How to deploy WPA3 for enhanced wireless security

WPA3 is the latest iteration of the Wi-Fi Protected Access (WPA) standard, succeeding WPA2, which has been the de facto security protocol for wireless networks for nearly two decades. This new standard addresses the security vulnerabilities inherent in WPA2, while adding some brand-new security functionality.

Whether you’re implementing the personal or enterprise mode, or broadcasting an open network, WPA3 provides much stronger protection from Wi-Fi eavesdropping and hacking. Here are some of the key features of WPA3:

• Enhanced encryption for Personal Mode: WPA3 introduces stronger encryption protocols, such as the Simultaneous Authentication of Equals (SAE), also known as Dragonfly, which offers stronger protection against offline dictionary attacks. It replaces the Pre-Shared Key (PSK) method used in WPA/WPA2-Personal.
• Brute force attack protection for Personal Mode: WPA3 provides added safeguards against brute force attacks when using the personal security mode, making it significantly more difficult for attackers to crack Wi-Fi passwords.
• Forward secrecy for Personal Mode: With WPA3, each connection uses unique session keys. Even if an attacker manages to intercept and decrypt a connection, they can’t use the obtained key to decrypt past or future sessions, ensuring forward secrecy.
• 192-bit security for Enterprise Mode: An optional 192-bit security suite is added for WPA3-Enterprise networks. This provides an extra layer of protection for organizations that require the highest level of security. This suite utilizes Commercial National Security Algorithm (CNSA) Suite cryptography, meeting the stringent security requirements of government and defense sectors.
• Encrypted public connections for Open Networks: The new Opportunistic Wireless Encryption (OWE) released alongside Wi-Fi 6 adds the ability to encrypt password-less Wi-Fi networks, coined Wi-Fi Enhanced Open by the Wi-Fi Alliance. This would allow more secure and private connections to open and public Wi-Fi networks, somewhat similar to connecting to a plain-old hotspot while utilizing a VPN to encryption traffic. Keep in mind, this is an optional feature for network devices and support for it isn’t required for hardware to be Wi-Fi 6 or WPA3-compliant. Also remember there’s no authentication with OWE, meaning any client can connect. But, again, that’s the point, to provide some privacy on open networks.

Requirements for using WPA3 on enterprise networks

Implementing WPA3 requires careful planning and consideration in a few areas:

• Network support: Ensure that your network infrastructure, including access points and controllers, support WPA3 and (if desired) the optional OWE for Open Networks. While many newer network devices are WPA3-compatible, older hardware may require updates or replacements. If you’re wanting to utilize certain optional functionality in WPA3, do the research and consider all requirements for that feature. For instance, to utilize 192-bit security for Enterprise Mode, your RADIUS server must support certain EAP modes and you must implement EAP-TLS with server and client-side certificates for the 802.1X authentication. The wireless controller may provide the support, or you may have to utilize an external RADIUS server.
• Client support: Verify that the devices connecting to your network support WPA3. While most modern smartphones, tablets, and laptops are WPA3-compatible, some legacy devices may require updates or replacements. If not all client devices will support WPA3, you can run the network in WPA2/WPA3 mixed mode.
• Software updates: Even though your network and client hardware may already support WPA3 and OWE, check for firmware and driver updates in case more WPA3 features and functionality have been released to support more of the standard. Updating may add additional deployment options.
• Configuration: You have to configure your controller/access points to enable the use of WPA3 and/or OWE encryption and authentication protocols. Not all the network gear will support the exact same deployment options either.

Tips for using WPA3

Here are some tips to maximize the benefits of WPA3 on your enterprise network:

Use WPA2/WPA3 mixed mode: Unless you’re working with a smaller and controlled network where you can ensure all clients will support WPA3, you’ll likely want to still support WPA2 clients. This is possible with the WPA2/WPA3 mixed or transition modes. Though it’s not best performance-wise, it will still be possible for older clients to connect.

Understand the different deployment configurations: When configuring gear that supports WPA3, you’ll find many new deployment options regarding security. This is something to consider even before deployment, when selecting your equipment, so you ensure it will support your desired methods. For WPA3-Personal, you may find options like Hash-to-Element (H2E) for password generation or an optional with Fast Transition enabled. Another example: Some network gear may support WPA3-only for SSIDs broadcasting in the 6GHz band, while others may have WPA2/WPA3 mixed mode support for the newer band. For WPA3-Enterprise, you might see support for different deployment options, such as 802.1X-SHA256 AES CCMP 128, GCMP128 SuiteB 1x, and GCMP256 SuiteB 192 bit. If you have a preference, ensure the gear you select supports it. Do your research on each of the supported deployment configurations to understand what’s the best for your wireless LAN and clients.

Use OWE mixed mode: If you want to turn on OWE for Wi-Fi Enhanced Open connections, consider the mixed or transition mode. That way, the network accepts both traditional unencrypted connections from older clients and encrypted connections from newer clients that support OWE.

Use strong passwords everywhere: Even with the enhanced security of WPA3, weak passwords will always be somewhat of a vulnerability. Use complex, hard-to-guess Wi-Fi passwords and if using the enterprise mode with user passwords, enforce secure user passwords via the RADIUS server. Plus, with all these new innovated encryption techniques, don’t forget about the good old vulnerabilities, like weak admin passwords on network components. 

Regularly update firmware and drivers: Keep your network infrastructure firmware up to date to ensure you have the latest security patches and enhancements, especially updates to WPA3. The same idea applies to client devices; new driver software may add support for better or new WPA3 functionality.

Monitor for rogues, misconfigured, and interferer APs: You can setup the best Wi-Fi security and military-grade encryption on your APs, but a rogue AP plugged into the network by an employee or attacker can then open a gaping whole. Or an approved AP could be misconfigured. So, enable any rogue AP detection or monitoring you have available.

Remember, there are significant enhancements in WPA3, addressing vulnerabilities and introducing new security features. However, there are many requirements to consider without even touching on the other Wi-Fi 6 aspects. The effort may be worth it to make use of the much more secure encryption and forward secrecy with the personal mode or to get the 192-bit security for enterprise mode. Plus, don’t forget that if you want to utilize Wi-Fi Enhanced Open for public Wi-Fi, you need to seek out network gear and clients that actually support it.

Successful implementation of WPA3 requires an updated network infrastructure, client compatibility, and careful configuration. Using mixed or transitional modes for WPA2/WPA3 and OWE, enforcing strong passwords, and keeping firmware and drivers current are essential tips for maximizing WPA3 benefits and ensuring robust Wi-Fi security.

Eric Geier is a freelance tech writer. He’s also the founder of NoWiresSecurity providing a cloud-based Wi-Fi security service, Wi-Fi Surveyors providing RF site surveying, and On Spot Techs providing general IT services.

Source:: Network World