5.3.2. Network Access Control (NAC)
💡 First Principle: Wireless networks broadcast signals that travel beyond physical walls — anyone within radio range can attempt to receive and inject wireless traffic without any physical access to your facility. Wireless security controls must compensate for the fact that the physical medium is inherently shared and public, unlike a wired cable where physical access is required to intercept.
Wireless security protocol evolution:
| Protocol | Year | Encryption | Authentication | Status |
|---|---|---|---|---|
| WEP | 1999 | RC4 (flawed) | Shared key | ❌ Broken — crackable in minutes |
| WPA | 2003 | TKIP (RC4 improvements) | PSK or 802.1X | ❌ Deprecated |
| WPA2 | 2004 | AES-CCMP | PSK or 802.1X | ⚠️ Acceptable for home; enterprise needs 802.1X |
| WPA3 | 2018 | AES-GCMP-256 | SAE (KRACK resistant) | ✅ Current standard |
WPA2 vs. WPA3 key improvements:
| Feature | WPA2 | WPA3 |
|---|---|---|
| Personal key exchange | 4-way handshake (KRACK vulnerable) | SAE (Simultaneous Authentication of Equals) — forward secrecy |
| Offline dictionary attacks | Possible if handshake captured | SAE makes offline dictionary attacks infeasible |
| Open network protection | No encryption on open networks | OWE (Opportunistic Wireless Encryption) encrypts even open networks |
| Enterprise encryption | AES-128 CCMP | AES-256 GCMP + SHA-384 |
| Management frame protection | Optional (802.11w) | Mandatory |
Enterprise wireless security (WPA2/3-Enterprise with 802.1X):
Authentication flow: wireless client → authenticator (WAP) → authentication server (RADIUS) → directory (Active Directory/LDAP). The RADIUS server validates credentials and issues access or denial. Each user authenticates individually — no shared PSK, so revoking one user's access doesn't require changing passwords for all users.
EAP (Extensible Authentication Protocol) variants for 802.1X:
| EAP Type | Certificate Required | What It Protects | Recommendation |
|---|---|---|---|
| EAP-TLS | Both client and server | Strongest mutual auth | ✅ Preferred for enterprise |
| PEAP | Server only | Client creds protected in TLS tunnel | ✅ Acceptable |
| EAP-TTLS | Server only | Various inner auth methods | ✅ Acceptable |
| EAP-MD5 | None | None — passwords sent as MD5 | ❌ Deprecated |
| LEAP (Cisco) | None | Vulnerable to offline dictionary | ❌ Deprecated |
Wireless attack categories:
| Attack | Description | Defense |
|---|---|---|
| Evil twin / rogue AP | Attacker deploys AP with same SSID as legitimate network | 802.1X mutual auth; WIDS to detect rogue APs; certificate validation on client |
| Deauthentication attack | Forged deauth frames force clients to reconnect (then capture handshake) | WPA3 with management frame protection (MFP); 802.11w |
| KRACK | Key Reinstallation Attack on WPA2 4-way handshake | WPA3 (SAE eliminates this); patched WPA2 clients |
| Wardriving | Scanning for vulnerable wireless networks | Not specifically preventable; use WPA3-Enterprise |
| Jamming | Radio frequency interference to deny service | Frequency hopping; DSSS/FHSS; detect via WIDS |
| WPS PIN attack | WPS PIN brute-force attack (8-digit PIN with halved search space) | Disable WPS |
Wireless site security design:
- SSID broadcast: Disabling SSID broadcast provides minimal security (SSID visible in probe frames) — do not rely on this
- MAC filtering: Weak control — MACs are trivially spoofed; not a real authentication mechanism
- Channel selection: Use non-overlapping channels (1, 6, 11 for 2.4GHz); 5GHz has more non-overlapping channels; 6GHz (Wi-Fi 6E) provides even more
- Coverage design: Tune transmit power to minimize signal bleed outside physical perimeter; too-strong signal visible from parking lot/street
⚠️ Exam Trap: WEP is completely broken and should not be used under any circumstances. If a scenario mentions WEP, the correct answer is always "replace WEP with WPA3" — there is no compensating control for WEP's fundamental cryptographic flaws. WPA2-Personal with a strong passphrase is acceptable for home use; enterprise environments require WPA2/3-Enterprise with 802.1X and individual user authentication.
Reflection Question: A healthcare clinic uses WPA2-Personal with a shared passphrase on its wireless network. Nurses use tablets to access the EHR system. A departing nurse took their tablet home. What are the specific security risks this creates, what is the immediate remediation, and what architectural change would prevent this problem from recurring?
