Wireless Security Architecture

JENNIFER (JJ) MINELLA is an internationally recognized authority on network and wireless security, author, and public speaker. She is an advisory CISO and information security leader with over fifteen years’ experience working with organizations creating network security and leadership strategies. She is Founder and Principal Advisor of Viszen Security.

Foreword xxix

Preface xxxi

Introduction xxxv

Part I Technical Foundations 1

Chapter 1 Introduction to Concepts and Relationships 3

Roles and Responsibilities 4

Network and Wireless Architects 4

Security, Risk, and Compliance Roles 5

Operations and Help Desk Roles 8

Support Roles 9

External and Third Parties 9

Security Concepts for Wireless Architecture 11

Security and IAC Triad in Wireless 11

Aligning Wireless Architecture Security to Organizational Risk 14

Factors Influencing Risk Tolerance 15

Assigning a Risk Tolerance Level 15

Considering Compliance and Regulatory Requirements 17

Compliance Regulations, Frameworks, and Audits 17

The Role of Policies, Standards, and Procedures 19

Segmentation Concepts 22

Authentication Concepts 23

Cryptography Concepts 27

Wireless Concepts for Secure Wireless Architecture 30

NAC and IEEE 802.1X in Wireless 33

SSID Security Profiles 34

Security 35

Endpoint Devices 35

Network Topology and Distribution of Users 37

Summary 43

Chapter 2 Understanding Technical Elements 45

Understanding Wireless Infrastructure and Operations 45

Management vs. Control vs. Data Planes 46

Cloud-Managed Wi-Fi and Gateways 48

Controller Managed Wi-Fi 52

Local Cluster Managed Wi-Fi 53

Remote APs 55

Summary 55

Understanding Data Paths 56

Tunneled 58

Bridged 59

Considerations of Bridging Client Traffic 59

Hybrid and Other Data Path Models 61

Filtering and Segmentation of Traffic 62

Summary 71

Understanding Security Profiles for SSIDs 72

WPA2 and WPA3 Overview 73

Transition Modes and Migration Strategies for Preserving Security 76

Enterprise Mode (802.1X) 77

Personal Mode (Passphrase with PSK/SAE) 87

Open Authentication Networks 94

Chapter 3 Understanding Authentication and Authorization 101

The IEEE 802.1X Standard 102

Terminology in 802.1X 103

High-Level 802.1X Process in Wi-Fi Authentication 105

RADIUS Servers, RADIUS Attributes, and VSAs 107

RADIUS Servers 107

RADIUS Servers and NAC Products 108

Relationship of RADIUS, EAP, and Infrastructure Devices 110

RADIUS Attributes 111

RADIUS Vendor-Specific Attributes 115

RADIUS Policies 116

RADIUS Servers, Clients and Shared Secrets 118

Other Requirements 121

Additional Notes on RADIUS Accounting 122

Change of Authorization and Disconnect Messages 123

EAP Methods for Authentication 127

Outer EAP Tunnels 129

Securing Tunneled EAP 132

Inner Authentication Methods 133

Legacy and Unsecured EAP Methods 137

Recommended EAP Methods for Secure Wi-Fi 138

MAC-Based Authentications 140

MAC Authentication Bypass with RADIUS 140

MAC Authentication Without RADIUS 147

MAC Filtering and Denylisting 147

Certificates for Authentication and Captive Portals 148

RADIUS Server Certificates for 802.1X 148

Endpoint Device Certificates for 802.1X 151

Best Practices for Using Certificates for 802.1X 152

Captive Portal Server Certificates 158

Best Practices for Using Certificates for Captive Portals 159

In Most Cases, Use a Public Root CA Signed Server Certificate 159

Understand the Impact of MAC Randomization on Captive Portals 159

Captive Portal Certificate Best Practices Recap 161

Summary 162

Captive Portal Security 163

Captive Portals for User or Guest Registration 163

Captive Portals for Acceptable Use Policies 165

Captive Portals for BYOD 166

Captive Portals for Payment Gateways 167

Security on Open vs. Enhanced Open Networks 167

Access Control for Captive Portal Processes 167

LDAP Authentication for Wi-Fi 168

The 4-Way Handshake in Wi-Fi 168

The 4-Way Handshake Operation 168

The 4-Way Handshake with WPA2-Personal and WPA3-Personal 170

The 4-Way Handshake with WPA2-Enterprise and WPA3-Enterprise 171

Summary 171

Chapter 4 Understanding Domain and Wi-Fi Design Impacts 173

Understanding Network Services for Wi-Fi 173

Time Sync Services 174

Time Sync Services and Servers 175

Time Sync Uses in Wi-Fi 175

DNS Services 177

DHCP Services 180

DHCP for Wi-Fi Clients 181

Planning DHCP for Wi-Fi Clients 184

DHCP for AP Provisioning 185

Certificates 186

Understanding Wi-Fi Design Impacts on Security 187

Roaming Protocols’ Impact on Security 188

Fast Roaming Technologies 193

System Availability and Resiliency 203

RF Design Elements 205

AP Placement, Channel, and Power Settings 205

Wi-Fi 6E 207

Rate Limiting Wi-Fi 208

Other Networking, Discovery, and Routing Elements 213

Summary 217

Part II Putting It All Together 219

Chapter 5 Planning and Design for Secure Wireless 221

Planning and Design Methodology 222

Discover Stage 223

Architect Stage 224

Iterate Stage 225

Planning and Design Inputs (Define and Characterize) 227

Scope of Work/Project 228

Teams Involved 230

Organizational Security Requirements 233

Current Security Policies 235

Endpoints 236

