Wireless Security Architecture
Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise

About the Book

Reduce organizational cybersecurity risk and build comprehensive WiFi, private cellular, and IOT security solutions

Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise offers readers an essential guide to planning, designing, and preserving secure wireless infrastructures. It is a blueprint to a resilient and compliant architecture that responds to regulatory requirements, reduces organizational risk, and conforms to industry best practices. This book emphasizes WiFi security, as well as guidance on private cellular and Internet of Things security.

Readers will discover how to move beyond isolated technical certifications and vendor training and put together a coherent network that responds to contemporary security risks. It offers up-to-date coverage—including data published for the first time—of new WPA3 security, Wi-Fi 6E, zero-trust frameworks, and other emerging trends. It also includes:
  • Concrete strategies suitable for organizations of all sizes, from large government agencies to small public and private companies
  • Effective technical resources and real-world sample architectures
  • Explorations of the relationships between security, wireless, and network elements
  • Practical planning templates, guides, and real-world case studies demonstrating application of the included concepts

Perfect for network, wireless, and enterprise security architects, Wireless Security Architecture belongs in the libraries of technical leaders in firms of all sizes and in any industry seeking to build a secure wireless network.

Table of Contents:
Foreword; Preface; Introduction

Part I Technical Foundations

Chapter 1 Introduction to Concepts and Relationships: Roles and Responsibilities; Network and Wireless Architects; Security, Risk, and Compliance Roles; Operations and Help Desk Roles; Support Roles; External and Third Parties; Security Concepts for Wireless Architecture; Security and IAC Triad in Wireless; Aligning Wireless Architecture Security to Organizational Risk; Factors Influencing Risk Tolerance; Assigning a Risk Tolerance Level; Considering Compliance and Regulatory Requirements; Compliance Regulations, Frameworks, and Audits; The Role of Policies, Standards, and Procedures; Segmentation Concepts; Authentication Concepts; Cryptography Concepts; Wireless Concepts for Secure Wireless Architecture; NAC and IEEE 802.1X in Wireless; SSID Security Profiles; Security; Endpoint Devices; Network Topology and Distribution of Users; Summary

Chapter 2 Understanding Technical Elements: Understanding Wireless Infrastructure and Operations; Management vs. Control vs. Data Planes; Cloud-Managed Wi-Fi and Gateways; Controller Managed Wi-Fi; Local Cluster Managed Wi-Fi; Remote APs; Summary; Understanding Data Paths; Tunneled; Bridged; Considerations of Bridging Client Traffic; Hybrid and Other Data Path Models; Filtering and Segmentation of Traffic; Summary; Understanding Security Profiles for SSIDs; WPA2 and WPA3 Overview; Transition Modes and Migration Strategies for Preserving Security; Enterprise Mode (802.1X); Personal Mode (Passphrase with PSK/SAE); Open Authentication Networks

Chapter 3 Understanding Authentication and Authorization: The IEEE 802.1X Standard; Terminology in 802.1X; High-Level 802.1X Process in Wi-Fi Authentication; RADIUS Servers, RADIUS Attributes, and VSAs; RADIUS Servers; RADIUS Servers and NAC Products; Relationship of RADIUS, EAP, and Infrastructure Devices; RADIUS Attributes; RADIUS Vendor-Specific Attributes; RADIUS Policies; RADIUS Servers, Clients and Shared Secrets; Other Requirements; Additional Notes on RADIUS Accounting; Change of Authorization and Disconnect Messages; EAP Methods for Authentication; Outer EAP Tunnels; Securing Tunneled EAP; Inner Authentication Methods; Legacy and Unsecured EAP Methods; Recommended EAP Methods for Secure Wi-Fi; MAC-Based Authentications; MAC Authentication Bypass with RADIUS; MAC Authentication Without RADIUS; MAC Filtering and Denylisting; Certificates for Authentication and Captive Portals; RADIUS Server Certificates for 802.1X; Endpoint Device Certificates for 802.1X; Best Practices for Using Certificates for 802.1X; Captive Portal Server Certificates; Best Practices for Using Certificates for Captive Portals; In Most Cases, Use a Public Root CA Signed Server Certificate; Understand the Impact of MAC Randomization on Captive Portals; Captive Portal Certificate Best Practices Recap; Summary; Captive Portal Security; Captive Portals for User or Guest Registration; Captive Portals for Acceptable Use Policies; Captive Portals for BYOD; Captive Portals for Payment Gateways; Security on Open vs. Enhanced Open Networks; Access Control for Captive Portal Processes; LDAP Authentication for Wi-Fi; The 4-Way Handshake in Wi-Fi; The 4-Way Handshake Operation; The 4-Way Handshake with WPA2-Personal and WPA3-Personal; The 4-Way Handshake with WPA2-Enterprise and WPA3-Enterprise; Summary

Chapter 4 Understanding Domain and Wi-Fi Design Impacts: Understanding Network Services for Wi-Fi; Time Sync Services; Time Sync Services and Servers; Time Sync Uses in Wi-Fi; DNS Services; DHCP Services; DHCP for Wi-Fi Clients; Planning DHCP for Wi-Fi Clients; DHCP for AP Provisioning; Certificates; Understanding Wi-Fi Design Impacts on Security; Roaming Protocols’ Impact on Security; Fast Roaming Technologies; System Availability and Resiliency; RF Design Elements; AP Placement, Channel, and Power Settings; Wi-Fi 6E; Rate Limiting Wi-Fi; Other Networking, Discovery, and Routing Elements; Summary

