As wireless networks continue to evolve and grow in complexity, the use of wired endpoints is rapidly declining. Bring your own device (BYOD) endpoints for conducting business are now commonplace in an increasingly mobile world.
As you work with your managed IT services provider, it’s important to understand the challenges that wireless networks present and why network authentication is so vital to your network’s health.
Securing mobile-age BYOD usage
VectorUSA is paying close attention to the latest industry developments, particularly wireless network authentication. The dramatic surge in BYOD usage and how to best secure those devices, especially on corporate networks, remains a primary concern.
"The dramatic surge in BYOD usage and how to best secure those devices, especially on corporate networks, remains a primary concern." Scott Jamison, Senior Wireless Network Engineer, VectorUSA
In addition, for wireless guest access, it’s becoming standard to have a corporate SSID network. We’re working to extend that same user experience to wired networks as well. When people bring their own computers and plug them into your network, they won’t simply drop onto your corporate network and gain access. They’ll use the same network authentication methods required to access a wireless network. While wired network infrastructures may not entirely disappear any time soon, we are seeing a huge drop in wired endpoint connections. New wireless technologies like 802.11ax (also known as Max Wi-Fi) are going to provide bandwidth equivalent to wired networks.
No shortage of network challenges
One of the key challenges that all businesses, as well as educational institutions, are facing is getting people onto networks securely and controlling the services they're able to access. Consider what happens once they do gain access to your network: if they have a virus on their computer, is it going to spread to the rest of your network? Or will you be able to identify that traffic and shut that connectivity down automatically, without impacting your production network? While monitoring normal traffic patterns, you might spot a laptop that’s not communicating with your servers as it should. Perhaps it’s suddenly talking to China and trying to reach servers on your network that it shouldn’t. A real-time risk assessment then flags the odd behavior. This indicates that the device has crossed its security threshold and should be disconnected from your network or placed into a quarantine state for further investigation by your network administrators. As you can see, it’s vital to see not just what's happening on the border or edge of your network, but what's happening within your network.
"...it’s vital to see what's not just happening on the border or edge of your network, but what's happening within your network." Scott Jamison, Senior Wireless Network Engineer, VectorUSA
You can accomplish this by using probes located throughout the network that can sense irregular traffic behavior and patterns.
Go deeper with AI
Through artificial intelligence (AI), you can establish an even deeper level of monitoring that understands which behavior is outside the norm and builds more dynamic rules from it. That enables blocking users based on AI decisions as well. Because there are so many different scenarios out there, and the network environment is constantly changing, AI learns by looking at traffic patterns. It considers what’s normal, what different traffic looks like, and then starts remediating based on the gathered intelligence. In fact, VectorUSA fine-tunes alerts to distinguish critical alerts from false positives. Such a tool prevents bad things from occurring without raising a red flag every time something trivial arises. Additional risks include malware and threats present on BYODs, as well as users opening e-mails that contain spyware or malware. While businesses need to protect financial information on servers, educational institutions need to protect private student information. Initial security access with multi-factor network authentication can be accomplished using either physical or virtual tokens. The main concern is your target audience and its ability to operate with different authentication techniques. End users want access to be as easy as possible and the security team wants access to be as secure as possible. You have to find a happy medium to make it a usable solution for everyone.
"End users want access to be as easy as possible and the security team wants access to be as secure as possible. You have to find a happy medium to make it a usable solution for everyone." Scott Jamison, Senior Wireless Network Engineer, VectorUSA
Transitioning from wired to wireless
Another challenge is getting large groups of people familiar with what needs to be done to access the network, getting the software loaded onto their machines, and getting certificates pushed out to them. Onboarding will help to accomplish that, but making the transition from a standard wireless network to a secure identity-based network can be difficult. VectorUSA’s approach starts with a wireless-oriented solution. Once we implement wired authentication, we enter a period when we don't enforce it yet. So, if a user plugs her computer in and gains access to the wired network, she would go ahead and authenticate. If that’s working fine, great. If not, we’ll attempt some remediation. With this approach, we try to take care of problems before we enforce the policy. Once we start enforcing the policy, most clients should be unaffected because they've been authenticating for some time and we've already remediated all of the people who would have had problems.
"Once we start enforcing the policy, most clients should be unaffected because they've been authenticating for some time and we've already remediated all of the people who would have had problems." Scott Jamison, Senior Wireless Network Engineer, VectorUSA
When working with clients on their wired network improvements and upgrades, we deploy virtual servers into their existing environment. We then tie the servers into their authentication source, typically Active Directory or a cloud identity source. For example, if they're using Amazon Web Services (AWS) or Google Cloud, we'll tie the authentication into those sources and help the client with migration. With wired security, there are a lot of headless devices that can't do username/password authentication, and they need to be securely connected to wired networks as well. We then set up profiling policies, for example for IP cameras. Every time we see an IP camera from a particular manufacturer, we’re going to automatically add it to a specific network. Not only does that make the network more secure, but it also simplifies the addition of more headless devices. For instance, every time a printer is plugged in, it automatically gets identified as a printer and is placed onto a printer network. You then don’t need to constantly reconfigure your network.
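The two ideas above (a monitor-then-enforce rollout of wired authentication, and profiling headless devices onto their own network) can be sketched as a small policy engine. This is an added illustration, not VectorUSA's code or any NAC product's API; the OUI prefixes, VLAN numbers and DHCP vendor strings are constructed for the example.

```python
"""Constructed example: profile headless endpoints and roll out wired
authentication in two phases (monitor first, then enforce)."""
from dataclasses import dataclass
from typing import Optional

# Constructed OUI (first three bytes of the MAC) -> device class table.
# A real deployment takes these from the NAC product's profiler feeds.
OUI_PROFILES = {
    "00:11:22": "ip_camera",   # hypothetical camera manufacturer
    "aa:bb:cc": "printer",     # hypothetical printer manufacturer
}
VLAN_FOR_CLASS = {"ip_camera": 40, "printer": 50}  # per-class networks
CORPORATE_VLAN = 10
QUARANTINE_VLAN = 999

@dataclass
class Endpoint:
    mac: str
    authenticated: bool          # passed username/password or certificate auth
    dhcp_vendor_class: str = ""  # DHCP option 60 text, if the device sent one

def profile(ep: Endpoint) -> Optional[str]:
    """Return the device class, or None if the endpoint matches no profile."""
    cls = OUI_PROFILES.get(ep.mac.lower()[:8])
    # When a DHCP fingerprint is present it must agree with the OUI: a laptop
    # that merely copies a camera's MAC should not land on the camera network.
    if cls and ep.dhcp_vendor_class and cls not in ep.dhcp_vendor_class.lower():
        return None
    return cls

def decide(ep: Endpoint, enforce: bool) -> dict:
    """Return the VLAN assigned plus the action the policy takes (or would take)."""
    if ep.authenticated:
        verdict = {"action": "permit", "vlan": CORPORATE_VLAN}
    else:
        cls = profile(ep)
        if cls:
            verdict = {"action": "permit", "vlan": VLAN_FOR_CLASS[cls], "profile": cls}
        else:
            verdict = {"action": "quarantine", "vlan": QUARANTINE_VLAN}
    if not enforce and verdict["action"] != "permit":
        # Monitor phase: record the would-be failure so it can be remediated,
        # but leave the endpoint on the corporate network so nobody is cut off.
        return {"action": "permit", "vlan": CORPORATE_VLAN,
                "would_be": verdict["action"]}
    return verdict
```

Running the same unauthenticated, unprofiled endpoint through `decide` with `enforce=False` and then `enforce=True` shows the rollout: the first call permits it while recording `would_be: quarantine`, the second actually quarantines it.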