Securing a wifi network
Within an entity, a wifi network can be implemented to enable:
- employees to log in with their portable devices (GSM, smartphones, tablets);
- visitors to access the Internet from their own laptops without gaining access to the local network.
See also the article on network segmentation for further information.
Wifi for employees
More and more employees bring their mobile or portable devices to work. Providing dedicated Internet access for these devices avoids many security issues, such as attempts to connect them to the company network or the use of work computers for personal access. This access should be reserved for employees and protected against intrusion attempts by suitable means.
The recommended encryption method for this type of use is WPA2-Enterprise, which lets each employee authenticate with their own password or certificate and allows access rights to be managed properly.
Employees should also be made to sign a wifi usage charter.
Advice: introduce a sectoral policy on System development and maintenance – Use of encryption, and a sectoral policy on Compliance – Protection of personal data.
The following recommendations should be followed:
- do not connect the wifi network to the entity's fixed network. Draft and enforce a sectoral policy on Access control – Separation of networks;
- activate a DHCP server for the allocation of IP addresses;
- install a web filter (proxy) within the wifi network to prevent any access to malicious websites or to websites offering inappropriate content (games, gambling, pornography, etc.). Draft and enforce a sectoral policy on Access control – Use of external networks;
- add an anti-virus to the proposed web filter;
- block all non-web access to the Internet, with a few exceptions such as VPN access (clients may wish to connect to their own company network) or email;
- encrypt the network. There are numerous possible strategies for this; they are detailed below;
- make physical access to the aerials and the wifi router difficult. Draft and enforce a sectoral policy on Physical and environmental security – Physical security perimeter and Rules within the perimeter.
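As an added example (not from the original article), the separation and filtering recommendations above expressed as an nftables ruleset for a Linux gateway in front of the wifi segment. The interface name wlan-guest, the 10.99.0.0/24 range, the proxy address 10.99.0.2 and the RFC 1918 ranges standing in for the fixed network are all assumptions; the access point's WPA2 settings and the captive portal's own authorisation logic are outside this block.

```nft
#!/usr/sbin/nft -f
# Constructed example: wifi clients live in 10.99.0.0/24 on wlan-guest behind a
# dedicated Linux gateway. Names and addresses are assumptions, not from the article.
flush ruleset

define wifi_if  = "wlan-guest"                                    # assumed interface name
define proxy    = 10.99.0.2                                       # filtering web proxy, inside the wifi segment
define lan_nets = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }  # stands in for the fixed network

table inet wifi_gateway {
    # What wifi clients may ask of the gateway itself: DHCP, DNS and the captive-portal page.
    chain input {
        type filter hook input priority filter; policy accept;
        iifname $wifi_if jump wifi_to_gateway
    }
    chain wifi_to_gateway {
        ct state established,related accept
        udp dport { 67, 53 } accept          # DHCP server, DNS
        tcp dport { 53, 80, 443 } accept     # DNS, captive portal
        drop
    }

    # What wifi clients may send through the gateway. Default: nothing.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname $wifi_if jump from_wifi
    }
    chain from_wifi {
        # 1. never into the fixed network (separation of networks)
        ip daddr $lan_nets drop
        # 2. web traffic leaves only from the proxy, so clients cannot bypass the filter
        ip saddr $proxy tcp dport { 80, 443 } accept
        # 3. the permitted non-web exceptions: VPN and email
        meta l4proto esp accept
        udp dport { 500, 4500, 1194 } accept     # IPsec IKE, IKE NAT-T, OpenVPN
        tcp dport { 465, 587, 993, 995 } accept  # SMTP submission (implicit/explicit TLS), IMAPS, POP3S
        # anything else returns to the forward chain and is dropped by its policy
    }

    # Hide the wifi range behind the gateway's address on the way out.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname != $wifi_if ip saddr 10.99.0.0/24 masquerade
    }
}
```

Load it with `nft -f` and verify from a wifi client that the fixed network and direct port 80/443 connections are unreachable while the proxy, VPN and mail ports still work.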
Wifi for visitors/external users
Visitors wishing to use the Internet within your organisation should be given dedicated access. Since, unlike employees, they have not signed a wifi usage charter, it should be presented to them the first time they connect. This access should combine:
- a hotspot with a captive portal, which restricts visitor access until they accept the general conditions of use and enter a temporary password provided to them;
- an encryption method to prevent some users from listening in on the communications of others; in this case it is best to implement a secured network with a simple password, even if that password is known to everyone.