Introduction

In business environments, wireless and especially Wi-Fi networks are configured and maintained by a breadth of technology professionals-from Wi-Fi specialists to the sole IT professional left to juggle everything from networking to managing endpoints, applications, and servers. This book brings deep technical details to the seasoned wireless professional and summarizes best practices in easy-to-follow advice for those wearing many hats.

After fifteen years of stale Wi-Fi security suites and a limited focus on IoT security, the world of wireless is finally putting the spotlight on security. But designing secure wireless networks isn't nearly as straightforward as it seems. The newest WPA3 security suite greatly enhances security, but also introduces complexity as organizations move from legacy security to the latest standards.

This book reframes and redefines architecting secure wireless, opposing outdated guidance in favor of more robust security practices meant to address today's and tomorrow's evolving wireless networks. Its contents walk professionals through the decision-making steps of architecting secure networks, starting from risk and compliance considerations to detailed technical configurations. Along the way, it offers practical guidance, best practices, and specific recommendations for a variety of environments, vendor implementations, and security needs.

Overview of the Book and Technology

Securing wireless networks today requires a new way of thinking and a new set of tools. The best tool in the architect's toolbox is knowledge, and that's what this book delivers.

Along with recommendations for designing with best practices, Wireless Security Architecture also offers deep technical journeys into areas of encryption, authentication, authorization, segmentation, certificates, roaming, hardening, and more. Each chapter offers practical guidance along with technical details, empowering professionals to make informed decisions about how best to secure their environments.

One unique aspect of this book is that the full work is presented in a conversational tone, eliminating the rigidity of academic wording that can be a barrier to easy comprehension. Also, all chapters have been written by a single author, and common connected topics are woven and cross-referenced throughout.

This book addresses the full breadth of enterprise wireless products, with a strong focus on Wi-Fi. In it, architecture and security design considerations are offered for:

• Controller-managed Wi-Fi
• Cloud-managed Wi-Fi
• Autonomously managed Wi-Fi
• Small, medium, and large environments
• Specific manufacturers including Cisco, Aruba, Juniper Mist, and Extreme, among others
• Specific industries such as healthcare, government, and education
• Non-traditional endpoints and IoT devices

How This Book Is Organized

Wireless Security Architecture is sure to become the definitive guide for designing and maintaining secure wireless networks in any size organization. With content for wireless specialists and technology generalists alike, this book covers deep technical topics with appropriate introductory concepts that will allow non-wireless IT professionals to learn and follow along. And while it includes foundational knowledge, extraneous historical details such as the history of WEP have been deliberately omitted to keep the reader's focus on current technologies.

To remain vendor-neutral, the language used in this book is based on natural language. Where appropriate, in the more technical areas of the book, current vendor terminology and features are called out, allowing readers to easily find and further research topics within the context of their environment. Some vendors' configuration guides exceed 2,000 pages for a single product, and most enterprise Wi-Fi deployments incorporate several integrated solutions for management and monitoring, easily bringing the total to more than 5,000 pages of documentation-which often don't include details on security hardening.

At times, the terminology used may be purposefully deviant from a particular vendor feature name to avoid confusion. As one example, Cisco has a feature called Infrastructure MFP, which is easily confused with (but very different from) the IEEE 802.11w standard for Management Frame Protection (MFP), also known as Protected Management Frames (PMF) by the Wi-Fi Alliance. To avoid confusion, PMF is used when referring to 802.11w.

You may also notice some acronyms are intentionally repeated along with their full text, breaking traditional editorial conventions. Just within wireless, acronyms can be frequently re-used: "PSK" for example may mean pre-shared key but can also refer to phase-shift keying. Introducing security and IoT disciplines only complicates matters further: in this book "SOC" could mean security operations center, or system on a chip. To avoid confusion and make the text more accessible to a broad audience, these are often spelled out repeatedly.

The following is a brief summary of each chapter's content. In many cases, the chapters build on one another, adding technical context at each step. Expect to see topics repeated as the book progresses but presented in evolving context along the way. To help readers that may be skipping to specific portions of the book, cross references are included.

Part I, "Technical Foundations," introduces technical foundations for the reader and encompasses Chapters 1-4.

Chapter 1, "Introduction to Concepts and Relationships," is a level-set to get diverse professionals on the same page with foundational concepts of information security, high-level technical concepts that impact security, and an overview of wireless technologies and architectures. This chapter sets the tone by defining identity, authentication, and offering an entry to cryptography concepts.

The first technical content, Chapter 2, "Understanding Technical Elements," provides the underpinning of all content that follows with a deeper dive into data paths, segmentation methodologies, and the first dive into security profiles for Wi-Fi including the new WPA3 security suite.

Chapter 3, "Understanding Authentication and Authorization," is filled with every detail a professional ever wanted to know about authentication and authorization, including 802.1X, EAP, RADIUS, certificates, and MAC-based authentications.

Rounding out Part I, Chapter 4, "Understanding Domain and Wi-Fi Design Impacts," explains the symbiotic relationship of secure wireless architecture to network design elements and RF planning, with a strong focus on secure roaming protocols.

In Part II, "Putting It All Together," the reader is taken on the journey of planning the network and security architecture based on technical concepts from Part I.

Chapter 5, "Planning and Design for Secure Wireless," walks the reader through the author's own design methodology for planning secure wireless. It includes pointed questions to ask during scoping, and several planning templates and worksheets for the reader to use or modify-including complex policy matrices as well as simplified planners.

Hardening the infrastructure is the focus of Chapter 6, "Hardening the Wireless Infrastructure," with extensive guidance, tiered recommendations, and relevant vendor-specific sidebars.

Part III, "Ongoing Maintenance and Beyond," picks up where planning and design of Parts I and II left off.

Chapter 7, "Monitoring and Maintenance of Wireless Networks," addresses monitoring and maintenance of wireless networks including pen testing and audits, along with ongoing management with WIPS, and specific recommendations for logging, alerting, and reporting. As an added bonus, troubleshooting tips are included here as well.

Chapter 8, "Emergent Trends and Non-Wi-Fi Wireless," segues into the less evergreen topics, covering the more variable technologies of IoT and emergent trends such as remote workforces, BYOD, and zero trust.

The appendices present four topic areas, starting with Appendix A, "Notes on Configuring 802.1X with Microsoft NPS." Appendix B, "Additional Resources," offers hints on navigating IETF and IEEE documents, and Appendix C, "Sample Architectures," includes the much-requested examples of secure wireless architectures. A few niche topics are covered in Appendix D, "Parting Thoughts and Call to Action."

Why Read This Book

This book delivers insightful knowledge based on hundreds of real-world implementations and aggregates data and recommendations from thousands of pages of standards, vendor documents, and best practices white papers.

Offering a blend of relevant technical details alongside summarized best practices, the book offers advice within the context of a flexible framework that allows network and security architects to adapt and layer concepts as needed to meet their needs.

Whether you're a Wi-Fi professional, network admin, security architect, or anything in between-this book will be your go-to resource for planning and maintaining secure wireless networks.

What's on the Website

In addition to the material provided in the...