Krome Cast: Tech-IT-Out

KROME CAST: TECH-IT-OUT - Wi-Fi Security - Wireless Network Best Practices for Businesses

Krome Technologies Season 1 Episode 17

In this episode of Krome Cast: Tech-it-Out, we discuss how to effectively secure your corporate Wi-Fi network and review the wireless network best practices for businesses.

In today's evolving work environment, the way people work has fundamentally changed. With the move to wireless networks becoming the norm for most, organisations are forced to rethink how they can ensure their networks and devices are secure.

This podcast features Krome’s Commercial Director, Sam Mager, along with Krome's Senior Technical Consultant Paul Edwards, sharing their wireless security tips, and their insights on the wireless network deployment considerations that organisations need to make to ensure their WLAN is secure. 

► ABOUT KROME: Krome Technologies is a technically strong, people-centric technology consultancy, focused on delivering end-to-end infrastructure and security solutions that solve business challenges and protect critical data. We work collaboratively with clients, forming long-term business partnerships, applying knowledge, experience and the resources our clients need to solve problems, design solutions and co-create agile, efficient and scalable IT services.

► KROME WEBSITE: https://www.krome.co.uk/

► SOCIAL MEDIA
• YouTube: https://www.youtube.com/@krometechnologies
• Linkedin: https://www.linkedin.com/company/krome-technologies-ltd
• Instagram: https://www.instagram.com/krometechnologies/
• Twitter: https://twitter.com/KromeTech
• Facebook: https://www.facebook.com/KromeTechnologies/

► CONTACT
• Telephone: 01932 232345
• Email: info@krome.co.uk

Sam Mager  00:01

Welcome to Krome Cast, Tech-it-Out. I'm Sam Mager, Commercial Director for Krome Technologies. I'm joined today by Paul Edwards, Senior Technical Consultant. We're here to talk about how to effectively secure your wireless network, and some of the best practices that we'd recommend when looking at either new deployments or, I guess, refitting or renovating someone's legacy corporate Wi-Fi.

Paul Edwards  00:22

Yes. Hi, Sam. Thanks for having me. 

Sam Mager  00:23

So obviously, in today's, I guess, evolving working environment, kind of, not going to say post-pandemic, it still rolls on to a certain extent, but the way we've worked, it's fundamentally changed, it's not gonna go back to how it was before. And we are now very much reliant on wireless networking for the way we work, be it in an office, from home, could be in a coffee shop somewhere, and I love a bit of free Wi-Fi. But some of the things you've told me, kind of off-camera, made me think about how I'm using that and some of my behaviours, how I should be using it moving forward. So it'd be great if you could tell our audience today, you know, we've obviously helped people for many years now, working on Wi-Fi installations, and we've picked up some good knowledge, a good knowledge base, I'd like to think, so it would be good to get from you kind of the key concerns or considerations you give when looking at a wireless network deployment. And we can do this from two angles. It could be, you know, the clean slate, how we'd do it from brand new, but most instances we see are kind of an evolution of someone's Wi-Fi network. So, things we'll look for then, and improvements that could be made, considerations people think of. So as the more learned person in the room, I'll kind of chuck it to you, and feel free to just rattle through some of the considerations you'd have.

Paul Edwards  01:33

Okay, so traditionally, many businesses have used credential-based Wi-Fi authentication, very similar to, or exactly the same as, a home network: you put in a password, you connect to a network, it's very simple. And it works in a home environment. But it's not really suitable for a business environment where you need to secure data, a file.

Sam Mager  01:53

Is that where, I've been in a business before, let's be honest, we used to be one of them, where you'd see kind of the guest Wi-Fi password by the coffee machine, or on a pinboard or something, right?

Paul Edwards  02:02

Exactly that, using that for your production environment is not ideal. A far more secure way of setting up wireless access is using certificate-based authentication. A lot of businesses will already have a Windows Server estate. And it's very straightforward then to deploy a certificate authority, a Windows certificate authority, that integrates with Active Directory to issue certificates to end-users and end-user devices, to use for authentication and a whole host of other things as well. But we're going to talk about Wi-Fi authentication today.

