Wireless Networking: Part 2

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:01
>> In our last section we
00:01
talked about encryption with wireless connections,
00:01
let's talk about authentication now.
00:01
Again, we're just focusing on Wi-Fi communication.
00:01
In this section we're going to talk about
00:01
the authentication standard 802.1x.
00:01
That's an IEEE standard,
00:01
which is the Institute of
00:01
Electrical and Electronics Engineers.
00:01
They've come up with the standard for
00:01
central authentication for Wi-Fi devices.
00:01
Then we'll also wrap up
00:01
this section with a quick discussion of Bluetooth.
00:01
For 802.1x, this is designed for
00:01
central authentication for remote access devices.
00:01
What we have over on the left is we have
00:01
our clients: we have Wi-Fi systems, we have dial-up.
00:01
I know nobody is thinking of
00:01
dial-up computers first and foremost,
00:01
but dial-up still exists
00:01
in areas that don't have high-speed access.
00:01
We can't just laugh off dial-up yet.
00:01
Then another remote access means is through VPNs.
00:01
We have these remote access clients.
00:01
For instance, a Wi-Fi client
00:01
has to connect to an access point.
00:01
A dial-up client has to connect to
00:01
a RAS or remote access server,
00:01
VPN client has to connect to a VPN server.
00:01
What we have is we have all these access points.
00:01
We can have as many as we want.
00:01
We have multiple remote access servers,
00:01
we have multiple VPNs.
00:01
What I would actually have to do
00:01
[NOISE] is I would have to go in and
00:01
configure my rules and
00:01
my authentication information on each access point.
00:01
Then I would have to configure
00:01
that same information on my remote access servers,
00:01
then I would have to configure
00:01
that information on my VPN servers.
00:01
That's in a decentralized environment where each
00:01
one of these devices operates independently.
00:01
Now, that gives me a lot of flexibility
00:01
because I can have different rules on
00:01
my access points and
00:01
different rules on my remote access servers.
00:01
I get a lot of flexibility,
00:01
but that tends to have a lot of
00:01
overhead and it's tougher to administer.
00:01
Instead, I bring in a central authentication server.
00:01
That authentication server is usually a RADIUS server.
00:01
RADIUS is the name of the service and
00:01
the protocol that allows
00:01
me to set up centralized authentication.
00:01
What I do is when I'm setting
00:01
up my access points and RAS and VPNs,
00:01
is instead of configuring the rule set,
00:01
I simply give them the IP address of my RADIUS server.
00:01
When a Wi-Fi client connects to an access point,
00:01
that access point puts
00:01
that virtual port on hold and says, ''Hang on.''
00:01
The access point then forwards
00:01
that request over to the RADIUS server.
00:01
That looks at its rule set and says yes,
00:01
no, or give me more information.
00:01
The access point, if
00:01
the RADIUS server says yes, allow access point,
00:01
then the access point will allow,
00:01
it'll open up that virtual port,
00:01
and allow the client to access the LAN.
00:01
This is the 802.1x standard.
00:01
You have a supplicant,
00:01
your access point and RAS and VPNs are called
00:01
authenticators because that's
00:01
where authentication used to happen,
00:01
but the authenticators now forward
00:01
the request to your central authentication server,
00:01
which is normally RADIUS.
00:01
Now, there was also a TACACS+ server
00:01
that Cisco has.
00:01
TACACS does a lot more than
00:01
just central authentication,
00:01
and Cisco tends to be proprietary.
00:01
I would definitely just focus on RADIUS.
00:01
Then RADIUS was supposed to have
00:01
a successor called Diameter.
00:01
As in diameter is twice the RADIUS.
00:01
Couldn't just call it RADIUS 2,
00:01
we had to call it Diameter.
00:01
Basically there were some issues with
00:01
RADIUS: it used UDP,
00:01
it didn't have an encrypted handshake process.
00:01
There were some problems with
00:01
RADIUS that Diameter was supposed to fix.
00:01
But by the time Diameter came out,
00:01
we already had so many workarounds for RADIUS,
00:01
and we already had support for RADIUS on our networks.
00:01
Diameter really never took
00:01
off because there just wasn't the support.
