
WPA3 Security: There's No Such Thing as Too Much Security

Here's why WPA3 security is essential for securing modern systems--and why it still won't be enough.

Let’s start with a core, absolute truth: We will never have enough security in any element of IT. Period. Security is itself a classic more-variables-than-equations problem, with inadequate strategies, implementations, just plain bugs, and new threats appearing all the time. So the name of the game must be simply to stay one step ahead of the bad guys, making it so difficult to hack into a network or eavesdrop on communications that all but very richly funded state actors are precluded from causing harm--and with even those guys finding well-prepared targets very tough nuts to crack indeed.

The original knock against wireless LANs back in the early 1990s--apart from the obvious fact that implementations during that era were slow, unreliable, expensive, and very limited in range--was that the air was fundamentally and essentially insecure. After all was said and done, anyone nearby with a suitable radio receiver--say, even outside a given building in the parking lot--could eavesdrop with no real challenge.

To at least make a stab in the direction of addressing what is, then, an ongoing and perpetual concern, the original (1997) IEEE 802.11 standard included a security mechanism known as WEP, for Wired Equivalent Privacy. This name sold WEP a bit short because most wire at the time had (and even today still has) no security at all; WEP, with all of its shortcomings, was actually much better. Anyone with the right equipment and close proximity to especially unshielded twisted pair (UTP) cabling could easily tap an Ethernet cable with no one in network operations the wiser. Perimeter security was assumed to be a good idea, of course, at least until the Edward Snowden affair. It’s, of course, um, not.

But WEP was also fundamentally flawed and easily broken, leading the Wi-Fi Alliance--the trade association that really defines what production WLAN systems do--to develop the specs for a quick but effective hack: Wi-Fi Protected Access, or WPA. WPA is based on a technique known as the Temporal Key Integrity Protocol, or TKIP, which was itself then included in the IEEE’s official replacement of WEP, 802.11i, in 2004. TKIP changes keys on a per-packet basis, invalidating the attacks used against WEP. Under no circumstances, however, should anyone today be using either WPA or WEP: They have both been broken and cannot be fixed.

WPA was succeeded by WPA2, which added much better authentication and a much more secure encryption mechanism (known as CCMP). CCMP is based on the Advanced Encryption Standard, or AES. But even WPA2 is subject to attacks these days, so now we have WPA3, which is clearly the best approach to basic Wi-Fi security yet. Most importantly, WPA3 provides much better defense against brute-force attacks, and its application will be transparent on new equipment, with backward compatibility to WPA2 while the full transition--which will likely take years--is completed.

Like WPA and WPA2, WPA3 security has two fundamental operating modes, Personal and Enterprise. The Personal mode supports pre-shared keys and improves authentication over what’s being done in WPA2, and 128 bits is the effective key length. Enterprise leverages more elaborate authentication, typically based on 802.1X, and offers 192-bit keys.

The Wi-Fi Alliance also announced a mechanism it calls Easy Connect to enable secure connections for devices with minimal or even no display interface, as is typically the case with IoT. The technique used here is becoming quite common: Use an app to scan a QR code, and the secure connection is automatically set up. This is clearly much easier than having the device fake being an AP at first power-on, entering target AP credentials--again, typically from a smartphone or other wireless client--and then rebooting, the inconvenient, time-consuming, and error-prone process that has been most common to this point.

Finally, the Alliance announced Wi-Fi Certified Enhanced Open, designed to improve security on public-access APs where the distribution of credentials is inconvenient or impractical. I’d still caution that the use of a VPN at Layer 3 (such as IPsec, and the many commercial VPN services available today) or Layer 4 (commonly, the little “lock” glyph displayed on a Web page) is vital on networks that have no Wi-Fi security, and there are many products and services that provision VPNs at very reasonable prices.
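A configuration check for the security generations described above, as an added example that is not part of the original article: it reads an access point configuration and reports which mode it offers (WEP, WPA, WPA2, WPA3 transition, WPA3-only, Enhanced Open) along with legacy settings to retire. The choice of hostapd as the AP software, the function names and the sample configurations are assumptions made for illustration.

```python
# Added example; key names and defaults follow hostapd's sample hostapd.conf.
def parse_conf(text):
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def classify(text):
    """Return (mode, findings) for one hostapd BSS configuration."""
    conf = parse_conf(text)
    if any(k.startswith("wep_key") for k in conf):
        return "WEP", ["WEP is broken; replace it"]
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2/WPA3 (RSN)
    if wpa == 0:
        return "Open", ["no Layer 2 protection; consider Enhanced Open (OWE)"]
    if wpa == 1:
        return "WPA", ["WPA/TKIP is broken; use wpa=2 with CCMP"]
    findings = ["WPA (v1) also enabled; set wpa=2"] if wpa & 1 else []
    akms = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())
    # hostapd defaults: wpa_pairwise=TKIP, and rsn_pairwise inherits it
    ciphers = set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "TKIP")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP offered; set rsn_pairwise=CCMP")
    pmf = int(conf.get("ieee80211w", "0"))  # 0 = off, 1 = optional, 2 = required
    sae, psk = "SAE" in akms, bool(akms & {"WPA-PSK", "WPA-PSK-SHA256"})
    if "OWE" in akms:
        mode = "Enhanced Open"
    elif "WPA-EAP-SUITE-B-192" in akms:
        mode = "WPA3-Enterprise 192-bit"
    elif sae and psk:
        mode = "WPA3-Personal transition"
        if pmf == 0:
            findings.append("SAE needs PMF; set ieee80211w=1")
    elif sae:
        mode = "WPA3-Personal"
        if pmf != 2:
            findings.append("WPA3-only needs required PMF; set ieee80211w=2")
    else:
        mode = "WPA2-Personal" if psk else "WPA2-Enterprise"
    return mode, findings

# Constructed sample configurations (not taken from any real deployment).
LEGACY = "wpa=3\nwpa_key_mgmt=WPA-PSK\n"
TRANSITION = "wpa=2\nwpa_key_mgmt=WPA-PSK SAE\nrsn_pairwise=CCMP\nieee80211w=1\n"
```

Calling `classify(LEGACY)` reports a WPA2-Personal network that still offers WPA and TKIP, while `classify(TRANSITION)` reports a clean WPA3-Personal transition setup.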

Now, no one should be saying that WPA3 alone provides sufficient security. As noted above, additional measures at Layers 3, 4 and even application-specific security at Layer 7 are often, if not usually, indicated, desirable and even essential, depending upon local security policy. While WPA3 security, operating at Layer 2, encapsulates and thus secures all upper-layer traffic, keep in mind that an attack on Layer 1 (radio waves traveling over the air) isn’t the only vector for a security assault or subsequent breach.

WPA3 also is not yet available in all products, and it’s safe to say that many current-generation APs and clients won’t be upgraded to WPA3. This is, of course, due to the fact that 802.11ax is on the horizon and vendor-created demand for WPA3 may provide many potential buyers with an added incentive to upgrade--not just for more performance, but also (and equally important) for more security. And, in the end, no one can ever have too much of either.

We recommend the eventual and inevitable upgrade to WPA3, but doing so is just one element in an overall security solution. You know, that one that will never be “done.”
