- A
- AAA Server, 103, 118
- acceptable use policies (AUPs), captive portals for, 165–166
- access control, for captive portal processes, 167
- access control lists (ACLs), 22–23
- access hardware, 496
- Access Rights Planner, 262–267
- accounting, 122
- ad-hoc networks
- administrative access and authentication, controlling, 296–301
- administrative users, authentication of, 26
- AES-256-GCM, 83
- AirMagnet Planner, 413
- alerting
- best practices, 416–424
- configuring, 313–314
- analyst roles, 7–8
- Apple AirDrop, 391
- Apple MacOS, Fast Transition support and, 199
- Apple Wireless Direct Link (AWDL), 344
- appliance-based PEPs, 461
- application owners, 232
- Application Programming Interface (API), 176
- application protocols (APs)
- addressing default behavior, 325
- allowlisting, 322–323
- approving, 322–323
- authenticating, 326–327
- authorized, 392
- changing default credentials on, 295
- controlling ports in publicly accessible areas, 326
- enabling secure tunnels from, 324–325
- external, 393
- honeypot, 393
- impersonation, 385
- management VLAN, 186
- misconfigured, 384
- neighbor, 393
- placement of, as a planning and design output, 244
- port uplink redundancy, 204–205
- provisioning
- about, 321–325
- DHCP for, 185–186
- DNS for, 179
- quantities of, 269–270
- remote hardware, 41–42
- replacement of, 269
- rogue, 392
- securing, 321–325, 332–334
- spoofing, 385–386
- using certificates for, 324
- applications, as a planning and design input, 240
- Architect stage, in Design for Six Sigma (DFSS), 224–225
- architectures
- about, 531–532
- determining length of WPA3-Personal passphrases, 555–558
- for guest/Internet-only networks, 551–555
- for internal access networks, 531–551
- Aruba Networks, 80, 115, 299, 325, 383, 407, 440
- assessments. See testing and assessments
- association states, 95
- asymmetric-key algorithms, 28
- authentication and authorization
- about, 23–24, 101
- access control for captive portal processes, 167
- of administrative users, 26
- best practices
- for using certificates for 802.1X, 152–158
- for using certificates for captive portals, 159–162
- captive portals
- for acceptable use policies, 165–166
- for BYOD, 166–167
- for payment gateways, 167
- security of, 163–167
- server certificates, 158
- for user/guest registration, 163–165
- certificates for authentication, 148–163
- change of authorization, 123–127
- of devices, 25–26
- disconnecting messages, 123–127
- EAP support, 132
- EAP-FAST, 130
- EAP-GTC, 135–136
- EAP-MSCHAPv2, 135
- EAP-PEAP, 129–130
- EAP-POTP, 136–137
- EAP-TEAP, 131
- EAP-TLS, 134–135
- EAP-TTLS, 130
- endpoint device certificates for 802.1X, 151–152
- 4-Way Handshake in Wi-Fi, 168–171
- IEEE 802.1X standard, 102–107
- in InfoSec, 24
- inner authentication methods, 133–137
- LDAP authentication for Wi-Fi, 168
- legacy EAP methods, 137–138
- logging/accounting, 122
- MAC authentication bypass with RADIUS, 140–147
- MAC authentication without RADIUS, 147
- MAC filtering and denylisting, 147–148
- MAC-based authentication, 140–148
- network access control (NAC) products, 108–110
- outer EAP tunnels, 129–132
- as a planning and design output, 244
- RADIUS
- accounting, 122–123
- attributes, 111–114
- clients, 118–119
- policies, 116–118
- security, 121
- server certificates for 802.1X, 148–151
- servers, 107–110, 118–121
- shared secrets, 120
- vendor-specific attributes, 115–116
- recommended EAP methods for secure Wi-Fi, 138–140
- relationship of RADIUS, EAP, and infrastructure devices, 110–111
- securing tunneled EAP, 132–133
- security on open vs. enhanced open networks, 167
- server certificate, 121
- of servers, 26
- unsecured EAP methods, 137–138
- user directories, 121
- of users, 24–25
- of wireless infrastructure components, 26–27
- authentication and key management (AKM) suites, 79–80
- Authentication Server, 103
- authorization. See authentication and authorization
- authorized AP, 392
- automated responses, configuring, 313–314
- availability
- high, 203, 204
- in secure wireless architecture, 13
- B
- backups, managing, 309–313
- bandwidth, as an IoT consideration, 467
- baselines, configuration, 312
- basic service set identifiers (BSSIDs), 188–189
- battery life, as an IoT consideration, 466
- best practices
- for using certificates for 802.1X, 152–158
- for using certificates for captive portals, 159–162
- blocking
- ad-hoc networks, 341–342
- SSID inter-station, 344–346
