In this blog post, I’m going to go over some Wireless basics.
- Most Secure Setting for SSID: The most secure setting currently available for home Wi-Fi networks is WPA3 (Wi-Fi Protected Access 3), which is the latest generation of Wi-Fi security. If your router doesn’t support WPA3, the next best is WPA2. Avoid using WEP, which is quite outdated and significantly less secure. Also, it’s advisable to hide your SSID to make your network less visible to potential attackers, though this is not foolproof security measure. Strong, unique passwords also contribute significantly to network security.
- Recommended Number of SSIDs: The number of SSIDs you should have largely depends on your network needs. In a home network, one or two SSIDs (one for a primary network and one for guests) is typically sufficient. In a larger, corporate environment, you might need more SSIDs to separate network traffic for different departments, user groups, or device types. However, each SSID broadcasts its own beacon frames, which can create interference. More than 3-4 SSIDs on a single access point can start to impact performance due to the airtime consumed by the beacons. So, limit the number to only as many as you need, and no more.
- Good Wireless Strength: Signal strength is commonly measured in dBm (decibels relative to a milliwatt), with values typically ranging from -30 dBm to -100 dBm. A signal strength of -30 dBm corresponds to “excellent” signal strength, -67 dBm is considered a “good” signal for general usage and streaming, and -70 dBm is considered “fair” but can still support most online activities. Anything below -80 dBm is generally considered poor and may result in slow speeds and unreliable connections.
- Best Practices in Designing and Configuring: Here are a few guidelines:
- Location and Coverage: Access points should be centrally located and high up for the best range and least interference. In larger spaces, multiple access points may be needed.
- Channel Selection: Wi-Fi channels can overlap and cause interference. In 2.4 GHz, only channels 1, 6, and 11 are non-overlapping. In 5 GHz, there is more space, so interference is less of an issue. Some modern routers offer automatic channel selection, which can be useful.
- Frequency Bands: If possible, use the 5 GHz band for devices that support it. It’s faster and less congested than 2.4 GHz, though it has a shorter range.
- SSID Segmentation: As mentioned above, segregate your network with multiple SSIDs if necessary, but avoid unnecessary proliferation to reduce interference.
- Security Updates: Ensure your router firmware is always up to date to benefit from the latest security patches and performance improvements.
- Guest Network: Consider setting up a guest network for visitors. This prevents them from accessing your primary network where your personal devices are connected.
- Network Name and Password: Don’t use personally identifiable information in your SSID, and always set a strong, unique password.
Please note that network design and configuration can be a complex topic, and the best choices often depend on the specific situation and requirements.
ENTERPRISE EXAMPLE (Cisco)
Setting up an enterprise network with multiple remote branch sites and two data centers can be a complex process and involves many different components, including wireless controllers, access points (APs), routers, switches, and security appliances. For the wireless portion of this network, Cisco’s equipment provides a number of advanced features that can be very helpful.
Here are some best practices and recommendations when using Cisco’s wireless controllers and APs:
- Centralize Your Wireless Controllers:
In a larger, multi-site enterprise network, you would typically deploy wireless controllers in your main data centers, and then deploy lightweight APs (LWAPs) at each of your remote branch sites. The LWAPs connect back to the wireless controllers over the WAN, allowing you to centralize the configuration and management of your wireless network. For example, you might deploy two Cisco 9800 Wireless Controllers in your primary data center for redundancy and load balancing, and then deploy Cisco 9100 Series APs at your remote sites.
- Implement Controller High Availability:
Since you have two data centers, you should implement controller high availability for failover protection. You can set up a primary wireless controller in your main data center, and a secondary (backup) controller in your secondary data center. If the primary controller fails, the APs can fail over to the secondary controller. Cisco’s wireless controllers support stateful switchover (SSO), which allows APs and clients to switch over to the backup controller without disruption.
- FlexConnect Mode for APs:
Cisco’s FlexConnect mode allows APs to switch client data traffic locally at the remote sites, rather than sending all traffic back to the controller. This can reduce WAN traffic and improve performance. FlexConnect APs can also continue to function if the WAN link goes down, providing more reliable wireless coverage.
- Use CAPWAP or DTLS for AP to Controller Connections:
When LWAPs connect back to the wireless controllers over the WAN, they use a protocol called CAPWAP (Control And Provisioning of Wireless Access Points) to encapsulate their traffic. CAPWAP can optionally be secured with DTLS (Datagram Transport Layer Security) to encrypt the traffic and protect against eavesdropping.
- RF Management:
Cisco’s wireless controllers support advanced RF management features to optimize wireless coverage and performance. For example, Radio Resource Management (RRM) can dynamically adjust AP power levels and channel assignments to minimize interference and coverage holes. CleanAir technology can detect and mitigate RF interference from non-Wi-Fi devices.
- Quality of Service (QoS):
Implement QoS to prioritize critical traffic. For example, voice and video traffic should be given higher priority to ensure smooth performance. Cisco’s wireless controllers support the Wi-Fi Multimedia (WMM) standard for wireless QoS.
- Security:
Implement strong security measures, such as WPA3 for wireless encryption, and 802.1X for network access control. Cisco’s wireless controllers also support additional security features such as rogue AP detection, and Wireless Intrusion Prevention System (WIPS).
- Monitoring and Troubleshooting:
Use Cisco’s network management tools, such as Cisco Prime Infrastructure and DNA Center, to monitor your network and troubleshoot problems. These tools can provide detailed visibility into your wireless network and help you identify and resolve issues quickly.
