WEBVTT

1
00:00:00.540 --> 00:00:02.490
<v Instructor>In this lesson we're going to talk all</v>

2
00:00:02.490 --> 00:00:04.710
about how to secure your wireless networks

3
00:00:04.710 --> 00:00:06.900
from some of the threats against them.

4
00:00:06.900 --> 00:00:09.930
Now, wireless networks offer us a lot of convenience

5
00:00:09.930 --> 00:00:13.050
but they also bring a ton of security risks

6
00:00:13.050 --> 00:00:15.720
because unlike a wired network, as long as I'm within

7
00:00:15.720 --> 00:00:18.600
the footprint of that wireless signal, I can connect

8
00:00:18.600 --> 00:00:21.780
to it with my smartphone, my tablet, or my laptop.

9
00:00:21.780 --> 00:00:24.180
To protect your network, you really need to make sure

10
00:00:24.180 --> 00:00:26.250
you know what your devices are connecting to

11
00:00:26.250 --> 00:00:28.260
and once they're connected, you want to make sure

12
00:00:28.260 --> 00:00:31.470
that the data being sent is going to be encrypted.

13
00:00:31.470 --> 00:00:33.420
Now the first thing we want to do is make sure

14
00:00:33.420 --> 00:00:36.240
that whatever we're transmitting is being done privately

15
00:00:36.240 --> 00:00:38.280
to increase the security of our networks.

16
00:00:38.280 --> 00:00:39.360
One of the ways we do this

17
00:00:39.360 --> 00:00:41.700
is what's called a pre-shared key.

18
00:00:41.700 --> 00:00:44.040
Now, a pre-shared key is where both endpoints,

19
00:00:44.040 --> 00:00:46.529
both your access point and your client on your laptop

20
00:00:46.529 --> 00:00:49.590
or smartphone have the same encryption key.

21
00:00:49.590 --> 00:00:52.230
If I use a password on one side and the same password

22
00:00:52.230 --> 00:00:55.080
on the other and they match, that is using the same

23
00:00:55.080 --> 00:00:58.200
pre-shared key to create that encryption tunnel.

24
00:00:58.200 --> 00:00:59.460
Now there are a couple of problems

25
00:00:59.460 --> 00:01:01.350
when you use a pre-shared key though.

26
00:01:01.350 --> 00:01:04.710
First, scalability becomes a big problem for us.

27
00:01:04.710 --> 00:01:07.530
Let's say I have an office where I have 50 different users

28
00:01:07.530 --> 00:01:09.690
and they're all connected to the wireless network

29
00:01:09.690 --> 00:01:12.150
and all of them are using that same pre-shared key.

30
00:01:12.150 --> 00:01:14.160
But let's say tomorrow I go into work

31
00:01:14.160 --> 00:01:15.990
and I fire one of the employees.

32
00:01:15.990 --> 00:01:18.210
Now, that employee knows the pre-shared key,

33
00:01:18.210 --> 00:01:19.650
so guess what we have to do?

34
00:01:19.650 --> 00:01:21.480
We have to change the pre-shared key

35
00:01:21.480 --> 00:01:23.850
and because I have to change that pre-shared key,

36
00:01:23.850 --> 00:01:26.550
all 50 of the other employees now need to be told what

37
00:01:26.550 --> 00:01:28.950
that new key is and so we can all change it.

38
00:01:28.950 --> 00:01:31.710
It's like changing the key to the front door of your house.

39
00:01:31.710 --> 00:01:32.940
If you have 10 family members,

40
00:01:32.940 --> 00:01:35.400
you now have to make 10 copies of that key.

41
00:01:35.400 --> 00:01:37.410
Since all of your clients are using the same password

42
00:01:37.410 --> 00:01:39.630
and that same key, it makes it really difficult

43
00:01:39.630 --> 00:01:42.120
for us to change and do proper key management.

44
00:01:42.120 --> 00:01:43.470
That's one of the big reasons why we don't

45
00:01:43.470 --> 00:01:46.590
use pre-shared keys in large environments.

46
00:01:46.590 --> 00:01:49.350
But if you're in a small office or a home office environment

47
00:01:49.350 --> 00:01:51.930
like your house or a small office of 10 employees

48
00:01:51.930 --> 00:01:54.660
or less you may go ahead and use a pre-shared key

49
00:01:54.660 --> 00:01:57.030
because it's really easy to configure networks that way

50
00:01:57.030 --> 00:01:59.070
'cause you only have a couple of devices.