Users 239

System Security Requirements 239

Applications 240

Process Constraints 240

Wireless Management Architecture and Products 241

Planning and Design Outputs (Design, Optimize, and Validate) 241

Wireless Networks (SSIDs) 247

System Availability 249

Additional Software or Tools 249

Processes and Policy Updates 250

Infrastructure Hardening 251

Correlating Inputs to Outputs 252

Planning Processes and Templates 254

Requirements Discovery Template (Define and Characterize) 254

Sample Network Planning Template (SSID Planner) 261

Sample Access Rights Planning Templates 262

Notes for Technical and Executive Leadership 267

Planning and Budgeting for Wireless Projects 268

Consultants and Third Parties Can Be Invaluable 271

Selecting Wireless Products and Technologies 271

Expectations for Wireless Security 275

Summary 279

Chapter 6 Hardening the Wireless Infrastructure 281

Securing Management Access 282

Enforcing Encrypted Management Protocols 283

Eliminating Default Credentials and Passwords 293

Controlling Administrative Access and Authentication 296

Securing Shared Credentials and Keys 301

Addressing Privileged Access 303

Additional Secure Management Considerations 307

Designing for Integrity of the Infrastructure 308

Managing Configurations, Change Management, and Backups 309

Configuring Logging, Reporting, Alerting, and Automated Responses 313

Verifying Software Integrity for Upgrades and Patches 314

Working with 802.11w Protected Management Frames 316

Provisioning and Securing APs to Manager 321

Adding Wired Infrastructure Integrity 325

Planning Physical Security 331

Locking Front Panel and Console Access on Infrastructure Devices 334

Disabling Unused Protocols 337

Controlling Peer-to- Peer and Bridged Communications 339

A Note on Consumer Products in the Enterprise 339

Blocking Ad-Hoc Networks 341

Blocking Wireless Bridging on Clients 342

Filtering Inter-Station Traffic, Multicast, and mDNS 344

Best Practices for Tiered Hardening 353

Additional Security Configurations 354

Security Monitoring, Rogue Detection, and WIPS 355

Considerations for Hiding or Cloaking SSIDs 356

Requiring DHCP for Clients 359

Addressing Client Credential Sharing and Porting 360

Summary 362

Part III Ongoing Maintenance and Beyond 365

Chapter 7 Monitoring and Maintenance of Wireless Networks 367

Security Testing and Assessments of Wireless Networks 367

Security Audits 368

Vulnerability Assessments 370

Security Assessments 373

Penetration Testing 375

Ongoing Monitoring and Testing 376

Security Monitoring and Tools for Wireless 376

Wireless Intrusion Prevention Systems 377

Recommendations for WIPS 404

Synthetic Testing and Performance Monitoring 405

Security Logging and Analysis 407

Wireless-Specific Tools 410

Logging, Alerting, and Reporting Best Practices 416

Events to Log for Forensics or Correlation 417

Events to Alert on for Immediate Action 419

Events to Report on for Analysis and Trending 422

Troubleshooting Wi-Fi Security 424

Troubleshooting 802.1X/EAP and RADIUS 425

Troubleshooting MAC-based

Authentication 428

Troubleshooting Portals, Onboarding, and Registration 431

Troubleshooting with Protected Management Frames Enabled 431

Training and Other Resources 432

Technology Training Courses and Providers 432

Vendor-Specific Training and Resources 435

Conferences and Community 436

Summary 437

Chapter 8 Emergent Trends and Non-Wi- Fi Wireless 439

Emergent Trends Impacting Wireless 440

Cloud-Managed Edge Architectures 440

Remote Workforce 441

Process Changes to Address Remote Work 443

Recommendations for Navigating a Remote Workforce 444

Bring Your Own Device 445

Zero Trust Strategies 455

Internet of Things 463

Enterprise IoT Technologies and Non-802.11 Wireless 465

IoT Considerations 466

Technologies and Protocols by Use Case 467

Features and Characteristics Impact on Security 502

Other Considerations for Secure IoT Architecture 507

Final Thoughts from the Book 508

Appendix A Notes on Configuring 802.1X with Microsoft NPS 513

Wi-Fi Infrastructure That Supports Enterprise (802.1X) SSID Security Profiles 513

Endpoints That Support 802.1X/EAP 514

A Way to Configure the Endpoints for the Specified Connectivity 515

An Authentication Server That Supports RADIUS 517

Appendix B Additional Resources 521

IETF RFCs 521

IEEE Standards and Documents 522

Wi-Fi Alliance 524

Blog, Consulting, and Book Materials 524

Compliance and Mappings 525

Cyber Insurance and Network Security 528

Appendix C Sample Architectures 531

Architectures for Internal Access Networks 532

Managed User with Managed Device 533

Headless/Non-User- Based Devices 539

Contractors and Third Parties 544

BYOD/Personal Devices with Internal Access 547

Guidance on WPA2-Enterprise and WPA3-Enterprise 549

Guidance on When to Separate SSIDs 550

Architectures for Guest/Internet-only Networks 551

Guest Networks 551

BYOD/Personal Devices with Internet-only Access 553

Determining Length of a WPA3-Personal Passphrase 555

Appendix D Parting Thoughts and Call to Action 559

The Future of Cellular and Wi-Fi 559

MAC Randomization 562

Index 567