350-401 ENCOR – Cisco CCIE Enterprise – Security part 6
January 27, 2023

20. Wireless Authentication Methods

Let us learn about wireless authentication methods. We know that WEP came first, and most of the hardware at that time supported WEP-based authentication. But we also know the problem with WEP: it does not have a strong encryption method. It uses RC4, and the encryption key length is small. So Cisco introduced a more secure authentication method, LEAP (Lightweight EAP). In LEAP the authentication server and the client exchange username and password and do some sort of mutual authentication. After some time it was found that LEAP has problems, and it is recommended not to use it.

So the industry then moved to a new authentication method, EAP-FAST (Flexible Authentication via Secure Tunneling). At this point a genuinely secure authentication method was introduced, and here you find the concept of an inner and an outer tunnel. You have an outer tunnel, and inside it you have the inner tunnel, so you have two types of authentication, or you can say authentication happens twice: the external and the internal. When we talk about EAP-FAST, and you will see this again in the upcoming authentication methods, we have something called a PAC file (PAC stands for Protected Access Credential), which is something like a dynamic credential: every client should have that PAC file, and with it the client is authenticated by the secure server, that is, the identity services server. Now, what happens in EAP-FAST is that we have phases. Here you can see clearly that we have phases zero, one and two. In phase zero, the PAC is generated, provisioned and installed on the client, so all the clients have the PAC. In phase one, after the supplicant (we know who the supplicant is) and the authentication server (AS), say for example ISE, have authenticated each other, they negotiate a TLS tunnel.

So the supplicant and the authentication server form a TLS (Transport Layer Security) tunnel; this is the outer TLS. Then you have phase two, where the end user is authenticated through the TLS tunnel for additional security; that is the inner channel. So here you can see in the notes that we have two separate authentication processes, one between the AS and the supplicant and another for the end user, and these occur in a nested fashion: one is the outer tunnel, and the inner authentication happens inside the TLS tunnel. Now, what are the key components of the PAC? The PAC has three components. One is the PAC-Key, a key of up to 32 octets used to establish the tunnel. Then we have the PAC-Opaque, which contains the credentials. Finally we have the PAC-Info, which holds the key lifetime and a variable-length field used to pass information about the PAC: who issued it (the PAC issuer) and the lifetime. So remember, the key thing here is the three phases, because all the authentication methods that follow, and whatever we use today with wireless technology, use the same type of methodology. Next you will see the evolution of authentication. After EAP-FAST we have PEAP, Protected EAP. Everything stays the same; the only difference is that we are going to use a certificate.
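The three PAC components described above, as an added example that is not part of the lecture: a small Python parser for a PAC TLV, with the attribute type codes taken from RFC 4851 (PAC-Key, PAC-Opaque, PAC-Info carrying PAC-Lifetime and I-ID), run over a constructed sample PAC. It also shows the check a supplicant makes before phase 1: a PAC past its lifetime has to be re-provisioned in phase 0.

```python
import struct

PAC_TLV = 11                  # outer TLV that carries the whole PAC
# attribute types inside the PAC TLV (RFC 4851, section 4.2.13)
PAC_KEY, PAC_OPAQUE, PAC_LIFETIME, I_ID, PAC_INFO = 1, 2, 3, 5, 9
PAC_KEY_LEN = 32              # PAC-Key is a 32-octet key used to derive the tunnel key

def parse_tlvs(data: bytes) -> list:
    """Split a TLV sequence into (type, value) pairs; the M and R bits are masked off the type."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated TLV header")
        t, ln = struct.unpack_from("!HH", data, pos)
        pos += 4
        if pos + ln > len(data):
            raise ValueError("TLV length exceeds buffer")
        out.append((t & 0x3FFF, data[pos:pos + ln]))
        pos += ln
    return out

def parse_pac(pac_tlv: bytes) -> dict:
    """Return the PAC-Key, PAC-Opaque and PAC-Info fields (lifetime, I-ID)."""
    outer = parse_tlvs(pac_tlv)
    if len(outer) != 1 or outer[0][0] != PAC_TLV:
        raise ValueError("expected exactly one PAC TLV")
    pac = {"key": None, "opaque": None, "info": {}}
    for t, v in parse_tlvs(outer[0][1]):
        if t == PAC_KEY:
            if len(v) != PAC_KEY_LEN:
                raise ValueError(f"PAC-Key must be {PAC_KEY_LEN} octets, got {len(v)}")
            pac["key"] = v
        elif t == PAC_OPAQUE:
            pac["opaque"] = v             # meaningful only to the server that issued the PAC
        elif t == PAC_INFO:
            for it, iv in parse_tlvs(v):  # PAC-Info is itself a TLV sequence
                if it == PAC_LIFETIME:    # expiry time, seconds since 1970-01-01 UTC
                    pac["info"]["lifetime"] = struct.unpack("!I", iv)[0]
                elif it == I_ID:          # identity of the client the PAC was issued to
                    pac["info"]["i_id"] = iv.decode()
    if pac["key"] is None or pac["opaque"] is None or "lifetime" not in pac["info"]:
        raise ValueError("PAC lacks PAC-Key, PAC-Opaque or PAC-Lifetime")
    return pac

def check_pac(pac_tlv: bytes, now: int) -> str:
    """Decide whether a stored PAC may be used in phase 1 or must be re-provisioned (phase 0)."""
    try:
        pac = parse_pac(pac_tlv)
    except ValueError as exc:
        return f"reject: {exc}"
    return "ok" if now < pac["info"]["lifetime"] else "reject: PAC lifetime expired, re-provision"

def tlv(t: int, v: bytes) -> bytes:
    return struct.pack("!HH", t, len(v)) + v

def build_sample_pac(lifetime: int, key_len: int = PAC_KEY_LEN) -> bytes:
    """Constructed sample PAC (not a real credential) for exercising the parser."""
    info = tlv(PAC_LIFETIME, struct.pack("!I", lifetime)) + tlv(I_ID, b"alice@example.org")
    body = tlv(PAC_KEY, b"\xab" * key_len) + tlv(PAC_OPAQUE, b"\x00" * 40) + tlv(PAC_INFO, info)
    return tlv(PAC_TLV, body)
```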

So the AS (authentication server), or ISE, presents a digital certificate to authenticate itself to the supplicant in the outer authentication. Remember: outer and inner. In the outer authentication they use the certificate and form the TLS tunnel, and then the inner authentication happens. That's the key: outer and inner. And these are the phases we have. So in phase one, with the help of a CA (certificate authority) the certificate validation happens, and then the outer TLS tunnel gets formed. Here you can notice that for PEAP only the AS has a certificate. The client does not have or use a certificate of its own.

So the client must be authenticated within the TLS tunnel using one of the following methods: MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2), or GTC (Generic Token Card), a hardware device that generates a one-time password for the user, or a manually generated password. So remember: now you have the certificate, and then you have the TLS tunnel. The next, and the most secure, version of authentication we have is EAP-TLS. What happens in EAP-TLS? Here again we have a certificate, but in this case we use certificates everywhere. The difference is that EAP-TLS goes one step further by requiring a certificate on the AS and on every client device. Now if you have thousands and thousands of clients, distributing a certificate to every client may be a complex solution.

So there should be some way to manage that, and yes, we have one. EAP-TLS is considered the most secure wireless authentication method, that is the first thing. And since both the authentication server and the clients have certificates, you should have some sort of public key infrastructure (PKI), so that someone manages the certificates for the server and the clients and the complexity is reduced. But yes, EAP-TLS is the most secure method we have. There may be some hardware that does not support EAP-TLS, and in that case we can go one step back and use PEAP. But in most places, and in secure IT infrastructures, you will find that EAP-TLS is being used.
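PEAP's security rests on the supplicant validating the server certificate in the outer authentication, because the client then sends its MS-CHAPv2 credentials inside that tunnel; EAP-TLS additionally needs the client certificate and key. As an added example (not from the lecture), this Python linter audits constructed wpa_supplicant-style network blocks for those settings; the option names (ca_cert, domain_suffix_match, phase2, client_cert, private_key, anonymous_identity) are real wpa_supplicant keys, while the profiles, paths and names are made up.

```python
import re

# Constructed profiles: weak PEAP, hardened PEAP, and EAP-TLS with certificates on both sides.
SAMPLE_CONF = '''
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.org"
    identity="alice@example.org"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="ise.example.org"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="ise.example.org"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
}
'''

def parse_networks(conf: str) -> list:
    """Return one {option: value} dict per network={...} block, quotes stripped."""
    nets = []
    for block in re.findall(r"network=\{(.*?)\}", conf, re.S):
        opts = {}
        for line in block.strip().splitlines():
            key, _, value = line.strip().partition("=")
            opts[key] = value.strip().strip('"')
        nets.append(opts)
    return nets

def audit(net: dict) -> list:
    """Findings for one block: check the outer-tunnel trust first, then the inner method."""
    findings = []
    eap = net.get("eap")
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted, so the outer TLS tunnel proves nothing about who reads the inner credentials")
    elif "domain_suffix_match" not in net and "altsubject_match" not in net:
        findings.append("no domain_suffix_match: any certificate from the trusted CA is accepted")
    if eap == "PEAP" and "anonymous_identity" not in net:
        findings.append("no anonymous_identity: the real username is sent unprotected in the outer EAP Identity")
    if eap == "TLS":
        for key in ("client_cert", "private_key"):
            if key not in net:
                findings.append(f"EAP-TLS without {key}: the client has no certificate to present")
    return findings
```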

21. Wireless Privacy & Integrity

22. 5.5 Welcome

Now we reach 5.5. This is the last subsection in section five, where we have to understand the security design related to threat defense, endpoint security, next-generation firewall and TrustSec.

And finally we have to discuss 802.1X, MAB and WebAuth. So let's begin and learn all these things one by one.

23. Components of Security Design Model

Let us understand the components of a security design model, or how our design model should look. If you look at the traditional model, you have your data center and your branches, and whenever you go to the internet, you go via your data center. Whether it is a fixed network or a roaming client, in both cases corporate traffic used to reach the internet via the data center, where I have the central firewall, and then it goes outside. That is the old network. In the new network, you can see that the circle, meaning the perimeter, has grown.

So everything, whether it is a branch, the head office or HQ, the data center, et cetera, is secured, or should be secured. But there is one catch: because the design is changing, we should change our security perimeter, or security model, as well. Why is the design changing? Because now we are shifting load to the cloud as well. Whether it is the head office, a branch or a roaming client, everyone wants to access resources in the cloud. So what is happening is that we want some sort of local breakout to the nearest available cloud, and that is the key. So you can see that the perimeter has grown, and you want to provide security there. In this region, where you have infrastructure as a service, software as a service and platform as a service, you want to go and use these resources directly.

Again, we want to use all these resources directly. Whether it is HQ, a branch or a roaming user, everyone wants to connect with some sort of security plugin and use resources in the cloud or over the internet. Now, if our resources are on the internet, our threat surface is 100%: we are exposed to the internet, maybe we are vulnerable, and maybe we are an attractive target for attackers as well, who can exploit some problem in our code or in our operating system and try to gain access to the network. One solution Cisco offers is Cisco Umbrella, but there are other solutions as well, for example Zscaler, another cloud security provider that we can integrate. In a cloud security provider we have multiple options, for example URL filtering, cloud-based firewalling, proxy features, et cetera. Once we are exposed to the cloud and to the internet, our challenges increase, because we are prone to malware and ransomware attacks, there are chances of accounts or network details being compromised, someone can gain higher privileges on the network, and attackers can perform denial-of-service attacks against DNS or any other service. There are plenty of such attacks, and they are easy to launch because the tools are publicly available. So here you can see: chances of malware and ransomware attacks, chances of accounts being compromised, chances of a data breach, because we have a gap in visibility and we are not actually providing the security layers. Whenever you check the security recommendations, it is recommended that you use security in layers.

Suppose layer one is breached, then layer two is breached, even layer three is breached; you are still secure. So what does security in layers mean? We'll see in the upcoming slides. We are prone to different types of attacks like malware, phishing, callbacks, C2, et cetera, because we haven't divided our security into layers, and that's the key. So when we talk about dividing the perimeter, or dividing the devices, into layers, you can see that you have the last line, you have the mid layer, and then your first layer, which you will see in the next slide. Your last mile is the endpoint, the user, where you can put antivirus software, the AMP for Endpoints software, or maybe a VPN is connected there.

So we should protect the endpoint, with not just some security but a fair bit of security. Whenever an endpoint opens any web page, it should be secure, with a digital certificate, et cetera. That's the first thing for the last mile: we can have AMP for Endpoints, we can have antivirus, et cetera. Then what about the mid layer? In the mid layer, if it is a data center, we can analyze the flows, we can have a proxy, sandboxing, a next-generation firewall, and other security devices as well.

If it is a small branch, there also we can put routers with ACLs, and on the routers we can do zone-based firewalling as well, right? So these types of security enhancements and features we can put in place, but we are still looking for the first level of defense. The first line, or level, of defense is DNS. DNS security becomes the first level of defense because anyone trying to gain access will come along this path, so you want a secure layer on this particular path, and there are multiple options. Again, you can use any cloud security provider; one common cloud security provider is Zscaler, Cisco also has Cisco Umbrella, and there are other vendors we can check. All right, so let's stop here.
