1
00:00:00,780 --> 00:00:06,150
Before we move on to those security solutions that fulfill their promises, it would be good to mention those

2
00:00:06,150 --> 00:00:06,760
that don't.

3
00:00:11,310 --> 00:00:18,830
Disabling SSID broadcasting has already been brought up. Even if we turned the broadcast off, the SSID

4
00:00:18,910 --> 00:00:27,090
would still be emitted, as these IDs are in clear text in probe request, probe response, association

5
00:00:27,090 --> 00:00:30,430
request and reassociation request packets.

6
00:00:30,570 --> 00:00:33,310
You can't hide it.

7
00:00:33,380 --> 00:00:41,190
The first thing I'd like you to remember from this course is a warning not to turn off the SSID broadcasting.

8
00:00:41,210 --> 00:00:46,490
At best, this will not affect your WLAN security, but if you're less lucky, you can decrease the security

9
00:00:46,490 --> 00:00:47,360
substantially.

10
00:00:52,110 --> 00:00:56,890
Static IP addresses can also be used to enhance security.

11
00:00:56,960 --> 00:01:02,160
Almost all access points provide DHCP server services.

12
00:01:02,180 --> 00:01:09,430
This means that they allow connected clients to automatically configure the IP protocol. DHCP servers,

13
00:01:09,430 --> 00:01:13,650
however, are definitely not built with security in mind.

14
00:01:13,670 --> 00:01:17,530
It would then seem logical to disable the server.

15
00:01:17,530 --> 00:01:24,340
This, however, does little to improve security. Even though in this case an attacker who connects to an

16
00:01:24,340 --> 00:01:30,640
access point would have to manually configure the IP address and default gateway, the information needed

17
00:01:30,640 --> 00:01:35,460
for configuration is transmitted by an access point in clear text in UDP packets.

18
00:01:38,280 --> 00:01:45,580
UDP is a broadcast protocol and can certainly be received publicly. This method only manages to delay

19
00:01:45,580 --> 00:01:47,390
an attack by a minute or two.

20
00:01:52,000 --> 00:01:57,570
The third solution is MAC address control, as you can see in the picture above.

21
00:01:57,660 --> 00:02:01,420
All access points support adding a trusted MAC address list.

22
00:02:02,660 --> 00:02:10,030
This method is sometimes exaggeratedly referred to as a MAC address based authentication mechanism.

23
00:02:10,050 --> 00:02:15,620
What it really amounts to is simple filtering. As you know from previous lectures,

24
00:02:15,630 --> 00:02:19,090
it's very easy to change a MAC address.

25
00:02:19,240 --> 00:02:22,820
It's just as easy to capture it, as it's not secured in any manner.

26
00:02:23,550 --> 00:02:28,220
We're in the OSI model layer two, occupied by WPA, WPA2.

27
00:02:28,240 --> 00:02:37,580
Or rent the security measures protect data transmitted in upper layers, but not in the second layer. Enabling

28
00:02:37,580 --> 00:02:43,810
the filtering of MAC addresses will simply make your life harder. In large WLANs

29
00:02:43,810 --> 00:02:51,470
there are many different Wi-Fi clients, for example people from other branches of the company. The MAC

30
00:02:51,470 --> 00:02:54,110
address white list should be updated manually.

31
00:02:55,390 --> 00:03:02,240
There's no automatic mechanism for that. Keeping a network like that would consume enormous amounts of

32
00:03:02,240 --> 00:03:06,470
effort and time, and the security benefits that come with it are negligible.

33
00:03:11,000 --> 00:03:12,650
Another approach you might come across

34
00:03:12,650 --> 00:03:15,950
is that since we can't control radio wave access,

35
00:03:16,040 --> 00:03:22,010
we should at least try to reduce the range of reception. You can do this by lowering the strength of

36
00:03:22,010 --> 00:03:24,300
the signal emitted by access points.

37
00:03:25,960 --> 00:03:33,060
We can also use special paints to coat the rooms that contain access points and servers. These paints

38
00:03:33,060 --> 00:03:36,290
are quite expensive, and it's doubtful whether they're truly effective.

39
00:03:38,610 --> 00:03:43,620
They do block out transmitted signals to some degree, but they don't warrant that an outside user will

40
00:03:43,620 --> 00:03:45,770
not be able to connect to your access point.

41
00:03:48,030 --> 00:03:54,380
Artificially reducing access point and signal strength only makes it difficult for authorized users.

42
00:03:54,490 --> 00:04:02,640
They'll have problems connecting to a network. An attacker can always afford a bigger antenna.

43
00:04:02,840 --> 00:04:04,540
And we're back to the rule:

44
00:04:04,580 --> 00:04:06,590
the bigger the antenna, the better.