Study Guide: Principles of Information Security: Wireless Security (WPA3, EAP, Rogue APs)
Source: https://www.fatskills.com/first-aid/chapter/information-security-wireless-security-wpa3-eap-rogue-aps

Principles of Information Security: Wireless Security (WPA3, EAP, Rogue APs)

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.



Wireless Security Study Guide: WPA3, EAP, Rogue APs

For CISSP, Security+, CEH, and Real-World Defense


What This Is

Wireless security protects data transmitted over Wi-Fi, Bluetooth, and other radio-frequency (RF) networks from eavesdropping, unauthorized access, and attacks. A real-world example: In 2017, the KRACK attack exploited weaknesses in WPA2 to decrypt traffic, exposing passwords and credit card numbers. Weak wireless security can lead to data breaches, lateral movement in networks, and compliance violations (e.g., PCI DSS, HIPAA). This guide covers WPA3 (the latest Wi-Fi security standard), EAP (authentication frameworks), and rogue access points (malicious Wi-Fi hotspots).


Key Terms & Concepts

  • WPA3 (Wi-Fi Protected Access 3): The latest Wi-Fi security protocol (IEEE 802.11ax), replacing WPA2. Uses SAE (Simultaneous Authentication of Equals) instead of PSK (Pre-Shared Key) to resist brute-force attacks. Supports 192-bit encryption (for enterprise) and Opportunistic Wireless Encryption (OWE) for open networks (e.g., coffee shops).

  • EAP (Extensible Authentication Protocol): A framework (RFC 3748) for wireless authentication, often used with 802.1X (port-based access control). Common EAP types:
      • EAP-TLS: Uses digital certificates (most secure, but complex).
      • PEAP (Protected EAP): Encapsulates EAP in a TLS tunnel (e.g., PEAP-MSCHAPv2).
      • EAP-TTLS: Similar to PEAP but supports legacy authentication (e.g., PAP, CHAP).
      • EAP-SIM: Uses SIM cards for authentication (common in cellular networks).

  • 802.1X: IEEE standard for port-based network access control (NAC). Requires supplicant (client), authenticator (AP/switch), and authentication server (RADIUS). Used in enterprise Wi-Fi (e.g., Eduroam).

  • Rogue Access Point (Rogue AP): An unauthorized Wi-Fi access point (AP) installed on a network, often by employees ("shadow IT") or attackers. Can bypass firewalls and enable evil twin attacks (malicious AP mimicking a legitimate one). Detected via wireless intrusion detection systems (WIDS) like Cisco Prime or Aruba AirWave.

  • Evil Twin Attack: A rogue AP with the same SSID (network name) and BSSID (MAC address) as a legitimate AP. Tricks users into connecting, enabling man-in-the-middle (MITM) attacks. Defended by having clients validate the network's certificate (e.g., EAP-TLS) and by disabling Wi-Fi Protected Setup (WPS).

  • PMF (Protected Management Frames): IEEE 802.11w standard that encrypts management frames (e.g., deauthentication packets) to prevent deauthentication attacks (e.g., forcing clients to reconnect to an evil twin). Mandatory in WPA3.

  • SAE (Simultaneous Authentication of Equals): WPA3’s replacement for PSK. Uses Dragonfly Key Exchange (a zero-knowledge proof) to resist offline dictionary attacks. Even if an attacker captures the handshake, they can’t brute-force the password.

  • OWE (Opportunistic Wireless Encryption): WPA3 feature for open networks (e.g., airports). Encrypts traffic between client and AP without authentication, preventing passive eavesdropping. Still vulnerable to active MITM attacks.

  • RADIUS (Remote Authentication Dial-In User Service): Protocol (RFC 2865) for centralized authentication, authorization, and accounting (AAA). Used with 802.1X (e.g., FreeRADIUS, Microsoft NPS). Ports: UDP 1812 (authentication), 1813 (accounting).

  • WPS (Wi-Fi Protected Setup): A push-button or PIN-based method to simplify Wi-Fi setup. Vulnerable to brute-force attacks (e.g., Reaver tool). Disable WPS in all deployments.

  • Wireless Deauthentication Attack: Attackers send spoofed deauthentication frames to disconnect clients, forcing them to reconnect (and reveal the handshake for WPA2 cracking). Mitigated by PMF (802.11w).

  • Wi-Fi Pineapple: A tool (by Hak5) used for rogue AP attacks, MITM, and credential harvesting. Often used in penetration testing (CEH) and red teaming.
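The rogue AP, evil twin, deauthentication and PMF entries above describe what a WIDS looks for. The following is an added example, not code from the Fatskills guide or from any WIDS product: toy detection logic run over constructed frame records (SSIDs, BSSIDs and timestamps are made up). It flags a BSSID beaconing a corporate SSID that is not in the authorised AP inventory, a burst of deauthentication frames against one AP, and authorised APs whose beacons do not require PMF.

```python
"""Toy wireless-IDS checks over constructed frame records (added example).

Flags: evil-twin candidates (unknown BSSID advertising a corporate SSID),
deauthentication floods (many deauth frames at one BSSID in a short window,
the pattern 802.11w/PMF is meant to blunt), and authorised APs whose beacons
do not require PMF. All frame data below is constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass

# Authorised AP inventory: corporate SSID -> BSSIDs allowed to beacon it (constructed).
AUTHORISED = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

@dataclass(frozen=True)
class Frame:
    ts: float          # seconds since capture start
    kind: str          # "beacon" or "deauth"
    bssid: str         # transmitter for beacons, targeted AP for deauth
    ssid: str = ""     # only meaningful for beacons
    pmf: bool = False  # beacon advertised "management frame protection required"

def find_evil_twins(frames):
    """{ssid: sorted unknown BSSIDs} for beacons that carry a corporate SSID."""
    suspects = defaultdict(set)
    for f in frames:
        if f.kind != "beacon" or f.ssid not in AUTHORISED:
            continue
        if f.bssid.lower() not in {b.lower() for b in AUTHORISED[f.ssid]}:
            suspects[f.ssid].add(f.bssid.lower())
    return {ssid: sorted(b) for ssid, b in suspects.items()}

def find_deauth_floods(frames, window=10.0, threshold=20):
    """{bssid: peak count} where more than `threshold` deauth frames target one
    BSSID inside any sliding window of `window` seconds."""
    by_bssid = defaultdict(list)
    for f in frames:
        if f.kind == "deauth":
            by_bssid[f.bssid.lower()].append(f.ts)
    floods = {}
    for bssid, times in by_bssid.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            floods[bssid] = peak
    return floods

def pmf_gaps(frames):
    """Authorised BSSIDs whose beacons do not require PMF (802.11w)."""
    gaps = set()
    for f in frames:
        if (f.kind == "beacon" and f.ssid in AUTHORISED
                and f.bssid.lower() in AUTHORISED[f.ssid] and not f.pmf):
            gaps.add(f.bssid.lower())
    return sorted(gaps)

def sample_frames():
    """Constructed capture: two legitimate APs, one impostor, one unrelated network."""
    frames = [
        Frame(0.0, "beacon", "00:11:22:33:44:01", "CorpWiFi", pmf=True),
        Frame(0.1, "beacon", "00:11:22:33:44:02", "CorpWiFi", pmf=False),
        Frame(0.2, "beacon", "de:ad:be:ef:00:01", "CorpWiFi", pmf=False),   # impostor
        Frame(0.3, "beacon", "aa:bb:cc:dd:ee:ff", "CoffeeShop", pmf=False), # not ours
    ]
    # 30 deauth frames in 3 s against one AP (flood); 3 in a minute against another (noise)
    frames += [Frame(5.0 + i * 0.1, "deauth", "00:11:22:33:44:02") for i in range(30)]
    frames += [Frame(100.0 + i * 20.0, "deauth", "00:11:22:33:44:01") for i in range(3)]
    return frames

if __name__ == "__main__":
    fr = sample_frames()
    print("evil twin candidates:", find_evil_twins(fr))
    print("deauth floods:", find_deauth_floods(fr))
    print("authorised APs without PMF:", pmf_gaps(fr))
```

The inventory check only works when the impostor uses its own BSSID; an evil twin that clones the legitimate BSSID as well (as the definition above notes) looks identical at this level, so a real WIDS also correlates on channel, signal strength, and capability fingerprints of each sensor's view.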


Step-by-Step: Securing a Wireless Network

  1. Assess Requirements & Risks
      • Determine if the network is enterprise (802.1X, RADIUS) or SOHO (WPA3-Personal).
      • Identify compliance needs (e.g., PCI DSS requires WPA2/3-Enterprise for payment systems).
      • Conduct a site survey (tools: Ekahau, NetSpot) to detect rogue APs and interference.

  2. Deploy WPA3 (or WPA2-Enterprise as Fallback)
      • Enterprise: Use WPA3-Enterprise with EAP-TLS (certificates) or PEAP-MSCHAPv2 (if certificates are impractical).
      • Personal/SOHO: Use WPA3-Personal with a strong passphrase (≥12 chars, mixed case/symbols).
      • Disable WPA2/PSK if possible (backward compatibility introduces risks).
      • Enable PMF (802.11w) to protect management frames.

  3. Configure 802.1X & RADIUS
      • Set up a RADIUS server (e.g., FreeRADIUS, Microsoft NPS).
      • Configure the authenticator (AP/switch) to forward requests to RADIUS.
      • Deploy client certificates (for EAP-TLS) or server certificates (for PEAP/TTLS).
      • Disable weak EAP methods (e.g., EAP-MD5, LEAP).

  4. Detect & Mitigate Rogue APs
      • Use WIDS/WIPS (Wireless Intrusion Detection/Prevention System) like Cisco Meraki or Aruba AirWave.
      • Enable client isolation (prevents clients from communicating with each other).
      • Physically inspect for unauthorized APs (e.g., in conference rooms).
      • Educate employees to report suspicious networks (e.g., "Free_WiFi" in the office).

  5. Monitor & Maintain
      • Log authentication attempts (RADIUS accounting).
      • Set up alerts for deauthentication floods (possible attack).
      • Rotate PSKs (if using WPA3-Personal) every 6–12 months.
      • Update AP firmware to patch vulnerabilities (e.g., KRACK, FragAttacks).
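Step 3 above (802.1X with a RADIUS server, weak EAP methods disabled) is easiest to understand as a message flow between the three 802.1X roles. The following is an added example, not code from the Fatskills guide and not any real supplicant, hostapd or RADIUS implementation: a simulation in which the authenticator only relays EAP messages and keeps the port blocked until the server answers Access-Accept, while the server's method policy refuses EAP-MD5 and LEAP. The EAP type codes are the IANA values; the identity, certificate subject and password are constructed.

```python
"""Simulated 802.1X / EAP exchange: supplicant, authenticator, RADIUS server.

Added example. Models the message flow only: the authenticator never inspects
credentials, the server enforces which EAP methods are allowed, and the port
opens only on Access-Accept. PEAP's inner MSCHAPv2 exchange is collapsed into a
password compare; TLS is collapsed into a certificate-subject compare.
"""

# IANA EAP method type codes
EAP_IDENTITY, EAP_NAK, EAP_MD5, EAP_TLS, EAP_LEAP, EAP_PEAP = 1, 3, 4, 13, 17, 25
NAMES = {EAP_MD5: "EAP-MD5", EAP_TLS: "EAP-TLS", EAP_LEAP: "LEAP", EAP_PEAP: "PEAP"}

class AuthServer:
    """RADIUS/EAP server with a method policy and a constructed user store."""
    allowed = (EAP_TLS, EAP_PEAP)          # preference order; MD5 and LEAP refused
    users = {"alice@corp.example": {"cert_subject": "CN=alice,O=Corp",
                                    "password": "constructed-peap-secret"}}

    def access_request(self, identity, eap_response):
        """Handle one Access-Request; return (verdict, proposed_method)."""
        kind, payload = eap_response
        if kind == EAP_IDENTITY:
            return "challenge", self.allowed[0]          # propose preferred method
        if kind == EAP_NAK:                              # client lists what it can do
            wanted = [m for m in payload if m in self.allowed]
            return ("challenge", wanted[0]) if wanted else ("reject", None)
        if kind not in self.allowed:
            return "reject", None                        # weak method, refuse outright
        user = self.users.get(identity)
        if user and kind == EAP_TLS and payload == user["cert_subject"]:
            return "accept", None
        if user and kind == EAP_PEAP and payload == user["password"]:
            return "accept", None
        return "reject", None

class Supplicant:
    def __init__(self, identity, methods, credential):
        self.identity, self.methods, self.credential = identity, methods, credential

    def answer(self, proposed):
        if proposed in self.methods:
            return (proposed, self.credential)
        return (EAP_NAK, list(self.methods))             # EAP-Nak: methods we support

def run_8021x(supplicant, server=None):
    """Authenticator logic. Returns (port_authorized, transcript)."""
    server = server or AuthServer()
    log = ["EAPOL-Start from supplicant", "EAP-Request/Identity -> supplicant"]
    identity = supplicant.identity
    log.append(f"EAP-Response/Identity({identity}) relayed in RADIUS Access-Request")
    response = (EAP_IDENTITY, identity)
    for _ in range(4):                                   # bounded round trips
        verdict, proposed = server.access_request(identity, response)
        if verdict == "accept":
            log.append("Access-Accept -> EAP-Success; port AUTHORIZED")
            return True, log
        if verdict == "reject":
            log.append("Access-Reject -> EAP-Failure; port stays UNAUTHORIZED")
            return False, log
        log.append(f"Access-Challenge: server proposes {NAMES[proposed]}")
        response = supplicant.answer(proposed)
        if response[0] == EAP_NAK:
            log.append(f"supplicant Nak, offers {[NAMES[m] for m in response[1]]}")
        else:
            log.append(f"supplicant answers with {NAMES[response[0]]} (credential relayed, not inspected)")
    log.append("round limit reached; port stays UNAUTHORIZED")
    return False, log

if __name__ == "__main__":
    for s in (Supplicant("alice@corp.example", [EAP_TLS], "CN=alice,O=Corp"),
              Supplicant("alice@corp.example", [EAP_PEAP], "constructed-peap-secret"),
              Supplicant("alice@corp.example", [EAP_MD5, EAP_LEAP], "legacy-hash")):
        ok, transcript = run_8021x(s)
        print(ok, *transcript, sep="\n  ")
```

Note that the transcript the authenticator keeps never contains the certificate subject or password: the AP or switch is a relay, which is why the PKI and the method policy live on the RADIUS server rather than on each AP.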

Common Mistakes

  • Mistake: Using WPA2-PSK in an enterprise environment. Correction: WPA2-PSK is for home networks. Enterprises should use WPA3-Enterprise + 802.1X to avoid shared keys and enable per-user authentication.

  • Mistake: Enabling WPS for "convenience." Correction: WPS is insecure (PIN brute-forcing). Disable it in all deployments.

  • Mistake: Assuming open networks (e.g., guest Wi-Fi) are safe with WPA3-OWE. Correction: OWE only encrypts traffic; it doesn’t authenticate the AP. Use captive portals + HTTPS for guest networks.

  • Mistake: Not segmenting wireless traffic from the corporate LAN. Correction: Place APs on a DMZ or VLAN with strict firewall rules. Use NAC (Network Access Control) to enforce policies.

  • Mistake: Ignoring physical security of APs. Correction: Rogue APs can be plugged into Ethernet ports. Use port security (MAC filtering) and 802.1X on switches.
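The first two mistakes above (shared keys on an enterprise network, WPS left on) are the kind a configuration audit catches mechanically. The following is an added example, not from the Fatskills guide and not hostapd's own tooling: a small auditor that parses hostapd.conf-style `key=value` text and reports findings for either a "personal" (WPA3-SAE) or "enterprise" (802.1X/EAP) deployment. The option names used (wpa_key_mgmt, rsn_pairwise, ieee80211w, sae_require_mfp, wps_state, wpa_passphrase, sae_password, ieee8021x, auth_server_addr) are real hostapd options; all three configuration texts are constructed samples.

```python
"""Audit hostapd-style configuration text against the checklist (added example)."""

WEAK_CONF = """\
# constructed sample: legacy WPA2-PSK with WPS on, deployed in an office
ssid=CorpWiFi
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP CCMP
wpa_passphrase=password1
ieee80211w=0
wps_state=2
"""

HARDENED_PERSONAL = """\
# constructed sample: WPA3-Personal only, PMF required, WPS off
ssid=HomeWiFi
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=correct-horse-battery-staple-42
ieee80211w=2
sae_require_mfp=1
wps_state=0
"""

HARDENED_ENTERPRISE = """\
# constructed sample: WPA3-Enterprise, EAP via RADIUS, PMF required
ssid=CorpWiFi
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=constructed-radius-secret
wps_state=0
"""

STRONG_CIPHERS = {"CCMP", "CCMP-256", "GCMP", "GCMP-256"}

def parse_hostapd(text):
    """Minimal hostapd.conf reader: skips blanks and comments, last key wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit(conf, profile):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    akms = set(conf.get("wpa_key_mgmt", "").split())
    ciphers = set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    if profile == "enterprise":
        if not akms & {"WPA-EAP", "WPA-EAP-SUITE-B-192"}:
            findings.append("enterprise profile but no WPA-EAP key management")
        if akms & {"WPA-PSK", "SAE"}:
            findings.append("shared key (PSK/SAE) offered on an enterprise network")
        if conf.get("ieee8021x") != "1" or "auth_server_addr" not in conf:
            findings.append("802.1X not enabled or no RADIUS server configured")
    else:
        if "SAE" not in akms:
            findings.append("WPA3-Personal (SAE) not enabled")
        if "WPA-PSK" in akms:
            findings.append("legacy WPA2-PSK still offered (transition mode)")
        secret = conf.get("sae_password") or conf.get("wpa_passphrase") or ""
        if len(secret) < 12:
            findings.append("passphrase shorter than 12 characters")
        if "SAE" in akms and conf.get("sae_require_mfp") != "1":
            findings.append("sae_require_mfp=1 missing")
    if not ciphers or not ciphers <= STRONG_CIPHERS:
        findings.append("weak or missing pairwise cipher (e.g., TKIP); use CCMP/GCMP only")
    if conf.get("ieee80211w") != "2":
        findings.append("PMF not required (ieee80211w should be 2)")
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS enabled (wps_state should be 0)")
    return findings

def audit_text(text, profile="personal"):
    return audit(parse_hostapd(text), profile)

if __name__ == "__main__":
    print("weak as enterprise:", audit_text(WEAK_CONF, "enterprise"))
    print("hardened personal:", audit_text(HARDENED_PERSONAL) or "OK")
    print("hardened enterprise:", audit_text(HARDENED_ENTERPRISE, "enterprise") or "OK")
```

Running the same weak file under both profiles shows why the profile matters: as a personal network it is faulted for the short passphrase and missing SAE; as an enterprise network it is faulted for offering a shared key at all and for having no RADIUS server.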


Certification Exam Tips

  1. CISSP:
      • Focus on risk management (e.g., "Which EAP method provides the highest security but requires PKI?" Answer: EAP-TLS).
      • Know WPA3's improvements over WPA2 (SAE, PMF, OWE).
      • Understand rogue AP detection methods (WIDS, physical inspection).

  2. Security+:
      • Memorize EAP types (EAP-TLS, PEAP, EAP-TTLS) and their use cases.
      • Know WPA3-Personal vs. Enterprise (PSK vs. 802.1X).
      • Port numbers: RADIUS (1812/1813), TACACS+ (49).

  3. CEH:
      • Attack tools: Aircrack-ng (WPA2 cracking), Wi-Fi Pineapple (rogue AP), Reaver (WPS brute-forcing).
      • Defenses: PMF, client isolation, certificate-based auth.
      • Scenario questions: "An attacker sets up an AP with the same SSID as a coffee shop. What attack is this?" Answer: Evil twin.

  4. Tricky Distinctions:
      • WPA3-Personal vs. WPA3-Enterprise: Personal uses SAE (no RADIUS); Enterprise uses 802.1X.
      • EAP-TLS vs. PEAP: TLS requires client certs; PEAP only requires server certs.
      • Rogue AP vs. Evil Twin: Rogue AP is unauthorized; evil twin is a rogue AP mimicking a legitimate one.

Quick Check Questions

  1. A company wants to deploy Wi-Fi for employees with the highest security. They have a PKI in place. Which EAP method should they use?
      A) PEAP-MSCHAPv2
      B) EAP-TLS
      C) EAP-MD5
      D) LEAP
     Answer: B) EAP-TLS
     Explanation: EAP-TLS uses client and server certificates, providing the strongest authentication (but requires PKI).

  2. An attacker sends deauthentication frames to force clients to reconnect to a rogue AP. Which WPA3 feature mitigates this attack?
      A) SAE
      B) OWE
      C) PMF
      D) WPS
     Answer: C) PMF (Protected Management Frames)
     Explanation: PMF encrypts management frames (e.g., deauthentication packets), preventing spoofing.

  3. A retail store uses WPA2-PSK for its point-of-sale (POS) system. Which compliance requirement are they violating?
      A) HIPAA
      B) PCI DSS
      C) GDPR
      D) SOX
     Answer: B) PCI DSS
     Explanation: PCI DSS requires WPA2/3-Enterprise (not PSK) for payment systems to avoid shared keys.

Last-Minute Cram Sheet

  1. WPA3-Personal = SAE (replaces PSK), resistant to brute-force.
  2. WPA3-Enterprise = 802.1X + EAP (e.g., EAP-TLS, PEAP).
  3. EAP-TLS = Certificates on client and server (most secure).
  4. PEAP = Server cert only, encapsulates EAP in TLS (e.g., PEAP-MSCHAPv2).
  5. Rogue AP = Unauthorized AP; evil twin = rogue AP mimicking a legitimate one.
  6. PMF (802.11w) = Encrypts management frames (stops deauth attacks).
  7. OWE = Encrypts open networks (e.g., airports) but no authentication.
  8. RADIUS ports: UDP 1812 (auth), 1813 (accounting).
  9. WPS is insecure – disable it!
  10. Wi-Fi Pineapple = Tool for rogue AP attacks (CEH favorite).