- wireless bridging on clients, 342–344
- Bluetooth, 470–475
- Bluetooth Impersonation Attack (BIA), 474
- Bluetooth Low Energy (BLE), 470–475
- Bonjour, 347–350
- Border Gateway Protocol (BGP), 217
- BrakTooth, 473–474
- bridged communications, controlling, 339–353
- bring your own device (BYOD)
- about, 278–279
- as an emergent trend, 445–455
- captive portals for, 166–167
- defining in your organization, 259–261, 448–449
- with internal access, 547–549
- with Internet-only access, 553–555
- legal considerations for, 449–451
- policies for, 446
- recommendations for securing, 452–455
- technical considerations for securing, 451–452
- broadcast
- de-authentication and disassociation, 387
- DHCP through, 183
- broadcast integrity protocol (BIPP), 318–319
- C
- California Consumer Protection Act (CCPA), 17
- Called-Station-ID, 112
- Calling-Station-ID, 112
- campus environments, 38
- captive portals
- about, 26
- for acceptable use policies, 165–166
- access control for, 167
- best practices for using certificates for, 159–162
- for BYOD, 166–167
- DNS for, 177–179
- for payment gateways, 167
- security of, 163–167
- server certificates, 158
- for user/guest registration, 163–165
- cellular LANs, 481–499, 541
- cellular technology, 480, 559–561
- Center for Internet Security (CIS), 18
- central monitoring and alerting, 379–383
- certificate signing request (CSR), 151
- certificates
- about, 186–187
- for authentication, 148–163
- generating for encrypted management, 283–287
- using for APs, 324
- Certified Wireless IoT Connectivity Professional (CWICP), 434
- Certified Wireless IoT Design Professional (CWIDP), 434
- Certified Wireless IoT Integration Professional (CWIIP), 434
- Certified Wireless IoT Solutions Administrator (CWISA), 434
- Certified Wireless Network Professionals (CWNP), 433, 436
- CFRS, 404
- change management, 309–313
- change of authorization (CoA), 123–127
- Characterize phase, in Design for Six Sigma (DFSS), 224
- Chief Executive Officer (CEO), 6–7
- Chief Information Officer (CIO), 6–7
- Chief Information Security Officer (CISO), 6–7, 231
- Chief Security Officer (CSO), 6–7
- Chief Technology Officer (CTO), 6–7
- choose your own device (CYOD) model, 446–447
- cipher suites, 79–80
- Cisco, 115, 299, 325, 383
- Cisco Discovery Protocol (CDP), 213–215
- classification, endpoints and, 239
- ClearPass Policy Manager (CPPM), 299
- client spoofing, 386
- clients
- blocking wireless bridging on, 342–344
- credential sharing and porting, 360–362
- with interfaces bridges, 388–390
- with invalid MAC address, 386–387
- misassociation of, 390–391
- RADIUS, 118–119
- requiring DHCP for, 359–360
- rogue, 384
- cloaking SSIDs, 356–359
- closed box test, 375
- cloud native products, 459
- CloudExtreme, 299
- cloud-managed edge architectures, 440–441
- cloud-routed products, 459
- Commercial National Security Algorithm (CNSA), 82
- common vulnerabilities and exploits (CVEs), 370–372
- community, as resources, 436
- company-owned, business use only (COBO), 447
- company-owned, personally enabled (COPE) devices, 447
- compliance
- regulations for, 17–19
- resources on, 525–528
- compliance officer, 231
- CompTIA Security+, 435
- conferences, as resources, 436
- confidentiality, in secure wireless architecture, 13–14
- configurations, managing, 309–313
- connectivity, issue of, 41
- Connectivity Standards Alliance, 475
- consultants, 271
- consumerization, 339
- contractors, 544–547
- control plane security, 321–322
- Controlled Port function, 106
- credential vaulting, 301–303
- credentials
- eliminating default, 293–296
- sharing and porting, 360–362
- cryptography
- about, 27, 28–29
- cryptographic algorithms and hashes, 27–28
- cryptographic keys, 27
- key exchanges, 27
- key rotation, 27
- current security policies, as a planning and design input, 235
- cyber insurance, 528–529
- cyber security training, 435
- Cybersecurity Framework (CSF), 18
- Cybersecurity Maturity Model Certification (CMMC), 6, 17, 369
- D
- data
- ownership/management of, 450
- privacy of, 451
- data paths
- about, 56–57, 71
- bridged, 59–61
- controlling guest portals with DNS on wireless, 66–67
- filtering
- with ACLs on routing devices, 68–70
- with ACLs on wireless, 65–66
- with inter-station blocking on wireless, 64–65
- with network virtualization overlay on wired infrastructure, 71
- with policies on firewalls, 70–71
- with SSIDs/VLANs on wireless, 65
- with VLANs on switches, 67–68
