Chap. 10 Wireless and Physical Access Security
WPA can also implement
802.1X, which uses Extensible Authentication Protocol (EAP) authentication. The AP passes authentication information to a RADIUS server on the wired network for validation. The authentication information could be a username and password or could employ smart cards or tokens. This allows WLAN authentication to be integrated with the wired LAN authentication scheme. This type of authentication is suitable for enterprise networks.
evil twin or sometimes wiphishing
A rogue AP masquerading as a legitimate one is called an
disassociation packets
A similar attack hits the target with disassociation packets, rather than fully deauthenticating the station. A disassociated station is not completely disconnected, but neither can it communicate on the network until it reassociates. Such attacks may also be used to perform a Denial of Service (DoS) attack against the wireless infrastructure. These attacks work against both WEP and WPA. The attacks can be mitigated if the wireless infrastructure supports Management Frame Protection (MFP/802.11w). Both the AP and clients must be configured to support MFP.
deauthentication attack
The use of a rogue AP may be coupled with a deauthentication attack. This sends a stream of spoofed deauth frames to cause a client to deauthenticate from an AP. This might allow the attacker to interpose the rogue AP or to sniff information about the authentication process (such as a non-broadcast ESSID). Such attacks may also be used to perform a Denial of Service (DoS) attack against the wireless infrastructure. These attacks work against both WEP and WPA. The attacks can be mitigated if the wireless infrastructure supports Management Frame Protection (MFP/802.11w). Both the AP and clients must be configured to support MFP.
EAP-MD5
This is simply a secure hash of a user password. This method cannot provide mutual authentication (that is, the authenticator cannot authenticate itself to the supplicant). Therefore, this method is not suitable for use over unsecure networks, as it is vulnerable to Man-in-the-Middle, session hijacking, and password cracking attacks.
turnstile
This risk may be mitigated by installing a turnstile (a type of gateway that only allows one person through at a time).
When considering access point and antenna placement
a device supporting the Wi-Fi standard should have a maximum indoor range of up to about 30m (100 feet), though the weaker the signal, the lower the data transfer rate.
A PSK is generated from
a passphrase, which is like a long password. In WPA-PSK, the user enters a passphrase of between 8 and 63 ASCII characters. This is converted to a 256-bit HMAC (expressed as a 64-character hex value) using the PBKDF2 key stretching algorithm.
To crack WEP
a type of replay attack is used to make the access point generate lots of packets, usually by replaying ARP packets at it, and cycle through IV values quickly.
Some APs can lock out
an intruder if a brute force attack is detected, but in some cases the attack can just be resumed when the lockout period expires. To counter this, the lockout period can be increased. However, this can leave APs vulnerable to a Denial of Service attack. When provisioning an AP, it is essential to verify what steps the vendor has taken to make their WPS implementation secure and the firmware level required to assure security.
Examples of directional
antennas include the Yagi (a bar with fins) and parabolic (dish or grid) antennas. These are useful for point-to-point connections (a wireless bridge).
physical access controls,
are security measures that restrict, detect, and monitor access to specific physical areas or assets. They can control access to a building, to equipment, or to specific areas, such as server rooms, finance or legal areas, data centers, network cable runs, or any other area that has hardware or information that is considered to have important value and sensitivity.
Protected Extensible Authentication Protocol (PEAP)
as with EAP-TLS, an encrypted tunnel is established between the supplicant and authentication server, but PEAP only requires a server-side public key certificate. The supplicant does not require a certificate. With the server authenticated to the supplicant, user authentication can then take place through the secure tunnel with protection against sniffing, password-guessing/dictionary, and Man-in-the-Middle attacks.
WPA and WPA2 are both much more
secure than WEP, though a serious vulnerability was discovered in 2017 (https://www.krackattacks.com), so you should continue to ensure that device firmware is patched against exploits such as this.
To use WPS
both the access point and wireless station (client device) must be WPS-capable. Typically, the devices will have a pushbutton. Activating this on the access point and the adapter simultaneously will associate the devices using a PIN, then associate the adapter with the access point using WPA2. The system generates a random SSID and PSK. If the devices do not support the push-button method, the PIN (printed on the AP) can be entered manually.
