[0:00:02] Hello and welcome to this video titled The Need for and Components of Wireless LAN Security. In this video I have four major topics I'd like to go over. I'll start by explaining why we need wireless LAN security, what the differences are between secured and unsecured wireless LANs, and what expectations various people have when they have wireless LAN security.

[0:00:31] So let's start out with answering the question of why. Why do we need wireless LAN security? Well, to answer that it really helps to compare and contrast wireless LANs with wired LANs. The two are not the same, and fundamentally they have very different security needs. So let's start by looking at wired LANs as an example. Now in a wired LAN each host is connected to a unique switch port. So imagine, for example, that this right here is a physical Ethernet switch connected to three hosts, A, B and C, and those hosts might be laptops, servers, MacBooks, maybe even IP phones. In today's world we don't really use hubs anymore; individual hosts are wired directly to a switch port. So on this cable right here, the only devices on that cable are host A and the switch at the other end of that cable. All right, so let's keep going.

[0:01:33] Hosts within the same VLAN (and it's important that it's within the same VLAN) have no visibility to each other's unicast traffic. Now we know that if you're on a VLAN, yes, you will see each other's broadcast traffic. But what about unicast traffic? So for example, when host A is sending a unicast Ethernet frame directly to host B's MAC address, only host A and host B will see that. Because of the way that the switch forwards frames, host C on the top there will never have visibility to that Ethernet frame. So he can be sniffing all day long with Wireshark or whatever packet capture program he wants, and he will have no visibility to that communication between A and B. That's just the nature of wired Ethernet switching. Also, devices that are physically not connected to that switch have no networking capability. In other words, if I have another host, maybe right here, here's host D, and host D isn't even cabled to the switch yet. He has no wire. Well then he clearly can't sniff or see any of the information going between A, B and C, because he's not even connected to the network at all. As far as the network is concerned he doesn't even exist. So that's our review of wired networking. Now when you think of wireless it's a whole different ball game.

[0:03:00] In a wireless LAN all hosts share the same medium. So a common characteristic of wireless, whether you're talking about older wireless standards like 802.11a or g or b, or the newer wireless standards like 802.11ac or ad or ax coming out: they all share one thing in common. If I have five hosts or 50 hosts all connected to the same wireless LAN that my access point is advertising, they're all sharing the same airspace. So when my laptop starts communicating on that wireless LAN, there's nothing I can do to prevent anything else within range of hearing that radio frequency from hearing my communication. It's not like I'm directly connected to a wire that nobody else is on. Everybody's going to hear that radio frequency. I can't stop it. I can't limit it from propagating out beyond my antenna once my antenna starts radiating that energy into the air. Another difference: hosts connected to a wireless LAN can see each other's frames. They see all of each other's frames. It's not like a wired LAN. Right, in a wired LAN, if I have Wireshark or some other sniffer program turned on and I'm capturing everything I see on my wire connected to that switch, the only things I'm going to see that do not belong to me are multicasts and broadcasts. Unicasts, if they don't belong to me, I'm not going to see them. Well, in a wireless LAN, because everything goes into the radio waves, you're going to see everything. Broadcast, multicast, unicast, data frames, management frames, control frames: everybody sees everything.

[0:04:44] And here is also another point. In the wired LAN, if I had a PC or laptop that wasn't physically connected to my switch, didn't have a cable going to that switch, there was no way he was going to see any of the data going through that switch. Makes kind of common sense. He didn't have physical connectivity to it. Well, in a wireless LAN, as long as a device has an antenna and has the ability to be within range of a certain frequency spectrum, it can hear what's going on in the wireless LAN. In other words, I could have a laptop that's not even connected to the access point. I'm not even associated to the SSID, but if I'm within range of hearing the radio frequencies that are being used on that SSID, I can sniff that traffic. I can see it. Very different than a wired LAN. Okay, so now let's move on.