- within wireless/wired infrastructures, 63–64
- hybrid models, 61–62
- models, 61–62
- as a planning and design output, 245
- role of ACLs/VLANs in segmentation, 62–63
- tunneled, 58–59
- dedicated systems, 379–383
- Defense Federal Acquisition Regulation Supplement (DFARS), 6
- Define phase, in Design for Six Sigma (DFSS), 223–224
- denial of service (DoS) attempts, 390
- deployment architectures, 484
- design. See planning and design
- Design for Six Sigma (DFSS), 222–227, 254
- Design phase, in Design for Six Sigma (DFSS), 225
- devices, authentication of, 25–26, 469
- DHCP services
- about, 180–181
- for AP provisioning, 185–186
- planning for Wi-Fi clients, 184–185
- requiring for clients, 359–360
- for Wi-Fi clients, 181–184
- Diameter, 118
- Diffie-Hellman Ephemeral Key Exchange (DHE), 83
- digital signature algorithm (DSA), 83
- direct routing, 506
- directories, server settings for, 430–431
- direct-routed products, 459–460
- disconnecting messages, 123–127
- Discover stage, in Design for Six Sigma (DFSS), 223–224
- discovery protocols, 213–215
- distribution of users, 37–43
- DNS beaconing, 180
- DNS cache poisoning, 180
- DNS hijacking, 180
- DNS services
- about, 177
- for AP provisioning, 179
- for captive portals, 177–179
- security of, 179–180
- for Wi-Fi clients, 177–179
- DNS tunneling, 180
- domain administrators, 232
- domain services, as a planning and design output, 247
- domain-issued certificates, for RADIUS servers, 154–156
- downtime, scheduled, 203
- dynamic routing protocols, 217
- E
- edge IP protocols, 505–506
- edge ports, securing access to, 332–334
- edge switch, 326, 329
- e-discovery, 450
- 802.1AR, 285
- 802.1X
- about, 26, 29, 33–34, 35, 36, 77, 102–107, 327, 425–428
- best practices for using certificates for, 152–158
- configuring with Microsoft NPS, 513–520
- deciphering acronyms of 192-bit Mode, 83–84
- endpoint device certificates for, 151–152
- enhancements with WPA3-Enterprise, 82
- history of, 105
- options for, 79–81
- planning Enterprise (802.1X) Secured SSIDs, 77–79
- RADIUS server certificates for, 148–151
- terminology in, 103–104
- WPA2 to WPA3-Enterprise Migration recommendations, 85–87
- WPA3-Enterprise 192-bit Mode, 82–83
- 802.1X Authenticator, 103
- 802.1X Supplicant, 103
- 802.11 standard, 32, 95, 272, 523–524
- 802.11R, 321
- 802.11w. See Wi-Fi Protected Access version 2 (WPA2); Wi-Fi Protected Access version 3 (WPA3)
- Ekahau Pro, 413
- elliptic curve cryptography (ECC), 84
- Elliptic Curve Diffie-Hellman Ephemeral Key Exchange (ECDHE), 83
- Elliptic Curve Digital Signature Algorithm (ECDSA), 83
- emergent trends
- about, 439
- impacting wireless, 440–465
- employee lifecycle, 451
- encoding, 378–379
- encrypted frames, 319
- encrypted management protocols, enforcing, 283–293
- endpoint device certificates, for 802.1X, 151–152
- endpoints
- authentication of devices, 25–26
- capability requirements, as a planning and design output, 242–243
- configuring, 515–516
- as a planning and design input, 236–239
- that support 802.1X/EAP, 514–515
- end-user support roles, 9
- Enhanced Interior Gateway Routing Protocol (EIGRP), 217
- enhanced open networks, changes in roaming facilitation with, 200–201
- enterprise risk management, 16
- Epiq Solutions, 404
- executive leadership, 267–279
- extended detection and response (XDR), 408, 409–410
- Extensible Authentication Protocol (EAP)
- about, 103–104
- EAP-FAST (Flexible Authentication via Secure Tunnel), 130
- EAP-GTC (Generic Token Card), 135–136
- EAP-MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2), 135
- EAP-PEAP (Protected EAP), 129–130
- EAP-POTP (Protected One-Time Password), 136–137
- EAP-TEAP (Tunneled EAP), 131
- EAP-TLS (Transport Layer Security), 134–135
- EAP-TTLS (Tunneled Transport Layer Security), 130
- methods for authentication, 127–140
- Mutual Cryptographic Binding, 522
- securing tunneled, 132–133
- support for, 132
- unsecured methods, 137–138
- external AP, 393
- external server authentication, 328
- Extreme Networks, 383
- ExtremeCloud, 292
- F
- Fast BSS Transition, 197–198, 202
- Fast Reconnect mechanism, 193–194
- fast roaming technologies
- about, 193, 198–199
- changes in facilitation of, 200–201
- Fast BSS Transition, 197–198
- Fast Reconnect mechanism, 193–194
- opportunistic key caching (OKC), 196–197
- pairwise master key (PMK) caching, 194–196
- recommendations for, 201–202
- support for, 199–200
- Fast Transition
- about, 190
- packet analysis of, 200