The main problem is that distribution of the key or passphrase
cannot be secured properly, and users may choose unsecure phrases. It also fails to provide accounting, as all users share the same key. The advantage is that it is simple to set up. Conversely, changing the key periodically, as would be good security practice, is difficult.
visible presence of guards is a very
effective intrusion detection and deterrence mechanism, but is correspondingly expensive.
WEP version 2
enforces use of the 128-bit key and even allows a 256-bit key, but is still not considered secure.
The only reason not to use WPA2 is
if it is not supported by adapters, APs, or operating systems on the network. In many cases, devices will be compatible with a firmware or driver upgrade.
plan of WLAN zones to
From a security perspective, an additional step would be to use the plan of WLAN zones to identify areas where there is leakage of signals.
Faraday cage
It is also possible to install communications equipment within a shielded enclosure, known as a __________. The cage is a charged conductive mesh that blocks signals from entering or leaving the area.
LEAP is vulnerable
LEAP relies on MS-CHAP to transmit authentication credentials. This means that _____________ to password cracking, as demonstrated by the ASLEAP cracking tool.
RADIUS FEDERATION
Most implementations of EAP use a RADIUS server to validate the authentication credentials for each user (supplicant). RADIUS federation means that multiple organizations allow access to one another's users by joining their RADIUS servers into a RADIUS hierarchy or mesh. For example, when Bob from widget.com needs to log on to grommet.com's network, the RADIUS server at grommet.com recognizes that Bob is not a local user but has been granted access rights and routes the request to widget.com's RADIUS server.
eduroam
One example of RADIUS federation is the ___________ network (https://www.eduroam.org), which allows students of universities from several different countries to log on to the networks of any of the participating institutions using the credentials stored by their "home" university.
skimming
One type of RFID attack is skimming, which is where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card. Any reader can access any data stored on any RFID tag, so sensitive information must be protected using cryptography. It is also possible (in theory) to design RFID tags to inject malicious code to try to exploit a vulnerability in a reader.
captive portal or splash page
Open authentication may be combined with a secondary authentication mechanism managed via a browser. When the client associates with the open hotspot and launches the browser, the client is redirected to a __________. This will allow the client to authenticate to the hotspot provider's network (over HTTPS, so the login is secure). The portal may also be designed to enforce terms and conditions and/or take payment to access the Wi-Fi service.
zones
Physical security can be thought of in terms of ________. Each zone should be separated by its own barrier(s). Entry and exit points through the barriers need to be controlled by one or more security mechanisms. Progression through each zone should be progressively more restricted.
spectrum analyzer
The source of interference can be detected using a
CCTV (closed circuit television)
is a cheaper means of providing surveillance than maintaining separate guards at each gateway or zone, though still not cheap to set up if the infrastructure is not already in place on the premises. It is also quite an effective deterrent. The other big advantage is that movement and access can be recorded. The main drawback compared to the presence of security guards is that response times are longer, and security may be compromised if not enough staff are in place to monitor the camera feeds.
Radio Frequency ID (RFID)
is a means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else. When a reader is within range of the tag (typically either up to 10cm or up to 1m), it produces an electromagnetic wave that powers up the tag and allows the reader to collect information from it or to change the values encoded in the tag.
Near Field Communications (NFC)
is a very short-range radio link based on RFID. NFC works at up to 4cm at data rates of 106, 212, and 424 Kbps. NFC sensors and functionality are now commonly incorporated into smartphones.
EAP-TLS
is currently considered the strongest type of authentication and is very widely supported. An encrypted Transport Layer Security (TLS) tunnel is established between the supplicant and authentication server using public key certificates on the authentication server and supplicant. As both supplicant and server are configured with certificates, this provides mutual authentication. The supplicant will typically provide a certificate using a smart card or a certificate could be installed on the client PC, possibly in a Trusted Platform Module (TPM).
Extensible Authentication Protocol (EAP)
is designed to support different types of authentication within the same overall topology of devices. It defines a framework for negotiating authentication mechanisms rather than the details of the mechanisms themselves. EAP is now widely adopted, and vendors can write extensions to the protocol to support third-party security devices.
Security lighting
is enormously important in contributing to the perception that a building is safe and secure at night. Well-designed lighting helps to make people feel safe, especially in public areas or enclosed spaces, such as parking garages. Security lighting also acts as a deterrent by making intrusion more difficult and surveillance (whether by camera or guard) easier. The lighting design needs to account for overall light levels (illuminance), the lighting of particular surfaces or areas (allowing cameras to perform facial recognition, for instance), and avoiding areas of shadow and glare.
