Co-authors: SureCloud’s Managing Cybersecurity Consultant Chris Hembrow and Senior Cybersecurity Consultant Nick Spencer.
Segmentation is the practice of dividing or separating something into different parts or sections. In the case of IT systems, this typically involves splitting a network into sub-networks, where each one is a separate network segment. Segmented networks can then be isolated from each other, increasing the security of the network. Network segmentation is an important consideration for any robust cybersecurity risk management posture – SureCloud’s IT Risk Management services and risk management software products can help you put together a programme that reflects your business needs. This series of blog posts will describe the different types of segmentation, the benefits of each, and applicable controls to maximize the security they provide.
Segmentation of Wireless Networks
So far in this series, we have reviewed controls to protect against attacks from outside the corporate network, or with direct access to corporate networks. This final article will review controls that aim to protect against threats from wirelessly-connected devices.
Wireless networks are a convenient way for computers to join a network, but that same convenience makes it easier for unauthorized or inappropriate devices to connect unless suitable controls are implemented. The nature of wireless technology also means that an attacker may not need physical access to an office or other environment, and potentially need not even be nearby, to connect to the network.
Types of Wireless Device
This article discusses controls for three common categories of wireless devices:
- Corporate devices – devices provided, supported and controlled by the organization
- Bring Your Own Device (BYOD) – employee-owned devices
- Unknown devices – all other devices where the ownership and status may be unknown
How do security concerns differ for corporate devices?
Corporate devices are those provided by an organization and usually configured with appropriate security and management tools. Because of this, they are the most trusted devices, and they are often allowed to make the same connections over wireless as when physically connected to the network. As a result, businesses should take steps to ensure that only approved and trusted corporate devices can connect via any high-access wireless network. The connection should identify the connecting device, ideally using a centrally managed and controlled mechanism such as a Domain-issued computer certificate, to prevent unknown or unapproved devices from connecting.
Optionally, the connection authentication could also confirm the device’s user, to ensure that they are an approved organization user and not an attacker using a stolen or otherwise compromised device.
Once connected to the wireless network, devices should be isolated from each other to prevent cross-device exposure or compromise, and all connections should use the strongest encryption available to prevent eavesdropping.
What are the risks of Bring Your Own Device (BYOD)?
Allowing uncontrolled and unmanaged devices to have full access to the corporate network without any restrictions or verifying the state of the device could lead to a malware infection being introduced onto the network, or it could provide an attacker with access to the network through a compromised device.
Bring Your Own Device (BYOD) provides a particular challenge: how to allow unknown and untrusted devices to connect to the corporate network without impacting the security of that network. These devices typically belong to an organization’s employees, who are subject to corporate policy and standards, and where there is a level of trust in place. This trust does not, however, signify that their devices are sufficiently secured to be permitted to join the network; it only suggests that the user’s intent is known and non-malicious.
All BYOD devices that connect to a corporate network should do so via a dedicated, segregated, and authenticated connection. The authentication should occur at the network layer during the initial connection, not after the connection. This will permit the use of encrypted connections and help to prevent eavesdropping. Protocols such as WPA2-Enterprise can be configured to require users to authenticate using RADIUS or equivalent – rather than via an unencrypted, open connection and web form authentication or a shared password/key. To further enhance the authentication, Multi-Factor Authentication can mitigate attacks from compromised user credentials.
Devices such as smartphones and tablets should be placed in a further restricted network which permits access to only the services which are appropriate to these devices. This might allow access to an Intranet and proxied Internet access, but not to systems which would not typically be used by these types of devices, such as file servers.
Employee-owned laptops, if permitted, should only be allowed to connect after the IT and/or IT Security department confirms that appropriate protections such as anti-virus are present and that the device is patched and updated to a suitable level. Alternatively, this check can be performed as part of the connection itself by a Network Access Control (NAC) system that interrogates the device: if its security level is not appropriate, the device is placed in a restricted remediation network until it has been brought up to standard, and only then granted a full connection.
As with corporate wireless, devices connecting to the BYOD wireless network should be isolated from each other to prevent cross-device issues.
How should we handle unknown devices?
As discussed in the first Network Segmentation article, unknown or untrusted “guest” wireless devices should be isolated completely from the corporate network. This could provide guests with access to external systems such as the Internet, or the means by which to connect to their own VPN while protecting the corporate network from possible compromise from these devices. The difference between a “guest” or unknown device and a BYOD device is that the owner or user of that device is typically unknown to the organization; there would be no contractual or other obligations against them regarding their conduct on any organization network. The Cisco BYOD Design Guide states:
“Guest wireless traffic from the campus or a branch location is configured to be auto-anchored (tunneled via Ethernet-over-IP or CAPWAP) from the internal wireless controllers to the guest wireless controller. This may provide a somewhat higher level of security, in that guest wireless devices are not terminated on the “inside” of the corporate network. This is often desirable from a customer perspective because the security posture of guest devices cannot be determined.”
To achieve this, a dedicated Wireless LAN Controller or similar can be placed inside a dedicated, isolated DMZ segment. Traffic would be tunnelled from the wireless access points through internal Wireless LAN Controllers and onto the Guest controller before finally exiting the network. This efficiently segregates the traffic from the corporate network as it transitions to the exit point without requiring additional access points.
Guest access should also require users to authenticate, either during the connection itself or after connection via a web form. This could be using temporary credentials provided to the guest on request, which would provide a level of accountability to any actions conducted by connected devices and also discourage potential misuse by guests.
Once again, devices connecting to the Guest wireless network should be isolated from each other to prevent cross-device issues.
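The three segments described above (corporate, BYOD, and guest), together with the NAC remediation step for employee-owned laptops, can be expressed as one authorization policy. The following is an added illustration written for this article, not SureCloud's or Cisco's code. It models the decision a RADIUS server makes for each wireless connection and returns the dynamic VLAN assignment attributes that access points and controllers act on (Tunnel-Type 13 = VLAN and Tunnel-Medium-Type 6 = IEEE 802 are the standard RADIUS values; the SSID names, VLAN numbers, directory group names, certificate issuer and posture report format are all hypothetical, and guest web-form authentication is simplified to a single "captive-portal" method so that it can share the same function).

```python
"""Illustrative wireless segmentation policy (hypothetical, not a vendor API).

Maps an authentication context for a connecting wireless device to one of
the segments discussed in the article and emits the RADIUS reply attributes
used for dynamic VLAN assignment. Every device, in every segment, gets
client isolation so that connected devices cannot reach each other.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed VLAN numbering and permitted services for each segment.
SEGMENTS = {
    "corporate":   {"vlan": 10, "services": {"file-servers", "intranet", "internet"}},
    "byod-mobile": {"vlan": 20, "services": {"intranet", "proxied-internet"}},
    "byod-laptop": {"vlan": 21, "services": {"intranet", "proxied-internet"}},
    "remediation": {"vlan": 29, "services": {"patch-server", "av-update"}},
    "guest":       {"vlan": 99, "services": {"internet"}},  # DMZ-anchored, no corporate reach
}

# Constructed issuer name of the organisation's own device-certificate CA.
TRUSTED_DEVICE_CA = "CN=Example Corp Device CA"


@dataclass
class AuthContext:
    """What the RADIUS server knows about one connection attempt."""
    ssid: str                           # "corp", "byod" or "guest" (hypothetical names)
    eap_method: str                     # "EAP-TLS", "PEAP" or "captive-portal"
    cert_issuer: Optional[str] = None   # issuer of the client certificate, if one was presented
    user_group: Optional[str] = None    # directory group of the authenticated user, if any
    mfa_passed: bool = False            # second factor completed for BYOD users
    device_type: str = "laptop"         # "laptop", "phone" or "tablet"
    posture: dict = field(default_factory=dict)  # NAC posture report, e.g. {"antivirus": True, "patch_age_days": 7}


def posture_ok(report: dict) -> bool:
    """NAC health check: anti-virus present and patched within the last 30 days."""
    return bool(report.get("antivirus")) and report.get("patch_age_days", 999) <= 30


def accept(segment: str) -> dict:
    """Build an Access-Accept carrying the dynamic VLAN for the chosen segment."""
    s = SEGMENTS[segment]
    return {
        "code": "Access-Accept",
        "Tunnel-Type": 13,               # VLAN
        "Tunnel-Medium-Type": 6,         # IEEE 802
        "Tunnel-Private-Group-Id": str(s["vlan"]),
        "segment": segment,
        "client_isolation": True,        # devices in every segment are isolated from each other
        "services": sorted(s["services"]),
    }


def reject() -> dict:
    return {"code": "Access-Reject"}


def authorize(ctx: AuthContext) -> dict:
    """Apply the per-segment controls from the article to one connection."""
    if ctx.ssid == "corp":
        # Corporate wireless: only devices holding a domain-issued certificate.
        # A valid user without a corporate device certificate is still refused.
        if ctx.eap_method != "EAP-TLS" or ctx.cert_issuer != TRUSTED_DEVICE_CA:
            return reject()
        return accept("corporate")

    if ctx.ssid == "byod":
        # BYOD: authenticated employee plus MFA, authenticated during the connection.
        if ctx.user_group != "employees" or not ctx.mfa_passed:
            return reject()
        if ctx.device_type in ("phone", "tablet"):
            return accept("byod-mobile")   # intranet and proxied internet only
        # Employee laptops are posture-checked; failures land in remediation.
        return accept("byod-laptop" if posture_ok(ctx.posture) else "remediation")

    if ctx.ssid == "guest":
        # Guest: temporary credentials issued on request, internet access only.
        if ctx.eap_method != "captive-portal" or ctx.user_group != "guest-temp":
            return reject()
        return accept("guest")

    return reject()   # unknown SSID: fail closed


if __name__ == "__main__":
    # Constructed sample connections, one per outcome.
    samples = [
        AuthContext("corp", "EAP-TLS", cert_issuer=TRUSTED_DEVICE_CA),
        AuthContext("corp", "PEAP", user_group="employees", mfa_passed=True),
        AuthContext("byod", "PEAP", user_group="employees", mfa_passed=True, device_type="phone"),
        AuthContext("byod", "PEAP", user_group="employees", mfa_passed=True,
                    posture={"antivirus": False, "patch_age_days": 2}),
        AuthContext("guest", "captive-portal", user_group="guest-temp"),
    ]
    for sample in samples:
        print(sample.ssid, sample.eap_method, "->", authorize(sample))
```

The policy fails closed: anything that does not match one of the three defined segments is rejected, and a corporate user whose device lacks the domain certificate is not quietly dropped into a lower segment but refused on the corporate SSID, which is what keeps the high-access network limited to managed devices.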
Corporate and Guest Wireless Segmentation Infographic
Improving Your Business Cyber Security
With this knowledge of threats from corporate, BYOD, and unknown wirelessly-connected devices in mind, businesses can begin to improve their cybersecurity processes. With guidance from SureCloud’s Cyber Risk Management experts, you can develop a segmentation plan that accounts for BYOD devices and guest device connections. This ability is particularly relevant in the face of remote working trends, where facilitating maximum productivity outside of formal workspaces is more important than ever. Take a look at our risk management software offerings for more information.
SureCloud is a provider of cloud-based cybersecurity services and Integrated Risk Management products, which reinvent the way you manage risk.
SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle, from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.