Government Technology - September 2008 - (Page 45)

“The most important requirement from a network access control perspective would be defining your policies for accessing your environment. That’s really the prerequisite for any effective network access control,” said Patrick Wheeler, Symantec senior product manager for endpoint security.

This includes establishing what security software and configuration options should be on each computer accessing the network, how often antivirus and other software should be updated, and putting it all in the policy to drive compliance. “That’s going to be the first requirement for best practices,” Wheeler said.

Security officers should also plan and understand their objectives, he added. Do you want the same access control and security standards for employees as for contractors who might only access the network a few hours a day or week? If so, are these contractors using the same types of laptops mobile employees use?

“Some organizations are going to want a very tight, locked-down network access control solution. For others, that might be overkill,” Wheeler said. “I think understanding your priorities and objectives is really the next best step. The third thing that is really critical is making sure there’s coordination between the different people who are going to be affected by, and ultimately managing, a network access control solution.”

Westchester County, N.Y., is centralizing the management of various pockets of wireless devices that have been deployed in different areas. Only employees can use the private network.

“We’re trying to standardize the fact that if you’re a county employee, and you access a particular wireless network or segment, credentials that you currently have as an employee are authenticated to allow you to get onto that particular network,” said Lennox Harris, the county’s network engineering manager.

Authentication means verifying users’ identities before granting network access. Westchester’s authentication credentials include passwords, and the county issues laptops to employees that are configured by a desktop support group. The laptops have security software and authentication settings, so if remote employees use them, there’s no chance they will compromise the network by accessing it with consumer-grade personal laptops.

Safeguard Technologies

Everyone knows about firewalls, but what are other security practices that help secure a wireless network?

“There’s a whole bunch of things that you can do,” said Mark Weatherford, executive officer of the California Office of Information Security and Privacy Protection. His office helps state agencies implement information security protocols.

Weatherford advises administrators to create a unique service set identifier (SSID), or network name. For example, in a Linksys network, the word “linksys” is the default SSID. It’s a good idea to change it to something less obvious to ward off unwanted attention.

Administrators should also use media access control (MAC) address filtering, said Weatherford. The MAC address is a number that identifies a computer’s network adapter. Each computer accessing a wireless network has a different MAC address. MAC filtering can deny network access to a computer with the wrong MAC address.

“Obviously encryption of the network itself is the most important thing that you can do,” said Weatherford, who recommends using Wi-Fi Protected Access 2 (WPA2). Wi-Fi Protected Access (WPA) technology encrypts data at an advanced level and establishes strong access controls and user authentication. Weatherford said WPA has stronger encryption algorithms than the Wired Equivalent Privacy tools found on many wireless networks. He recommends employees develop strong passwords and change them often.

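The three settings Weatherford lists (SSID, MAC filtering, encryption) can be checked mechanically. The following is an added example, not part of the original article: a Python audit of an access point configuration, assuming hostapd-style key=value settings; both sample configurations and the default-SSID list are constructed.

```python
# Added example: audit a hostapd-style key=value access point config.
# The sample configs and DEFAULT_SSIDS are constructed for illustration.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}  # page names only "linksys"

WEAK = """
ssid=linksys
wep_default_key=0
wep_key0=0123456789
macaddr_acl=0
"""

HARDENED = """
ssid=county-staff-7f
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.mac
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return (severity, finding) tuples, encryption findings first."""
    conf = parse_conf(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))  # hostapd bit field: 1 = WPA, 2 = WPA2
    if wpa == 0:
        kind = "WEP" if any(k.startswith("wep_") for k in conf) else "no encryption"
        findings.append(("high", f"{kind} configured; set wpa=2 for WPA2"))
    elif wpa & 1:
        findings.append(("medium", "original WPA still accepted; set wpa=2"))
    ssid = conf.get("ssid", "")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append(("low", f"vendor default SSID '{ssid}' unchanged"))
    if conf.get("macaddr_acl", "0") == "0":
        findings.append(("low", "no MAC allow-list; set macaddr_acl=1"))
    return findings

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(conf) or "no findings")
```

The severity ordering follows the article's ranking of encryption as the most important control; the SSID and MAC filtering checks are reported as lower-priority findings.
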
“Ideally from a mathematical standpoint, a good, strong password is 20 characters, and you could make a sentence and make it a pass phrase, so think ‘pass phrase’ as opposed to ‘password,’” Victor said.

But IT managers might breathe a little easier if their employees entered more than just passwords to access the network. Additional authentication methods include: something a person knows, like a password or identification number; something a person possesses, such as a card; or a unique physical

Access Denied

Administrators can use a number of methods to keep unwanted users off their networks, including:

• Filtering technologies, such as media access controls, can weed out devices that are foreign to an organization.
• Passwords and PINs can help verify that only the people with authorization to use a network are allowed access.
• Cards and other devices distributed only to employees authorized to access a network can also help ensure only desired users gain access.
• Biometric identifiers, such as fingerprint readers, iris scanners or voice recognition technologies, confine network access to certain users and can’t be shared with others.