Best Practices for Access Point Security in WatchGuard Cloud
Applies To: WatchGuard Cloud
About Wireless Threats
We recommend that you follow the best practices detailed in this guide to secure your WatchGuard access points, wireless clients, and your network from these types of wireless security threats:
- Misconfigured access points — Misconfigured or unknown access points connected to your corporate network with a configuration that does not conform to your organization's security policies can be a significant security threat. For example, if your organization's security policy requires wireless SSIDs to use minimum WPA3 security, and the configuration allows an open, unencrypted SSID, the device can allow insecure connections and create a vulnerability for your network.
To prevent misconfiguration of your access points, we recommend you create a secure common configuration with access points sites.
- Outdated device firmware — If your device does not run the latest firmware, you might be at risk of a known vulnerability or product issue that can be exploited by a malicious user.
We recommend you keep access point firmware up-to-date with the latest version for your device.
- Weak device passwords — If you use a weak device password that can easily be guessed or compromised by a brute force attack, this creates a vulnerability and might allow a malicious user to get access to the device and the network.
We recommend you use strong unique device passwords for your access points.
- Malicious access points — A malicious access point is a device intentionally set up by an attacker to masquerade as a legitimate access point for users to connect to. The attacker can then intercept and capture sensitive data, introduce malware, or gain access to the sensitive areas of the network. There are two main types of malicious access points:
- Rogue access point — An unauthorized access point that is physically connected to your wired network and broadcasts wireless SSIDs your clients might connect to instead of your legitimate access point SSIDs. A rogue access point might also be a device connected to the network by someone inside your organization without consent. These access points are security risks to your network if they are misconfigured or do not have the required security features enabled.
- Evil Twin access point — A nearby access point operating in your airspace that broadcasts the same SSID name as your managed access points to appear as a legitimate access point on your network. Your clients might connect to the Evil Twin instead of your legitimate access point SSIDs.
We recommend you enable Airspace Monitoring and ThreatSync integration to monitor your network for these threats and perform response actions to prevent wireless clients from connecting to these threat access points.
Create a Secure Common Configuration with Access Points Sites
To prevent misconfiguration of your access points, you can use Access Point Sites that enable you to manage and deploy shared wireless settings for multiple access points you manage in WatchGuard Cloud.
You can use an access point site to configure wireless SSIDs and radio settings, and then apply that configuration to the access points in the accounts that subscribe to the access point site.
This ensures that you apply the same secure SSID configuration to all the access points you manage. If you configure access points individually, you might apply inconsistent or insecure configurations to different devices.
- Each access point can subscribe to only a single site.
- Each access point site can have multiple subscribed devices. All devices that subscribe to a site share the same site configuration settings.
- When you update an access point site configuration and deploy the site, the site configuration settings immediately deploy to all subscribed devices.
For more information, go to About Access Point Sites.
Keep Access Point Firmware Up-To-Date
Install the latest access point firmware available for your device so that you always have the latest security updates, product updates, and fixes for known issues.
To upgrade the firmware on your access points:
- View which devices have firmware upgrades available from the Device Firmware widget on your Dashboard.
- Click the widget to go to the Firmware Upgrades overview page where you can immediately upgrade one or more devices, or schedule an update.
You can schedule firmware upgrades for times when a brief outage is acceptable, to avoid network disruption.
- Make sure you subscribe to the WatchGuard Product and Support News blog for product updates, new firmware announcements, and support alerts.
- Read the Release Notes to review the new features and resolved issues in a product release.
- To view the Release Notes for access points managed in WatchGuard Cloud, go to Wi-Fi in WatchGuard Cloud Release Notes.
- For information on firmware releases, go to Access Point Firmware Releases.
- For more information on how to configure and schedule firmware upgrades, go to Manage Fireware Versions for Devices in WatchGuard Cloud.
Use Strong Device Passwords
Wi-Fi in WatchGuard Cloud access points have a device administrator password for local Web UI and Command Line Interface (CLI) access to an access point. This enables you to troubleshoot access point issues from a secure direct connection to the device.
You initially specify the device password when you add the access point to WatchGuard Cloud.
When you add multiple access points to a WatchGuard Cloud account at the same time, you can choose to define unique passwords for each device, and export the list to a file for use with a password manager. For more information, go to Add an Access Point to WatchGuard Cloud.
To change the password of an access point in WatchGuard Cloud:
- Select Configure > Devices.
- Select the access point.
- Select Device Password.
Make sure you use a strong password with a minimum length of 12 characters that contains uppercase and lowercase letters, at least one number, and at least one symbol.
We recommend you specify unique device passwords for each access point you manage and store them in a password manager.
Enable Airspace Monitoring and ThreatSync Integration
You can enable Airspace Monitoring and ThreatSync integration on your access points to monitor your network for malicious access points and take response actions against these threat devices.
How Airspace Monitoring Works
Airspace Monitoring uses WatchGuard's patented identification technology to scan your wired network and your wireless airspace for malicious access points such as Rogue, Suspected Rogue, and Evil Twin access points.
Rogue Access Point
A Rogue access point is an unauthorized access point that is physically connected to your wired network and broadcasts wireless SSIDs your clients might connect to instead of your legitimate access point SSIDs.
All WatchGuard access point models managed by WatchGuard Cloud can detect Rogue and Suspected Rogue access points on your network.
- WatchGuard access points scan the wired network for access points physically connected to the network, and also scan your wireless airspace for the SSIDs broadcast by these access points.
- WatchGuard Cloud can correlate the MAC addresses of the detected wired and wireless interfaces to determine whether the access point is a Rogue access point.
- If the correlation between the MAC addresses is uncertain, the access point is classified as a Suspected Rogue access point, which means it might be an unauthorized device that you must investigate. The access point might also be a legitimate device that you have not added to your Trusted Access Points list.
Evil Twin Access Point
An Evil Twin is a nearby access point operating in your airspace (not connected to your wired network) that broadcasts the same SSID name as your managed access points to appear as a legitimate access point on your network.
- Only WatchGuard access points with a wireless scanning radio (AP230W, AP330, and AP430CR) are able to detect Evil Twin access points that operate in your wireless airspace.
- WatchGuard Cloud uses patented signature-based identification to determine whether an access point is an Evil Twin and not a known WatchGuard managed access point or trusted access point.
- The device might be a legitimate access point on your network that is not configured in your Trusted Access Point list.
- This device might also be a legitimate access point operating in your airspace such as a guest hotspot or private wireless network from a nearby business with the same SSID.
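The classification decisions described in the two sections above, as an added illustration that is not WatchGuard's patented identification logic: the trusted list is checked first, a wired-to-wireless MAC correlation decides Rogue versus Suspected Rogue, and an SSID match against a non-trusted BSSID flags an Evil Twin. The "same OUI and nearby NIC bytes" correlation rule and all MAC/SSID values are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SeenAP:
    bssid: str   # BSSID observed by the wireless scan (constructed sample data)
    ssid: str    # SSID the observed BSSID is broadcasting


def _mac_int(mac: str) -> int:
    """Convert 'aa:bb:cc:dd:ee:ff' (or dash form) to an integer for comparison."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def correlate(wired_macs: set[str], bssid: str) -> str:
    """Match a BSSID against MACs found by the wired scan.
    Assumed rule: an exact match is certain; same OUI with NIC bytes within a
    small offset is 'near' (many APs derive BSSIDs from their wired MAC)."""
    b = _mac_int(bssid)
    for w in wired_macs:
        wi = _mac_int(w)
        if wi == b:
            return "exact"
        if (wi >> 24) == (b >> 24) and abs(wi - b) <= 16:
            return "near"
    return "none"


def classify(ap: SeenAP, managed_ssids: set[str],
             trusted: set[str], wired_macs: set[str]) -> str:
    """Return the airspace classification for one observed access point.
    'trusted' holds lowercase MACs of managed APs plus the Trusted Access Points list."""
    if ap.bssid.lower() in trusted:
        return "Trusted"
    match = correlate(wired_macs, ap.bssid)
    if match == "exact":
        return "Rogue"              # on the wire and broadcasting: unauthorized wired AP
    if match == "near":
        return "Suspected Rogue"    # correlation uncertain: investigate or trust
    if ap.ssid in managed_ssids:
        return "Evil Twin"          # not on the wire, but impersonating a managed SSID
    return "Neighbor"               # unrelated network in range; no action needed
```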
Airspace Monitoring Requirements
Airspace Monitoring requires the following:
- A WatchGuard USP Wi-Fi Management license
- Access point firmware v2.2.23 or higher on all access points
- Access point firmware v2.7.9 or higher when integrated with ThreatSync to perform response actions and block wireless client connections to Rogue and Evil Twin access points.
- An AP230W, AP330, or AP430CR with a dedicated scanning radio for over-the-air Evil Twin detection and ThreatSync response actions to block wireless client connections to malicious access points.
- All other Wi-Fi in WatchGuard Cloud access point models can detect Rogue and Suspected Rogue access points physically connected to the network, but cannot detect Evil Twin access points or perform ThreatSync response actions.
- In larger deployments, we recommend you deploy one access point with a dedicated scanning radio for every 3-5 access points in your deployment.
Enable Airspace Monitoring
We recommend you use an Access Point Site to apply the Airspace Monitoring configuration to multiple access points.
- Select Configure > Access Point Sites.
- Select an Access Point Site.
- In the Configuration Details, click Add Advanced Settings.
- Enable Airspace Monitoring.
- Add the MAC addresses of any trusted devices in your deployment to your Trusted Access Points list.
WatchGuard access points and wireless Fireboxes managed by WatchGuard Cloud in the same account are automatically identified as trusted access points.
We recommend you add these devices to the Trusted Access Points list if they exist in your deployment:
- Wi-Fi 5 access points managed by WatchGuard Wi-Fi Cloud
- Wi-Fi 5 access points managed by a Gateway Wireless Controller on a Firebox
- Wireless Fireboxes not managed by WatchGuard Cloud
- Third-party access points
- Save the configuration.
- Deploy the configuration to your access points.
For more information about Airspace Monitoring, go to Access Point Airspace Monitoring.
Enable ThreatSync Integration
You can also integrate access point Airspace Monitoring with ThreatSync. ThreatSync is a WatchGuard Cloud feature that provides eXtended Detection and Response (XDR) technology for WatchGuard devices and products. You can receive incident alerts in ThreatSync when Airspace Monitoring detects malicious access points such as Rogue and Evil Twin access points. You can also perform response actions to block wireless client connections to Rogue and Evil Twin access points. For more information, go to About ThreatSync.
We recommend you enable ThreatSync on all your devices, and make sure you automatically enable ThreatSync on new devices you add to your account. For more information, go to Configure Device Settings in ThreatSync.
To configure which products and devices send data to ThreatSync:
- Select Configure > ThreatSync > Device Settings.
The Device Settings page opens.
- To automatically enable ThreatSync for any new access points you allocate to the account in WatchGuard Cloud, select the corresponding check box for Access Points.
- To specify which specific access points send data to and receive actions from ThreatSync, clear or select check boxes next to the Firebox and access point names.

- Click Save.
To enable or disable ThreatSync on an access point, at the device level:
- Select Configure > Devices.
- Select the access point.
- In the ThreatSync section, enable or disable ThreatSync.

ThreatSync Response Actions
With ThreatSync integration, you can perform response actions to Wi-Fi threat incidents in ThreatSync to block wireless client connections to detected malicious access points.
- The WatchGuard access point that detects the malicious device must have a dedicated scanning radio and run firmware v2.7 or higher to perform over-the-air response actions and block wireless client connections to the malicious access point.
- Wireless clients already connected to the malicious access point are disconnected from the device. Further connection attempts are blocked.
- You cannot perform over-the-air response actions against malicious access points that use WPA3 security, WPA2 security with Protected Management Frames (802.11w) enabled, or OWE security.
- You cannot perform over-the-air response actions against malicious access points that broadcast on a channel not in the current country of operation of the detecting access point.
Before you block wireless client connections to a detected malicious access point, make sure that this is not a known access point in your deployment.
- This might be a wireless Firebox not managed by WatchGuard Cloud, a WatchGuard Wi-Fi 5 access point, or a legitimate third-party access point in your deployment. You can trust these devices to prevent future alert notifications.
- For Evil Twin access points, this device might also be a legitimate access point operating in your airspace such as a guest hotspot or private wireless network from a nearby business with the same SSID.
Caution: Make sure you adhere to local regulations for the use of over-the-air response actions to disconnect wireless clients from an access point.
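A pre-check for the response-action restrictions listed in this section, as an added example rather than WatchGuard code: it verifies the detecting access point's model and firmware, refuses PMF-protected targets, checks the channel against the detecting AP's country, and confirms the target is not in the trusted list. The abbreviated channel plans, the record layouts and the sample values are constructed assumptions; the model names and the v2.7.9 minimum come from the requirements list above.

```python
from dataclasses import dataclass

SCANNING_RADIO_MODELS = {"AP230W", "AP330", "AP430CR"}   # models with a dedicated scanning radio
MIN_RESPONSE_FIRMWARE = (2, 7, 9)                        # minimum firmware for response actions
# Constructed, abbreviated 2.4 GHz channel plans; a real check would use full regulatory tables.
CHANNELS_2G = {"US": set(range(1, 12)), "GB": set(range(1, 14))}
# Security modes where management frames are protected, so over-the-air blocking is not possible.
PMF_PROTECTED = {"WPA3", "WPA2-PMF", "OWE"}


def parse_version(v: str) -> tuple[int, ...]:
    """'v2.10.2' -> (2, 10, 2). Numeric tuples avoid the '2.10' < '2.7' string-compare bug."""
    return tuple(int(p) for p in v.strip().lstrip("vV").split("."))


@dataclass(frozen=True)
class Detector:
    model: str      # detecting access point model
    firmware: str   # e.g. "v2.10.2" (constructed)
    country: str    # country of operation


@dataclass(frozen=True)
class Threat:
    bssid: str
    security: str   # "OPEN", "WPA2", "WPA2-PMF", "WPA3" or "OWE" (assumed labels)
    channel: int


def response_blockers(det: Detector, threat: Threat, trusted: set[str]) -> list[str]:
    """Return every reason an over-the-air block cannot or should not run; empty means OK."""
    reasons = []
    if threat.bssid.lower() in trusted:
        reasons.append("target is in the Trusted Access Points list; trust it instead of blocking")
    if det.model not in SCANNING_RADIO_MODELS:
        reasons.append("detecting AP has no dedicated scanning radio")
    if parse_version(det.firmware) < MIN_RESPONSE_FIRMWARE:
        reasons.append("detecting AP firmware is below v2.7.9")
    if threat.security in PMF_PROTECTED:
        reasons.append("target uses WPA3, WPA2 with PMF, or OWE")
    if threat.channel not in CHANNELS_2G.get(det.country, set()):
        reasons.append("target channel is not permitted in the detecting AP's country")
    return reasons
```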
Monitor the ThreatSync Dashboard
You can view threat information from Monitor > Threats. For more information, go to Monitor ThreatSync.
The Summary page provides a snapshot of incident activity. This page includes graphs and incident data and provides a snapshot of incident activity over a specified period of time.
The Incidents page shows a list of incidents, such as malicious access points (Rogue and Evil Twin access points) for a specified time period and enables you to perform actions against these threats.
Select a specific incident to view the incident details. Click Block Connections to block wireless client connections to the malicious access points.
You can also create ThreatSync automation policy templates that include multiple automation policies and assign the template to the accounts or account groups you manage. Automation policy templates enable you to apply ThreatSync automation policies consistently across managed accounts, and save time when you set up ThreatSync for new accounts or account groups.
For example, you could create a policy that automatically blocks client connections to access points detected by ThreatSync as a Rogue or Evil Twin access point. This automates the process of detection and remediation to block wireless client connections to a malicious access point.
For more information, go to Manage ThreatSync Automation Policy Templates (Service Providers).