Controlling Wi-Fi access
This protection mode controls how mobile workstations access Wi-Fi networks by:
- Allowing or preventing the use of Wi-Fi connections and defining a whitelist of Wi-Fi access points in the form of rules, based on the SSID of the Wi-Fi network and/or MAC address of the Wi-Fi access point,
- Allowing or preventing the use of ad hoc Wi-Fi connections,
- Forcing the use of secure authentication protocols.
Wi-Fi connections are disabled by default in protection rule sets. If your security policy contains several protection rule sets, enable the Wi-Fi rule only in the set(s) in which you want to configure Wi-Fi access, and arrange your rule sets in the right order in the policy. If a rule set near the top of the policy enables and allows Wi-Fi access, that rule overrides and cancels the effect of the Wi-Fi access configuration in the rule sets that follow.
Depending on certain events, a policy that blocks Wi-Fi connections inside or outside a perimeter can be enabled using conditional policies. For more information, refer to the section Assigning a security policy to agents.
To allow or block the Wi-Fi connection feature on workstations:
- Select the Security > Policies menu and click on your policy.
- Select a rule set.
- Click on the Networks > Wi-Fi tab.
- If you are in read-only mode, click on Edit in the upper banner.
- The first Wi-Fi connection rule cannot be deleted and is disabled by default. This rule allows you to authorize or block the operation of Wi-Fi network cards on workstations. It is only present in protection rule sets. Expand the rule, enable it by clicking on the button on the left, then authorize or block access.
If you disable or block Wi-Fi access and your policy contains rules regarding access to Wi-Fi networks, these rules will not be evaluated.
For more granular management of access to Wi-Fi networks, allow Wi-Fi connections and create Wi-Fi network rules.
After you allow the Wi-Fi connection in the first rule of a protection rule set, create rules to block or allow access to certain Wi-Fi networks, or create rules to audit access to Wi-Fi in an audit rule set. By default, if no rules are defined, access to all Wi-Fi networks is allowed, so rules can be used to block access to specific networks in blacklist mode. If you prefer to operate in whitelist mode, i.e., explicitly allowing access to certain networks only, create the rules that allow those networks, then add a rule that blocks access to all networks and place it last, so that it only applies to networks that no earlier rule has allowed.
To create Wi-Fi network rules:
- In the Wi-Fi tab, click on Add > Rule (Wi-Fi networks). A new line is displayed.
- In the left side of the rule, click on the button to add a Wi-Fi network.
- Enter the following information:
- Network name,
- SSID (Service Set IDentifier). Wildcards are permitted (e.g., stormshield*) and matching is case-insensitive,
- MAC address of the access point(s), in hexadecimal format. To enter several, click on the + icon,
- Wi-Fi connection mode,
- Authentication type, to secure communications with the Wi-Fi access point(s).
NOTE
The WPA3 authentication mode is not compatible with SES Evolution agents in a version lower than version 2.4.
- In the Connection field, select Allow or Block.
- In the upper banner of the rule, you can:
- Make the rule passive. A passive rule acts like a standard rule but does not actually block actions; the agent only emits logs indicating which actions would have been blocked by the rule. Use this mode to test new restriction rules, assess their impact and make adjustments before disabling the Passive rule mode. For more information on testing rules and policies, refer to the section Testing security policies.
- Select the settings of the logs that this rule will emit.
- Specify whether an action must be performed when a log is emitted for this rule.
- Enter a comment.
- Enter a description explaining the purpose of the rule.
- Each rule displays its rank number on its left. If necessary, reorder your rules by clicking on the arrows above and below the number.
- Click on Save in the upper right corner to save your changes.
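The following added example models the evaluation of an ordered list of Wi-Fi network rules as described above (the first rule controlling the Wi-Fi card, wildcard SSID matching that ignores case, optional access-point MAC addresses, allow by default when nothing matches, a trailing block-all rule for whitelist mode, and passive rules that only log). It is illustrative code written for this page, not Stormshield's or SES Evolution's own implementation. Two points are assumptions rather than statements from the page: rules are evaluated top to bottom and the first matching active rule decides, and a passive rule logs what it would have done and lets evaluation continue. The network names and MAC addresses are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class WifiRule:
    name: str
    ssid: str                    # pattern; only '*' is a wildcard, matched case-insensitively
    macs: Tuple[str, ...] = ()   # access-point MAC addresses; empty means any access point
    action: str = "block"        # "allow" or "block"
    passive: bool = False        # log only, never actually blocks


@dataclass
class Decision:
    allowed: bool
    matched_by: Optional[str]
    logs: List[str] = field(default_factory=list)


def ssid_matches(pattern: str, ssid: str) -> bool:
    """'stormshield*' style matching: '*' is a wildcard, everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, ssid, re.IGNORECASE) is not None


def normalize_mac(mac: str) -> str:
    return mac.replace("-", ":").lower()


def rule_matches(rule: WifiRule, ssid: str, bssid: str) -> bool:
    if not ssid_matches(rule.ssid, ssid):
        return False
    if rule.macs and normalize_mac(bssid) not in {normalize_mac(m) for m in rule.macs}:
        return False
    return True


def evaluate(wifi_enabled: bool, rules: List[WifiRule], ssid: str, bssid: str) -> Decision:
    """Decide whether a connection to (ssid, bssid) is allowed by the rule set."""
    if not wifi_enabled:
        # First rule blocks the Wi-Fi card: network rules are not evaluated at all.
        return Decision(False, "wifi-card", ["Wi-Fi blocked by the first rule; network rules skipped"])
    decision = Decision(True, None)  # default when no rule matches: allow
    for rule in rules:               # assumption: first matching active rule decides
        if not rule_matches(rule, ssid, bssid):
            continue
        if rule.passive:
            if rule.action == "block":
                decision.logs.append(f"[passive] {rule.name} would have blocked {ssid} ({bssid})")
            continue                 # assumption: a passive rule does not end evaluation
        decision.allowed = rule.action == "allow"
        decision.matched_by = rule.name
        decision.logs.append(f"{rule.name} -> {rule.action} {ssid} ({bssid})")
        return decision
    return decision


# Constructed whitelist-mode policy: corporate SSIDs only on known access points,
# a guest network on any access point, and a block-all rule placed last.
CORP_APS = ("00:11:22:33:44:55", "00-11-22-33-44-66")
WHITELIST_RULES = [
    WifiRule("corp-trusted-aps", "corp-*", CORP_APS, "allow"),
    WifiRule("guest-any-ap", "guest", (), "allow"),
    WifiRule("block-everything-else", "*", (), "block"),
]


def demo() -> dict:
    """Outcome of a few connection attempts against the whitelist policy."""
    rogue_ap = "de:ad:be:ef:00:01"   # constructed: an access point not in CORP_APS
    return {
        "corp_known_ap": evaluate(True, WHITELIST_RULES, "CORP-hq", "00:11:22:33:44:66").allowed,
        "corp_rogue_ap": evaluate(True, WHITELIST_RULES, "corp-hq", rogue_ap).allowed,
        "guest": evaluate(True, WHITELIST_RULES, "Guest", rogue_ap).allowed,
        "cafe": evaluate(True, WHITELIST_RULES, "cafe-free", rogue_ap).allowed,
        "card_disabled": evaluate(False, WHITELIST_RULES, "CORP-hq", "00:11:22:33:44:66").allowed,
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'block'}")
```

The "corp_rogue_ap" case is the one worth noting: a network that spoofs a corporate SSID from an unlisted access point does not match the MAC-restricted allow rule and falls through to the trailing block-all rule, which is why the page recommends placing that rule last in whitelist mode. Putting a passive copy of the block-all rule at the top of the list only produces "[passive] ... would have blocked" log lines without changing the outcome, which is how you would test such a rule before enforcing it.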