- support for, 199–200
- Federal Energy Regulations Commission (FERC), 305
- Federal Information Processing Standard (FIPS), 289
- 5G technology, 480
- fixed environments, Fast Roaming and, 202
- form factors
- about, 36
- as an IoT consideration, 466
- endpoints and, 236
- Forrester, 274
- Fortinet FortiAuthenticator, 299
- 4D (Discover, Design, Develop, and Deploy), 222
- 4-Way Handshake in Wi-Fi, 168–171
- frameworks, 18–19
- FreeRADIUS, 299
- G
- General Data Protection Regulation (GDPR), 17, 305
- general-use networks, Fast Roaming and, 202
- Google Transparency Report, 94
- Group Policy, 156
- groups, endpoints and, 239
- guest networks, architectures for, 551–555
- guest registration, captive portals for, 163–165
- H
- handheld testers, 410–412
- hardening
- about, 281–282
- additional security configurations, 354–362
- best practices for tiered, 353–354
- controlling peer-to-peer and bridged communications, 339–353
- designing for integrity of infrastructure, 308–338
- securing management access, 282–308
- hardware-based IDs, certificate tied to, 285
- hash functions, 28, 314
- hash-based message authentication code (HMAC), 83
- headless devices, 36, 539–544
- Health Insurance Portability and Accountability Act (HIPAA), 6, 369
- help desk, 8–9, 232
- hiding SSIDs, 356–359
- home automation, 475–477
- honeypot AP, 393
- HTTPS, enabling, 287–288
- I
- IANS Research, 274
- IBwave, 414
- identification, in InfoSec, 24
- identity and access management (IAM), 8, 231
- illegal activity, 451
- industrial automation, 501–502
- InfoSec, 24
- infrastructure devices, locking access to, 334–337
- infrastructure hardening, as a planning and design output, 251
- inner authentication methods, 133–137
- inputs
- correlating to outputs, 252–253
- planning and design, 227–241
- Institute of Electrical And Electronics Engineers (IEEE)
- about, 30–31
- standards and documents, 522–524
- integrated systems, 379–383
- integrators, 233
- integrity
- designing for, 308–338
- in secure wireless architecture, 12–13
- integrity, availability, and confidentiality (IAC) Triad, 11–14
- integrity group transient key (IGTK), 318–319
- internal access
- architectures for networks, 531–551
- BYOD/personal devices with, 547–549
- internal domain CAs, certificates issued from, 286
- International Telecommunication Union (ITU-R), 32
- Internet Engineering Task Force (IETF)
- about, 31–32
- RFCs, 521–522
- Internet of Things (IoT)
- about, 463
- considerations for, 466–467, 507–508
- enterprise technologies, 465–508
- LAN-based, 463–465, 468–470
- protocol-routed, 465
- protocol-translated, 465
- public cellular for, 477–481
- training and certification, 434
- Internet-only networks, architectures for, 551–555
- interoperability, 274–275
- IP local connectivity, 506
- IPv4, 505
- IPv6, 216, 505
- ISA100.11a, 501–502
- (ISC)2 Systems Security Certified Practitioner (SSCP), 435
- ISO 27001, 525–527
- Iterate stage, in Design for Six Sigma (DFSS), 225–227
- K
- key exchanges
- about, 27
- on WPA-Enterprise networks, 191–193
- on WPA-Personal networks, 190–191
- keys
- generating for encrypted management, 283–287
- rotating, 27
- L
- LAN-based IoT, 463–465, 468–470
- latency-sensitive applications
- Fast Roaming and, 201
- roaming impact on, 189–190
- layer 3 roaming mobility domains, 217
- LDAP authentication, for Wi-Fi, 168
- leased licensed spectrum, 489
- legacy EAP methods, 137–138
- legacy open authentication networks, 94–95
- Let's Encrypt, 153
- Link Layer Discovery Protocol (LLDP), 213–215
- LLDP Media Endpoint Discovery (MED), 213–215
- local area networks (LANs), 505
- local server authentication, 328
- location
- as an IoT consideration, 467
- endpoints and, 237
- logging
- about, 122
- best practices, 416–424
- configuring, 313–314
- loop protection, 216
- LoRaWAN, 500–501
- Low power WANs (LP-WANs), 272
- low rate wireless personal networks (LR-WPANs), 272
- M
- MAC address
- about, 25
- authentication without RADIUS, 147
- binding APs to ports/switches with, 327–329
- filtering and denylisting, 147–148
- formatting, 429
- randomization, 159–161, 562–564
- MAC Authentication Bypass (MAB)
- about, 327
- headless devices with, 541
- with RADIUS, 140–147
- settings for, 429–430
- supporting with 802.1X in medium-security networks, 537
- MAC-based authentication
- about, 140–148
- headless devices with other, 543
- troubleshooting, 428–431
- malformed packets and fuzzing, 388
