Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Index

A
AAA Server, 103, 118
acceptable use policies (AUPs), captive portals for, 165–166
access control, for captive portal processes, 167
access control lists (ACLs), 22–23
access hardware, 496
Access Rights Planner, 262–267
accounting, 122
ad-hoc networks
- about, 384
- blocking, 341–342

administrative access and authentication, controlling, 296–301
administrative users, authentication of, 26
AES-256-GCM, 83
AirMagnet Planner, 413
alerting
- best practices, 416–424
- configuring, 313–314

analyst roles, 7–8
Apple AirDrop, 391
Apple MacOS, Fast Transition support and, 199
Apple Wireless Direct Link (AWDL), 344
appliance-based PEPs, 461
application owners, 232
Application Programming Interface (API), 176
application protocols (APs)
- addressing default behavior, 325
- allowlisting, 322–323
- approving, 322–323
- authenticating, 326–327
- authorized, 392
- changing default credentials on, 295
- controlling ports in publicly accessible areas, 326
- enabling secure tunnels from, 324–325
- external, 393
- honeypot, 393
- impersonation, 385
- management VLAN, 186
- misconfigured, 384
- neighbor, 393
- placement of, as a planning and design output, 244
- port uplink redundancy, 204–205
- provisioning
  - about, 321–325
  - DHCP for, 185–186
  - DNS for, 179
- quantities of, 269–270
- remote hardware, 41–42
- replacement of, 269
- rogue, 392
- securing, 321–325, 332–334
- spoofing, 385–386
- using certificates for, 324

applications, as a planning and design input, 240
Architect stage, in Design for Six Sigma (DFSS), 224–225
architectures
- about, 531–532
- determining length of WPA3-Personal passphrases, 555–558
- for guest/Internet-only networks, 551–555
- for internal access networks, 531–551

Aruba Networks, 80, 115, 299, 325, 383, 407, 440
assessments. See testing and assessments
association states, 95
asymmetric-key algorithms, 28
authentication and authorization
- about, 23–24, 101
- access control for captive portal processes, 167
- of administrative users, 26
- best practices
  - for using certificates for 802.1X, 152–158
  - for using certificates for captive portals, 159–162
- captive portals
  - for acceptable use policies, 165–166
  - for BYOD, 166–167
  - for payment gateways, 167
  - security of, 163–167
  - server certificates, 158
  - for user/guest registration, 163–165
- certificates for authentication, 148–163
- change of authorization, 123–127
- of devices, 25–26
- disconnecting messages, 123–127
- EAP support, 132
- EAP-FAST, 130
- EAP-GTC, 135–136
- EAP-MSCHAPv2, 135
- EAP-PEAP, 129–130
- EAP-POTP, 136–137
- EAP-TEAP, 131
- EAP-TLS, 134–135
- EAP-TTLS, 130
- endpoint device certificates for 802.1X, 151–152
- 4-Way Handshake in Wi-Fi, 168–171
- IEEE 802.1X standard, 102–107
- in InfoSec, 24
- inner authentication methods, 133–137
- LDAP authentication for Wi-Fi, 168
- legacy EAP methods, 137–138
- logging/accounting, 122
- MAC authentication bypass with RADIUS, 140–147
- MAC authentication without RADIUS, 147
- MAC filtering and denylisting, 147–148
- Mac-based authentication, 140–148
- network access control (NAC) products, 108–110
- outer EAP tunnels, 129–132
- as a planning and design output, 244
- RADIUS
  - accounting, 122–123
  - attributes, 111–114
  - clients, 118–119
  - policies, 116–118
  - security, 121
  - server certificates for 802.1X, 148–151
  - servers, 107–110, 118–121
  - shared secrets, 120
  - vendor-specific attributes, 115–116
- recommended EAP methods for secure Wi-Fi, 138–140
- relationship of RADIUS, EAP, and infrastructure devices, 110–111
- securing tunneled EAP, 132–133
- security on open vs. enhanced open networks, 167
- server certificate, 121
- of servers, 26
- unsecured EAP methods, 137–138
- user directories, 121
- of users, 24–25
- of wireless infrastructure components, 26–27

authentication and key management (AKM) suites, 79–80
Authentication Server, 103
authorization. See authentication and authorization
authorized AP, 392
automated responses, configuring, 313–314
availability
- high, 203, 204
- in secure wireless architecture, 13

B
backups, managing, 309–313
bandwidth, as an IoT consideration, 467
baselines, configuration, 312
basic service set identifiers (BSSIDs), 188–189
battery life, as an IoT consideration, 466
best practices
- for using certificates for 802.1X, 152–158
- for using certificates for captive portals, 159–162

blocking
- ad-hoc networks, 341–342
- SSID inter-station, 344–346
- wireless bridging on clients, 342–344

