For many businesses, wired Ethernet is no longer supreme. Instead, Wi-Fi has become the go-to network access technology for users and endpoints. Wireless LANs, or WLANs, offer many advantages over their wired alternatives. They are reliable, flexible and can reduce cost of ownership. WLANs offer easy installation, the ability to move and not be tied to a physical location, and scalability.
With the advantages, however, comes a major disadvantage: security. Wi-Fi's borderless nature -- in combination with a confusing array of legacy and modern authentication, access control and encryption techniques -- makes WLAN security an overwhelming challenge.
WLAN security is a complex topic, so let's break it down in steps. First, we discuss some common WLAN threats enterprises face when the correct security policy isn't in place. Then, we examine the evolutionary history of WLAN security and the techniques today's security engineers consider to be the best. Finally, we detail some WLAN best practice security guidelines.
WLAN threats and vulnerabilities
WLAN cybersecurity threats can lead to data loss, malware infections, distributed denial-of-service (DDoS) attacks and other detrimental scenarios. There are many threats and vulnerabilities to be aware of, including the following:
- IP spoofing. If a bad actor can join the corporate WLAN, they can impersonate, or spoof, trusted devices by forging the source IP address in the packet header, and receiving devices may accept the spoofed packets as legitimate. Flooding a target from a botnet (DDoS) and man-in-the-middle attacks are among the most common uses of IP spoofing.
- DNS cache spoofing/poisoning. On a WLAN, an attacker-controlled device can insert itself as the DNS server other clients use, for example by answering their DHCP requests with its own address or by placing forged records in the resolver's cache. Users and devices that then try to reach a trusted remote resource, such as a website, are resolved to a malicious address instead.
- Rogue/evil twin access points (APs). These occur when bad actors deploy a wireless AP that broadcasts the same or a similar-looking service set identifier (SSID). Unsuspecting users connect to the rogue device, where their traffic can be captured and monitored or redirected to malicious destinations, and a fake login portal can harvest credentials. An evil twin can also impersonate a WPA-Enterprise network if clients are not configured to validate the authentication server's certificate.
- War driving. When WLAN signals propagate outside company walls and into public spaces, war drivers search for open or exploitable WLANs to use for free internet access -- called piggybacking -- or for more nefarious reasons, such as attempting to find and steal sensitive corporate data.
How WLAN security has evolved over time
Early iterations of Wi-Fi focused on connectivity rather than security, and the security protocols that followed were retrofitted, each one patching the weaknesses of its predecessor.
The Wired Equivalent Privacy (WEP) standard, part of the original 802.11 specification in the late 1990s, was the first attempt to keep attackers from reading wireless traffic, but it was fatally flawed. WEP encrypted every device's traffic with the RC4 stream cipher under a single static key shared by all devices, combined with a 24-bit initialization vector that repeats quickly on a busy network. Weaknesses in how RC4 was keyed let attackers recover the static key from captured traffic with freely available tools in minutes. WEP is now considered woefully insecure and should be removed from corporate use.
In 2003, the Wi-Fi Alliance published Wi-Fi Protected Access (WPA) as an interim fix. Its Temporal Key Integrity Protocol (TKIP) still uses RC4, so existing hardware could be upgraded in firmware, but it mixes a fresh key into every packet and adds a message integrity check.
WPA2, released in 2004 and based on the ratified IEEE 802.11i standard, replaced TKIP with Advanced Encryption Standard in CCMP mode as the mandatory cipher and integrity mechanism; TKIP remained only for backward compatibility.
WPA3, introduced in 2018, strengthens both modes: WPA3-Personal replaces the pre-shared key handshake with Simultaneous Authentication of Equals (SAE), so a captured handshake can no longer be attacked offline with a password dictionary; protected management frames become mandatory; and an optional 192-bit mode is available for enterprise use. Because it's a relatively new standard, however, many legacy devices can't support WPA3. As a result, organizations today commonly deploy a combination of the three WPA generations to protect their corporate WLANs.
