By Jon Griffin Posted March 6, 2018
It seems like new security holes with trusted IT solutions are brought to light everyday. You don’t have to look far for an example. Just look at KRACK. KRACK, or the Key Reinstallation AttaCK, was an extremely dangerous vulnerability that affected the WPA2 protocol. This protocol was used in nearly every wireless internet transaction, and given our collective reliance on WiFi, it impacted quite a lot of people. The majority of the world has recovered since the news of this vulnerability, but it’s important to look at these events and try to learn from them. So let’s look at the question, “How can you secure your organization’s WiFi in light of web vulnerabilities?”
How Organizations Use WiFi
Before we suggest some ways to remediate your security posture against web vulnerabilities like KRACK, and protect against WiFi breaches, let’s step back and understand how most organizations are leveraging WiFi. Over the last decade, virtually every organization has made the leap to WiFi from wired networks. The benefits are significant, including more agile teams, productivity enhancements, and cost savings. The challenge with WiFi has always been security.
A wired network can be more tightly controlled, and initially that was a significant reason why IT admins didn’t move to WiFi. However, the pull was too strong. The benefits and flexibility of WiFi are incredibly powerful, and outweighed the advantages to an on-prem network. On top of that, IT vendors also created additional layers of security to WiFi that would help make IT admins more comfortable with the move. WPA2 was a part of this process. Of course, the wireless access points also started to integrate enterprise grade capabilities such as RADIUS protocol support.
Preparing for Web Vulnerabilities
Unfortunately, as we now know, these steps weren’t enough. As the KRACK vulnerability showed, there was a significant flaw in the client side libraries of devices connecting via WiFi using WPA2. The vulnerability allowed attackers to see all encrypted traffic between endpoints and the WAP (Wireless Access Point).
The fix for KRACK was to update the client side solutions. Platforms such as Android devices, Windows machines, macOS devices, and even Linux systems that utilize WiFi needed to be updated. IT admins everywhere made this a top priority, and eventually re-established their degree of security. However, paranoia is not retroactive. You shouldn’t only patch the vulnerabilities that we know of, you should prepare for the vulnerabilities to come. There are also some great steps you can take to mitigate the risk of being attacked, and you can find these steps in our blog post and associated video “Security Briefing: 5 Ways to Improve WiFi Security in Response to KRACK.”
Preparing for the Next Security Risk
Now is a great time for IT organizations to take a step back and understand the best way of securing WiFi in light of KRACK and other vulnerabilities. A major step that IT admins are taking is to leverage RADIUS to connect the WiFi infrastructure to the identity provider for unique authentication.
With RADIUS, each user will be required to enter their core user credentials into their machine when connecting to the WiFi access point. The WAP will securely send the credentials to the RADIUS server, which will communicate with the core directory service to authenticate user access. Each user will now be uniquely requesting access to the network.
RADIUS sounds like the obvious choice for a major step up in WiFi security, but it actually isn’t used as frequently as you would expect. This is because it can be challenging to implement. IT organizations are required to install a FreeRADIUS server, and then integrate it with the client side access, WAP, and identity provider. Once that is set up, it still needs to be managed and maintained. This all requires a great deal of time and resources.
The good news is that there is a better approach to RADIUS, through a RADIUS-as-a-Service platform. IT admins simply point their wireless access points to the cloud RADIUS server, and everything else is handled by the cloud identity management service. There is no client side configuration, hardware to procure, software to configure, or integration work with the identity provider. All of that heavy lifting is done by JumpCloud, leaving admins able to get back to their core responsibilities. In addition, the virtual RADIUS solution includes an onboard directory service that can function as the organization’s core identity provider. This means IT admins can easily manage which users can access various RADIUS networks. End users can also leverage the same credentials they use for RADIUS to access all of their on-prem and cloud-based resources.
If you would like to learn more about JumpCloud’s RADIUS-as-a-Service offering, reach out to us. We’d be happy to answer any questions you have, and discuss how it would work in your organization. Alternatively, you can also sign up for a free account and see it work for yourself. That way, you can know that the solution works for you before you make any commitment. Plus, your first 10 users are free forever, with no credit card required, so there’s no reason not to give it a shot.