Wireless Security Architecture



Designing and Maintaining Secure Wireless for Enterprise
1st ed.

by: Jennifer Minella, Stephen Orr

32,99 €

Publisher: Wiley
Format: PDF
Published: 01.03.2022
ISBN/EAN: 9781119883067
Language: English
Number of pages: 624

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Descriptions

Reduce organizational cybersecurity risk and build comprehensive WiFi, private cellular, and IOT security solutions

Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise offers readers an essential guide to planning, designing, and preserving secure wireless infrastructures. It is a blueprint to a resilient and compliant architecture that responds to regulatory requirements, reduces organizational risk, and conforms to industry best practices. This book emphasizes WiFi security, as well as guidance on private cellular and Internet of Things security.

Readers will discover how to move beyond isolated technical certifications and vendor training and put together a coherent network that responds to contemporary security risks. It offers up-to-date coverage—including data published for the first time—of new WPA3 security, Wi-Fi 6E, zero-trust frameworks, and other emerging trends. It also includes:

- Concrete strategies suitable for organizations of all sizes, from large government agencies to small public and private companies
- Effective technical resources and real-world sample architectures
- Explorations of the relationships between security, wireless, and network elements
- Practical planning templates, guides, and real-world case studies demonstrating application of the included concepts

Perfect for network, wireless, and enterprise security architects, Wireless Security Architecture belongs in the libraries of technical leaders in firms of all sizes and in any industry seeking to build a secure wireless network.

Foreword
Preface
Introduction

Part I Technical Foundations

Chapter 1 Introduction to Concepts and Relationships
Roles and Responsibilities
Network and Wireless Architects
Security, Risk, and Compliance Roles
Operations and Help Desk Roles
Support Roles
External and Third Parties
Security Concepts for Wireless Architecture
Security and IAC Triad in Wireless
Aligning Wireless Architecture Security to Organizational Risk
Factors Influencing Risk Tolerance
Assigning a Risk Tolerance Level
Considering Compliance and Regulatory Requirements
Compliance Regulations, Frameworks, and Audits
The Role of Policies, Standards, and Procedures
Segmentation Concepts
Authentication Concepts
Cryptography Concepts
Wireless Concepts for Secure Wireless Architecture
NAC and IEEE 802.1X in Wireless
SSID Security Profiles
Security
Endpoint Devices
Network Topology and Distribution of Users
Summary

Chapter 2 Understanding Technical Elements
Understanding Wireless Infrastructure and Operations
Management vs. Control vs. Data Planes
Cloud-Managed Wi-Fi and Gateways
Controller Managed Wi-Fi
Local Cluster Managed Wi-Fi
Remote APs
Summary
Understanding Data Paths
Tunneled
Bridged
Considerations of Bridging Client Traffic
Hybrid and Other Data Path Models
Filtering and Segmentation of Traffic
Summary
Understanding Security Profiles for SSIDs
WPA2 and WPA3 Overview
Transition Modes and Migration Strategies for Preserving Security
Enterprise Mode (802.1X)
Personal Mode (Passphrase with PSK/SAE)
Open Authentication Networks

Chapter 3 Understanding Authentication and Authorization
The IEEE 802.1X Standard
Terminology in 802.1X
High-Level 802.1X Process in Wi-Fi Authentication
RADIUS Servers, RADIUS Attributes, and VSAs
RADIUS Servers
RADIUS Servers and NAC Products
Relationship of RADIUS, EAP, and Infrastructure Devices
RADIUS Attributes
RADIUS Vendor-Specific Attributes
RADIUS Policies
RADIUS Servers, Clients and Shared Secrets
Other Requirements
Additional Notes on RADIUS Accounting
Change of Authorization and Disconnect Messages
EAP Methods for Authentication
Outer EAP Tunnels
Securing Tunneled EAP
Inner Authentication Methods
Legacy and Unsecured EAP Methods
Recommended EAP Methods for Secure Wi-Fi
MAC-Based Authentications
MAC Authentication Bypass with RADIUS
MAC Authentication Without RADIUS
MAC Filtering and Denylisting
Certificates for Authentication and Captive Portals
RADIUS Server Certificates for 802.1X
Endpoint Device Certificates for 802.1X
Best Practices for Using Certificates for 802.1X
Captive Portal Server Certificates
Best Practices for Using Certificates for Captive Portals
In Most Cases, Use a Public Root CA Signed Server Certificate
Understand the Impact of MAC Randomization on Captive Portals
Captive Portal Certificate Best Practices Recap
Summary
Captive Portal Security
Captive Portals for User or Guest Registration
Captive Portals for Acceptable Use Policies
Captive Portals for BYOD
Captive Portals for Payment Gateways
Security on Open vs. Enhanced Open Networks
Access Control for Captive Portal Processes
LDAP Authentication for Wi-Fi
The 4-Way Handshake in Wi-Fi
The 4-Way Handshake Operation
The 4-Way Handshake with WPA2-Personal and WPA3-Personal
The 4-Way Handshake with WPA2-Enterprise and WPA3-Enterprise
Summary

