Do you have any questions?
+48 22 487 8636
Do you have any questions?
+48 22 487 8636
Wi-Fi Security 6 and 6E: How to protect your corporate WLAN from new threats?
The wireless network (WLAN) has long ceased to be just a convenient addition to a company’s infrastructure. It has become its bloodstream, the primary medium connecting not only employees’ laptops and phones, but also hundreds of IoT devices, production machines and building systems. In response to these growing demands and the enormous density of devices, new standards were born: Wi-Fi 6 (802.11ax) and its latest extension, Wi-Fi 6E. They offer not only a revolutionary leap in speed, but more importantly, significant improvements in performance, efficiency and congested ether management.
But like any new technology, Wi-Fi 6 and 6E, while introducing new capabilities, also open up a new field of discussion on security. While these standards bring with them fundamental and long-awaited improvements, such as the WPA3 protocol, simply implementing new access points is not a magical solution to all problems. Successfully securing a modern WLAN requires a holistic approach that combines the advantages of the new protocols with well-established principles for designing secure networks, such as segmentation and access control.
What are the Wi-Fi 6 (802.11ax) and Wi-Fi 6E standards and what key improvements do they introduce?
Wi-Fi 6, formally known as IEEE 802.11ax, is the latest generation of Wi-Fi technology, designed from the ground up to meet the challenges of today’s world. While previous generations focused mainly on increasing the maximum theoretical speed for a single device, Wi-Fi 6 focuses on performance and efficiency in very high-density client environments – such as offices, conference rooms, production halls and stadiums.
Wi-Fi 6E is a direct extension of the Wi-Fi 6 standard. It does not introduce new modulation technologies, but provides Wi-Fi with a completely new, pristine 6 GHz radio band. Previous Wi-Fi networks operated in the crowded and interfered 2.4 GHz and 5 GHz bands. Opening up the 6 GHz band is like adding a dozen new wide lanes to a congested highway, allowing for even higher speeds and much lower latency.
Both standards introduce a number of technologies that are revolutionizing the operation of wireless networks. The most important of these are OFDMA (Orthogonal Frequency Division Multiple Access), MU-MIMO (Multi-User, Multiple Input, Multiple Output) in both directions, and TWT (Target Wake Time), which together allow a single access point to support dozens of devices simultaneously and efficiently.
How do new technologies such as OFDMA and MU-MIMO affect network performance?
The key to understanding the revolution brought by Wi-Fi 6 is learning about Orthogonal Frequency Division Multiple Access (OFDMA) technology. In older Wi-Fi standards, when an access point (AP) communicated with a device, it occupied the entire available radio channel, even if it was only transmitting a small packet of data (such as an instant messaging message). It was as if a large truck had to carry one small package, blocking an entire lane of the highway in the process.
OFDMA divides a radio channel into dozens of smaller subchannels, called resource units (RUs). This allows an access point to simultaneously send and receive data to and from many different devices within a single transmission. To return to our analogy, it’s as if a truck could take packages to many different recipients at once, making optimal use of the available space. This technology drastically reduces latency and improves overall performance, especially in scenarios with a large number of small packets, which is typical of IoT devices.
MU-MIMO (Multi-User, Multiple Input, Multiple Output) technology, while already present, has been greatly improved in Wi-Fi 6 and works in both directions (uplink and downlink). It allows an access point to “talk” to multiple devices simultaneously, using multiple antennas and advanced beamforming techniques. The combination of OFDMA and MU-MIMO makes Wi-Fi 6 unrivaled in supporting modern dense wireless environments.
What fundamental security improvements does the WPA3 standard make?
Perhaps the most important innovation that came with Wi-Fi 6 is the mandatory support for a new security standard, WPA3 (Wi-Fi Protected Access 3). This is the successor to the long-overdue and, as it turned out, vulnerable to some attacks WPA2 protocol. WPA3 introduces a number of fundamental improvements that significantly enhance security in both corporate and home networks.
The most important change in WPA3-Personal mode (designed for smaller, password-protected networks) is the replacement of the PSK (Pre-Shared Key) protocol with a new SAE (Simultaneous Authentication of Equals) mechanism. This is a key change that makes WPA3-protected networks resistant to offline dictionary attacks, one of WPA2’s biggest weaknesses.
The WPA3-Enterprise mode, designed for large organizations, introduces the mandatory use of Protected Management Frames (PMFs), which protect management communications on the network from eavesdropping and forgery. In addition, WPA3-Enterprise offers an optional 192-bit security mode that complies with CNSA (Commercial National Security Algorithm Suite) requirements, providing an even higher level of cryptographic protection for the most demanding environments.