51
00:01:59.070 --> 00:02:00.720
Now when we look at wireless security,

52
00:02:00.720 --> 00:02:04.110
there are three main methods that we can use for doing this.

53
00:02:04.110 --> 00:02:08.250
The first is WEP, and then we have WPA and WPA2.

54
00:02:08.250 --> 00:02:09.570
When we deal with WEP, we're talking

55
00:02:09.570 --> 00:02:11.850
about Wired Equivalent Privacy.

56
00:02:11.850 --> 00:02:13.680
This was the original wireless security

57
00:02:13.680 --> 00:02:15.240
that was invented all the way back

58
00:02:15.240 --> 00:02:18.840
with the first version of Wi-Fi, 802.11.

59
00:02:18.840 --> 00:02:21.600
Now, it claimed that it was as secure as wired networks,

60
00:02:21.600 --> 00:02:24.240
hence the name "wired equivalent privacy."

61
00:02:24.240 --> 00:02:26.580
But the truth is it is not secure

62
00:02:26.580 --> 00:02:29.550
and these days you should never ever be using WEP

63
00:02:29.550 --> 00:02:32.070
because it is a very insecure protocol.

64
00:02:32.070 --> 00:02:35.250
Now, the way WEP works is that it uses a pre-shared key.

65
00:02:35.250 --> 00:02:38.880
Everyone has the same key and it's a static 40-bit key

66
00:02:38.880 --> 00:02:41.370
which is very small and easy to brute force

67
00:02:41.370 --> 00:02:44.130
or guess using a strong computer.

68
00:02:44.130 --> 00:02:46.410
Over time to make WEP more secure,

69
00:02:46.410 --> 00:02:49.470
they upgraded the key from 40 bits to 64 bits

70
00:02:49.470 --> 00:02:52.560
and then again to 128 bits and that solved

71
00:02:52.560 --> 00:02:54.628
the key length problem, but it didn't solve

72
00:02:54.628 --> 00:02:58.440
a different problem known as the initialization vector.

73
00:02:58.440 --> 00:02:59.850
Now the way WEP works is it

74
00:02:59.850 --> 00:03:02.820
uses a 24-bit initialization vector

75
00:03:02.820 --> 00:03:05.400
which is a series of 24 ones and zeros

76
00:03:05.400 --> 00:03:08.040
and that is what's called the initialization vector.

77
00:03:08.040 --> 00:03:10.590
This is sent in clear text and if you capture enough

78
00:03:10.590 --> 00:03:12.540
of these initialization vectors you can

79
00:03:12.540 --> 00:03:15.750
actually crack the encryption key and backwards guess

80
00:03:15.750 --> 00:03:18.960
the pre-shared key that you used for your password of WEP.

81
00:03:18.960 --> 00:03:21.642
In fact, using Aircrack-ng, you can do this in

82
00:03:21.642 --> 00:03:24.990
about two to three minutes with most modern laptops.

83
00:03:24.990 --> 00:03:28.020
Now, the next one we want to talk about is WPA.

84
00:03:28.020 --> 00:03:31.590
WPA, or Wi-Fi Protected Access, was the replacement

85
00:03:31.590 --> 00:03:33.150
for WEP because of the weakness

86
00:03:33.150 --> 00:03:35.850
with this 24-bit initialization vector.

87
00:03:35.850 --> 00:03:37.920
To overcome this, they introduced something known

88
00:03:37.920 --> 00:03:41.280
as TKIP, the Temporal Key Integrity Protocol.

89
00:03:41.280 --> 00:03:44.790
Now TKIP replaces that 24-bit initialization vector

90
00:03:44.790 --> 00:03:47.610
with a new vector that's 48 bits long.

91
00:03:47.610 --> 00:03:49.260
This doubled the strength of it

92
00:03:49.260 --> 00:03:50.850
but that's still considered pretty weak

93
00:03:50.850 --> 00:03:53.280
when it comes down to modern computing.

94
00:03:53.280 --> 00:03:54.870
The other thing they did was they added

95
00:03:54.870 --> 00:03:57.420
a new encryption type called RC4,

96
00:03:57.420 --> 00:04:00.870
or Rivest Cipher 4 and it's pretty good, but again,

97
00:04:00.870 --> 00:04:03.630
by today's standards this is considered weak.

