Contents

Each entry gives the section's starting page, followed in parentheses by its page count. Entries whose heading text is not present in the source are marked [heading missing].

Foreword  xxix
Preface  xxxi
Introduction  xxxv

Part I Technical Foundations  1 (218)

Chapter 1 Introduction to Concepts and Relationships  3 (42)
  Roles and Responsibilities  4 (7)
  Network and Wireless Architects  4 (1)
  Security, Risk, and Compliance Roles  5 (3)
  Risk and Compliance Roles  5 (1)
  Chief Information Security Officer Roles  6 (1)
  Security Operations and Analyst Roles  7 (1)
  Identity and Access Management Roles  8 (1)
  Operations and Help Desk Roles  8 (1)
  [heading missing]  9 (1)
  Help Desk and End-User Support Roles  9 (1)
  External and Third Parties  9 (2)
  Technology Manufacturers and Integrators  10 (1)
  Vendor Management and Supply Chain Security Considerations  10 (1)
  Security Concepts for Wireless Architecture  11 (19)
  Security and IAC Triad in Wireless  11 (3)
  Integrity in Secure Wireless Architecture  12 (1)
  Availability in Secure Wireless Architecture  13 (1)
  Confidentiality in Secure Wireless Architecture  13 (1)
  Using the IAC Triad to Your Advantage  14 (1)
  Aligning Wireless Architecture Security to Organizational Risk  14 (3)
  Identifying Risk Tolerance  14 (1)
  Factors Influencing Risk Tolerance  15 (1)
  Assigning a Risk Tolerance Level  15 (2)
  Considering Compliance and Regulatory Requirements  17 (2)
  Compliance Regulations, Frameworks, and Audits  17 (2)
  The Role of Policies, Standards, and Procedures  19 (3)
  [heading missing]  20 (1)
  [heading missing]  20 (1)
  [heading missing]  20 (1)
  Example with Wireless Security  21 (1)
  [heading missing]  22 (1)
  Why and When to Segment Traffic  22 (1)
  Methods to Enforce Segmentation  22 (1)
  [heading missing]  23 (4)
  [heading missing]  24 (1)
  Authentication of Devices  25 (1)
  Authentication of Administrative Users  26 (1)
  Authentication of the Servers (for Captive Portals and/or 802.1X RADIUS)  26 (1)
  Authentication of the Wireless Infrastructure Components  26 (1)
  [heading missing]  27 (3)
  Cryptographic Keys, Key Exchanges, and Key Rotation  27 (1)
  Cryptographic Algorithms and Hashes  27 (1)
  [heading missing]  28 (2)
  Wireless Concepts for Secure Wireless Architecture  30 (13)
  Wireless Standards and Protocols  30 (4)
  Wireless Standards and Technologies  30 (2)
  Generations of 802.11 WLANs  32 (1)
  NAC and IEEE 802.1X in Wireless  33 (1)
  [heading missing]  34 (1)
  [heading missing]  34 (1)
  Personal (Passphrase) Wi-Fi Security  35 (1)
  Enterprise (802.1X) Wi-Fi Security  35 (1)
  [heading missing]  35 (2)
  [heading missing]  36 (1)
  [heading missing]  36 (1)
  [heading missing]  36 (1)
  [heading missing]  37 (1)
  [heading missing]  37 (1)
  Network Topology and Distribution of Users  37 (8)
  [heading missing]  38 (1)
  Remote Branch Environments  39 (1)
  Remote Worker Environments  40 (1)
  The Issue of Connectivity  41 (2)
  [heading missing]  43 (2)

