The short but solid guide to protecting your company Wi-Fi


In our last two blogs, we talked about WPA2 Personal, WPA2 Enterprise and additional measures you can take to secure your company Wi-Fi. The story made sense and the circle seemed complete. But then you start reading. You know, just to be sure. You discover that the Wi-Fi Alliance (yes, that’s a thing) will soon come with an upgrade, called WPA3. Then, a colleague asks you about WIDS and WIPS; terms you don’t know but that seem worth your time now that you’ve read about what they do. A new question arises: is WPA2 Enterprise still the way to go? Is there something better? And if so, should you switch? In this short guide, we hope to hand you some understandable and workable guidelines to protect your company assets and people, even if they gain access to your systems through something as scary as Wi-Fi.

What we came up with so far

As we explained earlier, Wi-Fi poses problems that you don’t have with network access through cable or VPN. Wi-Fi is literally everywhere, creating chances for intruders to gain access to the network by stealing passwords and decrypting network traffic, or simply by putting an attack computer in monitoring mode and listening to what’s being broadcast. In our previous blog, we therefore told you about the power of WPA2-Enterprise, as it works with personal and temporary keys while authenticating the user before they are allowed access to the network. If you combine WPA2-Enterprise with certificates on both the sending and receiving side (mutual authentication), you make your Wi-Fi protection watertight. And if you’re really clever, you also divide your company network into separate compartments so that most users can’t get anywhere near sensitive data in the first place.

Now, let’s challenge this mix of WPA2-Enterprise, mutual authentication and compartmenting and see if it holds!


WPA2 goes WPA3

The Wi-Fi Alliance, which is in charge of the certification of Wi-Fi products, recently announced the upgrade of WPA2 to WPA3. The difference lies in the so-called Dragonfly handshake, which makes it pretty much impossible to recover the password of a Wi-Fi network using an offline dictionary attack. This is very good news for households and small companies using WPA2-Personal, as they work with a pre-shared key. However, the update is less relevant for bigger companies using WPA2-Enterprise, for the simple reason that this WPA version already got rid of the pre-shared key and all its downsides. As the Wi-Fi Alliance didn’t announce any updates for WPA2-Enterprise, it’s safe to say that both standards will most likely coexist for several years.


WIDS, WIPS and other abbreviations

I recently got an email from a colleague, asking me about the role of WIDS and WIPS in the story of network access control. It was a very good question, as both WIDS (Wireless Intrusion Detection System) and its big brother WIPS (Wireless Intrusion Prevention System) are helpful products to detect and even stop security threats on a Wi-Fi network. A WIDS product, for example, monitors the radio spectrum to detect unauthorised devices, MAC-address spoofing, rogue access points and man-in-the-middle attacks, and reports these problems to the administrators. A WIPS product goes one step further and is also able to prevent all of the aforementioned problems that WIDS is only able to detect. But here’s the thing: if you work with WPA2-Enterprise, the certificate on the client side makes threats such as MAC-address spoofing harmless, making WIDS and WIPS redundant. Second, as the client and the server each present a certificate and verify the other’s (mutual authentication), the man-in-the-middle doesn’t stand a chance either.
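To make the mutual authentication of the two previous sections concrete, here is an added wpa_supplicant configuration for WPA2-Enterprise with EAP-TLS; it is not from the original post, and the SSID, identity, file paths and domain name are placeholders. The first network block carries a client certificate but never checks the RADIUS server, so the man-in-the-middle protection is only half there; the second adds the server-side check.

```conf
# Added example (not the blog's own config): wpa_supplicant network blocks for
# WPA2-Enterprise with EAP-TLS. All names and paths are placeholders.

# WEAK: the client proves who it is with its certificate, but without
# ca_cert and a name match it will happily complete the TLS handshake with
# any access point whose RADIUS server shows a self-signed certificate for
# "CorpWiFi". Authentication is one-way, not mutual.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="laptop-0042@corp.example"
    client_cert="/etc/wifi/laptop-0042.crt"
    private_key="/etc/wifi/laptop-0042.key"
    private_key_passwd="<key passphrase>"
}

# HARDENED: same client credentials, plus validation of the server side.
network={
    ssid="CorpWiFi"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=TLS
    identity="laptop-0042@corp.example"
    client_cert="/etc/wifi/laptop-0042.crt"
    private_key="/etc/wifi/laptop-0042.key"
    private_key_passwd="<key passphrase>"
    # Only the company's own CA may have signed the RADIUS server certificate.
    ca_cert="/etc/wifi/corp-radius-ca.pem"
    # The server certificate's DNS name must end in this suffix, so a
    # certificate from the same CA issued for some other host is rejected.
    domain_suffix_match="radius.corp.example"
}
```

Deploying the second block to every managed client is what turns "certificates on both sides" into real mutual authentication; a rogue access point then fails the handshake before any traffic is exchanged.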


Final verdict?

In this blog, we’ve discussed the WPA3 upgrade and the potential role of WIDS and WIPS products. All in all, if you work with WPA2-Enterprise, you’re well on your way to secure Wi-Fi. You see, the Wi-Fi Alliance came with an upgrade for WPA2-Personal for a reason, which means they still have faith in WPA2-Enterprise. If you combine WPA2-Enterprise with dividing your computer network into compartments, you focus on safe access to a smaller network area rather than on securing one large network, which is much harder to achieve. And as this is such a proactive approach, measures such as WIDS and WIPS (helpful as they may be) become pretty much redundant. The more proactive and solid your security solution, the lower the risk of problems and the lower the costs for additional security measures, simply because you don’t need them.

Want to know more about compartmenting as part of your access control solution? Download the white paper below!


Hans-Peter Ponten
