Wireless Security and Enterprise Network Design
Key Takeaways
- Enterprise wireless security should use strong authentication, modern encryption, secure management, segmentation, and monitoring.
- WPA3 improves wireless security; WPA2-Enterprise with 802.1X is still a common enterprise pattern where supported.
- Guest wireless should be isolated from internal networks and normally limited to internet access.
- Wireless design includes coverage, capacity, roaming, channel planning, and rogue access point detection.
- Enterprise network design combines wireless controls with segmentation, NAC, logging, redundancy, and secure device administration.
Wireless networks extend the enterprise boundary into the air. A secure design must protect authentication, encryption, segmentation, management, and monitoring.
Wireless Security Options
| Option | Use case | Security note |
|---|---|---|
| WPA3-Enterprise | Enterprise authentication with modern protection | Strong option where clients support it |
| WPA2-Enterprise | 802.1X enterprise authentication | Common in business environments |
| WPA2/WPA3-Personal | Shared passphrase | Better for small or simple networks, weaker accountability |
| Captive portal | Guest onboarding or terms acceptance | Not a replacement for encryption or internal segmentation |
| Open network | Public convenience | Assume traffic can be observed unless protected by higher-layer encryption |
Enterprise networks should avoid shared passwords for employee access when possible. 802.1X with unique user or device authentication improves accountability and allows role-based access.
Wireless Controls
| Risk | Control |
|---|---|
| Shared password reuse | WPA2/WPA3-Enterprise with 802.1X |
| Rogue access point | Wireless IDS/WIPS, controller detection, switch port controls |
| Guest access to internal systems | Guest SSID mapped to isolated VLAN |
| Weak management access | Admin MFA, management VLAN, secure protocols |
| Poor coverage causing unsafe workarounds | Site survey, proper AP placement, capacity planning |
| Evil twin attack | User training, certificate validation, trusted SSID configuration |
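The rogue-AP and evil-twin rows above describe detection by the wireless controller or WIPS; as an added example (not code from the original page), here is the core of that logic in Python: an AP is trusted only if its BSSID is in the controller inventory, an unknown BSSID advertising one of our SSIDs is an evil twin, and an unknown BSSID that also shows up in an access switch's MAC table is a rogue bridging into the LAN. All MACs, SSIDs and port names are constructed sample values.

```python
# Added example, not from the original page: classify access points seen in a scan
# against the controller inventory and an access-switch MAC table.
# All BSSIDs, SSIDs and port names below are constructed sample values.
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01": "AP-Floor1-01", "00:11:22:aa:bb:02": "AP-Floor1-02"}
OUR_SSIDS = {"Corp", "Corp-IoT", "Guest"}

# Constructed scan results: (bssid, ssid, rssi_dbm)
SCAN = [
    ("00:11:22:aa:bb:01", "Corp", -48),
    ("00:11:22:aa:bb:02", "Guest", -60),
    ("de:ad:be:ef:00:01", "Corp", -41),        # unknown BSSID advertising our SSID
    ("66:77:88:99:aa:bb", "CoffeeShop", -80),  # unknown AP, also seen on a switch port
    ("aa:bb:cc:dd:ee:ff", "HomeNet", -85),     # neighbour network, air only
]
# Constructed access-switch MAC table: (port, mac). Assumption for this example:
# the AP's wired MAC equals its BSSID; a real WIPS also matches on OUI/adjacent MACs.
MAC_TABLE = [
    ("Gi1/0/7", "00:11:22:aa:bb:01"),   # inventoried AP uplink
    ("Gi1/0/23", "66:77:88:99:aa:bb"),  # unknown AP plugged into an office port
]

def classify(scan, mac_table, authorized=AUTHORIZED_BSSIDS, our_ssids=OUR_SSIDS):
    """Return {bssid: verdict} for every AP that is not in the inventory.

    rogue     : unknown BSSID that is also present on a switch port (bridges into the LAN)
    evil-twin : unknown BSSID advertising one of our SSIDs
    neighbour : unknown BSSID with neither property; record it, no action needed
    """
    wired = {mac.lower() for _, mac in mac_table}
    verdicts = {}
    for bssid, ssid, _rssi in scan:
        bssid = bssid.lower()
        if bssid in authorized:
            continue
        if bssid in wired:
            verdicts[bssid] = "rogue"       # wired evidence outranks the SSID check
        elif ssid in our_ssids:
            verdicts[bssid] = "evil-twin"
        else:
            verdicts[bssid] = "neighbour"
    return verdicts

def switch_ports_to_check(verdicts, mac_table):
    """Ports carrying a rogue AP, for the 'investigate switch ports' step."""
    return sorted(port for port, mac in mac_table if verdicts.get(mac.lower()) == "rogue")

if __name__ == "__main__":
    v = classify(SCAN, MAC_TABLE)
    for bssid, verdict in v.items():
        print(f"{bssid}  {verdict}")
    print("check ports:", switch_ports_to_check(v, MAC_TABLE))
```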
SSID and VLAN Example
| SSID | Authentication | VLAN | Access |
|---|---|---|---|
| Corp | WPA2/WPA3-Enterprise, 802.1X | Role-based employee VLAN | Internal apps by role |
| Corp-IoT | Device certificates or controlled onboarding | IoT VLAN | Required services only |
| Guest | Captive portal or sponsored access | Guest VLAN | Internet only |
| Admin | Strong auth, limited users | Management VLAN | Network management systems |
The SSID name is not the security boundary by itself. The mapped VLAN, firewall rules, identity policy, and monitoring enforce the boundary.
Enterprise Network Design Checklist
Secure enterprise network design should include:
- Redundant edge firewalls or routers where availability requires it.
- Segmentation between user, server, management, guest, and device networks.
- Centralized authentication for network access and administration.
- Secure management protocols such as SSH and HTTPS instead of Telnet or HTTP.
- SNMPv3 instead of older insecure SNMP versions where SNMP is needed.
- Centralized logging and time synchronization.
- Documented IP addressing, routing, and change control.
- Monitoring for rogue devices, unusual traffic, and failed authentications.
PBQ-Style Wireless Scenario
A company has one shared Wi-Fi password for employees, contractors, printers, and guests. Guests can reach file shares. A rogue AP was found under a desk.
Best redesign:
- Create an employee SSID using WPA2/WPA3-Enterprise with 802.1X.
- Create a guest SSID mapped to an internet-only VLAN.
- Place printers and IoT devices in a restricted device VLAN.
- Use NAC or controller policy for role-based access.
- Enable rogue AP detection and investigate switch ports.
- Restrict wireless controller administration to the management network with MFA.
Do not solve this only by changing the shared password. That may cut off current guests temporarily, but it does not create accountability or segmentation.
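The SSID and VLAN table above and this PBQ redesign both rest on the same point: the VLAN mapping and firewall policy, not the SSID name, enforce the boundary. As an added example (not from the original page), this Python check models that mapping and a default-deny policy and reports where the boundary fails, for the redesign and for the scenario's flat starting state. VLAN names, zones and rules are constructed sample values.

```python
# Added example, not from the original page: verify that the SSID-to-VLAN mapping and
# firewall policy enforce the boundaries the SSID table describes.
# VLAN names, zone names and rules are constructed sample values.
SSID_VLAN = {"Corp": "employee", "Corp-IoT": "iot", "Guest": "guest", "Admin": "mgmt"}
ZONES = {"internal-apps", "file-shares", "iot-services", "nms", "internet"}

# Constructed firewall policy as (source_vlan, destination_zone, allowed).
# Anything without an explicit allow is denied (default deny).
POLICY = [
    ("employee", "internal-apps", True),
    ("employee", "file-shares", True),
    ("employee", "internet", True),
    ("iot", "iot-services", True),
    ("guest", "internet", True),
    ("mgmt", "nms", True),
]

def reachable(vlan, zone, policy=POLICY):
    return any(s == vlan and d == zone and ok for s, d, ok in policy)

def check_design(ssid_vlan, policy=POLICY, zones=ZONES):
    """Return a list of problems; an empty list means the design holds."""
    problems = []
    guest, iot, mgmt = ssid_vlan["Guest"], ssid_vlan["Corp-IoT"], ssid_vlan["Admin"]
    # Guest: internet only. A different passphrase on a shared VLAN is not isolation.
    for ssid, vlan in ssid_vlan.items():
        if ssid != "Guest" and vlan == guest:
            problems.append(f"Guest shares VLAN '{vlan}' with {ssid}")
    for z in zones - {"internet"}:
        if reachable(guest, z, policy):
            problems.append(f"Guest can reach {z}")
    if not reachable(guest, "internet", policy):
        problems.append("Guest has no internet access")
    # IoT and printers: required services only.
    for z in zones - {"iot-services"}:
        if reachable(iot, z, policy):
            problems.append(f"IoT can reach {z}")
    # Network management systems: only the management VLAN may reach them.
    for vlan in set(ssid_vlan.values()) - {mgmt}:
        if reachable(vlan, "nms", policy):
            problems.append(f"{vlan} can reach network management")
    return problems

if __name__ == "__main__":
    print("redesign:", check_design(SSID_VLAN) or "OK")
    # The scenario's starting state: every SSID on one VLAN with one passphrase.
    flat = {ssid: "employee" for ssid in SSID_VLAN}
    print("flat network:", check_design(flat))
```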
Wireless Exam Traps
- Trap: Captive portal equals encryption. It does not. A captive portal controls onboarding or terms acceptance.
- Trap: Hiding the SSID is strong security. It is not a strong control; clients and attackers can still discover networks.
- Trap: MAC filtering is strong authentication. MAC addresses can be spoofed, so MAC filtering is weak by itself.
- Trap: Guest Wi-Fi can share the employee VLAN if the password is different. Guest isolation requires network segmentation and policy.
- Trap: Wireless security ends at the AP. It also includes controller security, switch ports, RADIUS, certificates, logs, and firewall rules.
An enterprise wants unique user authentication for employee Wi-Fi and role-based network access. Which design best fits?
Which controls improve guest wireless security? Choose two.
A rogue access point is discovered connected to an office switch port. Which control set best addresses recurrence?