Institutions #FAIL when it comes to their wireless security, but why?

Writing this as a response to a question asked about guest wireless basics (hit the character limit too quickly):

Wireless configurations are not one-size-fits-all. Starting from the top, the security protocol used will depend on the devices/clients you would like to be able to connect to it. WPA3 is great but today's standard is a blended WPA deployment, to make use of recent developments in speed and association but also allow 'legacy' devices on older standards (1-7 year old devices). Before you say the below items "are overkill for what we are doing," I must state that of course, this all depends on budgets and priorities, but doing things *right* the first time often saves you money, time, effort, and headaches (let alone law suits and more).

Beyond the protocol choice, I would highly suggest that if you need a guest wireless network, you enable guest wireless isolation. This ensures that all devices connected to the guest wireless have no access to each other or the trusted network (only an internet connection; no LAN). Further, I highly suggest you USE your guest wireless network. What do I mean here? I mean that any wireless device (yes, including the CEO's mobile phone) connects to the guest wireless and NOT the business/trusted network. For this reason, I often argue that nobody but IT should even know the wireless password, as they should be the only folks entrusted to determine if a device should be connected to it. I used to think the reasoning here was obvious but: Your mobile devices almost never need network access to local/corporate assets, therefore they should not have it. Sure, there are exceptions like printers and such, but those can be dealt with in more effective ways than handing out master keys to the network. Network access should be on an as-needed basis, and guarded carefully.

Make damn sure to disallow Management WebUI access to the wireless controller and all other assets from the guest wireless

One area I see many wireless deployments failing security checks is that the deployment engineers did not make damn sure to disallow Management WebUI access to the wireless controller and others from the guest wireless network - I've seen guest wireless networks with access to the management WebUI everywhere: from Universities, to Law Enforcement and other Public Services, to "integrated managed healthcare consortiums," that may or may not start with a "K" and rhyme with "ermenente," and many others that you know the name of... And just so you know, merely isolating a guest wireless network does not always disallow admin access to the WebUI; check and verify! What's the harm here? You should make it your goal to provide as little information as possible, even to users of your [guest] network, about the network. And remember this; always. ANY info I (as an attacker) can discern on you, your systems, hardware, or applications in use, can be extremely valuable in navigating your defenses. Even if your credentials are unique and safe, the login page, alone, can tell a knowledgeable visitor: your wireless infrastructure's vendor, system, and even its patch level, which can lead to identifying a vulnerability to exploit.

ANY info I (as an attacker) can discern on you, your systems, hardware, or applications in use, can be extremely valuable in navigating your defenses.

Beyond this, virtual segregation (VLAN'ing) or even physically segregating the guest wireless is important. Add to that, the procurement of a completely separate WAN connection for the guest wireless for good measure.

...I may or may not have prioritized my own network traffic above core business systems at international hotels, or not, (especially on remote islands, where bandwidth can be rare, slim, and expensive) because they relied on a DHCP scope to segregate their network prioritization... A simple static IP assigned over WiFi got me everywhere I wanted to go, and more...

Beyond this, imagine the havoc one could wreck if he were connected to JonDoe555.com's guest wireless with a WAN IP included in the SPF record for JonDoe555.com... Email spam / black lists are easy to get on and difficult to get off of... Especially with the sheer number of them these days. And this is just one of MANY potential attack vectors. Block outbound SMTP traffic at least at the port level, but to take it a step further, perform [deep] packet inspection and block certain types of traffic, regardless of their port assignments.

I cannot go any further without mentioning: PATCHING! Remember back in October of 2018, when WPA2 was found to have a 0-day vulnerability, where an attacker could inject a packet and perform a session hijack by guessing the next packet number accrual to be sent from a legitimately-connected device? Well, even if you don't, if your wireless infrastructure hasn't been patched since then, you're probably vulnerable to that attack/exploit. You know the most common date of firmware on wireless devices? The date of deployment... And how old is your infrastructure? Keeping up with firmware patches is a good portion of the battle, once a secure implementation has been deployed.

This article was meant to address safeguarding your institution from havoc one could wreck from a guest wireless network, but I also can't finish this article without mentioning filtering Corporate Wireless (and wired) network clients by MAC address, or 802.1x. Although these are not surefire in their approach, as MAC spoofing is rather easy, and wireless MAC addresses (of trusted devices) can literally be pulled out of the air, additional security measures such as implementing a RADIUS server would prove most beneficial.

Rogue AP detection and DeAuth attacks can be fun, but is also illegal in the US, under FCC regulations, due to the 2.4Ghz and 5Ghz wireless spectrum being classified as "public domain." and altering of neighboring networks or infringing on their ability to broadcast can be prosecuted under the first amendment. And this is where defenders must get crafty, as attackers don't adhere to law. It's like fighting a war where only one side adheres to the Geneva Convention... It certainly makes things more difficult for the honorable. But on the defense side, we can still gain back our edge.

Regarding wireless reception and deployments: One misstep many IT folks make (even network engineers) is that when they want better reception, they increase the AP's transmit power or simply "add an Access Point." Well, the problem with this solution goes back to the fundamentals of wireless networking (which few today seem to understand). RSSI is your Received Signal Strength Indication (to a wireless network). This is measured in decibels, and it is equal to the signal strength from the AP you're connected to, minus environmental noise. What is environmental noise? Any other traffic on your wireless channel (or close to it, depending on your channel width). What this means is that if you have two APs broadcasting on the same exact channel, right next to each other, you won't be able to connect to either one of them, even in immediate proximity (because your RSSI would be zero - since the signal from both would be about even, and one works as nosie to the other). It's like having two speakers at high volume playing completely different songs of the same acoustic frequency, and trying to listen to intricacies of one of them - it simply is not going to happen, for the same reason that a defense mechanism to bugged devices and locations is to play audio in the frequency of the human voice. Further, most network engineers seem to forget that wireless connectivity requires traffic going BOTH ways. You can't just boost the transmit power of your AP; the wireless device connected to it must be able to send the signal back to it. Getting flash backs to a time when you had full reception but couldn't connect?? It could also be explained by a DHCP timeout or other issues, but that's a story for another day.

My point is that you can't send an amateur and expect that he do the job of an expert. And now days, amateur look identical to experts on paper, since everyone is copying/pasting each others resumes on the internet. Amateurs don't work out when it comes to cyber security, wireless networking, tiling a bathroom, or even painting. You just can't expect them to perform at an expert level. And if you're an amateur looking to become an expert: Understand that there is no singular solution to any specific attack vector. Cyber security is spy vs spy. Every defense you put in place augments your attack surface. I will either go through it or around it. Layer your defenses such that your institutions are still protected when several of your defenses fail. Because they will.

Layer your defenses such that you are still protected when several of your defenses fail. Because they will.

Disclaimer: This article is not meant to be conclusive as to how to secure wireless networks; it was simply a medium of responding to a comment in more than 1300 characters. Further, each option you chose to or not to check, merely augments your attach surface. Sometimes for better, and sometimes for worse. If you are implementing anything tech-related, don't settle for a tech that can do it; find an EXPERT who can do it RIGHT.