3.4 Given a scenario, install and configure wireless security settings

Cryptographic Protocols

WiFi protected access II (WPA2)

  • addresses vulnerabilities found in WEP

CCMP (Encryption Protocol for WPA2)

  • Uses AES (Advanced Encryption Standard) for strong data encryption.

  • Combines two methods:

    • Counter Mode: Ensures data privacy.

    • CBC-MAC (Message Authentication Code): Checks for data tampering during transmission.

WiFi protected access III (WPA3)

  • successor to WPA2, offering even stronger protection

GCMP (Encryption Protocol for WPA3)

  • Uses AES encryption like WPA2, but with a more robust method called Galois/Counter Mode Protocol (GCMP)

  • GCMP provides both confidentiality (encryption) and authenticity (integrity), as WPA2’s CCMP does

  • GCMP ensures that data remains confidential and hasn’t been tampered with during transmission

Counter-Mode /CBC -MAC Protocol (CCMP)

  • Combines two essential features:

    • Data Confidentiality (Encryption): Protects the actual data

    • Message Authentication Code (MAC) for Integrity: Ensures that the data hasn’t been tampered with.

Simultaneous Authentication Protocol (SAE)

  • is a secure password-based authentication and key establishment protocol

    • plays a crucial role in Wi-Fi security, particularly in the context of WPA3

  • developed to replace the older Pre-Shared Key (PSK) method used in WPA2.

  • Relies on a Diffie-Hellman key exchange

  • Includes mutual authentication

How does Simultaneous Authentication Protocol (SAE) work?

  • two devices want to establish a secure connection

  • they both contribute to the key exchange process, ensuring mutual authentication

  • creates a shared session key without transmitting that key across the network

  • is an IEEE standard and is often referred to as the Dragonfly handshake

Authentication protocols

Extensible Authentication Protocol (EAP)

  • It’s an authentication framework used in computer networks

  • allows different methods to be employed based on the specific requirements of the network

  • used to verify the identity of users or devices before granting access

  • works seamlessly with 802.1X, which is a standard for port-based network access control

What is Transport Layer Security (TLS)?

  • ensures secure communication by agreeing on cryptographic algorithms, verifying identities, and establishing session keys

Protected Extensible Authentication Protocol (PEAP)

  • enhances the security of the authentication process by encapsulating the existing EAP within a TLS tunnel

  • users can authenticate using a Generic Token Card (GTC)

How does Protected Extensible Authentication Protocol (PEAP) work?

  • The Authentication Server (AS) uses a digital certificate

  • The client (user’s device) doesn’t need its own certificate

  • User authentication occurs via MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2)

  • MSCHAPv2 credentials are verified against Microsoft’s MS-CHAPv2 databases

EAP-FAST (Flexible Authentication via Secure Tunneling)

  • is an authentication protocol designed to provide secure authentication within wireless networks

  • uses a protected access credential (PAC) as a shared secret between the Authentication Server (AS) and the supplicant (the user’s device)

How does EAP-FAST work?

  • The supplicant receives the PAC from the AS.

  • The supplicant and AS mutually authenticate each other.

  • They then negotiate a Transport Layer Security (TLS) tunnel.

  • User authentication occurs over this secure TLS tunnel.

  • The RADIUS server plays a crucial role by providing the authentication database and EAP-FAST services.

EAP-TLS (Transport Layer Security)

  • provides robust security for user authentication

  • widespread adoption across the industry

  • requires digital certificates on both the Authentication Server (AS) and all other devices (such as wireless clients or user’s devices)

  • requires a Public Key Infrastructure (PKI)

  • Certificates must be deployed to all wireless clients

  • Not all devices can support the use of digital signatures

How does EAP-TLS (Transport Layer Security) work?

  • The AS (Authentication Server) and User’s Device exchange certificates for mutual authentication.

  • A TLS tunnel is established for secure communication.

EAP-TTLS (Tunneled Transport Layer Security)

  • allows other authentication protocols to operate within a TLS tunnel

  • the TLS tunnel provides a secure channel for authentication

How does EAP-TTLS (Tunneled Transport Layer Security) work?

  • requires a digital certificate on the Authentication Server (AS)

  • does not require certificates on every device

  • Any authentication method can be used within the TLS tunnel

IEEE 802.1x

  • is a network access control (NAC) standard that controls access to a network

  • operates at the port level (such as Ethernet switch ports or wireless access points)

  • Until a device successfully authenticates, it is denied access to the network

  • a device must authenticate itself to gain network access

  • Used in conjunction with an access database

    • RADIUS, LDAP, and TACACS+

RADIUS Federation

  • allows you to link a user’s identity across multiple authentication systems.

  • uses 802.1x as the authentication method

  • also uses EAP alongside 802.1x for wireless authentications

  • members of one organization can authenticate to the network of another organization

    • use their normal credentials

  • Driven by eduroam

    • is a worldwide federation of RADIUS servers using IEEE 802.1X

    • When educators visit a different campus, they can use their normal authentication credentials

Methods

Pre-shared Key (PSK) authentication

  • is commonly used in home networks and small businesses.

How does Pre-shared Key (PSK) authentication work?

