Most security professionals understand the risks posed by wireless networking and that using Wi-Fi Protected Access (WPA or WPA2) is critical to the security of an environment. After all, failure to encrypt wireless traffic exposes communications to eavesdropping attacks and can open a network to the threat of penetration by outsiders. Most security professionals are also aware that the old Wired Equivalent Privacy (WEP) encryption standard is no longer a viable security mechanism due to several significant WEP security flaws.
With that common understanding, you might assume almost every organization operating a wireless network would have WPA set up in a quick, simple fashion. Unfortunately, that assumption is incorrect. Today I heard from an employee at a very security-aware organization that they had just received a five-page configuration guide explaining how employees could securely connect to the organization's wireless network. Is that really necessary in this day and age? In this tip, we'll discuss how to ensure you have the best Wi-Fi security for your midmarket organization without sacrificing usability.
WPA security: WPA PSK vs. WPA Enterprise
When configuring your WPA wireless network, you have two different options for authentication. One, used by many small businesses and home users, is the pre-shared key (PSK) option. With this approach, you create a single password for your wireless network and provide it to all of your users, who enter it on each of their wireless devices. This is fine for a small home or office with 5-10 users, but it quickly poses a scalability challenge when you expand to a midsized business. Not only do you need to change the password periodically, you must also change it every time a user leaves the organization, and each change means reconfiguring every wireless device on the network. In a 200-employee company with a 10% staff turnover rate, this means you'd be reconfiguring your wireless devices 20 times a year!
The best Wi-Fi security solution, in many cases, is WPA Enterprise, which adds a layer of individual user authentication on top of WPA encryption. Instead of relying upon a single pre-shared key, users wishing to join the network provide their own username and password. The wireless network then contacts a Remote Authentication Dial-In User Service (RADIUS) server to verify the user's credentials. If the user provided the correct password and is authorized to access the wireless network, the RADIUS server instructs the wireless network to accept the connection.
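To make the exchange above concrete, here is an added example (my own code, not part of the original tip and not any vendor's product) that models both sides in Python: the access point, acting as the RADIUS client, wraps the user's credentials in an Access-Request, and the RADIUS server checks them against its user table and answers Access-Accept or Access-Reject. The packet layout, the Request/Response Authenticators and the User-Password hiding follow RFC 2865. A real WPA Enterprise deployment carries EAP inside RADIUS rather than a plain PAP User-Password; that simplification, the shared secret, the `USERS` table, the NAS identifier and function names such as `authenticate` are assumptions made for the example. It also demonstrates the scalability point from the PSK paragraph: removing one departed user from the server's table revokes that user alone, with no change to any access point or client.

```python
import hashlib
import hmac
import os

# RADIUS codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse of encode_user_password; the NUL padding is stripped."""
    if not encoded or len(encoded) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        out += _xor(encoded[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type(1) Length(1, covering Type and Length) Value.
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def parse_packet(data: bytes):
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes.
    if len(data) < 20 or int.from_bytes(data[2:4], "big") != len(data):
        raise ValueError("bad RADIUS length")
    return data[0], data[1], data[4:20], data[20:]


def nas_build_access_request(ident, username, password, secret, nas_id=b"ap-lobby-1"):
    """Access point side: put the user's credentials into an Access-Request."""
    request_auth = os.urandom(16)  # fresh per request; seeds the password hiding
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth)),
                          (ATTR_NAS_IDENTIFIER, nas_id)])
    header = bytes([ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + request_auth + attrs, request_auth


def radius_server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """RADIUS server side: verify the user, answer Accept or Reject."""
    code, ident, request_auth, attr_bytes = parse_packet(request)
    decision = ACCESS_REJECT
    try:
        if code != ACCESS_REQUEST:
            raise ValueError("not an Access-Request")
        attrs = decode_attrs(attr_bytes)
        password = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
        expected = user_db.get(attrs[ATTR_USER_NAME])  # None for unknown or removed users
        if expected is not None and hmac.compare_digest(password, expected):
            decision = ACCESS_ACCEPT
    except (KeyError, ValueError):
        pass  # malformed request: fall through to Reject
    header = bytes([decision, ident]) + (20).to_bytes(2, "big")  # no reply attributes
    # Response Authenticator = MD5(header + Request Authenticator + attrs + secret):
    # proves the verdict came from a holder of the shared secret.
    return header + hashlib.md5(header + request_auth + secret).digest()


def nas_verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Access point side: check the Response Authenticator, then read the verdict."""
    code, _ident, response_auth, attr_bytes = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + attr_bytes + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        raise ValueError("Response Authenticator mismatch: reply not from our RADIUS server")
    return code == ACCESS_ACCEPT


def authenticate(username: bytes, password: bytes, user_db: dict,
                 secret: bytes = b"constructed-shared-secret") -> bool:
    """The whole exchange, with a function call standing in for UDP port 1812."""
    request, request_auth = nas_build_access_request(0x2A, username, password, secret)
    response = radius_server_handle(request, secret, user_db)
    return nas_verify_response(response, request_auth, secret)


# Constructed user table standing in for the server's directory.
USERS = {b"alice": b"correct horse battery", b"bob": b"hunter2-but-longer"}

if __name__ == "__main__":
    print("alice:", authenticate(b"alice", b"correct horse battery", USERS))
    after_offboarding = {u: p for u, p in USERS.items() if u != b"alice"}
    print("alice after offboarding:", authenticate(b"alice", b"correct horse battery", after_offboarding))
```

Two things worth noticing from a defender's seat: the only state that changes when someone leaves is the server's user table, which is exactly why the per-user model scales where a shared PSK does not; and the shared secret between access point and server is what makes the Accept verdict trustworthy, so it deserves the same care as any other credential (RADIUS's MD5-based protection is dated, which is one reason real deployments run EAP with TLS inside it).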
Unfortunately, many midsized businesses simply don't have the infrastructure to support WPA Enterprise in this traditional manner. They may not have the time, money or expertise to set up a RADIUS server for use by the wireless network. The end result is that they often resort to using WPA PSK and simply don't change the password as often as necessary, posing a significant security risk to the organization, as terminated employees may still be able to access the network and provide that access to others.
WPA Enterprise in the midsized business
Fortunately, there are solutions available for the midsized business that allow you to take advantage of the benefits of WPA Enterprise without the cost and effort of setting up a RADIUS server. The two major options are:
- Purchase wireless access points with built-in WPA Enterprise authentication: Instead of relying upon a RADIUS server to perform user authentication, some wireless access points come with this technology built in. Wireless APs such as the HP ProCurve Access Point 530 and the ZyXEL NWA-3500 allow for an internal database containing up to 100 usernames and passwords. If you need only a small number of wireless access points at a single site, this may be the best solution for you.
- Use a hosted RADIUS service: If you're unable or unwilling to replace your existing access points, an application service provider can host the RADIUS server for you. NoWires Security offers the AuthenticateMyWiFi service that, for $130 to $360 per year, will manage RADIUS service for you.
If you already have a Windows or Unix infrastructure and a strong IT staff, you may wish to consider a third option that some large enterprises choose, which is building your own RADIUS server. However, a small or midsized business can gain the same benefits by using one of these two options mentioned above without nearly as much time and trouble, if there's room in the IT budget. Whatever path you choose, improve the security of your network by migrating to WPA Enterprise soon!
About the author: Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.