Network Security 4.3

open system

When you're configuring the authentication type on your wireless devices, you'll have a number of options available. One option is to not require any authentication at all on the wireless network. That is defined as an open system, where no password is needed.

Protected EAP (PEAP)/EAP-MSCHAP

Another popular EAP type is PEAP. This is the Protected Extensible Authentication Protocol, or protected EAP. It was created by Cisco, Microsoft, and RSA Security to provide EAP within a TLS tunnel. It was commonly implemented on Microsoft devices as PEAPv0. You might also see it referred to as EAP-MSCHAPv2, because it authenticates against Microsoft CHAP version 2 (MS-CHAPv2).

EAP-TLS (EAP-Transport Layer Security)

As wireless technology became more popular, there was an authentication method that also gained wide adoption. This was EAP-TLS. The TLS stands for Transport Layer Security. This is the same security that we use for our web servers, and we now use it for our wireless authentication as well. Some organizations, though, needed additional options for authentication, so EAP-TTLS was created. This is EAP Tunneled Transport Layer Security. It allows us to tunnel other types of authentication methods through the existing encrypted EAP communication. EAP-TLS is a protocol that defines the use of a RADIUS server as well as mutual authentication, requiring certificates on both the server and every client.

CCMP-AES

CCMP stands for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, and it effectively replaced the TKIP that we had in WPA. CCMP's block cipher mode uses a 128-bit key and a 128-bit block size. Because WPA2 was using a more advanced encryption algorithm, additional resources were required from our wireless devices, and many organizations had to upgrade their access points to be able to take advantage of WPA2. But the features in WPA2 were well worth the upgrade: (1) we have data confidentiality with AES encryption, (2) we have authentication features built into WPA2, and (3) access control is also a feature of the WPA2 protocol.

Shared System

If you're at home, or you're working in a small office, your wireless network may be configured with WPA2-Personal. You might also see this called WPA2-PSK. The PSK stands for pre-shared key. This means that anybody who needs access to the network needs to know that pre-shared key. And if you change that pre-shared key on the access point, you would also have to change the configuration of every device connecting to that wireless network. If you're in a much larger working environment, you're not going to give everybody the same key and expect that key to remain secure. In that case, you would use WPA2-Enterprise. You may see this referred to as WPA2-802.1X, because we're going to use 802.1X to provide network access control to this wireless network. You would log in with your normal username and password for your particular device. It will authenticate against a back-end AAA server, and then you'll gain access to the wireless network. If you leave the organization, your access to all of the networks is also disabled. And if someone changes their own personal password, it doesn't change the authentication process for anybody else in the organization.

WPA2

The encryption protocol that became our long-term solution for wireless security is WPA2. WPA2 uses CCMP to encrypt the traffic going through our wireless networks. Instead of using RC4 as the encryption algorithm, WPA2 uses AES, the Advanced Encryption Standard.

TKIP

The short-term bridge was WPA. WPA used TKIP, the Temporal Key Integrity Protocol, which took advantage of the RC4 stream cipher. With WPA, we got away from some of the problems we had with WEP. For example, we made sure that the initialization vector was much larger, and we used an encrypted hash along with the IV. Every packet would effectively get a unique 128-bit encryption key to make sure all of the communication remained secure. The key information that was sent across the network with TKIP would change constantly, because it combined the secret key with the initialization vector. There was also a sequence counter added with TKIP so that no one could perform a replay attack on our wireless networks. There's also a 64-bit message integrity check on these WPA-encrypted networks, which meant that no one could tamper with the packets as they were going through the wireless network. Unfortunately, TKIP came with its own set of vulnerabilities, and eventually it was deprecated from the 802.11 standard.

WPA

WPA stands for Wi-Fi Protected Access. It was created in 2002 because we had a pretty serious problem with the encryption method used prior to this, called Wireless Equivalent Privacy, or WEP. A cryptographic vulnerability was found in WEP that effectively allowed all of our traffic to be decrypted. So we needed something that would bridge the gap between the broken WEP encryption and whatever would be the successor, the more permanent encryption type, on these networks.

MAC Filtering

We spoke in an earlier video about performing MAC filtering on a wired network. But of course, you can perform filtering on a media access control address on a wireless network as well. You would normally define all of the allowed devices' MAC addresses in your access point, and that would prevent any other MAC addresses from joining the network. You can, of course, use a wireless analyzer to view all of the MAC addresses communicating on your wireless network, so you may find that MAC filtering does not provide the level of security that you need. In fact, we commonly refer to this as security through obscurity, which, of course, is no security at all.

Geofencing

We're starting to see more mobile device managers take advantage of geofencing. They'll use the GPS functionality in a mobile device to determine whether someone gets access to the network or not. You can also integrate this into cameras. If the information inside of your building is very sensitive, you can disable the camera when someone happens to be at work. But you could, of course, also use this for authentication. Someone might have to be at least in your regional area to be able to log in to your wireless network. And if someone's GPS shows them to be outside of a particular area, you can restrict that access to your network.

EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)

When WEP was replaced with more advanced encryption methods, Cisco updated their authentication to EAP-FAST. FAST stands for Flexible Authentication via Secure Tunneling. This provided a lightweight authentication method, but it also increased the security we needed for our wireless networks. EAP-FAST is a protocol similar to EAP-TLS, but it uses only a single server-side certificate.

Extensible Authentication Protocol (EAP)

We also need to provide some way to authenticate onto the network. To do that, we use a framework called EAP, the Extensible Authentication Protocol. This framework has many different methods that can be used to authenticate to a network, and there are many RFC standards that use EAP as the authentication method. For our wireless networks, both WPA and WPA2 use different forms of EAP to provide this authentication. Cisco was an early adopter of wireless technologies, and on some of their first access points that used WEP encryption, they used LEAP, or Lightweight EAP, to provide authentication.
