Wireless security is not only a huge subject, but it’s also extremely important. Remember: Wireless signals are not contained to copper or fiber like a wired network — these signals leave your office and your building and travel a good distance. It’s very easy for someone to sit in a parking lot and practice some “wardriving” in an attempt to eavesdrop on your wireless communications.
In early 2018, a Key Reinstallation Attack (KRACK) showed a severe vulnerability in WpA2. It was patched quickly but this raised wireless security questions about WPA2. Shortly after, the WiFi Alliance released WPA3, which includes many security improvements over WPA2, including:
- Protection against dictionary attacks via the Simultaneous Authentication of Equals (SAE), which replaces the WPA2 pre-shared key mechanism. The user must interact with the network each time they make a guess, meaning off-line attacks are not going to be possible and dictionary attacks would take too long, as the attacker would need access to the Wi-Fi network.
- Prevention of reading pre-captured data and other sessions data through the use of individualized data encryption where traffic between each endpoint and the access point is encrypted with a unique key.
- Stronger cryptographic suite for the enterprise going from 128 bit in WPA2 to 192 bit, while WPA3-Personal remains at 128 bit. Correct, 128 bit hasn’t been broken yet, but why wait? This is a great example of being proactive in security.
- An attempt to help secure open wireless networks with Opportunistic Wireless Encryption (OWE). This will use a Diffie-Helman exchange between the endpoint and the access point in order to negotiate an encryption key. This requires no human interaction or configuration.
To summarize, WPA3 improved security and the process of forklift-upgrading existing hardware — software updates are available as long as the vendor supports the hardware.
Six Tips for Upgrading Your Wireless Security
Besides upgrading to WPA3, what else can we do to help secure our wireless networks? Here are a few tips:
- If you must use pre-shared keys (PSK), ensure the keys are long and complex. You should rotate these keys on a regular schedule. I know rotating PSKs is not fun, but it’s a necessity.
- If you are able, switch from PSKs to 802.1x. This means you’ll be using SSL certificates to authenticate hosts and can tie it all together using RADIUS and group policies in a Windows environment.
- Ensure you completely isolate your guest Wi-Fi from production, and audit this! Also, enable content filtering for your guest Wi-Fi to disable P2P sharing and other non-necessary activities. Remember: You are responsible for what your guests do on your network. Also, consider using bandwidth throttling to ensure guests don’t use up your internet bandwidth and cause congestion problems.
- Do not rely on MAC address filtering for any wireless security. It’s too easy to sniff a permitted MAC and spoof it.
- If you absolutely do not want to allow wireless access to production, but there is a need for it, consider a corporate Wi-Fi network with only internet access. Then, users can use a VPN to connect into production and still achieve mobility.
- Lastly, consider using directional antennas and power regulation to help contain the Wi-Fi signals to your immediate vicinity. By having omnidirectional access points at full power, you’re unable to contain your signals.
My #1 Wireless Security Tip
If I had to pick just one of the above-mentioned suggestions to implement, I’d definitely go with No. 2 and implement an 802.1x or another enterprise-based wireless authentication setup. This will help secure your wireless network greatly, and, by managing certificates and wireless settings in a group policy, you can change out settings in a nicely phased approach and won’t need to physically touch endpoints to update settings.
Hopefully, you’ve gained some security knowledge with this post, and if you have other suggestions, please let me know! Again, the more we share our knowledge, the better off we’ll all be!