Chapter 2 Understanding Technical Elements  45 (56)
  Understanding Wireless Infrastructure and Operations  45 (11)
  Management vs. Control vs. Data Planes  46 (2)
  [heading missing]  46 (1)
  [heading missing]  46 (1)
  [heading missing]  47 (1)
  Cloud-Managed Wi-Fi and Gateways  48 (4)
  Today's Cloud-Managed Benefits for Enterprise  48 (2)
  Architectures with Cloud Management  50 (1)
  The Role of Gateway Appliances with Cloud-Managed APs  51 (1)
  [heading missing]  52 (1)
  Local Cluster Managed Wi-Fi  53 (2)
  [heading missing]  55 (1)
  [heading missing]  55 (1)
  [heading missing]  56 (16)
  [heading missing]  58 (1)
  [heading missing]  59 (2)
  Considerations of Bridging Client Traffic  59 (2)
  Hybrid and Other Data Path Models  61 (1)
  Filtering and Segmentation of Traffic  62 (9)
  The Role of ACLs and VLANs in Segmentation  62 (1)
  Filtering Traffic within Wireless and Wired Infrastructures  63 (1)
  Filtering with Inter-Station Blocking on Wireless  64 (1)
  Filtering with SSIDs/VLANs on Wireless  65 (1)
  Filtering with ACLs on Wireless  65 (1)
  Controlling Guest Portals with DNS on Wireless  66 (1)
  Filtering with VLANs on Switches  67 (1)
  Filtering with ACLs on Routing Devices  68 (2)
  Filtering with Policies on Firewalls  70 (1)
  Filtering with Network Virtualization Overlay on Wired Infrastructure  71 (1)
  [heading missing]  71 (1)
  Understanding Security Profiles for SSIDs  72 (26)
  [heading missing]  73 (3)
  Security Benefits of Protected Management Frames  75 (1)
  Transition Modes and Migration Strategies for Preserving Security  76 (1)
  [heading missing]  77 (10)
  Planning Enterprise (802.1X) Secured SSIDs  77 (2)
  Untangling the Enterprise (802.1X) SSID Security Options  79 (3)
  Enhancements with WPA3-Enterprise  82 (1)
  WPA3-Enterprise 192-bit Mode  82 (1)
  Deciphering the Acronyms of 192-bit Mode  83 (2)
  WPA2 to WPA3-Enterprise Migration Recommendations  85 (2)
  Personal Mode (Passphrase with PSK/SAE)  87 (7)
  Planning Personal/Passphrase-Secured SSIDs  87 (1)
  Enhancements with WPA3-Personal  88 (4)
  WPA2 to WPA3-Personal Migration Recommendations  92 (2)
  Open Authentication Networks  94 (1)
  Legacy Open Authentication Networks  94 (1)
  Wi-Fi Enhanced Open Networks  95 (3)
  [heading missing]  98 (3)