- managed user, with managed device, 533–539
- management access
- about, 282–283
- additional considerations, 307–308
- addressing privileged access, 303–307
- controlling administrative access and authentication, 296–301
- eliminating default credentials and passwords, 293–296
- endpoints and, 237
- enforcing encrypted management protocols, 283–293
- securing shared credentials and keys, 301–303
- management VLANs, creating, 299–300
- mapping, resources on, 525–528
- mDNS protocols
- about, 347–352
- supporting in medium-security networks, 537–538
- mesh topology, 507
- MetaGeek Wi-Spy + Chanalyzer, 402
- metropolitan area networks (MANs), 505
- Microsoft NPS, configuring 802.1X with, 513–520
- migration strategies, 76–77
- misconfigured AP, 384
- mobile device management (MDM), 25
- modulation, 378–379
- monitoring and maintenance
- about, 367
- alerting best practices, 416–424
- events
- to alert on for immediate action, 419–422
- to log for forensics or correlation, 417–419
- to report on for analysis and trending, 422–424
- logging best practices, 416–424
- ongoing, 376
- penetration testing, 375–376
- reporting best practices, 416–424
- scheduled, 203–204
- security audits, 368–370
- security logging and analysis, 407–410
- security testing and assessments, 367–376
- synthetic testing and performance monitoring, 405–407
- tools for, 376–416
- training and resources, 432–437
- troubleshooting security, 424–432
- vulnerability assessments, 370–373
- wireless intrusion prevention systems (WIPS), 377–405
- wireless-specific tools, 410–416
- Multicast DNS, 522
- multi-factor authentication (MFA), 308
- N
- NAS-IP-Address, 111
- NAS-Port, 112
- NAS-Port-Type, 112
- National Institute of Standards and Technology (NIST)
- neighbor AP, 393
- NetAlly, 402, 413
- NETCONF, 292–293
- network access control (NAC)
- about, 33–34
- access for contractors, 546
- products for, 108–110
- network architects, 4–5, 232
- network closets, 331–332
- network operations teams, 9, 232
- Network Planning Template, 261–262
- network protocol analyzers, 415
- network security training, 435
- network services
- as a planning and design output, 247
- for Wi-Fi, 173–187
- Network Time Protocol (NTP), 175–176
- network topology, 37–43, 502
- neutral host networks (NHNs), 498–499, 560–561
- “The New Future of Work” report, 442–443
- NodeBs, 496
- non-802.11 wireless technologies, 465–508
- non-user-based devices, 36, 539–544
- North American Energy Regulations Commission (NERC), 6, 305
- numeric comparison, 472
- O
- onboarding, troubleshooting, 431
- 192-bit mode, 82–84, 85
- on-prem products, 459–460
- open authentication networks
- about, 94
- legacy, 94–95
- Wi-Fi enhanced, 95–98
- Open Shortest Path First (OSPF), 217
- Open Wi-Fi security, 34
- operating system, endpoints and, 236–237
- operations roles, 8–9
- opportunistic key caching (OKC), 196–197
- Opportunistic Wireless Encryption, 522
- Optimize phase, in Design for Six Sigma (DFSS), 226–227
- organizational risk, aligning wireless architecture security to, 14–16
- organizational security requirements, as a planning and design input, 233–235
- Orr, Stephen, 216
- OUI Lookup Tool, 386
- out of band (OOB) pairing, 472
- outer EAP tunnels, 129–132
- outputs
- correlating to inputs, 252–253
- planning and design, 241–251
- overlay systems, 379–383
- over-the-air mitigation, 398–400
- ownership
- of devices, 37
- endpoints and, 237
- P
- packet analysis, of Fast Transition, 200
- pairwise master key (PMK) caching (roam-back), 194–196
- passkey entry, 472
- passwords
- eliminating default, 293–296
- length and complexity of, 294
- security of, 307
- patches, verifying software integrity for, 314–316
- Payment Card Industry Data Security Standard (PCI DSS), 6, 17, 369, 528
- payment gateways, captive portals for, 167
- Payment Services II Directive (PSD2), 369
- peer-based zero configuration networking, 346–347
- peer-to-peer communications, controlling, 339–353
- penetration testing, 375–376
- performance monitoring, 405–407
- personal area networks (PANs), 504
- personal devices. See bring your own device (BYOD)
- personal mode (passphrase with PSK/SAE), 87–93
- personal networks, 73
- personal (passphrase) Wi-Fi security, 35
- physical layer, 503–504
- physical security, planning, 331–337
- planning and design
- about, 221–222
- correlating inputs to outputs, 252–253
- impacts of, 187–217
- inputs, 227–241
- methodology for, 222–227
- outputs, 241–251
