The document discusses various network hardening techniques, including encryption basics, wireless network hardening, and security policies. For encryption basics, it explains that encryption scrambles data and relies on keys to unscramble it at the receiving end. It discusses symmetrical and asymmetrical encryption. For wireless network hardening, it describes methods like MAC address filtering and different types of wireless encryption standards. It notes security policies establish allowed network activities and give administrators authority to enforce security measures.
2. Page 2
Instructor, PACE-IT Program – Edmonds Community College
Areas of Expertise Industry Certifications
PC Hardware
Network Administration
IT Project Management
Network Design
User Training
IT Troubleshooting
Qualifications Summary
Education
M.B.A., IT Management, Western Governor’s University
B.S., IT Security, Western Governor’s University
Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.
5. Page 5
Encryption is the process of taking a message and scrambling the data so that it can't be read if intercepted.
Encryption relies upon the fact that the receiver of the scrambled data has the key that allows it to unscramble the data and put the message back together.
The strength of the encryption is usually determined by the strength of the key. Key strength is measured by the key's length in bits: the more bits it has, the stronger the key is.
Network hardening techniques II.
6. Page 6
– Encryption types.
» Symmetrical: both ends use the same key to encrypt and decrypt messages; PSK (pre-shared key) is symmetrical in nature.
» Asymmetrical: two different security keys are used in an arrangement called PKI (public key infrastructure). The private key encrypts the message and the public key decrypts the message.
• On the return, the original receiver encrypts with the original sender's public key, which then gets decrypted with the private key.
– Asymmetrical encryption key types.
» EAP-TLS (Extensible Authentication Protocol-Transport Layer Security): requires the use of a certificate authority (CA) that is trusted by both parties.
• The CA provides the certificates to both parties that allow for the generation of both the public and private security keys.
• Very secure, but it is difficult to manage and maintain.
» TTLS (Tunneling Transport Layer Security): as secure as EAP-TLS, but only the authentication server receives a certificate for the key generation process, and it is easier to manage.
8. Page 8
Wireless networks can represent a special challenge in the network hardening process.
The goal of most hardening techniques is to keep nefarious elements from ever seeing the network traffic. But with wireless networks, that is all but impossible as the traffic is broadcast over known radio frequency (RF) channels. This traffic is subject to capture, and the transmissions inform any who care that an active wireless network is present.
There are steps that can be taken—encrypting the traffic—to make sure that, even if the network traffic is captured, it cannot be read. This helps keep the network traffic safe and the network from being breached.
9. Page 9
– MAC address filtering.
» MAC address filtering can be used to limit which devices can connect to the wireless network.
• If an unknown MAC address attempts to connect to the network, it is ignored by the wireless access point (WAP).
• While MAC filtering can be effective, it can be difficult to manage and it is also possible to spoof MAC addresses.
– Basic authentication and encryption.
» WEP (wired equivalent privacy): an encryption standard that uses either a 40-bit or 128-bit encryption key and the RC4 algorithm to authenticate and encrypt devices. It uses a pre-shared key (PSK) as a password or passphrase to authenticate users.
• It is easily cracked and should not be used.
» WPA (Wi-Fi Protected Access): an authentication and encryption standard that improved upon WEP, but still uses PSK and the RC4 algorithm. It also introduced Temporal Key Integrity Protocol (TKIP), which generates a new security key—with a strength of 128 bits or greater—for every packet.
• It is not as easily cracked as WEP, but it can still be cracked and should not be used.
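MAC address filtering as the slide describes it, implemented as an added example (not PACE-IT material) over a constructed allow list and a constructed set of association attempts. It shows the two practical points raised above: the management burden, since addresses get written in several formats (colons, dashes, Cisco dotted notation, mixed case) and must be normalized before comparison, and the fact that the access point only ever sees the address a client claims, so denied attempts are logged and counted for an administrator to review rather than silently dropped.

```python
"""Allow-list MAC filtering for a wireless access point.

Added example, not PACE-IT material. The allow list and the association
attempts are constructed sample data, not from any real network.
"""
import re
from collections import Counter

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonical form: twelve lowercase hex digits joined by colons.
    Raises ValueError for anything that is not a 48-bit address."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_allow_list(entries) -> set:
    """Normalize every entry so formatting differences cannot cause a miss."""
    return {normalize_mac(e) for e in entries}


def filter_attempts(allow_list: set, attempts):
    """Yield (address, decision) per association attempt: 'allow' if the
    claimed MAC is listed, 'deny' otherwise, 'malformed' for garbage."""
    for raw in attempts:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            yield raw, "malformed"
            continue
        yield mac, ("allow" if mac in allow_list else "deny")


def denied_summary(results) -> Counter:
    """Count denials per claimed address; repeated denials from one address
    are what an administrator would look at when reviewing the WAP log."""
    return Counter(mac for mac, decision in results if decision == "deny")


# Constructed sample data.
ALLOW_LIST_RAW = ["00:11:22:AA:BB:CC", "00-11-22-aa-bb-cd", "0011.22aa.bbce"]
ATTEMPTS_RAW = [
    "00:11:22:aa:bb:cc",   # listed, colon form
    "00:11:22:AA:BB:CD",   # listed, but written with dashes in the list
    "0011.22aa.bbce",      # listed, Cisco dotted form
    "de:ad:be:ef:00:01",   # unknown device
    "de:ad:be:ef:00:01",   # unknown device, retrying
    "de:ad:be:ef:00:01",
    "not-a-mac",           # malformed address field
]


def run() -> dict:
    allow = load_allow_list(ALLOW_LIST_RAW)
    results = list(filter_attempts(allow, ATTEMPTS_RAW))
    return {"results": results, "denied": denied_summary(results)}


if __name__ == "__main__":
    out = run()
    for mac, decision in out["results"]:
        print(f"{decision:9s} {mac}")
    print("denied per MAC:", dict(out["denied"]))
```

Because the decision is made purely on the claimed address, a denial count tells the administrator that something unlisted is trying to join; it cannot tell whether an allowed address is genuine, which is the spoofing limitation the slide notes and the reason the next slides add encryption and authentication on top.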
10. Page 10
– Basic authentication and encryption continued.
» WPA2-Personal is an authentication and encryption standard that improved upon WPA. It does not rely upon the RC4 encryption algorithm, but it does use the AES (Advanced Encryption Standard) as its algorithm. It can use the PSK method, but this is not required (and it can also dynamically assign security keys).
• While it is theoretically possible to crack WPA2-Personal, it would be extremely difficult to do so; this should be the minimum level of security on any wireless network.
– Advanced authentication and encryption.
» WPA2-Enterprise forms a portion of the 802.1x standard. It is used to authenticate users on a wireless network and uses one of the forms of Extensible Authentication Protocol (EAP) in setting up the encryption.
• A central authentication server is required for 802.1x, which allows for greater control over the authentication process.
• EAP is actually a set of definitions for how security keys will be exchanged in order for encryption to take place.
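The rules from the last two slides (no WEP, no WPA/TKIP, WPA2 with AES as the minimum, and a central authentication server whenever 802.1X/EAP is in use) turned into a configuration check, as an added example that is not PACE-IT material. It audits an access point configuration in the hostapd.conf key=value format; the option names used (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, ieee8021x, auth_server_addr, wep_key0, macaddr_acl, accept_mac_file) are hostapd's, while the weak and hardened configurations themselves are constructed samples, one with the legacy settings the slides say not to use and one meeting the WPA2-Enterprise bar.

```python
"""Audit a hostapd-style access point configuration against the minimum
the slides set out.

Added example, not PACE-IT material. Option names follow hostapd.conf;
both configurations below are constructed samples.
"""


def parse_conf(text: str) -> dict:
    """key=value lines; '#' comments and blank lines ignored, last value wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict) -> list:
    """Return a list of findings; an empty list means the config meets the bar."""
    findings = []
    wpa = int(conf.get("wpa", "0"))        # hostapd: bit0 = WPA, bit1 = WPA2/RSN
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    pairwise = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()

    if any(k.startswith("wep_key") for k in conf):
        findings.append("WEP key configured: WEP is easily cracked and must not be used")
    if wpa == 0:
        findings.append("wpa=0: no WPA/WPA2 protection; WPA2 is the minimum")
    if wpa & 1:
        findings.append("wpa bit0 set: original WPA (RC4/TKIP) still accepted; use wpa=2")
    if "TKIP" in pairwise:
        findings.append("TKIP cipher allowed: require CCMP (AES) only")
    if wpa & 2 and "CCMP" not in pairwise:
        findings.append("WPA2 enabled without CCMP: set rsn_pairwise=CCMP")

    enterprise = "WPA-EAP" in key_mgmt or conf.get("ieee8021x") == "1"
    if enterprise and not conf.get("auth_server_addr"):
        findings.append("802.1X/EAP without auth_server_addr: WPA2-Enterprise needs a central authentication server")
    if "WPA-PSK" in key_mgmt and not (conf.get("wpa_passphrase") or conf.get("wpa_psk")):
        findings.append("WPA-PSK selected but no passphrase/PSK set")

    if conf.get("macaddr_acl") == "1" and not conf.get("accept_mac_file"):
        findings.append("macaddr_acl=1 (allow-list mode) but no accept_mac_file")
    return findings


def audit_text(text: str) -> list:
    return audit(parse_conf(text))


WEAK_CONF = """\
# constructed sample: legacy settings the slides say not to use
interface=wlan0
ssid=corp-legacy
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=changeme
wep_key0=ABCDEF0123
macaddr_acl=1
"""

HARDENED_CONF = """\
# constructed sample: WPA2-Enterprise backed by a RADIUS server
interface=wlan0
ssid=corp
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=example-secret
macaddr_acl=1
accept_mac_file=/etc/hostapd/allowed.macs
"""


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}:")
        for finding in audit_text(text) or ["OK"]:
            print("  -", finding)
```

Run against the weak sample it reports the WEP key, the WPA bit, the TKIP cipher and the incomplete MAC allow-list; the hardened sample passes because WPA2/CCMP is the only mode offered and the EAP setting is paired with an authentication server address.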
12. Page 12
While security policies are only written documents, they can actually do quite a bit to harden a network against a breach.
Security policies document or outline what is allowed or not allowed to occur on the network from a security point of view. They are usually crafted at the upper layer of management with the help of knowledgeable IT personnel.
Security policies give administrators the authority to put into place measures to protect the security of the network. In many cases, they also give administrators the authority to enforce the policies that lead to a hardened network.
13. Page 13
Network hardening techniques II.
Topic: Encryption basics.
Summary: Encryption is the process of keeping an intercepted message from being read and understood. Encryption relies upon the receiver of the message having the key to unscramble the data. The encryption key may be symmetrical (the same key is used) or asymmetrical (two different keys are used). Asymmetrical key generation may use EAP-TLS or TTLS.
Topic: Wireless network hardening.
Summary: By their very nature, wireless network transmissions are easy to intercept. In order to keep the network secure, different methods may be used. One of those methods is MAC filtering and another is encryption. Basic encryption types for wireless networks include: WEP, WPA, and WPA2-Personal. WPA2-Enterprise is a more advanced form of encryption and involves the use of an authentication server.
Topic: Security policies.
Summary: Network security policies establish what is and what is not allowed on networks. These documents are usually written at the upper layers of management in an organization. Security policies allow administrators to put security measures in place and often give them the authority to enforce those policies.
15. This workforce solution was 100 percent funded by a $3 million grant awarded by the
U.S. Department of Labor's Employment and Training Administration. The solution was
created by the grantee and does not necessarily reflect the official position of the U.S.
Department of Labor. The Department of Labor makes no guarantees, warranties, or
assurances of any kind, express or implied, with respect to such information, including
any information on linked sites and including, but not limited to, accuracy of the
information or its completeness, timeliness, usefulness, adequacy, continued availability
or ownership. Funded by the Department of Labor, Employment and Training
Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and services are
available upon request to individuals with disabilities. For those that are hearing
impaired, a video phone is available at the Services for Students with Disabilities (SSD)
office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call
425.354.3113 on a video phone for more information about the PACE-IT program. For
any additional special accommodations needed, call the SSD office at 425.640.1814.
Edmonds Community College does not discriminate on the basis of race; color; religion;
national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran
status; or genetic information in its programs and activities.