Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise

Download the book Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise

30000 Toman, in stock

The book Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise, original-language edition

Downloading the book Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise will be possible after payment.
The book's description is given in the details section, where you can view it.


This book is the original edition and is not in Persian.




Description of the book Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise

Book title : Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise
Edition : 1
Title translated into Persian : معماری امنیتی بی سیم: طراحی و حفظ امنیت بی سیم برای سازمانی
Series :
Authors :
Publisher : Wiley
Publication year : 2022
Number of pages : 627
ISBN : 9781119883050 , 2021952991
Book language : English
Book format : pdf
File size : 20 MB



After the payment process is completed, the book's download link will be provided. If you register and log in to your account, you will be able to view the list of books you have purchased.


Table of contents :


Cover
Title Page
Copyright Page
About the Author
About the Technical Editor
Acknowledgments
Contents at a Glance
Contents
Foreword
Preface
Who This Book Is For
Distinctive Features
Introduction
Overview of the Book and Technology
How This Book Is Organized
Why Read This Book
What’s on the Website
Congratulations
Part I Technical Foundations
Chapter 1 Introduction to Concepts and Relationships
Roles and Responsibilities
Network and Wireless Architects
Security, Risk, and Compliance Roles
Risk and Compliance Roles
Chief Information Security Officer Roles
Security Operations and Analyst Roles
Identity and Access Management Roles
Operations and Help Desk Roles
Network Operations Teams
Help Desk and End-User Support Roles
External and Third Parties
Technology Manufacturers and Integrators
Vendor Management and Supply Chain Security Considerations
Security Concepts for Wireless Architecture
Security and IAC Triad in Wireless
Integrity in Secure Wireless Architecture
Availability in Secure Wireless Architecture
Confidentiality in Secure Wireless Architecture
Using the IAC Triad to Your Advantage
Aligning Wireless Architecture Security to Organizational Risk
Identifying Risk Tolerance
Factors Influencing Risk Tolerance
Assigning a Risk Tolerance Level
Considering Compliance and Regulatory Requirements
Compliance Regulations, Frameworks, and Audits
The Role of Policies, Standards, and Procedures
Policies
Standards
Procedures
Example with Wireless Security
Segmentation Concepts
Why and When to Segment Traffic
Methods to Enforce Segmentation
Authentication Concepts
Authentication of Users
Authentication of Devices
Authentication of Administrative Users
Authentication of the Servers (for Captive Portals and/or 802.1X RADIUS)
Authentication of the Wireless Infrastructure Components
Cryptography Concepts
Cryptographic Keys, Key Exchanges, and Key Rotation
Cryptographic Algorithms and Hashes
Tying It All Together
Wireless Concepts for Secure Wireless Architecture
Wireless Standards and Protocols
Wireless Standards and Technologies
Generations of 802.11 WLANs
NAC and IEEE 802.1X in Wireless
SSID Security Profiles
Open Wi-Fi Security
Personal (Passphrase) Wi-Fi Security
Enterprise (802.1X) Wi-Fi Security
Endpoint Devices
Form Factors
User-based vs. Headless
RF Capabilities
Security Capabilities
Ownership
Network Topology and Distribution of Users
Campus Environments
Remote Branch Environments
Remote Worker Environments
The Issue of Connectivity
Summary
Chapter 2 Understanding Technical Elements
Understanding Wireless Infrastructure and Operations
Management vs. Control vs. Data Planes
Management Plane
Control Plane
Data Plane
Cloud-Managed Wi-Fi and Gateways
Today’s Cloud-Managed Benefits for Enterprise
Architectures with Cloud Management
The Role of Gateway Appliances with Cloud-Managed APs
Controller Managed Wi-Fi
Local Cluster Managed Wi-Fi
Remote APs
Summary