Bluetooth, 470–475
Bluetooth Impersonation Attack (BIA), 474
Bluetooth Low Energy (BLE), 470–475
Bonjour, 347–350
Border Gateway Protocol (BGP), 217
BrakTooth, 473–474
bridged communications, controlling, 339–353
bring your own device (BYOD)
- about, 278–279
- as an emergent trend, 445–455
- captive portals for, 166–167
- defining in your organization, 259–261, 448–449
- with internal access, 547–549
- with Internet-only access, 553–555
- legal considerations for, 449–451
- policies for, 446
- recommendations for securing, 452–455
- technical considerations for securing, 451–452

broadcast
- de-authentication and disassociation, 387
- DHCP through, 183

broadcast integrity protocol (BIPP), 318–319

C
California Consumer Protection Act (CCPA), 17
Called-Station-ID, 112
Calling-Station-ID, 112
campus environments, 38
captive portals
- about, 26
- for acceptable use policies, 165–166
- access control for, 167
- best practices for using certificates for, 159–162
- for BYOD, 166–167
- DNS for, 177–179
- for payment gateways, 167
- security of, 163–167
- server certificates, 158
- for user/guest registration, 163–165

cellular LANs, 481–499, 541
cellular technology, 480, 559–561
Center for Internet Security (CIS), 18
central monitoring and alerting, 379–383
certificate signing request (CSR), 151
certificates
- about, 186–187
- for authentication, 148–163
- generating for encrypted management, 283–287
- using for APs, 324

Certified Wireless IoT Connectivity Professional (CWICP), 434
Certified Wireless IoT Design Professional (CWIDP), 434
Certified Wireless IoT Integration Professional (CWIIP), 434
Certified Wireless IoT Solutions Administrator (CWISA), 434
Certified Wireless Network Professionals (CWNP), 433, 436
CFRS, 404
change management, 309–313
change of authorization (CoA), 123–127
Characterize phase, in Design for Six Sigma (DFSS), 224
Chief Executive Officer (CEO), 6–7
Chief Information Officer (CIO), 6–7
Chief Information Security Officer (CISO), 6–7, 231
Chief Security Officer (CSO), 6–7
Chief Technology Officer (CTO), 6–7
choose your own device (CYOD) model, 446–447
cipher suites, 79–80
Cisco, 115, 299, 325, 383
Cisco Discovery Protocol (CDP), 213–215
classification, endpoints and, 239
ClearPass Policy Manager (CPPM), 299
client spoofing, 386
clients
- blocking wireless bridging on, 342–344
- credential sharing and porting, 360–362
- with interfaces bridges, 388–390
- with invalid MAC address, 386–387
- misassociation of, 390–391
- RADIUS, 118–119
- requiring DHCP for, 359–360
- rogue, 384

cloaking SSIDs, 356–359
closed box test, 375
cloud native products, 459
CloudExtreme, 299
cloud-managed edge architectures, 440–441
cloud-routed products, 459
Commercial National Security Algorithm (CNSA), 82
common vulnerabilities and exploits (CVEs), 370–372
community, as resources, 436
company-owned, business use only (COBO), 447
company-owned, personally enabled (COPE) devices, 447
compliance
- regulations for, 17–19
- resources on, 525–528

compliance officer, 231
CompTIA Security+, 435
conferences, as resources, 436
confidentiality, in secure wireless architecture, 13–14
configurations, managing, 309–313
connectivity, issue of, 41
Connectivity Standards Alliance, 475
consultants, 271
consumerization, 339
contractors, 544–547
control plane security, 321–322
Controlled Port function, 106
credential vaulting, 301–303
credentials
- eliminating default, 293–296
- sharing and porting, 360–362

cryptography
- about, 27, 28–29
- cryptographic algorithms and hashes, 27–28
- cryptographic keys, 27
- key exchanges, 27
- key rotation, 27

current security policies, as a planning and design input, 235
cyber insurance, 528–529
cyber security training, 435
Cybersecurity Framework (CSF), 18
Cybersecurity Maturity Model Certification (CMMC), 6, 17, 369

