Limiting wireless clients to secured access points

I am attempting to enable all my wireless users to ONLY connect to WEP or WAP enabled WLANs. I do not even want them to be able to see unsecured ones if possible, but would like them only to connect to secured ones. Do you think this is even possible and if so how easy is it to implement?

Configuring and enforcing security policy on wireless stations was a significant problem until the release of "Endpoint Security Solutions" by vendors such as Network Chemistry and Senforce. These solutions consist of client agent software and a central policy server with a management console. Using the management console, network administrators can control connectivity on client devices by using security policies enforced by the agent software. It's important to note that not every endpoint security solution is created equal. Some solutions are focused solely on Layers 1-2 while others are focused on Layers 1-7. The L1-L2 solutions focus on controlling Wi-Fi connectivity using policies that, for example:

* Allow connectivity only to specific SSIDs

* Disable Wi-Fi adapters when a wired adapter is connected and bridged to the Wi-Fi adapter

* Require use of VPN protocols when connected to an authorized-but-unsecure Wi-Fi network

* Prevent hotspot evil twin and phishing attacks

* Provide alerts and reporting

* Set minimum authentication and encryption levels or enforce specific parameters
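
An added example, not from the original article or any vendor's product: a minimal sketch of how a client agent could evaluate scan results against the L1-L2 policies listed above, including hiding networks the policy refuses. The `Policy` fields, decision strings and sample networks are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Sec(IntEnum):            # ordered weakest to strongest
    OPEN = 0
    WEP = 1
    WPA = 2
    WPA2 = 3

@dataclass(frozen=True)
class Network:                 # one entry from a client's scan results
    ssid: str
    security: Sec

@dataclass(frozen=True)
class Policy:                  # hypothetical policy schema
    allowed_ssids: frozenset   # empty set means any SSID is acceptable
    min_security: Sec
    vpn_ok_ssids: frozenset = frozenset()  # authorized-but-unsecure, VPN mandatory
    disable_wifi_when_wired: bool = True

def evaluate(policy, net, wired_link_up=False):
    """Return (decision, reason); decision is 'allow', 'allow-vpn' or 'deny'."""
    if policy.disable_wifi_when_wired and wired_link_up:
        return "deny", "wired adapter connected"
    authorized = policy.allowed_ssids | policy.vpn_ok_ssids
    if policy.allowed_ssids and net.ssid not in authorized:
        return "deny", "SSID not authorized"
    if net.security >= policy.min_security:
        return "allow", "meets minimum security"
    if net.ssid in policy.vpn_ok_ssids:
        return "allow-vpn", "authorized but unsecured, VPN required"
    # Also covers an authorized SSID advertised with weaker security than policy demands.
    return "deny", "below minimum security"

def visible_networks(policy, scan, wired_link_up=False):
    """Networks the agent would still list to the user."""
    return [n for n in scan if evaluate(policy, n, wired_link_up)[0] != "deny"]

# Constructed sample data.
SCAN = [Network("CorpNet", Sec.WPA2), Network("CorpNet", Sec.OPEN),
        Network("HotelGuest", Sec.OPEN), Network("FreeWiFi", Sec.OPEN),
        Network("Neighbor", Sec.WPA2)]
CORP = Policy(frozenset({"CorpNet"}), Sec.WPA, frozenset({"HotelGuest"}))
SECURED_ONLY = Policy(frozenset(), Sec.WEP)   # the question's "secured networks only"

if __name__ == "__main__":
    for net in SCAN:
        print(net.ssid, net.security.name, *evaluate(CORP, net))
```
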

Layer 1-7 solutions provide much of the same functionality as the L1-2 solutions, but add higher-layer features such as:

* Network Access Control (NAC)

* Stateful firewall

* Application control

While a comprehensive solution of this magnitude is never a "no brainer" to implement, each vendor provides a "best practices" whitepaper and instruction manuals on how to get their products up and running fairly quickly. Before you decide that "more layers are better", consider the following:

* You may already have a managed client firewall solution

* You may already have a managed client VPN solution

* You may only need to control the wireless connectivity of client devices

The mindset behind endpoint security solutions is to take the security reins out of the hands of the end user and put them back into the hands of the security administrator - where they belong. Using this new technology, the security administrator can ensure that the organization's security policy is enforced on every mobile device running the endpoint agent software.

Using managed endpoint security solutions, users will not be able to uninstall or disable the agent software, and each time they connect to the network the client-side software agent connects to the centralized policy server to retrieve an updated policy. Once deployed, ongoing policy updates within the management console are quite simple to administer. Since each vendor offers a free trial of their endpoint security solution, I suggest you take advantage of this at your earliest opportunity.

Devin Akin is CTO of CWNP, the industry standard for wireless LAN training and certification, as well as an editorial board member of the WVE.


Copyright © 2007 IDG Communications, Inc.
