WEBVTT

00:00.109 --> 00:02.650
>> We've talked a little
bit about some of

00:02.650 --> 00:05.320
the technology surrounding
wireless networks.

00:05.320 --> 00:08.635
Now, we'll talk about
wireless security.

00:08.635 --> 00:11.590
We have two main aspects
to consider with

00:11.590 --> 00:15.400
wireless security: encryption
and authentication.

00:15.400 --> 00:17.420
The very first cryptosystem

00:17.420 --> 00:18.835
that was designed for wireless

00:18.835 --> 00:22.635
was called WEP, Wired
Equivalent Privacy.

00:22.635 --> 00:25.000
It's almost as if a
salesperson came up with

00:25.000 --> 00:27.160
that name because
the name sounds like

00:27.160 --> 00:29.290
it's trying to sell you on
the fact that you would get

00:29.290 --> 00:30.700
the same level of encryption with

00:30.700 --> 00:33.425
it as you would have
with wired networks.

00:33.425 --> 00:36.075
Obviously, that's not the case.

00:36.075 --> 00:38.005
When you have a wired network,

00:38.005 --> 00:39.340
just that physical cable,

00:39.340 --> 00:40.900
is a measure of
security that you

00:40.900 --> 00:43.610
don't have with the
wireless network.

00:43.710 --> 00:46.880
Other things that
were wrong with WEP

00:46.880 --> 00:49.460
were that you had to share
authentication passwords,

00:49.460 --> 00:52.175
and it had a weak
initialization vector.

00:52.175 --> 00:55.475
Now, we haven't talked
about cryptography yet,

00:55.475 --> 00:57.305
but the initialization vector

00:57.305 --> 00:59.030
adds randomness to the process.

00:59.030 --> 01:00.560
The more randomness you

01:00.560 --> 01:03.020
have with the
encryption, the better.

01:03.020 --> 01:06.185
But if you don't have a
strong initialization vector,

01:06.185 --> 01:08.675
then you get repetitions
and patterns.

01:08.675 --> 01:11.090
Another issue with WEP is

01:11.090 --> 01:13.880
that it used an
algorithm called RC4.

01:13.880 --> 01:15.590
This particular algorithm is

01:15.590 --> 01:17.435
something called
a stream cipher.

01:17.435 --> 01:20.795
It's very fast but easy to break.

01:20.795 --> 01:22.880
We traded off security for speed

01:22.880 --> 01:24.574
by using this algorithm.

01:24.574 --> 01:28.385
Also, WEP used
weak short keys.

01:28.385 --> 01:31.180
You could either operate
in one of two modes.

01:31.180 --> 01:33.995
Low encryption mode or 64-bit,

01:33.995 --> 01:37.490
or high encryption
mode, 128-bit.

01:37.490 --> 01:40.835
Neither of these, by today's
standards, are strong.

01:40.835 --> 01:44.525
But particularly, low
encryption mode was very weak.

01:44.525 --> 01:47.405
WEP is not a good choice today.

01:47.405 --> 01:51.350
Another issue with WEP is
that it used static keys.

01:51.350 --> 01:54.830
There was no dynamic
negotiation of keys.

01:54.830 --> 01:57.350
We knew when WEP came out

01:57.350 --> 01:59.525
that it wasn't where
we wanted it to be,

01:59.525 --> 02:01.970
but we also knew we were
a long way from having

02:01.970 --> 02:05.495
the technology to truly secure
wireless communication.

02:05.495 --> 02:09.140
What we did was put a
band-aid on WEP by coming

02:09.140 --> 02:12.995
up with WPA, Wi-Fi
Protected Access.

02:12.995 --> 02:16.670
It's an improvement over
WEP in a couple of ways.

02:16.670 --> 02:19.460
WPA strengthened the
initialization vector

02:19.460 --> 02:20.965
by making it longer.

02:20.965 --> 02:24.155
It also introduced a
protocol called TKIP,

02:24.155 --> 02:26.885
Temporal Key Integrity Protocol.

02:26.885 --> 02:30.815
This is a temporary
dynamically negotiated key.

02:30.815 --> 02:34.655
The downside is that it still
used the RC4 algorithm.

02:34.655 --> 02:37.040
It had to continue
using this algorithm

02:37.040 --> 02:40.499
so that it could be backwards
compatible with WEP.

02:40.510 --> 02:44.090
Then WPA2 brought two elements

02:44.090 --> 02:45.875
that really improved
the security.

02:45.875 --> 02:49.910
The first was AES, Advanced
Encryption Standard.

02:49.910 --> 02:53.300
This is a much stronger
algorithm than RC4.

02:53.300 --> 02:56.330
I mentioned that RC4
was a stream cipher.

02:56.330 --> 02:59.350
Well, cipher is just
another word for algorithm.

02:59.350 --> 03:01.260
An algorithm refers to the

03:01.260 --> 03:03.434
math that the
encryption uses.

03:03.434 --> 03:07.140
RC4 was very fast
but easier to break.

03:07.140 --> 03:10.830
AES is slower but much stronger.

03:10.830 --> 03:13.520
Also, WPA2 replaced

03:13.520 --> 03:17.810
TKIP with a new stronger
protocol called CCMP.

03:17.810 --> 03:20.525
It has a crazy long
name for that acronym,

03:20.525 --> 03:22.820
Counter Mode Cipher
Block Chaining

03:22.820 --> 03:25.415
Message Authentication
Code Protocol.

03:25.415 --> 03:28.710
Just remember CCMP.

03:29.750 --> 03:32.850
We've got those three
modes for encryption.

03:32.850 --> 03:34.720
Then we have authentication.