D
data
- ownership/management of, 450
- privacy of, 451

data paths
- about, 56–57, 71
- bridged, 59–61
- controlling guest portals with DNS on wireless, 66–67
- filtering
  - with ACLs on routing devices, 68–70
  - with ACLs on wireless, 65–66
  - with inter-station blocking on wireless, 64–65
  - with network virtualization overlay on wired infrastructure, 71
  - with policies on firewalls, 70–71
  - with SSIDs/VLANs on wireless, 65
  - with VLANs on switches, 67–68
  - within wireless/wired infrastructures, 63–64
- hybrid models, 61–62
- models, 61–62
- as a planning and design output, 245
- role of ACLs/VLANs in segmentation, 62–63
- tunneled, 58–59

dedicated systems, 379–383
Defense Federal Acquisition Regulation Supplement (DFARS), 6
Define phase, in Design for Six Sigma (DFSS), 223–224
denial of service (DoS) attempts, 390
deployment architectures, 484
design. See planning and design
Design for Six Sigma (DFSS), 222–227, 254
Design phase, in Design for Six Sigma (DFSS), 225
devices, authentication of, 25–26, 469
DHCP services
- about, 180–181
- for AP provisioning, 185–186
- planning for Wi-Fi clients, 184–185
- requiring for clients, 359–360
- for Wi-Fi clients, 181–184

Diameter, 118
Diffie-Hellman Ephemeral Key Exchange (DHE), 83
digital signature algorithm (DSA), 83
direct routing, 506
directories, server settings for, 430–431
direct-routed products, 459–460
disconnecting messages, 123–127
Discover stage, in Design for Six Sigma (DFSS), 223–224
discovery protocols, 213–215
distribution of users, 37–43
DNS beaconing, 180
DNS cache poisoning, 180
DNS hijacking, 180
DNS services
- about, 177
- for AP provisioning, 179
- for captive portals, 177–179
- security of, 179–180
- for Wi-Fi clients, 177–179

DNS tunneling, 180
domain administrators, 232
domain services, as a planning and design output, 247
domain-issued certificates, for RADIUS servers, 154–156
downtime, scheduled, 203
dynamic routing protocols, 217

E
edge IP protocols, 505–506
edge ports, securing access to, 332–334
edge switch, 326, 329
e-discovery, 450
802.1AR, 285
802.1X
- about, 26, 29, 33–34, 35, 36, 77, 102–107, 327, 425–428
- best practices for using certificates for, 152–158
- configuring with Microsoft NPS, 513–520
- deciphering acronyms of 192-but Mode, 83–84
- endpoint device certificates for, 151–152
- enhancements with WPA3-Enterprise, 82
- history of, 105
- options for, 79–81
- planning Enterprise (802.1X) Secured SSIDs, 77–79
- RADIUS server certificates for, 148–151
- terminology in, 103–104
- WPA2 to WPA3-Enterprise Migration recommendations, 85–87
- WPA3-Enterprise 192-bit Mode, 82–83

802.1X Authenticator, 103
802.1X Supplicant, 103
802.11 standard, 32, 95, 272, 523–524
802.11R, 321
802.11w. See Wi-Fi Protected Access version 2 (WPA2); Wi-Fi Protected Access version 3 (WPA3)
Ekahau Pro, 413
elliptic curve cryptography (ECC), 84
Elliptic Curve Diffie-Hellman Ephemeral Key Exchange (ECDHE), 83
Elliptic Curve Digital Signature Algorithm (ECDSA), 83
emergent trends
- about, 439
- impacting wireless, 440–465

employee lifecycle, 451
encoding, 378–379
encrypted frames, 319
encrypted management protocols, enforcing, 283–293
endpoint device certificates, for 802.1X, 151–152
endpoints
- authentication of devices, 25–26
- capability requirements, as a planning and design output, 242–243
- configuring, 515–516
- as a planning and design input, 236–239
- that support 802.1X/EAP, 514–515

end-user support roles, 9
Enhanced Interior Gateway Routing Protocol (EIGRP), 217
enhanced open networks, changes in roaming facilitation with, 200–201
enterprise risk management, 16
Epiq Solutions, 404
executive leadership, 267–279
extended detection and response (XDR), 408, 409–410
Extensible Authentication Protocol (EAP)
- about, 103–104
- EAP-FAST (Flexible Authentication via Secure Tunnel), 130
- EAP-GTC (Generic Token Card), 135–136
- EAP-MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2), 135
- EAP-PEAP (Protected EAP), 129–130
- EAP-POTP (Protected One-Time Password), 136–137
- EAP-TEAP (Tunneled EAP), 131
- EAP-TLS (Transport Layer Security), 134–135
- EAP-TTLS (Tunneled Transport Layer Security), 130
- methods for authentication, 127–140
- Mutual Cryptographic Binding, 522
- securing tunneled, 132–133
- support for, 132
- unsecured methods, 137–138

external AP, 393
external server authentication, 328
Extreme Networks, 383
ExtremeCloud, 292

F
Fast BSS Transition, 197–198, 202
Fast Reconnect mechanism, 193–194
fast roaming technologies
- about, 193, 198–199
- changes in facilitation of, 200–201
- Fast BSS Transition, 197–198
- Fast Reconnect mechanism, 193–194
- opportunistic key caching (OKC), 196–197
- pairwise master key (PMK) caching, 194–196
- recommendations for, 201–202
- support for, 199–200

