Many vendors preach integrated wired and wireless LAN security solutions, but some network security pros, like Ruairi Brennan, IT security analyst at The Electricity Supply Board (ESB) of Ireland, don't see the point.
After all, isolating wired and wireless networks keeps vulnerabilities that are unique to the Wi-Fi network away from the wired network, says Brennan.
The ESB's wireless LAN serves between 8,000 and 10,000 users with 60 Aruba Networks access points (APs). It was built to provide wireless access in conference rooms and other areas that the existing wired LAN didn't serve well.
For security, the ESB turned to AirTight's SpectraGuard Enterprise Wireless IPS (a wireless intrusion prevention system product) and the SpectraGuard SAFE endpoint protection system. Deployed together, these products can stop “bridging” between wired and wireless networks.
“It's a massive security risk if you have someone on the LAN simultaneously accessing an outside wireless access point,” Brennan said. “You could be bridging between a secure LAN and [what could be] an unknown AP on the wireless network.” Such a bridge would give the rogue entry point access to secure data.
The SpectraGuard Enterprise package offers the basic necessities of wireless LAN security: It blocks unauthorized access to the wireless LAN by enforcing authentication policy. It also detects rogue APs and prevents them from connecting to the LAN, and it enables centralized management and policy enforcement. Meanwhile, SpectraGuard SAFE sits on endpoints and stops them from connecting to the wireless LAN when they are plugged into the wired network and vice versa.
Centralised wireless LAN policy control
Hospital chain Atlantic Health has broken up its wireless LAN, composed of 2,000 Cisco APs, into several segments with unique policies across its six hospitals. The wireless LAN supports free public Wi-Fi for patients, private wireless access for Neonatal Intensive Care Unit (NICU) rooms, remote access for ambulances and mobile caregivers, Vocera badges for mobile communications between medical staff in the hospital, telemetry reporting and other types of wireless communication.
Atlantic Health has chosen not to go to a third party for wireless LAN security, according to Pat Zinno, director of infrastructure support and services. Security mechanisms such as WPA2 encryption, authentication and RF monitoring for rogue AP detection are built into the APs and controllers, which are all centrally managed from a Cisco Wireless Location Appliance. The location appliance can enforce user policy, as well as RF capacity management on a location basis regardless of the connecting device.
Cisco offers integration of wireless network security with its wired network Intrusion Detection System (IDS), but for now, Atlantic's wired and wireless security strategies still remain separate.
Atlantic Health's wired LAN security requirements are not as complex or demanding as the wireless side. After all, computers connect directly into network ports that are firewall protected. The company also uses an IDS product from Sourcefire that monitors all of the traffic as it traverses the network, Zinno said. He believes that this separation will “evolve over time.”
“The more you can import all of that data [from monitoring across wired and wireless networks] into one, the better you will be,” said Zinno.
Integrated wired and wireless LAN security starts with logging and reporting
Network engineers who are charged with securing two separate and very large wired and wireless networks want unification for their security event information, not their security tools. They want a platform that collects and presents a unified view of information from differing reporting structures used to analyze logs from firewalls and servers.
“A security event management product correlates these events and helps the enterprise see when there's a security incident instead of a lot of noise. Certainly security event management for the wireless LAN should be integrated into a wired security events management product,” said John Pescatore, a distinguished analyst at Gartner Research.
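The bridging risk described above and the cross-network event correlation Pescatore calls for can be shown with a small correlation check over switch and WLAN controller logs. This is an added example, not AirTight's, Cisco's or any vendor's code; it assumes a constructed log format in which both the wired switch and the WLAN controller report a user= field (for instance the 802.1X identity), so the same person can be matched across both networks.

```python
import re
from datetime import datetime

# Constructed sample events (not real logs): a switch reports 802.1X port sessions,
# a WLAN controller reports associations. Assumed format: "<time> <device> <event> user=<id> ..."
SAMPLE_LOG = """\
2011-05-02T09:00:05 switch01 wired-up user=jdoe port=Gi1/0/7
2011-05-02T09:02:10 wlc01 wlan-assoc user=jdoe ssid=CorpWiFi
2011-05-02T09:03:30 switch01 wired-up user=asmith port=Gi1/0/9
2011-05-02T09:41:00 switch01 wired-down user=asmith port=Gi1/0/9
2011-05-02T09:45:00 wlc01 wlan-assoc user=asmith ssid=CorpWiFi
2011-05-02T10:15:00 wlc01 wlan-assoc user=bwong ssid=GuestWiFi
2011-05-02T10:16:00 switch01 wired-up user=bwong port=Gi1/0/12
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+)(.*)$")

def parse_events(text):
    """Turn log lines into (timestamp, device, event, user, extra) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed shape
        ts, device, event, user, extra = m.groups()
        events.append((datetime.fromisoformat(ts), device, event, user, extra.strip()))
    return sorted(events, key=lambda e: e[0])

def find_bridging(text):
    """Flag users holding a wired session and a WLAN association at the same time.

    Returns a list of (user, timestamp_iso, description), one entry per overlap found.
    """
    wired, wlan = {}, {}  # user -> detail of the currently active wired / WLAN session
    alerts = []
    for ts, device, event, user, extra in parse_events(text):
        if event == "wired-up":
            wired[user] = f"{device} {extra}"
            if user in wlan:  # wired link came up while still associated to Wi-Fi
                alerts.append((user, ts.isoformat(), f"wired {wired[user]} while on WLAN {wlan[user]}"))
        elif event == "wired-down":
            wired.pop(user, None)
        elif event == "wlan-assoc":
            wlan[user] = f"{device} {extra}"
            if user in wired:  # Wi-Fi association while a wired session is still active
                alerts.append((user, ts.isoformat(), f"WLAN {wlan[user]} while on wired {wired[user]}"))
        elif event == "wlan-disassoc":
            wlan.pop(user, None)
    return alerts

if __name__ == "__main__":
    for user, when, why in find_bridging(SAMPLE_LOG):
        print(f"{when} BRIDGING {user}: {why}")
```

This only surfaces the overlap after the fact from collected logs; the endpoint agent the article describes prevents the second connection on the client itself, which is why the two approaches complement rather than replace each other.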
Prepackaged integrated wired and wireless LAN security: But for whom?
Smaller companies with less complex networks may find integration answers in prepackaged all-in-one systems that are marketed by security companies like SonicWALL and Fortinet. These security companies have extended their Unified Threat Management (UTM) systems -- which include firewalls, content monitoring and intrusion prevention -- to traffic coming in from wireless LANs.
SonicWALL says it offers a distributed wireless network with its own “dumb” APs that connect all wireless traffic to a centralized UTM appliance used for both wired and wireless.
“All traffic is backhauled to a UTM where we can make an intelligent decision,” said Matthew Dieckman, SonicWALL's product line manager for secure remote access.
SonicWALL treats all wireless traffic as an “untrusted entity” until it is scanned by a UTM appliance. Then it can be subjected to all of the same access rules that apply to wired LAN traffic.
For smaller companies looking for the least expensive solution, a combined appliance might work, Pescatore said.
“Another scenario would be where the company has small branch offices. If I've got this branch office and they only need one access point, and I could be sure I wouldn't screw it up, I wouldn't have a separate security solution in each of these branches,” he said. But extending this into a more complex network wouldn't be easy, he added.
Bigger wireless security problems: Troubleshooting across spectra
Many enterprises are slow to adopt wired and wireless network security integration because they have more pressing wireless security problems.
For one thing, network managers are more concerned with monitoring and troubleshooting across various types of wireless spectra as smartphones, tablets and other wireless-enabled devices, vending machines included, flood their networks.
“If there was one tool we could have, it would be one that picked up all of the wireless spectrums out there,” said Zinno.
Atlantic Health's network is facing interference from microwave ovens and Bluetooth devices, among others. If somebody mistakenly moves a Bluetooth-enabled scanner into an area where it will interfere with Wi-Fi transmission, Zinno's team needs to be able to track the problem -- and that's not always possible with existing tools. Zinno is currently testing Cisco's CleanAir spectrum analysis technology, which Cisco claims can find radio interference, map it to the source and automatically troubleshoot the issue.
Engineers also want to use wireless IPS appliances to go beyond detecting rogue APs and into determining where there is unwanted 3G or 4G activity on an enterprise network. This will especially be the case in government agencies and healthcare settings that must meet deep compliance requirements.
While integrated wired and wireless network security might seem like an easier management proposition, wireless network engineers will always demand functionality that is different from what enterprises need on a wired network. Unless those security paradigms can be incorporated into an integrated system, enterprises are likely to stick to managing two separate security systems.