Security Deployment Considerations - Motorola WiNG 5 System Reference Manual


8.4 Security Deployment Considerations

Before defining a Firewall supported configuration, refer to the following deployment guidelines to ensure the
configuration is optimally effective:
• Firewalls implement access control policies, so if you don't have an idea of what kind of access to allow or deny, a
Firewall is of little value.
• It's important to recognize the Firewall's configuration is a mechanism for enforcing a network access policy.
• A role based Firewall requires an advanced security license to apply inbound and outbound Firewall policies to users
and devices. Role based firewalls are not supported on AP-6511 and AP-6521 model access points.
• Firewalls cannot protect against tunneling over application protocols to poorly secured wireless clients.
• Firewalls should be deployed on WLANs implementing weak encryption to minimize access to trusted networks and
hosts in the event the WLAN is compromised.
• Firewalls should be enabled when providing Hotspot guest access. Firewalls should be applied to Hotspot enabled
WLANs to prevent guest user traffic from being routed to trusted networks and hosts.

Before configuring WIPS support, refer to the following deployment guidelines to ensure the configuration is optimally
effective:
• WIPS is best utilized when deployed in conjunction with a corporate or enterprise wireless security policy. Since an
organization's security goals vary, the security policy should document site specific concerns. The WIPS system can
then be modified to support and enforce these additional security policies.
• WIPS reporting tools can minimize dedicated administration time. Vulnerability and activity reports should
automatically run and be distributed to the appropriate administrators. These reports should highlight areas to be
investigated and minimize the need for network monitoring.
• It's important to keep your WIPS system firmware and software up to date. A quarterly system audit can ensure
firmware and software versions are current.
• Only a trained wireless network administrator can determine the criteria used to authorize or ignore devices. You may
want to consider your organization's overall security policy and your tolerance for risk versus users' need for network
access. Some questions that may be useful in deciding how to classify a device are:
  • Does the device conform to any vendor requirements you have?
  • What is the signal strength of the device? Is it likely the device is outside your physical radio coverage area?
  • Is the detected access point properly configured according to your organization's security policies?
• Motorola Solutions recommends trusted and known access points be added to a sanctioned AP list. This will
minimize the number of unsanctioned AP alarms received.
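
The device classification questions above can be written down as a triage function over detected access points. This is an added example, not Motorola Solutions code or WiNG behavior; the BSSIDs, SSIDs, vendor prefixes, RSSI threshold and verdict names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy values (assumptions for this example, not WiNG defaults).
SANCTIONED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
APPROVED_OUIS = {"00:11:22"}            # vendor requirement, as MAC prefixes
CORPORATE_SSIDS = {"corp-wlan"}
REQUIRED_ENCRYPTION = {"wpa2-enterprise"}
COVERAGE_RSSI_DBM = -75                 # weaker: likely outside coverage area

@dataclass(frozen=True)
class DetectedAP:
    bssid: str
    ssid: str
    encryption: str
    rssi_dbm: int

def classify(ap):
    """Return (verdict, reasons) for one detected access point."""
    bssid = ap.bssid.lower()
    corporate = ap.ssid in CORPORATE_SSIDS
    if bssid in SANCTIONED_BSSIDS:
        # Known AP: still verify it is configured according to policy.
        if corporate and ap.encryption not in REQUIRED_ENCRYPTION:
            return "sanctioned-misconfigured", ["encryption below policy"]
        return "sanctioned", []
    reasons = ["not on sanctioned AP list"]
    if bssid[:8] not in APPROVED_OUIS:
        reasons.append("vendor not approved")
    if corporate:
        # Never ignore an unknown AP advertising a corporate SSID, however weak.
        reasons.append("unsanctioned AP advertising corporate SSID")
        return "unsanctioned", reasons
    if ap.rssi_dbm < COVERAGE_RSSI_DBM:
        reasons.append("weak signal, likely outside coverage area")
        return "ignore-candidate", reasons
    return "unsanctioned", reasons

# Constructed sample detections.
SAMPLE = [
    DetectedAP("00:11:22:AA:BB:01", "corp-wlan", "wpa2-enterprise", -50),
    DetectedAP("00:11:22:aa:bb:02", "corp-wlan", "open", -48),
    DetectedAP("de:ad:be:ef:00:01", "corp-wlan", "open", -60),
    DetectedAP("66:77:88:00:00:09", "coffee-shop", "wpa2-personal", -88),
    DetectedAP("de:ad:be:ef:00:02", "corp-wlan", "open", -90),
]

def triage(detections):
    """Map each BSSID to its verdict so alarms can be reviewed by class."""
    return {ap.bssid.lower(): classify(ap)[0] for ap in detections}
```

An "ignore-candidate" verdict is a suggestion for the administrator to review, since the text leaves the authorize-or-ignore decision to a trained wireless network administrator.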