PACE-IT: Network Hardening Techniques (part 2)

Date post: 16-Aug-2015
Upload: pace-it-at-edmonds-community-college
Network hardening techniques II.
Transcript
Page 1: PACE-IT: Network Hardening Techniques (part 2)

Network hardening techniques II.

Page 2: PACE-IT: Network Hardening Techniques (part 2)

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise Industry Certifications

PC Hardware

Network Administration

IT Project Management

Network Design

User Training

IT Troubleshooting

Qualifications Summary

Education

M.B.A., IT Management, Western Governors University

B.S., IT Security, Western Governors University

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions.

Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.

Brian K. Ferrill, M.B.A.

Page 3: PACE-IT: Network Hardening Techniques (part 2)

Network hardening techniques II.

– Encryption basics.

– Wireless network hardening.

– Security policies.

Page 4: PACE-IT: Network Hardening Techniques (part 2)

Encryption basics.

Page 5: PACE-IT: Network Hardening Techniques (part 2)

Encryption basics.

Encryption is the process of taking a message and scrambling the data so that it can’t be read if intercepted.

Encryption relies upon the fact that the receiver of the scrambled data has the key that allows it to unscramble the data and put the message back together.

The strength of the encryption is usually determined by the strength of the key. The strength of the key is measured in the number of bits that it takes to generate the key. The more bits it has, the stronger the key is.

Page 6: PACE-IT: Network Hardening Techniques (part 2)

Encryption basics.

– Encryption types.

» Symmetrical: both ends use the same key to encrypt and decrypt messages; PSK (pre-shared key) is symmetrical in nature.

» Asymmetrical: two different security keys are used in an arrangement called PKI (public key infrastructure). The private key encrypts the message and the public key decrypts the message.

• On the return, the original receiver encrypts with the original sender’s public key, which then gets decrypted with the private key.

– Asymmetrical encryption key types.

» EAP-TLS (Extensible Authentication Protocol-Transport Layer Security): requires the use of a certificate authority (CA) that is trusted by both parties.

• The CA provides the certificates to both parties that allow for the generation of both the public and private security keys.

• Very secure, but it is difficult to manage and maintain.

» TTLS (Tunneling Transport Layer Security): as secure as EAP-TLS, but only the authentication server receives a certificate for the key generation process and it is easier to manage.

Page 7: PACE-IT: Network Hardening Techniques (part 2)

Wireless network hardening.

Page 8: PACE-IT: Network Hardening Techniques (part 2)

Wireless network hardening.

Wireless networks can represent a special challenge in the network hardening process.

The goal of most hardening techniques is to keep nefarious elements from ever seeing the network traffic. But with wireless networks, that is all but impossible as the traffic is broadcast over known radio frequency (RF) channels. This traffic is subject to capture, and the transmissions inform any who care that an active wireless network is present.

There are steps that can be taken—encrypting the traffic—to make sure that, even if the network traffic is captured, it cannot be read. This helps keep the network traffic safe and the network from being breached.

Page 9: PACE-IT: Network Hardening Techniques (part 2)

Wireless network hardening.

– MAC address filtering.

» MAC address filtering can be used to limit which devices can connect to the wireless network.

• If an unknown MAC address attempts to connect to the network, it is ignored by the wireless access point (WAP).

• While MAC filtering can be effective, it can be difficult to manage and it is also possible to spoof MAC addresses.

– Basic authentication and encryption.

» WEP (Wired Equivalent Privacy): an encryption standard that uses either a 40-bit or 128-bit encryption key and the RC4 algorithm to authenticate and encrypt devices. It uses a pre-shared key (PSK) as a password or passphrase to authenticate users.

• It is easily cracked and should not be used.

» WPA (Wi-Fi Protected Access): an authentication and encryption standard that improved upon WEP, but still uses PSK and the RC4 algorithm. It also introduced Temporal Key Integrity Protocol (TKIP), which generates a new security key—with a strength of 128 bits or greater—for every packet.

• It is not as easily cracked as WEP, but it can still be cracked and should not be used.

Page 10: PACE-IT: Network Hardening Techniques (part 2)

Wireless network hardening.

– Basic authentication and encryption continued.

» WPA2-Personal is an authentication and encryption standard that improved upon WPA. It does not rely upon the RC4 encryption algorithm, but it does use the AES (Advanced Encryption Standard) as its algorithm. It can use the PSK method, but this is not required (and it can also dynamically assign security keys).

• While it is theoretically possible to crack WPA2-Personal, it would be extremely difficult to do so; this should be the minimum level of security on any wireless network.

– Advanced authentication and encryption.

» WPA2-Enterprise forms a portion of the 802.1x standard. It is used to authenticate users on a wireless network and uses one of the forms of Extensible Authentication Protocol (EAP) in setting up the encryption.

• A central authentication server is required for 802.1x, which allows for greater control over the authentication process.

• EAP is actually a set of definitions for how security keys will be exchanged in order for encryption to take place.
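
The guidance on the wireless slides (WEP and WPA should not be used, WPA2-Personal is the minimum, MAC filtering can be spoofed) can be checked against an access point's settings. The following Python code is an added example, not part of the PACE-IT material; it assumes a hostapd-style configuration (the slides name no product), uses hostapd.conf option names, and the three configurations and all function names are constructed for illustration.

```python
# Added example (not from the slides): audit hostapd-style AP settings.
# WEAK, MIXED and HARDENED are constructed sample configurations.
WEAK = "ssid=lab-legacy\nwep_key0=0123456789\nmacaddr_acl=1\n"
MIXED = ("ssid=lab-mixed\nwpa=3\nwpa_key_mgmt=WPA-PSK\n"
         "wpa_pairwise=TKIP CCMP\nrsn_pairwise=CCMP\n")
HARDENED = ("ssid=lab-corp\nwpa=2\nwpa_key_mgmt=WPA-EAP\n"
            "ieee8021x=1\nrsn_pairwise=CCMP\n")

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def mode(conf):
    """Name the strongest mode the AP offers, in the slides' terms."""
    wpa = int(conf.get("wpa", "0"))  # hostapd bitfield: 1 = WPA, 2 = WPA2
    if wpa & 2:
        eap = "WPA-EAP" in conf.get("wpa_key_mgmt", "WPA-PSK").split()
        return "WPA2-Enterprise" if eap else "WPA2-Personal"
    if wpa & 1:
        return "WPA"
    return "WEP" if any(k.startswith("wep_key") for k in conf) else "open"

def audit(text):
    """Return (mode, sorted findings) for one AP configuration."""
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))
    findings, ciphers = set(), set()
    if any(k.startswith("wep_key") for k in conf):
        findings.add("WEP key configured: easily cracked, remove it")
    elif wpa == 0:
        findings.add("no encryption: captured traffic can be read")
    if wpa & 1:
        findings.add("WPA (v1) enabled: allow WPA2 only (wpa=2)")
        ciphers |= set(conf.get("wpa_pairwise", "").split())
    if wpa & 2:  # rsn_pairwise falls back to wpa_pairwise when unset
        fallback = conf.get("wpa_pairwise", "")
        ciphers |= set(conf.get("rsn_pairwise", fallback).split())
    if "TKIP" in ciphers:
        findings.add("TKIP offered: restrict pairwise ciphers to CCMP (AES)")
    if conf.get("macaddr_acl") == "1" and not (wpa & 2):
        findings.add("MAC filter without WPA2: addresses can be spoofed")
    return mode(conf), sorted(findings)
```

Calling `audit()` on each sample shows the legacy AP flagged for WEP and for relying on a MAC filter, the mixed-mode AP flagged for still offering WPA and TKIP, and the WPA2-Enterprise AP returning no findings.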

Page 11: PACE-IT: Network Hardening Techniques (part 2)

Security policies.

Page 12: PACE-IT: Network Hardening Techniques (part 2)

Security policies.

While security policies are only written documents, they can actually do quite a bit to harden a network against a breach.

Security policies document or outline what is allowed or not allowed to occur on the network from a security point of view. They are usually crafted at the upper layer of management with the help of knowledgeable IT personnel.

Security policies give administrators the authority to put into place measures to protect the security of the network. In many cases, they also give administrators the authority to enforce the policies that lead to a hardened network.

Page 13: PACE-IT: Network Hardening Techniques (part 2)

What was covered.

Topic: Encryption basics.

Summary: Encryption is the process of keeping an intercepted message from being read and understood. Encryption relies upon the receiver of the message having the key to unscramble the data. The encryption key may be symmetrical (the same key is used) or asymmetrical (two different keys are used). Asymmetrical key generation may use EAP-TLS or TTLS.

Topic: Wireless network hardening.

Summary: By their very nature, wireless network transmissions are easy to intercept. In order to keep the network secure, different methods may be used. One of those methods is MAC filtering and another is encryption. Basic encryption types for wireless networks include: WEP, WPA, and WPA2-Personal. WPA2-Enterprise is a more advanced form of encryption and involves the use of an authentication server.

Topic: Security policies.

Summary: Network security policies establish what is and what is not allowed on networks. These documents are usually written at the upper layers of management in an organization. Security policies allow administrators to put security measures in place and often give them the authority to enforce those policies.

Page 14: PACE-IT: Network Hardening Techniques (part 2)

THANK YOU!

Page 15: PACE-IT: Network Hardening Techniques (part 2)

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.

