Transforming Your WiFi Network Into A Secure Wireless LAN

A FORTINET WHITE PAPER
Fortinet White Paper
Introduction
There have been a number of moments in the IT and network industry that can be considered as a “Paradigm
Shift”. The personal computer, Ethernet over twisted pair, Digital Subscriber Line (DSL) and Voice over IP (VoIP)
are just some of these. The introduction of Wireless LAN (WLAN) is certainly another one of these moments. The
ability to cut loose from the tether of the Ethernet cable has revolutionized the workplace and completely changed
the role and use of computers and other devices at home.
But the time has come to look more closely at WLAN technology in the 21st century, where user trends and cyber threats exploit the rapid growth and deployment of WLANs and their inherent weaknesses. Attacks on enterprise networks are constantly increasing, as are their level of sophistication and their success in passing through a network’s defenses. In this context, WLANs can no longer be treated as an “overlay” network that may or may not have some degree of integration with the primary wired network. To effectively combat today’s cyber threats, enterprise WLAN networks must be fully integrated into the overall network and protected by a robust, end-to-end security infrastructure.
A Historical Perspective
When compared with the traditional Local Area Network (LAN), WLANs come up short from a security perspective.
This issue has nothing to do with technology but rather with history. Since the beginning of networking time,
computers have been connected together by cables to form a LAN. In fact, the evolution of computers has been
in lockstep with the evolution of LANs. As computers became cheaper, faster and smaller, the network has evolved
as well, adding new features and capabilities including many elements of security that were integrated into the
fabric of the network.
Convenience, Convenience, Convenience
Into this environment came the WLAN, offering convenience and freedom. No matter where you went you could still be connected to the network, which brought an unprecedented level of convenience to users. Such convenience led WLAN technology to be rapidly adopted for facilitating access to the Internet from public places. Because the technology did not have any inherent security capabilities, most public WLANs adopted an approach of logging into a secure server to gain access to the Internet. For most network administrators, the requirement for some sort of login credentials was sufficient to control access to the network. It did not, however, keep a user off the actual WLAN, and a sufficiently skilled user could bypass the access control server. The risk, however, was limited to a loss of revenue, not a loss of data, and was considered acceptable.
Eventually, a stronger security solution was developed through the introduction of a basic access control mechanism via a pre-shared key. Without the key it was not possible to connect to the WLAN. While flaws have been discovered, new versions of the mechanism have been developed and the majority of WLANs rely on this basic security strategy.
The use of a pre-shared key alone cannot, however, be considered a robust security solution. In a typical environment, the access key to the network is widely distributed and is rarely changed, which weakens its protection from the outset. Regardless of which version of the algorithm is used, as long as a pre-shared access key is used the problem remains the same - once the access code is compromised the network is no longer “secure”.
Disparate Approach to WLAN Security
WLAN solutions found a sweet spot in the consumer, Small Office/Home Office (SOHO) and small enterprise
markets because they were cost effective, easy to use and their security limitations were acceptable. However,
in order to be adopted by medium and large enterprises, they needed to evolve so that they could address
the specific requirements of these markets, such as extended RF coverage, throughput, scalability and most
importantly security.
Unless the WLAN and its security mechanism could integrate into the existing security environment, medium and
large enterprises would be slow to adopt it. Such integration had to happen at the network’s access layer. Indeed,
large enterprises tend to regard the network as having separate Infrastructure and Access layers. This separation
is the result of the evolution of the requirements and features of the two layers.
Figure: Security across the Access Layer and the Infrastructure Layer. Large Enterprise: integration with a RADIUS authentication server. Small/Medium Enterprise: standalone pre-shared key.
Consequently, access solutions for the large enterprise need to support both wired and wireless access. Once integrated into a unified access layer, the WLAN would benefit from the integrated security infrastructure with simplified control and policy enforcement.
As a result, a natural division occurred in the WLAN market based on market segments and the level of security required. Large enterprises required solutions that offered both a unified access layer and an inherent security mechanism that could integrate with the existing security architecture. As this type of enterprise-grade WLAN solution evolved, so did its cost, putting it out of the reach of small to medium organizations. In order to take advantage of WLAN technology, these companies have thus been constrained to rely on lower-cost solutions with limited security capabilities.
In spite of their costs, limitations and restrictions, companies of all sizes have widely adopted WLANs. Convenience, an ability to quickly respond to new connectivity requirements and the rapid growth in mobility applications are some of the factors that have driven their adoption. However, over the past two to three years, the significance of these limitations and restrictions has been driven home by a key trend in the market.
