Wi-Fi now moves more than half of all Internet traffic, and it has helped make mobile the primary digital platform for business users in the U.S. However, there’s a good chance it is the weakest link in your security chain.
As a broadcast technology, wireless is much more susceptible to hacking than wired connections. It doesn’t require much skill, either. There are dozens of tools and how-to videos available online. Although the Wi-Fi Alliance recently took a major step to improve security with the WPA3 security protocol, full industry support for the standard will take a few years, and it will take even longer for widespread adoption.
Even with WPA3-compatible products, companies may be lulled into a false sense of security. Industry analysts say that unless more comprehensive security is built into Wi-Fi infrastructure, networks will remain vulnerable to six known Wi-Fi threats that operate primarily at Layer 2. These include:
- Rogue access points. These are connected to the authorized network, usually with an open SSID (service set identifier) — which is the primary name associated with a WLAN. This allows attackers to bypass perimeter security. They can be a physical access point (AP), or one created in software and bridged to the authorized network.
- Rogue clients. These are clients that previously connected to a rogue AP or another malicious AP within the range of a private network. The client could have been victimized by a plethora of attacks that include loading malware, ransomware, cryptoworms or backdoors onto the client.
- Neighbor APs. These are independent APs not under the control of network administrators. They create the risk of infection by connected to other SSIDs while in range of an authorized AP. This could create unauthorized access through a separate network.
- Ad-hoc networks. They use peer-to-peer connections between clients to circumvent perimeter security and allow clients to evade firewalls as well as content and security controls.
- Evil twin APs. They mimic a legitimate AP by spoofing its SSID and unique MAC address. Besides a commonly known physical AP, attackers can use software that utilizes Wi-Fi network adapters to minimize their physical footprint and avoid drawing attention to large antennas, devices or cables.
- Misconfigured APs. APs with configurations that don’t conform to security policies allow insecure connections and create openings for attacks. This often occurs when APs are left with factory default user names and passwords.
To address these vulnerabilities, WatchGuard recently developed the Trusted Wireless Environment, a framework for building complete Wi-Fi networks that deliver verified, comprehensive security capabilities.
WatchGuard says the framework is designed to be a Wi-Fi security education platform that can raise customer awareness. It provides clarity about what Wi-Fi threats exist and how they work, along with technical product specifications for addressing those threats. Finally, it establishes testing guidelines to verify the security capabilities of Wi-Fi products.
Miercom, an independent third-party testing and certification company, recently evaluated APs from several leading vendors. Because APs in real-world environments must be able to serve clients while also providing security protection, the test scenario used IP multicast traffic to keep the APs busy. Miercom concluded that WatchGuard's cloud-managed AP420 is the only product on the market capable of automatically detecting and preventing each of the six threats described above.
Wi-Fi has become a critical element of business communications. As it evolves to enable a wide range of use cases, it’s important that security keeps pace. Give us a call to learn more about using WatchGuard’s framework and APs to build a secure Wi-Fi network that can meet your needs for years to come.
