Wireless Security Methods - WEP, WPA1/2/3 & Personal and Enterprise

Security is of the upmost importance when it comes to network and even more so when we are talking about Wi-Fi. Wi-Fi, as part of it's base fundamental is wireless and even with configuration options does go outside of your preferred area. This can cause a bit of an issue whereby someone can sit outside, with an adapter and monitor and potentially attack your wireless network. In this post, we will go over a high level description of the main security protocols out and about in the wireless world. 

Thankfully keeping a handle of which ones are out there is quite simple. The Wi-Fi Alliance, setup in 1999 (by numerous companies to promote compatibility) owns the Wi-Fi trademark and subsequently develops the security protocols, which we'll discuss below. 

There is four main Wi-Fi security protocols that you might see out and about and those are as follows, WEP, WPA, WPA2 and finally WPA3. Each have their pros and cons which we will also discuss on top of best practice configuration to save you any headaches later down the line. 


However, before we dig deep, I will talk quickly about Open System Authentication (OSA). OSA is an entirely open method of connecting to a wireless network, there is no authentication required to successfully join a network solely configured with OSA. This is commonly used in public wireless solutions like those in the hospitality sector for customers to gain access to the wireless quickly and efficiently with as little issues as possible. 

As is quite apparent, the idea of an open mode of accessing a network does raise a few eyebrows however, OSA can be paired with an additional layers of security such as a Captive Portal. This forces users to complete additional steps, for example registering or agreeing to Terms of Service before being granted access to the network OSA can also be used in conjunction with other security protocols with OSA providing the initial connection before enterprise level security protocols kick in, which we'll mention below.


Back to the security protocols, we'll start with Wired Equivalent Policy (WEP). WEP was the first authentication security process having been included in the original 1997 standard. It was an early way of protecting information on a wireless network but due to its age is it now no longer capable of protecting the network as wireless usage has evolved and developed over time. 

As a result, you should never choose WEP over other security solutions, but you may find a few legacy devices in your estate that use it. Remember a chain is only as strong as its weakest member. Your two options are to look at upgrading those devices and if that’s not possible, isolating them to limit any interaction between those legacy devices and the rest of your network.


Second up is Wi-Fi Protected Access (WPA). You will likely recognise its successors WPA2 and WPA3 in your home networks as well as in the workplace. WPA was created by the Wi-Fi Alliance to fill the gap while WPA2 was being developed on in the 802.11i standard. This method used the encryption method Temporal Key Integrity Protocol (TKIP) and the Rivest Cipher 4 (RC4) cipher which addressed a lot of WEP weaknesses. 

However as time progressed, TKIP and RC4s security vulnerabilities have been discovered and as a result WPA should not be used where possible, legacy devices permitting. 


Wi-Fi Protected Access 2 (WPA-2). This was as mentioned above the work of the 802.11i standard and mandates the encryption method CCMP (apologies the non-acronym title is horrendously long) and cipher suite Advanced Encryption Standard (AES). This provides increased security compared to its predecessors and is the majority of what I've seen out and about even now. 

WPA2 does allow for backward compatibility by allowing TKIP/RC4, however WPA2 certified devices are mandated to support CCMP and AES, this is solely for legacy devices. 

Also, one of the worst setbacks regarding WPA2 was the introduction of Wi-Fi Protected Setup (WPS). You might have seen and used WPS at home which allows quick authentication and access to your Wi-Fi network. This was heavily abused by attacks and WPS as a result should be turned off in every scenario either home or enterprise networks. 

  

Finally, Wi-Fi Protected Access 3 (WPA-3), the most recent of security standards and, conveniently, the strongest. Rolled out in 2018 as a replacement for WPA2 and mandated from 2020 for all new Wi-Fi devices certified by the Wi-Fi alliance. This comes with additional mandatory features such as Protected Management Frames (PMF) and Simultaneous Authentication of Equals (SAE)

PMF is concerned with protection for management action frames being sent by the wireless network. This prohibits eavesdropping and any attacks involving manipulation of management frames. There is a transition mode that you can configure to allow for backward compatibility, however I found some devices are a tad touchy about seeing a PMF and refuse to connect. I advise tests on corporate devices prior to implementing or a separate SSID if needed. 

Simultaneous Authentication of Equals (SAE) is a addition to the Pre-Shared Key exchange to remove any issues previously experienced with brute force attacks. This involves a more secure initial key exchange and has been mentioned to remove any security issues with weak passwords. 