WPA2
is fully compliant with the 802.11i WLAN security standard. The main difference to the original iteration of WPA is the use of Advanced Encryption Standard (AES) for encryption. AES is stronger than RC4/TKIP.
HVAC (Heating, Ventilation, Air Conditioning)
is often used to describe these services. For general office areas, this basically means heating and cooling; for other areas, different aspects of climate control, such as humidity, may be important.
rogue AP
is one that has been installed on the network without authorization, whether with malicious intent or not. It is vital to periodically survey the site to detect rogue APs. A malicious user can set up such an access point with something as basic as a smartphone with tethering capabilities, and a non-malicious user could enable such an access point by accident. If connected to a LAN without security, an unauthorized AP creates a very welcoming backdoor through which to attack the network. A rogue AP could also be used to capture user logon attempts, allow Man-in-the-Middle attacks, and allow access to private information.
EAP-Tunneled TLS (EAP-TTLS)
is similar to PEAP. It uses a server-side certificate to establish a protected tunnel through which the user's authentication credentials can be transmitted to the authentication server. The main distinction from PEAP is that EAP-TTLS can use any inner authentication protocol (PAP or CHAP, for instance), while PEAP must use EAP-MSCHAP or EAP-GTC.
The main problem with WEP
is the 24-bit initialization vector (IV). The IV is supposed to change the key stream each time it is used.
Wired Equivalent Privacy (WEP)
is the original encryption scheme and still supported on old and new devices. However, the encryption system, based on the RC4 cipher, is flawed and WEP should no longer be used, if at all possible. Under WEP version 1, you can select from different key sizes (64-bit or 128-bit).
Coverage
means that the WLAN delivers acceptable data rates to the supported number of devices in all the physical locations expected. To maximize coverage and minimize interference, position the AP as high as possible and set the channels of other nearby APs to different settings.
open authentication
means that the client is not required to authenticate. This mode would be used on a public AP (or "hotspot"). This also means that data sent over the link is unencrypted.
Pre-Shared Key (PSK)
means using a passphrase to generate the key that is used to encrypt communications. It is also referred to as group authentication because a group of users share the same secret.
WEP is not
safe to use. If devices only support WEP, the best alternative is to enhance the connection security with another security application, such as L2TP/IPSec.
WLAN authentication comes in three types
pre-shared key, enterprise, and open.
NFC does not
provide encryption, so eavesdropping and Man-in-the-Middle attacks are possible if the attacker can find some way of intercepting the communication and the software services are not encrypting the data. Vulnerabilities and exploits are also likely to be found in the software services that use NFC. It is also possible to jam NFC signals, creating a Denial of Service attack.
Bluesnarfing
refers to using an exploit in Bluetooth to steal information from someone else's phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism. Even without an exploit, a short (4 digit) PIN code is vulnerable to brute force password guessing.
EAP implementations can include
smart cards, one-time passwords, biometric scanning, or simpler username and password combinations.
An evil twin might just have a similar name (SSID) to the legitimate one, or the attacker might use
some DoS technique to overcome the legitimate AP. This attack will not succeed if authentication security is enabled on the AP, unless the attacker also knows the details of the authentication method. However, the evil twin might be able to harvest authentication information from users entering their credentials by mistake.
PEAP is supported by
Microsoft® as an alternative to EAP-TLS. It is simpler and cheaper to deploy than EAP-TLS because you only need a certificate for the authentication server.
Fire suppression
systems work on the basis of the Fire Triangle. The Fire Triangle works on the principle that a fire requires heat, oxygen, and fuel to ignite and burn. Removing any one of those elements provides fire suppression (and prevention).
Wi-Fi products work in either
the 2.4 GHz band or the 5 GHz band, or both. While band selection does not have a direct effect on the confidentiality or integrity of the network, it can affect availability and performance.
Infrastructure—
the adapter is configured to connect through an access point (AP) to other wireless and wired devices. In 802.11 documentation, this is referred to as a basic service set (BSS). The MAC address of the AP is used as the basic service set identifier (BSSID). More than one BSS can be grouped in an extended service set (ESS).
disabling WPS through
the admin interface does not actually disable the protocol, or there is no option to disable it.