- processes and templates, 254–267
- technical and executive leadership, 267–279
- PMK Security Association (PMKSA) caching, 195
- PMKID, 195–196
- policies
- for RADIUS, 116–118
- role of, 19–21
- updates for, as a planning and design output, 250–251
- Policy Decision Point (PDP), 456
- Policy Enforcement Point (PEP), 456
- Policy Matrix, 262
- port entities, 104
- portals, troubleshooting, 431
- pre-shared keys (PSKs), 275–276
- private cellular, 272, 481–499
- private WANs, 499–501
- privileged access
- about, 277–278, 303
- privileged access management (PAM), 305–307
- remote, 306–307
- securing privileged accounts and credentials, 303–305
- privileged access management (PAM), 305–307
- privileged accounts and credentials, securing, 303–305
- procedures, role of, 19–21
- processes
- constraints, as a planning and design input, 240
- planning, 254–267
- updates, as a planning and design output, 250–251
- production networks, Fast Roaming and, 201
- protected frame types, 318–319
- Protected Management Frames (PMFs)
- benefits of, 75–76
- troubleshooting, 431–432
- protocol-routed Internet of Things (IoT), 465
- protocols
- disabling unused, 337–338
- wireless, 30–34
- protocol-translated IoT, 465
- proxy, DHCP through, 183
- public cellular, for IoT, 477–481
- Public Key Infrastructure (PKI)
- about, 25
- certificates issued from, 286
- public root CAs
- about, 159
- certificates issued from, 286
- public/private key pairs, keys generated on devices using, 286
- Q
- Qualified Security Assessors (QSAs), 17
- quantities, endpoints and, 238
- R
- radio resource management (RRM) protocols, 205–206
- radios, 378–379
- RADSEC, 118, 121
- rate limiting Wi-Fi, 208–213
- registration, troubleshooting, 431
- regulatory requirements, 17–19
- Regulatory Technical Standards for Secure Customer Authentication (RTS SCA), 369
- remote AP hardware, 41–42
- Remote Authentication Dial-In User Service (RADIUS)
- about, 26, 104, 297–299
- accounting for, 122–123
- attributes for, 111–114
- Attributes for IEEE 802 Networks, 522
- authentication server that supports, 517–520
- clients, 118–119
- 802.1X/EAP and, 425–428
- MAC authentication bypass with, 140–147
- MAC authentication without, 147
- policies for, 116–118
- security for, 121
- server certificates for 802.1X, 148–151
- server settings, 430–431
- servers, 107–110, 118–121
- shared secrets, 120
- types, 522
- vendor-specific attributes, 115–116
- remote branch environments, 39
- remote Wi-Fi VPN Client, 42–43
- remote worker environments, 40–41
- remote workforce, as an emergent trend, 441–445
- reporting
- best practices, 416–424
- configuring, 313–314
- Requirements Discovery Template, 254–261
- resiliency, system availability and, 203–205
- resources
- blogs, 524
- book materials, 524
- compliance and mappings, 525–528
- consulting materials, 524
- cyber insurance and network security, 528–529
- IEEE standards and documents, 522–524
- IETF RFCs, 521–522
- Wi-Fi Alliance, 524
- revocation lists, 157–158
- RF capabilities, 36–37
- RF design
- AP placement, channel, and power settings, 205–207
- as a planning and design output, 244
- rate limiting Wi-Fi, 208–213
- roaming and, 206
- survey software and, 412–415
- Wi-Fi 6E, 207–208
- RF spectrums, 503–504
- risk and compliance roles, 5–6
- risk officer, 231
- risk tolerance
- assigning level of, 15–16
- factors influencing, 15
- identifying, 14
- Rivest-Shamir-Adleman (RSA), 83
- roaming capabilities, endpoints and, 238
- roaming protocols
- about, 188–189
- impact on latency-sensitive applications, 189–190
- on WPA-Enterprise networks, 191–193
- on WPA-Personal networks, 190–191
- rogue AP, 384, 392
- rogue client, 384
- rogue detection, 355–356
- roles and responsibilities
- about, 4
- Chief Information Security Officer, 6–7
- end-user support, 9
- help desk, 9
- identity and access management (IAM), 8
- network architects, 4–5
- network operations teams, 9
- risk and compliance, 5–6
- security operations/analyst, 7–8
- supply chain security, 10–11
- technology manufacturers and integrators, 10
- vendor management, 10–11
- wireless architects, 4–5
- rollback support, 312–313
- S
- SANS, 435
- Sarbanes-Oxley (SOX), 305, 369
- scheduled downtime, 203
- scheduled maintenance, 203–204
- scheduled testing, 203–204
- scope of work/project, as a planning and design input, 228–230
- secure file transfers, enabling, 290
- Secure Hash Algorithm (SHA-384), 83
- securing tunneled EAP, 132–133