Sam Mager  02:36

So that sounds quite interesting, but how does, and again, this is obviously for a technical audience. That sounds great, but how does someone actually go about implementing that, and I guess securing it, etc.?

Paul Edwards  02:45

So once an enterprise certificate authority has been deployed, it's a Windows Server role, and configured, it will require what's known as a Network Policy Server, or NPS server. This will act as a RADIUS server, allowing RADIUS clients such as access points to connect and to authenticate users and devices against your Active Directory domain, using their certificate.

Sam Mager  03:11

Okay, quick question on that one, you're talking about different devices and whatnot. That's not just used for Wi-Fi technology, that certificate technology? Or am I misunderstanding that?

Paul Edwards  03:18

You can use it for Wi-Fi authentication, you can also use it for wired authentication, it's 802.1X essentially, so you can use it for wired authentication, you can use it for VPNs, signing documents, once it's deployed you can use it for a whole host of things.

Sam Mager  03:35

Okay, so that would stop the Luddite, like me, popping into someone's office and grabbing an RJ45 connection and trying to get a connection to something?

Paul Edwards  03:45

Exactly that.

Sam Mager  03:46

Cool. Okay. So this is, and again, I'm not a Wi-Fi expert. I'm not that knowledgeable on Wi-Fi. I know what it does, data in the air moving around, brilliant. But the security side of it, again we talked off camera, some of the mistakes I've made in the past, you think, okay, I should pay more attention to this stuff, especially given what I do. But we talked about PKI certificates, and so on. Again, I've heard of it, but I didn't know what it stood for. And it'd be great again if you could just give us a bit more insight and information on that.

Paul Edwards  04:13

So PKI, or public key infrastructure, is a way of managing, controlling, and revoking, when they're no longer required, certificates on a network, and we're talking about Windows, on an Active Directory domain as well. So, if you've got a device that's lost or stolen, you need to prevent that from connecting to your network. Revoke the certificate, you don't need to change any passwords, you don't have to get all the other users to update their Wi-Fi password, it stops connecting.


Sam Mager  04:41

So we've talked about kind of secure passwords before, a lot of this same kind of information is human behaviour and whatnot. You remove, by not having to make people update passwords and re-issue passwords etc., you stop the post-it note at the bottom of the screen for a start. But I guess from a management perspective, especially if you've got a larger enterprise with a JML process and all that sort of stuff. A person leaves, you haven't got to take a whole OU and go everyone's got a new password to do, it's granular in its approach.


Paul Edwards  05:07

Yes, absolutely. And also from a burden on the helpdesk perspective, there are no passwords, Wi-Fi passwords, to give out to users, there are no passwords to change, devices just connect. Also, because the users don't know the password, don't have the password, they can't share it either with other users in the business, or with, you know, their family if they live close by, or, you know, other devices they may own, personal devices, for example, they can't use that to get onto the production internal network from any non-corporate device.


Sam Mager  05:38

Okay. So that's an interesting point about own devices, and so on, we saw that especially at the beginning of the pandemic, where everyone kind of grabbed any device they could to try and work, we certainly have customers having to deal with this proliferation of home devices and that, when we discuss this it brings its own concerns around security and whatnot, and it'd be interesting to hear your thoughts, your approach to how we protect our environment, customer environment, etc. from people using, let's call it, non-network-approved, or whatever the terminology is, devices. And I guess how we configure our, and our clients', wireless networks to protect against, not an erroneous device, because sometimes they're not doing it on purpose, they're just using what they can. But how we kind of give access to what they can have and then protect the crown jewels, what they shouldn't be accessing?


Paul Edwards  06:24

Yeah, you really need to keep those users, visitors as well, off the internal production network, keep them isolated on a guest network or a staff network that doesn't have access to...


