Credential theft is a high priority concern across many industries, and to combat it, many institutions have deployed WPA2-Enterprise wireless networks. This network type encrypts all network communications, as well as secures the authentication process. Often, WPA2-Enterprise is deployed in conjunction with certificates for a highly secure network, but this is not always the case. If credentials are used for authentication rather than certificates, the threat of credential theft is significantly higher. Server certificate validation is integral to securing credentials on wireless networks; however, it is often overlooked or misconfigured, resulting in devices that are still vulnerable to credential theft.
Server certificate validation is simple in concept: as a user connects to the network, and before the device is authenticated by the RADIUS server, the device validates the server certificate and confirms that it is talking to the correct RADIUS server. This may seem like a superfluous detail to some; if you know the name of the network, why would you need an extra check to confirm what you can read? Thieves looking to steal credentials will use a laptop to spoof an Access Point (AP) and RADIUS server. They will set up the rogue AP with a name similar to the real network in the hope that a user attempts to connect. Most often, connecting to the wrong network is not the fault of the user. A device will typically attempt to connect to the strongest signal, so if the rogue AP has the strongest signal, the device will attempt to connect. Once connected, the device sends the user's credentials expecting to be authenticated, but the data is intercepted instead. The attacker now holds a set of credentials that grant access to the network.
In this situation, had server certificate validation been used, the user's device never would have sent credentials to the phony network. Since the thief's RADIUS server cannot present a certificate the device trusts, the device would recognize this and immediately abort before sending credentials, then move on to the legitimate network the user is authorized to use.
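As an added example that is not part of the original post, the two wpa_supplicant network blocks below show the difference in practice for a WPA2-Enterprise (PEAP/MSCHAPv2) client profile: the first skips server certificate validation, the second pins the RADIUS CA and the server's name. The SSID, file path, and domain are assumed placeholders, not values from the post.

```conf
# INSECURE: no ca_cert is configured, so wpa_supplicant does not verify the
# RADIUS server's certificate chain. Any rogue AP/RADIUS pair that advertises
# the SSID can complete the TLS tunnel and receive the MSCHAPv2 exchange.
network={
    ssid="CorpWiFi"                  # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="correct-horse-battery"
    phase2="auth=MSCHAPV2"
}

# HARDENED: the same profile with server certificate validation enabled.
network={
    ssid="CorpWiFi"                  # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="correct-horse-battery"
    phase2="auth=MSCHAPV2"

    # Trust anchor: only certificates chaining to this CA are accepted.
    # Use the private/enterprise CA that issued the RADIUS certificate,
    # not the system-wide public CA bundle. (assumed path)
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"

    # Name pinning: the server certificate's SubjectAltName dNSName (or CN
    # if no dNSName is present) must end in this suffix. Without this, any
    # certificate issued by the trusted CA would be accepted. (assumed domain)
    domain_suffix_match="radius.example.com"
}
```

Both settings matter: `ca_cert` alone still accepts any certificate the CA has issued, while `domain_suffix_match` alone has nothing to anchor the name to.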
On the surface, it appears that server certificate validation is a simple process that every network should utilize to protect network credentials, so why don’t they? The most common reason for not using it is that many people have not heard of it or don’t understand how it works. Unless they were introduced to it by someone in the industry or a colleague doing network security research, they’re not likely to be familiar with it.
Another common reason is that it can be difficult to configure. Without software that configures the network automatically, properly configuring a network for server certificate validation can be challenging. SecureW2 provides configuration software for organizations wishing to boost their security. The software takes the guesswork out of the configuration process and allows you to accurately configure the network.
Server certificate validation is integral to protecting the network, and without it, users are at risk. A guarantee that every network user will only send their credentials to a trusted RADIUS server is one less worry for IT. In the midst of uncertainty in network security, server certificate validation offers a welcome certainty.
This is a Security Bloggers Network syndicated blog from SecureW2 authored by Jake Ludin. Read the original post at: https://www.securew2.com/blog/demystifying-server-certificate-validation/