In Blog, WiFi

WiFi Security RADIUS

WiFi networks are clearly the network norm in virtually all of today’s organizations. While the convenience and flexibility of WiFi have been game changing, concerns continue to abound about WiFi security. In this article, we’ll provide an introduction to WiFi security.

The Advent of WiFi

WiFiTo deeply understand WiFi security, we need to take a step back in time to fully understand the wired world. Wired networks often relied on physical security in addition to network based security. If an attacker could not connect to a wired connection inside the organization, then it was unlikely they could bypass all of the perimeter security. For many organizations, this meant that the wired internal network was usually open, although you still needed to authenticate to have services. An attacker, though, could see what was going on in the network by simply having a conduit to the network.

The result was that a generation of port-level security emerged called 802.1x to take wired security to the next level. This adoption meant that not only did users need to authenticate to the network, but they also weren’t allowed past the port until they were validated. Attackers couldn’t freely sniff the network, if you will.

On a WiFi network, the span and range of the signal can be quite wide, enabling attackers to connect to the network from the parking lot, the office next door, or even the next building. The concept of security through physical presence no longer worked. Even more so, connecting to the network only required a shared set of credentials which in most offices was pretty easy to obtain. This approach to WiFi has been quite standard and also scary to most IT admins and MSPs.

Improving WiFi Security

RADIUS-as-a-ServiceThe result has been a focus on stepping up WiFi security. The most significant step actually goes back to a concept that 802.1x pioneered on wired networks: individual authentication to access the network. By integrating this concept through a cloud RADIUS server, individuals looking to access the network must uniquely authenticate with their personal credentials. Those credentials are checked against those stored in an on-board directory service to ensure that the person is who they say they are. If the credentials pass, the user is then subsequently allowed to gain access. The shared WiFi SSID and passphrase are not enough to join the network. This approach to WiFi security is a dramatic step-up from allowing shared access.

For an even further enhancement to this WiFi security approach, many IT admins and MSPs are also segmenting their network, known as VLAN tagging, only allowing users access to segments that they are authorized for. For instance, because sales personnel are in a separate segment from developers, they cannot possibly access production servers. Or, marketing and finance personnel are delegated to different VLANs to protect confidential data and systems.

Both of these approaches are a game-changing way to protect WiFi networks while benefiting from the convenience and productivity of WiFi. If you’d like to learn more about upping your WiFi security game, contact our expert staff with your questions and concerns.

Recent Posts