Cisco WLAN Security

Captions
Hey there, folks. My name is Dan Goodman and I want to welcome you to another rousing edition of StormWind Studios' Succinct Held Online Remote Training sessions, or SHORTs if you just want to call them that. This is the 16th and final SHORT in the Wireless LAN Essentials series of SHORTs, where we focus on all things Cisco wireless LAN security. Now, some of these topics we've kind of sprinkled in throughout various SHORTs, and you'll see them in other areas as well, but just like every other course you find yourself in, we talk about all these cool things and then at the very last minute we're like, "Oh yeah, we should probably secure this stuff while we're at it." So we'll identify some security features and options that are available to us via the Cisco wireless LAN deployments. This will definitely be a little bit longer than the other SHORTs, because not only is all the bad stuff on wired networks applicable to wireless networks, but wireless networks have their own vulnerabilities that wired ones do not. We'll do a brief overview of wireless security, and then we're gonna take a look at some of the options at our disposal for authentication, privacy and integrity, and then finally the VPN options. Now, one thing I definitely want to throw out as kind of a disclaimer of sorts is that there are some weak security options that we are purposely excluding from this SHORT: things like WEP, open authentication, web authentication. They could pop up on a certification exam for some reason, I don't know why they would do that, but they are still out there in some way, shape or form. We're not including them here because what sense does it make to discuss something we shouldn't use? We've already got enough things to cover; why should we spend time saying, "Hey, there's this thing out there but you shouldn't use it, here's the things you should use"? I'm just gonna choose the latter and focus on the things we should use. Many of these legacy options, for lack of a better term, are still configurable options, but once again, just because they're there doesn't mean you should use them in any way, shape or form.

So the first thing that we want to take a look at is kind of an overview of wireless security, and one thing I definitely want to throw out in the early goings is that this SHORT could be fairly short, because no matter what we do we have to remember this fact: our wireless signals are free-floating in the air, where anyone with the right equipment can intercept them. That horrifying fact aside, we've actually sprinkled in some of the security in passing during our earlier SHORTs. In fact, if you think back to our wireless LAN design discussion, that incorporates things like physical security, because when we determine coverage and where our signal is accessible from, that's really physical security. Additionally, security needs to be a comprehensive approach, just like we find on wired networks. We don't look at it and say, "Oh, there's this, and others that we're not going to use"; we don't rely upon a single mechanism or feature. We're trying to build in that defense-in-depth, just like we do in other areas, as much as possible. We need to identify the endpoints of a wireless connection, identify the end user, protect data from eavesdroppers and protect data from tampering. So that means wireless security is going to boil down to three main things: trust, privacy and integrity, or to use the correct terminology, authentication and encryption. Now, with that in mind, this diagram breaks down what is considered to be pre-robust and robust security options. The earlier options were great when we were just happy to communicate sans wires, but obviously something more robust was eventually needed. These early options, like WEP and open system authentication and shared key, didn't require any additional hardware or really any additional overhead to implement, and if you think about it, you know, in the early goings wireless networking was very expensive, so any time we could leverage what we already had it was definitely going to be a plus. We also got to figure that wired NICs and access points, they're kind of two sides of a different coin; they're not two sides of the same coin. They have different capabilities, they have different power levels and all those sorts of things factored in.

So what we're going to focus on here, as I've mentioned a couple of times already, are the more robust security options, beginning with authentication. We have a couple of different options here. Now, for those of you guys who have taken other Cisco courses, you're probably familiar with 802.1X. 802.1X implements network access control at layer two through the implementation of the 802.1X protocol. Network connectivity is going to be permitted or denied based upon the user and/or machine identity, depending upon how you've configured it. Each user device is going to be authenticated and its port will be associated to a VLAN. Unfortunately, 802.1X by itself lacks the methods for wireless clients to send their credentials, so it needs to be combined with something else in order to support wireless LANs. So that's where 802.1X with Extensible Authentication Protocol, or EAP, comes into play. IEEE added the Internet Engineering Task Force (IETF) EAP, it's a mouthful of an acronym there, to 802.1X, so we had to combine three things into one there. It is important to note that EAP does not necessarily define the authentication method, which when you look at the name of the acronym doesn't make any sense, but let me explain: it just identifies the headers used in the authentication in a format that 802.1X understands. So, for lack of a better term, EAP is really the translator between the wireless headers and the wired headers, and it translates them in such a way that 802.1X can recognize, "Oh, this piece of information is that, that piece of information is this," authenticating who we need to authenticate and denying everybody else. So, for lack of a better term, to extend 802.1X down to the wireless LANs via EAP, we're going to get mutual authentication for clients and the access points, we're gonna get centralized management and we're gonna get policy control. So it is an extension of 802.1X, but really all it is is the interpretation of the same information, so it's the same thing just in a different format. That's what I'm trying to say here.

Now, the word extensible means that there's a variety of EAP options, beginning with LEAP, or Lightweight EAP. This was a Cisco proprietary authentication method where the credentials would be supplied to an authentication server (too many "authenticates" in one sentence). The server and client would exchange challenges that must be encrypted in return. It is considered deprecated, but if you take a look at that previous slide with the pre-robust options, it's definitely better than those legacy options like WEP and open authentication. LEAP is considered deprecated but definitely better than those ones. EAP Flexible Authentication via Secure Tunneling, or EAP-FAST: the credentials in this case get passed via a Protected Access Credential, or PAC, with inner and outer authentication. A shared secret would be generated by the authentication server that is used for the mutual authentication, so the client can recognize the access point and the access point can recognize the client. Basically, this is going to occur in three phases. Phase 0 is where the PAC gets generated to establish that initial tunnel. Phase 1 is where mutual authentication occurs and we establish a Transport Layer Security, or TLS, tunnel. Phase 2 is where the users are actually authenticated via that TLS tunnel. So it is a tunnel within a tunnel: the initial tunnel sets up the communication between the two devices; once that tunnel is up we build a second tunnel so that the credentials are sent as securely as possible, because as I mentioned, no matter what we do those signals are free-floating in the air, so we want to make them as secure as possible. Now, in order to implement EAP-FAST you do require a RADIUS server that is capable of operating as an EAP-FAST server, so make sure you evaluate that as part of your overall design.

We also have Protected EAP, or PEAP as the acronym is called: similar inner and outer authentication to EAP-FAST, but in this case the authentication server presents digital certificates in the outer authentication. Now, the client itself doesn't require a certificate and is instead authenticated via that TLS tunnel that we just had, but we have two options there. We have MS-CHAPv2, Microsoft Challenge Authentication Protocol version 2 (I think I forgot an H in there: Challenge Handshake Authentication Protocol version 2), and then GTC, a Generic Token Card. Now, we can also implement one-time passwords with PEAP. Finally, we have EAP-TLS. "Didn't you just say TLS?" Yes, I did, but there's a difference here. This is considered the most secure option when you're factoring in the EAP discussion. With PEAP the servers have certificates installed on them, but the clients are forced to use other methods. It's kind of the, what good... good is, man, I cannot talk today... what is good for the goose is good for the gander. Why are the servers authenticating one way and the clients are authenticating a different way? That just presents a number of concerns; everybody should have to meet the same standards. Now, the implementation of this requires certificates on the authentication server and every client device, but the problem that you're going to run into is that not every wireless device is capable of having a digital certificate installed on it. Now keep in mind that you can set up these security methods on a wireless LAN by wireless LAN basis: you know, your internal users can use EAP with TLS; maybe your guest users use one of the lesser forms. You also need to look at the types of devices. You know, things like RFID tags or wireless scanners come to mind; not every single one of them is capable of having a digital certificate installed on it, so they couldn't even authenticate if they wanted to.

So what we've attempted to do here is kind of summarize all of these options available to us with EAP. We summarize some of the main features that you should consider in your deployment; other options are deprecated or simply not as popular as the ones we've included here in the table. Basically, if you had to describe this in a nutshell: EAP-TLS, PEAP and EAP-FAST all support what's called Cisco Centralized Key Management, or CCKM. One controller essentially will maintain a database of the clients and the keys, and that database gets provided to the other controllers and trickles down to their access points as needed. Now, in order to take advantage of CCKM the clients do require Cisco Compatible Extensions support, and really the main benefit we get from that is faster roaming, because the clients can authenticate and roam, authenticate and roam, much faster than with any of the other options. When you take a look at EAP-TLS, PEAP and EAP-FAST, they all support local controller authentication. Only EAP-TLS does not support one-time passwords. EAP-FAST does not require server certificates. Only EAP-TLS requires client certificates. Protected Access Credentials are only supported with EAP-FAST. Finally, since EAP-TLS is the most secure option, it's also the most complicated one to deploy, because as I mentioned a second ago, every device needs to have those certificates installed on it. Now, all of these characteristics should be factored into your deployment plan, because you have to factor in client support. We mentioned, and I've mentioned again, that not all clients support digital certificates, so even though TLS is the most secure option, in a funny way it may not be the best option. You have to balance security and complexity; too much of a good thing is a bad thing, as the cliché goes. Different security methods for different client devices adds to complexity, so if you are thinking, "Hey, I'm gonna go with EAP with TLS," you have to recognize that some client devices, they're gonna get 86'd; they're not going to be able to connect, and that's where the trade-off comes into play. Maybe those devices you don't want on your network to begin with, or maybe you put them on a separate wireless LAN. You have to balance those two items with each other. You also have to consider your authentication server support: you may need to deploy an authentication server in order to support the EAP option you select.

So, factoring in authentication, the next thing we need to take a look at is privacy and integrity. Now, after covering those authentication options, how do we protect the data in open space and determine if it has been tampered with? Now, technically Wired Equivalent Privacy, or WEP, could be included in this discussion, but it is one of those options we should not be using. It's listed as a configurable option, but if you take away anything from what I'm about to say here: don't use it. Don't use WEP in any way, shape or form. Keep that in mind here momentarily. Temporal Key Integrity Protocol, or TKIP, is basically recognizing the earlier attempts at encryption. In the early goings, early attempts at encryption suffered from predictable patterns, which really defeats the purpose. If you take the most simplistic encryption and say, "Oh, every fourth word is going to be translated into this," that's a very predictable pattern, which defeats the entire purpose of encrypting something to begin with. TKIP was able to leverage the existing equipment that could be upgraded through simple firmware upgrades. It was developed in conjunction with the IEEE 802.11i task group as well as the Wi-Fi Alliance to replace WEP entirely. Now, it does form the basis of what's known as Wireless Protected Access, or WPA, but technically it was a separate entity. It's kind of like when Batman joins the Justice League: you know, he's still Batman, but sometimes he's part of the Justice League and sometimes he isn't. Same kind of thinking with TKIP and WPA. Now, essentially TKIP was an interim measure that provided a solution till WPA was ready for public consumption. TKIP uses dynamically generated and unique 128-bit encryption keys, otherwise known as temporal keys, hence the name. WEP, on the other hand, used static keys, and static when it comes to encryption you want to think bad, because it's very simple, very predictable. Now specifically, TKIP added a couple of features that have been rolled up into the more robust options we have now. Message Integrity Check, or MIC, adds a hash value to each frame to prevent tampering. It really doesn't prevent it, but it lets us know when somebody's tampered with the data, so it is somewhat misleading in that regard. There is a timestamp that intends to prevent replay attacks that will reuse or replay previously sent frames. The sender's MAC address is included with the MIC to identify the frame source, kind of a way of, do we trust the sender or do we not trust the sender. And then there's a TKIP sequence counter, which is used once again to prevent replay attacks. The key mixing algorithm is a unique 128-bit WEP key for each frame. We also had a longer initialization vector, otherwise known as an IV; this doubled what WEP had, to 48 bits, to counteract brute-force calculations. Now, the reason I did this when I said WEP is because TKIP still uses WEP keys for each frame. It was deprecated back in the 802.11-2012 standard; however, it is definitely better than those options that I've chosen to ignore from this particular SHORT.

Moving onward and upward to Wi-Fi Protected Access. As I mentioned a second ago, this was developed by the Wi-Fi Alliance, mirrors the IEEE standards, and it is technically a certification rather than a protocol, right? It ensures the equipment adheres to a common standard of security. So it added or combined things; it kind of took away the good, added some new, and those sorts of things. We had pre-shared key or 802.1X authentication. We could use TKIP or something called Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, or CCMP, based on AES, for encryption (man, these acronyms), and then also included the MICs that were introduced with TKIP. So circling back to that mouthful of an acronym, CCMP: technically a recursive acronym, because it contains an acronym within an acronym, and we can't ever have too many acronyms. CBC-MAC is the acronym for that Cipher Block Chaining Message buh-buh-buh-buh-buh portion of the acronym, so when you read it it'll be CBC-MAC-MP; that's how I get the CCMP. So the CBC-MAC basically adds message integrity; we get the MIC as well as a frame check sequence to identify if and when tampering occurs. Now, the other acronym I threw into the discussion there was the Advanced Encryption Standard, or AES. This is a block cipher that replaced the RC4 method as well as TKIP. It uses a 128-bit key and encrypts data in 128-bit blocks. Recognize that AES, just like WPA, is a standard, not necessarily a protocol. Now, WPA offered both TKIP or CCMP because legacy devices that only support WEP, of which TKIP is kind of based upon, could still take advantage of a bigger, beefier, more robust, kind of a backwards-compatible option. Now, WPA was capable of operating in one of two modes. Personal mode is where we have pre-shared keys for client authentication, very useful for smaller deployments, and Enterprise mode, which basically took the 802.1X-based authentication and combined it with WPA, obviously, as the name implies, intended for much larger deployments. When we get to WPA2 it kind of simplified things. It said, you know what, those legacy devices that can only use TKIP? Go buy a new laptop. That's essentially what they said, because they said, you know what, we're only using CCMP with AES, that's it; if you can't support those, go find another wireless network to connect to. It also certified the interoperability with EAP-based authentication. Now, I know some of you guys are thinking, what about WPA3? We're specifically not covering it here because, in a nutshell, that's a very fluid situation and it's not really come to fruition yet; there's a lot of kinks to work out. Enough clichés. We're skipping it because it's not listed in the Cisco documentation as of yet.

So moving on to the last topic we wanted to discuss: VPNs. VPNs are obviously present in wired networks; we seem to talk about VPN options in every course, and we've mentioned them here a few times in earlier SHORTs. Our goal here is essentially to connect the dots between the benefits of a VPN for our wireless LANs. The security options we've discussed in this SHORT really focus on layer 2, and VPNs focus on layer 3. Now, technically you could add the VPN protection at layer 3 to the layer 2 protection, or skip the layer 2 protection and only focus on the layer 3 protection provided by the VPNs. Now, I'm willing to bet that most of us recognize the benefits of the standard of defense-in-depth, and having more security is usually better than the alternative. So just keep in mind that if you wanted to ignore everything I just said on the previous slide and just skip over the layer 2 stuff, technically you could go this route, but I'm willing to bet most of us will add this on top of the layer 2 stuff. Now, Cisco IOS Secure Socket Layer VPN provides SSL VPN remote access connectivity using only a web browser. This is intended to simplify deployment of extended access to the enterprise network, and it basically provides three modes of VPN access: clientless, thin client and tunnel mode. Clientless gives secure access to private web resources as well as web content, useful for most browser-based content, which is pretty much everything nowadays. There's also the thin-client mode, which extends the browser's cryptographic functionality to enable remote access to TCP-based applications like POP3, SMTP, IMAP, Telnet, Secure Shell, etc. Finally, there's tunnel mode. Tunnel mode offers extensive application support through the dynamically downloaded Cisco AnyConnect VPN client. This is a lightweight, centrally configured, easy-to-support client; it provides access to virtually any application you can think of. AnyConnect is actually powered by Cisco's Adaptive Security Appliance, or ASA. Cisco considers that to be the industry-leading firewall, just in case you are wondering. Now, for wireless LANs the ASA does offer very secure mobility solution components, such as built-in modules that provide enhanced security, superior connectivity features, Cisco web security, persistent security and policy enforcement, clientless access, virtual desktop infrastructure access, Cisco Host Scan, mobile devices, anything you can think of; of course the ASA can do it, right? Now, this is deployable as an on-premise Cisco Web Security Appliance, or WSA, or a cloud-based Cisco Cloud Web Security offering. Now, for those of you guys who have been working with Cisco for a while, you're probably thinking, what about the Easy VPN? The Cisco Easy VPN is retired and no longer supported, so we've got the AnyConnect option to replace that. All right folks, that officially wraps up our final SHORT on Wireless LAN Essentials. Now, we will have other SHORTs covering other topics, but as far as this one is concerned, you don't have to go home, but you have to get the heck out of here. We'll see you soon. Okay.
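The integrity and anti-replay mechanisms the video walks through (a MIC bound to the sender's address, a per-frame packet counter, and "Counter Mode with CBC-MAC" on AES) in working Go, as an added example that is not code from the video or from Cisco. It uses a simplified nonce and block layout rather than the exact 802.11 CCMP frame format, a constructed key, sender address and frames, and the names block0, mic, Seal, Open and Demo are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// block0 builds the 16-byte nonce block shared by the MIC and counter mode: flag || sender address || packet number || tail.
func block0(flag byte, src [6]byte, pn uint64, tail byte) []byte {
	return append(binary.BigEndian.AppendUint64(append([]byte{flag}, src[:]...), pn), tail)
}

// mic is the CBC-MAC half of CCMP (simplified block layout, not the exact 802.11 CCM one): AES chained over 16-byte blocks.
func mic(c cipher.Block, src [6]byte, pn uint64, pt []byte) []byte {
	msg := append(block0(0x40, src, pn, byte(len(pt))), pt...) // the payload length is authenticated
	msg = append(msg, make([]byte, (16-len(msg)%16)%16)...)     // zero-pad the final block
	tag := make([]byte, aes.BlockSize)
	for i := 0; i < len(msg); i += aes.BlockSize {
		for j := range tag {
			tag[j] ^= msg[i+j]
		}
		c.Encrypt(tag, tag)
	}
	return tag[:8] // CCMP carries a 64-bit MIC
}

// Seal: MIC over the plaintext (bound to sender and packet number), then plaintext||MIC encrypted in AES counter mode.
func Seal(c cipher.Block, src [6]byte, pn uint64, pt []byte) ([]byte, error) {
	if len(pt) > 255 {
		return nil, errors.New("payload over 255 bytes (limit of this demo's length byte)")
	}
	buf := append(append([]byte{}, pt...), mic(c, src, pn, pt)...)
	cipher.NewCTR(c, block0(0x01, src, pn, 0)).XORKeyStream(buf, buf)
	return buf, nil
}

// Open rejects replays by packet number, decrypts, and checks the MIC before releasing plaintext or advancing last.
func Open(c cipher.Block, last map[[6]byte]uint64, src [6]byte, pn uint64, body []byte) ([]byte, error) {
	if n, seen := last[src]; len(body) < 8 || (seen && pn <= n) {
		return nil, errors.New("replay or short frame: packet number not above the last one accepted")
	}
	dec := make([]byte, len(body))
	cipher.NewCTR(c, block0(0x01, src, pn, 0)).XORKeyStream(dec, body)
	if subtle.ConstantTimeCompare(dec[len(dec)-8:], mic(c, src, pn, dec[:len(dec)-8])) != 1 {
		return nil, errors.New("MIC mismatch: frame tampered with or wrong key")
	}
	last[src] = pn
	return dec[:len(dec)-8], nil
}

// Demo (constructed data): a bit-flipped copy, then the genuine frame, then a replay of it.
func Demo() (string, error, error) {
	c, _ := aes.NewCipher([]byte("16-byte-demo-key")) // constructed 128-bit temporal key
	src := [6]byte{0x02, 0xAA, 0xBB, 0xCC, 0xDD, 0x01}
	last := map[[6]byte]uint64{}
	good, _ := Seal(c, src, 1, []byte("hello over the air"))
	_, tamperErr := Open(c, last, src, 1, append([]byte{good[0] ^ 0x80}, good[1:]...)) // one flipped bit
	pt, _ := Open(c, last, src, 1, good) // the rejected forgery did not advance the counter
	_, replayErr := Open(c, last, src, 1, good)
	return string(pt), tamperErr, replayErr
}
```

Demo shows the flipped bit caught by the MIC (counter mode turns it into one wrong plaintext byte), the genuine frame accepted, and the same frame refused a second time by the packet-number check alone, before any decryption.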
Info
Channel: StormWind Studios
Views: 2,198
Id: 6PNDUPi6Atk
Length: 24min 38sec (1478 seconds)
Published: Wed Jun 03 2020