
What is the future of WiFi (from a network security standpoint)

pwarner

Our corporate Wi-Fi is shifting towards an open guest network. The idea blew the security team's mind, then COVID came and sure enough, most people worked from home or Starbucks or hotels etc., so all of a sudden we had to assume the Wi-Fi network was insecure.... VPN to get to secured resources, and direct fast access to SaaS services.

simonm21

Since Covid we have moved to a Zero Trust approach regarding everything concerning the network. We have more and more access control on the LAN to prevent just anyone from connecting, and now it's time for the Wi-Fi to change its implementation. Currently, most companies have implemented an "Open SSID" to provide access to visitors, BYOD or partners, because no other solution existed. Based on the Open SSID, we can configure multiple layers of security to avoid having this network impact the corporate network. But now, some mechanisms exist, such as OWE, to secure the association of a device to the network. You may say that I need to have an OWE device to connect to an OWE network, and you're right: not all devices support this security mechanism. Based on a vendor solution, you can implement an "Open SSID" with a redirection mechanism allowing OWE devices to connect to the SSID with OWE, while other devices that don't understand OWE will still connect to the Open SSID. So you keep one SSID with both functionalities, and this is huge.

Simranjeet2709

When it comes to securing access through open SSIDs, the best way is to have a captive portal in place. It's the perfect way to build a zero trust network, wherein you don't trust anyone who connects to the SSID, and everyone is forced to authenticate through the captive portal.

Put captive portal in place and force the users to validate through their phone numbers, social media accounts or emails. You can even integrate your existing IdP to the captive portal and even ask your employees to connect through the captive portal.

Gigachad

The whole security mindset everywhere has shifted towards not trusting the network. Everything encrypted in between your laptop and the end server.

dylan604

Anyone that ever had a policy of trusted devices on the network was just living in a fantasy land. The only reason the network ever had trusted devices was when it was in its infancy and there was nobody using it so the only devices on the net were the devices the admins put there. As soon as the first device that was not controlled by the admins was allowed to connect, the network should have been immediately untrusted.

I've now taken my hindsight glasses off and recognize that it's hard to imagine that assholes and criminals would so easily ruin it for the rest of us. 50+ years later, and ~30 years of the interwebs later, it's now a "but of course they would". The sad thing is that there should no longer be a blank sheet of paper for a startup, but every "new" sheet should already have defensive strategies on it. It's just not sexy, and hard to get to MVP, so it's easy to drop/ignore/delay. I'm guilty too, but maybe I'm worse because I'm well aware that I'm doing it????

avidiax

IPSec has been used for some time to provide a secure network where only trusted devices can communicate to each other or the infrastructure.

You can still argue about the endpoint security, but at least the network participants and their messages can be secured, even if an endpoint is compromised.

Hilift

A lot of orgs had VPN with forced tunneling before the pandemic. They caved on that in the first few days due to the increased usage and instant split tunneling with no planning. We also caught multiple people who connected unauthorized network connections and created unauthorized bridges/routes. These people exist and you don't know it until they start connecting stuff.

generalizations

Calling "split tunneling" a bad thing is such a cargo cult. Even the good security the GP is describing is a split tunnel: "VPN to get to secured resources, and direct fast access to SaaS services".

noodlesUK

I’m concerned that this article is AI SEO slop. It doesn’t say much about its central thesis, but just “delves” into the background of wifi for several hundred words.

OWE, which it mentions at the end, is genuinely useful, reducing the drawbacks open networks had in the past.

simonm21

To design the future, we need to know where we come from and how it has evolved. I've been in this industry for 8 years. I began with the Wi-Fi 4 standard and we are now at Wi-Fi 7. 8 years ago, the Wi-Fi network was just a nice-to-have for your business. Now, it's the main communication medium and, for most industries, it's a critical or vital infrastructure. The design of the Wi-Fi infrastructure is changing all the time based on the evolution of Wi-Fi standards: "Should we implement 6 GHz for our corporate environment? But did I think about the compatibility of all my corporate devices? How much does it cost to replace them all? How much time will it take to replace my devices?" These questions should be taken into account when we think about the future of Wi-Fi. We need to understand the benefits of each evolution and the approach we can take depending on our industry.

mmooss

It's been awhile since I had to think about Wifi on a serious level.

Last I knew: Due to the nature of the medium (radio waves), wifi was a 'circuit-switched' network - any two devices communicating monopolized the entire network. That is, unlike a switched wired network, only two devices can communicate at once (usually an endpoint and a base station).

More devices using the network, which of course was usually necessary, required some sort of time-division multiplexing - the network needed to slice up circuit access by time. The only other solutions were multiple networks, which were created with multiple radios on different frequencies, and [edit: beam forming], which created different networks to different physical locations - if that actually worked in practice.

Has anything changed? Are there new solutions to the circuit-switching limitation? Has someone managed to turn wireless into a packet-switched network?

kbolino

WiFi is a shared medium, but shared medium and circuit-switched are not the same thing. WiFi uses packets and conforming devices do not block other devices for any longer than the time to send a packet.

evil-olive

starting with 802.11ax ("Wifi 6") [0] they've started doing frequency-division [1], in addition to time-division.

as I understand it, a channel can be effectively divided into K separate sub-channels, and then in a crowded space with N active users, your time-division only needs to contend with N/K other users.

this dovetails well with Wifi 6E expanding to the 6ghz range, and Wifi 7 (among other things) expanding channel bandwidth to as large as 320mhz. (compare this to classic 2.4ghz having only 3 non-overlapping channels of 20mhz width each)

0: https://en.wikipedia.org/wiki/Wi-Fi_6

1: https://en.wikipedia.org/wiki/Orthogonal_frequency-division_...

mmooss

Thanks.

> starting with 802.11ax ("Wifi 6") [0] they've started doing frequency-division

How does that differ from multiple radios running multiple connections? Is it that there are many more frequencies, closer together, dynamically allocated?

varenc

That's a bit of an oversimplification. Access Points coordinate communication to ensure clients take turns, and Wi-Fi avoids collisions by having clients listen for an idle channel before transmitting and exponentially backing off if it's busy (CSMA/CA). So even when clients share the same frequency, it's not 'circuit-switched', since transmissions are managed dynamically. Clients wait for the AP to respond before sending additional data. And there are QoS features to ensure things like live voice take priority over a bulk download.

Wi-Fi 6 adds OFDMA, which splits channels into sub-channels so multiple clients can transmit simultaneously, and MU-MIMO allows simultaneous streams to different clients. Beamforming helps too with directional signals.

tl;dr: it is a shared medium, but with lots of tech on top of it that mitigates many of the issues!
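To make the two mechanisms in this sub-thread concrete (evil-olive's point that with K sub-channels each station contends with roughly N/K others, and the CSMA/CA exponential backoff described just above), here is a small slotted simulation. It is an added example, not code from the original thread or from any Wi-Fi vendor, and it is a deliberately simplified model: the contention-window values 15 and 1023 are assumed, stations are assigned to sub-channels round-robin as a stand-in for the AP's OFDMA resource-unit scheduling, every station is assumed to always have a frame waiting, and backoff counters tick every slot rather than freezing during another station's transmission as real DCF does.

```python
import random
from dataclasses import dataclass


CW_MIN = 15    # assumed initial contention window (slots)
CW_MAX = 1023  # assumed cap reached after repeated collisions


@dataclass
class Station:
    subchannel: int
    cw: int = CW_MIN
    backoff: int = 0

    def reset_backoff(self, rng):
        # CSMA/CA: pick a random wait in [0, cw] before the next attempt
        self.backoff = rng.randint(0, self.cw)


@dataclass
class Result:
    slots: int
    successes: int = 0
    collisions: int = 0
    idle: int = 0


def simulate(n_stations, k_subchannels, slots, seed=0):
    """Slotted model of N saturated stations sharing K OFDMA sub-channels.

    Each slot, on each sub-channel, the stations whose backoff reached zero
    transmit. Exactly one transmitter is a success (its window resets to
    CW_MIN); two or more is a collision (each doubles its window, capped at
    CW_MAX); none is an idle slot.
    """
    rng = random.Random(seed)
    stations = [Station(subchannel=i % k_subchannels) for i in range(n_stations)]
    for s in stations:
        s.reset_backoff(rng)
    res = Result(slots=slots)
    for _ in range(slots):
        for ch in range(k_subchannels):
            on_channel = [s for s in stations if s.subchannel == ch]
            ready = [s for s in on_channel if s.backoff == 0]
            waiting = [s for s in on_channel if s.backoff > 0]
            if len(ready) == 1:
                res.successes += 1
                ready[0].cw = CW_MIN
                ready[0].reset_backoff(rng)
            elif ready:
                res.collisions += 1
                for s in ready:
                    s.cw = min(2 * s.cw + 1, CW_MAX)  # exponential backoff
                    s.reset_backoff(rng)
            else:
                res.idle += 1
            for s in waiting:
                s.backoff -= 1
    return res


def collision_rate(res):
    """Fraction of transmission attempts that collided."""
    attempts = res.successes + res.collisions
    return res.collisions / attempts if attempts else 0.0


if __name__ == "__main__":
    # Same 40 stations on one channel vs. spread over four sub-channels
    for k in (1, 4):
        r = simulate(40, k, 3000, seed=1)
        print(f"K={k}: successes={r.successes} collisions={r.collisions} "
              f"collision_rate={collision_rate(r):.2f}")
```

The run shows the N/K effect directly: spreading the same stations over more sub-channels lowers the share of attempts that collide, and the surviving collisions are what the exponential backoff is there to absorb. The model says nothing about the relative width or data rate of sub-channels, so it should be read as an illustration of contention, not of throughput.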

mmooss

Thanks ... but one thing I don't understand:

> MU-MIMO allows simultaneous streams to different clients

That's great, but the question is the same: how? How does it solve what I called the circuit-switching problem (i.e., each transmission utilizing the channel 100%)?

aeonik

You can multiplex by frequency as well.

Also, modern wireless systems can even multiplex by location, using phased arrays, it will beam a spotlight of radio to your direction, and can noisy data from receiving phase information as well.

mmooss

How are those different than the multiple radios and beam forming (oops, I see I wrote something else) that I mentioned? I'm not being snarky; I'm trying to learn what I'm missing. Thanks.

aeonik

I think you could approximate the phased array and frequency multiplexing with a bunch of dish antennas connected to separate radios, but the dishes would need to be connected to motors to follow moving targets. It would also require a lot more physical space.

The neat thing about phased arrays is that they are solid state, aka no moving parts, so they have a much faster response.

Here is a really good presentation on how they work and how to build one.

https://youtu.be/ytBmoL2wZLw?si=f7aTFNfeUbvbbqVe

Joel_Mckay

Kerberos and VPN like any other public network, and quantum-resistant ciphers.

Also, some beam-steering tricks that likely won't be available in the US for another 5 years... =3

dostick

Could also be said in half the words: "The Future of Wi-Fi security".

transpute

Per-device Wi-Fi passwords can be used on networks that don't have 802.1X.
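An added example of what per-device passwords buy you on a WPA2-Personal network without 802.1X (this is illustration code, not from the thread or any vendor's private/multi-PSK product). The `wpa2_pmk` function is the real IEEE 802.11i passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output), so every device holding a different passphrase ends up with a different pairwise master key. The `device_passphrase` scheme (HMAC of the device identifier under an admin-held master secret) and the `PerDevicePskNetwork` class are assumptions constructed for the example; in particular, `identify` models the AP matching a client against its registered keys by comparing PMKs directly, whereas a real AP does that by checking the 4-way handshake MIC against each candidate.

```python
import hashlib
import hmac
import secrets


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping (this part is the real standard)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def device_passphrase(master_secret: bytes, device_id: str) -> str:
    """Constructed scheme: a per-device passphrase derived from a master secret.

    24 hex characters satisfies the 8..63 printable-ASCII passphrase rule.
    """
    return hmac.new(master_secret, device_id.encode(), hashlib.sha256).hexdigest()[:24]


class PerDevicePskNetwork:
    """Model of an AP that holds one PMK per enrolled device (assumed design)."""

    def __init__(self, ssid: str, master_secret: bytes = None):
        self.ssid = ssid
        self.master_secret = master_secret or secrets.token_bytes(32)
        self.registered = {}  # device_id -> PMK

    def enroll(self, device_id: str) -> str:
        """Register a device and return the passphrase to hand to it out of band."""
        passphrase = device_passphrase(self.master_secret, device_id)
        self.registered[device_id] = wpa2_pmk(passphrase, self.ssid)
        return passphrase

    def revoke(self, device_id: str) -> None:
        # Dropping one device's key leaves every other device's credential valid,
        # which is the point: no fleet-wide rekey when one device is lost.
        self.registered.pop(device_id, None)

    def identify(self, candidate_pmk: bytes):
        """Return the device id whose registered PMK matches, else None."""
        for device_id, pmk in self.registered.items():
            if hmac.compare_digest(pmk, candidate_pmk):
                return device_id
        return None


if __name__ == "__main__":
    # Constructed sample: a fixed master secret so the run is reproducible
    net = PerDevicePskNetwork("corp-iot", master_secret=b"\x01" * 32)
    p_printer = net.enroll("printer-01")
    p_badge = net.enroll("badge-reader-07")
    print("printer passphrase:", p_printer)
    print("joins as:", net.identify(wpa2_pmk(p_printer, "corp-iot")))
    net.revoke("printer-01")
    print("after revoke:", net.identify(wpa2_pmk(p_printer, "corp-iot")))
    print("badge reader still:", net.identify(wpa2_pmk(p_badge, "corp-iot")))
```

The practical consequences follow from the key derivation: a passphrase recovered from one device does not decrypt another device's traffic, and revoking one device is a one-entry change rather than a new shared password pushed to every client. Note that the per-device credential still does not authenticate the AP to the client beyond what WPA2-Personal already does, which is one of the things 802.1X adds.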

Eingrand1978

Thanks Simon for joining the conversation and bringing in some context and ultimately confirming you are not an AI ;-)
