Next-generation WiFi infrastructure: redesign focused on cybersecurity

Thanks to its long-standing expertise and capacity, Paraflow implemented a critically important transformation in an international company.
WiFi Network Redesign for Enhanced Cybersecurity Level
International Company
Production
Cybersecurity and Network Infrastructure
Cisco, Cisco ISE, Microsoft Intune, Microsoft Cloud PKI
Paraflow received an assignment from its long-term client, an international company with subsidiaries in several countries, including Bulgaria, to redesign the corporate Wi-Fi infrastructure and address multiple security issues in the Wi-Fi networks it provides. In most of its offices, the company offers Wi-Fi access to employees, contractors, and visitors. External collaborators and suppliers often need Wi-Fi access to the corporate network to maintain equipment, software, and hardware solutions. Contractors and collaborators typically work on a BYOD basis and authenticate to Wi-Fi with a username and password; in some cases the company lends them corporate devices for the duration of the work. Employees likewise connect their laptops and mobile devices to the corporate Wi-Fi network with a username and password, which is weaker than certificate-based authentication. Devices run all the common operating systems: Windows, macOS, iOS, and Android.

Challenges
The challenges the Paraflow team identified while preparing the project all concerned wireless access, specifically:
- Employees change their passwords regularly, but the new password is not automatically updated on all of their devices. Devices that keep authenticating with the old credentials lock the user account and are disconnected from the Wi-Fi network.
- Machine-certificate authentication gave inconsistent results because of the wide variety of devices and operating systems and the lack of a centralized solution for issuing and installing certificates on them.
- Contractors and collaborators reach the corporate Wi-Fi network from their personal devices; sometimes the company lends them corporate devices to carry out their work.
To address these issues, a project was initiated to redesign the corporate Wi-Fi infrastructure with security as the main focus. Its goals were to:
- Reduce the number of Wi-Fi networks in the organization.
- Clearly distinguish between Wi-Fi networks for employees, for external visitors and suppliers, and for mobile devices owned by the company.
- Enhance the level of security in the Wi-Fi infrastructure by using digital certificates for all devices (desktop computers, mobile devices, laptops) and centralized management of access to Wi-Fi networks through system profiles defined in Microsoft Intune.

Methods
The approaches used by Paraflow were the following:
- Use of predefined profiles in Microsoft Intune for managing access to Wi-Fi networks.
- Use of machine certificates as an additional security factor, issued by Microsoft Cloud PKI.
- Access control (AAA) to Wi-Fi networks with Cisco ISE.
- Integration of Cisco ISE with Microsoft 365.
The Paraflow expert team proposed a combined solution in which Cisco ISE, Microsoft Intune, and Microsoft Cloud PKI work together: Intune profiles push the Wi-Fi configuration and request the certificates, Cloud PKI issues them, and ISE authenticates the certificate and checks the device's compliance state before granting access. The solution covered all stationary and mobile devices of the company running Windows, macOS, iOS, and Android.
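As an added illustration (not Paraflow's code and not Cisco ISE's actual policy language), the decision that ISE ends up making for the employee network can be written out as a small Python model. The certificate issuer name, SSIDs, device IDs and the compliance table are constructed for the example; in a real deployment ISE has to map the authenticated certificate to the Intune device record, usually through a device identifier that the Intune certificate profile writes into the certificate subject or SAN, and then queries Intune for the compliance state.

```python
"""Toy model of the Wi-Fi authorization flow: EAP-TLS certificate checks
first, then the Intune compliance lookup. All names and data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical issuing CA published by Microsoft Cloud PKI and trusted on ISE.
TRUSTED_ISSUERS = {"CN=Example Cloud PKI Issuing CA"}
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, required for EAP-TLS client certs

# Networks after the redesign (constructed names).
CORP_SSID = "corp-secure"    # corporate devices, EAP-TLS only
GUEST_SSID = "guest"         # visitors and BYOD contractors, no corporate access


@dataclass(frozen=True)
class MachineCert:
    subject_cn: str          # assumption: the Intune device ID is placed in the CN
    issuer: str
    not_before: datetime
    not_after: datetime
    eku: frozenset


@dataclass(frozen=True)
class AuthResult:
    permitted: bool
    network: Optional[str]
    reason: str


# Constructed stand-in for the ISE -> Intune compliance lookup.
INTUNE_COMPLIANCE = {
    "8f1c2e7a-laptop-0042": "compliant",
    "8f1c2e7a-laptop-0099": "noncompliant",
}


def authorize(cert: Optional[MachineCert], now: datetime,
              compliance=INTUNE_COMPLIANCE) -> AuthResult:
    """Return the network a device may join, or a rejection with the reason."""
    if cert is None:
        # No machine certificate: only the guest network is available.
        return AuthResult(True, GUEST_SSID, "no certificate; guest network only")
    # The first three checks are what EAP-TLS itself enforces on ISE.
    if cert.issuer not in TRUSTED_ISSUERS:
        return AuthResult(False, None, f"untrusted issuer {cert.issuer}")
    if not (cert.not_before <= now <= cert.not_after):
        return AuthResult(False, None, "certificate outside its validity period")
    if CLIENT_AUTH_EKU not in cert.eku:
        return AuthResult(False, None, "certificate lacks client-authentication EKU")
    # A valid certificate proves key possession, not that the device is managed.
    state = compliance.get(cert.subject_cn)
    if state is None:
        return AuthResult(False, None, "device unknown to Intune; treated as non-compliant")
    if state != "compliant":
        return AuthResult(False, None, f"Intune reports {state}")
    return AuthResult(True, CORP_SSID, "valid machine certificate and compliant in Intune")


def make_cert(device_id: str, issued: datetime,
              issuer: str = "CN=Example Cloud PKI Issuing CA",
              days_valid: int = 365,
              eku: frozenset = frozenset({CLIENT_AUTH_EKU})) -> MachineCert:
    """Build a constructed certificate record for the scenarios below."""
    return MachineCert(device_id, issuer, issued, issued + timedelta(days=days_valid), eku)


def demo() -> dict:
    """Run the scenarios a policy reviewer would want covered."""
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    issued = now - timedelta(days=30)
    cases = {
        "compliant": make_cert("8f1c2e7a-laptop-0042", issued),
        "noncompliant": make_cert("8f1c2e7a-laptop-0099", issued),
        "unmanaged": make_cert("no-such-device", issued),
        "rogue_ca": make_cert("8f1c2e7a-laptop-0042", issued, issuer="CN=Rogue CA"),
        "expired": make_cert("8f1c2e7a-laptop-0042", now - timedelta(days=400)),
        "no_eku": make_cert("8f1c2e7a-laptop-0042", issued, eku=frozenset()),
        "guest": None,
    }
    return {name: authorize(cert, now) for name, cert in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} permitted={result.permitted} network={result.network} ({result.reason})")
```

The ordering matters: a device that fails the certificate checks never triggers a compliance lookup, and a device that passes them is still rejected when Intune has no record of it, so the lookup key (here the CN) must be something the certificate profile writes into every corporate certificate. The "rogue_ca" case is why ISE should trust only the Cloud PKI issuing CA for this SSID rather than every CA in its store.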

Results
- Clearly defined cybersecurity requirements for connecting devices to the company's wireless network.
- Centralized management of wireless access for all company devices through system profiles in Microsoft Intune. Corporate devices can connect only to the Wi-Fi networks permitted by those profiles, and only in compliance with the relevant cybersecurity requirements.
- Centralized checking of the status (Compliant/Non-compliant) of each device requesting access to the corporate Wi-Fi network, through the integration between Cisco ISE and Microsoft Intune. A device reported as Non-compliant is denied access to the corporate Wi-Fi network.
- Increased cybersecurity in the organization's Wi-Fi networks through machine certificates as an additional authentication factor.
- A reduced number of Wi-Fi networks.
Microsoft Intune was implemented as the centralized device-management solution, enforcing unified security standards, standardizing settings, increasing efficiency, and reducing maintenance effort.
This type of project is a strategic choice for any organization striving for comprehensive protection of wireless access and secure connectivity of every device in the corporate environment. The Paraflow team has many years of expertise and capacity to implement such critically important transformations.
The Paraflow team is looking forward to answering your questions.
