DEPLOYMENT GUIDE:
Secure Cloud-managed Wireless LAN Solution
Beyond Wi-Fi Security
How important is security beyond WLAN access control? Today’s
Wi-Fi authentication and encryption standards (WPA2, 802.1X etc.)
are generally accepted as robust Wi-Fi access control mechanisms.
Why does anyone need more security than that? Well, the threat
landscape has moved up the stack, and it is constantly evolving.
Our growing dependence on the Internet and cloud services, along
with BYOD, has resulted in exponential growth in potential threat
vectors and targets.
Threats enter your network through common applications like
email, web browsers and social networking tools, as well as
seemingly innocent apps and games on the mobile devices
belonging to your staff or customers. Worms and viruses on an
infected mobile device can infect other Wi-Fi attached devices,
even without either of them accessing the Internet.
Securing business communications, personal information, financial
transactions, and the mobile devices of your users involves
much more than Wi-Fi access control. It requires scanning for
malware, preventing access to malicious websites, and controlling
application usage. But typical Cloud Wi-Fi solutions do not cater
to these requirements. Fortinet has a novel approach which
completely addresses this shortcoming in all existing Cloud Wi-Fi
offerings.
Fortinet Secure Cloud-managed Wi-Fi
Fortinet’s Cloud Wi-Fi solution is unlike any other Cloud Wi-Fi
offering. Based on the FortiCloud provisioning and management
service, and a new class of access points, the FortiAP-S series, it
offers the same network security capabilities typically found only
in controller-managed enterprise WLAN solutions combined with
supplementary security services.
Normally, if you want to apply comprehensive security for all types
of traffic from access points in remote offices, you need to tunnel
traffic through centralized security devices on the corporate LAN,
and often hairpin it back to where it came from. All this adds
latency and burns the capacity of your network links, forcing
premature costly upgrades.
Doing this is not only complicated, it also masks your visibility of
client and user behavior, as it requires entire VLANs, not unique
sessions, to be mapped from one security appliance to the next, to
process security in multiple passes through different devices. It is
highly inefficient.
Distributed enterprises in hospitality, retail and healthcare which
have large numbers of guests would rather not be tunneling video,
gaming and other high-bandwidth traffic from their guests through
the corporate network. But if they want to control application
usage, such as preventing a guest from watching inappropriate
content in their coffee shop, or if they want to fully protect devices
from cyber-threats, they’ve had no alternative until now.
Many vendors’ controller-managed WLAN solutions, including
Fortinet’s solution, allow split routing at remote offices whereby
corporate traffic is tunneled over the WAN to undergo security
processing at the head office or data center, while Internet traffic
goes directly to the Internet. But this Internet traffic is no longer
protected by corporate IPS, antivirus, and web filtering appliances.
Alternatively, all traffic from authenticated corporate users may be
tunneled through the WAN, while only guest traffic goes directly
to the Internet. In this case only guest traffic is unprotected and
uncontrolled. Still, neither approach is ideal.
With the FortiAP-S series all traffic from any type of user can be
protected and controlled regardless of whether it is corporate or
Internet traffic, without tunneling everything through the corporate
WAN. Not only is this efficient and cost-effective, it is also the most
secure and least complex of all options.