Welcome to the WEI Tech Exchange Blog

Don't Sleep On A Wireless Network Security Nightmare

Written by Greg LaBrie | Jun 30, 2022 12:45:00 PM

We’ve been talking a lot about Wi-Fi 6E this spring and summer season even though it was formally introduced by the Wi-Fi Alliance way back in January 2021. So, why all the attention now? There are a lot of groundbreaking aspects of this exciting new technology as Wi-Fi 6E allows for more devices to connect at greater speeds than any of its predecessors. However, it is only now that devices are rolling off the assembly line with Wi-Fi 6E capability. The urgency to upgrade to this new protocol will only grow for enterprises as time goes by.

Still, we must not forget the wireless elephant in the room: Better performance and faster speeds do not amount to much of anything unless your enterprise’s wireless sessions are properly secured. The security threshold of today should always be a determining factor when considering the new technology of tomorrow, especially for wireless environments.

WPA3 Is Mandated for Wi-Fi 6E

If your wireless infrastructure primarily relies on Wi-Fi Protected Access 2 (WPA2) as its wireless security protocol, then your system remains vulnerable to attacks that have been present for nearly two decades. That’s because WPA2 dates back to 2004 – the same year the Boston Red Sox broke their 86-year World Series curse. They have since won three more World Series titles, three different US presidents have taken office, and the iPod has long since been displaced as the most popular personal electronic device. A lot has happened since 2004, and it was good to see Twinkies make a comeback…

While Wi-Fi 5, also known as 802.11ac, does include WPA3 as an option, it isn’t enforced, so client devices can revert to the less secure protocol. This isn’t the case with Wi-Fi 6E. The Wi-Fi Alliance mandates the use of WPA3 for Wi-Fi 6E devices that operate in the 6 GHz band. In other words, if you want to experience the expanded boundaries of wireless network performance, you must abide by the increased security parameters.

Why WPA3 Is More Secure

For those that utilize pre-shared keys (PSK) for access authentication, WPA3 removes the ability for hackers to connect to your network using dictionary attacks. This has always been a weak point for WPA and WPA2 as hackers throw thousands of passwords from a list until they get one to hit. Of course, one could always create a 63-character length key consisting solely of gibberish, but let’s face it – how many IT administrators actually do that?

WPA3 replaces PSK authentication with something called Simultaneous Authentication of Equals (SAE). While SAE still uses a passphrase, it isn’t sent between Wi-Fi devices during the SAE exchange. It also commits a device to one password guess for each authentication cycle by utilizing a new authentication handshake mechanism. This prevents an attacker from cycling through an endless password list in quick succession, making brute force attacks nearly irrelevant. While we do not recommend using “password123” or “qwerty” as your passphrase, WPA3 does help relieve the pressure of creating that perfect password.

For organizations that currently use WPA2-Enterprise, WPA3 offers the option of extending the length of the encryption key from 128 bits to 192 bits. It also requires the use of Protected Management Frames (PMF), which protects traffic from being eavesdropped on and forged.

Open Access Now Means Encrypted Access

Providing wireless access to guest end users and the general public has always been tricky. Still, it is an expectation of the end user whenever visiting a business for a sales presentation or performing work in a café that requires internet access. Requiring PSK access requires some way to convey the passphrase to those who need it, while providing the convenience of wide-open access introduces serious security issues. Open wireless sessions are especially vulnerable to man-in-the-middle attacks in which an attacker intercepts the four-way handshake process of the unencrypted connection to lure users to connect to a rogue wireless connection. The attacker can then intercept packets that traverse through their device.

Wi-Fi 6E prevents this from happening by replacing open authentication with what’s called Opportunistic Wireless Encryption (OWE). OWE merges convenience and security because all sessions are encrypted with a secret key, regardless of whether access authentication is required or not. In similar fashion to WPA3, OWE support is mandatory for any devices operating within the 6 GHz band.

These Security Features Are Available In Wi-Fi 6...Right?

Almost. Wi-Fi 6E is a technical extension of the Wi-Fi 6 standard that was released in 2019, and yes, WPA3, SAE, OWE and PMF are each available in Wi-Fi 6. However, there is one big thing that isn’t – the 6 GHz frequency band. Not only does the 6 GHz band offer enhanced capacity and throughput, but it also gives an exclusive pipe that Wi-Fi 6E clients can operate in. This means no interference from noisy legacy devices that also rely on legacy security protocols. Because the mentioned security enhancements are mandated with this private frequency band, organizations that work toward a full integration of Wi-Fi 6E are assured greater security across their entire wireless spectrum. Hands down, mandated security is preferable to optional security.
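A wireless survey can confirm whether an SSID actually enforces these features or only offers them as options. The sketch below is an added example, not from the original post, and goes one step beyond it by parsing the RSN element an access point advertises in its beacons to flag PSK fallback and optional PMF. The sample elements are constructed, and the function names and finding labels are hypothetical.

```python
import struct

IEEE_OUI = b"\x00\x0f\xac"
# AKM suite types under OUI 00-0F-AC, as assigned in IEEE 802.11.
AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
       8: "SAE", 12: "802.1X-SUITE-B-192", 18: "OWE"}
MFPR, MFPC = 0x0040, 0x0080  # RSN capability bits: PMF required / PMF capable

def parse_rsn(body: bytes) -> dict:
    """Parse an RSN element body (element ID 48, ID and length bytes stripped)."""
    def u16(pos: int) -> int:
        if pos + 2 > len(body):
            raise ValueError("truncated RSN element")
        return struct.unpack_from("<H", body, pos)[0]

    pos = 6                          # skip version (2) and group cipher suite (4)
    pos += 2 + 4 * u16(pos)          # skip pairwise cipher count and list
    n_akm, pos = u16(pos), pos + 2
    if pos + 4 * n_akm > len(body):
        raise ValueError("truncated AKM list")
    akms = []
    for off in range(pos, pos + 4 * n_akm, 4):
        oui, kind = body[off:off + 3], body[off + 3]
        akms.append(AKM.get(kind, "unknown") if oui == IEEE_OUI else "vendor")
    pos += 4 * n_akm
    caps = u16(pos) if pos < len(body) else 0   # capabilities field is optional
    return {"akms": akms, "pmf_required": bool(caps & MFPR),
            "pmf_capable": bool(caps & MFPC)}

def assess(body):
    """Return findings for one BSS; an empty list means no fallback is offered."""
    if body is None:                 # no RSN element at all: plain open network
        return ["open-unencrypted"]
    info = parse_rsn(body)
    findings = []
    if {"PSK", "PSK-SHA256"} & set(info["akms"]):
        findings.append("psk-offered")        # passphrase handshake still accepted
    if not info["pmf_required"]:
        findings.append("pmf-not-required")   # management frames may go unprotected
    return findings

# Constructed sample elements (not captured traffic): CCMP group and pairwise cipher.
_HEAD = bytes.fromhex("0100" "000fac04" "0100" "000fac04")
WPA2_PSK = _HEAD + bytes.fromhex("0100" "000fac02" "0000")
TRANSITION = _HEAD + bytes.fromhex("0200" "000fac02" "000fac08" "8000")
WPA3_SAE = _HEAD + bytes.fromhex("0100" "000fac08" "c000")
OWE_ONLY = _HEAD + bytes.fromhex("0100" "000fac12" "c000")
```

A mixed WPA2/WPA3 SSID (`TRANSITION`) produces the same findings as plain WPA2 because it still accepts the PSK handshake and leaves PMF optional; only the SAE-only and OWE-only elements come back clean.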

Backwards Compatibility

Juniper Networks has embraced this new high-caliber wireless standard and currently offers two solutions to get you closer to greater security and speed. The Juniper AP34 and Juniper AP45 are tri-band access points that support not only the 6 GHz frequency, but the 2.4 GHz and 5 GHz bands as well. This makes them backwards compatible so that you can accommodate your current legacy wireless devices while you work to upgrade your fleet of devices.

Conclusion

Upgrading to Wi-Fi 6 from Wi-Fi 5 is only a half-step upgrade. With Wi-Fi 6E, you get enhanced security and high performance in one package. Wi-Fi 6E is the complete experience, and with backwards compatibility built into the Juniper infrastructure, there’s no reason not to take advantage of everything that Wi-Fi 6E has to offer.

 

Next Steps: Download our new white paper, Future-Proof Your Wireless Network With Wi-Fi 6E, to discover what critical capabilities your wireless network infrastructure is currently missing. This is information that every network administrator should read!