Implement Wireless Security (16.2)–Cisco Configure Network and Device Security


Several techniques are available to mitigate these wireless vulnerabilities.

Open Authentication (16.2.1)

In addition to MAC address filtering, another way to control who can connect to your network is to implement authentication. Authentication is the process of permitting entry to a network based on a set of credentials. This process is used to verify that the device that is attempting to connect to the network is trusted.

The use of a username and password is the most common form of authentication. In a wireless environment, authentication still ensures that the connecting host is verified but handles the verification process in a slightly different manner. Authentication, if enabled, must occur before the client is allowed to connect to the WLAN. There are different types of wireless authentication methods, including open authentication, PSK, EAP, and SAE. EAP and SAE are beyond the scope of this course; PSK is described later in this section.

By default, wireless devices do not require authentication. Any and all clients are able to associate, as shown in Figure 16-11. This is referred to as open authentication. Open authentication should be used only on public wireless networks such as those found in many schools and restaurants. It can also be used on networks where authentication will be done by other means after a device is connected to the network, such as a captive web portal. Keep in mind that open authentication also means no link-layer encryption: anyone within radio range can read the traffic, so any later authentication and the user's data must be protected at a higher layer, for example with HTTPS or a VPN. The setup utility on many routers disables open authentication and automatically sets up more secure user authentication on the wireless LAN.


Figure 16-11 Open Authentication

Authentication and Association (16.2.2)

After authentication is enabled, regardless of the method used, the client must successfully pass authentication before it can associate with the AP and join your network. If both authentication and MAC address filtering are enabled, authentication occurs first.

When authentication is successful, the AP then checks the client's MAC address against its MAC address table (if MAC address filtering is enabled). After verification, the AP adds the host MAC address to its host table. The client is then said to be associated with the AP and can connect to the network. Note that MAC address filtering is only a weak supplementary control: MAC addresses are sent unencrypted in every frame header, so an attacker can observe an allowed address and clone it.

Figure 16-12 shows the authentication and association process.


Figure 16-12 The Wireless Authentication and Association Process

Authentication Protocols (16.2.3)

Early wireless routers used a form of encryption known as Wired Equivalent Privacy (WEP) to secure wireless transmissions between clients and access points. WEP encrypts network traffic as it travels through the air, using a preconfigured key to encrypt and decrypt data. A WEP key is entered as a string of numbers and letters and is generally described as 64 bits or 128 bits long. In each case, 24 of those bits are a per-packet initialization vector (IV) that is sent in the clear, so the secret part of the key is only 40 or 104 bits. Some vendors also support 256-bit WEP keys.

However, WEP has serious weaknesses, including the use of a single static key on every WEP-enabled device on the wireless LAN and the short IV, which forces keystream reuse once enough packets have been captured. Threat actors can use applications that are readily available on the Internet to capture traffic and recover the WEP key, often within minutes on a busy network. After attackers have extracted the key, they can decrypt all transmitted information and join the network.

Go to the online course to view an animation of a wireless sniffer obtaining and using the WEP key.

Changing the key frequently only shortens the window in which a recovered key is useful; it does not fix the underlying flaw. The real solution is to replace WEP with a more advanced and secure form of encryption known as Wi-Fi Protected Access (WPA). The original WPA was an interim fix that kept WEP's cipher but added per-packet keying (TKIP); it was superseded by WPA2, which uses AES-CCMP, and WPA2 in turn by WPA3, the latest standard, which includes both personal and enterprise versions.

Unlike WEP, WPA2 does not encrypt data with the configured key itself. Each time a client connects, the client and the AP run a four-way handshake that derives fresh, per-session encryption keys from the shared master key and random values exchanged during the handshake. For this reason, WPA2 is considered far more secure than WEP: a passive sniffer cannot recover the session keys from captured traffic, and the 128-bit AES keys are not practical to brute-force. The version of WPA2 designed for home networks is designated WPA2-PSK (also called WPA2 Personal). The PSK indicates that the master key is a preshared key: a 256-bit value that every device derives from your configured passphrase and the network's SSID. Because that derivation is deterministic, an attacker who captures a handshake can test candidate passphrases offline, so the strength of a WPA2-PSK network depends directly on the length and unpredictability of the passphrase.
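The WPA2-PSK key derivation described above, written out as an added example in Python. This code is not part of the Cisco course or its Packet Tracer activity; it implements the passphrase-to-PSK mapping and the PRF-384 pairwise key expansion from IEEE 802.11i using only the standard library. The SSID/passphrase pair "IEEE"/"password" is the published IEEE 802.11 test vector; the two MAC addresses and the candidate word list are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the page). "IEEE"/"password" is the
# IEEE 802.11i Annex test vector; the MAC addresses are made up.
SSID = "IEEE"
PASSPHRASE = "password"
AP_MAC = bytes.fromhex("001122334455")   # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")  # supplicant address (SPA)


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping from IEEE 802.11i: PBKDF2-HMAC-SHA1 with the
    SSID as salt, 4096 iterations, 256-bit output. In WPA2-PSK this value is
    used directly as the Pairwise Master Key (PMK) on every device."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def ieee80211_prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """PRF-n from IEEE 802.11i: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, 2, ... until nbytes have been produced, then truncate."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key for CCMP (PRF-384): 48 bytes = KCK(16) || KEK(16) || TK(16).
    Both sides sort the addresses and nonces so they build identical input
    regardless of which role they play."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return ieee80211_prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes) -> dict:
    """KCK protects the handshake MIC, KEK wraps the group key, TK encrypts data."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def new_session_keys(pmk: bytes, aa: bytes, spa: bytes) -> dict:
    """Simulate one association: each side contributes a fresh 32-byte nonce,
    as in messages 1 and 2 of the four-way handshake, so the PTK (and hence the
    data-encryption key TK) differs on every connection even though the PMK is fixed."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    return split_ptk(wpa2_ptk(pmk, aa, spa, anonce, snonce))


def recover_passphrase(candidates, ssid: str, target_pmk: bytes):
    """Offline dictionary test. The only work an attacker needs per guess is the
    same PBKDF2 computation a legitimate client performs, which is why a short or
    common passphrase undoes the benefit of per-session keys. Returns the match or None."""
    for guess in candidates:
        if hmac.compare_digest(wpa2_pmk(guess, ssid), target_pmk):
            return guess
    return None


if __name__ == "__main__":
    pmk = wpa2_pmk(PASSPHRASE, SSID)
    print("PMK:", pmk.hex())
    first, second = new_session_keys(pmk, AP_MAC, STA_MAC), new_session_keys(pmk, AP_MAC, STA_MAC)
    print("TK session 1:", first["tk"].hex())
    print("TK session 2:", second["tk"].hex())
    print("Dictionary hit:", recover_passphrase(["letmein", "qwerty", "password"], SSID, pmk))
```

Running the script prints the same PMK on every run but a different TK for each simulated session, which is the "dynamic keys" property the text describes. The dictionary function shows the flip side: the PMK never changes, so a captured handshake plus a weak passphrase is enough for an attacker to recover it offline.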

Packet Tracer—Configure Basic Wireless Security (16.2.4)

In this activity, you will configure wireless security using WPA2 Personal.
