In his blog, “Are There KRACKS in Your Wireless Network Security?” John Gordineer points out that SonicWall SonicWave wireless access points (APs) provide an extra level of protection against these attacks. Let’s take a closer look at how they do this. SonicWave APs provide something very few other access points on the market have – a third radio dedicated to security.
Why is that important? Most access points have two radios. One operates in the 2.4 GHz frequency band and the other in the 5 GHz band. In order to perform security scanning for rogue APs, you need to take one of those radios away from its normal duties for a period of time. The problem is, this consolidates all wireless users onto a single radio, slowing wireless performance and providing a poor user experience. Now, you can schedule the scan for the middle of the night when there are fewer wireless users, but that’s like turning on a security camera for only 30 minutes each day. The odds that the attack occurs during this short window are pretty small.
On the other hand, SonicWave APs use that third radio to scan for and block rogue access points 24×7 so you’re covered around the clock. If an unauthorized access point is detected, it can be automatically disassociated from the network and traffic between the access point and clients will be blocked. Here’s how it looks in SonicOS, the firmware of the managing SonicWall firewall.
Let’s apply this to the WPA2 vulnerability that opens WiFi networks to key reinstallation attacks. Hackers within WiFi range can use KRACKs to steal sensitive organizational and personal information. To do this, the hacker attaches a rogue access point called an “evil twin” to the WiFi network, mirroring the MAC address and SSID of the real AP. Using certain techniques within the KRACK, the hacker redirects unpatched clients to connect to the rogue AP. Then, during the four-way handshake between the real access point and client device, the hacker launches a man-in-the-middle (MITM) attack and forces the client to reinstall an encryption key that’s been used already, something that the WPA2 protocol was thought to prevent. The WiFi client associates with the evil twin access point using unencrypted data transmissions, making it easy for the attacker to read the communications.
SonicWave access points, on the other hand, protect against KRACKs in two ways. First, they don’t support IEEE 802.11r Fast BSS Transition (aka fast roaming), which is vulnerable to KRACKs due to protocol deficiencies. And second, SonicWave access points use AES-CCMP for the key exchange, so the hacker cannot forge the key and join the network. To get around this, hackers may attempt to deploy an “evil twin” access point on a different WiFi channel to fool wireless clients into connecting to the rogue AP instead of the SonicWave AP. As I mentioned earlier, however, this won’t work with SonicWave APs due to the third radio, which continually scans for and blocks rogue access points from connecting to the network using Wireless Intrusion Detection and Prevention. There’s even an option in the Wireless Intrusion Detection and Prevention settings to add evil twins to a list of rogue APs.
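How a scanning radio's results could be checked for the evil twin described above, as an added Python example that is not SonicWall's code or part of the original post: it compares observed beacons against an inventory of managed APs. The `Beacon` type, the `AUTHORIZED` inventory, the verdict names and the sample scan are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str    # MAC address the AP advertises
    channel: int

# Constructed inventory of managed APs: BSSID -> (SSID, channel).
# With automatic channel selection this must track each AP's current channel.
AUTHORIZED = {
    "00:11:22:33:44:55": ("CorpWiFi", 36),
    "00:11:22:33:44:66": ("CorpWiFi", 6),
}

def classify(beacon, authorized=AUTHORIZED):
    """Return 'authorized', 'evil_twin', 'rogue' or 'neighbor' for one beacon."""
    known = authorized.get(beacon.bssid.lower())
    if known is not None:
        if (beacon.ssid, beacon.channel) == known:
            return "authorized"
        # A managed MAC seen with another SSID or channel is a clone.
        # A clone on the real AP's own channel cannot be told apart here.
        return "evil_twin"
    if beacon.ssid in {ssid for ssid, _ in authorized.values()}:
        return "rogue"    # our SSID advertised from a MAC we do not manage
    return "neighbor"     # unrelated network, not ours to act on

def scan_report(beacons, authorized=AUTHORIZED):
    """Return the sorted, de-duplicated findings for one scan pass."""
    findings = set()
    for b in beacons:
        verdict = classify(b, authorized)
        if verdict in ("evil_twin", "rogue"):
            findings.add((verdict, b.ssid, b.bssid.lower(), b.channel))
    return sorted(findings)

# Constructed scan results, as a monitoring radio might report them.
SAMPLE_SCAN = [
    Beacon("CorpWiFi", "00:11:22:33:44:55", 36),    # the real AP
    Beacon("CorpWiFi", "00:11:22:33:44:55", 1),     # cloned MAC and SSID, other channel
    Beacon("CorpWiFi", "DE:AD:BE:EF:00:01", 11),    # our SSID, unknown MAC
    Beacon("CoffeeShop", "AA:BB:CC:00:00:01", 6),   # unrelated neighbour
]

if __name__ == "__main__":
    for finding in scan_report(SAMPLE_SCAN):
        print(finding)
```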
If you’re in the market for a new wireless access point, check with the vendor to see if it comes with two radios or three like the SonicWave series. Having that third radio will provide you with a range of advantages you won’t get with standard two-radio APs, including added protection against attacks like KRACK.