[0:05:35] So wired LANs fall into two sort of very high level categories: secured and unsecured. Now when I say secured, that doesn't necessarily mean that it has encryption on it. Actually, no, secured does mean encryption. So let's talk about what the differences are between those. Let's start with unsecured wireless LANs. These are what we typically call open wireless LANs. So this would be unsecured: no password, free to use. So this might be found in, for example, a public place like an airport or a restaurant or a coffee shop. So an unsecured wireless LAN is something that you don't necessarily have to have a password for. Now you're probably not going to find too many of those around. Most wireless LANs these days, at an absolute minimum, have some kind of authentication where somewhere, posted on a whiteboard or on a wall or something, they'll tell you what the passphrase is for that wireless LAN so you can get on. But just because you're given a passphrase, don't let that trick you into thinking that your data is secured and that people won't be able to see what you're sending; that's not necessarily the case. Now a secured wireless LAN, number one, may or may not advertise its presence. What does that mean?

[0:06:54] Well, what access points do (so we're talking about a typical wireless LAN that uses a central point, an access point, that everybody's connected to): access points send out special management frames called beacons. They're sent out pretty frequently, every 100 milliseconds, so 10 times per second an access point is sending out a beacon. And there are a lot of fields in that beacon, for example what signal strength he supports, what frequency he supports, a lot of stuff. Now there's also a field in there that indicates what the name, or what we call the SSID, is of that wireless LAN. Now when the network administrator was first configuring that access point and configuring that wireless LAN, they gave it a name. Every wireless LAN has to have an SSID; that's a descriptive name. But when you configure that descriptive name as part of the configuration process you have a choice, usually a checkbox or a pull-down menu or something, that gives you as a network administrator the ability to either advertise or not advertise that SSID.

[0:07:56] So if you say yes, I want to advertise that SSID, that means within that beacon frame that's going out 10 times a second your SSID's name will be right there, and then when someone goes and looks at the available wireless LANs on their laptop or their tablet they'll see the name of your wireless LAN, as long as they're within range of hearing that beacon. But alternatively, sometimes for security purposes people say, you know what, I only want my employees to be aware of this wireless LAN. I'll tell them what the name is so they can manually type it into their laptop or something, but if someone's just scanning and seeing what wireless LANs are available I don't want them to see my SSID. I can't necessarily stop them from getting my beacon, but I don't want the SSID being inside of that beacon. And that is an option when you create a wireless LAN on a controller or an access point: you could deselect the box for broadcasting the SSID, which means the beacons will still go out but the name of your wireless LAN will not be in there. So for somebody to connect to that wireless LAN they'd already have to know what the name is in advance.

[0:09:02] Secured wireless LANs will always have some form of authentication. It could be something as simple as a real simple passphrase; it could be something much more complex, such as an exchange of digital certificates or something like that. And secured wireless LANs by their very nature will encrypt your data between the Wi-Fi client, which is your laptop, your PC, and the access point. And this is also a very important point: sometimes people who are new to Wi-Fi think, oh, I'm connecting to a secured wireless LAN, which means that my data is encrypted starting at my client, my laptop, all the way to its destination, wherever that destination might be; it might be some server owned by Google or something that's three thousand miles away. Well, Wi-Fi security does not provide end-to-end encryption like that. When we're talking about encryption in the world of Wi-Fi it's simply between your client and the access point. Once the access point gets your Wi-Fi frames and converts them into wired frames, it decrypts them and outputs your data in plaintext into the wired frame as it sends it out onto the distribution system. The distribution system is the name of the wired network that's sitting behind the access point. And secured wireless LANs obfuscate (there's a big word for you, obfuscate) visibility of your data. That simply means that your data is encrypted, so if someone's sniffing it (and we can't really stop them from sniffing it if they're within range of the radio frequency) they won't be able to tell what you're doing. The data will look like it's garbled to them.

