WPA3 is the latest iteration of the Wi-Fi Protected Access (WPA) standard, succeeding WPA2, which has been the de facto security protocol for wireless networks for nearly two decades. This new standard addresses the security vulnerabilities inherent in WPA2, while adding some brand-new security functionality.
Whether you’re implementing the personal or enterprise mode, or broadcasting an open network, WPA3 provides much stronger protection from Wi-Fi eavesdropping and hacking. Here are some of the key features of WPA3:
- Enhanced encryption for Personal Mode: WPA3 introduces stronger protocols, such as Simultaneous Authentication of Equals (SAE), also known as Dragonfly, a password-authenticated key exchange that offers stronger protection against offline dictionary attacks. It replaces the Pre-Shared Key (PSK) method used in WPA/WPA2-Personal.
- Brute force attack protection for Personal Mode: WPA3 provides added safeguards against brute force attacks when using the personal security mode, making it significantly more difficult for attackers to crack Wi-Fi passwords.
- Forward secrecy for Personal Mode: With WPA3, each connection uses unique session keys. Even if an attacker manages to intercept and decrypt a connection, they can’t use the obtained key to decrypt past or future sessions, ensuring forward secrecy.
- 192-bit security for Enterprise Mode: An optional 192-bit security suite is added for WPA3-Enterprise networks. This provides an extra layer of protection for organizations that require the highest level of security. This suite utilizes Commercial National Security Algorithm (CNSA) Suite cryptography, meeting the stringent security requirements of government and defense sectors.
- Encrypted public connections for Open Networks: The new Opportunistic Wireless Encryption (OWE) released alongside Wi-Fi 6 adds the ability to encrypt password-less Wi-Fi networks, coined Wi-Fi Enhanced Open by the Wi-Fi Alliance. This allows more secure and private connections to open and public Wi-Fi networks, somewhat similar to connecting to a plain-old hotspot while using a VPN to encrypt the traffic. Keep in mind, this is an optional feature for network devices, and support for it isn’t required for hardware to be Wi-Fi 6 or WPA3-compliant. Also remember there’s no authentication with OWE, meaning any client can connect. But, again, that’s the point: to provide some privacy on open networks.
Requirements for using WPA3 on enterprise networks
Implementing WPA3 requires careful planning and consideration in a few areas:
- Network support: Ensure that your network infrastructure, including access points and controllers, supports WPA3 and (if desired) the optional OWE for Open Networks. While many newer network devices are WPA3-compatible, older hardware may require updates or replacements. If you want to use certain optional functionality in WPA3, do the research and consider all requirements for that feature. For instance, to use 192-bit security for Enterprise Mode, your RADIUS server must support certain EAP modes and you must implement EAP-TLS with server- and client-side certificates for the 802.1X authentication. The wireless controller may provide the support, or you may have to use an external RADIUS server.
- Client support: Verify that the devices connecting to your network support WPA3. While most modern smartphones, tablets, and laptops are WPA3-compatible, some legacy devices may require updates or replacements. If not all client devices will support WPA3, you can run the network in WPA2/WPA3 mixed mode.
- Software updates: Even though your network and client hardware may already support WPA3 and OWE, check for firmware and driver updates in case more WPA3 features and functionality have been released to support more of the standard. Updating may add additional deployment options.
- Configuration: You have to configure your controller/access points to enable the use of WPA3 and/or OWE encryption and authentication protocols. Not all the network gear will support the exact same deployment options either.
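As an added illustration of the configuration step and of the WPA2/WPA3 mixed mode and OWE options mentioned above (not from the article or any vendor's documentation), the following hostapd.conf uses the open-source hostapd access point daemon as a stand-in for "the controller/access points"; interface names, SSIDs, BSSIDs and passphrases are constructed placeholders.

```ini
# Illustrative hostapd.conf (added example, not from the article).
# Interface, SSIDs, BSSIDs and passphrases are constructed placeholders.
interface=wlan0
driver=nl80211
hw_mode=a
channel=36
ieee80211ax=1

# --- BSS 1: WPA2/WPA3-Personal transitional (mixed) mode on one SSID ---
ssid=ExampleCorp-Staff
wpa=2
# Accept legacy WPA2-PSK clients and WPA3 SAE clients side by side.
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
wpa_passphrase=ChangeMe-ExamplePassphrase
sae_password=ChangeMe-ExamplePassphrase
# Protected Management Frames: optional (1) so WPA2 clients still join,
# but every SAE association is required to use PMF.
ieee80211w=1
sae_require_mfp=1
# Offer both SAE password-to-element methods (hunting-and-pecking and
# hash-to-element); 1 would allow hash-to-element only.
sae_pwe=2

# --- BSS 2 + 3: Wi-Fi Enhanced Open (OWE) transition mode ---
# A hidden OWE BSS is paired with a visible open BSS so clients without
# OWE support still see and join the open network; each BSS points at the
# other's BSSID and SSID.
bss=wlan0_owe
bssid=02:00:00:00:00:01
ssid=ExampleCorp-Guest-OWE
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=OWE
rsn_pairwise=CCMP
ieee80211w=2
owe_transition_bssid=02:00:00:00:00:02
owe_transition_ssid="ExampleCorp-Guest"

bss=wlan0_open
bssid=02:00:00:00:00:02
ssid=ExampleCorp-Guest
wpa=0
owe_transition_bssid=02:00:00:00:00:01
owe_transition_ssid="ExampleCorp-Guest-OWE"
```

While mixed mode is enabled, the passphrase is no better protected than on a WPA2-only network, so the forward secrecy and offline-guessing resistance described above apply only to clients that actually negotiate SAE; once the WPA2 clients are gone, drop `WPA-PSK` from `wpa_key_mgmt` and raise `ieee80211w` to 2.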
Tips for using WPA3
Here are some tips to maximize the benefits of WPA3 on your enterprise network:
Remember, there are significant enhancements in WPA3, addressing vulnerabilities and introducing new security features. However, there are many requirements to consider, without even touching on the other Wi-Fi 6 aspects. The effort may be worth it to make use of the much more secure encryption and forward secrecy in the personal mode, or to get the 192-bit security for enterprise mode. Plus, don’t forget that if you want to use Wi-Fi Enhanced Open for public Wi-Fi, you need to seek out network gear and clients that actually support it.
Successful implementation of WPA3 requires an updated network infrastructure, client compatibility, and careful configuration. Using mixed or transitional modes for WPA2/WPA3 and OWE, enforcing strong passwords, and keeping firmware and drivers current are essential tips for maximizing WPA3 benefits and ensuring robust Wi-Fi security.
Eric Geier is a freelance tech writer. He’s also the founder of NoWiresSecurity providing a cloud-based Wi-Fi security service, Wi-Fi Surveyors providing RF site surveying, and On Spot Techs providing general IT services.
Source: Network World