4.3 Given a scenario, secure a basic wireless network.

Question 1

Wireless encryption

Answer 1

All wireless computers are radio transmitters and receivers - anyone can listen in
Solution: Encrypt the data• Everyone gets the password• Or their own password• Only people with the password can transmit and listen• WPA and WPA2

Question 2

WPA (Wi-Fi Protected Access)

Answer 2

2002: WPA was the replacement for serious cryptographic weaknesses inWEP (Wired Equivalent Privacy)
• Don’t use WEP
• Needed a short-term bridge between WEP and whatever would be the successor
• Run on existing hardware
• WPA: RC4 with TKIP (Temporal Key Integrity Protocol)
• Initialization Vector (IV) is larger and an encrypted hash
• Every packet gets a unique 128-bit encryption key

Question 3

Temporal Key Integrity Protocol

Answer 3

Temporal Key Integrity ProtocolMixed the keys
• Combines the secret root key with the IV
• Adds sequence counter - prevents replay attacks
• Implements a 64-bit Message Integrity Check
• Protects against tampering
• TKIP has it’s own set of vulnerabilities
• Deprecated in the 802.11-2012 standard

Question 4

WPA2 and CCMP

Answer 4

WPA2 certification began in 2004
AES (Advanced Encryption Standard) replaced RC4• CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) replaced TKIP

Question 5

CCMP block cipher mode

Answer 5

Uses AES for data confidentiality
128-bit key and a 128-bit block size
Requires additional computing resources

Question 6

CCMP security services

Answer 6

Data confidentiality (AES), authentication, and access control

Question 7

EAP

Answer 7

Extensible Authentication Protocol
An authentication framework
Many different ways to authenticate based on RFC standards
WPA and WPA2 use five EAP types as authentication mechanisms

Question 8

EAP types

Answer 8

EAP-FAST - EAP Flexible Authentication via Secure Tunneling

Cisco’s proposal to replace LEAP (Lightweight EAP - previously used with WEP)• Lightweight and secure

Question 9

EAP-TLS (EAP Transport Layer Security)

Answer 9

Strong security, wide adoption• Support from most of the industry

Question 10

EAP-TTLS (EAP Tunneled Transport Layer Security)

Answer 10

Support other authentication protocols in a TLS tunnel• Use any authentication you can support, maintain security with TLS

Question 11

Protected Extensible Authentication Protocol -Protected EAP

Answer 11

Protected EAPCreated by Cisco, Microsoft, and RSA Security
• Encapsulates EAP in a TLS tunnel, one certificate on the server
• Combined a secure channel and EAP
• Commonly implemented as PEAPv0/EAP-MSCHAPv2
• Authenticates to Microsoft’s MS-CHAPv2 databases

Question 12

Wireless security modes

Answer 12

Configure the authentication on your wireless access point / wireless router
• Open System - No authentication password is required

Question 13

WPA-Personal / WPA-PSK

Answer 13

WPA2 with a pre-shared key• Everyone uses the same 256-bit key

Question 14

WPA-Enterprise / WPA-802.1X

Answer 14

Authenticates users individually with an authentication server (i.e., RADIUS)

Question 15

MAC filtering

Answer 15

Easy to find working MAC addresses
Limit access through the physical hardware address
Keeps the neighbors out through wireless LAN analysis
Security through obscurity (not actual security)

Question 16

Geofencing

Answer 16

Some MDMs allow for geofencing - Restrict or allow features when the device is in a particular area
Cameras - The camera might only work when outside the office
Authentication - The camera might only work when outside the office
Only allow logins when the device is located in a particular area