Tackle Wireless LAN security in this course that teaches the essential concepts and protocols from the inside out. Learn about 802.11 frame formats and transmission protocols in order to gain an understanding of where vulnerabilities might lie, and then apply that knowledge to WLAN security design concepts that make life difficult for hackers at every turn.

In addition to learning the intricacies of the 802.11 standard, WPA/WPA2, and 802.11i, you will build a secure WLAN from the ground up. You will configure and crack a series of security methods during hands-on lab exercises before a robust WPA2 Enterprise network emerges at the end of the week. You will learn to use a variety of professional grade analysis tools and open source attack tools as you test different wireless security protocols.

Preparing for the CWSP certification? This course is excellent as part of an overall study strategy for the CWNP certification CWSP. The course includes a CWSP study guide, certification practice exam, and test voucher, and many CWSP concepts are covered with lab emphasis on real-world solutions. Many CWNA and CWNE concepts are covered as well.

What You'll Learn

• Radio frequency modulation and signal analysis
• Wireless security standards, including 802.11i, WPA, and WPA2
• The 802.11 arbitration process that is used by WLAN devices for channel access
• Detailed information about 802.11 frame formats
• 802.11 frame types and sub-types
• Design principles that ensure WLAN security
• Wired Equivalent Privacy (WEP) protocols and why WEP is not secure
• WPA protocols and how they solve the problems with WEP
• WPA2 protocols and how they should be configured to prevent attacks
• 802.1X/EAP methods, including which EAP type is appropriate in common WLAN deployments
• Methods for preventing, detecting, responding to, and auditing state-of-the-art WLAN attacks
• Wireless intrusion detection and why it's essential for maintaining a secure network

Who Needs to Attend

• Administrators: network, systems, infrastructure, security, and LAN/WLANs
• Designers: network, systems, and infrastructure
• Developers: wireless software and hardware products
• Consultants and integrators: IT, wireless, and security
• Decision makers: infrastructure managers, IT managers, security directors, chief security officers, and chief technology officers

Prerequisites

• Wireless LAN Foundations

Follow-On Courses

There are no follow-ons for this course.

Course Outline

1. The Wireless Link

• 2.4 GHz Channels
  • 2.4 GHz Networks
• 5 GHz Channels
  • 802.11a Networks
  • RF Modulation
  • OFDM Modulation Types
• Data Encoding
  • DSSS Coding Types
  • OFDM Convolutional Coding
  • MIMO WLANs

2. The 802.11 Frame Format

• The OSI Model
  • Networking Basics
  • The Wi-Fi Effect
  • The 802.11 PHY Layer
• DSSS and OFDM Preambles
  • DSSS Preamble
  • OFDM Preamble
  • DSSS and OFDM Preamble Differences
• Physical Layer Information
  • PHY Layer Troubleshooting
• The Wi-Fi MAC Header
• Fields and Subfields
  • Frame Control Field Frame Control Flags
• Duration/ID Field
  • Duration Values
• 802.11 Addressing
  • Wireless Addresses
  • Wired Addresses
  • IBSS Addressing
• Sequence Control Field
  • Use in Troubleshooting
• QoS Control Field (802.11e)
• HT Control Field
• Frame Check Sequence
  • Corruption Basics

3. 802.11 Frame Types

• 802.11 Management Frames
  • Management Frame Structure
• Beacon Frames
  • Beacon Information
  • Capability Information
  • Standard Information Elements
  • Additional Information Elements
• Active Scanning Frames
  • Probe Request Frames
  • Probe Response Frames
• Authentication and Association
  • Authentication Frames
  • Association Request Frames
  • Association Response Frames
• Action Frames
• Roaming
  • Reassociation
• Connection Termination
  • Deauthentication
  • Disassociation
• Management Frame Summary
• Control Frames
  • Acknowledgments
  • Block Acknowledgments
• Request-to-Send/Clear-to-Send
  • RTS/CTS Thresholds
• Power Save Poll Frames
  • Next Generation Power Save
• Data Frames
  • Contention-Based Data
• QoS Data Frames

