Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Mobility

Five Steps to Securing Your Wireless LAN

Advances in WLAN features and capabilities allow organizations to offer the benefits of wireless to their employees without sacrificing security.

Next Steps

For more detail on the steps in this article, read the full-length version.

Learn more about Cisco security products and the Self-Defending Network.

Wireless LANs can bring incredible productivity and new efficiencies to organizations of all sizes. Properly deployed, WLANs can be as secure as wired networks. Use the following five steps as part of your deployment:


1. Create a WLAN Security Policy

A written wireless policy that covers authorized use and security is a necessary first step. Typically, security policy documents include the following sections:

  • Purpose
  • Scope
  • Policy
  • Responsibilities
  • Enforcement
  • Definitions
  • Revision history

2. Secure the WLAN

Securing the network is based on three pillars: secure communications, threat control and containment, and policy and compliance management. With these areas in mind, following are best practices for securing your wireless network:

  • Secure Communications: Encrypt data and authenticate users of the network.
  • Modify the Default SSID: Change this default network naming immediately upon installation to something not directly related to your company. By default, access points broadcast the SSID to any wireless client within range. Disable the broadcast to reject people who may be casually looking for an open wireless network.
  • Use Strong Encryption: Configure a method of over-the-air security immediately after deployment. Use the most secure over-the-air encryption, which is either IEEE 802.11i or a VPN with mutual authentication between the network and the client.
  • Segment Users to Appropriate Resources: With identity networking, wireless devices need to authenticate only once with a WLAN system. Context information follows the devices as they roam, helping to ensure transparent mobility.
  • Ensure Management Ports Are Secured: The management interfaces of the WLAN system should support secure, authenticated methods of management. For example, management should not be possible over the air and you should configure a separate management VLAN such that only specific stations have access to modify the WLAN network settings.
  • Protect Access Points: Cisco lightweight access points do not store encryption or other security information locally, so the network cannot be compromised if an access point is stolen. Prevent tampering by securing access points with a physical lock or deploying access points above a suspended ceiling.
  • Monitor the Exterior Building and Site: Because access point signals extend beyond the perimeter of most buildings, use management tools to prevent RF coverage from extending beyond the building perimeter. Make sure security personnel are aware of vehicles or people that seem to be loitering near the facility for extended periods of time.

3. Secure the Wireline Network Against Wireless Threats

To prevent wireless intrusion, Cisco Unified Wireless Network access points communicate real-time information about the wireless domain, including potential security threats to Cisco Wireless LAN controllers. All security threats are rapidly identified and presented to network administrators through the Cisco Wireless Control System, where accurate analysis can take place and corrective action taken.

If you identify rogue devices on the network, you need to physically remove the rogue device to ensure that the wireless threat is permanently removed. The Cisco Wireless Location Appliance with Cisco WCS can precisely track up to 1500 Wi-Fi-enabled devices such as radio frequency identification (RFID) tags, Wi-Fi phones, laptops, and personal digital assistants.


4. Defend Against External Threats

The network must be protected from security threats, such as viruses, worms, and spyware, while mobile devices are away from the office. A compliance program needs to include monitoring to know when system and network policies are violated.

Laptops need the same protections as the company network. Tools such as Cisco Security Agent consolidate endpoint security functions such as firewall, intrusion prevention, and spyware and adware protection in a single agent. User authentication through passwords, USB tokens, or smart cards can significantly strengthen security measures.

Cisco Network Admission Control (NAC) uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.


5. Enlist Employees in Safeguarding the Company Network

Employee education, including informational posters and security best practices training (such as password selection and privacy), has proven effective in helping companies keep their confidential information and networks secure.