3.4 Given a scenario, install and configure wireless security settings.
Heat maps
One way to visually see the results of these site surveys is to use a ___ ____. There are a number of tools that can help you build these _____ ____. All you would need to do is move around your building and have this system create, visually, where your wireless networks happen to be, and where the largest signal strengths might be for that network.
Site surveys
___ _____ of the facility document AP locations but can also identify rogue APs. A rogue AP is an undocumented AP and might not be secured properly to be transmitting sensitive data. where we're going to get more information about the wireless infrastructure that may already be in place. There may be existing access points in the same building or location where you'll be installing additional access points, or there may be access points that are located nearby that aren't necessarily in your control.
EAP-TTLS
here you can tunnel other authentication protocols within the existing TLS tunnel. Unlike EAP-TLS, ______ only needs a single digital certificate on the authentication server. We don't have to deploy separate digital certificates to all of these other devices on our network. We would use the digital certificate on the authentication server to be able to create and send information over this TLS tunnel.
EAP-TLS
requires digital certificates on all devices. This is because we perform a mutual authentication when connecting to the network. Once the mutual authentication is complete, a TLS tunnel is then built to send the user authentication details. If you've ever managed a network where every device had its own digital certificate, you know this is not a trivial task. You need a Public Key Infrastructure, or a formal PKI, so that you can properly, manage, deploy, and revoke any of these certificates that may be in use in your environment. We also have to consider that some older devices may not allow for the use of digital certificates, and therefore, they would not be able to connect to the network and authenticate using _____.
Open
that means that anyone can connect to the wireless network and they don't need any type of authentication.
Enterprise
would be 802.1X. If we can figure out wireless access point to have no security or listed as open security, that means that anyone can connect to the wireless network and they don't need any type of authentication.
Extensible Authentication Protocol (EAP)
A framework for transporting authentication protocols that defines the format of the messages. an authentication framework, not a specific authentication mechanism, frequently used in wireless networks and point-to-point connections. It provides some common functions and negotiation of authentication methods called ____ methods. The ____ protocol can support multiple authentication mechanisms without having to pre-negotiate a particular one. There are currently about 40 different methods defined.
IEEE 802.1X
A standard that authenticates users on a per-switch port basis by permitting access to valid users but effectively disabling the port if authentication fails. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN
Captive portals
If you're on a third party wireless network, especially one that's used in a coffee shop a hotel or some other temporary basis, then you're probably using a ____ _____ to be able to provide this authentication. A ______ ________ is a method of providing authentication using a separate login screen from your browser. The access point that you're authenticating to will check to see if you have previously authenticated. And if you haven't it will redirect you to this portal page when you open your browser. It's common for this login page to ask for a username or password and many _______ ______ support the use of additional authentication factors as well. Once this information is typed in to the _______ _______ and that information is confirmed then you have access to the wireless network. These _________ _________ often have a time out function associated with them.
Wireless access point (WAP) placement
This means we may need to work around any frequencies that are already in use, or we may have to put our access point in a location that will minimize the amount of interference. And like most things associated with technology, these things tend to change over time. So you may want to perform additional site surveys later on down the line to make sure that nothing has changed, and that your wireless network is performing optimally. To avoid any type of interference between access points, we need to make sure that access points that are near each other are not using the same frequencies. If we look at the frequencies available for 2.4 GHz, you can see it's a very small number of channels that don't overlap with each other.
Channel overlays
To avoid any type of interference between access points, we need to make sure that access points that are near each other are not using the same frequencies. If we look at the frequencies available for 2.4 GHz, you can see it's a very small number of channels that don't overlap with each other. In the United States, channel 1, channel 6, and channel 11 have no interference between each other. So if you're running one access point at channel 1, and another at channel 6, you'll want to configure your third access point use channel 11. If you're using an access point that supports 5 GHz, you have many more channels available. Anything not in red in this picture are available in the 5 GHz range, giving you much more flexibility for installing wireless access points with those frequencies. Here's a view of two separate access points that are configured without using overlapping channels. One of these is using channel 6, and the other is using channel 11. What you don't want to do, is go into this network, install a new access point, configure for channel 8, and you can see that that new access point overlaps and interferes with both of the access points that were there previously.
WiFi protected access II (WPA2)
Wireless security protocol that supports 802.11i encryption standards to provide greater security. This protocol uses Advanced Encryption Standards (AES) and Temporal Key Integrity Protocol (TKIP) for stronger encryption. a security type on our wireless networks that's been around for a very long time. this began certification in 2004. This uses an encryption called CCMP block cipher mode. This stands for Counter mode with Cipher block chaining Message authentication code Protocol, or Counter/CBC-MAC protocol. That's a very long name that effectively means you're using CCMP over _____. CCMP uses a number of different protocols to provide the security we need for our wireless networks. For example, the confidentiality of the data is encrypting with the AES protocol and the integrity that we're using on the network, for the message integrity check or the MIC, uses CBC-MAC.