03:34.720 --> 03:37.270
Now, remember,
authentication is proving

03:37.270 --> 03:41.095
your identity or proving you
are who you say you are.

03:41.095 --> 03:42.790
Specifically, when you have

03:42.790 --> 03:44.290
remote access devices that

03:44.290 --> 03:46.240
want to join your
local area network,

03:46.240 --> 03:48.114
you want to make sure that
they are authenticated

03:48.114 --> 03:50.410
and authorized systems
joining the network.

03:50.410 --> 03:53.260
There's less security
with remote access.

03:53.260 --> 03:56.065
If you have to be physically
wired to the network,

03:56.065 --> 03:57.670
then there's security
measures that would

03:57.670 --> 03:59.770
prevent or detect an intruder.

03:59.770 --> 04:01.720
But when you're allowing
people to connect

04:01.720 --> 04:03.580
via VPN or Wi-Fi,

04:03.580 --> 04:05.320
those physical security measures

04:05.320 --> 04:07.345
don't interfere
with an attacker.

04:07.345 --> 04:08.800
You have to make sure that you

04:08.800 --> 04:11.630
have strong technical controls.

04:11.970 --> 04:15.575
What you want is consistency
in your policies,

04:15.575 --> 04:17.045
strong authentication,

04:17.045 --> 04:18.380
and strong rules governing

04:18.380 --> 04:20.415
the connection of these devices.

04:20.415 --> 04:21.940
What you do is bring in a

04:21.940 --> 04:24.620
device called
a RADIUS server.

04:25.519 --> 04:28.935
In this diagram, you
can see the supplicants.

04:28.935 --> 04:31.070
These supplicants are
the remote devices

04:31.070 --> 04:32.870
that are trying to
access the LAN.

04:32.870 --> 04:34.835
When I say remote,

04:34.835 --> 04:37.505
I mean they're not physically
connected to the network.

04:37.505 --> 04:39.425
You might have Wi-Fi clients,

04:39.425 --> 04:41.765
dial-up, or VPN.

04:41.765 --> 04:43.520
Normally, they would connect

04:43.520 --> 04:45.244
to a network access device,

04:45.244 --> 04:48.410
like an access
point or AP for Wi-Fi,

04:48.410 --> 04:50.330
or a remote access server,

04:50.330 --> 04:52.235
or RAS for dial-up,

04:52.235 --> 04:55.345
or a VPN server for VPN clients.

04:55.345 --> 04:57.650
The supplicants
initiate the connection

04:57.650 --> 04:59.240
to the wireless LAN.

04:59.240 --> 05:00.920
Traditionally, we
would have gone to

05:00.920 --> 05:02.840
each one of these
authenticators,

05:02.840 --> 05:05.090
each access point, each RAS,

05:05.090 --> 05:09.155
each VPN, and configured
security policies for them.

05:09.155 --> 05:11.390
These policies would say who or

05:11.390 --> 05:14.585
what devices can connect and
when they are connected.

05:14.585 --> 05:16.880
It would be really
cumbersome to configure

05:16.880 --> 05:18.935
these policies for
each authenticator.

05:18.935 --> 05:20.690
Instead, we point

05:20.690 --> 05:21.710
those authenticators to a

05:21.710 --> 05:23.450
central
authentication service.

05:23.450 --> 05:27.255
The most common device
that does this is a RADIUS.

05:27.255 --> 05:29.255
RADIUS actually stands for

05:29.255 --> 05:33.060
Remote Authentication
Dial-In User Service.

05:33.700 --> 05:37.100
The illustration on the left
shows the supplicants,

05:37.100 --> 05:38.960
the authenticators,
and the use of

05:38.960 --> 05:41.615
a RADIUS central
authentication service.

05:41.615 --> 05:43.550
The configuration is defined

05:43.550 --> 05:45.395
within the IEEE standard called

05:45.395 --> 05:50.105
802.1x. The standard definitely
comes up on the test.

05:50.105 --> 05:51.470
I want you to make a couple of

05:51.470 --> 05:53.405
associations to remember it.

05:53.405 --> 05:57.210
When you hear 802.1x,
think RADIUS.

05:57.210 --> 05:59.410
Also, think EAPoL,

05:59.410 --> 06:01.445
which stands for Extensible

06:01.445 --> 06:04.565
Authentication
Protocol over LAN.

06:04.565 --> 06:06.260
EAP protocol is

06:06.260 --> 06:08.900
a very commonly used
protocol for authentication,

06:08.900 --> 06:10.580
and it's very flexible.

06:10.580 --> 06:13.130
Also, remember central
authentication for

06:13.130 --> 06:14.930
remote access and associate

06:14.930 --> 06:18.210
that with the 802.1x standard.

06:18.610 --> 06:20.810
A word to the wise.

06:20.810 --> 06:24.480
Wireless technology falls
in the 802.11 range.

06:24.480 --> 06:27.945
But remember that
RADIUS is 802.1x.

06:27.945 --> 06:30.195
It's not in the
wireless standard.

06:30.195 --> 06:31.940
But if you're not
paying attention,

06:31.940 --> 06:36.245
you'll mix them up.
Really it's separate.

06:36.245 --> 06:40.745
This is for EAP over LAN
or EAP over Ethernet.

06:40.745 --> 06:43.910
All that means is, those
authenticators are forwarding

06:43.910 --> 06:45.830
the EAP requests across the

06:45.830 --> 06:47.854
network to the RADIUS server.

06:47.854 --> 06:49.775
Be sure to keep
those separate

06:49.775 --> 06:52.290
and not mix them up on the test.

