Addressing wireless security challenges with Cloud-managed Wi-Fi infrastructure

Friday, 22 April 2016 00:00

Technology and market trends are forcing rapid changes to enterprise IT, especially in regard to how corporate networks are secured. As the number and types of network-connected wireless devices continue to grow exponentially, these connected devices present new vulnerabilities and a growing attack surface for hackers to exploit.

Market researcher Gartner predicts that there will be 33 billion connected endpoints by the year 2020 with a majority comprised of new “headless” device types driven by the Internet of Things (IoT). The proliferation of devices and applications is posing serious challenges for organisations that need to ensure the protection of their entire network and guard against advanced cyber security threats. 

This alarming gap between the expanding access layer and adequate cyber security protections has also been highlighted in Fortinet’s Global Wireless Security Survey. Conducted by independent market research company Lightspeed GMI last May, the survey showed that 88% of CIOs are worried that their existing wireless security is inadequate. A total of 1,490 qualified IT decision-makers were interviewed - CIOs, CTOs, IT Directors and Heads of IT at organisations with more than 250 employees around the globe including Asia Pacific countries India, Japan and Hong Kong.

Wi-Fi security adoption in Asia Pacific has been relatively high. However, most Asia Pacific ITDMs are still worried about the state of wireless security in their organisation, with 44% stating they are very concerned, and there are indeed valid justifications for their concerns. Wireless LAN (WLAN) networks are subject to vulnerabilities. Here are some major security challenges that besiege every Wi-Fi environment:


1. Blurry network boundary 

The reality is that there are many ingress and egress points on the network—and not all of them are governed by an edge firewall. In today’s environment, not all attacks come from outside a network. An attack could come from the inside (knowingly or unknowingly). With no other safeguards beyond perimeter protection in place, once something malicious has internal access to the network there is little to stop it from eventually making it to critical systems.


With the explosion of BYOD in the enterprise, and the subsequent mission-criticality of mobile devices and applications, organisations have struggled to balance the concerns around providing pervasive, easily managed Wi-Fi coverage with WLAN security and compliance.

3. Rogue APs

Rogue access points pose a serious network security threat by creating a leakage point where sensitive data such as credit card information can be siphoned off the network. For this reason, the PCI DSS and other data security standards often mandate proactive monitoring and suppression of rogue APs.

4. Authentication 

Authentication is an important part of network security as it allows you to identify network users, ensuring that your network is only accessed by authorised users, and allowing different users to have access to different data and services. Most data breaches can be traced back to login credentials stolen via phishing attacks as the initial intrusion vector.

5. Man-In-The-Middle attack

With weak access points (APs) on an unencrypted Wi-Fi network, a man-in-the-middle attack is a looming threat. One example of a man-in-the-middle attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones.


Emergence of Cloud-managed Wi-Fi security infrastructure

According to IDC, adoption of cloud-managed Wi-Fi is growing steadily. For many organisations, especially distributed enterprises (organisations built on a hub-and-spoke model, with a centralised IT staff, and with multiple remote sites needing connectivity), a traditional controller-based model of Wi-Fi may not meet their needs for scalability, a less physically intensive infrastructure, and automated provisioning and management across a wide geographic area. Cloud-managed Wi-Fi has emerged in recent years to address these growing needs.

In the traditional model of enterprise-grade Wi-Fi, controllers can represent a large capital expense. In the case of cloud-managed Wi-Fi, scaling up the network involves just the cost of additional access points (APs) plus applicable subscription fees. This cost structure often works well for small to medium-sized organisations and distributed enterprises. The space requirements of a controller are sometimes prohibitive for small distributed enterprise branch locations. This, along with a frequent lack of onsite networking expertise, has often led to distributed enterprises doing without Wi-Fi, or employing consumer-grade solutions that lack adequate security, policy, and network management capabilities.

Centralised management and provisioning capabilities are important within a cloud-managed Wi-Fi platform. In such an infrastructure, APs ship preconfigured to remote sites, with provisioning taking place centrally through a Web-based management application. Once APs arrive at a remote site, a branch worker need only plug in the AP and click through a Web-based GUI to get Wi-Fi up and running in minutes. User and device policies, as well as all relevant WLAN updates, are managed centrally.

A cloud-based management solution manages both security and wireless infrastructure by protecting the network from advanced threats and allowing granular access controls and application usage policies.


Key challenges for Cloud Wi-Fi security infrastructure

Distributed organisations face many challenges as they deploy and manage a wireless LAN solution for their customers and employees. Current enterprise WLAN solutions often require complex architectures to segment guest and internal networks, while demanding extra hardware like separate WLAN controllers and security appliances. While emerging cloud-managed Wi-Fi vendors have helped to reduce the complexity and management issues associated with deploying wireless networks, moving WLAN control into the cloud has introduced many security challenges.

Generally speaking, cloud-managed Wi-Fi is capable of being just as secure as traditional Wi-Fi. However, many cloud solutions on the market today do not reach this level of security. Most support basic wireless intrusion detection systems (WIDS), 802.1X-based authentication, application visibility, and other standard wireless security mechanisms. However, the majority of these platforms do not support broader network security requirements such as intrusion prevention systems (IPS), Web content filtering, application control, antivirus, and others. Of course, security features need frequent updates to be effective, and the centralised updating capabilities of cloud-managed Wi-Fi help enable this.

Due to wireless traffic leaving the remote network in a cloud-managed model, the security functionality requirements of cloud-managed Wi-Fi are greater than those of traditional Wi-Fi in many ways. Regardless of control architecture, WLAN security requires more than just captive portal authentication, 802.1X, and WIDS/WIPS. Secure cloud-managed APs must move beyond wireless intrusion protection to network-wide IPS because threats are commonly found at the network layer and higher.

Cloud-managed APs must also support URL filtering and application control, and these functions have to be dynamic. They cannot operate based on static URL and application lists because security threats constantly emerge and evolve. Dynamic lists are consistently updated in real-time based on the latest industry threat information.


Securing WLAN: Still a top priority

WLANs have become a standard part of an enterprise network and their role is becoming increasingly important due to BYOD. As such, WLAN security must be a key priority for any network administrator. Strong authentication, smart policies based on user identity and device identification, and a sophisticated client reputation capability give not only the WLAN but the whole network the ability to effectively combat the increasingly sophisticated attacks that enterprise networks are constantly encountering.

(The writer is Fortinet’s Senior Director, APAC Wi-Fi Business.)
