CompTIA® Security+ Exam Notes : Given a scenario, install and configure wireless security settings

6. Cryptography and PKI

6.3 Given a scenario, install and configure wireless security settings

IEEE 802.11 is the family of wireless LAN (WLAN) standards. Do not confuse it with IEEE 802.1X, which is port-based network access control and is covered under authentication protocols below. The main 802.11 amendments, and some related IEEE 802 standards that often appear alongside them on the exam, are:

1. IEEE 802.11 (legacy) - supports data rates up to 2 Mbps in the 2.4 GHz frequency band.

2. IEEE 802.11a - supports data rates up to 54 Mbps in the 5 GHz frequency band.

3. IEEE 802.11b - supports data rates up to 11 Mbps in the 2.4 GHz frequency band.

4. IEEE 802.11g - supports data rates up to 54 Mbps in the 2.4 GHz frequency band, backward compatible with 802.11b.

5. IEEE 802.11n - supports data rates up to 600 Mbps using MIMO, operating in both the 2.4 GHz and 5 GHz frequency bands.

6. IEEE 802.11ac - supports data rates up to about 6.9 Gbps in the 5 GHz band.

7. IEEE 802.11i - the security amendment (robust security network): CCMP, TKIP, the 4-way handshake and 802.1X-based authentication. Certified by the Wi-Fi Alliance as WPA2.

8. IEEE 802.3 - describes the CSMA/CD Ethernet standard.

9. IEEE 802.5 - describes Token Ring networks.

10. IEEE 802.4 - is a standard for Token bus networks.

Note that the 802.11 standards (often written loosely as "802.11x") pertain to wireless LANs, whereas 802.1X (a single 1, then the letter X) is the port-based authentication framework used by WPA/WPA2-Enterprise on both wired and wireless networks.

Cryptographic Protocols:

CCMP: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (also known as CCM Protocol) is the encryption protocol that forms part of the IEEE 802.11i standard for wireless local area networks (WLANs) and is mandatory in WPA2. CCMP is built on the U.S. federal government's Advanced Encryption Standard (AES) with a 128-bit key, run in CCM mode so that a single pass provides both confidentiality (counter mode) and integrity (CBC-MAC) for each frame, with a 48-bit packet number that also defeats replay.

TKIP (Temporal Key Integrity Protocol): TKIP is an encryption protocol included as part of the IEEE 802.11i standard for wireless LANs (WLANs). It was designed as a stopgap that could run on existing WEP hardware: it still uses the RC4 stream cipher, but adds per-packet key mixing, a 48-bit sequence counter against replay and the Michael message integrity check. That makes it far more secure than the notoriously weak Wired Equivalent Privacy (WEP), the original WLAN security protocol, but TKIP itself is now deprecated and should not be enabled where CCMP is available.

WEP (Wired Equivalent Privacy): is the original security standard for 802.11 networks. WEP keys are either 40 bits or 104 bits long (marketed as 64-bit and 128-bit once the 24-bit initialization vector is counted). Wireless networks broadcast messages using radio, and are therefore more susceptible to eavesdropping than wired networks; WEP was intended to provide confidentiality comparable to that of a traditional wired network. WEP is 802.11's optional encryption standard implemented in the MAC layer, and most radio network interface card (NIC) and access point vendors support it. If a user activates WEP, the NIC encrypts the payload (frame body and the CRC-32 integrity check value) of each 802.11 frame before transmission using the RC4 stream cipher from RSA Security. The receiving station, such as an access point or another radio NIC, performs decryption upon arrival of the frame. Note that 802.11 WEP only encrypts data between 802.11 stations. Once the frame enters the wired side of the network, such as between access points, WEP no longer applies. Because the 24-bit IV is far too short and gets reused, and RC4's key schedule leaks key bytes, a WEP key can be recovered from passively captured traffic in minutes; WEP is considered broken and must not be used.

WPA and WPA2: Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. WPA was based on a draft of IEEE 802.11i and was intended as an interim measure to replace WEP on existing hardware while 802.11i was being finished. WPA2 became available in 2004 and is the Wi-Fi Alliance certification for the full IEEE 802.11i standard, which includes dynamic key exchange (the 4-way handshake), stronger encryption (CCMP/AES) and 802.1X user authentication. The 802.11i standard is widely known as WPA2. Most WPA2 equipment can still be configured in a mixed WPA/WPA2 mode for old clients, but that keeps TKIP enabled and should be avoided.

The key features of the WPA protocol are given below:

1. It supports both static (pre-shared) and dynamic (802.1X-derived) key distribution, and derives fresh per-session keys in either case.

2. It provides device authentication as well as user authentication (the latter through 802.1X/EAP in Enterprise mode).

3. It uses TKIP (Temporal Key Integrity Protocol) with per-packet key mixing. Note that WPA2 mandates CCMP (AES) whereas WPA uses TKIP (RC4); AES-based CCMP is the stronger encryption protocol.

4. WPA is forward compatible with WPA2: an access point can serve both at once, but the network is then only as strong as the weakest cipher it accepts.

Authentication Protocols:

EAP: The Extensible Authentication Protocol (EAP) is an authentication framework originally defined for the Point-to-Point Protocol (PPP), a protocol often used when connecting a computer to the Internet, and carried over wireless and wired LANs inside 802.1X (EAPOL) frames. EAP itself does not authenticate anyone; it negotiates and carries a method, and methods exist for token cards, smart cards, certificates, one-time passwords, and public key authentication.

PEAP: PEAP (Protected Extensible Authentication Protocol) is an EAP method that first establishes a TLS tunnel to the authentication server (which needs a server certificate; the client does not) and then runs a second, inner EAP method such as EAP-MSCHAPv2 through the tunnel. PEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control. Clients must be configured to validate the server certificate; otherwise a rogue access point with its own RADIUS server can harvest the inner credentials.

LEAP: LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary EAP method for 802.11 WLANs (wireless local area networks) that support 802.1X port access control. It uses a modified MS-CHAP challenge/response with no TLS protection, so the exchange can be captured and subjected to an offline dictionary attack; Cisco itself recommends migrating away from it. Treat LEAP as legacy and disable it.

EAP-FAST: EAP-FAST (Flexible Authentication via Secure Tunneling) is an Extensible Authentication Protocol (EAP) method developed by Cisco to replace LEAP. It builds a TLS tunnel using a Protected Access Credential (PAC) provisioned to the client, and is used in wireless networks and point-to-point connections to perform session authentication.

EAP-TLS: EAP-TLS uses the TLS public key certificate authentication mechanism within EAP to provide mutual authentication of client to server and server to client. With EAP-TLS, both the client and the server must be assigned a digital certificate signed by a Certificate Authority (CA) that they both trust. It is the strongest of the common methods because there is no password to phish or crack, at the cost of deploying client certificates (a PKI).

EAP-TTLS: EAP-TTLS (Tunneled Transport Layer Security) was developed as an extension of EAP-TLS. The server is authenticated with a certificate and an encrypted TLS tunnel is established; the client then authenticates inside the tunnel with a legacy method such as PAP, CHAP or MS-CHAPv2, which need not itself be an EAP method. Unlike EAP-TLS, EAP-TTLS requires only a server-side certificate. As with every EAP method used with 802.1X, the exchange also produces dynamic, per-user, per-session keying material (the PMK) from which the WPA/WPA2 encryption keys are derived.

IEEE 802.1X: 802.1X is the IEEE standard for port-based network access control. The authenticator (the access point or switch) keeps the port closed to everything except EAPOL frames until the supplicant (the client) has been authenticated by an authentication server, normally RADIUS. It is the framework behind WPA/WPA2-Enterprise; the EAP method chosen determines how credentials are exchanged. Do not confuse it with IEEE 802.11, commonly known as Wi-Fi, which specifies the physical and MAC layers for WLAN communication in the 2.4, 3.6 and 5 GHz frequency bands.
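The 802.1X exchange described above, as an added example (not code from any vendor, standard or the exam): a small Python parser for EAPOL frames and the EAP packets they carry, plus an audit pass that flags what a reviewer would object to in a WPA2-Enterprise deployment. The frames, the identity alice@corp.example and the acceptable-method policy are all constructed for this example.

```python
"""Parse 802.1X (EAPOL) frames carrying EAP and audit the methods in use.

Added example for these notes, not code from any vendor or standard; the
sample exchange below is constructed by hand, not captured from a network."""
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method type numbers (IANA registry)
EAP_METHODS = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 17: "LEAP",
               21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
# Methods that either authenticate with certificates (EAP-TLS) or wrap the
# credential exchange in a TLS tunnel. Anything else offered by the
# authenticator is flagged. The policy itself is an assumption of this example.
ACCEPTABLE_METHODS = {13, 21, 25, 43}


def parse_eapol(frame: bytes) -> dict:
    """Split an 802.1X frame into the EAPOL header fields and the body it carries."""
    if len(frame) < 4:
        raise ValueError("short EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field does not match the frame")
    return {"version": version, "type": EAPOL_TYPES.get(ptype, "unknown"), "body": body}


def parse_eap(body: bytes) -> dict:
    """Decode one EAP packet: code, identifier and, for Request/Response, the method and its data."""
    code, ident, length = struct.unpack("!BBH", body[:4])
    pkt = {"code": EAP_CODES.get(code, "unknown"), "id": ident,
           "method_type": None, "method": None, "data": b""}
    if code in (1, 2) and length >= 5:
        pkt["method_type"] = body[4]
        pkt["method"] = EAP_METHODS.get(body[4], f"type-{body[4]}")
        pkt["data"] = body[5:length]
    return pkt


def audit(frames) -> list:
    """Return the findings a reviewer would raise about an 802.1X exchange."""
    findings = []
    for frame in frames:
        eapol = parse_eapol(frame)
        if eapol["type"] != "EAP-Packet":
            continue  # EAPOL-Start/Logoff/Key carry no EAP method
        eap = parse_eap(eapol["body"])
        # The outer EAP-Response/Identity travels before any tunnel exists, so a
        # real username here is readable by anyone sniffing the channel.
        if eap["code"] == "Response" and eap["method_type"] == 1:
            ident = eap["data"].decode("ascii", "replace")
            if not ident.startswith("anonymous"):
                findings.append(f"outer identity '{ident}' sent in the clear; "
                                "configure an anonymous outer identity")
        if eap["code"] == "Request" and eap["method_type"] not in ACCEPTABLE_METHODS | {1}:
            findings.append(f"{eap['method']} offered by the authenticator; "
                            "disable it on the RADIUS server")
    return findings


def eapol_eap(code: int, ident: int, method=None, data: bytes = b"") -> bytes:
    """Build an EAPOL frame carrying one EAP packet (used only to construct the sample)."""
    eap_len = 4 + (1 + len(data) if method is not None else 0)
    eap = struct.pack("!BBH", code, ident, eap_len)
    if method is not None:
        eap += bytes([method]) + data
    return struct.pack("!BBH", 2, 0, len(eap)) + eap


# Constructed exchange: a client joins a WPA2-Enterprise SSID whose RADIUS server
# still has LEAP enabled. 'alice@corp.example' is a made-up identity.
SAMPLE_EXCHANGE = [
    bytes.fromhex("01010000"),                     # supplicant: EAPOL-Start
    eapol_eap(1, 1, 1),                            # authenticator: EAP-Request/Identity
    eapol_eap(2, 1, 1, b"alice@corp.example"),     # supplicant: EAP-Response/Identity, plaintext
    eapol_eap(1, 2, 17, b"\x01\x00\x08" + bytes(8) + b"alice"),  # authenticator offers LEAP first
    eapol_eap(2, 2, 3, b"\x19"),                   # supplicant: Nak, wants PEAP (type 25)
    eapol_eap(1, 3, 25, b"\x20"),                  # authenticator: PEAP start (S flag set)
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXCHANGE):
        print(finding)
```

Running the audit over the constructed exchange produces two findings: the cleartext outer identity and the LEAP offer. The same parser can be pointed at EAPOL frames pulled from a capture with a tool such as tshark, which is how you would verify that a production SSID only ever negotiates the methods you intended.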

Configuration of wireless security settings:

Example 1: Configure security encryption to WPA2 with pass phrase "SECPLUS"

You need to know how to configure basic security settings such as WPA (short for Wi-Fi Protected Access) or WPA2. You can typically select the appropriate setting from a drop down box and then enter the pass phrase. The security settings entered on the access point must match on every device that connects to it.

Both WPA and WPA2 operate in either Personal or Enterprise mode. Most home and small business networks use Personal mode (WPA-PSK / WPA2-PSK), where one shared passphrase is configured on the access point and on every client.

Larger organizations add security to WAPs with WPA Enterprise or WPA2 Enterprise. Enterprise mode adds an authentication server, normally RADIUS, and requires each user (or device) to authenticate individually, with a username and password or a certificate, through 802.1X/EAP.

The RADIUS server is configured separately from the access point; the access point holds only the server's address and a shared secret and forwards the EAP exchange to it. The RADIUS server has access to the users' credentials (often by querying a directory such as Active Directory), verifies them, and tells the access point whether authentication succeeded. The per-session encryption key is then derived from that exchange rather than from a passphrase everyone shares.

Steps involved in configuring encryption level to WPA2:

1. In Wireless Access point window click "Wireless" tab

Configure security encryption to WPA 2 with pass phrase SECPLUS step 1

2. In "Wireless" window click "Wireless Security" tab.

Configure security encryption to WPA 2 with pass phrase SECPLUS step 2

3. In "Wireless Security" window select "WPA2 - PSK" (some firmware labels it WPA2-Personal) from the "Security Mode" drop down, choose AES (CCMP) rather than TKIP if the firmware asks for the cipher, enter "SECPLUS" as Pass Phrase and click "Save & Exit" button.

Configure security encryption to WPA 2 with pass phrase SECPLUS step 3

Note: The exercise uses a "Linksys" Access point for demonstration purposes only. The settings are similar in other home wireless access points or Wi-Fi routers, so knowing what each setting does matters more than the exact menu names. Also note that real firmware will reject "SECPLUS": a WPA/WPA2 passphrase must be 8 to 63 printable ASCII characters. Because the passphrase is the only secret in Personal mode, a short or guessable one can be recovered offline from a single captured handshake; use a long random passphrase in practice.
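Added example (not Linksys firmware or exam material) showing what the access point does with the passphrase entered in step 3, and why its strength is the whole security of Personal mode. It serves both the WPA/WPA2 description above and this exercise: the passphrase and SSID are stretched with PBKDF2 into the PMK, the 4-way handshake turns that into the PTK, and the KCK part of the PTK keys the MIC on the handshake frames. Because all of that is deterministic, anyone who captures one handshake can test passphrases offline, which the crack_handshake function demonstrates against a constructed capture. The SSID, MAC addresses, nonces, EAPOL frame and passphrases are all constructed; the "password"/"IEEE" check uses the published IEEE 802.11 test vector.

```python
"""WPA/WPA2-Personal key derivation and why the passphrase is the whole secret.

Added example for these notes (not vendor code). The SSID, MAC addresses,
nonces, passphrases and EAPOL frame below are all constructed for the demo."""
import hashlib
import hmac


def is_valid_passphrase(passphrase: str) -> bool:
    """802.11 requires a WPA passphrase of 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    In WPA/WPA2-Personal the PSK is used directly as the PMK."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    for i in range(4):  # 4 * 20 bytes covers the 64 bytes needed
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the 4-way handshake inputs (AP MAC, client MAC, both nonces).
    Bytes 0-15 are the KCK that keys the EAPOL-Key MIC, 16-31 the KEK, 32-47 the TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_zero_mic: bytes) -> bytes:
    """HMAC-SHA1-128 over the EAPOL-Key frame with its MIC field zeroed (WPA2/CCMP, AKM 2)."""
    return hmac.new(kck, eapol_frame_zero_mic, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, aa, spa, anonce, snonce, eapol_zero_mic, mic, candidates):
    """Offline dictionary attack: everything except the passphrase is in the
    captured handshake, so each guess can be checked without touching the AP."""
    for cand in candidates:
        if not is_valid_passphrase(cand):
            continue  # e.g. "SECPLUS" is too short to ever be a WPA passphrase
        kck = derive_ptk(derive_pmk(cand, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zero_mic), mic):
            return cand
    return None


def demo() -> str:
    """Constructed scenario: the AP was configured with 'Sunflower2024!' and an
    attacker captured message 2 of the handshake. Returns the recovered passphrase."""
    ssid = "CorpGuest"
    aa = bytes.fromhex("0011223344aa")             # AP (authenticator) MAC, constructed
    spa = bytes.fromhex("18f46a1aa212")            # client (supplicant) MAC, constructed
    anonce = hashlib.sha256(b"anonce").digest()    # stand-ins for the 32-byte random nonces
    snonce = hashlib.sha256(b"snonce").digest()
    # Simplified stand-in for EAPOL-Key message 2 with its 16-byte MIC field zeroed.
    eapol_zero_mic = bytes.fromhex("020300750201") + bytes(16) + snonce + bytes(70)
    real_kck = derive_ptk(derive_pmk("Sunflower2024!", ssid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(real_kck, eapol_zero_mic)      # what the sniffer sees in the frame
    wordlist = ["password", "SECPLUS", "letmein1", "Sunflower2024!", "Welcome123"]
    return crack_handshake(ssid, aa, spa, anonce, snonce, eapol_zero_mic, mic, wordlist)


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())
    print("recovered:", demo())
```

The 4096 PBKDF2 iterations are the only thing slowing a guess down, and GPU crackers do millions of them per second per card, so a passphrase that appears in any wordlist is effectively public. The SSID acts as the salt, which is why precomputed tables only exist for common SSIDs and why a unique SSID plus a long random passphrase is the right Personal-mode configuration.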

Example 2: Enable MAC Address Filtering in the WAP device, so that the machines matching the MAC addresses are permitted to communicate using the wireless network.

The following MAC addresses need to be allowed:

a. 18:F4:6A:1A:A2:12

b. 1E:F4:6A:1A:A2:12

c. 1F:F4:6A:1A:A2:12

d. 1D:F4:6A:1A:A2:12

Every Wi-Fi device is assigned a MAC (Media Access Control) address, a 48-bit identifier usually written as 12 hexadecimal digits. The first three bytes (the OUI) are assigned to the manufacturer by the IEEE Registration Authority and the manufacturer assigns the rest. The address is burned into the interface at the factory, but it is read and transmitted by software: it is sent unencrypted in the header of every frame, including when the device tries to connect to the network, and it can be changed by the user or randomized by the operating system.

Using the access point configuration software, you can create a safe list (allow list) of permitted client devices or a black list (deny list) of banned devices. If MAC filtering is activated, regardless of what encryption security is in place, the AP only allows devices on the safe list to connect, or blocks all devices on the black list.

To enable MAC address filtering and to allow the devices with matching MAC addresses, perform these steps (these steps are generic in nature, and likely to change from one device type to another):

1. In wireless Access point window click "Wireless" tab.

Enable MAC Address Filtering in the WAP device step 1

2. Click "Wireless MAC Filter" tab in wireless window.

Enable MAC Address Filtering in the WAP device step 2

3. In MAC Filter window

step 1: Click Enable radio button

step 2 : Click Permit only radio button

step 3 : Click Edit MAC Filter List button

Enable MAC Address Filtering in the WAP device step 3

4. MAC Address List window appears; enter the four MAC addresses listed above, one per entry, and click on "Save settings" button.

Enable MAC Address Filtering in the WAP device step 4

5. Click again "Save & Exit" button in wireless Access point window.

Enable MAC Address Filtering in the WAP device step 5

Note: Encryption protocols like WPA2 (short for Wi-Fi Protected Access 2) reduced the necessity for MAC filtering. MAC filtering is not an authentication control: the 802.11 frame header, which carries the source address, is never encrypted, so the addresses of connected devices are visible to any passive sniffer even on a WPA2 network, and an attacker can set their own interface to one of those addresses and be admitted. Treat it as a housekeeping measure at best, never as a substitute for WPA2.
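Added example (not Linksys code or exam material): a Python model of the allow/deny filter configured in Example 2, together with the checks a practitioner would run on the list before trusting it. Applied to the four addresses from the question it flags three of them: 1E:F4:6A:1A:A2:12 has the locally-administered (U/L) bit set, which is what randomized or spoofed addresses look like, and 1D:F4:6A:1A:A2:12 and 1F:F4:6A:1A:A2:12 have the group (I/G) bit set, so no station can ever use them as a source address and those two entries can never match a real client. The allow list is the one from the question; the other addresses are constructed.

```python
"""MAC filter model and sanity checks for the allow list.

Added example for these notes. ALLOW_LIST is the list from Example 2;
every other address in this file is constructed."""
import re

# 12 hex digits, optionally separated by a consistent ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize(mac: str) -> str:
    """Canonical lower-case colon form, e.g. '18:f4:6a:1a:a2:12'."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def describe(mac: str) -> dict:
    """Decode the two flag bits in the first octet plus the OUI."""
    norm = normalize(mac)
    first = int(norm[:2], 16)
    return {
        "mac": norm,
        "oui": norm[:8],
        # I/G bit (0x01): group (multicast/broadcast) address, never a station's own
        "group": bool(first & 0x01),
        # U/L bit (0x02): locally administered, i.e. set by software, not burned in
        "locally_administered": bool(first & 0x02),
    }


class MacFilter:
    """What the AP does: match the presented source address against the list."""

    def __init__(self, entries, permit_only: bool = True):
        self.entries = {normalize(m) for m in entries}
        self.permit_only = permit_only  # False models the 'Prevent' (deny list) radio button

    def allows(self, presented_mac: str) -> bool:
        listed = normalize(presented_mac) in self.entries
        return listed if self.permit_only else not listed


def review_allow_list(entries) -> list:
    """Flag entries that cannot belong to a real, factory-addressed station."""
    problems = []
    for entry in entries:
        d = describe(entry)
        if d["group"]:
            problems.append(f"{d['mac']}: I/G bit set, this is a group address, not a station")
        elif d["locally_administered"]:
            problems.append(f"{d['mac']}: locally administered, randomized or spoofed rather than burned in")
    return problems


# The four addresses from Example 2.
ALLOW_LIST = ["18:F4:6A:1A:A2:12", "1E:F4:6A:1A:A2:12", "1F:F4:6A:1A:A2:12", "1D:F4:6A:1A:A2:12"]

if __name__ == "__main__":
    for problem in review_allow_list(ALLOW_LIST):
        print(problem)
    wap = MacFilter(ALLOW_LIST)
    print("legit client admitted:", wap.allows("18-F4-6A-1A-A2-12"))
    print("unknown client admitted:", wap.allows("aa:bb:cc:dd:ee:ff"))
    # An attacker who sniffed the first address presents it as their own
    # (on Linux: ip link set dev wlan0 address 18:f4:6a:1a:a2:12); the
    # filter has no way to tell the two stations apart.
    print("spoofing client admitted:", wap.allows("18:f4:6a:1a:a2:12"))
```

The last three lines are the whole argument against MAC filtering as a security control: the filter decides on a value the client chooses, so whatever it admits for the legitimate device it also admits for anyone who copies that device's address. Modern phones and laptops also randomize their address per network by default (the U/L bit is set on those), which is why an allow list built from burned-in addresses quietly stops matching real users.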
