Note to the Reader: Throughout this index boldfaced page numbers indicate primary discussions of a topic. Italicized page numbers indicate illustrations.
3DES encryption, 67
4-Way Handshake process
AKM, 169
PMKSA, 220
PSKs, 372–373
roaming, 383
RSNAs, 20, 156–158, 157–158, 172
RSNs, 176
TDLS, 174–176
TKIP, 41
TKIP and CCMP, 69
vulnerabilities, 411
WPA/WPA2-Personal, 197
60-second shutdown, 43
802.11 data frames (MPDUs), 68, 69, 497, 497
WEP, 70–71
802.11 networks
auditing. See audits
basics, 12–14
control frames, 497
data frames, 497
EAP authentication. See 802.1x/EAP authentication; EAP (Extensible Authentication Protocol)
infrastructure. See infrastructure
integration service, 258–259
Layer 2 dynamic encryption key generation. See dynamic encryption key generation
legacy security. See legacy 802.11 security
management frames, 497
monitoring. See monitoring
policies. See policies
roaming. See fast secure roaming (FSR)
security basics, 14
authentication, authorization, and accounting, 16–17
monitoring, 17
policies, 18
segmentation, 17
security history, 18–21
802.11i amendment, 18–20
RSNs, 20–21
security risks. See risks
VPNs. See virtual private networks (VPNs)
802.11 Wi-Fi CERTIFIED programs, 8–9
802.11n-2009 amendment, 506–507, 507
802.11w-2009 amendment, 418, 508–509
802.1x/EAP authentication, 95–96
authentication servers, 102–106, 103–104
authenticators, 99–102, 100–102
certificates, 114–120, 115, 117–118
legacy protocols, 121–122
overview, 89–90
PEAP authentication, 501–502
troubleshooting
overview, 374–375
zone 2, 378–382, 378–379, 381–382
AAA (authentication, authorization, and accounting), 16–17, 90–91
authentication, 91–92
authorization, 92–93
NAC, 354–355
RADIUS servers, 293–294
AAA keys, 171
AAD (additional authentication data) in CCMP, 75, 76
acceptable use policies, 526–527
Access-Accept RADIUS, 295, 295
Access-Challenge RADIUS, 295, 295
access layers of networks, 12–13
access points (APs), 13
centralized network management systems, 263–265, 264
controller-based, 263
data planes, 261
FSR, 244–245
MDM architecture, 325
Open System authentication, 31, 32
physical security policies, 527
preauthentication, 225–227
rogue devices, 398–399, 399, 486–489, 487–488, 538, 542
scanning, 405–406
Shared Key authentication, 33
WIDS/WIPS, 474–477
Access-Reject RADIUS, 295, 295
acknowledgment (ACK) frames, 416
Action frames in FT, 239–240, 240
Active Directory (AD), 91, 121, 293
active scanning, 405–406
ad hoc policies, 542
ad hoc rogue mitigation, 488, 488
additional authentication data (AAD) in CCMP, 75, 76
Address Resolution Protocol (ARP) flooding, 425
addresses
IP, 248–249
MAC. See MAC (media access control) addresses
OUI, 50
Advanced Encryption Standard (AES)
CCMP, 19
IPSec, 47
overview, 67–68
Suite B, 79
Aerohive Networks, 270
aesthetics, 428–429
agent software in MDM, 331–332, 332
AHs (Authentication Headers), 47
Aircrack-ng tool, 34, 451, 460, 461
AirMagnet WiFi Analyzer, 449, 449, 496
Airodump tool, 460
AirSnort tool, 460
AKM (authentication and key management) services, 166–170, 167–169, 235
AKMP (authentication and key management protocol), 166, 222
Albano, Mike, 371
all-band interference, 446, 447
American Standard Code for Information Interchange (ASCII), 15
AMPE (Authenticated Mesh Peering Exchange), 205
analyzers vs. sniffers, 442
angle of arrival (AoA), 493
ANonces (authenticator nonces), 175–176, 197
anonymous identities, 129
antennas for auditing, 458
AoA (angle of arrival), 493
AP-to-AP handoff communications, 218–219, 219
AP/WLAN controllers, 325
APIs (application programming interfaces), 339
APNs (Apple Push Notification service), 325
Apple Configurator, 329
Apple Push Notification service (APNs), 325
application management in MDM, 335, 335–336
application programming interfaces (APIs), 339
APs. See access points (APs)
ARC4 (Arcfour) algorithm, 66, 72
architecture, 261
bridging, 274–275
centralized, 265
centralized network management systems, 263–265, 264
cloud computing, 265
enterprise routers, 272–273
hybrid, 272
mesh access points, 273–274, 274
unified, 272
WLAN controllers, 266–269, 266
ARP (Address Resolution Protocol) flooding, 425
ASCII (American Standard Code for Information Interchange), 15
Asleap tool, 46, 126, 450–451, 450
ASs (authentication servers), 96
certificates, 115
LDAP, 292
association floods, 418
associations
PMKSAs, 181, 221–224, 221–224, 226
RSNAs. See robust security network associations (RSNAs)
SMKSAs, 181
STKSAs, 181
asymmetric encryption algorithms, 63–64, 64
attacks. See risks
attribute value pairs (AVPs), 95, 307–308, 308
attributes, LDAP, 311
audiences for general policies, 517
audits
documenting, 455–456
exam essentials, 463
general policies, 517
OSI Layer 1, 442–446, 445, 447
overview, 440–442
penetration testing, 449–453, 450–451
policies, 520–521
recommendations, 456
review questions, 464–468
social engineering, 453–454
summary, 462
tools
overview, 457–459
WIPS, 454
wired infrastructure, 453
Authenticated Mesh Peering Exchange (AMPE), 205
authentication, 89
AAA, 90–95
audit recommendations, 456
audit tools for, 459
exam essentials, 144–145
Layer 2. See Layer 2 authentication
legacy 802.11 security, 30–31
legacy protocols, 121–122
MAC, 306–307
review questions, 146–150
RSNs for, 18
summary, 144
authentication, authorization, and accounting (AAA), 16–17, 90–91
authentication, 91–92
authorization, 92–93
NAC, 354–355
RADIUS servers, 293–294
authentication and key management (AKM) services, 166–170, 167–169, 235
authentication and key management protocol (AKMP), 166, 222
authentication attacks, 409–411, 410
authentication cracking software tools, 450–451, 450–451
Authentication Headers (AHs), 47
authentication key management (AKM) suites, 235
authentication servers (ASs), 96
certificates, 115
LDAP, 292
authenticator MACs, 222
authenticator nonces (ANonces), 175–176, 197
authenticators, 96, 99–102, 100–102
overview, 92–93
PMKSA, 222
authorized devices, 481
auto-classification, 481–482, 482
automatic PAC provisioning, 137–139, 138
autonomous access points, 13
autonomous architecture, 261–263, 262
AVPs (attribute value pairs), 95, 307–308, 308
bandwidth management in Voice Enterprise, 247
banking regulations, 534–536
baseline practices in functional policies, 522
basic service set identifiers (BSSIDs)
FakeAP, 419
rogue detection, 482–486, 483–485
basic service sets (BSSs)
FT. See fast basic service set transition (FT) amendment
management frames for, 497
Open System authentication, 31
peer-to-peer attacks, 426
Shared Key authentication, 33
battery life in Voice Enterprise, 247
beaconing, illegal, 418
Beck-Tews attacks, 78
behavioral analysis, 471, 495–496, 496
best practices for troubleshooting, 366–368, 368
biometrics, 90
BIP (Broadcast/Multicast Integrity Protocol), 508
bits, 71
blacklisting policies, 325
block ciphers, 65
blocking, peer-to-peer, 427
blueprinting devices, 460
Bluetooth (BT) technology, 446
Boolean Exclusive-OR operations
stream ciphers, 65
WEP, 70
branch routers, 273
bridged virtual interfaces (BVIs), 262
bridging, 274–275
bring your own devices (BYODs), 321
captive portals, 307
exam essentials, 359
MDM. See mobile device management (MDM)
policies, 542
proprietary PSKs, 204
review questions, 360–363
