WEBVTT

00:00.199 --> 00:04.440
>> Let's continue our discussion
of wireless security.

00:04.440 --> 00:06.690
A lot of times we're
concerned with

00:06.690 --> 00:09.420
wireless devices on the
network and making sure

00:09.420 --> 00:11.490
that users are
authenticated and making

00:11.490 --> 00:14.505
sure that data that's
transmitted is encrypted.

00:14.505 --> 00:16.980
A lot of times our
focus is on making

00:16.980 --> 00:19.140
sure that the users
are the right users.

00:19.140 --> 00:22.095
We don't allow malicious
entities on the network.

00:22.095 --> 00:24.060
But what we don't
always think about is

00:24.060 --> 00:26.730
how much trust we have
in our access points.

00:26.730 --> 00:28.740
I'm used to providing
my username and

00:28.740 --> 00:31.395
a password to authenticate
to an access point.

00:31.395 --> 00:33.000
But where do I get
assurance that

00:33.000 --> 00:36.340
the access point is the
legitimate access point?

00:36.830 --> 00:39.115
We have these issues with what I

00:39.115 --> 00:41.705
refer to as rogue
access points.

00:41.705 --> 00:43.700
Maybe you're at a Starbucks.

00:43.700 --> 00:45.260
I create an access point with

00:45.260 --> 00:48.055
an SSID of "Coffee Shop Wi-Fi".

00:48.055 --> 00:51.200
If you're not specifically
looking for Starbucks, or

00:51.200 --> 00:54.410
the Starbucks device is down,
or if I were closest to you,

00:54.410 --> 00:57.695
my SSID would appear at
the top of the list.

00:57.695 --> 00:59.510
Many times people just click on

00:59.510 --> 01:01.645
the first network
that makes sense.

01:01.645 --> 01:04.740
You'll see this in
airports and hotels.

01:04.740 --> 01:07.580
You need to be very
suspicious unless you've been

01:07.580 --> 01:10.840
told the name of the access
point and you verified it.

01:10.840 --> 01:12.935
But even if that's the case,

01:12.935 --> 01:14.270
we still have the possibility of

01:14.270 --> 01:16.525
the device being an evil twin.

01:16.525 --> 01:19.430
This is a type of rogue
access point that has

01:19.430 --> 01:22.415
the SSID of a legitimate
access point.

01:22.415 --> 01:25.610
It's very easy to
configure an SSID.

01:25.610 --> 01:27.560
There's no process
to make sure there's

01:27.560 --> 01:30.570
no other SSID with
the same name.

01:32.060 --> 01:36.290
What will happen is once you
connect to a specific SSID,

01:36.290 --> 01:38.390
by default, your network
card will connect you

01:38.390 --> 01:41.245
to the same SSID again
if it's available.

01:41.245 --> 01:43.310
If I know the
access point for

01:43.310 --> 01:45.140
the Wi-Fi network at your work,

01:45.140 --> 01:46.520
and I create an
access point with

01:46.520 --> 01:48.520
the same name and
I'm closer to you,

01:48.520 --> 01:51.125
then you are likely to
connect to my device.

01:51.125 --> 01:54.235
That's a classic
man-in-the-middle attack.

01:54.235 --> 01:58.230
It's so easy to get users
to use rogue access points.

01:58.230 --> 01:59.840
Then if that's the case,

01:59.840 --> 02:02.765
none of the other stuff about
authentication matters,

02:02.765 --> 02:06.235
because all your data is
coming through my system.

02:06.235 --> 02:08.510
We really want to
be concerned about

02:08.510 --> 02:10.160
the fact that many times we

02:10.160 --> 02:11.360
can't get assurance that

02:11.360 --> 02:13.690
the access point
is the correct one.

02:13.690 --> 02:15.620
What we should
have is the use of

02:15.620 --> 02:17.630
certificates in our
environment that are going to

02:17.630 --> 02:18.950
allow access points and

02:18.950 --> 02:22.120
DNS servers to
authenticate to clients.

02:22.120 --> 02:24.890
Something called NDES or

02:24.890 --> 02:26.990
network device
enrollment support is

02:26.990 --> 02:28.760
a protocol that
allows devices like

02:28.760 --> 02:32.105
access points to authenticate
using certificates.

02:32.105 --> 02:35.185
We really prefer
mutual authentication.

02:35.185 --> 02:37.530
I'll authenticate to
the access point.

02:37.530 --> 02:39.770
But that access point needs
to provide some sort of

02:39.770 --> 02:42.835
certificate to ensure it's
the correct access point.

02:42.835 --> 02:44.720
But there's a lot
of overhead and

02:44.720 --> 02:47.315
time involved in
managing certificates.

02:47.315 --> 02:49.310
One of the better
methods for mitigating

02:49.310 --> 02:52.585
these risks is to scan the
network for your devices.

02:52.585 --> 02:55.400
This involves constantly
scanning the network and

02:55.400 --> 02:57.950
knowing the number of access
points that you should have,

02:57.950 --> 03:01.135
and noticing if there are
any additional ones added.

03:01.135 --> 03:03.560
It's just about
monitoring and staying on

03:03.560 --> 03:06.540
top of these potential
security issues.

03:07.360 --> 03:11.695
Let's wrap up this section
on wireless security.

03:11.695 --> 03:14.630
We know we have the additional
challenge of securing

03:14.630 --> 03:16.370
wireless communications
compared to when we have

03:16.370 --> 03:19.075
a network that is
connected by cables.

03:19.075 --> 03:21.634
We primarily think
about encryption,

03:21.634 --> 03:26.645
where we have our choices
of WEP, WPA, and WPA2.

03:26.645 --> 03:28.850
Now we have WPA3.

03:28.850 --> 03:31.220
But it hasn't made it
onto the exam yet.

03:31.220 --> 03:33.845
You do not need to worry
about that right now.

03:33.845 --> 03:36.470
Under authentication,
we think about

03:36.470 --> 03:38.270
centralized authentication under

03:38.270 --> 03:41.480
the IEEE standard 802.1X,

03:41.480 --> 03:44.450
also known as EAP over LAN,

03:44.450 --> 03:47.225
where we bring in a central
authentication server,

03:47.225 --> 03:49.040
like a RADIUS server to provide

03:49.040 --> 03:52.540
a centralized point of
authentication and policy.

03:52.540 --> 03:55.085
Then last but not least,

03:55.085 --> 03:57.170
we talked about some
common threats.

03:57.170 --> 04:00.305
We talked about rogue access
points and evil twins,

04:00.305 --> 04:03.005
which are particularly
difficult to detect

04:03.005 --> 04:04.370
because they have the same name

04:04.370 --> 04:06.580
as legitimate access points.

04:06.580 --> 04:08.700
Then NDES.

04:08.700 --> 04:10.010
It's a protocol that allows

04:10.010 --> 04:11.630
devices like access points and

04:11.630 --> 04:12.860
other servers to enroll for

04:12.860 --> 04:15.965
certificates that they can
use for authentication.

04:15.965 --> 04:19.080
That's a good
mitigation strategy.

