How to deploy WPA3 for enhanced wireless security

  • Network support: Ensure that your network infrastructure, including access points and controllers, supports WPA3 and (if desired) the optional OWE for open networks. While many newer network devices are WPA3-compatible, older hardware may require updates or replacement. If you want to use certain optional WPA3 functionality, research all the requirements for that feature. For instance, to use 192-bit security in Enterprise mode, your RADIUS server must support the required EAP methods and you must implement EAP-TLS with server- and client-side certificates for the 802.1X authentication. The wireless controller may provide this support, or you may have to use an external RADIUS server.
  • Client support: Verify that the devices connecting to your network support WPA3. While most modern smartphones, tablets, and laptops are WPA3-compatible, some legacy devices may require updates or replacements. If not all client devices will support WPA3, you can run the network in WPA2/WPA3 mixed mode.
  • Software updates: Even though your network and client hardware may already support WPA3 and OWE, check for firmware and driver updates in case more WPA3 features and functionality have been released to support more of the standard. Updating may add additional deployment options.
  • Configuration: Configure your controller and access points to enable WPA3 and/or OWE authentication and encryption. Not all network gear supports the same deployment options, either.

Tips for using WPA3

Here are some tips to maximize the benefits of WPA3 on your enterprise network:

  1. Use WPA2/WPA3 mixed mode: Unless you’re working with a smaller and controlled network where you can ensure all clients will support WPA3, you’ll likely want to still support WPA2 clients. This is possible with the WPA2/WPA3 mixed or transition modes. Though it’s not best performance-wise, it will still be possible for older clients to connect.
  2. Understand the different deployment configurations: When configuring gear that supports WPA3, you’ll find many new deployment options regarding security. Consider this even before deployment, when selecting your equipment, so you ensure it will support your desired methods. For WPA3-Personal, you may find options like Hash-to-Element (H2E) for password element generation or an option to enable Fast Transition. Another example: some network gear may support WPA3-only for SSIDs broadcasting in the 6GHz band, while other gear may offer WPA2/WPA3 mixed mode support for the newer band. For WPA3-Enterprise, you might see support for different deployment options, such as 802.1X-SHA256 AES CCMP 128, GCMP128 SuiteB 1x, and GCMP256 SuiteB 192 bit. If you have a preference, ensure the gear you select supports it. Do your research on each of the supported deployment configurations to understand what’s best for your wireless LAN and clients.
  3. Use OWE mixed mode: If you want to turn on OWE for Wi-Fi Enhanced Open connections, consider the mixed or transition mode. That way, the network accepts both traditional unencrypted connections from older clients and encrypted connections from newer clients that support OWE.
  4. Use strong passwords everywhere: Even with the enhanced security of WPA3, weak passwords will always be somewhat of a vulnerability. Use complex, hard-to-guess Wi-Fi passwords and, if using the enterprise mode with user passwords, enforce secure user passwords via the RADIUS server. Plus, with all these new encryption techniques, don’t forget about the good old vulnerabilities, like weak admin passwords on network components.
  5. Regularly update firmware and drivers: Keep your network infrastructure firmware up to date to ensure you have the latest security patches and enhancements, especially updates to WPA3. The same idea applies to client devices; new driver software may add support for better or new WPA3 functionality.
  6. Monitor for rogue, misconfigured, and interfering APs: You can set up the best Wi-Fi security and military-grade encryption on your APs, but a rogue AP plugged into the network by an employee or attacker can open a gaping hole. Or an approved AP could be misconfigured. So, enable any rogue AP detection or monitoring you have available.
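The configuration step and tips 1 to 3 above describe settings that are easy to get subtly wrong: a WPA2/WPA3 transition SSID without protected management frames, SAE left on hunting-and-pecking instead of H2E, or a 192-bit Enterprise SSID with the wrong cipher suites. The following is an added example, not code from the article or from the hostapd project, of a small linter that reads hostapd-style `key=value` settings and reports those mistakes. It assumes the upstream hostapd.conf key names (`wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `ieee80211w`, `sae_pwe`, `sae_require_mfp`, `group_mgmt_cipher`); the sample configurations are constructed, with a weak transition profile beside its corrected form and a Suite B 192-bit profile.

```python
"""Lint hostapd-style WPA3 settings for common deployment mistakes.

Added example; not code from the original article or from hostapd. It assumes
the upstream hostapd.conf key names. The sample configurations are constructed.
"""
from __future__ import annotations

WPA3_AKMS = {"SAE", "OWE", "WPA-EAP-SUITE-B-192"}


def parse_hostapd(text: str) -> dict[str, str]:
    """Parse key=value lines, ignoring blanks and '#' comments."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_wpa3_profile(cfg: dict[str, str]) -> list[str]:
    """Return findings for one BSS config; an empty list means nothing was spotted."""
    findings: list[str] = []
    akms = set(cfg.get("wpa_key_mgmt", "").split())
    pmf = cfg.get("ieee80211w", "0")          # 0 disabled, 1 optional, 2 required
    pairwise = set(cfg.get("rsn_pairwise", "").split())

    if cfg.get("wpa") != "2":
        findings.append("wpa must be 2: WPA3 is RSN-only, WPA(1)/TKIP is not allowed")
    if not akms & WPA3_AKMS:
        findings.append("wpa_key_mgmt carries no WPA3 AKM (SAE, OWE or WPA-EAP-SUITE-B-192)")
    if "TKIP" in pairwise:
        findings.append("rsn_pairwise must not include TKIP")

    if "SAE" in akms:
        transition = "WPA-PSK" in akms        # WPA2/WPA3 mixed mode
        if transition and pmf == "0":
            findings.append("transition mode needs ieee80211w=1 so SAE clients can negotiate MFP")
        if transition and cfg.get("sae_require_mfp") != "1":
            findings.append("transition mode should set sae_require_mfp=1 so every SAE association uses MFP")
        if not transition and pmf != "2":
            findings.append("WPA3-only SSID needs ieee80211w=2 (PMF required)")
        if cfg.get("sae_pwe", "0") not in {"1", "2"}:
            findings.append("sae_pwe=0 keeps hunting-and-pecking only; set sae_pwe=1 (H2E) or 2 for mixed clients")

    if "OWE" in akms and pmf != "2":
        findings.append("OWE BSS needs ieee80211w=2 (PMF required)")

    if "WPA-EAP-SUITE-B-192" in akms:       # WPA3-Enterprise 192-bit mode
        if pairwise != {"GCMP-256"}:
            findings.append("192-bit mode needs rsn_pairwise=GCMP-256")
        if cfg.get("group_mgmt_cipher") != "BIP-GMAC-256":
            findings.append("192-bit mode needs group_mgmt_cipher=BIP-GMAC-256")
        if pmf != "2":
            findings.append("192-bit mode needs ieee80211w=2")
    return findings


# Constructed sample configs (not from any real deployment).
WEAK_TRANSITION = """
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
ieee80211w=0
"""

GOOD_TRANSITION = """
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
ieee80211w=1
sae_require_mfp=1
sae_pwe=2
"""

SUITE_B_192 = """
ssid=corp-secure
wpa=2
ieee8021x=1
wpa_key_mgmt=WPA-EAP-SUITE-B-192
rsn_pairwise=GCMP-256
group_mgmt_cipher=BIP-GMAC-256
ieee80211w=2
"""

if __name__ == "__main__":
    for name, text in [("weak", WEAK_TRANSITION), ("good", GOOD_TRANSITION), ("192-bit", SUITE_B_192)]:
        print(name, check_wpa3_profile(parse_hostapd(text)) or ["ok"])
```

Run against the weak profile it reports three findings (no PMF, no `sae_require_mfp`, no H2E); the corrected transition profile and the 192-bit profile pass clean. Vendor controllers use their own option names, so the mapping from these checks to a given GUI is the research tip 2 asks for.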
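Tip 6 asks for rogue and misconfiguration monitoring. The following is an added example, not code from the article, showing the core of such a check: compare what a scan actually sees against an inventory of authorized radios, raising a high-severity alert for an unknown BSSID that advertises a corporate SSID and medium-severity alerts for an authorized radio whose advertised AKMs or PMF level have drifted from policy. The inventory, the scan records and their shape are constructed for the example; a real controller export or `iw dev <if> scan` output would need its own parser.

```python
"""Audit a wireless scan against an inventory of authorized APs.

Added example; not code from the original article. The inventory and the scan
below are constructed, as is the Bss record shape.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Bss:
    bssid: str
    ssid: str
    akms: frozenset[str]   # advertised AKMs, e.g. {"SAE"}, {"PSK", "SAE"}, {"OPEN"}
    pmf: int               # 0 = none, 1 = capable, 2 = required


# Constructed inventory: what each authorized radio is supposed to advertise.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": Bss("aa:bb:cc:00:00:01", "corp-wifi", frozenset({"SAE"}), 2),
    "aa:bb:cc:00:00:02": Bss("aa:bb:cc:00:00:02", "corp-wifi", frozenset({"SAE"}), 2),
    "aa:bb:cc:00:00:03": Bss("aa:bb:cc:00:00:03", "corp-guest", frozenset({"OWE"}), 2),
}
CORP_SSIDS = {b.ssid for b in AUTHORIZED.values()}


def audit(scan, authorized=AUTHORIZED, corp_ssids=CORP_SSIDS) -> list[tuple[str, str, str]]:
    """Return (severity, bssid, reason) alerts for one scan."""
    alerts: list[tuple[str, str, str]] = []
    for bss in scan:
        expected = authorized.get(bss.bssid.lower())
        if expected is None:
            if bss.ssid in corp_ssids:
                alerts.append(("high", bss.bssid,
                               f"unknown BSSID advertising corporate SSID {bss.ssid!r}: possible rogue or evil twin"))
            continue   # a neighbour's network is not ours to police
        if bss.ssid != expected.ssid:
            alerts.append(("medium", bss.bssid, f"advertises {bss.ssid!r}, expected {expected.ssid!r}"))
        if bss.akms != expected.akms:
            alerts.append(("medium", bss.bssid,
                           f"AKM drift: expected {sorted(expected.akms)}, saw {sorted(bss.akms)}"))
        if bss.pmf < expected.pmf:
            alerts.append(("medium", bss.bssid, f"PMF level {bss.pmf} below policy level {expected.pmf}"))
    return alerts


# Constructed scan: two healthy radios, one misconfigured, one rogue, one neighbour.
SCAN = [
    Bss("AA:BB:CC:00:00:01", "corp-wifi", frozenset({"SAE"}), 2),
    Bss("aa:bb:cc:00:00:02", "corp-wifi", frozenset({"PSK", "SAE"}), 1),  # slipped back to mixed mode
    Bss("aa:bb:cc:00:00:03", "corp-guest", frozenset({"OWE"}), 2),
    Bss("de:ad:be:ef:00:01", "corp-wifi", frozenset({"PSK"}), 0),         # unknown radio, corporate SSID
    Bss("11:22:33:44:55:66", "coffee-shop", frozenset({"OPEN"}), 0),
]

if __name__ == "__main__":
    for severity, bssid, reason in audit(SCAN):
        print(f"[{severity}] {bssid}: {reason}")
```

On the constructed scan this yields one high alert for the unknown radio and two medium alerts for the authorized radio that has drifted to WPA-PSK/SAE with optional PMF. BSSIDs are matched case-insensitively because scan tools differ in how they print them.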

Remember, there are significant enhancements in WPA3, addressing vulnerabilities and introducing new security features. However, there are many requirements to consider without even touching on the other Wi-Fi 6 aspects. The effort may be worth it to make use of the much more secure encryption and forward secrecy with the personal mode or to get the 192-bit security for enterprise mode. Plus, don’t forget that if you want to utilize Wi-Fi Enhanced Open for public Wi-Fi, you need to seek out network gear and clients that actually support it.

Successful implementation of WPA3 requires an updated network infrastructure, client compatibility, and careful configuration. Using mixed or transitional modes for WPA2/WPA3 and OWE, enforcing strong passwords, and keeping firmware and drivers current are essential tips for maximizing WPA3 benefits and ensuring robust Wi-Fi security.