- security. See also specific topics
- about, 10
- aligning to organizational risk, 14–16
- assessments of, 373–374
- authentication, 23–27
- of captive portals, 163–167
- compliance requirements, 17–19
- cryptography, 27–29
- of devices, 37
- distribution of users, 37–43
- DNS, 179–180
- endpoint devices, 35–37
- endpoints and, 238
- IAC Triad, 11–14
- logging and analysis of, 407–410
- monitoring, 355–356
- network topology, 37–43
- on open vs. enhanced open networks, 167
- for RADIUS, 121
- regulatory requirements, 17–19
- role of policies, standards, and procedures, 19–21
- segmentation, 22–23
- SSID security profiles, 34–35
- wireless standards and protocols, 30–34
- security analyst, 231
- security audits, 368–370
- security information and event management (SIEM), 7, 408, 409
- security operations centers (SOCs), 7–8, 231
- security orchestration, automation, and response (SOAR), 7, 408, 409
- Security Transition Modes, 565
- segmentation
- about, 22–23
- enforcement models, 460–461
- policies for, 470
- self-signed certificates, 153, 284
- sensor placement, 379
- server certificates
- about, 121
- for captive portals, 158
- servers
- authentication of, 26
- RADIUS, 107–110, 118–121
- service set identifiers (SSIDs)
- about, 34, 72–73, 98–99, 188–189
- enterprise mode (802.1X), 77–87
- enterprise-secured networks (802.1X), 35
- guidance on, 550–551
- hiding and cloaking, 356–359
- impersonation, 385
- inter-station blocking, 344–346
- migration strategies, 76–77
- open authentication networks, 94–98
- Open Wi-Fi security, 34
- personal mode (passphrase with PSK/SAE), 87–93
- personal (passphrase) Wi-Fi security, 35
- as a planning and design output, 247–249
- transition modes, 76–77
- WPA2/WPA3, 73–76
- 7Signal, 407
- shared credentials and keys, 301–303
- shared/coordinated spectrum, 489
- Sigfox, 500
- Signal Hound, 404
- Simple Network Time Protocol (SNTP), 175–176
- 6loWPAN, 476–477
- smart building, 475–477
- SNMP, removing default strings, 296
- SNMPv2c, 296
- SNMPv3, 291–293
- software
- patching, 469
- as a planning and design output, 249–250
- updating, 469
- verifying integrity for upgrades and patches, 314–316
- software-based PEPs, 460–461
- spectrum analyzers, 400–403
- SSH
- enabling, 289–290
- key management, 302–303
- standards
- role of, 19–21
- wireless, 30–34
- Subject Alternative Name (SAN), 151
- subscriber identity module (SIM), 25–26
- supply chain security, 10–11
- survey software, RF design and, 412–415
- SweynTooth, 473–474
- switches, 331
- symmetric-key algorithms, 28
- synthetic testing, 405–407
- System and Organization Controls (SOCs), 369
- system availability
- as a planning and design output, 249
- resiliency and, 203–205
- system logon banners, 307
- system owners, 232
- system security requirements, as a planning and design input, 239–240
- T
- TACACS+, 26, 297–299
- TalentLMS, 443
- tamper-evident labels (TELs), 337
- teams involved, as a planning and design input, 230–233
- Tech Field Day, 436
- technical elements, 45
- technical leadership, 267–279
- technology
- manufacturers and integrators, 10
- wireless standards and, 30–32
- Telnet, enabling, 289–290
- templates, planning, 254–267
- terminology, 3–4
- testing and assessments
- of applications, 415–416
- scheduled, 203–204
- of wireless security, 367–376
- third parties, 271, 544–547
- third-party CAs, certificates issued from, 286
- Thread, 476–477
- 3GPP (3rd Generation Partnership Project), 32
- tiered hardening, 353–354
- time sync services
- about, 174
- servers and, 175
- uses in Wi-Fi, 175–177
- tools. See also specific tools
- about, 376–377
- as a planning and design output, 249–250
- wireless intrusion prevention systems (WIPS), 377–405
- training resources
- about, 432
- conferences and community, 436
- technology courses and providers, 432–435
- vendor-specific, 435–436
- Transition Modes, 76–77, 319–320
- Transport Layer Security (TLS), 83
- troubleshooting
- of applications, 415–416
- MAC-based authentication, 428–431
- onboarding, 431
- portals, 431
- protected management frames (PMFs), 431–432
- registration, 431
- Trusted Platform Module (TPM) chips, 25
- Trustwave's SpiderLabs, 349–350
- U
- Uncontrolled Port function, 106
- Universal Plug-n-Play (UPnP) protocols, 350–351
- unlicensed spectrum, 489
- unprotected frame types, 317–318
- unsecured EAP methods, 137–138
- upgrades, verifying software integrity for, 314–316
- uptime, 203
- user directories, 121
