Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.1.3. Compare and contrast wireless security protocols and authentication methods. (Obj. 2.3)

💡 First Principle: Strong encryption and robust authentication are non-negotiable for securing wireless networks.

Wireless networks are inherently insecure because their signals travel through the open air, making them easy to intercept. The only thing that protects your data from being read by anyone nearby is strong encryption. Over the years, wireless encryption protocols have evolved to counter new attacks.

  • WEP (Wired Equivalent Privacy): The original, now ancient, protocol. It is completely broken and can be cracked in minutes with freely available tools. You must never use WEP. If you see it as an option, it's a wrong answer unless the question is about identifying an insecure configuration.
  • WPA (Wi-Fi Protected Access): The replacement for WEP. It was an improvement but also has known vulnerabilities. It is considered deprecated and insecure.
  • WPA2 (Wi-Fi Protected Access 2): The long-standing industry standard for security. It mandates the use of the AES (Advanced Encryption Standard), a very strong encryption cipher. For years, WPA2 has been the minimum acceptable level of security for any wireless network.
  • WPA3 (Wi-Fi Protected Access 3): The newest and most secure standard. It offers even stronger encryption and protection against certain types of attacks that WPA2 is vulnerable to, and it simplifies the process of connecting headless IoT devices securely. When available, WPA3 is the preferred choice.

Just as important as encryption is authentication—how users get on the network in the first place.

  • PSK (Pre-Shared Key): Also known as WPA2-Personal. This is what you use at home. Everyone on the network uses the same password to connect. It's simple to manage but less secure in a business environment; if one person leaves the company, you have to change the password for everyone.
  • Enterprise (WPA2-Enterprise / 802.1X): This is the corporate standard. There is no single shared password. Instead, each user authenticates with their own unique credentials (e.g., their company username and password). These credentials are not sent to the access point but to a central authentication server called a RADIUS (Remote Authentication Dial-In User Service) server. This is far more secure, allows for individual access to be revoked instantly, and provides a detailed log of who connected and when.

Technician's Action Plan: Scenario: A small but growing business is using a single password for their Wi-Fi, which they write on a whiteboard for new employees. They have recently had a few employees leave and are concerned about security.

  1. Assess the Current State: Identify the current configuration as WPA2-PSK (Personal). Acknowledge that while WPA2 encryption is good, the use of a single, shared, and publicly displayed password is a significant security risk.
  2. Recommend the Short-Term Fix: Immediately advise them to take the password off the whiteboard. Change the current Wi-Fi password to a new, strong, complex passphrase. This mitigates the immediate risk from former employees.
  3. Propose the Long-Term, Scalable Solution: Explain the benefits of upgrading their network to WPA2-Enterprise (802.1X). Describe how this would eliminate the shared password problem. Each employee would use their own computer login credentials to access the Wi-Fi. If an employee leaves, you simply disable their network account, and their Wi-Fi access is instantly revoked without affecting anyone else.
  4. Outline the Requirements: Explain that implementing WPA2-Enterprise requires two main components they may not have: a wireless access point that supports "Enterprise" or "RADIUS" mode, and a RADIUS server (which can be a service running on a Windows Server or a cloud-based solution).
  5. Create a Phased Approach: Suggest they start with the short-term fix today. Then, you can work on a project to quote and implement the more secure and manageable Enterprise solution as they continue to grow.

Reflection Question: Why is WPA2-Enterprise (802.1X) a superior authentication method for a business network compared to WPA2-PSK (Personal)?