98
00:04:03.630 --> 00:04:06.690
WPA also wanted to add some integrity to your devices

99
00:04:06.690 --> 00:04:09.090
and they did that by making sure nobody can conduct

100
00:04:09.090 --> 00:04:11.820
a man in the middle attack and change the information.

101
00:04:11.820 --> 00:04:14.760
To do that, they used a thing called the MIC,

102
00:04:14.760 --> 00:04:16.980
the message integrity check, which is a form

103
00:04:16.980 --> 00:04:19.050
of hashing the data before it was sent

104
00:04:19.050 --> 00:04:21.300
and that way you could verify it wasn't modified

105
00:04:21.300 --> 00:04:24.090
as it was in transit as it went through the network.

106
00:04:24.090 --> 00:04:26.460
Now, WPA also saw that there's a flaw

107
00:04:26.460 --> 00:04:28.320
with this pre-shared key and being able

108
00:04:28.320 --> 00:04:30.990
to send out new keys very quickly, so they added

109
00:04:30.990 --> 00:04:34.290
something known as enterprise mode inside WPA.

110
00:04:34.290 --> 00:04:36.270
With enterprise mode a user could

111
00:04:36.270 --> 00:04:38.820
actually authenticate before exchanging keys

112
00:04:38.820 --> 00:04:40.500
and they would then be able to create new keys

113
00:04:40.500 --> 00:04:43.680
temporarily between the client and the access point.

114
00:04:43.680 --> 00:04:46.740
This tried to solve that pre-shared key scalability issue

115
00:04:46.740 --> 00:04:49.650
but at the end of the day WPA is still considered weak

116
00:04:49.650 --> 00:04:51.450
by today's standards and is replaced

117
00:04:51.450 --> 00:04:54.300
with a more modern version known as WPA2

118
00:04:54.300 --> 00:04:56.850
or Wi-Fi Protected Access 2.

119
00:04:56.850 --> 00:04:59.160
Now, WPA2 is the current standard

120
00:04:59.160 --> 00:05:02.460
and it was created as part of the 802.11i standard.

121
00:05:02.460 --> 00:05:04.770
It was first implemented in Wireless G,

122
00:05:04.770 --> 00:05:07.620
and then in Wireless N and Wireless AC.

123
00:05:07.620 --> 00:05:09.390
It requires stronger authentication

124
00:05:09.390 --> 00:05:11.970
and stronger encryption and integrity checks.

125
00:05:11.970 --> 00:05:15.300
The integrity checking is done through using CCMP.

126
00:05:15.300 --> 00:05:17.550
Now, CCMP stands for the Counter Mode

127
00:05:17.550 --> 00:05:19.080
with Cipher Block Chaining Message

128
00:05:19.080 --> 00:05:20.910
Authentication Code Protocol,

129
00:05:20.910 --> 00:05:22.817
which is a mouthful that you will not have

130
00:05:22.817 --> 00:05:25.560
to memorize for the exam or what it means.

131
00:05:25.560 --> 00:05:28.890
What you do need to remember is every time you see CCMP

132
00:05:28.890 --> 00:05:33.210
you should be thinking about this is part of WPA2 security.

133
00:05:33.210 --> 00:05:34.890
The second thing they did was they replaced

134
00:05:34.890 --> 00:05:37.680
that older encryption mechanism of RC4

135
00:05:37.680 --> 00:05:40.350
or Rivest Cipher 4, with the new one known

136
00:05:40.350 --> 00:05:43.410
as Advanced Encryption Standard or AES.

137
00:05:43.410 --> 00:05:47.047
Now AES uses a 128-bit key, and some newer models

138
00:05:47.047 --> 00:05:50.700
can actually use a 256-bit key or more.

139
00:05:50.700 --> 00:05:52.995
This gives you additional security and confidentiality

140
00:05:52.995 --> 00:05:56.280
of your data going over this wireless network.

141
00:05:56.280 --> 00:05:58.410
At the time of this particular recording,

142
00:05:58.410 --> 00:06:01.890
AES has still not been broken and WPA2,

143
00:06:01.890 --> 00:06:03.990
the algorithm itself has not been broken

144
00:06:03.990 --> 00:06:05.400
so it is a good thing to use

145
00:06:05.400 --> 00:06:07.950
if you have a long, strong password.

146
00:06:07.950 --> 00:06:09.810
Now, the only way that people are able to crack

147
00:06:09.810 --> 00:06:12.720
these networks currently is by using password attacks

148
00:06:12.720 --> 00:06:14.640
and that means they're trying to guess the passwords

149
00:06:14.640 --> 00:06:16.500
by guessing every possible option using

150
00:06:16.500 --> 00:06:19.350
a brute force attack or a dictionary attack.

