Enterprise Mobile Device Security: Wi-Fi Network Access and Policies
Mobile devices, including corporate-issued devices, have sophisticated Wi-Fi capabilities, allowing them to connect to public and private networks for Internet access. Device users can connect to networks at public places, such as coffee shops, airports, and hotels, and to private networks, including corporate and home networks.
Some Wi-Fi networks are open, requiring no authentication of the devices or the users connecting to them. All it takes for a user to connect to such a network is to detect the open network by name (its Service Set Identifier, or SSID) and connect to it. No password is required, so anyone can connect to the network.
Wi-Fi networks can be secured by requiring a password or by using other techniques. Such networks are safer to connect to, but depending on the security scheme deployed in the Wi-Fi policy, these networks can still be snooped on. There are two broad categories of Wi-Fi networks to which users can connect their mobile devices.
Open or insecure Wi-Fi networks
Open networks can be joined by any user and from any device without the user needing to enter a password. People conversant with networking technology can read traffic over the network sent by other users from laptop computers, tablets, or smartphones.
Traffic that is easy to snoop on includes open or unsecured browsing traffic, such as visiting a website that does not require SSL encryption. Unfortunately, many popular websites like Facebook, Yahoo!, and Twitter do not require SSL encryption, so when users browse these sites over an open Wi-Fi network, they’re vulnerable to being snooped on.
Websites or applications that require SSL encryption are better protected from snooping by other users on the same Wi-Fi network. When browsing any website, users can easily see whether SSL encryption is turned on: it usually appears as a padlock in the browser, sometimes along with the name of the server the user is connecting to.
If you’re managing mobility policies for your corporate users, you need to strongly discourage them from connecting to open Wi-Fi networks from their mobile device. Whether your employees are using personal devices or corporate-owned devices, you don’t want users on an open Wi-Fi network.
Encrypted Wi-Fi networks
Wi-Fi networks can be secured using techniques called WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), or WPA2 (a more recent form of WPA). Among these three, WEP employs the weakest encryption, because it relies on a preshared password key, which is used to encrypt network traffic. WEP-secured networks are more secure than open networks, but anyone who has successfully connected to a WEP-encrypted network can view traffic generated by other users or devices on the same network.
WPA and WPA2 employ stronger encryption than WEP, and WPA2, the more recent of the two, uses stronger encryption than WPA. WPA2 comes in two flavors: WPA2-enterprise and WPA2-personal. For private networks, such as home networks, WPA2-personal is the ideal security to deploy. For corporate Wi-Fi networks, WPA2-enterprise is the best possible security to deploy.
As an administrator recommending mobility policies, you can feel secure if users are connecting to WPA2-secured Wi-Fi networks from their devices.
VPN on a Wi-Fi network
If your users do happen to connect to an open Wi-Fi network, make sure they use VPN on their devices to connect to your corporate VPN gateway. VPN builds a secure tunnel from the device to the VPN gateway, through which all traffic is encrypted and invisible to network snoopers.
VPN comes in IPSec and SSL flavors, both of which have their pros and cons. Most laptop PCs, Apple Macs, smartphones, and tablets include VPN support for leading networking vendors.
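As an added illustration of the policy laid out in the "Encrypted Wi-Fi networks" and "VPN on a Wi-Fi network" sections (this is example code, not from the original article), the following Python script classifies a constructed Wi-Fi scan, shaped like the terse output of `nmcli -t -f SSID,SECURITY dev wifi`, into the article's categories and marks which networks a device may join. The rule that anything weaker than WPA2 is permitted only while the corporate VPN tunnel is up is an assumption drawn from the VPN section.

```python
# Constructed sample shaped like `nmcli -t -f SSID,SECURITY dev wifi` output:
# one network per line, SSID and SECURITY separated by ':', empty SECURITY = open.
SAMPLE_SCAN = """\
CoffeeShop-Free:
HomeRouter:WPA2
LegacyPrinter-AP:WEP
Corp-Secure:WPA2 802.1X
Hotel-Guest:WPA1
"""

# Why each category is, or is not, acceptable, as the article lays it out.
NOTES = {
    "open": "anyone nearby can read unencrypted traffic",
    "wep": "anyone joined to the network can read other users' traffic",
    "wpa": "stronger than WEP, but superseded by WPA2",
    "wpa2-personal": "fine for home networks",
    "wpa2-enterprise": "recommended for corporate Wi-Fi",
}

def classify(security: str) -> str:
    """Map an nmcli SECURITY field to the categories the article discusses."""
    s = security.upper()
    if not s.strip():
        return "open"
    if "WEP" in s:
        return "wep"
    if "WPA2" in s:
        # "802.1X" marks an enterprise network (per-user authentication)
        return "wpa2-enterprise" if "802.1X" in s else "wpa2-personal"
    return "wpa"  # WPA1 only

def evaluate(scan_output: str, vpn_tunnel_up: bool) -> list:
    """Assumed policy: WPA2 is compliant on its own; open, WEP and WPA networks
    are compliant only while the VPN tunnel to the corporate gateway is up."""
    verdicts = []
    for line in scan_output.splitlines():
        if not line.strip():
            continue
        ssid, _, security = line.rpartition(":")  # SECURITY never contains ':'
        cat = classify(security)
        compliant = cat.startswith("wpa2") or vpn_tunnel_up
        note = NOTES[cat] + ("" if compliant else "; do not join without VPN")
        verdicts.append({"ssid": ssid, "category": cat,
                         "compliant": compliant, "note": note})
    return verdicts
```

Running `evaluate(SAMPLE_SCAN, vpn_tunnel_up=False)` marks only the two WPA2 networks as joinable; with the tunnel up, every network passes but the note still records why the weaker ones need it.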