Reduce organizational cybersecurity risk and build comprehensive WiFi, private cellular, and IoT security solutions
Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise offers readers an essential guide to planning, designing, and preserving secure wireless infrastructures. It is a blueprint to a resilient and compliant architecture that responds to regulatory requirements, reduces organizational risk, and conforms to industry best practices. This book emphasizes WiFi security, as well as guidance on private cellular and Internet of Things security.

Readers will discover how to move beyond isolated technical certifications and vendor training and put together a coherent network that responds to contemporary security risks. It offers up-to-date coverage--including data published for the first time--of new WPA3 security, Wi-Fi 6E, zero-trust frameworks, and other emerging trends. It also includes:

* Concrete strategies suitable for organizations of all sizes, from large government agencies to small public and private companies
* Effective technical resources and real-world sample architectures
* Explorations of the relationships between security, wireless, and network elements
* Practical planning templates, guides, and real-world case studies demonstrating application of the included concepts

Perfect for network, wireless, and enterprise security architects, Wireless Security Architecture belongs in the libraries of technical leaders in firms of all sizes and in any industry seeking to build a secure wireless network.
Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise
Foreword
Preface
Introduction

Part I: Technical Foundations

Chapter 1: Introduction to Concepts and Relationships
  Roles and Responsibilities
  Network and Wireless Architects
  Security, Risk, and Compliance Roles
  Operations and Help Desk Roles
  Support Roles
  External and Third Parties
  Security Concepts for Wireless Architecture
  Security and IAC Triad in Wireless
  Aligning Wireless Architecture Security to Organizational Risk
  Factors Influencing Risk Tolerance
  Assigning a Risk Tolerance Level
  Considering Compliance and Regulatory Requirements
  Compliance Regulations, Frameworks, and Audits
  The Role of Policies, Standards, and Procedures
  Segmentation Concepts
  Authentication Concepts
  Cryptography Concepts
  Wireless Concepts for Secure Wireless Architecture
  NAC and IEEE 802.1X in Wireless
  SSID Security Profiles
  Security
  Endpoint Devices
  Network Topology and Distribution of Users
  Summary

Chapter 2: Understanding Technical Elements
  Understanding Wireless Infrastructure and Operations
  Management vs. Control vs. Data Planes
  Cloud-Managed Wi-Fi and Gateways
  Controller Managed Wi-Fi
  Local Cluster Managed Wi-Fi
  Remote APs
  Summary
  Understanding Data Paths
  Tunneled
  Bridged
  Considerations of Bridging Client Traffic
  Hybrid and Other Data Path Models
  Filtering and Segmentation of Traffic
  Summary
  Understanding Security Profiles for SSIDs
  WPA2 and WPA3 Overview
  Transition Modes and Migration Strategies for Preserving Security
  Enterprise Mode (802.1X)
  Personal Mode (Passphrase with PSK/SAE)
  Open Authentication Networks

Chapter 3: Understanding Authentication and Authorization
  The IEEE 802.1X Standard
  Terminology in 802.1X
  High-Level 802.1X Process in Wi-Fi Authentication
  RADIUS Servers, RADIUS Attributes, and VSAs
  RADIUS Servers
  RADIUS Servers and NAC Products
  Relationship of RADIUS, EAP, and Infrastructure Devices
  RADIUS Attributes
  RADIUS Vendor-Specific Attributes
  RADIUS Policies
  RADIUS Servers, Clients and Shared Secrets
  Other Requirements
  Additional Notes on RADIUS Accounting
  Change of Authorization and Disconnect Messages
  EAP Methods for Authentication
  Outer EAP Tunnels
  Securing Tunneled EAP
  Inner Authentication Methods
  Legacy and Unsecured EAP Methods
  Recommended EAP Methods for Secure Wi-Fi
  MAC-Based Authentications
  MAC Authentication Bypass with RADIUS
  MAC Authentication Without RADIUS
  MAC Filtering and Denylisting
  Certificates for Authentication and Captive Portals
  RADIUS Server Certificates for 802.1X
  Endpoint Device Certificates for 802.1X
  Best Practices for Using Certificates for 802.1X
  Captive Portal Server Certificates
  Best Practices for Using Certificates for Captive Portals
  In Most Cases, Use a Public Root CA Signed Server Certificate
  Understand the Impact of MAC Randomization on Captive Portals
  Captive Portal Certificate Best Practices Recap
  Summary
  Captive Portal Security
  Captive Portals for User or Guest Registration
  Captive Portals for Acceptable Use Policies
  Captive Portals for BYOD
  Captive Portals for Payment Gateways
  Security on Open vs. Enhanced Open Networks
  Access Control for Captive Portal Processes
  LDAP Authentication for Wi-Fi
  The 4-Way Handshake in Wi-Fi
  The 4-Way Handshake Operation
  The 4-Way Handshake with WPA2-Personal and WPA3-Personal
  The 4-Way Handshake with WPA2-Enterprise and WPA3-Enterprise
  Summary

Chapter 4: Understanding Domain and Wi-Fi Design Impacts
  Understanding Network Services for Wi-Fi
  Time Sync Services
  Time Sync Services and Servers
  Time Sync Uses in Wi-Fi
  DNS Services
  DHCP Services
  DHCP for Wi-Fi Clients
  Planning DHCP for Wi-Fi Clients
  DHCP for AP Provisioning
  Certificates
  Understanding Wi-Fi Design Impacts on Security
  Roaming Protocols' Impact on Security
  Fast Roaming Technologies
  System Availability and Resiliency
  RF Design Elements
  AP Placement, Channel, and Power Settings
  Wi-Fi 6E
  Rate Limiting Wi-Fi
  Other Networking, Discovery, and Routing Elements
  Summary