Fast Transition
- about, 190
- packet analysis of, 200
- support for, 199–200

Federal Energy Regulations Commission (FERC), 305
Federal Information Processing Standard (FIPS), 289
5G technology, 480
fixed environments, Fast Roaming and, 202
form factors
- about, 36
- as an IoT consideration, 466
- endpoints and, 236

Forrester, 274
Fortinet FortiAuthenticator, 299
4D (Discover, Design, Develop, and Deploy), 222
4-Way Handshake in Wi-Fi, 168–171
frameworks, 18–19
FreeRADIUS, 299

G
General Data Protection Regulation (GDPR), 17, 305
general-use networks, Fast Roaming and, 202
Google Transparency Report, 94
Group Policy, 156
groups, endpoints and, 239
guest networks, architectures for, 551–555
guest registration, captive portals for, 163–165

H
handheld testers, 410–412
hardening
- about, 281–282
- additional security configurations, 354–362
- best practices for tiered, 353–354
- controlling peer-to-peer and bridged communications, 339–353
- designing for integrity of infrastructure, 308–338
- securing management access, 282–308

hardware-based IDs, certificate tied to, 285
hash functions, 28, 314
hash-based message authentication code (HMAC), 83
headless devices, 36, 539–544
Health Insurance Portability and Accountability Act (HIPAA), 6, 369
help desk, 8–9, 232
hiding SSIDs, 356–359
home automation, 475–477
honeypot AP, 393
HTTPS, enabling, 287–288

I
IANS Research, 274
IBwave, 414
identification, in InfoSec, 24
identity and access management (IAM), 8, 231
illegal activity, 451
industrial automation, 501–502
InfoSec, 24
infrastructure devices, locking access to, 334–337
infrastructure hardening, as a planning and design output, 251
inner authentication methods, 133–137
inputs
- correlating to outputs, 252–253
- planning and design, 227–241

Institute of Electrical And Electronics Engineers (IEEE)
- about, 30–31
- standards and documents, 522–524

integrated systems, 379–383
integrators, 233
integrity
- designing for, 308–338
- in secure wireless architecture, 12–13

integrity, availability, and confidentiality (IAC) Triad, 11–14
integrity group transient key (IGTK), 318–319
internal access
- architectures for networks, 531–551
- BYOD/personal devices with, 547–549

internal domain CAs, certificates issued from, 286
International Telecommunication Union (ITU-R), 32
Internet Engineering Task Force (IETF)
- about, 31–32
- RFCs, 521–522

Internet of Things (IoT)
- about, 463
- considerations for, 466–467, 507–508
- enterprise technologies, 465–508
- LAN-based, 463–465, 468–470
- protocol-routed, 465
- protocol-translated, 465
- public cellular for, 477–481
- training and certification, 434

Internet-only networks, architectures for, 551–555
interoperability, 274–275
IP local connectivity, 506
IPv4, 505
IPv6, 216, 505
ISA100.11a, 501–502
(ISC)2 Systems Security Certified Practitioner (SSCP), 435
ISO 27001, 525–527
Iterate stage, in Design for Six Sigma (DFSS), 225–227

J
Juniper Mist web UI, 80, 117, 179, 299, 383
Just Works, 472–473

K
key exchanges
- about, 27
- on WPA-Enterprise networks, 191–193
- on WPA-Personal networks, 190–191

keys
- generating for encrypted management, 283–287
- rotating, 27

L
LAN-based IoT, 463–465, 468–470
latency-sensitive applications
- Fast Roaming and, 201
- roaming impact on, 189–190

layer 3 roaming mobility domains, 217
LDAP authentication, for Wi-Fi, 168
leased licensed spectrum, 489
legacy EAP methods, 137–138
legacy open authentication networks, 94–95
Let's Encrypt, 153
Link Layer Discovery Protocol (LLDP), 213–215
LLDP Media Endpoint Discovery (MED), 213–215
local area networks (LANs), 505
local server authentication, 328
location
- as an IoT consideration, 467
- endpoints and, 237

logging
- about, 122
- best practices, 416–424
- configuring, 313–314

loop protection, 216
LoRaWAN, 500–501
Low power WANs (LP-WANs), 272
low rate wireless personal networks (LR-WPANs), 272

M
MAC address
- about, 25
- authentication without RADIUS, 147
- binding APs to ports/switches with, 327–329
- filtering and denylisting, 147–148
- formatting, 429
- randomization, 159–161, 562–564

MAC Authentication Bypass (MAB)
- about, 327
- headless devices with, 541
- with RADIUS, 140–147
- settings for, 429–430
- supporting with 802.1X in medium-security networks, 537