From WiFi to a Secure Wireless LAN
Securing the WLAN has never been as important as it is now. The primary reason for the increased scrutiny of WLAN security capabilities is not a change in purpose but rather a change in user behavior: the growing trend of using Wi-Fi equipped personal devices in the workplace, known as Bring Your Own Device (BYOD). With the wide-scale adoption of smartphones and tablets for accessing content anywhere and at any time, employees are using their personal devices in the workplace not only for personal use but also for accessing corporate resources.
While on the surface BYOD might seem a way to promote productivity, there are a number of challenges with the use of these personal devices in a corporate setting. The first is the real risk that the mobile device is infected with some sort of malware. Over the past several years, mobile malware has grown exponentially along with the number of devices themselves. An infected device means that viruses, worms and other forms of malware may have bypassed the traditional security defenses of the organization and infected corporate resources. The mobile device may also be part of a botnet under the control of a Command and Control server. If there is one infected device on the network, there is a very real possibility that there are multiple infected devices on the network. When activated, these devices will consume bandwidth, affecting end users and applications.
Figure: Integrated Security & Secure Wireless LAN, serving both the Large Enterprise and the Small/Medium Enterprise.
The second issue with an uncontrolled BYOD environment is that users access their favorite applications and web sites from their own devices while at work, which means lost productivity and wasted bandwidth. But the problems aren’t confined only to personal devices. Company-supplied devices are equally susceptible. Trying to limit the use of mobile devices, whether personal or corporate, has proven ineffective.
In such a context, there is an urgent need for a secure WLAN strategy that can address the security problems posed by BYOD while being affordable for the small and medium enterprise and yet still meeting the security requirements of the large enterprise. Such a strategy is based on a security-centric infrastructure approach.
The Fortinet Secure Wireless LAN Solution
The Fortinet Secure Wireless LAN Solution starts with the premise that there is ONE network, regardless of how
users are connected to it – wired access, wireless access or remote access. Integrated into the network’s fabric
is a single, comprehensive security infrastructure with a common set of rules and policies that determine the level
of access a user is granted, based on their needs, not by which access method they use.
A Security Centric Infrastructure
At the center of the solution is the FortiGate, Fortinet’s high performance, multi-function network security appliance. Built on an ASIC-based architecture, the FortiGate consolidates a number of different security functions onto a single platform – Firewall, Intrusion Prevention System (IPS), Anti-Virus and Anti-Spam are some of these. Because of this capability, the FortiGate is already the preferred choice of IT security professionals to simplify and reduce the cost of their network security solution.
Complementing the FortiGate’s security capabilities is its ability to provide a unified access layer for all users. Working in conjunction with Fortinet’s security-aware Ethernet switch, the FortiSwitch, the FortiGate provides a common set of authentication and network security policies to all Ethernet-connected users. But the FortiGate is also designed to support the wireless component of the network through an integrated wireless controller and a wide range of wireless Access Points (FortiAP). The wireless controller is a standard feature of all FortiGate appliances and does not require any additional licensing.
Once the appropriate model of FortiGate is chosen for the network, the only additional cost is the number and type of FortiAPs needed in the network.
For smaller deployments, the FortiGate is available with both the wireless controller and access point integrated into the appliance. A convenient and cost-effective “all-in-one” solution, the FortiWiFi is particularly well suited for branch offices, small enterprises or distributed environments such as retail and hospitality.
For larger installations, which require a more extensive coverage area, Fortinet’s FortiAPs come in a variety of form factors and capabilities for both interior and exterior environments. They support mesh networking, including the ability to provide a bridge between physically separate LAN segments over the mesh backhaul.
Most FortiAPs also support Power over Ethernet (PoE), greatly simplifying deployment. Depending upon the scale of the installation and the model of FortiGate to be used, the PoE power source can be either the FortiGate itself or a FortiSwitch. The combination of the FortiWiFi, FortiGate and FortiAP products allows you to support a wide range of wireless network requirements, for both indoor and outdoor environments.
Authentication and Identification
With a single access layer in place, the focus is now on controlling who can access the network, regardless of where they connect from – wireless, wired or remote.
Although wired networks have always had authentication as part of their security architecture, typically only the large enterprise was able to extend this feature to the WLAN. As described earlier, small and medium enterprises were forced to rely on the use of a pre-shared key to control access to the network. The Fortinet solution brings the benefit of authentication to all networks, regardless of size, due to its ability to integrate with a wide range of authentication systems.
