Wireless segmentation

Implementing a wireless network within the enterprise can provide a high degree of mobility for enterprise users, allowing access to enterprise assets no matter where they are located on the campus. Access to critical infrastructure should be properly segmented to protect those assets from unauthorized access gained through a weak wireless security implementation. Even in environments with a securely implemented wireless infrastructure, it is recommended to segment the networks with an intelligent firewall to detect and mitigate attacks over the wireless network. Some compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS), mandate segmentation of the wireless network when any portion of it connects to the cardholder data environment. It is good practice to keep critical enterprise assets segmented not only from the wireless network, but also from the general user population.

Segmentation is more than connecting the access points to a different switch or configuring a VLAN. The services used by the wireless network for authentication, DNS, and other network services should be segmented in a manner that does not allow circumvention of security controls, or a compromise of credentials on the wireless network, to give direct access to critical assets, including credential stores. Segmentation can most easily be accomplished using a firewall with strict policy adherence, ensuring that changes to the firewall rules do not reduce the effectiveness of the segmentation.
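To make the "strict policy adherence" point concrete, here is an added example (not from the book) that models a first-match firewall rule base and audits a proposed rule change against a segmentation policy covering the zones described above. The zone addressing, the forbidden flows, and the rules are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

net = ipaddress.ip_network

# Constructed addressing for the zones the text describes (assumed, not from the book).
ZONES = {
    "guest_wifi":       net("10.90.0.0/16"),
    "employee_wifi":    net("10.80.0.0/16"),
    "wifi_services":    net("10.200.0.0/24"),  # DNS/DHCP/RADIUS dedicated to wireless
    "user_lan":         net("10.10.0.0/16"),   # general wired user population
    "credential_store": net("10.250.1.0/24"),  # directory servers
    "cardholder":       net("10.250.2.0/24"),  # PCI DSS cardholder data environment
}
# Segmentation policy: (source zone, destination zone) pairs that must never be reachable.
FORBIDDEN = [
    ("guest_wifi", "user_lan"), ("guest_wifi", "credential_store"), ("guest_wifi", "cardholder"),
    ("employee_wifi", "credential_store"), ("employee_wifi", "cardholder"), ("user_lan", "cardholder"),
]

@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    comment: str

def audit(rules):
    """Walk each forbidden flow through a first-match rule base (implicit deny at the end) and
    return (src_zone, dst_zone, comment) for every allow rule that can pass part of that flow."""
    violations = []
    for src_zone, dst_zone in FORBIDDEN:
        src, dst = ZONES[src_zone], ZONES[dst_zone]
        for rule in rules:
            if not (rule.src.overlaps(src) and rule.dst.overlaps(dst)):
                continue                      # rule cannot match this flow at all
            if rule.action == "deny":
                if rule.src.supernet_of(src) and rule.dst.supernet_of(dst):
                    break                     # whole flow blocked; later allows are unreachable
                continue                      # partial deny: keep looking
            violations.append((src_zone, dst_zone, rule.comment))
            break
    return violations

BASELINE = [
    Rule("allow", net("10.80.0.0/16"), net("10.200.0.0/24"), "employee wifi -> wireless services"),
    Rule("allow", net("10.80.0.0/16"), net("10.10.0.0/16"), "employee wifi -> user LAN applications"),
    Rule("deny",  net("10.90.0.0/16"), net("10.0.0.0/8"), "guest wifi -> nothing internal"),
    Rule("allow", net("10.90.0.0/16"), net("0.0.0.0/0"), "guest wifi -> Internet"),
]
# A proposed change: open the data-centre range to every internal client "for wireless LDAP auth".
CHANGE = Rule("allow", net("10.0.0.0/8"), net("10.250.0.0/16"), "any internal -> data centre (change request)")
```

Appending `CHANGE` to the baseline opens three forbidden flows; inserting it at the top of the rule base also exposes the guest network, which the audit reports as five violations, showing why rule order is part of the policy.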

Wireless network integration

The primary purposes of wireless networks in the enterprise are generally two-fold: first, to provide employee access to enterprise assets anywhere on the premises, and second, to provide guest wireless access for non-employees such as vendors and contractors so they can reach the Internet and the VPN services of their respective employers. These two primary use cases warrant considerable planning and control to ensure there is no cross-over between the two domains.

Wireless networks are meant to extend network access to places where providing wired infrastructure is not physically feasible or not inexpensive enough. When enterprise users access the wireless network, access to enterprise systems, applications, and the Internet is expected, but providing that access requires integration into the existing wired network. User authentication, IP addressing using DHCP, e-mail, web, and other network services must be able to get their information from somewhere in order to hand out an IP address and authenticate users to network resources. This dependency on network services may be an issue if those services are shared with critical enterprise assets without the proper security implemented, such as network segmentation and possibly stand-alone solutions, as mentioned previously.
