Keeping Wi-Fi secure in a modern world

By Patrick Frost, Professional Services Network Consultant at LAN3.  

  • Monday, 17th September 2018. Posted by Phil Alsop
A lot of us in the technical world have our heads down at the moment and, before we know it, the end of 2018 will be upon us. We’ll find ourselves in a new world for wireless as the first of a new generation of access points creeps onto the market, labelled 802.11ax. When we cross a technology barrier like this it is natural to contrast it with the last time this happened and re-examine some of the challenges that we still face.

 

As the number of wireless devices per person increased and the Wi-Fi deployments responded with providing more bandwidth and reliability during the 802.11n era, Wi-Fi has changed from something of convenience to a functional necessity. Beyond that, BYOD and IoT have expanded the variety of connecting devices at an ever-increasing density. Add mobility into the mix and the demand from users is now: connect to anything, with anything from anywhere. In catering for them, the security at the edge of the network begins to dissolve.

 

In a modern wireless network, be it a multi-national or higher education, designing for wireless security and functionality in combination has become paramount to protect the increasing amounts of sensitive data we store and our business-critical systems.

Many of the best designs ensure the following principles: traffic segmentation, access control, client validation, accountability, reducing the impact of compromised credentials, reducing the risk of social engineering, data privacy and data integrity. The very best do so whilst making the user experience effortless and reducing administration.

 

Below are some examples of that in action:

 

Best Practice Basics: Segmenting Wi-Fi management traffic on a separate VLAN, blocking or refusing operation in legacy wireless modes or legacy authentication.

 

802.1X: Available from all enterprise vendors and, when combined with the data from a domain or a management platform, certificates can be deployed to more capable devices and used for machine-based authentication. Devices are often configured by policy, which makes ongoing administration very light. As users do not enter their credentials, this stops them being compromised either accidentally or through social engineering or keystroke monitoring. 802.1X has the option to use many different variations of authentication, but all are variations of EAP. Many of these use a certificate only to validate the server (such as PEAP), but others validate both the client and the RADIUS server with certificates (EAP-TLS). On top of this, many EAP types also support strong encryption of data traffic, and the RADIUS server must authenticate the AP with a shared secret.

 

Individual PSKs: Multiple vendors have adapted the WPA2 pre-shared key to allow many keys to be used for one SSID. This is very useful for devices that are not 802.1X capable or cannot be joined to a domain. The keys can be restricted to a certain number of authenticated users per key or restricted by time, which also makes them ideal for guest access or BYOD. If any key is compromised, this has little impact, as it can be revoked and a new key issued, which significantly reduces administration.

 

Onboarding Solutions: Available from a handful of vendors, these captive web portals are used to autoconfigure a device, sometimes by downloading a profile file which includes a certificate. This allows a BYOD or guest device to join a network by 802.1X with a highly secure EAP type. Although quite expensive, these systems greatly reduce administration whilst providing strong security for non-domain devices.

 

Role Based Access: The three solutions above can usually categorise a connection and deal with its traffic in different ways, usually putting it into a specific VLAN or applying firewall rules.

 

WDS: Most enterprise vendor APs can detect APs that may be affecting your network or pose a security threat. These will be categorised as Rogue APs by the Wireless Detection System. Rogue APs can have a very detrimental effect on a network, especially if deployed maliciously.

 

Even with these features, wireless networks can still be at risk from data theft by offline dictionary decryption or injection attacks using exploits like KRACK against WPA2. 802.11n and 802.11ac networks do not usually encrypt their management frames either, so Rogue APs or clients can spoof an AP and deauthenticate a client. This is usually done for jamming purposes, but it can be used to force clients onto a Rogue AP broadcasting the same SSID.
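As an added illustration (not code from the original article), the following Python script parses constructed 802.11 deauthentication frames and raises two defender-side signals: an unprotected deauth on a BSS that enforces Protected Management Frames, which a legitimate AP would never send there, and a burst of deauths from one BSSID. The BSSID, client MAC, frame bytes and thresholds are all constructed for the example.

```python
import struct
from collections import defaultdict

TYPE_MGMT, SUBTYPE_DEAUTH = 0, 0x0C   # frame-control type/subtype of a deauth frame
FLAG_PROTECTED = 0x40                 # "Protected Frame" bit in the second FC byte

def parse_deauth(frame: bytes):
    """Return (protected, dst, src, bssid, reason) for a raw 802.11
    deauthentication frame, or None for any other frame."""
    if len(frame) < 26:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != TYPE_MGMT or fc0 >> 4 != SUBTYPE_DEAUTH:
        return None
    mac = lambda b: ':'.join(f'{x:02x}' for x in b)
    dst, src, bssid = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    protected = bool(fc1 & FLAG_PROTECTED)
    # With PMF the body is encrypted (a CCMP header follows the MAC header),
    # so the reason code is only readable on an unprotected frame.
    reason = None if protected else struct.unpack_from('<H', frame, 24)[0]
    return protected, dst, src, bssid, reason

def detect_deauth_abuse(frames, pmf_bssids, threshold=5, window=1.0):
    """frames: iterable of (timestamp_s, raw_frame). Alerts on (a) an unprotected
    deauth for a BSS that enforces PMF, which a genuine AP never sends, and
    (b) `threshold` deauths from one BSSID within `window` seconds."""
    alerts, recent = [], defaultdict(list)
    for ts, raw in frames:
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        protected, dst, _src, bssid, reason = parsed
        if bssid in pmf_bssids and not protected:
            alerts.append(('spoofed_deauth', bssid, dst, reason))
        recent[bssid] = [t for t in recent[bssid] if ts - t <= window] + [ts]
        if len(recent[bssid]) == threshold:  # alert once as the threshold is crossed
            alerts.append(('deauth_flood', bssid, threshold, reason))
    return alerts

def make_deauth(dst, src, bssid, reason, protected=False):
    """Constructed deauth frame for testing (not a real capture)."""
    fc = bytes([SUBTYPE_DEAUTH << 4 | TYPE_MGMT << 2, FLAG_PROTECTED if protected else 0])
    hdr = fc + b'\x00\x00' + bytes.fromhex(dst + src + bssid) + b'\x00\x00'
    return hdr + struct.pack('<H', reason)   # body is opaque when protected

AP, STA = 'aabbccddeeff', '001122334455'   # constructed BSSID and client MAC
SAMPLE = [(i * 0.1, make_deauth(STA, AP, AP, 7)) for i in range(6)]  # forged burst
SAMPLE.append((2.0, make_deauth(STA, AP, AP, 3, protected=True)))    # genuine, PMF

def run_sample():
    return detect_deauth_abuse(SAMPLE, {'aa:bb:cc:dd:ee:ff'})
```

On a real WIDS the frames would come from a monitor-mode capture, and the PMF check only applies to SSIDs where management frame protection is set to required, since optional PMF still allows unprotected deauths from clients that did not negotiate it.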

 

However, we may have some solutions coming soon. Earlier this summer, the Wi-Fi Alliance announced its certification scheme for WPA3 security. Not only does this make protected management frames mandatory, but it also employs very strong encryption algorithms for WPA3-Enterprise and a different authentication process for WPA3-Personal.

 

This process is called Simultaneous Authentication of Equals (SAE), and it prevents offline dictionary decryption.

 

The better news is that 802.11ax uses WPA3 as a mandatory feature, and with chip manufacturers having announced 802.11ax chipsets for tablets and phones earlier this year, we may be able to use these standards very soon.