January 24, 2023

Wireless Security: How to Deploy WPA2-Enterprise


Today’s IT teams spend countless hours protecting corporate wireless networks from the dangers that permeate radio waves.

Passive eavesdropping may collect proprietary information, IDs and passwords. Intruders can steal bandwidth to transmit spam or use a network as a springboard to attack others. Even a low-tech attacker can harm a business by launching packet floods against its access points (APs) and nearby servers.

At the start of the millennium, the Wired Equivalent Privacy (WEP) security protocol provided wireless business security by encrypting data so that it was protected in transit between endpoints. WEP used secret keys to encrypt the data traveling between the access point and the receiving stations. Unfortunately, ten years ago, researchers discovered a flaw in WEP that allowed an eavesdropper capturing packets to recover the encryption key. Once developed into an exploit, software running on any off-the-shelf laptop could break WEP in minutes. Inevitably, WEP was replaced in 2003 by the Wi-Fi Protected Access (WPA) security protocol and certification program.

WPA: deepening security authentication

WPA (based on the IEEE 802.11i draft standard) fixes most of the known vulnerabilities in WEP. Primarily intended for enterprise wireless networks, WPA implemented several significant changes.

First, it included the Extensible Authentication Protocol (EAP), which relied on a secure public-key encryption system so that only authorized users could access the network. Second, WPA improved data encryption through the Temporal Key Integrity Protocol (TKIP), which scrambled the keys using a hashing algorithm to prevent tampering. Finally, a Message Integrity Check (MIC) feature was added to determine whether an attacker had captured or modified packets passing between the access point and the client.

Within a year, however, a flaw was discovered in WPA that exploited old weaknesses inherited from WEP and limitations in the MIC function.

WPA2: encryption tightening

Available since 2004, WPA2 implements the mandatory elements of the IEEE 802.11i standard. From March 2006, WPA2 certification by the Wi-Fi Alliance became mandatory for all new devices carrying the Wi-Fi mark.

WPA2 introduces the AES (Advanced Encryption Standard) algorithm with CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) to strengthen the security of home and business networks. Dynamic encryption keys are securely distributed after a user logs in or presents a valid digital certificate. WPA2 can be implemented in one of two modes:

  • Pre-Shared Key (PSK) Mode – For home Wi-Fi networks, the owner sets the encryption passphrase on the wireless router and other access points. Users must then enter this passphrase when connecting to the network.
  • Enterprise Mode – Organizations that want government-grade wireless security should use Wi-Fi Protected Access 2 Enterprise (WPA2-Enterprise). To improve the resiliency of critical networks, WPA2-Enterprise has recently been enhanced with protected management frames, which further harden WPA2 against eavesdropping and packet forgery. All Wi-Fi certified devices support WPA2 for added protection.

WPA2-Enterprise Deployment

WPA2-Enterprise deployment includes installing a RADIUS server (or engaging an outsourced service), configuring access points with encryption and RADIUS server information, configuring your operating system with the IEEE 802.1X encryption settings, and then connecting to your secure enterprise wireless network.

Authentication and business communication: the RADIUS server and EAP

The standard for carrying EAP over a network is IEEE 802.1X. In this authentication framework, the client device that wants to join the network, such as a laptop or smartphone, is the supplicant; the RADIUS (Remote Authentication Dial-In User Service) server that performs the authentication is the authentication server; and the access point, which relays EAP between the two, is the authenticator.

Users are assigned login credentials to enter when connecting to the network; they never see the actual encryption keys, and the keys are not stored on the device. This protects the wireless network when an employee leaves or a device is lost: access is revoked at the RADIUS server rather than by changing a key shared by everyone. Authentication is port-based: when a user attempts to connect, the access point allows communication only through a virtual port used to transfer login credentials. If authentication succeeds, encryption keys are transmitted securely and the user is granted full access.
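To make the access-point-to-RADIUS side of this exchange concrete, here is an added example (not code from the article or from any vendor) that builds the RADIUS Access-Request an access point sends when a supplicant presents its EAP identity, and verifies it the way the RADIUS server would, using the shared secret configured on both the AP and the server. The shared secret, the identity `alice@example.com` and the identifier values are constructed for the example; the attribute numbers and the Message-Authenticator computation follow RFC 2865 and RFC 3579.

```python
"""RADIUS Access-Request carrying an EAP identity (RFC 2865 / RFC 3579).

Added example, not code from the article. The access point (802.1X
authenticator) wraps the supplicant's EAP-Response/Identity in RADIUS and
signs the packet with the secret it shares with the RADIUS server.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                 # RADIUS code
ATTR_USER_NAME = 1                 # RFC 2865 attribute types
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79              # RFC 3579
ATTR_MESSAGE_AUTHENTICATOR = 80    # RFC 3579
NAS_PORT_TYPE_WIRELESS_80211 = 19
EAP_RESPONSE = 2                   # RFC 3748 code and type
EAP_TYPE_IDENTITY = 1


def attribute(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; values are capped at 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long; split it across attributes")
    return bytes([attr_type, len(value) + 2]) + value


def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity: Code(1) Identifier(1) Length(2) Type(1) identity."""
    header = struct.pack("!BBH", EAP_RESPONSE, eap_id, 5 + len(identity))
    return header + bytes([EAP_TYPE_IDENTITY]) + identity


def build_access_request(secret, identifier, request_authenticator, attributes):
    """Serialise an Access-Request and append a Message-Authenticator.

    RFC 3579 requires Message-Authenticator whenever EAP-Message is present:
    HMAC-MD5 keyed with the shared secret over the entire packet with the
    Message-Authenticator value zeroed. It is what proves to the server that
    the request came from a known access point.
    """
    body = b"".join(attribute(t, v) for t, v in attributes)
    body += attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    unsigned = header + request_authenticator + body
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac     # the zeroed MAC is the last 16 bytes


def parse_attributes(packet):
    """Return [(type, value, offset)] and reject packets with bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len], pos))
        pos += attr_len
    return attrs


def verify_message_authenticator(secret, packet):
    """Server-side check; False when the MAC is missing, malformed or wrong."""
    for attr_type, value, pos in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # EAP-Message without Message-Authenticator must be discarded


def eap_payload(packet):
    """Reassemble the EAP message carried in (possibly several) EAP-Message attributes."""
    return b"".join(v for t, v, _ in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)


def demo(secret=b"constructed-shared-secret"):
    """Build the first Access-Request of an 802.1X login and check it three ways."""
    identity = b"alice@example.com"          # constructed identity
    request_authenticator = os.urandom(16)   # fresh random value per request
    packet = build_access_request(secret, 7, request_authenticator, [
        (ATTR_USER_NAME, identity),
        (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
        (ATTR_EAP_MESSAGE, eap_response_identity(1, identity)),
    ])
    # User-Name is the first attribute, so its value starts at offset 22; flip one bit there.
    tampered = packet[:22] + bytes([packet[22] ^ 0x01]) + packet[23:]
    return {
        "valid": verify_message_authenticator(secret, packet),
        "wrong_secret": verify_message_authenticator(b"other-secret", packet),
        "tampered": verify_message_authenticator(secret, tampered),
        "identity": eap_payload(packet)[5:],   # skip the 4-byte EAP header and type byte
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns a dict: the untouched packet verifies, while the same packet checked against a different secret, or with one bit of the User-Name altered, does not. This is why the "RADIUS server information" entered on each access point should include a long, unique shared secret per AP: that secret is the only thing authenticating the authenticator to the server, and a secret shared across many APs is compromised everywhere if one of them is.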

RADIUS Server Options

Once you have decided which of the following RADIUS server options to use, you will configure it in the corresponding EAP, AP, and user settings.

  • Windows Server – if you have deployed Windows Server, you can use either Internet Authentication Service (IAS) in Windows Server 2003 or Network Policy Server (NPS) in Windows Server 2008.
  • FreeRADIUS – this server is a free open source project and the preferred choice of advanced IT personnel. It is available for Linux, Mac OS X and Windows platforms.
  • Outsourced services – if you have multiple offices or lack technical IT expertise, a hosting service is a good option. Many services provide more than just RADIUS server hosting. They can also help with the setup process, perform user onboarding, and provide real-time reporting functionality. Additionally, many companies offer mobile apps that make setting up mobile devices quick and easy for Apple iOS, Android, and Kindle Fire users. Check out No Wires Security and ServerPlus to learn more.

EAP options

Your EAP choice depends on the level of security you need and your server/client specifications. Although there are more than ten EAP types, these three are the most popular:

  • PEAP (Protected EAP) – this protocol authenticates users through the user names and passwords they enter when connecting to the network. It is one of the easiest EAP types to implement.
  • TLS (Transport Layer Security), i.e. EAP-TLS – although this EAP type requires more time to implement and maintain, it is very secure because both client and server are validated with Secure Socket Layer (SSL) certificates. Instead of logging into the network with usernames and passwords, end-user devices or computers must hold a certificate file. You control the certificate authority (CA) and distribute the client certificates.
  • TTLS (Tunneled TLS) – this version of TLS does not require client certificates and reduces network management time. However, since TTLS has no native support in Microsoft Windows, it requires a third-party client.
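With PEAP and TTLS the password travels inside a TLS tunnel, so their security rests on the client actually validating the RADIUS server's certificate before it sends anything; with EAP-TLS it rests on the client holding its own certificate and key. The following added example (not from the article; the sample configuration is constructed) parses `network={...}` blocks in wpa_supplicant.conf format and flags the omissions a rollout most often gets wrong, including a missing `ieee80211w=2`, the setting that makes the protected management frames discussed above mandatory for the connection. The option names (`key_mgmt`, `eap`, `ca_cert`, `domain_suffix_match`, `altsubject_match`, `client_cert`, `private_key`, `ieee80211w`) are real wpa_supplicant parameters; the SSIDs, file paths and credentials are placeholders.

```python
"""Audit wpa_supplicant.conf network blocks for WPA2-Enterprise client weaknesses.

Added example, not code from the article. SAMPLE_CONF is constructed; the
option names are real wpa_supplicant parameters, the paths are placeholders.
"""
import re

SAMPLE_CONF = """
network={
    ssid="corp-peap-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
    ieee80211w=2
}
network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/wpa/alice.crt"
    private_key="/etc/wpa/alice.key"
    ieee80211w=2
}
network={
    ssid="corp-ttls"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)


def parse_networks(text):
    """One dict per network={...} block; '#' comments dropped, quotes stripped."""
    networks = []
    for body in BLOCK_RE.findall(text):
        params = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)   # phase2="auth=..." keeps its inner '='
                params[key.strip()] = value.strip().strip('"')
        networks.append(params)
    return networks


def lint_network(net):
    """Return a list of findings for one enterprise network block (empty = clean)."""
    findings = []
    if not any(k.startswith("WPA-EAP") for k in net.get("key_mgmt", "").split()):
        return findings          # PSK or open network: not in scope here
    eap = net.get("eap", "").upper()
    if "ca_cert" not in net:
        findings.append("no ca_cert: the RADIUS server certificate is never verified")
    if eap in ("PEAP", "TTLS") and not ("domain_suffix_match" in net or "altsubject_match" in net):
        findings.append("no domain_suffix_match/altsubject_match: any certificate "
                        "issued by the CA is accepted, not just your RADIUS server's")
    if eap == "TLS":
        for key in ("client_cert", "private_key"):
            if key not in net:
                findings.append(f"EAP-TLS without {key}: the client cannot authenticate")
    if net.get("ieee80211w") != "2":
        findings.append("ieee80211w is not 2: protected management frames are optional, not required")
    return findings


def lint_config(text):
    """Map each SSID to its findings."""
    return {net.get("ssid", "<no ssid>"): lint_network(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in lint_config(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Run against the sample, `corp-peap` and `corp-tls` come back clean, `corp-peap-weak` gets three findings and `corp-ttls` two. The `ca_cert` and `domain_suffix_match` checks are the ones that matter most for password-based EAP: a CA alone only proves that some certificate from that CA was presented, so the name constraint is what ties the tunnel to your RADIUS server specifically. Point the script at a real wpa_supplicant.conf by reading the file into `lint_config` instead of `SAMPLE_CONF`.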

The steps for configuring access points with encryption and RADIUS server information, and for configuring your operating system with the IEEE 802.1X settings, depend on your server and client specifications. Consult hardware and software manufacturers for advice.

Standards and Wi-Fi Alliance

There is no end to the task of data theft protection and risk and compliance management in the wireless enterprise. Key wireless security challenges vary widely and continue to evolve as every business is different. Some IT teams are struggling with the impact of BYOD (bring your own device) while others are looking for ways to allow guest access without compromising the security of critical systems. The IEEE 802.11 Working Group and Wi-Fi Alliance continue to respond as best they can to emerging enterprise needs in this area. Additionally, leading platform vendors often offer ways to help manage security measures, helping to reduce the resources needed and the overall time spent on IT management.

Wi-Fi continues to grow and adapt to business needs. While 2.4 GHz may be the standard in modern wireless networks, the IEEE 802.11 specifications offer many other options. Wireless networking products using the Wi-Fi brand can operate in the 2.4, 3.6, 5, and 60 GHz frequency bands. Released in December 2013, the IEEE 802.11ac amendment builds on IEEE 802.11n (October 2009) to include wider channels in the 5 GHz band, more spatial streams, higher order modulation, and the addition of Multi-user MIMO (multiple input/multiple output).

“The emergence of IEEE 802.11ac does not require changes to current industry standard security protocols,” said Kevin Robinson, director of program marketing for the Wi-Fi Alliance. “Wi-Fi CERTIFIED ‘ac’ presents an opportunity for companies using older equipment to migrate to newer infrastructure and move away from legacy security mechanisms.”

The Wi-Fi Alliance is in the early stages of developing a certification program known as Suite B, a set of cryptographic methods covering encryption, key exchange, and related technologies for securing data in ultra-sensitive environments. Suite B will likely be the next level of wireless protection. Until then, we have Wi-Fi with WPA2 and protected management frames, which should suffice for the vast majority of modern organizations.

Make sure your group has adopted the latest technologies described here. Enjoy the convenience and productivity of Wi-Fi, but do it securely.