Sam Mager  06:37

When I look at my Wi-Fi, to find a Wi-Fi network, not that I do, because I'm just connected to the prod, but if you look through it, we've got a guest and a staff and a prod, and so on. So, what's the difference in what I can and can't do on those? Let's say I'm a visitor to the business, what can I or can't I do, and what have we done to actually set up each one of those, so that it is, I guess, segregated or protected?

Paul Edwards  06:56

So we have our production network that is used for Krome laptops, Krome devices, so they need to have a certificate on them to connect to that Wi-Fi. You're issued with the laptop, it just connects. There are no passwords involved, so that's secured and that provides access to our, I guess, most critical resources, file servers, things like that. It still goes through a firewall, there's still scanning on that traffic, but it allows access to the core of the network, really.

Sam Mager  07:26

To show how smooth that is, as well, when we implemented that I didn't even realise, I didn't realise until we started having these conversations, that I didn't actually have to put a password in anymore to connect to our wireless network, it just happened. So I guess if you haven't done that as a business you should, because it's actually brilliant from a user perspective.

Paul Edwards  07:40

Yeah.

Sam Mager  07:40

Okay, that's our prod, and then we've got staff, and we've got guest, do we not?

Paul Edwards  07:44

We've got staff, and we've got guest. So for staff, it's isolated from our production network, you can only get to the internet, it still goes through a firewall, still scanned, still got some controls on your URL filtering, but it's very much internet only, there's no other access to internal resources, internal servers. We've got a visitors or guest network, which does use password-based authentication; with visitors, you can't really have control over their devices to put a certificate on there, you have to use a password, but that password should be rotated periodically, and it again only allows access to the internet, there's no other access there.

Sam Mager  08:24

Is that straight out, or is that via a firewall still?

Paul Edwards  08:27

All goes through a firewall. It's got slightly different traffic control measures, there are some things we can't do with guest traffic, where we don't have control of their devices, but it's still scanned, it still offers very similar protection, it's just there's no access to our internal resources there.

Sam Mager  08:43

Okay, so then obviously, I've talked before about how I've been guilty of just jumping on someone's free Wi-Fi before because it's there. Now, do I assume that that goes through some sort of firewall? And I'm offered, and I mean we offer that to our guests, right, surely everyone does? Or that I'm in the wild wild west, and I'm at risk and should know better?

Paul Edwards  09:03

A lot of websites will use SSL, HTTPS, you'll see it in the address bar, to encrypt the data between your laptop and the website you're visiting. So as long as you've got a padlock, and some address bars are,

Sam Mager  09:18

I always pay attention to that.

Paul Edwards  09:20

The browsers are pretty good, they'll flag sites now as not secure. So that does encrypt traffic. However, you really need to be using a VPN to secure that traffic. If you use a full tunnel VPN, all your internet traffic will go back to your corporate firewall, you can protect it with the same URL filtering policies, the same scanning ability if you've got a layer seven firewall, you'll be able to protect that traffic and your device a lot better, so that when they come back to the office, you know there's nothing on there that shouldn't be.

Sam Mager  09:47

Which is why we have mandatory VPN connections. So if I do happen to be in a coffee shop down the road hijacking their free Wi-Fi, I'm protected from doing us any damage?

Paul Edwards  09:56

Absolutely, all the traffic is encrypted.

Sam Mager  09:59

Brilliant, it's good to know. Okay, so there are some good points on kind of what we've done around segregation, the VLANs, etc., working in the wild wild west, and then how we protect that. I guess some of the other scenarios that we see when talking to our customers will be, and we have seen a fair bit, to be honest with you, that kind of lovely greenfield, come and help with my Wi-Fi, and then the evolution, I've got a lovely, very heavy bricked building, and my Wi-Fi's not working very well. Kind of key considerations, I guess, we're looking at both, we'll start with greenfield, what do we do? How do we do it? How do we make sure a Wi-Fi implementation is successful? And I guess the trickier one is always the kind of listed buildings and whatnot with thick walls that we have to sometimes deal with. But shall we start with greenfield?