self service device onboarding, 336–339, 338
summary, 358–359
broadcast frames, 416
broadcast keys, 155
Broadcast/Multicast Integrity Protocol (BIP), 508
broadcast SSIDs, 51–52
brokers, RADIUS, 294
brute-force dictionary attacks
in penetration testing, 451
preshared keys, 411
WPA/WPA2-Personal, 200
brute-force key attacks, 66
BSSIDs (basic service set identifiers)
FakeAP, 419
rogue detection, 482–486, 483–485
BSSs. See basic service sets (BSSs)
BT (Bluetooth) technology, 446
Burp Suite tools, 451
BVIs (bridged virtual interfaces), 262
BYODs. See bring your own devices (BYODs)
bytes, 71
caching
CACs (Common Access Cards), 111
calibration, RF, 492
captive portals
guest access, 342–343, 343–344, 432
MAC authentication, 306–307
piggy-backing attacks, 421
CAPWAP (Control and Provisioning of Wireless Access Points), 264, 267, 473
cardholder data environment (CDE), 538–541
care-of addresses, 250
Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), 414, 419
casual eavesdropping, 404–406, 405
CBC (Cipher-Block Chaining), 74, 79
CBC-MAC (Cipher-Block Chaining Message Authentication Code), 74
CCA (clear channel assessment), 415, 415, 444
CCKM (Cisco Centralized Key Management), 230
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), 19, 67
4-Way Handshake process, 69
future, 79
OSI model, 369
policies, 501–502
CDE (cardholder data environment), 538–541
CDMA2000 networks, 141
CDP (Cisco Discovery Protocol), 408
CEN (cloud-enabled networking), 265
centralized architecture, 265
centralized data forwarding, 267–269, 268
centralized network management systems, 263–265, 264
centralized RADIUS, 301–303, 301–303
certificate authorities (CAs)
client certificates, 119–120
certificates
802.1x/EAP authentication, 114–120, 115, 117–118
server and root CA, 115–119, 115, 117–118
supplicant credentials, 107–109, 108
supplicant troubleshooting, 378–382, 378–379, 381–382
certifications, Wi-Fi Alliance, 7–11, 7–8
Certified Trust Lists (CTLs), 118
chaining, EAP, 142
Challenge Handshake Authentication Protocol (CHAP), 121
change control policies, 524
Change of Authorization (CoA), 355–356
channel beaconing, 418
channel scanners, 472–473
CHAP (Challenge Handshake Authentication Protocol), 121
CIDs (company-issued devices), 322
Cipher-Block Chaining (CBC), 74, 79
Cipher-Block Chaining Message Authentication Code (CBC-MAC), 74
Cisco Centralized Key Management (CCKM), 230
Cisco Discovery Protocol (CDP), 408
Cisco Key Integrity Protocol (CKIP), 72
Cisco Message Integrity Check (CMIC), 72
Citrix vendor, 323
CKIP (Cisco Key Integrity Protocol), 72
classification, device, 480–482, 481–482
device tracking, 489–494, 489–491, 493
rogue detection, 482–486
rogue mitigation, 486–489, 487–488
clear channel assessment (CCA), 415, 415, 444
clear text
EAP-LEAP, 126
EAP-MD5, 126
client isolation
guest access, 345
peer-to-peer attacks, 426–427, 427
client/server RADIUS servers, 105
client/server VPNs, 45
clients
load balancing, 260
roaming thresholds, 217–218, 217
troubleshooting, 370–371
CLIs (command-line interfaces), 282–284, 283–284
cloaking SSIDs, 51–53
closed networks, 51–52
cloud computing, 265
cloud-enabled networking (CEN), 265
CloudCracker tool, 411
CMIC (Cisco Message Integrity Check), 72
CoA (Change of Authorization), 355–356
COBIT (Control Objectives for Information and Related Technology), 533
codes, cryptology, 15
command-line interfaces (CLIs), 282–284, 283–284
command responders in SNMP, 281
Committee of Sponsoring Organizations (COSO), 533
Common Access Cards (CACs), 111
communication of policies, 519
community-based SNMP, 282
community strings, 281–282
company-issued devices (CIDs), 322–324, 324
compliance reports, 541
configuration, management planes, 260
consumerization of IT, 322
content filtering in guest access, 345
Control and Provisioning of Wireless Access Points (CAPWAP), 264, 267, 473
control frames, 497
Control Objectives for Information and Related Technology (COBIT), 533
controlled ports
4-Way Handshake process, 176
controller-based access points, 263, 265
controllers
data forwarding models, 267–269
data planes, 261
MDM architecture, 325
remote office, 269
Converged Wireless Group-RF Profile (CWG-RF) programs, 10
core layer in networks, 12–13
core technology and security program, 9
Corporate Responsibility for Financial Reporting section of SOX, 532–533
corporate security policies for audits, 455
corrupted frames, 506
COSO (Committee of Sponsoring Organizations), 533
cost vs. security, 91–92
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), 19, 67
4-Way Handshake process, 69
future, 79
OSI model, 369
policies, 501–502
countermeasures in TKIP, 41, 43
coverage surveys, 250
cracking
CRCs (cyclic redundancy checks), 37–40, 38, 70, 416
credentials, 89–90
supplicant. See supplicants
credit cards, 538–541
Critical alarm level, 505
critical security parameters (CSPs), 531
CRM (customer relationship management), 356–357
cryptanalysis, 16
cryptographic keys, 47
cryptography, 15. See also encryption
cryptology, 15
CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance), 414, 419
CSPs (critical security parameters), 531
CTLs (Certified Trust Lists), 118
customer relationship management (CRM), 356–357
CWG-RF (Converged Wireless Group-RF Profile) programs, 10
cyclic redundancy checks (CRCs), 37–40, 38, 70, 416
Daemen, Joan, 67
DAs (destination addresses) in TKIP, 42
data destruction by rogue devices, 401
Data Encryption Standard (DES), 47, 66
data forwarding models, 267–269
data frames in 802.11, 497
data insertion
audit tools for, 459
by rogue devices, 401
data privacy, 14–16, 15–16, 19
Data Safeguards section in HIPAA, 537
data theft by rogue devices, 401
data traffic coexistence in Voice Enterprise, 247
databases, LDAP-compliant, 102
Datagram Transport Layer Security (DTLS), 264
DDoS (distributed denial-of-service) attacks, 402
de facto standards, 30
de jure standards, 30
deauthentication, 416–417, 417, 508
decryption
WEP, 38
DECT (Digital Enhanced Cordless Telecommunications) phones, 446
deep packet inspection (dpi), 342
Defense Department directive 8420.1, 529–530
demilitarized zones (DMZs), 340, 341
denial-of-service (DoS) attacks, 402, 411–412
audit tools for, 459
encryption cracking, 425–426, 426
Layer 1, 412–416, 413–415, 443
MAC spoofing, 420–423, 422–423
management interface exploits, 427–428
peer-to-peer attacks, 426–427, 427
physical damage and theft, 428–430, 429–430
social engineering, 430–431
vendor proprietary attacks, 428
wireless hijacking, 423–425, 424
Department of Defense (DoD)
CAC use, 111
directive 8420.1, 529–530
deployment
RADIUS servers, 299–303, 300–303
DES (Data Encryption Standard), 47, 66
design
in functional policies, 522
troubleshooting, 372
destination addresses (DAs), TKIP, 42
device classification, 480–482, 481–482
device tracking, 489–494, 489–491, 493
rogue detection, 482–486
rogue mitigation, 486–489, 487–488
device wipes, 334
devices as RADIUS servers, 306
DHCP (Dynamic Host Configuration Protocol) servers
hijacking, 423–424
OS fingerprinting, 353–354
dictionary attacks
in penetration testing, 450–451
preshared keys, 411
SAE for, 206
WPA/WPA2-Personal, 200
Diffie-Hellman key exchange
EAP-FAST, 138
IPSec, 47
digital certificates
802.1x/EAP authentication, 114–120, 115, 117–118
