The evolution of telecommunications networks towards the 5G era and the omnipresence of WiFi networks offers us undeniable benefits: speed, unlimited connectivity and accessibility. However, this massive connectivity also comes with increased risks of cyberattacks. Therefore, protecting wireless networks and telecommunications networks has become crucial to ensure a secure and reliable experience.
Why is it Crucial to Protect Wireless Networks?
Wireless networks are the gateway to connecting devices of all kinds: from laptops and smartphones to smart appliances and vehicles. This expansion increases the attack surface and vulnerability of the network, so an unsecured connection exposes users to threats such as information theft and espionage. In the case of 5G networks, the importance is even greater, as they power critical infrastructure, smart cities, and industrial systems. The protection of these networks is the basis for avoiding cyberattacks and guaranteeing the security of our digital lives.
Security Protocols for Wireless and 5G Networks: Shielding for Connectivity
There are several security protocols that help protect wireless networks and telecommunications. These protocols determine the level of encryption and how the network protects the information transmitted, preventing intruders from accessing user data. Let’s review them all:
| Security Protocol | Description | Advantages | Security Level |
| --- | --- | --- | --- |
| WEP (Wired Equivalent Privacy) | First security protocol for WiFi; it uses RC4 encryption. Today it is in disuse due to its vulnerabilities. | Easy to deploy, compatible with older equipment | Low |
| WPA (WiFi Protected Access) | Intermediate protocol introduced to improve on WEP. Implements TKIP (Temporal Key Integrity Protocol). | Better than WEP, basic protection | Medium |
| WPA2 (WiFi Protected Access 2) | Protocol based on AES encryption, introduced to provide greater security in WiFi. | Broad compatibility and robust security | High |
| WPA3 (WiFi Protected Access 3) | Next generation of WPA, with stronger encryption and protection against dictionary attacks. | Advanced, attack-resistant security | Very High |
| 802.11i | A WiFi security standard introduced by WPA2; it specifies security enhancements for wireless networks. | Basis of WPA2 | High |
| 5G-AKA (Authentication and Key Agreement) | Authentication protocol for 5G; it protects both authentication and signal integrity. | Advanced security on 5G mobile networks | Very High |
| IPSec (Internet Protocol Security) | A security protocol used to create secure connections on IP networks, such as in VPN tunnels. | Network-level protection | High |
| SSL/TLS | Encryption protocol to secure communications on the Internet; it is commonly used in VPN networks and web traffic. | Protection for transmitted data | High |
| 802.1X | A security standard that provides access control over wired and wireless networks. | Authentication for network access | High |
WEP (Wired Equivalent Privacy)
Description: It was the first security protocol for WiFi networks. Designed in the 90s, it uses RC4 encryption (Rivest Cipher 4) to protect data. However, it has serious vulnerabilities that allow its security to be broken in minutes.
Encryption: RC4 with 40-bit or 104-bit key (known as WEP-40 or WEP-104).
Status: Obsolete due to vulnerabilities; not recommended for use.
WPA (WiFi Protected Access)
Description: Designed as a temporary solution to replace WEP. WPA uses TKIP (Temporal Key Integrity Protocol) to improve security by dynamically changing keys in each packet.
Encryption: TKIP with RC4 encryption (outperforms WEP but still vulnerable).
Status: Obsolete; the use of WPA2 or WPA3 is recommended.
WPA2 (WiFi Protected Access 2)
Description: Widely used security standard that replaced WPA. WPA2 uses AES (Advanced Encryption Standard) encryption, offering a much higher level of security.
Encryption: AES with 128-bit key, compatible with CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) for integrity and authenticity.
Status: Standard until the introduction of WPA3.
WPA3 (WiFi Protected Access 3)
Description: The latest version of WPA includes several security enhancements for WiFi networks, such as protection against dictionary attacks and stronger encryption.
Encryption: SAE (Simultaneous Authentication of Equals), also known as Dragonfly, with AES-256 encryption.
Status: Recommended for all modern WiFi networks.
802.11i
Description: A WiFi network security standard introduced by WPA2. It implements AES and CCMP to provide authenticity, integrity, and confidentiality.
Encryption: AES with CCMP.
Status: Base for WPA2.
5G-AKA (Authentication and Key Agreement)
Description: Authentication and encryption protocol specific to 5G networks; it protects both user authentication and signal integrity.
Encryption: Based on advanced symmetric encryption and authentication algorithms (MILENAGE algorithm).
Status: Security standard in 5G networks.
IPSec (Internet Protocol Security)
Description: Network layer security protocol used primarily in VPN networks to secure IP traffic.
Encryption: Algorithms such as AES and 3DES (Triple DES) in combination with AH (Authentication Header) or ESP (Encapsulating Security Payload).
Status: Wide use in VPN networks and secure network-level connections.
SSL/TLS
Description: Encryption protocols that protect communications on the internet. SSL (Secure Sockets Layer) is obsolete and has been replaced by TLS (Transport Layer Security).
Encryption: AES, RSA, ChaCha20 (depending on configuration), along with HMAC for authenticity.
Status: Standard for HTTPS connections and secure applications on the internet.
802.1X
Description: Access control protocol for wired and wireless networks that ensures only authorized users access the network.
Encryption: Uses EAP for authentication and can integrate encryption such as AES for added security.
Status: Widely used in conjunction with WPA2 and WPA3.
Authentication Protocols: Identification and Access Control
Authentication is an essential component of ensuring that only authorized users access the network. There are various authentication protocols that help protect the network from unauthorized access, ensuring that communication is established only with legitimate devices.
| Authentication Protocol | Description | Advantages | Common Applications |
| --- | --- | --- | --- |
| EAP (Extensible Authentication Protocol) | Adaptive authentication framework used in WiFi and 5G. Supports multiple authentication methods. | Flexibility and security | WiFi, 5G networks |
| PEAP (Protected Extensible Authentication Protocol) | A variant of EAP that encapsulates EAP in a TLS tunnel for added security. | Higher security than standard EAP | WiFi networks |
| EAP-TLS (EAP-Transport Layer Security) | Digital certificate-based protocol for authentication on secure networks. | Robust security, reliability | Enterprise networks |
| EAP-TTLS (EAP-Tunneled Transport Layer Security) | A variant of EAP that allows multi-method authentication in a TLS tunnel. | Security and flexibility | WiFi networks |
| LEAP (Lightweight Extensible Authentication Protocol) | Cisco’s proprietary protocol, now deprecated because of vulnerabilities in its encryption. | Support on Cisco devices | Old WiFi networks |
| Kerberos | An authentication system that uses tickets to access networked services securely. | High security in business environments | Corporate networks |
| OAuth 2.0 | Authorization protocol that allows information to be shared securely without sharing credentials. | Ideal for in-app authentication | Mobile and web apps |
| PAP (Password Authentication Protocol) | Basic authentication protocol; sends credentials in plain text. | Simplicity | Old, basic networks |
| CHAP (Challenge Handshake Authentication Protocol) | Improvement on PAP that uses challenges to authenticate and avoids sending passwords directly. | Medium security | Older networks, VPNs |
| MS-CHAP | A variant of CHAP developed by Microsoft, used in VPN networks. | Microsoft networking support | Corporate VPNs |
| SIM-Based Authentication (5G) | SIM-based authentication for 5G networks, leveraging mobile operator infrastructure. | Ease of use in 5G networks | 5G mobile networks |
| 5G-AKA (Authentication and Key Agreement) | Specific authentication for 5G that guarantees robustness and efficiency in the identification process. | Advanced security for 5G networks | 5G networks |
EAP (Extensible Authentication Protocol)
Description: Adaptive authentication framework used in WiFi and 5G networks. Supports various authentication methods, such as digital certificates or passwords.
Encryption: Depends on the EAP method used (e.g., EAP-TLS uses TLS with AES encryption).
Status: Basis for many authentication methods, common in WiFi and mobile networks.
PEAP (Protected Extensible Authentication Protocol)
Description: A variant of EAP that encapsulates EAP within a TLS tunnel, offering greater security.
Encryption: TLS with AES.
Status: Wide use in business WiFi networks.
EAP-TLS (EAP-Transport Layer Security)
Description: A variant of EAP that uses digital certificates to securely authenticate, considered one of the most secure authentication methods.
Encryption: TLS with AES.
Status: High level of security, preferred in enterprise environments.
EAP-TTLS (EAP-Tunneled Transport Layer Security)
Description: Variant of EAP that allows authentication in a TLS tunnel, supporting internal authentication methods such as PAP or CHAP.
Encryption: TLS with AES.
Status: Common in enterprise networks.
LEAP (Lightweight Extensible Authentication Protocol)
Description: Cisco’s proprietary protocol, currently deprecated due to vulnerabilities.
Encryption: RC4, considered insecure.
Status: Not recommended, replaced by EAP-TLS and PEAP.
Kerberos
Description: Ticket-based network authentication system, used in enterprise networks to authenticate securely.
Encryption: AES, DES (depending on implementation).
Status: Widely used in corporate networks and Active Directory systems.
OAuth 2.0
Description: Authorization protocol that allows information to be shared securely without sharing credentials directly.
Encryption: Does not define encryption; relies on HTTPS (TLS) for transmission protection.
Status: Wide use in web and mobile applications.
PAP (Password Authentication Protocol)
Description: Basic authentication protocol that sends credentials in plain text.
Encryption: Does not use encryption (plaintext only).
Status: Obsolete and highly insecure, used only on very old networks.
CHAP (Challenge Handshake Authentication Protocol)
Description: An improvement on PAP that uses a challenge system to avoid sending the password directly.
Encryption: Hashing algorithm (MD5 in older versions, although insecure).
Status: Used on some VPNs and older connections.
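The difference between PAP and CHAP on the wire, as an added example that is not part of the original article: it builds a PAP Authenticate-Request (RFC 1334) and a CHAP MD5 response (RFC 1994) and shows the authenticator rejecting a replayed response. The class name, user name and secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def pap_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): the password travels as-is."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    length = 4 + len(data)  # Code + Identifier + 2-byte Length + data
    return bytes([1, identifier]) + length.to_bytes(2, "big") + data

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): hash of Identifier, shared secret, challenge.

    Identifier and challenge are visible on the wire, so the strength of the
    shared secret is the only thing protecting the response from guessing.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side (hypothetical helper): fresh challenge per attempt, single use."""

    def __init__(self, secrets: dict):
        self.secrets = secrets   # user name -> shared secret
        self.pending = {}        # identifier -> outstanding challenge
        self.next_id = 0

    def new_challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        self.pending[identifier] = os.urandom(16)
        return identifier, self.pending[identifier]

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)  # consume the challenge
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    print("PAP on the wire :", pap_request(1, b"alice", secret))
    server = ChapAuthenticator({"alice": secret})
    ident, chal = server.new_challenge()
    resp = chap_response(ident, secret, chal)
    print("CHAP on the wire:", ident, chal.hex(), resp.hex())
    print("first use       :", server.verify("alice", ident, resp))
    ident2, _ = server.new_challenge()
    print("replayed        :", server.verify("alice", ident2, resp))
```
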
MS-CHAP
Description: A variant of CHAP developed by Microsoft, used in VPN networks.
Encryption: Based on MD4 and DES (vulnerable in older versions).
Status: Obsolete; it is recommended to use safer alternatives.
SIM-Based Authentication (5G)
Description: SIM-based authentication for 5G networks, facilitating automatic authentication of devices.
Encryption: Depends on the SIM encryption mechanisms (MILENAGE).
Status: Wide use on mobile networks.
5G-AKA (Authentication and Key Agreement)
Description: Specific authentication for 5G networks that guarantees robustness in identification and signal security.
Encryption: Symmetric encryption algorithms (MILENAGE).
Status: Standard on 5G networks, provides advanced authentication.
Selecting the most appropriate security and authentication protocol depends on several factors, such as the type of network, the level of security required, the available hardware, and compatibility with other systems. Below, I explain when to use each protocol according to these criteria:
Security Protocols
- WEP (Wired Equivalent Privacy)
  - When to use it: Not recommended. WEP is an insecure protocol and is deprecated due to its vulnerabilities. It can only be considered on older networks where there are no hardware upgrade options, but with great caution and limited access.
- WPA (WiFi Protected Access)
  - When to use it: On older networks where the hardware does not support WPA2 or WPA3. Although it improves over WEP, it is vulnerable to several types of attacks. This is an intermediate option and should only be used if WPA2 or WPA3 cannot be enabled.
- WPA2 (WiFi Protected Access 2)
  - When to use it: It’s the best option on most current WiFi networks that don’t support WPA3. It offers a robust level of security, is compatible with almost all modern devices, and is suitable for business and residential networks.
  - Considerations: WPA2 is a good choice when you need a balance between security and compatibility.
- WPA3 (WiFi Protected Access 3)
  - When to use it: On modern WiFi networks that require maximum security, such as in business or residential environments that need advanced protection. WPA3 is resistant to dictionary attacks and offers stronger encryption.
  - Considerations: Some older devices do not support WPA3, so it is important to check hardware compatibility.
- 802.11i
  - When to use it: It’s not used directly as a network setup, but it’s the foundation of WPA2. If a device supports 802.11i, it will support WPA2.
- 5G-AKA (Authentication and Key Agreement)
  - When to use it: Exclusive to 5G networks, it protects mobile communications and is ideal for telecommunications environments where secure authentication and reliability are required.
  - Considerations: It is the standard in 5G networks, so it is used by default in these configurations.
- IPSec (Internet Protocol Security)
  - When to use it: Ideal for VPNs and secure connections on IP networks. It is often used in enterprise connections and corporate VPNs where high security is required.
  - Considerations: Requires more configuration resources and can impact performance due to its complexity.
- SSL/TLS
  - When to use it: In any communication on the internet that requires secure encryption, such as HTTPS connections in browsers and data transmission in secure applications.
  - Considerations: It is essential for web connections, and is used in VPNs and cloud applications.
- 802.1X
  - When to use it: In environments where advanced access control and user authentication are needed, such as in enterprise networks.
  - Considerations: It is common in networks that also use WPA2 and WPA3 to add an additional layer of authentication.
Authentication Protocols
- EAP (Extensible Authentication Protocol)
  - When to use it: As an authentication framework, EAP is used in environments where flexibility is required for different authentication methods, especially on WiFi and 5G networks.
  - Considerations: Choose it if you want a flexible authentication protocol that can be adapted according to the needs of the network.
- PEAP (Protected Extensible Authentication Protocol)
  - When to use it: On enterprise networks that need to encapsulate EAP within a secure tunnel (TLS) to protect user credentials.
  - Considerations: It is useful when using password authentication and an additional layer of security is desired, for example, in institutional WiFi networks.
- EAP-TLS (EAP-Transport Layer Security)
  - When to use it: On high-security networks that can implement certificate-based authentication, such as businesses or universities.
  - Considerations: Requires certificate management infrastructure, making it ideal in enterprise networks with centralized credential management.
- EAP-TTLS (EAP-Tunneled Transport Layer Security)
  - When to use it: When more flexible authentication is needed within a secure tunnel, allowing authentication methods such as PAP or CHAP.
  - Considerations: It is a good choice for environments that cannot implement EAP-TLS but require additional protection in the authentication channel.
- LEAP (Lightweight Extensible Authentication Protocol)
  - When to use it: Not recommended. Due to its vulnerabilities, LEAP is outdated and should be avoided.
  - Considerations: If you are on an older Cisco network, you should upgrade to a more secure solution such as EAP-TLS or PEAP.
- Kerberos
  - When to use it: In enterprise networks and environments with servers and workstations in an Active Directory domain.
  - Considerations: Ideal for authentication in Windows networks and Active Directory environments that require fast and secure ticket-based authentication.
- OAuth 2.0
  - When to use it: On web and mobile applications that need authorization without sharing credentials, such as third-party services (e.g., social media access).
  - Considerations: It does not provide direct authentication, but authorization, so it is ideal for integrations between web services.
- PAP (Password Authentication Protocol)
  - When to use it: Avoid using it in modern environments, as it transmits credentials in plain text.
  - Considerations: It should only be used in older environments where no other options are available. It is very insecure and outdated.
- CHAP (Challenge Handshake Authentication Protocol)
  - When to use it: On older networks or dial-up connections that need basic authentication without direct password exposure.
  - Considerations: It is still vulnerable to dictionary attacks and should be used only if there are no more secure alternatives available.
- MS-CHAP
  - When to use it: On older VPNs or Microsoft environments. However, it is vulnerable and has been replaced by safer methods.
  - Considerations: Migrate to modern methods such as EAP-TLS if possible.
- SIM-Based Authentication (5G)
  - When to use it: On mobile 5G networks, especially for authentication on SIM card devices.
  - Considerations: It is the standard authentication method in mobile networks and very secure for telecommunications networks.
- 5G-AKA (Authentication and Key Agreement)
  - When to use it: Exclusive to 5G networks; provides advanced authentication for mobile connections.
  - Considerations: Automatically used on 5G networks, it provides high-level authentication.
Use Cases: Security in Real-World Situations
- Smart Offices and BYOD (Bring Your Own Device): In an office where employees use their own devices, authentication via WPA3 and 5G-AKA, along with authentication protocols such as EAP, ensures that devices are authorized and protected.
- IoT in Smart Homes: For connected homes, using WPA3 on home WiFi reduces the risk of attacks on IoT devices, while OAuth 2.0 authentication can secure individual devices.
- Enterprise Networks with Remote Access: Businesses that require secure remote connections can use WPA3 in combination with Kerberos for authentication and WPA3 for an extra layer of security in enterprise WiFi networks.
Recommended Settings to Strengthen Your Network
To maximize security on wireless and 5G networks, it is essential to configure devices properly:
- Enable WPA3 on WiFi: This is the highest security option available for home and business WiFi networks. Configuring your router to this protocol will help prevent dictionary attacks and protect the integrity of your network.
- Deploy 5G-AKA on 5G Networks: Ensure that devices and systems using 5G are configured to take advantage of the 5G-AKA protocol, which offers strong authentication and optimizes resource consumption.
- Virtual Private Network (VPN) Usage: On 5G and WiFi networks, using a VPN provides an extra layer of privacy and security, especially when users are accessing the network from external or public locations.
- MAC Address Filtering and Hidden SSID Configuration: Implementing MAC filtering and hiding the SSID on WiFi networks helps make it harder for intruders to access. While it’s not a definitive solution, it adds an extra layer of security.
- User Authentication with EAP and Kerberos: The combination of these protocols in business environments allows secure connections to be established, verifying the identity of users continuously.
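The WiFi recommendations above, checked mechanically: an added example (not from the original article) that audits a hostapd-style access point configuration and rates it by its weakest enabled mode, on the scale of the protocol table. Using hostapd, the rating rules and the sample configurations are assumptions of this example; the option names are hostapd's own.

```python
ORDER = ["None", "Low", "Medium", "High", "Very High"]

def parse(conf_text):
    """Parse key=value lines, skipping blanks and # comments."""
    cfg = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit(conf_text):
    """Return (level, findings); level is that of the weakest enabled mode."""
    cfg = parse(conf_text)
    levels, findings = [], []

    def flag(level, message):
        levels.append(level)
        findings.append(f"[{level}] {message}")

    wpa = int(cfg.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2/RSN
    key_mgmt = set(cfg.get("wpa_key_mgmt", "").split())
    if wpa and not key_mgmt:
        key_mgmt = {"WPA-PSK"}  # assumed hostapd default when the option is unset
    pairwise = set(cfg.get("wpa_pairwise", "").split())
    pairwise |= set(cfg.get("rsn_pairwise", "").split())

    if any(k == "wep_default_key" or k.startswith("wep_key") for k in cfg):
        flag("Low", "WEP keys configured (RC4, obsolete)")
    if wpa & 1:
        flag("Medium", "WPA version 1 enabled; move clients to WPA2 or WPA3")
    if "TKIP" in pairwise:
        flag("Medium", "TKIP pairwise cipher enabled; allow CCMP (AES) only")
    if wpa & 2:
        # Assumption: every key management value other than SAE is rated as WPA2.
        legacy = sorted(key_mgmt - {"SAE"})
        if legacy:
            flag("High", "WPA2 key management enabled: " + ", ".join(legacy))
        if "SAE" in key_mgmt:
            flag("Very High", "WPA3 SAE enabled")
    if not levels:
        flag("None", "no WEP or WPA settings found: open network")
    # Hidden SSID and MAC filtering are reported but never raise the rating.
    if cfg.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("[note] hidden SSID is not counted as protection")
    if cfg.get("macaddr_acl", "0") == "1":
        findings.append("[note] MAC allow-list is not counted as protection")
    return min(levels, key=ORDER.index), findings

# Constructed sample configurations (not taken from any real device).
LEGACY = "ssid=lab-old\nwep_default_key=0\nwep_key0=0123456789\n"
MIXED = ("ssid=lab-mixed\nwpa=3\nwpa_key_mgmt=WPA-PSK\n"
         "wpa_pairwise=TKIP\nrsn_pairwise=CCMP\n")
WPA3 = ("ssid=lab-new\nwpa=2\nwpa_key_mgmt=SAE\nrsn_pairwise=CCMP\n"
        "ignore_broadcast_ssid=1\n")

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY), ("mixed", MIXED), ("wpa3", WPA3)):
        level, findings = audit(conf)
        print(f"{name}: {level}")
        for finding in findings:
            print("   ", finding)
```
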
Network Security as a Fundamental Pillar
As connectivity grows and becomes more advanced with technologies like 5G, protecting our wireless networks becomes indispensable. With the implementation of the right protocols and optimized configurations, it is possible to not only enjoy the advantages of these networks, but also a safe and reliable user experience.
Thanks for reading!