Chapter 3 Understanding Authentication and Authorization  101 (72)
  [heading missing]  102 (5)
  [heading missing]  103 (2)
  High-Level 802.1X Process in Wi-Fi Authentication  105 (2)
  [heading missing]  106 (1)
  RADIUS Servers, RADIUS Attributes, and VSAs  107 (16)
  [heading missing]  107 (1)
  RADIUS Servers and NAC Products  108 (2)
  Relationship of RADIUS, EAP, and Infrastructure Devices  110 (1)
  [heading missing]  111 (4)
  [heading missing]  111 (2)
  RADIUS Attributes for Dynamic VLANs  113 (2)
  RADIUS Vendor-Specific Attributes  115 (1)
  [heading missing]  116 (2)
  RADIUS Servers, Clients and Shared Secrets  118 (3)
  Specifying RADIUS Clients  118 (2)
  [heading missing]  120 (1)
  [heading missing]  121 (1)
  [heading missing]  121 (1)
  [heading missing]  121 (1)
  [heading missing]  122 (1)
  Additional Notes on RADIUS Accounting  122 (1)
  Change of Authorization and Disconnect Messages  123 (4)
  EAP Methods for Authentication  127 (13)
  [heading missing]  129 (3)
  [heading missing]  129 (1)
  [heading missing]  130 (1)
  [heading missing]  130 (1)
  [heading missing]  131 (1)
  [heading missing]  132 (1)
  Inner Authentication Methods  133 (4)
  [heading missing]  134 (1)
  [heading missing]  135 (1)
  [heading missing]  135 (1)
  [heading missing]  136 (1)
  Legacy and Unsecured EAP Methods  137 (1)
  Recommended EAP Methods for Secure Wi-Fi  138 (2)
  MAC-Based Authentications  140 (8)
  MAC Authentication Bypass with RADIUS  140 (7)
  Overview of Typical MAB Operations  142 (1)
  Vendor Variations of MAC Operations  142 (1)
  Security Considerations for MAB  143 (2)
  Recommendations when Using MAB  145 (2)
  MAC Authentication Without RADIUS  147 (1)
  MAC Filtering and Denylisting  147 (1)
  Certificates for Authentication and Captive Portals  148 (15)
  RADIUS Server Certificates for 802.1X  148 (3)
  Endpoint Device Certificates for 802.1X  151 (1)
  Best Practices for Using Certificates for 802.1X  152 (6)
  Never Use Wildcard Certificates  153 (1)
  Never Use Self-Signed Certificates  153 (1)
  Always Validate Server Certificates  154 (1)
  Most Often, Use Domain-Issued Certificates for RADIUS Servers  154 (3)
  Use Revocation Lists, Especially for Endpoint Certificates  157 (1)
  Captive Portal Server Certificates  158 (1)
  Best Practices for Using Certificates for Captive Portals  159 (3)
  In Most Cases, Use a Public Root CA Signed Server Certificate  159 (1)
  Understand the Impact of MAC Randomization on Captive Portals  159 (2)
  Captive Portal Certificate Best Practices Recap  161 (1)
  [heading missing]  162 (1)
  [heading missing]  163 (5)
  Captive Portals for User or Guest Registration  163 (2)
  Guest Self-Registration Without Verification  163 (1)
  Guest Self-Registration with Verification  163 (1)
  Guest Sponsored Registration  164 (1)
  Guest Pre-Approved Registration  164 (1)
  [heading missing]  164 (1)
  Captive Portals for Acceptable Use Policies  165 (1)
  [heading missing]  166 (1)
  Captive Portals for Payment Gateways  167 (1)
  Security on Open vs. Enhanced Open Networks  167 (1)
  Access Control for Captive Portal Processes  167 (1)
  LDAP Authentication for Wi-Fi  168 (1)
  The 4-Way Handshake in Wi-Fi  168 (3)
  The 4-Way Handshake Operation  168 (2)
  The 4-Way Handshake with WPA2-Personal and WPA3-Personal  170 (1)
  The 4-Way Handshake with WPA2-Enterprise and WPA3-Enterprise  171 (1)
  [heading missing]  171 (2)

Chapter 4 Understanding Domain and Wi-Fi Design Impacts  173 (46)
  Understanding Network Services for Wi-Fi  173 (14)
  [heading missing]  174 (3)
  Time Sync Services and Servers  175 (1)
  [heading missing]  175 (2)
  [heading missing]  177 (3)
  DNS for Wi-Fi Clients and Captive Portals  177 (2)
  [heading missing]  179 (1)
  [heading missing]  179 (1)
  [heading missing]  180 (6)
  [heading missing]  181 (3)
  Planning DHCP for Wi-Fi Clients  184 (1)
  [heading missing]  185 (1)
  [heading missing]  186 (1)
  Understanding Wi-Fi Design Impacts on Security  187 (30)
  Roaming Protocols' Impact on Security  188 (5)
  Roaming Impact on Latency-Sensitive Applications  189 (1)
  Roaming and Key Exchanges on WPA-Personal Networks  190 (1)
  Roaming and Key Exchanges on WPA-Enterprise Networks  191 (2)
  Fast Roaming Technologies  193 (10)
  [heading missing]  193 (1)
  [heading missing]  194 (2)
  Opportunistic Key Caching  196 (1)
  [heading missing]  197 (1)
  Summary of Fast Roaming Protocols  198 (1)
  Support for Fast Transition and Other Roaming  199 (1)
  Changes in Roaming Facilitation with WPA3 and Enhanced Open Networks  200 (1)
  Recommendations for Fast Roaming in Secure Wi-Fi  201 (2)
  System Availability and Resiliency  203 (2)
  Uptime, High Availability, and Scheduled Downtime  203 (1)
  Scheduled Maintenance and Testing  203 (1)
  AP Port Uplink Redundancy  204 (1)
  [heading missing]  205 (8)
  AP Placement, Channel, and Power Settings  205 (2)
  [heading missing]  207 (1)
  [heading missing]  208 (5)
  Other Networking, Discovery, and Routing Elements  213 (9)
  [heading missing]  213 (3)
  [heading missing]  216 (1)
  Dynamic Routing Protocols  217 (1)
  Layer 3 Roaming Mobility Domains  217 (1)
  [heading missing]  217 (2)