Chapter 4 Understanding Domain and Wi-Fi Design Impacts
Understanding Network Services for Wi-Fi
Time Sync Services
Time Sync Services and Servers
Time Sync Uses in Wi-Fi
DNS Services
DHCP Services
DHCP for Wi-Fi Clients
Planning DHCP for Wi-Fi Clients
DHCP for AP Provisioning
Certificates
Understanding Wi-Fi Design Impacts on Security
Roaming Protocols’ Impact on Security
Fast Roaming Technologies
System Availability and Resiliency
RF Design Elements
AP Placement, Channel, and Power Settings
Wi-Fi 6E
Rate Limiting Wi-Fi
Other Networking, Discovery, and Routing Elements
Summary

Part II Putting It All Together

Chapter 5 Planning and Design for Secure Wireless
Planning and Design Methodology
Discover Stage
Architect Stage
Iterate Stage
Planning and Design Inputs (Define and Characterize)
Scope of Work/Project
Teams Involved
Organizational Security Requirements
Current Security Policies
Endpoints
Users
System Security Requirements
Applications
Process Constraints
Wireless Management Architecture and Products
Planning and Design Outputs (Design, Optimize, and Validate)
Wireless Networks (SSIDs)
System Availability
Additional Software or Tools
Processes and Policy Updates
Infrastructure Hardening
Correlating Inputs to Outputs
Planning Processes and Templates
Requirements Discovery Template (Define and Characterize)
Sample Network Planning Template (SSID Planner)
Sample Access Rights Planning Templates
Notes for Technical and Executive Leadership
Planning and Budgeting for Wireless Projects
Consultants and Third Parties Can Be Invaluable
Selecting Wireless Products and Technologies
Expectations for Wireless Security
Summary

Chapter 6 Hardening the Wireless Infrastructure
Securing Management Access
Enforcing Encrypted Management Protocols
Eliminating Default Credentials and Passwords
Controlling Administrative Access and Authentication
Securing Shared Credentials and Keys
Addressing Privileged Access
Additional Secure Management Considerations
Designing for Integrity of the Infrastructure
Managing Configurations, Change Management, and Backups
Configuring Logging, Reporting, Alerting, and Automated Responses
Verifying Software Integrity for Upgrades and Patches
Working with 802.11w Protected Management Frames
Provisioning and Securing APs to Manager
Adding Wired Infrastructure Integrity
Planning Physical Security
Locking Front Panel and Console Access on Infrastructure Devices
Disabling Unused Protocols
Controlling Peer-to-Peer and Bridged Communications
A Note on Consumer Products in the Enterprise
Blocking Ad-Hoc Networks
Blocking Wireless Bridging on Clients
Filtering Inter-Station Traffic, Multicast, and mDNS
Best Practices for Tiered Hardening
Additional Security Configurations
Security Monitoring, Rogue Detection, and WIPS
Considerations for Hiding or Cloaking SSIDs
Requiring DHCP for Clients
Addressing Client Credential Sharing and Porting
Summary