00:01
When you're looking at 802.1x,
00:01
most likely your server is a RADIUS server.
00:01
Now, I will also mention,
00:01
the Wi-Fi client sends
00:01
their authentication information and
00:01
the access points or the RAS or the VPNs,
00:01
the authenticators, send those access requests,
00:01
that authentication information,
00:01
across the local area network to the RADIUS server.
00:01
They use the protocol EAP.
00:01
What this uses is EAPoL,
00:01
extensible authentication protocol over LAN.
00:01
The IEEE standard specifies EAPoL.
00:01
It doesn't specify or mandate RADIUS,
00:01
it just mandates a central authentication server,
00:01
but it specifies EAPoL.
00:01
Your supplicant connects to
00:01
your authenticator and
00:01
provides authentication information.
00:01
The authenticators put the port on hold,
00:01
send an EAPoL request
00:01
to RADIUS with the authentication information.
00:01
RADIUS comes back, either
00:01
allows or denies the communication.
00:01
The authenticators open up their port or block it
00:01
depending on RADIUS's decision
00:01
and allow the traffic through or deny it.
00:01
That is the 802.1x standard of EAPoL,
00:01
which is usually satisfied with a RADIUS server,
00:01
which stands for Remote Authentication
00:01
Dial-in user services.
00:01
Now, the last idea of our wireless
00:01
section is Bluetooth.
00:01
What's the best way to secure a Bluetooth device?
00:01
Turn it off. Just turn it off.
00:01
These little security features that we can
00:01
configure really don't serve to
00:01
sufficiently protect our Bluetooth devices
00:01
that are running because Bluetooth is
00:01
designed with a focus on ease of use
00:01
and connecting to devices rather than security.
00:01
Bluetooth can enter discovery mode
00:01
where it's looking to pair,
00:01
and a lot of times it has
00:01
automatic pairing which can be dangerous.
00:01
Devices may automatically pair to
00:01
your Bluetooth device not even
00:01
necessarily knowing about it.
00:01
Now, Bluejacking is sending spam to a Bluetooth device.
00:01
Again, you build it, they'll spam it.
00:01
Bluesnarfing is connecting to
00:01
a Bluetooth device and stealing information from it.
00:01
Me stealing your contact list and your phone numbers.
00:01
Then bluebugging,
00:01
we really don't see that as a threat
00:01
today but ultimately what it would
00:01
do is take advantage of
00:01
Bluetooth devices' serial connections,
00:01
and would allow an attacker to
00:01
use a specific command set that
00:01
works with serial connections to
00:01
make a Bluetooth device call a phone number,
00:01
or to allow transfer of information.
00:01
That was much more serious,
00:01
but security measures have
00:01
really remediated the risk of bluebugging.
00:01
This section focused on 802.1x,
00:01
which is EAP over LAN,
00:01
usually with a RADIUS server.
00:01
Then we wrapped up talking about Bluetooth as well,
00:01
just saying, you're best protected from
00:01
Bluetooth threats by turning the thing off.
00:01
That, my friends, wraps up Chapter or Domain 4,
00:01
which is communications and network security.
00:01
This was a long chapter.
00:01
It's got a lot of information,
00:01
so make sure you go back and review this.
00:01
Lot of testable stuff.
00:01
We started off by talking about
00:01
the OSI reference model.
00:01
We talked about the seven layers and how there's
00:01
certain functionality that happens at
00:01
each of the layers on the OSI model.
00:01
We also talked about the TCP/IP model and said
00:01
it really does the same thing.
00:01
It specifies standardization across different layers.
00:01
We talked about mapping the TCP/IP model
00:01
to the OSI model.
00:01
After that, we talked about creating security
00:01
zones with our firewalls to isolate layers of trust,
00:01
trusted, semi-trusted,
00:01
and untrusted are very commonly set up and configured.
00:01
We then looked at remote access protocols,
00:01
like Point-to-Point Protocol,
00:01
and then we talked about tunneling protocols,
00:01
and we talked about wireless networking
00:01
with encryption,
00:01
looking at encryption through WEP,
00:01
WPA, and WPA2,
00:01
and then stronger authentication with
00:01
wireless networks with RADIUS.