server and root CA, 115–119, 115, 117–118
supplicant credentials, 107–109, 108
supplicant troubleshooting, 378–382, 378–379, 381–382
Digital Enhanced Cordless Telecommunications (DECT) phones, 446
digital watermarking, 16
direct sequencing spread spectrum (DSSS), 404, 498
directive 8420.1, 529–530
directory services, 292
disassociation frames, 416–417, 508
discovery
last mile, 494
passphrase-to-PSK mapping, 182
dissolvable agents in NAC, 352
distributed architecture, 270–272
distributed data forwarding, 267–269, 269
distributed denial-of-service (DDoS) attacks, 402
distributed sites, 300–303, 301–303
Distributed Spectrum Analysis Systems (DSAS), 404, 446, 499
distribution layer, 12–13
distribution system medium (DSM), 218, 259
distribution system services (DSS), 259
distribution systems (DS), 218
DMZs (demilitarized zones), 340, 341
documenting audits, 455–456
DoD (Department of Defense)
CAC use, 111
directive 8420.1, 529–530
domains
mobility, 231
DoS attacks. See denial-of-service (DoS) attacks
downtime management, 520
dpi (deep packet inspection), 342
Dragonfly key exchange, 205
drivers, 96
DS (distribution systems), 218
DSAS (Distributed Spectrum Analysis Systems), 404, 446, 499
DSM (distribution system medium), 218, 259
DSS (distribution system services), 259
DSSS (direct sequencing spread spectrum), 404, 498
DTLS (Datagram Transport Layer Security), 264
dual-SSID onboarding, 337–338, 338
Duration/ID field, 419–420
dynamic encryption audit recommendations, 456
dynamic encryption key generation, 152
exam essentials, 184–185
review questions, 186–191
RSNs. See robust security networks (RSNs)
security of, 156
summary, 184
WEP, 39
Dynamic Host Configuration Protocol (DHCP) servers
hijacking, 423–424
OS fingerprinting, 353–354
dynamic RF, 260
EAP (Extensible Authentication Protocol), 9–10, 19, 95, 97, 98
authentication. See 802.1x/EAP authentication
certificates, 108–109, 114–120, 115, 117–118
dynamic encryption key generation, 152–153, 153–154
EAP-AKA, 141–142
EAP-MD5, 125–126
EAP-PEAPv0, 132
EAP-PEAPv1, 132–133
EAP-POTP, 141
EAP-SIM, 141
EAP-TEAP, 142
EAP-TLS, 119, 132, 134–136, 135
frame exchanges, 142–144
and PKI, 63–64
weak, 125
EAP-Authentication and Key Agreement (EAP-AKA), 141–142
EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) protocol, 109, 136–140, 138
EAP-Generic Token Card (EAP-GTC), 132–133
EAP-Lightweight Extensible Authentication Protocol (EAP-LEAP), 109, 126–128, 127
EAP-MD5 (EAP-Message Digest5), 125–126
EAP-Message attribute, 308
EAP-MSCHAPv2, 132
EAP over LAN (EAPOL) encapsulation, 120, 122–123
EAP-PEAP (EAP-Protected Extensible Authentication Protocol), 130–133, 131, 375
EAP-PEAPv0, 132
EAP-PEAPv1, 132–133
EAP-Protected One-Time Password Protocol (EAP-POTP), 141
EAP-Subscriber Identity Module (EAP-SIM), 141
EAP Transport Layer Security (EAP-TLS), 132, 134–136, 135, 375
EAP-Tunneled Transport Layer Security (EAP-TTLS), 133, 134
EAPOL (EAP over LAN) encapsulation, 120, 122–123
EAPOL floods, 508
EAPOL-Key frames exchange, 155, 175–176
eavesdropping, 404
authentication attacks, 409–411, 410
malicious, 406–407
preventing, 409
risks, 407–408
ECDSA (Elliptical Curve Digital Signature Algorithm), 79
eDirectory LDAP, 293
eduroam authentication, 305
Elliptical Curve Diffie-Hellman (ECDH) Key Exchange, 80
Elliptical Curve Digital Signature Algorithm (ECDSA), 79
employee sponsorship, guest access, 348–349, 349
Encapsulating Security Payload (ESP), 47, 384
encapsulation, VPNs, 276
encrypted guest access, 351–352
encryption, 62
3DES, 67
AES, 67–68
audit recommendations, 456
audit tools for, 459
CCMP. See CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
DES, 66
dynamic key generation. See dynamic encryption key generation
exam essentials, 81
FIPS levels, 531
future methods, 79
IPSec, 47
OSI model, 369
policies, 524–525
proprietary layer 2 implementations, 80
RC4, 66
RC5, 66
review questions, 82–85
stream and block ciphers, 65
summary, 80–81
symmetric and asymmetric algorithms, 63–64, 64
WEP. See Wired Equivalent Privacy (WEP)
WLAN methods, 68–69
WPA/WPA2, 78–79
endpoint policies, 525–526
enforcement of policies, 501–503, 502, 521
enhanced data security in TKIP, 41
enrollment in MDM, 325–328, 326–329
enterprise routers, 272–273
enterprise wipes, 334
enumerating network devices, 460
ESP (Encapsulating Security Payload), 47, 384
ESS (extended service sets), 231
ESSIDs (extended service set identifiers), 52
evil twin attacks, 423–425, 424
Exclusive-OR (XOR) operations
stream ciphers, 65
WEP, 70
expectations, troubleshooting, 372
Extended IV, 73
extended service set identifiers (ESSIDs), 52
extended service sets (ESS), 231
Extensible Authentication Protocol. See EAP (Extensible Authentication Protocol)
Extensible Markup Language (XML), 329
failover in RADIUS, 305–306, 306
FakeAP tool, 419
false positives, 505–506
Faraday cages, 409
FAs (foreign agents), 249–250
fast basic service set transition (FT) amendment, 184
compatibility, 242–243
information elements, 235–236, 236
initial mobility domain associations, 236–238, 237
fast BSS transition information elements (FTIEs), 236, 236
fast secure roam-back, 225
fast secure roaming (FSR), 184, 216
802.11k, 243–245
802.11v, 246
exam essentials, 251–252
FT amendment. See fast basic service set transition (FT) amendment
proprietary, 230
review questions, 253–256
roaming history, 216–220, 217, 219
summary, 251
Voice Enterprise, 247–248
fat access points, 261
FCS (frame check sequence), 43, 68, 76, 497
Federal Information Processing Standards (FIPS), 528
AES encryption, 67
cryptography requirements, 18
DES encryption, 66
FIPS 140-2 regulations, 283
mandates, 530–532
validation, 68
FHSS (frequency hopping spread spectrum) transmissions, 404, 498
filters
guest access content, 345
and eavesdropping, 408
Financial Modernization Act, 534–536
Financial Privacy Rule, 534
fingerprinting
NAC, 353–354
RF, 492
FIPS. See Federal Information Processing Standards (FIPS)
firewalls
distributed architecture, 271
endpoint policies, 526
guest access, 341–342, 341–342
hotspots, 432
PCI requirements, 540
firmware management, 260
five tenets of troubleshooting
client issues, 370–371
design, 372
user expectations, 372
Fixed Mobile Convergence (FMC), 142
flooding attacks, 418
ARP, 425
association, 508
FMC (Fixed Mobile Convergence), 142
foreign agents (FAs), 249–250
forensic analysis, 499–500, 500
Fortress Technologies, 80
forwarding models, 267–269
frame check sequence (FCS), 43, 68, 76, 497
frames
vs. packets, 442
TKIP, 44
frequency hopping spread spectrum (FHSS) transmissions, 404, 498
FSR. See fast secure roaming (FSR)
FT. See fast basic service set transition (FT) amendment
FTAA (FT authentication algorithm), 239, 239
FTIEs (fast BSS transition information elements), 236, 236
full-time sensors, 476
functional policies, 521–522
acceptable use, 526–527
authentication and encryption, 524–525
change control, 524
endpoint, 525–526
monitoring, 525
password, 522–523
physical security, 527
RBAC, 523
remote office, 527–528
Galois/Counter Mode (GCM), 79
Galois/Counter Mode Protocol (GCMP), 67–68, 79
GCM (Google Cloud Messaging), 325
general policies, 517
Generic Routing Encapsulation (GRE) protocol, 267, 340, 341
GLBA (Gramm-Leach-Bliley Act), 527, 534–536
