Stop me if you’ve heard this one: You’re setting up a spiffy new wireless network and you want to get everything right. You know security breaches are happening left and right, and everyone involved with the project wants robust, enterprise security.
But 10 minutes into the requirements gathering process, you realize many of the devices you need to support are woefully under-capable when it comes to security.
Welcome back to The World of PSK, a place none of us seem able to escape.
PSK is here to stay
As a wireless long-timer, I’ve been grousing about poorly implemented client devices for years.
What makes a client device “poorly implemented” by my definition? Many devices are stuck in the past with low-end radios, data rate requirements that are obsolete by modern business WLAN standards, and the inability to do 802.1X-based enterprise WLAN security.
This forces environments that would rather move on from PSK to provide yet another SSID for those “other devices.” Printers have perhaps been the prime offenders here, but with the IoT tide rising, it’s forecasted that many new devices will also be limited in their Wi-Fi security capabilities.
Then there’s the administrative costs of running the RADIUS back-end for 802.1X, which IT-constrained businesses may not be able to support.
For many reasons, the need to build networks that use a pre-shared key as the basis for authentication and encryption at the wireless layer will be with us well into the future.
Some vendors are putting a spin on PSK
If you happen to use WLAN equipment from certain vendors (Aerohive is the hands-down leader in this functionality), you may be able to leverage Private PSK or one of its variants.
The idea here is that you and I both join the same SSID, but your devices use a different pre-share than mine, and the issuing and revocation of those keys is simple.
Not all vendors offer this option (though they should), and because it’s not part of any network standard, each vendor that does have this ability will do it their own way. Make sure you investigate how it’s done for a given vendor before deciding you can use it.
How to live with PSK
Regardless of how big, small, or distributed the networks you support are, PSK does have a bag of concerns that are your responsibility to carry for the lifetime of the particular WLAN.
Some aspects of PSK are intuitive—like you should use a long, complicated passphrase. Others are not—like the fact that in some vendors’ network equipment there’s no way to see a pre-share in clear text in any administrative view once it’s been entered. Hopefully you made note of it somewhere. Ideally, you’d keep a password-protected file with all of your PSK pre-shares, with the date each was put into service.
Some environments will not “give out” the pre-share. Users need to bring their devices to an admin who types it in and thus keeps it secret.
Others freely share it with employees. This gets as deep into procedure as it does technical talk.
No matter how you distribute the pre-share keys, you also have to be smart about the networks they’re used on. For example, guests generally shouldn’t be on the same network as business client devices. (More sophisticated networks sometimes put everything on the same SSID, but then have complex commercial solutions that use various attributes to sort out what client gets on what logical network afterwards.)
Also, any pre-share you put in place today shouldn’t still be in use five years from now. Unless the PSK WLAN is in a tightly controlled environment, it’s best practice to change it on occasion.
Changing PSK pre-shares can be an absolute pain, and larger networks mean more pain. If you’ve had staff turnover or reason to expect the pre-share has been exposed outside of your business (beyond guest networks), you need to bite the bullet.
Depending on how many devices are in play and the number of users who have to change keys, it may be easier to build a new SSID with a new key, and transition devices to that incrementally until you can retire the old one.
Nothing in wireless networking is simple—not even PSK.
Leave a Reply