Hello and welcome back. My name is Tyler McMinn with Aruba, and this is the Aruba Mobility Essentials part 2. This is our sixth video in this second part series, on wireless LAN usage, and we're going to dive into encryption. After the last video's deep-ish dive on authentication, encryption is a natural topic to follow. Let's jump on in. Wireless LAN usage. This is going to look at the different types of security that we would apply based on what type of wireless local area network we're trying to set up. Your client usage and security should go hand in hand, because wireless has an inherent security flaw that cable connections do not have. With a cable connection, there's a sense of "I know where the other end of this cable goes, no one can see the data off of this cable," which isn't entirely true, but most of the time, yeah, you are correct. Whereas with wireless, with radio, it's invisible. I don't know if it's going across town or if it's dying out in the room next door; I can't see the radio waves the same way I can see a cable. To some extent, cables give us a bit of a false sense of security, because we'll run a cable, but there's no encryption on these cables. Unless you have very specialized requirements in your network with MACsec or something like that, you generally don't encrypt from switch to switch or from the switch to the port that you plug into. Whereas with radio, because it's exposed, we were already on top of it since Day 1. Since 1999, when the ISM bands really came out with 802.11a, b, and g, we started encrypting our wireless. The idea of client usage and security has gone hand in hand almost since Day 1. It didn't start very well with WEP, but we've improved it since. There are three common types of deployments you usually see out there. You've got employees, where it needs to be super secure, super locked down, very rigid.
Guests, which are generally open and use at your own risk, versus the devices themselves that are connecting to the corporate network, where we'd like to lock them down if possible, but some older devices have just enough capability to jump on a network and they don't really have a lot in the way of certificates or the ability to do good encryption, so we've got to apply whatever security we can. To match this up with employees, we generally will use the strongest encryption that we can. This is an IEEE standard called 802.1X for the authentication piece. I know the security piece I mentioned was 802.11i; we'll come back to that. But 802.1X is a wired standard that's been adopted for wireless and now is actually finding more popularity on the wired side these days as well. We're using that authentication of Extensible Authentication Protocol. I finished the last video talking a bit about EAP over the LAN. Well, that's what EAP is. It's this stack of protocols that you can choose from to be what strength of authentication you want, compared to how much hassle and maintenance it would require. You can go light, which is usernames and passwords and not as much maintenance, or you can go very strong with certificate-based authentication, but a lot more time, a lot more maintenance, a lot more issues that can come up. With guests, the idea is a Captive Portal. This is a redirect to a splash page or a login page where the user is either just prompted to agree to an acceptable use policy, or you might just have them fill out some information like an e-mail address or a name or something, but we don't really check any of that. Or you could actually have a username and password that's generated for the user that they have to know to get online. What are you really giving them? It's not strong encryption or anything, but you're giving them access to the Internet.
If somebody were to hack your guest network, they're just going to be sent out to the Internet anyway. In any of these cases, we could choose to encrypt, as opposed to the guest one. For the guest one, it's not as important to encrypt the guest network, because the idea of encryption is you're protecting your users from the bad guy. With employees, they're the good guys, and with guests, we don't really know if they're good guys or bad guys. With guests, we generally just leave it open in that regard. With devices that don't really open up web login pages, there's no one on them, it's a printer or whatever, and they don't have the capability in some cases to be able to do cryptographically strong encryption. What we're left with for devices is a pre-shared key. That's just like you might have in your house. Now, in your house, using a pre-shared key as a shared key for authentication is one thing, but the encryption is still strong. The authentication's not necessarily great, but the encryption is still valid. We'll look at the encryption with WPA2, or the newest standard that was just ratified, WPA3. Generally, WPA2 is fine, except that the standard does allow for weaker encryption algorithms, which could expose your network to risk, whereas with WPA3, we only support the strongest level of encryption available, and it introduces features like Opportunistic Wireless Encryption and Simultaneous Authentication of Equals. With OWE, you could set up open WPA3, where it's open, there's no key that you have to type in. Your users can just join, but yet we encrypt every user from each other. That's pretty cool. Simultaneous Authentication of Equals is essentially pre-shared keys, but you have much better protection, where it's much harder for me, knowing the pre-shared key, to hack the information of another user, even if we have the same pre-shared key. WPA3, like many of these newer standards, fixes a lot of the shortcomings that we had in WPA2. Do not do WPA.
I mean, I guess any security is better than nothing, but one major problem with WPA, other than some gaping security issues, is that it's slow. It only supports non-high throughput or non-very-high throughput speeds, which means that you're going to be limited to that 54 megabits per second with WPA; it's software-based. The only downside with WPA3 is that there are a lot of client devices that don't support it. If that's the case, you might allow for both as an interim, or just stick with WPA2 until you know your clients support it. Let's take a look at these real quickly. You've got 802.1X Extensible Authentication, very secure, government grade. While this standard has been around for 20 plus years, because of its flexibility, you can improve your certificates. You can increase the encryption and the security, and sometimes it is a good thing that it's been around for a while, because no one's been able to find a flaw in the major iterations of this standard. Data encryption is typically done with AES, which is your hardware-based, very fast symmetric key encryption there, and then we use a standard certificate format known as X.509 certificates, which most legacy devices may not support, but most clients should. Your mobile devices, your laptops, tablets, they should all support it. With guests, we don't want to hassle with certificates and all of this. We'll typically use Captive Portal for guests, not very secure, but it doesn't really have to be, because we're only going to authorize them with a guest role. That means our firewall is only going to allow them to go out to the Internet. That protects us from the good and the bad guys that might jump on our guest network there. Usually, we don't bother with encryption. You could encrypt it with a pre-shared key or something, but then who do you give the key to? Everybody? It's like if I hang the key to my house on my front door, then why lock the door? But to each their own.
Then lastly, that pre-shared key does really have a good place when it's used with these smaller Internet of Things devices, or older devices that are legacy and don't support 802.1X. If your device supports 802.1X, do 802.1X. If it doesn't, then a simple pre-shared key. The other option to keep in mind with this is my home network. I use pre-shared keys in my home because I don't want to hassle with setting up a RADIUS server and doing that client authentication, mainly because if the RADIUS server goes down or becomes unreachable, then everybody in my house complains very loudly. They wonder why it's so complicated. At the end of the day, what am I really protecting anyway? A pre-shared key in that environment, I'm not that worried about. With WPA, WPA2 or 3, no authentication, it's basically just encryption. Technically, there's a shared key phase that occurs when you do your login with WPA2 or WPA3 pre-shared keys. The keys just must be shared between devices, often used when the client does not support 802.1X. Yeah, it is definitely better than not, but for the most part, use WPA2 or WPA3; those are going to be faster. In 2012, the IEEE Wi-Fi Alliance deprecated the following technologies, meaning that for the last 8-9 years they are not recommended: WEP; TKIP, which is your WPA encryption standard; and the authentication for WPA, Wi-Fi Protected Access. These are all deprecated. DO NOT USE THESE. There's typically no compelling reason to use them in most environments. Every now and then I'll run into something like an old 20-year-old scanner in a warehouse or something that has to do what it has to do, and I do all sorts of other things to make sure that I'm protecting that device. Hopefully, this has been a review for some of you; if not, going through and showing you in more detail how this encryption interacts after we just got off of our discussion on authentication. That's going to be it for this video, and in the next video we're going to cover redundancy.
We're going to pull it back away from the encryption and the security stuff, and we're going to look at an aspect of security that is just uptime. Like, how can I make sure that my wireless is available? If I do lose an access point, how can I make sure that no one even notices? I hope you guys liked this video. Let's go ahead and stop here, and I'll see you guys in the next one.
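As an added example that is not part of the video, the following Python decodes the RSN information element that an access point advertises in its beacons and applies the video's guidance: it flags the deprecated WEP/TKIP ciphers that WPA2 still allows, identifies 802.1X, PSK, SAE (WPA3-Personal) and OWE (WPA3 Enhanced Open), and checks that the WPA3 modes require management frame protection. The two sample element bodies are constructed for the demonstration, not captured from any real network.

```python
"""Decode an 802.11 RSN information element (element ID 48) and classify the
network as the video recommends: flag WEP/TKIP, identify 802.1X/PSK/SAE/OWE."""
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256"}
# SHA-256 variants (5, 6) are folded into their base AKM for classification
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X", 6: "PSK", 8: "SAE", 18: "OWE"}
DEPRECATED = {"WEP-40", "WEP-104", "TKIP"}
LABELS = [("SAE", "WPA3-Personal (SAE)"), ("OWE", "WPA3 Enhanced Open (OWE)"),
          ("802.1X", "Enterprise (802.1X/EAP)"), ("PSK", "WPA2-Personal (PSK)")]

def _suite(body, off, table):
    oui, kind = body[off:off + 3], body[off + 3]
    return table.get(kind, f"unknown:{kind}") if oui == OUI else f"vendor:{oui.hex()}"

def parse_rsn(body):
    """body is the element payload after the 2-byte ID/length header."""
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    group = _suite(body, 2, CIPHERS)
    n_pair = struct.unpack_from("<H", body, 6)[0]
    pairwise = [_suite(body, 8 + 4 * i, CIPHERS) for i in range(n_pair)]
    off = 8 + 4 * n_pair
    n_akm = struct.unpack_from("<H", body, off)[0]
    akms = [_suite(body, off + 2 + 4 * i, AKMS) for i in range(n_akm)]
    off += 2 + 4 * n_akm
    # RSN capabilities are optional; bit 6 = MFP required, bit 7 = MFP capable
    caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else 0
    return {"group": group, "pairwise": pairwise, "akm": akms,
            "mfp_required": bool(caps & 0x40)}

def classify(rsn):
    """Return (label, warnings) following the deployment guidance in the video."""
    akm, warnings = set(rsn["akm"]), []
    weak = DEPRECATED & set(rsn["pairwise"] + [rsn["group"]])
    if weak:
        warnings.append("deprecated cipher(s) offered: " + ", ".join(sorted(weak)))
    label = next((name for key, name in LABELS if key in akm), "unknown")
    if label.startswith("WPA2-Personal"):
        warnings.append("PSK only: acceptable for IoT/legacy, prefer 802.1X or SAE")
    if akm & {"SAE", "OWE"} and not rsn["mfp_required"]:
        warnings.append("WPA3 AKM without required management frame protection")
    return label, warnings

# Constructed sample element bodies (hex), not captured from a real network:
# WPA2 mixed mode (group TKIP, pairwise CCMP+TKIP, AKM PSK) and WPA3-Personal
WPA2_MIXED = bytes.fromhex("0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000")
WPA3_SAE = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac08 c000")
```

Run `classify(parse_rsn(WPA2_MIXED))` to see the TKIP warning the video describes; the WPA3 sample returns no warnings.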