Wireless Security – N10-008 CompTIA Network+ : 4.3

A wireless network includes a unique set of security concerns. In this video, you’ll learn about MAC filtering, wireless isolation, geofencing, and more.

A security feature you may find built into your access point is one that can filter based on MAC address. MAC stands for the Media Access Control address. And this is referring to the hardware address of a network interface card. This allows you to limit what MAC addresses can communicate on your wireless network. This requires you, as the administrator, to put in all of the MAC addresses that might be allowed on your network, so that all of the others can be filtered out.

If you have a new device you’re adding to your wireless network or you have a guest that needs to get on to your wireless network, you’ll need to administratively add their MAC address to this list. One of the problems with an access control list that’s based on MAC address is that it’s very easy to find an existing MAC address that’s communicating on the network.

You can use a very simple wireless LAN analyzer to view all of the MAC addresses communicating. Simply wait for one of those devices to leave and then you can configure your device with the same MAC address. This allows you to circumvent these MAC address filters because you’re now using a trusted MAC address on your device.

It’s difficult to call this a security feature. If anything, we can refer to it as security through obscurity. This describes the security method that once you know how the method is performed, you can easily defeat it. And ultimately, security through obscurity is not security at all.

One way to limit people connecting to your wireless network is to limit where the signal happens to go. So we need to be very careful about where we place antennas on our wireless access points. Normally, we would configure the power levels on these access points to only allow us to connect from inside of the building.

We don’t want someone to be on the outside in the parking lot able to communicate to our internal networks. This might require you to walk around the building to determine where the strongest signals might be and to adjust the antennas to limit the scope of that signal outside of the building.

We also might want to place antennas so that they’re not interfering with other frequencies that might be in use. If we look at a 2.4 gigahertz network, which has a limited number of non-overlapping channels, we know that we can only put traffic on channels 1, channel 6, and channel 11.

So if we wanted to put a series of access points into this building, we might want to put the antennas so that they’re not overlapping between channels 1, 6, and 11. And you can see in this diagram, we’ve been able to separate all of these channels so that we can have the best coverage and the least amount of interference.

Another security feature you may find in your wireless access point is the ability to provide wireless isolation. This means that a person connecting to a wireless network would not be able to communicate with other devices on this wireless network. You might be able to communicate to the internet, but you wouldn’t be able to communicate to anyone else on that wireless network.

You might see this option used in a hotel or some other public area where your wireless access point is being used by many different people and none of those people know each other. This would commonly not be a configuration that you would set up at work, especially, if you have a requirement to connect to other people on that wireless network.

Some access points allow you to have a working network and a guest network. And commonly, the guest network would not have access to other networks on that access point. This is almost always the default setting, so that you can have an internal trusted network, but you could also allow access from guests and other people that may need to connect to the internet. This will allow them to have internet access, but would prevent them from accessing any devices on your private network.

The security settings on your wireless access point are very important. We want to be sure that we’re providing the best security for the clients on this wireless network. Normally, when you would connect in a public access point, you would be using an open system. You don’t have to use any particular password to gain access to this network, but you’re also not able to encrypt any of the traffic going over this network.

On small or private networks, you might want to use a Pre-Shared Key, or PSK. Sometimes you’ll see this referred to as a personal network configuration. And commonly, this would be used in conjunction with WPA/2 or WPA/3. You would hand out this pre-shared key to everyone who needs access to the network. And this would also allow them to communicate over an encrypted channel.

In an enterprise or office environment, you don’t want to share the same passphrase with everyone. In that case, you would probably use 802.1X. You may see this also referred to as an Enterprise configuration for WPA/2 or WPA/3. This requires users to authenticate with a username and password that’s unique to them. And it’s usually checked against a central database, such as a radius database or an active directory database.

The authentication used to gain access to a wireless network commonly uses EAP, or the Extensible Authentication Protocol. This is a framework for authentication that’s used for more than just wireless networks. But it’s one that’s very common to find on WPA/2 or WPA/2 networks. It’s an RFC standard. And you’ll find there are about five different EAP types used between WPA/2 and WPA/3 to allow people to gain access to a wireless network.

If we’re on an 802.1X network and we need some authentication protocol to be able to access a backend database of users and passwords, we would need to use some version of EAP. So if you’re on your enterprise network or you’re using the wireless network in your office, then you’re probably authenticating using some type of EAP.

On some wireless networks, we might want to allow or disallow access to that network based on where someone might physically be. We can do this by using geofencing. This allows us to identify the location of a user, often using GPS, and then provide access or deny access based on where they might physically be located. We can even enable or disable certain features of a mobile device or device connected to the wireless network using this geofencing.

For example, if someone is inside of the building, we might want to restrict or prevent someone from taking pictures with their camera. But when they leave the building, they’re outside of the scope of that geofencing, and their camera would work as normal. We can also integrate this with authentication. If we want to check to see if someone is physically in the building, we can check that with the GPS and then allow or disallow their authentication.

Another security feature you’ve probably seen on a wireless network is a captive portal. This is a message that appears when you first connect to the network that asks you to authenticate, usually with a username, password, or some other type of authentication factor. This is usually based on a table of allowed devices that’s maintained within the access point, and if your device is not on the list of allowed devices, then it presents this captive portal page so that you can authenticate to the network.

This will often present a username, a password prompt, and, in some cases, you can include other authentication factors as well. Once all of that authentication is properly confirmed, that person is now allowed access to the wireless network. That’s usually maintained for a certain amount of time. For example, you may have access to the network for 24 hours, and then after that 24 hours, you will need to re-authenticate through the captive portal.

We have an increasing number of devices that are connecting to our wireless networks and, very often, these are the IoT devices, or Internet of Things devices. If you look at IoT devices in your home, you may have things like garage door openers, appliances, door locks, lights, and other components that are connected to your wireless network.

One challenge with these IoT devices is that a manufacturer of a garage door may not be familiar with all of the intricacies associated with network security. So we may want to provide additional security for these IoT devices.

At a minimum, we might want to be sure that our IoT devices are on one wireless network and all of our private laptops and storage devices are on a completely separate network. This means if someone does gain access to one of the IoT devices, they would have a limited scope of what they would be able to access inside of our home.

Most of our home devices don’t have the ability to set up a separate VLAN. But they may have a guest network, which is almost the same thing. It’s a separate wireless network that has access to the internet, but it doesn’t have access to our internal network. This is a bit different than a DMZ or a screened-subnet because a screened-subnet is designed to be accessed from the internet. A guest network would have no access from the internet. It would be outbound access only.