WiFi protected access III (WPA3)
brings new capabilities to improve cybersecurity in personal networks. More secure encryption of passwords and enhanced protection against brute-force attacks combine to safeguard your home Wi-Fi. It changes the encryption just a bit. It uses a different block cipher mode called GCMP. This is your Galois Counter Mode Protocol and it is an update to the encryption method used with WPA2 in an effort to make this just a bit stronger encryption than the older WPA2 protocol. The methods used for encryption and integrity are similar in many ways to WPA2, the confidentiality of the data still uses AES, but the message integrity check has changed to Galois message authentication code or GMAC. One of the significant security updates to _____ addressed a number of challenges with keeping WPA2 secure.
- Controller and access point security
so we'll often have HTTPS to provide encrypted communication between our browser and the wireless controller. And if we step away from this configuration, there's usually a timeout period where if no input goes by, there will be an automatic log out from the wireless controller. On the access points themselves, we want to be sure that we are using strong passwords, or some other type of very strong authentication method. And we'll use our wireless controller to make sure that all of those devices are always updated to the latest firmware.
Protected Extensible Application Protocol (PEAP)
using TLS to be able to send this information, but instead of it being based on a shared secret with the PAC, we're using the same method as a traditional web server by using a digital certificate. This digital certificate is only needed on the server. Your clients do not need separate digital certificates to be able to use ____.
WiFi analyzers
will provide useful information about wireless signals around you.
Counter-mode/CBC-MAC protocol (CCMP)
Uses AES w/128 bit keys An encryption protocol used in Wi-Fi uses a number of different protocols to provide the security we need for our wireless networks. For example, the confidentiality of the data is encrypting with the AES protocol and the integrity that we're using on the network, for the message integrity check or the MIC, uses CBC-MAC. an enhanced data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC (CCM mode) of the Advanced Encryption Standard (AES) standard. It was created to address the vulnerabilities presented by Wired Equivalent Privacy (WEP), a dated, insecure protocol.
EAP-FAST
A Cisco-designed replacement for Lightweight EAP (LEAP). _____ supports certificates, but they are optional. This is a way to make sure that the authentication server and the supplicant, are able to transfer information between each other over a secure tunnel. This is accomplished with a shared secret referred to as a Protected Access Credential, or a PAC. The supplicant receives the PAC and then sets up a Transport Layer Security Tunnel. This TLS tunnel is very similar to the TLS mechanism that's used to encrypt information within a browser. Once this TLS tunnel is in place, everything sent across is encrypted, and then authentication details are sent over that TLS tunnel. It's common to see ____ used with a centralized authentication server, such as RADIUS, where you can have both the authentication database and _____ services running on that RADIUS server.
Pre-shared key (PSK)
A shared secret that has been previously shared between parties and is used to establish a secure channel. giving everyone the same password. We refer to this as a ____ ___ because we've created the key previously. And then we hand that key out to anyone who needs access to the network. These ________ ___ or shared passwords are commonly used for networks that we might have at our home. In our corporate environment however, we need additional security. We need to make sure that everyone has a different authentication method for logging in. We want to be sure that if someone was to leave the company we could disabled their access but still allow access for everyone else.
Simultaneous Authentication of Equals (SAE)
A strong authentication method used in WPA3 to authenticate wireless clients and APs and to prevent dictionary attacks for discovering pre-shared keys. So how do we create a session key that's used on both sides of the conversation without actually sending that session key across the network? To be able to do this, we use a method called ____. If you're familiar with Diffie-Hellman key exchange, you may find that ____ sounds a little familiar, that's because it is derived from that Diffie-Hellman process. We add some additional capabilities though, that go a little bit farther than Diffie-Hellman so that we can add some authentication components to the conversation. And of course, everyone on the network is generating a different session key even if everybody is using exactly the same pre-shared key to connect to the wireless network. This was added to the IEEE 802.11 standard, and you'll sometimes hear this key exchange process referred to as the dragonfly handshake.
WiFi Protected Setup (WPS)
A way to set up a secure wireless network by using a button personal identification number, or USB key to automatically configure devices to connect a network o be able to make this process a bit easier for the administrator and for the users a type of authentication was created called ____. This is a format that used to be called Wi-Fi simple config. The idea is that it would be much easier to use this method of authentication rather than using pre-shared keys 802.1X authentication or some other type of authentication method. ____ allows different methods to be used for authentication. For example, you could use a personal identification number that you would put into the mobile device and that gains you access to the wireless network. Or you might have to push a button on the access point itself while you're configuring the settings on your wireless device.
Remote Authentication Dial-in User Server (RADIUS) Federation
commonly uses 802.1X as the authentication method. So you're using EAP to authenticate, and you're very commonly authenticating to a RADIUS server on the back end. A common implementation of _____ ________ can be found with eduroam. This was built so that educators who were visiting a different campus could use their original username and password to be able to authenticate, regardless of what campus they may travel to.