Wireless Security Architecture
John Wiley & Sons Inc (Publisher)
978-1-119-88305-0 (ISBN)
Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise offers readers an essential guide to planning, designing, and preserving secure wireless infrastructures. It is a blueprint to a resilient and compliant architecture that responds to regulatory requirements, reduces organizational risk, and conforms to industry best practices. This book emphasizes WiFi security, as well as guidance on private cellular and Internet of Things security.
Readers will discover how to move beyond isolated technical certifications and vendor training and put together a coherent network that responds to contemporary security risks. It offers up-to-date coverage—including data published for the first time—of new WPA3 security, Wi-Fi 6E, zero-trust frameworks, and other emerging trends. It also includes:
Concrete strategies suitable for organizations of all sizes, from large government agencies to small public and private companies
Effective technical resources and real-world sample architectures
Explorations of the relationships between security, wireless, and network elements
Practical planning templates, guides, and real-world case studies demonstrating application of the included concepts
Perfect for network, wireless, and enterprise security architects, Wireless Security Architecture belongs in the libraries of technical leaders in firms of all sizes and in any industry seeking to build a secure wireless network.
JENNIFER (JJ) MINELLA is an internationally recognized authority on network and wireless security, author, and public speaker. She is an advisory CISO and information security leader with over fifteen years’ experience working with organizations creating network security and leadership strategies. She is Founder and Principal Advisor of Viszen Security.
Foreword
Preface
Introduction
Part I Technical Foundations
Chapter 1 Introduction to Concepts and Relationships
Roles and Responsibilities
Network and Wireless Architects
Security, Risk, and Compliance Roles
Operations and Help Desk Roles
Support Roles
External and Third Parties
Security Concepts for Wireless Architecture
Security and IAC Triad in Wireless
Aligning Wireless Architecture Security to Organizational Risk
Factors Influencing Risk Tolerance
Assigning a Risk Tolerance Level
Considering Compliance and Regulatory Requirements
Compliance Regulations, Frameworks, and Audits
The Role of Policies, Standards, and Procedures
Segmentation Concepts
Authentication Concepts
Cryptography Concepts
Wireless Concepts for Secure Wireless Architecture
NAC and IEEE 802.1X in Wireless
SSID Security Profiles
Security
Endpoint Devices
Network Topology and Distribution of Users
Summary
Chapter 2 Understanding Technical Elements
Understanding Wireless Infrastructure and Operations
Management vs. Control vs. Data Planes
Cloud-Managed Wi-Fi and Gateways
Controller Managed Wi-Fi
Local Cluster Managed Wi-Fi
Remote APs
Summary
Understanding Data Paths
Tunneled
Bridged
Considerations of Bridging Client Traffic
Hybrid and Other Data Path Models
Filtering and Segmentation of Traffic
Summary
Understanding Security Profiles for SSIDs
WPA2 and WPA3 Overview
Transition Modes and Migration Strategies for Preserving Security
Enterprise Mode (802.1X)
Personal Mode (Passphrase with PSK/SAE)
Open Authentication Networks
Chapter 3 Understanding Authentication and Authorization
The IEEE 802.1X Standard
Terminology in 802.1X
High-Level 802.1X Process in Wi-Fi Authentication
RADIUS Servers, RADIUS Attributes, and VSAs
RADIUS Servers
RADIUS Servers and NAC Products
Relationship of RADIUS, EAP, and Infrastructure Devices
RADIUS Attributes
RADIUS Vendor-Specific Attributes
RADIUS Policies
RADIUS Servers, Clients and Shared Secrets
Other Requirements
Additional Notes on RADIUS Accounting
Change of Authorization and Disconnect Messages
EAP Methods for Authentication
Outer EAP Tunnels
Securing Tunneled EAP
Inner Authentication Methods
Legacy and Unsecured EAP Methods
Recommended EAP Methods for Secure Wi-Fi
MAC-Based Authentications
MAC Authentication Bypass with RADIUS
MAC Authentication Without RADIUS
MAC Filtering and Denylisting
Certificates for Authentication and Captive Portals
RADIUS Server Certificates for 802.1X
Endpoint Device Certificates for 802.1X
Best Practices for Using Certificates for 802.1X
Captive Portal Server Certificates
Best Practices for Using Certificates for Captive Portals
In Most Cases, Use a Public Root CA Signed Server Certificate
Understand the Impact of MAC Randomization on Captive Portals
Captive Portal Certificate Best Practices Recap
Summary
Captive Portal Security
Captive Portals for User or Guest Registration
Captive Portals for Acceptable Use Policies
Captive Portals for BYOD
Captive Portals for Payment Gateways
Security on Open vs. Enhanced Open Networks
Access Control for Captive Portal Processes
LDAP Authentication for Wi-Fi
The 4-Way Handshake in Wi-Fi
The 4-Way Handshake Operation
The 4-Way Handshake with WPA2-Personal and WPA3-Personal
The 4-Way Handshake with WPA2-Enterprise and WPA3-Enterprise
Summary
Chapter 4 Understanding Domain and Wi-Fi Design Impacts
Understanding Network Services for Wi-Fi
Time Sync Services
Time Sync Services and Servers
Time Sync Uses in Wi-Fi
DNS Services
DHCP Services
DHCP for Wi-Fi Clients
Planning DHCP for Wi-Fi Clients
DHCP for AP Provisioning
Certificates
Understanding Wi-Fi Design Impacts on Security
