Because Wi-Fi signals don’t stop at your office’s brick walls, anyone in the parking lot can “see” your network. If you aren’t using strong encryption, they can “sniff” your traffic out of the air with nothing more than a laptop and a wireless card in monitor mode. Today we’ll look at how wireless security has evolved and how to do it right.
1. The Evolution of Encryption
We’ve come a long way since the early days of Wi-Fi. For the Network+ exam, you should know why the older technologies are no longer used.
- WEP (Wired Equivalent Privacy): Deprecated. It was broken years ago: it uses the RC4 cipher with a short 24-bit initialization vector, and once enough packets have been captured, freely available tools recover the key in minutes. Never use it.
- WPA (Wi-Fi Protected Access): A stopgap for WEP. It kept RC4 but wrapped it in TKIP (Temporal Key Integrity Protocol) so existing hardware could be patched. TKIP is also now considered insecure and is deprecated.
- WPA2: The current standard for most networks. It uses AES (in CCMP mode) and is secure in practice, with one caveat: in Personal mode the password can still be guessed offline from a captured handshake, so the passphrase must be long and random.
- WPA3: The newest and strongest. It replaces the PSK handshake with SAE (“Simultaneous Authentication of Equals”), which stops offline password-guessing attacks because every guess requires a live exchange with the access point, and it adds forward secrecy. If your hardware supports it, use it!
2. PSK vs. Enterprise (802.1X)
How do people log in? This is the biggest difference between your home Wi-Fi and your office’s Wi-Fi.
WPA2/WPA3-Personal (PSK)
Everyone uses the same Pre-Shared Key (the password).
- The Problem: Every device holds the same secret. If one employee shares the password with everyone, or if an employee leaves, you have to change it on every access point and every device to stay secure.
WPA2/WPA3-Enterprise (802.1X)
Users log in with their own unique credentials (typically their domain username and password, or a per-device certificate when EAP-TLS is used).
- How it works: The wireless access point acts as the authenticator. It never holds a shared password; it relays the client’s EAP exchange to a RADIUS server (Remote Authentication Dial-In User Service), which checks the credentials against a directory such as Active Directory. Each successful login produces a per-session encryption key, so one user cannot decrypt another’s traffic. One caveat: clients must be configured to validate the RADIUS server’s certificate, otherwise a rogue AP broadcasting a look-alike SSID can harvest their credentials.
- The Benefit: If an employee is put on leave, quits, or is fired, you just disable their account. Nothing changes for anyone else.
3. Captive Portals
Have you ever connected to Wi-Fi at a hotel or an airport and a web page popped up asking you to “Agree to Terms”? That’s a Captive Portal.
- In most businesses: These are used for guest Wi-Fi. Visitors get internet access without needing our internal passwords, while still being forced to accept our “Acceptable Use Policy.” Keep in mind that a captive portal only controls access; it does not encrypt anything, so guest traffic should sit on its own VLAN, isolated from the internal network.
4. The “Support Associate” Reality: Rogue AP Detection
As an IT professional, one of the biggest security threats you will deal with is the “Rogue Access Point.”
- The Threat: An employee plugs a cheap consumer router into the wall jack under their desk to create their own private Wi-Fi. That router is now a wireless door into the wired LAN that bypasses the firewall, NAC and wireless security policies you put in place, and anyone within range can walk through it.
- The Solution: Most professional wireless LAN controllers (WLCs) have “Rogue Detection.”
- They scan the airwaves for any access point that isn’t yours, correlate what they see with MAC addresses on the wired side to tell a rogue on your LAN from a neighbour’s network, and can “contain” the rogue by sending de-authentication frames so clients cannot stay connected to it. Two caveats: containment by deauthentication does not work against rogues that use Protected Management Frames (802.11w, mandatory in WPA3), and it should only ever be aimed at devices on your own network and premises.
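The triage a WLC performs can be reproduced on a scan you take yourself. The following is an added example, not code from the original post: it classifies each beacon from a constructed scan result against an assumed inventory of authorized BSSIDs, corporate SSIDs and a wired-side MAC table, and goes slightly beyond the post’s scenario by also flagging an “evil twin” (an unknown radio broadcasting your SSID). The wired-correlation rule is a heuristic: consumer routers usually assign consecutive MAC addresses to their wired and wireless interfaces, so a BSSID whose first five octets match a MAC seen on a switch port is very likely plugged into your LAN.

```python
"""Rogue AP triage over a wireless scan, as an added example (not the post's code).

Input is a constructed list of beacons (BSSID, SSID, channel, RSSI) of the kind a
WLC or a laptop in monitor mode reports. The authorized inventory, corporate
SSIDs and wired-side MAC table below are assumptions for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Beacon:
    bssid: str      # AP radio MAC, "aa:bb:cc:dd:ee:ff"
    ssid: str
    channel: int
    rssi_dbm: int   # signal strength; closer to 0 is stronger


# Constructed inventory (assumptions, not from the post).
AUTHORIZED_BSSIDS = frozenset({"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"})
CORPORATE_SSIDS = frozenset({"CorpWiFi", "CorpGuest"})
WIRED_MACS = frozenset({"a4:2b:8c:12:34:56", "3c:52:82:00:00:10"})  # from the switch MAC table

SEVERITY = {"evil-twin": 3, "rogue-on-wire": 3, "neighbor": 1, "authorized": 0}


def _shares_mac_block(bssid: str, wired_mac: str) -> bool:
    """Heuristic: wired and wireless MACs of the same cheap router differ only in
    the last octet, so matching first five octets means 'this radio is on our LAN'."""
    return bssid.lower().split(":")[:5] == wired_mac.lower().split(":")[:5]


def classify(beacon: Beacon, authorized_bssids: FrozenSet[str],
             corporate_ssids: FrozenSet[str], wired_macs: FrozenSet[str]) -> str:
    """Return one of: authorized, evil-twin, rogue-on-wire, neighbor."""
    bssid = beacon.bssid.lower()
    if bssid in authorized_bssids:
        return "authorized"
    if beacon.ssid in corporate_ssids:
        # Our SSID from a radio we don't own: credential-harvesting risk.
        return "evil-twin"
    if any(_shares_mac_block(bssid, m) for m in wired_macs):
        # The post's scenario: an employee's router on a wall jack, a backdoor into the LAN.
        return "rogue-on-wire"
    return "neighbor"   # external network; usually benign, worth a look if the signal is strong


def triage(beacons: List[Beacon], authorized_bssids: FrozenSet[str],
           corporate_ssids: FrozenSet[str], wired_macs: FrozenSet[str]) -> List[Dict]:
    """Classify every beacon; return non-authorized findings, most severe and strongest first."""
    findings = []
    for b in beacons:
        verdict = classify(b, authorized_bssids, corporate_ssids, wired_macs)
        if verdict == "authorized":
            continue
        findings.append({
            "bssid": b.bssid, "ssid": b.ssid, "channel": b.channel,
            "rssi_dbm": b.rssi_dbm, "verdict": verdict, "severity": SEVERITY[verdict],
        })
    return sorted(findings, key=lambda f: (-f["severity"], -f["rssi_dbm"]))


# Constructed scan result (assumptions, not from the post).
SCAN = [
    Beacon("00:11:22:aa:bb:01", "CorpWiFi", 6, -40),          # our own AP
    Beacon("de:ad:be:ef:00:01", "CorpWiFi", 11, -55),         # unknown radio using our SSID
    Beacon("a4:2b:8c:12:34:57", "Linda_Hotspot", 1, -35),     # wired MAC ...:56 seen on a switch port
    Beacon("c8:3a:6b:99:99:99", "CoffeeShop_Guest", 1, -80),  # weak, external
]

if __name__ == "__main__":
    for finding in triage(SCAN, AUTHORIZED_BSSIDS, CORPORATE_SSIDS, WIRED_MACS):
        print(f"{finding['verdict']:14} {finding['bssid']}  ssid={finding['ssid']!r}  "
              f"ch={finding['channel']}  rssi={finding['rssi_dbm']} dBm")
```

The two severity-3 verdicts are the ones to act on immediately: the rogue on the wire gets its switch port shut down, and the evil twin gets physically located (a strong RSSI puts it inside the building) before anyone connects to it and hands over credentials.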
🧪 The “Exam Tip” for Network+
While studying, I saw it stated repeatedly that CompTIA loves to ask about geofencing. Geofencing uses GPS or cellular location data to ensure a device can only connect to the network while it is physically inside a defined boundary, such as the grounds of the business. If a work device leaves the area, mobile device management (MDM) can automatically lock it or “wipe” it for security.
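An added example of the check behind that policy, not code from the original post: it computes the great-circle distance from a device’s location fix to the site centre and decides whether to allow access, lock the device, or deny access. The site coordinates, fence radius and device fixes are constructed. The detail worth noticing is the failure mode: with no location fix, or a stale one, the policy fails closed, otherwise a device could slip the fence simply by turning off location services.

```python
"""Geofence check for a managed device, as an added example (not the post's code).

Coordinates, radius and fixes are constructed assumptions. Standard library only.
"""
import math
from typing import Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0
SITE_CENTER = (40.7580, -73.9855)   # assumed office location (lat, lon)
SITE_RADIUS_M = 200.0               # assumed fence radius in metres
MAX_FIX_AGE_S = 300                 # fixes older than five minutes are not trusted


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def inside_geofence(lat: float, lon: float,
                    center: Tuple[float, float] = SITE_CENTER,
                    radius_m: float = SITE_RADIUS_M) -> bool:
    """True when the point lies within radius_m of the site centre."""
    return haversine_m(lat, lon, center[0], center[1]) <= radius_m


def policy_action(fix: Optional[Tuple[float, float]], fix_age_s: Optional[float]) -> str:
    """Decide what the MDM does with the device: 'allow' network access,
    'lock' it because it left the fence, or 'deny' access until a fresh fix arrives."""
    if fix is None or fix_age_s is None or fix_age_s > MAX_FIX_AGE_S:
        return "deny"       # fail closed: no trustworthy location means no access
    lat, lon = fix
    return "allow" if inside_geofence(lat, lon) else "lock"


if __name__ == "__main__":
    # Constructed device reports: about 111 m north of the site, 5.5 km north, and no fix.
    for fix, age in [((40.7590, -73.9855), 10), ((40.8080, -73.9855), 10), (None, None)]:
        print(fix, age, "->", policy_action(fix, age))
```

Whether the outcome of leaving the fence is a lock or a full wipe is a policy decision; the code returns "lock" and leaves escalation to the MDM profile.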
What’s Next?
We’ve secured the building, the ports, and the airwaves. Tomorrow we finish the security pillar with Vulnerabilities and Threats: who the “bad actors” are, what they want, and how to spot a “zero-day” attack.
Sources & Further Reading
- CompTIA Network+ N10-009: Objective 4.4 – Explain wireless security settings.
- The Cyber Ledger: Network Hardening
- Professor Messer: Wireless Networking
This article is an independent summary of my learning journey. All trademarks and copyrighted materials belong to their respective owners.