
Security deployment considerations – Brocade Mobility Access Point System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


53-1003100-01


Security Deployment Considerations


Before defining a firewall supported configuration, refer to the following deployment guidelines to
ensure the configuration is optimally effective:

Firewalls implement access control policies, so if you don't have an idea of what kind of access
to allow or deny, a firewall is of little value.

It's important to recognize the firewall's configuration is a mechanism for enforcing a network
access policy.

A role based firewall requires an advanced security license to apply inbound and outbound
firewall policies to users and devices. Role based firewalls are not supported on Brocade
Mobility 6511 Access Point.

Firewalls cannot protect against tunneling over application protocols to poorly secured wireless
clients.

Firewalls should be deployed on WLANs implementing weak encryption to minimize access to
trusted networks and hosts in the event the WLAN is compromised.

Firewalls should be enabled when providing Captive Portal guest access. Firewalls should be
applied to Captive Portal enabled WLANs to prevent guest user traffic from being routed to
trusted networks and hosts.

Before configuring WIPS support, refer to the following deployment guidelines to ensure the
configuration is optimally effective:

WIPS is best utilized when deployed in conjunction with a corporate or enterprise wireless
security policy. Since an organization’s security goals vary, the security policy should document
site specific concerns. The WIPS system can then be modified to support and enforce these
additional security policies.

WIPS reporting tools can minimize dedicated administration time. Vulnerability and activity
reports should automatically run and be distributed to the appropriate administrators. These
reports should highlight areas to be investigated and minimize the need for network
monitoring.

It is important to keep your WIPS system firmware and software up to date. A quarterly system
audit can ensure firmware and software versions are current.

Only a trained wireless network administrator can determine the criteria used to authorize or
ignore devices. You may want to consider your organization’s overall security policy and your
tolerance for risk versus users’ need for network access. Some questions that may be useful in
deciding how to classify a device are:

Does the device conform to any vendor requirements you have?

What is the signal strength of the device? Is it likely the device is outside your physical
radio coverage area?

Is the detected access point properly configured according to your organization’s security
policies?

Brocade recommends trusted and known access points be added to a sanctioned AP list. This
will minimize the number of unsanctioned AP alarms received.
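
The classification questions above, combined with a sanctioned AP list, can be turned into a repeatable triage step. The following Python is an added example, not code from Brocade or from this guide; the policy values, field names, verdict labels and scan results are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Site policy values: all constructed for this example, not taken from the guide.
SANCTIONED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:56"}
APPROVED_OUIS = {"00:11:22"}            # vendor prefixes the organization deploys
ALLOWED_SECURITY = {"WPA2-Enterprise"}  # what the security policy permits
CORPORATE_SSIDS = {"corp-wlan"}
ONSITE_RSSI_DBM = -70                   # at or above: probably inside coverage

@dataclass
class DetectedAP:
    bssid: str
    ssid: str
    security: str
    rssi_dbm: int

def classify(ap):
    """Return (verdict, reasons); verdict labels are hypothetical."""
    bssid = ap.bssid.lower()
    if bssid in SANCTIONED_BSSIDS:
        # Being on the list does not excuse a configuration that breaks policy.
        if ap.security not in ALLOWED_SECURITY:
            return "sanctioned-misconfigured", [f"{ap.security} violates policy"]
        return "sanctioned", []
    reasons = []
    if bssid[:8] not in APPROVED_OUIS:
        reasons.append("vendor OUI not approved")
    uses_corp_ssid = ap.ssid in CORPORATE_SSIDS
    if uses_corp_ssid:
        reasons.append("uses a corporate SSID but is not sanctioned")
    onsite = ap.rssi_dbm >= ONSITE_RSSI_DBM
    reasons.append("strong signal, likely on site" if onsite
                   else "weak signal, likely outside coverage area")
    # Escalate anything on site or using the corporate SSID; the rest is most
    # likely a neighbouring network an administrator can choose to ignore.
    verdict = "investigate" if (onsite or uses_corp_ssid) else "likely-neighbor"
    return verdict, reasons

# Constructed scan results.
SAMPLE_SCAN = [
    DetectedAP("00:11:22:33:44:55", "corp-wlan", "WPA2-Enterprise", -48),
    DetectedAP("00:11:22:33:44:56", "corp-wlan", "WEP", -52),
    DetectedAP("AA:BB:CC:00:00:01", "corp-wlan", "Open", -85),
    DetectedAP("AA:BB:CC:00:00:02", "CoffeeShop", "WPA2-Personal", -88),
    DetectedAP("00:11:22:99:99:99", "test-lab", "Open", -40),
]

if __name__ == "__main__":
    for ap in SAMPLE_SCAN:
        print(ap.bssid, ap.ssid, *classify(ap))
```

Only the "sanctioned" verdict suppresses an alarm here; every other verdict keeps its reasons so the administrator makes the final authorize-or-ignore decision.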