WPA is commonly configured using one of two authentication methods:
- WPA-Personal, also known as WPA-PSK, is based on a single passphrase that every user and device enters to gain network access. Because the same secret is shared by everyone, anyone who learns it can join, and with WPA and WPA2 a passive observer who captures one client's handshake can test passphrase guesses offline. It's therefore considered less secure than WPA-Enterprise.
- WPA-Enterprise, also known as WPA-Extensible Authentication Protocol (WPA-EAP), uses IEEE 802.1X: the AP relays the client's EAP exchange to a Remote Authentication Dial-In User Service (RADIUS) server, which checks the credential against a user database. Each user or device presents its own credential, a username and password with methods such as PEAP, or a certificate with EAP-TLS, and a unique session key is derived for each connection. This method is considered more secure because no secret is shared across users and devices, and a single compromised credential can be revoked without rekeying every client.
WLAN security best practice tips
Enterprises should carefully plan and execute a cohesive strategy to protect their WLANs against data loss and unauthorized access. While the final security options depend on the level of protection required and available budget, there are some important tips and techniques to get started.
As with any security effort, ensure your IT security policies define access requirements: Who needs access to what and when? Include remote and on-the-go employees, too.
Other best practices include the following:
- Segmentation of Wi-Fi users and devices by SSID. Departments and devices use WLANs in different ways. Therefore, not every device can be secured using the same standard. One way to protect devices that can support, say, WPA-Enterprise, from those that can only support WPA-Personal is to logically segment legacy devices into a separate SSID. Once segmented, access policies can be wrapped around the less secure endpoints.
- Guest Wi-Fi. Set up a separate guest Wi-Fi SSID for those users and devices that only require internet access. Access policies can block these devices from communicating with any users or devices on the corporate network, while still delivering internet-bound traffic securely beyond the network edge.
- Signal strength bleeding out into unsecured areas. APs installed near external walls should have their power levels carefully set to reduce any leakage into nearby parking lots or public squares. Doing so helps protect against external wireless interference and also reduces the chance that an unauthorized user can successfully connect to the network.
- Rogue AP detection. Most enterprise-grade WLAN platforms include tools that monitor the 802.11 bands (2.4 GHz, 5 GHz and, with Wi-Fi 6E, 6 GHz) to identify rogue APs, including those spoofing or imitating corporate SSIDs. Compare what the radios hear against the inventory of authorized BSSIDs, and treat a corporate SSID advertised with weaker security than you configured as an evil twin attempting a downgrade.
- 802.1x authentication vs. PSK. Require, whenever possible, that users and devices authenticate using 802.1x, as opposed to a PSK. This removes the need to manually change PSKs multiple times a year. It also prevents the sharing of PSKs, which can potentially lead to hackers using Wi-Fi to gain unauthorized access to the corporate network.
- Network LAN switchport configurations. Configure the switchports that connect wireless APs to the corporate LAN with security in mind. Place AP management IP addresses on a segmented virtual LAN, allowing only the specific VLANs the APs need to be trunked to them. Use static or sticky media access control address port security to deter someone from unplugging an AP and attaching an unauthorized device to the LAN, bearing in mind that a MAC address is trivially cloned; where the switch and APs support it, authenticate the AP itself to the switchport with 802.1x so the port's VLANs are not available to whatever is plugged in.
- Employment of external security tools that can further secure WLANs. Supplement with other tools to protect users, devices and data transported across the WLAN. Examples include the following:
- network access control or unified endpoint management platforms to provide granular access controls;
- VPN technologies to protect sensitive data transmitted or received across untrusted Wi-Fi connections; and
- AI-backed network detection and response platforms that can monitor traffic flows and alert personnel when users, devices or traffic flows veer from normal behavior, a sign that some form of WLAN compromise may be occurring.
Other standard security best practices also apply, including the following:
- using firewalls and antimalware;
- ensuring secure remote access via VPNs, zero-trust network access or Secure Access Service Edge;
- keeping software patched and up to date;
- changing any default credentials;
- educating users about security; and
- keeping up to date with current security threats.