Sep 20 2013
Networking

5 Best Practices for Securely Implementing a New WiFi Network

Keep security, bandwidth in mind when rolling out a network upgrade.

Building wireless networks requires blending systems engineering — properly tuning radio frequency, for instance — with hard-earned knowledge. Although there are many ways to configure and use Wi-Fi, best-in-class organizations should apply these strategies to get the most out of their networks:

1. Practice active management.

Wi-Fi networks don’t stay in top condition on their own. The inevitable moves, additions and changes of people, furniture and everything else within an organization will cause the network to degrade over time and provide less-than-optimum service to users.

Wi-Fi networks are amazingly fault-tolerant. They can survive the loss of access points and the addition of interference without users noticing much, which means problems can go undetected unless someone is actively monitoring. Good network management practices, including the regular scanning of logs and the active monitoring of devices and usage, will help identify problems before they affect performance.
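As an added illustration of what "regular scanning of logs" can look like in practice (this is example code written for this page, not code from the article or from any vendor's product), the script below reads constructed AP heartbeat and event lines in a generic `timestamp ap=... event=...` format and flags three of the silent failures the paragraph describes: an AP that has quietly stopped reporting, an AP whose channel utilization stays high across consecutive reports, and any interference event an AP logged. The log format, AP names, thresholds and values are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real controller). One AP,
# ap-floor1-west, goes silent after 08:00; ap-floor2-east reports
# sustained high utilization and a non-Wi-Fi interference source.
SAMPLE_LOG = """\
2013-09-20T08:00:00 ap=ap-floor1-east event=heartbeat clients=12 util=31
2013-09-20T08:00:00 ap=ap-floor1-west event=heartbeat clients=9 util=28
2013-09-20T08:00:00 ap=ap-floor2-east event=heartbeat clients=20 util=44
2013-09-20T08:05:00 ap=ap-floor1-east event=heartbeat clients=14 util=35
2013-09-20T08:05:00 ap=ap-floor2-east event=heartbeat clients=41 util=88
2013-09-20T08:06:30 ap=ap-floor2-east event=interference channel=6 source=non-wifi
2013-09-20T08:10:00 ap=ap-floor1-east event=heartbeat clients=15 util=33
2013-09-20T08:10:00 ap=ap-floor2-east event=heartbeat clients=43 util=91
2013-09-20T08:15:00 ap=ap-floor1-east event=heartbeat clients=13 util=30
2013-09-20T08:15:00 ap=ap-floor2-east event=heartbeat clients=45 util=90
"""

# Assumed line layout: ISO timestamp, then ap=<name> event=<kind>, then key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+ap=(?P<ap>\S+)\s+event=(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.fromisoformat(m.group("ts")),
        "ap": m.group("ap"),
        "event": m.group("event"),
    }
    rec.update(dict(KV_RE.findall(m.group("rest"))))
    return rec


def analyze(log_text, stale_after=timedelta(minutes=10), util_threshold=80):
    """Return a list of (kind, ap, detail) alerts derived from the log text.

    kind is one of: "stale" (no heartbeat within stale_after of the newest
    timestamp seen), "high_utilization" (the two most recent heartbeats are
    both at or above util_threshold percent), or "interference".
    """
    heartbeats = defaultdict(list)  # ap -> [(timestamp, clients, util), ...]
    alerts = []
    newest = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if newest is None or rec["ts"] > newest:
            newest = rec["ts"]
        if rec["event"] == "heartbeat":
            heartbeats[rec["ap"]].append((rec["ts"], int(rec["clients"]), int(rec["util"])))
        elif rec["event"] == "interference":
            detail = f"channel {rec.get('channel', '?')} source {rec.get('source', '?')}"
            alerts.append(("interference", rec["ap"], detail))

    for ap, beats in sorted(heartbeats.items()):
        beats.sort()
        last_ts = beats[-1][0]
        # An AP that stops checking in is the failure users will not report.
        if newest - last_ts > stale_after:
            alerts.append(("stale", ap, f"last heartbeat {last_ts.isoformat()}"))
        # Require two consecutive high readings so a single spike does not page anyone.
        recent = [util for _, _, util in beats[-2:]]
        if len(recent) == 2 and all(util >= util_threshold for util in recent):
            alerts.append(("high_utilization", ap, f"utilization {recent}"))
    return alerts


if __name__ == "__main__":
    for kind, ap, detail in analyze(SAMPLE_LOG):
        print(f"{kind:17} {ap:16} {detail}")
```

Run as a script it prints one line per alert. In a real deployment the same logic would sit behind the controller's syslog export, and the stale window and utilization threshold would be tuned to the site rather than the constants assumed here.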

2. Use managed wireless products.

The world of wireless changed dramatically in 2003, when Airespace (later acquired by Cisco Systems), Aruba Networks and Trapeze Networks (later acquired by Juniper Networks) developed wireless controller technology.

Before that, it was necessary to manage and configure each wireless access point separately. More important, any tuning of the wireless configuration — such as power levels, channel assignments or enabling hot-spare APs — had to be done manually. In addition to being difficult to learn and error-prone, wireless tuning is a continuous process that varies depending on the number of people in a room, the usage of the network and even the humidity level in the building.

But Airespace, Aruba and Trapeze developed technology that treated the entire wireless network as a single entity, rather than as a series of individual APs. Thus was born the fully managed wireless solution.

Since then, other vendors have entered this market with similar products. The technology today can handle issues such as mobility, keeping an IP address and connection alive while a user on a VoIP call walks between rooms, floors and even buildings.

When considering wireless management, the network team should be careful to distinguish between fully managed solutions and those that only offer configuration control and log collection. Simply capturing the configurations of each AP and pushing changes to them uniformly is not true wireless management. Although that is a useful function in some environments (such as branch offices with one or two APs), any deployment with more than eight APs will need a fully managed solution.

3. Prioritize usage.

In the first few days after a network is turned on, the smartphones of at least 10 to 20 percent of the people in the building will connect automatically. These devices will consume bandwidth even when no one is using them. If the building is on a high school or college campus, that figure will be closer to 80 to 90 percent. In other words, a wireless network can reach near capacity even when no one is actively using it.

The solution isn’t to prohibit casual use, but simply to make sure that mission-critical applications, such as VoIP (unified communications) or transaction processing, and business uses get priority over nonbusiness and casual usage. By using management configuration, firewalls or Wi-Fi Multimedia (WMM), it’s possible to throttle bandwidth.

4. Develop a guest policy carefully.

Accommodating guest access to wireless networks is generally considered a requirement for enterprise wireless installations. Guests commonly have a legitimate need to connect to the Internet while visiting an organization. Although some road warriors may use alternative technologies, such as 3G or 4G wireless, to bypass local Wi-Fi networks, it is important to plan how other guests will connect to the organization’s WLAN.

Of course, these guests shouldn’t require much access to anything inside the normal enterprise network — printing, perhaps, being the occasional exception. Therefore, securing connections to ensure that guest users do not gain elevated privileges is important.

Any guest policy must balance its requirements for accountability and prevention of “drive-by” connections with the goal of making guest connections simple and quick. Many vendors offer specific guest services, such as captive portals and automated guest provisioning systems, that can ease the task of offering guests wireless connectivity.

Common alternatives, such as requiring guests to preregister Media Access Control (MAC) addresses or obtain a temporary user name and password, tend to be cumbersome and should be avoided. One bad result of a guest policy that is poorly developed or difficult to follow is that staff members might spend valuable time trying to get their visitors logged on to the wireless network. Or, even worse, a staff member might encourage a guest to connect directly to the internal wired network to bypass issues with the wireless infrastructure.

5. Build security from the start.

Security managers tend to be fairly suspicious of wireless networks. If user credentials are all that is required to connect, then a stolen set of credentials could provide an easy pathway into the network via wireless or virtual private network (VPN) connections.

Many techniques exist to increase overall security for wireless users, but it pays to have the organization’s security teams involved from the beginning. Doing so will make it possible to incorporate their requirements into the architecture design and product selection phases of the project.

For example, many enterprise network managers build wireless networks with separate firewall rules and inline intrusion prevention systems. Some wireless products include these features in their solution sets, while others require external devices. Depending on the organization’s security architecture, one method might be more desirable — but discerning that requires collaboration with the IT security staff.

Network access control meshes well with wireless deployments because the wireless authentication standard — known as Wi-Fi Protected Access 2 (WPA2) — uses 802.1X, which is a convenient method for passing NAC information between clients and servers. Although NAC can add complexity to the wireless deployment, having a good solution in place as part of the network can be a first step toward eventual enterprisewide NAC deployment.
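The two controls sections 4 and 5 call for, keeping guests away from each other and the internal network, and putting the corporate SSID on WPA2 with 802.1X rather than a shared credential, are easy to check mechanically. One caveat worth stating: WPA2 only uses 802.1X in its enterprise mode (`WPA-EAP` against a RADIUS server); WPA2-Personal uses a shared passphrase, which is exactly the single stolen credential the article warns about. The example below is added for this page (not the article's code or any vendor's), and audits constructed hostapd-style `key=value` configs for those settings. The config contents, SSID names, addresses and secrets are placeholders made up for the example; the key names (`wpa`, `wpa_key_mgmt`, `ieee8021x`, `rsn_pairwise`, `auth_server_addr`, `ap_isolate`) are real hostapd options, but the parser is a simplified one and does not handle multi-BSS files.

```python
# Constructed hostapd-style configs. Secrets and addresses are placeholders,
# not values from any real deployment.
CORP_WEAK = """\
interface=wlan0
ssid=corp-wifi
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=PLACEHOLDER-shared-passphrase
wpa_pairwise=TKIP
"""

CORP_HARDENED = """\
interface=wlan0
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
rsn_pairwise=CCMP
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER-radius-secret
"""

GUEST = """\
interface=wlan0
ssid=guest-wifi
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=PLACEHOLDER-guest-passphrase
rsn_pairwise=CCMP
ap_isolate=1
"""


def parse_hostapd(text):
    """Parse key=value lines into a dict; comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg, role):
    """Return (code, message) findings for a config serving `role`
    ('corporate' or 'guest'). An empty list means every check passed."""
    findings = []
    key_mgmt = cfg.get("wpa_key_mgmt", "").split()
    # hostapd uses rsn_pairwise for WPA2 and wpa_pairwise for WPA1.
    pairwise = (cfg.get("rsn_pairwise") or cfg.get("wpa_pairwise", "")).split()

    if cfg.get("wpa") != "2":
        findings.append(("wpa_version",
                         f"wpa={cfg.get('wpa', 'unset')}: require wpa=2 (WPA2/RSN only)"))
    if "TKIP" in pairwise or "CCMP" not in pairwise:
        findings.append(("weak_cipher",
                         f"pairwise ciphers {pairwise or 'unset'}: require CCMP only"))

    if role == "corporate":
        # 802.1X means per-user credentials checked by a RADIUS server, not a shared key.
        if "WPA-EAP" not in key_mgmt or cfg.get("ieee8021x") != "1":
            findings.append(("no_8021x", "corporate SSID must use WPA-EAP with ieee8021x=1"))
        if "WPA-PSK" in key_mgmt or "wpa_passphrase" in cfg:
            findings.append(("psk_on_corp", "shared passphrase configured on the corporate SSID"))
        if "auth_server_addr" not in cfg:
            findings.append(("no_radius", "no RADIUS server configured for 802.1X"))
    elif role == "guest":
        # Client isolation stops guests from talking to each other over the AP;
        # keeping them off the internal network is a VLAN/firewall job outside this file.
        if cfg.get("ap_isolate") != "1":
            findings.append(("no_isolation", "guest clients can reach each other; set ap_isolate=1"))
    return findings


def audit_all():
    """Audit the three constructed configs and return findings keyed by name."""
    return {
        "corp-weak": audit(parse_hostapd(CORP_WEAK), "corporate"),
        "corp-hardened": audit(parse_hostapd(CORP_HARDENED), "corporate"),
        "guest": audit(parse_hostapd(GUEST), "guest"),
    }


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for code, message in findings:
            print(f"  [{code}] {message}")
```

The weak corporate config fails every corporate check; the hardened one and the guest config pass. A check like this belongs in the same place as the rest of the security team's requirements from the start of the project, so a controller template that drifts back to a shared passphrase is caught before it is pushed to the fleet.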

Download our free white paper Wi-Fi: Far and Wide for more information.