TKIP fixes
the checksum problem in WEP (Message Integrity Check), uses a larger IV (48-bit) to ensure a unique keystream, transmits it as an encrypted hash rather than in plaintext, and adds a sequence counter to resist replay attacks.
Ad hoc—
the wireless adapter allows connections to and from other devices (a peer-to-peer WLAN). In 802.11 documentation, this is referred to as an independent basic service set (IBSS).
The problem: Flexible Authentication via Secure Tunneling (EAP-FAST)
there is nothing to authenticate the access point to the user. A rogue access point could obtain enough of the user credential to perform an ASLEAP password cracking attack.
directional antenna may also be useful to an
eavesdropper, allowing them to snoop on a network from a greater distance than might be expected.
Unfortunately, WPS is
vulnerable to a brute force attack. While the PIN is eight characters, one digit is a checksum and the rest is verified as two separate PINs of four and three characters.
Wi-Fi Protected Access (WPA)
was designed to fix the security problems with WEP. Version 1 of WPA still uses the RC4 cipher but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to make it stronger.
Lightweight EAP (LEAP)
was developed by Cisco in 2000 to try to resolve weaknesses in Wired Equivalent Privacy (WEP) and represents a very early implementation of EAP. When a client connects to an access point (the authenticator), it enables EAPoL and the client authenticates to the server and the server to the client. The server and client then calculate a transport encryption session key, which the server sends to the access point. This key is used to encrypt the rest of the session. LEAP relies on MS-CHAP to transmit authentication credentials.
BAND SELECTION: it can affect availability and performance.
• 802.11a—legacy products working in the 5 GHz band only.
• 802.11bg—legacy products working in the 2.4 GHz band only.
• 802.11n—products can be either dual band (supporting both 2.4 GHz and 5 GHz operation) or 2.4 GHz only. Most access points are dual band but many early 802.11n client adapters were single band only.
• 802.11ac—5 GHz only. Most access points supporting 802.11ac are dual band but use the 2.4 GHz band for legacy clients (802.11bgn) only. Note that better performance will be obtained by disabling support for legacy standards (especially 802.11b).
Wireless networks can be configured in one of two modes:
• Ad hoc—the wireless adapter allows connections to and from other devices (a peer-to-peer WLAN). In 802.11 documentation, this is referred to as an independent basic service set (IBSS).
• Infrastructure—the adapter is configured to connect through an access point (AP) to other wireless and wired devices. In 802.11 documentation, this is referred to as a basic service set (BSS). The MAC address of the AP is used as the basic service set identifier (BSSID). More than one BSS can be grouped in an extended service set (ESS).
There are two principal risks: PROTECTED DISTRIBUTION, FARADAY CAGES, AND AIR GAPS
• An intruder could attach eavesdropping equipment to the cable (a tap).
• An intruder could cut the cable (Denial of Service).
Physical access controls depend on the same access control fundamentals as network or operating system security:
• Authentication—create access lists and identification mechanisms to allow approved persons through the barriers.
• Authorization—create barriers around a resource so that access can be controlled through defined entry and exit points.
• Accounting—keep a record of when entry/exit points are used and detect security breaches.
There are three main types of alarm:
• Circuit—a circuit-based alarm sounds when the circuit is opened or closed, depending on the type of alarm. This could be caused by a door or window opening or by a fence being cut. A closed-circuit alarm is more secure because an open circuit alarm can be defeated by cutting the circuit.
• Motion detection—a motion-based alarm is linked to a detector triggered by any movement within an area (defined by the sensitivity and range of the detector), such as a room. The sensors in these detectors are either microwave radio reflection (similar to radar) or Passive Infrared (PIR), which detect moving heat sources.
• Duress—this type of alarm is triggered manually by staff if they come under threat. There are many ways of implementing this type of alarm, including wireless pendants, concealed sensors or triggers, and DECT handsets or smartphones. Some electronic entry locks can also be programmed with a duress code that is different from the ordinary access code. This will open the gateway but also alert security personnel that the lock has been operated under duress.
Problems with the WEP encryption scheme are as follows:
• The IV is not sufficiently large, meaning it will be reused within the same keystream under load. This makes the encryption subject to statistical analysis to discover the encryption key and decrypt the confidential data.
• The IV is often not generated using a sufficiently random algorithm; again, assisting brute force or statistical analysis attacks.
