A wireless local area network (Lan) was once a tool that enabled
guests to access the internet, but today organisations increasingly
rely upon it. Microsoft employees use theirs extensively: 75% of
employees use it every day, and 70% believe it saves them at least
five hours' work a week through increased flexibility.
Modern centrally controlled wireless Lans - even those built on
a global scale like Microsoft's - do not add significantly to the
task of the IT department, and if implemented properly with
authentication, encryption and built-in firewalling, often offer
inherently better security than an existing wired network. VoIP
phones, corporate laptops and handheld scanners can all be used with
the assurance of complete security.
That visitors or consultants connecting to a firewalled guest
network should present no security threat to corporate IT systems
is well understood, but "guest" devices - employees' cellular
telephones with browsers and increasing exchange capability - have
to date presented an issue for the IT department. Today, the
majority of organisations treat such devices in the same way as a
guest - even though the device may be located within the office and
belong to an employee, it is only allowed access to the guest
network and consequently treated as an un-trusted device without
generic access to back-end systems.
However, the popularity of the iPhone, Windows Mobile and
Symbian mobile computing platforms, together with developments in
client applications, will place pressure on IT departments to
accept the latest generation of personal converged phones and PDAs
as mainstream client platforms within the corporate environment,
allowing devices to communicate directly to data stores and
application servers.
Implementations of Fixed Mobile Convergence (FMC) will likely accelerate this
trend, as companies look to avoid the costs associated with
employees making international cellular calls from within the
office. In addition to savings on cellular calls, the organisation
will benefit as a whole from the unification of communications that
derive from staff cellular phones becoming part of the internal
IP-PBX infrastructure.
The challenge now facing senior IT staff is how to walk the
tightrope of diversity - allowing multiple types of personal device
onto the internal network may risk increasing the complexity of
management and potentially compromising security, yet failure to
allow users to access back-end systems from a variety of computing
platforms will result in the organisation losing out on the
benefits that clearly accrue from mobility.
While the question of which devices to allow onto the network
will remain open to debate, the question of how to limit devices
attaching to the network is relatively straightforward.
It is fortunate for most organisations that personal converged
devices such as the iPhone do not come equipped with an RJ45 socket
- as wired networks are traditionally built on the basis of a
"secure perimeter" and once a device is attached to the network it
is assumed to be authorised. In the best wireless networks, such
practices are unheard of because every device has to be considered
un-trusted until authenticated.
Authentication, perhaps combined with Network Access Control (NAC)
or Microsoft's Network Access Policy (Nap), presents an ideal
opportunity to decide which devices to allow onto the network.
While authentication ensures that only authorised users connect
to the internal network, either NAC or Nap will protect the network
from untrusted devices that may be carrying infection, and
ensures that the user remediates their device before it joins the
network. Linking NAC or Nap with a firewall in the wireless network
offers a more robust method of access control than the traditional
VLan or DHCP assignment more commonly associated with wired NAC
implementations, and guarantees that users access only the
appropriate domains or servers.
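The decision chain described above - untrusted until authenticated, quarantined until the posture check passes, then limited by a per-role firewall policy rather than a VLan - as an added toy model that is not part of the original article. All role names, address ranges and health checks are constructed for illustration.

```python
"""Toy model of the wireless access decision: a client is untrusted until
authenticated, a NAC/Nap-style posture check decides whether it is held in
quarantine for remediation, and a role-based firewall policy (not a VLan or
DHCP assignment) decides which internal servers it may reach.
All names, networks and addresses below are constructed examples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("10.0.0.0/8")          # constructed: all corporate space
REMEDIATION = ip_network("10.99.0.0/24")     # constructed: patch / AV servers
# Constructed per-role firewall policy: destinations each role may reach.
ROLE_POLICY = {
    "employee": [ip_network("10.10.0.0/16")],   # general back-end servers
    "voip_phone": [ip_network("10.20.0.0/24")], # IP-PBX only
}


@dataclass
class Device:
    """State the wireless controller knows about one client."""
    authenticated_as: Optional[str]  # role from the authenticated identity, None if unauthenticated
    av_current: bool                 # posture attribute: anti-virus up to date
    patched: bool                    # posture attribute: OS patches applied


def posture_ok(dev: Device) -> bool:
    """Health check a NAC/Nap agent would report; both must hold to leave quarantine."""
    return dev.av_current and dev.patched


def decide(dev: Device, dst: str) -> str:
    """Return 'allow', 'quarantine' or 'deny' for a flow from dev to dst."""
    d = ip_address(dst)
    if dev.authenticated_as is None:
        return "deny"  # every device is untrusted until authenticated
    if not posture_ok(dev):
        # An unremediated device may reach only the remediation servers.
        return "quarantine" if d in REMEDIATION else "deny"
    role = dev.authenticated_as
    if role == "guest":
        # Firewalled guest network: internet only, nothing internal.
        return "deny" if d in INTERNAL else "allow"
    allowed = ROLE_POLICY.get(role, [])
    return "allow" if any(d in net for net in allowed) else "deny"
```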
The wireless Lan evolves - from convenience network to essential
infrastructure.