MENU
At the start of the millennium, the Wired Equivalent Privacy (WEP) security protocol allowed encrypted data to be sent securely between two different endpoints.
In 2003, this was replaced by Wi-Fi Protected Access (WPA) after serious vulnerabilities in WEP were found.
An improved version, WPA2, followed in 2004, which was itself eventually replaced by WPA3 in 2018. In this article, we take you through the development of WPA and explain how you can deploy WPA3-Enterprise across your company – important in the era of laws like the CCPA, HIPAA and the GDPR, which require companies to protect personal data.
No network is 100 percent secure. Consider data minimization as one of your cybersecurity defense strategies. Data minimization involves keeping only the data you need for its intended purpose and restricting access to only those who need it.
WPA (referred to as the draft IEEE 802.11i standard) addressed most of the known vulnerabilities of WEP. Primarily intended for wireless enterprise networks, WPA implemented several significant changes.
Those changes were:
Within the year, however, a flaw was found in WPA that exploited older weaknesses in WEP and limitations of the MIC feature.
WPA2 introduced the use of AES (Advanced Encryption Standard) algorithms and CCMP (Counter Cipher Mode with Block-Chaining Message Authentication Code Protocol) to tighten the security of both home networks and business enterprises.
WPA2 had two operating modes: one for home Wi-Fi networks and the other for organizations wanting government-grade wireless security (known as WPA2-Enterprise).
WPA2-Enterprise deployment includes installing a RADIUS server (or establishing an outsourced service), configuring access points with the encryption and RADIUS server information, configuring your operating system with the encryption and IEEE 802.1x settings, and then connecting to your secure wireless enterprise.
The impetus to improve on WPA2 became urgent in 2017 when security expert Mathy Vanhoef declared that all Wi-Fi networks were vulnerable to hacking.
WPA3, introduced in 2018, addressed vulnerabilities that persisted in WPA2. The enhancements provide users with stronger privacy protections and secure their devices better, regardless of their technical knowledge.
The key enhancements in WPA3 are:
Like WPA2, WPA3 has two modes: one for home and one for businesses. WPA3-Enterprise is designed for organizations and businesses that transmit sensitive data and offers a boosted 192-bit minimum-strength security protocol. It also incorporates cryptographic tools that align with the Commercial National Security Algorithm (CNSA) Suite that were created by the Committee on National Security Systems.
The standard for passing EAP over a network is IEEE 802.1x. In this authentication framework, the user who wants to be authenticated is the supplicant. The authentication server is an external RADIUS server. The device at the AP, such as a laptop or smartphone, is the authenticator.
Users are assigned login credentials to enter when connecting to the network; they don’t see the actual encryption keys, and the keys aren’t stored on the device. This protects the wireless network against terminated employees or lost devices. When a user attempts to connect to your network, login credentials are sent through a virtual port. If successful, the encryption keys are distributed, granting the user full access.
Once you decide on which of the following RADIUS server options to use, you will set it up in the corresponding EAP, AP and user settings.
Your EAP choice depends on the level of security you need and your server/client specs.
Although there are more than 10 EAP types, the three most widely used are:
The steps for configuring the APs require you to enable WPA3-Enterprise only mode or transition mode by setting the AKM suite to 00-0F-AC:5 (802.1X with SHA-256). Your APs will use CCMP encryption, so make sure to turn off older encryption methods like TKIP and WEP. You also need to enable Protected Management Frames (PMF) to help secure your network.
On the client side, set up your usernames and passwords or client certificates if that’s what you choose to use. You’ll need to do this for every laptop, tablet, smartphone or other device that connects to your server. Boost connection speed and security further by enabling “fast roaming” and “server certificate validation” if they’re available.
Implementation may vary depending on the hardware and software you choose.
The cost of a cybersecurity breach can reach hundreds of thousands of dollars, and sometimes more, depending on the size of your business. You can mitigate some of these costs by taking out cyber insurance.
There’s no end to the task of protecting against data theft and managing risk and compliance in the wireless enterprise. Key challenges in wireless security vary widely and continue to evolve because every enterprise is different. Some IT teams struggle with the impact of BYOD (bring your own device), while others seek ways to allow guest access without compromising security of mission-critical systems.
The IEEE 802.11 working group and Wi-Fi Alliance continue to address emerging needs, now offering innovations like IEEE 802.11ax, better known as Wi-Fi 6. This update brings improvements designed to enhance network performance at busy times, such as:
In addition, major platform vendors often provide ways to assist in the management of security measures, helping to reduce the resources needed and overall time spent on IT management.
Wi-Fi continues to grow and adapt to business needs. While 2.4 GHz was once the norm in wireless networking, the introduction of Wi-Fi 6 has expanded operation into multiple frequency bands and brought significant advancements, like increased capacity and better performance in dense environments.
When it comes to security, WPA3, certified through the Wi-Fi Alliance’s Wi-Fi CERTIFIED program, has emerged as the latest and most secure protocol. It significantly strengthens encryption, protects against brute-force attacks through SAE and provides transition modes for mixed WPA2/WPA3 environments. Importantly, while WPA2 networks remain secure when properly maintained, WPA3 offers additional security enhancements for those who need them.
The Wi-Fi Alliance and other entities are constantly working to develop new security methods and certifications to ensure optimal protection. As such, updating firmware and drivers regularly, adopting the latest standards, and keeping informed about advancements in security protocols are paramount to maintaining a secure network.
Make sure your group has adopted the latest technologies, such as Wi-Fi 6 and WPA3. Enjoy the convenience and productivity of Wi-Fi, but do it safely.