Your business users want Wi-Fi, but which Wi-Fi solution is right for your organization? Your IT department must assist senior management in deciding which wireless access configuration will work best for your staff and business users.
One of the following four Wi-Fi Implementation Models will fit the majority of business scenarios.
Wi-Fi Model | Business Functionality | Risk Potential
No Wi-Fi Network | None | High*
Public Wi-Fi Network (completely separate from the internal network) | Very Little | Low
Social Wi-Fi Network (non-public, but untrusted) | Limited | Low to Medium
Corporate Wi-Fi Network (internal, with limited trust) | Best | High
* Unless technical and policy measures prevent users from connecting their own access points.
No Wi-Fi Network
Whether your credit union offers a Wi-Fi network or not, the issue of wireless access still must be addressed in your IT and End User policies. If a credit union decides not to implement a Wi-Fi solution, the organization’s IT Policy, IT Security Policy, and End User Policy should explicitly state that “users may not connect their own access points—also known as rogue access points—to the internal network.” Be aware of the temptation for business users to circumvent Wi-Fi security measures in an effort to make their work easier.
SUMMARY: No Functionality, High Risk if Business Users Install Rogue Access Points
Public Wi-Fi Network (separate from the internal network)
In this model, Wi-Fi access points are completely separate and not connected in any way to the credit union’s internal network. The Public Wi-Fi uses its own infrastructure and Internet connections, providing completely public, open access points for personal use by employees and by clients, according to acceptable use terms defined in the credit union’s IT and End User policies. The credit union should review all pertinent supplier contracts and documents to confirm that introducing Wi-Fi does not conflict with any stated contractual responsibility.
Log-in to the Wi-Fi should be implemented via a “splash screen” that redirects the connecting user to a web page with terms and conditions that the user must accept before being able to connect to and use the Wi-Fi. Access to the Wi-Fi can also be implemented via a secure web page Log-in that requires the user to enter a username and password and restricts access to the Wi-Fi network. This type of log-in limits resource use only and is not intended to provide security. A content filter may be considered to prevent abuse.
+ Advantages
Connection to the Wi-Fi network is kept separate from the credit union’s internal network and poses no direct threat to the network.
Staff may use smartphones, tablets and other personal mobile devices for general Internet usage—with restrictive settings on credit union-owned devices connecting to the internal network.
Business clients may appreciate the Internet connectivity at the credit union.
Wi-Fi is not a concern for compliance and IT security audit purposes.
– Disadvantages
Additional cost for a separate Internet connection.
Technical provisions must be implemented to immediately disable Wi-Fi upon connection to the wired network for any laptops and other devices with Wi-Fi capabilities. No device may bridge the public Wi-Fi and the internal, wired network at the same time.
Access to credit union resources is subject to the same limitations as from any other point on the Internet. Secure VPN tunnels are mandatory, speed is limited by Internet bandwidth and access to specific services should be restricted.
SUMMARY: Little Business Functionality, Low Risk
Social Wi-Fi Network (non-public, but untrusted)
A Social Wi-Fi Network uses access restrictions and encryption. Generally, access credentials are provided to all staff members as per the acceptable use terms laid out in the credit union’s IT Policy. With this model, “bring your own device (BYOD)” is encouraged; however, BYOD is prohibited on any internal network. The credit union may wish to provide staff and clients with Social Wi-Fi “surf terminals” as well as chat forums or websites with publicly available information.
The single point of connection to the internal network is via a firewall that restricts access to the internal network to a level comparable to access from the Internet, i.e., mainly to web-based services such as Outlook Web Access. The social network is within the responsibility of the credit union; therefore, a content filter is mandatory.
+ Advantages
Wi-Fi is mostly segregated from the internal network, but some security consideration is necessary.
Staff may use smartphones, tablets and other personal mobile devices for general Internet usage—with restrictive settings on credit union-owned devices connecting to the internal network.
The credit union can provide staff with additional intranet social services, and selected services from the internal network may be made available at LAN speed.
A separate Internet connection is not mandatory.
IT and End User policies regulate acceptable use.
– Disadvantages
Technical provisions must be implemented to immediately disable Wi-Fi upon connection to the wired network for any laptops and other devices with Wi-Fi capabilities. No device may bridge the Social Wi-Fi and the internal, wired network at the same time.
Access to credit union resources must be heavily restricted, similar to the restrictions for an Internet-based user.
Wi-Fi network security must be considered—Wi-Fi may be in scope for IT security audits.
SUMMARY: Limited Business Functionality, Low to Medium Risk
Corporate Wi-Fi Network (internal, but with limited trust)
In this scenario, the Wi-Fi network is basically an extension of the credit union’s internal, wired network. As such, tight security is mandatory and BYOD is not permitted—only credit union-owned and -controlled devices may connect to the Corporate Wi-Fi. The IT and End User policies should clearly define acceptable use and the consequences of non-compliance with these policies. Access should not be through a static password, but through an authorization server, preferably with a certificate infrastructure.
Even with the tightest security, there should still be some segregation between the wireless and the wired network, where firewall rules limit access to the most critical systems such as the banking system. A Corporate Wi-Fi network may share the Internet access infrastructure of the wired network, including content filter and other network security infrastructure.
+ Advantages
Wi-Fi offers wired-comparable access speed to most services on the network.
Provides the highest business benefit, with most or all services available.
Internet access infrastructure can be shared with the wired network.
IT Policy and End User Policy regulate acceptable use.
– Disadvantages
BYOD is not permissible. Employees are limited in accessing the Wi-Fi for personal use such as social media.
High effort is required for setup and monitoring.
An authorization server is required.
Wi-Fi is in scope of all relevant regulatory and contractual obligations.
A Wireless Intrusion Prevention System is recommended.
SUMMARY: Best Business Functionality, Medium to High Risk
STEP 2 — IT policies for successful Wi-Fi implementation
When the credit union has selected a suitable Wi-Fi implementation model, it must be addressed in the IT Policy, outlining the business value, functionality and security expectations that senior management has regarding Wi-Fi. The End User Policy should clearly define acceptable use and the consequences of non-compliance.
A solid IT Policy is the guideline that the IT Department uses to deliver a solution that is aligned to business requirements.
Policy considerations and statements
Implementation Model | IT Policy | End User Policy
No Wi-Fi Network | The IT Policy should state that Wi-Fi is not to be used. | The End User Policy must state that users may not connect access points to the internal network under any circumstances.
Public Wi-Fi Network (completely separate from the internal network) | Intended use of the Public Wi-Fi and the requirement of complete segregation from the internal network. Access from the Public Wi-Fi to the internal network is subject to the same limitations as access from any other point on the Internet. Users must accept “Terms and Conditions” as a condition to access services through the Public Wi-Fi. BYOD is allowed on Public Wi-Fi only. | Users may not connect any access points to the internal network. Acceptable use and the consequences for non-compliance. User-owned devices may only be used for general Internet usage (and possibly some other, defined services), but may not be used to access or store any credit union data, unless the data is classified as public.
Social Wi-Fi Network (non-public, but untrusted) | Intended use of the Social Network Wi-Fi and definition as an untrusted network. High-level statements requiring an effective segregation of the Social Network Wi-Fi from the internal network through firewalls. Statement about limited access to the internal network, for example, “Access is limited to web-based services through a VPN portal. BYOD is allowed only on the Social Network Wi-Fi.” High-level statements about value-added services offered by the credit union on the Social Network Wi-Fi and that such services may only contain data classified as public. High-level security requirements for the Social Network Wi-Fi, detailing authentication and encryption requisites with reasonable security and content filtering. | Users may not connect any access points to the internal network. Acceptable use and the consequences for non-compliance. User-owned devices may only be used for general Internet usage (and possibly some other, defined services), but may not be used to access or store any credit union data, unless classified as public.
Corporate Wi-Fi Network (internal, with limited trust) | Intended use of the Corporate Wi-Fi. High-level statements requiring partial segregation from the internal network through firewalls. Statement about access limitations to any applications and network segments on the internal network. Statement limiting access to the Corporate Wi-Fi to credit union-owned devices as well as security requirements (full encryption, malware protection where applicable, remote wipe capability, etc.) for any devices accessing the Corporate Wi-Fi. High-level statements requiring tight security for the Corporate Wi-Fi, including best-practice encryption, certificate-based authentication using an authentication server, physical security for access points and a Wireless Intrusion Detection/Prevention System. | Users may not connect any access points to the internal network. Acceptable use and the consequences for non-compliance. User-owned devices may not be used on the Corporate Wi-Fi.
STEP 3 — Pre-deployment checklist
Before you decide on the details of your new Wi-Fi network, there are a few general considerations:
Perform a site survey to determine the best locations for access points. While such a survey is usually concerned with getting every part of the building covered with as few access points as possible, there is an additional consideration for a Corporate Wi-Fi. To minimize the potential for attacks from outside the building, the footprint of the Corporate Wi-Fi network should extend as little as possible beyond the exterior walls of the building.
Consider physical security in the placement of the access points. An attacker with physical access to an unprotected Wi-Fi device may easily gain a foothold in the network. If you cannot lock up the access points in wiring cabinets or similar locations, consider access points built for hostile environments.
Choose the right access point for the job. While an expensive, hardened access point for a public Wi-Fi network may be overkill, a Corporate Wi-Fi needs just that.
Research the security track record of the products under consideration.
STEP 4 — Leading Wi-Fi security practices
Except for a Public Wi-Fi, good wireless security is important to prevent your network perimeter from being compromised. All non-public Wi-Fi access points should follow these leading IT security practices:
Disable all non-secure configuration interfaces on your access points. Use secure counterparts such as HTTPS and SSH instead of less secure protocols such as HTTP and Telnet.
Disable administration of the access points (“in band” administration) from the Wi-Fi network. Only allow administration of the access points from the wired network.
Disable all unused physical ports on your access points.
Disable WLAN Auto Configuration or, preferably, do not buy access points with that functionality.
Disable Wi-Fi Protected Setup (WPS), as this protocol has been compromised.
Immediately change all default passwords.
Do not use the default SSID (network name) or your credit union’s name for your network name. Choose a network name that does not provide meaningful information to an attacker. For example, “SOCIAL” might be a good SSID for a Social Network Wi-Fi.
Do not use the WEP security protocol. It takes less than 5 minutes to crack and is no more secure than an unprotected Wi-Fi network.
Require WPA2 with pre-shared keys (passwords), except for corporate networks. WPA2 (Wi-Fi Protected Access) is currently the most secure protocol to protect your Wi-Fi privacy and is available on most Wi-Fi equipment.
Disable “wireless client to client” connections. Allow connections to the wired network only from wireless devices.
Use Network Time Protocol (NTP) to provide accurate timestamps for audit purposes.
Additional security measures for deploying a Corporate Wi-Fi Network
Use Enterprise-level WPA2 protocol with certificate-based authentication through an authentication server. This is the best way to prevent unauthorized devices from connecting to the network.
WPA2 should be set to use CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) encryption.
All devices that connect to the network must be under the control of the credit union. BYOD is not permitted. All connecting devices should be fully encrypted, have strong authentication and hardened operating systems. Where applicable, anti-malware must be installed. We do not recommend allowing wireless devices that do not have remote wipe capabilities.
Limit the footprint of your access points. Use the lowest radio output power that will offer satisfactory communication.
Wi-Fi Network Access Logs should be archived for audit purposes and, if possible, analyzed by a log management solution.
Access to the internal, wired network should be through a firewall, because the Wi-Fi network is never fully trusted. Where possible, isolate access points on individual Virtual LANs (VLANs).
Choose “enterprise class” access points with no additional functionality. Many less expensive Wi-Fi access points contain a lot of additional, unneeded functionality and may include complete routers, file servers or media streaming. These devices have many known, critical vulnerabilities and offer a significant potential for configuration issues. Such functionality represents an unacceptable security risk for a Corporate Wi-Fi Network.
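As an added example that is not part of the original document, the following Python script checks a hostapd-style access point configuration against the leading practices listed in this step and the additional Corporate Wi-Fi measures; the hostapd option names are real, while the two sample configurations, the SSIDs and the organization name are constructed.

```python
# Audit a hostapd-style AP configuration against the checklist above (added
# example, not from the original document; sample configs are constructed).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "tp-link", "wireless"}

def parse_config(text: str) -> dict:
    """Parse hostapd-style key=value lines, ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg: dict, model: str, org_name: str) -> list:
    """Return findings for a 'social' or 'corporate' AP; an empty list passes."""
    findings = []
    ssid = cfg.get("ssid", "").lower()
    if not ssid or ssid in DEFAULT_SSIDS:   # default SSIDs leak the vendor
        findings.append("default or empty SSID")
    elif org_name.lower() in ssid:          # SSID must not name the organization
        findings.append("SSID reveals the organization name")
    if "wep_default_key" in cfg or cfg.get("wpa") != "2":   # WPA2 only, never WEP
        findings.append("WEP or pre-WPA2 security in use")
    if cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")) != "CCMP":
        findings.append("pairwise cipher is not CCMP")
    if cfg.get("wps_state", "0") != "0":    # WPS has known weaknesses
        findings.append("WPS enabled")
    if cfg.get("ap_isolate") != "1":        # no wireless client-to-client traffic
        findings.append("client-to-client traffic allowed (ap_isolate != 1)")
    if model == "corporate":
        # Enterprise WPA2: 802.1X against an authentication server, no static key.
        if cfg.get("wpa_key_mgmt") != "WPA-EAP" or cfg.get("ieee8021x") != "1":
            findings.append("corporate Wi-Fi must use WPA-EAP with 802.1X")
        if not cfg.get("auth_server_addr"):
            findings.append("no authentication server configured")
    elif cfg.get("wpa_key_mgmt") != "WPA-PSK":
        findings.append("non-corporate Wi-Fi should use WPA2 with a pre-shared key")
    return findings

# Constructed samples: a weak Social Wi-Fi AP and a hardened Corporate Wi-Fi AP.
WEAK_SOCIAL = """
ssid=Example Credit Union Guest
wpa=1
wpa_pairwise=TKIP
wps_state=2
wpa_key_mgmt=WPA-PSK
"""
HARDENED_CORPORATE = """
ssid=CORP-A7
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
ap_isolate=1
wps_state=0
"""

if __name__ == "__main__":
    for name, text, model in (("weak", WEAK_SOCIAL, "social"),
                              ("hardened", HARDENED_CORPORATE, "corporate")):
        print(name, audit(parse_config(text), model, "Example Credit Union") or "OK")
```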
STEP 5 — Post-implementation considerations
End user training
Once your new Wi-Fi network is operating, you should consider end-user awareness training. It is imperative for your users to practice proper and acceptable use of the Wi-Fi network. To ensure compliance with IT and End User policies, make sure to include end user training in your Wi-Fi rollout. Training for end users should be kept up-to-date and the training should be included in orientation for all new employees.
Disclosure
Even the best Wi-Fi implementation weakens the security of your network perimeter to some degree. Some supplier contracts may require the credit union to obtain the supplier’s consent before a Wi-Fi network is implemented. It is the credit union’s responsibility to verify any wireless requirements or restrictions with its suppliers prior to implementing a Wi-Fi network.
Monitoring and documentation
Unless you deployed a more comprehensive Wireless Intrusion Prevention Solution, use a Wi-Fi monitoring tool to scan your environment regularly for rogue access points. Document your Wi-Fi network configuration and use proper change management procedures before modifying the configuration. Monitor configurations for deviations from the documented defaults.
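An added illustration, not part of the original document, of the regular rogue access point scan described above: the script compares constructed scan records against a constructed inventory of authorized access points and reports unknown BSSIDs, impersonations of the credit union’s own SSIDs, and deviations from the documented configuration.

```python
# Flag rogue and impersonating access points from a Wi-Fi scan (added example,
# not from the original document; inventory and scan records are constructed).
from typing import Optional

# Authorized access points: BSSID -> (SSID, documented security).
AUTHORIZED = {
    "00:11:22:33:44:01": ("SOCIAL", "WPA2-PSK"),
    "00:11:22:33:44:02": ("CORP-A7", "WPA2-EAP"),
}
OUR_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

# Constructed scan records: bssid,ssid,security,signal_dbm
SCAN = """\
00:11:22:33:44:01,SOCIAL,WPA2-PSK,-48
00:11:22:33:44:02,CORP-A7,WPA2-EAP,-52
DE:AD:BE:EF:00:01,CORP-A7,OPEN,-40
66:77:88:99:aa:bb,Linksys,WPA2-PSK,-70
00:11:22:33:44:02,CORP-A7,WPA2-PSK,-53
"""

def parse_scan(text: str) -> list:
    """Parse the scan records; BSSIDs are normalized to lower case."""
    records = []
    for line in text.splitlines():
        if line.strip():
            bssid, ssid, security, signal = line.split(",")
            records.append({"bssid": bssid.lower(), "ssid": ssid,
                            "security": security, "signal": int(signal)})
    return records

def classify(rec: dict) -> Optional[str]:
    """Return a finding label, or None for an authorized AP with the documented setup."""
    known = AUTHORIZED.get(rec["bssid"])
    if known is None:
        if rec["ssid"] in OUR_SSIDS:
            return "impersonation"      # our SSID on a BSSID we do not own
        return "unknown-ap"             # neighbour or rogue: check the wired side
    expected_ssid, expected_sec = known
    if rec["ssid"] != expected_ssid or rec["security"] != expected_sec:
        return "config-deviation"       # our AP, but not the documented configuration
    return None

def findings(text: str) -> dict:
    """Group BSSIDs by finding type; an empty dict means nothing to investigate."""
    out = {}
    for rec in parse_scan(text):
        label = classify(rec)
        if label:
            out.setdefault(label, []).append(rec["bssid"])
    return out

if __name__ == "__main__":
    for label, bssids in findings(SCAN).items():
        print(f"{label}: {', '.join(bssids)}")
```

Each "unknown-ap" hit still needs a check on the wired side to tell a neighbour’s network from an access point plugged into the credit union’s LAN.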
Conclusion
Deploy only as much Wi-Fi capabilities as you need to support your business goals. Alternatively, if the primary motivator is user gratification, a Public or Social Wi-Fi network implementation may be a more suitable solution for your credit union’s needs. Whichever Wi-Fi network model you choose, make sure your IT and End User policies are updated accordingly and that an appropriate documented risk assessment is reported and reviewed by the executive and audit committee.
Risk advisory expertise
Stephan Muhs, CISA, CISSP, CRISC – Information Technology Auditor
Stephan Muhs is an IT Auditor with PRA Group providing network and systems security assessment for clients across Canada. Bringing decades of IT experience to PRA, Stephan has worked nationally and abroad with clients in the financial services, logistics, manufacturing, utilities and non-profit industries. Stephan’s extensive experience comprises systems administration and security, IS operations and change control, internal and external vulnerability assessment, information systems audit, security and privacy audit, IT risks and controls review, operations audit, ethical hacking and PCI-DSS compliance scanning. Mr. Muhs’s professional designations include a Certified Information System Auditor (CISA), a Certified Information Systems Security Professional (CISSP) and a Certified Risk and Information Systems Control (CRISC). With his combination of credentials and deep industry experience, Stephan Muhs has the high calibre of business intelligence clients expect from PRA.
Disclaimer: This document is intended for informational purposes. While every effort is made to ensure that the information contained herein is reliable, P. Reimer & Associates Ltd. (“PRA Group”) does not warrant the accuracy, completeness or currency of such information. You should consult with PRA Group or other professional advisors to determine how the information contained in this document applies to your particular situation prior to making any decision or taking any action based upon such information. In no event shall PRA Group or its directors, officers, employees or agents be liable for any loss, damage or expense directly or indirectly arising out of or in connection with the use of, or reliance upon, the information contained in this document.
Frequently asked questions about Wi-Fi implementation
1. Should I use a hidden SSID?
A “hidden SSID” means that the access points will not broadcast the name or SSID of your wireless network. This will prevent the network from showing in the list of available networks in the Wi-Fi settings of client devices. To connect to a network with a hidden SSID, the user must know the network name and enter it manually.
+ Advantages
A hidden SSID prevents accidental attempts to connect to your Wi-Fi network.
It may discourage casual attempts at “hacking into the network”.
– Disadvantages
Widely available Wi-Fi “sniffing” tools allow a dedicated attacker to determine the SSID, so this is of little value in discouraging a targeted attack.
Some client devices have difficulty connecting to a network with a hidden SSID; this may increase the support effort for the IT department or cause user frustration.
SUMMARY: Improves security somewhat, but maybe not enough to justify the additional support efforts.
2. Should I use MAC Whitelisting?
The MAC (Media Access Control) address is a globally unique identifier used in wired and wireless Ethernet networks to address network devices and route network traffic within a network. Addressing the differences between IP addresses and MAC addresses is beyond the scope of this document; for the purposes of a sound Wi-Fi implementation it is sufficient to note that MAC addresses are meant to be unique and are used to identify devices connecting to a Wi-Fi network.
If MAC whitelisting is used to configure access points, only devices with a known and whitelisted MAC address are allowed to connect to the network.
+ Advantages
It may discourage casual attempts to hack the network.
– Disadvantages
Widely available Wi-Fi “sniffing” tools allow a dedicated attacker to determine the MAC addresses associated with various access points, even when encryption is used. After obtaining valid MAC addresses using a sniffing tool, the attacker can then change his own MAC address to impersonate one of the legitimate devices. Consequently, MAC Whitelisting will not impede a targeted attack in any measurable way.
Every new client device needs to be added to the MAC Whitelist and all retired devices should be removed. This makes the support effort unwieldy in all but the smallest installations.
SUMMARY: Currently not worth the additional support effort.