• Packets use a checksum to verify integrity, but this is also easy to compute. This allows the attacker to "bit flip" the ciphertext and observe a corresponding bit in the plaintext.
Flexible Authentication via Secure Tunneling (EAP-FAST)
is Cisco's replacement for LEAP. EAP-FAST is similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server's master key. The problem with EAP-FAST is in distributing (provisioning) the PAC securely to each user requiring access. The PAC can either be distributed via an out-of-band method or via a server with a digital certificate (but in the latter case, EAP-FAST does not offer much advantage over using PEAP). Alternatively, the PAC can be delivered via anonymous Diffie-Hellman key exchange.
Determining where to use physical access controls requires
a cost-benefit analysis and must consider any regulations or other compliance requirements for the specific types of data that are being safeguarded.
control and provisioning of wireless access points (CAPWAP)
Alternatives to LWAPP include the derivative _________________________ protocol or a proprietary protocol.
Wi-Fi Protected Setup (WPS)
As setting up an access point securely is relatively complex for residential consumers, vendors have developed a system to automate the process called
data emanation
As unguided media, wireless networks are subject to ____________ or signal "leakage."
protected distribution system (PDS)
As well as the switches, routers, and servers housed in equipment cabinets, thought needs to be given to cabling. A physically secure cabled network is referred to as a
lightweight access point protocol (LWAPP)
Cisco wireless controllers usually communicate with the access points using the
shielding
Depending on the level of security required, you may then want to install _________ at strategic locations to contain the WLAN zones. For example, you might install ___________ on external walls to prevent signals from escaping the building. Of course, this will block incoming signals too (including cell phone calls).
FENCING
The exterior of a building may be protected by fencing. Security fencing needs to be transparent (so that guards can see any attempt to penetrate it), robust (so that it is difficult to cut), and secure against climbing (which is generally achieved by making it tall and possibly by using razor wire). Fencing is generally effective, but the drawback is that it gives a building an intimidating appearance. Buildings that are used by companies to welcome customers or the public may use more discreet security methods.
WEP cracking tools
The flaws in WEP allow attackers using WEP cracking tools, such as Aircrack-NG (https://aircrack-ng.org) or AirSnort (https://airsnort.soft112.com), to decrypt and eavesdrop traffic. These tools work by obtaining many examples of IVs.
TEMPEST (Transient Electromagnetic Pulse Emanation Standard)
The leakage of electromagnetic signals was investigated by the US DoD who defined __________________ as a means of shielding the signals.
bluejacking
Unless some sort of authentication is configured, a discoverable device is vulnerable to bluejacking, a sort of spam where someone sends you an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for malware, as demonstrated by the Obad Android Trojan malware (https://securelist.com/the-most-sophisticated-android-trojan/35929/).
mantrap
Where security is critical and cost is no object, a mantrap could be employed. A mantrap is where one gateway leads to an enclosed space protected by another barrier.
war driving
You may want to turn the power output on an AP down and ensure strategic AP device placement to prevent
Lock types can be categorized as follows:
• Conventional—a conventional lock prevents the door handle from being operated without the use of a key. More expensive types offer greater resistance against lock picking.
• Deadbolt—this is a bolt on the frame of the door, separate to the handle mechanism.
• Electronic—rather than a key, the lock is operated by entering a PIN on an electronic keypad. This type of lock is also referred to as cipher, combination, or keyless.
• Token-based—a smart lock may be opened using a magnetic swipe card or feature a proximity reader to detect the presence of a wireless key fob or one-time password generator (physical tokens) or smart card.
• Biometric—a lock may be integrated with a biometric scanner.
• Multifactor—a lock may combine different methods (for example, smart card with PIN).
Bluetooth devices have a few known security issues, summarized here:
• Device discovery—a device can be put into discoverable mode, meaning that it will connect to any other Bluetooth devices nearby. Unfortunately, even a device in non-discoverable mode is quite easy to detect.
• Authentication and authorization—devices authenticate ("pair") using a simple passkey configured on both devices. This should always be changed to some secure phrase and never left as the default. Also, check the device's pairing list regularly to confirm that the devices listed are valid.
• Malware—there are proof-of-concept Bluetooth worms and application exploits, most notably the BlueBorne exploit (http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf), which can compromise any active and unpatched system regardless of whether discovery is enabled and without requiring any user intervention. There are also vulnerabilities in the authentication schemes of many devices. Keep devices updated with the latest firmware.
