Enterprise-grade Wi-Fi systems have proven to be secure for thousands of demanding customers across virtually all industries. With the recent hype around 5G and service providers promoting 5G as an alternative to Wi-Fi in the enterprise, it pays to understand how 5G security stacks up against Wi-Fi security.
Cellular security has improved with each generation. The security of first-generation analog cellular systems, based on the AMPS (Advanced Mobile Phone System) standard, was essentially non-existent. These calls were unencrypted and could be intercepted with basic scanners. The security of currently deployed LTE networks is far better. LTE uses strengthened encryption and an authentication algorithm (“AKA”) that shares a key between the client and the receiving base station. But while LTE security is solid, it isn’t perfect.
According to researchers at Purdue and the University of Iowa, LTE is vulnerable to some types of cyberattacks, including data interception and device tracking. The Associated Press last year reported the US Department of Homeland Security (DHS) has acknowledged the existence in Washington, DC of cell site simulators, called “Stingrays,” that could track cellular devices, intercept calls, and potentially even plant malware. 5G security improves upon LTE security incrementally, with identical encryption, slightly hardened authentication, and better key management. But overall, 5G security is largely comparable to LTE security.
Just as cellular security has improved, Wi-Fi security has evolved with each generation. Early Wi-Fi networks, beginning in the late 90s, used weak encryption and authentication, called “WEP”. The subsequent WPA and WPA2 standards feature improved encryption. Authentication with WPA2 can be either enterprise-grade 802.1X, or weaker PSK (pre-shared key), which hackers could potentially break by running through possible passwords until they can confirm the WPA2 handshake using a guessed password. This is called a Dictionary Attack. For this reason, most of our enterprise customers implement WPA2 with 802.1X, which is not prone to dictionary attacks. While some people claim Wi-Fi is insecure, pointing to poorly implemented networks that deactivate all password protection (e.g., a local coffee shop), this is not representative of enterprise practices. Still, the Wi-Fi industry developed WPA2 15 years ago, at a time when the wireless, computing, and security landscapes were substantially different.
Recently, the Wi-Fi Alliance standards body responded with WPA3—a significant update to Wi-Fi security. Aruba is a leader in the development of WPA3. WPA3 implementations fall into one of three categories: (1) OWE (“Enhanced Open”), which encrypts traffic to prevent snooping attacks on open networks that do not have password protection, (2) WPA3-Personal, which uses a shared-secret and a cryptographically stronger key exchange that is resistant to dictionary attacks, and (3) WPA3-Enterprise, which significantly strengthens enterprise-grade 802.1X and optionally includes the same Suite B/CSNA crypto algorithms used for Top-Secret or higher classified government networks. Unlike 5G, which is not backward-compatible and requires completely new handsets and radio networks, customers can upgrade the software on most of Aruba’s currently deployed Wi-Fi networks to include WPA3 (unless they are implementing Suite B/CNSA). We expect major handset OS vendors, such as Apple and Google, to roll out WPA3 and Enhanced Open by the end of 2019. WPA3 certification will be mandatory for all new Wi-Fi 6 equipment starting later this year.
It’s also worth noting that cellular encryption generally has lagged Wi-Fi encryption. For example, LTE encryption is based on an algorithm that uses a 64-bit key length, while WPA2-AES encryption, part of Wi-Fi since 2004, uses 128-bit encryption. 5G uses 128-bit encryption and may, in a future release of the 5G standard, upgrade to 256-bit encryption. Wi-Fi already supports 256-bit encryption through the Suite B/CNSA extensions of WPA3.
Until this point, we’ve highlighted the evolution and current state of authentication, encryption, and key management for cellular and Wi-Fi standards. These are important security design elements. But it’s also important to consider a customer’s ability to tailor its networks to suit its needs by applying specific security and compliance tools and policies. The average security buyer at a large enterprise uses more than 50 different security and compliance tools, and no two organizations have exactly the same needs. Our customers have been successfully deploying their chosen security and policy tools to enterprise Wi-Fi networks for decades. The architecture of these networks is flexible and allows customers to break out, analyze, and apply policy to traffic. Wi-Fi 6 and WPA3 completely retain this flexibility.
5G is a different story. If an enterprise wants to replace Wi-Fi with 5G, there are a few different approaches. Each has implications for security customization.
- The first approach is to extend macro 5G service into the enterprise using DAS (Distributed Antenna Systems) or small cells. With this approach, it is difficult to break out traffic and implement specific security solutions. In other words, you get what you get.
- If your company is large enough, and your service provider is willing to sell and manage an individualized Network Slice, you could buy a slice specific to your company. Network slicing enables carriers to create customized virtual network overlays under one nationwide, physical network. With slicing, they can tune each of these virtual networks to serve business cases that require specific network characteristics. Your service provider may sell a low-latency network slice, or an IoT-oriented network slice. You could then have the service provider apply specific security solutions to that slice and possibly even manage it for you, as a part of their network. But all traffic passing over such a slice would be invisible to security appliances that are wired directly into an enterprise network.
- Your enterprise could choose to deploy a private 5G network on your premises, using either spectrum licensed from a service provider, or possibly other spectrum that is unlicensed (e.g., CBRS spectrum). You can apply security to a private 5G network in a similar way you can apply it to an enterprise Wi-Fi network, but this requires investing in completely separate, parallel network infrastructure. Consequently, this approach will likely be limited to very specific enterprise use cases.
Security is not a monolithic consideration. It includes elements like authentication, encryption, and key management. For well-designed and deployed networks, we believe these elements for Wi-Fi 6 are equal to, or better than, 5G. An equally important consideration is the ability of an enterprise to apply the specific security and policy tools to their network in a flexible way, tailored to its needs. Wi-Fi enterprise networks are highly flexible, as they always have been. But depending on the deployment approach for a 5G network, it may or may not be able to accommodate the level of security and compliance customization required by enterprise customers.
Aruba Executive Perspectives on 5G and Wi-Fi 6
Jeff Lipton: Making Sense of 5G and Wi-Fi in the Enterprise