  • the network administrator configures a shared secret (PSK) on both the access point (AP) and the client devices

  • When a client wants to connect, it uses the PSK during the initial handshake

  • The Access Point verifies the PSK and if it matches, the client gains access

Open Authentication

  • No authentication required

  • Anyone can connect to the network without providing credentials

  • No encryption or security measures

  • Commonly used in public Wi-Fi hotspots

Wi-Fi Protected Setup (WPS)

  • originally known as Wi-Fi Simple Config

  • simplifies the process of connecting a mobile device (like a smartphone or tablet) to a Wi-Fi network

  • Allows easy setup of a mobile device

  • Different ways to connect

    • PIN configured on the access point must be entered on the mobile device

    • Push a button on the access point

    • Near-field communication: bring the mobile device close to the access point

Captive Portal

  • serves as a gateway to a network

  • ensures only validated users can access the network

  • detects your lack of authentication and redirects your web access to a specific page

  • end user must put in their username and password to gain access to the business venue’s wireless network

Site Surveys

  • are essential for designing and optimizing wireless networks.

  • involves assessing the existing environment to make informed decisions about access point (AP) placement, channel selection, and interference mitigation.

  • identify existing access points

  • locate existing APs within the coverage area

Heat Maps

  • create visual representation of signal strength across the coverage area.

  • help identify dead zones, areas with weak signals and potential interference spots

WiFi Analyzer

  • all devices hear each other’s transmissions

  • capture packets quietly; avoid transmitting while monitoring

  • Some network drivers won’t capture wireless information

    • You’ll need specialized adapters/chipsets and drivers

Information shown by a WiFi Analyzer

Signal-to-Noise Ratio (SNR)

  • Measures the strength of the signal relative to background noise

Channel Information

  • Identifies the frequency channels being used

SSID (Network Name)

  • Reveals the network identifier

MAC Addresses

  • Shows the source and destination addresses

Channel Overlays

  • refers to the co-existence of multiple wireless networks operating on overlapping channels

  • occurs when multiple client devices and access points (APs) share the same channel

  • These devices compete for opportunities to transmit, potentially causing collisions

Wireless access point (WAP) placement

  • avoid excessive overlap between adjacent APs

    • overlapping APs can lead to interference and reduced performance

  • interference can degrade Wi-Fi performance

    • Electronic Devices: Microwaves, Cordless Phones, Bluetooth devices, and other electronics can interfere with Wi-Fi signals.

  • Nearby Wi-Fi networks can cause interference

  • Place APs where users need coverage the most

Controller and access point security

Wireless controllers

  • Wireless controllers

    • Centralized management of wireless access points

    • Manage system configuration and performance

  • Securing wireless controllers

    • Control access to management console

    • Use strong encryption with HTTPS

    • Automatic logout after no activity

  • Securing access points

    • Use strong passwords

    • Update to the latest firmware

What is a wireless controller?

  • is a specialized networking device or application that manages wireless network access points (APs).

__________________________________________________

Advanced Study Notes

Which encryption does CCMP use?

  • AES (Advanced Encryption Standard)

Which methods does CCMP use?

  • Counter Mode: Ensures data privacy

  • CBC-MAC: Checks for data tampering during transmission

Which encryption does GCMP use?

  • AES (Advanced Encryption Standard) but more robust

Which methods does GCMP use?

  • CBC-MAC: Checks for data tampering during transmission

  • GCM: provides both confidentiality (encryption) and integrity

Counter-Mode/CBC-MAC Protocol Features

  • Encryption

  • Message Authentication Code (MAC) - Ensures that the data hasn’t been tampered with

What kind of authentication is Simultaneous Authentication Protocol (SAE)?

  • a secure password-based authentication

How many parties are needed for Simultaneous Authentication Protocol (SAE)?

  • 2 (mutual authentication)

What is Extensible Authentication Protocol (EAP) used on?

  • encrypted networks to provide network authentication

What is Extensible Authentication Protocol (EAP) used for?

  • provide network authentication (how a user accesses a network)

What standard does EAP work with?

  • 802.1X, which is a ________ for port-based network access control

What is Transport Layer Security (TLS)?

  • a cryptographic protocol designed to provide communications security over a computer network.

What is Protected Extensible Authentication Protocol (PEAP) commonly used for?

  • provide network authentication

What contains the EAP connection within a Transport Layer Security (TLS) tunnel?

  • Protected Extensible Authentication Protocol (PEAP)

What is Public Key Infrastructure (PKI)?

  • is a system that encompasses everything used to establish and manage public-key encryption

  • helps keep our digital communication secure

  • involves creating, managing, and distributing digital certificates

MS-CHAPV2

  • uses a challenge response authentication

    • a method used to verify the identity of a user or system

  • involves a challenge presented by the server to the client

How does Protected Extensible Authentication Protocol (PEAP) work?

  • The Authentication Server (AS) uses a digital certificate

  • The client (user’s device) doesn’t need its own certificate

  • Your device validates the Authentication Server’s digital signature

  • User authenticates using MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2)

What is EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) commonly used for?

  • provide network authentication

How does EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) work?

  • no server certificate

  • uses a shared temporary key called the PAC

  • during the initial setup, the Authentication Server and Client device exchange information

  • The Authentication Server generates a PAC and shares it securely with the supplicant

What is EAP-TLS Transport Layer Security used for?

  • provide network authentication

EAP-TLS (Transport Layer Security) requires a digital certificate on?

  • both the client device and the authentication server (AS)

What is EAP-TTLS used for?

  • provides network authentication but addresses some of EAP-TLS limitations

EAP-_____ sets up a secure tunnel between the client and the authentication server using Transport Layer Security. The client sends its credentials (typically a username and password) to the authentication server. The server validates the credentials and determines whether the client is authorized.

  • TTLS

What authentication methods can be used with EAP-TTLS?

  • PAP, CHAP, MS-CHAP, and MS-CHAPv2