Part III Ongoing Maintenance and Beyond

Chapter 7 Monitoring and Maintenance of Wireless Networks
Security Testing and Assessments of Wireless Networks
Security Audits
Vulnerability Assessments
Security Assessments
Penetration Testing
Ongoing Monitoring and Testing
Security Monitoring and Tools for Wireless
Wireless Intrusion Prevention Systems
Recommendations for WIPS
Synthetic Testing and Performance Monitoring
Security Logging and Analysis
Wireless-Specific Tools
Logging, Alerting, and Reporting Best Practices
Events to Log for Forensics or Correlation
Events to Alert on for Immediate Action
Events to Report on for Analysis and Trending
Troubleshooting Wi-Fi Security
Troubleshooting 802.1X/EAP and RADIUS
Troubleshooting MAC-based Authentication
Troubleshooting Portals, Onboarding, and Registration
Troubleshooting with Protected Management Frames Enabled
Training and Other Resources
Technology Training Courses and Providers
Vendor-Specific Training and Resources
Conferences and Community
Summary

Chapter 8 Emergent Trends and Non-Wi-Fi Wireless
Emergent Trends Impacting Wireless
Cloud-Managed Edge Architectures
Remote Workforce
Process Changes to Address Remote Work
Recommendations for Navigating a Remote Workforce
Bring Your Own Device
Zero Trust Strategies
Internet of Things
Enterprise IoT Technologies and Non-802.11 Wireless
IoT Considerations
Technologies and Protocols by Use Case
Features and Characteristics Impact on Security
Other Considerations for Secure IoT Architecture
Final Thoughts from the Book

Appendix A Notes on Configuring 802.1X with Microsoft NPS
Wi-Fi Infrastructure That Supports Enterprise (802.1X) SSID Security Profiles
Endpoints That Support 802.1X/EAP
A Way to Configure the Endpoints for the Specified Connectivity
An Authentication Server That Supports RADIUS

Appendix B Additional Resources
IETF RFCs
IEEE Standards and Documents
Wi-Fi Alliance
Blog, Consulting, and Book Materials
Compliance and Mappings
Cyber Insurance and Network Security

Appendix C Sample Architectures
Architectures for Internal Access Networks
Managed User with Managed Device
Headless/Non-User-Based Devices
Contractors and Third Parties
BYOD/Personal Devices with Internal Access
Guidance on WPA2-Enterprise and WPA3-Enterprise
Guidance on When to Separate SSIDs
Architectures for Guest/Internet-only Networks
Guest Networks
BYOD/Personal Devices with Internet-only Access
Determining Length of a WPA3-Personal Passphrase

Appendix D Parting Thoughts and Call to Action
The Future of Cellular and Wi-Fi
MAC Randomization

Index

JENNIFER (JJ) MINELLA is an internationally recognized authority on network and wireless security, author, and public speaker. She is an advisory CISO and information security leader with over fifteen years’ experience working with organizations creating network security and leadership strategies. She is Founder and Principal Advisor of Viszen Security.

Mitigate cybersecurity risks and prevent wireless attacks with effective and contemporary strategies

In Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise, renowned information security leader Jennifer Minella delivers an essential guide for planning, designing, and maintaining secure wireless infrastructures. Perfect for companies of all sizes and in any industry, this book walks technology professionals through critical concepts in security and wireless design, offering powerful technical resources and real-world sample architectures.

This book provides recipes for resilient connectivity compliant with regulatory standards and industry best practices that reduce organizational risk. Drawing on the author’s fifteen years of hands-on experience in network architecting and implementation, as well as security consulting, it presents practical guidance for those responsible for creating secure wireless networks.

Readers will learn how to go beyond important—but isolated—technical certifications and vendor training to assemble a holistic enterprise architecture that responds to contemporary security risks. Its techniques are suitable for government agencies, global financial institutions, healthcare organizations, and small public and private firms.

Ideal for enterprise security architects, network architects, and wireless architects, Wireless Security Architecture also contains valuable content for technical leaders, including CISOs, CTOs, and CIOs. The author also provides:

- An introduction to modern security and wireless concepts
- Explorations of the relationships between security, wireless, and network elements
- Detailed design and planning guidance
- Best practices in security testing, monitoring, tools, and training
- Deep technical dives for troubleshooting
- Planning templates and guides
- Case studies demonstrating real-world examples of secure wireless architectures
