7.4 Wireless Security Countermeasures
Key Takeaways
- WPA3-Enterprise with 802.1X and a RADIUS server provides per-user authentication and central credential revocation, and removes the shared passphrase that offline handshake cracking targets
- A wireless intrusion prevention system (WIPS) is the primary detective control for rogue APs, evil twins, and deauthentication floods by continuously monitoring the RF environment
- Protected Management Frames (802.11w), mandatory in WPA3, authenticate deauth/disassociation frames and defeat deauthentication denial-of-service for every client that negotiates PMF; a client that does not negotiate it remains exposed
- Disabling WPS, disabling WEP/WPA-TKIP, enforcing server-certificate validation in 802.1X, and using long high-entropy passphrases close the most-tested attack paths
- MAC filtering and SSID hiding are cosmetic — MACs and SSIDs both leak in cleartext frames — and must never substitute for strong encryption, authentication, and monitoring
Building a Layered Wireless Defense
No single control secures Wi-Fi. CEH questions reward candidates who match a control to the attack it actually mitigates and who recognize weak or cosmetic controls. Map each countermeasure to a threat from 7.3.
Strong Authentication: WPA3-Enterprise with 802.1X / RADIUS
For organizational networks, WPA3-Enterprise with 802.1X and a RADIUS server is the gold standard:
- Each user authenticates with unique credentials or a certificate via an EAP method. EAP-TLS is strongest because it uses mutual certificates and avoids shared secrets; PEAP/EAP-TTLS tunnel password auth and depend on validating the server certificate.
- Compromised accounts are revoked centrally without re-keying the whole network.
- There is no shared passphrase: the pairwise master key is derived per session from the EAP exchange, so the offline handshake/PMKID cracking path that PSK networks face does not exist. (SAE closes that path for WPA3-Personal; it is not part of Enterprise mode.)
- Server-certificate validation must be enforced on clients: pin the issuing CA and check the expected server name, because a profile that merely trusts the system CA store still accepts an attacker's valid certificate issued for some other name. Without this, an evil twin can present a fake RADIUS endpoint and harvest credentials (the single most common 802.1X misconfiguration).
Continuous Monitoring: WIPS
A wireless intrusion prevention system (WIPS) continuously scans the RF environment and is the primary detective/preventive control for rogue APs and evil twins. It maintains an authorized-AP inventory, alerts on an authorized SSID beaconed by an unexpected BSSID or with weaker security than the inventory records, detects deauthentication floods and jamming (via noise-floor monitoring), and can actively contain rogue devices. Note that containment works by sending deauthentication frames itself, so scope it carefully: containing devices the organization does not own can be unlawful. Pair WIPS with periodic physical and wired-side audits to physically locate unauthorized hardware that a passive tool can only detect over the air.
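The two WIPS checks described above, as an added example that is not part of the original page or of any WIPS product: an authorized-AP inventory compared against beacon records (flagging an unknown BSSID on a corporate SSID, or an authorized BSSID advertising weaker security than expected) and a sliding-window rate detector for deauthentication floods. The frame records, BSSIDs, SSIDs, the 20-frames-per-second flood threshold and the accepted security set are all constructed assumptions for this example, not real captures or vendor defaults.

```python
"""Minimal WIPS-style detector over a constructed stream of simplified 802.11
management-frame records (dicts, not real captures)."""
from collections import defaultdict, deque

# Constructed inventory: SSID -> BSSIDs that are allowed to beacon it.
AUTHORIZED_APS = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "CorpGuest": {"00:11:22:33:44:03"},
}
# Assumed policy: anything weaker than these on an authorized BSSID is a downgrade.
ACCEPTABLE_SECURITY = {"WPA2-CCMP", "WPA3-SAE"}
# Assumed flood policy: more than 20 deauths naming one BSSID inside 1 s.
DEAUTH_WINDOW_SEC = 1.0
DEAUTH_THRESHOLD = 20


def check_beacon(frame, inventory=AUTHORIZED_APS):
    """Return an alert string for one beacon record, or None if it is benign."""
    ssid, bssid = frame["ssid"], frame["bssid"]
    if ssid not in inventory:
        return None  # a neighbour's network, not one of ours
    if bssid not in inventory[ssid]:
        return f"EVIL TWIN: SSID {ssid!r} beaconed by unknown BSSID {bssid}"
    sec = frame.get("security", "UNKNOWN")
    if sec not in ACCEPTABLE_SECURITY:
        return f"DOWNGRADE: authorized BSSID {bssid} advertising {sec} for {ssid!r}"
    return None


class DeauthFloodDetector:
    """Sliding-window count of deauth frames per targeted BSSID."""

    def __init__(self, window=DEAUTH_WINDOW_SEC, threshold=DEAUTH_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)  # bssid -> timestamps in the window

    def observe(self, frame):
        """Feed one deauth record; alert once when the count first exceeds the threshold."""
        q = self.events[frame["bssid"]]
        q.append(frame["ts"])
        while q and frame["ts"] - q[0] > self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) == self.threshold + 1:
            return (f"DEAUTH FLOOD: {len(q)} deauth frames against "
                    f"{frame['bssid']} within {self.window}s")
        return None


def run_wips(frames, inventory=AUTHORIZED_APS):
    """Process a frame stream in order and return every alert raised."""
    alerts = []
    flood = DeauthFloodDetector()
    for f in frames:
        if f["type"] == "beacon":
            alert = check_beacon(f, inventory)
        elif f["type"] == "deauth":
            alert = flood.observe(f)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


def sample_frames():
    """Constructed stream: a legitimate beacon, a neighbour, an evil twin copying
    the corporate SSID as an open network, an authorized guest AP that has been
    downgraded to TKIP, then 25 deauths against an authorized BSSID in 0.5 s."""
    frames = [
        {"type": "beacon", "ts": 0.0, "ssid": "CorpWiFi", "bssid": "00:11:22:33:44:01", "security": "WPA2-CCMP"},
        {"type": "beacon", "ts": 0.1, "ssid": "NeighbourNet", "bssid": "aa:aa:aa:aa:aa:aa", "security": "OPEN"},
        {"type": "beacon", "ts": 0.2, "ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:01", "security": "OPEN"},
        {"type": "beacon", "ts": 0.3, "ssid": "CorpGuest", "bssid": "00:11:22:33:44:03", "security": "WPA-TKIP"},
    ]
    frames += [{"type": "deauth", "ts": 1.0 + i * 0.02, "bssid": "00:11:22:33:44:01"} for i in range(25)]
    return frames


if __name__ == "__main__":
    for line in run_wips(sample_frames()):
        print(line)
```

A real deployment would feed this from a monitor-mode capture and add the noise-floor check the section mentions for jamming; the inventory comparison here is the same one the assessment workflow later in this section performs by hand.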
Control-to-Attack Mapping
| Attack | Most direct countermeasure |
|---|---|
| Evil twin / rogue AP | WIPS detection + 802.1X server-certificate validation |
| Deauthentication DoS | Protected Management Frames (802.11w) / WPA3 |
| WPA2 handshake / PMKID offline crack | Long high-entropy passphrase; migrate to WPA3-SAE |
| WPS PIN / Pixie-Dust | Disable WPS entirely |
| WEP/TKIP cipher weakness | Require WPA2-CCMP minimum; prefer WPA3 |
| RF jamming | Spectrum monitoring; physically locate the source |
Architecture and Configuration Controls
Network Segmentation
Treat the wireless network as untrusted. Place Wi-Fi clients on segmented VLANs behind a firewall, isolate the guest network entirely from internal resources, and apply least-privilege access between segments. If the wireless layer is compromised, segmentation limits lateral movement and protects critical systems — the same defense-in-depth principle CEH applies throughout.
Secure Configuration Checklist
- Disable WEP and WPA-TKIP; require WPA2-CCMP at minimum, prefer WPA3 (and use WPA3 transition-disable once all clients support it, to block downgrade attacks).
- Disable WPS (Wi-Fi Protected Setup) — its PIN method is reducible to ~11,000 attempts and falls to Pixie-Dust offline.
- Enable Protected Management Frames (802.11w) to authenticate management frames and blunt deauthentication/disassociation abuse. Set PMF to required once every client supports it; in optional mode a client that does not negotiate PMF can still be deauthenticated.
- Use long, high-entropy passphrases (on WPA2-PSK a strong passphrase is the only thing standing between a captured handshake or PMKID and compromise), or move to 802.1X.
- Enforce server-certificate validation in every 802.1X client profile and pin the correct CA.
- Reduce signal leakage with antenna placement and transmit-power tuning so coverage does not spill far outside the building.
- Keep AP and client wireless firmware patched (mitigates KRACK-class and Dragonblood implementation issues).
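The checklist above expressed as an audit of an AP configuration, added here as an example and not code from the original page or from the hostapd project. The option names (`wpa`, `wpa_key_mgmt`, `wpa_pairwise`, `rsn_pairwise`, `wps_state`, `ieee80211w`, `macaddr_acl`, `ignore_broadcast_ssid`, `transition_disable`) are real hostapd.conf options; both configurations, the SSID, the passphrases and the 20-character minimum are constructed for this example.

```python
"""Audit a hostapd.conf-style access-point configuration against the
wireless hardening checklist. Configurations below are constructed."""

# Constructed "before": WPA1+WPA2 mixed mode, TKIP allowed, short PSK,
# WPS on, PMF off, plus the two cosmetic controls.
WEAK_AP_CONF = """
ssid=CorpWiFi
ignore_broadcast_ssid=1
macaddr_acl=1
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=corpwifi2019
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wps_state=2
ieee80211w=0
"""

# Constructed "after": RSN only, WPA3-SAE, CCMP, PMF required, WPS off,
# transition mode disabled for clients (bit 0x01 = WPA3-Personal).
HARDENED_AP_CONF = """
ssid=CorpWiFi
wpa=2
wpa_key_mgmt=SAE
sae_password=tundra-violet-9-compass-harbor-lattice
rsn_pairwise=CCMP
ieee80211w=2
wps_state=0
transition_disable=0x01
"""


def parse_conf(text):
    """Parse flat key=value lines; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_ap_config(text, min_passphrase_len=20):
    """Return a list of findings; an empty list means the config passes."""
    c = parse_conf(text)
    findings = []
    wpa = int(c.get("wpa", "0"), 0)          # bit 1 = WPA (v1), bit 2 = RSN/WPA2+
    if wpa == 0:
        findings.append("open or WEP-only network: enable RSN (wpa=2)")
    elif wpa & 1:
        findings.append(f"WPA (v1) enabled via wpa={wpa}: set wpa=2")
    for opt in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in c.get(opt, ""):
            findings.append(f"TKIP allowed in {opt}: set it to CCMP")
    if c.get("wps_state", "0") != "0":
        findings.append("WPS enabled (wps_state != 0): disable it")
    if int(c.get("ieee80211w", "0")) < 2:   # 0 = off, 1 = optional, 2 = required
        findings.append("PMF not required (ieee80211w < 2): set ieee80211w=2")
    key_mgmt = c.get("wpa_key_mgmt", "")
    if "WPA-PSK" in key_mgmt:
        pw = c.get("wpa_passphrase", "")
        if len(pw) < min_passphrase_len:
            findings.append(f"WPA2-PSK passphrase is {len(pw)} chars: use "
                            f"{min_passphrase_len}+ random chars, or SAE/802.1X")
        if "SAE" not in key_mgmt:
            findings.append("WPA2-PSK only: migrate to SAE (WPA3) or WPA-EAP (802.1X)")
    for cosmetic in ("macaddr_acl", "ignore_broadcast_ssid"):
        if c.get(cosmetic, "0") != "0":
            findings.append(f"{cosmetic}={c[cosmetic]} is cosmetic, not a security control")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_AP_CONF), ("hardened", HARDENED_AP_CONF)):
        print(f"{name}: {audit_ap_config(conf) or ['OK']}")
```

The same rules apply to an Enterprise profile (`wpa_key_mgmt=WPA-EAP` with `ieee8021x=1` and a RADIUS server) except that the passphrase checks no longer apply; the cipher, WPS and PMF findings are identical.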
The Limits of Weak Controls
| Control | Perceived benefit | Real limitation |
|---|---|---|
| MAC address filtering | Only known devices connect | MAC addresses sit in the unencrypted header of every frame and are trivially spoofed; never a primary control |
| SSID hiding | Network is invisible | SSID still leaks in client probe and association frames; offers no real security and can even make clients more trackable |
| Reduced transmit power alone | Signal does not leave the building | Determined attackers use high-gain directional antennas to reach weak signals |
These measures may add minor friction but must never substitute for strong encryption, 802.1X authentication, PMF, and WIPS monitoring. On the exam, an answer choice offering MAC filtering or SSID hiding as the "fix" for a real attack is almost always wrong.
Choosing an EAP Method
In WPA2/WPA3-Enterprise the EAP method determines how strong the authentication really is, and CEH tests the trade-offs:
| EAP method | Credential | Server cert validation | Notes |
|---|---|---|---|
| EAP-TLS | Mutual X.509 certificates | Required (mutual) | Strongest; no password to phish or crack, but needs a client-cert PKI |
| PEAP (MSCHAPv2) | Username/password in a TLS tunnel | Critical — the tunnel's only protection | Common; insecure if clients skip server-cert validation |
| EAP-TTLS | Password/legacy in a TLS tunnel | Critical | Similar tunneling approach to PEAP |
The recurring lesson: any tunneled, password-based method (PEAP/TTLS) is only as safe as the client's server-certificate validation. Without it, the credentials inside the tunnel are exposed to an evil-twin RADIUS impersonator — which is why EAP-TLS, with no shared secret to steal, is preferred for high-security environments.
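The client-side validation the paragraph above insists on, as an added example that is not from the original page or the wpa_supplicant project: a check over wpa_supplicant-style `network={...}` profiles that reports a tunneled EAP method with no trust anchor (`ca_cert`/`ca_path`) or no server-name check (`domain_match`/`domain_suffix_match`/`altsubject_match`). The option names are real wpa_supplicant settings; the profiles, identities, password, certificate paths and the `radius.corp.example` name are constructed.

```python
"""Audit wpa_supplicant-style 802.1X client profiles for server-certificate
validation. Profiles below are constructed for this example."""
import re

# Constructed weak profile: PEAP/MSCHAPv2 with no CA and no server-name match,
# so the client will build its TLS tunnel to any RADIUS server that answers.
WEAK_SUPPLICANT_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="Winter2024!"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed hardened profiles: the same PEAP profile with the corporate CA
# pinned and the server name checked, and an EAP-TLS profile with no password.
HARDENED_SUPPLICANT_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=PEAP
    identity="alice"
    password="Winter2024!"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=TLS
    identity="alice@corp.example"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
}
"""


def parse_networks(text):
    """Return one dict per network={...} block, with quotes stripped from values."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        blocks.append(net)
    return blocks


def audit_client_profile(net):
    """Findings for one profile; empty list means server validation is configured."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []  # not an 802.1X profile; nothing to check here
    eap = net.get("eap", "").upper()
    findings = []
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append(f"{eap}: no ca_cert/ca_path, any server certificate is accepted")
    if not (net.get("domain_match") or net.get("domain_suffix_match")
            or net.get("altsubject_match")):
        findings.append(f"{eap}: no domain_match/domain_suffix_match, any certificate "
                        "from a trusted CA is accepted regardless of name")
    if eap in ("PEAP", "TTLS") and findings:
        findings.append(f"{eap} sends a password inside the tunnel; with the gaps above "
                        "an evil-twin RADIUS endpoint can harvest it")
    return findings


def audit_supplicant_conf(text):
    """Audit every profile in a config text; returns a list of finding lists."""
    return [audit_client_profile(net) for net in parse_networks(text)]


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SUPPLICANT_CONF), ("hardened", HARDENED_SUPPLICANT_CONF)):
        print(f"{name}: {audit_supplicant_conf(conf)}")
```

The EAP-TLS profile passes the same checks, but even with a client certificate the `ca_cert` and `domain_match` lines still matter: without them the client would complete the TLS handshake with an impostor and, while no password is exposed, the user would be connected to the attacker's network.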
Authorized Wireless Assessment Workflow
A defender or authorized pentester validates these controls with a site survey: passively map all APs and their SSID/BSSID/channel/encryption (Kismet or airodump-ng), compare against the authorized inventory to surface rogues and evil twins, confirm WEP/WPS/TKIP are absent, verify PMF is enabled, and attempt a scoped, authorized handshake capture to confirm the passphrase resists offline cracking. Document findings against the control-to-attack map above.
Everything in this chapter is taught so you can find and close these gaps on networks you are permitted to test — never on networks you do not own or have written authorization to assess.
An organization relies solely on MAC address filtering to control which devices join its wireless network. Why does CEH consider this insufficient?
Which countermeasure most directly reduces the effectiveness of forged deauthentication frames against modern clients?
A network exposes WPS for easy device onboarding. During an authorized assessment the tester recovers the WPA2 passphrase in seconds despite it being long and random. What is the most direct remediation?
In a WPA3-Enterprise deployment, which client-side configuration is essential to prevent an evil twin from harvesting user credentials through a fake RADIUS endpoint?