WLAN In the Enterprise – Use Cases and Strategies

July 21st, 2010 by Jon Janego

Continuing from my first post in the series, today I hope to cover the common use cases and general strategies for securing an enterprise WLAN.

Depending on the size and business needs of the enterprise, a WLAN can be used in a few different ways:

Basic Mobility – the most common use of WLAN is simply to extend the existing wired LAN to wireless users.  This can have a very positive impact on productivity, allowing users more flexibility throughout the workspace.

Segmented Mobile Data – this type of WLAN is dedicated to a specific type of data that is segmented from the main enterprise network.  Typical use cases here are in hospitals or retail stores, where compliance regulations provide strict guidance on data protection and segmentation.

Guest Internet Access – common in cafes and large businesses, this type of WLAN typically provides only internet access and is entirely segmented from the enterprise wired LAN.

Wired LAN Replacement – this type of network is becoming a feasible alternative to the hassle of running cable, and will likely continue to grow in popularity as time goes by.

These use cases can blend together in any number of ways.  A well-thought-out design at the beginning, along with the right hardware planning, can accommodate these uses and even more.

General Strategy

Like other networking strategies, the use of proper segmentation at the Layer 2 level is critical when designing a WLAN.  Your most critical data flows should have their own segment, protected by methods like VLAN segmentation, firewalling, private IP spaces, and routing tables.  Regardless of the authentication and encryption method used for the WLAN itself, properly designing its location within the enterprise wired LAN is critical.

Data encryption in 802.11 is accomplished by combining the authentication type with an underlying encryption method.  Use of WPA2-AES encryption should be considered mandatory in any new WLAN deployment.  This encryption technology has no documented vulnerabilities and has widespread hardware and software support.  If your enterprise has devices that do not support WPA2-AES, strongly consider replacing them.  A network's security should not be determined by its weakest link.  Unless there is a business case for doing otherwise, use the strongest encryption and authentication methods available.
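One way to check access point configurations against the WPA2-AES-only rule above, as an added example that is not part of the original post. It assumes the APs are configured with hostapd-style key=value files; both sample configurations are constructed.

```python
# Added example; both sample configs are constructed. Audits hostapd-style AP configs.
LEGACY_AP = """
ssid=warehouse-scanners
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
"""

HARDENED_AP = """
ssid=corp
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
rsn_pairwise=CCMP
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return policy violations for one AP config; an empty list means compliant."""
    conf = parse_conf(text)
    findings = []
    wpa = conf.get("wpa", "0")
    if any(key.startswith("wep_") for key in conf):
        findings.append("WEP keys are configured")
    if wpa == "0":
        findings.append("WPA is disabled (open or WEP network)")
        return findings
    if wpa != "2":
        findings.append("wpa=%s permits legacy WPA; set wpa=2" % wpa)
    # rsn_pairwise governs WPA2; fall back to wpa_pairwise if it is unset.
    ciphers = (conf.get("rsn_pairwise") or conf.get("wpa_pairwise") or "").split()
    if not ciphers:
        findings.append("no pairwise cipher set explicitly; set rsn_pairwise=CCMP")
    elif "TKIP" in ciphers:
        findings.append("TKIP is offered; restrict the pairwise cipher to CCMP")
    return findings

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_AP), ("hardened", HARDENED_AP)):
        print(name, audit(conf) or "compliant")
```

A mixed-mode AP like the constructed legacy one is usually kept for older clients, so its findings also point to the devices that are candidates for replacement.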

My next post will get into some specifics about these different use cases!
