The Scary World of Wireless
By Jason Cornish, Sr. Systems Engineer
I am sure most have heard of the newly discovered WPA2 security flaw called Krack Attack. If you have not then I am jealous of your ability to hide from the barrage of emails and news flashes that permeate my Twitter feed.
While most vendors have provided patches and workarounds to mitigate this security issue, I wanted to expand on wireless security overall. As a quick background, I have been in wireless for over 10 years and have seen lots of security methods come and go. I have dealt with network engineers that have told me they need to have complete security for the wireless, to which my response is “use a patch cord.”
The thing to remember is that wireless is easy to attack, since the attacker does not need to be inside the facility, just within range of the wireless signal to perform the attack.
How do you secure the wireless?
The first method that many home users use, as well as TERACAI, is WPA2 Pre-Shared Key. This method is a single shared password that allows a user to get onto the wireless. As long as I have the password, I can get on. This method can be a big issue down the road for management. Here are a couple of problems that come to my mind right away:
- If you need to change that password then you will need to manually go to every device and update the password or else they will not connect.
- Within Apple iOS 11, if I have someone nearby that I share information with, I can just send them the key and the SSID and they easily join the network. While this is nice and easy for my house, it is not the best thing for corporate networks.
- You are not able to get device name and user information. This means that in order to troubleshoot you will need MAC addresses to look up within the Cisco controllers.
The next way is to use WPA2-Enterprise for network access. This method requires a RADIUS server (or some other type of access server) that will ask for credentials in order to join the network.
These credentials can be a username/password combination, a client certificate, a device certificate, or a combination of these.
The recommended solution for network access
The WPA2-Enterprise method of security is my recommended solution for network access via wireless. This method allows me to make the access as tight as I need or want for my network. For example, if I were a banking institution I would require my wireless network to perform device authentication via certificate, and user authentication via certificate.
This method requires that in order for a device (laptop/tablet/phone) to connect to the wireless network, it needs to be a trusted device and have a certificate installed that chains to a known, trusted root certificate authority.
After the device is authenticated, the network would then require the user to go through the same process. Using this method helps mitigate someone sharing their credentials and getting unauthorized devices onto the network.
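To make the PSK-versus-Enterprise difference concrete, here is an added example (not from the original article or from TERACAI) using the open-source hostapd and wpa_supplicant configuration formats rather than a Cisco controller. The SSID, RADIUS address, shared secret, certificate paths and identity are constructed placeholders, and the client-side block shows the "trusted root certificate authority" check that keeps a device from handing its credentials to an access point that is not backed by your RADIUS server.

```ini
# ---- hostapd-psk.conf (constructed example): WPA2-Personal ----
# One passphrase for everyone; no per-user or per-device identity,
# and every device must be touched when the passphrase changes.
interface=wlan0
ssid=CorpWiFi-Constructed
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=PlaceholderPassphraseChangeMe

# ---- hostapd-enterprise.conf (constructed example): WPA2-Enterprise ----
# 802.1X: the AP forwards each EAP exchange to RADIUS, which decides
# per user and per device; nobody needs to know a shared passphrase.
interface=wlan0
ssid=CorpWiFi-Constructed
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2
ieee8021x=1
eap_server=0
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=placeholder-radius-shared-secret
nas_identifier=ap-lobby-01.example.com

# ---- wpa_supplicant.conf (constructed example): EAP-TLS client side ----
# The device proves itself with its own certificate, and refuses to
# authenticate unless the RADIUS server's certificate chains to the
# corporate root CA and carries the expected name.
network={
    ssid="CorpWiFi-Constructed"
    key_mgmt=WPA-EAP
    eap=TLS
    ieee80211w=2
    identity="laptop-0042@example.com"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    client_cert="/etc/wpa_supplicant/laptop-0042.pem"
    private_key="/etc/wpa_supplicant/laptop-0042.key"
    domain_suffix_match="radius.example.com"
}
```

Leaving out ca_cert or domain_suffix_match on the client is the setting to look for when reviewing deployed profiles; with them in place, a lost passphrase is no longer a concern, and a lost laptop is handled by revoking one certificate.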
There are many pieces that will need to be implemented to allow for this security solution, but it is worth it. If you are in need of any assistance, please contact your TERACAI rep!
The best way to avoid security breaches
The best way to avoid potential breaches is to be proactive and vigilant. Always test the wireless and verify that it is performing as configured. These tests can include putting your users through some simulated attack situations.
Keep your ear open to see if people share their credentials, or look around your desk and see if a coworker's login info is sitting out for easy access. Send a fraudulent email out to the users and see if they click on it and provide their info. It may surprise you how accessible this type of information can be.
It's also important to review how your wireless signal is propagating. How far outside your building walls does your signal propagate? Can a hacker sit in the parking lot and cyber-attack you? Lastly, make sure that your user databases are up-to-date. The hardware must also be running appropriate code versions and be patched as needed.
Unfortunately, this only touches the surface of the crazy world of wireless security we live in. There are many more ways to protect access and to take some of the device registration out of your hands. If you are interested, reach out to the team at TERACAI. We’d love to add peace of mind to your work day.