March 2013 IT Business Consulting Newsletter

Provide Wireless Access to Business Systems???

By Tom K

I don’t recommend that you provide wireless access to your Business Systems... unless there is a definite business requirement and no other alternatives.

But if you REALLY NEED to provide wireless access to your Business Network, in this month’s newsletter I discuss potential pitfalls and Best Practices you should consider when you deploy wireless access to your Business Network.

I am, however, a big fan of setting up public wireless Hot Spots within your facilities to provide open Internet access to guests and to staff with personal smart phones and tablets. I have discussed this in detail in my March 2015 newsletter, “Securely Implement Public WiFi, version 2015”.


The Pitfalls

Wireless is inherently unsecure.

Sure, you can (and should) use encryption and use a secure password within the Private Wireless Network. But anyone who has the wireless Key (password) can knock on the door of your business resources anytime, from inside the building, in the parking lot, or across the street. As a business owner, this definitely concerns me.

There is an App for that

The wireless threat is no longer just laptops. You can get apps for tablets and smart phones that will allow you to work within a network environment. If my tablet can see the wireless business network, I’m one password away from being in a position to use my apps to access your company jewels. If I’m hanging out in the parking lot, or next door, my tools have all the time in the world to try to break in. Tablets and smartphones are inconspicuous, they are everywhere, and there are millions of them.

No Firewall

When you provide wireless access to your business systems, access is direct... Just like from your wired PCs. All access occurs inside the firewall, so the firewall can’t offer any protection.


Best Practices

If you really need to provide wireless access to your Business Network, you want to make it very difficult for unauthorized persons to access it.

The first step is to make your Private Wireless Network invisible. Do not advertise your private network’s SSID (the ID of the wireless network).

Public wireless networks advertise their presence to all wireless users through the “available networks” list, visible when a wireless device scans for networks. Private networks should never advertise their existence. When they don’t advertise they don’t appear on the list, so anyone who wants to access that Private Wireless Network will need to know the SSID and will need to enter it manually for their wireless device to find the private network. Your first line of defense!

The second step is to use strong security settings in your wireless Access Points (APs). I suggest WPA2-PSK for most implementations.

The third step is to set a secure passphrase (Key or password) for accessing the Private Wireless Network. Don’t make it easy!

The fourth step is to ensure that your business network requires secure log-in passwords. (See my Nov 2011 newsletter “Secure Passwords” for details on creating and enforcing secure passwords.) This should be a corporate standard in any case!

So... they can’t see your Private Wireless Network and they can’t get to it without knowing and typing in its SSID. Once they can see it, they have to know the secure network Key to access it. Then, even though they are now on the Private Wireless Network, they can’t get to any corporate network resources without having a Corporate ID and (secure) password. Looks like we’re good!

But all this security fails if the SSID & Wireless Network Key are compromised. We have to set up policies to safeguard these critical keys.

You need to provide the SSID and Network Key on a strict need to know basis. Therefore, you need to have a published Private Wireless Network Access policy in place that specifically denotes what is required to be granted access to the Private Wireless Network, how staff gets to be authorized to use the Private Wireless Network, and who is responsible to provide the SSID and Key to staff and then track who has been given them.

Once created, I suggest this policy be included in your corporate Employee IT Use and Abuse policy. (I believe the IT Use and Abuse Policy is absolutely critical to your company’s well being. If you don’t have one in place, PLEASE see my January 2012 newsletter “Employee Use and Abuse Policy”).

The Private Wireless Network Access policy should include a section stating that providing the SSID or Key to any unauthorized person is grounds for immediate termination.

Finally, change the Key monthly. The list of staff having the Key should be rather short, so communicating the change shouldn’t be difficult. Consider a practice where the Key changes (for instance) the first Tuesday of each month. And if you fear any security parameters have been compromised, change the SSID along with the Key. It is a simple process.

There is one more step you can take to really lock down wireless access to your bussiness network, which is to only allow devices that have been registered with the Access Points to be granted access. This is a bit tedious from the admin's prospective, as she has to obtain the MAC address (a unique 12 digit hexadecimal number), also known as the physical address, from every device that will be authorized to use the wireless network and enter each MAC address into every Access Point. While this "Access Control" process is tedious, it definitely provides the best security on a wireless network. If a device isn't registered, it can't get onto the wireless network... period!

Note, however, that MAC addresses CAN be spoofed, so you shouldn't forgo any of the previously mentioned security steps even if you do require MAC address Access Control.


The Mechanics

I discussed how to set up a Public WIFI Hot Spot in my March 2015 newsletter, “Securely Implement Public WiFi, version 2015”. Please reference the article for details.

Setting up a Private Wireless Network is very similar, except the Access Points (APs) plug directly into the business LAN rather than into the Firewall’s DMZ, the SSID is hidden, and security is enabled (with a secure Key). Just like the public WIFI system, you can team Private APs to provide extended coverage across your office or campus.


If you have any questions concerning deploying Wireless Access to your Private Business Network, creating policies to manage their use, or any other topics concerning utilizing your infrastructure to enhance your business, I’d be happy to discuss them with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.


Next month I’ll discuss Best Practices for safely using unsecured Public WIFI.