Wi-Fi is a Passion


Designing for security

Security is a hot topic, and in wireless it is one of the first things to decide on: how are you going to implement security in the wireless network? Will you use passphrases or RADIUS, and which EAP type and which encryption will you select?

WPA-PSK and WPA2-PSK use a pre-shared key (PSK), better known as a passphrase: the user enters the passphrase before getting access to the wireless network. This is often called WPA-Personal or WPA2-Personal, and as the name suggests it is meant for personal environments such as your home network. In a company you will still run into devices (printers, scanners, IoT and medical equipment) that do not support WPA- or WPA2-Enterprise. For those devices you either configure a separate PSK SSID or make an exception for them in the RADIUS server, typically MAC authentication bypass (MAB). In both cases keep them in their own VLAN with restricted access, because a PSK that has to be typed into a shared device will eventually leak and a MAC address is trivial to spoof.

When you select WPA- or WPA2-Enterprise, you need a RADIUS server. There are several to choose from, such as FreeRADIUS, Cisco ISE, Aruba ClearPass or Microsoft NPS (the RADIUS role in Windows Server). A RADIUS server can keep its own database of usernames and passwords, but it can also query an external directory. The most common directory is Microsoft Active Directory, but there are free directory services on Linux as well, such as OpenLDAP.

After setting this up, you need to select the EAP type. During my CWSP I wrote a blog about the different EAP types. Do you have a PKI in the company? If so, EAP-TLS, or EAP-TLS tunnelled inside PEAP, is a good choice, because both the server and the client authenticate with a certificate. Other common EAP types, such as EAP-TTLS and PEAP (EAP-MSCHAPv2), only need a certificate on the server side and authenticate the user with a username and password inside the TLS tunnel; EAP-FAST can build its tunnel from a PAC file instead of a server certificate. With these tunnelled methods the client must be configured to validate the server certificate (CA and expected server name), otherwise a rogue access point with its own RADIUS server can collect the MSCHAPv2 credentials. Some EAP types should no longer be selected because of known weaknesses, for example EAP-MD5 and Cisco's LEAP.

For wireless, there are two ciphers: RC4 and AES. CCMP uses AES and is mandatory in WPA2 (it was already optional in WPA). RC4 is used by WEP and by TKIP, the WPA cipher. TKIP is still optional in WPA2 for backward compatibility, but 802.11n and newer do not allow the high-throughput rates when the pairwise cipher is TKIP or WEP, so such a client is limited to legacy rates (54 Mbps at most). Of course you want to select the strongest encryption possible, but you have to design for the client: if a client does not support AES, you are forced to allow TKIP (RC4) for it. Do that on a separate SSID for the legacy clients rather than enabling mixed TKIP/AES mode on the main SSID, because in mixed mode the group key for broadcast and multicast falls back to the weakest cipher that every client supports, and TKIP has known weaknesses.

Wi-Fi Protected Setup (WPS) configures security with one push of a button: you put the access point or router in WPS mode, then the client, and the two negotiate a unique set of security parameters. WPS also has a PIN method, and that 8-digit PIN can be brute-forced in a matter of hours because the AP confirms each half of the PIN separately and the last digit is a checksum, after which the attacker is handed the PSK. Because of this, WPS should be disabled in enterprise deployments, and at home wherever the router allows it.

Per-User Pre-Shared Key (PPSK; vendors also call it Private PSK, Identity PSK or MPSK) is not implemented by all vendors, but it is a nice feature: every client gets its own PSK instead of one PSK for all users. It is more secure than a single shared PSK, but not as secure as an 802.1X/EAP implementation (depending on the selected EAP type). The advantages: when a password has to be replaced because someone shared it, you only change it for that one user instead of reconfiguring every device; accounting is better, because every user has an identity of their own; and users are protected from each other, because a client that knows only its own PSK cannot derive another client's pairwise keys from the captured 4-way handshake and therefore cannot decrypt that client's unicast traffic. With a single shared PSK, anyone who knows the passphrase and captures the handshake can.
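The following is an added example for this post (not code from the original, and not any vendor's implementation) that makes the difference between a shared PSK and a per-user PSK concrete for both paragraphs above. It implements the IEEE 802.11 WPA2-Personal derivations (passphrase to PMK with PBKDF2-HMAC-SHA1, PMK to PTK with PRF-384, and the EAPOL-Key MIC) and then replays the 4-way handshake as a passive listener sees it. The SSID, MAC addresses, nonces, EAPOL body and passphrases are constructed values.

```python
"""WPA2-Personal key derivation: why one shared PSK lets any passphrase holder
recover another client's session keys, and why a per-user PSK does not.

Added example, not code from the original post. Implements the IEEE 802.11
derivations: passphrase -> PMK (PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits),
PMK -> PTK (PRF-384 over both MAC addresses and both nonces of the 4-way
handshake) and the EAPOL-Key MIC (HMAC-SHA1 truncated to 128 bits, as used
with the PSK/CCMP AKM). All addresses, nonces, bodies and passphrases below
are constructed values, not captured ones.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs and nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes):
    """KCK (signs EAPOL-Key frames), KEK (wraps the GTK), TK (CCMP key for data frames)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


# Everything below is visible in the clear to anyone in range during the
# 4-way handshake (constructed values; nonces fixed so the run is repeatable).
SSID = "corp-iot"
AA = bytes.fromhex("001122334455")   # access point (authenticator)
SPA = bytes.fromhex("66778899aabb")  # client (supplicant)
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2 = bytes.fromhex("0203005f02010a00") + b"\x00" * 91  # EAPOL-Key message 2, MIC field zeroed


def msg2_mic_for(psk: str) -> bytes:
    """MIC the client puts in message 2, computed with the KCK derived from its own PSK."""
    kck, _, _ = split_ptk(ptk_from_pmk(pmk_from_passphrase(psk, SSID), AA, SPA, ANONCE, SNONCE))
    return eapol_mic(kck, MSG2)


def recover_tk(known_psk: str, observed_mic: bytes):
    """Return the victim's TK if the PSK we know reproduces the observed MIC, else None."""
    kck, _, tk = split_ptk(ptk_from_pmk(pmk_from_passphrase(known_psk, SSID), AA, SPA, ANONCE, SNONCE))
    return tk if hmac.compare_digest(eapol_mic(kck, MSG2), observed_mic) else None


def identify_user(psk_table: dict, observed_mic: bytes):
    """One way an AP with per-user PSKs learns who is connecting: try every
    configured PSK until the MIC verifies (real products also key on MAC address)."""
    for user, psk in psk_table.items():
        if recover_tk(psk, observed_mic) is not None:
            return user
    return None


def shared_psk_exposes_session() -> bool:
    """Single shared PSK: an insider who knows it recovers Bob's TK from the handshake."""
    shared = "Welcome2023!"
    return recover_tk(shared, msg2_mic_for(shared)) is not None


def per_user_psk_exposes_session() -> bool:
    """Per-user PSK: Alice's own key does not reproduce Bob's MIC, so no TK for her."""
    return recover_tk("alice-Sk8r-boi-2023", msg2_mic_for("bob-qUiet-R1ver")) is not None


if __name__ == "__main__":
    print("shared PSK, Bob's session recoverable by Alice:", shared_psk_exposes_session())
    print("per-user PSK, Bob's session recoverable by Alice:", per_user_psk_exposes_session())
```

The handshake never carries the PMK, only the nonces and a MIC keyed with the KCK, so everything an attacker is missing with a per-user PSK is the other user's passphrase. Note that a weak per-user passphrase is still offline-crackable from the same capture; PPSK limits the blast radius of a leaked key, it does not remove the need for strong passphrases.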

When you are designing open networks for hotspots, the traffic itself needs to be protected with a VPN, because an open SSID has no encryption at all and anyone in range can read it. This is not always under your control; in a café type environment you do not know who your visitors are. What you can do is instruct your own employees who visit those kinds of locations to use HTTPS websites, SFTP for file transfer and a VPN on their clients. As a wireless designer, you may need to recommend solutions that work with the infrastructure you design for the company.

Endpoint security
Staying with the clients: those need to be secured as well. Most of the time this is the responsibility of the workplace team, but you need to know which features are available, such as antivirus, configuration (posture) checks, a local proxy and content filtering. Some of these are features that you as a network engineer implement on the network infrastructure, for example a posture check that the RADIUS server enforces before a client gets its VLAN, or content filtering on the proxy.

I wrote some blogs about Wireless Intrusion Prevention Systems during my preparation for CWSP. A WIPS classifies wireless devices as trusted or known, reports changes, collects data and recognizes potential threats such as rogue access points and evil twins. There are software-based, hardware-based (dedicated sensors) and cloud-managed solutions. Where a WIDS (detection) can only detect and alert, a WIPS can also prevent by taking countermeasures against the detected intrusion, for example containing a rogue AP by deauthenticating the clients connected to it. Be careful with automatic containment: deauthenticating a neighbour's legitimate AP is an attack on someone else's network and can get you into legal trouble, so make sure the classification is right before you let the system act on it.
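As an added example for this paragraph (not code from the original post or from any WIPS product), the following script performs the classification step that decides whether a WIPS is allowed to take countermeasures. It takes an inventory of authorized APs, a switch MAC table and two consecutive scans of observed beacons, all constructed values, classifies each BSSID and reports what changed between the scans. The "rogue on the wire" check is a common WIPS heuristic: AP radios use MAC addresses derived from the wired interface, so a BSSID within a few addresses of a MAC seen on a switch port is probably plugged into your LAN.

```python
"""Classifying observed access points the way a WIPS does.

Added example, not code from the original post or any WIPS product. Takes an
inventory of authorized APs, a switch MAC table and observed beacons (all
constructed values) and classifies each BSSID as authorized, misconfigured,
evil-twin, rogue-on-wire or neighbour, then diffs two scans to report changes.
"""
from dataclasses import dataclass

# Known-good APs: BSSID -> the SSID it is supposed to advertise (constructed)
AUTHORIZED_APS = {
    "00:11:22:33:44:50": "corp-secure",
    "00:11:22:33:44:51": "corp-guest",
}
CORPORATE_SSIDS = {"corp-secure", "corp-guest"}
# MAC addresses learned on access switch ports (constructed)
WIRED_MACS = {"00:11:22:33:44:4f", "00:aa:bb:cc:dd:e0"}


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    rssi: int


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def near_wired_mac(bssid: str, wired_macs, window: int = 16) -> bool:
    """Heuristic: BSSID within `window` addresses of a MAC seen on the wire.
    Produces false positives when a neighbour's AP and one of your wired
    devices happen to come from the same vendor batch, so treat it as a lead."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(w)) <= window for w in wired_macs)


def classify(beacon: Beacon, authorized=AUTHORIZED_APS, corp_ssids=CORPORATE_SSIDS, wired=WIRED_MACS) -> str:
    if beacon.bssid in authorized:
        # our own radio, but is it broadcasting what it should?
        return "authorized" if beacon.ssid == authorized[beacon.bssid] else "misconfigured"
    if beacon.ssid in corp_ssids:
        return "evil-twin"          # our SSID from a radio we do not own
    if near_wired_mac(beacon.bssid, wired):
        return "rogue-on-wire"      # unknown AP that appears to sit on our LAN
    return "neighbour"              # unknown AP, unknown SSID: report only


CONTAINABLE = {"evil-twin", "rogue-on-wire"}   # classes a WIPS may actively contain


def scan_report(beacons) -> dict:
    """BSSID -> (ssid, class) for one scan."""
    return {b.bssid: (b.ssid, classify(b)) for b in beacons}


def diff_scans(previous: dict, current: dict) -> dict:
    """Report changes between two scan reports: new, vanished and changed BSSIDs."""
    return {
        "new": sorted(set(current) - set(previous)),
        "gone": sorted(set(previous) - set(current)),
        "changed": sorted(b for b in set(current) & set(previous) if current[b] != previous[b]),
    }


def containment_targets(beacons) -> list:
    """BSSIDs a WIPS would be allowed to contain; neighbours are never touched."""
    return sorted(b.bssid for b in beacons if classify(b) in CONTAINABLE)


# Constructed observations from one sensor, two scans a few minutes apart
SCAN_1 = [
    Beacon("00:11:22:33:44:50", "corp-secure", 6, -48),
    Beacon("00:11:22:33:44:51", "corp-guest", 6, -49),
    Beacon("ca:fe:00:00:00:01", "cafe-free", 11, -82),
]
SCAN_2 = [
    Beacon("00:11:22:33:44:50", "corp-secure", 6, -47),
    Beacon("00:11:22:33:44:51", "test-open", 6, -50),      # someone changed the guest SSID
    Beacon("de:ad:be:ef:00:01", "corp-secure", 1, -40),    # evil twin, strong signal
    Beacon("00:aa:bb:cc:dd:e4", "free-wifi", 1, -61),      # next to a wired MAC: rogue on wire
    Beacon("ca:fe:00:00:00:01", "cafe-free", 11, -80),
]


if __name__ == "__main__":
    for bssid, (ssid, cls) in scan_report(SCAN_2).items():
        print(f"{bssid}  {ssid:<12} {cls}")
    print("changes:", diff_scans(scan_report(SCAN_1), scan_report(SCAN_2)))
    print("contain:", containment_targets(SCAN_2))
```

The important design choice is the last function: only the evil-twin and rogue-on-wire classes are ever handed to the containment logic, and everything classified as neighbour is reported but left alone. A real deployment would also feed the wired side (switch port, VLAN) into the report so an operator can pull the cable instead of relying on over-the-air deauthentication.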