Taking the guess out of guest networking

By Chris Kozup, Special to ZDNet
30 September 2003 09:00 AM
Tags: network, networking, wireless, ssid, vlan, guest
As Wi-Fi integration into notebooks approaches 95 percent by 2005, wireless LANs will become the logical choice for simplifying guest network access. However, the strategy for securing guest access conflicts with the approach used for internal employees: employees should be secured through their client device configuration, whereas it is undesirable to force configuration changes onto a guest's device. For guests, association to the wireless access point should be open and encouraged, not hindered by the access point's existing security settings.

SSID to VLAN mapping is inadequate
Vendors advocating a standalone access point approach to enterprise wireless LAN deployments propose enabling guest access through the creation of multiple SSIDs per single access point. Each SSID (Service Set Identifier) maps back to a network VLAN with access to different network resources.

Each SSID has its own security profile: the internal employee SSIDs/VLANs require full 802.1x user authentication and subsequent encryption (e.g., WEP, TKIP via WPA), while the guest SSID/VLAN is routed directly to the Internet. It is the responsibility of the guest to ensure an adequate level of security once connected to the Internet (e.g., VPN, personal firewall). Much like the wired approach previously discussed, this method is flawed and not preferred. VLANs offer a viable method for limiting broadcast storms and logically segmenting traffic, but should not be considered highly secure: guest and employee traffic still share the same access point and switching fabric, so the separation rests entirely on the VLAN configuration being correct everywhere along the path. Meta Group research shows that most organisations do not believe the segmentation provided by VLANs is adequate to protect internal resources from external users.

The preferred method of establishing guest access and enhancing guest services is via third-party gateway/appliance solutions that sit in the network path and are able to enforce strict user access policies.

To simplify guest access, ideal solutions require no configuration changes to the client device. Instead of relying on SSIDs and VLANs, gateway/appliance solutions are able to leverage a multitude of authentication methods to regulate network access. The best approach for guest authentication is a Web login page, hosted on the gateway/appliance, to which the guest's browser is automatically redirected upon association to the wireless network.

The guest is then required to input a user name and password prior to accessing the network. The gateway/appliance regulates the network resources to which the authenticated guest has access, and can differentiate network access based on the level of user authentication. To add a further layer of security, highly security-conscious organisations may decide to create a separate network segment that is physically connected only to the DMZ. Although most systems can manage multiple user profiles, the majority of guests may be given a single username and password (e.g., "Guest"). To further simplify the distribution of passwords, enterprises that want basic authentication will be satisfied by posting the login information in the conference room or guest access location and changing the password on a weekly or biweekly basis.

Wireless LAN system vendors will also move toward offering guest access as a specific feature. As these systems mature and enterprises migrate toward an integrated wired and wireless infrastructure beginning in 2004-07, the requirement for third-party gateways/appliances will gradually decline.

Liability for misuse
Enterprises must be concerned with the ways in which internal employees and guests use the network. Although internal employees are governed by corporate policies dictating acceptable use of the communications infrastructure, guests typically do not fall under the jurisdiction of such policies. Some basic policy can be enforced using in-line policy managers (e.g., URL filtering) that sit in the guest and employee data path. Enterprises providing guest access to the Internet should take steps to create a policy defining acceptable terms of use.

Third-party gateway/appliance solutions and many wireless LAN systems offer the ability to redirect a user to a Web page. As previously discussed, this can be used for Web-based authentication, but should also be used as a means of forcing a guest to "accept" or "not accept" the predefined terms of use. By forcing the user to agree to use the network only for business purposes, the enterprise can limit its liability in the case of a guest's malicious use.
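The gateway behaviour described above (redirect of unauthenticated HTTP to a login page, a shared "Guest" password rotated weekly, terms-of-use acceptance recorded before access is granted, and per-profile restriction of where an authenticated guest may go) can be sketched as a small decision engine. The code below is an added illustration, not code from the article or from any of the vendor products it discusses. The portal address, the "guest" and "consultant" profiles, the consultant account, the use of RFC 1918 ranges to stand in for "internal resources", and the derivation of the weekly password from a secret are all assumptions made for the example; the traffic samples are constructed.

```python
import datetime as dt
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: RFC 1918 space stands in for the internal resources the gateway
# must keep guests away from. A real deployment lists its own prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORTAL_URL = "http://portal.guest.example/login"   # hypothetical portal address

# Differentiated access per authentication level: guests reach only the
# Internet, consultants also reach internal resources. Names are assumptions.
PROFILES = {"guest": {"internal": False}, "consultant": {"internal": True}}


def weekly_guest_password(secret: bytes, when: dt.date) -> str:
    """Shared 'Guest' password that changes every ISO week. Deriving it from a
    secret (illustrative choice) lets the help desk post this week's value
    without keeping a list of future passwords anywhere."""
    year, week, _ = when.isocalendar()
    tag = hmac.new(secret, f"{year}-W{week:02d}".encode(), hashlib.sha256).hexdigest()
    return tag[:10]


@dataclass
class Session:
    mac: str
    profile: Optional[str] = None             # None until login succeeds
    terms_accepted_at: Optional[dt.datetime] = None


class GuestGateway:
    """In-path gateway: tracks clients by MAC, bounces unauthenticated HTTP to
    the portal, and enforces the profile's access policy once logged in."""

    def __init__(self, secret: bytes, consultant_accounts: dict, today: dt.date):
        self.secret = secret
        self.today = today
        self.accounts = dict(consultant_accounts)   # username -> (password, profile)
        self.sessions: dict = {}

    def session(self, mac: str) -> Session:
        return self.sessions.setdefault(mac, Session(mac))

    def credentials_valid(self, username: str, password: str) -> Optional[str]:
        """Return the profile for valid credentials, else None.
        compare_digest keeps the password check constant-time."""
        if username == "Guest":
            expected = weekly_guest_password(self.secret, self.today)
            return "guest" if hmac.compare_digest(expected, password) else None
        if username in self.accounts:
            expected, profile = self.accounts[username]
            return profile if hmac.compare_digest(expected, password) else None
        return None

    def login(self, mac: str, username: str, password: str,
              accepted_terms: bool, now: dt.datetime) -> bool:
        """Portal form handler: terms must be accepted AND credentials valid.
        The acceptance timestamp is kept as the liability record."""
        if not accepted_terms:
            return False
        profile = self.credentials_valid(username, password)
        if profile is None:
            return False
        s = self.session(mac)
        s.profile, s.terms_accepted_at = profile, now
        return True

    def decide(self, mac: str, dst_ip: str, dst_port: int) -> str:
        """Per-packet decision: 'REDIRECT' (to PORTAL_URL), 'ALLOW' or 'DENY'."""
        s = self.session(mac)
        dst = ipaddress.ip_address(dst_ip)
        if s.profile is None:
            # Captive state: DNS passes so the browser can resolve names,
            # HTTP is redirected to the portal, everything else is dropped.
            if dst_port == 53:
                return "ALLOW"
            return "REDIRECT" if dst_port == 80 else "DENY"
        internal = any(dst in net for net in INTERNAL_NETS)
        if internal and not PROFILES[s.profile]["internal"]:
            return "DENY"
        return "ALLOW"


if __name__ == "__main__":
    # Constructed walk-through: a guest is redirected, logs in, and is then
    # allowed out to the Internet but not into 10.0.0.0/8.
    today = dt.date(2003, 9, 30)
    gw = GuestGateway(b"rotate-me", {"alice": ("s3cret", "consultant")}, today)
    print("this week's Guest password:", weekly_guest_password(b"rotate-me", today))
    print(gw.decide("00:0c:29:aa:bb:cc", "203.0.113.5", 80))
    gw.login("00:0c:29:aa:bb:cc", "Guest",
             weekly_guest_password(b"rotate-me", today), True, dt.datetime(2003, 9, 30, 9))
    print(gw.decide("00:0c:29:aa:bb:cc", "203.0.113.5", 443),
          gw.decide("00:0c:29:aa:bb:cc", "10.1.2.3", 445))
```

Two points worth noting in the design: the login handler refuses to authenticate at all unless the terms checkbox was sent, so there is no state in which a guest has network access without a recorded acceptance; and the captive state still lets DNS through, since without name resolution the browser never issues the HTTP request that triggers the redirect. Tracking clients by MAC is what commodity gateways of this type did and is spoofable; the article's stronger option, a guest segment connected only to the DMZ, addresses that at the network layer rather than in the gateway.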

Business impact: Providing access to network resources and services for consultants and guests will increase productivity.

Bottom line: IT organisations will increasingly be forced to provide Internet access as an additional service to external consultants and other guests. Third-party gateway/appliance solutions--and, increasingly, wireless system vendors--will offer the best method of providing this service in a secure and manageable way.
