As enterprise Wi-Fi grows, so does the need to protect business networks from wireless intruders and shore up wireless security. Traditional firewalls enforce trust boundaries between wired subnets, but Wi-Fi has a nasty habit of circumventing those established perimeters. Many network operators wage a daily foot war against rogue access points (APs), while engineers struggle to regain control over Wi-Fi access. A Wi-Fi firewall can help you tackle these challenges more efficiently and effectively.
Why deploy a Wi-Fi firewall appliance?
The label “Wi-Fi firewall” has been applied to various appliances, including wireless-capable SOHO firewalls (e.g., SonicWALL, WatchGuard) and wireless network gateways (e.g., BlueSocket, Vernier, Cranite). In this article, we use “Wi-Fi firewall” to describe servers that monitor and filter Wi-Fi traffic, blocking unauthorized 802.11 usage and attacks while still in the air.
Commonly known as wireless intrusion prevention systems (WIPS), these appliances provide full-time security policy enforcement throughout your entire wireless LAN (WLAN). Instead of requiring someone to periodically check every floor of every building to find rogue APs, a Wi-Fi firewall continuously watches for rogue traffic, automatically disconnecting any new AP. Instead of depending on employees to use Wi-Fi safely, a Wi-Fi firewall can disrupt non-compliant sessions to prevent confidential data disclosure.
Adding a Wi-Fi firewall to your network
Deploying a Wi-Fi firewall involves installing a central server in your NOC and positioning remote sensors throughout the offices (“air space”) to be monitored. Sensor network planning is essential to avoid coverage holes in locations like stairwells where intruders might lurk unobserved. Most appliances use overlay networks of dedicated sensors. Some can also use regular APs that watch for rogues in their spare time. Dedicated sensors have better observation and prevention capabilities, but require more up-front investment to purchase, mount, power, and cable. Sensors that support Power over Ethernet and/or daisy-chaining can reduce that cost. Communication between remote sensors and the central server usually requires modest bandwidth, but a large remote office with limited WAN access may deserve its own server.