Satoshi Shiba, networking security solutions specialist Fortinet's senior director, APAC Wi-Fi Business, recently talked with Computerworld Malaysia on what security challenges and vulnerabilities should be addressed with cloud-managed and traditional Wi-Fi or WLAN (wireless local area network) infrastructures.
Photo - Satoshi Shiba, Fortinet's Senior Director, APAC Wi-Fi Business.
First of all, could we talk about the adoption of cloud-managed Wi-Fi security infrastructure?
According to IDC, adoption of cloud-managed Wi-Fi is growing steadily. For many organisations, especially distributed enterprises (organisations built on a hub-and-spoke model, with a centralised IT staff, and with multiple remote sites needing connectivity), a traditional controller-based model of Wi-Fi may not meet their needs for scalability, a less physically intensive infrastructure, and automated provisioning and management across a wide geographic area. Cloud-managed Wi-Fi has emerged in recent years to address these growing needs.
In the traditional model of enterprise-grade Wi-Fi, controllers can represent a large capital expense. In the case of cloud-managed Wi-Fi, scaling up the network involves just the cost of additional access points (APs) plus applicable subscription fees.
This cost structure often works well for small to medium-sized organizations and distributed enterprises. The space requirements of a controller are sometimes prohibitive for small distributed enterprise branch locations. This, along with a frequent lack of onsite networking expertise, has often led to distributed enterprises doing without Wi-Fi -or employing consumer-grade solutions that lack adequate security, policy, and network management capabilities.
Centralised management and provisioning capabilities are important within a cloud-managed Wi-Fi platform. In such an infrastructure, APs ship preconfigured to remote sites, with provisioning taking place centrally through a Web based management application. Once APs arrive at a remote site, a branch worker need only plug in the AP and click through a Web-based GUI to get Wi-Fi up and running in minutes. User and device policies-as well as all relevant WLAN updates -are managed centrally.
Cloud-based management solution manages both security and wireless infrastructure by protecting the network from advanced threats and allowing granular access controls and application usage policies.
When we're talking about managing Wi-Fi network security generally, would be the top five challenges?
Blurry network boundary
The reality is that there are many ingress and egress points on the network-and not all of them are governed by an edge firewall. In today's environment, not all attacks come from outside a network. An attack could come from the inside (knowingly or unknowingly). With no other safeguards beyond perimeter protection in place, once something malicious has internal access to the network there is little to stop it from eventually making it to critical systems.
With the explosion of BYOD in the enterprise, and the subsequent mission-criticality of mobile devices and applications, organisations have struggled to balance the concerns around providing pervasive, easily managed Wi-Fi coverage with WLAN security and compliance
Rogue access points pose a serious network security threat by creating a leakage point where sensitive data such as credit card information can be siphoned off the network. For this reason, the PCI DSS and other data security standards often mandate proactive monitoring and suppression of rogue APs.
Authentication is an important part of network security as it allows you to identify network users, ensuring that your network is only accessed by authorized users, and allowing different users to have access to different data and services. Most data breaches can be traced back to login credentials stolen via phishing attacks as the initial intrusion vector.
With weak access points (AP) in an unencrypted Wi-Fi wireless security network, Man-In-The-Middle attack is a looming threat. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones.
What would be some of the key challenges and vulnerabilities in a typical Cloud Wi-Fi Security infrastructure?
Generally speaking, cloud-managed Wi-Fi is capable of being just as secure as traditional Wi-Fi. However, many cloud solutions on the market today do not reach this level of security. Most support basic wireless intrusion detection systems (WIDS), 802.1-based authentication, application visibility, and other standard wireless security mechanisms. However, the majority of these platforms do not support broader network security requirements such as intrusion prevention systems (IPS), Web content filtering, application control, antivirus, and others. Of course, security features need frequent updates to be effective, and the centralised updating capabilities of cloud-managed Wi-Fi help enable this.
Due to wireless traffic leaving the remote network in a cloud-managed model, the security functionality requirements of cloud-managed Wi-Fi are greater than those of traditional Wi-Fi in many ways. Regardless of control architecture, WLAN security requires more than just captive portal authentication, 802.1X, and WIDS/WIPS. Secure cloud-managed APs must move beyond wireless intrusion protection to network-wide IPS because threats are commonly found at the network layer and higher.
Cloud-managed APs must also support URL filtering and application control, and these functions have to be dynamic. They cannot operate based on static URL and application lists because security threats constantly emerge and evolve. Dynamic lists are consistently updated in real-time based on the latest industry threat information.
Taking Malaysia as an APAC example, what is the state of Wi-Fi adoption in the region?
Technology and market trends are forcing rapid changes to enterprise IT- especially in regard to how corporate networks are secured. As the number and types of network-connected wireless devices continue to grow exponentially, these connected devices present new vulnerabilities and a growing attack surface for hackers to exploit.
Gartner predicts that there will be 33 billion connected endpoints by the year 2020 with a majority comprised of new "headless" device types driven by the Internet of Things (IoT). The proliferation of devices and applications is posing serious challenges for organizations that need to ensure the protection of their entire network and guard against advanced cyber security threats.
The alarming gap between the expanding access layer and adequate cyber security protections has also been highlighted in Fortinet's Global Wireless Security Survey. Conducted by independent market research company Lightspeed GMI last May, the survey showed that 88% of CIOs are worried that their existing wireless security is inadequate. A total of 1,490 qualified IT decision-makers were interviewed - CIOs, CTOs, IT Directors and Heads of IT at organizations with more than 250 employees around the globe including Asia Pacific countries India, Japan and Hong Kong.
Wi-Fi security adoption in Malaysia has been relatively high. However, in line with the global survey's findings on Asia Pacific ITDMs, most in Malaysia are still worried about the state of wireless security in their organisation with 44 percent stating they are very concerned.
Sign up for CIO Asia eNewsletters.