CompTIA Security+ SY0-601 – 3.4 Install and configure wireless security settings

1. Wireless Security

In this video, I’m going to be talking about wireless security, and a whole lot of it. Now, wireless security is basic, simple configurations on your wireless devices. So we’re going to be taking a look at my SonicWall to configure its wireless security. I’m going to show you guys how to configure it using both the home-based method, which is going to be more of a pre-shared key, and then we’ll take a look at how to do it more of an enterprise way, and a bunch of terms you’re going to need to know for your exam. So let’s go ahead and get started. Let’s get into this device so we know what we’re doing. Okay, so here are the cryptographic protocols we’re going to be taking a look at. But I need to get into this device here. You know what? I don’t need any of these things. Let me get into this device here.

Okay, so I’ve logged into this device here and I’m going to go to Wireless, and we’re going to go to Wireless Security. And in here now, this is where we’re going to spend all the time. So a couple of things you notice: your objective doesn’t even have, as part of the cryptographic protocols, WPA or WEP. But you notice that, as new as this device is, it still has WEP, but it doesn’t have WPA. I found that to be pretty strange. It could have WEP, but it doesn’t have WPA. But WEP is still there, and WEP is actually used on really old legacy devices. And you saw how easy it was to crack WEP when we did it. Okay, so let’s get started. Let’s talk about the cryptographic protocols. Now, you notice that this particular device only supports WPA2.

Now, there is a WPA3, and a lot of you may not have heard of that yet, but then again, it depends how long this video stays in production. WPA3 is not that popular, not yet anyhow. WPA2 is what most of us, 99.9% of us, are using right now. WPA2 is based on AES encryption, and it uses something called Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, a lot of words. And what that means is they just abbreviate that as CCMP, and this uses AES encryption and it doesn’t allow pre-shared keys. So this is basically the default we’re using. Now, the WiFi Alliance did release a new version of it called WPA3. Now, it’s not vastly different than the original WPA2, but it still uses AES encryption with the data.

But then it replaced the CCMP with something called Simultaneous Authentication of Equals. All you need to know about that is that it’s just more secure than the CCMP. The CCMP, the pre-shared key, was an issue. So now they have made that more secure. Now, the problem with WPA3, and why you’re probably not seeing it as widely used, is because it has some vulnerabilities. Now, I’m not going to go down this rabbit hole, but it’s the KRACK attack and Dragonblood, or vulnerabilities I should say; these are vulnerabilities against WPA3. So that’s why you probably haven’t seen it yet. So when you’re securing your wireless router, like I have here in my SonicWall, you want to make sure that you always stay with WPA2 for now. Now, I do have a couple of options. Let’s take a look at how to secure this so we can do WPA2 with a pre-shared key.

Now, this is the default option that most of us will use. At home, you’ll just put in the pre-shared key, and then you can come up with a key here, and I’m just going to put the word “password” and that’ll be it. Now you notice that the encryption is AES. Notice this is going to be the CCMP. You do have that option of TKIP, but TKIP is mostly used in WPA1. I’m sorry. Yes, that’s right, WPA1. So I’m just going to leave this here. This is fine. Now, this would be the pre-shared key. Now, the next thing I want to talk about is going to be how we authenticate. So that pre-shared key is one way of doing the authentication, right? So you can authenticate. When people want to join, they click on it. So right now my wireless network is called SonicWall. Notice I’ve changed that.

So when people click on my SonicWall, they’re going to have to put in the password here. I’m going to put that in there as “password”. So they would have to put in, when they click on it, they’re going to have to put in the word “password”. So this is a pre-shared key. Now, the problem with a pre-shared key is that a pre-shared key means that it’s one key for all the users. So you can’t individualize who is accessing the network, right? Because think about this. When we authenticate to our computers, we’re individualized by user account, but when you authenticate into your wireless network, now everybody is basically using the same password. Now, at home it’s fine. At a small business where everybody knows each other, it’s probably just fine. But in a big network you don’t want that; in a big network, you want to individualize the authentication.

And for this you’re going to want to use something else. And this is going to bring me to the enterprise configuration. In particular, we’re going to use WPA2 EAP. Now, EAP stands for Extensible Authentication Protocol. And you notice that by going here, I now have to install a RADIUS server. You see this as RADIUS Server IP Address, and I’ve got to put in the RADIUS server IP address and I’ve got to put in the secret. So I have a Windows Server here. And I’m going to show you what a RADIUS server looks like. So Windows Server does have the ability to become a RADIUS server. So I’m going to go in here. So in my Windows Server, this is my Server Manager. I’m going to go in here and we’re going to go to Manage, and say Add Roles and Features.

We’re going to click on Next, add a role, and we’re going to basically set up a RADIUS server here. So we’re going to click here. We are going to go down here to Network Policy and Access Services. Okay? So this here is what’s going to give me that RADIUS server that I want. And I’m going to click on Next, Next. Now, this here is basically, see, Network Policy. That’s a RADIUS server. We can use this. Now, you can use RADIUS servers not just for wireless, but you can also use them to do VPN authentication, right? So you don’t have to just use a RADIUS server for wireless. Now, what the RADIUS server is going to do is that it’s going to allow us to do individualized authentication.

Because what the RADIUS server does is that when you select to do RADIUS, or when you do EAP authentication, Extensible Authentication Protocol basically allows you to use a RADIUS server. It follows the standards of, now this here is done installing, it follows the standards of IEEE 802.1X. This here utilizes the RADIUS server, called RD here for now. Now, the other thing I want to mention before I get into all of these particulars here is you could use RADIUS, which stands for Remote Access Dial-In User Service. Imagine how old this term is. That’s the dial-in there. Federation: this would allow me to create trust between different organizations.

If you don’t remember what federation means, that’s from earlier in the class. Okay, so let’s go. So Extensible Authentication Protocol allows you to individualize the authentication, passing the data to a RADIUS server. And you can see that when I selected it, the moment I selected EAP, it says, hey man, you’ve got to put RADIUS information in here. So just to give you a quick heads up so you see what it looks like, right? So you want to just see, hey, what exactly is the RADIUS server? Well, this is a RADIUS server here. So it’s installed. We’ll go to Tools now, and on this giant list we’re going to find Network Policy Server. There we go. Okay, so you notice you have standard configurations you have here: RADIUS server for dial-up or VPN connections, we can do. RADIUS server for 802.1X communication.

We’re going to say Configure 802.1X, and when you click on this, basically you can go and you can set this up. So we could say we want to set up our RADIUS server for wireless communications, secure wireless. We’ll click on Next. So RADIUS clients are the things that are going to be connected. This is going to be switches and access points. So we’ve got to add in the name of the access point. So we’re going to say the friendly name: let’s say SonicAP. You know what, that sounds like a big ERP system. We’ll give it the IP address of the SonicWall. It wants me to have it in a template. We’ll just put the secret as “password”. You guys are probably thinking right now, my password is “password”. So we have a RADIUS client in there. We’re going to click on Next.

Now, what type of method? Now, this is really where I wanted to talk to you, because when you’re using EAP authentication, you have the ability to do smart cards. You have the ability to do certificate authentication. You notice how we can say, hey, Microsoft Smart Card certificate, that’s great with me. We can configure this and the type of certificates that we have, but that’s fine. So the server here has a certificate. We’re going to click on Next. And the good thing is that now we can use groups, Active Directory groups, in there. So we’re going to see Advanced here. I’m going to find all the groups that I have on our system. So we’re going to say all the domain users. That means that anyone that has valid Active Directory credentials can log in to our network.

So I’m going to say OK; hopefully this works here. I know I had some DNS issues on here, but I’m just going to click on Next. Basically, I’ve got to fix some DNS issues on this machine here. I changed the DNS server a while back. So you put in the right group. We don’t need any type of traffic control. We’re just going to click on Finish. That’s it. It’s configured. So if I go in here and I go to Connection, here’s my wireless connection policy that I just set up. And basically what this is going to do to the authentication we’re using is that they’re going to be authenticated against this, the authentication method. We could go in and select other methods. MS-CHAP and all this stuff is there, but we set it up so we can have those certificates.

So what I’m going to do is I’m going to go back here. Oh boy, SonicWall logged me out because I haven’t used it. Okay, so if I was setting this up, let’s go to Wireless. Okay, here we are. I’m already there. So we’re going to say WPA2 EAP. So we’re going to put in that server’s IP address. I think that’s one that, let’s just say 85, I forgot the server’s IP. But you would just put in the server IP address of the RADIUS server, and that password was “password”, and you would just accept that. So here’s what we just did and here’s what it would mean. So when people join this wireless network, all right? They’re going to have to input, they’re going to have to put in an Active Directory username and password.
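The round trip the SonicWall (the RADIUS client) and the NPS server were just set up for, as an added worked example that is not part of the video, SonicWall, or Microsoft’s code: a minimal RADIUS Access-Request / Access-Accept exchange in Python following RFC 2865. The user name, password, shared secret and the in-memory user table are constructed for the example. A real access point sends this over UDP port 1812, and with PEAP the user’s password rides inside a TLS tunnel rather than in a User-Password attribute, but the role of the shared secret is the same: it hides the password on the way out and signs the reply on the way back, so a mismatched secret (the “password” typed on only one side) produces a reject and a reply the client cannot verify.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}

# Constructed user store standing in for the Active Directory group NPS checks against
USERS = {"alice": "CorrectHorseBatteryStaple"}


def _attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return bytes([atype, len(value) + 2]) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def _header(code, ident, attrs):
    """Code, Identifier, Length (header 20 bytes + attributes)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs))


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; garbage comes out if the secret does not match."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00").decode("utf-8", "replace")


def build_access_request(username, password, secret, ident=1):
    """What the access point sends: random Request Authenticator, name, hidden password."""
    request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return _header(ACCESS_REQUEST, ident, attrs) + request_auth + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(_header(code, ident, attrs) + request_auth + attrs + secret).digest()


def radius_server(packet, secret, users=USERS):
    """Server side: recover the password with the shared secret, answer Accept or Reject."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    username = attrs[ATTR_USER_NAME].decode("utf-8", "replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    reply_attrs = b""
    auth = response_authenticator(code, ident, request_auth, reply_attrs, secret)
    return _header(code, ident, reply_attrs) + auth + reply_attrs


def verify_response(request, response, secret):
    """Client side: the reply only counts if its authenticator matches our copy of the secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return ident == request[1] and hmac.compare_digest(expected, response[4:20])


def run_exchange(username, password, client_secret, server_secret):
    """Simulate the AP <-> NPS round trip; returns (reply code name, client verified the reply)."""
    request = build_access_request(username, password, client_secret)
    response = radius_server(request, server_secret)
    return CODE_NAMES[response[0]], verify_response(request, response, client_secret)


if __name__ == "__main__":
    print(run_exchange("alice", "CorrectHorseBatteryStaple", b"s3cret", b"s3cret"))
    print(run_exchange("alice", "wrong-password", b"s3cret", b"s3cret"))
    print(run_exchange("alice", "CorrectHorseBatteryStaple", b"password", b"s3cret"))
```

The third call is the case the video warns about in passing: the AP and the server disagree on the secret, so the server decrypts nonsense and rejects, and the client cannot authenticate the reply either. MD5 here is what the RFC specifies, not a modern choice, which is one reason EAP tunnels the real credential exchange inside TLS.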

They basically have to have an Active Directory user account. Because where I selected that group, we now have the ability to use certificates. So basically the certificate is going to help, not to encrypt the data. So this brings me to this part right here. You see this part right here? Protected EAP requires the use of certificates to do your authentication. Let me make something straight. This is just to authenticate to the wireless, not for afterwards. Once you’re authenticated and you pass your username, and the RADIUS server is saying, okay, he’s going to let him in, its job is done. After that, WPA2 with the AES CCMP encryption kicks in, and you use that for the rest of the network. This is just to authenticate. So we’re talking about how we authenticate. So Protected EAP requires the use of certificates. Now.

There is one called EAP-FAST, Flexible Authentication via Tunneling. Then you have TLS, Transport Layer Security, and TTLS, with that extra T there. So this would be TTLS. A couple of quick things to know about TTLS and TLS: TLS requires you to have certificates on both the server and the client. The other one is that you can now have just the server having certificates. You don’t need the client to have a certificate. So TTLS, Tunneled TLS, is what that actually means. Now, these are basically some different forms of authentication when it comes to your wireless. Now, in corporate America, guys, corporations, not just in America but around the world, will use EAP authentication. They will not use pre-shared key, or at least I hope your company is not using pre-shared key.

Okay, so we just talked about this. So the methods of authentication, I just scrolled down there in case you missed that. Let me just show you. So pre-shared key, we just talked about this; enterprise will use EAP with that RADIUS server. Never have open wireless, even if it’s a guest network. Do not have open wireless; then anybody can get on your guest network. You put a sign on a wall, it says it’s a guest network. The other thing that you have is going to be WiFi Protected Setup. This is not something to use. They don’t even make these on devices anymore. WiFi Protected Setup, come on. I remember some Linksys routers with these: you push a button, you would enter a code and it would configure it for you. The problem is these codes were very small and you could brute force these codes and hack the device. WPS is not secure and you should never use it.

Now, captive portals, I do like the idea of. Some of these devices, this one does not, but some devices do support captive portals. And what it is, is that it basically allows you to have a situation where when people connect to the network, they’re given a policy and they say, okay, will you abide by the policy? You ever been to a coffee shop, or been to a hotel, where you click on it and you have to input a room number or you’ve got to agree to, okay, I’m not going to use this to hack networks or whatnot, some policy you’ve got to read. Every time I get on the Amtrak to travel somewhere, from New York to DC, every time I join the Amtrak network, which I try never to do, they have a big captive portal that says welcome to the Amtrak WiFi.

Do not use this bandwidth for bad reasons, be nice to your passengers, blah, blah, blah. So captive portals, I think, are good to help to tell people the policy, but they could be bad because sometimes people spoof them; we’ll be talking about that in wireless attacks, a lot of stuff. Guys, the time length on this video is 16 minutes. All right, so we’ve been talking a lot about wireless. Now, remember, a couple of the wireless things I didn’t go over are basic wireless things, things like changing the name of your SSID. Your books would say don’t broadcast the SSID, do MAC address filtering, and all the things that you can do. But you should have learned those in the previous A+ or your Network+ or something. Okay, so this is wireless security. Let’s keep going.
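The settings this video walks through (WEP versus WPA2, CCMP versus TKIP, pre-shared key versus EAP with RADIUS, WPS, open guest networks, and the “password” secrets typed into both boxes) are exactly what a configuration review checks. As an added example that is not from the video or from SonicWall, here is a small Python audit that turns those rules into findings over a WLAN profile; the profile fields, severity labels, the 60-bit entropy threshold, and the tiny common-password list are all assumptions constructed for the example.

```python
import math
from dataclasses import dataclass

# Constructed stand-in for a real wordlist; any attacker's list contains these
COMMON_PASSWORDS = {"password", "12345678", "qwertyui", "admin123"}


@dataclass
class WlanProfile:
    ssid: str
    security: str               # "open", "wep", "wpa", "wpa2", "wpa3"
    auth: str = "psk"           # "psk" (home) or "eap" (enterprise, backed by RADIUS)
    cipher: str = "ccmp"        # "ccmp", "tkip", "wep"
    psk: str = ""               # only meaningful when auth == "psk"
    eap_method: str = ""        # "eap-tls", "eap-ttls", "peap", "eap-fast"
    radius_servers: tuple = ()  # RADIUS server addresses the AP forwards EAP to
    radius_secret: str = ""     # shared secret between AP and RADIUS server
    wps_enabled: bool = False


def estimate_entropy_bits(secret):
    """Rough strength estimate: length times log2 of the character classes present."""
    if not secret:
        return 0.0
    pool = 0
    if any(c.islower() for c in secret):
        pool += 26
    if any(c.isupper() for c in secret):
        pool += 26
    if any(c.isdigit() for c in secret):
        pool += 10
    if any(not c.isalnum() for c in secret):
        pool += 33
    return len(secret) * math.log2(pool)


def check_shared_secret(label, secret):
    """Both the PSK and the RADIUS secret are shared secrets; judge them the same way."""
    if secret.lower() in COMMON_PASSWORDS:
        return [("high", f"{label} is a dictionary word; it falls to any wordlist")]
    if estimate_entropy_bits(secret) < 60:
        return [("medium", f"{label} has under 60 bits of estimated entropy; lengthen it")]
    return []


def audit(profile, enterprise=False):
    """Return (severity, message) findings for one WLAN profile."""
    f = []
    sec, cipher = profile.security.lower(), profile.cipher.lower()
    if sec == "open":
        f.append(("critical", "open network: no encryption and no authentication, even for guests"))
    elif sec == "wep":
        f.append(("critical", "WEP is broken; replace it with WPA2 (AES-CCMP) or WPA3"))
    elif sec == "wpa":
        f.append(("high", "WPA (TKIP) is deprecated; move to WPA2 with AES-CCMP or WPA3"))
    if sec in ("wpa2", "wpa3") and cipher == "tkip":
        f.append(("high", "TKIP cipher selected on WPA2/WPA3; set AES-CCMP"))
    if profile.wps_enabled:
        f.append(("high", "WPS enabled: its short PIN is brute-forceable; disable it"))
    if sec in ("wpa2", "wpa3"):
        if profile.auth == "psk":
            if enterprise:
                f.append(("medium", "pre-shared key on an enterprise WLAN: one password for everyone, "
                                    "no per-user accountability; use EAP with a RADIUS server"))
            f += check_shared_secret("Pre-shared key", profile.psk)
        elif profile.auth == "eap":
            if not profile.radius_servers:
                f.append(("high", "EAP selected but no RADIUS server configured; nobody can authenticate"))
            f += check_shared_secret("RADIUS shared secret", profile.radius_secret)
            if profile.eap_method not in ("eap-tls", "eap-ttls", "peap", "eap-fast"):
                f.append(("medium", f"unrecognised EAP method {profile.eap_method!r}; pick a certificate-based one"))
    return f


def worst_severity(findings):
    order = ["ok", "medium", "high", "critical"]
    return max((s for s, _ in findings), key=order.index, default="ok")


if __name__ == "__main__":
    # Constructed profiles: the video's home setup, a proper enterprise setup, and a legacy AP
    for prof, ent in [
        (WlanProfile("SonicWall", "wpa2", psk="password"), False),
        (WlanProfile("Corp", "wpa2", auth="eap", eap_method="peap",
                     radius_servers=("192.0.2.85",), radius_secret="Tq7#vL9!pRz2$wXe4mNb"), True),
        (WlanProfile("Legacy", "wep", cipher="wep", wps_enabled=True), False),
    ]:
        findings = audit(prof, enterprise=ent)
        print(prof.ssid, worst_severity(findings), findings)
```

Note that the PSK and the RADIUS secret go through the same check on purpose: the video sets both to “password”, and a guessable RADIUS secret lets anyone who can reach the server impersonate the access point to it.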

2. Wireless Installation Considerations

In this video we’re going to be talking about things to consider when installing a wireless network. Now, there are some things to consider. Some of these are pretty similar, like site surveys and WiFi analyzers. But let’s take a look at what some of the terms are that they want us to know. So the first thing up I have is, when you’re installing a WiFi network, one thing to consider is just doing a site survey. Now, site surveys are basic, and I have a link here. By the way, none of the tools I ever give you guys in this class are ever endorsed by me. I find great tools on here and I read good reviews; some of these I’ve used and some of these I have not, but I’ve gotten spoken reviews from other students about them. So here’s one that a student told me about that they considered very good, NetSpot. And this is a wireless survey, analysis and troubleshooting tool. And this is a free WiFi analyzer.

So this here, you guys can try this out and basically analyze to see what’s happening around you in terms of wireless in your area. The other one is a heat map. Now, heat maps are basically going to show you the strength of wireless signals. So here is a heat map per se, and this one comes from SolarWinds Network Performance Monitor. There’s also another one; here’s another one. Now, what heat maps are is basically showing you how strong the signal is. Is the signal very strong, or is the signal dying there? So maybe where you have the access point you have a very thick, red, hot signal, and then as it’s getting blue, it’s getting colder and colder; in other words, you’re losing access there. This is an important thing to have when setting up a wireless network. That way you know how strong the signal is and where you need to.

When they install wireless networks, what they do is they mesh them together so the signals overlap each other. So no matter where you are, you can pick up your notebook and walk around but you’re jumping from access point to access point. For that to work, you need a wireless controller that holds the wireless sessions within them. So the wireless controller, the access points are connected to the controllers and the controllers are managing the wireless sessions so people can walk around from place to place. But you still need to know where to position the access point, right? You still need to know where do you want to actually place the access point to ensure that the heat maps are showing sufficient, quote unquote heat or signal for the workstations throughout your network.

And then you have wireless analyzers, and these are basically going to be tools that show you information about your wireless network and the networks around you, very similar to the other one, the wireless survey. Now, one thing here is channel overlays. Now, channel overlays are changing the wireless channel. You may have a wireless network, you may see it gets slower. What you could do is change the channel on the wireless. So if you have a channel that has a lot of traffic, a lot of people are using it, what some people do is they change the channel on the wireless network. Now, to do that, I’ll show you on my SonicWall here. And this you can do on almost all of your wireless devices. It’s not something specific to my SonicWall; you could use it on any device. Okay? So if I go in here right now, it says Radio Band, it says Radio Mode.

So if I go in here and I select Radio Band, you can do 20. But notice now I have all the different channels. By the way, if you use the 2.5 GHz or 5 GHz spectrum there, you have different channels. If you find that the channels themselves are congested or you have too much slowdown of traffic, you could change the channel on that. Keep in mind that this doesn’t stop any attacks or anything; it’s just there to increase the speed of your wireless. Now, the controller and the wireless access point: the access point’s security, you’ve got to secure your access point, you’ve got to secure the controllers. Simple common-sense security things: keep them up to date, update the firmware anytime one comes out, ensure you change the password on the devices; these are common things to do to secure the access point and the controller. Okay, so these were some things to consider when installing wireless networks.
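Picking the channel, and placing overlapping access points on channels that do not step on each other, is the arithmetic behind the “change the channel” advice above. As an added example that is not from the video, SonicWall, NetSpot or SolarWinds, here is a Python model of 2.4 GHz channel overlap: it scores each candidate channel by how much neighbouring signal (from a constructed analyzer scan) spills into it, and checks that a multi-AP plan uses non-overlapping channels. The 20 MHz channel width, the scan data and the 1/6/11 candidate set are assumptions made for the example.

```python
CHANNEL_WIDTH_MHZ = 20  # assumption: 20 MHz OFDM channels; legacy DSSS uses 22 MHz


def center_frequency_mhz(channel):
    """2.4 GHz band: channels 1-13 sit 5 MHz apart from 2412 MHz; channel 14 is 2484 MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlap_fraction(ch_a, ch_b, width=CHANNEL_WIDTH_MHZ):
    """0.0 when the channels share no spectrum, 1.0 when they are the same channel."""
    separation = abs(center_frequency_mhz(ch_a) - center_frequency_mhz(ch_b))
    return max(0.0, 1.0 - separation / width)


def plan_is_nonoverlapping(channels):
    """True when every pair of access points in a mesh plan is on non-overlapping channels."""
    return all(overlap_fraction(a, b) == 0.0
               for i, a in enumerate(channels) for b in channels[i + 1:])


def congestion_score(channel, neighbors):
    """Neighbour signal power (in mW, from dBm) that spills into this channel."""
    score = 0.0
    for _ssid, ch, rssi_dbm in neighbors:
        fraction = overlap_fraction(channel, ch)
        if fraction:
            score += fraction * 10 ** (rssi_dbm / 10)
    return score


def recommend_channel(neighbors, candidates=(1, 6, 11)):
    """Least-congested of the non-overlapping candidates."""
    return min(candidates, key=lambda ch: congestion_score(ch, neighbors))


# Constructed scan results (ssid, channel, RSSI in dBm), as a WiFi analyzer would report them
SCAN = [
    ("CoffeeShop-Guest", 1, -40),   # loud neighbour right on channel 1
    ("Neighbor-A", 6, -55),
    ("Neighbor-B", 3, -70),         # partially overlaps both 1 and 6
    ("Neighbor-C", 11, -85),        # barely audible
]

if __name__ == "__main__":
    for ch in (1, 6, 11):
        print(f"channel {ch:2d}: {congestion_score(ch, SCAN):.3e} mW of overlapping signal")
    print("least congested:", recommend_channel(SCAN))
    print("plan 1/6/11 clean:", plan_is_nonoverlapping([1, 6, 11]))
    print("plan 1/6/9 clean:", plan_is_nonoverlapping([1, 6, 9]))
```

The dBm-to-milliwatt conversion matters: a neighbour at -40 dBm is a thousand times louder than one at -70 dBm, so a half-overlapping strong signal outweighs a fully overlapping weak one. As the video says, this buys throughput, not security; it changes nothing about who can join.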
