CompTIA® Security+ Exam Notes : Given a scenario, install and configure wireless security settings

6. Cryptography and PKI

6.3 Given a scenario, install and configure wireless security settings

The IEEE 802.1x standard covers network access control, including for wireless networks. The IEEE 802 LAN standards relevant here are listed below:

1. IEEE 802.11 - supports data rate up to 2 Mbps in the 2.4 GHz frequency band.

2. IEEE 802.11a - supports data rates up to 54 Mbps in the 5 GHz frequency band.

3. IEEE 802.11b - supports data rates up to 11 Mbps in the 2.4 GHz frequency band.

4. IEEE 802.11n - operates in both the 2.4 GHz and 5 GHz frequency bands.

5. IEEE 802.11ac - supports data rates up to 6.9 Gbps in the 5 GHz frequency band.

6. IEEE 802.3 - describes CSMA/CD Ethernet standard.

7. IEEE 802.5 - describes Token Ring networks.

8. IEEE 802.4 - is a standard for Token bus networks.

Note that the IEEE 802.11x and 802.11xx standards pertain to wireless LANs.

Cryptographic Protocols:

CCMP: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (also known as CCM Protocol) is an encryption protocol that forms part of the 802.11i standard for wireless local area networks (WLANs), particularly those using WiMax technology. The CCMP algorithm is based on the U.S. federal government's Advanced Encryption Standard (AES).

TKIP (Temporal Key Integrity Protocol): TKIP is an encryption protocol included as part of the IEEE 802.11i standard for wireless LANs (WLANs). It was designed to provide more secure encryption than the notoriously weak Wired Equivalent Privacy (WEP), the original WLAN security protocol.

WEP (Wired Equivalent Privacy): WEP is a security standard for 802.11 wireless access point (WAP) networks. A WEP key should be at least 40 bits long. Wireless networks broadcast messages using radio and are therefore more susceptible to eavesdropping than wired networks. WEP was intended to provide confidentiality comparable to that of a traditional wired network. WEP is 802.11's optional encryption standard, implemented in the MAC layer, that most radio network interface card (NIC) and access point vendors support. If a user activates WEP, the NIC encrypts the payload (frame body and CRC) of each 802.11 frame before transmission using the RC4 stream cipher from RSA Security. The receiving station, such as an access point or another radio NIC, decrypts the frame upon arrival. Note that 802.11 WEP only encrypts data between 802.11 stations; once the frame enters the wired side of the network, such as between access points, WEP no longer applies.

WPA and WPA2: Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. WPA2 became available in 2004 and is a common shorthand for the full IEEE 802.11i standard. WPA is forward compatible with IEEE 802.11i and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. 802.11i includes dynamic key exchange, stronger encryption, and user authentication. It is not backward compatible with WPA. The 802.11i standard is widely known as WPA2.

The key features of the WPA protocol are given below:

1. It supports both static and dynamic key distribution

2. It provides Device Authentication, as well as User Authentication.

3. It uses TKIP (Temporal Key Integrity Protocol) encryption for dynamic key exchange. Note that WPA2 uses AES encryption whereas WPA uses TKIP; AES is the stronger encryption protocol.

4. WPA is forward compatible with WPA2.

Authentication Protocols:

EAP: The Extensible Authentication Protocol (EAP) is a protocol for wireless networks that expands on authentication methods used by the Point-to-Point Protocol (PPP), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.

PEAP: PEAP (Protected Extensible Authentication Protocol) is a version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections. PEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control.

LEAP: LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections. LEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control.

EAP-Fast: EAP-FAST, also known as Flexible Authentication via Secure Tunneling, is an Extensible Authentication Protocol (EAP) developed by Cisco. It is used in wireless networks and point-to-point connections to perform session authentication. Its purpose is to replace the Lightweight Extensible Authentication Protocol (LEAP).

EAP-TLS: EAP-TLS uses the TLS public key certificate authentication mechanism within EAP to provide mutual authentication of client to server and server to client. With EAP-TLS, both the client and the server must be assigned a digital certificate signed by a Certificate Authority (CA) that they both trust.

EAP-TTLS: EAP-TTLS (Tunneled Transport Layer Security) was developed as an extension of EAP-TLS. This security method provides certificate-based, mutual authentication of the client and network through an encrypted channel (or tunnel), as well as a means to derive dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server-side certificates.

EAP-MD5 (Message Digest): EAP-MD5 is an EAP authentication type that provides base-level EAP support. EAP-MD5 is typically not recommended for Wi-Fi LAN implementations because it may allow the user's password to be derived. It provides only one-way authentication; there is no mutual authentication of the Wi-Fi client and the network. Very importantly, it does not provide a means to derive dynamic, per-session Wired Equivalent Privacy (WEP) keys.

IEEE 802.1x: 802.11x is a generic term for the IEEE 802.11 standards that define communication over a wireless LAN (WLAN). 802.11, commonly known as Wi-Fi, specifies an interface between two wireless clients. These standards are used to implement WLAN communication in the 2.4, 3.6 and 5 GHz frequency bands. This is the standard that pertains to wireless LANs.

Captive portal: A captive portal is a web page, accessed with a web browser, that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. The captive portal is presented to the client and is stored either at the gateway or on a web server hosting the page. Captive portals are mostly used for wireless hotspots and to manage internet access on campus grounds, hospital wireless networks, school wireless networks, or even in larger organizations.

RADIUS federation: RADIUS federation is a federation service in which access to the network is gained through WAPs. It allows users to use their normal credentials across trusted networks. It uses IEEE 802.1x as the authentication method with a RADIUS database at the back end.

EAP-TLS: EAP-TLS is an IETF open standard. It also uses TLS to secure the authentication process. It is one of the most secure methods because it typically employs client-side certificates. This means that an attacker must also possess the client-side certificate's private key to break the TLS channel.

WPA2-PSK: WPA stands for "Wi-Fi Protected Access", and PSK is short for "Pre-Shared Key."

WPA2-PSK [AES] is the recommended secure method of making sure no one can listen to your wireless data while it is being transmitted between your router and the other devices on your network.

EAP-PEAP: EAP-Protected Extensible Authentication Protocol (EAP-PEAP) is a protocol that creates an encrypted (and more secure) channel before the password-based authentication occurs. PEAP is an 802.1X authentication method that uses a server-side public key certificate to establish a secure tunnel in which the client authenticates with the server.

Configuration of wireless security settings:

Example 1: Configure security encryption to WPA2 with pass phrase "SECPLUS"

You need to know how to configure basic security settings such as WPA (short for Wi-Fi Protected Access) or WPA2. You can typically select the appropriate setting from a drop-down box and then enter the appropriate pass phrase. The security settings entered on the access point must be used on all the devices that connect to the access point.

Both WPA and WPA2 operate in either Personal or Enterprise modes. Most home and small business networks use Personal mode using a passphrase or password.

Large enterprises add further security to WAPs with WPA Enterprise or WPA2 Enterprise. Enterprise mode provides additional security by adding an authentication server such as RADIUS and requiring each user to authenticate with a username and password.

Enterprise mode requires a server, typically configured as a Remote Authentication Dial-In User Service (RADIUS) server, which is configured separately from the access point. The RADIUS server has access to the user's authentication credentials and can verify when a user has entered authentication information correctly.

Steps involved in configuring encryption level to WPA2:

1. In the Wireless Access Point window, click the "Wireless" tab.

Configure security encryption to WPA 2 with pass phrase SECPLUS step 1

2. In the "Wireless" window, click the "Wireless Security" tab.

Configure security encryption to WPA 2 with pass phrase SECPLUS step 2

3. In the "Wireless Security" window, select "WPA2 - PSK" as the encryption mode from the "Security Mode" drop-down, enter "SECPLUS" as the Pass Phrase, and click the "Save & Exit" button.

Configure security encryption to WPA 2 with pass phrase SECPLUS step 3

Note: The exercise uses a "Linksys" access point for demonstration purposes only. The settings are similar on other home wireless access points and Wi-Fi routers. Knowing the functionality of the wireless access point is important.
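The WPA2-PSK passage above and this configuration exercise both come down to one operation the access point performs when you save the pass phrase: it derives a 256-bit pre-shared key from the pass phrase and the SSID using PBKDF2-HMAC-SHA1 (4096 iterations, SSID as the salt), as specified in IEEE 802.11i. The following Python example is added here and is not code from the page or from any access point vendor; it derives that key, validates the pass phrase against the 8 to 63 printable-ASCII-character range that 802.11i requires, and emits an equivalent hostapd-style configuration that offers only WPA2 with CCMP/AES. The SSID "HomeAP" and the function names are assumptions; the hostapd.conf keys used (ssid, wpa, wpa_key_mgmt, rsn_pairwise, wpa_psk) are real ones. The known-answer check uses the 802.11i Annex H test vector (SSID "IEEE", pass phrase "password").

```python
import hashlib

# Values for the exercise: "SECPLUS" comes from the page; the SSID "HomeAP"
# is a constructed assumption for this example.
SSID = "HomeAP"
PASSPHRASE = "SECPLUS"

# Security modes a home access point typically lists in its "Security Mode"
# drop-down, split into the legacy choices (open, RC4/WEP, TKIP) and the one
# mode this example is willing to emit (CCMP/AES).
WEAK_MODES = {"Disabled", "WEP", "WPA-PSK"}
ACCEPTED_MODES = {"WPA2-PSK"}


def validate_passphrase(passphrase):
    """Return a list of problems with a WPA/WPA2 pass phrase (empty if valid).

    IEEE 802.11i allows 8 to 63 printable ASCII characters (0x20-0x7E).
    """
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append(f"length {len(passphrase)} is outside 8-63 characters")
    if not all(0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        problems.append("contains characters outside printable ASCII")
    return problems


def derive_psk(ssid, passphrase):
    """Derive the 256-bit PSK/PMK exactly as WPA2-Personal does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def hostapd_psk_config(ssid, passphrase, mode="WPA2-PSK"):
    """Build a minimal hostapd-style WPA2-Personal configuration.

    Hypothetical helper (not a hostapd API): it refuses the legacy modes and
    a bad pass phrase so a misconfiguration fails loudly instead of quietly
    running WEP or TKIP.
    """
    if mode in WEAK_MODES:
        raise ValueError(f"{mode} is a legacy mode; use WPA2-PSK (CCMP/AES)")
    if mode not in ACCEPTED_MODES:
        raise ValueError(f"unknown security mode {mode!r}")
    problems = validate_passphrase(passphrase)
    if problems:
        raise ValueError("rejected pass phrase: " + "; ".join(problems))
    psk_hex = derive_psk(ssid, passphrase).hex()
    lines = [
        f"ssid={ssid}",
        "wpa=2",                  # RSN/WPA2 only, no WPA1 fallback
        "wpa_key_mgmt=WPA-PSK",   # Personal mode: pre-shared key
        "rsn_pairwise=CCMP",      # AES-CCMP; TKIP is never offered
        f"wpa_psk={psk_hex}",     # the derived 256-bit key, 64 hex digits
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The exercise's pass phrase is one character short of the 802.11i minimum.
    print("SECPLUS problems:", validate_passphrase(PASSPHRASE))
    # A constructed pass phrase that satisfies the length rule:
    print(hostapd_psk_config(SSID, "SECPLUS-2024"))
```

Run as a script it reports that "SECPLUS" has only seven characters, which is below the standard's minimum, so firmware that enforces the rule will refuse to save it; the generated configuration therefore uses the constructed pass phrase "SECPLUS-2024". Because the SSID is the salt, changing the SSID changes the stored key even when the pass phrase stays the same, which is why the same settings must be entered on every client.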

Example 2: Enable MAC address filtering in the WAP device so that only the machines whose MAC addresses match the list are permitted to communicate over the wireless network.

The following MAC addresses need to be allowed:

a. 18:F4:6A:1A:A2:12

b. 1E:F4:6A:1A:A2:12

c. 1F:F4:6A:1A:A2:12

d. 1D:F4:6A:1A:A2:12

Every Wi-Fi device is assigned a MAC (Media Access Control) address, a unique 12-digit hexadecimal identifier issued by the IEEE, the standards body that developed the Wi-Fi protocol. The MAC address is "hard-coded" into the device and sent automatically to a Wi-Fi access point when the device tries to connect to the network.

Using the access point configuration software, you can create a safe list of allowed client devices or a black list of banned devices. If MAC filtering is activated, regardless of what encryption security is in place, the AP only allows devices on the safe list to connect, or blocks all devices on the black list.

To enable MAC address filtering and allow the devices with matching MAC addresses, perform these steps (the steps are generic in nature and are likely to differ from one device type to another):

1. In the Wireless Access Point window, click the "Wireless" tab.

Enable MAC Address Filtering in the WAP device step 1

2. Click the "Wireless MAC Filter" tab in the Wireless window.

Enable MAC Address Filtering in the WAP device step 2

3. In the MAC Filter window:

   a. Click the "Enable" radio button.

   b. Click the "Permit only" radio button.

   c. Click the "Edit MAC Filter List" button.

Enable MAC Address Filtering in the WAP device step 3

4. The MAC Address List window appears; enter the addresses of the devices mentioned in the question and click the "Save Settings" button.

Enable MAC Address Filtering in the WAP device step 4

5. Click the "Save & Exit" button again in the Wireless Access Point window.

Enable MAC Address Filtering in the WAP device step 5

Note: Encryption protocols like WPA2 (short for Wi-Fi Protected Access 2) have reduced the need for MAC filtering. Hackers may bypass a MAC-filtering device by sniffing the addresses of connected devices and then spoofing, or masquerading as, one of them.
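The MAC filter in this exercise is an allow list keyed on a 12-hex-digit address that clients and tools present in several spellings (colons, hyphens, Cisco dotted groups, upper or lower case), so a filter that compares raw strings will silently deny a legitimate device. The following Python example is added here and is not code from the page or from any access point vendor; it normalises addresses before comparing them, evaluates a batch of constructed association attempts against the four addresses from the exercise, and decodes the two flag bits of the first octet (group/individual and locally/universally administered) that tell you whether an address could be a vendor-assigned station address at all. The class and function names and the sample client addresses are assumptions.

```python
import re

# Allow list taken from the exercise.
ALLOWED_MACS = [
    "18:F4:6A:1A:A2:12",
    "1E:F4:6A:1A:A2:12",
    "1F:F4:6A:1A:A2:12",
    "1D:F4:6A:1A:A2:12",
]

# Constructed association attempts: two allowed devices in other spellings,
# one unknown device, and one malformed address.
SAMPLE_REQUESTS = [
    "18-f4-6a-1a-a2-12",   # hyphenated, lower case (Windows style)
    "1ef4.6a1a.a212",      # Cisco dotted form
    "00:11:22:33:44:55",   # not on the list
    "18:F4:6A:1A:A2:1",    # only 11 hex digits
]

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac):
    """Canonicalise a MAC address to 'AA:BB:CC:DD:EE:FF'.

    Separators (colon, hyphen, dot, whitespace) are stripped and the result
    must be exactly 12 hex digits; anything else raises ValueError.
    """
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def describe_mac(mac):
    """Decode the flag bits of the first octet.

    bit 0 (I/G): 1 = group/multicast, 0 = individual (unicast)
    bit 1 (U/L): 1 = locally administered, 0 = universally administered,
                 i.e. assigned under the IEEE OUI in the first three octets
    """
    canon = normalize_mac(mac)
    first_octet = int(canon[:2], 16)
    return {
        "mac": canon,
        "oui": canon[:8],
        "multicast": bool(first_octet & 0x01),
        "locally_administered": bool(first_octet & 0x02),
    }


class MacFilter:
    """'Permit only' filter as configured on the access point in the exercise."""

    def __init__(self, allowed):
        self.allowed = {normalize_mac(m) for m in allowed}

    def permits(self, mac):
        try:
            return normalize_mac(mac) in self.allowed
        except ValueError:
            return False    # malformed addresses are never permitted


def filter_requests(requests, allowed=ALLOWED_MACS):
    """Split a batch of client addresses into (permitted, denied) lists."""
    mac_filter = MacFilter(allowed)
    permitted, denied = [], []
    for mac in requests:
        (permitted if mac_filter.permits(mac) else denied).append(mac)
    return permitted, denied


if __name__ == "__main__":
    permitted, denied = filter_requests(SAMPLE_REQUESTS)
    print("permitted:", permitted)
    print("denied:   ", denied)
    for mac in ALLOWED_MACS:
        print(describe_mac(mac))
```

Decoding the flag bits is cheap context when reviewing a filter list: 18:F4:6A:1A:A2:12 is a universally administered unicast address, 1E:F4:6A:1A:A2:12 has the locally administered bit set, and 1D:F4:6A:1A:A2:12 and 1F:F4:6A:1A:A2:12 carry the group bit, which a station's own address never has. As the note above says, the filter remains only an obstacle to anyone who can sniff and copy an allowed address, so it complements WPA2 rather than replacing it.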