MAC-based authentication
- about, 140–148
- headless devices with other, 543
- troubleshooting, 428–431

malformed packets and fuzzing, 388
managed user, with managed device, 533–539
management access
- about, 282–283
- additional considerations, 307–308
- addressing privileged access, 303–307
- controlling administrative access and authentication, 296–301
- eliminating default credentials and passwords, 293–296
- endpoints and, 237
- enforcing encrypted management protocols, 283–293
- securing shared credentials and keys, 301–303

management VLANs, creating, 299–300
mapping, resources on, 525–528
mDNS protocols
- about, 347–352
- supporting in medium-security networks, 537–538

mesh topology, 507
MetaGeek Wi-Spy +Chanalyze, 402
metropolitan area networks (MANs), 505
Microsoft NPS, configuring 802.1X with, 513–520
migration strategies, 76–77
misconfigured AP, 384
mobile device management (MDM), 25
modulation, 378–379
monitoring and maintenance
- about, 367
- alerting best practices, 416–424
- events
  - to alert on for immediate action, 419–422
  - to log for forensics or correlation, 417–419
  - to report on for analysis and trending, 422–424
- logging best practices, 416–424
- ongoing, 376
- penetration testing, 375–376
- reporting best practices, 416–424
- scheduled, 203–204
- security audits, 368–370
- security logging and analysis, 407–410
- security testing and assessments, 367–376
- synthetic testing and performance monitoring, 405–407
- tools for, 376–416
- training and resources, 432–437
- troubleshooting security, 424–432
- vulnerability assessments, 370–373
- wireless intrusion prevention systems (WIPS), 377–405
- wireless-specific tools, 410–416

Multicast DNS, 522
multi-factor authentication (MFA), 308

N
NAS-IP-Address, 111
NAS-Port, 112
NAS-Port-Type, 112
National Institute of Standards and Technology (NIST)
- about, 18
- NIST SP 800-53, 312, 314, 337, 525–527

neighbor AP, 393
NetAlly, 402, 413
NETCONF, 292–293
network access control (NAC)
- about, 33–34
- access for contractors, 546
- products for, 108–110

network architects, 4–5, 232
network closets, 331–332
network operations teams, 9, 232
Network Planning Template, 261–262
network protocol analyzers, 415
network security training, 435
network services
- as a planning and design output, 247
- for Wi-Fi, 173–187

Network Time Protocol (NTP), 175–176
network topology, 37–43, 502
neutral host networks (NHNs), 498–499, 560–561
“The New Future of Work” report, 442–443
NodeBs, 496
non-802.11 wireless technologies, 465–508
non-user-based devices, 36, 539–544
North American Energy Regulations Commission (NERC), 6, 305
numeric comparison, 472

O
onboarding, troubleshooting, 431
192-bit mode, 82–84, 85
on-prem products, 459–460
open authentication networks
- about, 94
- legacy, 94–95
- Wi-Fi enhanced, 95–98

Open Shortest Path First (OSPF), 217
Open Wi-Fi security, 34
operating system, endpoints and, 236–237
operations roles, 8–9
opportunistic key caching (OKC), 196–197
Opportunistic Wireless Encryption, 522
Optimize phase, in Design for Six Sigma (DFSS), 226–227
organizational risk, aligning wireless architecture security to, 14–16
organizational security requirements, as a planning and design input, 233–235
Orr, Stephen, 216
OUI Lookup Tool, 386
out of band (OOB) pairing, 472
outer EAP tunnels, 129–132
outputs
- correlating to inputs, 252–253
- planning and design, 241–251

overlay systems, 379–383
over-the-air mitigation, 398–400
ownership
- of devices, 37
- endpoints and, 237

P
packet analysis, of Fast Transition, 200
pairwise master key (PMK) caching (roam-back), 194–196
passkey entry, 472
passwords
- eliminating default, 293–296
- length and complexity of, 294
- security of, 307

patches, verifying software integrity for, 314–316
Payment Card Industry Data Security Standard (PCI DSS), 6, 17, 369, 528
payment gateways, captive portals for, 167
Payment Services II Directive (PSD2), 369
peer-based zero configuration networking, 346–347
peer-to-peer communications, controlling, 339–353
penetration testing, 375–376
performance monitoring, 405–407
personal area networks (PANs), 504
personal devices. See bring your own device (BYOD)
personal mode (passphrase with PSK/SAE), 87–93
personal networks, 73
personal (passphrase) Wi-Fi security, 35
physical layer, 503–504
physical security, planning, 331–337
planning and design
- about, 221–222
- correlating inputs to outputs, 252–253
- impacts of, 187–217
- inputs, 227–241
- methodology for, 222–227
- outputs, 241–251
- processes and templates, 254–267
- technical and executive leadership, 267–279