Part II Putting It All Together  219 (146)

Chapter 5 Planning and Design for Secure Wireless  221 (60)
  Planning and Design Methodology  222 (5)
  [heading missing]  223 (1)
  [heading missing]  223 (1)
  [heading missing]  224 (1)
  [heading missing]  224 (1)
  [heading missing]  225 (1)
  [heading missing]  225 (2)
  [heading missing]  226 (1)
  [heading missing]  227 (1)
  Planning and Design Inputs (Define and Characterize)  227 (14)
  [heading missing]  228 (2)
  [heading missing]  230 (3)
  CISO, Risk, or Compliance Officer  231 (1)
  [heading missing]  231 (1)
  Identity and Access Management Team  231 (1)
  Network Architect and Network Operations Team  232 (1)
  [heading missing]  232 (1)
  [heading missing]  232 (1)
  Other System or Application Owners  232 (1)
  Vendors, Integrators, and Other Contractors  233 (1)
  Organizational Security Requirements  233 (2)
  Current Security Policies  235 (1)
  [heading missing]  236 (3)
  [heading missing]  236 (1)
  [heading missing]  236 (1)
  [heading missing]  236 (1)
  [heading missing]  237 (1)
  [heading missing]  237 (1)
  [heading missing]  237 (1)
  [heading missing]  237 (1)
  [heading missing]  238 (1)
  [heading missing]  238 (1)
  [heading missing]  238 (1)
  [heading missing]  239 (1)
  [heading missing]  239 (1)
  System Security Requirements  239 (1)
  [heading missing]  240 (1)
  [heading missing]  240 (1)
  Wireless Management Architecture and Products  241 (1)
  Planning and Design Outputs (Design, Optimize, and Validate)  241 (11)
  Wireless Connectivity Technology  241 (1)
  Endpoint Capability Requirements  242 (1)
  Wireless Management Model and Products  243 (1)
  RF Design and AP Placement  244 (1)
  [heading missing]  244 (1)
  [heading missing]  245 (1)
  Wired Infrastructure Requirements  245 (2)
  Domain and Network Services  247 (1)
  Wireless Networks (SSIDs)  247 (2)
  [heading missing]  249 (1)
  Additional Software or Tools  249 (1)
  Processes and Policy Updates  250 (1)
  [heading missing]  251 (1)
  Correlating Inputs to Outputs  252 (2)
  Planning Processes and Templates  254 (13)
  Requirements Discovery Template (Define and Characterize)  254 (7)
  Sample Enterprise Requirements Discovery Template  255 (2)
  Sample Healthcare Requirements Discovery Template  257 (2)
  Defining BYOD in Your Organization  259 (2)
  Sample Network Planning Template (SSID Planner)  261 (1)
  Sample Access Rights Planning Templates  262 (5)
  Sample Access Rights Planner for NAC  264 (1)
  Sample Access Rights Planner for NAC in Higher Education  265 (1)
  Sample Simplified Access Rights Planner  266 (1)
  Notes for Technical and Executive Leadership  267 (12)
  Planning and Budgeting for Wireless Projects  268 (3)
  Involve Wireless Architects Early to Save Time and Money  268 (1)
  Collaboration Is King for Zero Trust and Advanced Security Programs  268 (1)
  Stop Planning 1:1 Replacements of APs  269 (1)
  Penny Pinching on AP Quantities Sacrifices Security  269 (1)
  Always Include Annual Budget for Training and Tools  270 (1)
  Consultants and Third Parties Can Be Invaluable  271 (1)
  Selecting Wireless Products and Technologies  271 (4)
  Wi-Fi Isn't the Only Wireless Technology  272 (1)
  The Product Your Peer Organization Uses May Not Work for You  273 (1)
  Don't Buy Into Vendor or Analyst Hype  273 (1)
  Interoperability Is More Important Now than Ever  274 (1)
  Expectations for Wireless Security  275 (7)
  Consider PSK Networks to Be the "New WEP"  275 (1)
  You're Not as Secure as You Think  276 (1)
  Get Control of Privileged Access, Especially Remote  277 (1)
  Make Sure You've Addressed BYOD  278 (1)
  [heading missing]  279 (2)

