| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 11.13 - Wireless Networks (Part 2 of 3)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series widens the wireless picture from Domain 4, moving past the building blocks into stronger protected access and the other radio technologies an organization emits. It covers how each technology authenticates, where each one leaks, and the layered habits that secure the whole radio environment rather than only the obvious network.
What this episode covers
- Stronger protected access (WPA3) — a new handshake that proves the password without sending it, plus protection for management frames.
- Port-based authentication (802.1X) — an authentication proxy that hands clients off to your existing identity infrastructure.
- EAP variants — a flexible framework of methods, including a tunneled option that adds the confidentiality a cleartext exchange lacks.
- Wi-Fi Protected Setup and MAC filtering — convenience features that offer false comfort and should be disabled or distrusted.
- Antennas and captive portals — omnidirectional versus directional placement, and a gate page that checkpoints new clients.
- Hardening a deployment — a stacked checklist of firmware, encryption, segmentation, detection, VPN, and logging.
- Bluetooth, spread spectrum, RFID and NFC — short-range radios that trade range for convenience and exposure.
Watch the full episode above for the worked examples and step-by-step explanations of each concept.
Frequently Asked Questions
What makes the newest protected access stronger?
The newest protected access hardens the weakest link, the password exchange. The real leap is a new handshake that no longer sends your password across the air to prove it; instead it runs a zero-knowledge exchange, so both sides confirm they know the secret without transmitting it. It also shields management frames, giving those housekeeping messages confidentiality, integrity, and origin checks.
How does port-based authentication plug into Wi-Fi?
It uses a handoff standard that blocks a client from touching resources until it authenticates, acting like an authentication proxy at the door. It does not check credentials itself; instead it hands the request off to your existing identity infrastructure, such as a central authentication server, certificates, smart cards, or tokens. Underneath sits a flexible framework that is a container for many authentication methods rather than one.
Why is Wi-Fi Protected Setup a liability?
Wi-Fi Protected Setup was meant to make adding a device painless, auto-connecting the first client after you press a button or enter a short code. That code splits into two halves an attacker can guess one segment at a time, with the base station confirming each half, so a brute-force attack can succeed in hours. It is on by default, so disabling it should be a standard step before deployment.
Can filtering by hardware address keep intruders out?
Not reliably. A hardware address filter is a list of approved device identifiers that the access point checks against, but it only fits small, static environments. The frame header carrying those addresses stays readable even under strong encryption, so an attacker can sniff an approved address and spoof it, and many modern phones rotate their address at random. Treat it as a mild speed bump, never a real gate.
What should you know about Bluetooth and its relatives?
Bluetooth links paired devices over short distances, and by default most implementations send data in the clear, often relying on trivial pairing codes. A low-energy variant sips power for wearables, sensors, and medical gear, and a related low-power standard for smart devices does encrypt its traffic. Attackers can capture packets, flood a device offline, push messages, steal data, or seize remote control, so minimize its use and switch it off when idle.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 11.13 - Wireless Networks (Part 2 of 3).