Wireless & Physical Security

Permissions Down, Control Up

Attack paths shrink as soon as permissions, segments and management channels are consistently configured.

For Wireless & Physical Security the basis remains the same: less implicit trust and more visibility into anomalous behavior.

This way you limit not only the chance of incidents, but especially the scope and duration when something goes wrong.

Immediate measures (15 minutes)

• Start with MFA, least privilege and tiering for admin accounts.
• Enforce segmentation and explicit firewall rules on critical paths.
• Embed logging, detection and recovery testing as a structural operation.

Why this matters

The core of Wireless & Physical Security is risk reduction in practice. Technical context supports the choice of measures, but implementation and assurance are central.

Wi-Fi Security

Evolution of wireless encryption

The golden rule: WPA3-Enterprise with 802.1X/RADIUS for business networks. WPA3-SAE for guest networks and small offices. Anything below that is a security incident that has not yet been discovered.

802.1X/RADIUS for enterprise Wi-Fi

802.1X replaces a shared password with individual authentication. Each user has their own credentials, certificates, or both. This allows you to revoke individual access without changing the password for everyone.

# hostapd configuration for WPA3-Enterprise
# /etc/hostapd/hostapd.conf

interface=wlan0
driver=nl80211
ssid=CORP-SECURE
hw_mode=a
channel=36

# WPA3-Enterprise (IEEE 802.11i with Suite B)
wpa=2
wpa_key_mgmt=WPA-EAP-SUITE-B-192
rsn_pairwise=GCMP-256
group_cipher=GCMP-256
ieee80211w=2                    # Management Frame Protection required
beacon_prot=1

# RADIUS
ieee8021x=1
auth_server_addr=10.0.30.10
auth_server_port=1812
auth_server_shared_secret=CHANGE_THIS_SECRET
acct_server_addr=10.0.30.10
acct_server_port=1813
acct_server_shared_secret=CHANGE_THIS_SECRET

# Band steering and roaming
bss_transition=1
rrm_neighbor_report=1

Guest network isolation

Guest networks must be completely isolated from the production network. No shared VLAN, no shared DHCP scope, no routing to internal subnets.

# Separate SSID for guests with dedicated VLAN
# /etc/hostapd/hostapd-guest.conf

interface=wlan0
bss=wlan0_guest
ssid=GUEST-WIFI
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=GuestAccess2026

# Isolation
ap_isolate=1                    # Clients cannot see each other
bridge=br-guest                 # Separate bridge interface to VLAN 50

# Firewall: guest network may only reach the internet, not internal
nft add rule inet filter forward iifname "br-guest" oifname "br-corp" drop
nft add rule inet filter forward iifname "br-guest" oifname "eth0" accept

Rogue Access Point Detection

A rogue access point is an unauthorized wireless access point on your network. Two variants:

1. Internally placed -- an employee who plugs a consumer router under their desk "because the Wi-Fi signal is so weak"
2. Evil Twin -- an attacker who sets up an access point with the same SSID as your corporate network to intercept credentials

Wireless Intrusion Prevention System (WIPS)

A dedicated WIPS monitors the radio spectrum and detects unauthorized access points, deauthentication attacks and suspicious probing.

Kismet as periodic scanner

# Run Kismet for rogue AP detection
kismet -c wlan0mon --override datasources=wlan0mon

# Kismet REST API: list all detected APs
curl -s -u admin:changeme \
  http://localhost:2501/devices/views/phydot11_accesspoints/devices.json \
  | jq '.[] | {ssid: .dot11.device.advertised_ssid_map[].dot11.advertisedssid.ssid,
               bssid: .kismet.device.base.macaddr,
               channel: .kismet.device.base.channel}'

Evil Twin detection

You detect Evil Twin attacks by:

• BSSID monitoring: a second AP with the same SSID but a different MAC address
• Signal strength anomalies: a "corporate AP" that is suddenly much stronger than normal
• Certificate validation: WPA2/3-Enterprise with server certificate pinning prevents clients from connecting to an Evil Twin

Network Access Control (NAC)

NAC determines who and what may be on your network. Without NAC, anyone who plugs a network cable into a wall outlet or connects to Wi-Fi can enter the network.

