Robert Sayle: Let’s Talk about New Wireless Security Certifications

Hey, biomed! It’s me again, Bob in IT. I know, it’s been a while. Wi-Fi Alliance has been pretty busy this past month. Have you heard about the new wireless security certifications? They rolled out three new certifications. Well, it’s still pretty early, but I can share what we’re thinking in IT in terms of adoption and what we’ll need from you in biomedical engineering.

The first certification is from the Wi-Fi Protected Access security family of technologies: Wi-Fi CERTIFIED WPA3. This is the most impactful one for us. For personal networks, WPA3 replaces the WPA2 pre-shared key handshake with SAE (Simultaneous Authentication of Equals), which resists offline dictionary attacks on the passphrase; for enterprise networks, it adds an optional 192-bit security mode built on stronger cryptographic suites; and in both cases it makes protected management frames mandatory. We can only take advantage of any of this when both our access points and our clients are WPA3 certified, and that won’t happen until devices get certified and start rolling out into the market. That means you should definitely start asking your equipment vendors to get this certification. In the meantime, we can run our wireless network in a transition mode that lets WPA2 and WPA3 equipment share an SSID (service set identifier): the access point advertises both the old PSK method and the new SAE method, and each client uses the strongest one it supports. One caveat: the two methods share the same passphrase, so as long as a single WPA2 client is still on that SSID, its handshake can be captured and the passphrase attacked the WPA2 way. Transition mode buys us time; it is not the finish line.

One thing to note about WPA3 is that there is no more support for the WPA-TKIP (temporal key integrity protocol) cipher that was part of the first version of WPA; CCMP (AES) is the minimum, and WEP is out as well. Wi-Fi Alliance started deprecating TKIP in 2015, but now it’s truly gone. Do you know if any of your equipment is still using TKIP? The quickest way to check is to look at the ciphers each SSID advertises, either in the wireless controller’s configuration or in a packet capture of the access point’s beacons, and then at which cipher each client actually negotiated. If you find that you still have some, we need to get together with the appropriate vendors and work with them on a transition plan. We certainly don’t want to haphazardly flip the switch to WPA3 and in doing so suddenly disconnect that equipment.

The second certification is called Wi-Fi CERTIFIED Enhanced Open. It’s kind of a funny name, but it makes more sense when you realize that it’s used in wireless networks configured for open authentication (in other words, no authentication). We use this on our guest network. The problem with open networks, though, is there’s no security applied: an open network is unencrypted and wide open for sniffing. Wi-Fi Enhanced Open, which is built on OWE (Opportunistic Wireless Encryption), negotiates a per-client encryption key during association, so traffic on the air is encrypted even though there’s still no authentication. It isn’t foolproof: it stops passive eavesdropping, but because nobody proves who they are, it can’t stop someone from standing up a rogue access point with our guest SSID and having users connect to that instead. It’s certainly better than nothing, though. We’ll be adopting Wi-Fi Enhanced Open for our guest network eventually, but there’s nothing that you need to do on your end.
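To answer the questions above (is an SSID still advertising TKIP, is it running in WPA2/WPA3 transition mode, does the guest network use Enhanced Open), the script below decodes the RSN information element that every access point includes in its beacons and classifies what it finds. This is an added example, not code from the original post or from Cisco; the SSID names and the IE bytes are constructed for illustration and are not taken from any real capture. Feed it the RSN IE bytes from a packet capture (Wireshark shows them under the "RSN Information" element) or from your controller’s scan output.

```python
"""Classify an SSID's security from its RSN information element (802.11 element ID 48).

Added example; the sample IEs below are hand-assembled (constructed) and
are not captures from a real network.
"""
import struct

RSN_OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI

# Cipher suite selectors (type field) defined by 802.11.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
# Authentication and key management (AKM) suite selectors.
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192", 18: "OWE"}

LEGACY_CIPHERS = {"WEP-40", "WEP-104", "TKIP"}
PSK_AKMS = {"PSK", "PSK-SHA256", "FT-PSK"}
SAE_AKMS = {"SAE", "FT-SAE"}
DOT1X_AKMS = {"802.1X", "802.1X-SHA256", "FT-802.1X"}


def _suite(ie, off, table):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if off + 4 > len(ie):
        raise ValueError("truncated suite selector")
    oui, typ = ie[off:off + 3], ie[off + 3]
    if oui != RSN_OUI:
        return f"vendor-{oui.hex()}-{typ}", off + 4
    return table.get(typ, f"unknown-{typ}"), off + 4


def _suite_list(ie, off, table):
    """Decode a 2-byte little-endian count followed by that many selectors."""
    if off + 2 > len(ie):
        raise ValueError("truncated suite count")
    count = struct.unpack_from("<H", ie, off)[0]
    off += 2
    names = []
    for _ in range(count):
        name, off = _suite(ie, off, table)
        names.append(name)
    return names, off


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse an RSN IE body; a full element (ID 48 + length byte) is accepted too."""
    if len(ie) >= 2 and ie[0] == 48 and ie[1] == len(ie) - 2:
        ie = ie[2:]  # strip element header; a bare body starts with version 0x0001
    if len(ie) < 2 or struct.unpack_from("<H", ie, 0)[0] != 1:
        raise ValueError("not an RSN IE version 1")
    off = 2
    group, off = _suite(ie, off, CIPHERS)
    pairwise, off = _suite_list(ie, off, CIPHERS)
    akms, off = _suite_list(ie, off, AKMS)
    # RSN Capabilities is optional; bit 6 = MFP required, bit 7 = MFP capable.
    caps = struct.unpack_from("<H", ie, off)[0] if len(ie) >= off + 2 else 0
    return {"group": group, "pairwise": pairwise, "akms": akms,
            "mfp_capable": bool(caps & 0x0080), "mfp_required": bool(caps & 0x0040)}


def classify(info: dict) -> dict:
    """Name the security mode and list anything that blocks a WPA3 cut-over."""
    akms = set(info["akms"])
    if "OWE" in akms:
        mode = "Enhanced Open (OWE)"
    elif "802.1X-SuiteB-192" in akms:
        mode = "WPA3-Enterprise 192-bit"
    elif SAE_AKMS & akms:
        mode = "WPA3-Personal transition (PSK + SAE)" if PSK_AKMS & akms else "WPA3-Personal"
    elif PSK_AKMS & akms:
        mode = "WPA2-Personal"
    elif DOT1X_AKMS & akms:
        mode = "Enterprise (802.1X)"
    else:
        mode = "unknown"
    issues = []
    if LEGACY_CIPHERS & {info["group"], *info["pairwise"]}:
        issues.append("TKIP or WEP cipher still enabled")
    if not info["mfp_capable"]:
        issues.append("no management frame protection advertised")
    return {"mode": mode, "issues": issues}


# Constructed sample RSN IE bodies (hex), one per SSID we might see in a site survey.
SAMPLES = {
    "MED-DEVICES (WPA2 mixed TKIP/AES)":
        "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000",
    "STAFF (WPA3 transition)":
        "0100" "000fac04" "0100" "000fac04" "0200" "000fac02" "000fac08" "8000",
    "STAFF-WPA3 (WPA3 only)":
        "0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000",
    "GUEST (Enhanced Open)":
        "0100" "000fac04" "0100" "000fac04" "0100" "000fac12" "c000",
}


def survey(samples=SAMPLES) -> dict:
    """Classify every sample; returns {ssid: classification}."""
    return {ssid: classify(parse_rsn_ie(bytes.fromhex(h))) for ssid, h in samples.items()}


if __name__ == "__main__":
    for ssid, result in survey().items():
        flags = "; ".join(result["issues"]) or "ok"
        print(f"{ssid:38} {result['mode']:40} {flags}")
```

The first sample is the one to hunt for: a WPA2-Personal SSID whose pairwise cipher list still carries TKIP is exactly the network that will strand old medical devices when the switch is flipped to WPA3-only, and the missing management frame protection bit means it cannot even be moved to transition mode without touching the configuration.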

The last new certification is one I want you to start watching for as you acquire new equipment. This one is named Wi-Fi CERTIFIED Easy Connect, and it’s built on the Device Provisioning Protocol (DPP). The idea is to make it simple to securely onboard devices that have difficult human interfaces or none at all. It’s a pretty ingenious workflow. You load an app on your phone, for example, and from there set up your wireless network’s configuration. Then, when you want to onboard a new device, you scan a QR (quick response) code affixed to it. That code carries the device’s public bootstrapping key, which is what lets the app authenticate the device it’s about to provision. The app then connects to the new device, pushes the network configuration to it, and the device gets connected. Pretty cool, huh?

The thing with Wi-Fi Easy Connect, though, is that it’s targeted at home use, not enterprise. At least in this first release, you can only configure WPA2-Personal or WPA3-Personal settings, and both of those use a single shared passphrase. This really isn’t desirable in our hospital because our policy dictates using enterprise settings, such as a certificate or our AD (Active Directory) credentials. Anyway, if you start seeing your equipment vendors adopting Wi-Fi Easy Connect, and you want to use it, please let us in IT know. We’ll need to make sure our wireless gear supports it, and we’ll need to speak with the security team to find out if it’s acceptable or not.

Well, listen. It was great running into you again. I need to get back over to the tower and run some more tests. See you around!

Robert Sayle, CCIE security emeritus, is a technical solutions architect for Cisco Systems, Inc., in Irvine, CA, and a member of AAMI’s Wireless Strategy Task Force.
