Q: I just inherited a major 802.11b deployment. I have no budget - what are the top 3 to 5 things I should do to ensure the network is secure? Joe - Seattle

The Wizards gaze deeply into their crystal ball and respond:

Pat Calhoun, Airespace

There is no "one-size-fits-all" approach to wireless security. Every individual enterprise requires its own comprehensive framework that addresses all facets of wireless networking, from the radio frequency physical layer to the protection of key business-critical applications. The best solution is a mix of well established industry standards, such as 802.1x, Wi-Fi Protected Access (WPA), and IPSec, combined with innate WLAN infrastructure capabilities, such as real-time monitoring for intrusion protection. The trick is understanding what security risks to look for, and knowing how best to address them in your enterprise environment. Below are some common things to consider:

• Does your WLAN system support security policies for heterogeneous users? How are the security approaches integrated? For example, can the same access points support multiple networks, such as an open "guest" network alongside an employee network using higher level encryption?

• Can you apply wired security policies to your wireless network? Are you reinventing the wheel? It is often extremely useful to map existing security schemes, such as virtual LANs, access control lists (ACL), and back-end authentication services (e.g., RADIUS) in your wireless network. In some instances, you may even want to leverage firewall and intrusion protection services. But, beware of WLAN products that offer a subset of what traditional security solutions offer, and require you to create completely separate security policies for wireless users. You do not want a false sense of security by deploying a scaled down firewall on your WLAN switch. In addition, and perhaps more importantly, users expect a seamless experience across wireless and wired networks. It might not be practical to have IT staff manage, update and control separate policies for both environments.

• Can your WLAN address security threats in real-time? A wireless network should be able to monitor the air space in real-time and detect malicious or unauthorized activity, such as rogue devices, attack signatures, excessive sources of interference, etc. Ideally, this functionality will be built into the access points themselves to avoid the need for handheld scanners, or separate overlay monitoring devices, which add cost and complexity. Your WLAN security system should place a high emphasis on eliminating false positives, as these have a tendency to increase cost and can ultimately affect overall security if your administrators get in the habit of ignoring valid attacks.