Wireless Security Methods - WEP, WPA1/2/3 & Personal and Enterprise
Security is of the upmost importance when it comes to network and even more so when we are talking about Wi-Fi. Wi-Fi, as part of it's base fundamental is wireless and even with configuration options does go outside of your preferred area. This can cause a bit of an issue whereby someone can sit outside, with an adapter and monitor and potentially attack your wireless network. In this post, we will go over a high level description of the main security protocols out and about in the wireless world.
Thankfully keeping a handle of which ones are out there is quite simple. The Wi-Fi Alliance, setup in 1999 (by numerous companies to promote compatibility) owns the Wi-Fi trademark and subsequently develops the security protocols, which we'll discuss below.
There is four main Wi-Fi security protocols that you might see out and about and those are as follows, WEP, WPA, WPA2 and finally WPA3. Each have their pros and cons which we will also discuss on top of best practice configuration to save you any headaches later down the line.
However, before we dig deep, I will talk quickly about Open System Authentication (OSA). OSA is an entirely open method of connecting to a wireless network, there is no authentication required to successfully join a network solely configured with OSA. This is commonly used in public wireless solutions like those in the hospitality sector for customers to gain access to the wireless quickly and efficiently with as little issues as possible.
As is quite apparent, the idea of an open mode of accessing a network does raise a few eyebrows however, OSA can be paired with an additional layers of security such as a Captive Portal. This forces users to complete additional steps, for example registering or agreeing to Terms of Service before being granted access to the network OSA can also be used in conjunction with other security protocols with OSA providing the initial connection before enterprise level security protocols kick in, which we'll mention below.
Back to the security protocols, we'll start with Wired Equivalent Policy (WEP). WEP was the first authentication security process having been included in the original 1997 standard. It was an early way of protecting information on a wireless network but due to its age is it now no longer capable of protecting the network as wireless usage has evolved and developed over time.
As a result, you should never choose WEP over other security solutions, but you may find a few legacy devices in your estate that use it. Remember a chain is only as strong as its weakest member. Your two options are to look at upgrading those devices and if that’s not possible, isolating them to limit any interaction between those legacy devices and the rest of your network.
Second up is Wi-Fi Protected Access (WPA). You will likely recognise its successors WPA2 and WPA3 in your home networks as well as in the workplace. WPA was created by the Wi-Fi Alliance to fill the gap while WPA2 was being developed on in the 802.11i standard. This method used the encryption method Temporal Key Integrity Protocol (TKIP) and the Rivest Cipher 4 (RC4) cipher which addressed a lot of WEP weaknesses.
However as time progressed, TKIP and RC4s security vulnerabilities have been discovered and as a result WPA should not be used where possible, legacy devices permitting.
Wi-Fi Protected Access 2 (WPA-2). This was as mentioned above the work of the 802.11i standard and mandates the encryption method CCMP (apologies the non-acronym title is horrendously long) and cipher suite Advanced Encryption Standard (AES). This provides increased security compared to its predecessors and is the majority of what I've seen out and about even now.
WPA2 does allow for backward compatibility by allowing TKIP/RC4, however WPA2 certified devices are mandated to support CCMP and AES, this is solely for legacy devices.
Also, one of the worst setbacks regarding WPA2 was the introduction of Wi-Fi Protected Setup (WPS). You might have seen and used WPS at home which allows quick authentication and access to your Wi-Fi network. This was heavily abused by attacks and WPS as a result should be turned off in every scenario either home or enterprise networks.
Finally, Wi-Fi Protected Access 3 (WPA-3), the most recent of security standards and, conveniently, the strongest. Rolled out in 2018 as a replacement for WPA2 and mandated from 2020 for all new Wi-Fi devices certified by the Wi-Fi alliance. This comes with additional mandatory features such as Protected Management Frames (PMF) and Simultaneous Authentication of Equals (SAE).
PMF is concerned with protection for management action frames being sent by the wireless network. This prohibits eavesdropping and any attacks involving manipulation of management frames. There is a transition mode that you can configure to allow for backward compatibility, however I found some devices are a tad touchy about seeing a PMF and refuse to connect. I advise tests on corporate devices prior to implementing or a separate SSID if needed.
Simultaneous Authentication of Equals (SAE) is a addition to the Pre-Shared Key exchange to remove any issues previously experienced with brute force attacks. This involves a more secure initial key exchange and has been mentioned to remove any security issues with weak passwords.
An additional feature, not mandated as of yet is Opportunistic Wireless Encryption (OWE). OWE is a replacement for the "Open" security previously mentioned. All traffic transmitted over the Open network is still encrypted even without authentication providing a huge security boost to public/guest networks.
To add a bit of context to WPA 1 through 3, you have two configuration modes from which to choose: Personal and Enterprise. Both with differences and different scenarios where one or the other should be implemented.
Personal is more tailored to home or guest access and uses Pre-Shared Keys (PSK) for authentication. This is easy to be implement and simply requires a password to authenticate and is generally considered secure depending on the passphrase used. This is perfectly suited for home as you tend to not have the resources (hardware, software and experience) available to implement anything stronger.
Enterprise is used primarily in an office environment and requires use of the IEEE standard 802.1X (where OSA is used at the beginning). Due to the cost and additional overheard, Enterprise is very unlikely to be seen in a small environment such as a home network.
However given the potentially issues that an attack might have and the limitations of WPA-Personal it is a requirement in modern day enterprise networks (hence the name, WPA-Enterprise. The below image show's the different EAP methods that can be implemented, their differences and finally pros and cons of each.
As a rule of thumb, the more secure, the more overheard is required. Example of this is EAP-TLS, considered one of the most if not, the most secure of the list, but does require additional backend work with Public Key Infrastructure (PKI) and device certificates which can be costly and time sensitive.
Comments
Post a Comment