3.4 Given a scenario, install and configure wireless security settings


In __, pre-shared key (PSK) authentication *uses a passphrase to generate the key that is used to encrypt communications*. It is also referred to as group authentication because a group of users share the same secret. When the access point is set to ___-PSK mode, the administrator configures a passphrase of between 8 and 63 ASCII characters. This is converted to a 256-bit HMAC (expressed as a 64-character hex value) using the PBKDF2 key stretching algorithm. *This HMAC is referred to as the pairwise master key (PMK).* The same secret must be configured on the access point and on each node that joins the network. The *PMK is used as part of __'s 4-way handshake to derive various session keys.*

WiFi Protected Access 2 (WPA2)

While __ still uses a passphrase to authenticate stations in personal mode, it changes the method by which this secret is used to agree session keys. *The scheme used is also referred to as Password Authenticated Key Exchange (PAKE).* In __, the *Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake*, which has been found to be vulnerable to various attacks. *SAE uses the Dragonfly handshake*, which is basically Diffie-Hellman over elliptic curves key agreement, combined with a hash value derived from the password and device MAC address to authenticate the nodes. With SAE, there should be no way for an attacker to sniff the handshake to obtain the hash value and try to use an offline brute-force or dictionary attack to recover the password. Dragonfly also implements ephemeral session keys, providing forward secrecy.

WiFi Protected Access 3 (WPA3)

As setting up an access point securely is relatively complex for residential consumers, vendors have developed a system to automate the process called __. To *use __, both the access point and wireless station (client device) must be __-capable. Typically, the devices will have a push button.* (Password auto-configuration of access points and clients.) ... *Unfortunately, WPS is vulnerable to a brute force attack. ... Some APs can lock out an intruder if a brute force attack is detected*, but in some cases the attack can just be resumed when the lockout period expires. ... Easy Connect is a brand name for the Device Provisioning Protocol (DPP). Each participating device must be configured with a public/private key pair. Easy Connect uses quick response (QR) codes or near-field communication (NFC) tags to communicate each device's public key.

WiFi Protected Setup (WPS)

The (site) survey is performed with a Wi-Fi-enabled laptop or mobile device with __ software installed. The __ records information about the signal obtained at regularly spaced points as the surveyor moves around the area.

WiFi analyzers

In order to secure a network, you need to be able to confirm that only valid users are connecting to it. Wi-Fi authentication comes in three types: personal, open, and enterprise. Within the personal category, there are two methods: pre-shared key authentication (PSK) and simultaneous authentication of equals (SAE).

Methods

Authentication protocols

Authentication protocols

Wireless network ___ refer to the factors that ensure good availability of authorized Wi-Fi access points. A network with patchy coverage is vulnerable to rogue and evil twin attacks.

Installation considerations

Selecting open authentication *means that the client is not required to authenticate.* (unless an access point without authentication (or encryption) This mode would be used on a public WAP (or "hotspot"). In WPA2, this also means that data sent over the link is unencrypted. Open authentication may be combined with a *secondary authentication mechanism* managed via a browser. When the client associates with the open hotspot and launches the browser, the client is redirected to *a __ (a web page or website a client is redirected to before being granted full network access) or splash page*.

Captive portals

For performance reasons, the channels chosen should be as widely spaced as possible to reduce different types of interference: • Co-channel interference (CCI)—when two WAPs in close proximity use the same channel, they compete for bandwidth within that channel, as signals collide and have to be re-transmitted. • Adjacent channel interference (ACI)—channels have only ~5 MHz spacing, but Wi-Fi requires 20 MHz of channel space. When the channels selected for WAPs are not cleanly spaced, the interference pattern creates significant numbers of errors and loss of bandwidth. For example, if two access points within range of one another are configured in the 2.4 GHz band with channels 1 and 6, they will not overlap. If a third access point is added using channel 3, it will use part of the spectrum used by both the other WAPs, and all three networks will suffer from interference.

Channel overlaps

*Rather than configure each device individually, enterprise wireless solutions implement wireless controllers* for centralized management and monitoring. A *controller can be a hardware appliance or a software application run on a server*. *An access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller is known as a fat WAP, while one that requires a wireless controller in order to function is known as a thin WAP.* *Controllers and access points must be made physically secure*, as tampering could allow a threat actor to insert a rogue/evil twin WAP to try to intercept logons. These devices (configuration of multiple WAP WLAN) *must be managed like switches and routers, using secure management interfaces and strong administrative credentials.*

Controller and access point security

A wireless network must be configured with security settings. Without encryption, anyone within range can intercept and read packets passing over the wireless network. ... The first version of Wi-Fi Protected Access (WPA) was designed to fix critical vulnerabilities in the earlier wired equivalent privacy (WEP) standard. Like WEP, *version 1 of WPA uses the RC4 stream cipher but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to make it stronger*. Neither WEP nor the original WPA version is considered secure enough for continued use. WPA2 uses the Advanced Encryption Standard (AES) cipher with 128-bit keys, deployed within *the ___. AES replaces RC4 and __ replaces TKIP*. ___ provides authenticated encryption, which is designed to make replay attacks harder.