151
00:06:19.350 --> 00:06:20.700
So, if you want to protect your networks,

152
00:06:20.700 --> 00:06:24.210
make sure you're using a good, long, strong password.

153
00:06:24.210 --> 00:06:27.390
WPA2 also supports two different modes depending

154
00:06:27.390 --> 00:06:29.370
on your network that you're going to be using it on.

155
00:06:29.370 --> 00:06:32.070
If you're using it in a home or small office environment,

156
00:06:32.070 --> 00:06:33.900
you're going to be using a pre-shared key

157
00:06:33.900 --> 00:06:35.520
where everybody has the same password.

158
00:06:35.520 --> 00:06:37.800
This is known as personal mode.

159
00:06:37.800 --> 00:06:40.260
The other way is by using it in a large environment

160
00:06:40.260 --> 00:06:42.030
where you're using enterprise mode

161
00:06:42.030 --> 00:06:43.500
and that's where each and every user

162
00:06:43.500 --> 00:06:46.560
gets a single username and password unique to them

163
00:06:46.560 --> 00:06:48.990
and they'll use a central authentication server

164
00:06:48.990 --> 00:06:52.170
using native WPA2 or offloading that

165
00:06:52.170 --> 00:06:55.320
to an 802.1X authentication server.

166
00:06:55.320 --> 00:06:56.360
For the exam, I want you

167
00:06:56.360 --> 00:06:59.040
to remember four things about wireless security

168
00:06:59.040 --> 00:07:00.120
and if you remember the four things

169
00:07:00.120 --> 00:07:02.340
on this chart you're going to do great.

170
00:07:02.340 --> 00:07:04.590
First, anytime you see the word open

171
00:07:04.590 --> 00:07:06.270
in reference to a wireless network,

172
00:07:06.270 --> 00:07:10.440
that means no security, no protection, no password.

173
00:07:10.440 --> 00:07:11.820
If you hear WEP, I want you

174
00:07:11.820 --> 00:07:14.580
to associate this with initialization vectors.

175
00:07:14.580 --> 00:07:15.990
That's the flaw in WEP

176
00:07:15.990 --> 00:07:17.880
and that's what you're going to hear about on the test.

177
00:07:17.880 --> 00:07:19.235
WEP is weak, WEP is bad.

178
00:07:19.235 --> 00:07:22.140
WEP uses initialization vectors.

179
00:07:22.140 --> 00:07:23.995
If you see WPA, I want you to think

180
00:07:23.995 --> 00:07:27.227
about TKIP and RC4, because TKIP was used

181
00:07:27.227 --> 00:07:29.520
to replace the initialization vectors

182
00:07:29.520 --> 00:07:31.680
and RC4 was its form of encryption.

183
00:07:31.680 --> 00:07:35.070
Again, WPA is considered weak, don't use it.

184
00:07:35.070 --> 00:07:37.920
Next, if you see WPA2, you should be thinking

185
00:07:37.920 --> 00:07:41.250
about the acronyms of CCMP and AES.

186
00:07:41.250 --> 00:07:43.470
CCMP is an integrity protocol

187
00:07:43.470 --> 00:07:46.350
and AES is the encryption mechanism we use.

188
00:07:46.350 --> 00:07:48.720
This is your key to answering wireless questions

189
00:07:48.720 --> 00:07:50.760
for security on exam day.

190
00:07:50.760 --> 00:07:53.760
Next, let's talk a little bit about MAC address filtering.

191
00:07:53.760 --> 00:07:56.457
We can configure our access points with an ACL

192
00:07:56.457 --> 00:07:58.470
and this will be able to look at those addresses

193
00:07:58.470 --> 00:08:01.020
and permit or deny certain MAC addresses

194
00:08:01.020 --> 00:08:02.700
from connecting to the network.

195
00:08:02.700 --> 00:08:05.340
For instance, if my iPhone tries to connect to the network

196
00:08:05.340 --> 00:08:08.010
and it's not authorized or it's on the deny list

197
00:08:08.010 --> 00:08:09.720
it won't be able to make that handshake

198
00:08:09.720 --> 00:08:11.460
and it won't be able to communicate.

