Legalit Opinion: Building Secure Wireless LANs in Legal Practices
Guest article by Tim Daniels, AIT Partnership Group, independent wireless consultants.
Despite advances in the security of wireless networks many IT Managers in the legal industry seem to remain reluctant to allow wireless connectivity within their legal practices.
Many of these prejudices, however, are based on preconceived ideas that come from two sources: 1) personal experience with simple home network solutions such as Virgin Broadband, and 2) early wireless network solutions that had security flaws in their Wi-Fi protocols, such as WEP (Wired Equivalent Privacy).
Easy Access & Control
IT Managers should take a fresh look at wireless security which is now arguably better than security in wired LANs. Here are some good reasons why you should adopt wireless in your legal offices:
• A wireless network in your office allows users to access resources from anywhere in the office, whether at their own desk, meeting room, hot desk or common staff area. If your organisation has multiple offices then staff can also safely auto-connect in remote offices. Network access to file systems and other corporate resources can be controlled per user ensuring a layered approach to information.
• Branch offices can be set up and administered remotely. IT Managers can configure group policies remotely without touching the access point itself. The branch router/access point is posted to the remote office and self-configures upon start-up – adopting the group policies. Branch routers will automatically set up a VPN link to head office, ensuring all network traffic with the branch is secure.
• Guest access allows visitors to securely access your wireless network using a unique time limited pre-shared key. Visitors increasingly need to access external cloud based resources in order to do business.
• BYOD (Bring/Buy Your Own Device) – some wireless solutions allow controlled access by a limited number of devices, perhaps their personal iPad, their PC and their smartphone. Devices may have to be pre-approved by you or they may be allowed limited access to internal networks by default. Again all may be easily controlled by the network administrator function.
• Simple administration of users. Modern wireless solutions allow centrally administered authentication via RADIUS or LDAP directories such as Active Directory, and allow instant access or blocking of devices.
Wireless Security Is Flawed…
Not anymore, I would argue. Whilst early access policy protocols have been shown lacking, modern protocols such as WPA2 are seen as secure, especially the Enterprise flavour (WPA Enterprise), which gives each client its own unique key provided through an Active Directory login. Keys are dynamically generated for the client and AP at the time of login, making this methodology more secure. As a fall back Aerohive has a system called “private pre-shared keys” which enables each user to have a unique PSK, significantly improving security over simpler fixed PSK solutions.
Am I me?
Having securely connected we need to ensure the users are who they say they are. Authentication of users is best approached using 802.1X which relies on RADIUS to mutually authenticate users to the infrastructure at a port/MAC address level.
If this methodology is not available then a web login page can be used to authenticate user/password before access is given.
Taken together, access and authentication policies are now arguably tighter than the typical security found in a wired network.
What can I access?
Having allowed users to connect and checked they are authentic the next task is to limit where they can go. This is achieved through identity based access control. RADIUS attributes are used to place users into policy groups which then define what resources (VLAN, Applications, Servers) they can access. This is all similar to typical wired network policies with which IT administrators are familiar.
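The RADIUS-attribute-to-policy step described above, as an added worked example rather than code from the article or from any vendor's controller. The attribute names are the standard RADIUS ones (Filter-Id from RFC 2865; Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID from RFC 2868, with the VLAN values from RFC 3580); the policy groups, server names and sample replies are constructed for the example. The point it demonstrates is that the mapping should fail closed: an Access-Accept naming an unknown group, or carrying VLAN attributes that disagree with the group, is treated as a reject rather than as "some access".

```python
"""Identity-based access control from RADIUS Access-Accept attributes.

Added illustration for this article, not code from any vendor product.
Attribute names are standard RADIUS (Filter-Id: RFC 2865; the Tunnel-*
attributes: RFC 2868, VLAN values per RFC 3580). The policy groups, the
server names and the sample replies are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

TUNNEL_TYPE_VLAN = 13     # Tunnel-Type = VLAN (RFC 3580)
TUNNEL_MEDIUM_802 = 6     # Tunnel-Medium-Type = IEEE-802 (RFC 3580)


@dataclass(frozen=True)
class AccessPolicy:
    """What a policy group may reach once it has been placed on its VLAN."""
    vlan: int
    servers: FrozenSet[str]
    applications: FrozenSet[str]


# Constructed policy groups, keyed by the Filter-Id value the RADIUS server returns.
POLICY_GROUPS: Dict[str, AccessPolicy] = {
    "fee-earners": AccessPolicy(
        vlan=20,
        servers=frozenset({"dms.example.internal", "mail.example.internal"}),
        applications=frozenset({"dms", "email", "web"}),
    ),
    "support-staff": AccessPolicy(
        vlan=30,
        servers=frozenset({"mail.example.internal"}),
        applications=frozenset({"email", "web"}),
    ),
    "guest": AccessPolicy(vlan=99, servers=frozenset(), applications=frozenset({"web"})),
}


def policy_from_access_accept(attrs: Dict[str, str]) -> Optional[AccessPolicy]:
    """Translate the attributes of an Access-Accept into a policy.

    Returns None (fail closed: treat as a reject) when the group is unknown,
    the VLAN attributes are malformed, or the VLAN the server asked for does
    not match the VLAN defined for the group.
    """
    policy = POLICY_GROUPS.get(attrs.get("Filter-Id", ""))
    if policy is None:
        return None
    if "Tunnel-Private-Group-ID" in attrs:
        # A VLAN assignment only means something with the matching tunnel type/medium.
        if attrs.get("Tunnel-Type") != str(TUNNEL_TYPE_VLAN):
            return None
        if attrs.get("Tunnel-Medium-Type") != str(TUNNEL_MEDIUM_802):
            return None
        try:
            requested_vlan = int(attrs["Tunnel-Private-Group-ID"])
        except ValueError:
            return None
        if requested_vlan != policy.vlan:
            return None
    return policy


def may_access(policy: AccessPolicy, server: str, application: str) -> bool:
    """Check one connection attempt against the client's policy."""
    return server in policy.servers and application in policy.applications


if __name__ == "__main__":
    # Constructed Access-Accept for a fee earner authenticated over 802.1X.
    reply = {
        "Filter-Id": "fee-earners",
        "Tunnel-Type": "13",
        "Tunnel-Medium-Type": "6",
        "Tunnel-Private-Group-ID": "20",
    }
    p = policy_from_access_accept(reply)
    print("VLAN:", p.vlan if p else "rejected")
    print("DMS allowed:", p is not None and may_access(p, "dms.example.internal", "dms"))
```

In a real deployment the controller or RADIUS server does this mapping; the value of writing it out is to see which malformed or inconsistent replies a "reasonable default" would let through.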
Isolating the bad boys
Wireless Intrusion Detection Systems (WIDS) are incorporated into wireless networks to detect and stop attacks on the wireless network. The two most common threats are:
• Rogue Access Points – misconfigured or malicious access points connected to the network.
• Ad-Hoc Clients – wireless devices connecting to each other rather than via the APs. The usual cause is that clients turn on “ad-hoc” mode on their own PC in order to try to connect to another wireless device. In general ad-hoc connections should never be allowed.
Wireless detection and prevention systems ensure that only the authorised access points exist. If others are found then they are flagged to the IT administrator allowing them to be quickly isolated from the network.
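The detection logic behind the two findings above, as an added example; it is not a product's WIDS and not code from the article. It classifies scan results against an inventory of the practice's own radios: an unknown BSSID advertising a corporate SSID is a rogue AP, one of our own BSSIDs advertising the wrong SSID is a misconfiguration, and any IBSS (ad-hoc) network is flagged regardless of SSID. The scan records, inventory and SSIDs are constructed sample data (the BSSIDs use a locally administered 02:00:00 prefix so they cannot match real hardware).

```python
"""Rogue-AP and ad-hoc detection over wireless scan results.

Added illustration for this article; it is not a product's WIDS and not code
from the article. The scan records, the authorised-AP inventory and the
corporate SSIDs are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    ssid: str
    channel: int
    mode: str   # "ESS" for an access point, "IBSS" for an ad-hoc network


# Inventory of the practice's own radios: BSSID -> (SSID it should advertise, channel).
AUTHORISED_APS: Dict[str, Tuple[str, int]] = {
    "02:00:00:aa:00:01": ("LawFirm-Corp", 36),
    "02:00:00:aa:00:02": ("LawFirm-Corp", 1),
    "02:00:00:aa:00:03": ("LawFirm-Guest", 6),
}

# SSIDs that only the inventoried radios are allowed to broadcast.
CORPORATE_SSIDS = {"LawFirm-Corp", "LawFirm-Guest"}


def classify(record: ScanRecord) -> str:
    """Classify one scan record as authorised, misconfigured, rogue, ad-hoc or unknown."""
    if record.mode == "IBSS":
        return "ad-hoc"                       # never allowed, whatever the SSID says
    expected = AUTHORISED_APS.get(record.bssid.lower())
    if expected is not None:
        expected_ssid, _channel = expected
        return "authorised" if record.ssid == expected_ssid else "misconfigured"
    if record.ssid in CORPORATE_SSIDS:
        return "rogue"                        # unknown radio advertising one of our SSIDs
    return "unknown"                          # most likely a neighbour: review, do not isolate


def wids_report(records: List[ScanRecord]) -> Dict[str, List[str]]:
    """Group the BSSIDs that need the administrator's attention by finding."""
    findings: Dict[str, List[str]] = {}
    for record in records:
        verdict = classify(record)
        if verdict in ("rogue", "misconfigured", "ad-hoc"):
            findings.setdefault(verdict, []).append(record.bssid)
    return findings


# Constructed scan: two healthy corporate APs, one misconfigured corporate AP,
# one rogue advertising the corporate SSID, one ad-hoc client, one neighbour.
SAMPLE_SCAN = [
    ScanRecord("02:00:00:aa:00:01", "LawFirm-Corp", 36, "ESS"),
    ScanRecord("02:00:00:aa:00:02", "LawFirm-Corp", 1, "ESS"),
    ScanRecord("02:00:00:aa:00:03", "LawFirm-Open", 6, "ESS"),
    ScanRecord("02:00:00:bb:00:09", "LawFirm-Corp", 6, "ESS"),
    ScanRecord("02:00:00:cc:00:07", "LawFirm-Corp", 11, "IBSS"),
    ScanRecord("02:00:00:dd:00:03", "CoffeeShop", 6, "ESS"),
]

if __name__ == "__main__":
    for finding, bssids in wids_report(SAMPLE_SCAN).items():
        print(f"{finding}: {', '.join(bssids)}")
```

A commercial WIDS adds the piece this sketch cannot: checking whether a suspect radio is actually plugged into the wired network (for instance by correlating its MAC with switch CAM tables), which is what separates a rogue on your LAN from a neighbour's AP that merely copied your SSID.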
Previous shortcomings of wireless networks mean that FUD (fear, uncertainty and doubt) creeps into an IT manager's mind when the word “compliance” is mentioned. Data-security compliance standards in the UK centre on the PCI standards (controlling credit card transactions), which cover the entire WAN/LAN network.
PCI requires that sensitive data be kept segmented and accessed only by those who need it. Many companies have segmentation and firewall policies for their wired networks. These policies must be carried over to the wireless access points that join the network, so that they do not become back-door entry points. Modern wireless solutions, like Aerohive, include security features to ensure PCI (and similar) compliance.
So why Don’t You?
As an industry observer, it seems to me that the legal profession moves more slowly than some sectors in adopting new technology. But as senior partners start to demand connectivity for their tablets and smartphones within your network, IT Managers must come to grips with, and add, wireless. If your preconception is that wireless networks are insecure and open to abuse, it’s time to think again. Security in modern enterprise-class Wi-Fi solutions is completely different from that of your home broadband router!
For more information about wireless security you can download this (Aerohive) White Paper – Building Secure Wireless LAN.
Share your Experiences
If you have recently installed WLAN in your legal offices or had network security issues let us know your experiences, good and bad, using the comments below.
* AIT Partnership Group is an Aerohive Platinum Partner in the UK. As independent consultants we also specify solutions from other manufacturers, if it fits better!