Counter-mode/CBC-MAC protocol (CCMP); Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Cryptographic protocols (these are the cryptographic protocols that provide the encryption for the wireless security for the wireless network - my note):

Cryptographic protocols

*__ is similar to PEAP*. It uses a server-side certificate to establish a protected tunnel through which the user's authentication credentials can be transmitted to the authentication server. The main distinction from PEAP is that *___ can use any inner authentication protocol (PAP or CHAP, for instance), while PEAP must use EAP-MSCHAP or EAP-GTC.*

EAP with Tunneled TLS (EAP-TTLS)

___ is one of the strongest types of authentication and is very widely supported. An *encrypted Transport Layer Security (TLS) tunnel is established* between the supplicant and authentication server *using public key certificates* (TLS to authenticate via a device certificate/smart card) on the authentication server and supplicant. As *both supplicant and server are configured with certificates, this provides mutual authentication. The supplicant will typically provide a certificate using a smart card or a certificate could be installed* on the client device, possibly in a Trusted Platform Module (TPM).

EAP-TLS

__ defines a framework for negotiating authentication mechanisms rather than the details of the mechanisms themselves. Vendors can write extensions to the protocol to support third-party security devices. EAP implementations can include smart cards, one-time passwords, biometric identifiers, or simpler username and password combinations. (From web: The EAP protocol can support multiple authentication mechanisms without having to pre-negotiate a particular one. The Extensible Authentication Protocol (EAP) is a protocol for wireless network ... a protocol often used when connecting a computer to the internet.)

Extensible Authentication Protocol (EAP) (look at its name: it's basically saying extensible (various/many) ways to authenticate using this protocol)

These readings (from a site survey: signal strength & channel usage) are combined and analyzed to produce a ___, showing where a signal is strong (red) or weak (green/blue), and which channel is being used and how they overlap.

Heat maps

As an alternative to personal authentication, the enterprise authentication method implements ___ to use an Extensible *Authentication Protocol (EAP) mechanism. ___ defines the use of EAP over Wireless (EAPoW)* to allow an access point to forward authentication data without allowing any other type of network access. It is configured by selecting WPA2-Enterprise or WPA3-Enterprise as the security method on the access point. ... *It passes the credentials of the supplicant to an AAA (RADIUS or TACACS+ - authentication servers) server on the wired network for validation.* ... *The wireless station and access point use the PMK to derive session keys* (user credential is used to generate session encryption key).

IEEE 802.1X

..

Pre-shared key (PSK) vs. Enterprise vs. Open

In *__ (password tunneling through a TLS-protected tunnel), as with EAP-TLS, an encrypted tunnel* is established between the supplicant and authentication server, *but __ only requires a server-side public key certificate.* The supplicant does not require a certificate. With the server authenticated to the supplicant, user authentication can then take place through the secure tunnel with protection against sniffing, password-guessing/dictionary, and on-path attacks. *The user authentication method (also referred to as the "inner" method) can use either MS-CHAPv2 or EAP-GTC. The Generic Token Card (GTC) method transfers* a token for authentication against a network directory or using a one-time password mechanism.

Protected Extensible Application (Authentication) Protocol (PEAP)

Most implementations of EAP use a RADIUS (the authentication server) server to validate the authentication credentials for each user (supplicant). ___ means that *multiple organizations allow access to one another's users by joining their RADIUS servers into a RADIUS hierarchy or mesh*. For example, when Bob from widget.foo needs to log on to grommet.foo's network, the RADIUS server at grommet.foo recognizes that Bob is not a local user but has been granted access rights and routes the request to widget.foo's RADIUS server. One *example of ___ is the eduroam network (eduroam.org), which* allows students of universities from several different countries to log on to the networks of any of the participating institutions using the credentials stored by their "home" university.

Remote Authentication Dial-in User Service (RADIUS) Federation

*___ (SAE) protocol replaces the 4-way handshake*, which has been found to be vulnerable to various attacks. *SAE uses the Dragonfly handshake*, which is basically Diffie-Hellman over elliptic curves key agreement, combined with a hash value derived from the password and device MAC address to authenticate the nodes. With SAE, there should be no way for an attacker to sniff the handshake to obtain the hash value and try to use an offline brute-force or dictionary attack to recover the password. Dragonfly also implements ephemeral session keys, providing forward secrecy.

Simultaneous Authentication of Equals (SAE)

The coverage and interference factors mean that WAPs must be positioned (to protect against interference) and configured (for full coverage) so that the whole area is covered, but that they overlap as little as possible. A __ is used to measure signal strength and channel usage throughout the area to cover. A ___ starts with an *architectural map* of the site, with features that can cause background interference marked. These features include solid walls, reflective surfaces, motors, microwave ovens, and so on.

Site surveys

An infrastructure-based wireless network comprises one or more wireless access points, each connected to a wired network. The access points forward traffic to and from the wired switched network. *Each WAP is identified by its MAC address, also referred to as its basic service set identifier (BSSID). Each wireless network is identified by its name, or service set identifier (SSID)*. *Wireless networks can operate in either the 2.4 GHz or 5 GHz radio band.* Each radio band is divided into a number of channels, and each WAP must be configured to use a specific channel.

Wireless access point (WAP) placement

__ is similar to PEAP, *but instead of using a certificate to set up the tunnel, it uses* a Protected Access Credential (PAC), which is generated for each user from the authentication server's master key. The problem with EAP-FAST is in distributing (provisioning) the PAC securely to each user requiring access. The PAC can either be distributed via an out-of-band method or via a server with a digital certificate (but in the latter case, EAP-FAST does not offer much advantage over using PEAP). Alternatively, the PAC can be delivered via anonymous Diffie-Hellman key exchange. The problem here is that there is nothing to authenticate the access point to the user. A rogue access point could obtain enough of the user credential to perform an ASLEAP password cracking attack.

with Flexible Authentication via Secure Tunneling (EAP-FAST)