| The evolution of Wi-Fi Security: WPA2 vs. WPA3 | ||
| Security Aspect | WPA2-Personal/Enterprise | WPA3-Personal/Enterprise |
| Protection against dictionary attacks (offline) | Vulnerable. An attacker can intercept the “handshake” and crack passwords offline without restriction. | Resistant. The Dragonfly Handshake (SAE) protocol prevents offline attacks. Each attempt to guess a password requires a new interaction with the network. |
| Authentication | PSK (Pre-Shared Key) – simple, but vulnerable. | SAE (Simultaneous Authentication of Equals) – a much more secure key agreement protocol. |
| Encryption in public networks | None. Open Wi-Fi networks (e.g., in a coffee shop) do not encrypt traffic by default, leaving users vulnerable to eavesdropping. | Individual encryption. WPA3 Enhanced Open (OWE) automatically encrypts traffic for each individual user, even without a password. |
| The power of cryptography | Cryptography at a good level, but with some weaknesses (e.g., in key management). | Enhanced cryptography. Introduction of PMF as a standard. Optional 192-bit mode for Enterprise available. |
What is the SAE (Simultaneous Authentication of Equals) protocol in WPA3 and why is it resistant to dictionary attacks?
The SAE (Simultaneous Authentication of Equals) protocol, also known as Dragonfly Key Exchange, is the heart of the WPA3-Personal security mechanism and the biggest step forward from WPA2. To understand its strength, it’s first necessary to know the weakness of its predecessor. In WPA2-PSK, when a device connected to a network, there was a simple exchange of four packets (known as 4-way handshake). An attacker could passively intercept this exchange and then, on his own computer, try to guess the network password by checking millions of combinations per second (an offline dictionary attack).
SAE completely changes this process. Instead of a simple exchange, it introduces an interactive cryptographic protocol in which both parties (device and access point) must prove to each other that they know the password, but
If an attacker intercepts traffic from such a session, he won’t be able to use it to crack the password on his computer. He would have to initiate a new, genuine attempt to connect to the access point each time to verify that the password is correct. This moves the attack from offline to online, slowing it down drastically and making it extremely easy for security systems to detect. In practice, SAE renders Wi-Fi password dictionary attacks useless.
What are the best practices for designing and implementing a secure Wi-Fi 6/6E network?
Simply deploying Wi-Fi 6 access points and enabling WPA3 is only the beginning. Building a truly secure WLAN requires a well-thought-out architecture and the use of a series of best practices that together create a multi-layered defense.
Network segmentation: This is the absolute foundation. Never put all devices on one “flat” network. You should create separate, isolated networks (SSIDs mapped to different VLANs) for different groups of users and devices. The bare minimum is a separate network for corporate employees, a separate one for guests and a separate one for IoT devices.
Strong authentication: In corporate environments, the WPA3-Enterprise standard should always be used instead of a simple password ( WPA3-Personal). It uses the 802.1X protocol to authenticate each user individually, usually based on their Active Directory credentials and digital certificates. This gives much more control and the ability to track activity.
Monitoring and protection: WIDS/WIPS (Wireless Intrusion Detection/Prevention System) systems should be implemented, which monitor the radio spectrum for unauthorized (fake) access points, attempted deauthorization attacks or other malicious activity. Also key is the integration of WLANs with NAC (Network Access Control), which allows security policies to be enforced and the status of devices to be assessed before they are allowed on the network.
How can nFlo help you audit, design and deploy a secure next-generation WLAN?
At nFlo, we understand that the wireless network is the operational backbone of most companies today, and its security and performance have a direct impact on business. Our approach to WLANs is comprehensive – we combine deep engineering knowledge with cyber security expertise to deliver solutions that are not only fast, but most importantly resilient to attacks.
Our services begin with a professional audit and design (Site Survey). Before we deploy even a single access point, we conduct a detailed analysis of the radio environment, mapping coverage and capacity needs and designing optimal device placement. In parallel, we conduct a security audit of the existing Wi-Fi network, identifying configuration weaknesses, outdated protocols or segmentation gaps.
We specialize in deploying and configuring secure Wi-Fi 6/6E networks based on solutions from leading manufacturers. Our team not only installs the hardware, but more importantly implements security best practices – from WPA3-Enterprise configuration with 802.1X authentication, to segmentation-based architecture design, to integration with
About the author:
Łukasz Szymański
Łukasz is an experienced professional with a long-standing career in the IT industry. As Chief Operating Officer, he focuses on optimizing business processes, managing operations, and supporting the long-term growth of the company. His versatile skills encompass both technical and business aspects, as evidenced by his educational background in computer science and management.
In his work, Łukasz adheres to the principles of efficiency, innovation, and continuous improvement. His approach to operational management is grounded in strategic thinking and leveraging the latest technologies to streamline company operations. He is known for effectively aligning business goals with technological capabilities.
Łukasz is, above all, a practitioner. He built his expertise from the ground up, starting his career as a UNIX/AIX systems administrator. This hands-on technical knowledge serves as a solid foundation for his current role, enabling him to deeply understand the technical aspects of IT projects.
He is particularly interested in business process automation, cloud technology development, and implementing advanced analytics solutions. Łukasz focuses on utilizing these technologies to enhance operational efficiency and drive innovation within the company.
He is actively involved in team development, fostering a culture of continuous learning and adaptation to changing market conditions. Łukasz believes that the key to success in the dynamic IT world lies in flexibility, agility, and the ability to anticipate and respond to future client needs.