PMK Security Association (PMKSA) caching, 195
PMKID, 195–196
policies
- for RADIUS, 116–118
- role of, 19–21
- updates for, as a planning and design output, 250–251

Policy Decision Point (PDP), 456
Policy Enforcement Point (PEP), 456
Policy Matrix, 262
port entities, 104
portals, troubleshooting, 431
pre-shared keys (PSKs), 275–276
private cellular, 272, 481–499
private WANs, 499–501
privileged access
- about, 277–278, 303
- privileged access management (PAM), 305–307
- remote, 306–307
- securing privileged accounts and credentials, 303–305

privileged access management (PAM), 305–307
privileged accounts and credentials, securing, 303–305
procedures, role of, 19–21
processes
- constraints, as a planning and design input, 240
- planning, 254–267
- updates, as a planning and design output, 250–251

production networks, Fast Roaming and, 201
protected frame types, 318–319
Protected Management Frames (PMFs)
- benefits of, 75–76
- troubleshooting, 431–432

protocol-routed Internet of Things (IoT), 465
protocols
- disabling unused, 337–338
- wireless, 30–34

protocol-translated IoT, 465
proxy, DHCP through, 183
public cellular, for IoT, 477–481
Public Key Infrastructure (PKI)
- about, 25
- certificates issued from, 286

public root CAs
- about, 159
- certificates issued from, 286

public/private key pairs, keys generated on devices using, 286

Q
Qualified Security Assessors (QSAs), 17
quantities, endpoints and, 238

R
radio resource management (RRM) protocols, 205–206
radios, 378–379
RADSEC, 118, 121
rate limiting Wi-Fi, 208–213
registration, troubleshooting, 431
regulatory requirements, 17–19
Regulatory Technical Standards for Secure Customer Authentication (RTS SCA), 369
remote AP hardware, 41–42
Remote Authentication Dial-In User Service (RADIUS)
- about, 26, 104, 297–299
- accounting for, 122–123
- attributes for, 111–114
- Attributes for IEEE 802 Networks, 522
- authentication server that supports, 517–520
- clients, 118–119
- 802.1X/EAP and, 425–428
- MAC authentication bypass with, 140–147
- MAC authentication without, 147
- policies for, 116–118
- security for, 121
- server certificates for 802.1X, 148–151
- server settings, 430–431
- servers, 107–110, 118–121
- shared secrets, 120
- types, 522
- vendor-specific attributes, 115–116

remote branch environments, 39
remote Wi-Fi VPN Client, 42–43
remote worker environments, 40–41
remote workforce, as an emergent trend, 441–445
reporting
- best practices, 416–424
- configuring, 313–314

Requirements Discovery Template, 254–261
resiliency, system availability and, 203–205
resources
- blogs, 524
- book materials, 524
- compliance and mappings, 525–528
- consulting materials, 524
- cyber insurance and network security, 528–529
- IEEE standards and documents, 522–524
- IETF RFCs, 521–522
- Wi-Fi Alliance, 524

revocation lists, 157–158
RF capabilities, 36–37
RF design
- AP placement, channel, and power settings, 205–207
- as a planning and design output, 244
- rate limiting Wi-Fi, 208–213
- roaming and, 206
- survey software and, 412–415
- Wi-Fi 6E, 207–208

RF spectrums, 503–504
risk and compliance roles, 5–6
risk officer, 231
risk tolerance
- assigning level of, 15–16
- factors influencing, 15
- identifying, 14

Rivest-Shamir-Adleman (RSA), 83
roaming capabilities, endpoints and, 238
roaming protocols
- about, 188–189
- impact on latency-sensitive applications, 189–190
- on WPA-Enterprise networks, 191–193
- on WPA-Personal networks, 190–191

rogue AP, 384, 392
rogue client, 384
rogue detection, 355–356
roles and responsibilities
- about, 4
- Chief Information Security Officer, 6–7
- end-user support, 9
- help desk, 9
- identity and access management (IAM), 8
- network architects, 4–5
- network operations teams, 9
- risk and compliance, 5–6
- security operations/analyst, 7–8
- supply chain security, 10–11
- technology manufacturers and integrators, 10
- vendor management, 10–11
- wireless architects, 4–5

