CWNP CWNA – Security Part 3
So protecting data privacy on a wired network is a lot easier because of the physical access to the wired medium. In other words, it’s not radiating radio frequency for anybody with an antenna to be able to hear. So it’s a little more restricted. In fact, you probably have to be in the server room, or, for some of you with smaller networks, what you might call the closet, but it’s much more restricted, whereas wireless transmissions are available to anybody who is close enough to hear the radio frequency. And, by the way, outside of a directional type of antenna, there’s not a lot you can do about that. So we want to have some sort of encryption.
They call it a cipher, an encryption, to try to obscure the information. In other words, if somebody is listening to it and they download and copy it, which, by the way, is very easy to do, they would have full access if it was not sent with encryption. So what they would download and copy would be encrypted, and then hopefully it would take them many years to break that encryption. So we should make that a mandatory thing in order to have the proper type of data privacy. Now, a cipher, or an encryption algorithm, is what we use to do the encryption.
There are many, many different types, and over the years, wireless technology has used a variety of different ciphers to protect its traffic. The problem is that as technology gets faster and faster and faster, it becomes easier to break that encryption. So we have to, in an industry like this, continue to get better and better and better at how we do encryption. So it’s kind of like a race, but that’s okay. Originally, WEP was the algorithm of choice for securing the communications.
Today, it takes an average laptop five minutes to break through WEP encryption. Now, it wasn’t actually the cipher, RC4, the Rivest cipher version 4, that was really the weak part of that. It was the way in which they exchanged their keys and information that made it very easy. RC4 is still a great algorithm. In fact, I just called it the Rivest cipher.
So it comes from three people, Rivest, Adleman and Shamir, who came up with the RSA protocol, which is still very, very popular and very strong. But this person came up with the one that we still use for doing things like online banking or something with the Secure Sockets Layer. So it wasn’t that the algorithm was bad.
It was how wireless WEP secured the key. And by the way, with every encryption algorithm, everybody knows how it works. So it’s actually the strength of the key that makes it strong. And in this case, it was how they went back and forth and exchanged the key.
That was a weak method of doing it that made it very bad, at least by today’s standards. So now we use what’s called the AES algorithm. Now, by the way, AES, the Advanced Encryption Standard, was just something that NIST had said: this is what we want an encryption algorithm to do. Many, many people put in their submissions for an encryption algorithm to match the AES standards. And the one that was chosen was called Rijndael by the person who actually came up with it. That now is the standard, or what makes up the standard. But there were other types, like IDEA and many others, that felt like they could win. But anyway, Rijndael is what we use. It is a block cipher.
And I don’t want to suddenly make this an encryption class, but I want to give you information that you can go look up and understand: AES was an outline, and the government found somebody who made an algorithm that matched the guideline. So there’s a block cipher that offers a lot stronger protection. What’s really cool about it is that, as I just told you, the key is what people don’t know. They all know how the algorithm works, but the key is what they don’t know. And it started off with a 128-bit key, which is a key that technically could be 39 digits long. I mean, huge. And that algorithm now can also support longer and longer keys.
We’re up to 512 bits. I have no idea how big that key is. But the problem is, as the key gets longer, it takes a lot more computational power to encrypt something. But at the same time, as the key gets longer, it’s going to be harder and harder to break. One of the founders of a company called Intel, maybe you’ve heard of them. I don’t know his first name; last name Moore. He came up with something called Moore’s Law, which said that every two years the speed of processing is going to double and the size of the chip is going to shrink by half.
And pretty much we’re beating that actual standard. And so when you think about the original types of protocols for cracking, back in the days when we had, by our standards today, very slow processors, now for just a couple of ... you can buy a tablet that has four processors or cores and a lot of memory.
And that little tablet, if I had taken it back ten years ago, would have cracked almost every encryption protocol you had in a matter of minutes. So that goes back to Moore’s Law. We have to continue to grow with that. Now, I’ll get off of that little soapbox about encryption, but just let you know that AES, right now, as a standard, is the strongest one that we have that is publicly available.
So one more time. VLANs are used, as I said, to create different broadcast domains. And that was the original purpose. Because again, if I sent a broadcast into your switch, the rule of broadcasts is that the switch has to flood, meaning forward that broadcast out every port except for the one it came in on. And so everybody had to hear it, whether they wanted to or not. But now we’re using it to restrict access, as I described before, without worrying about the physical topology of the network. They are, again, Layer 2. They are one of the most used portions of security when it comes to an Ethernet network, for security and for segmentation.
Another thing we look at is RBAC. Unfortunately, there are too many acronyms that have multiple meanings. In this case, the R stands for role. In some situations, the R might stand for rule. Rule-based access control is what’s on a firewall. A role-based access control list is based on who you are. So it’s another approach, in this case the role, role-based, to restrict access to a system depending on who you are, being an authorized user. Now, many of your wireless networks, or the vendors that create the access points, might have different ways of doing role-based. It could be just on a user-by-user basis. Or I could make what they call a role.
A role is a list of permissions, if you will, of what you can do; you put users into the role, and then that’s what you’re allowed. But either way, it’s all about permissions. Now, separate roles could be created, such as maybe a role for salespeople, a role for the administrator, which we would hope has full access, a role for marketing. And you just put users in there, and then whatever the permissions are, that’s what they get.
Now, your access points and other types of hardware that you use for wireless can be expensive; in the enterprise realm it could be $2,000 or more. And of course, if you were to watch this video ten years from now, after inflation, you’d probably say, oh, that’s nothing, but it sounds like a lot to me right now. So they’re usually mounted, when you put them in, near a ceiling, and here’s the reason why I bring it up: people might steal them.
Yeah, that’s true. I mean, the access point is a piece of hardware, a $2,000 access point. I take it home and I have this really cool wireless network. So usually we mount them somewhere where we hope people won’t see them. But there are enclosure units with locks that you can screw into the wall to make it hard for people to steal them.
And remember, if you can touch it, you own it. That’s another important aspect of any piece of network hardware: routers and switches can be safely put behind a locked door. We can’t do that with an access point. So you have to make sure you try to safeguard yourself against theft. Now, how easy is a theft, do you think? Well, let me just tell you: I was at a hotel in Portland and my Internet service at night, right, the free Internet, stopped working. So I picked up the phone to call the front desk and ask if they could do something to fix that.
The phone didn’t work. So that tells me there was more of a problem, in that their entire IP network went down. So I went to the front desk, it was like 11:30, almost midnight, and I said, this isn’t working. And the person said, well, yeah, I don’t know how to fix it. I called somebody; they’ll be in in the morning. And I’m like, you know, that’s not going to work for me.
I tried to hint that maybe I was a little bit of an expert on this, and so he told me, back on my floor, how many tiles to count through the hallway until I got to the tile where the access point was. How easy is that to steal? I got on the chair from my bedroom, got up there, opened the tile. Sure enough, there was the access point. So I just did what everybody would normally do when it’s not their network and they don’t care about how well it works.
I rebooted it and then I went back to my room and all was good. But if I had wanted to, that was a really nice access point; I could have taken it if I needed to. So my point is that even though you might think it’s hidden, you’ve got to be careful. You don’t know what the weakest part of your security is. And having something like an enclosure, I think, becomes important as well.
Now, the other thing you have to remember is, how do you access these access points? What I told you is that we should not be able to get to them through the actual wireless antenna that’s meant for everybody to connect through. And hopefully you remember my little story about the Thai restaurant in Huntsville. So you should have a physical management interface if you can. Hopefully it’s on a different management subnet so you can reach it, and only you can. But it is important that you do have a way of getting there.
Now, depending again on the vendor, you might have a web page that opens. At minimum, for everybody, you’ll have what they call a command line interface, where it’s a terminal connection and you can type your commands in. And if you have a remote network management service and it’s working with SNMP (I call SNMP, by the way, "security not my problem"; now, I wish I could hear you all laugh, but it’s the Simple Network Management Protocol), you can make some configuration changes from that as well.
Now, the 802.11-2012 standard clearly defined what Layer 2 security solutions we should use. The use of an upper-layer virtual private network, the secured VPN, can also be deployed, but we’re not recommending it anymore because we have great security through the access point or through the wireless LAN controller, using the same encryption as a VPN does.
The reason we don’t recommend the VPN is because it causes more overhead for the client and the receiver to deal with. And it’s not as fast as if you were going through the WPA2 type of security. So it’s not a recommended practice. But it doesn’t mean you still can’t do that if you want to have secure connectivity.
When you do use a VPN, what will happen is your original packet, that original packet that had your IP address, your layer 4 transport protocol, your data units, all of that would be encrypted. And then between the sender, or the router, and what it is that you’re connecting to over here, maybe even a firewall or the server, they would negotiate with their public IP addresses a new set of addresses to put on the front, so that the Internet could use the unencrypted addresses to get routed through all the routers that you might have to go through to get there. And when it gets to the destination, they would then take that off and decrypt this packet. So that’s basically saying that your first packet, as it says here, is encapsulated inside the second or outer packet.
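The encapsulation just described, as an added example that is not part of the course: the inner packet with its private addresses is encrypted whole, and a new outer header with the gateways' public addresses is what the routers in between see. All addresses and the key are constructed for this example, and the HMAC-based keystream is a labelled stand-in for the cipher a real IPsec ESP tunnel would use.

```python
import hashlib, hmac, socket, struct

# Constructed addresses: private inner hosts behind two tunnel gateways, and the
# public gateway addresses carried on the outer header. The key stands in for the
# one the gateways would negotiate (IKE in real IPsec); it is not a real key.
INNER_SRC, INNER_DST = "192.168.1.10", "10.0.5.20"
OUTER_SRC, OUTER_DST = "198.51.100.7", "203.0.113.9"
TUNNEL_KEY = b"constructed-example-key-not-a-real-one"

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def keystream(seq, n):
    """Counter-mode keystream from HMAC-SHA256: a stand-in for ESP's real cipher
    (AES in practice). The sequence number must never repeat under one key."""
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(TUNNEL_KEY, struct.pack("!II", seq, block), hashlib.sha256).digest()
    return out[:n]

def encapsulate(inner_packet, seq):
    """Encrypt the whole inner packet (private addresses included) and put a new,
    routable outer header in front, as tunnel-mode IPsec does (protocol 50 = ESP)."""
    body = bytes(a ^ b for a, b in zip(inner_packet, keystream(seq, len(inner_packet))))
    header = struct.pack("!I", seq)
    tag = hmac.new(TUNNEL_KEY, header + body, hashlib.sha256).digest()[:16]
    esp = header + body + tag
    return ipv4_header(OUTER_SRC, OUTER_DST, 50, len(esp)) + esp

def decapsulate(outer_packet):
    """Strip the outer header, verify integrity, and recover the inner packet."""
    esp = outer_packet[20:]
    header, body, tag = esp[:4], esp[4:-16], esp[-16:]
    expected = hmac.new(TUNNEL_KEY, header + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; packet dropped")
    seq = struct.unpack("!I", header)[0]
    return bytes(a ^ b for a, b in zip(body, keystream(seq, len(body))))

def addresses(packet):
    """Source and destination of an IPv4 packet, as an intermediate router sees them."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst)

def build_inner(payload):
    return ipv4_header(INNER_SRC, INNER_DST, 6, len(payload)) + payload  # 6 = TCP
```

Routers between the two gateways route on the outer addresses only; the inner addresses and payload appear nowhere in the outer packet, and a modified packet fails the integrity check instead of being decrypted.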
Now, there are other types of VPN technologies that we can use, unlike the IPsec one I kind of described, that offer a little bit easier time. It’s still very secure. One of them is called the SSL VPN. Now, with the one I just described, the IPsec VPN, you had to install software on both sides that knew how to negotiate the encryption. And in some cases, I’ve been to facilities where the company gives you a laptop, but you can’t install software on there because it’s against the rules or restrictions. And so that’s no good. The SSL VPN, a little bit different, is using your web browser, whatever you like: Chrome, Firefox, Internet Explorer, whatever it is that you use. So you already have the software, the client, on there, so there’s nothing extra to install. And it makes it very easy to make that secure connection.
Now, I have already mentioned guest access, and many companies today like to provide Wi-Fi guest access as a convenience to the people that come to visit them. They also allow Internet access to visitors, contractors, students, salespeople, but they don’t let you into the inside network. And remember, we did that through the use of VLANs almost every time.
So we know that visitors want to be able to access the Internet. We know that they want to be able to get to their email. And so what they’ll do is create an extra or a different SSID for the guest VLAN and then allow that person to connect to that SSID, which will have its own unique VLAN, and then be able to get out to the Internet.
Now, your guest user traffic should be segmented, as I said, into a VLAN. I used to like to call it VLAN jail. Now, I mean, it’s a little bit different jail, because you can get out to the Internet, but you can’t get anywhere else. It will be tied to a separate subnet, a different IP address, so you have nothing to do with the internal part of the network, and so that traffic can maybe go to their DMZ (for those of you overseas, the DMZ), and from there, to get out to the rest of the network, you’ll have firewall policies that allow that traffic to go through, so they’re usually a little bit less restrictive, even compared to the employees. That connection you make will usually have access to a DHCP server and a DNS server, so you’ll have those appropriate connections. You’ll probably be given a private IP address to use while you’re acting as a guest, and get NATed as you’re going out. But the important thing is that that VLAN and all of your other security devices will not allow you to go from the guest VLAN to the internal network.
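The "VLAN jail" policy above, as an added example that is not from the course: a firewall rule set for the guest VLAN that allows the guest's own DHCP and DNS, denies every internal subnet, and NATs everything else out to the Internet. The subnets, gateway and NAT address are constructed for this example.

```python
import ipaddress
from typing import NamedTuple

# Constructed addressing (not from the course): the guest VLAN has its own private
# subnet and its own gateway that answers DHCP and DNS; the public address is a
# hypothetical NAT address used for guest traffic leaving to the Internet.
GUEST_VLAN = ipaddress.ip_network("10.99.0.0/24")
GUEST_GATEWAY = "10.99.0.1"
INTERNAL_VLANS = [ipaddress.ip_network("10.1.0.0/16"),
                  ipaddress.ip_network("192.168.10.0/24")]
ALLOWED_SERVICES = {(GUEST_GATEWAY, 67), (GUEST_GATEWAY, 53)}  # DHCP, DNS
NAT_PUBLIC_ADDRESS = "198.51.100.7"

class Packet(NamedTuple):
    src: str
    dst: str
    dport: int

def guest_policy(pkt):
    """Evaluate one packet the way a firewall between the guest VLAN and everything
    else would. Rule order matters: the short service allow-list first, then the
    deny for anything internal, then NAT out to the Internet for what is left.
    Returns (verdict, source address after translation, reason)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src not in GUEST_VLAN:
        return ("no-match", pkt.src, "not guest traffic; other VLAN policies apply")
    if (pkt.dst, pkt.dport) in ALLOWED_SERVICES:
        return ("allow", pkt.src, "guest may use its own DHCP and DNS")
    if any(dst in net for net in INTERNAL_VLANS):
        return ("deny", pkt.src, "VLAN jail: no path from guest to internal network")
    if not dst.is_global:
        return ("deny", pkt.src, "destination is not Internet-routable")
    return ("allow", NAT_PUBLIC_ADDRESS, "guest to Internet, source NATed")
```

Note that the deny for internal subnets sits before the Internet rule on purpose: if the order were reversed, a private destination would still be caught by the routability check, but the policy should never depend on that.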
Another option we have for security, and I mentioned it before, is when we have something like a wireless LAN controller. Now, you’ll see this a lot at hotels or even other companies that have a guest VLAN or guest wireless LAN, and that is that when you connect, you’re going to have to go to the wireless LAN controller and put in some sort of identification. It’s not going to be an account that belongs to anybody in the company. It might be what they call the guest account, where they give everybody the same username and password, or they might make it up on the fly, where they put your new credentials in so they can at least keep track of what you’re doing while you’re there. When you connect and you get the authentication, you’re actually not quite there; when you connect, the access point connects you to the wireless LAN controller. And the first web page you try to go to is going to have a pop-up window. And we call that, for everybody, we call that a captive portal.
So here’s another example of the captive portal, where you would put in maybe a username and password. You might actually be given something like an access code. So, like some of the lounges at the airports I go to, they’ll have displayed there a code that I have to type in that’s only good for that day. And then when you get through that, you’re going to get redirected to whatever other website it was that you originally wanted to get to.
So in this module we talked a lot about security, some of the 802.11 security basics. I didn’t dwell on the legacy so much because it’s worthless by today’s standards. We looked at the RSN, the Robust Security Network. Once past the access point, we got into the infrastructure for traffic segmentation, talked about some of the other options for infrastructure security, and even the use of a VPN for wireless security.