Understanding Data Paths
Tunneled
Bridged
Considerations of Bridging Client Traffic
Hybrid and Other Data Path Models
Filtering and Segmentation of Traffic
The Role of ACLs and VLANs in Segmentation
Filtering Traffic within Wireless and Wired Infrastructures
Filtering with Inter-Station Blocking on Wireless
Filtering with SSIDs/VLANs on Wireless
Filtering with ACLs on Wireless
Controlling Guest Portals with DNS on Wireless
Filtering with VLANs on Switches
Filtering with ACLs on Routing Devices
Filtering with Policies on Firewalls
Filtering with Network Virtualization Overlay on Wired Infrastructure
Summary
Understanding Security Profiles for SSIDs
Understanding the Term Personal Networks
WPA2 and WPA3 Overview
Security Benefits of Protected Management Frames
Transition Modes and Migration Strategies for Preserving Security
Enterprise Mode (802.1X)
Planning Enterprise (802.1X) Secured SSIDs
Untangling the Enterprise (802.1X) SSID Security Options
Enhancements with WPA3-Enterprise
WPA3-Enterprise 192-bit Mode
Deciphering the Acronyms of 192-bit Mode
WPA2 to WPA3-Enterprise Migration Recommendations
Personal Mode (Passphrase with PSK/SAE)
Planning Personal/Passphrase-Secured SSIDs
Enhancements with WPA3-Personal
WPA2 to WPA3-Personal Migration Recommendations
Open Authentication Networks
Legacy Open Authentication Networks
Wi-Fi Enhanced Open Networks
Summary
Chapter 3 Understanding Authentication and Authorization
The IEEE 802.1X Standard
Terminology in 802.1X
High-Level 802.1X Process in Wi-Fi Authentication
802.1X as the Iron Gate
RADIUS Servers, RADIUS Attributes, and VSAs
RADIUS Servers
RADIUS Servers and NAC Products
Relationship of RADIUS, EAP, and Infrastructure Devices
RADIUS Attributes
Common RADIUS Attributes
RADIUS Attributes for Dynamic VLANs
RADIUS Vendor-Specific Attributes
RADIUS Policies
RADIUS Servers, Clients and Shared Secrets
Specifying RADIUS Clients
RADIUS Shared Secrets
Other Requirements
User Directories
Server Certificate
Logging/Accounting
Additional Notes on RADIUS Accounting
Change of Authorization and Disconnect Messages
EAP Methods for Authentication
Outer EAP Tunnels
EAP-PEAP
EAP-TTLS
EAP-FAST
EAP-TEAP
Securing Tunneled EAP
Inner Authentication Methods
EAP-TLS
EAP-MSCHAPv2
EAP-GTC
EAP-POTP
Legacy and Unsecured EAP Methods
Recommended EAP Methods for Secure Wi-Fi
MAC-Based Authentications
MAC Authentication Bypass with RADIUS
Overview of Typical MAB Operations
Vendor Variations of MAC Operations
Security Considerations for MAB
Recommendations when Using MAB
MAC Authentication Without RADIUS
MAC Filtering and Denylisting
Certificates for Authentication and Captive Portals
RADIUS Server Certificates for 802.1X
Endpoint Device Certificates for 802.1X
Best Practices for Using Certificates for 802.1X
Never Use Wildcard Certificates
Never Use Self-Signed Certificates
Always Validate Server Certificates
Most Often, Use Domain-Issued Certificates for RADIUS Servers
Use Revocation Lists, Especially for Endpoint Certificates
Captive Portal Server Certificates
Best Practices for Using Certificates for Captive Portals
In Most Cases, Use a Public Root CA Signed Server Certificate
Understand the Impact of MAC Randomization on Captive Portals
Captive Portal Certificate Best Practices Recap
Summary
Captive Portal Security
Captive Portals for User or Guest Registration
Guest Self-Registration Without Verification
Guest Self-Registration with Verification
Guest Sponsored Registration
Guest Pre-Approved Registration
Guest Bulk Registration
Captive Portals for Acceptable Use Policies
Captive Portals for BYOD
Captive Portals for Payment Gateways
Security on Open vs. Enhanced Open Networks
Access Control for Captive Portal Processes
LDAP Authentication for Wi-Fi
The 4-Way Handshake in Wi-Fi
The 4-Way Handshake Operation
The 4-Way Handshake with WPA2-Personal and WPA3-Personal
The 4-Way Handshake with WPA2-Enterprise and WPA3-Enterprise
Summary
Chapter 4 Understanding Domain and Wi-Fi Design Impacts
Understanding Network Services for Wi-Fi
Time Sync Services
Time Sync Services and Servers
