On Classroom Education
By CWNP on 11/06/2009
I had a bit of a work vacation two weeks ago. I spent the week auditing a CWSP class with David Coleman (author of the CWNA study guide). Unfortunately, taking a week to do something like this doesn’t mean that my other responsibilities magically disappear, so it made for a busy week and a long commute through the bottomless traffic pit that is Hotlanta. Nonetheless, it was a great experience just sitting in the back, observing and participating in the structured and systematic 802.11 security education.
My favorite part of these classes is the first day, as different personalities pile into the room. You get a chance to take inventory of the week to come and see what you’re up against. I’m finding that IT is no discriminator of people. Surprisingly, we had a pretty normal set of attendees that week, but Forrest’s mom nailed it down with her comment about boxes of chocolates. You get all kinds in these classes. Some folks show up early and want to argue minutiae for hours on end, while others crash in late after long nights of cocktails. Either way, unique IT folks spending a week together can be fun. :)
Regardless of the peers with whom you spend the week, instructors make all the difference in the value of the class. David was reaching the end of the new CWSP book (set to release sometime near the beginning of next year) the week of class, so I’m pretty sure 802.11 security was oozing out of his ears. This made him a wealth of information on many of the details. On the other hand, I imagine he was ready to put the topic of security to bed for a few months. Writing a very detailed book like that probably made him want to throw up when he heard the word EAP. In fact, I came back from lunch one day and he was in the fetal position in the corner of the room asking why his editors wouldn’t just leave him alone. We lifted his spirits with some candy apples. :)
Whenever I attend a class like that or read a good security book it makes me want to consume every bit of information available on the topic. Of course, that wanes after a few days of catching up in the daily grind, but these classes help me to realize just how much there is to know and just how little of it I actually know. In fact, it reminds me of a great quote by one of my favorite authors. “The man who thinks he knows something does not yet know as he ought to know” (anyone know who wrote that?). In other words, as you gain insight about a complex topic, you begin to realize just how much there is to know about that topic. So, if you think you know it all, you’re just wrong. If you actually know something about it, you’ll acknowledge that you don’t know much. Twisted logic perhaps, but true.
Here’s a sample of the grueling, mind-numbing, and exciting topics we talked about all week.
· EAP types – we walked through each of the 7 or 8 most popular EAP types looking at the complete frame exchange for each one. We talked about tunneled vs. non-tunneled EAP types, vulnerabilities in the process, what is and isn’t hashed, whether the username is exposed, whether mutual authentication occurs, whether dynamic encryption keys are produced, what types of authentication are supported, etc. As a fundamental security mechanism for WLANs, the importance of understanding EAP types shouldn’t be underestimated.
· Roaming and Fast BSS Transitions (FT) – we looked at and dissected the common types of fast roaming… preauthentication, PMK caching (fast roam back), opportunistic key caching (OKC), 802.11r, and proprietary mechanisms as well. When you get to 802.11r, you’ll need a locksmith to figure out all those keys, key associations, and key IDs. Oh, and the new key establishment handshakes are fun too.
· Encryption – we talked about the workflow of each of the common encryption processes, looking at why WEP is deprecated, what improvements TKIP made on it (and why it’s still not perfect), and how CCMP creates strong data confidentiality.
Of course, we also talked about the WLAN security basics: network attacks, WIPS, endpoint security, remote networks, weak protocols, understanding frame traces, device management, etc. We cracked LEAP, WPA, and WEP, performed deauths, jamming attacks, spoofed MACs, NAV-based attacks, and on and on.
Unfortunately, I was only an auditing member of the class and not a paying student, so I could only harass David in limited quantities. I had to play the deferential back-of-the-room class auditor so he didn't throw me out. Maybe it was better that way… I wouldn’t want him in the corner crying again. In all seriousness, having an expert instructor teach these topics in an orderly and systematic fashion is a highly valuable experience. A few members of the class spoke out about the great knowledge they gained during the week. They noted several vulnerabilities in their current security solution, so I’m sure the week paid for itself many times over. If you have a chance, find a learning center and enroll. You’ll be glad you did.