If you plan on taking the Security+ exam you should have a basic understanding of securing wireless networks. Much of this knowledge crosses over from Network+ but the Security+ exam focuses more on the security. Many blogs on this site include information on ports and port scanners determine what ports are open and in turn, what protocols or services are running on a system.
Securing Wireless Networks with Security Protocols
Since wireless networks broadcast over the air, anyone who has a wireless transceiver can intercept the transmissions. You can secure wireless networks with several different steps, but the most important step is to implement a security protocol. As an introduction, the available security protocols are:
- WEP. Considered compromised and should not be used
- WPA. Considered compromised, but stronger with AES (instead of TKIP)
- WPA2. Current standard and provides best security when used in Enterprise mode (with an 802.1X or RADIUS server)
Securing Wireless Networks with WEP
Wired Equivalent Privacy (WEP) was the original security protocol used to secure wireless networks. As the name implies, the goal was to provide the same level of privacy and security within a wireless network as you’d have in a wired network.
Unfortunately, WEP has significant vulnerabilities, and tools are widely available to break into WEP-protected networks. Due to the widely published vulnerabilities of WEP, it was deprecated in 2004. WPA was identified as an interim replacement, and WPA2 is a permanent replacement.
An important concept is that most encryption methods use both an algorithm and a key. Encryption algorithms are widely known, but the keys should be kept secret and changed regularly.
WEP uses the RC4 stream cipher for encryption of transmitted data. An important implementation rule with any stream cipher is that encryption keys should never be reused. A single key can encrypt and decrypt data, but if encryption always uses the same key to decrypt and decrypt the data, it becomes relatively easy for an attacker to crack the key and read the data. Even if the encryption reuses a key just once, it increases the ability of an attacker to crack it.
Remember this
WEP is weak and should not be used. It has several problems including the misuse of encryption keys with the otherwise secure RC4 symmetric encryption protocol. In an IV attack, the attacker uses packet injection, increasing the number of packets to analyze, and discovers the encryption key.
Securing Wireless Networks with WPA
Wi-Fi Protected Access (WPA) was an intermediate replacement for WEP. It provided an immediate solution to the weaknesses of WEP without requiring users to upgrade their hardware. Even when WPA replaced WEP, its developers recognized that WPA wasn’t solid enough to last for an extended period. Instead, WPA improved wireless security by giving users an alternative to WEP with existing hardware while the developers worked on creating the stronger WPA2 protocol.
When first released, WPA used RC4 stream encryption with Temporal Key Integrity Protocol (TKIP). This is the same RC4 that WEP implemented incorrectly resulting in vulnerabilities. However, TKIP implemented it correctly and did a better job of managing the encryption keys. Even though TKIP helped correct several of WEPs flaws, it was ultimately cracked.
Later implementations of WPA can use Advanced Encryption Standard (AES) instead of TKIP. Chapter 10 presents in AES in more depth, but in short, it is a very strong and efficient encryption algorithm. Many applications beyond WPA2 use AES to provide secure encryption and ensure confidentiality.
A benefit of TKIP is that it didn’t require new hardware. WEP users could upgrade software and/or firmware and implement WPA with TKIP without the need to replace the hardware. Newer hardware supports WPA2, so the usage of WPA and TKIP is waning. However, you may still see some legacy hardware using WEP, WPA, and TKIP. Several people have been successful at cracking WPA with TKIP, so whenever possible, it’s best to upgrade WPA to WPA2, or at least upgrade TKIP to AES.
Securing Wireless Networks with WPA2
Wi-Fi Protected Access v2 (WPA2) is the permanent replacement for WEP and WPA. WPA2 (also known as IEEE 802.11i) uses stronger cryptography than both WEP and WPA. The Wi-Fi Alliance requires all devices carrying its WI-FI CERTIFIED logo to meet WPA2 standards.
WPA2 supports Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which is based on AES. In contrast, the first implementation of WPA used TKIP with RC4, and later implementations used AES. WPA2 also uses much more secure methods of managing the encryption keys.
Remember this
WPA provided an immediate replacement for WEP, and it didn’t require the replacement of hardware. WPA2 is a permanent replacement of WEP and is recommended for use instead of WEP or WPA. WPA2 supports CCMP (based on AES), which is much stronger than the older TKIP protocol.
