Wireless security considerations.
Instructor, PACE-IT Program – Edmonds Community College
Areas of Expertise
– PC Hardware
– Network Administration
– IT Project Management
– Network Design
– User Training
– IT Troubleshooting
Qualifications Summary
Entrepreneur, executive leader, and proven manager
with 10+ years of experience turning complex issues
into efficient and effective solutions.
Strengths include developing and mentoring diverse
workforces, improving processes, analyzing
business needs and creating the solutions
required, with a focus on technology.
Education
– M.B.A., IT Management, Western Governor’s University
– B.S., IT Security, Western Governor’s University
– The unique challenge of wireless.
– Security for wireless.
Wireless networks can
represent a special challenge
in the network hardening
process.
End users will often install their own access point (AP) for
convenience, allowing them to connect to the network
wirelessly on their own. These rogue APs can create a
vulnerability in the network as a whole.
Conducting periodic site surveys, using a combination of
hardware and software, can help to locate rogue APs so they
can be removed. Site surveys can also be used to ensure that
wireless network signals are only present where they should
be. The only wireless signals that should be present in any
environment are those that are authorized.
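The comparison a site survey feeds into, sketched as an added example (not part of the original slides): every observed transmitter is checked against an inventory of authorized APs, and authorized signals heard outside the intended coverage area are flagged. The inventory, CSV column layout, location names and the -85 dBm threshold are all assumptions constructed for illustration.

```python
import csv
import io

# Constructed inventory of authorized APs: BSSID -> (SSID, channel).
AUTHORIZED = {
    "02:00:5e:10:00:01": ("CorpNet", 1),
    "02:00:5e:10:00:02": ("CorpNet", 6),
    "02:00:5e:10:00:03": ("CorpGuest", 11),
}

# Constructed survey export (hypothetical column layout), one row per observed AP.
SURVEY_CSV = """bssid,ssid,channel,rssi_dbm,location
02:00:5E:10:00:01,CorpNet,1,-48,floor2-east
02:00:5e:10:00:02,CorpNet,6,-55,floor2-west
02:00:5e:aa:bb:01,CorpNet,6,-41,floor2-west
02:00:5e:cc:dd:09,HomeRouter-5F,3,-38,floor3-breakroom
02:00:5e:10:00:03,CorpGuest,11,-82,parking-lot
"""


def audit_survey(csv_text, authorized, outside=("parking-lot",), audible_dbm=-85):
    """Return (kind, bssid, detail) findings for one survey pass."""
    known_ssids = {ssid for ssid, _ in authorized.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid = row["bssid"].strip().lower()  # normalise case before comparing
        ssid, where, rssi = row["ssid"], row["location"], int(row["rssi_dbm"])
        if bssid not in authorized:
            # An unknown radio using a corporate SSID is harder to spot by name alone.
            kind = "unknown-bssid-authorized-ssid" if ssid in known_ssids else "rogue-ap"
            findings.append((kind, bssid, f"{ssid!r} at {where}, {rssi} dBm"))
            continue
        exp_ssid, exp_chan = authorized[bssid]
        if (ssid, int(row["channel"])) != (exp_ssid, exp_chan):
            findings.append(("config-drift", bssid, f"expected {exp_ssid!r} ch {exp_chan}"))
        # Authorized signal that is still usable where it should not be present.
        if where in outside and rssi >= audible_dbm:
            findings.append(("signal-leak", bssid, f"{rssi} dBm at {where}"))
    return findings


if __name__ == "__main__":
    for finding in audit_survey(SURVEY_CSV, AUTHORIZED):
        print(*finding, sep=" | ")
```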
– Default usernames and passwords.
» All networking devices come with a default administrator
username and password.
» A best practice is to change or disable the default administrator
username and password when setting up the device.
– SSID (service set identifier) broadcasts.
» A wireless access point (WAP) will broadcast the names (i.e.,
the SSIDs) of available networks.
• By default, the SSID is broadcast in clear text, creating a
vulnerability.
» A best practice is to set the WAP to stop broadcasting the SSID in its
beacons; this will prevent the casual user from seeing the wireless
network.
• Even with the SSID hidden, an attacker with the proper hardware and
software can still read the broadcasts.
– Device placement.
» WAPs with omnidirectional antennas should be placed at the
center of the desired coverage area.
• Omnidirectional antennas broadcast in all directions uniformly.
» WAPs with directional antennas can be placed toward the edge
of the desired coverage area.
• Directional antennas broadcast in a specific direction only.
– Power level controls.
» Most WAPs come with the ability to adjust the power levels of
the RF signal.
• RF power levels should be set to reduce (or increase) the
wireless coverage area to what is desired.
– MAC filtering.
» All WAPs come with the ability to limit which Layer 2 MAC
addresses can connect to the wireless network.
• While this can increase the security of the wireless network,
MAC addresses can be spoofed.
• MAC filtering may not be appropriate in all situations.
– WEP (Wired Equivalent Privacy).
» An older encryption standard that utilized a pre-shared key
(PSK) to encrypt messages between the WAP and the
connecting device.
• Used the RC4 algorithm for the encryption.
» It is easily broken (cracked) and should not be used.
– WPA (Wireless Protected Access).
» An older encryption standard used as an intermediate
replacement for WEP.
» Introduced TKIP (Temporal Key Integrity Protocol) as an
additional security measure.
• TKIP creates a new security key for every packet that is sent.
» It can be broken and should not be used, unless absolutely
necessary.
– WPA2-Personal.
» The current wireless encryption standard for the home or small
business utilizing a PSK.
• Introduced Counter Mode Cipher Block Chaining Message
Authentication Code Protocol (CCMP) with Advanced
Encryption Standard (AES) as a means of addressing the
weaknesses present in WEP and WPA.
» Cannot be easily cracked, but given enough time and
computing resources, it can also be broken.
– WPA-Enterprise.
» The current wireless encryption standard for larger businesses.
» Users are required to be authenticated before being allowed to
connect to the wireless network.
• Authentication can occur using different methods that fall
within the 802.1x standard.
» The WAP will pass requests to log on to an authentication
server (commonly a RADIUS server) to authenticate the user
before allowing access.
– Extensible Authentication Protocol (EAP).
» A common authentication protocol used by WPA2 to allow
access to wireless networks.
• EAP packets are encapsulated within 802.1x packets, which
are forwarded to an authentication server.
» LEAP (Lightweight EAP) is a Cisco proprietary method of
implementing EAP. It was developed before the 802.1x
standard was developed.
» PEAP (Protected EAP) is a method of encapsulating EAP
packets with TLS in order to increase security.
– Additional wireless network security.
» Captive portals can be used to require users to authenticate
through a Web page when attempting to join a network.
• A common method used in publicly available wireless
networks.
» VPN (virtual private network) over wireless can be used to
further increase wireless security.
• Wireless network access must be through a VPN; this adds
an additional level of security in the network.
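How an audit can tell the modes described above apart, as an added example that is not part of the original slides: it parses the RSN element an AP advertises and reports whether the network uses a PSK or 802.1X and whether TKIP is still offered beside CCMP. It goes beyond the slides by assuming the RSN element layout and suite numbers from IEEE 802.11; the sample byte strings are constructed.

```python
import struct

# A suite selector is 4 bytes: the IEEE OUI 00-0F-AC followed by a type number.
OUI = b"\x00\x0f\xac"
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _name(sel, names):
    return names.get(sel[3], "unknown") if sel[:3] == OUI else "vendor"

def _suites(buf, off, names):
    """Read a 2-byte little-endian count, then that many suite selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", buf, off)
    end = off + 2 + 4 * count
    if end > len(buf):
        raise ValueError("truncated suite list")
    return [_name(buf[i:i + 4], names) for i in range(off + 2, end, 4)], end

def parse_rsn(element):
    """Parse one RSN element (ID 48) into cipher and key-management names."""
    if len(element) < 8 or element[0] != 48 or element[1] != len(element) - 2:
        raise ValueError("not a well-formed RSN element")
    body = element[2:]
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    pairwise, off = _suites(body, 6, CIPHERS)
    akm, _ = _suites(body, off, AKMS)
    return {"group": _name(body[2:6], CIPHERS), "pairwise": pairwise, "akm": akm}

def classify(rsn):
    """Map the parsed suites onto the categories used on this page."""
    if {rsn["group"], *rsn["pairwise"]} & {"TKIP", "WEP-40", "WEP-104"}:
        return "legacy cipher offered (TKIP/WEP): should not be used"
    if "802.1X" in rsn["akm"]:
        return "WPA2-Enterprise (802.1X)"
    if "PSK" in rsn["akm"]:
        return "WPA2-Personal (PSK)"
    return "unrecognised key management"

# Constructed sample elements, not captured traffic.
PERSONAL = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
ENTERPRISE = bytes.fromhex("30140100000fac040100000fac040100000fac010000")
MIXED = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000")

if __name__ == "__main__":
    for label, raw in (("personal", PERSONAL), ("enterprise", ENTERPRISE), ("mixed", MIXED)):
        print(label, "->", classify(parse_rsn(raw)))
```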
Topic: The unique challenge of wireless.
Summary: Adding wireless to a network increases the challenge of hardening that
network. Often, users will install their own AP in order to more easily use
their own mobile devices on the network. Periodic site surveys should be
conducted to remove rogue APs in the workplace. Only authorized wireless
networks should be present in any work environment.
Topic: Security for wireless.
Summary: Default usernames and passwords should be changed or disabled. The
SSID beacon may be set to hidden (but it will still be there). Device
placement and antenna type can help to keep the wireless signal where it
belongs. The power level on some WAPs can also be adjusted to prevent
the signal from going where it does not belong. MAC filtering may be used
to limit which devices can connect to the network. WEP is an older
encryption standard that should not be used. WPA is an older encryption
standard that should not be used. WPA2 (Personal or Enterprise) is the
current standard for wireless networks. EAP is a common authentication
standard used in conjunction with 802.1x. Captive portals can be used to
make users authenticate through a Web page. Requiring wireless users to
connect through a VPN may provide additional security.
This workforce solution was 100 percent funded by a $3 million grant awarded by the
U.S. Department of Labor's Employment and Training Administration. The solution was
created by the grantee and does not necessarily reflect the official position of the U.S.
Department of Labor. The Department of Labor makes no guarantees, warranties, or
assurances of any kind, express or implied, with respect to such information, including
any information on linked sites and including, but not limited to, accuracy of the
information or its completeness, timeliness, usefulness, adequacy, continued availability
or ownership. Funded by the Department of Labor, Employment and Training
Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and services are
available upon request to individuals with disabilities. For those that are hearing
impaired, a video phone is available at the Services for Students with Disabilities (SSD)
office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call
425.354.3113 on a video phone for more information about the PACE-IT program. For
any additional special accommodations needed, call the SSD office at 425.640.1814.
Edmonds Community College does not discriminate on the basis of race; color; religion;
national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran
status; or genetic information in its programs and activities.

PACE-IT, Security+1.5: Wireless Security Considerations
