Having talked about some of the technologies surrounding wireless, the next thing that we need to discuss is wireless security.
When we think about security, you've got two main aspects: encryption and authentication.
The very first cryptosystem that was designed for wireless was called WEP, Wired Equivalent Privacy. It's like somebody who is a salesperson came up with that name, because with "Wired Equivalent", what they're trying to sell is that you would get the same security with wireless that you would if it was bound to a network cable.
Obviously, that's not the case. It wasn't the case when it was ratified or implemented, and it's still not the case.
When we're bound to cable, often just the physical security of having to traverse a specific cable adds a degree of security.
Other things that were wrong with WEP: it came out as the best show in town because it was the only show in town, even though we knew that there were weaknesses.
First of all, we had to share authentication passwords, and using the same passwords is never good.
The second issue is that it had a weak initialization vector. We really haven't gone into cryptography yet, but an initialization vector adds randomness to the process.
The more randomness you have with encryption, the better.
If you don't have a strong initialization vector, then you get repetitions. You're more likely to have patterns with a weak initialization vector.
The other issue with WEP is that it used an algorithm called RC4. This particular algorithm is something called a stream cipher. A stream cipher is very, very fast, but it's very insecure and easy to reverse. Basically, we traded off speed for security with RC4, so that's a definite weakness in the realm of protection.
Also, WEP used weak, short keys.
The keys for WEP could operate in one of two modes: low encryption mode, which was 64-bit, or high encryption mode, which was 128-bit. Neither of those is particularly strong by today's standards, but certainly low encryption mode is very, very weak, even for the time.
WEP is just not a good choice today.
Another issue with WEP, not mentioned here, is that it used static keys.
There was no dynamic negotiation of keys. It was the same key for the data that was transmitted. We knew when WEP came out that it wasn't where we wanted it to be. But we also knew we were a long way away from really having the technology to truly secure wireless communication.
So we put a Band-Aid on WEP called WPA, Wi-Fi Protected Access. WPA is an improvement over WEP in a couple of ways. First of all, WPA strengthened the initialization vector by making it longer. WPA also introduced a protocol called TKIP, Temporal Key Integrity Protocol. If you listen to that, temporal key, temporary key: dynamically negotiated keys, so that we don't have to use the same static key over and over again.
The downside was that it still used RC4, and the reason for that is it had to be backwards compatible with WEP, because so many people had invested in all these wireless devices, only to find out that the security was lacking. WPA needed to be backwards compatible because there were so many products on the market using WEP.
What we really were waiting for was WPA2.
WPA2 brought two elements to the scene that really improved the security.
The first was AES, Advanced Encryption Standard. This is a much stronger algorithm than RC4. RC4 was a stream cipher. Cipher is just another word for algorithm, and an algorithm is just another word for the math that encryption uses. It's the magic of encryption, essentially.
RC4: very fast, but easier to break. AES is slower, much stronger.
WPA2 also replaced TKIP with the new, stronger protocol called CCMP.
CCMP has a crazy long meaning for that acronym, something like Counter Mode Cipher Block Chaining Message Authentication Code Protocol. Just remember it as CCMP.
We've got those three modes for encryption, and we have to think about authentication. Remember, authentication is proving my identity. I want to prove who I am, who I say I am.
Well, specifically when you have remote access devices that want to join your local area network, you just want to make sure that they are authenticated and authorized systems joining the network. There's less security with remote access.
If you have to be physically wired into the network, there are physical security mechanisms that would detect or prevent an intruder. When you're allowing people to dial up or connect via VPN or even Wi-Fi, those physical security measures don't interfere with an attacker. So we've got to make sure that we have strong technical controls.
What I want is consistency for my policies.
I want to make sure that we have strong authentication. I want to make sure that we have rules governing the disconnection of those devices.
What I'm going to bring in is a device called a RADIUS server with our supplicants. The supplicants are those remote devices trying to access the LAN. When I say remote, I mean they're not physically connected to the network. You might have Wi-Fi clients, dial-up and VPN.
Normally, they would connect to a network access device like an access point for Wi-Fi, or a remote access server for dial-up, or a VPN server for VPN clients. The supplicants initiate the connection; they are trying to access the LAN.
The authenticators are where they connect. Traditionally, we would have gone to each one of the authenticators, each access point, each RAS, VPN, and configured security policy.
John Smith can log on from 8 AM to 5 PM. Administrators have 24-hour access. This particular MAC can connect to the address, or can connect to the device. Sessions idle more than five minutes, disconnect them. These are all sorts of policies.
It would be very cumbersome to go to each one of the authenticators and configure every one. Instead, we point those authenticators to a central authentication service.
The most common device that serves as a central authentication server is RADIUS. RADIUS actually stands for Remote Authentication Dial-In User Service.
The illustration that I have over on the left, with your supplicants, your authenticators and then the use of a central authentication server like RADIUS, is defined in an IEEE standard, 802.1X.
This definitely comes up on the test, and there are a few things I want you to associate. When you hear 802.1X, think RADIUS. Think EAPOL. That stands for Extensible Authentication Protocol over LAN. Extensible Authentication Protocol is a very commonly used protocol today for authentication, and it's very, very flexible.
You can authenticate a lot of different ways. There are a lot of different flavors of EAP.
Back in Chapter one, we talked about authentication protocols and remote access. You may want to go back and revisit that section for a little bit more on EAP. At any rate, the standard is 802.1X. Think RADIUS, supplicants, authenticators, authenticating service, central authentication for remote access. All of this is right here together.
A word to the wise: we just talked about wireless technology in the 802.11 range. If you don't stop and really take this in: RADIUS is 802.1X. It's not that wireless standard, but if you're not paying attention, you might think that's the wireless technology. But really, it's separate.
This is for EAP over LAN, or EAP over Ethernet. All that means is those authenticators are forwarding the EAP requests across your network to the RADIUS server.
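
The WEP points made earlier in this lecture (a weak initialization vector gives repetitions, and the key is static) can be seen in a short Python sketch; this is an added example, not part of the original transcript. It assumes WEP's 24-bit IV and the 40-bit key of the "64-bit" mode, assumes IVs are picked at random for the repeat estimate, omits the integrity check value, and uses constructed sample key, IV and plaintexts.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (standard KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_style_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key is IV || static shared key, as in WEP (ICV omitted)."""
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))

def packets_until_likely_iv_repeat(iv_bits: int) -> int:
    """Birthday bound: packets for a ~50% chance that a random IV repeats."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(2)))

# Constructed sample values, not taken from the lecture.
SHARED_KEY = bytes.fromhex("0102030405")        # 40-bit static key ("64-bit" mode)
IV = bytes.fromhex("a1b2c3")                    # 24-bit IV, sent in the clear
P1 = b"GET /index.html "
P2 = b"password=hunter2"

def demo():
    c1 = wep_style_encrypt(IV, SHARED_KEY, P1)
    c2 = wep_style_encrypt(IV, SHARED_KEY, P2)  # same IV, same static key
    # Identical keystream cancels out: ciphertext XOR equals plaintext XOR.
    leak = xor(c1, c2)
    # Anyone who knows or guesses P1 reads P2 without ever learning the key.
    recovered = xor(leak, P1)
    # A fresh IV gives an unrelated keystream, so the pattern disappears.
    c3 = wep_style_encrypt(bytes.fromhex("a1b2c4"), SHARED_KEY, P2)
    return leak == xor(P1, P2), recovered, c3 != c2

if __name__ == "__main__":
    print(demo(), packets_until_likely_iv_repeat(24))
```

With a 24-bit IV the repeat estimate comes out at only a few thousand packets, which is why the longer IV and per-session keys of the later protocols matter.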