Windows XP / Networking

---

Developing a Security Architecture

Although obvious differences exist between wired and wireless networks, the security principles remain the same. By analyzing the security needs of your organization, you can protect it by implementing the right security controls correctly, at the right time. Working in this manner, you can ensure a successful outcome. Developing a security architecture is more important to the security of your organization than any software or hardware you may purchase. Security is not a point product, such as a firewall; rather, it is a process.

Building a secure wireless network is akin to building a house. When you start to build your house, you have to decide whether you will build a ranch, a split-level, a bungalow, a Tudor, a mansard, a neo-classical revival, or what have you. This is your security stance and strategy. Well, the first step in creating a secure wireless network is to determine your stance and establish an enterprise-wide strategy for deployment and usage. Are you a security-conscious organization? Is your industry security-conscious? Do your customers and clients expect secure applications? Do you process or maintain personal information? These are all questions to help you derive your security stance. At the highest level, your strategy should address the requirements of the following:

Confidentiality:
The means for keeping transmitted data secret until it reaches its destination.

Integrity:
The means by which the recipient of the data transfer can know that the data is intact and that no one has tampered with it.

Authentication:
Ensures that network access is granted to only approved persons or devices.

Availability:
The quality of being at hand when needed.

Accountability:
The responsibility to someone or for some activity.

These are high-level goals of your security program. Your strategy should address the following areas as well:

Determine business needs
What are the business drivers and needs of your organization? Identify objectives clearly, and make sure that the benefits outweigh the risks.

Integrate wireless policies into existing IT policies
Remember that wireless solutions are an extension of the wired network.

Clearly define wireless network ownership
This ensures control as well as response when you identify security threats. Also, defining network ownership should nip backdoor or rogue access points in the bud.

Protect the existing infrastructure
This is what it really is about. Do not place wireless devices directly on the internal network. Instead, provide a separate network or demilitarized zone to control access to the wired network.

Educate users about wireless policies
This includes providing awareness sessions for employees.

Your policy should consider the assets you intend to protect: sensitive data and network services. You cannot develop policy statements without considering the threats you are trying to prevent: equipment damage or theft, denial of service, unauthorized access, fraud, data theft, personal information exposure, data insertion, and legal liabilities.

To build a house, you need a blueprint or architectural plan. The blueprint lays out what is expected. You want to know how many washrooms or other services you will have. Likewise, your security architecture should have a plan or blueprint. A good security plan includes the following network services:

Authentication:
One entity (that is, simply a person or system) proves to the other its identity.

Access control:
You allow or deny an entity access to the network.

Replay prevention:
An entity can determine a previously sent message.

Message integrity:
An entity can verify that no one has changed thevcontent of a message in transit.

Message privacy:
Sensitive information is encrypted when transmitted between two wireless entities to prevent interception and disclosure or to prevent a third party from tracking communications between two other entities.

Non-repudiation:
An entity can verify the origin or the receipt of a specific message.

Accountability:
An entity can trace the actions of an entity uniquely to that entity.

Key protection:
The system can protect the confidentiality of a key used by an entity.

When building a home, you want to ensure that you begin with a strong foundation. You pour some concrete and form the basement or foundation. The foundation or baseline of any security architecture is the security policy.