Time Sync Uses in Wi-Fi
DNS Services
DNS for Wi-Fi Clients and Captive Portals
DNS for AP Provisioning
DNS Security
DHCP Services
DHCP for Wi-Fi Clients
Planning DHCP for Wi-Fi Clients
DHCP for AP Provisioning
Certificates
Understanding Wi-Fi Design Impacts on Security
Roaming Protocols’ Impact on Security
Roaming Impact on Latency-Sensitive Applications
Roaming and Key Exchanges on WPA-Personal Networks
Roaming and Key Exchanges on WPA-Enterprise Networks
Fast Roaming Technologies
Fast Reconnect
PMK Caching (Roam-back)
Opportunistic Key Caching
Fast BSS Transition
Summary of Fast Roaming Protocols
Support for Fast Transition and Other Roaming
Changes in Roaming Facilitation with WPA3 and Enhanced Open Networks
Recommendations for Fast Roaming in Secure Wi-Fi
System Availability and Resiliency
Uptime, High Availability, and Scheduled Downtime
Scheduled Maintenance and Testing
AP Port Uplink Redundancy
RF Design Elements
AP Placement, Channel, and Power Settings
Wi-Fi 6E
Rate Limiting Wi-Fi
Other Networking, Discovery, and Routing Elements
Discovery Protocols
Loop Protection
Dynamic Routing Protocols
Layer 3 Roaming Mobility Domains
Summary
Part II Putting It All Together
Chapter 5 Planning and Design for Secure Wireless
Planning and Design Methodology
Discover Stage
Phase 1: Define
Phase 2: Characterize
Architect Stage
Phase 3: Design
Iterate Stage
Phase 4: Optimize
Phase 5: Validate
Planning and Design Inputs (Define and Characterize)
Scope of Work/Project
Teams Involved
CISO, Risk, or Compliance Officer
Security Analyst or SOC
Identity and Access Management Team
Network Architect and Network Operations Team
Domain Administrators
Help Desk
Other System or Application Owners
Vendors, Integrators, and Other Contractors
Organizational Security Requirements
Current Security Policies
Endpoints
Wireless Connection Type
Form Factor
Operating System
Ownership
Management
Location
User-Attached or Not
Roaming Capabilities
Security Capabilities
Quantities
Classification or Group
Users
System Security Requirements
Applications
Process Constraints
Wireless Management Architecture and Products
Planning and Design Outputs (Design, Optimize, and Validate)
Wireless Connectivity Technology
Endpoint Capability Requirements
Wireless Management Model and Products
RF Design and AP Placement
Authentication
Data Paths
Wired Infrastructure Requirements
Domain and Network Services
Wireless Networks (SSIDs)
System Availability
Additional Software or Tools
Processes and Policy Updates
Infrastructure Hardening
Correlating Inputs to Outputs
Planning Processes and Templates
Requirements Discovery Template (Define and Characterize)
Sample Enterprise Requirements Discovery Template
Sample Healthcare Requirements Discovery Template
Defining BYOD in Your Organization
Sample Network Planning Template (SSID Planner)
Sample Access Rights Planning Templates
Sample Access Rights Planner for NAC
Sample Access Rights Planner for NAC in Higher Education
Sample Simplified Access Rights Planner
Notes for Technical and Executive Leadership
Planning and Budgeting for Wireless Projects
Involve Wireless Architects Early to Save Time and Money
Collaboration Is King for Zero Trust and Advanced Security Programs
Stop Planning 1:1 Replacements of APs
Penny Pinching on AP Quantities Sacrifices Security
Always Include Annual Budget for Training and Tools
Consultants and Third Parties Can Be Invaluable
Selecting Wireless Products and Technologies
Wi-Fi Isn’t the Only Wireless Technology
The Product Your Peer Organization Uses May Not Work for You
Don’t Buy Into Vendor or Analyst Hype
Interoperability Is More Important Now than Ever
Expectations for Wireless Security
Consider PSK Networks to Be the “New WEP”
You’re Not as Secure as You Think
Get Control of Privileged Access, Especially Remote
Make Sure You’ve Addressed BYOD
Summary
Chapter 6 Hardening the Wireless Infrastructure
Securing Management Access
Enforcing Encrypted Management Protocols
Generating Keys and Certificates for Encrypted Management
Enabling HTTPS vs. HTTP
