Wireless technology has proven its value in terms of ubiquity and convenience over the past decade. Now, as many organisations have returned to the office in some capacity following lockdowns, many administrators are discovering that it’s time to update their office local area network (LAN). Naturally, they’re considering dropping wired networking altogether, or at least moving to a wireless-first LAN environment.
This major change raises important questions for IT teams. For now, we’ll leave aside considerations surrounding performance and reliability and focus on one question: “is it safe?” In short, the answer is yes – a wireless network can be perfectly safe for enterprise applications if proper precautions are taken. Here are our top recommendations for implementing a safe wireless-first or wireless-only enterprise network:
DO plan for Zero Trust architecture. Work towards downgrading the trust placed in staff Wi-Fi networks so that they are treated the same way as guest Wi-Fi.
DON’T mix staff and IoT devices. Implement a separate SSID to accommodate the growing number of devices such as meeting room booking displays, CCTV cameras, temperature sensors and smart TVs. Those devices generally lack the most recent and advanced security protocols.
DO decommission your print servers and transition to cloud printing. Print servers are a source of many vulnerabilities and attack vectors. To mitigate this issue, “downgrade” your printers from the trusted internal network to guest-level access, with reachability limited to the Internet print service only. There are many options to choose from – Microsoft Universal Print, Kofax (Printix), and PrinterLogic, to name just a few.
DON’T allow your Wi-Fi-connected devices to communicate with each other. Implement the “Wireless Client Isolation” feature. Depending on the vendor, the actual setting has different names. For example, Cisco calls it “P2P Blocking”, Meraki calls it “Layer 2 LAN isolation”, and Aruba’s option is called “Deny Intra VLAN Traffic”.
These settings, whatever they may be called, stop devices connected to the same Wi-Fi from communicating directly with each other. There are relatively few use cases where P2P (device-to-device) communication is required. A rare exception is Windows Delivery Optimization (TCP port 7680), but few IT admins are even aware of its existence.
DO keep some minimal level of authentication and filtering for the guest Wi-Fi. This prevents abuse by uninvited users outside the network perimeter. Currently, a shared key with WPA2 will suffice. As OWE (Opportunistic Wireless Encryption) becomes more widely supported, it will replace shared keys. OWE is an encryption method designed to enhance the security and privacy of users connecting to open (public) Wi-Fi networks.
DON’T overcomplicate authentication and security for your staff wireless network. It should be reliable and not block users with expired passwords. WPA2-PSK (pre-shared key) will suffice if you have transitioned your staff network to zero trust, it faces your perimeter firewalls, and it requires an overlay Remote Access VPN. If zero trust is not yet in place and the staff network allows unlimited access to the internal network, WPA2-Enterprise (with machine certificates) is the minimum.
If you introduce too many limitations on staff Wi-Fi, tech-savvy users will move to a less restrictive guest network. If you have transitioned to zero trust for wireless in smaller environments, you could potentially combine staff and guest networks together.
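To make the three settings discussed above concrete, here is an added example (not the article's own code, and not any of the vendor products it names) that lints a hostapd-style multi-SSID configuration for the points just made: client isolation on every SSID, a shared key or OWE on guest, 802.1X on staff unless the staff network has moved to zero trust, and staff and IoT kept out of the same Layer 2 segment. The hostapd key names (ap_isolate, wpa, wpa_key_mgmt, bridge, ieee8021x, auth_server_addr) are real; the SSID-to-role map, the staff_zero_trust flag and both sample configs are constructed assumptions, and the RADIUS address and secrets are placeholders.

```python
# Added example, not from the article: lint a hostapd-style multi-SSID config
# against the recommendations above. hostapd key names are real; the SSID-to-role
# map and both sample configs are constructed for this demo.

# Assumed mapping of SSID to role; hostapd itself has no notion of "staff" or "IoT".
ROLE_BY_SSID = {"corp-staff": "staff", "corp-guest": "guest", "corp-iot": "iot"}


def parse_hostapd(text: str) -> list[dict[str, str]]:
    """First dict is the primary BSS; each 'bss=<ifname>' line starts another virtual AP."""
    blocks: list[dict[str, str]] = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "bss":
            blocks.append({})
        blocks[-1][key.strip()] = value.strip()
    return blocks


def audit(text: str, roles=ROLE_BY_SSID, staff_zero_trust: bool = False) -> list[str]:
    """One finding per violated recommendation; an empty list means the config is clean."""
    findings: list[str] = []
    roles_on_bridge: dict[str, set[str]] = {}
    for bss in parse_hostapd(text):
        ssid = bss.get("ssid", "<no ssid>")
        role = roles.get(ssid, "unknown")
        mgmt = set(bss.get("wpa_key_mgmt", "").split())
        encrypted = bss.get("wpa", "0") != "0"  # wpa=2 selects WPA2 (RSN)

        # DON'T let clients talk to each other: hostapd's name for client isolation is ap_isolate=1.
        if bss.get("ap_isolate") != "1":
            findings.append(f"{ssid}: ap_isolate is not 1, Wi-Fi clients can reach each other")

        if role == "guest":  # DO keep a minimal barrier: WPA2 shared key now, OWE where supported
            if not encrypted:
                findings.append(f"{ssid}: open guest network, use WPA2-PSK or OWE")
            elif "WPA-PSK" in mgmt and not (bss.get("wpa_passphrase") or bss.get("wpa_psk")):
                findings.append(f"{ssid}: WPA-PSK selected but no key configured")

        # A staff SSID with unrestricted internal access needs 802.1X (WPA2-Enterprise);
        # PSK is acceptable only once the staff network has been moved to zero trust.
        if role == "staff" and not staff_zero_trust and "WPA-EAP" not in mgmt:
            findings.append(f"{ssid}: staff network without zero trust must use WPA-EAP (802.1X)")

        if role in ("staff", "iot"):  # separate SSIDs are not enough if both land in one bridge/VLAN
            roles_on_bridge.setdefault(bss.get("bridge", ssid), set()).add(role)

    for bridge, present in roles_on_bridge.items():
        if {"staff", "iot"} <= present:
            findings.append(f"bridge {bridge}: staff and IoT SSIDs share one L2 segment")
    return findings


# Constructed "before" config: no isolation on staff, staff on PSK without zero
# trust, IoT bridged into the staff segment, guest left fully open.
WEAK_CONFIG = """\
interface=wlan0
ssid=corp-staff
bridge=br-lan
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=STAFF-PSK-placeholder
# ap_isolate left unset: staff clients can reach each other
bss=wlan0_1
ssid=corp-iot
bridge=br-lan
ap_isolate=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=IOT-PSK-placeholder
bss=wlan0_2
ssid=corp-guest
ap_isolate=1
# no wpa= line: open guest network
"""

# Constructed "after" config: isolation everywhere, staff on 802.1X against a
# placeholder RADIUS server, IoT on its own bridge, guest on OWE.
HARDENED_CONFIG = """\
interface=wlan0
ssid=corp-staff
bridge=br-staff
ap_isolate=1
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_shared_secret=RADIUS-SECRET-placeholder
bss=wlan0_1
ssid=corp-iot
bridge=br-iot
ap_isolate=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=IOT-PSK-placeholder
bss=wlan0_2
ssid=corp-guest
bridge=br-guest
ap_isolate=1
wpa=2
wpa_key_mgmt=OWE
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

The vendor controllers named in the article expose the same controls under their own names (P2P Blocking, Layer 2 LAN isolation, Deny Intra VLAN Traffic), so the checks carry over unchanged: isolation on for every SSID, guest never open, staff on 802.1X until zero trust is in place, and no shared Layer 2 segment between staff and IoT. Running the weak config reports four findings; the hardened one reports none.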
DO review and refresh your internal PKI setup. Make sure your PKI settings are modernised to support Private Key Attestation. That is, each machine should have a digital certificate whose private key is protected by a dedicated hardware cryptographic chip (the TPM on Windows or the Secure Enclave on macOS). This makes the private key impossible to extract, duplicate and reuse for malicious purposes. Machine certificates can then be used to implement a user-friendly always-on overlay remote access VPN solution for your staff.
What’s next?
Wi-Fi can absolutely replace traditional wired LAN in an enterprise environment from a security perspective; it just requires vigilance on the part of the IT team. This is a worthwhile trade-off, especially as most people now work from laptops, many of which don’t even have the hardware for wired networking.
The future of networking is clearly wireless. We have yet to see whether technologies like 5G will supersede Wi-Fi, but if they do, many of these recommendations will still hold. The smart choice is to make the right changes today rather than hurriedly making them tomorrow.