Page 798 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
they are available.
WPS
Wi-Fi Protected Setup (WPS) is a security standard for wireless
networks. It is intended to simplify the effort involved in adding new
clients to a well-secured wireless network. It operates by
autoconnecting the first new wireless client to seek the network once
the administrator has triggered the feature by pressing the WPS button on
the base station. However, the standard also calls for a code or
personal identification number (PIN) that can be sent to the base
station remotely in order to trigger WPS negotiation without the need
to physically press the button. This led to a brute-force guessing attack
that could enable a hacker to guess the WPS code in hours (usually
less than six hours), which in turn enabled the hacker to connect their
own unauthorized system to the wireless network.
The PIN code is composed of two four-digit segments,
which can be guessed one segment at a time with confirmation
from the base station.
WPS is a feature that is enabled by default on most wireless access
points because it is a requirement for Wi-Fi Alliance device
certification. It’s important to disable it as part of a security-focused
predeployment process. If a device doesn’t offer the ability to turn off
WPS (or the Off switch doesn’t work), upgrade or replace the base
station’s firmware or replace the whole device.
Generally, leave WPS turned off. Each time you upgrade your
firmware, perform your security-focused predeployment process again
to ensure that all settings, including WPS, are set properly. If you need
to add numerous clients to a network, you can temporarily reenable
WPS—just be sure to disable it immediately afterward.
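
One way to run the WPS part of that predeployment check from the air, as an added example that is not from the study guide: it parses text modelled on `iw dev <iface> scan` output and reports managed base stations that still advertise WPS, which also catches an Off switch that doesn't work. The BSSIDs, SSIDs and the `MANAGED` inventory are constructed, and the check assumes that a base station with WPS disabled sends no WPS element in its beacons.

```python
import re

# Constructed sample modelled on `iw dev <iface> scan` output; not a real capture.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
    SSID: corp-lobby
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
BSS 02:00:00:00:00:02(on wlan0)
    SSID: corp-floor2
    RSN:     * Version: 1
BSS 02:00:00:00:00:03(on wlan0)
    SSID: neighbour
    WPS:     * Version: 1.0
"""
# Hypothetical inventory of the base stations this team deploys.
MANAGED = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:04"}
BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

def parse_scan(text):
    """Map each BSSID in the scan text to {'ssid': str, 'wps': bool}."""
    aps, cur = {}, None
    for raw in text.splitlines():
        m = BSS_RE.match(raw)
        if m:
            cur = aps.setdefault(m.group(1).lower(), {"ssid": "", "wps": False})
        elif cur is not None:
            line = raw.strip()
            if line.startswith("SSID:"):
                cur["ssid"] = line[5:].strip()
            elif line.startswith("WPS:"):
                cur["wps"] = True  # a WPS element is present in the beacon
    return aps

def audit(text, managed):
    """Return sorted (bssid, finding) pairs for managed base stations only."""
    aps, findings = parse_scan(text), []
    for bssid in sorted(b.lower() for b in managed):
        ap = aps.get(bssid)
        if ap is None:  # an unseen base station is not a pass: rescan it
            findings.append((bssid, "not seen in scan; result unknown"))
        elif ap["wps"]:
            findings.append((bssid, f"WPS still advertised on '{ap['ssid']}'"))
    return findings

if __name__ == "__main__":
    for bssid, finding in audit(SAMPLE_SCAN, MANAGED):
        print(f"FAIL {bssid}: {finding}")
```

Rerun it after every firmware upgrade and after any temporary reenabling of WPS; an empty result means every managed base station was seen and none advertised WPS.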
Using Captive Portals
A captive portal is an authentication technique that redirects a newly