Chapter 6 Hardening the Wireless Infrastructure  281 (84)
  Securing Management Access  282 (26)
  Enforcing Encrypted Management Protocols  283 (10)
  Generating Keys and Certificates for Encrypted Management  283 (4)
  [heading missing]  287 (2)
  [heading missing]  289 (2)
  Enabling Secure File Transfers  291 (1)
  Enabling SNMPv3 vs. SNMPv2c  291 (2)
  Eliminating Default Credentials and Passwords  293 (3)
  Changing Default Credentials on Wireless Management  293 (2)
  Changing Default Credentials on APs  295 (1)
  Removing Default SNMP Strings  296 (1)
  Controlling Administrative Access and Authentication  296 (5)
  Enforcing User-Based Logons  297 (2)
  Creating a Management VLAN  299 (2)
  Defining Allowed Management Networks  301 (1)
  Securing Shared Credentials and Keys  301 (2)
  Addressing Privileged Access  303 (4)
  Securing Privileged Accounts and Credentials  303 (2)
  Privileged Access Management  305 (1)
  [heading missing]  306 (1)
  Additional Secure Management Considerations  307 (1)
  Designing for Integrity of the Infrastructure  308 (31)
  Managing Configurations, Change Management, and Backups  309 (4)
  Configuration Change Management  309 (3)
  [heading missing]  312 (1)
  Configuration Backups and Rollback Support  312 (1)
  Monitoring and Alerting for Unauthorized Changes  313 (1)
  Configuring Logging, Reporting, Alerting, and Automated Responses  313 (1)
  Verifying Software Integrity for Upgrades and Patches  314 (2)
  Verifying Software Integrity  314 (1)
  Upgrades and Security Patches  315 (1)
  Working with 802.11w Protected Management Frames  316 (5)
  [heading missing]  317 (1)
  [heading missing]  317 (1)
  [heading missing]  318 (1)
  [heading missing]  319 (1)
  WPA3, Transition Modes, and 802.11w  319 (1)
  Caveats and Considerations for 802.11w  320 (1)
  Provisioning and Securing APs to Manager  321 (4)
  Approving or Allowlisting APs  322 (2)
  Using Certificates for APs  324 (1)
  Enabling Secure Tunnels from APs to Controller or Tunnel Gateway  324 (1)
  Addressing Default AP Behavior  325 (1)
  Adding Wired Infrastructure Integrity  325 (6)
  Authenticating APs to the Edge Switch  326 (3)
  Specifying Edge Port VLANs  329 (2)
  Planning Physical Security  331 (6)
  Securing Access to Network Closets  331 (1)
  Securing Access to APs and Edge Ports  332 (2)
  Locking Front Panel and Console Access on Infrastructure Devices  334 (3)
  Disabling Unused Protocols  337 (2)
  Controlling Peer-to-Peer and Bridged Communications  339 (14)
  A Note on Consumer Products in the Enterprise  339 (2)
  [heading missing]  341 (1)
  Blocking Wireless Bridging on Clients  342 (2)
  Filtering Inter-Station Traffic, Multicast, and mDNS  344 (10)
  SSID Inter-Station Blocking  344 (2)
  Peer-Based Zero Configuration Networking  346 (1)
  Disabling and Filtering Bonjour and mDNS Protocols  347 (3)
  Disabling and Filtering UPnP Protocols  350 (1)
  A Message on mDNS and Zeroconf from a Pen Tester  351 (1)
  Recommendations for Securing Against Zeroconf Networking  352 (1)
  Best Practices for Tiered Hardening  353 (1)
  Additional Security Configurations  354 (8)
  Security Monitoring, Rogue Detection, and WIPS  355 (1)
  Considerations for Hiding or Cloaking SSIDs  356 (3)
  Requiring DHCP for Clients  359 (1)
  Addressing Client Credential Sharing and Porting  360 (2)
  [heading missing]  362 (3)

Part III Ongoing Maintenance and Beyond  365 (148)

