Wireless Security – CompTIA Security+ SY0-501 – 6.3

There are many different methods of providing wireless security. In this video, you’ll learn about wireless security modes, captive ports, and WPS.

<< Previous Video: Wireless Authentication Protocols Next: PKI Components >>

If you’re configuring a wireless access point at your home or at your office, you may have a number of different options available for authentication. You can see a number of those are listed on my wireless access point. If you don’t want to provide any type of security, you can have an open system, where you don’t need any type of authentication or password to gain access to the wireless network.

If we have a wireless network at home, we’re usually using WPA or WPA2, and it’s usually named WPA-Personal or WPA-PSK. That stands for Pre-Shared Key. It’s using WPA2 encryption, but it requires a key that everyone will use to gain access. And everyone on your network needs to know this key before they can ever use the wireless network.

At a place of business, there are a number of security problems with using a shared key that everyone would have access to. In those cases, we would choose WPA-Enterprise. This is also WPA-802.1X. This allows users to authenticate using their normal network credentials, and we’re using 802.1X to be able to provide that authentication.

Another option for authentication on many wireless networks is you open up a browser, and you get a pop-up message that asks for a username and password. This is a captive portal, and we commonly see this used on wireless networks or networks where you need access to the internet. This captive portal server maintains a list of everyone who has access to the network and people that don’t have access to the network. And if you have not currently authenticated, it prompts a message on the screen that asks you to provide your username and your password.

Many captive portals can also integrate additional authentication factors, so you may need your pseudo-random key generator that’s on your mobile phone or the one that’s attached to your key ring. Once you’ve authenticated with the proper credentials, you now gain access to the network. Captive portal usually has a way to log you out automatically after a certain amount of time, or there may be a log out button that you can press in your browser.

During the evolution of wireless networks, we once thought that maybe using shared passphrases might be too difficult for people who are trying to connect to the network. So we created a new method of authentication called WPS. This stands for Wi-Fi Protected Setup. It was originally called Wi-Fi Simple Config. The idea is that this would be an easy way to connect to a wireless network instead of going through the process of adding a passphrase to a wireless configuration.

There are a number of different ways to authenticate using WPS. One of these is using an eight digit pin that is configured on the access point, and you would simply add that 8 digit pin onto your mobile device. Another form of authentication with WPS used a button that you would push on the front of the access point, and other access points supported near-field communication, or NFC. Older types of WPS authentication allowed you to plug a USB key into the wireless access point, but that method is no longer used today.

Unfortunately, in December of 2011, a significant flaw was found with WPS that had really been part of the design of WPS since the very beginning. We mentioned earlier that there is a personal identification number that’s used for authentication using WPS. This is an eight digit number. But in reality, it’s a seven digit number, and the last number is a checksum. That means these seven digits would give you about 10 million possible combinations.

But the WPS validation process actually looked at the first half of the number and then the second half of the number. So with only four digits, you have 10,000 possibilities, and the second number was really three digits and a checksum. So those three digits gave us 1,000 different possibilities. This meant that we only really needed to go through 11,000 possibilities, so it became very easy to brute force access to a WPS enabled wireless network.

Initially, most wireless access points weren’t considering that there would be a brute force attack with the WPS. So there was no lockout function, and you could go through the entire list in a number of hours. Today, most wireless access points have a brute force lockout counter, but the best practice is to disable WPS entirely on your wireless access points.