When wireless networks are created and designed in the modern enterprise, security for these networks is necessary, but so is ensuring the business requirements are aligned. Everything from antenna placement and site surveys to the antennas used, the supported cipher suites, the authentication protocols, and the EAP type can play a role in the security of a company’s wireless network. Given that there are so many different factors to consider with wireless security, where does someone start? A good starting point is with business stakeholder requirements (BRS). Understanding these needs goes a long way toward serving the organization.
The wireless network solution could implement the best, top-of-the-line industry security standards, but if the business doesn’t sign off on it, and there is no support from senior management, key stakeholders and so on, the implementation should not be considered a success. Criteria such as budgeting, available resources, available infrastructure capabilities, key and critical business operations functionality, and physical building layouts are important areas to consider with any wireless solution.
With this information at hand, you can then begin to create systems requirements. With the systems requirements, consider areas such as antenna type and placement. These questions can also be answered from the business stakeholder requirements (BRS). Business stakeholder requirements are requirements set forth by key individuals with a vested interest in the company’s well-being. For example, if business stakeholders want the access points to be “barely noticeable” (i.e. aesthetically pleasing), you should avoid dipole antennas in favor of internal antennas. Dipole antennas are noticeable and would not meet the requirement from the BRS.

Similarly, if one of the business requirements is that areas outside the building should have network coverage and that users should be able to stay connected between buildings, you may want to consider placing antennas outside, which may lead to additional requirements and discussions. For example, when leaving antennas exposed to the elements, protecting these access points and equipment becomes especially relevant. NEMA (National Electrical Manufacturers Association) enclosures are highly suggested, as they help protect access points from damage caused by natural events such as rain and lightning. To help establish the other business requirement of ensuring users stay connected from building to building when taking calls, access point features such as roaming are highly recommended. With roaming, however, the outcome depends heavily on the roaming method and the approach taken to solving this problem.
With regards to roaming, which feature works best? Again, this comes back to your previously gathered requirements. The roaming options available to you depend on the security protocols implemented in the network. If, for example, a wireless network is utilizing Wi-Fi Protected Access (WPA) Personal or Wi-Fi Protected Access 2 (WPA2) Personal, using roaming options such as PSK Roaming is a possibility, and the re-association time is usually less than 50 milliseconds. If, on the other hand, the wireless network is implementing Wi-Fi Protected Access (WPA) Enterprise or Wi-Fi Protected Access 2 (WPA2) Enterprise, which implies that 802.1X is in use, other roaming options such as 802.1X/EAP Slow Roam can be used. This authentication method, however, can take some time (usually more than 200 milliseconds). With this method, when a client roams from one access point to another, that client has to perform the entire 802.1X port-based authentication again, following the steps from supplicant, to authenticator, to authentication server, and perform the EAP exchange. This would impact the requirement of ensuring that Voice over IP calls are not dropped and would not meet the needs of the stakeholders as gathered in your business requirements.

A more balanced solution to meet the stakeholder requirement established previously would be to consider PMK Caching. PMK Caching is a roaming technology between access points. The first step in PMK Caching is a full, successful 802.1X/EAP authentication (connecting to the first building’s access point). Once this is established, the access point and the client cache (i.e. store) the PMKSA (at the first building’s access point). If, for example, a user moves to another building, they would have to set up another 802.1X/EAP authentication there.
If the user were to move back to the initial building (where the first successful 802.1X/EAP authentication occurred), then when the client re-associates with the first access point, the PMKID references the PMKSA (the cached value). Using the PMKID to reference the PMKSA allows the roaming to take place without the need to perform the full 802.1X/EAP authentication again. A solution like this helps keep a balance between security, usability, and functionality. When that balance exists, you are ensuring that the network is secure (within the available options), that it is usable and functional, and that it does not invite unnecessary risks such as someone bringing a rogue access point into the network just to get adequate coverage.

Whichever approach you decide on for your network implementation, there are other areas to consider. Some of these areas include: industry acceptability and credibility (do bodies such as the IEEE and the Wi-Fi Alliance adopt these as industry standards, and can they be certified to ensure they are interoperable?); whether it is universal across any WLAN infrastructure and architecture implementation (could I use a wireless access point from one vendor (e.g. Cisco) and implement it alongside a current access point from another (e.g. Juniper Networks) without incurring more costs by changing the entire network infrastructure?); and whether the technology is complex to implement and produces a lot of traffic overhead that could cause further problems down the road.
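The PMK Caching walk described above, as an added example that is not part of the original article: a client authenticates at the first building’s access point, moves to a second building (no cached PMKSA there, so a full 802.1X/EAP exchange is needed), and then returns to the first access point, where the PMKID it offers matches a cached PMKSA and the full authentication is skipped. The PMKID derivation is the one defined in IEEE 802.11 (HMAC-SHA1-128 over "PMK Name" || AP MAC || client MAC); the MAC addresses are constructed, the full EAP exchange is stood in for by a random PMK, and the `AccessPoint`/`Client` classes are a simplified model, not any vendor’s implementation.

```python
import hmac
import hashlib
import os

# Constructed MAC addresses for the walk-through (not from any real deployment).
AP1 = bytes.fromhex("020000000001")   # access point in the first building
AP2 = bytes.fromhex("020000000002")   # access point in the second building
STA = bytes.fromhex("02000000aaaa")   # the roaming client

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    # IEEE 802.11: PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    # Because the AP address is part of the input, the same PMK yields a
    # different PMKID at every AP, so a PMKSA cached at AP1 is not usable at AP2.
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

def full_eap_auth() -> bytes:
    # Stand-in for the complete supplicant/authenticator/authentication-server
    # exchange; a real PMK comes from the EAP method's MSK. Constructed here.
    return os.urandom(32)

class AccessPoint:
    def __init__(self, mac: bytes):
        self.mac = mac
        self.pmksa_cache = {}   # PMKID -> PMK (a real PMKSA also carries a lifetime)
        self.full_auths = 0     # how many slow, full 802.1X/EAP exchanges occurred

    def associate(self, sta: bytes, offered_pmkids: list) -> tuple:
        """Return (PMK, fast_roam). Fast roam only if an offered PMKID is cached."""
        for pid in offered_pmkids:
            if pid in self.pmksa_cache:
                return self.pmksa_cache[pid], True
        pmk = full_eap_auth()
        self.full_auths += 1
        self.pmksa_cache[pmkid(pmk, self.mac, sta)] = pmk
        return pmk, False

class Client:
    def __init__(self, mac: bytes):
        self.mac = mac
        self.pmksa_cache = {}   # AP MAC -> PMK learned at that AP

    def roam_to(self, ap: AccessPoint) -> bool:
        offered = []
        if ap.mac in self.pmksa_cache:   # we have been here before: offer the PMKID
            offered.append(pmkid(self.pmksa_cache[ap.mac], ap.mac, self.mac))
        pmk, fast = ap.associate(self.mac, offered)
        self.pmksa_cache[ap.mac] = pmk
        return fast

def walk_between_buildings() -> list:
    # [first building, second building, back to first]: full, full, fast.
    ap1, ap2, sta = AccessPoint(AP1), AccessPoint(AP2), Client(STA)
    return [sta.roam_to(ap1), sta.roam_to(ap2), sta.roam_to(ap1)]
```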
These topics are just some of the areas of concern that modern enterprises face when securing wireless networks. When these networks are being developed, designed and implemented, security is a factor that affects the entire process and can make the difference between a secure and an insecure network.