Too often, small business equals small budget when it comes to doing wireless, but sometimes just knowing what can be done goes further than more money.
There are many ways to approach wireless security, and businesses of any size have options. Let’s talk about how I approach my own small- and mid-sized business (SMB) settings when it comes to security and Wi-Fi.
Requirements: Everybody’s got ‘em
It all starts with understanding your client’s business operations:
- What network devices and applications are used in their environment?
- How many wireless networks do they have? How many should they have?
- What does the connected LAN look like?
- Do they have PCI or HIPAA concerns?
- Do they want to provide a guest SSID?
- Do they want their employees to have the freedom to use their own devices on the network?
Write it all down. Think about it, refine it, and ultimately, use it shape how they require the network environment (and all its distinct little buckets of users and devices) to work. Until you do that, it’s hard to implement configurations and solutions.
Don’t cross the streams
Regardless of the size of the business environment, you absolutely don’t want guest traffic mixing with the point of sale terminals. Nor do you want the electronic medical records (EMR) terminals sharing a subnet with the CCTV cameras.
Some things absolutely have to be isolated. It doesn’t mean you need a dozen SSIDs, but it may well mean you have at least two or three.
If your clients have the budget, a NAC system can help keep the number of SSIDs down while figuring out what device should logically go where on the network. But the complexity and total cost of operations here is frequently cost-prohibitive to SMB networks.
The cloud gives options
There are really interesting options for wireless security when you look at cloud offerings. In my Meraki locations (Meraki is just one example here), I can leverage the native RADIUS server to use full 802.1X-based WPA2 enterprise security. All I have to do is add the individual users of the service once.
I can also use PSK capabilities (and change them frequently), add splash pages, set up guest networks and walled gardens, do traffic and rate controls, and even provide the texting of passwords to visitors with no extra boxes on site.
Cloud dashboards and small business networks go together like peas and corn, and the remote monitoring and management afforded by cloud offerings is the icing on the cake.
Don’t backslide
Ideally, the wireless security you put into place will accommodate all the various nuances of your client’s operations, and let you sleep at night. It’s fairly common to go weeks and months with everything running smoothly—until the day comes where someone wants to put a new gadget in the environment. Maybe it’s a Chromecast on the break room TV or a digital sign.
First of all, tell your client they can actually say no to devices they don’t want on the network. But if you do try to accommodate the new oddball device, don’t rush it into the network.
Go back to the requirements you defined, figure out where the new device would work, and more importantly, where it should not be in the wireless mix. Keep the most important devices isolated, and don’t let impulsiveness lead to violations of your client’s security posture.
Wireless security doesn’t end with technology
Any IT environment is a mix of network, devices, applications, and people. Of all of these, the human component is frequently the wildcard when it comes to security.
People ignore or misunderstand policy, plug things into nearby ports, open dodgy emails, and do all manner of irresponsible things at the workplace. If you don’t help your client lay down the law on everything from unauthorized devices to social engineering, then you’re asking for trouble.
Exactly how you secure the WLAN environment will vary depending on your scenario. Regardless of what you run with, understand that you’re never really “done.”
Make sure the security policy is mandatory reading with employee sign-off, whether your client has two employees or 200.
PSK, network device, and user passwords should all be updated at least once a year.
Know that PCI requires annual audits or your client will incur extra fees.
Do refresher training for employees every so often.
Make sure you’re keeping all network component firmware up to date.
Use calendar reminders if you need to for keeping it all straight.
And if it feels like security is a pain to stay on top of, you’re headed in the right direction.
Leave a Reply