Wireless & Network Security
Key Takeaways
- WPA3 is the recommended wireless security standard — it uses SAE for authentication, provides forward secrecy, and offers Enhanced Open (OWE) for encrypting open networks.
- Enterprise wireless security uses 802.1X authentication with a RADIUS server, providing individual user credentials instead of a shared pre-shared key (PSK).
- Firewalls filter network traffic based on rules — configure to block all traffic by default and only allow what is explicitly needed (deny by default, allow by exception).
- A VPN encrypts all traffic between a remote user and the corporate network, protecting data in transit on untrusted networks (public Wi-Fi, internet).
- Common network attacks include man-in-the-middle (intercepting communications between two parties), DNS spoofing (redirecting traffic to attacker-controlled hosts), ARP poisoning (forged ARP replies that map an IP address to the wrong MAC address), and DDoS (overwhelming a service with traffic).
Wireless Security Best Practices
Security Protocol Selection
- WPA3-Enterprise — Best (802.1X + RADIUS, 192-bit encryption)
- WPA3-Personal — Excellent (SAE, forward secrecy)
- WPA2-Enterprise — Good (802.1X + RADIUS, AES)
- WPA2-Personal — Acceptable (PSK + AES)
- WPA — Avoid (TKIP, vulnerabilities)
- WEP — NEVER USE (broken, crackable in minutes)
Wireless Hardening Checklist
| Action | Purpose |
|---|---|
| Change default SSID | Removes manufacturer identification |
| Change default admin password | Prevents unauthorized router access |
| Enable WPA3 (or WPA2 minimum) | Encrypts wireless traffic |
| Use a strong passphrase | 12+ characters, complex |
| Enable MAC filtering | Additional layer (not reliable as sole security) |
| Disable WPS (Wi-Fi Protected Setup) | WPS PIN is vulnerable to brute force |
| Update firmware regularly | Patches security vulnerabilities |
| Reduce signal strength | Limits coverage to needed area only |
| Enable AP isolation | Prevents wireless clients from seeing each other |
802.1X / RADIUS Authentication
Enterprise-grade wireless security:
| Component | Role |
|---|---|
| Supplicant | Client device requesting access |
| Authenticator | Access point or switch (passes auth requests) |
| Authentication Server | RADIUS server that validates credentials |
Process: Client connects → AP forwards credentials to RADIUS → RADIUS validates against directory (Active Directory) → Access granted or denied
Key Advantage: Each user has individual credentials (username/password or certificate) rather than a shared password. When an employee leaves, disable their account — no need to change the Wi-Fi password for everyone.
Firewall Configuration
Firewall Types
| Type | Description | Example |
|---|---|---|
| Host-based | Software firewall on individual computer | Windows Defender Firewall, iptables |
| Network-based | Hardware appliance protecting entire network | Cisco ASA, Fortinet, pfSense |
Firewall Rules
| Rule Component | Description |
|---|---|
| Source IP | Where traffic originates |
| Destination IP | Where traffic is going |
| Port | Service being accessed (80, 443, 22, etc.) |
| Protocol | TCP, UDP, ICMP |
| Action | Allow or Deny |
Best Practice: Deny all traffic by default, then create explicit allow rules for needed services. This is called a "deny all, permit by exception" approach.
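The rule-component table and the "deny all, permit by exception" practice above are easiest to see with a small rule evaluator. This is an added example, not code from the original page or from any of the products it names; the rules, the server address 203.0.113.10 and the client addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed rule set for a hypothetical server at 203.0.113.10 (a documentation address).
# Rules are checked top to bottom, first match wins; no match falls through to DEFAULT_ACTION.
DEFAULT_ACTION = "deny"

@dataclass(frozen=True)
class Rule:
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    proto: str           # "tcp", "udp", "icmp" or "any"
    port: Optional[int]  # destination port; None means any port (e.g. for icmp)
    action: str          # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every component of the rule (src, dst, proto, port) fits the packet."""
    if ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.port is not None and rule.port != pkt.dport:
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; no match means the implicit default deny applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return DEFAULT_ACTION

RULES = [
    # Explicit deny placed first: a quarantined admin workstation loses SSH even though
    # the broader admin-LAN allow below would otherwise match it (rule order matters).
    Rule("192.168.10.66/32", "203.0.113.10/32", "tcp", 22, "deny"),
    Rule("192.168.10.0/24", "203.0.113.10/32", "tcp", 22, "allow"),   # SSH from admin LAN
    Rule("0.0.0.0/0", "203.0.113.10/32", "tcp", 443, "allow"),        # HTTPS from anywhere
    Rule("0.0.0.0/0", "203.0.113.10/32", "icmp", None, "allow"),      # ping for monitoring
]
```

SSH from the internet, UDP to port 443, or traffic to any other host matches no rule and is denied without a rule of its own, which is the whole point of the default-deny policy.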
Windows Firewall
- Accessed via Control Panel or wf.msc (Windows Defender Firewall with Advanced Security)
- Separate rules for Domain, Private, and Public network profiles
- Inbound rules control incoming connections; Outbound rules control outgoing connections
- Can create rules by program, port, predefined, or custom
Common Network Attacks
| Attack | Description | Prevention |
|---|---|---|
| Man-in-the-Middle (MitM) | Attacker intercepts communications between two parties | Use HTTPS/TLS, VPN, certificate pinning |
| DNS Spoofing/Poisoning | Corrupts DNS cache to redirect traffic to malicious sites | DNSSEC, clear DNS cache, use trusted DNS |
| ARP Poisoning | Falsifies ARP messages to redirect LAN traffic | Dynamic ARP inspection, static ARP entries |
| DDoS | Overwhelms a server/network with massive traffic | DDoS mitigation services, rate limiting |
| Deauthentication Attack | Forces wireless clients to disconnect from AP | WPA3, 802.11w management frame protection |
| Brute Force | Tries all possible password combinations | Account lockout, strong passwords, MFA |
| Dictionary Attack | Tries common words/phrases as passwords | Strong passwords, MFA |
| Rogue DHCP Server | Unauthorized DHCP server assigns incorrect network config | DHCP snooping on managed switches |
| Zero-Day | Exploits unknown vulnerability (no patch available) | Defense in depth, behavior-based detection, keep updated |
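The ARP poisoning row above lists dynamic ARP inspection and static entries as the defences. The following added example (not from the original page) shows both sides of that detection: a host-side check that flags an IP address claimed by more than one MAC, and a switch-side check that compares each ARP reply against a trusted IP-to-MAC binding table of the kind DHCP snooping builds. The capture lines and binding table are constructed in tcpdump's ARP output format, not taken from a real network.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in tcpdump's ARP reply format (not a real capture). Lines 3 and 4
# show a second MAC claiming the gateway and a workstation, as a poisoning attempt would.
SAMPLE_CAPTURE = """\
12:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000000 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
12:00:03.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:04.000000 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01, length 28
12:00:05.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
"""

# Constructed trusted IP-to-MAC bindings, the kind a switch learns via DHCP snooping.
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01", "192.168.1.20": "00:11:22:33:44:20"}

REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)

def parse_replies(text: str) -> List[Tuple[str, str, str]]:
    """Extract (timestamp, sender IP, sender MAC) from ARP reply lines; others are skipped."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies

def detect_arp_conflicts(replies):
    """Host-side view: IPs claimed by more than one MAC, and MACs claiming several IPs."""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for _, ip, mac in replies:
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    flipped_ips = {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1}
    multi_ip_macs = {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1}
    return flipped_ips, multi_ip_macs

def inspect_against_bindings(replies, bindings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Switch-side view (dynamic ARP inspection): return replies the switch would drop."""
    dropped = []
    for ts, ip, mac in replies:
        if bindings.get(ip, "").lower() != mac:
            dropped.append((ts, ip, mac))
    return dropped
```

A single MAC answering for both the gateway and a workstation is the classic sign of an attacker sitting between them; a legitimate change (replaced NIC) shows up as one IP flipping once, not two IPs converging on one MAC.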
Data Destruction and Disposal
When decommissioning storage devices, data must be properly destroyed:
| Method | Description | Use Case |
|---|---|---|
| Standard Format | Marks space as available but data is recoverable | NOT secure |
| Low-Level Format | Writes zeros to every sector | HDD only (not SSDs) |
| Secure Erase (ATA) | Firmware-level complete erase | SSDs and HDDs |
| Degaussing | Strong magnetic field destroys data | HDDs and magnetic tapes (destroys device) |
| Physical Destruction | Shredding, drilling, incineration | All media types (most secure) |
| Encryption + Destroy Key | Encrypt drive, then destroy the encryption key | SSDs (crypto-erase) |
Exam Tip: Degaussing does NOT work on SSDs because SSDs use electronic storage, not magnetic storage. For SSDs, use secure erase or physical destruction.
In an 802.1X wireless authentication setup, what role does the RADIUS server play?
Which data destruction method does NOT work on solid-state drives (SSDs)?
What firewall approach denies all traffic by default and only allows explicitly permitted traffic?