Implementing wireless LAN security policies for mobile users

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Management Hardening Linux as part of your client's network security policy Should hotfix testing be performed by the QA department or by support? Complying with the Federal Information Security Management Act (FISMA) Automated patch management for SMB customers Understanding ISO 27001 and ISO 17799 Maintaining HIPAA compliance How do I create a repeatable patch testing methodology? Creating security policies for an enterprise customer Implementing third-party patches on customer systems Patch management system post-deployment considerations for VARs and consultants

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Balancing the needs of a mobile workforce with information security risk management is definitely a challenge. First, I recommend that a risk analysis be performed so that you will better understand how and where the introduction of wireless capabilities could increase their risk.

Most of the security concerns around wireless for your mobile users can be addressed by implementing current technology following best practice guidelines. One of the biggest challenges is dealing with public Wi-Fi hot spot usage. It may be convenient, but the security risks can be substantial. One of the biggest risks is that their wireless communications could be intercepted. This is usually something that can only be addressed by a written policy.

Your policy should help to drive good decisions by mobile users. For example, decide which open access points they will and will not connect to. The policy should stipulate that open access points are only to be used if the access point owner implicitly communicates that the access point is for general public use. The policy should also require the use of desktop firewall and intrusion protection software in addition to the usual antivirus software. But none of this will guarantee that users are completely protected. The policy also needs to require that encryption be used when any confidential information is being transferred.

I know of some companies that have gone wireless, but not with 802.11 Wi-Fi. Instead they use a wireless data service from one of the wireless carriers, along with a data card, to reduce or eliminate some of the risks, at the cost of bandwidth.

For some wireless security configuration and policy guidelines I suggest the SANS reading room.

Read more about wireless security on SearchSecurityChannel.com.