CWNA Guide to Wireless LAN's Second Edition - Chapter 9
CWNA Guide to Wireless LANs, Second Edition
Chapter Nine: Implementing Wireless LAN Security
Objectives
• List wireless security solutions
• Tell the components of the transitional security model
• Describe the personal security model
• List the components that make up the enterprise security model
Wireless Security Solutions
• IEEE 802.11a and 802.11b standards included WEP specification
– Vulnerabilities quickly realized
– Organizations implemented “quick fixes”
• Did not adequately address encryption and authentication
• IEEE and Wi-Fi Alliance started working on comprehensive solutions
– IEEE 802.11i and Wi-Fi Protected Access (WPA)
• Foundations of today’s wireless security
WEP2
• Attempted to overcome WEP limitations by adding two new security enhancements
– WEP key increased to 128 bits
– Kerberos authentication
• User issued “ticket” by Kerberos server
• Presents ticket to network for a service
– Used to authenticate user
• No more secure than WEP
– Collisions still occur
– New dictionary-based attacks available
Dynamic WEP
• Solves weak IV problem by rotating keys frequently
– More difficult to crack encrypted packet
• Uses different keys for unicast and broadcast traffic
– Unicast WEP key unique to each user’s session
• Dynamically generated and changed frequently
– Broadcast WEP key must be same for all users on a particular subnet and AP
Dynamic WEP (continued)
Figure 9-1: Dynamic WEP
Dynamic WEP (continued)
• Can be implemented without upgrading device drivers or AP firmware
– No-cost and minimal effort to deploy
• Does not protect against man-in-the-middle attacks
• Susceptible to DoS attacks
IEEE 802.11i
• Provides solid wireless security model
– Robust security network (RSN)
– Addresses both encryption and authentication
• Encryption accomplished by replacing RC4 with a block cipher
– Manipulates entire block of plaintext at one time
• Block cipher used is Advanced Encryption Standard (AES)
– Three step process
– Second step consists of multiple rounds of encryption
IEEE 802.11i (continued)
Table 9-1: Time needed to break AES
IEEE 802.11i (continued)
• IEEE 802.11i authentication and key management is accomplished by IEEE 802.1x standard
– Implements port security
• Blocks all traffic on port-by-port basis until client authenticated using credentials stored on authentication server
• Key-caching: Stores information from a device on the network, for faster re-authentication
• Pre-authentication: Allows a device to become authenticated to an AP before moving to it
IEEE 802.11i (continued)
Figure 9-2: IEEE 802.1x
Wi-Fi Protected Access (WPA)
• Subset of 802.11i that addresses encryption and authentication
• Temporal Key Integrity Protocol (TKIP): Replaces WEP’s encryption key with 128-bit per-packet key
– Dynamically generates new key for each packet
• Prevents collisions
– Authentication server can use 802.1x to produce unique master key for user sessions
– Creates automated key hierarchy and management system
Wi-Fi Protected Access (continued)
• Message Integrity Check (MIC): Designed to prevent attackers from capturing, altering, and resending data packets
– Replaces CRC from WEP
– CRC does not adequately protect data integrity
• Authentication accomplished via IEEE 802.1x or pre-shared key (PSK) technology
– PSK passphrase serves as seed for generating keys
Wi-Fi Protected Access (continued)
Figure 9-3: Message Integrity Check (MIC)
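Why the MIC replaces the CRC, as an added example that is not part of the original slides: CRC-32 has no key and is affine over XOR, so a checksum for an altered frame can be computed from the old checksum and the change alone, while a keyed integrity tag cannot. HMAC-SHA-256 stands in here for TKIP's own MIC algorithm (an assumption made because the Python standard library does not include it), and the frame contents and key are constructed sample values.

```python
import hashlib
import hmac
import zlib


def crc32(data: bytes) -> int:
    """Unkeyed CRC-32, the kind of checksum WEP relied on for integrity."""
    return zlib.crc32(data) & 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc_after_change(old_crc: int, delta: bytes) -> int:
    """CRC-32 of (frame XOR delta), computed without the frame and without any key.

    For equal-length inputs: crc(a ^ d) == crc(a) ^ crc(d) ^ crc(zeros).
    """
    return old_crc ^ crc32(delta) ^ crc32(bytes(len(delta)))


def mic(key: bytes, frame: bytes) -> bytes:
    """Keyed integrity tag (HMAC-SHA-256 as a stand-in for the TKIP MIC)."""
    return hmac.new(key, frame, hashlib.sha256).digest()


def compare_integrity_checks() -> dict:
    """Show which check still accepts a frame that was altered in transit."""
    key = b"constructed-mic-key"                   # known only to sender and receiver
    frame = b"constructed payload: amount=0100"    # constructed sample frame
    altered = b"constructed payload: amount=9100"  # same length, one byte changed
    delta = xor_bytes(frame, altered)

    sent_crc = crc32(frame)
    sent_mic = mic(key, frame)

    # The checksum is adjusted using only public values: old CRC and the delta.
    adjusted_crc = crc_after_change(sent_crc, delta)

    return {
        # Receiver recomputes CRC over what it received and compares.
        "crc_accepts_altered": crc32(altered) == adjusted_crc,
        # Receiver recomputes the keyed tag; the old tag no longer matches and
        # a new one cannot be produced without the key.
        "mic_accepts_altered": hmac.compare_digest(mic(key, altered), sent_mic),
        "mic_accepts_original": hmac.compare_digest(mic(key, frame), sent_mic),
    }


if __name__ == "__main__":
    for check, accepted in compare_integrity_checks().items():
        print(f"{check}: {accepted}")
```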
Wi-Fi Protected Access 2 (WPA2)
• Second generation of WPA security
– Based on final IEEE 802.11i standard
– Uses AES for data encryption
– Supports IEEE 802.1x authentication or PSK technology
– Allows both AES and TKIP clients to operate in same WLAN
Summary of Wireless Security Solutions
• Wi-Fi Alliance categorizes WPA and WPA2 by modes that apply to personal use and to larger enterprises
Figure 9-4: Security timeline
Summary of Wireless Security Solutions (continued)
Table 9-3: Wireless security solutions
Table 9-2: Wi-Fi modes
Transitional Security Model
• Transitional wireless implementation
– Should be temporary
• Until migration to stronger wireless security possible
– Should implement basic level of security for a WLAN
• Including authentication and encryption
Authentication: Shared Key Authentication
• First and perhaps most important step
– Uses WEP keys
• Networks that support multiple devices should use all four keys
– Same key should not be designated as default on each device
Authentication: SSID Beaconing
• Turn off SSID beaconing by configuring APs to not include it
– Beaconing the SSID is default mode for all APs
• Good practice to use cryptic SSID
– Should not provide any information to attackers
Authentication: MAC Address Filtering
Figure 9-6: MAC address filter
WEP Encryption
• Although vulnerabilities exist, should be turned on if no other options for encryption are available
– Use longest WEP key available
– May prevent script kiddies or “casual” eavesdroppers from attacking
Table 9-4: Transitional security model
Personal Security Model
• Designed for single users or small office home office (SOHO) settings
– Generally 10 or fewer wireless devices
• Two sections:
– WPA: Older equipment
– WPA2: Newer equipment
WPA Personal Security: PSK Authentication
• Uses passphrase (PSK) that is manually entered to generate the encryption key
– PSK used as a seed for creating encryption keys
• Key must be created and entered in AP and also on any wireless device (“shared”) prior to (“pre”) the devices communicating with AP
WPA Personal Security: TKIP Encryption
• TKIP is a substitute for WEP encryption
– Fits into WEP procedure with minimal change
• Device starts with two keys:
– 128-bit temporal key
– 64-bit MIC
• Three major components to address vulnerabilities:
– MIC
– IV sequence
– TKIP key mixing
• TKIP required in WPA
WPA Personal Security: TKIP Encryption (continued)
Figure 9-7: TKIP/MIC process
WPA2 Personal Security: PSK Authentication
• PSK intended for personal and SOHO users without enterprise authentication server
– Provides strong degree of authentication protection
• PSK keys automatically changed (rekeyed) and authenticated between devices after specified period of time or after set number of packets transmitted (rekey interval)
• Employs consistent method for creating keys
– Uses shared secret entered at AP and devices
• Random sequence of at least 20 characters or 24 hexadecimal digits
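How the passphrase acts as the seed for the keys in both the WPA and WPA2 personal models, as an added example that is not part of the original slides: the passphrase is stretched into a 256-bit master key with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID. The length check implements the "20 characters or 24 hexadecimal digits" guidance above; the function names, SSIDs and passphrases are constructed for illustration.

```python
import hashlib
import string

PMK_BYTES = 32     # 256-bit pairwise master key
ITERATIONS = 4096  # PBKDF2 iteration count used for WPA/WPA2 passphrases


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Stretch a WPA/WPA2 passphrase into the 256-bit master key."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), salt, ITERATIONS, PMK_BYTES
    )


def meets_slide_guidance(secret: str) -> bool:
    """Length rule from the slide: >= 24 hex digits, otherwise >= 20 characters."""
    if secret and all(ch in string.hexdigits for ch in secret):
        return len(secret) >= 24
    return len(secret) >= 20


def audit_shared_secret(secret: str, ssid: str) -> dict:
    """Summarise a candidate shared secret before it is entered at the AP."""
    return {
        "length": len(secret),
        "meets_length_guidance": meets_slide_guidance(secret),
        # Few distinct characters suggests the secret is not a random sequence.
        "distinct_characters": len(set(secret)),
        "pmk_hex": derive_pmk(secret, ssid).hex(),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    ssid = "lab-wlan-7f3a"
    for candidate in ("summer2024", "deadbeefdeadbeefdead", "k7#Qv2mZp!x9LrT4wY8e"):
        report = audit_shared_secret(candidate, ssid)
        print(candidate, report["meets_length_guidance"], report["pmk_hex"][:16])

    # Same passphrase, different SSID: the SSID salt changes the derived key,
    # so a key table precomputed for one network name does not fit another.
    same = "k7#Qv2mZp!x9LrT4wY8e"
    print(derive_pmk(same, "lab-wlan-7f3a") != derive_pmk(same, "lab-wlan-0000"))
```

Because the derivation is deterministic and uses only the passphrase and the SSID, a short or guessable passphrase can be tested offline by anyone who knows the network name, which is why the length and randomness guidance matters.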
WPA2 Personal Security: AES-CCMP Encryption
• WPA2 personal security model encryption accomplished via AES
• AES-CCMP: Encryption protocol in 802.11i
– CCMP based on Counter Mode with CBC-MAC (CCM) of AES encryption algorithm
– CCM provides data privacy
– CBC-MAC provides data integrity and authentication
• AES processes blocks of 128 bits
– Cipher key length can be 128, 192 and 256 bits
– Number of rounds can be 10, 12, and 14
WPA2 Personal Security: AES-CCMP Encryption (continued)
• AES encryption/decryption computationally intensive
– Better to perform in hardware
Table 9-5: Personal security model
Enterprise Security Model
• Most secure level of security that can be achieved today for wireless LANs
– Designed for medium to large-size organizations
– Intended for setting with authentication server
• Like personal security model, divided into sections for WPA and WPA2
• Additional security tools available to increase network protection
WPA Enterprise Security: IEEE 802.1x Authentication
• Uses port-based authentication mechanisms
• Network supporting 802.1x standard should consist of three elements:
– Supplicant: Wireless device which requires secure network access
– Authenticator: Intermediary device accepting requests from supplicant
• Can be an AP or a switch
– Authentication Server: Accepts requests from authenticator, grants or denies access
WPA Enterprise Security: IEEE 802.1x Authentication (continued)
Figure 9-8: 802.1x protocol
WPA Enterprise Security: IEEE 802.1x Authentication (continued)
• Supplicant is software on a client implementing 802.1x framework
• Authentication server stores list of names and credentials of authorized users
– Remote Authentication Dial-In User Service (RADIUS) typically used
• Allows user profiles to be maintained in central database that all remote servers can share
WPA Enterprise Security: IEEE 802.1x Authentication (continued)
• 802.1x based on Extensible Authentication Protocol (EAP)
– Several variations:
• EAP-Transport Layer Security (EAP-TLS)
• Lightweight EAP (LEAP)
• EAP-Tunneled TLS (EAP-TTLS)
• Protected EAP (PEAP)
• Flexible Authentication via Secure Tunneling (FAST)
– Each maps to different types of user logons, credentials, and databases used in authentication
WPA Enterprise Security: TKIP Encryption
• TKIP is a “wrapper” around WEP
– Provides adequate encryption mechanism for WPA enterprise security
– Dovetails into existing WEP mechanism
• Vulnerabilities may be exposed in the future
WPA2 Enterprise Security: IEEE 802.1x Authentication
• Enterprise security model using WPA2 provides most secure level of authentication and encryption available on a WLAN
• IEEE 802.1x is strongest type of wireless authentication currently available
• Wi-Fi Alliance certifies WPA and WPA2 enterprise products using EAP-TLS
– Other EAP types not tested, but should run in a WPA or WPA2 environment
WPA2 Enterprise Security: AES-CCMP Encryption
• AES: Block cipher that uses same key for encryption and decryption
– Bits encrypted in blocks of plaintext
• Calculated independently
– Block size of 128 bits
– Three possible key lengths: 128, 192, and 256 bits
– WPA2/802.11i uses 128-bit key length
– Includes four stages that make up one round
• Each round is iterated 10 times
WPA2 Enterprise Security: AES-CCMP Encryption (continued)
Table 9-6: Enterprise security model
Other Enterprise Security Tools: Virtual Private Network (VPN)
• Virtual private network (VPN): Uses a public, unsecured network as if it were private, secured network
• Two common types:
– Remote-access VPN: User-to-LAN connection used by remote users
– Site-to-site VPN: Multiple sites can connect to other sites over Internet
• VPN transmissions are achieved through communicating with endpoints
Other Enterprise Security Tools: Virtual Private Network (continued)
• Endpoint: End of tunnel between VPN devices
– Can be local software, dedicated hardware device, or even a firewall
• VPNs can be used in WLAN setting
– Tunnel through WLAN for added security
• Enterprise trusted gateway: Extension of VPN
– Pairs of devices create “trusted” VPN connection between themselves
– Can protect unencrypted packets better than a VPN endpoint
Other Enterprise Security Tools: Wireless Gateway
• AP equipped with additional functionality
– Most APs are wireless gateways
• Combine functionality of AP, router, network address translator, firewall, and switch
• On enterprise level, wireless gateway may combine functionality of a VPN and an authentication server
– Can provide increased security for connected APs
Other Enterprise Security Tools: Wireless Intrusion Detection System (WIDS)
• Intrusion-detection system (IDS): Monitors activity on network and what the packets are doing
– May perform specific function when attack detected
– May only report information, and not take action
• Wireless IDS (WIDS): Constantly monitors RF frequency for attacks
– Based on database of attack signatures or on abnormal behavior
– Wireless sensors lie at heart of WIDS
– Hardware-based have limited coverage, software-based have extended coverage
Other Enterprise Security Tools: Captive Portal
• Web page that wireless users are forced to visit before they are granted access to Internet
• Used in one of the following ways:
– Notify users of wireless policies and rules
– Advertise to users specific services or products
– Authenticate users against a RADIUS server
• Often used in public hotspots
Summary
• IEEE 802.11i and Wi-Fi Protected Access (WPA) have become the foundations of today’s wireless security
• Dynamic WEP attempts to solve the weak initialization vector (IV) problem by rotating the keys frequently, making it much more difficult to crack the encrypted packet
• The IEEE 802.11i standard provided a more solid wireless security model, such as the block cipher Advanced Encryption Standard (AES) and IEEE 802.1x port security
Summary (continued)
• WPA is a subset of 802.11i and addresses both encryption and authentication
• The transitional security model uses shared key authentication, turning off SSID beaconing, and implementing MAC address filtering
• The personal security model is designed for single users or small office home office (SOHO) settings of generally 10 or fewer wireless devices and does not include an authentication server
Summary (continued)
• The enterprise security model is intended for settings in which an authentication server is available; if an authentication server is not available the highest level of the personal security model should be used instead
• Additional security tools that can supplement the enterprise security model to provide an even higher degree of security include virtual private networks, wireless gateways, wireless intrusion detection systems (WIDS), and captive portals