CompTIA Network+ N10-008 – Module 14 – Securing a Network Part 5
March 2, 2023

12. 14.11 Wireless Security Options

In this video, we want to consider some wireless security options. The big goal is to protect the information flowing through radio waves from any potential eavesdroppers, and to keep anybody who should not have access to the network from getting on it. Let’s say, for example, that we have an access point in our building. Would you ever consider putting an Ethernet port in your parking lot, where somebody could just drive up to your building and plug into your building’s network? Probably not, but that’s essentially what we’re doing if we have an unsecured access point, because the radio waves from that access point could radiate outside of the building, and somebody might be sitting in the parking lot attempting to get on the corporate network. A couple of quick ways to address a situation like that: we could position the antenna on the access point somewhere else so it does not radiate outside of the building.

Or we could reduce the signal strength so its coverage area is smaller. But if somebody does get access to our wireless signal, we want to make sure that they authenticate themselves before they can get on the network. They need to provide some user credentials to prove they belong on the network. And as we’re sending traffic across the wireless network, we want it to be encrypted, so that if anybody were to intercept it, it would be all scrambled up and they would not be able to read the data. Now let’s talk about some different options for doing authentication, encryption, and filtering of wireless clients. To begin with, let’s go way back in time to the original 802.11 standard. The security mechanism built into that was called WEP, Wired Equivalent Privacy.

The implication is that this is as private as being on a wired connection. That is not true at all. This is very weak encryption; it is trivial to break. The back story is that it uses the RC4 encryption algorithm, which is Ron’s Code 4. RC4 in itself is not bad; it’s the way it’s implemented in WEP. You see, with WEP we have a pre-shared key: my wireless router or my wireless access point is preconfigured with this key, and if I want to get my iPhone or my laptop on the network, I put that same key into my mobile device. If the keys match, we’re going to be able to communicate somewhat securely on the network. What WEP does is take the original data, take that shared secret key, and take a 24-bit initialization vector, or IV, and mathematically combine those, and that’s what gets transmitted.

The weakness in WEP is largely because of the length of that initialization vector: it’s only 24 bits. The good news is that’s been improved upon over the years, and we’ll check that out later in this video. But first, let’s think about that concept of a key. The way I described it, I said we had a pre-shared key. This is also known as personal mode. This is where we have a key that is typed into the access point and typed into our wireless device, and if the keys match, these devices can communicate securely with one another. However, in an enterprise environment, this is not going to scale very well. If we had 1000 employees, we don’t want to hand out the same pre-shared key to all 1000 employees. That key could become compromised.
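To make the IV problem concrete, here is an added example (not from the course) that implements RC4, seeds it the way WEP does (IV || pre-shared key), and then shows how quickly a randomly chosen 24-bit IV repeats compared with a 48-bit one. The PSK and IV values are constructed for the demo.

```python
"""Why WEP's 24-bit IV, rather than RC4 itself, is the weak point (added illustration)."""
import math
import secrets


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key-scheduling (KSA), then n bytes of keystream (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_keystream(psk: bytes, iv: bytes, n: int) -> bytes:
    """WEP per-frame keystream: RC4 seeded with IV || PSK. The 3-byte IV is sent in the clear,
    so any two frames that reuse an IV (with the same PSK) are XOR-ed with the same keystream."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    return rc4_keystream(iv + psk, n)


def frames_until_iv_repeat(iv_bits: int) -> int:
    """Simulate an AP picking IVs at random; return how many frames go out before an IV repeats.
    Practical for 24 bits (a few thousand frames); far too slow for 48 bits, which is the point."""
    seen = set()
    sent = 0
    while True:
        sent += 1
        iv = secrets.randbelow(1 << iv_bits)
        if iv in seen:
            return sent
        seen.add(iv)


def birthday_frames_50pct(iv_bits: int) -> float:
    """Birthday bound: frames after which an IV repeat has roughly a 50% probability."""
    return math.sqrt(2 * (1 << iv_bits) * math.log(2))


if __name__ == "__main__":
    psk = b"constructed-psk"            # constructed demo key, not a real credential
    iv = b"\x01\x02\x03"                # constructed 24-bit IV
    print("same IV, same keystream:", wep_keystream(psk, iv, 8) == wep_keystream(psk, iv, 8))
    print("first repeat of a random 24-bit IV after", frames_until_iv_repeat(24), "frames")
    print("50% collision point: 24-bit IV ~%.0f frames, 48-bit IV ~%.0f frames"
          % (birthday_frames_50pct(24), birthday_frames_50pct(48)))
```

The ratio between the two 50% points is exactly 2^12 = 4096, which is what “orders of magnitude more secure” means for the 48-bit IV in TKIP.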

Somebody might give it out, somebody might leave the company. Do we then have to go back and change the key on every device? No, it’s simply not scalable. So in an enterprise, we want to use enterprise mode. With enterprise mode, we have an authentication server, and the client is going to attempt to authenticate with that authentication server. It’s going to say, hey, I’d really like to join the network; here is my username, here is my password, as an example. Maybe we’ve got a RADIUS server acting as the authentication server, and it’s going to generate a key that’s only good for this session and only good between this client and this access point. So the session key is going to be unique to this session. Now, let’s define some terms. Here we have a supplicant, an authenticator, and an authentication server. This goes back to the IEEE 802.1X standard.

In that standard, a supplicant is a device that wants to get access to the network. That’s what it means to supplicate: to ask for something. Now, the authenticator, I think, is almost misleading in its name, because the authenticator is not doing the authentication. The authenticator is simply passing the credentials on to the authentication server. And since this can work in either a wired network or a wireless network, sometimes the authenticator is a layer 2 switch that’s configured for 802.1X, or sometimes, as we see here, the authenticator is an access point for wireless clients. There are several different methods that can be used to hand out those keys and to authenticate the client. Those different methods are called EAPs, Extensible Authentication Protocols, and we’re going to take a look at a few EAP examples in an upcoming video.

For now, just realize that there are various ways that the RADIUS server, our authentication server, can authenticate the supplicant and give it keys for the duration of the session. So, to review, we said that we were not a fan of WEP because it was very weak. Well, after WEP came TKIP, Temporal Key Integrity Protocol. This is vastly superior to WEP, and you might be surprised to learn that it also uses RC4, but it does it much better. It uses a 48-bit initialization vector, and that doesn’t make it just twice as good as WEP’s 24-bit initialization vector; it’s orders of magnitude more secure. But better than RC4 is AES, the Advanced Encryption Standard. This is vastly superior to most of the other encryption standards out there today, and that’s what we typically use on today’s wireless networks. When you’re setting up a wireless router or a wireless access point, you’re probably not going to be choosing WEP, if that’s even an option for you.

After WEP, there was the option for WPA, Wi-Fi Protected Access. This used TKIP to do the encryption, so it was much better than the WEP version of RC4; it had that stronger initialization vector. One of the cool things about the way WPA used TKIP is that if we had older hardware that didn’t really have the processing power to handle the Advanced Encryption Standard, it could get enhanced encryption with TKIP using existing hardware. So it was sort of an interim step as we were moving away from weak encryption with WEP on lower-powered hardware, because that older hardware could still run the RC4 algorithm; it was just doing it with more bits. After WPA came WPA2, Wi-Fi Protected Access 2, and as of 2006, in order to be certified by the Wi-Fi Alliance, a device had to support WPA2. If a device supports WPA2, there is a requirement that it support AES. We’ve already said that AES is going to require more processing power than TKIP, so WPA2 can be more processor intensive than WPA. Do we have to upgrade everybody right away, though? Not necessarily. Just because WPA2 is required to support AES, that doesn’t mean we always have to use it. You can configure many WPA2 access points out there to turn off AES and run TKIP, or you can enable both, so your older clients can use TKIP and your newer clients can use AES. But the best practice today is for everybody to use AES. For a decade, this was the go-to wireless security protocol. It was very resistant to attacks until 2016, when a vulnerability called KRACK was discovered.

So what replaced WPA2? You guessed it: WPA3. It still uses AES, specifically 128-bit AES for personal mode, in other words pre-shared key mode. But if you’re using it in enterprise mode, you can have an enhanced version, 192-bit AES. A security vulnerability that has been around for years with wireless devices is that an attacker might send management frames to the wireless device to try to disassociate a client from an access point, essentially knocking a client off of the access point.

Then, when the client tries to reattach, the attacker may have a duplicate of that access point set up, and they want the victim, as it tries to reattach, to connect to their access point instead. But with WPA3, we now have protected management frames, which prevent that type of thing from happening. There’s also a protection mechanism against brute-force password attacks, and it’s called Simultaneous Authentication of Equals, or SAE. Now again, I don’t think the name really describes what it’s doing, because the specific protection it gives us is preventing somebody from doing a brute-force attack offline. They actually have to be communicating on the network to try a password and see if it works.

So if somebody wanted to bombard an access point with hundreds of thousands of potential passwords, we’re going to be protected somewhat with WPA3. And have you ever been in a public place like a coffee shop or an airport and been on a public Wi-Fi, or in a hotel where you’ve used a pre-shared key that everybody uses? Well, there’s even protection for traffic on public networks with WPA3. And if you’ve set up wireless routers for your home or your friends’ homes, you may have noticed that on those wireless routers there was often a button labeled WPS, which stood for Wi-Fi Protected Setup. That was a way to more easily allow a client to join a network without having to dig into the configuration screen of that client. But there was a vulnerability there. Well, that’s been replaced with DPP, Device Provisioning Protocol.

So those are a few ways that we could encrypt our data as it travels through the airwaves. But if somebody connects to the network and is authenticated, let’s talk about how we can limit what areas of the network they can reach. You might have seen a guest network in different organizations. They’ve got their private network, where you have to know a password or provide your credentials, but they have a guest network for people visiting. Typically, what this guest network does is give a client on that guest network access to the Internet but not to the company’s private network. And interestingly, the guest network typically allows one wireless client on that guest network to talk to another wireless client on that guest network.

So that may be a bit of a security concern. We can address that concern, though, with wireless client isolation. Here, we can take a wireless client and not only isolate it from the private network, we can isolate it from the other wireless devices in the guest network, so it can only get out to the Internet, in addition to something like a DHCP server on the local network and the default gateway. And one way that network administrators attempt to block unauthorized clients from joining the network is to check the client’s MAC address. This is called MAC filtering. Let’s say this wireless client wants to associate with this access point. Well, it sends in the request, but before the access point will allow it, it says, hold on, I need to see your MAC address. And that wireless client’s MAC address had better be on a whitelist of approved MAC addresses, or not on a blacklist of denied MAC addresses, depending on which approach we’re using.

But MAC filtering is not considered to be a very strong protection, for one reason: it is trivial for somebody to alter the MAC address that their computer is advertising. Unfortunately, a lot of network administrators out there have a false sense of security that they’re really protecting their network with MAC filtering, when it is easily defeated. Something else we can do to limit who gets access to which portions of the network is called geofencing. This could be for security, based on the GPS inside of your device. You may have to be close to your company’s data center in order to access specific resources; if you’re not close to that data center, you’re not able to access those resources. So it can be used for security.

But this is something we often see in shopping areas as well. Let’s say that we’ve got a shopping mall, and the management at the shopping mall wants different ads to appear based on where you are in the mall. These different stores could each have their own wireless signal going out in front of their store, and when you walk by, it’s going to be able to serve you up advertisements, possibly through a captive portal that we’ll talk about in just a moment, maybe a discount for their store. So geofencing can be used for something like this in a shopping mall, where we get appropriate content based on our location, but it can also be used for security, where we have to physically be in a location to access a resource. And I mentioned a captive portal. We typically see this in a hotel. We check into a hotel and we’re told that we get free Wi-Fi with our room.

But when you first attach to the network, you might be presented with a screen that looks something like this. Maybe you have to enter a username or your membership number if you’re affiliated with that hotel chain. Maybe you need to put in credentials like a PIN or a password and your room number; I’ve often seen it where you put in your last name and the room number. This is called a captive portal. Before somebody just gets on your guest network and goes out to the Internet and does who knows what, this captive portal might require them to enter some information, and it might require them to agree to terms of use, so they’re agreeing not to do bad things on the network. And that’s a look at a few different ways that we can better protect our wireless networks.

13. 14.12 Extensible Authentication Protocols (EAPs)

In this video we want to talk about a few different EAP methods, where EAP stands for Extensible Authentication Protocol. Let’s say that this client, called a supplicant, wants to get access to a wireless network. What it’s going to do is send that request over to the authenticator, which is a wireless access point in this case, and the authenticator is going to forward that request over to a RADIUS server. That’s what we’re calling the authentication server. If that RADIUS server authenticates the client and is satisfied that the client has provided appropriate credentials, it’s going to hand out a session key that’s going to be used in an encryption algorithm just for the duration of this session.

And just for this client. This is going to scale a lot better than having everybody type in a pre-shared key, which will not work very well for large organizations. What we’re seeing here with the supplicant, the authenticator, and the authentication server is based on the 802.1X security standard, which says how we can authenticate clients gaining access to the network. Now, in this example I’m showing you wireless access. However, we could also use EAP types when we’re getting wired access. We could have a client plugged into a layer 2 Ethernet switch, and that layer 2 Ethernet switch could be the authenticator. I think that word authenticator is a little bit misleading, because the Ethernet switch, or in this case the access point, is not really doing authentication.

It’s sort of the intermediary between the supplicant and the server that’s going to do the authentication. But the way the authentication server has a conversation with the client and validates its credentials is defined in an EAP type, and we want to take a look at a few of those EAP types in this video to give you a better sense of what’s going on. One of the original EAP types was EAP Transport Layer Security, or EAP-TLS. Again, this was one of the first EAP types that was proposed, along with the 802.1X standard.

Here a user can authenticate with a RADIUS server. However, when that happens, it’s going to be using a digital certificate, which implies a trusted third party that can sign that digital certificate. So this is a little bit more challenging to set up than some other options, because it does require a CA, a certificate authority. However, once that authentication is made, the client may have access not just to the network but to all the resources on the network they should have access to, like different shared folders or their email, because they can do a single sign-on using EAP-TLS and authenticate using credentials that are in a Microsoft Active Directory database. Another type of EAP I want you to know about is EAP-FAST, where FAST stands for Flexible Authentication via Secure Tunneling. Here the client is going to have what’s called a PAC, a Protected Access Credential, and that’s what it uses to request access to the network. This request can happen in two or three phases. If the client does not already have a PAC, the optional phase 0 is where it can create one dynamically. But once a preconfigured PAC or a dynamically created PAC is ready to go, then in phase 1 that PAC is going to be used with a AAA server, like a RADIUS server, to set up a secure tunnel, a Transport Layer Security (TLS) tunnel. And once we have that secure communications path, in phase 2 the client is able to send the user information for authentication over that tunnel. Let’s take a look at one more.

This is called PEAP, Protected Extensible Authentication Protocol. This was a joint effort between Microsoft, Cisco, and RSA, and the goal is to protect that authentication conversation over a TLS connection. There are two types of PEAP that I would want you to know about. The first one is PEAP version 0, also known as EAP-MS-CHAP, where MS-CHAP stands for Microsoft Challenge Handshake Authentication Protocol. This is a way for the user to have their credentials stored in Microsoft Active Directory. The other version is PEAP version 1, also known as EAP Generic Token Card, and this gets us away from necessarily being in a Microsoft environment.

It allows us to use an open standard for a directory server. It allows us to use LDAP, which is Lightweight Directory Access Protocol, or OTP, one-time password. We can use those for authentication, getting away from a Microsoft-only environment. And while this video is not a comprehensive treatment of all the different EAP types out there (there are many more), hopefully by taking a look at this sampling we can see that the end goal is the same. We want to have that session key generated and handed out to the supplicant and the authenticator so they can talk securely between themselves. Sometimes the EAP type might require an external CA if we’re using a digital certificate. Sometimes we might set up a TLS tunnel so we can have secure communication over that tunnel as a user is sending their credentials.
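The supplicant / authenticator / authentication server roles described here and in the enterprise-mode discussion of 14.11, as an added toy model that is not part of the course and not a real EAP or RADIUS implementation: the access point only relays a challenge and response and keeps its controlled port closed until the server accepts, and the server and supplicant each derive a per-session key bound to this client, this access point, and a fresh challenge. The user database, the verifier function, and the HMAC-based key layout are constructed assumptions for the demo.

```python
"""Toy 802.1X role model: supplicant, authenticator (relay only), authentication server."""
import hashlib
import hmac
import secrets


def verifier(password: str) -> bytes:
    """Password-derived secret known to the user and the auth server (constructed; not a real scheme)."""
    return hashlib.sha256(b"constructed-salt|" + password.encode()).digest()


# Constructed credential store, held only by the authentication server (the RADIUS role)
USER_DB = {"alice": verifier("correct horse battery")}


class AuthServer:
    """RADIUS role: issues a challenge, checks the response, derives the session key."""
    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def check(self, user: str, client_mac: bytes, ap_mac: bytes, chal: bytes, response: bytes):
        v = USER_DB.get(user)
        if v is None:
            return None
        expected = hmac.new(v, b"resp|" + chal + client_mac + ap_mac, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None                       # Access-Reject
        # Session key bound to this client, this AP and this challenge: unique per session
        return hmac.new(v, b"key|" + chal + client_mac + ap_mac, hashlib.sha256).digest()


class Supplicant:
    """Client role: answers the challenge and derives the same session key on its side."""
    def __init__(self, user: str, password: str, mac: bytes):
        self.user, self.v, self.mac = user, verifier(password), mac
        self.session_key = None

    def respond(self, chal: bytes, ap_mac: bytes) -> bytes:
        return hmac.new(self.v, b"resp|" + chal + self.mac + ap_mac, hashlib.sha256).digest()

    def derive_key(self, chal: bytes, ap_mac: bytes) -> None:
        self.session_key = hmac.new(self.v, b"key|" + chal + self.mac + ap_mac, hashlib.sha256).digest()


class Authenticator:
    """AP role: relays messages and opens the controlled port only on Access-Accept."""
    def __init__(self, mac: bytes, server: AuthServer):
        self.mac, self.server = mac, server
        self.port_open = {}                   # client MAC -> installed session key

    def associate(self, supp: Supplicant) -> bool:
        chal = self.server.challenge()        # relayed to the supplicant unchanged
        resp = supp.respond(chal, self.mac)   # the AP never sees the password or verifier
        key = self.server.check(supp.user, supp.mac, self.mac, chal, resp)
        if key is None:
            self.port_open.pop(supp.mac, None)
            return False
        supp.derive_key(chal, self.mac)
        self.port_open[supp.mac] = key        # Access-Accept delivers the key to the AP
        return True
```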
