John Girard and I are in the midst of updating the WLAN IPS MarketScope research note. NetworkWorld reports that the Payment Card Industry Security Standards Council will be issuing some guidance on WLAN security where credit card processing is involved. Though they appear to have pushed out the release by a day, it looks like they will be making it clearer that WLAN IPS systems will be required. It appears they will always push to see them used to scan for “rogue” access points, even where WLAN is not officially used on the network involved in credit card processing.
NIST has also put out a WLAN security guidelines bulletin and SP 800-48, both with good information. John G. and I have put out a series of best practices research notes on securing WLANs – it is really not all that hard to do. However, you do need some form of monitoring capability to make sure mistakes aren’t made. It turns out that the network folks responsible for keeping WLANs running also need RF monitoring: help desk calls of the type “I can’t get on the wireless LAN” can take many hours to resolve without being able to look at the over-the-air signals. At a minimum, if you can’t deploy a dedicated WLAN monitoring solution, take a look at getting security use out of WLAN monitoring systems put in place by the network operations group.
The starting point is making sure you have secure configuration guidelines and then a monitoring solution to make sure that all access points stay configured that way. With those two things in place, WLAN security is not that hard. What’s coming along, however, is the need to monitor for other types of wireless, like cellular data cards, WiMAX and other emerging wireless technologies.