802.1X wired

# Cisco IOS -- 802.1X on switch ports
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius

dot1x system-auth-control

interface GigabitEthernet0/1
 description Workstation port with 802.1X
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication timer reauthenticate 3600
 mab

FreeRADIUS configuration

# /etc/freeradius/3.0/clients.conf
client switch-core {
    ipaddr = 10.0.30.254
    secret = RADIUS_SHARED_SECRET
    nastype = cisco
}

# /etc/freeradius/3.0/sites-enabled/default
# EAP-TLS authentication (certificates)
authorize {
    eap {
        default_eap_type = tls
    }
}

# /etc/freeradius/3.0/mods-enabled/eap
eap {
    default_eap_type = tls
    tls-config tls-common {
        private_key_file = /etc/freeradius/3.0/certs/server.key
        certificate_file = /etc/freeradius/3.0/certs/server.pem
        ca_file = /etc/freeradius/3.0/certs/ca.pem
        check_cert_cn = %{User-Name}
    }
}

Managing MAB (MAC Authentication Bypass) safely

MAB is a fallback for devices that do not support 802.1X: printers, IP phones, IoT sensors. The MAC address is sent as username and password to RADIUS. MAB is not secure -- MAC addresses are trivially spoofable -- but it is better than no control. Devices that authenticate via MAB should be in a restricted VLAN with strict ACLs.

Bluetooth & IoT

Bluetooth and IoT devices represent a growing attack surface that often falls outside the IT department's visibility.

BLE sniffing

# Ubertooth One: Bluetooth Low Energy sniffing
ubertooth-btle -f -c /tmp/ble-capture.pcap

# nRF Sniffer: capture BLE traffic
nrf_sniffer_ble --extcap-interface /dev/ttyACM0 --fifo /tmp/ble.pcap

IoT segmentation best practices

Zigbee and Z-Wave

Zigbee networks often use the default trust center link key (ZigBeeAlliance09). Any sniffer with a CC2531 USB dongle can decode the traffic. Change the link key, use Zigbee 3.0 with Install Codes, and segment the network.

Physical Access Control

The best firewall in the world does not help if someone with a stolen badge can walk into the server room.

Layers of physical security

Preventing tailgating

Tailgating -- following through a secured door behind an authorized person -- is the most effective physical attack. Defenses:

• Mantraps/Airlocks: airlocks where only one person can pass through at a time
• Turnstiles with badge scan: physical one-person-at-a-time enforcement
• Culture: employees must be trained to check badges and challenge visitors
• Cameras with analytics: detection of multiple people going through a door simultaneously

Server room security

• Access logging: who was in the server room when, with audit trail
• Cameras: visible and with storage of at least 90 days
• Climate control: monitor temperature and humidity, alerts on deviations
• Fire detection: gas suppression system (FM-200/Novec) instead of water
• Emergency power: UPS and generator with regular tests

USB & Removable Media

In 2008, a USB stick was found in a parking lot of a U.S. military base in the Middle East. Someone plugged it into a computer. The malware -- later named Agent.btz -- spread through the entire classified network of the Pentagon. It took fourteen months to clean up. The operation was named Buckshot Yankee and led to the establishment of US Cyber Command.

A USB stick in a parking lot. Fourteen months of cleanup.

Managing USB risks

USB blocking via Group Policy (Windows)

# GPO: Block USB storage
# Computer Configuration > Administrative Templates > System > Removable Storage Access

# Via registry (directly applicable):
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" `
    -Name "Deny_All" -Value 1 -Type DWord

# More specific approach: only block USB Mass Storage
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" `
    -Name "Start" -Value 4 -Type DWord    # 4 = disabled

# Whitelist specific USB devices via Device Installation Restrictions
# Computer Configuration > Admin Templates > System > Device Installation > Device Installation Restrictions
# "Allow installation of devices that match any of these device IDs"

USB blocking via udev (Linux)

