Protecting Against KRACK

Written by Vince Lujan on October 20, 2017


Suddenly WiFi security is in the headlines around the world. Why? It was recently discovered that WiFi connections are no longer secure because of a vulnerability in WPA2, the protocol that we all use to communicate with wireless access points.

According to the official website, an attacker within range of a victim can exploit these weaknesses using Key Reinstallation Attacks (KRACK). As a result, IT admins all over the world are scrambling to protect against KRACK.

The Dangers of KRACK


The KRACK security vulnerability affects just about all devices that are using WiFi. This is one of the reasons that IT organizations are so worried. Just about every mobile phone, tablet, laptop, and desktop computer could be affected by the vulnerability.

As with many other serious security holes, it is critical for IT admins to take this one seriously and carry out the remediation steps for KRACK. In this case, as in many others, the remediation is to patch devices.

Most OS vendors have already issued patches, and devices that are set for automatic update should already be receiving the fixes. Where IT admins are on the hook to patch machines themselves, they will want to start that process.

Best Practices for Protecting Against KRACK

  • Install the latest updates for all of your devices.
  • Avoid using public WiFi to transmit sensitive information.
  • Leverage HTTPS encryption.
  • Implement a Virtual Private Network (VPN).
  • Employ a RADIUS Server.

You can read more about these five best practices for improving your WiFi security posture here.

Protecting WiFi Beyond KRACK


WiFi security, though, isn’t just about protecting against KRACK. The issues are more significant than just a single vulnerability.

WiFi networks have been notoriously insecure since their inception. Perhaps the most significant issue has been the concept of a shared SSID and passphrase. These shared credentials are the way that employees, guests, and others access the WiFi network.

Of course, we know that shared credentials are a significant risk point. As users come and go, the supposedly private shared credentials make their way out into the public and are no longer private. IT admins can rotate those credentials often, but then it’s a hassle for all of the users that are staying on the network.

IT admins have solved this problem through unique access. By connecting WiFi access to the core identity provider using the RADIUS protocol, each person that accesses the network must do so with their core credentials. This ensures that each person’s access is unique.

The challenge for IT admins has traditionally been that the process of implementing RADIUS can be painful and time-consuming. Fortunately, a new generation of RADIUS-as-a-Service (or Cloud RADIUS) is making this process far easier.
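The difference between a shared passphrase and per-user RADIUS access is visible in the access point's configuration. The following added example (not from the original article or from JumpCloud) assumes hostapd-style configuration files, which the article does not name, and classifies two constructed sample configs; the addresses and secrets in them are placeholders.

```python
# Added example: classify how a hostapd-style AP config authenticates clients.
# hostapd is an assumption; the article names no access point software.

SHARED_PSK_CONF = """\
# constructed sample: one passphrase shared by every user
ssid=office
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=example-shared-passphrase
"""

RADIUS_CONF = """\
# constructed sample: 802.1X, each user authenticates through RADIUS
ssid=office
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=example-radius-secret
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return sorted findings describing the AP's authentication model."""
    conf = parse_conf(text)
    if conf.get("wpa", "0") == "0":
        return ["open-network"]
    # hostapd falls back to WPA-PSK when wpa_key_mgmt is not set.
    modes = conf.get("wpa_key_mgmt", "WPA-PSK").split()
    findings = set()
    if any("PSK" in m for m in modes):
        findings.add("shared-passphrase")
    if any("EAP" in m for m in modes):
        # Per-user access needs 802.1X enabled and a RADIUS server to query.
        if conf.get("ieee8021x") == "1" and conf.get("auth_server_addr"):
            findings.add("per-user-radius")
        else:
            findings.add("eap-without-radius")
    return sorted(findings)

if __name__ == "__main__":
    for name, text in (("shared", SHARED_PSK_CONF), ("radius", RADIUS_CONF)):
        print(name, audit(text))
```

A config that lists both WPA-PSK and WPA-EAP is reported with both findings, since the shared passphrase remains a way onto the network.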

Protecting WiFi with Directory-as-a-Service

Cloud RADIUS is a core component of JumpCloud’s Directory-as-a-Service® platform. IT admins can leverage Directory-as-a-Service for a wide variety of implementations, including securing WiFi with RADIUS.

The benefits of implementing RADIUS-as-a-Service from JumpCloud include the ability to restrict access to the network on an individual basis by requiring each user to authenticate using their core JumpCloud identity. That means no more shared SSIDs and passphrases.

Further, IT admins no longer have to waste time and effort trying to configure RADIUS servers and hardware on-prem. Instead, RADIUS-as-a-Service shifts the entire RADIUS infrastructure and the directory service to a hosted solution in the cloud.

IT admins simply point their WAPs to the cloud RADIUS server and load their users into the cloud identity provider. The result is that each user now has to log in with their own credentials to gain WiFi access.

While this won’t help protect against KRACK attacks, it will significantly improve your overall network security. Along with patching KRACK, the next most important thing that IT admins can do is implement RADIUS on their WiFi networks.

Learn More about Protecting Against KRACK


To learn more about protecting against KRACK, or how Directory-as-a-Service can boost your organization’s security posture at large, drop us a note. You can also sign up and secure your WiFi with RADIUS-as-a-Service today. Your first ten users are free forever.

Vince Lujan

Vince is a writer and video specialist at JumpCloud. Originally from the horse capital of New Mexico, Corrales, he has lived in Boulder, Colorado for three years. When Vince is not developing content for JumpCloud, he can usually be found at the Boulder Creek.
