CWNP CWNA – Security Part 2

6. 802.11 Security Basics Part5

Now, when we continue to talk about security, something else we should look at is segmentation. And that’s what happens when we get on the wired network. segmentation is our best method, the most chosen method of separating user traffic while inside of a network. We most often do that with what we call a virtual local area network. And so it’s a layer to switching technology to make sure that traffic gets isolated lated from one part of the network to another part. Now, you should also have a full time monitoring solution to be able to protect against possible attacks that might come after the wire’s network.

And what I mean by that is that you have your access point, you have maybe your wireless lan controller, you have switches, you have routers, you have firewalls, you have servers like Windows servers or unix servers and they all generate logs when they see something that’s unusual. And there are devices like one company uses a product called splunk that will gather all of these logs and actually correlate it to let you know if there looks like something suspicious going on through the entire fabric of the network. Again, not just a wireless solution, but it’s solution for security.

7. 802.11 Security Basics Part6

Now, one of the things to remember is that every network card in the wifi and the ethernet has what they call a physical address or a burn in address. But we like to call it the Mac, the media Access Control. It is written in hexadecimal. It’s twelve digits long, it’s a 48 bit number. And everyone has their own unique. It will tell you not only what company made the card, but within that company which card number it was. They’re giving it like a serial number. Now, we can use that information a little bit for security. And this is one of those warm, fuzzy security things. It’s called Mac filtering.

What we do is we can make on the access point a list of those Mac addresses that are allowed to come into the network and block everybody else. Or you do the other way, you could allow a bunch of them and deny others. I mean, whatever combination you get to choose. The problem with that, it’s very easy for you through software to change the Mac address that you present. So a burn in address is just that. It’s burned into the rom, the firmware of that card. But what is presented to the outside world can be changed, changed through software. So by doing Mac spoofing, you can get in no matter what they’ve done with Mac filtering.

8. Robust Security Part1

Now, in the eight to Eleven 2012 standard, we talk about what enterprise authentication methods should be used, as well as the type of authentication should be used for home use, different things. In an enterprise, you usually have some sort of directory service. Like with Microsoft, you might have active directory that we can use to verify usernames and passwords. At home, not so much. So we might use pre shared key or a local database. The current standard, though, says that we want to use what is called the extensible Authentication Protocol, or ep as a method of being able to exchange your username password or pre shared key from the machine wanting to get to the access point all the way through to the machine that’s going to verify your identity.

Now, prior to that ratification of that amendment, we came out, or I say we, it wasn’t just me, but anyway, we came out with an amendment called the wpa, the wifi Protected Access. Now, that was kind of a stepping stone to the official wpa Two. The purpose of it, though, was to get everybody off a web and we said, okay, we’re really coming up with a good idea about security, but until we get to that really good idea, don’t use Web, use wpa. And so you might still see some access points that say, hey, you can do wpa or you can do wpa Two. wba two is better for you because it has an actual standard, whereas wpa did not have that standard.

Now, we also began using a switching or bridging type of security called 802 one x, anything that is ieee 802 One, not eleven, but one, deals with bridging and switching. So what they did is they had a port based authentication, meaning that on a physical switch, if you plugged into a port, you would have to prove who you are before that port would come on and send you to the rest of the network. Well, in a way, your access port or access point, I’m sorry, is connected to a switch port, and so we can still use that same technology to help improve security.

9. Robust Security Part2

The 811 standard for 2012 anyway, defines what are known as robust security networks, or rsns. They also will talk about the robust security network associations, or the Rsnas. Now, that might be where two stations have to authenticate and associate with each other as well as find a way to create a dynamic encryption key through what they call a fourway handshake. Now, this is true tricky because we want things to be secure.

When it comes to most encryption, the person who is encrypting the data uses an encryption key that the other side has to have the same key to decrypt this symmetric encryption. The question though is how do they both communicate the key? Because I can’t send it to you in clear text and say here’s the key, and hope that the hacker wasn’t listening. So they go through this four way handshake process to create a temporary type of encrypted session, usually using asymmetric encryption, to then send the actual encryption key. And that takes a couple of back and forth conversations to be able to do.

10. Robust Security Part3

So the 802 one x standard is, like I said, not a wireless, it’s a switching and it has three components. I’ll quickly draw them here and you’ll see a better picture. So you’re going to have the computer, which would be the supplicant that wants to authenticate and have access to network resources. So it does that when it connects to the access point.