A long-standing issue with authentication is that a user may have to log in multiple times during the course of the day. For example, the first login would be to the PC, then to the company intranet and then finally to whatever server he/she may need to access. The login process can be greatly simplified with the addition of Fortinet’s user identity management appliance, FortiAuthenticator. FortiAuthenticator interacts with any other authentication servers that may be in the network, acting as a central repository for user identification. In this role, FortiAuthenticator provides Single Sign On (SSO), improving the user experience by reducing the number of logins that a user must perform. FortiAuthenticator can also add strong authentication capabilities to the network such as 802.1X port access control and two-factor authentication, supporting both tokens and certificates.
While authentication is absolutely necessary as part of an overall security architecture, it also serves a second important role – identification. By identifying users, either by name or by device, it is then possible to apply a set of policies defining their resource access rights.
Policy, Control and Client Reputation
As the central component in the security architecture, Fortinet’s FortiGate is the logical place to define and implement these policies. FortiGate’s operating system, FortiOS, is the core of Fortinet’s Smart Policies and Client Reputation capabilities. The evolution towards Advanced Targeted Attacks (ATA) has driven Fortinet to develop more intelligent security features to provide organizations with control and knowledge – i.e., knowledge of who is connected to the network and the type of device being used. Based on this information, intelligent policies can be applied to the user, restricting access to parts of the network or applications as defined in the policy, for greater control. Identification is also crucial to the FortiOS client reputation capability. Client reputation is a real-time analysis of users’ online behavior compared to their predefined policy. Knowing when users are behaving in an unusual manner, as compared to their past known behavior, is an excellent first warning of a potential threat, particularly in addressing Zero Day Threats.
Definition of those policies and their distribution to the appropriate appliance is one of the many roles of FortiManager, Fortinet’s network management platform. FortiManager allows the network administrator to easily, centrally and effectively configure and manage the whole of the Fortinet solution from a single console. To reduce the complexity of managing a potentially large number of access points, FortiManager provides centralized management of all the FortiAPs on the network, with detailed views of the clients connected to an individual AP and of any rogue APs that have been detected in the network. SSID management and centralized firmware upgrades are also part of FortiManager’s role in the Secure WLAN.
While FortiManager provides a certain level of analysis and reporting, more in-depth capabilities are available when FortiManager is integrated with FortiAnalyzer, Fortinet’s centralized logging, analysis and reporting platform. FortiAnalyzer is the central collection point for all security events that occur in the network, transforming individual alarms and events into a cohesive and comprehensive view of the security state of the network. FortiAnalyzer also plays an important role in regulatory compliance through the Wireless PCI compliance report, providing detailed information on APs, clients, SSIDs, the type and number of devices and any rogue APs that have been detected on the network.
Summary
Now that WLANs have become a standard part of an enterprise network and their role is becoming increasingly
important due to BYOD, it is time to make sure that they have the same level of security and capabilities as the
wired LAN. In fact, because of its ubiquity and relative ease of access, strong security of the WLAN should be a
major priority for any network administrator.
Figure: Secure Wireless LAN, built on three characteristics: Cost, Security and Access.
The Fortinet Secure Wireless LAN Solution allows a network of any size to take advantage of wireless technology
without compromising the network’s security by focusing on three key characteristics – A Unified Access Layer,
Cost Effectiveness and Integrated Security.
Strong authentication, smart policies based on user identity and device identification and a sophisticated client
reputation capability give not only the WLAN but the whole network the ability to effectively combat the increasingly
sophisticated attacks that enterprise networks are constantly encountering.
About Fortinet
Fortinet is a global provider of high-performance network security solutions that provide our customers with
the power to protect and control their IT infrastructure. Our purpose-built, integrated security technologies,
combined with our FortiGuard security intelligence services, provide the high performance and complete
content protection our customers need to stay abreast of a constantly evolving threat landscape. More than
125,000 customers around the world - including the majority of the Global 1,000 enterprises, service providers
and governments - are utilizing Fortinet’s broad and deep portfolio to improve their security posture, simplify
their infrastructure, and reduce their overall cost of ownership. From endpoints and mobile devices, to the
perimeter and the core - including databases, messaging and Web applications - Fortinet helps protect the
constantly evolving networks in every industry and region around the world.
AMERICAS HEADQUARTERS
1090 Kifer Road, Sunnyvale, CA 94086, United States
Tel +1.408.235.7700
Fax +1.408.235.7737
www.fortinet.com/sales

EMEA HEADQUARTERS
120 rue Albert Caquot, Sophia Antipolis, France 06560
Tel +33.4.8987.0510
Fax +33.4.8987.0501

APAC HEADQUARTERS
300 Beach Road 20-01, The Concourse, Singapore 199555
Tel +65.6513.3734
Fax +65.6295.0015

www.fortinet.com
Copyright© 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet
names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics
contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments
and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties,
whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that
expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited
to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.