Wireless & Network Security
Key Takeaways
- WPA3 is the current wireless standard: WPA3-Personal uses SAE (replacing the WPA2 4-way handshake) for forward secrecy, and Enhanced Open (OWE) encrypts otherwise-open networks; never deploy WEP.
- Enterprise wireless uses 802.1X with a RADIUS server so each user has unique credentials — disabling a departed employee's account is enough, with no need to rotate a shared PSK.
- Harden a SOHO router by changing the default admin password and SSID, disabling WPS, updating firmware, and choosing WPA2/WPA3; MAC filtering and SSID hiding are weak supplements, not real security.
- Firewalls should follow 'deny all, permit by exception'; Windows Defender Firewall (wf.msc) keeps separate inbound/outbound rules for Domain, Private, and Public profiles.
- Degaussing destroys data on magnetic HDDs and tape but does NOT work on SSDs; for SSDs use ATA Secure Erase, crypto-erase, or physical destruction.
Wireless Security: Pick the Right Protocol
Wireless protocol selection is a guaranteed 220-1202 question. Memorize this preference order from strongest to forbidden:
- WPA3-Enterprise — 802.1X + RADIUS, optional 192-bit suite for high security.
- WPA3-Personal — uses SAE (Simultaneous Authentication of Equals), giving forward secrecy and resistance to offline dictionary attacks.
- WPA2-Enterprise — 802.1X + RADIUS with AES-CCMP.
- WPA2-Personal — PSK + AES; acceptable but no forward secrecy.
- WPA (TKIP) — avoid; deprecated.
- WEP — never use; crackable in minutes.
WPA3 also adds Enhanced Open (Opportunistic Wireless Encryption / OWE), which encrypts traffic on an open guest network without a password, and Wi-Fi Easy Connect for headless IoT onboarding.
SOHO Router Hardening Checklist
| Action | Why it matters |
|---|---|
| Change default admin password | Default creds are published online |
| Change default SSID | Hides model/manufacturer hints |
| Enable WPA3 (WPA2 minimum) with a 12+ char passphrase | Encrypts the air |
| Disable WPS | The 8-digit PIN is brute-forceable |
| Update firmware | Patches router CVEs |
| Disable remote/WAN admin | Stops Internet-side management |
| Enable guest network isolation | Segments visitor devices |
| MAC filtering / hide SSID | Weak add-ons only — MACs are spoofable, SSIDs are still beaconed |
Trap: the exam treats MAC filtering and SSID suppression as not real security because both are trivially bypassed. They never substitute for WPA2/WPA3 encryption.
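To turn the protocol ranking and the checklist above into something checkable, here is a small configuration audit written in Python. It is an added example for this study guide, not code from any router vendor or from CompTIA; the configuration dictionary, the default-credential list and the field names (`wps_enabled`, `remote_admin_wan`, and so on) are constructed assumptions, not a real router's export format. It grades the wireless mode against the preference order, enforces the 12+ character passphrase rule, and deliberately reports MAC filtering and SSID hiding as informational only, since neither counts as real security.

```python
"""Audit a SOHO router configuration against the wireless-protocol ranking and
the hardening checklist. Example code added for this study guide; the config
dictionary and default-credential list are constructed samples."""

# Security modes ranked strongest (0) to forbidden, following the preference list.
WIRELESS_MODE_RANK = {
    "WPA3-Enterprise": 0,
    "WPA3-Personal": 1,
    "WPA2-Enterprise": 2,
    "WPA2-Personal": 3,
    "WPA-TKIP": 4,
    "WEP": 5,
    "Open": 6,
}
ACCEPTABLE_MODES = {"WPA3-Enterprise", "WPA3-Personal", "WPA2-Enterprise", "WPA2-Personal"}

# Constructed sample of factory-default admin passwords and SSID prefixes (hypothetical list).
DEFAULT_PASSWORDS = {"admin", "password", "1234"}
DEFAULT_SSID_PREFIXES = ("NETGEAR", "Linksys", "TP-LINK", "dlink")

SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def audit_router(cfg):
    """Return a list of (severity, finding) tuples; an empty list means the checklist passes."""
    findings = []
    mode = cfg.get("wireless_mode", "Open")
    if mode not in WIRELESS_MODE_RANK:
        findings.append(("HIGH", f"Unknown wireless mode {mode!r}; treat as unverified"))
    elif mode not in ACCEPTABLE_MODES:
        findings.append(("CRITICAL", f"{mode} is deprecated or open; move to WPA3 (WPA2 minimum)"))
    elif WIRELESS_MODE_RANK[mode] > WIRELESS_MODE_RANK["WPA3-Personal"] and cfg.get("supports_wpa3"):
        findings.append(("LOW", f"{mode} in use but the router supports WPA3; upgrade"))
    # Personal modes rely on the PSK, so its length matters; Enterprise modes use per-user credentials.
    if mode.endswith("-Personal") and len(cfg.get("passphrase", "")) < 12:
        findings.append(("HIGH", "PSK passphrase is shorter than 12 characters"))
    if cfg.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append(("CRITICAL", "Admin password is a factory default"))
    if cfg.get("ssid", "").upper().startswith(tuple(p.upper() for p in DEFAULT_SSID_PREFIXES)):
        findings.append(("LOW", "SSID still reveals the manufacturer/model"))
    if cfg.get("wps_enabled"):
        findings.append(("HIGH", "WPS enabled; its 8-digit PIN is brute-forceable"))
    if cfg.get("remote_admin_wan"):
        findings.append(("HIGH", "Management interface is reachable from the WAN"))
    if not cfg.get("firmware_current"):
        findings.append(("MEDIUM", "Firmware is not the latest release"))
    if cfg.get("guest_network") and not cfg.get("guest_isolation"):
        findings.append(("MEDIUM", "Guest network is not isolated from the LAN"))
    # Noted but never credited: these are weak add-ons, not substitutes for encryption.
    if cfg.get("hide_ssid") or cfg.get("mac_filtering"):
        findings.append(("INFO", "MAC filtering / hidden SSID present; not a substitute for WPA2/WPA3"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'NONE' when the audit is clean."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index, default="NONE")


# Constructed sample: a router that only had its SSID hidden, everything else left at defaults.
SAMPLE_ROUTER = {
    "ssid": "NETGEAR42",
    "wireless_mode": "WPA2-Personal",
    "passphrase": "summer2024",
    "admin_password": "password",
    "wps_enabled": True,
    "hide_ssid": True,
    "remote_admin_wan": False,
    "firmware_current": False,
    "guest_network": True,
    "guest_isolation": True,
    "supports_wpa3": True,
}

if __name__ == "__main__":
    for sev, msg in audit_router(SAMPLE_ROUTER):
        print(f"[{sev}] {msg}")
    print("Overall:", worst_severity(audit_router(SAMPLE_ROUTER)))
```

Run against the sample, the audit reports the default admin password as CRITICAL and WPS as HIGH, while the hidden SSID only produces an INFO line, which is exactly the exam's point: hiding the SSID changed nothing about the router's real exposure.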
802.1X / RADIUS
| Role | Device |
|---|---|
| Supplicant | The client requesting access |
| Authenticator | The AP or switch relaying the request |
| Authentication server | RADIUS, validating against Active Directory |
Flow: supplicant → authenticator → RADIUS checks the directory → accept/reject. Because each user holds individual credentials or a certificate, offboarding is just disabling one account — no shared PSK to rotate across the whole office.
Firewalls
| Type | Where it runs | Example |
|---|---|---|
| Host-based | On one computer | Windows Defender Firewall, iptables |
| Network-based | Appliance at the edge | pfSense, Fortinet, Cisco ASA |
A firewall rule matches source IP, destination IP, port, protocol (TCP/UDP/ICMP), and action (allow/deny). The hardened design is deny all, permit by exception — block everything, then open only required ports such as 443. In Windows Defender Firewall (wf.msc) rules are scoped to Domain, Private, and Public profiles, with independent inbound and outbound rule sets.
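The following Python model shows how "deny all, permit by exception" evaluation works when rules carry the five match fields plus the profile and direction scoping described above. It is an added example for this study guide, not an export from Windows Defender Firewall, iptables or any appliance; the rule set, the packet samples and the `Rule`/`Packet` field names are constructed assumptions. First match wins, and a packet that matches nothing falls through to the default deny.

```python
"""Model of first-match, deny-by-default firewall evaluation with per-profile and
per-direction scoping. Example code added for this study guide; the rules and
packets are constructed samples, not a real firewall's configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
ALL_PROFILES = frozenset({"Domain", "Private", "Public"})


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str          # "in" or "out"
    profiles: frozenset     # subset of {"Domain", "Private", "Public"}
    protocol: str           # "tcp", "udp", "icmp" or "any"
    src: object             # ip_network the source address must fall in
    dst: object             # ip_network the destination address must fall in
    port: Optional[int]     # destination port; None means any port (use None for icmp)
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    direction: str
    profile: str            # the profile the active network adapter is in
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


def matches(rule, pkt):
    """A rule applies only if every field it scopes on agrees with the packet."""
    return (rule.direction == pkt.direction
            and pkt.profile in rule.profiles
            and rule.protocol in ("any", pkt.protocol)
            and ip_address(pkt.src_ip) in rule.src
            and ip_address(pkt.dst_ip) in rule.dst
            and (rule.port is None or rule.port == pkt.dst_port))


def evaluate(rules, pkt, default="deny"):
    """First matching rule decides; nothing matching falls to the default (deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, f"default-{default}"


# Constructed rule set: only what is required is opened, and RDP only on the Domain
# profile from the internal range, so the same host on a Public network exposes nothing.
RULES = [
    Rule("Allow HTTPS in", "in", ALL_PROFILES, "tcp", ANY, ANY, 443, "allow"),
    Rule("Allow RDP in (Domain, internal only)", "in", frozenset({"Domain"}), "tcp",
         ip_network("10.0.0.0/8"), ANY, 3389, "allow"),
    Rule("Block Telnet out", "out", ALL_PROFILES, "tcp", ANY, ANY, 23, "deny"),
    Rule("Allow all out", "out", ALL_PROFILES, "any", ANY, ANY, None, "allow"),
]

# Constructed sample traffic.
SAMPLES = [
    Packet("in", "Public", "tcp", "203.0.113.5", "192.168.1.10", 443),
    Packet("in", "Domain", "tcp", "10.1.2.3", "10.1.5.20", 3389),
    Packet("in", "Public", "tcp", "10.1.2.3", "10.1.5.20", 3389),
    Packet("in", "Private", "tcp", "192.168.1.7", "192.168.1.10", 23),
    Packet("out", "Private", "tcp", "192.168.1.10", "198.51.100.9", 23),
    Packet("out", "Public", "tcp", "192.168.1.10", "198.51.100.9", 22),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        action, why = evaluate(RULES, pkt)
        print(f"{pkt.direction:>3} {pkt.profile:<7} {pkt.protocol}/{pkt.dst_port} -> {action} ({why})")
```

The third sample is the one worth studying: the RDP packet is identical to the second except for the profile, and because the only RDP allow is scoped to Domain, the laptop sitting on Public Wi-Fi silently drops it through the default deny. That profile separation is what wf.msc is doing when it keeps Domain, Private and Public rule sets apart.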
Common Network Attacks
| Attack | Mechanism | Mitigation |
|---|---|---|
| Man-in-the-middle | Intercepts traffic between two parties | HTTPS/TLS, VPN, HSTS |
| DNS poisoning | Corrupts resolver cache to redirect | DNSSEC, trusted resolvers |
| ARP poisoning | Spoofs MAC-to-IP mappings on the LAN | Dynamic ARP inspection |
| DDoS | Floods a service from many hosts | Upstream scrubbing, rate limiting |
| Deauth attack | Forces Wi-Fi clients to drop | WPA3, 802.11w management frame protection |
| Rogue DHCP | Hands out bad gateway/DNS | DHCP snooping on switches |
| On-path evil twin | Fake AP captures credentials | WPA3-Enterprise, certificate validation |
| Zero-day | Exploits an unpatched flaw | Defense in depth, behavioral detection |
Secure Data Destruction
When retiring drives, the disposal method must match the media:
| Method | Works on | Note |
|---|---|---|
| Standard format | Any media (insecure) | Data is recoverable |
| ATA Secure Erase | SSD and HDD | Firmware-level wipe |
| Degaussing | HDD, tape | Magnetic only — destroys the drive |
| Crypto-erase | SSD | Encrypt then destroy the key |
| Shred / drill / incinerate | All media | Most thorough, physical |
Critical SSD rule: degaussing has no effect on SSDs because flash stores data as electric charge, not magnetism. For SSDs, use Secure Erase, crypto-erase, or physical destruction.
Outsourced Destruction and Chain of Custody
When a third party destroys media, the exam expects a certificate of destruction (or recycling) documenting each serial number, the method used, and the date. This proves due diligence for compliance audits (HIPAA, PCI-DSS, GDPR). Maintain chain of custody from the moment a drive leaves service until it is verifiably destroyed, so no drive can quietly walk off with data intact.
VPNs and Securing Remote Access
A Virtual Private Network (VPN) builds an encrypted tunnel between a remote device and the corporate network, protecting data in transit across untrusted links such as public airport or coffee-shop Wi-Fi. Without a VPN, traffic on an open network is exposed to evil-twin and on-path attacks; with one, an eavesdropper sees only ciphertext.
| Remote-access concept | What it does |
|---|---|
| Client-to-site VPN | One user's device tunnels into the corporate LAN |
| Site-to-site VPN | Two offices link their networks over the Internet |
| Split tunneling | Only corporate traffic uses the tunnel; the rest goes direct |
| Full tunneling | All traffic routes through the corporate gateway for inspection |
For remote management, prefer encrypted protocols: SSH (port 22) instead of Telnet (23), RDP (3389) only over a VPN, and HTTPS (443) instead of HTTP (80) for web admin. These map directly to the "data in transit" protection state.
Public Wi-Fi scenario: a sales rep needs to reach internal files from a hotel. The correct answer is connect through the company VPN first, which encrypts the session end to end. Simply seeing a padlock on one website does not protect everything else the device sends, and an open hotel network leaves all unencrypted traffic readable.
Tie the chapter together with defense in depth: physical controls, strong authentication and least privilege, hardened wireless and firewalls, encryption of data at rest and in transit, and ongoing user education each handle a different layer — no single control is sufficient on its own, which is the recurring theme across the Security domain's 28% of the exam.
An employee leaves the company. The office Wi-Fi uses WPA2-Enterprise with 802.1X and RADIUS. What is the simplest way to revoke that person's wireless access?
Which data destruction method is INEFFECTIVE on a solid-state drive?
A SOHO router is left with WPS enabled and a hidden SSID but no other changes. Why is this still insecure?