Enabling SSH vs. Telnet
Enabling Secure File Transfers
Enabling SNMPv3 vs. SNMPv2c
Eliminating Default Credentials and Passwords
Changing Default Credentials on Wireless Management
Changing Default Credentials on APs
Removing Default SNMP Strings
Controlling Administrative Access and Authentication
Enforcing User-Based Logons
Creating a Management VLAN
Defining Allowed Management Networks
Securing Shared Credentials and Keys
Addressing Privileged Access
Securing Privileged Accounts and Credentials
Privileged Access Management
Privileged Remote Access
Additional Secure Management Considerations
Designing for Integrity of the Infrastructure
Managing Configurations, Change Management, and Backups
Configuration Change Management
Configuration Baselines
Configuration Backups and Rollback Support
Monitoring and Alerting for Unauthorized Changes
Configuring Logging, Reporting, Alerting, and Automated Responses
Verifying Software Integrity for Upgrades and Patches
Verifying Software Integrity
Upgrades and Security Patches
Working with 802.11w Protected Management Frames
Wi-Fi Management Frames
Unprotected Frame Types
Protected Frame Types
Validated vs. Encrypted
WPA3, Transition Modes, and 802.11w
Caveats and Considerations for 802.11w
Provisioning and Securing APs to Manager
Approving or Allowlisting APs
Using Certificates for APs
Enabling Secure Tunnels from APs to Controller or Tunnel Gateway
Addressing Default AP Behavior
Adding Wired Infrastructure Integrity
Authenticating APs to the Edge Switch
Specifying Edge Port VLANs
Planning Physical Security
Securing Access to Network Closets
Securing Access to APs and Edge Ports
Locking Front Panel and Console Access on Infrastructure Devices
Disabling Unused Protocols
Controlling Peer-to-Peer and Bridged Communications
A Note on Consumer Products in the Enterprise
Blocking Ad-Hoc Networks
Blocking Wireless Bridging on Clients
Filtering Inter-Station Traffic, Multicast, and mDNS
SSID Inter-Station Blocking
Peer-Based Zero Configuration Networking
Disabling and Filtering Bonjour and mDNS Protocols
Disabling and Filtering UPnP Protocols
A Message on mDNS and Zeroconf from a Pen Tester
Recommendations for Securing Against Zeroconf Networking
Best Practices for Tiered Hardening
Additional Security Configurations
Security Monitoring, Rogue Detection, and WIPS
Considerations for Hiding or Cloaking SSIDs
Requiring DHCP for Clients
Addressing Client Credential Sharing and Porting
Summary
Part III Ongoing Maintenance and Beyond
Chapter 7 Monitoring and Maintenance of Wireless Networks
Security Testing and Assessments of Wireless Networks
Security Audits
Vulnerability Assessments
Internal Vulnerability Assessment
External Vulnerability Assessment
Security Assessments
Penetration Testing
Ongoing Monitoring and Testing
Security Monitoring and Tools for Wireless
Wireless Intrusion Prevention Systems
WIDS vs. WIPS vs. Wired IPS
Requirements for WIPS
Integrated vs. Overlay vs. Dedicated
Attacks WIPS Can Detect and Prevent
Wireless Rogues and Neighbors
WIPS Mitigation and Containment
Legal Considerations of Over-the-Air Mitigation
Spectrum Analyzers and Special-Purpose Monitoring
Recommendations for WIPS
Synthetic Testing and Performance Monitoring
Security Logging and Analysis
Security Event Logging
Security Event Correlation and Analysis
Wireless-Specific Tools
Handheld Testers
RF Design and Survey Software
Network Protocol Analyzers
Testing and Troubleshooting Applications
Logging, Alerting, and Reporting Best Practices
Events to Log for Forensics or Correlation
Secure Management Access
Infrastructure Integrity
Client Security and Other WIPS
Events to Alert on for Immediate Action
Secure Management Access
Infrastructure Integrity
Client Security and Other WIPS
Events to Report on for Analysis and Trending
Secure Management Access
Infrastructure Integrity
Client Security and Other WIPS
Troubleshooting Wi-Fi Security
Troubleshooting 802.1X/EAP and RADIUS
Things to Remember
Things to Troubleshoot
Troubleshooting MAC-based Authentication
MAC Address Formatting
