U.S. Flag Official website of the Department of Homeland Security
TLP:WHITE

Security Tip (ST18-247)

Securing Enterprise Wireless Networks

Original release date: September 04, 2018

In June 2018, the Wi-Fi Alliance began certifying devices that support Wi-Fi Protected Access 3 (WPA3), which replaces WPA2. Users should employ the new standards as WPA3 devices become available.

What is enterprise network security?

Enterprise network security is the protection of a network that connects systems, mainframes, and devices―like smartphones and tablets―within an enterprise. Companies, universities, governments, and other entities use enterprise networks to help connect their users to information and people. As networks grow in size and complexity, security concerns also increase.

What security threats do enterprise wireless networks face?

Unlike wired networks, which have robust security tools—such as firewalls, intrusion prevention systems, content filters, and antivirus and anti-malware detection programs—wireless networks (also called Wi-Fi) provide wireless access points that can be susceptible to infiltration. Because they may lack the same protections as wired networks, wireless networks and devices can fall victim to a variety of attacks designed to gain access to an enterprise network. An attacker could gain access to an organization’s network through a wireless access point to conduct malicious activities—including packet sniffing, creating rouge access points, password theft, and man-in-the-middle attacks. These attacks could hinder network connectivity, slow processes, or even crash the organization’s system. (See Securing Wireless Networks for more information on threats to wireless networks.)

How can you minimize the risks to enterprise Wi-Fi networks?

Network security protocols have advanced to offset the constant evolution of attacks. Wi-Fi Protected Access 2 (WPA2) incorporates Advanced Encryption Standard (AES) and is the standard employed today to secure wireless enterprises. In June 2018, the Wi-Fi Alliance began certifying devices that support Wi-Fi Protected Access 3 (WPA3), which replaces WPA2. Users should employ the new standards as WPA3 devices become available. IT security professionals and network administrators should also consider these additional best practices to help safeguard their enterprise Wi-Fi networks:

  • Deploy a wireless intrusion detection system (WIDS) and a wireless intrusion prevention system (WIPS) on every network.
  • Ensure existing equipment is free from known vulnerabilities by updating all software in accordance with developer service pack issuance.
  • Use existing equipment that can be securely configured.
  • Ensure all equipment meets Federal Information Processing Standards (FIPS) 140-2 compliance for encryption.
  • Ensure compliance with the most current National Institute of Standards and Technology. (See Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i.)
  • Establish multifactor authentication for access to your network. If this is not possible, consider other secure authentication means beyond a single shared password, such as Active Directory service authentication or an alternative method (e.g., tokens) to create multifactor authentication into your network.
  • Use Extensible Authentication Protocol-Transport Layer Security certificate-based methods (or better) to secure the entire authentication transaction and communication.
  • Use Counter Mode Cipher Block Chaining Message Authentication Code Protocol, a form of AES encryption used by Wireless Application Protocol 2 (WAP) enterprise networks sparingly. If possible, use more complex encryption technologies that conform to FIPS 140-2 as they are developed and approved.
  • Implement a guest Wi-Fi network that is separate from the main network. Employ routers with multiple Service Set Identifiers (SSIDs) or engage other wireless isolation features to ensure that organizational information is not accessible to guest network traffic or by engaging other wireless isolation features.

What else can you do to secure your network?

Employing active WIDS/WIPS enables network administrators to create and enforce wireless security by monitoring, detecting, and mitigating potential risks. Both WIDS and WIPS will detect and automatically disconnect unauthorized devices. WIDS provides the ability to automatically monitor and detect the presence of any unauthorized, rogue access points, while WIPS deploys countermeasures to identified threats. Some common threats mitigated by WIPS are rogue access points, misconfigured access points, client misassociation, unauthorized association, man-in-the-middle attacks, ad-hoc networks, Media Access Control spoofing, honeypot/evil twin attacks, and denial-of-service attacks.

The following list includes best practices to secure WIDS/WIPS sensor networks. Administrators should tailor these practices based on  local considerations and applicable compliance requirements. For more in-depth guidance, see A Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family).

  • Use a rogue detection process capability. This capability should detect Wi-Fi access via a rogue client or WAP, regardless of the authentication or encryption techniques used by the offending device (e.g., network address translation, encrypted, soft WAPs).
  • Set the WIDS/WIPS sensors to
    • detect 802.11a/b/g/n/ac devices connected to the wired or wireless network and
    • detect and block multiple WAPs from a single sensor device over multiple wireless channels.
  • Enforce a “no Wi-Fi” policy per subnet and across multiple subnets.
  • Provide minimal secure communications between sensor and server, and identify a specific minimum allowable Kbps―the system shall provide automatic classification of clients and WAPs based upon enterprise policy and governance.
  • Provide automated (event-triggered) and scheduled reporting that is customizable.
  • Segment reporting and administration based on enterprise requirements.
  • Produce event logs and live packet captures over the air and display these directly on analyst workstations.
  • Import site drawings for site planning and location tracking requirements.
  • Manually create simple building layouts with auto-scale capability within the application.
  • Place sensors and WAPs electronically on building maps to maintain accurate records of sensor placement and future locations.
  • Have at least four different levels of permissions allowing WIPS administrators to delegate specific view and administrator privileges to other administrators.
  • Meet all applicable standards and, if Federal Government, comply with the Federal Acquisition Regulation.

Author

NCCIC

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top