3.0 Implementation

3.4 Given a scenario, install and configure wireless security settings.

Wireless network security is of utmost importance in today's interconnected world. With the proliferation of wireless devices and the increasing reliance on wireless networks, ensuring the security of these networks has become crucial.
Last edited 765 days ago by Makiel [Muh-Keel].

📳Wireless Network Models

Wireless technologies operate in three major models: point-to-point, point-to-multipoint, and broadcast.

↔Point-to-Point

The Point-to-Point wireless model refers to a communication setup where data is transmitted between two specific endpoints or nodes wirelessly, without the need for physical cables or infrastructure.
In this model, the two endpoints establish a direct wireless connection to exchange information.

⇶ Point-to-Multipoint

The Point-to-Multipoint wireless network is a communication model where data is transmitted wirelessly from a central hub or access point to multiple remote endpoints or client devices.
In this model, a single access point serves as the central point of communication, allowing multiple devices to connect and receive data simultaneously.
Central hub or access point:
The point-to-multipoint wireless network consists of a central hub or access point that serves as the focal point for communication.
This access point is responsible for transmitting data to multiple remote endpoints or client devices.
Multiple remote endpoints:
The network includes multiple remote endpoints or client devices, such as computers, laptops, smartphones, or Internet of Things (IoT) devices.
These devices connect wirelessly to the central access point to receive data and participate in the network.
Broadcast transmission:
In the point-to-multipoint model, the central access point broadcasts data to all connected client devices simultaneously.
This broadcast transmission allows multiple devices to receive the same data without the need for individual point-to-point connections.

📺Broadcast

Broadcast network design refers to a network architecture where data or information is transmitted from a single source to all connected nodes within the network.
In this design, a central broadcasting entity sends the data, and all the connected nodes receive and process it.
Central broadcasting entity:
The broadcast network design includes a central broadcasting entity, often referred to as the source or sender.
This entity is responsible for generating or obtaining the data to be broadcasted.
Broadcast transmission:
The central broadcasting entity transmits the data to all nodes within the network simultaneously.
The data is typically sent over a shared communication medium, such as wired or wireless networks.
One-to-all communication:
In a broadcast network, the communication pattern is one-to-all, where the sender communicates with all the nodes in the network simultaneously.
This allows for efficient dissemination of information without the need for point-to-point connections.
Examples: GPS and radio.

🔑Cryptographic Protocols

Cryptographic wireless protocols are security mechanisms used to protect wireless network communications by encrypting data transmitted over the airwaves.
These protocols ensure that the information exchanged between wireless devices remains confidential, authentic, and secure from unauthorized access.
Here are some common cryptographic wireless protocols:

1️⃣Wi-Fi Protected Access (WPA):

WPA was introduced as an improved replacement for WEP.
It addresses some of the security vulnerabilities in WEP and provides stronger encryption.
WPA uses the Temporal Key Integrity Protocol (TKIP) for encryption and adds message integrity checks.
However, WPA is also considered weak against certain attacks and is no longer recommended for use.

2️⃣Wi-Fi Protected Access 2 (WPA2):

WPA2 is the current industry-standard wireless security protocol and is considered much more secure than WEP and WPA.
It uses the Advanced Encryption Standard (AES) algorithm for encryption, providing robust security.
WPA2 supports two authentication methods: Pre-Shared Key (PSK) mode, commonly used in home networks, and Enterprise mode, which utilizes an authentication server for individual user authentication.

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is an encryption protocol used in conjunction with WPA2 (Wi-Fi Protected Access 2) to provide data confidentiality and integrity for wireless network communications.
CCMP replaced the previous encryption protocol, TKIP (Temporal Key Integrity Protocol).
It uses the Advanced Encryption Standard (AES) in Counter Mode (CTR) to encrypt individual data packets.
AES is a symmetric encryption algorithm widely regarded as highly secure.
CCMP encrypts each packet with a unique encryption key, preventing unauthorized individuals from intercepting and understanding the data.
CCMP is a crucial component of WPA2, providing strong encryption and data integrity for wireless network communications.
Its use of AES, along with its robust key management and integrity checks, contributes to the overall security of WPA2-secured networks.

3️⃣WPA3

WPA3 is the latest iteration of wireless security protocols, designed to enhance wireless network security further.
It addresses the vulnerabilities present in WPA2 and introduces several new security features.
WPA3 offers stronger encryption, individualized data encryption for each user, and protection against offline dictionary attacks.
It also improves security for open Wi-Fi networks and simplifies the process of adding devices to a network securely.

SAE (Simultaneous Authentication of Equals)

SAE is a key component of the WPA3 (Wi-Fi Protected Access 3) security protocol.
It is used as the primary authentication method in the WPA3-Personal mode, also known as WPA3-SAE.
SAE replaces the Pre-Shared Key (PSK) authentication method used in WPA2 and provides stronger security against offline dictionary attacks while providing more robust and secure personal home Wi-Fi.

🔐Authentication Protocols


Extensible Authentication Protocol (EAP): EAP is not a wireless encryption protocol itself but a framework for authentication methods used in wireless networks.
It allows for more secure and flexible authentication mechanisms, such as EAP-TLS (Transport Layer Security) and EAP-PEAP (Protected Extensible Authentication Protocol).
EAP is commonly used in enterprise networks and provides a framework for integrating various authentication methods within wireless security protocols like WPA2 and WPA3.
The Extensible Authentication Protocol (EAP) is a widely used framework for authentication in network communication protocols. In the context of the 802.1X authentication process, EAP plays a vital role in facilitating secure and flexible authentication for devices connecting to a network.
Here's how EAP is used by 802.1X as part of the authentication process:
802.1X Overview: The 802.1X protocol is used for port-based network access control, primarily in wired and wireless LANs. It provides a framework for authenticating devices before allowing them access to the network. With 802.1X, devices are not granted full network access until they successfully complete the authentication process.
EAP as an Authentication Framework: 802.1X utilizes EAP as its authentication framework, enabling various authentication methods to be employed within the protocol. EAP is an extensible protocol that supports multiple authentication mechanisms, such as passwords, digital certificates, smart cards, and token-based authentication.

🧬EAP variants

🚇PEAP (Protected Extensible Authentication Protocol)

PEAP (Protected Extensible Authentication Protocol) is an authentication protocol commonly used in wireless networks and virtual private networks (VPNs) to provide secure authentication of clients. It is an extension of the Extensible Authentication Protocol (EAP) and operates within a secure Transport Layer Security (TLS) tunnel.
By encapsulating the EAP messages within a secure TLS tunnel, PEAP protects the authentication process from eavesdropping and man-in-the-middle attacks.
It ensures the confidentiality and integrity of the exchanged authentication data, providing a secure authentication mechanism for wireless networks and VPNs.
Here's how PEAP works:
Client-Server Connection: The client device initiates a connection to the server, typically through a wireless access point or VPN gateway. The server is often a Remote Authentication Dial-In User Service (RADIUS) server or an authentication server.
EAP Start: The client sends an EAP Start message to the server, indicating that it wishes to initiate the authentication process.
Server Certificate Validation: The server responds by sending its digital certificate to the client. The client verifies the server's certificate to ensure it is valid and issued by a trusted certificate authority (CA). This step establishes a secure TLS tunnel between the client and server.
Mutual Authentication: Once the TLS tunnel is established, the client and server perform mutual authentication. The client sends its identity to the server using an EAP-Response/Identity message.
Server Challenge: The server generates a random challenge and sends it to the client within an EAP-Request/Identity message.
Client Response: The client responds to the server's challenge by generating a session key and encrypting it with the server's public key obtained from the server's certificate. The client sends this encrypted session key to the server in an EAP-Response message.
Server Validation: The server decrypts the session key using its private key, verifying the client's response. If the validation is successful, the server acknowledges the client's authentication.
Inner Authentication: After the initial authentication, PEAP allows for the use of various EAP methods for the inner authentication, such as EAP-MSCHAPv2 or EAP-TLS. The client and server negotiate and select an appropriate EAP method to continue the authentication process within the secure TLS tunnel.
Inner Authentication Exchange: The client and server perform the selected inner authentication method, exchanging the necessary authentication information (e.g., username, password, digital certificates) within the EAP messages.
Authentication Result: Based on the success or failure of the inner authentication, the server sends an authentication result to the client through the EAP-Success or EAP-Failure message.

Explain it to me like I’m 5.
Imagine you have a secret clubhouse where only your trusted friends are allowed. When your friends want to enter the clubhouse, they need to prove that they are really your friends and not someone pretending to be your friend.
PEAP is like a special secret code that helps your friends prove their identity. Here's how it works:
When a friend wants to enter the clubhouse, they first knock on the door and say, "I want to come in!" This is like the friend starting the authentication process.
You, as the doorkeeper, ask your friend to show their special ID card. This ID card has a picture of your friend and a special mark on it to make sure it's real. This is like the server sending its digital certificate to the friend.
Your friend shows you the ID card, and you check it to make sure it's real. You look at the picture and the special mark on the card to make sure it's not fake. This is like the friend verifying the server's certificate.
Once you're sure the ID card is real, you and your friend have a secret handshake to make sure you both trust each other. This handshake creates a special secure tunnel between you and your friend, where you can talk in private. This is like establishing a secure TLS tunnel between the client and server.
Now that you trust each other, you and your friend exchange secret passwords or other secret information. This is like the friend and the server exchanging authentication information.
After all the secret information is exchanged, you decide if your friend can enter the clubhouse or not. If everything is okay and you trust your friend, you say, "You can come in!" This is like the server telling the client that the authentication is successful.

⚡EAP-FAST

EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling) is an authentication protocol commonly used in wireless networks. It aims to provide fast and flexible authentication while maintaining a high level of security.
EAP-FAST was developed as an improvement over its predecessor, LEAP (Lightweight Extensible Authentication Protocol), to address some of its vulnerabilities.
Initialization: The authentication process begins when a client device, such as a laptop or smartphone, attempts to connect to a wireless network. The client sends an authentication request to the network access point (NAS) or authentication server.
Mutual Authentication: EAP-FAST establishes a secure tunnel between the client and the server, known as the Protected Access Credential (PAC). The server sends its digital certificate to the client to initiate mutual authentication. The client verifies the server's certificate to ensure its authenticity and establish a secure communication channel.
PAC Provisioning: To enable fast re-authentication in subsequent sessions, the server provides the client with a PAC, which contains encryption keys and other authentication information. The client securely stores the PAC for future use.
Session Resumption: In subsequent authentication attempts, the client and server can use the PAC to quickly establish a secure connection without repeating the full authentication process. This allows for faster authentication and reduces the overhead associated with cryptographic operations.
Secure Tunneling: EAP-FAST uses secure tunneling to protect authentication data during transmission. It employs various cryptographic algorithms, such as RC4 or AES, to encrypt the exchanged messages within the secure tunnel. This ensures the confidentiality and integrity of the authentication process, safeguarding against eavesdropping and tampering.
Flexible Authentication Methods: EAP-FAST supports multiple authentication methods, such as password-based authentication (EAP-MSCHAPv2) or digital certificate-based authentication (EAP-TLS). The choice of authentication method depends on the network configuration and security requirements.
Trusted Server Infrastructure: EAP-FAST relies on a trusted infrastructure, typically a Remote Authentication Dial-In User Service (RADIUS) server or an authentication server, to validate client credentials and make authorization decisions. The server performs user authentication using the chosen EAP method within the secure tunnel.
Authentication Result: After the authentication process, the server sends an authentication result to the client. If the authentication is successful, the client is granted access to the network resources. Otherwise, access is denied.

📰 EAP-TLS

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) implements certificate-based authentication as well as mutual authentication of the device and network.
It uses certificates on both client and network device to generate keys that are then used for communication.
EAP-TLS is used less frequently due to the certificate management challenges for deploying and managing certificates on large numbers of client devices.
It provides mutual authentication and secure key exchange using digital certificates and the Transport Layer Security (TLS) protocol.

🎨EAP-TTLS

EAP-TTLS (EAP Tunneled Transport Layer Security) extends EAP-TLS, and unlike EAP-TLS, it does not require that client devices have a certificate to create a secure session.
This removes the overhead and management effort that EAP-TLS requires to distribute and manage endpoint certificates while still providing TLS support for devices.
Additional Authentication Mechanisms: EAP-TTLS allows for flexibility in authentication methods. It supports various authentication mechanisms, making it suitable for environments where multiple authentication methods are desired.
These mechanisms can include passwords, digital certificates, token-based authentication, or even legacy authentication methods like PAP (Password Authentication Protocol).

👨🏽‍👩🏾‍👧🏻‍👦🏿Difference between the Four EAP protocols

Use Cases:
PEAP: PEAP is commonly used in enterprise networks and wireless networks where password-based authentication is required. It offers an efficient and secure method to protect password-based credentials.
EAP-FAST: EAP-FAST is often used in scenarios where fast password-based authentication is required, such as enterprise wireless networks or Virtual Private Networks (VPNs). It provides a secure method to protect password-based credentials.
EAP-TTLS: EAP-TTLS is commonly used in enterprise networks, wireless networks, or VPNs where flexible authentication methods and secure tunneling are desired.
EAP-TLS: EAP-TLS is commonly used in environments where strong certificate-based authentication is desired. It is commonly used in enterprise networks, secure web communication, or environments
Authentication Methods:
PEAP: PEAP is an authentication protocol that encapsulates other EAP methods, such as EAP-MSCHAPv2 or EAP-GTC, within a secure TLS tunnel. It allows for password-based authentication while providing enhanced security.
EAP-FAST: EAP-FAST is a password-based authentication protocol that uses a secure tunneling mechanism to protect password-based credentials during the authentication process.
EAP-TTLS: EAP-TTLS provides a secure tunnel for transmitting authentication data. It supports various authentication methods, including passwords, digital certificates, and token-based authentication.
EAP-TLS: EAP-TLS is a certificate-based authentication protocol. It uses digital certificates to verify the identities of the client and server. Clients present their digital certificates to the server for authentication.
Security Mechanisms:
PEAP: PEAP provides a secure TLS tunnel for transmitting authentication data. It protects the confidentiality and integrity of the exchanged information, ensuring a higher level of security for authentication.
EAP-FAST: EAP-FAST focuses on protecting password-based credentials during the authentication process. It establishes a secure tunnel for exchanging credentials securely, providing protection against eavesdropping and credential theft.
EAP-TTLS: EAP-TTLS provides a secure tunnel for transmitting authentication data, protecting the confidentiality and integrity of the exchanged information. It supports various authentication methods, allowing flexibility in selecting the appropriate method based on security requirements.
EAP-TLS: EAP-TLS relies on digital certificates for client and server authentication. It ensures strong security by eliminating the need to transmit passwords over the network. The authentication process is based on the validation of digital certificates, ensuring the identities of the client and server.
Certificate Management:
PEAP: PEAP does not require the management of digital certificates on the client side. It primarily focuses on protecting password-based authentication.
EAP-FAST: EAP-FAST does not rely on client certificates for authentication. It focuses on protecting password-based credentials and does not require the management of digital certificates for clients.
EAP-TTLS: EAP-TTLS may use client certificates for authentication, depending on the chosen authentication method. Certificate management is necessary if certificate-based authentication is employed.
EAP-TLS: EAP-TLS heavily relies on digital certificates for client and server authentication. It requires the deployment and management of digital certificates, including client certificates, server certificates, and Certificate Authorities (CAs).
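A practitioner's check for the server-certificate validation step described under PEAP and for the certificate requirements listed above for EAP-TLS: this is an added example, not part of the original notes, that parses wpa_supplicant `network={ ... }` blocks and flags the settings that leave the RADIUS server effectively unauthenticated (no trusted CA, no pinned server name, no fixed inner method). The sample configuration, SSID, identity, CA path and host name are constructed placeholders; the option names (ca_cert, domain_match, domain_suffix_match, phase2, client_cert, private_key) are real wpa_supplicant options.

```python
# Constructed sample wpa_supplicant.conf (not from the page or any real deployment).
# First network block: the weak PEAP configuration. Second: the corrected one.
# SSID, identity, CA path and RADIUS host name are placeholders.
SAMPLE_CONF = """\
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
}

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous@example.net"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="radius.example.net"
    phase2="auth=MSCHAPV2"
}
"""


def parse_networks(text: str) -> list:
    """Minimal parser for wpa_supplicant network={ key=value ... } blocks.
    Quoted values lose their quotes; global options outside blocks are ignored."""
    networks, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            if current is not None:
                raise ValueError(f"line {lineno}: nested network block")
            current = {}
        elif line == "}":
            if current is None:
                raise ValueError(f"line {lineno}: '}}' outside a network block")
            networks.append(current)
            current = None
        elif current is not None:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[key.strip()] = value
    if current is not None:
        raise ValueError("unterminated network block")
    return networks


def audit_network(net: dict) -> list:
    """Findings for one network block: the server certificate must be checked against a
    trusted CA, the server identity pinned, and the inner method fixed, not negotiated."""
    findings = []
    key_mgmt = net.get("key_mgmt", "").split()
    if "NONE" in key_mgmt:
        return ["open network: no authentication or encryption"]
    if "WPA-PSK" in key_mgmt:
        findings.append("shared passphrase: one credential for every client, no per-user accountability")
    if not any(m.startswith("WPA-EAP") for m in key_mgmt):
        return findings
    eap = net.get("eap", "").upper()
    if not net.get("ca_cert"):
        findings.append("ca_cert missing: supplicant will accept any RADIUS server certificate")
    if not (net.get("domain_match") or net.get("domain_suffix_match")):
        findings.append("domain_match/domain_suffix_match missing: any certificate from the CA is accepted as the RADIUS server")
    if eap in ("PEAP", "TTLS") and not net.get("phase2"):
        findings.append(f"{eap} without phase2: inner authentication method is left to negotiation")
    if eap == "TLS" and not (net.get("client_cert") and net.get("private_key")):
        findings.append("EAP-TLS without client_cert/private_key: client cannot present its certificate")
    return findings


def audit_conf(text: str) -> list:
    """(ssid, findings) for every network block in a wpa_supplicant.conf."""
    return [(net.get("ssid", "<no ssid>"), audit_network(net)) for net in parse_networks(text)]


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF):
        print(ssid, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against a real supplicant configuration by passing the file contents to `audit_conf`. The first sample block trusts whatever certificate the network presents, which is exactly the situation the PEAP "Server Certificate Validation" step is meant to rule out; the second block pins both the issuing CA and the server name and fixes the inner method.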

📶IEEE 802.1X

802.1X is an IEEE standard for access control and is used for both wired and wireless devices. In wireless networks, 802.1x is used to integrate with RADIUS servers, allowing enterprise users to authenticate and gain access to the network.
Additional actions can be taken based on information about the users, such as placing them in groups or network zones, or taking other actions based on attributes once the user has been authenticated.
IEEE 802.1X is widely used in wireless networks to provide secure authentication and access control for wireless clients.
It enhances the security of wireless communications by ensuring that only authorized devices can connect to the network.
IEEE 802.1X is crucial in wireless networks as it provides strong authentication, access control, and encryption mechanisms.
It helps organizations protect their wireless networks from unauthorized access, secure user identities, and enforce access policies.
IEEE 802.1X integrates with RADIUS (Remote Authentication Dial-In User Service) to provide centralized authentication and authorization for network access control.
RADIUS serves as the backend authentication server in the 802.1X authentication process.
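To make the 802.1X, EAP and RADIUS relationship above concrete, here is an added example (not part of the original notes) that builds the RADIUS Access-Request a NAS sends when it relays a supplicant's EAP-Response/Identity, and then verifies the Access-Accept the server returns. The shared secret, identity and Request Authenticator are constructed values; the packet layout, the Message-Authenticator attribute (RFC 3579) and the Response Authenticator (RFC 2865) follow the standards.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE = 1, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
# EAP codes and the Identity method type (RFC 3748)
EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP-Response/Identity as the supplicant sends it over EAPOL: Code, Id, Length, Type, data."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def encode_attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(attrs: bytes) -> list:
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        out.append((attrs[i], attrs[i + 2:i + attrs[i + 1]]))
        i += attrs[i + 1]
    return out


def _with_message_authenticator(secret: bytes, head: bytes, auth: bytes, attrs: bytes) -> bytes:
    """Append Message-Authenticator = HMAC-MD5(secret, head | auth | attrs with MA zeroed).
    RFC 3579 requires it on every packet that carries EAP-Message."""
    zeroed = attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, head + auth + zeroed, hashlib.md5).digest()
    return attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def build_access_request(secret: bytes, ident: int, request_auth: bytes, username: str, eap_msg: bytes) -> bytes:
    """NAS -> RADIUS server: relay the supplicant's EAP message inside an Access-Request."""
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + encode_attr(ATTR_EAP_MESSAGE, eap_msg))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18)  # +18 for the MA attribute
    return head + request_auth + _with_message_authenticator(secret, head, request_auth, attrs)


def build_response(secret: bytes, code: int, ident: int, request_auth: bytes, eap_msg: bytes) -> bytes:
    """RADIUS server -> NAS: Response Authenticator = MD5(Code|Id|Length|RequestAuth|Attributes|Secret)."""
    attrs = encode_attr(ATTR_EAP_MESSAGE, eap_msg)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs) + 18)
    attrs = _with_message_authenticator(secret, head, request_auth, attrs)
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_message_authenticator(secret: bytes, packet: bytes, request_auth: bytes = None) -> bool:
    """Server side for a request (auth = the packet's own Request Authenticator);
    NAS side for a response (auth = the Request Authenticator the NAS sent)."""
    head = packet[:4]
    auth = packet[4:20] if request_auth is None else request_auth
    received, rebuilt = None, b""
    for atype, value in parse_attrs(packet[20:]):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            received, value = value, bytes(16)
        rebuilt += encode_attr(atype, value)
    if received is None or len(received) != 16:
        return False
    expected = hmac.new(secret, head + auth + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def verify_response(secret: bytes, response: bytes, request_auth: bytes) -> bool:
    """NAS side: a valid Accept/Reject proves knowledge of the shared secret and is
    bound to the Request Authenticator of this particular request."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return (hmac.compare_digest(expected, response[4:20])
            and verify_message_authenticator(secret, response, request_auth))


def demo() -> tuple:
    secret = b"constructed-shared-secret"   # constructed sample value, not a real deployment's
    request_auth = os.urandom(16)           # fresh random Request Authenticator per request
    identity = "alice@example.net"          # constructed sample identity
    req = build_access_request(secret, 7, request_auth, identity, eap_response_identity(1, identity))
    accept = build_response(secret, ACCESS_ACCEPT, 7, request_auth, struct.pack("!BBH", EAP_SUCCESS, 1, 4))
    return verify_message_authenticator(secret, req), verify_response(secret, accept, request_auth)


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when reading the code: the NAS never sees the user's credentials in clear (it only relays EAP), and the NAS-to-RADIUS shared secret is what stops a forged Access-Accept from being trusted, so that secret deserves the same care as any other authentication key. A real exchange would carry several EAP-Message round trips (the TLS tunnel and inner method) before the final Success.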

🇺🇸 RADIUS (Remote Authentication Dial-In User Service) Federation

RADIUS provides a centralized authentication infrastructure, user database integration, and policy enforcement, enabling organizations to enforce consistent and secure network access control across their infrastructure.
RADIUS Federation offers a framework for secure collaboration and sharing of authentication and authorization information between organizations.
It enhances user experience, simplifies management, and enables interoperability in multi-domain environments.
By federating their RADIUS infrastructures, organizations can extend the benefits of their authentication systems beyond their own boundaries while maintaining control and security.
When organizations want to work together, RADIUS servers can be federated to allow individuals from other organizations to authenticate to remote networks using their home organization's accounts and credentials.
Many higher education institutions provide a federated authentication service for wireless called eduroam, which allows students, faculty, and staff from any eduroam institution to authenticate and use the networks at any other eduroam supporting organization.

Methods

The three wireless authentication methods—PSK (Pre-Shared Key), Enterprise, and Open—differ in their security levels, management complexity, and user experience. Here's an explanation of the differences between these authentication methods:

3 Wireless Authentication Methods

PSK (Pre-Shared Key):

PSK authentication is commonly used in home or small office wireless networks.
Security: PSK uses a shared passphrase or key that is manually configured on both the access point (AP) and client devices. The same key is used for all devices connecting to the network.
Management: PSK networks are relatively easy to set up and manage as they require configuring a single key. However, distributing and updating the key on multiple devices can be challenging.
User Experience: Users need to manually enter the shared key when connecting to the network.
This method is less flexible for managing individual user accounts and can lead to compromised security if the passphrase is weak or shared with unauthorized individuals.
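As an added example (not from the original notes) of what "the same key is used for all devices" means in practice: the PMK derivation every WPA/WPA2-Personal client performs from the passphrase and SSID, and the 4-way handshake expansion that turns that shared PMK into per-session keys. The passphrase and MAC addresses are constructed sample values; the PBKDF2 and PRF formulas are the ones from IEEE 802.11.

```python
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Every device configured with the same passphrase and SSID computes the same PMK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label | 0x00 | data | i) for i = 0, 1, ... until n bytes."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """4-way handshake key expansion for CCMP (PTK = 384 bits):
    KCK (16 bytes) authenticates the handshake messages, KEK (16) wraps the group key,
    TK (16) is the per-session AES-CCMP key that actually encrypts data frames."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def simulate_two_sessions(passphrase: str, ssid: str) -> tuple:
    """Two stations joining the same PSK network: identical PMK, distinct per-session TKs."""
    ap_mac = bytes.fromhex("02a1b2c3d4e5")   # constructed, locally administered MAC addresses
    sta1 = bytes.fromhex("02000000000a")
    sta2 = bytes.fromhex("02000000000b")
    pmk1 = derive_pmk(passphrase, ssid)      # each station derives the PMK itself
    pmk2 = derive_pmk(passphrase, ssid)
    keys1 = derive_ptk(pmk1, ap_mac, sta1, os.urandom(32), os.urandom(32))  # fresh nonces per session
    keys2 = derive_ptk(pmk2, ap_mac, sta2, os.urandom(32), os.urandom(32))
    return pmk1 == pmk2, keys1["TK"] != keys2["TK"]


if __name__ == "__main__":
    same_pmk, different_tk = simulate_two_sessions("correct horse battery", "ExampleSSID")
    print("shared PMK:", same_pmk, "| per-session TK differs:", different_tk)
```

The per-session TK keeps one client's traffic separate from another's, but everything that distinguishes the sessions (MAC addresses and nonces) is sent in the clear during the handshake, so the only secret is the shared passphrase itself. That is why the notes above call PSK weak once the passphrase is poor or widely shared, and why Enterprise mode (per-user credentials) or WPA3-SAE is the better choice beyond a home network.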

Enterprise:

Enterprise authentication is commonly used in business or larger-scale networks.
Security: Enterprise authentication utilizes an authentication server, such as RADIUS, to authenticate individual users or devices.
It supports stronger authentication methods, including digital certificates or username/password combinations.
Management: Enterprise networks require more complex setup and management due to the need for an authentication server and the configuration of individual user accounts.
However, this approach allows for centralized management and control over user access and security policies.
User Experience: Users are required to enter their individual credentials (username/password or digital certificates) when connecting to the network.
This method provides better accountability, traceability, and control over user access, enhancing security and user management capabilities.

Open WPS:

Open authentication is the most lenient method, where no authentication or encryption is implemented.
Security: Open networks do not provide any authentication or encryption, leaving the network and transmitted data vulnerable to unauthorized access or eavesdropping. It is generally not recommended for sensitive or business-critical environments.
Management: Open networks do not involve complex authentication setup or management as no authentication server or individual user accounts are required.
User Experience: Users can connect to the network without entering any credentials or passphrase. This approach offers convenience but sacrifices security.

Captive Portals

Captive Portals redirect traffic to a website or registration page before allowing access to the network.
A Captive Portal is a web page or set of web pages that act as an intermediary between a user and the Internet, typically encountered when connecting to a public Wi-Fi network or accessing a restricted network.

Installation Considerations

🏭Site Surveys

Site Surveys involve moving throughout the entire facility or space to determine what existing networks are in place and to look at the physical structure for the location options for your access points.