CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
2. Page 2
Instructor, PACE-IT Program – Edmonds Community College
Areas of Expertise Industry Certifications
PC Hardware
Network Administration
IT Project Management
Network Design
User Training
IT Troubleshooting
Qualifications Summary
Education
M.B.A., IT Management, Western Governor’s University
B.S., IT Security, Western Governor’s University
Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions.
Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.
3. Page 3
– The unique challenge of wireless.
– Security for wireless.
PACE-IT.
5. Page 5
Wireless networks can represent a special challenge in the network hardening process.
End users will often install their own access point (AP) for
convenience, allowing them to connect to the network
wirelessly on their own. These rogue APs can create a
vulnerability in the network as a whole.
Conducting periodic site surveys, using a combination of
hardware and software, can help to locate rogue APs so they
can be removed. Site surveys can also be used to ensure that
wireless network signals are only present where they should
be. The only wireless signals that should be present in any
environment are those that are authorized.
Wireless security considerations.
7. Page 7
– Default usernames and passwords.
» All networking devices come with a default administrator
username and password.
» A best practice is to change or disable the default administrator
username and password when setting up the device.
– SSID (service set identifier) broadcasts.
» A wireless access point (WAP) will broadcast the names (i.e.,
the SSIDs) of available networks.
• By default, the SSID is broadcast in clear text, creating a
vulnerability.
» A best practice is to set the WAP to hide the SSID beaconing;
this will prevent the casual user from seeing the wireless
network.
• Even with the beacon set to be hidden, with the proper
hardware and software, an attacker can still read the
broadcasts.
Wireless security considerations.
8. Page 8
– Device placement.
» WAPs with omnidirectional antennas should be placed at the
center of the desired coverage area.
• Omnidirectional antennas broadcast in all directions uniformly.
» WAPs with directional antennas can be placed toward the edge
of the desired coverage area.
• Directional antennas broadcast in a specific direction only.
– Power level controls.
» Most WAPs come with the ability to adjust the power levels of
the RF signal.
• RF power levels should be set to reduce (or increase) the
wireless coverage area to what is desired.
– MAC filtering.
» All WAPs come with the ability to limit which Layer 2 MAC
addresses can connect to the wireless network.
• While this can increase the security of the wireless network,
MAC addresses can be spoofed.
• MAC filtering may not be appropriate in all situations.
Wireless security considerations.
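To show how the antenna and power-level choices above translate into a coverage area, here is an added Python example (it is not code from the PACE-IT slides). It applies the log-distance path-loss model with free-space loss at a 1 m reference distance; the path-loss exponent (3.0 for an obstructed office), receiver sensitivity (-70 dBm) and antenna gains are assumed illustrative values rather than measurements, and the function names are the example's own.

```python
"""Estimate how a WAP's transmit power level maps to its coverage radius.

Added example, not part of the PACE-IT slides.  Uses the log-distance
path-loss model with free-space loss at a 1 m reference distance; the
path-loss exponent, receiver sensitivity and antenna gains are assumed values
chosen to illustrate the slide's point, not measurements from a real site.
"""
import math

SPEED_OF_LIGHT = 299_792_458.0  # metres per second


def fspl_db(distance_m, freq_hz):
    """Free-space path loss in dB at the given distance and carrier frequency."""
    return (20 * math.log10(distance_m)
            + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / SPEED_OF_LIGHT))


def coverage_radius_m(tx_power_dbm, freq_hz=2.4e9, path_loss_exponent=3.0,
                      rx_sensitivity_dbm=-70.0, antenna_gain_dbi=0.0):
    """Distance at which the received signal just reaches rx_sensitivity_dbm.

    path_loss_exponent 2.0 is free space; 3.0 approximates an obstructed
    office (assumed).  antenna_gain_dbi models a directional antenna's extra
    gain along its main lobe; an omnidirectional antenna radiates uniformly,
    so it is modelled here with ~0 dBi.
    """
    reference_loss = fspl_db(1.0, freq_hz)          # loss at d0 = 1 m
    link_budget = (tx_power_dbm + antenna_gain_dbi
                   - rx_sensitivity_dbm - reference_loss)
    return 10 ** (link_budget / (10 * path_loss_exponent))


def required_tx_power_dbm(target_radius_m, freq_hz=2.4e9, path_loss_exponent=3.0,
                          rx_sensitivity_dbm=-70.0, antenna_gain_dbi=0.0):
    """Inverse: transmit power that places the coverage edge at target_radius_m."""
    path_loss = (fspl_db(1.0, freq_hz)
                 + 10 * path_loss_exponent * math.log10(target_radius_m))
    return rx_sensitivity_dbm + path_loss - antenna_gain_dbi


def power_sweep(levels_dbm=(20, 17, 14, 11, 8)):
    """Coverage radius (rounded to 0.1 m) for each candidate power level."""
    return {p: round(coverage_radius_m(p), 1) for p in levels_dbm}


if __name__ == "__main__":
    # Each 10 dB cut shrinks the radius by a factor of 10^(10 / (10 * n)).
    for p, r in power_sweep().items():
        print(f"{p:>3} dBm -> ~{r} m radius")
    print(f"a ~25 m radius needs about {required_tx_power_dbm(25.0):.1f} dBm")
```

The sweep makes the slide's point concrete: with exponent 3, dropping the radio from 20 dBm to 10 dBm cuts the usable radius by roughly a factor of 2.15, which is the lever used to keep the signal inside the building rather than in the parking lot. Swapping to a directional antenna is modelled by raising antenna_gain_dbi, which extends reach along the lobe only.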
9. Page 9
– WEP (Wired Equivalent Privacy).
» An older encryption standard that utilized a pre-shared key
(PSK) to encrypt messages between the WAP and the
connecting device.
• Used the RC4 algorithm for the encryption.
» It is easily broken (cracked) and should not be used.
– WPA (Wireless Protected Access).
» An older encryption standard used as an intermediate
replacement for WEP.
» Introduced TKIP (Temporal Key Integrity Protocol) as an
additional security measure.
• TKIP creates a new security key for every packet that is sent.
» It can be broken and should not be used, unless absolutely
necessary.
Wireless security considerations.
10. Page 10
– WPA2-Personal.
» The current wireless encryption standard for the home or small
business utilizing a PSK.
• Introduced Counter Mode Cipher Block Chaining Message
Authentication Code Protocol (CCMP) with Advanced
Encryption Standard (AES) as a means of addressing the
weaknesses present in WEP and WPA.
» Cannot be easily cracked, but given enough time and
computing resources, it can also be broken.
– WPA2-Enterprise.
» The current wireless encryption standard for larger businesses.
» Users are required to be authenticated before being allowed to
connect to the wireless network.
• Authentication can occur using different methods that fall
within the 802.1x standard.
» The WAP will pass requests to log on to an authentication
server (commonly a RADIUS server) to authenticate the user
before allowing access.
Wireless security considerations.
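A site survey (page 5) only helps if what was observed is reconciled against what was authorized, and the encryption modes above give a checklist for the authorized APs. The following Python is an added example, not code from the PACE-IT slides: it takes constructed scan records and a constructed inventory (the ScanRecord, Finding, audit_survey and summarize names are the example's own), flags any BSSID not in inventory as rogue, flags authorized APs still running OPEN, WEP or WPA-TKIP, and records hidden-SSID APs as informational because, as page 7 notes, the beacon is still there to be seen.

```python
"""Reconcile a wireless site-survey scan against an authorized-AP inventory.

Added example (not part of the PACE-IT slides).  The scan records and the
inventory below are constructed for illustration; a real survey would feed
in the output of a Wi-Fi analyzer instead.
"""
from dataclasses import dataclass

# Security modes the slides say should not be in use, with the reason.
WEAK_SECURITY = {
    "OPEN": "no encryption at all",
    "WEP": "WEP is easily cracked and should not be used",
    "WPA-TKIP": "WPA/TKIP can be broken and should be replaced by WPA2-CCMP",
}

SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


@dataclass(frozen=True)
class ScanRecord:
    bssid: str        # AP radio MAC as seen in beacons / probe responses
    ssid: str         # "" when the beacon carries a hidden (zero-length) SSID
    security: str     # "OPEN", "WEP", "WPA-TKIP", "WPA2-CCMP", ...
    signal_dbm: int   # received signal strength at the survey point


@dataclass(frozen=True)
class Finding:
    bssid: str
    severity: str     # "high", "medium" or "info"
    reason: str


# Constructed inventory: BSSID of each deployed AP -> SSID it is meant to serve.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-wifi",
    "00:11:22:33:44:02": "corp-wifi",
}

# Constructed scan results from one survey walk.
SURVEY = [
    ScanRecord("00:11:22:33:44:01", "corp-wifi", "WPA2-CCMP", -52),
    ScanRecord("00:11:22:33:44:02", "", "WPA2-CCMP", -60),          # hidden SSID, authorized
    ScanRecord("aa:bb:cc:dd:ee:01", "corp-wifi", "OPEN", -48),      # unknown AP reusing our SSID
    ScanRecord("aa:bb:cc:dd:ee:02", "printer-setup", "WEP", -70),   # user-installed AP
    ScanRecord("aa:bb:cc:dd:ee:03", "bobs-hotspot", "WPA-TKIP", -85),
]


def audit_survey(survey, authorized):
    """Return findings for every AP seen in the survey, most severe first.

    An AP whose BSSID is not in the inventory is rogue regardless of its
    settings; an inventoried AP is checked for weak security and SSID drift.
    """
    authorized_ssids = set(authorized.values())
    findings = []
    for ap in survey:
        if ap.bssid not in authorized:
            if ap.ssid in authorized_ssids:
                reason = f"rogue AP advertising the authorized SSID {ap.ssid!r}"
            else:
                reason = f"rogue AP {ap.ssid or '<hidden>'!r} not in inventory"
            findings.append(Finding(ap.bssid, "high", reason))
            continue
        if ap.security in WEAK_SECURITY:
            findings.append(Finding(ap.bssid, "medium",
                f"authorized AP uses {ap.security}: {WEAK_SECURITY[ap.security]}"))
        if ap.ssid == "":
            findings.append(Finding(ap.bssid, "info",
                "SSID beaconing hidden; the beacon itself is still visible in the survey"))
        elif ap.ssid != authorized[ap.bssid]:
            findings.append(Finding(ap.bssid, "medium",
                f"authorized AP advertises {ap.ssid!r}, expected {authorized[ap.bssid]!r}"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.bssid))


def summarize(findings):
    """Count findings per severity for a one-line survey report."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = audit_survey(SURVEY, AUTHORIZED_APS)
    for f in results:
        print(f"[{f.severity:6}] {f.bssid}  {f.reason}")
    print(summarize(results))
```

Keying the inventory on BSSID rather than SSID is deliberate: the slides note that anyone can name an AP whatever they like, so an unknown radio advertising "corp-wifi" is the highest-priority finding, not a match.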
11. Page 11
– Extensible Authentication Protocol (EAP).
» A common authentication protocol used by WPA2 to allow
access to wireless networks.
• EAP packets are encapsulated within 802.1x packets, which
are forwarded to an authentication server.
» LEAP (Lightweight EAP) is a Cisco proprietary method of
implementing EAP. It was developed before the 802.1x
standard was developed.
» PEAP (Protected EAP) is a method of encapsulating EAP
packets with TLS in order to increase security.
– Additional wireless network security.
» Captive portals can be used to require users to authenticate
through a Web page when attempting to join a network.
• A common method used in publicly available wireless
networks.
» VPN (virtual private network) over wireless can be used to
further increase wireless security.
• Wireless network access must be through a VPN; this adds
an additional level of security in the network.
Wireless security considerations.
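The 802.1x flow above (the WAP relays EAP to a RADIUS server and grants access only after the server answers) can be modeled as a small state machine. The Python below is an added example, not part of the PACE-IT slides; the RadiusStub and Authenticator classes, the user table and the single-round "identity plus credential" message are constructed simplifications of the real multi-round EAP exchange, used to show that the AP never decides on its own and that data frames are dropped until an Access-Accept arrives.

```python
"""Model of how a WPA2-Enterprise access point gates client traffic on 802.1x.

Added example, not part of the PACE-IT slides.  The AP (authenticator) never
checks credentials itself: it relays EAP messages to the RADIUS server and
only opens the client's "controlled port" after an Access-Accept.  The RADIUS
server is a constructed stub with a hard-coded user table, and the EAP
exchange is collapsed to one message for illustration.
"""
from dataclasses import dataclass, field

# Constructed credential table standing in for the RADIUS server's user store.
RADIUS_USERS = {"alice": "correct horse"}


@dataclass
class RadiusStub:
    """Stand-in authentication server: answers Access-Request with Accept/Reject."""
    users: dict

    def access_request(self, identity, credential):
        if self.users.get(identity) == credential:
            return "Access-Accept"
        return "Access-Reject"


@dataclass
class Authenticator:
    """Access point with one 802.1x controlled port per client MAC."""
    radius: RadiusStub
    authorized: set = field(default_factory=set)   # MACs whose port is open
    log: list = field(default_factory=list)

    def handle_frame(self, client_mac, kind, payload=None):
        """Process one frame from a client.

        kind is "EAPOL" (an EAP message, always accepted on the uncontrolled
        port and relayed to RADIUS) or "DATA" (ordinary traffic, forwarded
        only once this client's controlled port has been opened).
        """
        if kind == "EAPOL":
            identity, credential = payload
            verdict = self.radius.access_request(identity, credential)
            self.log.append(f"{client_mac}: relayed EAP for {identity!r} -> {verdict}")
            if verdict == "Access-Accept":
                self.authorized.add(client_mac)
                return "port-opened"
            self.authorized.discard(client_mac)
            return "port-closed"
        if kind == "DATA":
            if client_mac in self.authorized:
                return "forwarded"
            self.log.append(f"{client_mac}: data frame dropped, port closed")
            return "dropped"
        raise ValueError(f"unknown frame kind {kind!r}")

    def deauthenticate(self, client_mac):
        """Close the controlled port again (client left or session expired)."""
        self.authorized.discard(client_mac)


def demo():
    """Walk one client through the sequence; returns the AP's verdict per frame."""
    ap = Authenticator(RadiusStub(RADIUS_USERS))
    client = "aa:bb:cc:00:00:01"
    return [
        ap.handle_frame(client, "DATA", b"GET / HTTP/1.1"),            # before auth: dropped
        ap.handle_frame(client, "EAPOL", ("alice", "wrong")),          # rejected: still closed
        ap.handle_frame(client, "DATA", b"GET / HTTP/1.1"),            # still dropped
        ap.handle_frame(client, "EAPOL", ("alice", "correct horse")),  # accepted: port opens
        ap.handle_frame(client, "DATA", b"GET / HTTP/1.1"),            # now forwarded
    ]


if __name__ == "__main__":
    for step, verdict in enumerate(demo(), 1):
        print(f"frame {step}: {verdict}")
```

The authorization is keyed on the client MAC that completed the exchange, so a second radio cannot ride on alice's session; in a real deployment the per-session keys derived from the EAP exchange are what actually bind traffic to that client, which this stub does not model.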
12. Page 12
Wireless security considerations.
Topic: The unique challenge of wireless.
Summary: Adding wireless to a network increases the challenge of hardening that
network. Often, users will install their own AP in order to more easily use
their own mobile devices on the network. Periodic site surveys should be
conducted to remove rogue APs in the workplace. Only authorized wireless
networks should be present in any work environment.
Topic: Security for wireless.
Summary: Default usernames and passwords should be changed or disabled. The
SSID beacon may be set to hidden (but it will still be there). Device
placement and antenna type can help to keep the wireless signal where it
belongs. The power level on some WAPs can also be adjusted to prevent
the signal from going where it does not belong. MAC filtering may be used
to limit which devices can connect to the network. WEP is an older
encryption standard that should not be used. WPA is an older encryption
standard that should not be used. WPA2 (Personal or Enterprise) is the
current standard for wireless networks. EAP is a common authentication
standard used in conjunction with 802.1x. Captive portals can be used to
make users authenticate through a Web page. Requiring wireless users to
connect through a VPN may provide additional security.
14. This workforce solution was 100 percent funded by a $3 million grant awarded by the
U.S. Department of Labor's Employment and Training Administration. The solution was
created by the grantee and does not necessarily reflect the official position of the U.S.
Department of Labor. The Department of Labor makes no guarantees, warranties, or
assurances of any kind, express or implied, with respect to such information, including
any information on linked sites and including, but not limited to, accuracy of the
information or its completeness, timeliness, usefulness, adequacy, continued availability
or ownership. Funded by the Department of Labor, Employment and Training
Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and services are
available upon request to individuals with disabilities. For those that are hearing
impaired, a video phone is available at the Services for Students with Disabilities (SSD)
office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call
425.354.3113 on a video phone for more information about the PACE-IT program. For
any additional special accommodations needed, call the SSD office at 425.640.1814.
Edmonds Community College does not discriminate on the basis of race; color; religion;
national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran
status; or genetic information in its programs and activities.