A wireless local area network (Lan) was once a tool that enabled guests to access the internet, but today organisations increasingly rely upon it. Microsoft employees use theirs extensively: 75% of employees use it every day, and 70% believe it saves them at least five hours of work a week through increased flexibility.
Modern centrally controlled wireless Lans - even those built on a global scale like Microsoft's - do not add significantly to the task of the IT department, and if implemented properly with authentication, encryption and built-in firewalling, they often offer inherently better security than an existing wired network. VoIP phones, corporate laptops and handheld scanners can all be used with the assurance of complete security.
That visitors or consultants connecting to a firewalled guest network should present no security threat to corporate IT systems is well understood, but "guest" devices - employees' cellular telephones with browsers and increasing exchange capability - have to date presented an issue for the IT department. Today, the majority of organisations treat such devices in the same way as a guest: even though the device may be located within the office and belong to an employee, it is only allowed access to the guest network and is consequently treated as an untrusted device without general access to back-end systems.
However, the popularity of the iPhone, Windows Mobile and Symbian mobile computing platforms, together with developments in client applications, will place pressure on IT departments to accept the latest generation of personal converged phones and PDAs as mainstream client platforms within the corporate environment, allowing devices to communicate directly to data stores and application servers.
Implementations of Fixed Mobile Convergence (FMC) will likely accelerate this trend, as companies look to avoid the costs associated with employees making international cellular calls from within the office. In addition to savings on cellular calls, the organisation will benefit as a whole from the unification of communications that derive from staff cellular phones becoming part of the internal IP-PBX infrastructure.
The challenge now facing senior IT staff is how to walk the tightrope of diversity - allowing multiple types of personal device onto the internal network may risk increasing the complexity of management and potentially compromising security, yet failure to allow users to access back-end systems from a variety of computing platforms will result in the organisation losing out on the benefits that clearly accrue from mobility.
While the question of which devices to allow onto the network will remain open to debate, the question of how to limit devices attaching to the network is relatively straightforward.
It is fortunate for most organisations that personal converged devices such as the iPhone do not come equipped with an RJ45 socket, as wired networks are traditionally built on the basis of a "secure perimeter": once a device is attached to the network, it is assumed to be authorised. In the best wireless networks, such practices are unheard of because every device has to be considered untrusted until authenticated.
Authentication, perhaps combined with Network Access Control (NAC), or Microsoft's Network Access Policy (Nap) presents an ideal opportunity to decide which device to allow onto the network.
While authentication ensures that only authorised users connect to the internal network, NAC or Nap protects the network from untrusted devices that may be carrying an infection, and ensures the user remediates their device before it joins the network. Linking NAC or Nap with a firewall in the wireless network offers a more robust method of access control than the traditional VLan or DHCP assignment more commonly associated with wired NAC implementations, and guarantees that users access only the appropriate domains or servers.
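The admission flow described above (authenticate, check device health, then enforce a per-device firewall allowlist rather than a VLAN assignment), as an added illustration that is not part of the original article or any vendor's NAC product; the server names, roles and posture checks are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample destinations (hypothetical names, not from the article).
REMEDIATION_SERVERS = {"remediation.example.internal"}
ROLE_ALLOWLIST = {
    "employee": {"mail.example.internal", "crm.example.internal"},
    "guest": {"internet"},
}

@dataclass
class Device:
    identity: Optional[str]   # authenticated user, or None if not authenticated
    role: str                 # role assigned after authentication
    av_current: bool          # posture: anti-virus signatures up to date
    patches_current: bool     # posture: operating system patches up to date

@dataclass
class Decision:
    network: str                                   # "guest", "remediation" or "internal"
    allowed_destinations: Set[str] = field(default_factory=set)

def posture_healthy(dev: Device) -> bool:
    """NAC/NAP-style health check: every posture item must pass."""
    return dev.av_current and dev.patches_current

def admit(dev: Device) -> Decision:
    """Authentication first, then posture, then the role-based allowlist."""
    if dev.identity is None:
        # Unauthenticated devices only ever see the guest network.
        return Decision("guest", set(ROLE_ALLOWLIST["guest"]))
    if not posture_healthy(dev):
        # Authenticated but unhealthy: reachable only by remediation servers until fixed.
        return Decision("remediation", set(REMEDIATION_SERVERS))
    return Decision("internal", set(ROLE_ALLOWLIST.get(dev.role, set())))

def firewall_rules(dev: Device, decision: Decision) -> List[str]:
    """Render per-device allow rules plus a default deny, as the wireless firewall would enforce."""
    who = dev.identity or "anonymous"
    rules = [f"allow {who} -> {dst}" for dst in sorted(decision.allowed_destinations)]
    rules.append(f"deny {who} -> any")
    return rules

if __name__ == "__main__":
    laptop = Device("alice", "employee", av_current=False, patches_current=True)
    for line in firewall_rules(laptop, admit(laptop)):
        print(line)
```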
The wireless Lan evolves - from convenience network to essential infrastructure.
This was first published in September 2008