Wireless Security Part 1

Video Activity

Time
7 hours 50 minutes
Difficulty
Beginner
CEU/CPE
8
Video Transcription
00:00
>> We've talked a little bit about some of
00:00
the technology surrounding wireless networks.
00:00
Now, we'll talk about wireless security.
00:00
We have two main aspects to consider with
00:00
wireless security: encryption and authentication.
00:00
The very first cryptosystem
00:00
that was designed for wireless
00:00
was called WEP, Wired Equivalent Privacy.
00:00
It's almost as if a salesperson came up with
00:00
that name because the name sounds like
00:00
it's trying to sell you on the fact that you would get
00:00
the same level of encryption with
00:00
it as you would have with wired networks.
00:00
Obviously, that's not the case.
00:00
When you have a wired network,
00:00
just that physical cable
00:00
is a measure of security that you
00:00
don't have with the wireless network.
00:00
Other things that were wrong with WEP
00:00
were that you had to share authentication passwords,
00:00
and it had a weak initialization vector.
00:00
Now, we haven't talked about cryptography yet,
00:00
but the initialization vector
00:00
adds randomness to the process.
00:00
The more randomness you
00:00
have with the encryption, the better.
00:00
But if you don't have a strong initialization vector,
00:00
then you get repetitions and patterns.
00:00
Another issue with WEP is
00:00
that it used an algorithm called RC4.
00:00
This particular algorithm is
00:00
something called a stream cipher.
00:00
It's very fast but easy to break.
00:00
We traded off security for speed
00:00
>> by using this algorithm.
00:00
>> Also, WEP used weak short keys.
00:00
You could either operate in one of two modes.
00:00
Low encryption mode or 64-bit,
00:00
or high encryption mode, 128-bit.
00:00
Neither of these, by today's standards, are strong.
00:00
But particularly, low encryption mode was very weak.
00:00
WEP is not a good choice today.
00:00
Another issue with WEP is that it used static keys.
00:00
There was no dynamic negotiation of keys.
00:00
We knew when WEP came out
00:00
that it wasn't where we wanted it to be,
00:00
but we also knew we were a long way from having
00:00
the technology to truly secure wireless communication.
00:00
What we did was put a band-aid on WEP by coming
00:00
up with WPA, Wi-Fi Protected Access.
00:00
It's an improvement over WEP in a couple of ways.
00:00
WPA strengthened the initialization vector
00:00
by making it longer.
00:00
It also introduced a protocol called TKIP,
00:00
Temporal Key Integrity Protocol.
00:00
This is a temporary dynamically negotiated key.
00:00
The downside is that it still used the RC4 algorithm.
00:00
It had to continue using this algorithm
00:00
so that it could be backwards compatible with WEP.
00:00
Then WPA2 brought two elements
00:00
that really improved the security.
00:00
The first was AES, Advanced Encryption Standard.
00:00
This is a much stronger algorithm than RC4.
00:00
I mentioned that RC4 was a stream cipher.
00:00
Well, cipher is just another word for algorithm.
00:00
An algorithm refers to the
00:00
>> math that the encryption uses.
00:00
>> RC4 was very fast but easier to break.
00:00
AES is slower but much stronger.
00:00
Also, WPA2 replaced
00:00
TKIP with a new stronger protocol called CCMP.
00:00
It has a crazy long name for that acronym,
00:00
Counter Mode Cipher Block Chaining
00:00
Message Authentication Code Protocol.
00:00
Just remember CCMP.
00:00
We've got those three modes for encryption.
00:00
Then we have authentication.
00:00
Now, remember, authentication is proving
00:00
your identity or proving you are who you say you are.
00:00
Specifically, when you have
00:00
remote access devices that
00:00
want to join your local area network,
00:00
you want to make sure that they are authenticated
00:00
and authorized systems joining the network.
00:00
There's less security with remote access.
00:00
If you have to be physically wired to the network,
00:00
then there's security measures that would
00:00
prevent or detect an intruder.
00:00
But when you're allowing people to connect
00:00
via VPN or Wi-Fi,
00:00
those physical security measures
00:00
don't interfere with an attacker.
00:00
You have to make sure that you
00:00
have strong technical controls.
00:00
What you want is consistency in your policies,
00:00
strong authentication,
00:00
and strong rules governing
00:00
the connection of these devices.
00:00
What you do is bring in a
00:00
>> device called a RADIUS server.
00:00
>> In this diagram, you can see the supplicants.
00:00
These supplicants are the remote devices
00:00
that are trying to access the LAN.
00:00
When I say remote,
00:00
I mean they're not physically connected to the network.
00:00
You might have Wi-Fi clients,
00:00
dial-up, or VPN.
00:00
Normally, they would connect
00:00
>> to a network access device,
00:00
>> like an access point or AP for Wi-Fi,
00:00
or a remote access server,
00:00
or RAS for dial-up,
00:00
or a VPN server for VPN clients.
00:00
Those supplicants initiate the connection
00:00
to the wireless LAN.
00:00
Traditionally, we would have gone to
00:00
each one of these authenticators,
00:00
each access point, each RAS,
00:00
each VPN, and configured security policies for them.
00:00
These policies would say who or
00:00
what devices can connect and when they are connected.
00:00
It would be really cumbersome to configure
00:00
these policies for each authenticator.
00:00
Instead, we point
00:00
those authenticators to a
00:00
>> central authentication service.
00:00
>> The most common device that does this is a RADIUS.
00:00
RADIUS actually stands for
00:00
Remote Authentication Dial-In User Service.
00:00
The illustration on the left shows the supplicants,
00:00
the authenticators, and the use of
00:00
a RADIUS central authentication service.
00:00
The configuration is defined
00:00
within the IEEE standard called
00:00
802.1x. The standard definitely comes up on the test.
00:00
I want you to make a couple of
00:00
associations to remember it.
00:00
When you hear 802.1x, think RADIUS.
00:00
Also, think EAPoL,
00:00
which stands for Extensible
00:00
Authentication Protocol over LAN.
00:00
EAP protocol is
00:00
a very commonly used protocol for authentication,
00:00
and it's very flexible.
00:00
Also, remember central authentication for
00:00
remote access and associate
00:00
that with the 802.1x standard.
00:00
A word to the wise.
00:00
Wireless technology falls in the 802.11 range.
00:00
But remember that RADIUS is 802.1x.
00:00
It's not in the wireless standard.
00:00
But if you're not paying attention,
00:00
you'll mix them up. Really it's separate.
00:00
This is for EAP over LAN or EAP over Ethernet.
00:00
All that means is, those authenticators are forwarding
00:00
the EAP requests across the
00:00
>> network to the RADIUS server.
00:00
>> Be sure to keep those separate
00:00
and not mix them up on the test.