3.4 Given a scenario, install and configure wireless security settings Flashcards
Wi-Fi Protected Access (WPA2)
Wi-Fi Protected Access 2 (WPA2) is the name of the first official implementation of the 802.11i wireless security protocol standard developed by the IEEE. WPA2 uses AES, a 128-bit symmetric block cipher that is much more robust, yet it remains backward-compatible because TKIP is also included in its protocol suite. Like WPA, WPA2 has two different implementations: WPA2-Personal (using a pre-shared key) and WPA2-Enterprise, which work the same way as they do in WPA.
Wi-Fi Protected Access 3 (WPA3)
WPA3 brings many improvements over WPA2. Most notably, Simultaneous Authentication of Equals (SAE) replaces PSK—at least for encryption. If you set up an “open” SSID with a WPA3-capable WAP, SAE automatically forces every WPA3-capable device connecting to that WAP to use a Diffie-Hellman–style authentication/encryption process. In other words, the day of the unencrypted wireless connection no longer exists in WPA3.
Counter-Mode/CBC-MAC Protocol (CCMP)
WPA2's encryption mode is called the Counter Mode Cipher Block Chaining Message Authentication Code Protocol, which CompTIA shortens to Counter-mode/CBC-MAC Protocol (CCMP). CCMP uses a 128-bit key and a 128-bit block size (since it is a symmetric block cipher, as opposed to the RC4 symmetric stream cipher used in WEP and WPA), as well as 48-bit initialization vectors. The larger IV size helps prevent replay attacks from being conducted against WPA2.
Simultaneous Authentication of Equals (SAE)
In WPA3, Simultaneous Authentication of Equals (SAE) replaces PSK—at least for encryption. If you set up an “open” SSID with a WPA3-capable WAP, SAE automatically forces every WPA3-capable device connecting to that WAP to use a Diffie-Hellman–style authentication/encryption process. In other words, the day of the unencrypted wireless connection no longer exists in WPA3.
Extensible Authentication Protocol (EAP)
EAP recognizes that there are several different authentication methods, including certificate-based authentication and other multifactor authentication methods, such as smart cards and so on. EAP can still allow the traditional user name/password combination of authentication as well. EAP also allows for mutual authentication between devices as well as directory-based authentication services.
Protected Extensible Authentication Protocol (PEAP)
Protected Extensible Authentication Protocol (PEAP), another EAP version that uses TLS, addressed problems with EAP and was developed as an open protocol by several vendors, such as Microsoft, RSA, and Cisco. PEAP is similar to EAP-TLS and requires a digital certificate on the server side of a connection to create a secure TLS tunnel.
EAP-FAST
Cisco has replaced LEAP with EAP-FAST (for Flexible Authentication via Secure Tunneling), which addresses LEAP’s security issues. EAP-FAST is lightweight but uses TLS tunnels to add security during authentication.
EAP-TLS
EAP Transport Layer Security (EAP-TLS) was for years the primary EAP variation used on high-security wireless networks. As the name implies, EAP-TLS uses the same TLS protocol used on secure Web pages. EAP-TLS requires both a server-side certificate and a client-side certificate (client-side certificates are rarely used on Web pages, but the TLS protocol certainly supports their use).
EAP-TTLS
EAP Tunneled Transport Layer Security (EAP-TTLS) may share a similar-sounding acronym to EAP-TLS, but it is a completely different EAP variation. EAP-TTLS goes beyond the TLS protocol, adding a tunnel to provide better security. EAP-TTLS only requires a server-side certificate. EAP-TTLS is considered to be functionally equivalent to PEAP.
IEEE 802.1X
The great thing is that, while 802.1X is probably encountered most often on corporate wireless networks as the preferred form of authentication and access management control, it is not a wireless standard at all and can be used on wired networks as well. This makes it easier for wireless and wired networks to interoperate, since they can use the same authentication methods and can connect to each other quite easily.
Remote Authentication Dial-in User Service (RADIUS) Federation
A federated system involves the use of a common authentication system and credentials database that multiple entities use and share. A RADIUS federation could connect those systems wirelessly using RADIUS servers.
Pre-shared Key (PSK) vs. Enterprise vs. Open
Look for a comparative question on the CompTIA Security+ exam that explores pre-shared key (PSK) vs. enterprise vs. open. This applies primarily to WPA2, not WPA3, but PSK means using personal mode, enterprise means connecting to a RADIUS server, and open means having no security at all (i.e., open season on your network).
Wi-Fi Protected Setup (WPS)
The goal of WPS is to enable anyone to join a WPS-capable device to a WPS-enabled wireless network just by pressing two buttons. Press the button on the WAP, then press the button on the device you want to join to the network; your device connects to the SSID and takes on the WAP’s WPA2 encryption. Neat!
Captive Portals
A captive portal is a Web page that prompts clients to enter proper credentials to gain further access to the network. This enables the organization to control or limit access to clients connecting from an acceptable location and with proper authentication.
Site Surveys
In a site survey, a network tech makes a technical assessment of the area in which a wireless network will be installed and operating. Usually, the tech performs a site survey before installing the wireless network, although sometimes it might be performed periodically when looking at network performance or before expanding the wireless network to accommodate new access points or additional capacity.