Remember, these are general recommendations and the specifics can vary greatly depending on the size and nature of your enterprise, the network topology, the specific models of equipment you are using, and your business requirements. Always engage with network design professionals when planning and implementing such a setup.
SSID ENCRYPTION
Encryption in a wireless network happens on the SSID level. When you configure your SSID, one of the options you will set is the type of encryption used for that SSID. Here are the options that are commonly available on most routers and access points:
- None: This option provides no encryption. Your wireless network will be open, meaning that anyone can connect to it without needing a password. This is not recommended for anything but the most temporary and specific use cases due to its complete lack of security.
- WEP (Wired Equivalent Privacy): This is an old and insecure type of encryption. It can be easily broken with readily available tools. As such, it should not be used.
- WPA (Wi-Fi Protected Access): WPA was introduced as a replacement for WEP, and is significantly more secure. However, it has since been superseded by WPA2 and WPA3, and is not recommended unless you have older devices that don’t support the newer standards.
- WPA2 (Wi-Fi Protected Access II): WPA2 is currently the most widely supported encryption standard, and offers good security. It uses either TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) for encryption, with AES being the more secure option.
- WPA3 (Wi-Fi Protected Access III): This is the latest and most secure form of Wi-Fi encryption. However, it is not yet supported by all devices, so you may need to maintain a WPA2 network for backwards compatibility.
When you set up your SSID, you should select WPA3 if it’s available and all your devices support it. If not, use WPA2 with AES encryption. This will ensure the highest level of security for your wireless network.
It’s also recommended to use a strong, unique password for your SSID to prevent unauthorized access. The longer and more complex the password, the more secure your network will be. Avoid using easily guessable passwords or personal information.
For enterprise environments, the use of WPA2/WPA3-Enterprise is recommended. This version uses a RADIUS server to authenticate each user individually. It provides an even higher level of security, but requires additional setup and infrastructure.
Note: Regardless of the encryption used, make sure the firmware of your routers and other network devices is regularly updated. Manufacturers often release updates to patch vulnerabilities and improve security.
RADIUS WITH WINDOWS
When setting up a RADIUS server to work with Windows Active Directory (AD), you typically use the Network Policy Server (NPS) role in Windows Server, which provides the RADIUS functionality.
Here are some best practices for setting up and securing NPS with AD:
- Use PEAP-MS-CHAP v2 or EAP-TLS:
These are two common authentication methods used with NPS and AD.
- PEAP-MS-CHAP v2: PEAP (Protected EAP) encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. The advantage of PEAP-MS-CHAP v2 is that you don’t need to install a client-side certificate for each user/device, but it is less secure compared to EAP-TLS.
- EAP-TLS: This method is more secure than PEAP-MS-CHAP v2 because it uses certificates for both the client and the server, which makes it much harder for an attacker to impersonate a valid user or the RADIUS server. However, it does require you to set up a Public Key Infrastructure (PKI) to manage these certificates.
- Set Up a Secure NPS Server:
- Update and Patch Regularly: Keep your NPS server up to date with patches and updates from Microsoft. This ensures that you have the latest security fixes and improvements.
- Isolate the Server: The NPS server should be in a secure network location, such as behind a firewall, to protect it from external threats.
- Use Strong Encryption: When configuring your NPS policies, select the strongest encryption methods available (typically, this is WPA2/WPA3).
- Secure your RADIUS Traffic:
RADIUS traffic between your APs and the NPS server should be secured. This is especially important if the APs and the NPS server are not on the same local network. The standard method to secure RADIUS traffic is by using IPsec.
- Regular Auditing:
NPS allows you to log successful and failed authentication attempts. Regularly auditing these logs can help you detect and respond to security incidents.
- Limit NPS Server Access:
Only allow RADIUS traffic from trusted network devices (your APs, for example). This can be done through IP filtering and firewall rules.
Remember, the specifics of setting up NPS and AD integration can vary depending on your network environment and security needs, and it’s recommended to consult with a network security professional when implementing such a setup.
CERTIFICATES
RADIUS integration with Windows Active Directory typically involves the use of certificates, especially when using the EAP-TLS or PEAP-MS-CHAP v2 authentication methods, and it also typically involves the use of 802.1X.
Here’s how they each work:
- Certificates: These are used for server and sometimes client authentication. They prove the identity of each party to each other, preventing impersonation attacks.
- EAP-TLS (Extensible Authentication Protocol-Transport Layer Security): This is the most secure method and uses certificates on both the RADIUS server and the client devices. This can be more complex to set up because it requires a Public Key Infrastructure (PKI) to issue and manage certificates for all client devices.
- PEAP-MS-CHAP v2 (Protected EAP with Microsoft Challenge Handshake Authentication Protocol version 2): This method only requires a certificate on the RADIUS server. The client devices use a username and password for authentication, which is easier to set up but less secure than EAP-TLS.
- 802.1X: This is a network access control protocol. It works by placing a “port” into an unauthorized state until the client device has successfully authenticated. With a wireless network, 802.1X works in conjunction with EAP methods (like EAP-TLS or PEAP-MS-CHAP v2) to provide network access control at the individual device level.
In a Windows environment, the RADIUS server functionality is usually provided by the Network Policy Server (NPS) role in Windows Server. The NPS server is integrated with Active Directory to authenticate user credentials, and it uses certificates and 802.1X to provide secure, controlled network access.