global positioning system (GPS) devices, 406
Global System for Mobile Communications (GSM), 141
GMKs (group master keys), 172–173, 173
GoDaddy certificate service, 116
Google Cloud Messaging (GCM), 325
government and industry regulations, 528
compliance reports, 541
Department of Defense directive 8420.1, 529–530
FIPS, 530–532
GLBA, 534–536
HIPAA, 536–538
PCI standard, 538–541
SOX, 532–534
GPOs (Group Policy Objects), 339
GPS (global positioning system) devices, 406
Gramm-Leach-Bliley Act (GLBA), 527, 534–536
GRE (Generic Routing Encapsulation) protocol, 267, 340, 341
Greenfield PHY headers, 507
Group Key Handshake, 177–179, 178
group keys for RSNAs, 170
group master keys (GMKs), 172–173, 173
Group Policy Object (GPO), self service device onboarding, 339
Group Temporal Key Security Associations (GTKSAs), 181
group temporal keys (GTKs)
Group Key Handshake, 177–178, 178
TKIP, 41
GSM (Global System for Mobile Communications), 141
GTKSAs (Group Temporal Key Security Associations), 181
guest access
captive portals, 342–343, 343–344
employee sponsorship, 348–349, 349
encryption, 351–352
exam essentials, 359
firewall policies, 341–342, 341–342
hotspots, 432–433
limiting, 345
overview, 339
policies, 542
review questions, 360–363
social login, 349–350, 350–351
SSIDs, 340
summary, 358–359
handheld diagnostic tools, 368, 368
handshakes
4-way. See 4-Way Handshake process
Group Key Handshake, 177–179, 178
hardware-based sensors, 472–473, 473
hardware OTPs, 109
HAs (home agents), 249–250
Hashed Message Authentication Codes (HMAC), 47, 227
HATs (home agent tables), 249–250
Health Insurance Portability and Accountability Act (HIPAA), 527, 536–538
hierarchy
High Throughput (HT)
TKIP, 43
WEP, 78–79
High Throughput (HT) stations, 506–507
hijacking, wireless, 423–425, 424
HIPAA (Health Insurance Portability and Accountability Act), 527, 536–538
HMAC (Hashed Message Authentication Codes), 47, 227
home addresses, 249
home agent tables (HATs), 249–250
home agents (HAs), 249–250
HomeRF devices, 447
honeypots, 129
Hotspot 2.0, 351–352
HT (High Throughput)
TKIP, 43
WEP, 78–79
HT Greenfield mode, 507
HT (High Throughput) stations, 506–507
HTTP fingerprinting, 354
HWMP (Hybrid Wireless Mesh Protocol), 205
hybrid architecture, 272
Hybrid Wireless Mesh Protocol (HWMP), 205
Hypertext Transfer Protocol Secure (HTTPS), 284–285, 453
IA (information assurance) in SOX, 533
IAB (Internet Architecture Board), 5, 6
IANA (Internet Assigned Number Authority), 104
IBM vendor, 323
IBSS. See independent basic service sets (IBSS)
ICANN (Internet Corporation for Assigned Names and Numbers), 6, 6
ICCs (integrated circuit cards), 110
ICV (Integrity Check Value)
identity provider (IdP), 356–357
IEEE (Institute of Electrical and Electronics Engineers), 4–5. See also 802.11 networks
IESG (Internet Engineering Steering Group), 6–7, 6
IETF (Internet Engineering Task Force), 5–7, 6
IETF RFC 2866, 92
IKE and IKEv2 (Internet Key Exchange) protocol, 47, 384–386
illegal channel beaconing, 418
implementation in functional policies, 522
in-scope wireless networks, 539
independent basic service sets (IBSS)
IBSS with Wi-Fi Protected Setup, 11
Open System authentication, 31
peer-to-peer attacks, 426
rogue mitigation, 488
Shared Key authentication, 33
information assurance (IA) in SOX, 533
Information Systems Audit and Control Association (ISACA), 533
Information Technology Management Reform Act, 530
infrastructure, 258
802.11 services, 258–259
architecture. See architecture
exam essentials, 285–286
logical planes of operation, 259–261
RADIUS servers. See Remote Authentication Dial-in User Service (RADIUS) servers
review questions, 286–289
summary, 285
VPN security, 275–279, 276, 278–279
initial mobility domain associations, 236–238, 237
initialization vectors (IVs), 36, 36, 70, 460
inner identities, 128
insertion
audit tools for, 459
by rogue devices, 401–402
Institute of Electrical and Electronics Engineers (IEEE), 4–5. See also 802.11 networks
integrated circuit cards (ICCs), 110
integrated OS supplicants, 96–97, 97
integrated WIDS/WIPS architecture, 475–477, 478
integration service (IS), 258–259
Integrity Check Value (ICV)
intelligent edge access points, 263
intentional interference, 412–413
interference
jamming, 412–416, 413–415, 443–444
Layer 1 DoS attacks, 412–413
International Organization for Standardization (ISO), 3–4
Internet Architecture Board (IAB), 5, 6
Internet Assigned Number Authority (IANA), 104
Internet Corporation for Assigned Names and Numbers (ICANN), 6, 6
Internet Engineering Steering Group (IESG), 6–7, 6
Internet Engineering Task Force (IETF), 5–7, 6
Internet Key Exchange (IKE and IKEv2) protocol, 47, 384–386
Internet of Things (IoT)
proprietary PSKs, 204
security policies, 516
Internet Protocol Security (IPsec), 47, 277
Internet Research Task Force (IRTF), 6, 6
Internet Security Association and Key Management Protocol (ISAKMP), 47
intrusion detection systems. See wireless intrusion detection systems/wireless intrusion prevention systems (WIDS/WIPS)
IoT (Internet of Things)
proprietary PSKs, 204
security policies, 516
IP packets, 45
IP tunneling, 267
iPhone Configuration Utility, 329
IPsec (Internet Protocol Security), 47, 277
IRTF (Internet Research Task Force), 6, 6
IS (integration service), 258–259
ISACA (Information Systems Audit and Control Association), 533
ISAKMP (Internet Security Association and Key Management Protocol), 47
ISM band interference, 444–446, 445, 447
ISO (International Organization for Standardization), 3–4, 4
isolation, guest access, 345
IV/Key IDs, 73
IVs (initialization vectors), 36, 36, 70, 460
JAMF Software vendor, 323
jamming, 412–416, 413–415, 443–444
John the Ripper tool, 451
Kali Linux tool, 451, 452, 460
Key Confirmation Keys (KCKs), 173, 173
Key Encryption Keys (KEKs), 173, 173
key holder roles, 232
key mixing in TKIP, 41–42
Keyed-Hash Message Authentication Code (HMAC), 47, 227
keying material, 153
3DES, 67
CCMP, 74
dynamic. See dynamic encryption key generation
IPSec, 47
RC5, 66
TKIP, 72
kiosk mode in guest access, 347, 348
L2TP (Layer 2 Tunneling Protocol), 46–47
laptops as audit tools, 458
last mile discovery, 494
Layer 1 DoS attacks, 412–416, 413–415
Layer 2 authentication
802.1X overview, 95–96, 114–120, 115, 117–118
authentication servers, 102–106, 103–104
authenticators, 99–102, 100–102
EAP. See 802.1x/EAP authentication
legacy protocols, 121–122
supplicants
credentials. See supplicants
Layer 2 DoS attacks, 416–420, 417, 419
Layer 2 dynamic encryption key generation. See dynamic encryption key generation
Layer 2 Tunneling Protocol (L2TP), 46–47
Layer 3 roaming, 248–250, 249, 384, 384
Layer 3 VPNs, 277
LCI (location configuration information), 492
LDAP. See Lightweight Directory Access Protocol (LDAP)
leakage, wired, 408
LEAP (Lightweight Extensible Authentication Protocol), 122, 126–128, 127, 410–411
legacy 802.11 security
authentication, 30–31
exam essentials, 55
review questions, 56–60
SSID cloaking, 51–54
summary, 54–55
uses, 54
legacy 802.11n format, 507
legacy devices, 204
levels
alarms, 505
FIPS encryption, 531
liability waivers for audits, 455
lifetime of PMKs, 222
Lightweight Directory Access Protocol (LDAP)
attributes, 311
authenticators, 99
