Hi Andreas,
I was thinking for a long time about how to write my thoughts on this topic concisely while keeping everything that can matter. Sorry if it got too long...
Maybe I've started from the wrong starting point. I think neither of us should cover only single particular scenarios and try to prove which technique is superior to the others. PSK, WPA2-Enterprise, open network, 802.1X and other security approaches are just tools; some of them are welcome in particular scenarios, while others are not. That's why your question:
"Why not just have this feature implemented as well and let the customer decide what he uses?"
is quite reasonable and I agree with you.
However, let me think a little more about whether we really need per-device PSK. 😉
I would divide the risk in three pieces: risk of reaching the network, risk of listening to a particular conversation and risk of spoofing the device (MAC).
If you have a single PSK, that is right: your entire traffic can be exposed and MAC spoofing is close at hand. Reaching the network is obvious.
In that case you might want (depending on budget and security policy) to use other techniques in addition, to stay away from the MAC spoofing risk and to take care of achieving security at higher communication layers for critical applications. In terms of unauthorized access to the network, a MAC whitelist and blacklist can work along with ACLs or similar techniques, but will still not help with MAC spoofing without even more advanced device recognition techniques...
If there are more security concerns, I would rather move to credentials-based 802.1X (not necessarily certificates). Unauthorized access can still be there (if someone gets your personal AD login/password), traffic sniffing is rather difficult, but there's still a risk of spoofing the device (take a look here:
https://hackinparis.com/data/slides/2017/2017_Legrand_Valerian_802.1x_Network_Access_Control_and_Byp... ). So for greater security 802.1X can still be not enough! It is nice, however, because it can give you an easy-to-maintain role-based access control scenario, and with NAC or other stuff (like web authentication on switches) you can still query the user repository for a particular user without his device supporting 802.1X (of course security drops down a little). BTW, NAC doesn't necessarily require any client installed on a device.
Individual PSK is something between PSK and 802.1X IMO. If someone gets the credentials (but also has to spoof the MAC, if we compare to plain PSK without any additional things like a MAC whitelist), they can reach the network and could also compromise that device's conversation. You also have to generate and distribute those PSKs, which sounds almost like certificate-based 802.1X (agreed, certificates are way more complex to deploy and maintain). When it comes to guest users, that's reasonable; when you have a big company and would like to use that instead of 802.1X, I simply don't see a good reason right now, maybe if someone doesn't have the money or permission to deploy AD+NPS or FreeRADIUS or something else that would give you many other features alongside. It's more probable with really small companies (European-sized small companies, to be clear, but then often Extreme might seem to be just too expensive); bigger ones usually have some virtualization space and Windows Small Business Server at least, so they are good to go for 802.1X. Could you please provide some use-case scenarios?
Most importantly, with any security mechanism there is a risk that a stolen device is reported hours or even days after something has happened, so manual intervention can be late, depending on the situation (especially if it really has to be manual, and the only admin is on a day off). But stolen credentials (without stealing a device!) can be found out even later, if it's just about decrypting the target's traffic (no spoofing, no advanced device fingerprinting techniques in the network to detect spoofing). With 802.1X, as far as I know, even having the user credentials is not enough to see his traffic unencrypted on wireless. If that individual PSK would create per-session keys that would be hard to decrypt on the fly, it would be nice, as it is easier to deploy with simple and small networks without all that 802.1X infrastructure (and without granular role-based access control, until there would be an option to apply not only a PSK to each device but also some ACLs, VLANs and so on).
Have in mind that there are other risks, like looking at the traffic after it reaches the wired network, using rogue APs and so on... PSK or whatever is just about securing the wireless communication. So eventually, I believe the attacker might have a lot of time to do what he wants regardless of the security technique (PSK/individual PSK/802.1X); because of this, none of those is enough for enterprise security if used as the only building block. Each company should have its own security policy that takes all the possible factors into account to find a reasonable balance between low cost/comfort of use and critical data/infrastructure security.
Thanks for the topic, as it's always good to see some nice features that other vendors have; perhaps Extreme will take that into account, between working on 11ax and WPA3, which are the most desired right now, I believe. 😉
By the way, what tools or techniques do you guys find good for detecting MAC spoofing (on wired/wireless) and credential (individual PSK, 802.1X) reuse? Only SIEM? Posture assessment?
Kind regards,
Tomasz
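As an added example that is not part of Tomasz's post and not code from Extreme or any vendor, the Python script below shows the kind of logic a SIEM rule or a small script could apply to the two questions at the end of the post: a MAC address with time-overlapping sessions on two different APs or ports (a MAC spoofing indicator, since a legitimately roaming client hands over rather than being in two places at once), and one 802.1X identity or per-device PSK label that shows up from more than one MAC (a credential reuse indicator). The log format, field names and all records are constructed for the example; a real deployment would feed it RADIUS accounting or controller association records instead.

```python
"""Triage indicators for MAC spoofing and credential reuse over
constructed accounting-style records (example, not vendor code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:
    start: datetime
    end: datetime
    identity: str   # 802.1X username or per-device PSK label
    mac: str        # client MAC as reported by the AP/switch, lower-cased
    ap: str         # AP name or switch port


# Constructed sample log; the format is an assumption made for this example.
CONSTRUCTED_LOG = """\
2024-05-01T08:00:00 identity=alice mac=AA:BB:CC:00:00:01 ap=AP-floor1 duration=3600
2024-05-01T08:20:00 identity=alice mac=aa:bb:cc:00:00:01 ap=AP-floor3 duration=1800
2024-05-01T09:05:00 identity=bob mac=AA:BB:CC:00:00:02 ap=AP-floor1 duration=1200
2024-05-01T09:30:00 identity=bob mac=AA:BB:CC:00:00:02 ap=AP-floor2 duration=1200
2024-05-01T10:00:00 identity=printer-psk mac=AA:BB:CC:00:00:03 ap=AP-floor2 duration=600
2024-05-01T10:30:00 identity=printer-psk mac=AA:BB:CC:00:00:99 ap=AP-floor1 duration=600
"""


def parse_line(line: str) -> Session:
    """Parse '<ISO timestamp> identity=<id> mac=<mac> ap=<ap> duration=<seconds>'."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    start = datetime.fromisoformat(ts_text)
    return Session(start=start,
                   end=start + timedelta(seconds=int(kv["duration"])),
                   identity=kv["identity"],
                   mac=kv["mac"].lower(),
                   ap=kv["ap"])


def overlapping_mac_sessions(sessions):
    """Return (mac, ap_a, ap_b) for every pair of sessions of the same MAC
    whose time intervals overlap while being on different APs/ports.
    Sequential sessions on different APs are normal roaming and are ignored."""
    by_mac = defaultdict(list)
    for s in sessions:
        by_mac[s.mac].append(s)
    hits = []
    for mac, group in by_mac.items():
        group.sort(key=lambda s: s.start)
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b.start >= a.end:      # sorted by start: nothing later overlaps a
                    break
                if a.ap != b.ap:
                    hits.append((mac, a.ap, b.ap))
    return hits


def identities_with_multiple_macs(sessions):
    """Map each identity (username or PSK label) seen from more than one MAC
    to the sorted list of those MACs. Multi-device users are legitimate, so
    this is a triage list to compare against the device inventory."""
    macs = defaultdict(set)
    for s in sessions:
        macs[s.identity].add(s.mac)
    return {ident: sorted(m) for ident, m in macs.items() if len(m) > 1}


def report(log_text: str):
    """Run both detections over a log and return human-readable findings."""
    sessions = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    findings = []
    for mac, ap_a, ap_b in overlapping_mac_sessions(sessions):
        findings.append(f"possible MAC spoofing: {mac} active on {ap_a} and {ap_b} at the same time")
    for ident, macs in identities_with_multiple_macs(sessions).items():
        findings.append(f"credential reuse check: {ident} seen from {', '.join(macs)}")
    return findings


if __name__ == "__main__":
    for line in report(CONSTRUCTED_LOG):
        print(line)
```

On the constructed log this flags alice's MAC (active on two floors at once) and the printer's per-device PSK (used from a second MAC), while bob's back-to-back sessions on two APs are treated as ordinary roaming. In practice the overlap test is the stronger of the two signals; the identity-to-MAC list still needs a comparison against what each user or device is allowed to have.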