Wi-Fi Zero-Trust Architecture

Wi-Fi Zero Trust is a new security architecture that applies a zero-trust policy to every device, even one that is an IT asset of the organisation. The zero-trust security architecture follows the principle of 'never trust, always verify'.

The Inside Threat

Traditionally, organisations focus on defending access into their network and assume that every device inside the network is trusted and authorised to access resources. The weakness of this model is that once an attacker or unauthorised device gains access to the network, that device can easily reach all of the internal resources. In the Wi-Fi zero-trust architecture, no device inside the network is trusted by default: every device is authorised individually and isolated from other network devices and users.

Possible Solutions

When looking at how to implement a Wi-Fi Zero-Trust architecture inside your network, there are a few possible approaches. There is no single definitive solution, as security should always be designed with a layered approach in mind.

Client VPNs

Client VPNs are an easy go-to solution for users, who are already familiar with this technology because it is widely used for accessing networks from external locations. The idea here is that each device has a VPN client installed that terminates at your perimeter, with access to resources typically controlled by a firewall or security device. The downside to this approach is the additional overhead of managing the VPN client and the VPN concentrator.

A further problem with this approach is that the network can no longer see the traffic, as it is tunnelled inside the VPN, so you cannot apply any application visibility controls or QoS (Quality of Service). This is especially undesirable for voice and video applications over a Wi-Fi network, since the traffic from these applications needs to be marked and prioritised to ensure end-to-end performance.

Client Isolation

Client isolation has been around for a long time and is best known for its use in Wi-Fi hotspot solutions, where each client is isolated from the others to stop one user from communicating with another. Below is a Wi-Fi network where each client is isolated from the others.

[Figure: Wi-Fi network with client isolation enabled]

For those not too familiar with how client isolation works, here is a quick video from CommScope that explains it (Ruckus Client Isolation). Client isolation whitelists are used to allow users to access resources on the network; keeping the lists up to date manually can be time-consuming, but they can be extremely effective. CommScope offers some granular controls over client isolation, as seen below.

[Figure: CommScope client isolation configuration options]

The downside to L2 client isolation is that it does not scale well and provides no protection outside its L2 subnet.

User/Device Private VLAN

Placing each user into their own VLAN or "bubble" is a more sophisticated way of isolating a user from other users and devices. The idea here is that each user is dynamically assigned their own VLAN upon authenticating to the Wi-Fi network and can only access the resources allowed by access control lists or firewall rules. This approach scales better than client isolation alone, as blacklisted devices are blocked from each other by default and whitelisted devices can be placed in various subnets.

The CommScope CloudPath Security Solution is one such solution that provides the ability to isolate users in this way, with the added benefit of not having to install any VPN software on each end device. Using CloudPath's auto VLAN assignment, you can assign available VLAN IDs from a configured range of VLANs to users during their enrolment onto the network. This feature can be used with a variety of authentication methods, such as 802.1X EAP-TLS (certificates), MAC authentication and DPSK (Dynamic Pre-Shared Key).
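As an added illustration of how per-user VLAN assignment is typically carried to the access point (example code, not CloudPath's own): a small allocator that leases one VLAN per identity from a configured range and returns the RFC 3580 RADIUS tunnel attributes an authenticator uses to place that client into its VLAN. The range, the identities and the fail-closed reject when the pool is exhausted are assumptions for illustration.

```python
from dataclasses import dataclass, field

# RFC 3580 attribute values: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


@dataclass
class VlanPool:
    """One VLAN per identity, leased from first..last (assumed range for illustration)."""
    first: int
    last: int
    leases: dict = field(default_factory=dict)  # identity -> vlan id

    def __post_init__(self):
        if not (1 <= self.first <= self.last <= 4094):
            raise ValueError("VLAN range must lie within 1-4094")

    def assign(self, identity: str):
        """Return the VLAN for identity, reusing an existing lease so a client that
        re-authenticates keeps its own bubble. Returns None when the range is exhausted."""
        if identity in self.leases:
            return self.leases[identity]
        in_use = set(self.leases.values())
        for vlan in range(self.first, self.last + 1):
            if vlan not in in_use:
                self.leases[identity] = vlan
                return vlan
        return None

    def release(self, identity: str) -> None:
        """Free the VLAN when the client leaves so it can be handed to the next user."""
        self.leases.pop(identity, None)


def access_response(pool: VlanPool, identity: str) -> dict:
    """Build the RADIUS reply. Exhaustion fails closed (Access-Reject) rather than
    dropping the client onto a shared VLAN, which would silently break the isolation."""
    vlan = pool.assign(identity)
    if vlan is None:
        return {"code": "Access-Reject", "reason": "vlan-pool-exhausted"}
    return {
        "code": "Access-Accept",
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(vlan),
    }
```

The ACLs or firewall rules that limit what each VLAN can reach are still applied on the network side; the reply only puts the client into its private VLAN.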

CloudPath also has a unique on-boarding service for provisioning devices, enabling seamless on-boarding of your corporate and BYOD devices. More information on CloudPath can be found in this webinar: https://www.youtube.com/watch?v=aU0FQfnFdZE

Wi-Fi Zero Trust Conclusion

There should be multiple layers of security in your Wi-Fi Zero-Trust design, starting with enterprise-level security. CloudPath brings the highest level of authentication for any user on any device on any network. Add to that placing each user into their own private VLAN and you have a highly secure, scalable network built to provide the security needed in today's zero-trust world.

If you would like more information on how we can secure your network using our cloud solution and professional services, please get in touch.