4. 802.11 Arbitration

• 802.11 Channel Access
  • 802.11 Arbitration
• CSMA/CA
  • A Clear Channel
• The Arbitration Process
  • Interframe Spacing
  • Random Backoff Time
  • Winning Arbitration
  • Acknowledgements
  • After the Acknowledgement
• An Arbitration Example
  • Timelines
  • IFS Timelines
  • Frame Timelines
  • ACK Timelines
• Effects of Arbitration

5. 802.11e Quality of Service

• Enhanced Distributed Channel Access
  • AIFSN Lengths
  • The Contention Window (QoS)
• Other 802.11e Improvements
  • TXOP and CFB
  • Block Acknowledgements
  • CFB and BA Operation

6. Signal Analysis

• RF Signal Analysis
• RF Math Basics
  • Relationship of mW and Db
  • Use of RF Math: Signal Changes
  • Converting mW to dBm
  • Use of RF Math: mW to dBm Conversions
  • Approximating RF Math Calculations
• RSSI Values
  • Relationship of RSSI to Data Rates
• Signal Range
• Co-Channel Interference
  • Reading Interference
  • Spectrum Analyzer Usage

7. Connection Analysis

• The Wi-Fi Connection
  • Beyond Basic Troubleshooting
  • Connection Fundamentals
• Scanning Analysis
• Authentication and Association
• Secure Connections
  • PSK Connections
  • 802.1X/EAP Connections
• Roaming
  • Roaming Problems
• Connection Loss
  • Forged Deauthentification and Disassociation Frames

8. Performance Analysis

• WLAN Performance
• Network Load
  • Effects of Channel Overload
  • QBSS Load
• Dynamic Rate Selection
  • Use of the Wireless Channel
• Wi-Fi Overhead
  • Wi-Fi Collisions
  • Acknowledgements
• Protection Mechanism
  • Mixed Mode
• Performance Degradation
  • Interface Types
  • RTS/CTS

9. General Security Approach

• WLAN Security Fundamentals
• Wireless Security Approach
• Wireless Data Security
  • Data Security Approach
  • Network Security
  • Network Security Approach
• Endpoint Security

10. WLAN Infrastructure

• WLAN Security Infrastructure
  • WPA2 Enterprise
  • 802.1X/EAP
  • Basic Enterprise Architecture
  • Users Authenticate
  • LAN Protection
  • Data Protection
• Access points
  • Segmentation
  • Device Security
• WLAN Controllers
  • Security Benefits
  • Integrated Firewalls
• WLAN Management Systems
  • WNMS Deployment
• RADIUS Servers
  • Advanced Authorization Features
  • RADIUS Server Deployment
• Virtual LANs
  • Wireless VLAN Security
  • Wireless VLANs

11. 802.11 Security (WEP)

• Wired Equivalent Privacy
  • Goals of WEP
• WEP Authentication
  • Open System Authentication
  • Shared Key Authentication
  • 802.1X/EAP and WEP
• WEP Encryption
  • Rotating Initialization Vector
  • WEP Key Management
  • WEP Data Integrity
• Flaws on WEP
  • Minor Vulnerabilities
  • Major Vulnerabilities
  • The Double Major Vulnerabilities
  • Why Cover WEP?
  • Linear integrity check
  • Brute force attacks

12. RSN Authentication

• 802/11i Encryption Protocols
  • All Networks Accommodated
• Preshared Key
  • Small Networks
  • PSK Vulnerability
  • Preshared Key Design
• 802.1X
  • Extensible Authentication Protocol
  • 802.1X/EAP Design
• EAP Types
  • EAP-Cisco Wireless (EAP-LEAP)
  • EAP-FAST
  • EAP-TLS
  • EAP-TTLS
  • Protected EAP
  • Choosing an EAP Type

13. RSN Encryption

• 802.11i Encryption Protocols
• RC4 Encryption
  • Secure Stream Cipher
• Temporal Key Integrity Protocol
  • TKIP Operation
• Counter-Mode CBC-MAC Protocol
  • AES-CCMP Similarities to TKIP
  • AES-CCMP Operation
• Data Frame Encryption
  • WEP Encapsulation
  • TKIP Encapsulation
  • AES-CCMP Encapsulation
• 802.11i Encryption Summary
  • Automatic Encryption Selection
  • Encrypting in the Real World

