Wireless Network and its Security
___________________, runs at 54 Mbps and is not compatible with 802.11b as it operates at the 5 GHz band.
802.11a, This standard was the first amendment of the original legacy IEEE 802.11 standard (1997) improving data rates from up to 2 Mbps of the original standard. It can cover an indoor area ranging from 35m to 125m.
__________________, This offers a speed of 1.33 Gigabits and a similar range to 802.11n (230 feet).
802.11ac, IEEE 802.11ac is an amendment that improves upon the previous IEEE 802.11 standards. Characteristics of this standard include the introduction of wider channels (80 or 160 MHz compared to 40 MHz for 802.11n) in the 5 GHz band, more spatial streams (up to 8), and the addition of Multi-User MIMO (MU-MIMO). 802.11ac is capable of transmitting data at 1300 Mbps (megabits per second) or 162.5 Mbps (megabytes per second).
___________________, provides data rates of up to 11 Mbps using the 2.4 GHz band.
802.11b, This provides a range of 150 feet and is the oldest standard still in use and supported by wireless routers. This standard provides lower maximum data rates, but a greater range than the 802.11a standard since the 2.4 GHz frequencies used are not as readily absorbed by walls and obstacles as the 5 GHz frequencies used in 802.11a are.
_____________________, supported by all wireless devices and network equipment today and is an economical option for buying a wireless access point. It's the same speed as 802.11a, however, it has a longer range of 170 feet and supports the 2.4 GHz frequency band
802.11g, IEEE 802.11g provides data rates of up to 54 Mbps. This functions in the 2.4 GHz band (like 802.11b) but uses the same Orthogonal Frequency-Division Multiplexing (OFDM)-based transmission scheme as 802.11a. Since the wireless keyboard also operates at 2.4 GHz band, it is likely to cause interference with the 802.11b network.
This is faster than 802.11g and supported by network devices. ____________________, has a network speed of 600 Mbps and a maximum range of 230 feet.
802.11n, This standard uses multiple input/multiple output (MIMO) and may cause interference with nearby 802.11b/g networks. 802.11n has a higher price point than 802.11g.
_______________________, port-based network access control. When a device attempts to connect to the network, it authenticates the device and then opens a virtual port on the wireless access point.
802.1X, However, if authentication fails, then the device is not allowed to access the network. Essentially, there are three components that play a critical role: *Suppliant: It is the device that has to connect to the network. It would usually have a software that is used for connectivity *Authenticator: it is the wireless access point in the case of the wireless network. It could also be a firewall or a proxy server. *Authentication Server: it is the authentication server that grants or denies access. Typically, this role is played by a RADIUS server.
_____________________, Different wireless networks have different speeds. However, most commonly 2.4 GHz radio band is used in wireless networks. The 2.4 GHz is divided into 11 channels. Most channels overlay or overlap with others, but channels 1, 6, and 11 do not overlay or overlap with the other channels.
Channel Overlays
_____________________, WAP is the point to which the users connect. It is not administratively possible for these WAPs to be individually managed. Therefore, you use a wireless controller, which provides a centralized platform to manage all the available WAPs. You can monitor the WAPs in real-time.
Controller and Access Point Security, Steps to Perform: -Change the default admin passwords -Restrict logical and physical access -Enable encryption -Hide the SSIDs -Update the controller and WAPs with software patches -Enable MAC filtering -Enable authentication
______________________, an AES encryption-based protocol that is used in the 802.11i network. It is mainly designed to provide confidentiality, data origin authentication, and integrity that needs to be transmitted from one endpoint to another endpoint.
Counter Mode Cipher Block Chaining Message Authentication Code Protocol (Counter Mode CBC-MAC Protocol) (CCMP). However, it is important to note that CCMP does not provide fault tolerance and reliability. It uses different elements for the data security. For example, Counter CTR mode ciphers, which is a block cipher, secures the data during transmission. It uses CBC-MAC to prevent data modification during its transmission.
Unlike PEAP, ______________________, does not use a certificate for authentication. It rather uses Protected Access Credential (PAC).
EAP Flexible Authentication via Secure Tunneling (EAP FAST), Like EAP, also has three components, suppliant, authenticator, and the authentication server, which manages the PAC. The authentication server is responsible for distributing PAC to the suppliant, which is the client. The PAC can either be distributed manually or automatically. The authentication server provides a shared secret to the suppliant. After this, a secured tunnel is established between both the ends, the authentication server and the client. Finally, the suppliant is authenticated.
_________________, makes use of the TLS protocol. Requires two certificates, one at the client end and another one at the server end.
EAP Transport Layer Security (EAP-TLS), The authentication is performed based on the certificate rather than the user credentials. Even if someone intercepts the user credentials, they will still not be able to connect to the wireless network. This is because the certificate is required for authentication.
__________________________, EAP TLS required certificates for authentication. Removes this bottleneck by using a secure tunnel between the authentication server and the suppliant. It DOES NOT require a certificate like EAP TLS does.
EAP Tunneled Transport Layer Security (EAP TTLS), After a secure tunnel is created, the suppliant can use the user credentials to authenticate itself with the authentication server. Because the tunnel is secured, it prevents any type of attack, such as eavesdropping, to take place for intercepting the user credentials.
