Control 15.10: Create Separate Wireless Network for Personal and Untrusted Devices
Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Category
Procedural
Purpose
Some computers, tablets and smartphones are more trustworthy than others. A device that was bought, configured and used safely by an employee or the enterprise is likely more trustworthy than a completely unknown device the enterprise has never seen before. This level of trust can be extended past enterprise devices and into the company’s networks: devices that are trusted and used only for company tasks should be kept on a network completely separate from personal devices owned by employees or guests. Doing so keeps devices that are misconfigured, infected with malware, or insecurely built from being used to infect the network and its systems. Personal and guest devices may already harbor malware that could steal sensitive enterprise data or attack other computers and devices on the network. One infected device can place every device on that network in danger.
Automation
Making a clearly identified guest network available for personal and guest devices helps employees and guests know which networks are for enterprise use and which are not. There is no easy way to automate this Sub-Control. Separate networks will need to be created and properly configured at each wireless access point. Many popular wireless access points come with the ability to broadcast a guest network built right in.
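As an added example, not taken from the CIS Controls text or from any vendor guide, this is how the separation and the "filtered and audited" requirement could be realized on a self-managed Linux access point: a hostapd configuration that broadcasts an enterprise SSID and a guest SSID on separate bridges, and an nftables ruleset that keeps guest traffic off enterprise address space and logs every attempt. The interface and bridge names (wlan0, br-corp, br-guest, wan0), the SSIDs, the file paths and the placeholder passphrases are assumptions.

```conf
# /etc/hostapd/hostapd.conf  (assumed path; one radio carrying two BSSes)
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
ieee80211n=1

# BSS 1: enterprise SSID, bridged to the trusted LAN bridge br-corp (assumed name).
# A real deployment would normally use WPA-EAP/802.1X here instead of a PSK.
ssid=CORP-WIFI
bridge=br-corp
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-corp-placeholder

# BSS 2: guest SSID on its own bridge br-guest; ap_isolate stops guests
# from talking to each other over the access point.
bss=wlan0_1
ssid=GUEST-WIFI
bridge=br-guest
ap_isolate=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-guest-placeholder

# /etc/nftables.conf  (assumed path) -- the guest bridge is untrusted: it gets
# Internet egress only, and anything aimed at enterprise address space is
# counted, logged with a searchable prefix for audit, and dropped.
table inet guest_policy {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Guest -> private (RFC 1918) ranges used by the enterprise: audit then drop
        iifname "br-guest" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter log prefix "GUEST-TO-ENTERPRISE " drop

        # Guest -> Internet only (wan0 is the assumed uplink interface)
        iifname "br-guest" oifname "wan0" accept

        # Trusted LAN reaches the Internet; nothing is forwarded from br-corp into br-guest either
        iifname "br-corp" oifname "wan0" accept
    }
}
```

DHCP and DNS that the gateway itself serves to guests are handled in the input chain, not shown here, so allow only those services from br-guest there. Dropped attempts appear in the kernel log under the GUEST-TO-ENTERPRISE prefix, which is what the audit should review.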
Guidance and Tools
The following resources show how to create guest networks on some of the most common wireless access points from United States ISPs.
- Verizon: Verizon provides guidance on separating networks (https://www.verizon.com/cs/groups/public/documents/adacct/guest-wifisetupguide-smb.pdf).
- Comcast: Comcast provides guidance on utilizing guest networks (https://www.xfinity.com/support/internet/help-guests-get-online/).