The table below highlights how Wi-Fi and private cellular (CBRS spectrum in the US) wireless networks differ in their fundamental approach to device-level authentication and authorization, integration with existing enterprise networks, zero trust security models, network access control, and related topics.
For engineers who are experts in securing Wi-Fi networks and implementing the relevant network access control systems, studying these differences will inform how they can influence the co-existence of these two technologies in the same enterprise environment.
In general, a Celona private cellular network:
… brings strong device level identification and authentication capabilities,
… solves challenges of reliability for your business critical applications,
… includes app-level segmentation over the air and network access,
… ensures data privacy with full data path control and centralized encryption,
… allows IT/OT teams to have visibility and control over private cellular devices,
… is able to integrate with existing Local Area Network (LAN) policies,
… supports a zero trust strategy with APIs for extensibility and integration,
… gives enterprises the tools to address strict compliance requirements, and
… removes the need for costly and cumbersome overlay systems to manage authentication, network segmentation and access rules.
Enterprise-grade Device Level Identification
Private cellular: Inherent via the IMEI (equipment serial number) and IMSI (subscriber ID) associated with the private cellular physical SIM or embedded SIM (eSIM). IMEI plus SIM identity is used for device-level network access controls, with no need for a separate identity server to enforce them. The unique device ID can be associated with device-group-level access rules within the LAN.
Wi-Fi: Often based on the devices' MAC addresses, which carry spoofing risk and are mutable if MAC randomization is on. Utilizes PKI or an overlay Certificate Authority (CA) to issue device certificates, plus overlay MAC-based profiling / NAC products to reduce the chance of spoofing. Also configured with overlay services such as RADIUS, user-based logins, or PKI certificates for user- and device-level identification.
Enterprise-grade Device Level Authentication
Private cellular: Integrated mutual device-level authentication between endpoint and infrastructure based on SIM/eSIM identity. No need for a separate identity server to enforce it.
Wi-Fi: Wi-Fi EAP protocols are based on user credentials or certificates, and require added workflows and/or software for credential chaining to authenticate both users and devices. Device-level authentication is available via device certificates issued by the enterprise organization or via a TPM.
Private cellular: Inherent over-the-air segmentation from existing Wi-Fi networks is enhanced by Celona MicroSlicing for device-group and app-level separation of traffic flows, translated to LAN segmentation rules.
Wi-Fi: Configured with network-based VLANs, data tunneling to a controller, or vendor-specific access policies and roles. May require configuration on both the Wi-Fi and the wired LAN. Can be dynamically assigned from RADIUS. Vendor-specific implementations extend to granular layer 3-7 access policies similar to enterprise firewalls.
Data Path Privacy and Integrity
Private cellular: Within a Celona private cellular network, data remains on the LAN with an on-premises installation of Celona Edge. Inherent over-the-air control and signaling within a private cellular network stays encrypted, as do data payloads.
Wi-Fi: The data path remains on the enterprise LAN until traffic is egressed to the Internet. Encryption over the LAN is optional if the architecture includes a gateway tunnel termination device.
End User Device Data Encryption
Private cellular: Over-the-air encryption is extended to and through the LAN, enabling centralized encryption with AES-128 (equivalent to WPA3-Enterprise) at the Celona Edge, which incorporates cellular mobile core functions. Private cellular control and signaling traffic is also encrypted and has additional data integrity checks.
Wi-Fi: Configured via 802.1X SSIDs for enterprise-grade security, after eliminating the use of open / pre-shared key SSIDs for network access. Centralized encryption over the wired infrastructure is optional with a Wi-Fi controller appliance.
Infrastructure Integrity and Hardening
Private cellular: Enabled by default; a private cellular network performs mutual certificate-based authentication throughout its components.
Wi-Fi: Issues device certificates to Wi-Fi APs and enables AP whitelisting, customized DHCP options, and/or manual pre-provisioning of APs for controller-based systems.
Private cellular: Superior due to its ability to operate fully at a lower signal-to-noise ratio (SNR), greatly expanding coverage and enabling predictable connectivity in challenging environments.
Wi-Fi: Dependent on RF design specific to the enterprise environment and on endpoint capabilities; offers radio resource management solutions to dynamically manage power and channel assignments for APs. Wi-Fi signal is designed to a spec of -65 dBm, with falloff around -75 or -80 dBm.
Private cellular: Integrated with Celona's microservices architecture at the Celona Edge; additional resiliency can be configured through clustering of Celona Edge installations on-premises or in the cloud.
Wi-Fi: Configured through clustering of controllers for on-premises deployments; for cloud Wi-Fi solutions, vendors use microservices for resiliency and increased uptime for their APs.
QoS and Prioritization
Private cellular: Transmission is schedule-based, managed by the Celona software, and guaranteed; QoS and latency / throughput / packet error rate service levels are enforced both over the air with Celona MicroSlicing and extended to the LAN.
Wi-Fi: Transmission is on a contention basis, where endpoints compete for airtime; additional QoS settings are available and can be extended to the wired LAN, but the air interface stays contention-based.
Wireless to Wired Handoff
Private cellular: By default, endpoint traffic is securely tunneled back to the private cellular mobile core (Celona Edge) for traffic handling. It can also be switched, routed, or NATed (Network Address Translation) within the LAN.
Wi-Fi: Endpoint Wi-Fi traffic can be bridged locally at the edge or tunneled to a centralized gateway or controller; once on the LAN, traffic can be switched or routed to support configurations for proper segmentation.
Zero Trust Strategy Support
Private cellular: Private cellular offers strong mutual authentication and encryption along the entire user traffic data path. Endpoints are known, provisioned entities, and identity is not "guessed" as it is with headless Wi-Fi devices.
Wi-Fi: Relies on vendor-specific integrations via common enterprise interfaces (LDAP, RADIUS, and RESTful APIs).
Private cellular: Protection is enabled via strong mutual authentication between the endpoint device and the mobile core. The derived temporary keys are provided to the wireless layer to perform radio-level encryption.
Wi-Fi: A rogue AP can spoof a legitimate SSID and coax clients to the "honeypot". Standard protection comes with a properly configured 802.1X SSID, which enforces full mutual authentication before association.
Rogue / Malicious Endpoint
Private cellular: Natively protected against rogue devices and malicious endpoints through device-level identity verification.
Wi-Fi: Susceptible to rogue endpoints on SSIDs that don't enforce strong device identity and authentication, including those relying on MAC-address-specific or passphrase security. Mitigations include 802.1X with device certificates.
Spoofing Attack - Management Traffic
Private cellular: Management and signaling traffic is always encrypted. Identities and mutual authentication are pre-defined in device provisioning and offer protection before, during, and after the connection is established.
Wi-Fi: Unless 802.11w (PMF) is in use, Wi-Fi management frames are unencrypted and unauthenticated, allowing spoofing of both AP and endpoint MAC addresses / management frames. This opens the door to de-auth and other DoS attacks. 802.11w is mandatory if WPA3 is used. Note that 802.11w does not protect prior to the initial 802.11 association and 4-way handshake.
Lateral Movement via Direct Peer Comms
Private cellular: Celona MicroSlicing segments traffic over the air, preventing lateral movement through peer-to-peer communication. MicroSlicing can be applied per IP flow over the air and integrates with existing LAN policies for traffic forwarding.
Wi-Fi: Wi-Fi networks by default allow inter-station communication between endpoints connected to the same SSID. Mitigations include segmentation control with granular policies in the wireless system, or an overlay of NAC or zero trust solutions to protect against lateral movement and malware.
RF Jamming / Layer 1
Private cellular: Private cellular networks are susceptible to layer 1 jamming but not to layer 2 attacks. Endpoint devices are known to the system through provisioning and join with strong mutual authentication. Unknown or unauthorized endpoints cannot request airtime from the radio network.
Wi-Fi: Susceptible to layer 1 jamming, whether malicious in a DoS attack or simply due to nearby equipment. Malicious endpoints can use CTS/RTS frames to consume all Wi-Fi airtime as a layer 2 attack. Because the system is contention-based, Wi-Fi can be impacted by layer 1 interference; layer 2 attacks are mitigated if the RF environment (all SSIDs and endpoints) uses PMF for integrity.
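The Wi-Fi weaknesses the table keeps returning to (MAC-based identity that randomization invalidates, open/PSK SSIDs without device identity, management frames without PMF) can be checked mechanically against a controller's client inventory. The audit below is an added example, not Celona's or any vendor's code; the WifiClient record layout and the sample associations are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class WifiClient:
    """One client association as exported from a controller (constructed shape)."""
    mac: str
    ssid: str
    auth: str   # "open", "psk" or "802.1x"
    cred: str   # "none", "password" or "device-cert"
    pmf: bool   # 802.11w negotiated on this association

def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet marks a locally administered address, which is
    what MAC randomization produces; such a MAC is not a stable device identity."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)

def audit(client: WifiClient) -> list[str]:
    """Return the weak-identity findings for one client, per the table's criteria."""
    findings = []
    if is_locally_administered(client.mac):
        findings.append("randomized MAC: MAC-based NAC rules will not match reliably")
    if client.auth in ("open", "psk"):
        findings.append(f"{client.auth} SSID: no per-device identity, rogue endpoints possible")
    elif client.cred != "device-cert":
        findings.append("802.1x without device certificate: user authenticated, device is not")
    if not client.pmf:
        findings.append("no PMF (802.11w): management frames can be spoofed (de-auth DoS)")
    return findings

def audit_all(clients: list[WifiClient]) -> dict[str, list[str]]:
    """Map each client MAC to its findings; an empty list means the client passes."""
    return {c.mac: audit(c) for c in clients}

# Constructed sample inventory: one hardened client, two weakly identified ones.
SAMPLE_CLIENTS = [
    WifiClient("00:1a:2b:3c:4d:5e", "corp-secure", "802.1x", "device-cert", True),
    WifiClient("a2:11:22:33:44:55", "guest", "open", "none", False),
    WifiClient("00:11:22:33:44:66", "iot-psk", "psk", "password", False),
]

if __name__ == "__main__":
    for mac, findings in audit_all(SAMPLE_CLIENTS).items():
        print(mac, "OK" if not findings else "; ".join(findings))
```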
Supporting Your Zero Trust Strategy
In this episode of Field Journal, Andrew von Nagy of Celona talks to Jennifer Minella of Viszen Security on how enterprise network security teams can support and improve their zero trust security policies with the use of private cellular wireless networks.
Maintaining Data Privacy
Jennifer and Andrew continue their discussion by reviewing the advantages of utilizing the private LTE / 5G wireless networks to tackle data privacy and control requirements for critical applications within the enterprise.
Integrating with Enterprise Policies
The last video of this three-part series ends with Jennifer and Andrew discussing how existing enterprise local area network (LAN) segmentation policies that are already in place can be translated to private cellular wireless with the use of 5G LAN technology.
For a deeper dive into how the Celona solution can enforce enterprise network access policies on private LTE / 5G, check out our getting started guide. To see our unique "5G LAN" solution in action, pick one of our options for a product journey.