This document discusses the importance of effective planning, design, and implementation of wireless networks to meet the needs of organizations. It highlights the value of site surveys, developing effective networking policies, strategies for managing user access, and testing the vulnerability of networks. It also provides a four-step process for developing and enforcing BYOD policies that involves stakeholders and builds understanding, and it emphasizes the need for tailored policies and consistent enforcement with technology support.
The widespread proliferation of high-bandwidth smartphones, tablets and notebook computers, combined with the bring-your-own-device (BYOD) approach to computing, means that organizations rely more on their wireless networks each day. How can enterprises plan for the continued growth of wireless networks and ensure that they have a modern, robust infrastructure that is ready for tomorrow’s wireless needs?
Many IT decision-makers wonder if the rapid shift toward wireless networking will render the wired network obsolete. Craig Coolidge, a networking practice lead at CDW, believes that is not the right question to ask today. Instead, he suggests asking, “How do we need to plan our wired networks to support the next generation of wireless networks?”
A strong wired infrastructure will support the robust wireless networks that enterprises need. To build that foundation, organizations will want to develop an effective network policy to address today’s wireless needs, conduct a site survey to improve performance of the wireless network, establish a system for managing user access that meets business and security requirements, and continually test and monitor the vulnerability of the network.
DEVELOPING AND ENFORCING POLICY
IT teams often struggle with effective and enforceable BYOD policies. They find themselves torn between meeting the needs of users and maintaining a secure, reliable network. Creating policies about the devices that individuals may use to access enterprise networks and data is challenging and often pits these seemingly competing interests against each other. In many cases, this situation leads to a policy that falls short.
Effective policy requires an understanding of an organization’s users. As a guiding principle, IT leaders should keep in mind that users attempting to connect personal devices to the network are not adversaries. Rather, they are business partners who are trying to get their jobs done as efficiently as possible. With this in mind, IT groups should craft and enforce policies tailored to the needs and security requirements of specific departments, user roles and computing scenarios. A one-size-fits-all policy is probably not appropriate outside of the most highly sensitive environments.
RATHER THAN CREATING BYOD POLICY IN A VACUUM, ENTERPRISES SHOULD FOLLOW A FOUR-STEP PROCESS THAT INVOLVES STAKEHOLDERS AND BUILDS UNDERSTANDING:
1. Develop a policy draft. After assessing the business needs and security requirements of the organization, IT leaders should create a draft policy that may be used as the starting point for conversations about BYOD.
2. Validate it against business scenarios. IT managers should work with leaders from other areas of the business to vet the policy and build a base of support. They should make sure that the policy does not impede productivity without a strong rationale.
3. Communicate the policy clearly. Users will not follow the policy if they do not know it exists. They will also search for technical loopholes to get their jobs done if they do not understand the rationale behind the policy.
4. Enforce the policy consistently. Effective and consistent enforcement of a BYOD policy requires technology support. Once an organization decides what devices are allowed on the network, IT staff should implement technical controls that block unauthorized devices.
Following this process will provide enterprises with a clear, explainable and enforceable approach to personal devices on their wireless networks.
FIREWALLING WIRELESS NETWORKS
The growing presence of personal devices on enterprise networks (by both employees and guests) leads to a heightened desire to protect the enterprise-owned devices also on those networks. Organizations increasingly make use of firewalls to segment wireless networks from wired networks and keep different classes of users and devices from each other.
The design of a wireless segmentation scheme depends on the unique business needs of the enterprise. In the most basic scenario, organizations might create separate wireless networks for employees and guests and restrict the access that each group has to other devices on the network.
This approach protects enterprise assets from untrusted systems. In some situations, organizations may also wish to segment sensitive systems from the rest of the network. For example, engineers might create a restricted network for wireless point-of-sale devices that process credit card transactions in a retail setting.
Organizations can build a segmented wireless network by combining firewalls with their existing wireless infrastructure. One common way to do this is to create separate service set identifiers for each wireless network and then associate each SSID with separate virtual local area networks. Firewalls can separate the VLANs from each other, implementing different access policies for traffic between wireless VLANs and between wired and wireless VLANs. Enterprises can implement this solution using existing firewalls or by choosing wireless products that incorporate firewall technology.
As enterprises plan for expected growth in wireless network use, they should also ensure that the supporting infrastructure scales appropriately. For example, a network segmentation strategy will only serve an organization effectively if the firewall enforcing the separation has enough capacity to support all connected VLANs. Otherwise, the firewall itself becomes a bottleneck and limits the capacity of the entire network.
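As an added example (not part of the CDW white paper or its products), the following Python models a first-match firewall rule set enforced between wireless VLANs and a wired server VLAN, then audits it against the segmentation goals the text describes (guests reach only the internet, point-of-sale devices reach only their payment gateway). The VLAN numbers, rules, port values and invariants are constructed assumptions.

```python
# Added example (not from the original document): verify a first-match firewall rule
# set, as enforced between wireless and wired VLANs, against segmentation invariants.
# VLAN numbers, rules and invariants are constructed for illustration.

ANY = "any"
VLANS = {"employee": 10, "guest": 20, "pos": 30, "servers": 40, "internet": 0}

# Ordered rules (first match wins, implicit deny at the end), as a firewall between the
# wireless VLANs and the wired server VLAN might be configured.
RULES = [
    {"src": 30, "dst": 40, "port": 443, "action": "allow"},   # POS -> payment gateway only
    {"src": 30, "dst": ANY, "port": ANY, "action": "deny"},    # nothing else from POS
    {"src": ANY, "dst": 30, "port": ANY, "action": "deny"},    # nothing into POS
    {"src": 20, "dst": 0, "port": ANY, "action": "allow"},     # guests: internet only
    {"src": 20, "dst": ANY, "port": ANY, "action": "deny"},
    {"src": 10, "dst": 40, "port": ANY, "action": "allow"},    # employees -> servers
    {"src": 10, "dst": 0, "port": ANY, "action": "allow"},
]

def _matches(field, value):
    return field == ANY or field == value

def evaluate(rules, src, dst, port):
    """Return the action the rule set applies to one flow; default deny if nothing matches."""
    if src == dst:
        return "allow"          # intra-VLAN traffic never crosses the firewall
    for r in rules:
        if _matches(r["src"], src) and _matches(r["dst"], dst) and _matches(r["port"], port):
            return r["action"]
    return "deny"

# Invariants the segmentation design must hold: flows that must be denied, and flows
# that must be allowed for the business to function.
MUST_DENY = [(20, 10, 445), (20, 30, 443), (20, 40, 22), (10, 30, 443), (30, 0, 443)]
MUST_ALLOW = [(30, 40, 443), (20, 0, 443), (10, 40, 445)]

def audit(rules, must_deny=MUST_DENY, must_allow=MUST_ALLOW):
    """List human-readable violations; an empty list means the design holds."""
    names = {v: k for k, v in VLANS.items()}
    out = []
    for s, d, p in must_deny:
        if evaluate(rules, s, d, p) != "deny":
            out.append(f"{names[s]} can reach {names[d]}:{p}")
    for s, d, p in must_allow:
        if evaluate(rules, s, d, p) != "allow":
            out.append(f"{names[s]} cannot reach required {names[d]}:{p}")
    return out

if __name__ == "__main__":
    print(audit(RULES) or "segmentation invariants hold")
    # A convenience rule placed at the top silently breaks segmentation; the audit catches it.
    print(audit([{"src": ANY, "dst": 40, "port": ANY, "action": "allow"}] + RULES))
```

Running the audit whenever the rule set changes turns the "small configuration change with large downstream effect" problem described later in the document into a check that fails before deployment.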
ROLE-BASED ACCESS AND ENCRYPTION
Maintaining separate SSIDs works well when organizations need to separate only a few classes of users and devices from each other, but it is not a very scalable solution. Running too many SSIDs on the same wireless network can reduce efficiency and create a substantial management burden for network engineers.
Organizations that wish to maintain granular access policies but bump up against the limitations of multiple SSIDs may choose to instead deploy technology that supports 802.1X, a protocol that helps to authenticate devices wishing to connect to a network. With this approach, the enterprise can run a single SSID and apply individual policies to each user based on his or her role. Engineers customize the network experience for each role, tailoring the network to meet the needs of each group of users.
From the user’s perspective, 802.1X is nearly transparent. Users simply sign into the network using their regular credentials and then access their resources normally. Behind the scenes, the network authenticates them, confirms the access policy for that user’s role and then applies appropriate security policies to ensure that only authorized resources are accessible.
From the network engineer’s perspective, 802.1X allows organizations to provide a single, unified wireless networking experience across sites while still meeting security requirements. This technology allows granular access control while minimizing network overhead and scales to meet even the most complex security requirements.
TESTING WIRELESS SECURITY: VULNERABILITY ASSESSMENTS AND PENETRATION TESTING
Network security is an ongoing process that requires constant attention and vigilance. Small configuration changes may have significant downstream security effects and expose the organization to security risks. For this reason, every wireless network should undergo periodic security testing to validate that it meets security standards. There are two main tools to assist with this effort: vulnerability assessments and penetration testing.
Vulnerability assessments involve scanning the network for known security issues and reporting them to administrators for follow-up and appropriate remediation. Conducting a proper vulnerability assessment includes analyzing wireless configurations and scanning the network to ensure that the implementation meets the organization’s security policy. It may address these questions:
Administrators may supplement vulnerability assessments with wireless penetration tests. In these tests, normally performed by external parties such as CDW, skilled security specialists try to break into a network by undermining security controls. Penetration tests are the most realistic form of security testing.
One important technique used in both vulnerability assessments and penetration tests is the detection of rogue wireless access points. Users often connect unauthorized wireless APs to enterprise networks, and those rogue devices significantly undermine network security. They create an insecure method of access to the enterprise network, potentially bypassing authentication controls and opening the network to penetration risk. Enterprises should use rogue AP detection technology to routinely scan their networks for the presence of unauthorized APs.
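The following Python is an added illustration, not tooling from the white paper or from CDW. It classifies constructed wireless scan results against an authorized-AP inventory and a switch MAC address table to flag rogue access points, separating unknown radios that spoof a corporate SSID, unknown APs that appear to be bridged into the wired network, and harmless neighbors. The inventory, the scan data, the MAC table and the BSSID-adjacency heuristic are all assumptions of this example.

```python
# Added example (not from the original document): classify wireless scan results
# against an authorized-AP inventory to flag rogue access points. Scan data,
# the inventory and the switch MAC table are all constructed for illustration.

# Authorized corporate APs: BSSID -> SSID each radio is expected to advertise.
AUTHORIZED_APS = {
    "00:11:22:aa:00:01": "CorpNet",
    "00:11:22:aa:00:02": "CorpNet",
    "00:11:22:aa:00:03": "CorpGuest",
}
CORPORATE_SSIDS = {"CorpNet", "CorpGuest"}

# Constructed scan results as a sensor or WLAN controller might report them.
SCAN_RESULTS = [
    {"bssid": "00:11:22:aa:00:01", "ssid": "CorpNet", "channel": 36, "rssi": -48},
    {"bssid": "00:11:22:aa:00:03", "ssid": "CorpGuest", "channel": 6, "rssi": -55},
    {"bssid": "de:ad:be:ef:00:10", "ssid": "CorpNet", "channel": 11, "rssi": -60},
    {"bssid": "aa:bb:cc:dd:ee:21", "ssid": "Printer-Setup", "channel": 1, "rssi": -45},
    {"bssid": "66:77:88:99:00:02", "ssid": "NeighborCafe", "channel": 1, "rssi": -82},
]

# Constructed switch MAC table (addresses learned on access ports). An AP plugged into
# a wired port shows its wired MAC here; many consumer APs derive BSSIDs from that
# MAC, so an address adjacent to the BSSID is a strong sign the AP is on our wire.
SWITCH_MAC_TABLE = {"aa:bb:cc:dd:ee:20", "00:11:22:aa:00:01", "00:11:22:aa:00:03"}

def _mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def seen_on_wire(bssid, mac_table, max_delta=8):
    # Heuristic (an assumption of this example): same OUI and address within max_delta.
    b = _mac_to_int(bssid)
    return any(m[:8] == bssid[:8] and abs(_mac_to_int(m) - b) <= max_delta for m in mac_table)

def classify(ap, authorized, corp_ssids, mac_table, rssi_threshold=-70):
    bssid, ssid = ap["bssid"].lower(), ap["ssid"]
    if bssid in authorized:
        return "authorized" if authorized[bssid] == ssid else "authorized-ssid-mismatch"
    if ssid in corp_ssids:
        return "rogue-spoofed-ssid"   # unknown radio advertising a corporate SSID
    if seen_on_wire(bssid, mac_table):
        return "rogue-on-wire"        # unknown AP bridged into the enterprise LAN
    # Strong but unknown signals deserve a look; weak ones are most likely neighbors.
    return "investigate" if ap["rssi"] >= rssi_threshold else "neighbor"

def rogue_report(scan, authorized=AUTHORIZED_APS, corp_ssids=CORPORATE_SSIDS,
                 mac_table=SWITCH_MAC_TABLE):
    return {ap["bssid"]: classify(ap, authorized, corp_ssids, mac_table) for ap in scan}

if __name__ == "__main__":
    for bssid, verdict in rogue_report(SCAN_RESULTS).items():
        print(f"{bssid}  {verdict}")
```

Feeding the "rogue-on-wire" verdicts back to the switch (port lookup and shutdown) is what turns this scan into the routine rogue AP detection the text calls for.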
COMBINING VIRTUALIZATION WITH VPN
Security-conscious organizations do not want sensitive data proliferating across a variety of personal devices because of bring-your-own-device (BYOD) practices. Placing data on employees’ personal devices creates many forms of risk, including the potential exposure of that data if the devices are not securely configured and the difficulty of retrieving sensitive information if the worker leaves the organization. At the same time, enterprises want to encourage productivity-boosting BYOD practices. This creates a dilemma.
One approach to resolving this problem combines the use of virtual private networks (VPNs) and virtual desktops. Enterprises may create a virtual desktop infrastructure that provides employees with controlled access to sensitive information. The virtual desktop includes all of the productivity tools that users require to work with sensitive information, as well as access to shared storage.
When a remote worker needs to access sensitive information, he or she connects to the VPN and then uses it to access a virtual desktop. The data never leaves the virtualized environment, leaving no trace on the user’s personal device after the connection terminates. This approach provides the power of BYOD without the risk of sensitive data proliferation.
CONCLUSION
Wireless networks are quickly overtaking their wired counterparts as the workforce becomes increasingly mobile and enterprises adopt BYOD computing policies. The typical user now carries multiple devices, each capable of consuming large amounts of bandwidth, further straining existing wireless infrastructure.
Organizations seeking to remain ahead of the wireless adoption curve must continue to research and implement next-generation wireless networks. In addition to improving network performance (by deploying new 802.11ac-enabled technology for increased capacity and optimizing the use of existing bandwidth), they must also design authentication and authorization mechanisms that extend security controls to wireless networks both inside and outside of central IT’s control. This includes the adoption of 802.1X standards, VPNs and rogue AP detection in a manner that both protects wireless users and allows segmented, role-based access to enterprise resources.
Enterprises that adopt forward-thinking wireless strategies will find themselves well-positioned to take advantage of new wireless technologies that come on the market. These organizations will remain ahead of the wireless adoption curve and promote greater productivity among users.