# /etc/udev/rules.d/99-usb-block.rules
# Block all USB mass storage devices
ACTION=="add", SUBSYSTEMS=="usb", DRIVERS=="usb-storage", \
    RUN+="/bin/sh -c 'echo 0 > /sys$DEVPATH/authorized'"

# Whitelist: allow specific USB device based on vendor:product
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="0781", ATTRS{idProduct}=="5581", \
    RUN+="/bin/sh -c 'echo 1 > /sys$DEVPATH/authorized'"

# Reload udev rules
udevadm control --reload-rules && udevadm trigger

Endpoint Detection

Modern EDR solutions detect USB Rubber Ducky attacks by looking for: - HID devices that generate thousands of keystrokes per second - USB devices that register as both a keyboard and a storage device simultaneously - Unknown USB vendor/product ID combinations

Clean Desk & Dumpster Diving

Clean desk is not a housekeeping measure. It is a security measure. Post-its with passwords on monitors, login credentials on whiteboards, confidential documents in the printer tray -- these are all data leaks that no technical control can prevent.

Clean desk policy

• Lock screens: automatic lockout after 5 minutes of inactivity
• Store documents: confidential papers in lockable cabinets
• Printers: secure printing with badge authentication (pull printing)
• Whiteboards: photograph and erase after meetings
• Waste disposal: cross-cut shredders (P-4 or higher) for paper, degaussing or physical destruction for media

Enforcing screen lock

# GPO: Screensaver with password after 300 seconds (5 minutes)
Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "ScreenSaveTimeOut" -Value "300"
Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "ScreenSaverIsSecure" -Value "1"
Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "ScreenSaveActive" -Value "1"

# Linux: automatic screen lock via GNOME
gsettings set org.gnome.desktop.session idle-delay 300
gsettings set org.gnome.desktop.screensaver lock-enabled true
gsettings set org.gnome.desktop.screensaver lock-delay 0

Dumpster diving

Dumpster diving -- searching through waste for usable information -- is legal in most jurisdictions and stunningly effective. Organizations routinely discard: internal phone directories, organization charts, network diagrams, printouts of emails, hardcopy of password resets, and printed configurations.

Defense: cross-cut shredders on every floor, awareness among employees, and contractual agreements with the cleaning company about waste disposal.

Checklist

The beauty of the TJX case is the timeline. The attack began in July 2005. The company discovered it in December 2006. For eighteen months the sniffers sat on the payment terminals, while every debit card that went through a reader was copied to a server in Eastern Europe. The company had firewalls. It had antivirus software. It had a security policy. What it did not have was a proper wireless network. One WEP network in a parking garage.

Physical security suffers from the same problem as network segmentation: everyone knows it is important, but the budget always goes to something else. To a new SIEM platform. To a next-generation firewall. To an AI-powered threat detection engine that was demonstrated on the trade show floor with an impressive dashboard. Meanwhile the door of the server room is ajar because the lock is broken, and it has been that way since March.

There is a universal law in information security that I call the Law of the Weakest Point: the security of a system is exactly as strong as the weakest link. And that weakest link is almost never technical. It is the USB stick in the parking lot. The employee who holds the door open. The WEP network in the parking garage. The post-it with the password on the monitor. It is the physical world undermining the digital one.

Every euro you spend on a firewall without locking the server room is a euro you might as well have put through the shredder. Although -- if you at least have that shredder, you are already ahead of most organizations.

Summary

Wireless and physical security form the often forgotten foundations beneath every digital defense. WPA3-Enterprise with 802.1X/RADIUS is the standard for business wireless networks; anything below that is an invitation. Guest networks must be completely isolated on a separate VLAN. Rogue access point detection via WIPS or periodic scans with Kismet prevents unauthorized devices from infiltrating your network. Network Access Control via 802.1X on wired ports determines who may be on your network. IoT and Bluetooth devices belong in a segmented network with strict outbound filtering. USB mass storage must be blocked via Group Policy or udev rules. Physical access control -- badge systems, mantraps, server room security -- forms the last line of defense that no software can replace. Clean desk policy, secure printing and cross-cut shredders prevent the lowest-barrier forms of information theft. The lesson from TJX is simple: it does not matter how good your digital security is if someone can walk into your network from the parking garage.