Setting up “guest” wireless data access so office visitors can search the Web from their laptops isn’t just a question of courtesy; it’s a matter of security — a way to protect the enterprise even from people who don’t exactly count as outsiders, according to IT industry experts.
By building a separate virtual local area network (VLAN) on the company’s wireless network, IT managers can not only provide outsiders a way to access the Web without opening the host firm’s whole corporate network to visitor scrutiny, but also offer employees a sort of staging area for security checks before they access the business’s prime communication nexus.
Employees would see something like a “guest” page on their computer screens before being allowed access to the internal network, if internal network access is to be allowed at all. At this page, endpoint-assessment software would check the user’s computer for application patches, security programs and other elements deemed necessary for internal network access, according to the enterprise IT security policy.
Employees with the right profiles and security software on their machines would be allowed onto the corporate net. Employees whose PCs identified them as authorized users but lacked the requisite security software would be redirected to a remediation area, where they could update software, add required programs and generally harden their machines before being admitted to the network.
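The decision logic behind that three-way split (guest, remediation, corporate) can be shown in a few dozen lines. The following is an added example written for this page, not code from the article, from HP ProCurve or from Capgemini; the VLAN numbers, policy thresholds, agent report format and the three sample check-ins are all constructed assumptions for illustration. It also shows one detail the page glosses over: patch levels must be compared numerically, since a plain string comparison ranks “5.9” above “5.10”.

```python
"""Guest / remediation / corporate VLAN assignment driven by a posture check.

Added example (not code from the article, HP ProCurve or Capgemini).
VLAN numbers, policy thresholds, the report format and the sample endpoints
are all constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Assumed VLAN IDs; a real deployment would push these to the switch or AP
# as RADIUS attributes after the check-in.
GUEST_VLAN = 10         # Internet only: where visitors (and unknown users) land
REMEDIATION_VLAN = 20   # patch/AV update servers only: the "fix your box" stage
CORPORATE_VLAN = 30     # full access to the internal network


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.1.2600' into (5, 1, 2600) so comparisons are numeric.

    Comparing the raw strings would rank '5.9' above '5.10'; the tuple
    form does not have that flaw.
    """
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class EndpointReport:
    user: str
    authorized: bool                 # identity check passed (directory, 802.1X)
    os_patch_level: str              # as reported by the check-in agent
    antivirus_installed: bool
    av_signature_date: Optional[date]
    host_firewall_enabled: bool


@dataclass
class Policy:
    min_patch_level: str
    max_signature_age_days: int


@dataclass
class Decision:
    vlan: int
    reasons: List[str] = field(default_factory=list)


def evaluate(report: EndpointReport, policy: Policy, today: date) -> Decision:
    """Place the endpoint on the guest, remediation or corporate VLAN.

    Unauthorized users never get past the guest VLAN. Authorized users whose
    machine fails any check are sent to remediation with a list of what to
    fix, which is the list the self-service update page would show them.
    """
    if not report.authorized:
        return Decision(GUEST_VLAN, ["user not authorized for internal access"])

    gaps = []
    if parse_version(report.os_patch_level) < parse_version(policy.min_patch_level):
        gaps.append(f"OS patch level {report.os_patch_level} below required "
                    f"{policy.min_patch_level}")
    if not report.antivirus_installed:
        gaps.append("antivirus agent missing")
    elif (report.av_signature_date is None
          or (today - report.av_signature_date).days > policy.max_signature_age_days):
        gaps.append("antivirus signatures older than "
                    f"{policy.max_signature_age_days} days")
    if not report.host_firewall_enabled:
        gaps.append("host firewall disabled")

    if gaps:
        return Decision(REMEDIATION_VLAN, gaps)
    return Decision(CORPORATE_VLAN, ["posture check passed"])


# Constructed sample check-ins: a visitor, a neglected employee laptop, a healthy one.
POLICY = Policy(min_patch_level="5.1.2600", max_signature_age_days=7)
TODAY = date(2005, 10, 6)   # constructed "current" date for the age check

SAMPLE_REPORTS = [
    EndpointReport("visitor-laptop", False, "5.1.2600", True, TODAY, True),
    EndpointReport("jdoe", True, "5.0.2195", True, date(2005, 9, 1), False),
    EndpointReport("asmith", True, "5.1.2600", True, date(2005, 10, 5), True),
]


def assign_all(reports=SAMPLE_REPORTS, policy=POLICY, today=TODAY):
    """Run the check-in for every sample report; returns user -> Decision."""
    return {r.user: evaluate(r, policy, today) for r in reports}


if __name__ == "__main__":
    for user, decision in assign_all().items():
        print(f"{user}: VLAN {decision.vlan} -- {'; '.join(decision.reasons)}")
```

Run as a script it prints one line per sample machine: the visitor stays on the guest VLAN, the laptop with an old patch level, stale signatures and a disabled firewall goes to remediation with all three gaps listed, and the up-to-date machine is placed on the corporate VLAN. The remediation reasons are what keeps help-desk calls down: the user sees exactly what to fix rather than a bare “access denied.”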
It’s a scenario that IT industry insiders offer as a potential security set-up for wireless networks. Paul Congdon, chief technology officer at Hewlett-Packard Co.’s network tech arm ProCurve Networking Business, and Ajay Sharma, a computer security specialist at IT consultancy Capgemini Canada Inc., painted this protective picture while talking yesterday at a Frankly Speaking Breakfast event on wireless security. Frankly Speaking is a series of early-morning chats with industry experts on various IT topics. It comes courtesy of ITWorldCanada.com’s sister publication, CIO Canada.
Congdon said the VLAN strategy addresses a prime concern about efficiency. “What you don’t want to do is increase your help desk calls,” he told the audience of 45 or so IT chiefs. He explained that the update stage, where improperly armed users download prescribed software for network access, keeps employees from calling the help desk for harried how-to tips on PC maintenance.
Sharma from Capgemini said, “It’s a way of stopping (people) right at the door.” Intruders can’t get in, guests get limited access and employees get an automated opportunity to boost their boxes’ health, and a path to the company’s network.
Plenty of tech vendors sell systems designed to ensure computers are up to snuff and in accordance with the corporate IT security policy before granting network access. Congdon pointed out that HP’s ProCurve equipment comes so armed.
But there are other things an enterprise can do to make wireless security stronger, Sharma said. A few examples from the Frankly Speaking function:
* Ensure the corporate IT security policy includes instructions about “rogue” network devices. It should spell out for employees whether they are allowed to bring network-capable PDAs, cell phones and other devices into the business environment, and, if they are, what is expected in terms of registering the devices, using them on the network and other details. Spell out what can happen to an employee who breaks the rules, too.
* “Run ethical hacking in your organization,” he suggested. A connection stress test could reveal how well or poorly protected the business’s communications are. If one or another department has particularly bad security measures, shame the team into shaping up. “Advertise” the slackers’ slacking in the enterprise, he said.
* Apply just as stringent rules to the wireless access points as you would to the wired network ports. “Companies have tried to address wireless as a separate entity,” Sharma said. It’s the wrong mindset. “Wireless is just an extension of your network.”
One company seems to be taking this advice to heart. Rogers Media Inc., the publishing and broadcasting arm of Rogers Communications Inc., considers wireless access points mere additions to the wireline network, not some separate entity, according to Jim Diederichs, the company’s vice-president and chief information officer (CIO). The firm also has technology that checks computers to ensure they have the proper programs for safe network access.
But sometimes, technology isn’t enough. After attending the Frankly Speaking event, Diederichs explained a situation his company faced:
“Of the last significant network attacks we had, patient zero has been either a financial consultant or a management consultant,” he said. “These are people who come into our building, carrying their own laptops and plugging into a network port.”
Now Rogers goes a step beyond security benchmarks. “We…run a manual, physical check of any laptop before we allow it into the building,” Diederichs said. This human intervention lets Rogers check for malware as well as proper software configurations.