Extreme Networks Office of the CTO - Guest Blog from: Jennifer (JJ) Minella of Viszen Security
I recently had the pleasure of catching up with David Coleman and talking about my upcoming book, "Wireless Security Architecture". Off camera, we had an exchange about the future of wireless security and David's question got me thinking: What will the wireless security landscape look like in five years?
In writing the book, several themes emerged that will certainly influence the direction of not only wireless, but all network security in the coming years. These are the three trends I think will shape wireless security from 2022-2027.
The world of wireless follows the cycle of divergence-convergence-divergence, and 2022 starts the next cycle of diverging technologies. Or, more specifically, diverging spectrums.
Fifteen years ago, if you visited a hospital, you'd find a mélange of wireless technologies spread across spectrums ranging from sub-1 GHz to the now ubiquitous 2.4 GHz Wi-Fi and beyond. In large environments, there would even be a dedicated keeper of the spectrum to ensure various monitoring systems didn't trample on one another. Healthcare, of course, was just one example of this diverged radio frequency (RF) model. It was common in manufacturing and warehousing, among other industries.
Over time, the industry converged towards Wi-Fi, first in 2.4 GHz, later adding 5 GHz, and now 6 GHz. Not only is the spectrum becoming diverged in Wi-Fi, but perhaps a more notable trend is the growth of non-Wi-Fi wireless technologies.
Thanks to consumerization and digital transformation projects, the Internet of Things (IoT) is now moving into enterprise environments. Connectivity models to support these devices and use cases vary from the goals of Wi-Fi, making it practical for organizations to consider new technologies and their accompanying spectrums, some (but not all) of which live in the familiar 2.4 GHz range. Low-power wide-area networks (LPWANs) and low-rate wireless personal area networks (LR-WPANs) are two models prevalent in supporting IoT connectivity.
On the heels of the IoT explosion came private cellular, including cellular LAN models in which cellular layer 1 and 2 technologies are used in a LAN connectivity model, similar to Wi-Fi.
The unprecedented growth of IoT devices and the emergence of private cellular bring new spectrums to manage, and new protocols and technologies to monitor and secure, which brings us to the second trend.
Twelve years ago, the wireless intrusion prevention system (WIPS) business was booming. Wi-Fi was still in its relative infancy, and many compliance regulations mandated specific monitoring of the air -- either to secure what was in use or to ensure Wi-Fi wasn't present in prohibited areas.
Fast forward to today, and standalone WIPS solutions are virtually non-existent. Overlay systems were expensive to deploy and brought little benefit once the industry moved away from over-the-air mitigation. As Wi-Fi was more readily adopted, the regulations changed, and requirements for expensive WIPS faded away.
It’s an unpopular opinion, but I predict a resurgence in WIPS in the coming years. Requirements to monitor and secure a broader spectrum, combined with more sophisticated attacks, will rekindle our need for beefy monitoring. Whether the reborn WIPS will be integrated into the Wi-Fi products or re-emerge as standalone solutions remains to be seen.
WPA3 brings new security and recommendations, many of which specify monitoring for downgrade attacks (e.g., forcing a WPA3 endpoint with PMF to WPA2). There is also a need to monitor for active brute force attacks against WPA3-Personal networks secured with Simultaneous Authentication of Equals (SAE). SAE brings huge improvements to security over its Pre-Shared Key (PSK) predecessor, but it's not impervious to attack.
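As an added illustration (not from the original post or from any product), the sketch below shows the two monitoring checks described above run over constructed events. The event tuple layout, the `client_id` values and the thresholds are assumptions; failed SAE exchanges are counted per SSID rather than per MAC address because randomized MACs make per-device counts unreliable.

```python
from collections import defaultdict, deque

# Constructed sample events in a hypothetical sensor format (not a vendor log):
# (epoch_seconds, client_id, ssid, akm, pmf_negotiated, auth_ok)
EVENTS = [
    (100, "laptop-7", "corp-psk", "SAE", True, True),
    (160, "laptop-7", "corp-psk", "WPA2-PSK", False, True),  # WPA3 client on WPA2
    (200, "cam-2", "corp-psk", "WPA2-PSK", False, True),     # legacy-only client
    (900, "rand-9", "corp-psk", "SAE", False, False),        # isolated failure
] + [
    # Burst of failed SAE exchanges, each from a different (randomized) identity.
    (300 + 5 * i, f"rand-{i}", "corp-psk", "SAE", False, False) for i in range(5)
]


def detect(events, fail_threshold=5, window=60):
    """Return alerts for WPA3-to-WPA2 downgrades and bursts of SAE failures."""
    alerts = []
    seen_sae = set()            # (client, ssid) pairs that completed SAE with PMF
    fails = defaultdict(deque)  # ssid -> timestamps of recent failed SAE exchanges
    for ts, client, ssid, akm, pmf, ok in sorted(events):
        key = (client, ssid)
        if akm == "SAE" and ok and pmf:
            seen_sae.add(key)
        elif akm == "WPA2-PSK" and ok and key in seen_sae:
            # A client known to support WPA3 with PMF is now using WPA2.
            alerts.append(("downgrade", ts, client, ssid))
        if akm == "SAE" and not ok:
            recent = fails[ssid]
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()  # drop failures older than the window
            if len(recent) >= fail_threshold:
                alerts.append(("sae-bruteforce", ts, "*", ssid))
                recent.clear()    # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The legacy client `cam-2` is not flagged, since WPA2 associations are expected on a transition-mode network; only a client previously seen using SAE with PMF raises the downgrade alert.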
Going one step further, I believe WIPS solutions will play a more active role in detecting and preventing malware, including (and especially) ransomware, by identifying anomalous lateral movement and connections.
The new breed of WIPS will then address new spectrums, new protocols, and new attacks. This allows us to continue down the path of diverged wireless securely, which also means some changes will come in workflows and architecture. Hence, the third trend.
If my book demonstrates nothing else, it conveys to the reader the complexity of securing network architectures, especially wireless. As the world works towards zero trust models and tackles growing security compliance mandates, the silos of technology and operational teams in organizations will need to be broken.
Security requires a holistic approach, which means collaboration and communication will be king. Networking teams will work hand-in-hand with information security teams. IT teams will convene with operational technology (OT) teams. Wired architects will work closely with wireless architects. Endpoint teams, server teams, help desk specialists, application and data owners, and non-technical business program managers will all have a role to play in the collaboration.
Each organization's approach may vary across interdisciplinary projects and teams. Some will create overlay teams; others cross-functional task forces. Many may engage third parties or non-technical project and program managers.
Regardless of the approach, executed appropriately, the outcome will drive organizations towards further and faster innovation while increasing the security and resilience of the networked infrastructures.
These are the three main themes that will shape our landscape in the coming years, but they’re not the only trends to pay attention to. Security compliance regulations and new controls frameworks will impact tactical operations of wireless security, influencing everything from how we segment to how we handle privileged access.
As MAC randomization expands and morphs, it will continue driving changes that impact workflows and tools in IT and security teams. With the IEEE issuing statements directing us all to not rely on MAC addresses for anything beyond layer 2 connectivity, the industry will have to find new ways to manage device identification.
For at least the next 24 months, there will likely be a certain amount of chaos as organizations begin to migrate from WPA2 to WPA3, and also incorporate 6 GHz into their Wi-Fi strategy. Migration strategies for WPA3, especially for existing WPA2-Personal networks, are not straightforward, and wireless professionals will have their hands full trying to convince their leadership that the pain of a proper migration is worth the security ROI.
2022 and the coming years will prove to be a fun and fantastic time for technologists architecting and securing wireless networks. There’s a lot to learn with novel technologies and use cases.
Jennifer (JJ) Minella of Viszen Security is a longtime IT security consultant, author, and public speaker. Her new book from Wiley Publishing, “Wireless Security Architecture,” is available now for preorder.