Chapter 20

Installing and Configuring Wireless Security Settings

This chapter covers the following topics related to Objective 3.4 (Given a scenario, install and configure wireless security settings) of the CompTIA Security+ SY0-601 certification exam:

  • Cryptographic protocols

    • WiFi Protected Access 2 (WPA2)

    • WiFi Protected Access 3 (WPA3)

    • Counter-mode/CBC-MAC protocol (CCMP)

    • Simultaneous Authentication of Equals (SAE)

  • Authentication protocols

    • Extensible Authentication Protocol (EAP)

    • Protected Extensible Authentication Protocol (PEAP)

    • EAP-FAST

    • EAP-TLS

    • EAP-TTLS

    • IEEE 802.1X

    • Remote Authentication Dial-in User Service (RADIUS) Federation

  • Methods

    • Pre-shared key (PSK) vs. Enterprise vs. Open

    • WiFi Protected Setup (WPS)

    • Captive portals

  • Installation considerations

    • Site surveys

    • Heat maps

    • WiFi analyzers

    • Channel overlaps

    • Wireless access point (WAP) placement

    • Controller and access point security

This chapter briefly digs into the topic of installing and configuring wireless security settings. We start out by discussing cryptographic protocols such as WPA2, WPA3, and CCMP, as well as Simultaneous Authentication of Equals (SAE). From there we cover authentication protocols including Extensible Authentication Protocol (EAP), Protected Extensible Authentication Protocol (PEAP), EAP-FAST, EAP-TLS, EAP-TTLS, and IEEE 802.1X, as well as a quick discussion on Remote Authentication Dial-in User Service (RADIUS) Federation. You also learn about wireless security methods such as preshared key (PSK) versus Enterprise and Open, as well as an overview of Wi-Fi Protected Setup (WPS) and captive portals. Finally, you learn about wireless installation considerations. This section includes a discussion about site surveys, heat maps, Wi-Fi analyzers, channel overlaps, wireless access point (WAP) placement, and controller and access point security.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Chapter Review Activities” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 20-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 20-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section      Questions
Cryptographic Protocols        1–2
Authentication Protocols       3–7
Methods                        8–9
Installation Considerations    10

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. What WPA version utilizes Simultaneous Authentication of Equals (SAE)?

  1. WPA3

  2. WPA2

  3. WPA

  4. None of these answers are correct.

2. Which protocol is based on AES and provides stronger security over TKIP?

  1. WPA

  2. CCMP

  3. WPA2

  4. All of these answers are correct.

3. Which of the following is a data link layer authentication technology that defines port-based access control?

  1. 802.1X

  2. 802.11ac

  3. 802.11a

  4. None of these answers are correct.

4. Which of the following components of 802.1X would be an access point or switch?

  1. Authorization server

  2. Authentication server

  3. Supplicant

  4. Authenticator

5. Which of the following components of 802.1X runs on a client workstation?

  1. Authorization server

  2. Authentication server

  3. Authenticator

  4. Supplicant

6. Which of the following components of 802.1X includes an authentication database?

  1. EAP-FAST

  2. EAP-TTLS

  3. EAP-TLS

  4. PEAP

7. Which type of EAP authentication uses Secure Tunneling?

  1. EAP-TLS

  2. EAP-FAST

  3. EAP-TTLS

  4. PEAP

8. _______________ is automatically used when you select WPA-Personal.

  1. PKI

  2. WPA

  3. PSK

  4. Open

9. Which of the following was created to give users easy connectivity to wireless access points?

  1. WPA

  2. WPS

  3. WEP

  4. All of these answers are correct.

10. Which of the following can help with the proper placement of access points?

  1. WEP

  2. Channel overlaps

  3. RADIUS

  4. Site survey

Foundation Topics

Cryptographic Protocols

Weak encryption or no encryption can be the worst thing that can happen to a wireless network. This lack of encryption can occur for several reasons—for example, if someone wanted to connect an older device or a device that hasn’t been updated, and that device can run only a weaker, older type of encryption. It’s important to have strong encryption in your network; as of this writing, Wi-Fi Protected Access 2 (WPA2) is the most widely used wireless protocol. It can be used with TKIP or, better yet, AES. Remember that the encryption level of the WAP and the encryption level of the network adapters that connect to it need to be the same. Wi-Fi Protected Access 3 (WPA3) is the future of Wi-Fi security and is quickly becoming the replacement for WPA2. WPA3 includes a more robust authentication mechanism over WPA2. It also provides a higher level of encryption capabilities. It enables a very robust authentication based on passwords by utilizing a technology called Simultaneous Authentication of Equals (SAE). This innovation in Wi-Fi security replaces the preshared key (PSK). SAE helps protect against brute-force password attacks and offline dictionary attacks. The sections that follow describe these cryptographic protocols in more detail.

Wi-Fi Protected Access 2 (WPA2)

Wi-Fi Protected Access 2, or WPA2 as it is commonly referred to, is the next evolution of Wi-Fi Protected Access (WPA) that was created to enhance and replace the original WPA protocol. All three current WPA versions were developed by the Wi-Fi Alliance, which is an organization consisting of a partnership between many companies in the industry with the goal of standardizing on Wi-Fi technologies. WPA2 includes support for Counter-mode/CBC-MAC protocol (CCMP) and AES-based encryption. WPA2 can be used in PSK or Enterprise mode. PSK is typically used in personal home deployments of Wi-Fi networks because it is much easier to implement and requires only a single key or passphrase to be configured on the access point and client for authentication. Enterprise mode requires the use of a back-end authentication server such as a RADIUS server.

Wi-Fi Protected Access 3 (WPA3)

As stated previously, Wi-Fi Protected Access 3 (WPA3) was developed as the eventual replacement of WPA2. It was also developed by the Wi-Fi Alliance, which originally released it for certification testing in 2018. One of the main enhancements to WPA3 over WPA2 is the use of Simultaneous Authentication of Equals, which is discussed in more depth later. For WPA3 Enterprise implementations, the minimum security protocol strength is 192-bit. However, WPA3 also enables the use of stronger security mechanisms such as 256-bit Galois/Counter Mode Protocol (GCMP-256) as well as the 384-bit Hash-based Message Authentication Code (HMAC) combined with the Secure Hash Algorithm (HMAC-SHA384). It additionally supports the Elliptic Curve Digital Signature Algorithm (ECDSA), which uses 384-bit elliptic curve encryption.

Counter-mode/CBC-MAC Protocol (CCMP)

Counter-mode/CBC-MAC protocol (CCMP) is based on the Advanced Encryption Standard (AES). It provides a stronger mechanism for securing privacy and integrity over Temporal Key Integrity Protocol (TKIP), which was previously used with WPA. An advantage to CCMP is that it utilizes 128-bit keys as well as a 48-bit initialization vector. This enhancement greatly reduces the possibility of replay attacks. One drawback to using CCMP over TKIP is that it requires additional processing power. That is why you will typically see it supported on newer hardware.
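The following Python example, added here and not part of the book or of any vendor's code, shows the two mechanisms the paragraph refers to: the 13-byte CCM nonce that combines the frame priority, the transmitter address (A2), and the 48-bit packet number (PN), and the receiver-side replay check that rejects any frame whose packet number does not exceed the last one accepted. The MAC address and the frame sequence are constructed, and the AES-CCM encryption step under the 128-bit temporal key is deliberately left out so that the example runs with the standard library alone.

```python
"""Added example: CCMP nonce construction and 48-bit packet-number replay protection.
The AES-CCM encryption of the frame body is omitted; only the nonce and the
replay counter that surround it are shown."""

PN_BITS = 48
PN_MAX = (1 << PN_BITS) - 1   # 2^48 - 1 frames per temporal key; rekey before this
KEY_BITS = 128                # CCMP uses a 128-bit AES temporal key (not used here)


def ccmp_nonce(priority: int, transmitter_addr: bytes, pn: int) -> bytes:
    """13-byte CCM nonce: 1 byte priority (TID), 6 bytes A2, 6 bytes PN big-endian."""
    if not 0 <= priority <= 0x0F:
        raise ValueError("priority must fit in 4 bits")
    if len(transmitter_addr) != 6:
        raise ValueError("A2 must be a 6-byte MAC address")
    if not 0 <= pn <= PN_MAX:
        raise ValueError("PN must be a 48-bit value")
    return bytes([priority]) + transmitter_addr + pn.to_bytes(6, "big")


class CcmpSender:
    """Sender side: a strictly increasing PN per key, so no nonce repeats under one key."""

    def __init__(self, transmitter_addr: bytes):
        self.addr = transmitter_addr
        self.pn = 0

    def next_frame_nonce(self, priority: int = 0) -> tuple:
        """Return (pn, nonce) for the next frame; refuse to wrap the counter."""
        if self.pn >= PN_MAX:
            raise RuntimeError("PN space exhausted; rekey before sending more frames")
        self.pn += 1
        return self.pn, ccmp_nonce(priority, self.addr, self.pn)


class CcmpReceiver:
    """Receiver side: accept a frame only if its PN is greater than the last accepted PN."""

    def __init__(self):
        self.last_pn = -1
        self.dropped_replays = 0

    def accept(self, pn: int) -> bool:
        if pn <= self.last_pn:
            self.dropped_replays += 1   # stale or duplicate PN: replayed frame
            return False
        self.last_pn = pn
        return True


def replay_demo() -> dict:
    """Send three frames, then replay two of them; return the receiver's tally."""
    ap = CcmpSender(bytes.fromhex("021122334455"))  # constructed, locally administered MAC
    station = CcmpReceiver()
    frames = [ap.next_frame_nonce(priority=0) for _ in range(3)]
    accepted = sum(station.accept(pn) for pn, _nonce in frames)
    # A captured copy of frames 2 and 1 retransmitted later is rejected by the PN check
    replayed_accepted = sum(station.accept(pn) for pn, _nonce in (frames[1], frames[0]))
    return {"accepted": accepted, "replayed_accepted": replayed_accepted,
            "dropped": station.dropped_replays, "nonce_len": len(frames[0][1])}


if __name__ == "__main__":
    print(replay_demo())
```

Because the packet number only ever increases under a given key, a captured frame that is retransmitted later carries a stale number and is dropped, and the sender must rekey before the 2^48 values run out; that is the property the paragraph describes as greatly reducing the possibility of replay attacks.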

Simultaneous Authentication of Equals

Simultaneous Authentication of Equals replaces the use of preshared key in the WPA3 standard. It is defined in the 802.11s standard. The use of passwords or preshared keys has always been a concern in Wi-Fi authentication. An attacker’s ability to guess or brute-force the password is a viable threat. The purpose of SAE is to address this concern and enhance the authentication method used in WPA3 Personal mode. It does this by utilizing a mechanism derived from the Dragonfly Key Exchange defined in RFC 7664. For a more detailed understanding of how SAE works, see the IEEE.org resource at https://ieeexplore.ieee.org/document/4622764.

Wireless Cryptographic Protocol Summary

As you can see from the previous sections, Wi-Fi protocols and their cryptographic protections continue to evolve. This is a trend that is expected in security: as computing power increases, breaking strong encryption protocols becomes more feasible, so cryptography and wireless protocols will keep evolving in response. Figure 20-1 shows the latest wireless network configuration options on a macOS system. As you can see, less secure protocols such as WEP and WPA are still available options. These options typically are made available for backward compatibility; however, it is always best to use the latest and most secure protocol that your device and network support.

A screenshot depicts wireless client configuration.

FIGURE 20-1 Wireless Client Configuration

Authentication Protocols

There are several types of technologies for authenticating a user to a local-area network. Examples that are software-based include LDAP and Kerberos, whereas 802.1X is an example that also involves the physical port. Keep in mind that there is a gray area between localized and remote authentication technologies. Here, each technology is placed in the category in which it is most commonly used.

In the following sections, we mention several encryption concepts that work with the various authentication technologies.

802.1X and EAP

802.1X is an IEEE standard that defines port-based network access control (PNAC). Not to be confused with 802.11x WLAN standards, IEEE 802.1X is a data link layer authentication technology used to connect hosts to a LAN or WLAN. 802.1X allows you to apply a security control that ties physical ports to end-device MAC addresses and prevents additional devices from being connected to the network. It is a good way of implementing port security, much better than simply setting up MAC filtering.

Setting up security control starts with the central connecting device such as a switch or wireless access point. These devices must first enable 802.1X connections; they must have the 802.1X protocol (and supporting protocols) installed. Vendors that offer 802.1X-compliant devices (for example, switches and wireless access points) include Cisco, Symbol Technologies, and Intel. Next, the client computer needs to have an operating system, or additional software, that supports 802.1X. The client computer is known as the supplicant. All recent Windows versions support 802.1X. macOS offers support as well, and Linux computers can use Open1X to enable client access to networks that require 802.1X authentication.

802.1X encapsulates the Extensible Authentication Protocol (EAP) over wired or wireless connections. EAP is not an authentication mechanism in itself but instead defines message formats. 802.1X is the authentication mechanism and defines how EAP is encapsulated within messages. Figure 20-2 shows an 802.1X-enabled network adapter. In the figure, you can see that the box for enabling 802.1X has been checked and that the type of network authentication method for 802.1X is EAP—specifically, Protected Extensible Authentication Protocol (PEAP).

A screenshot of the Local Area Connection Properties dialog box.

FIGURE 20-2 An 802.1X-Enabled Network Adapter in Windows

Note

To enable 802.1X in Windows, you access the Local Area Connection Properties page.

Following are three components to an 802.1X connection:

  • Supplicant: A software client running on a workstation. This is also known as an authentication agent.

  • Authenticator: A wireless access point or switch.

  • Authentication server: An authentication database, most likely a RADIUS server.

The typical 802.1X authentication procedure has four steps. The components used in these steps are illustrated in Figure 20-3.

An illustration shows the components of a typical 802.1X authentication procedure.

FIGURE 20-3 Components of a Typical 802.1X Authentication Procedure

Step 1. Initialization: When a switch or wireless access point detects a new supplicant, it enables the port for 802.1X traffic only; other types of traffic are dropped.

Step 2. Initiation: The authenticator (switch or wireless access point) periodically sends EAP requests to a MAC address on the network. The supplicant listens for this address and sends an EAP response that might include a user ID or other similar information. The authenticator encapsulates this response and sends it to the authentication server.

Step 3. Negotiation: The authentication server then sends a reply to the authenticator. The authentication server specifies which EAP method to use. (These are listed next.) Then the authenticator transmits that request to the supplicant.

Step 4. Authentication: If the supplicant and authentication server agree on an EAP method, the two transmit until there is either success or failure to authenticate the supplicant computer.

Following are several types of EAP authentication:

  • EAP-MD5: This is a challenge-based authentication providing basic EAP support. It enables only one-way authentication and not mutual authentication.

  • EAP-TLS: This version uses Transport Layer Security, which is a certificate-based system that does enable mutual authentication. It does not work well in enterprise scenarios because certificates must be configured or managed on the client side and server side.

  • EAP-TTLS: This version is Tunneled Transport Layer Security and is basically the same as TLS except that it is done through an encrypted channel, and it requires only server-side certificates.

  • EAP-FAST: This uses a protected access credential instead of a certificate to achieve mutual authentication. FAST stands for Flexible Authentication via Secure Tunneling.

  • PEAP: The Protected Extensible Authentication Protocol (PEAP) uses MS-CHAPv2, which supports authentication via Microsoft Active Directory databases. It competes with EAP-TTLS and includes legacy password-based protocols. It creates a TLS tunnel by acquiring a public key infrastructure (PKI) certificate from a server known as a certificate authority (CA). The TLS tunnel protects user authentication much like EAP-TTLS.
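As an added example (not from the book and not any vendor's implementation), the following Python simulation walks through the four-step 802.1X procedure above with the three components (supplicant, authenticator, authentication server) as objects and EAP-MD5 from the list above as the negotiated method, so that the unauthorized port, the identity exchange, the server's choice of method, and the success or failure outcome can all be observed. The identities, secrets, and user database are constructed; the MD5-Challenge computation follows RFC 3748 (MD5 over the EAP identifier, the secret, and the challenge). EAP-MD5 is used here only because it is simple enough to show in full; as the list notes, it provides one-way authentication only.

```python
"""Added example: the 802.1X four-step procedure with EAP-MD5 as the negotiated method.
Supplicant, authenticator (port) and authentication server are simulated in-process."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# EAP codes (RFC 3748 section 4) and the two EAP types used in this demo
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


@dataclass
class EapMessage:
    code: int
    identifier: int
    eap_type: int = 0
    data: bytes = b""


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(identifier || secret || challenge), one-way only."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AuthenticationServer:
    """Back end (a RADIUS server in practice): holds the credential database, picks the EAP method."""

    def __init__(self, users: dict):
        self.users = users      # identity -> secret (constructed database)
        self.pending = {}       # EAP identifier -> (identity, challenge)

    def handle(self, msg: EapMessage) -> EapMessage:
        if msg.code == EAP_RESPONSE and msg.eap_type == TYPE_IDENTITY:
            # Step 3 (negotiation): the server selects EAP-MD5 and issues a fresh challenge
            ident = (msg.identifier + 1) & 0xFF
            challenge = os.urandom(16)
            self.pending[ident] = (msg.data.decode(), challenge)
            return EapMessage(EAP_REQUEST, ident, TYPE_MD5_CHALLENGE,
                              bytes([len(challenge)]) + challenge)
        if msg.code == EAP_RESPONSE and msg.eap_type == TYPE_MD5_CHALLENGE:
            # Step 4 (authentication): verify the response against the stored secret
            identity, challenge = self.pending.pop(msg.identifier, (None, b""))
            secret = self.users.get(identity)
            size = msg.data[0] if msg.data else -1
            value = msg.data[1:]
            if secret is not None and size == len(value) == 16:
                expected = md5_challenge_response(msg.identifier, secret, challenge)
                if hmac.compare_digest(expected, value):
                    return EapMessage(EAP_SUCCESS, msg.identifier)
            return EapMessage(EAP_FAILURE, msg.identifier)
        return EapMessage(EAP_FAILURE, msg.identifier)


class Authenticator:
    """Switch or access point port: stays unauthorized until the server returns EAP-Success."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.port_authorized = False

    def forward_data(self, _frame: bytes) -> bool:
        # Step 1 (initialization): only 802.1X/EAP traffic passes on an unauthorized port
        return self.port_authorized

    def relay_to_server(self, msg: EapMessage) -> EapMessage:
        # The authenticator never sees the secret; it encapsulates and relays EAP
        reply = self.server.handle(msg)
        if reply.code == EAP_SUCCESS:
            self.port_authorized = True
        return reply


class Supplicant:
    """802.1X client software on the workstation (constructed identity and secret)."""

    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret

    def respond(self, req: EapMessage) -> EapMessage:
        if req.eap_type == TYPE_IDENTITY:
            return EapMessage(EAP_RESPONSE, req.identifier, TYPE_IDENTITY, self.identity.encode())
        size = req.data[0]
        challenge = req.data[1:1 + size]
        value = md5_challenge_response(req.identifier, self.secret, challenge)
        return EapMessage(EAP_RESPONSE, req.identifier, TYPE_MD5_CHALLENGE, bytes([len(value)]) + value)


def authenticate(supplicant: Supplicant, authenticator: Authenticator) -> bool:
    """Run the four steps; True when the port ends up authorized for data traffic."""
    if authenticator.forward_data(b"ip packet"):
        raise RuntimeError("port must start unauthorized")       # step 1: data is dropped
    identity_req = EapMessage(EAP_REQUEST, 1, TYPE_IDENTITY)      # step 2: initiation
    challenge = authenticator.relay_to_server(supplicant.respond(identity_req))
    if challenge.code != EAP_REQUEST:
        return False
    result = authenticator.relay_to_server(supplicant.respond(challenge))  # step 4
    return result.code == EAP_SUCCESS and authenticator.forward_data(b"ip packet")


def demo() -> tuple:
    """Constructed credentials: one correct supplicant, one wrong secret, one unknown user."""
    server = AuthenticationServer({"alice@example.test": b"correct horse battery"})
    good = authenticate(Supplicant("alice@example.test", b"correct horse battery"), Authenticator(server))
    bad = authenticate(Supplicant("alice@example.test", b"wrong"), Authenticator(server))
    unknown = authenticate(Supplicant("mallory@example.test", b"x"), Authenticator(server))
    return good, bad, unknown


if __name__ == "__main__":
    print(demo())
```

Note that the server issues a challenge even for an unknown identity and only fails at step 4, so the exchange does not reveal which usernames exist, and that the authenticator's port flips to authorized solely on the server's EAP-Success; until then only EAP passes.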

IEEE 802.1X

Although 802.1X is often used for port-based network access control on the LAN, especially VLANs, it can also be used with VPNs as a way of remote authentication. Central connecting devices such as switches and wireless access points remain the same, but on the client side 802.1X would need to be configured on a VPN adapter instead of a network adapter.

Many vendors, such as Intel and Cisco, refer to 802.1X with a lowercase x; however, the IEEE displays this on its website with an uppercase X, as does the IETF. The protocol was originally defined in 2001 (802.1X-2001) and then redefined in 2004 and 2010 (802.1X-2004 and 802.1X-2010, respectively).

Remote Authentication Dial-In User Service (RADIUS) Federation

The RADIUS protocol is covered in more detail in Chapter 24, “Implementing Authentication and Authorization Solutions.” This section focuses specifically on a Remote Authentication Dial-In User Service (RADIUS) federation, which is used when an organization has multiple RADIUS servers—possibly on different networks—that need to communicate with each other in a safe way. Communication is accomplished by creating trust relationships and developing a core to manage those relationships as well as the routing of authentication requests. It is often implemented in conjunction with 802.1X. This federated network authentication could also span between multiple organizations.

Methods

WEP is the weakest type of encryption. WPA is stronger, and WPA2 is the strongest of the three. However, it is better to have WEP as opposed to nothing. If this is the case, you should use encryption keys that are difficult to guess and should consider changing those keys often. Some devices can be updated to support WPA, whether through a firmware upgrade or through the use of a software add-on. Figure 20-4 shows a typical WAP with WPA2 and AES configured; AES is the cipher type.

Three screens show wireless security configuration on a typical access point.

FIGURE 20-4 Wireless Security Configuration on a Typical Access Point

The preshared key (PSK) used to enable connectivity between wireless clients and the WAP is a complex passphrase. PSK is automatically used when you select WPA2-Personal in the Security Mode section. The other option is WPA2-Enterprise, which uses a RADIUS server in this WAP. So, if you ever see the term WPA2-PSK, this means that the WAP is set up to use the WPA2 protocol with a preshared key, and not an external authentication method such as RADIUS.

Open Wi-Fi networks are considered insecure and require that a protection mechanism be used to supplement them. VPN connections are meant to be secure sessions accomplished through an encrypted tunnel. They are best secured in a wired environment, but sometimes a wireless VPN connection is required. Some devices offer this connection but in an inherently insecure manner; this is known as VPN over open wireless, with “open” being the operative word, meaning insecure and unencrypted. In most business scenarios, this type of connection is unacceptable and should be scanned for with a wireless scanning utility. Just the presence of a VPN is not enough; some kind of encryption is necessary, whether it be Point-to-Point Tunneling Protocol (PPTP), IPsec, or another secure protocol.

For example, in a standard Cisco wireless VPN configuration, the wireless client initiates a tunnel to a VPN server (a Cisco router), but it is done in a pass-through manner via a wireless LAN (WLAN) controller. (A Lightweight Access Point is often also part of the solution.) It’s the router that must be set up properly, and in this scenario IPsec should be installed and configured. That enables the encryption of session data between the wireless client and WLAN controller.

In other scenarios, especially in smaller offices/home offices, a single device will act as an all-in-one solution. Though wireless VPN connections are uncommon in SOHO environments, this solution presents only a single layer of defense, and you can easily forget to initiate the proper encryption. There are many authentication mechanisms and possibilities, and several ways to encrypt the session. The key here is to remember to have clients authenticate in a secure manner and to handshake on an encryption protocol that will protect the data.

The Wireless Transport Layer Security (WTLS) protocol is part of the Wireless Application Protocol (WAP) stack used by mobile devices. It enables secure user sessions—for instance, banking transactions—using algorithms such as RSA, ECC, Triple DES, and MD5 or SHA.

Wi-Fi Protected Setup

Wi-Fi Protected Setup (WPS) is a security vulnerability. Although it was created originally to give users easy connectivity to a wireless access point, later all major manufacturers suggested that it be disabled (if possible). In a nutshell, the problem with WPS was the eight-digit code. It effectively worked as two separate smaller codes that collectively could be broken by a brute-force attack within hours.

There isn’t much that can be done to prevent the problem other than disabling WPS altogether in the WAP’s firmware interface or, if WPS can’t be disabled, upgrading to a newer device. In summary, WPS is a deprecated and insecure technology that should not be allowed on a wireless network.

Captive Portals

Have you ever stayed at a hotel or gone to a coffee shop that had free Wi-Fi? What happens when you use that wireless network? Chances are you are redirected to a web page that asks for authentication prior to normal Internet use. Quite often you will have to create an account with a username (usually an email address) and password, which is authenticated through email. This is an example of a captive portal. So, the captive portal method forces the HTTP client (for instance, a web browser) of the wireless device to authenticate itself via a web page. The redirection could occur as HTTP or as DNS. Quite often, it is done through basic TLS-secured HTTPS web pages. This process can often be circumvented with the use of a packet sniffer such as Wireshark. To avoid this potential hazard, an organization can opt for extended or multifactor authentication. Many free, one-time charge, and subscription-based applications are available for an organization to use with Windows and Linux-based platforms. The whole point of the technology is to be able to track users who access the free wireless network. If a user performs any suspect actions, that user can be traced by way of email address, IP address, and MAC address, in addition to other means if multifactor authentication is used.

Installation Considerations

Strategic wireless access point (WAP) placement is vital. That is why it is essential to perform a site survey before deploying wireless equipment. A site survey is typically performed using a variety of Wi-Fi Analyzer tools to produce a heat map of all wireless activity in the area. This map will help determine the best placement for access points. Usually, the best place for a WAP is in the center of a building. This way, equal access can be given to everyone on the perimeter of the organization’s property, and there is the least chance of the signal bleeding over to other organizations. If needed, you can attempt to reduce the transmission power levels of the antenna, which can reduce the broadcast range of the WAP. Also, to avoid interference in the form of EMI or RFI, you should keep WAPs away from any electrical panels, cables, devices, motors, or other pieces of equipment that might give off an electromagnetic field. If necessary, you can shield a device creating the EM field or shield the access point itself.

To really know how to best arrange and secure your wireless connections, you need to understand the different wireless systems and antenna types available. The most common wireless system is point-to-multipoint. This system is commonly used in WLANs where a single central device (such as a SOHO wireless router) will connect to multiple other wireless devices that could be located in any direction. Specifically, it makes use of omnidirectional antennas such as vertical omnis, ceiling domes, and so on. A typical wireless router might have two, three, four, or more vertical omnidirectional antennas. For example, with the introduction of 802.11ax, otherwise known as Wi-Fi 6, we see wireless access points and routers utilizing up to eight antennas. This is due in part to the fact that 802.11ax works on both 2.4-GHz and 5-GHz frequency bands.

With the constant innovation in wireless technology, we also see the introduction of technologies such as Multi-User Multiple Input, Multiple Output (MU-MIMO), which utilizes a mechanism called beamforming for transmitting and receiving signals. This helps greatly increase the efficiency of the range. Although the technology continues to evolve, the placement of the WAPs and deployment of the antennas is still similar. Antennas can be rotated so that they are parallel to each other, or at an angle to each other; for example, 180 degrees is often a good configuration to, in essence, “sweep” the area for wireless transmissions. However, you might choose a different method. For example, you might have 100 computers on one floor and two WAPs to work with. The best method might be to position them at vertical angles from each other. One would be in the building’s northeast corner and the other in the southwest corner. Then, each set of three antennas could be positioned in a 90-degree sweep as shown in Figure 20-5. As long as the building isn’t larger than the range of the antennas, this setup should allow for excellent wireless coverage.

An illustration representing wireless point-to-multipoint layout shows two routers, two computers, and a building.

FIGURE 20-5 Wireless Point-to-Multipoint Layout

Addressing channel overlaps by channel selection and channel width selection can impact performance and security as well. In this case, 5-GHz frequency bands usually offer better performance than 2.4-GHz bands, but both can be monitored over the air by attackers. Some WAPs can be set to autoconfigure, seeking the least-used wireless frequencies/channels, which can be great for performance but might be a security risk. Consider using less common channel numbers and perhaps a narrower channel—for example, 40 MHz instead of 80 MHz for 802.11ac. And remember to reduce antenna power levels as much as possible. Once again, you must test carefully, and then balance performance and security for optimal organization efficiency.
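The following Python example, added here and not from the book, does the 2.4-GHz channel-overlap arithmetic behind a channel plan: which channels overlap a given one, the largest non-overlapping set for a given channel width, and the least-interfered choice given a neighbour scan of the kind a Wi-Fi analyzer produces. Centre frequencies follow the 802.11 channel plan (2407 + 5n MHz for channels 1 through 13, 2484 MHz for channel 14); the 22-MHz channel width and the neighbour counts are constructed assumptions for the demo.

```python
"""Added example: 2.4-GHz channel overlap and least-interference channel selection."""

CHANNEL_WIDTH_MHZ = 22   # assumption: classic DSSS width; 20 MHz (OFDM) narrows overlap by one channel

# Constructed neighbour scan: channel -> number of neighbouring access points heard on it
SAMPLE_SCAN = {1: 3, 6: 1, 11: 0}


def center_frequency_mhz(channel: int) -> int:
    """Centre frequency from the 802.11 2.4-GHz channel plan."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a: int, b: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < width_mhz


def overlapping_channels(channel: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> set:
    """All channels (including itself) whose spectrum overlaps the given channel."""
    return {c for c in range(1, 15) if channels_overlap(channel, c, width_mhz)}


def non_overlapping_set(width_mhz: int = CHANNEL_WIDTH_MHZ, channels=range(1, 14)) -> list:
    """Greedy walk up the band keeping each channel that overlaps none already kept."""
    kept = []
    for c in channels:
        if all(not channels_overlap(c, k, width_mhz) for k in kept):
            kept.append(c)
    return kept


def interference_score(channel: int, neighbours: dict, width_mhz: int = CHANNEL_WIDTH_MHZ) -> int:
    """Number of neighbouring APs whose channel overlaps the candidate channel."""
    return sum(count for ch, count in neighbours.items()
               if channels_overlap(channel, ch, width_mhz))


def best_channel(neighbours: dict, candidates=(1, 6, 11), width_mhz: int = CHANNEL_WIDTH_MHZ) -> int:
    """Least-interfered candidate; ties go to the lowest channel number."""
    return min(candidates, key=lambda c: (interference_score(c, neighbours, width_mhz), c))


def plan(neighbours: dict = SAMPLE_SCAN) -> dict:
    """Summarise the scan: interference per candidate and the recommended channel."""
    scores = {c: interference_score(c, neighbours) for c in non_overlapping_set()}
    return {"scores": scores, "recommended": best_channel(neighbours)}


if __name__ == "__main__":
    print(plan())
```

With the constructed scan, channel 1 scores 3, channel 6 scores 1, and channel 11 scores 0, so 11 is recommended; the same functions with a 20-MHz width return the four-channel set 1, 5, 9, 13 used where channel 13 is permitted, which is why the width you choose changes the plan as much as the channel numbers do.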

As we discussed in the previous section, 802.11ax is one of the most innovative wireless technologies to date. It is quickly becoming the most widely used for corporate and home use cases. One of the major advantages to 802.11ax is its increased efficiency and speed. However, it also has made enhancements in addressing channel congestion utilizing a new channel-sharing technique that takes advantage of a technology called orthogonal frequency-division multiple access (OFDMA). For more details about this technology, visit www.cisco.com/c/en/us/products/collateral/wireless/white-paper-c11-740788.html.

In some more simplistic point-to-point wireless systems, only two points need to be connected; these points are usually fixed in location. In this case you would use directional antennas—for example, a parabolic antenna (dish) or a Yagi antenna.

Whatever you implement, it’s a good idea to perform a wireless site survey. There are three kinds of wireless surveys you might perform, each with its own purpose, and all of which are usually based on software that collects WLAN data and signal information (though hardware can also be used to measure radio frequencies):

  • A passive site survey listens to WLAN traffic and measures signal strength.

  • An active survey actually sends and receives data to measure data transfer rate, packet loss, and so on.

  • A predictive survey is a simulated survey based on real data such as the WAP to be used, the distance between the average computer and WAP, and so on.

Surveys can be instrumental in uncovering nonaggressive interference such as neighboring radio waves and electrical equipment (RFI and EMI, mentioned earlier).

One of the tools used most commonly in site surveys is a Wi-Fi Analyzer. Wi-Fi Analyzers come in many forms. Some are hardware devices that are purpose built to analyze the wireless signals in an area. Or they can simply be a piece of software that runs on a laptop and works in conjunction with the wireless adapter either built into the laptop or a third-party adapter that connects via USB. The main purpose of the Wi-Fi Analyzer is to give you a picture of the signal and channel saturation in the area you are surveying. From a security perspective, you can also use it to create a heat map of where your Wi-Fi network signals are able to reach.
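As an added example (not the book's code and not any analyzer product's), the following Python predictive survey covers both the placement and power discussion at the start of this section and the predictive survey and heat map just described: it models received signal strength on a grid with a log-distance path-loss model, renders the heat map, counts cells outside the perimeter that still receive a usable signal (bleed) and cells inside that do not (coverage holes), and finds the highest transmit power that keeps the signal inside a margin around the building. Building dimensions, the 40-dB loss at 1 m, the path-loss exponent of 3.0, and the -70 dBm usable threshold are constructed assumptions; a real survey replaces the model with measured RSSI.

```python
"""Added example: predictive heat map for WAP placement and transmit-power tuning."""
import math

PATH_LOSS_AT_1M_DB = 40.0      # assumption: free-space loss 1 m from a 2.4-GHz radio
PATH_LOSS_EXPONENT = 3.0       # assumption: indoor exponent (walls and furniture)
USABLE_SIGNAL_DBM = -70.0      # assumption: below this a client cannot use the network


def rssi_dbm(tx_power_dbm: float, distance_m: float, n: float = PATH_LOSS_EXPONENT) -> float:
    """Log-distance path loss: received power drops 10*n dB per decade of distance."""
    d = max(distance_m, 1.0)   # the model is only defined from 1 m outward
    return tx_power_dbm - (PATH_LOSS_AT_1M_DB + 10.0 * n * math.log10(d))


def survey(ap_xy, tx_power_dbm, building_wh, margin_m=10.0, step_m=5.0,
           threshold_dbm=USABLE_SIGNAL_DBM) -> dict:
    """Predictive survey over a grid covering the building plus a margin around it.

    Returns the RSSI grid and two counts: 'bleed' (cells outside the building with
    usable signal) and 'uncovered' (cells inside the building without it)."""
    ax, ay = ap_xy
    width, depth = building_wh
    nx = int(round((width + 2 * margin_m) / step_m)) + 1
    ny = int(round((depth + 2 * margin_m) / step_m)) + 1
    bleed = uncovered = 0
    grid = []
    for j in range(ny):
        y = -margin_m + j * step_m
        row = []
        for i in range(nx):
            x = -margin_m + i * step_m
            level = rssi_dbm(tx_power_dbm, math.hypot(x - ax, y - ay))
            inside = 0 <= x <= width and 0 <= y <= depth
            usable = level >= threshold_dbm
            bleed += int(usable and not inside)
            uncovered += int(inside and not usable)
            row.append(level)
        grid.append(row)
    return {"bleed": bleed, "uncovered": uncovered, "grid": grid}


def render(grid, threshold_dbm=USABLE_SIGNAL_DBM) -> str:
    """ASCII heat map: '#' strong (20 dB above threshold), '+' usable, '.' unusable."""
    def symbol(level):
        if level >= threshold_dbm + 20:
            return "#"
        return "+" if level >= threshold_dbm else "."
    return "\n".join("".join(symbol(v) for v in row) for row in grid)


def max_power_without_bleed(ap_xy, building_wh, powers=range(20, -1, -1), **survey_kwargs):
    """Highest transmit power (dBm) whose usable signal stays inside the margin; None if none does."""
    for p in powers:
        if survey(ap_xy, p, building_wh, **survey_kwargs)["bleed"] == 0:
            return p
    return None


if __name__ == "__main__":
    ap, building = (20.0, 15.0), (40.0, 30.0)   # constructed: AP centred in a 40 m x 30 m floor
    for power in (20, max_power_without_bleed(ap, building)):
        result = survey(ap, power, building)
        print(f"tx {power} dBm: bleed={result['bleed']} uncovered={result['uncovered']}")
        print(render(result["grid"]))
```

With the AP centred in the constructed 40 m by 30 m floor, 20 dBm gives full inside coverage but usable signal well past the walls, while the highest power with no bleed leaves the corners uncovered; the two counts make the performance-versus-leakage trade-off the section describes explicit, and a second AP or a directional antenna, rather than more power, is the usual answer to the holes.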

Surveys can also be used to locate aggressive jamming techniques often caused by wireless signal jammers. A signal jammer can easily be purchased online and can be used to initiate a denial-of-service attack on the wireless network. This attack is made by creating random noise on the channel used by the WAP or by attempting to short out the device with powerful radio signals. The right wireless software (such as inSSIDer or Paessler PRTG) can be used to locate signal jammers in or around your building so that you can remove them. Wireless software can also be used to identify potential wireless replay attacks that might exist within the network infrastructure.

Many WAPs come with a built-in firewall. If the firewall is utilized, the stateful packet inspection (SPI) option and NAT filtering should be enabled. The WAP might also have the capability to be configured for MAC filtering (a basic form of network access control), which can filter out which computers can access the wireless network. The WAP does this by consulting a list of MAC addresses that have been previously entered. Only the network adapters with those corresponding MAC addresses can connect; no one else can join the wireless network. In some cases, a device might broadcast this MAC table. If this is the case, look for an update for the firmware of the WAP and, again, attempt to fine-tune the broadcast range of the device so that it does not leak out to other organizations. Because MAC filtering and a disabled SSID can be easily circumvented using a network sniffer, it is very important to also use strong encryption and possibly consider other types of network access control (such as 802.1X) and external authentication methods (such as RADIUS).

Some WAPs also support isolation. AP isolation (also known as isolation mode) means that each client connected to the WAP will not be able to communicate with any other clients connected to the WAP. Each client can still access the Internet (or other network that the WAP is connected to), but every wireless user will be segmented from the other wireless users.

It is also possible to include the IEEE 802.1X standard for port-based network access control that can provide for strong authentication. For a WAP to incorporate this kind of technology, it must also act as a router, which adds the duty of wireless gateway to the WAP.

Another option is to consider encryption technologies on the application layer, such as TLS, SSH, or PGP; these and others can help secure data transmissions from attackers who have already gained access to the wireless network. When it comes down to it, authentication and a strong wireless protocol such as WPA3 with AES are the two security precautions that will best help protect against network attacks.

Controller and Access Point Security

We previously mentioned wireless LAN controllers. If your organization has or needs multiple WAPs, a smart method is to wire them each to a WLAN controller. This device acts as a switch for all the WAPs, thus increasing data transfer speeds between them, and more importantly, centralizes the management of security options. Most of the WAP functionality is handed off to the controller. If this controller is physically stored in a server room or data center, the access to its functionality becomes inherently more secure (especially if a Faraday cage is implemented). In this scenario, the WAP devices are considered “thin access points” because of the reduced functionality. Contrast this to the typical “fat access point” that contains all functionality. Because the fat access point must be located close to users to be functional, it creates more potential for attackers to gain access to it. Most midsized companies and virtually all enterprise networks use WLAN controllers.

Finally, another option is to not run wireless at all. It’s tough to hack into a wireless network that doesn’t exist! This solution is typically seen only in very high security facilities such as government or the Department of Defense. However, if you decide to go down the antiwireless road, make sure that any devices that enable wireless access have those wireless functions disabled. This includes wireless access points, laptops, and other mobile devices that have wireless adapters, and any Bluetooth, infrared, or other wireless transmitters. The truth is, in today’s world of IoT devices, it is almost impossible to go without a wireless network. Although some IoT devices do have Ethernet ports, many do not offer one at all. The best approach to integrating IoT devices into your network is to segment them from mission-critical devices. It is well known and understood that many IoT devices do not have the most robust security built in and can increase the risk of compromise on your network.

Wireless Access Point Vulnerabilities

The wireless access point is the central connecting device for the wireless network adapters in PCs, laptops, handheld computers, mobile devices, and other systems. You need to secure any broadcasts the WAP makes and verify that its transmissions are protected with a strong encryption protocol. It is also important to watch for rogue access points and to identify any unknown devices that have attached themselves to your network. Many wireless controllers can identify rogue access points that are in range and let you label them as friendly or malicious. A friendly access point is one you know about, such as a neighbor’s or another company’s in your general area. Some access points, however, may be compromised or attacker-controlled devices used to deauthenticate your clients and spoof your network’s SSID (an “evil twin”). Such an attack places the rogue access point on-path as a man in the middle, where it can harvest credentials and sniff traffic. Because an evil twin copies your SSID, identify access points by BSSID (the radio’s MAC address) against your inventory rather than by network name alone. By labeling unknown rogue access points as malicious, you protect your clients from connecting to them. Be careful, though, not to label a genuinely friendly access point as malicious. You might just upset a neighbor that way.
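The rogue-detection logic described above can be reproduced outside a controller. The following is an added example (not code from this chapter or from any vendor’s controller): it parses a scan listing written in the layout of `iw dev wlan0 scan` output, then labels each BSS as authorized, friendly, or malicious against an inventory of our own WAPs. The scan text, the inventory BSSIDs, the SSID names, and the expectation that our WLAN always uses 802.1X are all constructed assumptions of the example.

```python
"""Rogue access point triage from a Wi-Fi scan.

Added example, not code from the original chapter. Parses constructed
`iw dev wlan0 scan`-style text and labels each BSS against a hypothetical
inventory of our own WAPs, the way a WLAN controller's rogue detection does.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical inventory: BSSID of each WAP we own -> SSID it may broadcast.
AUTHORIZED_BSSIDS = {
    "00:11:22:aa:bb:01": "CorpNet",
    "00:11:22:aa:bb:02": "CorpNet",
}
OUR_SSIDS = set(AUTHORIZED_BSSIDS.values())
EXPECTED_AUTH = "IEEE 802.1X"  # assumption: our WLAN is Enterprise, never open/PSK

# Constructed scan text (not a real capture). BSS 1 and 4 are ours; BSS 2 copies
# our SSID from an unknown BSSID with no RSN element (an open evil twin); BSS 3 is
# a neighbour's PSK network that is not impersonating us.
SAMPLE_SCAN = """\
BSS 00:11:22:aa:bb:01(on wlan0) -- associated
    freq: 5180
    signal: -41.00 dBm
    SSID: CorpNet
    RSN:     * Version: 1
         * Authentication suites: IEEE 802.1X
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 2412
    signal: -35.00 dBm
    SSID: CorpNet
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2437
    signal: -72.00 dBm
    SSID: CoffeeShop-Guest
    RSN:     * Version: 1
         * Authentication suites: PSK
BSS 00:11:22:aa:bb:02(on wlan0)
    freq: 5220
    signal: -58.00 dBm
    SSID: CorpNet
    RSN:     * Version: 1
         * Authentication suites: IEEE 802.1X
"""

_BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})")


@dataclass
class AccessPoint:
    bssid: str
    ssid: str = ""
    freq: int = 0
    signal_dbm: float = 0.0
    auth: str = "OPEN"  # stays OPEN when the BSS advertises no RSN element


def parse_iw_scan(text: str) -> list[AccessPoint]:
    """Turn `iw ... scan`-style text into one AccessPoint per BSS block."""
    aps: list[AccessPoint] = []
    cur: AccessPoint | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _BSS_RE.match(line)
        if m:
            cur = AccessPoint(bssid=m.group(1).lower())
            aps.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("SSID: "):
            cur.ssid = line[len("SSID: "):]
        elif line.startswith("freq: "):
            cur.freq = int(line.split()[1])
        elif line.startswith("signal: "):
            cur.signal_dbm = float(line.split()[1])
        elif "Authentication suites:" in line:
            cur.auth = line.split("Authentication suites:", 1)[1].strip()
    return aps


def classify(ap: AccessPoint) -> tuple[str, str]:
    """Label one BSS by BSSID (not SSID) and give the reason an operator wants."""
    expected_ssid = AUTHORIZED_BSSIDS.get(ap.bssid)
    if expected_ssid is not None:
        if ap.ssid == expected_ssid and ap.auth == EXPECTED_AUTH:
            return "authorized", "BSSID in inventory; SSID and 802.1X as expected"
        # Our BSSID but wrong SSID or auth: misconfiguration or a BSSID spoof.
        return "malicious", f"inventory BSSID with unexpected SSID/auth ({ap.ssid!r}, {ap.auth})"
    if ap.ssid in OUR_SSIDS:
        # Our SSID from a BSSID we do not own: the evil-twin case in the text.
        return "malicious", f"our SSID from unknown BSSID (auth={ap.auth}, {ap.signal_dbm} dBm)"
    return "friendly", "unknown SSID, not impersonating us"


def triage(scan_text: str) -> dict[str, str]:
    """Map BSSID -> label for every BSS in the scan text."""
    return {ap.bssid: classify(ap)[0] for ap in parse_iw_scan(scan_text)}


if __name__ == "__main__":
    for ap in parse_iw_scan(SAMPLE_SCAN):
        label, reason = classify(ap)
        print(f"{ap.bssid}  {ap.ssid:<18} {label:<10} {reason}")
```

The decision is keyed on the BSSID found in your inventory, which is the point of the text: a spoofed network carries your SSID, so name matching alone would mark the evil twin as yours. A real deployment would feed live scan output in place of the constructed text and keep the inventory in the controller or an asset database.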

Chapter Review Activities

Use the features in this section to study and review the topics in this chapter.

Review Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 20-2 lists these key topics and the page number on which each is found.

Table 20-2 Key Topics for Chapter 20

Key Topic Element   Description                                                Page Number
Paragraph           Cryptographic protocols                                    551
Figure 20-2         An 802.1X-enabled network adapter in Windows               554
Figure 20-3         Components of a typical 802.1X authentication procedure    555
Figure 20-4         Wireless security configuration on a typical access point  557
Paragraph           Installation considerations                                559
Figure 20-5         Wireless point-to-multipoint layout                        560

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

Wi-Fi Protected Access 2 (WPA2)

Wi-Fi Protected Access 3 (WPA3)

Simultaneous Authentication of Equals (SAE)

IEEE 802.1X

Extensible Authentication Protocol (EAP)

EAP-TLS

EAP-TTLS

EAP-FAST

Protected Extensible Authentication Protocol (PEAP)

Remote Authentication Dial-In User Service (RADIUS) federation

preshared key (PSK)

Wi-Fi Protected Setup (WPS)

wireless access point (WAP) placement

site survey

Wi-Fi Analyzer

heat map

Review Questions

Answer the following review questions. Check your answers with the answer key in Appendix A.

1. What is one of the key enhancements in WPA3 and a replacement for PSK?

2. What type of EAP authentication uses the protected access credential?

3. What encryption protocol addresses some of the vulnerabilities of TKIP?

4. Which component of 802.1X is a software client?

5. Which component of 802.1X is an access point or switch?

6. Which tool can be used to get a visual picture of Wi-Fi channel saturation?

7. Which encryption protocol is used with WPA2 and WPA3?