That access point is going to become the authenticator. When you try to make the connection, it’s going to challenge you for your information so you send that information in. Now that particular point, the authenticator has a little bit of a problem. It’s supposed to block the traffic that you would want to send to the network but it has to allow the traffic that would be your username and password to be able to get into the network and get authenticated.

So most authentication only traffic will be allowed to pass through where anything else you do is going to be blocked. So that means that they almost have two virtual ports, one for the uncontrolled, which is allowed for the eap authentication and the controlled, which is the vast majority of the traffic that you’re trying to get through. Now at that point they’re going to have to go to an authentication server most often as a radius server and then the information you provide will be sent to that server to verify that your identity is correct. That’s the authentication and it will return either a yes or a no as to whether or not you’re allowed to come in there. And then we’re pretty much at that point, if you got permitted able to open up that control port and begin to send your traffic in, you.

11. Robust Security Part4

So again, the client station is the supplicant. They try to make that connection to the access point. And as I said, the access point only allows that eap traffic a way of encrypting your username and password to the Radius Server. Now, the Radius Server might depend on your Active Directory or other directory service server to get the answer, which is fine. I mean, it either has its own local database or it uses your network database to be able to do that. That then comes back to the Radius Server with a yes or no. The radius server then sends back the yes or no.

And depending on that answer, you get your communications to go through. So that is kind of the part of what we do call the 802 one X. And it’s about one of the strongest things we can do. Now, if it was a controller base, you would still send your traffic or your request to get in there. You would still get the challenge for your credentials, but that would actually be sent to the wireless lan controller. The wireless land controller would then go to the Radius Server, which might go to the ldap server.

And then of course, we just get the replies as to whether or not you’re allowed to be able to come back in.

12. Robust Security Part5

Now, eap, the extensible authentication protocol was named that because it is very flexible. It might be the type of protocol that you would use on a fingerprint scanner to be able to get in through a door or to log on to a computer. It could be the one that reads the cards.

What it’s designed to do is be able to securely transmit what you’re using is your identity to a certain server that can then authenticate who you are. So it was on purpose that it was that flexible. Now, other companies, like cisco, for example, made some tweaks to how eep works.

As an example, they created something called the lightweight eap. A lot of people call it Leap. And then we found out, by the way, that there were some weaknesses to that. So they’re not using it anymore. Other open standards said, let’s have a protected eep. They call it peep, something that’s standard space that is actually very strong when it comes to the use of certificates on both sides instead of just one side.

13. Robust Security Part6

Now one of the things we have to remember is that the wireless portal must be protected. And when they say that, they’re I think at least by that wording, forgetting something very important. But I’ll talk about that as we’re going in here. It says it must be protected and authentication solutions are needed to make sure only authorized devices and users can pass through the portal. All right, so I get that if I have a bunch of computer readers and they’re going to associate with my access point, we want to make sure that they’re not unauthorized. In other words, just somebody randomly driving by and connecting the access point.

But the way in which I read that wording is that they’re worried about the traffic that passes through the access point into the wired network. In other words, the access point is making sure that the only data it sends are from those authenticated and authorized devices. But one thing else that we should always look at, and it’s not really the big focus, unfortunately here, is what if somebody tries to connect to the access point? In other words, they’re going to try to break into the management, guess the administrator password and change the settings of the access point. That too should be protected. And normally it’s easy to do because what we’ll say is that the only person that can administer it must come in through a wired connection and not the wireless.

And I say that after a friend of mine and myself went to NASA over in huntsville, Alabama. Not that that’s important, but we went out to lunch together at a Thai restaurant and they offered a free hot spot and we got there. And when we got there, the ssid for the free hot spot said, links us. Now that’s a default ssid. And so we thought to ourselves, well, they probably still changed the administrator username and password. But they didn’t. My friend not me, by the way, but my friend said, well, let’s go see. And so he connected to the default address of every linksys router and then tried the default admin admin password to see if he could get in. And you know what? He was able to.

We don’t want that when we talk about protecting that wireless portal, not just for traffic moving through, but you should protect that portal from people trying to actually access it and make changes at that point. And I don’t know. Neither does he. We didn’t go any further, but at that point we might have been able to get into the rest of the network that belongs to that Thai restaurant. So we have to look at it from every aspect when we talk about protecting it.

So after a user, though, for the traffic that transmits through it to pass through the portal, we then have to worry about this wired network and whether or not we have a way of segmenting the traffic. Maybe through vans or firewalls or identity based mechanisms just to make sure that they cannot get into the unauthorized parts of our network.