An additional feature, not mandated as of yet is Opportunistic Wireless Encryption (OWE). OWE is a replacement for the "Open" security previously mentioned. All traffic transmitted over the Open network is still encrypted even without authentication providing a huge security boost to public/guest networks. 


To add a bit of context to WPA 1 through 3, you have two configuration modes from which to choose: Personal and Enterprise. Both with differences and different scenarios where one or the other should be implemented. 

Personal is more tailored to home or guest access and uses Pre-Shared Keys (PSK) for authentication. This is easy to be implement and simply requires a password to authenticate and is generally considered secure depending on the passphrase used. This is perfectly suited for home as you tend to not have the resources (hardware, software and experience) available to implement anything stronger.

Enterprise is used primarily in an office environment and requires use of the IEEE standard 802.1X (where OSA is used at the beginning). Due to the cost and additional overheard, Enterprise is very unlikely to be seen in a small environment such as a home network.  

However given the potentially issues that an attack might have and the limitations of WPA-Personal it is a requirement in modern day enterprise networks (hence the name, WPA-Enterprise. The below image show's the different EAP methods that can be implemented, their differences and finally pros and cons of each.  

As a rule of thumb, the more secure, the more overheard is required. Example of this is EAP-TLS, considered one of the most if not, the most secure of the list, but does require additional backend work with Public Key Infrastructure (PKI) and device certificates which can be costly and time sensitive.  



http://www.bluewolfspirit.com/notes/security-written/version_41_20_eap_methods.html



References:

Wi-Fi Alliance - Discover Wi-Fi Security 
https://www.wi-fi.org/discover-wi-fi/security

Comments

Post a Comment

Popular posts from this blog

Wireless Modulation - BPSK, QPSK and QAM

Image
Modulation is one of the key components relating to how your network traffic is translated into a format that is traversable over  any network infrastructure either wired or (and the topic of this post) wireless connections.  Modulation sits at the lowest level of the OSI model, the Physical Layer (Layer 1).  Think of modulation in a real world example, as a translator. Preparing the data received from the higher layers of the OSI model into a more accessible and easily transmitted format across the network and more specifically relating to Wi-Fi, across the antennas transmitters/receiver hardware.   Wi-Fi modulation has seen many changes across its evolution from it's first initial standard in 1997 and is still changing even now with the currently in development standard Wi-Fi 7 (11be) which we will also cover in terms of it's changes to modulation.   There is three main ways that modulation takes place in Wi-Fi, and they're as follows, Binary Phase Shift Key (BPSK), 
Read more

Wi-Fi 6E (6Ghz) Design Considerations

Image
Wi-Fi 6E capable networks are few and far between from what I've seen in the wireless world. We have seen a huge uplift of devices capable of accessing this previously unused spectrum. However I've found that wireless networks are still playing catch up when it comes to deploying a 6Ghz capable network.  So to educate a few people and to refresh my own knowledge, this blog post will cover off a bit of background information when it comes to the new 6Ghz spectrum. I'll go over the EU, UK and US standpoints and their differences, client connectivity and overall the challenges that you may come across when designing a 6Ghz capable network (most likely) alongside your existing 2.4Ghz and 5Ghz networks.  The certification was ratified by the Wi-Fi Alliance in 2021, not long after the Wi-Fi 6 standard itself was approved by the IEEE back in 2020. 6E (as I will call it going forward), as previously mentioned allows the use of the 6Ghz spectrum previously unused within the Wi-Fi sp
Read more

802.11 Frame Types - Management Frames

Image
802.11 Management Frames are used primarily as the name might suggest, to manage the wireless medium. The type of value regardless of which management subtype you see (covering this shortly) will always be shown as Type 00 as highlighted in the image below. This helps identify to the wireless device that the packet is a management frame; the same function happens for the control "01" and data frames "10".  Management frames come in different shapes and sizes but some of the most important are as follows: Beacon: Beacon frames are transmitted by the Access Point to announce the existence of a Basic Service Set. This will contain information about the BSS such as the SSID, supported data rates, country and (due to most APs being 11n and 11ac capable) 11n and 11ac capabilities and information. It's worth noting beacons are transmitted at set intervals, this can be configured to either increase or decrease the time frame in between
Read more