Syngress - Eleventh Hour Network+ Exam N10-004 Study Guide (11 ...
138 CHAPTER 8 Security Standards and Services
■ Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.11w
■ The original IEEE 802.11 standard (and therefore 802.11b) defines only open-system and shared-key authentication, a scheme that is not extensible.
■ IEEE 802.11w is an amendment to the existing 802.11 standards that adds security for management frames; it was still a draft when this guide was written and was ratified in 2009.
■ 802.11w defines integrity, authenticity and (for unicast frames) confidentiality protection for management frames, together with replay protection, so that deauthentication and disassociation frames can no longer simply be forged.
EXTENSIBLE AUTHENTICATION PROTOCOL
EAP is an authentication framework rather than a single mechanism: it carries any of several different authentication methods inside one common packet format (Code, Identifier, Length, Type, Data). It runs directly over the data link layer, over PPP or, on Ethernet and Wi-Fi, inside 802.1X EAPOL frames, and does not require the use of IP.
EAP comes in several different forms:
■ EAP over IP (EAPoIP)
■ EAP-MD5 (MD5-Challenge), a CHAP-style challenge/response; it authenticates only the client and derives no keying material, so it is unsuitable for wireless
■ EAP-TLS, mutual authentication with client and server certificates
■ EAP-Tunneled Transport Layer Security (EAP-TTLS)
■ Cisco EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)
RADIUS is often listed alongside these, but it is not an EAP method: it is the AAA protocol that carries EAP packets between the authenticator (the access point or switch) and the authentication server.
EAP can support per-packet authentication and integrity protection, but this protection does not extend to all types of EAP messages. For example, negative acknowledgment (Nak) and notification messages cannot use per-packet authentication and integrity. Per-packet authentication and integrity protection works for the following (the packet is encrypted unless otherwise noted):
■ TLS and IKE session key derivation
■ TLS ciphersuite negotiation (not encrypted)
■ IKE ciphersuite negotiation
■ Kerberos tickets
■ Success and failure messages that use a derived session key (through Wired Equivalent Privacy (WEP))
Unprotected Success, Failure and Nak messages can be injected by anyone who can put frames on the link, which is why a supplicant should not treat a bare EAP-Success as proof that the exchange completed; the keys derived by the method, and the handshake that follows, are what actually bind the session.
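The packet framing described above (EAP carried directly over the data link layer with no IP header, the authentication methods identified by numbered Type values, and the Nak message that is not itself protected), as an added Python example. This is not code from the study guide; the MAC addresses, the identity string and the challenge bytes are constructed for the demonstration, and the exchange it builds is a hypothetical one between an access point and a station.

```python
"""Added example (not from the study guide): build and parse EAP packets
carried in 802.1X EAPOL frames on Ethernet/Wi-Fi, with no IP layer involved."""
import struct

# EAP Code values (RFC 3748 section 4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4

# A few EAP method Type values from the IANA EAP registry
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Legacy Nak",
    4: "MD5-Challenge",
    13: "EAP-TLS",
    21: "EAP-TTLS",
    25: "PEAP",
    43: "EAP-FAST",
}

EAPOL_ETHERTYPE = 0x888E                        # 802.1X frames on the wire
EAPOL_TYPE_EAP_PACKET = 0                       # EAPOL packet type carrying EAP
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC address


def build_eap(code, identifier, eap_type=None, data=b""):
    """Return an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol_frame(src_mac, eap_packet, dst_mac=PAE_GROUP_ADDR):
    """Wrap an EAP packet in Ethernet II + EAPOL (version 1, type 0) headers."""
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap_packet)) + eap_packet
    return dst_mac + src_mac + struct.pack("!H", EAPOL_ETHERTYPE) + eapol


def parse_eapol_frame(frame):
    """Parse Ethernet + EAPOL headers and the EAP packet inside into a dict.
    Raises ValueError on anything malformed so a bad frame cannot be misread."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame (EtherType 0x%04x)" % ethertype)
    version, eapol_type, eapol_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("EAPOL type %d does not carry an EAP packet" % eapol_type)
    eap = frame[18:18 + eapol_len]
    if len(eap) < 4:
        raise ValueError("truncated EAP packet")
    code, identifier, length = struct.unpack("!BBH", eap[:4])
    if length < 4 or length > len(eap):
        raise ValueError("EAP Length field inconsistent with frame")
    result = {"code": code, "id": identifier, "type": None, "type_name": None, "data": b""}
    # Only Request and Response packets carry a Type byte; Success/Failure do not.
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response must carry a Type byte")
        result["type"] = eap[4]
        result["type_name"] = EAP_TYPES.get(eap[4], "unknown")
        result["data"] = eap[5:length]
    return result


def nak_desired_types(parsed):
    """For a Legacy Nak response, return the methods the peer proposes instead."""
    if parsed["code"] != EAP_RESPONSE or parsed["type"] != 3:
        raise ValueError("not a Legacy Nak response")
    return [EAP_TYPES.get(t, "unknown") for t in parsed["data"]]


def demo_exchange():
    """Constructed exchange: the AP asks for Identity, the station answers,
    the AP offers MD5-Challenge, the station NAKs it and asks for PEAP."""
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    frames = [
        build_eapol_frame(ap, build_eap(EAP_REQUEST, 1, 1), dst_mac=sta),
        build_eapol_frame(sta, build_eap(EAP_RESPONSE, 1, 1, b"alice@example.com")),
        build_eapol_frame(ap, build_eap(EAP_REQUEST, 2, 4, b"\x10" + bytes(16)), dst_mac=sta),
        build_eapol_frame(sta, build_eap(EAP_RESPONSE, 2, 3, bytes([25]))),
    ]
    return [parse_eapol_frame(f) for f in frames]


if __name__ == "__main__":
    for p in demo_exchange():
        print(p["code"], p["id"], p["type_name"], p["data"])
```

Note that every frame here goes from one MAC address to another with EtherType 0x888E; there is no IP header anywhere, which is exactly why EAP works before the station has an address. The Nak response is an ordinary, unauthenticated EAP packet, so the method it proposes (and the Success or Failure that ends the exchange) is only as trustworthy as the link it arrived on.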
PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL
Protected Extensible Authentication Protocol (PEAP) uses TLS to create an encrypted channel between the client supplicant and the RADIUS server, and the actual user authentication then takes place inside that tunnel. The tunnel only protects the credentials if the supplicant validates the server's certificate against a trusted CA (and, ideally, the expected server name); a client configured to skip that check will hand its inner credentials to any access point that presents its own RADIUS server. Security and ease of deployment make PEAP a popular choice for authentication.
The advantages of PEAP are as follows:
■ Windows 2008, Windows Server 2003, Windows 2000, Windows XP, and Pocket PC 2002 offer support for PEAP (either natively or with a system update), so there is no need for you to install third-party client software.
■ NPS in Windows 2008 and IAS in Windows 2003 are the Microsoft implementation of the RADIUS protocol. Windows 2000 Server and Windows