[0:10:37] All right, so when we think of wireless LAN security, the goals or objectives behind wireless LAN security are very different depending on whose perspective it is. So if we're talking about the network administrator, the network administrator has very different needs for Wi-Fi security than just a typical user who's connecting to it so they can get internet access, for example. What are some of the things that the network administrator is thinking about when they're thinking about, hmm, should I implement security, what features should I use, where should I do it? Well, these are some of the common things that the network administrator would think about. They only want authorized people on the wireless LAN; maybe just their employees should have access to it. They only want to provide authorized resources via the wireless LAN; maybe if you connect to this wireless LAN over here you're only authorized to go to maybe this handful of servers, and you're not allowed to get to some other resources on the wired network. Maybe the network administrator wants to restrict the quantity of wireless LAN clients, especially if you're talking about something like a stadium or a coliseum that might have tens of thousands of people in it and hundreds of access points, maybe even thousands of access points, circling that coliseum. One of the design ideas is we don't want any particular access point becoming overloaded with clients, because remember, everybody is sharing the same airspace. If I just have two clients connected to an access point, those two clients can go pretty fast; they can get pretty fast bandwidth because they're not really contending with each other that often. Now if that same access point is supporting 100 clients within its circle of influence, now everybody's going to be going pretty slow, because they're going to be fighting over each other. So part of Wi-Fi security is maybe putting a cap or an upper limit on the maximum quantity of people that can associate with that access point. Also, the network administrator might want to implement some sort of feature to be able to detect rogue access points. A rogue access point is an access point that has been put into place and yet it's not controlled by the company. Some employee brought it in in their backpack; somebody walked into the coffee shop and set up their own access point. But it's an access point that is not an authorized, controlled access point. We call that a rogue access point.

[0:12:59] Now what about you? You're the network user. You're going to the coffee shop, you're going to your company's headquarters. What are you typically concerned with, if you even bother to think about wireless LAN security at all? Well, you're probably not considering all the stuff that the network administrator is considering. The stuff that's on the top of your mind is you want your data safe, you want it encrypted. That's probably about it. That's probably really the only main thing you think about when you think about wireless LAN security: hey, I can't stop people from seeing my radio energy and my frames, but I do want to make sure they can't interpret or read what they're looking at. So that's your primary concern.

[0:13:40] Now when we talk about wireless LAN security there are three primary components to it that we need to take a look at. Number one, wireless LAN security is composed of authentication. So there's going to be some form of authentication in wireless LAN security, and there are multiple ways that you can accomplish that. Data confidentiality: as your data is going across, you want it to be confidential. In other words, we can't stop people from seeing it, but we don't want them to be able to understand it. That's typically implemented via encryption. And data integrity. Data integrity simply means that, hey, if I get a Wi-Fi frame from the access point, what assurances do I have that this frame wasn't modified in transit, that the data wasn't changed in transit? Now you might think, well, wait a second, for wireless, how was that even possible? Well, when you receive a Wi-Fi frame you might think you're getting it from the access point, but there are certain circumstances where people can put rogue access points in place that nobody knows about, and they can trick you into connecting to their rogue access point. You think you're connecting to the corporate access point; in reality you're talking to the rogue, and then the rogue access point in turn connects to the real access point. So when data comes down from the wired network, it hits the real access point, then goes to the rogue access point (so the rogue access point is just a client of the real, authorized access point), and now that rogue access point has the ability to capture that data and maybe make some changes to it before it replays it back to you, and you're connected to that rogue. So how can we detect that? That's called data integrity: detecting if something has been changed from when the frame was originally created.

[0:15:31] Now typically all of those things, authentication, data confidentiality and data integrity, are accomplished and implemented after you've already associated to your wireless LAN, to your SSID. Authentication can occur independently. So there are wireless LANs out there, for example, but this ... you're not really going to be encrypting anything; that Wi-Fi password is just so you can get on to their wireless LAN, but once you're on it and the wireless LAN knows who you are, it's not necessarily encrypting anything. So you could have a wireless LAN that's got the authentication piece but doesn't have the data confidentiality and integrity piece, and in public Wi-Fis most of the time that is the case. Now for a wireless LAN that does have encryption, encryption and data integrity do go together. Okay, so wireless LAN protocols like WPA2 with CCMP, those encryption protocols are rolled into data integrity; they go hand in hand. So that concludes this video.