rollback support, 312–313

S
SANS, 435
Sarbanes-Oxley (SOX), 305, 369
scheduled downtime, 203
scheduled maintenance, 203–204
scheduled testing, 203–204
scope of work/project, as a planning and design input, 228–230
secure file transfers, enabling, 290
Secure Hash Algorithm (SHA-384), 83
securing tunneled EAP, 132–133
security. See also specific topics
- about, 10
- aligning to organizational risk, 14––16
- assessments of, 373–374
- authentication, 23–27
- of captive portals, 163–167
- compliance requirements, 17–19
- cryptography, 27–29
- of devices, 37
- distribution of users, 37–43
- DNS, 179–180
- endpoint devices, 35–37
- endpoints and, 238
- IAD Triad, 11–14
- logging and analysis of, 407–410
- monitoring, 355–356
- network topology, 37–43
- on open vs. enhanced open networks, 167
- for RADIUS, 121
- regulatory requirements, 17–19
- role of policies, standards, and procedures, 19–21
- segmentation, 22–23
- SSID security profiles, 34–35
- wireless standards and protocols, 30–34

security analyst, 231
security audits, 368–370
security information and event management (SIEM), 7, 408, 409
security operations centers (SOCs), 7–8, 231
security orchestration, automation, and response (SOAR), 7, 408, 409
Security Transition Modes, 565
segmentation
- about, 22–23
- enforcement models, 460–461
- policies for, 470

self-signed certificates, 153, 284
sensor placement, 379
server certificates
- about, 121
- for captive portals, 158

servers
- authentication of, 26
- RADIUS, 107–110, 118–121

service set identifiers (SSIDs)
- about, 34, 72–73, 98–99, 188–189
- enterprise mode (802.1X), 77–87
- enterprise-secured networks (802.1X), 35
- guidance on, 550–551
- hiding and cloaking, 356–359
- impersonation, 385
- inter-station blocking, 344–346
- migration strategies, 76–77
- open authentication networks, 94–98
- Open Wi-Fi security, 34
- personal mode (passphrase with PSK/SAE), 87–93
- personal (passphrase) Wi-Fi security, 35
- as a planning and design output, 247–249
- transition modes, 76–77
- WPA2/WPA3, 73–76

services
- DHCP, 180–186
- DNS, 177–180

7Signal, 407
shared credentials and keys, 301–303
shared/coordinated spectrum, 489
Sigfox, 500
Signal Hound, 404
Simple Network Time Protocol (SNTP), 175–176
6loWPAN, 476–477
smart building, 475–477
SNMP, removing default strings, 296
SNMPv2c, 296
SNMPv3, 291–293
software
- patching, 469
- as a planning and design output, 249–250
- updating, 469
- verifying integrity for upgrades and patches, 314–316

software-based PEPs, 460–461
spectrum analyzers, 400–403
SSH
- enabling, 289–290
- key management, 302–303

standards
- role of, 19–21
- wireless, 30–34

Subject Alternative Name (SAN), 151
subscriber identity module (SIM), 25–26
supply chain security, 10–11
survey software, RF design and, 412–415
SweynTooth, 473–474
switches, 331
symmetric-key algorithms, 28
synthetic testing, 405–407
System and Organization Controls (SOCs), 369
system availability
- as a planning and design output, 249
- resiliency and, 203–205

system logon banners, 307
system owners, 232
system security requirements, as a planning and design input, 239–240

T
TACACS+, 26, 297–299
TalentLMS, 443
tamper-evident labels (TELs), 337
teams involved, as a planning and design input, 230–233
Tech Field Day, 436
technical elements, 45
technical leadership, 267–279
technology
- manufacturers and integrators, 10
- wireless standards and, 30–32

Telnet, enabling, 289–290
templates, planning, 254–267
terminology, 3–4
testing and assessments
- of applications, 415–416
- scheduled, 203–204
- of wireless security, 367–376

third parties, 271, 544–547
third-party CAs, certificates issued from, 286
Thread, 476–477
3GPP (3rd Generation Partnership Project), 32
tiered hardening, 353–354
time sync services
- about, 174
- servers and, 175
- uses in Wi-Fi, 175–177

tools. See also specific tools
- about, 376–377
- as a planning and design output, 249–250
- wireless intrusion prevention systems (WIPS), 377–405

training resources
- about, 432
- conferences and community, 436
- technology courses and providers, 432–435
- vendor-specific, 435–436

Transition Modes, 76–77, 319–320
Transport Layer Security (TLS), 83
troubleshooting
- of applications, 415–416
- MAC-based authentication, 428–431
- onboarding, 431
- portals, 431
- protected management frames (PMFs), 431–432
- registration, 431

Trusted Platform Module (TPM) chips, 25
Trustwave's SpiderLabs, 349–350

U
Uncontrolled Port function, 106
Universal Plug-n-Play (UPnP) protocols, 350–351
unlicensed spectrum, 489
unprotected frametypes, 317–318
unsecured EAP methods, 137–138
upgrades, verifying software integrity for, 314–316
uptime, 203
user directories, 121
user-attachment, endpoints and, 237
user-based devices, 36
user-based logons, enforcing, 297–299
users
- authentication of, 24–25
- captive portals for registration of, 163–165
- distribution of, 37–43
- as a planning and design input, 239