LDAP-compliant databases, 102
MDM architecture, 325
MDM enrollment, 327
overview, 292–293
passwords, 523
proxy, 298
Lightweight Extensible Authentication Protocol (LEAP), 122, 126–128, 127, 410–411
Link Layer Discovery Protocol (LLDP), 408
Linux-based audit tools, 460–462, 461
LLC (Logical Link Control) sublayer, 12
LLDP (Link Layer Discovery Protocol), 408
load balancing, 260
location configuration information (LCI), 492
location tracking, 489–494, 489–491, 493
logging in TKIP, 43
Logical Link Control (LLC) sublayer, 12
logical planes of operation, 259–261
loss of services from rogue devices, 401
MAC (media access control) addresses
authentication, 306–307
piggy-backing attacks, 421
MAC (Media Access Control) sublayer, 12
MAC Protocol Data Units (MPDUs), 68, 69
WEP, 70–71
MAC Service Data Units (MSDUs), 32
encryption cracking, 425
integration service for, 258
protecting, 409
TKIP, 42–43
WLAN encryption, 68–71
machine authentication, 112–114, 113
Major alarm level, 505
malicious data insertion
audit tools for, 459
by rogue devices, 401–402
malicious eavesdropping, 406–407
man-in-the-middle attacks, 116, 424, 424
management
overview, 280–281
Management Assessment of Internal Controls section of SOX, 533
management consoles for WIDS/WIPS, 472, 472
management frame protection (MFP), 418, 508
management information bases (MIBs), 281
management interface exploits, 427–428
Management MAC Protocol Data Units (MMPDUs), 497
management planes, 259–260, 265
mapping passphrases to PSKs, 182–183, 196–200, 197
masquerading, audit tools for, 459
master keys
AKM, 169
PMKs. See pairwise master keys (PMKs)
RSNAs, 171–172
SMKs, 179
master session keys (MSKs)
RSNAs, 171
MD5 (Message Digest 5), 47, 125–126
MDID (mobility domain identifier) field, 235
MDIE (mobility domain information element), 235, 236
MDM. See mobile device management (MDM)
measurement and management in Voice Enterprise, 247
media access control (MAC) addresses
authentication, 306–307
piggy-backing attacks, 421
Media Access Control (MAC) sublayer, 12
mesh access points, 273–274, 274
mesh protocols, 260
mesh temporal keys (MTKs), 207
Message-Authenticator attribute, 308
Message Digest 5 (MD5), 47, 125–126
Message Integrity Code (MIC), 72–73
CCMP, 75–76
Cisco, 73
MFP (management frame protection), 418, 508
MIBs (management information bases), 281
MIC (Message Integrity Code), TKIP, 41–43
Microsoft Certificate Services, 116
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), 46, 121
Microsoft Point-to-Point Encryption (MPPE), 46
MIMO (multiple-input multiple-output) radios, 506–507
Minor alarm level, 505
Miracast program, 11
Mitigation section in HIPAA, 537
MMPDUs (Management MAC Protocol Data Units), 497
mobile device management (MDM), 321
application management, 335, 335–336
architecture, 324–325
CIDs vs. personal devices, 323–324, 324
over-the-air, 332–334, 333–334
vs. self service device onboarding, 339
stolen devices, 334
mobile wireless intrusion detection systems. See wireless intrusion detection systems/wireless intrusion prevention systems (WIDS/WIPS)
MobileIron vendor, 323
mobility domain associations, 236–238, 237
mobility domain identifier (MDID) field, 235
mobility domain information element (MDIE), 235, 236
mobility domains, 231
monitoring, 470
802.11n-2009 amendment, 506–507, 507
802.11w-2009 amendment, 508–509
alarms and notification, 503–506, 504
audit recommendations, 456
device classification, 480–482, 481–482
device tracking, 489–494, 489–491, 493
rogue detection, 482–486
rogue mitigation, 486–489, 487–488
exam essentials, 509–510
false positives, 505–506
management planes, 260
overview, 17
policy enforcement, 501–503, 502
reports, 506
review questions, 511–514
summary, 509
WIDS and WIPS. See wireless intrusion detection systems/wireless intrusion prevention systems (WIDs/WIPs)
MPDUs (MAC Protocol Data Units), 68, 69
WEP, 70–71
MPPE (Microsoft Point-to-Point Encryption), 46
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), 46, 121
MSDUs. See MAC Service Data Units (MSDUs)
MSKs (master session keys)
RSNAs, 171
MTKs (mesh temporal keys), 207
multicast frames, 416
multifactor authentication, 90–91, 110
multiple-input multiple-output (MIMO) radios, 506–507
multiple radio sensors, 478, 479
mutual authentication, 114–115
mutual nondisclosure agreements for audits, 455
NAC. See network access control (NAC)
narrow-band interference, 413, 416, 444, 445
NASs (network access servers), 294
NAT (Network Address Translation), 385
National Bureau of Standards (NBS), 66
National Institute of Standards and Technology (NIST), 18
AES encryption, 67
DES encryption, 66
FIPS, 528
policy best practices, 517
Suite B, 79
National Security Agency (NSA), 79
NAV (network allocation vector), 419–420
NBS (National Bureau of Standards), 66
negotiation in passphrase-to-PSK mapping, 182
neighbor devices, 482
Netrepid survey, 400
NetStumbler tool, 405
network access control (NAC), 321
AAA, 354–355
Change of Authorization, 355–356
exam essentials, 359
OAuth, 357
OS fingerprinting, 353–354
RADIUS servers, 105
review questions, 360–363
SSO, 356
summary, 358–359
network access servers (NASs), 294
Network Address Translation (NAT), 385
network allocation vector (NAV), 419–420
network management systems (NMS), 263, 264, 280
Network Time Protocol (NTP), 367
network topology maps, 455
NIST (National Institute of Standards and Technology), 18
AES encryption, 67
DES encryption, 66
FIPS, 528
policy best practices, 517
Suite B, 79
Nmap tool, 451
NMS (network management systems), 263, 264, 280
nonces
with PMKs, 175–176
WPA/WPA2-Personal, 197
nondisclosure agreements, 455
notification originator applications, 281
NSA (National Security Agency), 79
NTP (Network Time Protocol), 367
null probe requests, 405
OAuth (Open Standard for Authorization) protocol, 350, 350, 357
octets, 71
OFDM (orthogonal frequency division multiplexing) technologies, 404, 498, 507
off-channel scanning, 477
Offensive Security provider, 451
offline dictionary attacks, 410, 410, 450
Ohigashi/Morii attacks, 78
OKC (Opportunistic Key Caching), 227–230, 228–229, 383
OmniPeek tool, 462
onboarding, self service device, 336–339, 338
one-time passwords (OTPs), 109–110, 110
one-way authentication, 126
opaque elements, 137
Open Standard for Authorization (OAuth) protocol, 350, 350, 357
Open System authentication, 18, 31–32, 32
Open Systems Interconnection (OSI) model, 3–4, 4
Layer 1 audits, 442–446, 445, 447
Layer 2 audits, 447–449, 448–449
OpenLDAP, 293
Opportunistic Key Caching (OKC), 227–230, 228–229, 383
organizationally unique identifier (OUI) addresses, 50
orthogonal frequency division multiplexing (OFDM) technologies, 404, 498, 507
OS fingerprinting, 353–354
OSI (Open Systems Interconnection) model, 3–4, 4
Layer 1 audits, 442–446, 445, 447
Layer 2 audits, 447–449, 448–449
OTPs (one-time passwords), 109–110, 110
OUI (organizationally unique identifier) addresses, 50
outdoor access points, 527
over-the-air fast BSS transition, 238–239, 239
over-the-air MDM, 332–334, 333–334
over-the-air provisioning process, 328
over-the-DS fast BSS transition, 239–242, 240
overlay WIDS/WIPS architecture, 474, 475
Oxley, Michael, 532
packet numbers (PNs) in CCMP, 74–76
packets vs. frames, 442
