Thursday, June 25, 2015

Break the PSK Habit!

Many of us are guilty (I know I am), or have inherited it from a predecessor, of setting a WPA/WPA2 (or, even worse, WEP) personal mode password, or PSK, on our wireless network. This is surely the easiest way to get wireless security up and running, both for yourself and for the people and clients you are providing access to. However, it is far from secure. Enter WPA2-enterprise mode; don’t let the term fool you. Just because it says enterprise doesn’t mean it’s for enterprise environments only, or that it comes with a hefty price tag. The task of setting up enterprise mode security on your wireless network is not quite as daunting as it once seemed. With so many networks getting hacked and experiencing security breaches, securing the wireless side is just as important as securing the wired side.

Because the passwords of WEP and WPA/WPA2-PSK wireless networks are stored on the devices used to access them (usually in plain text), your network is vulnerable to attack. There are several scenarios in which this can happen to you; the most common is a device becoming lost or stolen. To protect your network and all the data within it, you would have to change the PSK not only on the AP or wireless controller itself, but on every device as well, in order to prevent a potential breach.

So, how can you make a change for the better? Let’s dive into the benefits of enterprise mode security and explore how it can fit not only large enterprises but the SMB space as well.

802.1X authentication provides an extra layer of security for a wireless network and is, overall, a better choice for business networks. One of the main requirements for this method of authentication is a Remote Authentication Dial-In User Service (RADIUS) server. Essentially, each user presents a username and password to gain access to wireless services. In fact, if you are already running Windows Active Directory, then you are halfway there! Installing Network Policy Server (NPS) will take you the rest of the way. Don’t have Active Directory? No worries, there is a plethora of RADIUS servers available, ranging from open source to hosted solutions.

In the event of a lost or stolen device, using WPA2-enterprise mode and disabling the user’s account or changing their password is a far easier way to keep your network secure than making a wholesale security change across your entire infrastructure. Another flaw that personal mode is prone to is eavesdropping. This allows an attacker to “listen” to all the wireless traffic exchanged by the victim’s wireless device and gain access to sensitive information. It is done by decrypting the traffic sent between devices and APs with the wireless key that was easily obtained from the lost or stolen device. With enterprise mode, decrypting in this fashion is not possible: each client’s session keys are derived from its own authentication exchange with the RADIUS server, so there is no shared key to recover from a lost device.
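To make the difference between the two modes concrete, here is the same access point expressed both ways in hostapd.conf syntax (hostapd is a common open-source AP daemon; this is an added illustration, not configuration from the original post). The interface name, SSIDs, addresses and secrets are constructed placeholders, and the RADIUS server stands in for whatever you run, such as Windows NPS.

```ini
# --- hostapd.conf, personal mode (WPA2-PSK) ---
# One passphrase is shared by the AP and every client. Whoever holds it
# (for example, recovered from a lost device) holds the key to the network,
# and revoking it means re-keying the AP and every client.
interface=wlan0
ssid=ExampleNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder value
wpa_passphrase=CHANGE-ME-shared-secret

# --- hostapd.conf, enterprise mode (WPA2-EAP / 802.1X) ---
# The AP relays each user's 802.1X/EAP authentication to a RADIUS server.
# Per-session keys come out of that exchange, so there is no network-wide
# passphrase; a lost device is locked out by disabling one account.
interface=wlan0
ssid=ExampleNet-Enterprise
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# use the external RADIUS server rather than hostapd's built-in EAP server
eap_server=0
# AP's own address and identifier, sent as NAS attributes (constructed)
own_ip_addr=192.0.2.1
nas_identifier=ap1.example.com
# RADIUS authentication server (constructed address; port 1812 is standard)
auth_server_addr=192.0.2.10
auth_server_port=1812
# placeholder value; shared only between this AP and the RADIUS server
auth_server_shared_secret=CHANGE-ME-radius-secret
```

Note that the only secret left on the enterprise-mode AP is the RADIUS shared secret, which never reaches client devices.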

Along with these advantages come additional features that assist in the overall security of your network. By requiring users to authenticate to a RADIUS server upon connecting, you can specify unique policies that enforce a variety of limits, including time-of-day, device, and AP restrictions. With 802.1X, the ability to control port access on supporting switches is also a great benefit for security-conscious admins.

In certain cases, implementing an 802.1X solution may not be practical, especially for devices that are not compatible. As time goes on, this is becoming less and less the case; many smart devices now have the capability built into their software to authenticate against a WPA2-enterprise mode network. There are a couple of options for devices that cannot handle this mode, and most of them are less than ideal, ranging from MAC authentication to setting up a separate SSID with a PSK for those devices. Neither is a wise path when implementing WPA2-enterprise mode security, as MAC addresses are too easily spoofed and a separate SSID using a PSK defeats the purpose of enterprise mode. Ideally, those devices would be put on the wire; where that is not possible, a wireless bridge that authenticates using enterprise mode (with the device’s internal WiFi disabled) is the better choice.

It is much less time-consuming and simpler to implement personal mode, or a PSK, when deploying security on a wireless network. Taking the time to deploy WPA2-enterprise mode may seem challenging and not worth the effort, and it’s true that the tradeoffs need to be weighed carefully. Are you willing to deal with the repercussions of an attack? Or is securing your wireless network with WPA2-enterprise mode the more practical and secure long-term solution? I know my answer.
