Wireless Security Concerns and BYOD
We need to rethink how we use wireless networking for BYOD.
I continue to be concerned about wireless networking (WiFi) security.
There are some real challenges in making it secure now and into the future:
- Air is a shared medium
- The signal extends beyond our physical borders
- It can only work as long as encryption works
- We can't hide the packets
So, here's the question: Should BYOD devices connect to an internal wireless network or external?
So far, most companies create mechanisms for BYOD to connect to internal wireless networks, but perhaps that's incorrect:
- Do BYOD devices really need complete access to everything internally?
- Should they share the same IP address space? (I prefer not)
- Should they connect directly without a gateway security device between them and the LAN?
- With the amazingly high proliferation of malware on some mobile platforms, why are we placing them in an internal LAN?
These days, I prefer instead to have BYOD devices:
- Connect to external wireless networks
- Use a virtual workspace or container approach for BYOD apps
- Specify on a per-device basis which BYOD apps need to use the VPN or access public networks (this also limits what can enter the VPN)
- Control what devices can connect via certificates or other approaches
- Use solutions that can remote wipe just the business apps and data while leaving personal data alone
- Specify other criteria such as device lockouts, minimum password length, forcing a password, etc.
We need to be aware that wireless security matters a lot. I think everyone should know by now the dangers of open or WEP security; however, we need to wake up to the risks of pre-shared keys in personal WPA/WPA2 versus enterprise WPA2. We need to think of personal WPA and personal WPA2 as being just as risky as WEP was a few years ago. With high-performance hardware like the type used for Bitcoin mining, encryption keyed from a shared password is becoming less and less secure.
So, don't allow personal WPA or personal WPA2 access to internal networks and keep the BYOD devices contained.
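As an added example (not part of the original post), here is a small Python audit that reads a hostapd access-point configuration and flags the weaknesses discussed above: open or WEP networks, legacy WPA1/TKIP, and WPA-Personal pre-shared keys that should not be on an internal SSID. The sample configuration is constructed for illustration; the RADIUS address and secrets are placeholders, and treating a missing `wpa_key_mgmt` as PSK is an assumption.

```python
# Constructed hostapd config: an internal SSID still on WPA-Personal with TKIP
# allowed, plus a second BSS correctly using WPA2-Enterprise (EAP via RADIUS).
SAMPLE_CONFIG = """\
interface=wlan0
ssid=corp-internal
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=PLACEHOLDER-PASSPHRASE
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP

bss=wlan0_1
ssid=corp-eap
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER-SECRET
"""

def parse_hostapd(text):
    """Split hostapd config text into one dict per BSS (first = primary interface)."""
    sections = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bss":            # 'bss=<ifname>' opens an additional virtual AP
            sections.append({})
        sections[-1][key] = value
    return sections

def audit_bss(cfg):
    """Return (ssid, code) findings for one BSS; an empty list means nothing flagged."""
    ssid = cfg.get("ssid", "<unnamed>")
    wpa = int(cfg.get("wpa", "0"))      # bitmask: 1 = WPA, 2 = WPA2 (RSN)
    if wpa == 0:
        # No WPA/RSN at all: either legacy WEP keys are configured or it is open.
        return [(ssid, "WEP" if any(k.startswith("wep_") for k in cfg) else "OPEN")]
    findings = []
    if wpa & 1:
        findings.append((ssid, "WPA1"))  # original WPA still accepted by this BSS
    ciphers = cfg.get("wpa_pairwise", "").split() + cfg.get("rsn_pairwise", "").split()
    if "TKIP" in ciphers:
        findings.append((ssid, "TKIP"))
    mgmt = cfg.get("wpa_key_mgmt", "WPA-PSK").split()  # assumption: missing => PSK
    if any("PSK" in m for m in mgmt):
        findings.append((ssid, "PSK"))   # WPA-Personal: one shared passphrase for all
    return findings

def audit_hostapd(text):
    """Audit every BSS in a hostapd config; ideal result for internal SSIDs is []."""
    return [f for bss in parse_hostapd(text) for f in audit_bss(bss)]
```

Running `audit_hostapd(SAMPLE_CONFIG)` flags only the `corp-internal` BSS, which is the one to move to WPA2-Enterprise or onto a contained external network.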