- "Do I Know This Already?" Quiz
- Physical Security Measures
- Logical Security Concepts
- Wireless Security Protocols and Authentication
- Malware Removal and Prevention
- Social Engineering Threats and Vulnerabilities
- Microsoft Windows OS Security Settings
- Security Best Practices to Secure a Workstation
- Securing Mobile Devices
- Data Destruction and Disposal
- Configuring Security on SOHO Networks
- Exam Preparation Tasks
- Review All the Key Topics
- Define Key Terms
- Answer Review Questions
Wireless Security Protocols and Authentication
220-1002: Objective 2.3: Compare and contrast wireless security protocols and authentication methods.
Wireless security has evolved over the past few years to adapt to the increasingly available tools that can hack into a wireless network. An administrator cannot safely install a wireless network using the default settings. The following sections describe the security options available on a wireless network.
Protocols and Encryption
An encrypted wireless network relies on the exchange of a passphrase between the client and the wireless access point (WAP) or router before the client can connect to the network. There are several standards for encryption:
WEP: Wired Equivalent Privacy (WEP) was the original encryption standard for wireless Ethernet (WiFi) networks. WEP encryption has aged, however, and is no longer strong enough to resist attacks from hackers. This is because the encryption keys are short, and some of the transmissions for the handshaking process are unencrypted. WEP encryption should not be considered secure for a wireless network.
WPA versions: As a replacement to WEP, WiFi Protected Access (WPA) was developed in 2003. It is available in three strengths:
WPA uses the Temporal Key Integrity Protocol (TKIP) encryption, which was designed to provide better encryption than WEP.
WPA2 was released in 2004 and uses Advanced Encryption Standard (AES) encryption. WPA2’s AES encryption is much stronger than WPA’s; it uses 128-bit blocks and supports variable key lengths of 128, 192, and 256 bits. It allows up to 63 alphanumeric characters (including punctuation marks and other characters) or 64 hexadecimal characters. WPA2 also supports the use of a RADIUS authentication server in corporate environments.
WPA3, which was released in January 2018, uses 128-bit encryption (192-bit in an enterprise version) and has a different method for sharing security keys than the other types of encryption. WPA3 is designed to add better privacy and protection against attacks on public WiFi networks. WPA3 is not currently part of the A+ 220-1002 exam objectives, but its use is expanding as new hardware supporting it becomes common.
TKIP and AES encryption are quite different. TKIP is somewhat like WEP in design so that it can operate on legacy hardware lacking computing power. TKIP is no longer considered secure. AES is much more secure and has been adopted by the U.S. government as the encryption standard.
There are four different authentication methods for access to a wireless network: single-factor, multifactor, RADIUS, and TACACS. These methods also apply to wired networks.
Single-factor authentication is basic username and password access to a computer or network. For years, this was sufficient—and it is still used in many environments. But the rise of online banking and shopping drew more advanced hacking methods, and single-factor authentication is now rare in online commerce.
A multifactor authentication system uses two or more authentication methods and is far more secure than single-factor authentication. An example of this would be a person using a digital code from a fob and typing a username and password to gain access to a system. The combination of the password and the digital token makes it very difficult for imposters to gain access to a system.
As mentioned earlier in the chapter, Google Authenticator is an app that is downloaded to a device and provides a shared secret key. The user can log in with his or her username and password, and the app runs an authenticating algorithm as well. This multifactor authentication is more secure than earlier versions of software tokens, which could be stolen.
Remote Authentication Dial-In User Service (RADIUS) dates back to the days of dial-up modem access to networks in the early 1990s. It has been widely distributed and has been updated over the years and is still in use. A user who wants to access a network or an online service can contact a RADIUS server and enter username and password information when requested. The server authenticates (or declines) the user and advises the network or service to allow the client in (or not).
Terminal Access Controller Access Control System (TACACS) solved a problem that occurred as network use expanded in the 1980s. While the name and acronym seem convoluted, it does describe the function and process pretty well. In early network computing, when a user logged into a network, each time he or she accessed a different resource or host on that network, the user had to re-authenticate. Dial-up was slow, and logging in was a time-consuming process. With TACACS, a user who was already authenticated into the network was automatically logged into other resources in the system as well. The user’s terminal access was taken care of by the network’s access control system.
TACACS in its original form is quite insecure, but it has been updated and re-released in proprietary form by Cisco Systems as TACACS+.