MAC Authentication Bypass AAA Settings
Settings on the RADIUS and Directory Servers
Troubleshooting Portals, Onboarding, and Registration
Troubleshooting with Protected Management Frames Enabled
Training and Other Resources
Technology Training Courses and Providers
Wi-Fi Training and Certification
IoT Wireless Training and Certification
Network and Cyber Security Training
Vendor-Specific Training and Resources
Conferences and Community
Summary
Chapter 8 Emergent Trends and Non-Wi-Fi Wireless
Emergent Trends Impacting Wireless
Cloud-Managed Edge Architectures
Remote Workforce
Challenges Supporting Work from Home and Remote Users
Balancing Additional Work and the Tech Talent Shortage
Process Changes to Address Remote Work
Recommendations for Navigating a Remote Workforce
Bring Your Own Device
Stats on BYOD and Policies
Other Models for Ownership, Management, and Use
Further Defining BYOD in Your Organization
Legal Considerations for BYOD
Technical Considerations for Securing BYOD
Recommendations for Securing BYOD
Zero Trust Strategies
The Current State of Zero Trust
Zero Trust Language
Types of Zero Trust Products
Segmentation Enforcement Models
Zero Trust Strategy’s Impact on Wireless
Internet of Things
LAN-based IoT
Protocol-Translated IoT
Protocol-Routed IoT
Enterprise IoT Technologies and Non-802.11 Wireless
IoT Considerations
Technologies and Protocols by Use Case
LAN-based IoT
Bluetooth and BLE
Smart Building and Home Automation
Public Cellular for IoT
Private Cellular and Cellular LANs
Private WANs
Industrial Automation
Features and Characteristics Impact on Security
Physical Layer and RF Spectrums
Coverage
Edge IP Protocols
Topology and Connectivity
Other Considerations for Secure IoT Architecture
Final Thoughts from the Book
Appendix A Notes on Configuring 802.1X with Microsoft NPS
Wi-Fi Infrastructure That Supports Enterprise (802.1X) SSID Security Profiles
Endpoints That Support 802.1X/EAP
A Way to Configure the Endpoints for the Specified Connectivity
An Authentication Server That Supports RADIUS
Appendix B Additional Resources
IETF RFCs
Navigating and Reading RFCs
Helpful RFCs and Links
IEEE Standards and Documents
Navigating and Reading IEEE Standards
Helpful Links
IEEE 802.11 Standard
Wi-Fi Alliance
Blog, Consulting, and Book Materials
Compliance and Mappings
NIST SP 800-53 and ISO 27001
PCI Data Security Standards
Cyber Insurance and Network Security
Appendix C Sample Architectures
Architectures for Internal Access Networks
Managed User with Managed Device
Security Considerations
High-Security Architecture
Medium-Security Architecture
Low-Security Architecture
Headless/Non-User-Based Devices
Security Considerations
High-Security Architecture
Medium-Security Architecture
Low-Security Architecture
Contractors and Third Parties
Security Considerations
High-Security Architecture
Medium-Security Architecture
Low-Security Architecture
BYOD/Personal Devices with Internal Access
Security Considerations
High-Security Architecture
Medium-Security Architecture
Low-Security Architecture
Guidance on WPA2-Enterprise and WPA3-Enterprise
Migrating from WPA2-Enterprise to WPA3-Enterprise
Supporting WPA2-Enterprise with WPA3-Enterprise
Guidance on when to Separate SSIDs
Architectures for Guest/Internet-only Networks
Guest Networks
Security Considerations
High-Security Architecture
Medium-Security Architecture
Low-Security Architecture
BYOD/Personal Devices with Internet-Only Access
Security Considerations
High-Security Architecture
Medium-Security Architecture
Low-Security Architecture
Determining Length of a WPA3-Personal Passphrase
Why Passphrase Length Matters
Considerations for Passphrase Length
Recommendations for Passphrase Lengths
Appendix D Parting Thoughts and Call to Action
The Future of Cellular and Wi-Fi
Cellular Carrier Use of Unlicensed Spectrum
Cellular Neutral Host Networks
MAC Randomization
The Purpose of MAC Randomization
How MAC Randomization Works
The Future of Networking with MAC Randomization
Security, Industry, and The Great Compromise
Index
EULA



