Building a solid foundation
802.11 security capabilities built into APs and adapters have a clear impact on over-the-air data protection. For most enterprises, that means choosing equipment that supports WPA2-Enterprise (AES encryption, 802.1X port access control, RADIUS authentication). But WLAN security doesn’t stop there.
Examine the distribution of security functionality between your WLAN controller and APs. For example, enterprises with latency-sensitive applications may need controller-based fast roaming features (things like key caching and pre-authentication), but these can only be used within single-vendor WLANs.
If your wired network is already segmented into VLANs, you will need APs that support 802.1Q VLAN tagging and perhaps RFC 3580 (802.1X-based tagging). If not, insulate your wired network from wireless intruders by placing APs outside a firewall or VPN gateway.
When using 802.1X, your APs (or perhaps your controller) must speak RADIUS to your authentication server, which in turn interfaces with your user directory and database (e.g., Microsoft’s Active Directory). Consider both security and availability when deciding how to relay WLAN access requests between these systems.
For visitors, you might allow unfiltered Internet access, use your controller’s captive portal, or redirect guests to an existing portal inside your wired LAN. Be sure to compartmentalize guest traffic inside your network, for example by mapping a “guest” SSID onto its own VLAN.
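With RFC 3580 tagging, the RADIUS server names the VLAN in three tunnel attributes of its Access-Accept. The sketch below is an added example, not part of the original article: it extracts that VLAN and falls back to a quarantine VLAN when the attributes are missing, malformed, or name a VLAN that is not on the allow list. The VLAN numbers (20, 30, 999) and all function names are assumptions, and the packet is presumed to have already passed Response Authenticator verification.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 uses for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802, ACCESS_ACCEPT = 13, 6, 2

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: value bytes}; raise ValueError on a malformed packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = {}, 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]  # simplification: last value wins
        pos += alen
    return attrs

def assigned_vlan(packet: bytes, allowed: set, fallback: int) -> int:
    """VLAN to tag the session with; anything unexpected lands in `fallback`.
    Tunnel-Type and Tunnel-Medium-Type carry 1 tag byte plus a 3-byte value."""
    try:
        attrs = parse_attributes(packet)
        ttype, medium = attrs[TUNNEL_TYPE], attrs[TUNNEL_MEDIUM_TYPE]
        group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    except (KeyError, ValueError):
        return fallback
    if group and group[0] <= 0x1F:  # optional leading tag byte
        group = group[1:]
    if (len(ttype) != 4 or int.from_bytes(ttype[1:], "big") != TYPE_VLAN
            or len(medium) != 4 or int.from_bytes(medium[1:], "big") != MEDIUM_IEEE_802
            or not group.isdigit()):  # VLAN ID is sent as an ASCII decimal string
        return fallback
    return int(group) if int(group) in allowed else fallback

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_accept(attrs: bytes) -> bytes:
    """Constructed test packet; the authenticator is zeroed and not checked here."""
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed sample: the server assigns VLAN 30 (hypothetical guest VLAN)
SAMPLE = build_accept(attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
                      + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
                      + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"30"))
```

Calling `assigned_vlan(SAMPLE, allowed={20, 30}, fallback=999)` returns 30; removing 30 from the allow list or truncating the packet returns 999.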
The biggest deployment challenge is usually client software installation, configuration, and maintenance. On managed client devices, you must deploy 802.1X Supplicants (or, for those who prefer IPsec, VPN clients). Conventional desktop management tools can help here. But installing client software may not be feasible on visitor or embedded devices.