PACs (Protected Access Credentials), 109, 137–140, 138
pairs of keys, 63
pairwise master key identifiers (PMKIDs), 221–222, 222
OKC, 227–229
PMKSAs, 222
Pairwise Master Key R0 (PMK-R0), 232–234
Pairwise Master Key R1 (PMK-R1), 232–234, 233–235
pairwise master key security associations (PMKSAs), 181, 221–224, 221–223
pairwise master keys (PMKs)
AKM, 169
nonces with, 175
OKC, 227–229
PMKSAs, 222
PSKs, 374
SAE, 207
WPA/WPA2-Personal, 197–198, 197
pairwise relationships, 170–171
pairwise transient key security associations (PTKSAs), 181, 221
pairwise transient keys (PTKs)
PSKs, 373
SAE, 207
TKIP, 41
WPA/WPA2-Personal, 197
PAP (Password Authentication Protocol), 121
part-time sensors, 477
passive scanning, 405–406
passphrase-to-PSK mapping, 182–183
passphrases
entropy, 202–203
proprietary PSKs, 204
SAE for, 206–208
WPA/WPA2-Personal, 195–200, 196–197
Passpoint program, 11
Password Authentication Protocol (PAP), 121
password-based key derivation function (PBKDF), 183
passwords
entropy, 201–203
guest access, 347
policies, 522–523
and social engineering, 431
supplicant credentials, 106–107
Payment Card Industry (PCI) standard, 538–541
PBKDF (password-based key derivation function), 183
PCAOB (Public Company Accounting Oversight Board), 533
PCI (Payment Card Industry) standard, 538–541
PEAP (Protected Extensible Authentication Protocol), 130–133, 131, 447
peer-to-peer attacks, 426–427, 427
penetration testing
policies, 520–521
tools, 458–459
performance analysis, 500–501
permissions in RBAC, 310
persistent agents, 352
personal devices
proprietary PSKs, 204
personal firewalls, 432
phases
EAP-FAST, 137
phishing attacks, 425, 430–431
PHY headers, 507
physical carrier sense component, 414
physical damage from DoS attacks, 428–430, 429–430
Physical layer in OSI model, 369
physical security
audit recommendations, 456
policies, 527
piggy-backing attacks, 421
PKI (public key infrastructure)
and EAP, 63–64
PMK-R0 (Pairwise Master Key R0), 232–234
PMK-R1 (Pairwise Master Key R1), 232–234, 233–235
PMKIDs (pairwise master key identifiers), 221–222, 222
OKC, 227–229
PMKSAs, 222
PMKs. See pairwise master keys (PMKs)
PMKSAs (pairwise master key security associations), 181, 221–224, 221–223
PNs (packet numbers) in CCMP, 74–76
Point-to-Point Tunneling Protocol (PPTP), 46
policies
802.11 WLANs, 541–542
audit recommendations, 456
for audits, 455
creating, 517–519
enforcement, 501–503, 502, 521
exam essentials, 543–544
functional. See functional policies
general, 517
government and industry regulations. See government and industry regulations
managing, 520–521
MDM servers, 325
review questions, 545–550
rogue access prevention, 402
summary, 543
port-based access control standard, 93
port control for rogue access prevention, 403, 403
port suppression
rogue access prevention, 403
SNMP for, 489
portals, captive
guest access, 342–343, 343–344, 432
MAC authentication, 306–307
piggy-backing attacks, 421
ports in 802.1X standard, 96
power constraint elements, FSR, 244
PPTP (Point-to-Point Tunneling Protocol), 46
pre-robust security network associations (pre-RSNAs), 159, 160
preauthentication for RSNAs, 225–227, 226
preshared keys (PSKs)
802.11i amendment, 19
guidelines, 523
passphrase-to-PSK mapping, 182–183
RSNIE indicator, 161
vs. Shared Key authentication, 34
troubleshooting, 372–374, 373–374
vulnerabilities, 411
WPA/WPA2-Personal, 195–200, 196–197
pretexting, 534
PRFs (pseudo-random functions), 175
printers, wireless, 400–401
prioritization in Voice Enterprise, 247
privacy of data, 14–16, 15–16, 19
Privacy Rule in HIPAA, 536–537
private keys, 63
probe requests, null, 405
probe response floods, 418
profiles in MDM, 329–331, 330–331
proper use policies, 543
proprietary attacks, 428
proprietary FSR, 230
proprietary Layer 2 implementations, 80
proprietary PSKs, 203–205, 204
Protected Access Credentials (PACs), 109, 137–140, 138
Protected Extensible Authentication Protocol (PEAP), 130–133, 131, 447
for eavesdropping, 407
WIDS/WIPS, 471, 496–497, 497–498
protocol fuzzing, 495
protocols, management, 280–285, 283–284
proxy
LDAP, 298
proxy authentication, 102–103, 103, 293, 293
PS-Poll floods, 508
pseudo-mutual authentication, 127
pseudo-random functions (PRFs), 175
PSKs. See preshared keys (PSKs)
PSPF (public secure packet forwarding) feature, 427
PTKs. See pairwise transient keys (PTKs)
PTKSAs (pairwise transient key security associations), 181, 221
Public Company Accounting Oversight Board (PCAOB), 533
public key infrastructure (PKI)
and EAP, 63–64
public keys, 63
public secure packet forwarding (PSPF) feature, 427
push notification with MDM servers, 325
QoS metrics in FSR, 244
quality in Voice Enterprise, 247
questions for troubleshooting, 366–367
R-UIM (Removable User Identity Module), 141
radio cards in IBSS, 157
radio frequency (RF) communications, 12
calibration, 492
fingerprinting, 492
interference sources, 443–446, 445, 447
jamming, 443–444
signature analysis, 499
radio resource measurement (RRM), 243, 245, 491–492
radio supplicants, 97
RADIUS. See Remote Authentication Dial-in User Service (RADIUS) servers
RadSec (RADIUS over TLS) protocol, 307
rainbow tables, 450
rate limiting in guest access, 345
RBAC. See role-based access control (RBAC) security
RC5 encryption, 66
read community strings, 282
real-time location systems (RTLS)
fingerprinting methods, 492
realms in RADIUS proxy, 304–305, 305
reassociation services, 216–219, 219
received signal strength indicator (RSSI) values, 217–218, 490
Registry values for MAC addresses, 421, 422
regulations. See government and industry regulations
reinjection attacks, 39
remote access
policies, 542
VPNs. See virtual private networks (VPNs)
Remote Authentication Dial-in User Service (RADIUS) servers
802.1x/EAP, 376–377
attribute value pairs, 307–308, 308
authentication, 102–106, 103–104, 294–295, 294–295
authorization, 92–95, 294–295, 294–295
captive portals, 306–307
certificates, 116
CoA, 355–356
configuration, 296–298, 297–298
credentials, 106–107
database integration, 299
deployment models, 299–303, 300–303
devices as, 306
distributed architecture, 271
features and components, 308–309
LDAP proxy, 298
overview, 293–294
passwords, 523
remote office controllers, 269
remote office policies, 527–528
remote packet capture, 497, 498
Removable User Identity Module (R-UIM), 141
reports
compliance, 541
management planes, 260
in monitoring, 506
Requests for Comments (RFCs), 7
reverse social engineering, 431
RF. See radio frequency (RF) communications
RFCs (Requests for Comments), 7
Rijmen, Vincent, 67
Rijndael algorithm, 67
risk assessment policies, 517, 519
risks, 398
auditing for, 441
DoS attacks. See denial-of-service (DoS) attacks
eavesdropping, 404–411, 405, 410
exam essentials, 433
guest access and hotspots, 432–433
review questions, 434–437
signature analysis, 494–495, 495
summary, 433
unauthorized rogue access, 398–403, 399, 401, 403
WPA/WPA2-Personal, 200–201
roaming
control planes, 260
FSR. See fast secure roaming (FSR)
troubleshooting, 382–384, 382–384
roaming keys in RSNs, 183–184
robust management frames, 418, 508
robust security network associations (RSNAs)
802.11 standard, 20
creating, 158
encryption methods, 153
key hierarchy, 170–174, 171–174
overview, 220
preauthentication, 225–227, 226
