2

In the past few months, we've seen the revelation of several WiFi vulnerabilities (eg KRACK).

It doesn't look like NIST has updated any of its best practices. How should we configure our enterprise WiFi to be secure, in the absence of such official recommendations?

Miles B Huff
Filipon

3 Answers

5

With all the recent WIFI hacks, how we should configure our organizational Wifi security configs and version?

You may need to be a bit more explicit with your concerns. You mention KRACK; I posted this answer about the impact of KRACK. Over a year since that post and there are still no reports of this exploit in the wild. KRACK is in most practical terms a non-concern at this point. Could this change? Sure, but not likely.

Only other recent "WIFI hack" I am aware of is the hashcat attack on PMKIDs on wireless networks using PSK. Mitigations here are to either use longer, more complex PSKs or switch to 802.1X.

While it isn't a hack, WPA3 has been mentioned in a number of media channels and is the source of a number of these discussions I have had in the past months, so let me point to another of my answers that talks about WPA3. The majority of that answer still holds true despite some minor changes from the WFA (for instance, I believe OWE is now optional as well).

How we can set our organizational enterprise WiFi to be secure, if there no best practices to follow?

All the major enterprise wireless vendors maintain their own best practice document(s) that contains security and design recommendations. Here are some examples: Cisco, Aruba, and Ruckus.

While many of the recommendations in vendor best practice documents are specific to their platform, the principles often can still be applied. But some general guidance I would give to any deployment I am involved in would be the following:

  • Use 802.1X over PSK. Depending on your security requirements, pick the first option from below EAP methods:
    • EAP-PEAP or EAP-TTLS with proper client/supplicant configuration and two-factor authentication is generally considered the most secure.
    • EAP-TLS if you can't use the above with TFA.
    • EAP-PEAP or EAP-TTLS with proper client/supplicant configuration - generally sufficient for non-mobile devices and doesn't involve the additional complexities of client certificates used by EAP-TLS.
  • If you must use PSK, make it long and complex (but length trumps complex if you must choose between the two).
  • Disable fast roaming/transition/PMK caching features on infrastructure if not necessary. This will slow down client connections and increase load on RADIUS servers.
  • Disable the use of WEP or TKIP (often tied to WPA) - not only necessary from security perspective, but from performance perspective as well (802.11n or newer networks disable data rates higher than 54Mbps if either is in use).
  • Enable mandatory 802.11w (protected management frames) if your clients support it.
  • Require use of DHCP by clients if possible.
  • Enable client isolation features if available and your wireless clients do not need access to other wireless clients.
  • Enable rogue detection features to notify when networks are found using the same SSID(s) as your network.
  • Keep your clients and infrastructure patched.
YLearn
  • 1
    I don't see why it'd be important to require clients use DHCP. – forest Nov 29 '18 at 08:46
  • @forest, having run networks professionally for years, I can't begin to tell you how often users (well intentioned or not) have configured static IPs on their devices and created issues. They may simply use an IP from the DHCP pool that the DHCP server then assigns to another device causing an IP conflict. If it is intentional, they may be trying to perform MitM as the gateway IP, or unintentionally just create issues by using the gateway IP. In any event, it creates issues that DHCP requirement mitigates. Plus, depending on vendor, this may also enable DAI or IP source protection. – YLearn Nov 29 '18 at 21:45
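The checklist in the answer above can be turned into a mechanical audit. The following is an added example, not code from the original post or from any vendor: it embeds two constructed hostapd.conf fragments (a "weak" one with the settings the answer warns against, and a "hardened" one with 802.1X, CCMP only, PMF required, client isolation, and key caching disabled) and an `audit()` function that flags each deviation from the list. hostapd is used purely because its option names are public; the principles map onto Cisco/Aruba/Ruckus settings with different names. The RADIUS address and shared secret are placeholders, and the 20-character minimum for a PSK is this example's assumption, since the answer only says "long".

```python
"""Audit a hostapd.conf fragment against the WiFi hardening checklist (added example)."""

# Constructed sample: the weak settings the answer warns about (WPA/WPA2 mixed mode
# with TKIP, a short PSK, optional PMF, fast transition on, no client isolation).
WEAK_CONF = """\
interface=wlan0
ssid=CorpWiFi
hw_mode=g
channel=6
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=Corp2018!
ieee80211w=1
ieee80211r=1
"""

# Constructed sample: the same AP reconfigured per the checklist: WPA2/RSN only,
# 802.1X to a RADIUS server (placeholder address/secret), CCMP only, PMF required,
# client isolation on, PMKSA caching and fast transition left off.
HARDENED_CONF = """\
interface=wlan0
ssid=CorpWiFi
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=example-radius-secret
ieee80211w=2
ap_isolate=1
disable_pmksa_caching=1
"""

MIN_PSK_LEN = 20  # assumption: the answer says "long" but gives no number


def parse_hostapd(text):
    """Return {key: value} for key=value lines; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    c = parse_hostapd(text)
    findings = []

    # WEP: any configured WEP key means WEP can be negotiated
    if any(k.startswith("wep_key") for k in c):
        findings.append("WEP key configured")

    # 'wpa' is a bitmask: 1 = WPA (TKIP era), 2 = WPA2/RSN, 3 = mixed mode
    if c.get("wpa") != "2":
        findings.append("wpa must be 2 (WPA2/RSN only), found %r" % c.get("wpa"))

    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in c.get(key, "").split():
            findings.append("%s allows TKIP" % key)

    mgmt = c.get("wpa_key_mgmt", "").split()
    if not any(m.startswith("WPA-EAP") for m in mgmt):
        findings.append("802.1X (WPA-EAP) not enabled")
    if any(m.startswith("WPA-PSK") for m in mgmt):
        psk = c.get("wpa_passphrase", "")
        if len(psk) < MIN_PSK_LEN:
            findings.append("PSK in use and passphrase is only %d chars" % len(psk))

    # ieee80211w: 0 = disabled, 1 = optional, 2 = required
    if c.get("ieee80211w") != "2":
        findings.append("802.11w (PMF) not required")

    if c.get("ap_isolate") != "1":
        findings.append("client isolation (ap_isolate) off; enable unless clients must talk to each other")

    if c.get("ieee80211r") == "1" or c.get("okc") == "1":
        findings.append("fast transition / opportunistic key caching enabled; disable unless needed")
    if c.get("disable_pmksa_caching") != "1":
        findings.append("PMKSA caching enabled; disable unless needed")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

Running the script prints nine findings for the weak fragment and `OK` for the hardened one. The checks are deliberately conservative (for instance, fast roaming and PMKSA caching are reported as "disable unless needed" rather than as hard failures), matching the answer's "if not necessary" wording.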
2

Security best practices are pretty much the same throughout IT: strong passwords, install updates, be prepared for human error...

With KRACK specifically, most operating systems have long since patched KRACK. As long as all wireless routers/access points AND clients have the latest security patches you should be fine.

You could also look into the new WPA3 protocol, but WPA2 is still quite secure for the foreseeable future.

J. Rich
0

I would say most manufacturers have not in fact patched the KRACK exploit. While the wireless manufacturers may have devised new standards, that doesn't actually mean that new hardware will, in fact, have the required updates and fixes to mitigate the attack.

Personally, my advice is just to keep yourself updated as best you can, but also don't always rush into the newest updates either, sometimes the new update can set you back and or have you running in circles because of errors in the coding.

Human error is your biggest worry, until the machines truly gain "artificial intelligence".

In addition, use strong passwords utilizing multiple character types and no similar consecutive characters, and I highly recommend multifactor authentication.

schroeder
  • 2
    Actually, it does mean new hardware will have the required updates and fixes. When WPA3 is finalized and released, anything that wants to be WiFi certified is required to support it. – forest Nov 30 '18 at 01:00