Controlling Wi-Fi access
This protection mode controls how mobile workstations access Wi-Fi networks by:
- Allowing or preventing the use of Wi-Fi connections and defining a whitelist of Wi-Fi access points in the form of rules, based on the SSID of the Wi-Fi network and/or MAC address of the Wi-Fi access point,
- Allowing or preventing the use of ad hoc Wi-Fi connections,
- Forcing the use of secure authentication protocols.
Wi-Fi connections are disabled by default in protection rule sets. If there are several protection rule sets in your security policy, ensure that you enable Wi-Fi access only in the set(s) in which you want to configure it, and arrange your rule sets in the right order in the policy. If you enable and allow Wi-Fi access in a rule set near the top of the policy, this rule may override and cancel the effect of the Wi-Fi access configuration in the rule sets that follow.
Depending on certain events, the block policy for Wi-Fi connections inside or outside a perimeter can be enabled using conditional policies. For more information, refer to the section Assigning a security policy to agents.
To allow or block the Wi-Fi connection feature on workstations:
- Select the Security > Policies menu and click on your policy.
- Select a rule set.
- Click on the Networks > Wi-Fi tab.
- If you are in read-only mode, click on Edit in the upper banner.
- The first Wi-Fi connection rule cannot be deleted, and is disabled by default. This rule allows you to authorize or block the operation of Wi-Fi network cards on workstations. It is only present in a protection rule set. Expand the rule, enable it by clicking on the button on the left, then authorize or block access.
If you disable or block Wi-Fi access and your policy contains rules regarding access to Wi-Fi networks, these rules will not be evaluated.
For more granular management of access to Wi-Fi networks, allow Wi-Fi connections and create Wi-Fi network rules.
After you allow the Wi-Fi connection in the first rule of a protection rule set, create rules to block or allow access to certain Wi-Fi networks, or create rules to audit access to Wi-Fi in an audit rule set. By default, if no rules are defined, access to all Wi-Fi networks is allowed and rules can therefore be used to block access to networks in blacklist mode. If you prefer to operate in whitelist mode, i.e., explicitly allowing access to certain networks, create a rule that blocks access to all networks other than those allowed, and place this rule at the end.
To create WiFi network rules:
- In the WiFi tab, click on Add > Rule (WiFi networks). A new line is displayed.
- In the left side of the rule, click on the icon to add a Wi-Fi network.
- Enter the following information:
- Network name,
- SSID (Service Set IDentifier). The use of wildcards is permitted (e.g.: stormshield*) and matching is case-insensitive,
- MAC address of the access point(s) in hexadecimal format. To indicate several, click on the + icon,
- WiFi connection mode,
- Authentication type, to secure communications with the Wi-Fi access point(s).
NOTE
The WPA3 authentication mode is not compatible with SES Evolution agents in a version lower than version 2.4.
- In the Connection field, select Allow or Block.
- In the upper banner in the rule, you can:
- Make the rule passive. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked.
Use this mode to test new restriction rules, determine their impact, and make the necessary adjustments before disabling Passive rule mode. For further information on testing rules and policies, refer to Testing security policies.
- Select the log settings that this rule will send.
- Specify whether an action must be performed when a log is sent for this rule.
- Enter a comment.
- Enter a description to explain what this rule aims to achieve.
- The row number of each rule appears on its left. Rearrange the sequence of your rules if you need to, by clicking on the arrows above and below the row number.
- Click on Save at the top right of the window to save changes.
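The following is an added example (not SES Evolution code) that models the rule semantics described above: the first Wi-Fi connection rule gating all network rules, SSID wildcards matched case-insensitively, optional access-point MAC and authentication-type constraints, passive rules that log without blocking, and whitelist mode built from a final block-all rule. It assumes rules are evaluated top to bottom with the first match deciding, and that no match means allow; all SSIDs, MAC addresses and rule names are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class WifiRule:
    """One Wi-Fi network rule (hypothetical model of the fields on this page)."""
    name: str
    ssid: str                    # wildcard pattern, e.g. "stormshield*", case-insensitive
    action: str                  # "allow" or "block"
    macs: set[str] = field(default_factory=set)  # empty = any access point
    auth: set[str] = field(default_factory=set)  # empty = any authentication type
    passive: bool = False        # log only, never block

    def matches(self, ssid: str, mac: str, auth: str) -> bool:
        if not fnmatchcase(ssid.lower(), self.ssid.lower()):
            return False
        if self.macs and mac.lower() not in {m.lower() for m in self.macs}:
            return False
        if self.auth and auth.upper() not in {a.upper() for a in self.auth}:
            return False
        return True


def evaluate(wifi_enabled: bool, rules: list[WifiRule],
             ssid: str, mac: str, auth: str) -> tuple[str, str]:
    """Return (decision, log). Assumption: first matching rule decides."""
    if not wifi_enabled:
        # First rule blocks Wi-Fi: network rules are not evaluated at all.
        return "block", "Wi-Fi disabled by connection rule; network rules skipped"
    for rule in rules:
        if rule.matches(ssid, mac, auth):
            if rule.passive:
                # Passive: behaves like a match but never blocks, only logs.
                return "allow", f"passive rule {rule.name!r} would {rule.action}"
            return rule.action, f"matched rule {rule.name!r}"
    return "allow", "no matching rule; access allowed by default"


# Constructed whitelist: corporate SSID on a known access point using WPA2/WPA3,
# followed by the block-all rule the page recommends placing last.
WHITELIST = [
    WifiRule("corp", "stormshield*", "allow",
             macs={"00:11:22:33:44:55"}, auth={"WPA2", "WPA3"}),
    WifiRule("catch-all", "*", "block"),
]

# Same policy with the catch-all made passive, as you would do when testing.
WHITELIST_PASSIVE = WHITELIST[:1] + [WifiRule("catch-all", "*", "block", passive=True)]
```

Run `evaluate(True, WHITELIST, "Stormshield-HQ", "00:11:22:33:44:55", "wpa2")` to see the corporate network allowed, and the same call with an unknown access point MAC to see it fall through to the block-all rule.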