Chapter 7 Monitoring and Maintenance of Wireless Networks  367 (72)
  Security Testing and Assessments of Wireless Networks  367 (9)
  [heading missing]  368 (2)
  Vulnerability Assessments  370 (3)
  Internal Vulnerability Assessment  372 (1)
  External Vulnerability Assessment  373 (1)
  [heading missing]  373 (2)
  [heading missing]  375 (1)
  Ongoing Monitoring and Testing  376 (1)
  Security Monitoring and Tools for Wireless  376 (40)
  Wireless Intrusion Prevention Systems  377 (28)
  WIDS vs. WIPS vs. Wired IPS  377 (1)
  [heading missing]  378 (1)
  Integrated vs. Overlay vs. Dedicated  379 (5)
  Attacks WIPS Can Detect and Prevent  384 (8)
  Wireless Rogues and Neighbors  392 (4)
  WIPS Mitigation and Containment  396 (2)
  Legal Considerations of Over-the-Air Mitigation  398 (2)
  Spectrum Analyzers and Special-Purpose Monitoring  400 (4)
  [heading missing]  404 (1)
  Synthetic Testing and Performance Monitoring  405 (2)
  Security Logging and Analysis  407 (3)
  [heading missing]  408 (1)
  Security Event Correlation and Analysis  408 (2)
  [heading missing]  410 (6)
  [heading missing]  410 (2)
  RF Design and Survey Software  412 (3)
  Network Protocol Analyzers  415 (1)
  Testing and Troubleshooting Applications  415 (1)
  Logging, Alerting, and Reporting Best Practices  416 (8)
  Events to Log for Forensics or Correlation  417 (2)
  [heading missing]  418 (1)
  [heading missing]  418 (1)
  Client Security and Other WIPS  418 (1)
  Events to Alert on for Immediate Action  419 (3)
  [heading missing]  419 (1)
  [heading missing]  420 (1)
  Client Security and Other WIPS  421 (1)
  Events to Report on for Analysis and Trending  422 (2)
  [heading missing]  423 (1)
  [heading missing]  423 (1)
  Client Security and Other WIPS  424 (1)
  Troubleshooting Wi-Fi Security  424 (8)
  Troubleshooting 802.1X/EAP and RADIUS  425 (3)
  [heading missing]  425 (1)
  [heading missing]  426 (2)
  Troubleshooting MAC-based Authentication  428 (3)
  [heading missing]  429 (1)
  MAC Authentication Bypass AAA Settings  429 (1)
  Settings on the RADIUS and Directory Servers  430 (1)
  Troubleshooting Portals, Onboarding, and Registration  431 (1)
  Troubleshooting with Protected Management Frames Enabled  431 (1)
  Training and Other Resources  432 (5)
  Technology Training Courses and Providers  432 (3)
  Wi-Fi Training and Certification  433 (1)
  IoT Wireless Training and Certification  434 (1)
  Network and Cyber Security Training  435 (1)
  Vendor-Specific Training and Resources  435 (1)
  Conferences and Community  436 (1)
  [heading missing]  437 (2)

Chapter 8 Emergent Trends and Non-Wi-Fi Wireless  439 (74)
  Emergent Trends Impacting Wireless  440 (25)
  Cloud-Managed Edge Architectures  440 (1)
  [heading missing]  441 (4)
  Challenges Supporting Work from Home and Remote Users  442 (1)
  Balancing Additional Work and the Tech Talent Shortage  443 (1)
  Process Changes to Address Remote Work  443 (1)
  Recommendations for Navigating a Remote Workforce  444 (1)
  [heading missing]  445 (10)
  Stats on BYOD and Policies  445 (1)
  Other Models for Ownership, Management, and Use  446 (2)
  Further Defining BYOD in Your Organization  448 (1)
  Legal Considerations for BYOD  449 (2)
  Technical Considerations for Securing BYOD  451 (1)
  Recommendations for Securing BYOD  452 (3)
  [heading missing]  455 (8)
  The Current State of Zero Trust  455 (1)
  [heading missing]  456 (1)
  Types of Zero Trust Products  457 (3)
  Segmentation Enforcement Models  460 (2)
  Zero Trust Strategy's Impact on Wireless  462 (1)
  [heading missing]  463 (2)
  [heading missing]  463 (2)
  [heading missing]  465 (1)
  [heading missing]  465 (1)
  Enterprise IoT Technologies and Non-802.11 Wireless  465 (43)
  [heading missing]  466 (1)
  Technologies and Protocols by Use Case  467 (35)
  [heading missing]  468 (2)
  [heading missing]  470 (5)
  Smart Building and Home Automation  475 (2)
  [heading missing]  477 (4)
  Private Cellular and Cellular LANs  481 (18)
  [heading missing]  499 (2)
  [heading missing]  501 (1)
  Features and Characteristics Impact on Security  502 (5)
  Physical Layer and RF Spectrums  503 (1)
  [heading missing]  504 (1)
  [heading missing]  505 (1)
  Topology and Connectivity  506 (1)
  Other Considerations for Secure IoT Architecture  507 (1)
  Final Thoughts from the Book  508 (5)