14. RSN Key Management

• 802.11i Amendment
  • Fast Transition Basics
  • Fast Transition Options
  • Fast, Secure Roaming
  • Encryption and Network Access
• Robust Security Network
  • RSN Key Material
• Key Management Handshakes
  • The 4-Way Handshake
  • Group Key Handshake
  • PeerKey Handshake
• Key Management Summary

15. Network Security

• Network Security
  • Prevention: Unauthorized Access
  • Integrating the WLAN
  • Separating the WLAN
• MAC Address Spoofing
  • Network Segmentation Options
  • Network Rogue APs
  • Evil Twin Rogue APs
  • Rogue AP Response
  • DoS Response
• RF Denial of Service
  • Client Testing Software
  • DoS: Connection Loss
  • Handling DoS
  • Auditing: Wireless IDS and WNMS
  • WIDS Rogue Prevention

16. Wireless Data Security

• Wireless Data Security
  • General Security
• Wireless Data Security
  • Encryption Options
• Endpoint Security
  • ESS
  • NAC
  • Wireless Date Security: Auditing
  • Auditing: Protocol Analyzers
  • Auditing: Wireless IDS/IPS

Labs

Day 1

Lab 1: Analyzer Setup: Wildpackets Omnipeek

Set up Wildpackets Omnipeek for WLAN monitoring.

Lab 2: Analyzer Setup: AirMagnet WiFi Analyzer

Set up AirMagnet WiFi Analyzer for WLAN monitoring.

Day 2

Lab 3: Wireless IDS Setup: AirMagnet Enterprise

Set up AirMagnet Enterprise server and sensors for intrusion detection.

Lab 4: Guest WLAN Configuration: Web-Based Authentication

Set up a Cisco 2100 Series WLAN controller for web-based authentication.

Lab 5: Network Intrusion: AP Discovery

Use AirMagnet WiFi Analyzer to scan for vulnerable WLANs.

Lab 6: Network Intrusion: Circumventing Web-Based Authentication

Masquerade as an authorized user to gain network access.

Lab 7: Wireless Monitoring: Identify a MAC Address Spoofing Attack

Use Wildpackets Omnipeek to identify MAC address spoofing.

Day 3

Lab 8: Home WLAN Configuration: WPA Personal

Set up a Cisco 2100 Series WLAN controller for PSK authentication.

Lab 9: Network Intrusion: PSK Cracking and TKIP Decryption

Crack a PSK passphrase and gain network access. Decrypt TKIP-encrypted data.

Lab 10: Enterprise WLAN Configuration: WPA2 Enterprise

Set up a Cisco 2100 Series WLAN controller for WPA2 Enterprise security.

Lab 11: Network Intrusion: Denial of Service

Block WLAN access using client-testing software and the CommView for Wi-Fi packet generator.

Day 4

Lab 12: Network Intrusion: Rogue AP

Access the network via a network-based rogue AP.

Lab 13: Network-Based Rogue AP Countermeasures

Configure wired 802.1X to block network-based rogue APs.

Lab 14: VoWLAN Configuration

Set up a Cisco 2100 Series WLAN controller for open VoWLAN access.

Lab 15: Wireless Data Intrusion: VoWLAN Eavesdropping

Record and play back VoWLAN calls using Wildpackets Omnipeek.

Lab 16: Secure WLAN Setup: WPA2 Personal Configuration

Configure a strong PSK with AES-CCMP encryption to prevent attacks.

Lab 17: Non-Broadcasting SSID configuration

Set up a Cisco 2100 Series WLAN controller with a hidden SSID and connect.

Day 5

Lab 18: End User Attack: Client Discovery

Use AirMagnet WiFi Analyzer to scan for vulnerable stations.

Lab 19: End User Attacks: Evil Twin Rogue AP and Man-in-the-Middle

Forward a hijacked user on to an authorized WLAN.

Lab 20: Evil Twin Rogue AP Countermeasures

Identify, locate, and block an Evil Twin rogue AP using AirMagnet Enterprise WIDS.

Lab 21: End User Attack: 802.1X/EAP Hijacking

Use AP software and RADIUS software to create an Evil Twin rogue AP running 802.1X/EAP.

Lab 22: Secure WLAN Setup: WPA2 Enterprise Client Configuration

Configure a WLAN client utility to avoid hijacking when using 802.1X/EAP authentication.