When is a security issue a Wi-Fi problem, and when is it not? Wi-Fi security, or the lack of it, is often blamed, but this usually stems from a misunderstanding of the difference between Ethernet (IEEE 802.3) and wireless (IEEE 802.11). An 802.11 AP bridges to an 802.3 network, but the two standards communicate with their clients and the network in entirely different ways. Wi-Fi security is also frequently confused with access authorization.
In a recent 7SIGNAL webinar titled Wi-Fi Security 101, Mike Graham, a 7SIGNAL wireless engineer, discusses Wi-Fi security using his extensive security experience.
This webinar covers what security issues are not in the realm of Wi-Fi, 802.11 vs. 802.3 security access and authentication, and how WIPS aren’t just about protecting network access.
It’s important to know where your security issues lie. Often Wi-Fi is blamed when failures in other protocols and processes occur. Here are some examples:
Example 1: A developer disables SFTP on a server while connected to airport Wi-Fi with a company laptop.
This is not a Wi-Fi security issue. In this case, security is governed by:
Example 2: A work-from-home call center agent connects to a neighbor’s Wi-Fi network, checks corporate email, and reads one that launches executable malware.
This is not a Wi-Fi security issue, and the breach is caused by a lack of:
Example 3: An employee at headquarters connects to the corporate guest Wi-Fi and downloads documents containing details of thousands of customer PII on an employee-owned laptop.
Once again, this is not a Wi-Fi security issue, and security lies in implementing:
Example 4: A storage engineer stops at a coffee shop to connect to free Wi-Fi to answer emails. While there, hard drives containing employee health records are stolen from the car's back seat.
This is definitely not a Wi-Fi security issue but relates to:
In these examples, the issue lies with poor adherence to security policies. Often, because the connection medium is Wi-Fi, the assumption is that is the problem, but this is far from the truth.
Even though 802.11 and 802.3 connect to each other, their security models are quite different. With 802.3, security concerns center on authorization at the user level. With 802.11, they center on the station (the wireless client) and the AP.
Data loss prevention, data management, malware, etc., have nothing fundamentally to do with Wi-Fi security but are related to access authorization.
One issue with Wi-Fi is that stations are always listening for networks to join and announcing the networks they have previously connected to. This is a fundamental conduit for rogue APs, even if you have a hidden network that isn’t broadcasting its SSID. This is why rogue AP detection is essential.
Security policy is discovered through the beacon frame, part of the four-way handshake. (More on this below.) Many things exposed in Wi-Fi by the standard itself can be used in attacks. However, some easy things can be done to mitigate the risk.
A station attempting to set up a security association with an access point (AP) may not know the security policy. The station sends a probe request frame to the AP to determine its security policy before setting up a security association.
An AP advertises its security capabilities in these frame types:
Using the work-from-home example, many networks are often found, all broadcasting strong signals on the same channel. This isn’t a security issue, but it can be a problem if someone connects to a network they shouldn’t access.
The four-way handshake is important to understand and requires security features. The authentication frame between STA/AP is part of the open system authentication method, which operates at the link level between stations.
Two authentication messages are exchanged in this transaction. In the initial state, the STA is neither authenticated nor associated with the BSS (basic service set) – this is where rogue APs and bad actors live, listening and waiting.
An AP will send a probe response frame containing information about the BSS a station must be able to support. A probe response is a unicast frame sent to the destination address of the station where the probe request originated.
When stations begin searching for a Wi-Fi network to join, they do so either by scanning passively for available networks or actively by probing for Wi-Fi networks they already know about.
The first method is by passively scanning for a BSS to join. For the STA to become a member of a particular BSS, it must scan for a beacon containing that BSS’s SSID and return a frame matching the SSID’s parameters.
The second method is active scanning, probing for a specific network the STA knows about. The STA then waits for a response from an access point that is responsible for that network. A beacon frame is transmitted by the AP to communicate information about the Wi-Fi networks in the AP's serviceable area to both passive and active scanning STAs.
A WIPS is a system that detects and prevents unwanted intrusions such as rogue APs. Since every vendor detects and prevents differently, it is essential to know their process and which Wi-Fi security protocols are used. For example, to find a particular AP by name, does the WIPS identify it by MAC address, or is the name pulled out of the beacon frame? It’s important to know where the information is generated.
The answers to these questions help with network design and security posture, especially if you have a WIPS device performing sporadic rather than dedicated scanning.
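To make the MAC-versus-beacon-name question concrete, here is an added example (not code from 7SIGNAL or the webinar) that classifies a constructed set of captured beacons two ways: by the SSID the beacon claims, and by the BSSID (AP MAC address) checked against an inventory of authorized APs. The inventory, SSIDs, MAC addresses and verdict labels are all made up for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    bssid: str     # AP MAC address (transmitter address of the beacon)
    ssid: str      # network name from the beacon's SSID element
    channel: int
    security: str  # policy advertised in the beacon's RSN element

# Constructed inventory of authorized APs, keyed by BSSID (MAC), not by name.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("CorpWiFi", "WPA2-Enterprise"),
    "aa:bb:cc:00:00:02": ("CorpWiFi", "WPA2-Enterprise"),
    "aa:bb:cc:00:00:03": ("Corp-Guest", "Open"),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

# Constructed beacons, as a WIPS sensor might capture them during a scan.
OBSERVED = [
    Beacon("aa:bb:cc:00:00:01", "CorpWiFi", 36, "WPA2-Enterprise"),
    Beacon("aa:bb:cc:00:00:03", "Corp-Guest", 1, "Open"),
    Beacon("de:ad:be:ef:00:01", "CorpWiFi", 6, "WPA2-PSK"),     # our name, unknown MAC
    Beacon("11:22:33:44:55:66", "NeighborNet", 6, "WPA2-PSK"),  # someone else's network
    Beacon("aa:bb:cc:00:00:02", "CorpWiFi", 11, "Open"),        # our MAC, wrong policy
]

def classify_by_ssid(b: Beacon) -> str:
    """Name-only check: trusts whatever the beacon claims to be."""
    return "authorized" if b.ssid in CORP_SSIDS else "external"

def classify_by_bssid(b: Beacon) -> str:
    """MAC-anchored check: the inventory decides; the beacon only supplies claims."""
    expected = AUTHORIZED.get(b.bssid)
    if expected is None:
        # An unknown radio advertising our name is the rogue case; other names are neighbors.
        return "rogue" if b.ssid in CORP_SSIDS else "external"
    if expected != (b.ssid, b.security):
        return "policy-mismatch"  # known AP, but SSID or security differs from inventory
    return "authorized"

def scan_report(beacons, classifier):
    """Map each BSSID to its verdict under the given classifier."""
    return {b.bssid: classifier(b) for b in beacons}

if __name__ == "__main__":
    for name, fn in (("by SSID", classify_by_ssid), ("by BSSID", classify_by_bssid)):
        print(name, scan_report(OBSERVED, fn))
```

The name-only pass marks the unknown radio broadcasting "CorpWiFi" as authorized, while the MAC-anchored pass flags it as rogue and also catches the known AP whose advertised security no longer matches inventory.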
The basic security issues for any wireless LAN are:
Securing Wi-Fi can be simple if you look at it from the standpoint of securing the wireless LAN without confusing it with data integrity and security. Even with a VPN, there is still Wi-Fi.
While some organizations fear Wi-Fi security issues and want their employees to plug into ethernet, with the correct understanding of Wi-Fi security and the proper WIPS, it is an easy problem to solve.
Is the issue with your wireless LAN or something else? With 7SIGNAL’s monitoring platform for Wi-Fi optimization, you can identify issues quickly and solve them before they become a problem. We deliver enterprise Wi-Fi insights, control and performance to the people and devices that need them most.
Founded by wireless networking pioneers, 7SIGNAL delivers applications that continuously monitor the stability of our clients' Wi-Fi networks to mitigate risk. We offer Wi-Fi connectivity solutions that improve efficiency and productivity, unparalleled visibility and insights, and empower tech teams to solve challenges, save time, and deliver value.
The 7SIGNAL platform is designed for the world's most innovative organizations, educational institutions, hospitals, and government agencies and is currently deployed at IBM, Kaiser Permanente, Nike, and other Fortune 500 companies. 7SIGNAL continuously monitors the connectivity of an estimated 20 million global devices. Learn more at www.7signal.com.