security associations, 181–182
station requirements, 156
robust security network information elements (RSNIEs), 221
cipher information in, 78
PMK caching, 225
robust security networks (RSNs)
4-Way Handshake process, 174, 176, 176
802.11 standard, 20–21
802.1X-2004 standard, 93
AKM services, 166–170, 167–169
capabilities, 9
goal, 18
Group Key Handshake, 177–179, 178
passphrase-to-PSK mapping, 182–183
RADIUS, 294
roaming and dynamic keys, 183–184
RSNA key hierarchy, 170–174, 171–174
RSNA security associations, 181–182
TDLS PeerKey Handshake process, 180–181, 181
TKIP and CCMP compliance, 69
vs. TSNs, 161
rogue access
802.11w-2009 amendment, 508–509
mitigating, 486–489, 487–488, 508–509
rogue access points, 398–399, 399, 486–489, 487–488, 538, 542
rogue containment, 486–487, 487
role-based access control (RBAC) security
audit recommendations, 456
in audits, 453
distributed architecture, 271
exam essentials, 311–312
LDAP attributes, 311
policies, 523
review questions, 313–317
summary, 311
round function, 65
router-to-router VPNs, 45
routers, enterprise, 272–273
RRM (radio resource measurement), 243, 245, 491–492
RSNAs. See robust security network associations (RSNAs)
RSNIEs (robust security network information elements), 221
cipher information in, 78
PMK caching, 225
RSNs. See robust security networks (RSNs)
RSSI (received signal strength indicator) values, 217–218, 490
RTLS (real-time location systems)
fingerprinting methods, 492
SaaS (Software as a Service), 265
SAE (Simultaneous Authentication of Equals), 205–208, 206–207, 274
Safe alarm level, 505
Safeguards Rule, 534
SAML (Security Assertion Markup Language), 356–357, 357–358
SANS Institute, 517
Sarbanes, Paul, 532
Sarbanes-Oxley Act (SOX), 527, 532–534
SAs (security associations), 181–182
ISAKMP, 47
VPNs, 385
SAs (source addresses) in TKIP, 42
scaling VPNs, 48–49
scanners and scanning
access points, 405–406
off-channel, 477
WIDS/WIPS, 472–473
SCEP (Simple Certificate Enrollment Protocol), 328, 328
scope of policies, 518
script kiddies, 52
SDR (software defined radio), 476
secret keys, 63
secrets, shared, 120–121, 120, 137
authenticators, 102
secure channels in AKM, 167
Secure Hash Algorithm (SHA), 80
Secure Hash Algorithm 1 (SHA-1) hash functions, 47
Secure Shell (SSH) protocol, 284, 453
Secure Sockets Layer (SSL), 107–108, 108
vs. TLS, 116
WIDS/WIPS, 473
SecurID technology, 109
security
Voice Enterprise, 247
Security Assertion Markup Language (SAML), 356–357, 357–358
security associations (SAs), 181–182
ISAKMP, 47
VPNs, 385
security information and event management (SIEM) platforms, 478
security through obscurity, 16
seeds
dynamic keys, 153
WEP, 42
segmentation
overview, 17
self service device onboarding, 336–339, 338
servers
certificates, 115–119, 115, 117–118
MDM architecture, 325
RADIUS. See Remote Authentication Dial-in User Service (RADIUS) servers
VPN, 48
WIDS/WIPS, 471
service loss from rogue devices, 401
service providers (SPs) in SAML, 356
service set identifiers (SSIDs)
vs. BSSIDs, 157
cloaking, 51–53
roaming, 384
RSNs, 159–160
social login, 350
VLAN assignment, 309
Severe alarm level, 505
SHA (Secure Hash Algorithm), 80
SHA-1 (Secure Hash Algorithm 1) hash functions, 47
Shared Key authentication, 18, 33–36, 33
shared keys. See preshared keys (PSKs)
shared secrets, 120–121, 120, 137
authenticators, 102
sharing passwords, 431–432
shielding by Faraday cages, 409
SIDs (system identifiers), 112, 381
SIEM (security information and event management) platforms, 478
signature analysis, 471, 494–495, 495, 499
SIM (Subscriber Identity Module) cards, 141
Simple Certificate Enrollment Protocol (SCEP), 328, 328
Simple Network Management Protocol (SNMP)
in audits, 453
management, 280–282
port suppression, 488–489
rogue access prevention, 403
rogue device classification, 482–483
versions, 281–282
vulnerabilities, 428
Simultaneous Authentication of Equals (SAE), 205–208, 206–207, 274
single-channel jamming, 413
single-input single-output (SISO) radios, 507
single sign-on (SSO), 356
single-site RADIUS server deployment, 299–300, 300
single-SSID onboarding, 338
SISO (single-input single-output) radios, 507
site surveys, 442–446, 445, 447
size of cipher blocks, 66
small and medium business (SMB) offices, 527–528
small office, home office (SOHO) environments, 194
remote office policies, 527–528
WPA/WPA2-Personal. See WPA/WPA2-Personal
SMB (small and medium business) offices, 527–528
SMKs (STSL master keys), 179
SMKSAs (STSL Master Key Security Associations), 181
sniffers vs. analyzers, 442
SNMP. See Simple Network Management Protocol (SNMP)
SNMPv1, 281
SNMPv2, 281–282
SNMPv3, 282
SNonces (supplicant nonces), 175, 197
social engineering
audits, 453–454
honeypots, 129
overview, 430–431
proprietary PSKs, 204
social login for guest access, 349–350, 350–351
Software as a Service (SaaS), 265
software-based sensors, 472
software defined radio (SDR), 476
SOHO (small office, home office) environments, 194
remote office policies, 527–528
WPA/WPA2-Personal. See WPA/WPA2-Personal
source addresses (SAs) in TKIP, 42
SOW (statement of work) agreements, 455
SOX (Sarbanes-Oxley Act), 527, 532–534
spectrum analysis
site surveys, 442–446, 445, 447
spoofing
disassociation and deauthentication management frames, 416–417, 417
MAC addresses, 49, 420–423, 422–423
SPs (service providers) in SAML, 356
SSH (Secure Shell) protocol, 284, 453
SSH2 protocol, 284
SSIDs. See service set identifiers (SSIDs)
SSL (Secure Sockets Layer), 107–108, 108
vs. TLS, 116
WIDS/WIPS, 473
SSO (single sign-on), 356
stakeholders for policies, 518
standalone access points, 261
standalone sensors, 474–475
standards organizations, 3
IEEE, 4–5
statement of work (SOW) agreements, 455
statements of authority in general policies, 517
states in AES, 67
static WEP keys, 37–39
station-to-station links (STSLs), 179, 180
stations (STAs)
Open System authentication, 31–32, 32
Shared Key authentication, 33
steganography, 16
sticky client problem, 382
STKs (STSL transient keys), 179
STKSAs (STSL Transient Key Security Associations), 181
stream ciphers, 65
strong EAP protocols, 127–128, 129
STSL Master Key Security Associations (SMKSAs), 181
STSL master keys (SMKs), 179
STSL Transient Key Security Associations (STKSAs), 181
STSL transient keys (STKs), 179
STSLs (station-to-station links), 179, 180
Subscriber Identity Module (SIM) cards, 141
Suite B, 79–80
supplicant nonces (SNonces), 175, 197
supplicants
digital certificates, 107–109, 108
machine authentication, 112–114, 113
one-time passwords, 109–110, 110
PACs, 109
smart cards and USB tokens, 110–111, 111–112
usernames and passwords, 106–107
troubleshooting, 378–382, 378–379, 381–382
symmetric algorithms, 63–64, 64
system identifiers (SIDs), 112, 381
tags
VLANs, 271
tamper-evident labels (TELs), 283, 283
tarpitting methods, 509
TAs (transmit addresses) in TKIP, 42
TDEA (Triple Data Encryption Algorithm), 67
TDLS (Tunneled Direct Link Setup) program, 11
TDLS Peer Key (TPK) Handshake, 174–176, 176, 180
TDoA (time difference of arrival), 493, 493
Telnet protocol, 283–284
TELs (tamper-evident labels), 283, 283
Temporal Key Integrity Protocol (TKIP)
4-Way Handshake process, 69
802.11i amendment, 19
strength of, 426
TKIP/RC4 encryption, 163–165, 164–165
