The network perimeter is ground-zero for many of today’s most serious cybersecurity threats. For most organizations that means it is critical their WiFi networks are comprehensively protected to prevent the exposure of sensitive data and unauthorized access. We’ve moved well beyond “best practices” here and are now at “mission critical”—the dynamic, ubiquitous connectivity nature of the edge network with the proliferation of devices including mobile, unmanaged appliances, and headless IoT, OT, ICS endpoints among many others—means WiFi now forms the backbone of enterprise networks. Everyone expects easy access and it’s wonderful to have universal connectivity from a user perspective, but it is a nightmare when it comes to cybersecurity defenses.
Centralized tools lack clear line-of-site to all edge devices which can leave gaps in security. Compounding this challenge is the emergence of highly sophisticated, AI-driven cybersecurity threats that can adapt in real time, automate reconnaissance, and exploit vulnerabilities at machine speed.
This blog outlines best practices for securing WiFi networks and discusses common obstacles that prevent their adoption. It examines the security threats and issues associated with failing to implement the latest WiFi security standard, WPA3, highlighting vulnerabilities that could compromise the organization’s WiFi network
Essential best practices for securing a WiFi network
The most secure WiFi networks implement the following best practices:
- Physically secure the WiFi Access Points (APs)
This includes using a secure mounting bracket or lockable enclosure, placing Ethernet and power cables in conduit tubing to prevent unplugging, and disabling unused ports to prevent unauthorized access to the network. - Implement WPA3-Enterprise
WPA3-Enterprise is the latest WiFi Alliance specification for securing WiFi networks. This includes 802.1X port-based authentication using an AAA server, such as RADIUS, as well as 128- or 192-bit AES-based encryption and GCMP AES-based message integrity. - Use a strong authentication method
EAP-TLS, which uses digital certificates for device and user authentication, should be used. Weaker EAP methods, such as EAP-MD5 and EAP-PEAP, should be disabled. TLS 1.3 is preferred as it offers stronger security than TLS 1.2, eliminating weaker cryptographic algorithms and enabling forward secrecy to protect earlier communications in the event a key is compromised. - Deploy a Public Key Infrastructure (PKI) with a trusted Certificate Authority (CA)
Issuing certificates using PKI with third-party validation is more complex and expensive than issuing self-signed certificates. However, it offers significant security advantages, including increased trustworthiness of the certificates, protection against spoofed certificates, and mitigation of man-in-the-middle (MITM) attacks. - Install a sensor network and Intrusion Prevention System (IPS)
Organizations can deploy sensor networks in either continual scanning mode or occasional scanning mode. Although continual scanning requires dedicated hardware, it enables real-time threat detection and can be effective against intermittent attacks such as channel jamming.
These best practices work together to maximize the security of the WiFi network. If an organization cannot implement these best practices, its WiFi network is vulnerable to attack. Alternative security mechanisms are necessary to minimize the risks.
Top 3 Obstacles to implementing these essential practices
There are three chief business reasons why an organization may not implement these WiFi security best practices.
- Lack of resources
Deploying 802.1X authentication and a robust PKI infrastructure is costly and requires skilled IT staff. One way to alleviate this problem is to deploy cloud-based WiFi solutions where a third-party vendor manages the network infrastructure. Subscription-based cloud services reduced capital expenditure and the need for a diverse and experienced IT staff. In this scenario, organizations deploy lightweight APs and offload tasks such as authentication and key management to the cloud.
- User identities are unknown to the organization in advance
802.1X authentication is designed for environments where users and devices are preregistered and their credentials, such as usernames and passwords, are known by the network. Users connecting to public and guest WiFi networks typically do not have preestablished credentials. This makes 802.1X impractical for guest and public networks . Instead, organizations use WPA-Personal and pre-shared keys.
