Network Security Architecture

homuskrat, Networks and Communications

20 Nov 2013 (3 years and 10 months ago)

Network Security Architecture

Chapter 13

What Will I Learn?

You will learn that five major facets are needed for wireless security.

1. A strong encryption solution is needed to protect the data frames.

2. A mutual authentication solution is needed to ensure that only legitimate users are authorized to use network resources.

3. A segmentation solution is necessary to further restrict users as to what resources they may access and where they can go.

4. 802.11 wireless networks can be further protected with continuous monitoring.

5. Enforcement of WLAN security policies.


Customized by: Brierley

CWNA®: Certified Wireless Network
Administrator Official, Study Guide, David
D. Coleman & David A. Westcott, Sybex

2

What Will I Learn?



Discuss legacy 802.11 authentication and encryption solutions and why they are weak.

We will view the stronger 802.1X/EAP authentication solutions and the benefits of dynamic encryption-key generation.

The 802.11-2007 standard defines a layer 2 robust security network (RSN) using either 802.1X/EAP or PSK authentication, and defines CCMP/AES (mandatory) or TKIP/RC4 (optional) dynamic encryption.



What Will I Learn?


Proper infrastructure and interface security, as well as VPN technology, in a WLAN environment.

Understand the capabilities and limitations of devices that will be deployed within a wireless network.

Devices can be segmented into separate VLANs by using 802.1X/EAP authentication and CCMP/AES encryption.

VoIP phones, mobile scanners, mobile printers and handheld devices are often not equipped to handle advanced security capabilities; such devices usually need their own SSID/VLAN with the strongest security they do support.

Designs must take all of these components into account to ensure the most dynamic and secure network.


Key Terms


4-Way Handshake
802.11i
802.1X
Advanced Encryption Standard (AES) algorithm
authentication server
authentication, authorization, and accounting (AAA)
authenticator
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
Extensible Authentication Protocol (EAP)
Initialization Vector (IV)
Internet Protocol Security (IPSec)
MAC Service Data Unit (MSDU)
Message Integrity Check (MIC)
Microsoft Point-to-Point Encryption (MPPE)
per-session per-user
Point-to-Point Tunneling Protocol (PPTP)
port-based access control
preshared key (PSK)
RC4 algorithm
robust security network (RSN)
robust security network associations (RSNAs)
role-based access control (RBAC)
RSN Information Element (IE)
supplicant
Temporal Key Integrity Protocol (TKIP)
transition security network (TSN)
virtual local area network (VLAN)
virtual private network (VPN)
Wi-Fi Protected Access (WPA)
Wired Equivalent Privacy (WEP)
WPA2


Key Topics

1. 802.11 Security Basics

2. Legacy 802.11 Security

3. Robust Security

4. Segmentation

5. Infrastructure Security

6. VPN Wireless Security



Discussion Topics


802.11 security basics
    Data privacy
    Authentication, authorization, and accounting (AAA)
    Segmentation
    Monitoring and policy

Legacy 802.11 security
    Legacy authentication
    Static WEP encryption
    MAC filters
    SSID cloaking

Robust security
    Robust security network (RSN)
    Authentication and authorization
    802.1X/EAP framework
    EAP types
    Dynamic encryption-key generation
    4-Way Handshake
    WPA/WPA2-Personal
    TKIP encryption
    CCMP encryption

Segmentation
    VLANs
    RBAC

Infrastructure security
    Physical security
    Interface security

VPN wireless security
    Layer 3 VPNs


802.11 Security Basics

When you're securing a wireless 802.11 network, five major components are typically required:


Data privacy


Authentication, authorization, and accounting (AAA)


Segmentation


Monitoring


Policy


Proper protection is necessary to ensure data privacy, so strong
encryption is needed.




802.11 Security Basics

The function of most wireless networks is to provide a portal into another network infrastructure.

An authentication solution is needed to authorize users through the portal via a wireless access point.

After authorization, VLANs and identity-based mechanisms are needed to further restrict access.

Wireless networks require continuous monitoring by a wireless intrusion detection system (WIDS).

All of these security components need to be cemented with policy enforcement.



Data Privacy

802.11 wireless networks operate in license-free frequency bands.

Access to wireless transmissions is available to anyone within listening range.

Using cipher encryption is mandatory to provide data privacy.

The two most common algorithms are the RC4 algorithm (Ron's Code or Rivest Cipher) and the Advanced Encryption Standard (AES) algorithm.

Some ciphers encrypt data in a continuous stream, while others encrypt data in blocks.




Data Privacy

The RC4 algorithm is a stream cipher that has been used to protect Internet traffic, such as Secure Sockets Layer (SSL), and to protect 802.11 wireless data, where it is incorporated into two encryption methods known as WEP and TKIP.

The AES algorithm is a block cipher that provides much stronger protection than the RC4 stream cipher.

AES is the cipher used by the 802.11 encryption method known as Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).

The AES algorithm encrypts data in fixed 128-bit blocks, with a choice of encryption key strength of 128, 192, or 256 bits; CCMP uses AES with a 128-bit key.

Control frames are not encrypted (nor are management frames in 802.11-2007). The information that needs to be protected is the upper-layer information inside the body of 802.11 data frames.


Authentication, Authorization, and Accounting (AAA)

Authentication is the verification of user identity and credentials: usernames and passwords, or digital certificates.

It is necessary to use very strong authentication methods so that only legitimate users will be authorized onto network resources.

Multifactor authentication requires at least two different kinds of credentials to be presented.

Authorization involves granting access to network resources and services once authentication has succeeded.

Accounting keeps a record of user identity, the resources accessed, and at what time.

Keeping an accounting trail is often a requirement of many industry regulations.



Segmentation

It is important to separate users into groups.

Once authorized onto network resources, users can be further restricted as to what resources may be accessed.

Segmentation can be achieved through firewalls, routers, VPNs, and VLANs.

The most common wireless segmentation strategy used in 802.11 enterprise WLANs is to map users to virtual LANs (VLANs), each with its own IP subnet, so that traffic between segments is controlled at layer 3 by a router or firewall.



Monitoring and Policy

Encryption, AAA, and segmentation security components will provide data privacy and secure network resources.

A full-time monitoring solution is still needed to protect against possible attacks against a WLAN.

Numerous layer 1 and layer 2 attacks are possible.



Legacy Authentication

Open System authentication provides authentication without performing any type of client verification.

It is essentially a two-way exchange between the client and the access point.

The client sends an authentication request, and the access point then sends an authentication response.

Legacy 802.11 authentication methods:

Open System authentication

Shared Key authentication, which uses the static Wired Equivalent Privacy (WEP) key in a challenge/response exchange. Because the cleartext challenge and its WEP-encrypted response are both sent over the air, an eavesdropper obtains a plaintext/keystream pair, so Shared Key authentication is considered weaker than Open System authentication.



Static WEP Encryption

The three main intended goals of WEP encryption are confidentiality, access control, and data integrity.

Unfortunately, WEP has a number of weaknesses:

1. IV collision attack. Because the 24-bit Initialization Vector is sent in cleartext and is different in every frame, all 16 million (2^24) IVs will eventually repeat themselves in a busy WEP-encrypted network; in practice a repeat is likely after only a few thousand frames (the birthday bound). When IV collisions occur, the two frames were encrypted with the same RC4 keystream, so an attacker can recover plaintext directly and, with enough collisions, recover the secret key much more easily.

2. Weak key attack. Because of the RC4 key-scheduling algorithm, certain IVs ("weak IVs") produce per-packet keys whose first keystream bytes leak information about the static key.
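The IV collision weakness above, worked through in code. This is an added example and not part of the CWNA deck: the RC4 routine is the textbook algorithm and the framing follows WEP (per-packet key = IV || static key, IV sent in the clear; the CRC-32 ICV is left out because it does not affect keystream reuse), while the key, IV and the two frames are constructed for illustration.

```python
"""WEP's 24-bit IV: keystream reuse and the birthday bound."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling algorithm (KSA) followed by PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key is the 3-byte IV prepended to the 40- or 104-bit
    static key; the IV travels in cleartext in front of the ciphertext."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + static_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def leak_from_iv_reuse(frame1: bytes, frame2: bytes):
    """Two captured frames with the same IV share keystream K, so
    C1 xor C2 == (P1 xor K) xor (P2 xor K) == P1 xor P2 -- no key needed.
    Returns that XOR, or None when the IVs differ."""
    iv1, c1 = frame1[:3], frame1[3:]
    iv2, c2 = frame2[:3], frame2[3:]
    if iv1 != iv2:
        return None
    return xor_bytes(c1, c2)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least two of `frames` randomly
    chosen IVs repeat within 2**iv_bits values (exact product form, in log
    space so it does not underflow)."""
    space = 2 ** iv_bits
    log_no_collision = sum(math.log1p(-k / space) for k in range(frames))
    return 1.0 - math.exp(log_no_collision)


def demo() -> dict:
    """Constructed capture: two frames that happen to reuse IV a1b2c3."""
    static_key = bytes.fromhex("0f1e2d3c4b")        # constructed 40-bit key
    iv = bytes.fromhex("a1b2c3")
    p1 = b"GET /index.html HTTP/1.1"                 # known/guessed plaintext
    p2 = b"POST /login.cgi HTTP/1.1"                 # what the attacker wants
    f1 = wep_encrypt(static_key, iv, p1)
    f2 = wep_encrypt(static_key, iv, p2)
    leak = leak_from_iv_reuse(f1, f2)
    recovered_p2 = xor_bytes(leak, p1)               # P2 = (P1 xor P2) xor P1
    return {
        "keystream_reused": leak == xor_bytes(p1, p2),
        "recovered": recovered_p2,
        "p_collision_100_frames": iv_collision_probability(100),
        "p_collision_5000_frames": iv_collision_probability(5000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With a 24-bit IV space the collision probability passes 50% at roughly 4,800 frames, which a busy AP sends in seconds; the attacker never touches the static key to read the second plaintext, and the weak-IV attack then recovers the key itself.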





Static WEP Encryption Key and Initialization Vector


Transmission Key


WEP Encryption Process


MAC Filters

A MAC address is a 48-bit address written as a 12-digit hexadecimal number, and an access point can be configured to accept only the addresses on a list.

MAC addresses can be spoofed, or impersonated, by any amateur hacker: a client's address is transmitted in cleartext in every frame, and most drivers allow it to be changed.

Because of spoofing, and because of all the administrative work involved in setting up MAC filters, MAC filtering is not considered a reliable means of security for wireless enterprise networks.


Robust Security

The current standard defines an 802.1X/EAP authentication method, which is what should be used in the enterprise.

Use a preshared key or a passphrase in a SOHO environment.

The 802.11-2007 standard also defines CCMP/AES as the default (mandatory) encryption method, while TKIP/RC4 is an optional encryption method.

After 802.11i was ratified, the Wi-Fi Alliance introduced WPA2, a more complete implementation of the 802.11i amendment that supports both CCMP/AES and TKIP/RC4 dynamic encryption-key generation.


Authentication and Authorization

Authorization involves granting access to network resources and services.

Before authorization to network resources can be granted, proper authentication must occur.



802.1X/EAP Framework

The 802.1X framework consists of three main components:

1. Supplicant

A host with software that is requesting authentication and access to network resources.

Each supplicant has unique authentication credentials that are verified by the authentication server.



802.1X/EAP Framework

The 802.1X framework consists of three main components (continued):

2. Authenticator

A device that blocks or allows traffic to pass through its port entity. The authenticator maintains two virtual ports: an uncontrolled port and a controlled port.

The uncontrolled port allows EAP authentication traffic to pass through, while the controlled port blocks all other traffic until the supplicant has been authenticated. In a WLAN the authenticator is the access point or WLAN controller; it relays EAP between the supplicant and the authentication server (typically inside RADIUS) and never makes the credential decision itself.

3. Authentication server (AS)

A server that validates the credentials of the supplicant that is requesting access and notifies the authenticator that the supplicant has been authorized. The authentication server will maintain a user database or may proxy to an external user database (such as LDAP or Active Directory) to authenticate user credentials.
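The two-port behaviour of the authenticator, as an added example that is not part of the CWNA deck. The EAPOL Ethertype 0x888E and the EAPOL packet types are the real values from IEEE 802.1X; the frames, the supplicant and the authentication server's verdicts are constructed for illustration, and RADIUS transport is reduced to a "relay" decision.

```python
"""802.1X authenticator: the uncontrolled and controlled virtual ports."""
EAPOL_ETHERTYPE = 0x888E
EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2    # EAPOL packet types
IPV4_ETHERTYPE = 0x0800


class AuthenticatorPort:
    """One supplicant's port pair on the authenticator (AP or controller)."""

    def __init__(self):
        self.authorized = False          # state of the controlled port
        self.relayed = []                # EAP packets handed to the AS

    def handle_frame(self, ethertype: int, eapol_type: int = None) -> str:
        """Decide what happens to a frame arriving from the supplicant."""
        if ethertype == EAPOL_ETHERTYPE:
            # Uncontrolled port: EAPOL is always accepted, but it terminates
            # at the authenticator (relayed to the AS, e.g. inside RADIUS);
            # it is never bridged onto the protected network.
            if eapol_type == EAPOL_LOGOFF:
                self.authorized = False
                return "logoff: controlled port closed"
            if eapol_type in (EAPOL_START, EAP_PACKET):
                self.relayed.append(eapol_type)
                return "relay to authentication server"
            return "drop: unsupported EAPOL type"
        # Everything else is subject to the controlled port.
        return "forward" if self.authorized else "drop: controlled port closed"

    def as_decision(self, access_accept: bool) -> bool:
        """RADIUS Access-Accept (carrying EAP-Success) opens the controlled
        port; Access-Reject leaves it closed."""
        self.authorized = bool(access_accept)
        return self.authorized


def demo() -> list:
    """Constructed sequence: traffic before, during and after authentication."""
    port = AuthenticatorPort()
    log = [port.handle_frame(IPV4_ETHERTYPE)]                   # before auth: dropped
    log.append(port.handle_frame(EAPOL_ETHERTYPE, EAPOL_START))
    log.append(port.handle_frame(EAPOL_ETHERTYPE, EAP_PACKET))  # EAP-Response/Identity ...
    port.as_decision(False)                                     # wrong credentials
    log.append(port.handle_frame(IPV4_ETHERTYPE))               # still dropped
    port.as_decision(True)                                      # retry succeeds
    log.append(port.handle_frame(IPV4_ETHERTYPE))               # forwarded
    log.append(port.handle_frame(EAPOL_ETHERTYPE, EAPOL_LOGOFF))
    log.append(port.handle_frame(IPV4_ETHERTYPE))               # dropped again
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point to take from the model: nothing the supplicant sends reaches the network until the authentication server has said yes, and an EAPOL-Logoff (or, in a WLAN, a disassociation) closes the controlled port again.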



802.1X Comparison: Autonomous AP and WLAN Controller


WLAN Bridging and 802.1X


802.1X/EAP Authentication


EAP Types

EAP (Extensible Authentication Protocol).

The key word in EAP is extensible.

EAP is a layer 2 protocol that is very flexible, and many different flavors of EAP exist:

Cisco's Lightweight Extensible Authentication Protocol (LEAP) is proprietary. Its MS-CHAP-based exchange is vulnerable to offline dictionary attacks, so it is not recommended.

Protected Extensible Authentication Protocol (PEAP) is considered standards-based.

Some EAP types may provide for only one-way authentication, while others provide two-way (mutual) authentication; only mutual authentication protects the client against a rogue access point and authentication server.


Dynamic Encryption-Key Generation

Dynamic key generation is a by-product of 802.1X/EAP.

EAP protocols that utilize mutual authentication provide "seeding material" used to generate encryption keys dynamically.

The use of static keys is typically an administrative nightmare.

Dynamic WEP was never standardized but was used by vendors until TKIP and CCMP became available to the marketplace.


4-Way Handshake

Two STAs must establish a procedure to authenticate and associate with each other as well as create dynamic encryption keys through a process known as the 4-Way Handshake.

RSNAs utilize a dynamic encryption-key management method that actually involves the creation of five separate keys.

Part of the RSNA process involves the creation of two master keys known as the Group Master Key (GMK) and the Pairwise Master Key (PMK).

These keys are created as a result of 802.1X/EAP authentication.

A PMK can also be created from a preshared key (PSK) authentication method instead of 802.1X/EAP authentication.



4-Way Handshake

These master keys are the seeding material used to create the final dynamic keys that are actually used for encryption and decryption.

The final encryption keys are known as the Pairwise Transient Key (PTK) and the Group Temporal Key (GTK). The PTK is derived from the PMK together with the two MAC addresses and the two nonces (ANonce and SNonce) exchanged in the handshake, which is why every association gets fresh keys even though the PMK may not change.

The PTK is used to encrypt/decrypt unicast traffic, and the GTK is used to encrypt/decrypt broadcast and multicast traffic.

The 4-Way Handshake will always be the final four frames exchanged during either 802.1X/EAP authentication or PSK authentication.

Whenever TKIP/RC4 or CCMP/AES dynamic keys are created, the 4-Way Handshake must occur.

Every time a client radio roams from one AP to another, a new 4-Way Handshake must occur so that new unique dynamic keys can be generated.


WPA/WPA2-Personal

This method involves manually typing matching passphrases on both the access point and all client stations that will need to be able to associate to the wireless network.

A formula (PBKDF2, with the SSID as salt) is run that converts the passphrase to a Pairwise Master Key (PMK) used with the 4-Way Handshake to create the final dynamic encryption keys. Because the PMK depends only on the passphrase and SSID and is shared by every station, a captured 4-Way Handshake allows offline guessing of a weak passphrase, and any station that knows the passphrase can derive the other stations' keys.

An 802.1X/EAP solution as defined by WPA/WPA2-Enterprise is the preferred method of security in a corporate and workplace environment.
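The key hierarchy described on this slide and on the two 4-Way Handshake slides above, as an added example that is not part of the CWNA deck. The derivations are the ones specified in IEEE 802.11-2007: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits); PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)); and, for key descriptor version 2 (CCMP), the EAPOL-Key MIC is HMAC-SHA1 under the KCK truncated to 128 bits. The passphrase/SSID pair "password"/"IEEE" is the standard's published test vector; the MAC addresses, nonces and the EAPOL-Key frame are constructed.

```python
"""WPA/WPA2 key hierarchy: passphrase -> PMK -> PTK, and the EAPOL-Key MIC."""
import hashlib
import hmac
import struct


def passphrase_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: the PMK depends only on passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "CCMP") -> dict:
    """Both STAs compute the same PTK: inputs are ordered by value, not by role.
    384 bits for CCMP (KCK || KEK || TK); 512 bits for TKIP, which adds the
    two 64-bit Michael MIC keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64 if cipher == "TKIP" else 48)
    keys = {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if cipher == "TKIP":
        keys["MIC_TX"], keys["MIC_RX"] = ptk[48:56], ptk[56:64]
    return keys


# EAPOL-Key frame (RSN descriptor): the 16-byte MIC field starts at byte 81 =
# EAPOL header 4 + descriptor type 1 + key info 2 + key length 2
# + replay counter 8 + nonce 32 + IV 16 + RSC 8 + reserved 8.
MIC_OFFSET, MIC_LEN = 81, 16


def build_message2(snonce: bytes, replay_counter: int) -> bytes:
    """Constructed handshake message 2: key info 0x010A = MIC bit | pairwise |
    descriptor version 2, key length 16, no key data, MIC field zeroed."""
    body = (bytes([2]) + struct.pack("!HHQ", 0x010A, 16, replay_counter) + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(MIC_LEN) + struct.pack("!H", 0))
    return bytes([2, 3]) + struct.pack("!H", len(body)) + body   # EAPOL v2, type EAPOL-Key


def sign_eapol_key(kck: bytes, frame: bytes) -> bytes:
    """The MIC is computed over the whole EAPOL frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    mic = hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


def verify_eapol_key(kck: bytes, frame: bytes) -> bool:
    expected = sign_eapol_key(kck, frame)[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN], expected)


def demo() -> dict:
    pmk = passphrase_to_pmk("password", "IEEE")              # 802.11 test-vector inputs
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                 # constructed
    ap_keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    sta_keys = derive_ptk(pmk, spa, aa, snonce, anonce)     # swapped: ordering is by value
    msg2 = sign_eapol_key(sta_keys["KCK"], build_message2(snonce, 1))
    return {
        "pmk": pmk.hex(),
        "same_ptk": ap_keys == sta_keys,
        "msg2_mic_ok": verify_eapol_key(ap_keys["KCK"], msg2),
        "tampered_mic_ok": verify_eapol_key(ap_keys["KCK"], msg2[:-1] + b"\x01"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Everything an attacker needs to run this derivation offline (SSID, both MAC addresses, both nonces and the MIC of message 2) is visible in a captured handshake; only the passphrase is missing, which is why WPA/WPA2-Personal is only as strong as the passphrase and why the enterprise mode, where the PMK comes from the EAP exchange instead, is preferred.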



TKIP Encryption

The optional encryption method defined for a robust security network is Temporal Key Integrity Protocol (TKIP). This method uses the RC4 cipher just as WEP encryption does.

TKIP is an enhancement of WEP encryption addressing many of the known weaknesses of WEP.

TKIP starts with a 128-bit temporal key that is combined with a 48-bit Initialization Vector (the TKIP sequence counter) and the transmitter's MAC address in a complicated process known as per-packet key mixing.

This key-mixing process mitigates the known IV collision and weak key attacks used against WEP.



TKIP Encryption

TKIP also uses a sequencing method (the TKIP sequence counter) to mitigate the replay/reinjection attacks used against WEP.

TKIP uses a stronger data integrity check known as the Message Integrity Check (MIC) to mitigate known bit-flipping attacks against WEP.

The MIC is sometimes referred to by the nickname Michael.

All TKIP encryption keys are dynamically generated as a final result of the 4-Way Handshake.

TKIP was designed as a stop-gap for WEP-era hardware; it has since been deprecated in later revisions of 802.11 and has known weaknesses of its own, so CCMP/AES should be used wherever the hardware supports it.



CCMP Encryption

The default encryption method defined under the 802.11i amendment is known as Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).

This method uses the Advanced Encryption Standard (AES) algorithm (the Rijndael algorithm). CCMP/AES uses a 128-bit encryption-key size and encrypts in 128-bit fixed-length blocks.

An 8-byte Message Integrity Check is used that is considered much stronger than the one used in TKIP: the CBC-MAC covers the frame body and the MAC header fields that must not change, and the 48-bit packet number prevents replay.

Also, because of the strength of the AES cipher, per-packet key mixing is unnecessary.

All CCMP encryption keys are dynamically generated as a final result of the 4-Way Handshake.


How Enterprise Authentication and
Encryption Should be Deployed


Segmentation

The most common wireless segmentation strategy used in 802.11 enterprise WLANs is VLAN segmentation, with each VLAN mapped to its own IP subnet so that access between segments is controlled at layer 3.

Segmentation is also often intertwined with role-based access control (RBAC).



VLANs

Virtual local area networks (VLANs) are used to create separate broadcast domains in a layer 2 network and are used to restrict access to network resources without regard to the physical topology of the network.

VLANs are used extensively in switched 802.3 networks for both security and segmentation purposes.

In a WLAN environment, individual SSIDs can be mapped to individual VLANs, and users can be segmented by the SSID/VLAN pair, all while communicating through a single access point.

Each SSID can also be configured with separate security settings.

A common strategy is to create a guest, voice, and data VLAN.

When using autonomous access points, the VLANs are created on a third-party managed switch and then the VLANs are mapped to the SSID and security settings that are configured on the fat access points. Users of the same SSID can also be placed into different VLANs per user when the RADIUS server returns a VLAN assignment after 802.1X/EAP authentication.


Wireless VLANs


RBAC

Role-based access control (RBAC) is used to restrict system access to authorized users.

The majority of WLAN controller solutions have RBAC capabilities.

The three main components of an RBAC approach are users, roles, and permissions.

When used in a WLAN environment, role-based access control can provide granular wireless user management.
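Identity-driven VLAN assignment (the VLANs slide) combined with a users/roles/permissions check (this slide), as an added example that is not part of the CWNA deck. The RADIUS attributes that carry a VLAN assignment in an Access-Accept (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID = VLAN ID) are the ones defined in RFC 3580; the users, roles, VLAN numbers, subnets and the flows being checked are constructed.

```python
"""SSID/VLAN segmentation driven by identity, plus role-based access control."""
import ipaddress

TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def vlan_from_access_accept(attrs: dict):
    """VLAN the AP/controller should place the client in, or None if the
    RFC 3580 attributes are absent or inconsistent (policy then decides
    between the SSID's default VLAN and rejecting the client)."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    try:
        vlan = int(attrs["Tunnel-Private-Group-ID"])
    except (KeyError, ValueError):
        return None
    return vlan if 1 <= vlan <= 4094 else None


# Constructed role table: allow rules of (destination, protocol, port);
# anything not matched is denied. "internet" means any non-RFC 1918 address.
ROLE_RULES = {
    "employee": [("10.0.0.0/8", "any", None)],
    "voice": [("10.1.1.10/32", "udp", 5060), ("10.1.0.0/16", "udp", (16384, 32767))],
    "guest": [("internet", "tcp", 80), ("internet", "tcp", 443), ("internet", "udp", 53)],
}
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _dst_matches(rule_net: str, dst: str) -> bool:
    ip = ipaddress.ip_address(dst)
    if rule_net == "internet":
        return not any(ip in net for net in PRIVATE)
    return ip in ipaddress.ip_network(rule_net)


def _port_matches(rule_port, port: int) -> bool:
    if rule_port is None:
        return True
    if isinstance(rule_port, tuple):
        return rule_port[0] <= port <= rule_port[1]
    return rule_port == port


def is_permitted(role: str, dst: str, proto: str, port: int) -> bool:
    """Default deny: the first matching allow rule for the role wins."""
    for net, rule_proto, rule_port in ROLE_RULES.get(role, []):
        if _dst_matches(net, dst) and rule_proto in ("any", proto) and _port_matches(rule_port, port):
            return True
    return False


# Constructed authentication-server results. In a real deployment the role
# comes from a directory group and the VLAN from the RFC 3580 attributes.
AS_DECISIONS = {
    "alice": {"role": "employee", "attrs": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "20"}},
    "phone-0042": {"role": "voice", "attrs": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "30"}},
    "visitor": {"role": "guest", "attrs": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "99"}},
}


def authorize(username: str):
    """What the authenticator learns about a user after 802.1X/EAP succeeds."""
    decision = AS_DECISIONS.get(username)
    if decision is None:
        return None
    return {"vlan": vlan_from_access_accept(decision["attrs"]), "role": decision["role"]}


if __name__ == "__main__":
    for user in ("alice", "phone-0042", "visitor", "mallory"):
        print(user, authorize(user))
    print("guest -> intranet web:", is_permitted("guest", "10.0.0.5", "tcp", 443))
    print("guest -> internet web:", is_permitted("guest", "198.51.100.20", "tcp", 443))
```

Two points the code makes explicit: the VLAN is decided by the authentication server per user, not by which SSID the client picked, and the role table is default-deny, so a voice handset that is compromised still cannot reach anything but the call server and the RTP range.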



Infrastructure Security

An often-overlooked aspect of wireless security is protecting the infrastructure equipment.

In addition to protecting Wi-Fi hardware from theft, you must also secure the management interfaces so that only authorized administrators have access.



Physical Security

Although access points are usually mounted in or near the ceiling, theft can be a problem. Enclosure units with locks can be mounted in the ceiling or to the wall.



Interface Security

Most infrastructure devices should also support some type of encrypted management capability.

Newer Wi-Fi hardware should support Secure Shell (SSH), HTTPS, and SNMPv3; the unencrypted alternatives (Telnet, HTTP, SNMPv1/v2c) should be disabled.

Older legacy equipment may not support encrypted login capabilities.

It is also a highly recommended practice to configure your infrastructure devices only from the wired side (ideally from a dedicated management VLAN) and never to configure them wirelessly.



VPN Wireless Security

VPNs are typically not recommended to provide wireless security in the enterprise due to the overhead and because faster, more secure layer 2 solutions are now available.

Although not usually a recommended practice, VPNs are often used for WLAN security because the VPN solution was already in place inside the wired infrastructure.

VPNs do have their place in Wi-Fi security and should definitely be used for remote access.

They are also often used in wireless bridging environments.

The two major types of VPN topologies are router-to-router (site-to-site) and client/server based.



Layer 3 VPNs

Layer 3 VPNs provide encryption, encapsulation, authentication, and data integrity.

VPNs use secure tunneling, which is the process of encapsulating one IP packet within another IP packet.

The original destination and source IP addresses of the first (inner) packet are encrypted along with the data payload of the first packet.

VPN tunneling therefore protects your original layer 3 addresses and also protects the data payload of the original packet.

The payload that is being encrypted is the layer 4 to 7 information, together with the original layer 3 header.



Layer 3 VPNs

The IP addresses of the second (outer) packet are seen in cleartext and are used for communications between the tunnel endpoints.

The destination and source IP addresses of the outer packet are the real, routable addresses of the VPN client and the VPN server; the virtual IP address assigned to the VPN client by the server appears only inside the encrypted inner packet.

The two major types of layer 3 VPN technologies are Point-to-Point Tunneling Protocol (PPTP) and Internet Protocol Security (IPSec).
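The encapsulation described on the last two slides, as an added example that is not part of the CWNA deck. It builds genuine IPv4 headers (RFC 791 layout and checksum) for the inner and outer packets and lays the tunnel payload out like ESP tunnel mode (SPI, sequence number, encrypted inner packet, integrity tag, IP protocol 50). The cipher and the integrity function are stand-ins built from HMAC-SHA256 so that the example runs on the Python standard library alone; a real IPsec stack uses AES and the ESP transforms. Addresses, key and payload are constructed.

```python
"""Layer 3 VPN tunneling: one IP packet carried encrypted inside another."""
import hashlib
import hmac
import socket
import struct

ESP_PROTOCOL = 50
TAG_LEN = 16


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """(src, dst, protocol, payload) of a packet with a 20-byte header."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[20:]


def _subkey(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encapsulate(inner: bytes, key: bytes, spi: int, seq: int, client_pub: str, server: str) -> bytes:
    """The whole inner packet, IP header included, becomes protected payload.
    (spi, seq) is the keystream nonce and must never repeat under one key."""
    esp_hdr = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(_subkey(key, b"enc"), esp_hdr, len(inner))))
    tag = hmac.new(_subkey(key, b"auth"), esp_hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ipv4_packet(client_pub, server, ESP_PROTOCOL, esp_hdr + ct + tag)


def decapsulate(outer: bytes, key: bytes) -> bytes:
    """Verify integrity first, then decrypt; raises on any tampering."""
    _, _, proto, body = parse_ipv4(outer)
    if proto != ESP_PROTOCOL or len(body) < 8 + TAG_LEN:
        raise ValueError("not a tunnel packet")
    esp_hdr, ct, tag = body[:8], body[8:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"auth"), esp_hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), esp_hdr, len(ct))))


def demo() -> dict:
    key = hashlib.sha256(b"constructed tunnel key").digest()
    # inner: client's virtual address -> internal host; outer: public address -> VPN server
    inner = ipv4_packet("10.20.0.5", "10.0.0.10", 6, b"GET / HTTP/1.0\r\n\r\n")
    outer = encapsulate(inner, key, 0x1001, 1, "203.0.113.7", "198.51.100.1")
    outer_src, outer_dst, proto, body = parse_ipv4(outer)
    tampered = outer[:-1] + bytes([outer[-1] ^ 0x01])
    try:
        decapsulate(tampered, key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "outer": (outer_src, outer_dst, proto),
        "inner_addresses_visible": socket.inet_aton("10.20.0.5") in body or socket.inet_aton("10.0.0.10") in body,
        "round_trip": decapsulate(outer, key) == inner,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

An eavesdropper on the wireless side sees only the outer header (client public address, VPN server, protocol 50) and the SPI; the original addresses, ports and payload are inside the ciphertext, and any modification fails the integrity check before decryption is attempted.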


Layer 3 VPNs

Of the two major layer 3 VPN technologies, PPTP uses 128-bit Microsoft Point-to-Point Encryption (MPPE), which uses the RC4 algorithm.

PPTP encryption is considered adequate but not strong. PPTP uses MS-CHAP version 2 for user authentication.



Layer 3 VPNs

But the chosen authentication method can be compromised with offline dictionary attacks, and MS-CHAPv2 has since been shown to be breakable regardless of password strength, so PPTP should be treated as insecure rather than merely weak.

VPNs using PPTP technology typically are used in smaller SOHO environments.

IPSec VPNs use stronger encryption methods and more secure methods of authentication.

IPSec supports multiple ciphers, including DES, 3DES, and AES; DES is no longer considered secure, and AES should be chosen.

Device (peer) authentication is achieved by using either certificates or a preshared key.


Remote Access VPN Tunnel


What Did I Learn?

You learned that five major facets are needed for wireless security.

1. A strong encryption solution is needed to protect the data frames.

2. A mutual authentication solution is needed to ensure that only legitimate users are authorized to use network resources.

3. A segmentation solution is necessary to further restrict users as to what resources they may access and where they can go.

4. 802.11 wireless networks can be further protected with continuous monitoring.

5. Enforcement of WLAN security policies.



What Did I Learn?


Legacy 802.11 authentication and encryption solutions and why they are weak.

Stronger 802.1X/EAP authentication solutions and the benefits of dynamic encryption-key generation, as well as what is defined by the 802.11-2007 standard and the related WPA/WPA2 certifications.

The 802.11-2007 standard defines a layer 2 robust security network using either 802.1X/EAP or PSK authentication and defines CCMP/AES or TKIP/RC4 dynamic encryption.



What Did I Learn?


Proper infrastructure and interface security, as well as VPN technology, in a WLAN environment.

Understand the capabilities and limitations of devices that will be deployed within wireless networks.

Devices can be segmented into separate VLANs by using 802.1X/EAP authentication and CCMP/AES encryption.

VoIP phones, mobile scanners, mobile printers and handheld devices are often not equipped with the ability to handle advanced security capabilities.

Designs must take all of these components into account to ensure the most dynamic and secure network.


END Ch 13 - Network Security Architecture

Next: Ch 14 - Wireless Attacks, Intrusion Monitoring & Policy
