nutshell…

Technologies do not stand still and are developing intensively. Wi-Fi is no exception. Because of the peculiarities of the transmission medium used here, reliability of information delivery is always front and center. This is reflected in the CSMA/CA medium-access method, which lets Wi-Fi deliver data even in the worst conditions. Because of this, you often hear that Wi-Fi is easy. Yes, it really is simple. One access point, two access points, and … it works!

It is very easy to create a wireless network that violates almost all the fundamentals of its deployment, and Wi-Fi will work, but, unfortunately, it will not be adapted to solving business problems.

What makes a wireless network work regardless of circumstances? Let’s note two fundamental points: first, only one device transmits at any given time, and second, everything other than the data itself is transmitted at low, robust rates that every device can decode (this is done for compatibility between different generations of Wi-Fi devices).

Wi-Fi 6, aka 802.11ax, is focused on achieving higher communication parameters, greater client density, and more efficient use of the transmission medium. A brief look at Wi-Fi 6 without going into technical details reveals its advantage: faster and more efficient (if somewhat more complex) interaction with connected devices. Let’s note the main features of this standard.

Modulation: The quality of Wi-Fi transmission is dependent on Quadrature Amplitude Modulation (QAM), which determines the amount of information that can be transmitted in a single signal. In Wi-Fi 6, it reaches 1024-QAM.

OFDMA: Orthogonal Frequency Division Multiple Access. This provides the ability to deliver information to multiple clients at the same time.

MU-MIMO (Multi-User, Multiple Input, Multiple Output): the ability to exchange data with multiple devices simultaneously, focusing on spatial differences between them.

BSS Coloring: a digital code to reduce interference. One of the causes of slow Wi-Fi performance is mutual interference between access points. The Wi-Fi 6 standard allows a device to transmit while another device is also transmitting on the same frequency. To make this possible, access points operating on the same frequency channel use different digital codes (colors). When a client wants to start sending data, it can check the color of the transmission in progress, determine whether it belongs to a different BSS, and decide whether it may transmit anyway.

TWT (Target Wake Time): The access point tells clients the time intervals in which they may wake up, transmit data, and go back to sleep, which lets it serve a large number of clients and predict traffic. 802.11ax clients use less power because they switch off the radio between these intervals yet remain associated with the Wi-Fi network. This approach suits IoT devices that do not transmit constantly and can tolerate some delay between intervals.

Conclusion

Wireless networks themselves provide a huge amount of statistics on their performance and clients. But for such information to make sense, analytical tools are needed that make it possible to understand how applications work, who connects to the network, how and from where, and what connection quality the network provides. A holistic approach allows IT professionals to see each access point individually as well as the big picture, and to identify and troubleshoot network problems remotely.

Today, more and more companies are deploying their corporate Wi-Fi networks in an integrated design, and such solutions always pay off. Benefits and convenience of using a wireless corporate network can only be obtained if it is built according to the rules. With proper design and deployment, the wireless network will:

• be present throughout the entire territory of the enterprise (where it is supposed to be present);

• compete with wired information transmission thanks to modern technologies that increase the speed of data transfer in the wireless network;

• provide reliable protection of corporate data from intruders.

A Wi-Fi network provides the benefits and convenience of increasing overall productivity and employee mobility, coupled with uninterrupted access to information anywhere in the office or even outside of it. It allows you to reduce costs due to the ease of maintenance and more efficient use of space due to the absence of wires. It also provides the ability to quickly and easily connect to the Internet for guests and customers, scalability of services for employees, industrial equipment, IoT, etc.

You should also take into account modern realities and available technologies when architecting a wireless network. Think of incorporating Wi-Fi 6 at the project stage, since it may take years to build the network, and in the next two to three years almost 100% of devices will be compatible with this standard. It includes many good improvements and developments, and it would be wrong to ignore its features from an investment protection point of view. The wireless network must be affordable, reliable, scalable, secure, and efficient.


*** This is a Security Bloggers Network syndicated blog from Radware Blog authored by David Balaban. Read the original post at: https://blog.radware.com/security/2022/02/how-to-protect-a-corporate-wi-fi-network/