About Time we modernize Wi-Fi security

I am going to try to keep this brief and hope this message is heard loud and clear. Wi-Fi security, particularly around authentication and authorization, needs a makeover! It's about time. I won't talk about over-the-air encryption mechanisms in this post. Most traffic over the air is encrypted anyway, unless you are using HTTP predominantly in your network, in which case we are looking at a whole new blog post. In any case, I am not advocating either way. Let's have a look at what we have today for security pertaining to authentication and authorization on Wi-Fi.

802.1X EAP-TLS

The most secure way to access Wi-Fi networks today is 802.1X EAP-TLS. To be honest, only a handful of enterprises have truly implemented it, if you think about it. Even the ones who have implemented EAP-TLS based Wi-Fi access aren't really doing it universally across their users' device base. We have seen and heard the stats a million times now: every user brings, what was it, on average 3, no, 4 devices. Enterprises typically create a corporate SSID for their "managed" Windows and Mac devices, where they push user certificates that are managed and maintained by a PKI infrastructure in the background.

Challenges with above:

  • Public Key Infrastructure is hard to maintain. If you are a Microsoft shop, you need AD DS, NPS, AD CS, NTP and online revocation services, not to forget security around the infrastructure and maintaining resiliency around the hardware and rack space in a data center. Let's call it "THE BOXes in the (private) CLOUD".


  • Certs need to be issued, revoked and reissued: lifecycle management. This leads to enterprises off-loading this to 3rd-party platforms and paying per user per cert.
  • Automatically deploying certs on Windows is OK in a Microsoft environment, but try doing the same thing on Mac, iOS and Android and that's another uplift.
  • Cert infrastructure needs to scale. This is a big deal for mid- to large-scale enterprises trying to deploy certs across tens of thousands of devices. Backend infrastructure needs to be built out to support this scale.
  • The majority of small to mid-size enterprises shy away from deploying this because of the complexities involved and the dedicated IT staff and expertise needed. That means they end up deploying shared passkeys or other not-so-secure (username/password) means of accessing Wi-Fi, which, as you can imagine, opens up critical resources for easy access. Think of the many small to mid-size financial firms, equity firms and banking firms managing sensitive data. Employees leave, the passphrases stay the same, and they can still access these resources.
  • Most enterprises (who end up braving PKI) only do this on users' corporate-owned devices. BYOD devices have to go through a separate onboarding flow. These brave "PKI warriors" are like the heroes on Game of Thrones: yes, you are a hero for a while, but you WILL die at the end of the season.


  • Even with ALL of the above flaws, we still have a major VULNERABILITY: the root CA's "centrally" located private key! If this gets hacked (which it does very often), the hacker can issue themselves a certificate and easily get access to critical network resources! It's only a matter of when and not how.


BYOD:

Two major changes have occurred in the enterprise world in recent times: more and more applications are moving to the cloud, and employees are accessing these applications across multiple devices and from multiple locations. Post-COVID, the corporate world has relaxed some of these access policies for employees, much like a hybrid work environment (something about employees being more productive, or something like that :) ). This means the traditional way of onboarding BYOD devices via 3rd-party NAC solutions is not entirely effective. Think about it: employees are not in the office connecting to corporate Wi-Fi, and their devices are not talking to something in the network. They are mostly communicating with a SaaS application in the cloud. SaaS applications can be accessed without being on VPN. Salesforce and other SaaS platforms clearly recommend not accessing them over VPN.

Challenges with BYOD security:

  1. Enterprises are NOT affording the same level of secure access to their employees' devices as they do to their corporate-owned devices.
  2. Complex Wi-Fi onboarding flows on a separate SSID. You typically connect to a dot1x-based SSID and get redirected to a splash page on an isolated VLAN via a RADIUS attribute. Some expensive 3rd-party NAC does network-based device fingerprinting (DHCP-based or static mappings) and network-based posturing (based on the limited data it receives from the browser), and once posturing is complete it sends a RADIUS CoA and you go over and reconnect again!


Modern Wi-Fi Security Paradigm for ALL enterprises (Zero Trust to the rescue!!)

  1. Identity and Access Management & Security need to come together.
  2. Cryptographically bind the user's corporate identity to each of the user's devices.
  3. Eliminate shared credentials (passphrases) and centralized private keys.
  4. Eliminate the need to manage and maintain PKI.
  5. Implement un-phishable multi-factor authentication (MFA) that does NOT cause user friction. Invisible MFA, if you will.
  6. Implement scalable certificate-based authentication without the need for central CAs. Create a personal CA on each of the corporate user's devices.
  7. Store the private key in a tamper-resistant, brute-force-resistant trusted enclave within the device itself (TPM on Windows, T2 chip on Mac, secure enclave on Android, etc.). The private key should never leave the device or appear on the network.
  8. A mechanism that does not require enterprises to upgrade their existing device inventory, so the same security is supported across legacy WPA2-based devices as well as newer devices that support WPA3-based mechanisms. By the same token, these mechanisms need to support existing Wi-Fi standards. For example, an enterprise currently on 802.11ac Wave 2 looking to move to Wi-Fi 6 or 6E shouldn't have to wait for the upgrade to implement secure access.
  9. Use modern authentication standards like SAML and OAuth2/OIDC rather than the legacy RADIUS-based approach.
  10. Automatically remove the employee's credentials from ALL their devices when they leave the organization. This is possible when using modern ways to synchronize directories, such as SCIM.
  11. Provide the same secure access across ALL of the employee's devices tied to the corporate identity.
  12. Capability for end users to securely onboard their own devices without involving IT staff, even when they are not on the corporate network.
  13. Eliminate IT tickets for rolling over passwords or lost-password recovery. Yes, there is a BIG cost associated with this.

Traditional NAC based Authorization on WiFi networks:

Traditional network access control based policies have long been the way to authorize and onboard users' devices. They rely on being on the traffic path of the initial onboarding flow so they can capture rudimentary information from the wire and apply network policies based on it.

Challenges with traditional NAC:

  1. NAC policies are not very comprehensive. See the device security posture based authorization policies below and the information they are able to capture.
  2. They are EXPENSIVE! Licenses are not cheap.
  3. You need to buy some sort of consulting services from the vendor to help deploy and set this up.
  4. Even enterprises that deploy NAC don't really use all the bells and whistles of the solution. The network policies configured are pretty basic, out of fear that some complex policy might break something.
  5. Small to mid-size enterprise customers (not ALL) mostly don't deploy NAC solutions to increase security.
  6. There is no concept of continuously monitoring the device posture after the device has authenticated. See continuous authentication below.
  7. They are not used when employees access web applications behind an SSO or other enterprise applications like RDP/SSH/desktop login.

Device Security Posture Based Authorization Policies:


The Zero Trust framework calls for collecting at least one risk signal from the user's device. I say why one, how about a hundred. No need to put devices on separate quarantined VLANs, no need for complex Wi-Fi flows, no CoA business, no device fingerprinting on the wire, no OS fingerprinting. How about we look for things like whether the user's device maintains good security hygiene all the time: ensuring its firewall is always on, disk encryption is always enabled, the device is managed by an MDM, the device has EDR software, and the list goes on and on. See the video below to see how this is done.

Continuous Authentication:

A traditional authentication mechanism authenticates the user one time, and the device is authorized to access Wi-Fi for a day or two before the authentication flow kicks in again. A modernized Zero Trust framework calls for continuously monitoring the device's security posture and triggering a re-authorization as soon as a change is detected to the device's security posture that makes it non-compliant. Continuous authentication is the cornerstone of modern security. Imagine a case where the device is allowed to access the Wi-Fi from certain trusted locations, detected via the device's GPS coordinates. Well, what if the user turns off GPS? The ability to detect an event like this and trigger a re-authentication is a game changer.


Yes, there's more! Continuous authentication also works when the device is NOT connected to corporate Wi-Fi. Let's take the example of an enterprise that has deployed a cloud-based Wi-Fi solution that not only manages the Wi-Fi infrastructure but also manages wired infrastructure like switches, firewalls and VPN infrastructure. A corporate employee, Alice, is trying to access critical corporate network resources over a VPN connection on, let's say, a Starbucks Wi-Fi network. Alice downloads a malware-infected file, which is detected by the EDR service on her device and brings her zero trust score below the threshold set by the enterprise. This should trigger an event via an API to the Wi-Fi cloud, which is also managing the corporate VPN infrastructure, and which should then disconnect Alice from the VPN before she spreads the malware on the corporate network.
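The posture-based authorization described in the previous section and the continuous re-evaluation described here, as an added Python example that is not part of the article or of any product it alludes to: a small policy engine that scores hygiene signals reported by the device itself (firewall, disk encryption, MDM, EDR, GPS, screen lock), authorizes a Wi-Fi or VPN session, and re-runs the decision whenever a signal changes. The weights, the threshold, the device data and the `reauthenticate`/`disconnect_vpn` actions are constructed for illustration; the GPS-off and EDR-detection scenarios follow the text.

```python
"""Zero-trust posture engine: authorize a device from risk signals it reports
itself, then keep re-evaluating as signals change (continuous authentication).
Added example only; the policy weights, threshold, device data and actions
are constructed for illustration, not taken from any product."""
from dataclasses import dataclass, field, replace

# Hypothetical policy: each hygiene check contributes to a trust score.
# The weights and threshold are constructed; a real deployment tunes them.
POLICY = {
    "firewall_on": 20,
    "disk_encrypted": 20,
    "mdm_managed": 20,
    "edr_installed": 20,
    "gps_enabled": 15,     # needed for location-based access decisions
    "screen_lock_on": 5,   # low-weight signal: losing it alone is tolerated
}
THRESHOLD = 90             # minimum score to be considered compliant
EDR_ALERT_PENALTY = 100    # an active malware detection fails the device outright


@dataclass(frozen=True)
class Posture:
    """Risk signals collected on the device (not sniffed from the wire)."""
    firewall_on: bool
    disk_encrypted: bool
    mdm_managed: bool
    edr_installed: bool
    gps_enabled: bool
    screen_lock_on: bool
    edr_alert: bool = False   # True while EDR reports an active detection


def trust_score(p: Posture) -> int:
    """Sum the weights of passing checks, then apply the EDR alert penalty."""
    score = sum(weight for name, weight in POLICY.items() if getattr(p, name))
    if p.edr_alert:
        score -= EDR_ALERT_PENALTY
    return max(score, 0)


def is_compliant(p: Posture) -> bool:
    return trust_score(p) >= THRESHOLD


@dataclass
class Session:
    """One access session for a device, over Wi-Fi or over the corporate VPN."""
    device_id: str
    access: str                     # "wifi" or "vpn"
    posture: Posture
    authorized: bool = False
    events: list = field(default_factory=list)


def authorize(session: Session) -> bool:
    """Initial authorization decision from the device's current posture."""
    session.authorized = is_compliant(session.posture)
    session.events.append(("authorize", session.access, session.authorized))
    return session.authorized


def on_posture_change(session: Session, **changes) -> str:
    """Continuous authentication: re-evaluate on every signal change and act
    at once if the device drops below policy. Returns the action taken."""
    session.posture = replace(session.posture, **changes)
    if session.authorized and not is_compliant(session.posture):
        session.authorized = False
        # Wi-Fi clients are forced to re-authenticate; VPN clients are cut off
        # (the article's scenario: an API call to the cloud managing the VPN).
        action = "reauthenticate" if session.access == "wifi" else "disconnect_vpn"
        session.events.append((action, session.access, dict(changes)))
        return action
    session.events.append(("still_compliant", session.access, dict(changes)))
    return "no_action"


def demo() -> dict:
    """Walk through the two scenarios from the text with constructed data."""
    healthy = Posture(True, True, True, True, True, True)
    wifi = Session("alice-laptop", "wifi", healthy)
    vpn = Session("alice-laptop", "vpn", healthy)
    return {
        "wifi_auth": authorize(wifi),
        "screen_lock_off": on_posture_change(wifi, screen_lock_on=False),
        "gps_off": on_posture_change(wifi, gps_enabled=False),
        "vpn_auth": authorize(vpn),
        "malware": on_posture_change(vpn, edr_alert=True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Turning off the screen lock only drops the score to 95, so the Wi-Fi session stays up; turning off GPS drops it to 80 and forces re-authentication; an EDR detection on the VPN session zeroes the score and the session is disconnected. The score and weights are one possible design: the point is that the decision consumes signals from the endpoint and is re-made on every change, not only at connect time.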

In Summary

  1. Eliminate shared passkeys and PKI with proven certificate-based authentication using TLS 1.3, which creates a personal CA on each of the user's devices and stores the private key in an insulated environment on the device itself (each device has its own private key). Native cloud-based rather than on-prem "boxes".
  2. Most traditional legacy MFA is phishable. Implement un-phishable MFA on Wi-Fi using cert-based mechanisms and biometrics, all the while ensuring user friction is minimal. No one wants to see a code appear on a secondary device and go grab it and enter it every time there is an authentication transaction.
  3. Do authorization based on the device's security posture. Collect risk signals straight from the device rather than sniffing the wire.
  4. Continuously evaluate the device's security posture and trigger a re-authorization if a change is detected that does not match corporate policy.
  5. Continuous authentication helps with securing the network irrespective of whether the device is connecting on corporate wired, accessing network resources over VPN, or on any wireless network.

That's all I have to say.


Patrick McBride

Technology Executive | Always Curious | Pretty Good Guy

2 years

Ashish Bhatia does an awesome job laying out the issues and solutions for modern (secure and simple) WiFi Auth. Definitely worth a read!
