# Wireless Network Security
Definition
Wireless network security encompasses the controls that protect wireless local area networks (WLANs) and connected devices from unauthorized access, eavesdropping, and attack. Wireless networks broadcast data through radio frequencies that extend beyond the organization's physical walls. Any device within range can detect the network, attempt to connect, and, if the security controls are insufficient, intercept traffic or gain unauthorized access to the internal network.
This physical characteristic makes wireless networks fundamentally different from wired networks. A wired network requires physical access to a port or cable. A wireless network requires only proximity. An attacker in the parking lot, in the lobby, or in an adjacent building may be within range of the organization's wireless network. The attack surface is not bounded by walls. It is bounded by signal propagation, which the organization does not fully control.
Wireless security has evolved through four generations of encryption protocols: WEP (Wired Equivalent Privacy, broken and deprecated), WPA (Wi-Fi Protected Access, deprecated), WPA2 (the current baseline standard), and WPA3 (the current recommended standard). Each generation addressed vulnerabilities in the previous, and the transition from WPA2 to WPA3 is ongoing across enterprise environments.
How It Works
Encryption Protocols
WEP (deprecated). Released in 1999, WEP used RC4 encryption with static keys that could be cracked in minutes using freely available tools. WEP is completely broken and provides no meaningful security. Any network still running WEP is effectively unencrypted. No organization should be using WEP under any circumstances.
WPA/WPA2-Personal (PSK). WPA2-Personal uses a pre-shared key (a password) for authentication and AES-CCMP for encryption. Every device on the network shares the same password. WPA2-Personal is secure against external attack when the password is strong (long, random, unique), but it has structural limitations for enterprise use: the shared password cannot be individually revoked (if one employee leaves, the password must be changed for everyone), there is no per-user accountability (logs show device MAC addresses, not individual identities), and a captured four-way handshake lets an attacker test password guesses offline, so a weak pre-shared key falls to a dictionary attack.
WPA2-Personal is appropriate for small offices and home networks. It is not appropriate for enterprise environments where individual identity, access control, and accountability are required.
WPA2-Enterprise (802.1X). WPA2-Enterprise replaces the pre-shared key with individual authentication through 802.1X and a RADIUS server. Each user authenticates with their own credentials (username and password, certificate, or both) through an Extensible Authentication Protocol (EAP) method. The most secure EAP methods are EAP-TLS (certificate-based, no password transmitted) and PEAP (password-based with a TLS tunnel protecting the credential exchange).
WPA2-Enterprise provides per-user authentication (each user has a unique credential), per-user accountability (the RADIUS server logs each authentication event with the user's identity), and individual access revocation (disabling a user's credential does not affect other users). WPA2-Enterprise is the minimum acceptable standard for enterprise wireless networks.
WPA3. Released in 2018, WPA3 addresses remaining WPA2 vulnerabilities. WPA3-Personal authenticates with Simultaneous Authentication of Equals (SAE) before the four-way handshake, so a captured handshake no longer allows offline dictionary attacks against the pre-shared key. WPA3-Enterprise provides a 192-bit security mode (aligned with CNSA Suite recommendations for government and defense environments) and requires Protected Management Frames (PMF), which prevent forged deauthentication and disassociation frames.
WPA3 adoption is increasing but not universal. Many organizations still operate WPA2-Enterprise because their access point hardware or client devices do not support WPA3. The transition is in progress. CDA recommends WPA3-Enterprise for new deployments and a migration plan for existing WPA2 environments.
Wireless Network Architecture
Enterprise wireless architecture includes several security design decisions:
Network segmentation. Wireless networks should be segmented from the wired corporate network. A guest wireless network should be completely isolated from the internal network (internet access only, no internal routing). An employee wireless network should be placed in a separate VLAN with firewall rules controlling access to internal resources. IoT devices (cameras, printers, building management systems) should be on their own wireless segment with restricted access.
Segmentation limits the blast radius of a wireless compromise. An attacker who gains access to the guest wireless network reaches the internet but cannot reach internal systems. An attacker who gains access to the IoT wireless segment can reach IoT devices but cannot reach the employee workstation VLAN or the server VLAN.
Wireless intrusion detection/prevention (WIDS/WIPS). Monitor the wireless spectrum for unauthorized access points (rogue APs), unauthorized clients, deauthentication attacks, evil twin attacks, and other wireless-specific threats. WIDS/WIPS systems use dedicated sensors (or dedicated radio interfaces on existing access points) to continuously scan all wireless channels and alert on anomalous wireless activity.
Rogue AP detection is the highest-priority WIDS function. A rogue AP is an unauthorized access point connected to the internal network (an employee plugging in a personal wireless router) or an evil twin (an attacker broadcasting a network name identical to the organization's legitimate network to trick devices into connecting). Both create unauthorized entry points that bypass the organization's wireless security controls.
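The rogue-AP, evil-twin and deauthentication checks described above, written out as an added example that is not part of this article or any CDA tooling: it classifies constructed beacon observations against an authorized-AP inventory and flags a deauthentication flood. The inventory, the MAC addresses, the seen_on_wired_lan correlation flag and the threshold are all assumptions.

```python
# Constructed inventory of authorized access points: BSSID -> (SSID, expected
# security mode). All addresses and names here are placeholders, not real data.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": ("CorpWiFi", "WPA2-Enterprise"),
    "00:11:22:aa:bb:02": ("CorpWiFi", "WPA2-Enterprise"),
    "00:11:22:aa:bb:03": ("CorpGuest", "OPEN"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}

def classify_beacon(bssid, ssid, security, seen_on_wired_lan):
    """Classify one observed AP beacon. seen_on_wired_lan is an assumed flag
    meaning the radio's MAC (or its wired side) appeared in a switch MAC table."""
    if bssid in AUTHORIZED_APS:
        expected_ssid, expected_mode = AUTHORIZED_APS[bssid]
        if ssid != expected_ssid or security != expected_mode:
            return "MISCONFIGURED_AP"  # known radio drifted from its posture
        return "AUTHORIZED"
    if ssid in CORPORATE_SSIDS:
        return "EVIL_TWIN"             # unknown radio advertising our SSID
    if seen_on_wired_lan:
        return "ROGUE_AP"              # unknown radio bridged onto the LAN
    return "NEIGHBOR"                  # unrelated network within range

# Constructed sensor observations: (bssid, ssid, security, seen_on_wired_lan)
SAMPLE_BEACONS = [
    ("00:11:22:aa:bb:01", "CorpWiFi", "WPA2-Enterprise", True),
    ("de:ad:be:ef:00:01", "CorpWiFi", "WPA2-Personal", False),   # evil twin
    ("00:11:22:aa:bb:02", "CorpWiFi", "WPA2-Personal", True),    # downgraded
    ("c0:ff:ee:00:00:01", "HomeRouter", "WPA2-Personal", True),  # rogue AP
    ("c0:ff:ee:00:00:02", "NeighborNet", "WPA3-Personal", False),
]

def scan_report(beacons=SAMPLE_BEACONS):
    return {b: classify_beacon(b, s, sec, w) for b, s, sec, w in beacons}

DEAUTH_THRESHOLD = 20  # deauth frames per window from one address; tune per site
def detect_deauth_flood(frames, window_seconds=10.0):
    """Return sender addresses that exceed DEAUTH_THRESHOLD deauthentication
    frames inside any window_seconds span. Attackers forge the legitimate AP's
    address, so a hit names the AP being impersonated, not the attacker's radio."""
    deauths = sorted((f["t"], f["src"]) for f in frames if f["type"] == "deauth")
    flooders = set()
    for i, (t0, src) in enumerate(deauths):
        in_window = sum(1 for t, s in deauths[i:] if s == src and t - t0 <= window_seconds)
        if in_window > DEAUTH_THRESHOLD:
            flooders.add(src)
    return flooders

# Constructed capture: 25 deauth frames in 5 seconds forged from one address,
# plus a single legitimate deauth from an authorized AP.
SAMPLE_FRAMES = [{"t": i * 0.2, "src": "de:ad:be:ef:00:01", "type": "deauth"} for i in range(25)]
SAMPLE_FRAMES.append({"t": 3.0, "src": "00:11:22:aa:bb:01", "type": "deauth"})
```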
Captive portal authentication. Guest wireless networks typically use captive portal authentication: the user connects to the open wireless network and is redirected to a web page where they accept terms of service, register their device, or authenticate with temporary credentials. Captive portals provide accountability (logging who connected and when) and terms acceptance (the organization's acceptable use policy for guest wireless) without requiring guest users to have corporate credentials.
Certificate-based authentication. The most secure wireless authentication method is certificate-based 802.1X (EAP-TLS). Each authorized device receives a digital certificate that the RADIUS server validates during connection. Certificate-based authentication eliminates password-based attacks entirely: there is no password to phish, no credential to steal, and no hash to crack. The certificate's private key can be stored in the device's trusted platform module (TPM) or secure enclave, making it resistant to extraction.
Certificate deployment requires a public key infrastructure (PKI) or a cloud-based certificate management platform (Microsoft Intune certificate profiles, SCEP, or similar). The operational overhead is higher than password-based authentication, but the security improvement is substantial for environments where wireless compromise would have significant consequences.
Wireless Threats
Evil twin attacks. The attacker creates an access point with the same SSID as the organization's legitimate network. Devices that have previously connected to the legitimate network may automatically connect to the evil twin (most operating systems connect to known SSIDs without re-authenticating). Once connected, the attacker can intercept traffic, capture credentials, and deliver malware.
Defense: WPA2/WPA3-Enterprise with server certificate validation. The client validates the RADIUS server's certificate during connection, which means the client profile must be configured with the trusted CA and the expected server name; a client that accepts any certificate gains nothing from this check. An evil twin cannot present a valid certificate for the organization's RADIUS server, so the connection fails. WPA2-Personal networks are vulnerable to evil twin attacks because there is no server certificate to validate.
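A client-side check for the certificate validation this defense depends on, added here as an example and not code from the article or from CDA: it parses wpa_supplicant-style network={...} blocks and reports profiles that would accept an evil twin's RADIUS certificate. The sample configuration, identities and file paths are constructed; the option names (ca_cert, domain_match, domain_suffix_match, ieee80211w) are real wpa_supplicant settings.

```python
import re
# Constructed wpa_supplicant.conf excerpt with two 802.1X profiles for the same
# SSID. The first never checks which RADIUS server it talks to; the second pins
# the CA and server name and requires PMF. Identities and paths are placeholders.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"
    ieee80211w=2
}
"""
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)

def parse_networks(conf):
    """Return one dict of option -> value per network={...} block (quotes stripped)."""
    profiles = []
    for body in BLOCK_RE.findall(conf):
        opts = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition("=")
            opts[key] = value.strip().strip('"')
        profiles.append(opts)
    return profiles

def audit_profile(p):
    """List the weaknesses that would let an evil twin satisfy this profile."""
    if "WPA-EAP" not in p.get("key_mgmt", ""):
        return ["not-802.1X"]                  # PSK or open: no server to validate
    findings = []
    if "ca_cert" not in p:
        findings.append("no-ca_cert")          # any RADIUS certificate is accepted
    if "domain_match" not in p and "domain_suffix_match" not in p:
        findings.append("no-server-name-pin")  # any cert from that CA is accepted
    if p.get("eap") == "PEAP" and "password" in p:
        findings.append("password-based")      # phishable credential; prefer EAP-TLS
    if p.get("ieee80211w") != "2":
        findings.append("pmf-not-required")    # forged deauth frames still accepted
    return findings

def audit(conf=SAMPLE_CONF):
    return [audit_profile(p) for p in parse_networks(conf)]
```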
Deauthentication attacks. The attacker sends forged deauthentication frames to clients, disconnecting them from the legitimate access point. The clients automatically reconnect, and the attacker can capture the reconnection handshake (WPA2-Personal) or force clients to connect to an evil twin. WPA3's Protected Management Frames prevent deauthentication attacks by requiring management frames to be authenticated and encrypted.
KRACK (Key Reinstallation Attack). Discovered in 2017, KRACK exploited a vulnerability in the WPA2 four-way handshake to decrypt traffic and inject packets. The vulnerability affected virtually every WPA2 implementation. Patches were released for most platforms, but the vulnerability accelerated the adoption of WPA3 (which is not affected by KRACK).
Rogue access points. An unauthorized access point connected to the internal network. The rogue AP may be malicious (planted by an attacker) or unintentional (an employee plugging in a consumer router for convenience). Either way, it creates an unmonitored, unsecured entry point to the internal network that bypasses the organization's wireless security controls.
Why It Matters
The Invisible Perimeter
Wireless networks extend the network perimeter beyond the organization's physical control. An attacker does not need to enter the building. They need to be within wireless range, which extends dozens to hundreds of meters depending on the access point's power and antenna configuration. In dense office environments, shopping centers, and multi-tenant buildings, the wireless signals of multiple organizations overlap, creating opportunities for interception, impersonation, and unauthorized access.
Remote and Hybrid Work
Remote and hybrid work models have expanded wireless security concerns beyond the office. Employees connecting to corporate resources from home wireless networks, coffee shop Wi-Fi, hotel networks, and airport hotspots expose their traffic to networks the organization does not control. VPN encryption protects the traffic in transit, but the endpoint's wireless connection is the first link in the chain. An employee on an open (unencrypted) public Wi-Fi network without a VPN is transmitting corporate data in cleartext to anyone within range.
IoT Proliferation
The number of wireless-connected devices in enterprise environments has grown rapidly: security cameras, badge readers, environmental sensors, smart displays, printers, building management systems, and medical devices. Each IoT device is a wireless client that may have limited security capabilities (no support for WPA3-Enterprise, no ability to run endpoint agents, no regular firmware updates). IoT wireless segmentation is essential to prevent compromised IoT devices from providing a path to the corporate network.
CDA Perspective
Wireless security sits at the intersection of SPH (Security Posture and Hygiene) and VSD (Vulnerability and Surface Defense) in the Planetary Defense Model. SPH owns the configuration and maintenance of wireless infrastructure: access point configurations, encryption protocol selection, RADIUS server management, and WIDS/WIPS operation. VSD owns the attack surface assessment: which wireless networks are visible, what encryption they use, and whether rogue APs exist.
CDA's Autonomous Posture Command (APC) monitors wireless posture continuously. Wireless encryption standard (WPA2 or WPA3), RADIUS server health, rogue AP detection status, and wireless segmentation configuration are posture metrics tracked in the SPH domain score. A misconfigured access point broadcasting on the wrong VLAN or a WIDS sensor going offline degrades the posture score and triggers remediation.
Two TOP missions connect to wireless security:
- SPH-B01 (Network Security Hardening): Includes wireless security as a component: WPA3 deployment or WPA2-Enterprise configuration, wireless segmentation, WIDS/WIPS deployment, and guest network isolation. 24 estimated hours (wireless is a subset of the broader network hardening mission).
- VSD-R01 (External Attack Surface Discovery): Includes wireless reconnaissance: identifying the organization's wireless networks, verifying encryption standards, and detecting unauthorized access points. 16 estimated hours.
CDA approaches wireless security with one emphasis: WPA2-Enterprise with certificate-based authentication (EAP-TLS) is the target state for every enterprise client. Password-based wireless authentication (PSK or PEAP with passwords) is a stepping stone, not a destination. Certificates eliminate the password attack surface entirely. The investment in PKI or certificate management is justified by the elimination of an entire attack category.
Key Takeaways
- Wireless networks extend the attack surface beyond physical walls. Any device within range can detect, probe, and potentially compromise the network.
- WPA3-Enterprise is the recommended standard. WPA2-Enterprise with 802.1X is the minimum for enterprise environments. WPA2-Personal (PSK) is inadequate for enterprise use. WEP is broken and must be eliminated.
- Wireless segmentation isolates guest, employee, and IoT wireless networks from each other and from the wired corporate network, limiting blast radius.
- Evil twin attacks, deauthentication attacks, and rogue APs are the primary wireless threat categories. Certificate-based authentication (EAP-TLS) and WPA3 Protected Management Frames defend against them.
- CDA targets certificate-based wireless authentication (EAP-TLS) as the destination state. Passwords on wireless networks are a stepping stone, not a permanent configuration.
Related Articles
- Network Segmentation
- Zero Trust Architecture
- Security Posture and Hygiene (SPH): The Terrain
- Penetration Testing
- Attack Surface Management
- Multi-Factor Authentication (MFA)
Sources
- Wi-Fi Alliance. "WPA3 Specification: Version 3.0." Wi-Fi Alliance, 2020.
- National Institute of Standards and Technology (NIST). "Guide to Securing Legacy IEEE 802.11 Wireless Networks: SP 800-153." U.S. Department of Commerce, 2012 (guidance principles remain applicable).
- Center for Internet Security. "CIS Controls v8: Control 12.6 (Wireless Access Control) and 12.7 (Leverage WPA3)." CIS, 2021.
- Vanhoef, Mathy, and Frank Piessens. "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2." ACM CCS, 2017.
- National Security Agency. "Commercial National Security Algorithm Suite (CNSA) 2.0." NSA, 2022. (192-bit security requirements for WPA3-Enterprise in government environments.)
Written by Evan Morgan