Paul Edwards  10:38

Yeah, so there is a Wi-Fi planning tool that we can use to gauge where to place access points. Physically, they should be kind of out of reach of users, from a security point of view as well, less chance of them unplugging things, plugging in their own devices. So the more you can hide them, within reason, the better. Placing them, and the type of access point, some are higher density ones, they'll support a load of users concurrently. So it's really sizing the correct access point, also the location of the access point, and the number as well.

Sam Mager  11:13

That's quite an interesting point actually, the physical location, because I do know people that have tried to jam cables into Wi-Fi and whatnot, we do see it, but that's obvious if you leave them out. You can't see them around our office, because you've done the clever thing and buried them in the ceiling and whatnot, which is quite common. But that makes me think about, I've never really thought about it before, but there's obviously a method to the madness around where we put these things in our office, but how do you work out, I guess, you mentioned different APs before as well, so these come in different flavours, different strengths or whatnot, so how do you work out, you know, what is the most suitable AP for our use, for our clients' use, I guess what the different variables are, and how do you make sure we have them in the right place?

Paul Edwards  11:48

It comes down really to the models offered by that vendor and picking one that's appropriate to their use case. We've gone into offices and seen access points kind of hidden away in a corner, which is really not the ideal place to have it, in the corner on the floor, a user can easily unplug it, and from a signal strength point of view it's not great either. Somewhere central, in the ceiling, is ideal as users can't get to them, at least not easily. And,

Sam Mager  12:13

You'd be pretty determined.

Paul Edwards  12:14

Absolutely. So you don't have them, you know, unplugging them, restarting them at will. So, from a security point, it's great. From a signal strength point, it's even better, because it's central, and it's somewhere that can reach the most area with that single AP. Where you've got to deploy multiple APs, that positioning and signal strength does go into it.

Sam Mager  12:35

That was it, you were talking about signal strength, again, chatting to me off-camera, trying to educate me slightly, but I always thought it just best to have as many APs as you can, all blasting out a signal, and that's good. You know, obviously, saturation has got to be the best way of doing it, well, I'm clearly wrong.

Paul Edwards  12:47

Not always, no, you can have too much, and they can get to a point where they start to interfere with each other, and they start to kind of negatively interact, and actually you end up in a worse state by having more APs. So switching them off, dialling down the signal strength, can actually give you better overall coverage because each AP will better cover its own area.

Sam Mager  13:07

I've seen that in some of the wireless mapping assessments we do, where you kind of plot out how it is, and then how it could be, it's quite interesting. I've always, as I said, thought just seeing it splurged with Wi-Fi signal would be the best, but actually, how you guys work that all out is really interesting, especially when you see some of the older buildings we've worked with, where people think they've got it right, and they actually walk around with the wand and see it's not so good, and how you guys actually map it to work is actually very interesting. So there have been some very interesting points on this whole topic, but it'd be good, before we wrap up, if you could, for our audience, I guess, give the top things that you consider when looking at any wireless deployment, when you talk to a customer, I think these are the things we must discuss today.

Paul Edwards  13:45

Deploy multiple wireless networks, SSIDs: one for your production network, one for your staff to use for personal devices, it's going to happen in any network, and one for your visitors as well. So segregate traffic from all of those places, all on different VLANs, and deploying a PKI for your internal infrastructure is a great way to secure your corporate devices, to make sure that they are the only ones that are authorised or allowed on your production network.

Sam Mager  14:15

And then enforce the VPN connection for when your commercial director's working in the coffee shop.

Paul Edwards  14:19

Yeah, coffee shop or even a home network, where you don't have control over it, you don't have the same corporate policies. It's really, essentially, all the same, it's untrusted. So yeah, deploy a VPN, and secure the traffic.

Sam Mager  14:31

Brilliant, thanks Paul.

Paul Edwards  14:33

Thank you.

Sam Mager  14:34

Thank you for joining us on this edition of Krome Cast, Tech-it-Out. Please remember to like, subscribe, comment and share. If there's anything you'd like us to cover in future episodes, leave it in the comment section below. Thank you.