This is going to be completely obvious to digital natives, and a gigantic ambush to just about everybody else: Internal, private enterprise wireless is mostly irrelevant.
First, let me further define what I mean by "private" wireless. It's a WiFi network that allows authorized company employees to connect to the squishy, less-secured internal network instead of a DMZ or a public network.
Unfortunately, these private networks can be extremely insecure, resource-intensive, and possibly useless.
If you think that an "internal-only" wireless network is a secure network, think again. Yes, it's true that if you do it right, an enterprise wireless network is much more secure than a consumer-grade wireless network, for many reasons, including dynamic keying. However, these networks are often not done right for a number of reasons, including backward compatibility with WEP or WPA and, frankly, complexity.
WPA2 isn't truly secure thanks to parallel computing and graphics coprocessors. VLANs are frequently used as isolation mechanisms from less secure, public ESSIDs, but are all switches adequately protected against a VLAN hopping attack? Certificates help to prevent certain types of attacks, but not all enterprise wireless deployments use certificates. The point is that it is complex, expensive, and really hard to truly secure a private WiFi network.
Given the factors mentioned above, it should now be apparent why enterprise WiFi is also resource-intensive. Staff must be vigilant. Some sort of intrusion monitoring is needed. Plus, the gear and software needed for enterprise WiFi are expensive.
None of this is actually necessary.
Here's the thing. Business leaders have already insisted that you have public wireless as a "curb appeal" amenity for your guests.
Most organizations no longer operate in a cocoon, a network where no devices ever leave the corporate network. Indeed, it is dangerous to pretend as if no malevolent intruder will ever connect to your LAN or wireless network.
The truth is, "borderless" networking is fairly entrenched at this point. The notion of a network perimeter doesn't really apply as much, particularly as we modernize our application infrastructure.
We use software-as-a-service (SaaS), which lives outside the perimeter. Employees demand remote access to everything. Mobility has created an insatiable demand for connectivity without the limits of a VPN.
Office 365 and Google Docs add fuel to the flame: employees can access their most sensitive company documents from anywhere at any time. The borderless network is arguably more, not less, secure than the perimeter network used to be. Cloud providers have stepped up and are using techniques like two-factor authentication, mobile verification of suspicious logins, geo-verification, and email confirmation of new devices to ensure that your users really are who they say they are.
Still, proponents of these internal, employee-only networks sometimes say that they are needed in order to provide accountability and logging for employees.
Says who? If you're already issuing mobile devices, the provider probably is not giving IT detailed connection logs unless there is a suspected security breach. Asking the provider for those logs simply to make sure that you keep tabs on employee network connections is usually a request that goes unfulfilled.
Sure, you can force proxies to an enterprise server that does keep track of network connections, but ultimately that doesn't keep employees from using their own devices and their own networks to avoid accountability. That ship has sailed. We are going to have to find other mechanisms besides network logging to keep employees engaged and accountable.
So, what is the problem that we're trying to solve with enterprise WiFi?
Oftentimes in IT, there is a tendency to lead with solutions to solve problems that may not even exist anymore. The world has unarguably changed since the advent of these internal networks. Before you deploy new infrastructure or sign up for a new maintenance contract, a little analysis of your company's situation is definitely in order.
I think that in many cases, unless you're in a highly, highly regulated industry, you may find that focusing on end-user device security, application security, and user education is what really pays off security-wise.
You also need to realize that digital companies must have digital employees, all of whom want hassle-free wireless, whether it's via a hotspot or on-premises. Most often, providing a reasonably secure, externally connected WiFi connection will work for guests and your digitally native employees.