Wireless Security – What do I need?
There are varying levels of wireless security that you can employ on your Wi-Fi networks ranging from completely open to tightly secured. Here is a look at the various security protocols you should consider employing on your wireless networks:
Wired Equivalent Privacy (WEP) – the oldest and most commonly used Wi-Fi security protocol that leverages a passcode to encrypt data and to check that transmitted data is unchanged when received on the other end. This protocol has been found to have numerous security flaws and can be easily cracked over the years since it uses less than 128-bit encryption. Though it is better than having a completely open network, it is recommended to upgrade to WPA security and sunset any WEP-secured networks.
Wi-Fi Protected Access (WPA) – works similar to WEP, however, this protocol employs stronger security mechanisms such as 256-bit encryption and the Temporal Key Integrity Protocol (TKIP) to generate new keys for each packet of data transmitted. It is considered much more secure than WEP, though it still has some flaws.
WPA2 – A newer version of the WPA protocol that addresses the security flaws of previous generations by using the strongest encryption methods. This has become the standard for security on wireless networks.
WPA3 – The newest wireless security protocol designed to encrypt data using a more frequent and automated encryption type called Perfect Forward Secrecy. Though it is considered more secure than WPA2, it has not been widely adopted yet.
At a minimum, your wireless networks should be secured using WPA2 or higher. One additional security method you should consider implementing is RADIUS authentication or certificate-based authentication, which enables users to be able to join a corporate wireless network using their identity credentials (such as Active Directory or another identity management service) or by using an installed signed certificate on the computer itself which verifies its authenticity as an authorized device. One advantage of RADIUS security when combined with modern identity management tools is that you can enforce multi-factor authentication when joining a company wireless network, providing additional assurance that only authorized users and devices are joining your wireless network.
It’s become leading practice to set up a separate guest wireless network that can be used for both employee BYOD devices as well as guests at your location to be able to access the internet. It’s important that this guest network is logically segregated from your main local area network and can not access computer or devices on your main network. Although it is a guest network, it is still a good idea to employ some form of password to access it so that it is not open to everyone or easily scannable by outsiders.
Lastly, if a wireless radio or device is not in use, particularly on a machine, embedded device, or Human Machine Interface (HMI), it is always good practice to disable that wireless radio to prevent outsiders from trying to connect to it.