Part II Putting It All Together

Chapter 5 Planning and Design for Secure Wireless: Planning and Design Methodology; Discover Stage; Architect Stage; Iterate Stage; Planning and Design Inputs (Define and Characterize); Scope of Work/Project; Teams Involved; Organizational Security Requirements; Current Security Policies; Endpoints; Users; System Security Requirements; Applications; Process Constraints; Wireless Management Architecture and Products; Planning and Design Outputs (Design, Optimize, and Validate); Wireless Networks (SSIDs); System Availability; Additional Software or Tools; Processes and Policy Updates; Infrastructure Hardening; Correlating Inputs to Outputs; Planning Processes and Templates; Requirements Discovery Template (Define and Characterize); Sample Network Planning Template (SSID Planner); Sample Access Rights Planning Templates; Notes for Technical and Executive Leadership; Planning and Budgeting for Wireless Projects; Consultants and Third Parties Can Be Invaluable; Selecting Wireless Products and Technologies; Expectations for Wireless Security; Summary

Chapter 6 Hardening the Wireless Infrastructure: Securing Management Access; Enforcing Encrypted Management Protocols; Eliminating Default Credentials and Passwords; Controlling Administrative Access and Authentication; Securing Shared Credentials and Keys; Addressing Privileged Access; Additional Secure Management Considerations; Designing for Integrity of the Infrastructure; Managing Configurations, Change Management, and Backups; Configuring Logging, Reporting, Alerting, and Automated Responses; Verifying Software Integrity for Upgrades and Patches; Working with 802.11w Protected Management Frames; Provisioning and Securing APs to Manager; Adding Wired Infrastructure Integrity; Planning Physical Security; Locking Front Panel and Console Access on Infrastructure Devices; Disabling Unused Protocols; Controlling Peer-to-Peer and Bridged Communications; A Note on Consumer Products in the Enterprise; Blocking Ad-Hoc Networks; Blocking Wireless Bridging on Clients; Filtering Inter-Station Traffic, Multicast, and mDNS; Best Practices for Tiered Hardening; Additional Security Configurations; Security Monitoring, Rogue Detection, and WIPS; Considerations for Hiding or Cloaking SSIDs; Requiring DHCP for Clients; Addressing Client Credential Sharing and Porting; Summary

Part III Ongoing Maintenance and Beyond

Chapter 7 Monitoring and Maintenance of Wireless Networks: Security Testing and Assessments of Wireless Networks; Security Audits; Vulnerability Assessments; Security Assessments; Penetration Testing; Ongoing Monitoring and Testing; Security Monitoring and Tools for Wireless; Wireless Intrusion Prevention Systems; Recommendations for WIPS; Synthetic Testing and Performance Monitoring; Security Logging and Analysis; Wireless-Specific Tools; Logging, Alerting, and Reporting Best Practices; Events to Log for Forensics or Correlation; Events to Alert on for Immediate Action; Events to Report on for Analysis and Trending; Troubleshooting Wi-Fi Security; Troubleshooting 802.1X/EAP and RADIUS; Troubleshooting MAC-based Authentication; Troubleshooting Portals, Onboarding, and Registration; Troubleshooting with Protected Management Frames Enabled; Training and Other Resources; Technology Training Courses and Providers; Vendor-Specific Training and Resources; Conferences and Community; Summary

Chapter 8 Emergent Trends and Non-Wi-Fi Wireless: Emergent Trends Impacting Wireless; Cloud-Managed Edge Architectures; Remote Workforce; Process Changes to Address Remote Work; Recommendations for Navigating a Remote Workforce; Bring Your Own Device; Zero Trust Strategies; Internet of Things; Enterprise IoT Technologies and Non-802.11 Wireless; IoT Considerations; Technologies and Protocols by Use Case; Features and Characteristics Impact on Security; Other Considerations for Secure IoT Architecture; Final Thoughts from the Book

Appendix A Notes on Configuring 802.1X with Microsoft NPS: Wi-Fi Infrastructure That Supports Enterprise (802.1X) SSID Security Profiles; Endpoints That Support 802.1X/EAP; A Way to Configure the Endpoints for the Specified Connectivity; An Authentication Server That Supports RADIUS

Appendix B Additional Resources: IETF RFCs; IEEE Standards and Documents; Wi-Fi Alliance; Blog, Consulting, and Book Materials; Compliance and Mappings; Cyber Insurance and Network Security

Appendix C Sample Architectures: Architectures for Internal Access Networks; Managed User with Managed Device; Headless/Non-User-Based Devices; Contractors and Third Parties; BYOD/Personal Devices with Internal Access; Guidance on WPA2-Enterprise and WPA3-Enterprise; Guidance on When to Separate SSIDs; Architectures for Guest/Internet-only Networks; Guest Networks; BYOD/Personal Devices with Internet-only Access; Determining Length of a WPA3-Personal Passphrase

Appendix D Parting Thoughts and Call to Action: The Future of Cellular and Wi-Fi; MAC Randomization

Index

About the Author:
JENNIFER (JJ) MINELLA is an internationally recognized authority on network and wireless security, author, and public speaker. She is an advisory CISO and information security leader with over fifteen years’ experience working with organizations creating network security and leadership strategies. She is Founder and Principal Advisor of Viszen Security.




Product Details
  • ISBN-13: 9781119883050
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: John Wiley & Sons Inc
  • Height: 234 mm
  • No of Pages: 624
  • Returnable: N
  • Sub Title: Designing and Maintaining Secure Wireless for Enterprise
  • Width: 188 mm
  • ISBN-10: 1119883059
  • Publisher Date: 11 Apr 2022
  • Binding: Paperback
  • Language: English
  • Spine Width: 33 mm
  • Weight: 998 g