There are several alternatives to wet-pipe systems that can minimize damage that may be caused by water flooding the room.
• Dry-pipe—these are used in areas where freezing is possible; water only enters this part of the system if sprinklers elsewhere are triggered.
• Pre-action—a pre-action system only fills with water when an alarm is triggered; it will then spray when the heat rises. This gives protection against accidental discharges and burst pipes and gives some time to contain the fire manually before the sprinkler operates.
• Halon—gas-based systems have the advantage of not short circuiting electrical systems and leaving no residue. Up until a few years ago, most systems used Halon 1301. The use of Halon has been banned in most countries as it is ozone depleting, though existing installations have not been replaced in many instances and can continue to operate legally.
• Clean agent—alternatives to Halon are referred to as "clean agent." As well as not being environmentally damaging, these gases are considered non-toxic to humans. Examples include INERGEN (a mixture of CO2, Argon, and Nitrogen), FM-200/HFC-227, and FE-13. The gases both deplete the concentration of oxygen in the area (though not to levels dangerous to humans) and have a cooling effect. CO2 can be used too, but it is not safe for use in occupied areas.
As with other security troubleshooting, there are two general kinds of issues with access point configuration: those where legitimate users cannot connect and those where unauthorized users are able to connect. In the first case, make the following checks:
• Ensure that wireless access points are implementing WPA/WPA2 with a strong passphrase or enterprise authentication.
• Check that clients are configured with the correct passphrase or that access points can communicate with RADIUS servers and that they are operational and functioning as expected.
• Ensure that no other wireless signals are interfering with the access point's transmission.
existing infrastructure, try to plan the site using the following principles:
• Locate secure zones, such as equipment rooms, as deep within the building as possible, avoiding external walls, doors, and windows.
• Position public access areas so that guests do not pass near secure zones. Security mechanisms in public areas should be high visibility, to increase deterrence. Use signs and warnings to enforce the idea that security is tightly controlled. Beyond basic no trespassing signs, some homes and offices also display signs from the security companies whose services they are currently using. These may convince intruders to stay away. Conversely, entry points to secure zones should be discreet. Do not allow an intruder the opportunity to inspect security mechanisms protecting such zones (or even to know where they are).
• Try to minimize traffic having to pass between zones. The flow of people should be "in and out" rather than "across and between."
• Make high traffic public areas high visibility, so that covert use of gateways, network access ports, and computer equipment is hindered, and surveillance is simplified.
• In secure zones, do not position display screens or input devices facing toward pathways or windows. Alternatively, use one-way glass so that no one can look in through windows.
There are two versions of PEAP, each specifying a different user authentication method (also referred to as the "inner" method):
• PEAPv0 (EAP-MSCHAPv2)—uses MS-CHAPv2 for authentication. This is by far the most popular implementation.
• PEAPv1 (EAP-GTC)—Cisco's implementation.
SECURE WIRELESS TRAFFIC Follow these guidelines when securing wireless traffic:
• Select access points and supplementary directional antennas that adequately meet your bandwidth and signal range requirements.
• Select the appropriate frequency band and configure the signal strength to meet your needs.
• Consider using thin APs in a controller-based architecture to centralize wireless network operations.
• Conduct a site survey to determine the best possible ways to position your wireless infrastructure with respect to confidentiality, integrity, and availability.
• Configure your Wi-Fi networks with WPA2 encryption and an appropriate authentication method:
• Consider using WPA2-Enterprise in a large corporate environment to take advantage of 802.1X/RADIUS authentication.
• Use a long passphrase to generate a more secure PSK.
• Avoid using the PIN feature of WPS.
• Implement a captive portal requiring login credentials to protect against unauthorized users accessing your Wi-Fi hotspot.
• Patch and update firmware on all types of wireless systems (Wi-Fi, Bluetooth, RFID, and NFC) regularly and monitor security bulletins for news of emerging attack vectors.
The EAP framework involves three components:
• Supplicant—this is the client requesting authentication.
• Authenticator—this is the device that receives the authentication request (such as a remote access server or wireless access point). The authenticator establishes a channel for the supplicant and authentication server to exchange credentials using the EAP over LAN (EAPoL) protocol. It blocks any other traffic.
• Authentication Server—the server that performs the authentication (typically an AAA server).