- Devices lack the necessary technical capabilities
Legacy devices may lack the necessary hardware and firmware capabilities to support the stronger cipher and security mechanisms mandated in WPA3. Additionally, simple devices like IoT devices and handheld scanners lack the processing and storage capabilities to support advanced cryptographic calculations and digital certificate chains. These devices cannot connect via WPA3 and must fall back to connecting on the less secure WPA2 network.
Security threats when using WPA2-Enterprise
There are two significant security improvements in WPA3-Enterprise: PMF and 192-bit level encryption. These enhancements provide protection against a range of threats.
- Protected Management Frames (PMF)
PMF adds message integrity to several 802.11 management frames, in particular deauthentication, disassociation, and action frames. This allows the client to check the authenticity of these frames. Although PMF can be implemented with WPA2, it is rarely enabled due to limited support by legacy devices. PMF is mandatory in WPA3.
PMF protects the client from deauthentication and disassociation attacks. Attackers use spoofed deauthentication to get clients to connect to a fake access point (AP), which masquerades as a legitimate network. This is referred to as a man-in-the-middle or evil twin attack. When the client connects to the fake AP, the attacker can intercept and manipulate user data such as login credentials.
- 192-bit level security for encrypting data
From a practical perspective, the 128-bit encryption supported in WPA2 is infeasible to decrypt using a brute force attack with today’s computing technology. WPA3 introduced 192-bit level encryption in support of the National Security Agency (NSA) guidelines. The NSA recommends using AES-256 keys in highly sensitive environments where the confidentiality of the data requires long-term protection. Capture Now, Crack Later (CNC-L) attacks are a concern in these situations.
Many WPA3-Enterprise WiFi networks are deployed in Transition Mode, which allows both WPA2 and WPA3 devices to connect on the same network. This exposes the WiFi network to the threat of a downgrade attack, where devices are forced to use WPA2 and not WPA3. The more secure approach is to configure the WiFi network as WPA3-only.
WPA3-Personal also improves security
In environments such as guest and public networks, WPA3-Personal offers two significant security benefits over WPA2-Personal.
- Mandates PMF
Like WPA3-Enterprise, it protects against spoofed deauthentication, disassociation, and man-in-the-middle attacks.
- Replaces Pre-Shared Key (PSK) with Simultaneous Authentication of Equals (SAE)
PSK uses a shared secret passphrase that is preconfigured on both the client and the AP. In contrast, SAE uses a client and AP information exchange, similar to a Diffie-Hellman (DH) exchange, to derive a session key for data encryption. The session key and other cryptographic information are used to derive a commitment key. The commitment key is used to verify that both the client and the AP have the session key and perform mutual authentication.
With PSK, attackers can capture data and subsequently use an offline dictionary attack, trying different passphrases to deduce the passphrase. SAE provides forward secrecy by creating a unique session key for each user per session. This makes it harder to conduct an offline dictionary attack.
Since the WiFi Alliance published the WPA3 specifications, industry researchers have identified weaknesses in the SAE handshake. The Dragonblood attack , which is similar to the KRACK attack on WPA2, weakens the security advantages of WPA3-Personal.
What to do after reading this blog
WiFi security is complex, but this blog gives you a great starting point to more effectively locking down you edge network against the many threats just waiting to find a weak point to gain entry. Using these techniques, starting with the basics, and then moving on to more advanced topics can make your perimeter safer without negatively impacting user experience.
The adoption of WPA3-Enterprise and WPA3-Personal has been slow, primarily due to the prevalence of legacy devices. After reading this blog, you should:
- Determine whether your organization’s WiFi network has enabled WPA3-Enterprise, EAP-TLS, and is using TLS 1.3.
- Determine the percentage of clients that are still connecting with WPA2-Enterprise.
- Review your organization’s Wireless Intrusion Prevention System (WIPS) to identify the types and frequency of known attacks on your WiFi network.
- Assess whether the capital expenditure required to upgrade your WiFi network to WPA3 is justified based on the reduction of security threats outlined in this blog.
- Continue to research and be aware of any emerging weaknesses in WPA3.
