Appropriate standards for Wireless Local Area Networks (WLANs) SHALL be implemented on business wireless networks with a preference for the most secure options provided by the network device firmware.
Wireless Fidelity, universally known as Wi-Fi, is an essential part of every organization’s network in today's digital landscape. Most businesses make use of multiple wireless networks: for example, one for enterprise use, one for Bring Your Own Device (BYOD) use, and one for Guest use.
Despite its popularity, Wi-Fi remains vulnerable to many attacks. Businesses can put themselves at risk for compromise if they do not implement their Wi-Fi networks correctly. To mitigate these risks, several common Wi-Fi security controls should be implemented, starting with identifying the correct Wi-Fi standards for use in your business.
An organization’s Wi-Fi is technically referred to as its Wireless Local Area Network (WLAN). A WLAN is a group of networking nodes with wireless transmission capabilities that exchange data in a limited area. There are two components of a functioning WLAN:
- Station (STA): an endpoint using wireless networking functionality. Your iPhone, laptop, and TV are all STAs.
- Access Point (AP): a device that connects STAs with a Distribution System (DS), which is the wired backbone network in your facilities. The DS allows your STAs to communicate with the rest of your network infrastructure and access external networks like the Internet. Access points can come in different forms. If you have a small office network, you likely have a SOHO router, which is actually a multipurpose networking device that has AP functionality built in. In larger networks that require highly distributed Wi-Fi, APs are typically implemented in the form of multiple devices that look like routers but are actually dedicated access points. These devices are strategically placed throughout the business’s facilities and connect to a single wireless access point controller or wireless switch, on which the specifics of the WLAN are configured.
There are two defined modes of wireless networking:
- Ad-Hoc Mode: This is a simple peer-to-peer model where one STA communicates wirelessly with another STA. There are no actual APs in this mode. A common Ad Hoc Wireless network you have likely used is Bluetooth, where your wireless earbuds connect to your phone.
- Infrastructure Mode: This is the mode that makes up a business or home Wi-Fi network. DS network access is provided to a series of STAs via one or more APs. The various STAs and APs are uniquely identified to each other via their Media Access Control (MAC) address, a unique 6-byte (48-bit) value, written in hexadecimal, that is burned into each STA’s network interface card. Every AP on a WLAN is identifiable by a pre-configured Service Set Identifier (SSID), which we commonly refer to as the Wi-Fi name. Business networks usually utilize an Enterprise Service Set Identifier (E-SSID). An E-SSID allows one network name to be applied to many individual access points configured in unison on the wireless access point controller. A piece of infrastructure on the DS provides the Dynamic Host Configuration Protocol (DHCP) service, which issues each STA with an Internet Protocol (IP) address, allowing the STAs to logically communicate with other network assets.
WLANs follow the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard, which defines the technical capabilities of Wi-Fi. There are various 802.11 standards to choose from, with each one progressing in speed and quality. There are two standardized frequency bands that WLANs can run on: 2.4GHz and 5GHz. A WLAN running on the 2.4GHz band provides greater wireless coverage with the tradeoff of lower speed, while a WLAN running on the 5GHz band provides greater speed with a smaller range of coverage. The 802.11 wireless standards that exist are:
- 802.11a = operates in 5GHz frequency band with speeds up to 54Mbps. Introduced in 1999, it will almost certainly not be used in your environment.
- 802.11b = operates at 2.4 GHz with a range of 125ft and speed of 11Mbps. This is painfully slow by today's standards and again will probably not be used.
- 802.11g = provides backwards compatibility with 802.11b. It has a range of 125ft with speeds up to 54Mbps on the 2.4GHz band.
- 802.11n = speeds up to 600Mbps, operating on both 2.4GHz and 5GHz bands with a range up to 230ft. This is a commonly used standard that is still found on a lot of WLANs.
- 802.11ac (Wi-Fi 5) = offers speed up to a possible 3.5Gbps on the 5GHz band with a general range of 150ft. If you buy a new router from your local electronics store right now, it is bound to use this standard.
- 802.11ax (Wi-Fi 6) = operates on both the 2.4GHz and 5GHz bands with the 6GHz band also available. It can reach speeds up to 9.6Gbps. This standard functions better in areas with consistent crowds and possible interference, and is a massive leap in functionality and efficiency for business networks.
Security for WLANs is defined by various wireless security standards made available on APs. These standards evolved from the IEEE standards and are now maintained by the Wi-Fi Alliance.
- Wired Equivalent Privacy (WEP): WEP is an outdated security standard released in 1997 and completely abandoned in 2004. WEP aimed to assure the same level of security as a wired connection, hence the name. WEP used a single 64- or 128-bit key, meaning that only one key was used for all network traffic. As you can see from this description, WEP became insecure very quickly and is not recommended in any way for today’s networks.
- Wi-Fi Protected Access (WPA): WPA was introduced in 2003 and implemented 256-bit keys and the Temporal Key Integrity Protocol (TKIP), which changed the keys that different systems use. This was a good deal more secure than the static key used in WEP. TKIP was later replaced with the Advanced Encryption Standard (AES). WPA also introduced Message Integrity Checking to ensure that traffic had not been altered by threat actors. Vulnerabilities in WPA were soon uncovered, and just like WEP, it is not recommended for use today.
- Wi-Fi Protected Access 2 (WPA2): Introduced in 2004, very quickly after WPA, WPA2 uses the robust security network (RSN) mechanism and provides more control over the method used to implement Wi-Fi connections. WPA2 has two deployment options:
  - WPA2-PSK: Uses a pre-shared key for authentication to the network. This is the traditional method of deploying Wi-Fi, allowing anyone to connect to the network if they have the pre-set password or passphrase.
  - WPA2-Enterprise: This is a business-oriented standard that allows administrators to set up 802.1x authentication through a RADIUS server. Essentially, this allows employees to connect to the Wi-Fi using a personal username and password. This helps with organization and can reduce the attack surface of your Wi-Fi, especially if combined with MAC Address Filtering and/or Network Access Control (NAC). RADIUS needs to be pre-configured with user credentials hosted on a separate server. There are proprietary and free options for RADIUS Servers. You could also set up your network to use credentials from other identity sources, such as Active Directory. Going the WPA2-Enterprise route requires a bit more work than a PSK deployment; thus, you should plan carefully before attempting to implement it.
- Wi-Fi Protected Access 3 (WPA3): WPA3 implements several encryption features that offer improved security over WPA2. WPA3 implements the SAE protocol as a replacement for WPA2’s PSK. SAE allows much stronger security for the key exchange. While the PSK method of WPA2 may be more straightforward, it is vulnerable to dictionary attacks. WPA2’s 802.1x Enterprise authentication method is also less secure than WPA3’s. WPA3 Enterprise uses 192-bit encryption compared to 128-bit encryption for WPA2 Enterprise. WPA3’s SAE uses forward secrecy for the initial key exchange. This prevents the data from being captured and then decrypted in the future because there is a new, unique private key for each network transaction. SAE is also resistant to offline dictionary attacks because both the host and the AP authenticate simultaneously during a transmission using unique cryptographic keys every time.
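To check deployed SSIDs against the standards listed above, the following added example (not part of the original guidance) rates each network in a wireless scan. It assumes input in the `SSID:SECURITY` form printed by `nmcli -t -f SSID,SECURITY device wifi list`, with the token names shown in the constructed sample; rating a mixed-mode network by the weakest standard it still accepts is a choice made for this example.

```python
# Added example: rate scanned SSIDs against the WLAN security standards above.
# Per the page: WEP and WPA are not recommended, WPA2 is the baseline, WPA3 is strongest.
RANK = {"WEP": 0, "WPA1": 0, "WPA2": 1, "WPA3": 2}
VERDICT = {0: "fail", 1: "acceptable", 2: "preferred"}

# Constructed sample in the assumed terse SSID:SECURITY form.
# A colon inside an SSID is escaped as "\:"; an empty field means an open network.
SAMPLE_SCAN = r"""Corp-Enterprise:WPA2 802.1X
Corp-BYOD:WPA2 WPA3
Corp-Guest:WPA1 WPA2
Lab\:Legacy:WEP
Warehouse-IoT:WPA3
Lobby-Kiosk:
"""

def parse_line(line):
    """Return (ssid, tokens). The SECURITY field never contains ':',
    so the last colon on the line is always the field separator."""
    ssid, _, security = line.rpartition(":")
    return ssid.replace("\\:", ":"), security.split()

def rate(tokens):
    """Rate a network by the weakest standard it still accepts."""
    modes = [t for t in tokens if t in RANK]
    if not modes:
        return "fail", "no security standard advertised"
    weakest = min(modes, key=RANK.get)
    auth = "802.1X" if "802.1X" in tokens else "pre-shared secret"
    return VERDICT[RANK[weakest]], f"weakest accepted: {weakest}, {auth}"

def audit(scan_text):
    """Return {ssid: (verdict, detail)} for every non-empty scan line."""
    results = {}
    for line in scan_text.splitlines():
        if line.strip():
            ssid, tokens = parse_line(line)
            results[ssid] = rate(tokens)
    return results

if __name__ == "__main__":
    for ssid, (verdict, detail) in audit(SAMPLE_SCAN).items():
        print(f"{verdict.upper():<11} {ssid:<16} {detail}")
```

A WPA1/WPA2 mixed-mode SSID is reported as a failure here because it still accepts the older standard, even though newer clients negotiate WPA2.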
