
HPE Aruba Networking Blogs

3 Practical Steps to Securing Wi-Fi

By Scott Lester, Blog Contributor


We hear stories of breaches and security nightmares almost daily in the IT business. At the same time, ever-increasing numbers of people spend their days trying to break into networks (ethically, of course) so that breaches are stopped before they happen. Recently a research paper was published claiming that WPA3, the brand-new Wi-Fi security standard, was broken. In light of that paper, I felt that sharing my methodology for protecting a Wi-Fi network would be useful to others.

Before we get started, I wanted to give a short background on the research paper mentioned above. As you may know, one of the people key to the creation of WPA3 was Aruba's very own Dan Harkins. Dan was instrumental in creating the RFC that formed the basis of how WPA3 operates (RFC 7664, the Dragonfly key exchange) and even shared a bit of his insight in episode #8 of the Aruba Unplugged podcasts.

In a recent blog post, Dan explains the WPA3-Personal handshake, SAE, which is commonly referred to as Dragonfly after the key exchange it is built on. According to Dan, while there are some flaws, they are not serious in nature. The vast majority of the issues found in the "Dragonblood" research paper (Vanhoef and Ronen, 2019) are issues with particular implementations of the standard, such as side channels in how the password element is computed, and not with the standard itself. This leaves us with a much-improved standard for securing our Wi-Fi networks. So, is WPA3 broken? Absolutely not.

Now for the good part. How should you be protecting your Wi-Fi network these days?

While there isn't a one-size-fits-all package for securing every network, there are a few things that will increase the security posture of almost any network.

1. Use certificate-based authentication.

For years, the biggest complaint about implementing certificate-based authentication has been the time and skills needed to provision clients properly. With tools such as Aruba ClearPass, onboarding new devices and users onto the network has become easier than ever.

Here’s a fun story. I recently implemented EAP-TLS on my home network, and the project could have easily turned into a disaster with the CEO of the house (my wife). However, she was kind enough to allow me to keep my job as CTO, after showing her just how simple it was to connect her devices via the ClearPass onboarding process.

With onboarding vastly simplified over the years, stringent security measures no longer look like something that takes a Ph.D. to use. Simply put, authenticating with certificates (EAP-TLS under WPA2/3-Enterprise) is the strongest approach we have today, because there is no password for an attacker to guess. A WPA2-PSK network can be attacked offline by anyone who captures a single 4-way handshake and has a wordlist, and the Dragonblood research showed that password-based methods such as WPA3's SAE and EAP-pwd (which is less common these days) can leak enough through side channels in flawed implementations to mount a similar guessing attack against a weak password. None of those attacks apply to EAP-TLS, where the client proves possession of a private key rather than knowledge of a password. KRACK was a different kind of flaw: a key-reinstallation bug in clients' handling of the 4-way handshake that affected PSK and Enterprise networks alike, and it is fixed by patching clients rather than by changing the authentication method. Taken together, this is more evidence that we should migrate away from pre-shared key based methods.

But what about those IoT devices, or other headless devices that don’t support things like EAP-TLS, or WPA2/3-Enterprise security?

2. Use certificate-based authentication until you can’t, then use Wi-Fi Enhanced Open.

Now, obviously Wi-Fi Enhanced Open, based on the Opportunistic Wireless Encryption (OWE) standard from RFC 8110, authenticates nobody and so gives us far less visibility into who is using the network, but it does put every client's traffic under its own encryption key, negotiated by a Diffie-Hellman exchange during association. A person using a mobile banking app over public Wi-Fi no longer has to worry about someone passively sniffing the air for account credentials or other personally identifiable information. The caveat is that, because neither side is authenticated, OWE does nothing against an active attacker who stands up an access point with the same SSID and relays traffic, so application-layer protection such as TLS still matters. Even so, I'll take some security over "open" security any day.
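The exchange described above, as an added example that is not code from the original post or from Aruba: the client and AP each contribute an ephemeral P-256 public key, derive the PMK with HKDF as RFC 8110 specifies, and then continue into the normal 4-way handshake. The second function plays out the caveat: an attacker who answers the client's association and separately associates to the real AP ends up holding both PMKs, and nothing in the exchange lets either side notice. The affine curve arithmetic is textbook demonstration code rather than a production library, and public keys are encoded as the raw x-coordinate as a simplification.

```python
"""OWE (Wi-Fi Enhanced Open, RFC 8110) in miniature: encryption without authentication.

Added example, not code from the original post or from Aruba. The client puts an
ephemeral Diffie-Hellman public key in its association request, the AP answers with
its own, and both derive the PMK with HKDF as RFC 8110 section 4.4 specifies. The
affine P-256 arithmetic below is textbook code for illustration (not constant-time,
no point validation); public keys are encoded as the raw x-coordinate as a simplification.
"""
import hashlib
import hmac
import secrets

# NIST P-256, IANA group 19, the group every OWE implementation must support.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GROUP = 19


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (demo only, not constant-time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def keypair():
    priv = secrets.randbelow(N - 1) + 1
    return priv, ec_mul(priv, G)


def encode(pub):
    return pub[0].to_bytes(32, "big")  # x-coordinate only, as carried in the DH Parameter element


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]


def owe_pmk(my_priv, peer_pub, client_pub, ap_pub):
    """RFC 8110: prk = HKDF-extract(C | A | group, z); PMK = HKDF-expand(prk, "OWE Key Generation", n)."""
    z = ec_mul(my_priv, peer_pub)[0].to_bytes(32, "big")  # ECDH shared secret, x-coordinate
    salt = encode(client_pub) + encode(ap_pub) + GROUP.to_bytes(2, "big")
    return hkdf_expand(hkdf_extract(salt, z), b"OWE Key Generation", 32)


def honest_association():
    """Client and AP agree on a PMK; a passive sniffer sees only the two public keys."""
    c_priv, c_pub = keypair()
    a_priv, a_pub = keypair()
    on_the_air = (encode(c_pub), encode(a_pub))
    return owe_pmk(c_priv, a_pub, c_pub, a_pub), owe_pmk(a_priv, c_pub, c_pub, a_pub), on_the_air


def evil_twin_association():
    """An active attacker answers the client as 'the AP' and associates to the real AP itself.
    OWE has no way for either side to notice, so the attacker ends up holding both PMKs."""
    c_priv, c_pub = keypair()
    a_priv, a_pub = keypair()
    m_priv, m_pub = keypair()
    client_pmk = owe_pmk(c_priv, m_pub, c_pub, m_pub)    # client believes m_pub is the AP
    mitm_client_side = owe_pmk(m_priv, c_pub, c_pub, m_pub)
    mitm_ap_side = owe_pmk(m_priv, a_pub, m_pub, a_pub)  # attacker is the "client" to the real AP
    ap_pmk = owe_pmk(a_priv, m_pub, m_pub, a_pub)
    return {
        "attacker_has_client_key": client_pmk == mitm_client_side,
        "attacker_has_ap_key": ap_pmk == mitm_ap_side,
        "client_and_ap_agree": client_pmk == ap_pmk,
    }
```

Running `honest_association()` shows the two sides agreeing on a 32-byte PMK while the only bytes on the air are two public keys; `evil_twin_association()` shows why that is not the same as authentication. The defence against the second case is not in OWE itself: it is the TLS inside the banking app, or a move to certificate-based authentication where the AP proves its identity.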

OK, so you want me to use certificates until I can't, then use OWE. What do I do if I can't use either? If you are in the unfortunate situation where neither of these options is available, there is one final recommendation I can make.

3. Utilize a PSK network with dynamic segmentation.

As we all know, there will be times when, because of device age or other circumstances, there simply isn't a foolproof method of securing a device or the network. In those instances, your best bet is a pre-shared key network combined with a device profiling solution (such as the new Aruba ClearPass Device Insight).

Where a PSK or open network is required, it is of the utmost importance to profile devices so that they can be identified and additional controls (VLAN or role assignment, firewall policy, rate limits) applied further down the line. Keep in mind what a PSK does and does not give you: every device shares the same passphrase, so any device that knows it and captures a peer's 4-way handshake can derive that peer's session keys, and the passphrase itself can be guessed offline from a single captured handshake. Use a long, random passphrase, change it when a device that held it leaves the network, and treat the PSK SSID as an untrusted segment whose devices get only the access their profile justifies. I'm sure you've heard of defense in depth, and Wi-Fi networks should be no different.
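The two PSK weaknesses this post leans on, the offline guessing attack cited under step 1 and the shared-session-key problem behind step 3, both come from the same key derivation, so here is one added example (not code from the original post or from Aruba) that walks through it. The derivation itself is the standard WPA2 one: PBKDF2-HMAC-SHA1 for the PMK, the IEEE 802.11 PRF for the PTK, and HMAC-SHA1 for the EAPOL-Key MIC. The SSID, MAC addresses, nonces, EAPOL frame and wordlist are constructed for the demo.

```python
"""WPA2-PSK: one passphrase, testable offline, and shared by every device.

Added example, not code from the original post or from Aruba. Everything an
attacker needs to test passphrases is transmitted in the clear during the 4-way
handshake: the SSID, both MAC addresses, both nonces and the MIC on message 2.
Only the passphrase is secret. The derivation follows IEEE 802.11 for WPA2;
the SSID, MACs, nonces, EAPOL frame and wordlist below are constructed.
"""
import hashlib
import hmac

SSID = "corp-iot"                                   # constructed
AA = bytes.fromhex("001122334455")                  # constructed AP MAC
SPA = bytes.fromhex("66778899aabb")                 # constructed station MAC
ANONCE = bytes(range(32))                           # constructed nonces (real ones are random)
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP / PSK
WORDLIST = ["password", "12345678", "Summer2019!", "letmein123"]      # constructed


def pmk_from_passphrase(passphrase, ssid):
    # IEEE 802.11: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    # IEEE 802.11 PRF: concatenated HMAC-SHA1(K, A || 0x00 || B || i) for i = 0, 1, ...
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def build_msg2(snonce, rsn_ie):
    # EAPOL-Key message 2 of 4 with the MIC field zeroed, which is the input to the MIC.
    body = (
        b"\x02"                          # descriptor type: RSN
        + b"\x01\x0a"                    # key info: MIC | pairwise | descriptor version 2 (HMAC-SHA1)
        + b"\x00\x10"                    # key length 16 (CCMP)
        + (1).to_bytes(8, "big")         # replay counter
        + snonce
        + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, reserved
        + bytes(16)                      # MIC, zero while computing it
        + len(rsn_ie).to_bytes(2, "big") + rsn_ie
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # 802.1X version 2, EAPOL-Key


def eapol_mic(kck, eapol_frame):
    # Descriptor version 2: MIC = first 16 bytes of HMAC-SHA1(KCK, frame with MIC zeroed)
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def simulate_capture(passphrase):
    """What a sniffer sees when a legitimate station joins: every public field plus the MIC."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    frame = build_msg2(SNONCE, RSN_IE)
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": frame, "mic": eapol_mic(ptk[:16], frame)}


def _ptk_for(passphrase, capture):
    return derive_ptk(pmk_from_passphrase(passphrase, capture["ssid"]), capture["aa"],
                      capture["spa"], capture["anonce"], capture["snonce"])


def recover_passphrase(candidates, capture):
    """Step 1's point: a candidate is right exactly when its KCK reproduces the captured MIC.
    Nothing further is sent to the network, so the guessing is invisible and unlimited."""
    for candidate in candidates:
        kck = _ptk_for(candidate, capture)[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None


def peer_session_key(passphrase, capture):
    """Step 3's point: any device that knows the PSK and saw a peer's handshake holds that
    peer's CCMP temporal key (KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48])."""
    return _ptk_for(passphrase, capture)[32:48]
```

`recover_passphrase(WORDLIST, simulate_capture("Summer2019!"))` returns the passphrase after four PBKDF2 runs; with a long random passphrase the same call returns `None`, which is why the quality of the PSK matters. `peer_session_key` makes the segmentation argument concrete: the PSK gives no confidentiality between devices on the same SSID, so what separates a compromised IoT gadget from the rest of the network has to be the role, VLAN or policy that profiling assigns it, not the Wi-Fi encryption.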

While I’m not a security expert by any means, I believe that following the steps above will bring increased protection to Wi-Fi networks everywhere and help network administrators sleep well knowing their network is secure.