V
Validate phase, in Design for Six Sigma (DFSS), 227
validated frames, 319
validating server certificates, 154
vendor management, 10–11, 233
vendor-specific attributes (VSAs), 115–116
vendor-specific training and resources, 435–436
virtual LANs (VLANs)
- about, 22–23
- edge port, 329
- RADIUS attributes for dynamic, 113–114
- VLAN hopping, 330

virtual private network (VPN), 27, 546
vulnerability assessments
- about, 370–372
- external, 373
- internal, 372–373

W
wide area networks (WANs), 505
Wi-Fi
- clients
  - DHCP for, 181–185
  - DNS for, 177–179
- design impacts on security, 187–217
- future of, 559–561
- infrastructure that supports Enterprise (802.1X) SSID security profiles, 513–514
- LDAP authentication for, 168
- management frames, 317
- network services for, 173–187
- rate limiting, 208–213
- recommendations for Fast Roaming in secure, 201–202
- recommended EAP methods for secure, 138–140
- 6E, 207–208
- time sync services in, 175–177
- training and certification, 433–434

Wi-Fi Alliance (WFA), 31, 77, 93, 524
Wi-Fi Protected Access version 2 (WPA2)
- about, 73–75, 319–320
- benefits of Protected Management Frames (PMF), 75–76
- considerations for, 320
- migration recommendations, 85–87, 92–93
- protected management frames, 316–321
- using with 802.11R, 321

Wi-Fi Protected Access version 3 (WPA3)
- about, 73–75, 319–320
- benefits of Protected Management Frames (PMF), 75–76
- changes in roaming facilitation with, 200–201
- cipher suites, 79–80
- considerations for, 320
- determining length of passphrases, 555–558
- enhancements with, 82, 88–92
- guidance on, 549–550
- headless devices on, 541, 543
- migration recommendations, 85–87, 92–93
- 192-bit mode, 82–83
- Personal Only Mode, 91
- Personal Transition Mode, 91
- protected management frames, 316–321
- Transition Mode, 85–86
- using with 802.11R, 321

Wi-Fi Protected Access-Enterprise (WPA-Enterprise)
- guidance on, 549–550
- roaming and key exchanges on, 191–193

Wi-Fi Protected Access-Personal (WPA-Personal)
- PMKID attacks on, 195–196
- roaming and key exchanges on, 190–191

Wi-Fi VPN Client, remote, 42–43
Wi-Fi-enhanced open authentication networks, 95–98
wildcard certificates, 153
Windows, Fast Transition support and, 199
wired infrastructure
- adding integrity to, 325–330
- as a planning and design output, 245–247

wireless access networks (WANs)
- connections, 39–40
- private, 499–501

wireless architects, 4–5, 268
wireless bridges, 390
wireless infrastructure and operations
- about, 45–46, 55–56
- architectures with cloud management, 50–51
- authentication of components, 26–27
- cloud-managed benefits, 48–49
- connection type
  - for endpoints, 236
  - as a planning and design output, 241–242
- control plane, 46–47
- controller managed Wi-Fi, 52–53
- data plane, 47–48
- LAN services, 39–40
- local cluster managed Wi-Fi, 53–54
- management
  - architecture and products, as a planning and design input, 241
  - model and products, as a planning and design output, 243
- management plane, 46
- remote APs, 55
- rogues/neighbors, 392–395
- role of gateway appliances with cloud-managed APs, 51–52
- technology
  - expectations for, 275–279
  - selecting, 271–275
  - standards/protocols, 30–34
  - types of, 272
- validating vendor files, 315
- wireless-specific tools
  - about, 410
  - handheld testers, 410–412
  - network protocol analyzers, 415
  - RF design and survey software, 412–415
  - testing and troubleshooting applications, 415–416

wireless intrusion detection systems (WIDS), 377–378
wireless intrusion prevention systems (WIPS)
- about, 7, 355–356, 377
- attacks on, 384–391
- history of, 380
- mitigation and containment, 396–397
- recommendations for, 404–405
- requirements for, 378
- WIDS vs., 377–378
- wired IPS vs., 377–378

Wireless LAN Professionals Conference (WLPC), 436
WirelessHART, 501–502
Wireshark, 126, 386
Wyebot, 407

X
X.509, 150

Z
zero touch provisioning (ZTP), 42
zero trust
- about, 268, 455
- current state of, 455–456
- impact on wireless, 462–463
- language for, 456–457
- products, 457–460
- segmentation enforcement models, 460–461

Zeroconf
- about, 351–353
- supporting with 802.1X in medium-security networks, 537–538

Zigbee, 475

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Index

Create new playlist

Sign In

Sign Up

Table of Contents for
Index