temporal keys (TKs)
CCMP, 74
passphrase-to-PSK mapping, 182
THC-wardrive tool, 460
theft
from DoS attacks, 428–430, 429–430
by rogue devices, 401
third-party attacks, 402
third-party supplicants, 97, 98
threat assessment
auditing for, 441–442
in general policies, 517
time difference of arrival (TDoA), 493, 493
time to live (TTL) values, 486
TKIP. See Temporal Key Integrity Protocol (TKIP)
TKIP-mixed transmit address and key (TTAK), 42
TKIP sequence counters (TSCs), 41–42, 72–73
TKs. See temporal keys (TKs)
TLS (Transport Layer Security), 48, 115–116, 129
RadSec protocol, 307
vs. SSL, 116
VPNs, 278
tokens
topology maps, 455
TPC (Transmit Power Control), 244
TPK (TDLS Peer Key) Handshake, 174–176, 176, 180
TPKSA (TPK security association), 180, 182
tracking devices, 489–494, 489–491, 493
training, audit recommendations for, 456
transform sets, 47
transition security networks (TSNs), 20, 159, 159, 161
transitions
Voice Enterprise, 247
transmission keys in WEP, 37
transmit addresses (TAs) in TKIP, 42
Transmit Power Control (TPC), 244
Transport Layer Security (TLS), 48, 115–116, 129
RadSec protocol, 307
vs. SSL, 116
VPNs, 278
triggering alarms, 503–504
Triple Data Encryption Algorithm (TDEA), 67
Triple DES (3DES), 47
troubleshooting
802.1x/EAP, 374–382, 375–376, 378–379, 381–382
client issues, 370–371
design, 372
exam essentials, 387
review questions, 388–395
summary, 387
user expectations, 372
trusted root CAs, 116
TSCs (TKIP sequence counters), 41–42, 72–73
TSNs (transition security networks), 20, 159, 159, 161
TTAK (TKIP-mixed transmit address and key), 42
TTL (time to live) values, 486
tunneled authentication, 125
Tunneled Direct Link Setup (TDLS) program, 11, 180–181, 181
Tunneled Extensible Authentication Protocol (TEAP), 142
tunnels
802.1x/EAP, 375
EAP, 129
IP, 267
Mobile IP, 250
two-factor authentication, 90–91, 110
UMTS (Universal Mobile Telecommunications System), 141
unauthorized devices. See rogue access
unbounded media, 62
uncontrolled ports, 96
unicast frames
deauthentication, 417
Layer 1 DoS attacks, 416
unicast keys, 153
unidirectional antennas, 413
unified architecture, 272
unintentional interference, 412
Universal Mobile Telecommunications System (UMTS), 141
Universal Serial Bus (USB), 110–111, 112
Universal Subscriber Identity Module (USIM), 141
US Department of Defense (DoD) directive 8420.1, 529–530
user expectations in troubleshooting, 372
user planes, 259–261
usernames
EAP-LEAP, 126
EAP-MD5, 126
guest access, 347
supplicant credentials, 106–107
users in RBAC, 310
USIM (Universal Subscriber Identity Module), 141
validation, FIPS, 68
vendor proprietary attacks, 428
vendor-specific attributes (VSAs), 105, 308–309
vendor-specific supplicants, 97
vendors, FIPS-compliant, 532
Verisign certificate service, 116
versions, SNMP, 281–282
Very High Throughput (VHT)
AES, 67–68
TKIP, 43
WEP, 78–79
violation reporting procedures for policies, 517, 521
virtual-carrier attacks, 420, 508
virtual carrier sense, 419, 419
virtual local area networks (VLANs), 266
deployment, 271
virtual ports, 96
virtual private networks (VPNs)
analogy, 276–277
benefits, 49
configuration complexity, 48
endpoint policies, 526
IPsec, 47
L2TP, 46–47
PPTP, 46
scalability, 48–49
security, 275–279, 276, 278–279
troubleshooting, 384–386, 385–386
VLANs (virtual local area networks), 266
deployment, 271
VMware AirWatch vendor, 323
Voice Enterprise, 247–248
Voice Enterprise Wi-Fi CERTIFIED programs, 10–11
Voice Personal Wi-Fi CERTIFIED programs, 10
voice quality in Voice Enterprise, 247
VPNs. See virtual private networks (VPNs)
VSAs (vendor-specific attributes), 105, 308–309
wardialing, 405
watermarking, 16
weak EAP protocols, 125
weak key attacks, 39
web clips in MDM profiles, 329
web content filtering, 345
web portals, captive, 306–307, 342–343, 343–344
WECA (Wireless Ethernet Compatibility Alliance), 8
WEP. See Wired Equivalent Privacy (WEP)
whitelisting policies, 325
Wi-Fi Alliance, 7–11, 7–8, 371
Wi-Fi Aware program, 11
Wi-Fi CERTIFIED programs, 8–11
Wi-Fi Direct programs, 10
Wi-Fi Explorer, 406
Wi-Fi Interoperability Certificates, 8, 8
Wi-Fi Multimedia (WMM) programs, 10
Wi-Fi phishing attacks, 425, 431
Wi-Fi Pineapple tool, 453, 453
Wi-Fi Protected Access (WPA) certification
802.11i amendment, 18–20
introduction of, 194–195
TKIP, 41
Wi-Fi Protected Access 2 Wi-Fi CERTIFIED programs, 19–20
Wi-Fi Protected Setup programs, 10
wide-band interference, 444, 445
WIDS. See wireless intrusion detection systems/wireless intrusion prevention systems (WIDs/WIPs)
WiFi CERTIFIED TDLS certification, 180
WiFi Scanner tool, 406
WiFiFoFum tool, 406
WIGLE (Wireless Geographic Logging Engine), 406
Windows-based audit tools, 462
Windows Registry values for MAC addresses, 421, 422
WIPS. See wireless intrusion detection systems/wireless intrusion prevention systems (WIDs/WIPs)
Wired Equivalent Privacy (WEP)
dynamic encryption key generation, 152–155, 153–154
encryption cracking, 425
history, 18
MPDU, 70–71
Open System authentication, 32
purpose, 18
Shared Key authentication, 33, 33
TKIP, 42
wired infrastructure audits, 453
wired leakage, 408
wireless bridges, 274–275
wireless discovery tools, 459
Wireless Ethernet Compatibility Alliance (WECA), 8
Wireless Geographic Logging Engine (WIGLE), 406
wireless hijacking attacks, 423–425, 424
wireless intrusion detection systems/wireless intrusion prevention systems (WIDs/WIPs)
alarms and notification, 503–506, 504
architecture models, 474–480, 475–476, 478
audits, 454
behavioral analysis, 495–496, 496
device classification, 480–482, 481–482
device tracking, 489–494, 489–491, 493
rogue detection, 482–486
rogue mitigation, 486–489, 487–488
DoD standards, 530
and eavesdropping, 407
false positives, 505–506
forensic analysis, 499–500, 500
hotspots, 432
infrastructure components, 471–473, 472–474
introduction, 470–471
PCI standard, 539
performance analysis, 500–501
protocol analysis, 449, 449, 496–497, 497–498
reports, 506
rogue access prevention, 402–404
servers, 471
signature analysis, 494–495, 495
spectrum analysis, 498–499, 499
wireless network management (WNM), 246
wireless network management systems (WNMS), 260, 263
wireless switches, 266
Wireshark protocol analyzer, 407, 451
WLAN security overview, 2
802.11 networking basics, 12–14
802.11 security basics, 14–18, 15–16
802.11 security history, 18–21
exam essentials, 22–23
review questions, 24–27
standards organizations, 3–11, 6–8
summary, 21–22
WMM-Admission Control program, 11
WMM Power Save (WMM-PS) programs, 10
WNM (wireless network management), 246
WNMS (wireless network management systems), 260, 263
WPA (Wi-Fi Protected Access) certifications
802.11i amendment, 18–20
introduction of, 194–195
TKIP, 41
WPA/WPA2, 78–79
WPA/WPA2-Personal, 194–195, 195
exam essentials, 208
preshared keys and passphrases, 195–200, 196–197
proprietary PSKs, 203–205, 204
review questions, 209–213
risks, 200–201
summary, 208
WPA2 (Wi-Fi Protected Access 2) certification, 19–20
write community strings, 282
X.509 certificates, 110
XML (Extensible Markup Language), 329
XOR (Exclusive-OR) operations
stream ciphers, 65
WEP, 70
xSec protocol, 80
Zed Attack Proxy (ZAP), 451
zero-day attacks, 496
zero-knowledge proof key exchange, 205
zeroization, 531