With the rapid adoption of Wi‐Fi networks by enterprise IT departments everywhere, network security now involves an entirely new dimension of vulnerability to malicious hackers and casual intruders. Applications and data have literally taken to the airwaves, thanks to the compelling productivity and efficiencies gained by mobility tools such as notebook PCs, handhelds and Blackberries. As an extension to existing wired infrastructure, Wi‐Fi helps companies achieve better customer responsiveness and improvements in the bottom line. The downside is that making corporate data accessible through Wi‐Fi networks means intruders and other unwanted visitors can easily access such networks if proper precautions and tools aren't used to protect them. In addition, the enterprise wired network itself is subject to unauthorized access without proper precautions. There are five fundamental areas which must be considered when securing the enterprise against wireless threats.

• Creating a wireless security policy
• Securing the enterprise wireless LAN
• Securing the enterprise wireline (Ethernet) network
• Securing corporate laptops from wireless threats when outside the enterprise
• Educating employees regarding the wireless policy

This paper will discuss best practices in all five areas to secure the enterprise network, whether wired or wireless, from unauthorized use and hackers. This should be complemented by strong access control and wireline security policies. This paper assumes that a strong firewall, VPN, a VLAN architecture for multiple user communities and wireline IDS/IPS already are in place. Together, the combination can protect the enterprise from unauthorized use, theft and damage to the company’s reputation with customers and partners.

Create a Wireless LAN Security Policy

Much like the security policy that you have in place for wireline access, it’s a good idea to begin with a written wireless policy that covers authorized use and security. A good place to start is with some templates that already exist for the specific sections that should be covered. Good places to review documents for a wireless policy include the SANS Institute and CWNP. Typically, security policy documents include the following sections:

• Purpose
• Scope
• Policy
• Responsibilities
• Enforcement
• Definitions
• Revision History

Background for this document should be thoroughly researched. Most security issues can be traced to oversights or errors in security policy implementation. The following discusses some best practices that you may wish to incorporate into your Wireless LAN Security Policy.

What is WIPS

In computing, a wireless intrusion prevention system (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).

Rogue AP

A rogue access point, also called rogue AP, is any WiFi access point that is installed on a network but is not authorized for operation on that network, and is not under the management of the network administrator.

• APs attached to the enterprise LAN without permission
• Backdoor to the enterprise LAN

Soft (Virtual) AP

SoftAP is an abbreviated term for "software enabled access point." This is software enabling a computer which hasn't been specifically made to be a router into a wireless access point. It is often used interchangeably with the term "virtual router".

• Network interface bridging
• Internet connection sharing (ICS)
• Add‐on devices (e.g., Windy31)
• Windows 7 Virtual Wi‐Fi

Honeypot (Man‐in‐the‐middle) Attacks

A honey pot is a computer system on the Internet that is expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems.

• Ad-hoc connections
• Connections to external APs
• Probing for vulnerable SSIDs
• Honeypot/Evil Twin target
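
The categories listed above (authorized AP, rogue AP attached to the enterprise LAN, honeypot/evil twin advertising a corporate SSID, external AP, and managed clients connecting to any of these) can be expressed as classification logic. This is an added example, not AirTight's implementation; the inventory values, the function names and the MAC-adjacency test used for wired-side correlation are assumptions.

```python
# Added example: classify access points seen by a wireless sensor.
# All MAC addresses and SSIDs below are constructed sample values.
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}  # managed APs
CORPORATE_SSIDS = {"CorpNet"}                                   # SSIDs we own
MANAGED_CLIENTS = {"3c:00:00:00:00:10"}                         # company laptops

def norm(mac):
    """Lower-case a MAC and use ':' separators so comparisons are stable."""
    return mac.strip().lower().replace("-", ":")

def on_wired_lan(bssid, wired_macs, delta=2):
    """Assumed heuristic: an AP's Ethernet MAC usually sits within a few
    addresses of its radio BSSID, so a near match in the switch MAC
    tables suggests the AP is plugged into the enterprise LAN."""
    as_int = lambda m: int(norm(m).replace(":", ""), 16)
    return any(abs(as_int(m) - as_int(bssid)) <= delta for m in wired_macs)

def classify_ap(bssid, ssid, wired_macs):
    """Return 'authorized', 'rogue', 'evil-twin' or 'external'."""
    if norm(bssid) in AUTHORIZED_BSSIDS:
        return "authorized"
    if on_wired_lan(bssid, wired_macs):
        return "rogue"       # unmanaged AP bridged onto the enterprise LAN
    if ssid in CORPORATE_SSIDS:
        return "evil-twin"   # corporate SSID from a radio we do not manage
    return "external"        # neighbouring AP, not on our wire

def client_violations(associations, wired_macs):
    """Managed clients associated to anything other than an authorized AP."""
    hits = []
    for client, bssid, ssid in associations:
        verdict = classify_ap(bssid, ssid, wired_macs)
        if norm(client) in MANAGED_CLIENTS and verdict != "authorized":
            hits.append((norm(client), norm(bssid), verdict))
    return hits

# Constructed inputs: switch MAC-table entries, beacons, client associations.
WIRED = {"00:11:22:aa:bb:00", "de:ad:be:ef:00:10"}
SEEN = [("00:11:22:aa:bb:01", "CorpNet"), ("DE-AD-BE-EF-00-11", "linksys"),
        ("66:77:88:00:00:01", "CorpNet"), ("66:77:88:00:00:02", "CoffeeShop")]
ASSOC = [("3c:00:00:00:00:10", "66:77:88:00:00:01", "CorpNet"),
         ("3c:00:00:00:00:10", "00:11:22:aa:bb:01", "CorpNet")]

if __name__ == "__main__":
    for bssid, ssid in SEEN:
        print(norm(bssid), ssid, classify_ap(bssid, ssid, WIRED))
    print(client_violations(ASSOC, WIRED))
```

The adjacency test misses an unauthorized AP that sits behind NAT or uses an unrelated Ethernet MAC, so treat an "external" verdict as "not yet correlated to the wire" rather than as proof of absence.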

AirTight Secure WiFi™
One Solution

In today’s age of smart phones, tablets and mobile apps, users expect WiFi wherever they go. What was once considered a special service to customers has become such a commodity that businesses risk turning customers away if they don’t offer WiFi. Besides, WiFi has opened new opportunities for businesses to better engage their customers and to improve service efficiency, in turn resulting in increased revenue. However, for quick-serve restaurant and retail store chains, PCI DSS compliance is also a top priority, and the security implications of adding WiFi are naturally a concern.

AirTight Secure WiFi™ combines the benefits of WiFi access with industry’s best wireless intrusion prevention and security technology in a single solution, enabling businesses to provide hassle-free WiFi access, while securing their network from WiFi threats and staying PCI compliant.

Nurturing Customer Relations

Offering WiFi, especially if it’s free, is a proven way to attract customers; however, you can go beyond simply providing the convenience of Internet access to guests. AirTight Secure WiFi can be used to creatively leverage the revolution of smart devices and mobile apps for expanding your relationship with customers.

Engage using Social Media, Customized Content and Geo-marketing

Your business could use social media tools to communicate with guests even when they are on-site. A customized content feed to guests could offer valuable information, e.g., newly introduced items on the menu, rewards programs, polls to get feedback on food and service, and contests.
WiFi captive portals could be customized for groups of restaurants or individual outlets for localized marketing, e.g., to push coupons, announce daily specials, inform about fundraising programs for non-profits, and advertise career opportunities.
Customers can be encouraged to register their information to participate in localized opt-in marketing programs. Emerging geo-marketing mobile apps could be integrated with WiFi access to explore new ways of engaging guests.

Maximizing Service Efficiency

AirTight Secure Wi‐Fi can help you to bring efficiencies to the service floor—busting long lines and boosting the average order size and the number of orders catered per day.

Cater Orders with Mobile PoS

Wait staff can use dedicated Wi‐Fi PoS handhelds or repurpose smart phones and tablets with PoS apps to take orders and swipe credit cards at the tables or when customers are waiting in line or even on demand if cars line up at the drive thru. Card transactions over AirTight Secure Wi‐Fi can be protected using the state‐of‐the‐art WPA2/AES encryption and 802.1x authentication.

AirTight’s Wi‐Fi access solution is vendor agnostic when it comes to supporting Wi‐Fi certified mobile PoS terminals. So you can make decisions about Wi‐Fi PoS products independently and future‐proof your investment.

Wireless Self‐service Kiosks without the Hefty Service Fees

Wireless kiosks are fast becoming popular among quick‐serve restaurants for allowing patrons to place orders without waiting in long lines. However, high service fees for 3G/4G kiosks have been prohibitive. With AirTight Secure Wi‐Fi in the outlets, you can simply deploy Wi‐Fi kiosks and completely eliminate the recurring hefty 3G/4G fees.

In‐store online ordering is another way to enable self‐service for guests without the need for dedicated kiosks.

The captive portal on AirTight Secure Wi‐Fi access points could be customized with your company branding and designed to inform customers about special offers and allow them to place orders from their Wi‐Fi devices. Customers can enjoy the Internet access while their orders get ready, instead of standing in a long line or waiting for their turn at the drive thru.

Staying Secure and Compliant

While you maximize the business benefits of Wi‐Fi access, AirTight Secure Wi‐Fi will scan for wireless vulnerabilities such as rogue access points and ensure that your enterprise remains protected and meets the wireless security requirements of PCI DSS compliance.

Each AirTight Wi‐Fi access point can support multiple wireless networks. You can run a guest Wi‐Fi hotspot alongside an encrypted Wi‐Fi network for processing credit card transactions or for transmitting other corporate data. AirTight will completely separate the wireless networks so that the guest network data never mixes with the secure corporate data. This ensures that your corporate networks and data remain isolated from guest Wi‐Fi access.

As the industry’s first and still the only cloud‐based solution, AirTight Secure Wi‐Fi simplifies the centralized management of Wi‐Fi access and security across thousands of geographically distributed locations as compared to traditional Wi‐Fi solutions. Its plug and play deployment and ease of use eliminate the need for IT staff at remote locations.

Automatic Policy Enforcements


With this in place, your network is protected from all types of wireless threats, vulnerabilities and attack tools!

AirTight WIPS – The Only True WIPS

Key Features

• IEEE 802.11a/b/g/n protocols
• WPA/WPA2 security with PSK and 802.1x authentication
• Multi‐VLAN and ‐SSID support
• Multiple modes of operation: full AP, AP/sensor combo and full sensor
• Automated wireless scanning powered by industry’s best wireless IPS technology
• Consolidated wireless PCI DSS compliance reporting
• Customizable captive portal for localized experience
• Cloud‐based management

Key Benefits

• Ideal for geographically distributed locations with unlimited scalability
• Plug and play deployment eliminates need for IT support at remote locations
• Cloud‐based management simplifies the management of thousands of geographically distributed locations
• Hierarchical location‐based management simplifies policy definition and enforcement
• Pay‐as‐you‐go subscription pricing eliminates capital expenditure
• A single solution for Wi‐Fi access, security and PCI compliance that delivers the best ROI

About AirTight Networks

AirTight Networks is the global leader in wireless security and compliance products and services, providing customers best‐of‐breed technology to automatically detect, classify, locate and block all current and emerging wireless threats. AirTight offers industry’s leading wireless intrusion prevention system (WIPS) and the world’s only SaaS based wireless security, compliance and Wi‐Fi access branded as AirTight Cloud Services™. AirTight’s award‐winning solutions are used by customers globally in the financial, government, retail and hospitality, manufacturing, transportation, education, health care, telecom, and technology industries. AirTight owns the seminal patents for wireless intrusion prevention technology with 20 U.S. patents and three international patents granted (Australia, Japan and UK), and more than 20 additional patents pending. AirTight Networks is a privately held company based in Mountain View, CA. For more information please visit: www.airtightnetworks.com