By now, the risks of not securing your company’s Wi-Fi networks are well known and range from annoying (passersby mooching your free network and slowing down connections) to critical (unauthorized parties accessing your corporate information, eavesdropping on and intercepting sensitive information, capturing login credentials and spreading malware or viruses).
Fortunately, most companies have responded to these threats by securing their networks with WPA or WPA2, which encrypt data transmitted over the network and limit access only to authorized users (WPA2 is stronger, recommended for business and the term I’ll use from here out).
Unfortunately, many companies use the Personal mode of WPA2, or WPA2-Personal, which relies on a shared passphrase for access and is not the best solution for corporate environments. Below, I shine some light on the pitfalls of this setup and suggest a better alternative.
Note: I assume it goes without saying that you should no longer rely on WEP.
The Dangers of Shared Wi-Fi Passphrases
The biggest issue with the Personal mode of WPA2 is that it relies on a shared passphrase. That is, to access the Wi-Fi network, you just need to enter a code and you’re in. Every person and every device uses the same code. This scenario might be sufficient for a home network, but for corporate use it’s not hard to imagine how this can lead to issues. Consider:
- How easy it will be for employees to share the passcode with non-employees.
- It’s highly likely someone in your company is going to end up writing the passcode down, which could then fall into the wrong hands.
- Passcodes are subject to brute-force cracking.
- What happens when someone leaves the company? You’ll need to change the passcode to ensure they can no longer access the network and any shared resources.
- What happens if someone loses a device? Same as above; you’ll need to update the passcode so anyone who finds the device won’t be able to access your corporate network.
- In light of the previous two bullets, how often, and by what mechanism, will you roll out updated passcodes? Will you need to go around to each machine and enter the new passcode? If not, how will you share the new passcode with employees?
To sum it up, shared passphrases can leave holes for unauthorized users to slip through and gain access to your network. Once they’re on your corporate network, they’re “through the front door” and those same risks I mentioned above for open networks apply – they can eavesdrop and intercept data, steal credentials, monitor traffic, access shared resources, spread malware or viruses and more.
WPA2-Enterprise Is a Better Option for Corporate Wi-Fi
So I think we can all agree at this point that WPA2-Personal is not sufficient for most companies. Instead you should consider WPA2-Enterprise, which, in addition to other benefits, eliminates the shared passphrase. There is additional setup involved with this type of deployment, but I would argue it’s worth the effort considering the following benefits:
- As mentioned, each user gets a unique credential for accessing the network instead of using one universal passcode. In addition to the obvious security benefit, this makes things easier if an employee leaves the company or loses a device, since only one credential needs to be removed/updated. These credentials are deployed and managed by administrators, so end users don't need to remember them or configure anything.
- Users are unable to eavesdrop on other users’ sessions (e.g. monitor traffic, steal credentials). Each user session is encrypted with its own key, whereas in WPA2-Personal every session’s keys descend from the one shared passphrase, so users cannot decrypt and view each other’s activity. You can see how this would be helpful if an unauthorized user were to gain access.
While the technical specifics behind this type of deployment are beyond the scope of this post, this article provides a nice overview: Wireless Security in the Enterprise: Deploying WPA2-Enterprise.
WPA2-Enterprise with Certificates is the Best Option for Corporate Wi-Fi
When setting up WPA2-Enterprise, you get to choose your Extensible Authentication Protocol (EAP), which, to put it very simply, is how clients will authenticate to your Wi-Fi network. One option is to use username/password (e.g. an employee’s domain credentials), but passwords are notoriously unreliable (users write them down, they’re susceptible to brute-force hacking, etc.). A much better option is to use certificates; Microsoft echoes this sentiment:
“Password-based authentication methods, however, do not provide strong security and their use is not recommended. It is recommended that you use a certificate-based authentication method for all network access methods that support the use of certificates. This is especially true for wireless connections…”
Using a certificate-based EAP means only users, machines and mobile devices with properly configured certificates will be able to access your Wi-Fi networks. Even if someone managed to obtain an employee login, they still wouldn’t be able to access the network. Another benefit is that, unlike password-based schemes which really only authenticate the user, certificates can be issued to the machines themselves to help prevent rogue device access (e.g. an unauthorized personal mobile device, malicious third party).
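To make the difference concrete, here is an added configuration example (not from the original post or any vendor documentation) showing the shared-passphrase setting on an access point beside the WPA2-Enterprise setting, and a RADIUS EAP module that offers only EAP-TLS. It assumes a Linux access point running hostapd and a FreeRADIUS 3 server; the SSID, the RADIUS address 192.0.2.10, the shared secret and the certificate file names are placeholders.

```ini
# --- /etc/hostapd/hostapd.conf excerpt: the weak setting (WPA2-Personal) ---
# Every station derives its keys from this one passphrase; anyone who learns it
# joins the network, and a departed employee or lost device forces a rotation.
interface=wlan0
ssid=Corp-Wifi
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-SHARED-PASSPHRASE

# --- /etc/hostapd/hostapd.conf excerpt: the corrected setting (WPA2-Enterprise) ---
# No passphrase lives on the AP. Clients authenticate to the RADIUS server over
# 802.1X/EAP, and each session receives its own master key from that exchange.
interface=wlan0
ssid=Corp-Wifi
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# RADIUS server (placeholder address and secret)
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-RADIUS-SECRET

# --- /etc/freeradius/3.0/mods-available/eap excerpt: certificate-only EAP ---
# Only EAP-TLS is listed, so password-based types (peap, ttls, md5) are not
# offered: a stolen domain password alone never gets a device on the network.
# The client must present a certificate that chains to the corporate CA.
eap {
    default_eap_type = tls
    tls-config tls-common {
        private_key_file = ${certdir}/radius-server.key
        certificate_file = ${certdir}/radius-server.pem
        ca_file = ${cadir}/corp-ca.pem
        require_client_cert = yes
    }
    tls {
        tls = tls-common
    }
}
```

Revoking a single user or machine then means revoking one certificate at the CA (and publishing the CRL the server checks) rather than touching every client.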
Leveraging Active Directory
Many WPA2-Enterprise deployments leverage Active Directory, Group Policy and a RADIUS server for deploying wireless network settings and credentials. Certificates fit right into this scenario. By leveraging Group Policy and a RADIUS server, you can push out certificates to client computers and create policies that will automatically place devices into their appropriate network. Some CAs, including GlobalSign, offer Active Directory integrations so you don’t have to run your own internal CA, which can be resource-intensive and time-consuming, to get this functionality.
I hope this post opened your eyes to the dangers of using a shared Wi-Fi passphrase and encouraged you to investigate WPA2-Enterprise if you haven’t already. If you are already using it, are you using certificates to strengthen authentication and secure access to your wireless networks? Why or why not? Let me know in the comments!
Have questions about using certificates to control access to wireless networks or how to deploy? Give us a shout; we’re happy to help!