CWNP CWNA – Security

  1. Security

Now in this module we’re going to take a look at security when it comes to the wireless networks. So we’re going to first give you the security basics. We’ll talk about some of the legacy. Not a lot because it’s legacy for a reason. It doesn’t work anymore. We’ll look at this thing called the RSN, the robust security network, which is really important to us. And then after we leave the wireless network and get into the wired network we’re going to talk traffic segmentation, infrastructure security and some other technologies like VPNs that we can use to help protect our traffic.

  1. 802.11 Security Basics Part1

Now, generally when we talk about security, we like to draw this triangle and use an acronym that sounds really cool called CIA. Oops, it didn’t make my A very well. And so what we’re looking at is the data, in this particular case, the data that would be transmitted over the wireless network. The C, confidentiality, is where we look at things like encryption.

By encrypting our data, we’re hoping that if anybody intercepts it because it is radio frequency so anybody with an antenna could hear it if they’re close enough, we don’t want them to be able to easily crack that information. In fact, while we’re talking about the actual encryption and we’re talking about data, we have a saying in this business, and that is that your data should be secured at rest. What does that mean? That means it’s on a hard drive, so it should be encrypted on a hard drive.

I mean, we can do everything we want to make our network secure, but if somebody downloads an important file and they leave it on their laptop and it’s not encrypted and somebody steals the laptop, and you’ve seen plenty of news stories about the FBI, the VA, everybody else, then it’s basically gone. It also should be encrypted in transmission, which is what we’re focusing on, transmitting it across the radio frequency.

The other thing that is a little hard to do and confidentiality doesn’t really help you too much with this, but the other time that data has to be secure is when it’s in use. What do I mean by in use? I mean, if it’s on your computer monitor and you’re reading it and somebody walks by and reads it off your screen, that could be a compromise to the data. As an example, a couple of weeks ago I was at an Air Force base in Kansas and because I don’t have that top top secret clearance, but they wanted my help at troubleshooting something, I had to get a special pass.

And then they actually turned a red light on in the network operating center so that everybody knew to basically hide their screens or get rid of their confidential stuff before I walked in. That was a little embarrassing. I mean, they couldn’t do the work because I was sitting there and there’s a little red light going on. But that was because they were trying to protect that data while it was in use. Anyway, that’s one of them. So again, we’re going to worry about encrypting the data as it’s being transmitted over the radio frequency.

The integrity, or the I, means that we want to know if that data was altered. Even if it’s been encrypted, somebody could still alter that information. But we have things like the CRC or the FCS, and there are hashing algorithms, to determine if something happened. And then the A actually has a couple of different meanings, if you really want to know, but for us it’s the authentication, authorization and accounting, meaning that we know who’s there, we know what their permissions are and we’re keeping track of what they do.

So that was a lot about those first two when it comes to security. Now, once you get on the wired network, sometimes the people in the world of wireless say, well, we’ve done our job to protect information. Now it’s the infrastructure’s turn. And so we’re going to talk a little bit about segmentation, like things with VLANs or firewalls, access control lists.

We’re going to talk a little bit about monitoring so we can keep track of who’s doing what. And a lot of the decisions of how we do this really deal with a security policy, which by itself does nothing. It’s usually a piece of paper that somebody has said this is what you will or you won’t do. And we’ll keep track of what their recommendations are for how we determine to protect our information.

  1. 802.11 Security Basics Part2

Now one of the things we have to remember is that the wireless portal must be protected. And when they say that, they’re, I think, at least by that wording, forgetting something very important. But I’ll talk about that as we’re going in here. It says it must be protected and authentication solutions are needed to make sure only authorized devices and users can pass through the portal. All right, so I get that if I have a bunch of computer readers and they’re going to associate with my access point, we want to make sure that they’re not unauthorized. In other words, just somebody randomly driving by and connecting to the access point.

But the way in which I read that wording is that they’re worried about the traffic that passes through the access point into the wired network. In other words, the access point is making sure that the only data it sends are from those authenticated and authorized devices. But one thing else that we should always look at, and it’s not really the big focus, unfortunately here, is what if somebody tries to connect to the access point? In other words, they’re going to try to break into the management, guess the administrator password and change the settings of the access point.

That too should be protected. And normally it’s easy to do because what we’ll say is that the only person that can administer it must come in through a wired connection and not the wireless. And I say that after a friend of mine and myself went to NASA over in Huntsville, Alabama. Not that that’s important, but we went out to lunch together at a Thai restaurant and they offered a free hot spot and we got there. And when we got there, the SSID for the free hot spot said linksys. Now that’s a default SSID. And so we thought to ourselves, well, they probably still changed the administrator username and password. But they didn’t.

My friend, not me, by the way, but my friend said, well, let’s go see. And so he connected to the default address of every Linksys router and then tried the default admin admin password to see if he could get in. And you know what? He was able to. We don’t want that when we talk about protecting that wireless portal, not just for traffic moving through, but you should protect that portal from people trying to actually access it and make changes at that point. And I don’t know. Neither does he. We didn’t go any further, but at that point we might have been able to get into the rest of the network that belongs to that Thai restaurant. So we have to look at it from every aspect when we talk about protecting it. So after a user, though, for the traffic that transmits through it to pass through the portal, we then have to worry about this wired network and whether or not we have a way of segmenting the traffic. Maybe through VLANs or firewalls or identity-based mechanisms just to make sure that they cannot get into the unauthorized parts of our network.

  1. 802.11 Security Basics Part3

So protecting data privacy on a wired network is a lot easier because of the physical access to the wired medium. In other words, it’s not radiating radio frequency for anybody with an antenna to be able to hear. So it’s a little more restricted. In fact, you actually probably have to be into the server room. For some of you. With smaller networks, you might call it the closet, but it’s much more restricted, whereas wireless transmissions are available to anybody who is close enough to be able to hear the radio frequency. And there’s, by the way, outside of a directional type of antenna, not a lot you can do about that. So we want to have some sort of encryption. They call it a cipher encryption to try to obscure the information. In other words, if somebody is listening to it and they download and copy, which, by the way, is very easy to do, they would have full access if it was not sent with encryption. So what they would download and copy would be encrypted, and then hopefully, it would take them many years to be able to break that encryption.

So we should make that a mandatory thing to have the proper type of data privacy. Now, a cipher or an encryption algorithm is what we use to be able to do the encryption. There are many, many different types, and over the years, wireless technology has used a variety of different types of ciphers to protect their traffic. The problem is, is that as technology gets faster and faster and faster, it becomes easier to break that encryption. So we have to, in an industry like this, continue to get better and better and better at how we do encryption.

So it’s kind of like a race, but that’s okay. Originally, WEP was the algorithm of choice for securing the communications. Today, it takes an average laptop five minutes to be able to break through a WEP encryption. Now, it wasn’t actually the cipher, the RC4, the Rivest Cipher version 4, that was really the weak part of that. It was the way in which they exchanged their keys and information that made it very easy. RC4 is still a great algorithm. In fact, I just called it the Rivest cipher.

So it comes from three people, Rivest and Adleman and Shamir, who came up with the RSA protocol, which is still very, very popular and very strong. But this person came up with the one that we still use for going and doing things like online banking or something with the Secure Sockets Layer. So it wasn’t that the algorithm was bad. It was how wireless WEP secured the key. And by the way, with every encryption algorithm, everybody knows how it works. So it’s actually the strength of the key that makes it strong. And in this case, it was how they went back and forth and exchanged the key.

That was a weak method of doing it that made it very bad, at least by today’s standards. So now we use what’s called the AES algorithm. Now, by the way, AES, the Advanced Encryption Standard, was just something that NIST had said, this is what we want an encryption algorithm to do. Many, many people put in their submission for encryption to match the AES standards. And the one that was chosen was called Rijndael by the person who actually came up with it.

That now is the standard, or what makes up the standard. But there were other types, like IDEA and many others, that felt like they could win. But anyway, so Rijndael is what we use. It is a block cipher. And I don’t want to make this suddenly an encryption class, but I want to give you information that you go look up and understand that AES was an outline, and the government found one, somebody who made an algorithm that matched the guideline. So there’s a block cipher that offers a lot stronger protection. What’s really cool about it is that I just told you the key is what people don’t know. They all know how the algorithm works, but the key is what they don’t know. And it started off with a 128-bit key, which is a key that technically is something that could be 39 digits long.

I mean, huge. And then that algorithm now could also support longer and longer keys. We’re up to 512 bits. I have no idea how big that key is. But the problem is, as the key gets longer, it takes a lot more computational power to be able to encrypt something. But at the same time, as the key gets longer, then it’s going to be harder and harder to be able to break. One of the founders of a company called Intel, maybe you’ve heard about them. I don’t know his first name, last name Moore. He came up with something called Moore’s Law that said every two years, the speed of processing is going to double and the size of the chip is going to shrink by half.

And pretty much we’re beating that actual standard. And so when you think about the original types of protocols for cracking, back in the days when we had, by our standard today, very slow processors, now for just a couple of can buy a tablet that has four processing queues or cores and a lot of memory. And that little tablet, if I had taken it back ten years ago, I would have cracked almost every encryption protocol you had in a matter of minutes. So that goes back to Moore’s Law. We have to continue to grow with that. Now, I’ll get off of that little soapbox about encryption, but just let you know that AES, right now, as a standard, is the strongest one that we have that is publicly available.

  1. 802.11 Security Basics Part4

One of the core concepts of the A part of that triangle was the authentication, authorization and accounting, or what we call AAA. It’s a key concept of security on how we protect our networks. First, the authentication, which is very important, is where you actually provide an identity. Now the weakest part of this is when people just use a username and password as their identity. But what we do with authentication is make sure that your combination of username and password matched what we have in our database and then we would say you are authenticated.

And we can do that with devices as well, not just users. So the device could have what we call a digital certificate, which is actually much more secure. But the point is that when a computer is connecting to an access point, the access point is going to ask for information of either the device or the user or both, and then go off to some AAA server to make sure that that combination is right, so that the access point will feel confident that you’re allowed to transmit information through it. Now, many of our better authentication systems use what we call multifactor authentication. Let me talk about that. When it comes to multifactor authentication, we talk about you having to supply something you know. Well, what you know is your username and password.

But unfortunately when we think about social engineering, people might convince you to give that information up. It’s really the weakest part. It might also be something you have. So when I go to military installations, even though a person has a username and password, they have what they call a CAC card, CAC, that basically is a certificate-based card that they have to plug into a reader to be able to use that and their username and password to be able to have access. The hope is if somebody were to maybe watch over your shoulder while you’re typing your password and then try to mimic what you did, they still don’t have the card. So we have to have both of those.

That would be multifactor. The other part of multifactor is something that you are, that gets us into the biometrics. You are your fingerprint, you are your retina or your iris or any of those other types of things. And so by having at least let’s say two of those as a requirement for authentication, then we have a better form of authentication. Makes it much more secure than if it was just username and password.

So you could have all three if you wanted to. In fact, there was a time I won’t tell you who the company is or what city it was in, but I was there for a two week contract to fix a management system. And as I was walking around bored one day I saw a room that was not labeled. All the other rooms were labeled with little plaques on the door to let you know what it is. And it’s kind of funny. Some people think security should be done by obscurity. Like the only door without a label is not important. Well, usually that’s the most important. Anyway, I looked through and I saw a little window in the door. I saw a hallway. And so I needed to have a card. So there’s the have.

I needed to have a card to get through the first door. And then at the end of that hallway I saw that there was a fingerprint scanner, something that you are, and it had a combination lock, something you know. So they had to have all three to be able to get into the room, by the way, that I thought was the network operation center. And it was. So as I was looking through that little window, somebody came up behind me and said, can I help you? After I jumped because they scared me, I said, yeah, I wanted to see what the NOC looked like. And so that person had the card to get into the first door, had the right fingerprint to get through the other part and knew the combination and took me right in even though I didn’t have an authorized badge to be able to get there.

So even though I tell you this makes a better system, and I told you that story to tell you this, that it’s only as strong as your weakest link. So I’m just going to leave it there and tell you that people should be trained about security to be able to make anything more secure. Now that I’m done with that, let’s go on to authorization. So once I know who you are, as far as the authentication, authorization tells me what your permissions are, whether or not you’re allowed to have access to different network resources. In something like a Windows server, if somebody were to share a folder or files, they’re going to have what they call a DACL, a Discretionary Access Control List. That’s going to be a combination of username and their permissions. Permissions could be things like read, read, write, modify, those types of things. So we still want to keep looking at the security all the way through the process, which by the way, I know has nothing to do with the wireless.

But I thought while we’re talking about security, I should make sure that you all know that it goes beyond layer one, it goes beyond layer two. So it’s all about access, what your permissions are. But before we can give you the permissions, the authorization, again, we have to go through the authentication, make sure we know who you are. The last part, accounting, is keeping track of what you did. So my name is Ken, as I told you in the introduction, so you would have a list that says Ken opened this folder, Ken opened this file. It’s keeping track of what users or devices are doing.

So you can audit that at a later time. Sometimes you might be looking at it ahead of time to kind of see if there’s anything pending. So it’s a very important aspect of security to have that historical trail of who used what resource and when and where. I realize it can become a very big record, but depending on how much security you want, at least for some of your more sensitive data, I would hope that you think it’s worth it.
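An added example, not part of the original lecture: the authentication, authorization and accounting steps from this section as a small Python model, with two factors required and every attempt written to the audit trail. The user record, card ID, share path and function names are constructed assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen user table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data (assumptions, not from the lecture).
SALT = os.urandom(16)
USERS = {"ken": {"salt": SALT, "pw": hash_password("correct horse", SALT),
                 "card_id": "CARD-0001"}}
DUMMY = {"salt": b"\0" * 16, "pw": b"\0" * 32, "card_id": ""}
# DACL: resource -> user -> set of permissions.
DACL = {r"\\fs01\plans": {"ken": {"read"}}}
AUDIT_LOG = []  # accounting trail: one entry per attempt, allowed or not

def authenticate(user: str, password: str, card_id: str) -> bool:
    """Two factors: something you know (password) and something you have (card)."""
    rec = USERS.get(user, DUMMY)  # unknown users cost the same work as known ones
    knows = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw"])
    has = hmac.compare_digest(card_id.encode(), rec["card_id"].encode())
    return user in USERS and knows and has

def authorize(user: str, resource: str, permission: str) -> bool:
    """Default deny: only permissions listed in the DACL are granted."""
    return permission in DACL.get(resource, {}).get(user, set())

def access(user, password, card_id, resource, permission) -> bool:
    """Authenticate first, then authorize, and always record the attempt."""
    authenticated = authenticate(user, password, card_id)
    allowed = authenticated and authorize(user, resource, permission)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "resource": resource, "permission": permission,
        "authenticated": authenticated, "allowed": allowed,
    })
    return allowed

if __name__ == "__main__":
    share = r"\\fs01\plans"
    print(access("ken", "correct horse", "CARD-0001", share, "read"))   # in DACL
    print(access("ken", "correct horse", "CARD-0001", share, "write"))  # not in DACL
    print(access("ken", "correct horse", "", share, "read"))            # card missing
    for entry in AUDIT_LOG:
        print(entry)
```

The audit entries keep denied attempts as well as granted ones, which is what makes the trail useful when it is reviewed later.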