While WPA2 provides significant security improvements over previous wireless encryptions, some enterprises need stronger security. Another step you can take is to enable authentication with Enterprise mode.
Securing Wireless Networks with Personal and Enterprise Modes
Both WPA and WPA2 operate in either Personal or Enterprise modes, and Enterprise mode provides additional security by adding authentication. As a reminder, authentication (presented in chapter 1) proves a userss identity with the use of credentials such as a username and password.
Personal mode uses a preshared key (PSK) and is rather simple to implement. You simply enter the same PSK in each of the wireless devices as you enter in the WAP. In this way, anyone with the PSK can access the wireless network. WPA-PSK or WPA2-PSK indicates Personal mode.
However, each of these users access the network anonymously, since a single PSK used by all users does not provide unique identification. In contrast, if users have usernames and passwords, the usernames provides identification of the users, and the passwords provide proof that the users are who they claim to be.
Enterprise mode (also called 802.1X mode) uses an 802.1X server (introduced in chapter 1) to provide authentication. In a wireless network, it acts like a RADIUS server, providing central authentication for the wireless clients. 802.1X servers can use multiple methods of authentication from simple usernames and passwords, to extensible authentication protocols (EAP) such as LEAP and PEAP.
Wireless authentication systems are more advanced than most home networks need, but many larger organizations use them. In other words, most home networks will use Personal mode while many organizations will use Enterprise mode to increase security. A combination of both a security protocol such as WPA2 and an 802.1X authentication server significantly reduces the chance of a successful access attack against a wireless system. Even WPA Enterprise using AES provides stronger security than WPA2-PSK.
 | Pass the First Time! |
Up-to-date Content
New multiple-choice and performance-based questions added regularly
Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.Buy The Full Access Study Package Today
60 Days Access
Need more time? You can easily renew for another 60 days at a significantly reduced price.
All materials are available online shortly after making your payment.
Get the Security+ Full Access Study Package Here
Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.
This exam is expensive.
Make sure you’re ready before exam day.
Here’s what you’ll get:- All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
- Over 40 new multiple-choice questions we’ve added after publishing the study guide.
- Over 30 performance-based questions. See a demo here.
- All of the flashcards from the study guide. View them in any Web browser.
- All of the audio from the study guide. Listen to a sample here.
- Access to a free discount code for 10% off your Security+ voucher.
Buy The Full Access Study Package Today
60 Days Access
All materials are available online shortly after making your payment.
Remember this
Personal mode (or WPA-PSK and WPA2-PSK) uses a preshared key and does not provide individual authentication. WPA/WPA2 Enterprise mode is more secure than Personal mode, and it provides strong authentication. Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.
Similarly, some hotels and resorts use pay-as-you-go Wi-Fi access. For example, some Las Vegas hotels and Walt Disney resorts have wireless access for $15 per day. If you choose to pay for this service, you create an account with a username and password. To access the wireless network, you authenticate with these credentials.
| Pass the First Time! |
Up-to-date Content
New multiple-choice and performance-based questions added regularly
Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.Buy The Full Access Study Package Today
60 Days Access
Need more time? You can easily renew for another 60 days at a significantly reduced price.
All materials are available online shortly after making your payment.
Get the Security+ Full Access Study Package Here
Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.
This exam is expensive.
Make sure you’re ready before exam day.
Here’s what you’ll get:- All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
- Realistic SY0-601 Security+ Practice Test Questions
- Performance-based questions.
- All of the flashcards from the study guide. View them in any Web browser. See demo here
- All of the audio from the study guide.
- Access to a free discount code for 10% off your Security+ voucher.
Buy The Full Access Study Package Today
60 Days Access
All materials are available online shortly after making your payment.
Other Security+ Study Resources
- Security+ blogs organized by categories
- Security+ blogs with free practice test questions
- Security+ blogs on new performance based questions
- Mobile Apps: Apps for mobile devices running iOS or Android
- Audio Files: (Learn by listening with over 4 1/2 hours of audio on Security+ topics)
- Flashcards: 31 Security+ Topic flashcards and 17 Security+ acronyms flashcards (free samples)
- Quality Practice Test Questions: Over 475 quality Security+ practice test questions with full explanations
- Full Security+ Study Packages: Quality practice test questions, audio, and Flashcards)