- user-attachment, endpoints and, 237
- user-based devices, 36
- user-based logons, enforcing, 297–299
- users
- authentication of, 24–25
- captive portals for registration of, 163–165
- distribution of, 37–43
- as a planning and design input, 239
- V
- Validate phase, in Design for Six Sigma (DFSS), 227
- validated frames, 319
- validating server certificates, 154
- vendor management, 10–11, 233
- vendor-specific attributes (VSAs), 115–116
- vendor-specific training and resources, 435–436
- virtual LANs (VLANs)
- about, 22–23
- edge port, 329
- RADIUS attributes for dynamic, 113–114
- VLAN hopping, 330
- virtual private network (VPN), 27, 546
- vulnerability assessments
- about, 370–372
- external, 373
- internal, 372–373
- W
- wide area networks (WANs), 505
- Wi-Fi
- clients
- DHCP for, 181–185
- DNS for, 177–179
- design impacts on security, 187–217
- future of, 559–561
- infrastructure that supports Enterprise (802.1X) SSID security profiles, 513–514
- LDAP authentication for, 168
- management frames, 317
- network services for, 173–187
- rate limiting, 208–213
- recommendations for Fast Roaming in secure, 201–202
- recommended EAP methods for secure, 138–140
- 6E, 207–208
- time sync services in, 175–177
- training and certification, 433–434
- Wi-Fi Alliance (WFA), 31, 77, 93, 524
- Wi-Fi Protected Access version 2 (WPA2)
- about, 73–75, 319–320
- benefits of Protected Management Frames (PMF), 75–76
- considerations for, 320
- migration recommendations, 85–87, 92–93
- protected management frames, 316–321
- using with 802.11R, 321
- Wi-Fi Protected Access version 3 (WPA3)
- about, 73–75, 319–320
- benefits of Protected Management Frames (PMF), 75–76
- changes in roaming facilitation with, 200–201
- cipher suites, 79–80
- considerations for, 320
- determining length of passphrases, 555–558
- enhancements with, 82, 88–92
- guidance on, 549–550
- headless devices on, 541, 543
- migration recommendations, 85–87, 92–93
- 192-bit mode, 82–83
- Personal Only Mode, 91
- Personal Transition Mode, 91
- protected management frames, 316–321
- Transition Mode, 85–86
- using with 802.11R, 321
- Wi-Fi Protected Access-Enterprise (WPA-Enterprise)
- guidance on, 549–550
- roaming and key exchanges on, 191–193
- Wi-Fi Protected Access-Personal (WPA-Personal)
- PMKID attacks on, 195–196
- roaming and key exchanges on, 190–191
- Wi-Fi VPN Client, remote, 42–43
- Wi-Fi-enhanced open authentication networks, 95–98
- wildcard certificates, 153
- Windows, Fast Transition support and, 199
- wired infrastructure
- adding integrity to, 325–330
- as a planning and design output, 245–247
- wireless access networks (WANs)
- connections, 39–40
- private, 499–501
- wireless architects, 4–5, 268
- wireless bridges, 390
- wireless infrastructure and operations
- about, 45–46, 55–56
- architectures with cloud management, 50–51
- authentication of components, 26–27
- cloud-managed benefits, 48–49
- connection type
- for endpoints, 236
- as a planning and design output, 241–242
- control plane, 46–47
- controller managed Wi-Fi, 52–53
- data plane, 47–48
- LAN services, 39–40
- local cluster managed Wi-Fi, 53–54
- management
- architecture and products, as a planning and design input, 241
- model and products, as a planning and design output, 243
- management plane, 46
- remote APs, 55
- rogues/neighbors, 392–395
- role of gateway appliances with cloud-managed APs, 51–52
- technology
- expectations for, 275–279
- selecting, 271–275
- standards/protocols, 30–34
- types of, 272
- validating vendor files, 315
- wireless-specific tools
- about, 410
- handheld testers, 410–412
- network protocol analyzers, 415
- RF design and survey software, 412–415
- testing and troubleshooting applications, 415–416
- wireless intrusion detection systems (WIDS), 377–378
- wireless intrusion prevention systems (WIPS)
- about, 7, 355–356, 377
- attacks on, 384–391
- history of, 380
- mitigation and containment, 396–397
- recommendations for, 404–405
- requirements for, 378
- WIDS vs., 377–378
- wired IPS vs., 377–378
- Wireless LAN Professionals Conference (WLPC), 436
- WirelessHART, 501–502
- Wireshark, 126, 386
- Wyebot, 407
- Z
- zero touch provisioning (ZTP), 42
- zero trust
- about, 268, 455
- current state of, 455–456
- impact on wireless, 462–463
- language for, 456–457
- products, 457–460
- segmentation enforcement models, 460–461
- Zeroconf
- about, 351–353
- supporting with 802.1X in medium-security networks, 537–538