Appendix A Notes on Configuring 802.1X with Microsoft NPS  513 (8)
  Wi-Fi Infrastructure That Supports Enterprise (802.1X) SSID Security Profiles  513 (1)
  Endpoints That Support 802.1X/EAP  514 (1)
  A Way to Configure the Endpoints for the Specified Connectivity  515 (2)
  An Authentication Server That Supports RADIUS  517 (4)

Appendix B Additional Resources  521 (10)
  [heading missing]  521 (1)
  Navigating and Reading RFCs  521 (1)
  [heading missing]  522 (1)
  IEEE Standards and Documents  522 (2)
  Navigating and Reading IEEE Standards  523 (1)
  [heading missing]  523 (1)
  [heading missing]  523 (1)
  [heading missing]  524 (1)
  Blog, Consulting, and Book Materials  524 (1)
  [heading missing]  525 (3)
  NIST SP 800-53 and ISO 27001  525 (3)
  PCI Data Security Standards  528 (1)
  Cyber Insurance and Network Security  528 (3)

Appendix C Sample Architectures  531 (28)
  Architectures for Internal Access Networks  532 (19)
  Managed User with Managed Device  533 (6)
  [heading missing]  533 (1)
  High-Security Architecture  534 (2)
  Medium-Security Architecture  536 (2)
  Low-Security Architecture  538 (1)
  Headless/Non-User-Based Devices  539 (5)
  [heading missing]  540 (1)
  High-Security Architecture  540 (2)
  Medium-Security Architecture  542 (1)
  Low-Security Architecture  543 (1)
  Contractors and Third Parties  544 (3)
  [heading missing]  545 (1)
  High-Security Architecture  545 (1)
  Medium-Security Architecture  546 (1)
  Low-Security Architecture  547 (1)
  BYOD/Personal Devices with Internal Access  547 (2)
  [heading missing]  547 (1)
  High-Security Architecture  548 (1)
  Medium-Security Architecture  548 (1)
  Low-Security Architecture  549 (1)
  Guidance on WPA2-Enterprise and WPA3-Enterprise  549 (1)
  Migrating from WPA2-Enterprise to WPA3-Enterprise  549 (1)
  Supporting WPA2-Enterprise with WPA3-Enterprise  550 (1)
  Guidance on When to Separate SSIDs  550 (1)
  Architectures for Guest/Internet-only Networks  551 (8)
  [heading missing]  551 (2)
  [heading missing]  551 (1)
  High-Security Architecture  552 (1)
  Medium-Security Architecture  552 (1)
  Low-Security Architecture  553 (1)
  BYOD/Personal Devices with Internet-only Access  553 (2)
  [heading missing]  553 (1)
  High-Security Architecture  554 (1)
  Medium-Security Architecture  555 (1)
  Low-Security Architecture  555 (1)
  Determining Length of a WPA3-Personal Passphrase  555 (4)
  Why Passphrase Length Matters  555 (1)
  Considerations for Passphrase Length  556 (1)
  Recommendations for Passphrase Lengths  557 (2)

Appendix D Parting Thoughts and Call to Action  559 (8)
  The Future of Cellular and Wi-Fi  559 (3)
  Cellular Carrier Use of Unlicensed Spectrum  559 (1)
  Cellular Neutral Host Networks  560 (2)
  [heading missing]  562 (5)
  The Purpose of MAC Randomization  562 (1)
  How MAC Randomization Works  562 (1)
  The Future of Networking with MAC Randomization  563 (1)
  Security, Industry, and The Great Compromise  564 (3)

Index  567