__________________, the actual carrier for the authentication information and is used with variety of wireless protocols, such as WPA and WPA2.
Extensible Authentication Protocol (EAP), There are different variants of EAP. Some of them use certificates while others do not. One of the drawbacks of EAP is that it, by default, does not secure the authentication information. It takes it for granted that the information that it is carrying is secured or encrypted.
____________________, may want to verify the coverage of the wireless network. In a building, there can be a possibility that several areas, whether they are far away or have interfering objects, such as walls, do not receive signals.
Heat Maps, Without using a heat map, it is not possible to find the areas that have either good or bad coverage. For examples, wireless network signals are often blocked by walls, ceilings, wireless radios, or even other wireless networks. You can use software to generate a heat map to detect the signal strengths. You can explore dead zones, which do not receive any wireless signals. If there are such areas, then you may either move the WAP to another location or install a wireless network range extender, which can be located near the dead zones. It will catch the WAP signals and further broadcast them, which increases the wireless network range.
In the enterprise mode, a RADIUS server is used for authenticating the user. In this mode of implementation, encrypted session keys are sent to the client from the RADIUS server. To make it more secure, certificates can be integrated with the private/public key pair. When a user attempts to connect to the wireless network, the user is authenticated based on his own user credentials, which can be stored in Active Directory. ----------------------------------------------------------------------------- In the pre-shared mode, the client and the wireless access point must exchange and negotiate a key before the communication can begin. It does not utilize the RADIUS server as the communication is directly between the client and the wireless access point. In the open mode, there is no authentication and is unsecured. It is usually used in public wireless access points where there is no access to the sensitive data. ------------------------------------------------------------------------------------ open mode, there is no authentication performed when a user attempts to connect to the wireless network. User simply selects the network and connects to it without providing a password.
Pre-shared key (PSK) vs. Enterprise vs. Open
_________________, was an improvement over EAP. Because EAP does not encrypt the information that it carries. Uses secure Transport Layer Security (TLS) tunnel.
Protected Extensible Application Protocol (PEAP), PEAP uses a TLS tunnel to transport information from one end to the other end, which are essentially the suppliant and the authenticator. The information is encrypted and authenticated by a server-side certificate to ensure it cannot be tampered with. TLS is the security protocol used by PEAP. TLS is used to add encryption and authentication to the protocols. PEAP is mainly used with 802.1X wireless access points and switches. It is also used by Windows-based VPN and Terminal Services Gateway.
typical wireless network, if it does not have enterprise mode enabled, you need to provide a password to connect to it. _______________________, adds another element in the authentication process. Along with the password, it also enforces the MAC address authentication.
Simultaneous Authentication of Equals (SAE), At the base of it, SAE uses Diffie-Hellman key exchange method. However, it adds an additional authentication requirement, which is authenticating the MAC address as well. The SAE process starts with the SAE exchange after which the client and the wireless access point (WAP), both create an encryption key that is further used to create a session key. After the session key is generated, the client is able to connect to the WAP. The key advantage of SAE is that each time the session key is uniquely generated. If one key is compromised, the other sessions are not impacted.
_____________________, the first step in implementing a wireless network. Helps to determine where to place Wi-Fi access points for the maximum coverage while minimizing the number of access points needed for that coverage.
Site Survey, It also reveals the location of signal interference from other Radio Frequency (RF) sources as well as interference caused by physical obstacles.
___________________________, you should determine the best location through a survey. If that is not done for some reason, you should place it in a location or room where the users are present.
WAP Placement, When placing a WAP, you need to be aware of the interferences from the different object, such as: -Electronic devices, such as cordless phones -Walls, doors, and ceilings -Nearby wireless networks -Number of users
_____________________, you can analyze its performance and review several parameters, such as: SSID Signal strength Minimum, maximum, and average signal strength Channel and band being used
Wi-Fi Analyzer
______________________, a secure solution, also known as 802.11i, which is currently mandatory on all Wi-Fi devices and provides CCMP and AES encryption support.
Wi-Fi Protected Access 2 (WPA2), WPA2 can be implemented in two different modes: -Preshared key: A shared secret is used to authenticate the client. -Authentication server: An authentication server is used to authenticate the client. NOTE: -Encryption Algorithm: AES, CCMP -IV Size: 48-bits -Encryption Key: 128-Bits -Integrity Check Method: CBC-MAC
_____________________, successor of WPA2. It adds several new capabilities that did not exist in WPA2.
WiFi Protected Access III (WPA3), adds some capabilities, such as: -Protection from several attacks, such as de-authentication, handshake capture dictionary, PMKID Hash Dictionary, KRACK exploit, and handshake capture encrypt/decrypt. -Uses Wi-Fi Easy Connect instead of Wi-Fi Protected Setup (WPS). Wi-Fi Easy Connect uses Device Provisioning Protocol (DPP). -Replaces Pre-Shared Key (PSK) with Simultaneous -Authentication of Equals (SAE) -Supports Protected Management Frames (PMF) -Blocks authentication after certain number of failed attempts NOTE: *Encryption Algorithm: AES-GCM & Elliptical Curve *Cryptography of CNSA Suite B *Encryption Key: 192-Bits for Enterprise, 128-bit for Personal *Integrity Check Method: Secure Hash Algorithm