Part II: Putting It All Together

Chapter 5: Planning and Design for Secure Wireless
  Planning and Design Methodology
  Discover Stage
  Architect Stage
  Iterate Stage
  Planning and Design Inputs (Define and Characterize)
  Scope of Work/Project
  Teams Involved
  Organizational Security Requirements
  Current Security Policies
  Endpoints
  Users
  System Security Requirements
  Applications
  Process Constraints
  Wireless Management Architecture and Products
  Planning and Design Outputs (Design, Optimize, and Validate)
  Wireless Networks (SSIDs)
  System Availability
  Additional Software or Tools
  Processes and Policy Updates
  Infrastructure Hardening
  Correlating Inputs to Outputs
  Planning Processes and Templates
  Requirements Discovery Template (Define and Characterize)
  Sample Network Planning Template (SSID Planner)
  Sample Access Rights Planning Templates
  Notes for Technical and Executive Leadership
  Planning and Budgeting for Wireless Projects
  Consultants and Third Parties Can Be Invaluable
  Selecting Wireless Products and Technologies
  Expectations for Wireless Security
  Summary

Chapter 6: Hardening the Wireless Infrastructure
  Securing Management Access
  Enforcing Encrypted Management Protocols
  Eliminating Default Credentials and Passwords
  Controlling Administrative Access and Authentication
  Securing Shared Credentials and Keys
  Addressing Privileged Access
  Additional Secure Management Considerations
  Designing for Integrity of the Infrastructure
  Managing Configurations, Change Management, and Backups
  Configuring Logging, Reporting, Alerting, and Automated Responses
  Verifying Software Integrity for Upgrades and Patches
  Working with 802.11w Protected Management Frames
  Provisioning and Securing APs to Manager
  Adding Wired Infrastructure Integrity
  Planning Physical Security
  Locking Front Panel and Console Access on Infrastructure Devices
  Disabling Unused Protocols
  Controlling Peer-to-Peer and Bridged Communications
  A Note on Consumer Products in the Enterprise
  Blocking Ad-Hoc Networks
  Blocking Wireless Bridging on Clients
  Filtering Inter-Station Traffic, Multicast, and mDNS
  Best Practices for Tiered Hardening
  Additional Security Configurations
  Security Monitoring, Rogue Detection, and WIPS
  Considerations for Hiding or Cloaking SSIDs
  Requiring DHCP for Clients
  Addressing Client Credential Sharing and Porting
  Summary

Part III: Ongoing Maintenance and Beyond

Chapter 7: Monitoring and Maintenance of Wireless Networks
  Security Testing and Assessments of Wireless Networks
  Security Audits
  Vulnerability Assessments
  Security Assessments
  Penetration Testing
  Ongoing Monitoring and Testing
  Security Monitoring and Tools for Wireless
  Wireless Intrusion Prevention Systems
  Recommendations for WIPS
  Synthetic Testing and Performance Monitoring
  Security Logging and Analysis
  Wireless-Specific Tools
  Logging, Alerting, and Reporting Best Practices
  Events to Log for Forensics or Correlation
  Events to Alert on for Immediate Action
  Events to Report on for Analysis and Trending
  Troubleshooting Wi-Fi Security
  Troubleshooting 802.1X/EAP and RADIUS
  Troubleshooting MAC-based Authentication
  Troubleshooting Portals, Onboarding, and Registration
  Troubleshooting with Protected Management Frames Enabled
  Training and Other Resources
  Technology Training Courses and Providers
  Vendor-Specific Training and Resources
  Conferences and Community
  Summary

Chapter 8: Emergent Trends and Non-Wi-Fi Wireless
  Emergent Trends Impacting Wireless
  Cloud-Managed Edge Architectures
  Remote Workforce
  Process Changes to Address Remote Work
  Recommendations for Navigating a Remote Workforce
  Bring Your Own Device
  Zero Trust Strategies
  Internet of Things
  Enterprise IoT Technologies and Non-802.11 Wireless
  IoT Considerations
  Technologies and Protocols by Use Case
  Features and Characteristics Impact on Security
  Other Considerations for Secure IoT Architecture
  Final Thoughts from the Book

Appendix A: Notes on Configuring 802.1X with Microsoft NPS
  Wi-Fi Infrastructure That Supports Enterprise (802.1X) SSID Security Profiles
  Endpoints That Support 802.1X/EAP
  A Way to Configure the Endpoints for the Specified Connectivity
  An Authentication Server That Supports RADIUS

Appendix B: Additional Resources
  IETF RFCs
  IEEE Standards and Documents
  Wi-Fi Alliance
  Blog, Consulting, and Book Materials
  Compliance and Mappings
  Cyber Insurance and Network Security

Appendix C: Sample Architectures
  Architectures for Internal Access Networks
  Managed User with Managed Device
  Headless/Non-User-Based Devices
  Contractors and Third Parties
  BYOD/Personal Devices with Internal Access
  Guidance on WPA2-Enterprise and WPA3-Enterprise
  Guidance on When to Separate SSIDs
  Architectures for Guest/Internet-only Networks
  Guest Networks
  BYOD/Personal Devices with Internet-only Access
  Determining Length of a WPA3-Personal Passphrase

Appendix D: Parting Thoughts and Call to Action
  The Future of Cellular and Wi-Fi
  MAC Randomization

Index