Security of ERP using a wireless network
We are looking into the possibility of allowing access to our Banner ERP system (where SSN, grades, etc. are stored) via an encrypted wireless network. We would be using WPA2/AES with a pre-shared key which would change on a regular basis. I would greatly appreciate any feedback that you can give on this. I would especially like to know if any of you are doing anything like this or are you just using wired connections. I know there is always a certain amount of risk involved with any network, but it would be helpful for me to hear from the community.
Thank you,
Joey Bridges
Associate VP for Technology Services
Gardner-Webb University
Comments
Kevin Kelly
Director, Network Technology
Whitman College
From: "Joey Bridges" <jbridges@GARDNER-WEBB.EDU>
To: CIO@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, June 13, 2012 3:08:36 PM
Subject: [CIO] Security of ERP using a wireless network
That is not safe.
WPA2 with pre-shared keys is not meant for enterprise environments. The complexity of distributing the keys just increases the chance that the key will be leaked and allow someone to gain access and/or monitor traffic. It would also make it easy for any legitimate user (employee) to monitor all of the wireless traffic. To be fair, employees can also sniff their local subnet on your wired network if you don’t have port security or 802.1x running, but it’s a little more difficult and easier to get caught.
If the underlying connection to your ERP system is encrypted (e.g. SSL), then that traffic will still be secure but you are still opening your network up in other ways.
If you want to allow wireless access, you should use WPA2 with 802.1x authentication, not pre-shared keys.
You need to address the security of the machines your staff will be using to connect. Will they be able to use personally-owned devices? If so, what measures are you going to take to prevent data loss via malware? Any machine your staff are using to connect to your ERP system should, at a minimum, be patched up to date and have anti-virus.
Regards,
Steven Alexander Jr.
Online Education Systems Manager
Merced College
3600 M Street
Merced, CA 95348-2898
(209) 384-6191
alexander.s@mccd.edu
As for an EMR, I would strongly recommend that if you absolutely have to use wireless to pass personally identifiable information, (and ask, sincerely, do you, really?), use a VPN.
WPA of all persuasions, and SSL, have been hacked, as perennially demonstrated at DefCon, every year. If reasonably proficient folks want the info, they will get it over the air using WPAx + SSL.
Repeat: no VPN = don’t do it.
My two bits.
Sincerely,
Scott Helf, DO, MSIT
Chief Technology Officer-COMP
Director, Academic Informatics
Assistant Professor
Department of Academic Informatics
Office of Academic Affairs
College of Osteopathic Medicine of the Pacific
Western University of Health Sciences
309 East 2nd Street
Pomona, CA 91766
909-781-4353
shelf@westernu.edu
www.westernu.edu
You may want to double check this with the vendor, but I believe that Banner INB itself has its own encryption, totally separate from any encryption that might be going on within your networking infrastructure. However, Banner SSB does not.
Jerry
----------------------------------------------------------------------------------------
Jerry Bryan • Vice President of Information Services • Pellissippi State • 10915 Hardin Valley Road • P.O. Box 22990 • Knoxville, TN 37933-0990
Voice: 865 539-7127 • Fax: 865 539-7653 • E-mail: jbryan@pstcc.edu
Joey,
As follow up to all the great advice offered in other comments, I thought I’d offer some advice as well, based on our work in Higher Education.
In reading your email, the first question that came to mind was in wondering what you meant by “regular basis.” The change should be very frequent.
Probably the main thing you need to address is how you plan to manage the pre-shared key. The “best” or most ideal way to manage the pre-shared key is if you own all the devices; then you can manage and implement the key from domain control. Most of us are dealing with BYOD, and the organization does not own the devices – there are personal devices being brought to the institution by employees and students. In the case of BYOD, the organization must wrestle with the decision between “should we even allow access to pre-shared keys?” If the decision is made to allow pre-shared keys on personally owned devices, then the organization should develop clear policies and procedures about BYOD (to address and mitigate the risks), train and communicate related to the policies and procedures, apply them consistently, and regularly gather evidence and documentation that proves you are executing your policies and procedures.
Good luck, and I hope you’ll let us all know what you decide.
Verna Lynch | Senior Consultant
d: 207.739.9540 | vlynch@berrydunn.com
www.berrydunn.com/consulting