Cisco Blogs

Reflecting on Wireless Security

- June 8, 2009 - 4 Comments

As we gear up for Cisco Live! 2009 in San Francisco, I’ve thought back to some of the other shows that I’ve been to over the past couple of months. In April, I had the opportunity to visit the RSA Conference 2009, where Cisco gave show attendees to RSA’s booth a sneak peak of the integration between RSA enVision and Cisco’s Context-Aware mobility service. And at Cisco Networkers Solutions Forum in Toronto, I had the honor to lead two sessions, one on strategies for 802.11n deployment and one on mobility services. On both occasions, I had the pleasure to interact with a number of customers and the same question came up: “Why do I need to worry about RF security if I don’t have a production wireless network?” When asked that question, I generally respond by asking how the organization enforced their “no wireless” policies, not just for rogue access points but other forms of unauthorized wireless access as well. Generally, organizations admitted that while the policy is in place, there is not much teeth in terms of enforcement.Clearly, organizations that have a wireless network need to be concerned about how they secure it. But, in the same way organizations need to deploy monitoring systems at the perimeter of their network to protect the corporate network from the WAN, organizations, regardless if they have a wireless network deployed, also need to have monitoring of the RF environment as well through solutions like wireless IPS. For instance, many know that rogue access points, either installed for malicious purposes or by an employee trying to obtain wireless access, can pose a serious threat in that they provide unsecured access into the corporate network from areas outside the building or campus. But, while rogue access points are a well known threat, ad-hoc networks can pose a significant threat as well. In this case, a client PC uses its own wireless card to act like an access point for other clients to connect to. This can present an unsecure back door to the client PC or, possibly, to the broader corporate network if it is connected to the wired network. Those who have seen the wireless network name “Free WiFi Internet” in areas like airports or even planes may have seen this concept at work. While scanning of the wired network may detect threats like rogue access points, only scanning of the RF environment itself can uncover threats like ad-hoc networks from your client devices. Recognizing that the RF medium, irrespective of a production wireless network, poses its own security challenges, compliance structures like the Payment Card Industry’s PCI Data Security Standard (DSS) require scanning for wireless devices. This scanning is required regardless if there is a production wireless network in place. Two of the options to fulfill the requirement are to conduct quarterly scans or use a wireless intrusion prevention system to provide full time, proactive scanning. My colleague, Dimitris Haramoglis, has done an excellent job outlining that proactive scanning is both the technologically and financially superior method for wireless threat detection.Organizations who have a “no wireless” policy need to realize that such a policy must be enforced through proactive monitoring of the RF environment. An advantage to Cisco’s approach to wireless intrusion prevention is that in laying the groundwork to monitor the RF environment, the organization also lays the groundwork to deliver enterprise mobility connectivity should an organization’s policy change. Without monitoring of the RF environment, a policy that may have intended to provide a stronger security posture may, in fact, leave the organization vulnerable.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Oh so true! Having a WIPS is CRITICAL. With new devices such as Sprint's and Verizon's MiFi devices. The backdoor is more and more available for open networks with users have their shared drives and folders available to the nefarious networker.

  2. Reggie,Yes, there are clearly more infrastructure-like devices entering the same RF space as Wi-Fi networks. So it will be increasingly important for organizations to be aware of, monitor and secure their RF environment regardless as to whether there is a production WLAN environment.

  3. Hi Sean,do you think cranite fortress is dead? What may be Cisco's strategy on Layer 2 hardware encryption? Is cranite pass-thru still supported?CheersMartin Voelk - CCIE 13708

  4. Martin,Cisco's current recommendation for securing WLAN links is to migrate to 802.11i / WPA2 for the greatest level of security. This provides robust encryption between a WLAN client and the access point it is connected to.