Which of the following authentication protocols used in wireless networks best supports the Zero Trust principle? (Wentz QOTD)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. EAP-TLS.
EAP-TLS, EAP-TTLS, and PEAP are all legitimate authentication protocols for WPA2-Enterprise (802.1X). EAP-TLS requires certificates on both the server and the client for mutual authentication and provides the highest security level of the three. EAP-TTLS and PEAP also authenticate the server with a certificate, but they authenticate the client inside the resulting TLS tunnel, usually with a password-based inner method, so no certificate has to be installed on every client; this reduces management overhead at the cost of resting client authentication on a password. Because Zero Trust emphasizes strong verification of every subject and asset and fine-grained access control, EAP-TLS is a better fit than EAP-TTLS or PEAP.
EAP Transport Layer Security (EAP-TLS)
EAP Transport Layer Security (EAP-TLS), defined in RFC 5216, is an IETF open standard that uses the Transport Layer Security (TLS) protocol, and is well-supported among wireless vendors. EAP-TLS is the original, standard wireless LAN EAP authentication protocol.
EAP-TLS is still considered one of the most secure EAP standards available and is universally supported by manufacturers of wireless LAN hardware and software, although TLS provides strong security only as long as the supplicant validates the server's certificate (or the user understands the warning that a mismatched certificate produces). Until April 2005, EAP-TLS was the only EAP type vendors needed to certify for a WPA or WPA2 logo.
The requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security trade-off. With a client-side certificate, a compromised password is not enough to break into an EAP-TLS protected network, because the intruder still needs the client's certificate and its private key; indeed, a password is not even needed for the authentication itself, as it only protects the stored private key. The highest security available is when the private key of the client-side certificate is held in a smart card or other hardware token, so that it cannot be copied off the device.
EAP Tunneled Transport Layer Security (EAP-TTLS)
EAP Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. It was co-developed by Funk Software and Certicom and is widely supported across platforms.
The client can, but does not have to, be authenticated to the server via a CA-signed PKI certificate. This greatly simplifies the setup procedure, since a certificate is not needed on every client; the client is typically authenticated by a password-based inner method (for example PAP or MS-CHAPv2) carried inside the TLS tunnel that the server's certificate established.
Protected Extensible Authentication Protocol (PEAP)
The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.
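The difference between the three methods shows up concretely in a supplicant configuration: an EAP-TLS profile carries a client certificate and private key, while PEAP and EAP-TTLS profiles carry a password and depend entirely on validating the RADIUS server's certificate. The following script is an added example, not code from the original post or from the wpa_supplicant project; it parses `network={...}` blocks in wpa_supplicant.conf syntax and flags profiles that lack a client certificate (EAP-TLS) or skip server validation (`ca_cert`, `domain_suffix_match`). The sample configuration is constructed for illustration: the SSIDs, identities, file paths and passwords are placeholders, while the option names are real wpa_supplicant options.

```python
"""Audit wpa_supplicant.conf network blocks for weak WPA2-Enterprise settings.

Added example, not code from the original post or from wpa_supplicant itself.
It parses network={...} blocks and reports which ones lack the properties
discussed above: a client certificate for EAP-TLS, and server-certificate
validation for every TLS-based method. The sample configuration is
constructed; SSIDs, identities, paths and passwords are placeholders.
"""
import re

# Constructed sample: a hardened EAP-TLS profile, a PEAP profile that pins the
# RADIUS server certificate, and a PEAP profile that validates nothing.
SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant

network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="placeholder"
    domain_suffix_match="radius.example.com"
}

network={
    ssid="corp-wifi-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous@example.com"
    password="placeholder"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-wifi-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)

# Options that constrain *which* server certificate the supplicant accepts;
# any one of them ties the tunnel to the expected RADIUS server.
SERVER_NAME_CHECKS = ("domain_suffix_match", "domain_match",
                      "altsubject_match", "subject_match")


def parse_networks(conf):
    """Return one dict of option -> value per network={...} block."""
    return [dict(KV_RE.findall(m.group(1))) for m in BLOCK_RE.finditer(conf)]


def audit_network(net):
    """Return a list of findings for one network block ([] means no issue)."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        return findings  # PSK and open networks are outside this audit
    eap = net.get("eap", "").upper()
    if eap == "TLS":
        for opt in ("client_cert", "private_key"):
            if opt not in net:
                findings.append(f"WARN EAP-TLS without {opt}: client cannot prove its identity")
    elif eap in ("PEAP", "TTLS"):
        findings.append(f"INFO {eap}: client is authenticated by a password inside the tunnel, not by a certificate")
    else:
        findings.append(f"WARN unexpected EAP method {eap!r}")
    # Without ca_cert, wpa_supplicant does not verify the server certificate,
    # so a rogue AP with its own RADIUS server can terminate the tunnel and
    # collect the inner credential exchange.
    if "ca_cert" not in net:
        findings.append("WARN no ca_cert: server certificate is not validated (evil-twin exposure)")
    if not any(opt in net for opt in SERVER_NAME_CHECKS):
        findings.append("WARN no server name constraint: any certificate issued by the CA is accepted as the RADIUS server")
    return findings


def audit_conf(conf):
    """Return [(ssid, findings), ...] for every network block in conf."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(conf)]


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF):
        print(f"[{ssid}]")
        for line in findings or ["OK"]:
            print("   ", line)
```

Running it against a real file is `audit_conf(open("/etc/wpa_supplicant/wpa_supplicant.conf").read())`. Note that the PEAP block that pins the CA and the server name still gets an informational finding: it is correctly configured, but the client identity it proves is only as strong as the password behind it, which is exactly the gap the question's answer turns on.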
Lightweight Extensible Authentication Protocol (LEAP)
Cisco LEAP is a proprietary EAP-based authentication protocol used with 802.1X in wireless networks. It supports mutual authentication and works with legacy WEP, which has itself been cracked; LEAP's own password-based exchange is vulnerable to offline dictionary attacks, so it is no longer recommended.
NIST SP 800-207: Tenets of Zero Trust
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
NIST SP 800-207: A Zero Trust View of a Network
- The entire enterprise private network is not considered an implicit trust zone.
- Devices on the network may not be owned or configurable by the enterprise.
- No resource is inherently trusted.
- Not all enterprise resources are on enterprise-owned infrastructure.
- Remote enterprise subjects and assets cannot fully trust their local network connection.
- Assets and workflows moving between enterprise and nonenterprise infrastructure should have a consistent security policy and posture.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.