Roaming Protocols’ Impact on Security
Fast Roaming Technologies
System Availability and Resiliency
RF Design Elements
AP Placement, Channel, and Power Settings
Wi-Fi 6E
Rate Limiting Wi-Fi
Other Networking, Discovery, and Routing Elements
Summary
Part II Putting It All Together
Chapter 5 Planning and Design for Secure Wireless
Planning and Design Methodology
Discover Stage
Architect Stage
Iterate Stage
Planning and Design Inputs (Define and Characterize)
Scope of Work/Project
Teams Involved
Organizational Security Requirements
Current Security Policies
Endpoints
Users
System Security Requirements
Applications
Process Constraints
Wireless Management Architecture and Products
Planning and Design Outputs (Design, Optimize, and Validate)
Wireless Networks (SSIDs)
System Availability
Additional Software or Tools
Processes and Policy Updates
Infrastructure Hardening
Correlating Inputs to Outputs
Planning Processes and Templates
Requirements Discovery Template (Define and Characterize)
Sample Network Planning Template (SSID Planner)
Sample Access Rights Planning Templates
Notes for Technical and Executive Leadership
Planning and Budgeting for Wireless Projects
Consultants and Third Parties Can Be Invaluable
Selecting Wireless Products and Technologies
Expectations for Wireless Security
Summary
Chapter 6 Hardening the Wireless Infrastructure
Securing Management Access
Enforcing Encrypted Management Protocols
Eliminating Default Credentials and Passwords
Controlling Administrative Access and Authentication
Securing Shared Credentials and Keys
Addressing Privileged Access
Additional Secure Management Considerations
Designing for Integrity of the Infrastructure
Managing Configurations, Change Management, and Backups
Configuring Logging, Reporting, Alerting, and Automated Responses
Verifying Software Integrity for Upgrades and Patches
Working with 802.11w Protected Management Frames
Provisioning and Securing APs to Manager
Adding Wired Infrastructure Integrity
Planning Physical Security
Locking Front Panel and Console Access on Infrastructure Devices
Disabling Unused Protocols
Controlling Peer-to-Peer and Bridged Communications
A Note on Consumer Products in the Enterprise
Blocking Ad-Hoc Networks
Blocking Wireless Bridging on Clients
Filtering Inter-Station Traffic, Multicast, and mDNS
Best Practices for Tiered Hardening
Additional Security Configurations
Security Monitoring, Rogue Detection, and WIPS
Considerations for Hiding or Cloaking SSIDs
Requiring DHCP for Clients
Addressing Client Credential Sharing and Porting
Summary
Part III Ongoing Maintenance and Beyond
Chapter 7 Monitoring and Maintenance of Wireless Networks
Security Testing and Assessments of Wireless Networks
Security Audits
Vulnerability Assessments
Security Assessments
Penetration Testing
Ongoing Monitoring and Testing
Security Monitoring and Tools for Wireless
Wireless Intrusion Prevention Systems
Recommendations for WIPS
Synthetic Testing and Performance Monitoring
Security Logging and Analysis
Wireless-Specific Tools
Logging, Alerting, and Reporting Best Practices
Events to Log for Forensics or Correlation
Events to Alert on for Immediate Action
Events to Report on for Analysis and Trending
Troubleshooting Wi-Fi Security
Troubleshooting 802.1X/EAP and RADIUS
Troubleshooting MAC-based Authentication
Troubleshooting Portals, Onboarding, and Registration
Troubleshooting with Protected Management Frames Enabled
Training and Other Resources
Technology Training Courses and Providers
Vendor-Specific Training and Resources
Conferences and Community
Summary
Chapter 8 Emergent Trends and Non-Wi-Fi Wireless
Emergent Trends Impacting Wireless
Cloud-Managed Edge Architectures
Remote Workforce
Process Changes to Address Remote Work
Recommendations for Navigating a Remote Workforce
Bring Your Own Device
Zero Trust Strategies
Internet of Things
Enterprise IoT Technologies and Non-802.11 Wireless
IoT Considerations
Technologies and Protocols by Use Case
Features and Characteristics Impact on Security
Other Considerations for Secure IoT Architecture
Final Thoughts from the Book
Appendix A Notes on Configuring 802.1X with Microsoft NPS
Wi-Fi Infrastructure That Supports Enterprise (802.1X) SSID Security Profiles
Endpoints That Support 802.1X/EAP
A Way to Configure the Endpoints for the Specified Connectivity
An Authentication Server That Supports RADIUS
Appendix B Additional Resources
IETF RFCs
IEEE Standards and Documents
Wi-Fi Alliance
Blog, Consulting, and Book Materials
Compliance and Mappings
Cyber Insurance and Network Security
Appendix C Sample Architectures
Architectures for Internal Access Networks
Managed User with Managed Device
Headless/Non-User-Based Devices
Contractors and Third Parties
BYOD/Personal Devices with Internal Access
Guidance on WPA2-Enterprise and WPA3-Enterprise
Guidance on When to Separate SSIDs
Architectures for Guest/Internet-only Networks
Guest Networks
BYOD/Personal Devices with Internet-only Access
Determining Length of a WPA3-Personal Passphrase
Appendix D Parting Thoughts and Call to Action
The Future of Cellular and Wi-Fi
MAC Randomization
Index
Publication date | 08.04.2022 |
---|---|
Foreword | Stephen Orr |
Place of publication | New York |
Language | English |
Dimensions | 188 x 234 mm |
Weight | 998 g |
Subject area | Computer Science ► Networks ► Security / Firewall |
ISBN-10 | 1-119-88305-9 / 1119883059 |
ISBN-13 | 978-1-119-88305-0 / 9781119883050 |
Condition | New |