199
00:08:11.460 --> 00:08:13.230
Now, the problem with MAC filtering still

200
00:08:13.230 --> 00:08:15.150
resides with the fact that it's really easy

201
00:08:15.150 --> 00:08:17.520
to change your MAC address and spoof it.

202
00:08:17.520 --> 00:08:19.500
Knowledgeable users can change their MAC address

203
00:08:19.500 --> 00:08:21.960
really quickly using freely available tools

204
00:08:21.960 --> 00:08:24.630
and it really does take about five seconds to do.

205
00:08:24.630 --> 00:08:26.100
This will stop some people

206
00:08:26.100 --> 00:08:29.190
but it is not foolproof and it's not going to stop everybody.

207
00:08:29.190 --> 00:08:30.660
If you want to change your MAC address

208
00:08:30.660 --> 00:08:33.420
you can use tools like MAC Address Changer for Windows,

209
00:08:33.420 --> 00:08:36.210
MacDaddyX for OS X and Mac systems,

210
00:08:36.210 --> 00:08:37.890
or macchanger for Linux,

211
00:08:37.890 --> 00:08:40.560
these are all really easy tools to use.

212
00:08:40.560 --> 00:08:42.411
MAC addresses are not going to be a source

213
00:08:42.411 --> 00:08:46.500
of great protection for you, but according to the exam,

214
00:08:46.500 --> 00:08:48.840
it is a protection that you can use to form

215
00:08:48.840 --> 00:08:50.940
a part of your defense in depth strategy.

216
00:08:50.940 --> 00:08:53.100
So in the real world, don't worry too much

217
00:08:53.100 --> 00:08:55.230
about MAC filtering, but for the exam,

218
00:08:55.230 --> 00:08:57.450
they do consider it a good security measure.

219
00:08:57.450 --> 00:09:00.300
Next, we have disabling your SSID broadcast

220
00:09:00.300 --> 00:09:02.550
which is considered a minor security help

221
00:09:02.550 --> 00:09:04.410
as well to protect your networks.

222
00:09:04.410 --> 00:09:06.930
Now, according to the exam, just like MAC filtering

223
00:09:06.930 --> 00:09:08.730
they say this is a good thing to do.

224
00:09:08.730 --> 00:09:10.260
In the real world though it doesn't

225
00:09:10.260 --> 00:09:13.200
take very long to find a hidden SSID.

226
00:09:13.200 --> 00:09:15.390
Now, what exactly is an SSID?

227
00:09:15.390 --> 00:09:17.850
Well, it stands for the server set identifier

228
00:09:17.850 --> 00:09:20.520
and it's what your wireless network is actually called.

229
00:09:20.520 --> 00:09:22.260
For example, if you go to Starbucks,

230
00:09:22.260 --> 00:09:24.390
they have one called "Starbucks Guest"

231
00:09:24.390 --> 00:09:27.360
or if you go to my house, I have one called "Dion"

232
00:09:27.360 --> 00:09:29.160
and that way you can see that server set goes out

233
00:09:29.160 --> 00:09:31.920
and says, "Hey, Dion is here, should I connect to it?"

234
00:09:31.920 --> 00:09:33.120
And if you search for a network,

235
00:09:33.120 --> 00:09:35.700
you see all the list of names that are around you, right?

236
00:09:35.700 --> 00:09:38.670
Well, if you turn off the broadcast of the Server Set ID,

237
00:09:38.670 --> 00:09:40.230
it's not going to broadcast that out

238
00:09:40.230 --> 00:09:42.630
and it won't show up in your available networks.

239
00:09:42.630 --> 00:09:44.670
This way, the user has to manually type

240
00:09:44.670 --> 00:09:46.350
in the name to connect to your network

241
00:09:46.350 --> 00:09:48.210
so they have to actually know it's there.

242
00:09:48.210 --> 00:09:49.920
Now, the problem with this is that using

243
00:09:49.920 --> 00:09:52.680
wireless penetration techniques, it's really easy

244
00:09:52.680 --> 00:09:55.080
to find these and you'll still be able to connect to them.

245
00:09:55.080 --> 00:09:57.240
If all you're doing is disabling your broadcast,

246
00:09:57.240 --> 00:09:58.740
it's not very secure.

247
00:09:58.740 --> 00:10:01.320
But if you do this in combination with MAC filtering

248
00:10:01.320 --> 00:10:03.240
and having a good long, strong password,

249
00:10:03.240 --> 00:10:04.830
you're starting to layer the security

250
00:10:04.830 --> 00:10:06.903
and give you a better security posture.

