On today’s Heavy Wireless Keith Parsons and Jennifer (JJ) Minella discuss transitioning from WPA2 to WPA3, including pros and cons, managing the project, and supporting WPA2 and WPA3 simultaneously. They also discuss the importance of thorough testing and preparation before making any major security transitions—especially for organizations with thousands of devices. JJ also shares resources for those who want to learn more about wireless security.
JJ is founder and Principal Advisor at Viszen Security, and a trainer and author. She also blogs at Security Uncorked and at Packet Pushers.
Show Links:
Security Uncorked – Jennifer’s blog
Secure Wi-Fi Migrations: A WPA3 How-To – YouTube
Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise – Wiley
Transcript:
[This transcript was generated automatically and is presented as is without editing or error correction.]
Speaker 0 [Keith] (00:00:01) – Hello again. This is Keith Parsons with Heavy Wireless, a podcast that’s part of the Packet Pushers podcasting network. And today we’re gonna be talking about a deep dive that Jennifer Minella gave at WLPC, specifically on, uh, Wi-Fi security. Jennifer, how are you?
Speaker 1 [JJ] (00:00:18) – I’m doing great. Hi, Keith.
Speaker 0 (00:00:19) – Well, uh, a couple days ago I read an article you posted on LinkedIn about your reaction to the deep dive. You taught in some of the observations, and I thought this would make a great podcast for, we need more people to hear about the things you found out. Uh, so can you just kind of tell us about the deep dive, what was the contents, and, and then we’ll after that we’ll kinda lead into what the, the results and observations were?
Speaker 1 (00:00:45) – Absolutely. Yeah, it was, that was a fun thing. So that was my first, um, you know, teaching experience at WLPC. Um, and this content is at my Security Uncorked blog. So it’s a, the article you’re talking about is a very long one, and the observations we’re gonna talk through are kind of almost buried towards midway through. Um, so it’s great to kind of pull these out as actionable stuff. So the Deep Dive was based on my secure Wi-Fi design class, which was kind of a mini workshop style training. Um, and of course, before I was working with you for WLPC, the exercises were a little more like planning and kind of paper-based. Um, so we converted this to something that was more hands-on and I needed to kind of like zero in on something that we could get the students through in a, you know, a two half-day session.
Speaker 1 (00:01:32) – So what we did was, um, I kind of pulled out based on, you know, the timing and the temperature of where we are in the world of security and wireless, and said, you know, what would be really great is let’s give people a hands-on opportunity to do a best practice WPA3 security migration. So specifically going from WPA2 to WPA3 on both, um, personal passphrase networks as well as the enterprise 802.1X networks. And, you know, give everybody the opportunity to do that and see what that looks and feels like. And I also knew from obviously, you know, um, client environments and my test environments that some things weren’t going to work, but I mean, you, Keith, you know, like with engineers, we’ve gotta see it not work and feel it not work to understand it not working.
Speaker 0 (00:02:18) – Yeah. We, it’s, and that’s just, it’s just something we do.
Speaker 1 (00:02:22) – Yes, <laugh> you gotta break it before you know how to fix it. So I thought this would be a great opportunity to do that. Um, also kind of self-serving for the community and that I knew with a larger population of people and endpoints, we would have more data points with, you know, which endpoints were behaving or, or misbehaving as the case may be. Um, and so that was kind of the intent of the deep dive, and I think we got exactly what we walked in the door looking for there. So
Speaker 0 (00:02:46) – On the first day it was more a lecture-based kind of like your normal course, right?
Speaker 1 (00:02:51) – Yes.
Speaker 0 (00:02:51) – If people don’t, aren’t, aren’t attending WLPC right now, is there a way they can take that same course material from you elsewhere?
Speaker 1 (00:02:58) – You know, right now, I, uh, there’s not, um, what I’m doing is, is trickling a lot of that out into the Security Uncorked blog. Um, and then distributing it, you know, kind of freely making a lot of that information publicly available, LinkedIn and other social media outlets. Um, I am writing a migration best practice white paper. I’m gonna make freely available to everybody. Um, but from the, the, the, the full class, which is really designed for architecture planning for security, um, I, I do deliver that with ions. Um, and I’ve done it with w you know, you guys at WLPC. Um, so I am not doing that out on my own currently, and there’s a few different reasons for that, but it is something I’ve actually been toying with. But the blog is the best place to get that free content.
Speaker 0 (00:03:44) – Okay. So you, you, you covered the concepts on the first day, and then how did you go about turning it into a hands-on, I mean, those, those are very academic subjects, you could do little planning worksheets. How did you turn that into physical doing things?
Speaker 1 (00:04:01) – That’s a great question, and it was a little bit challenging. It took me a while to work through that. Um, so I had to kind of narrow the scope down because the, if I deliver all of my content, it’s easily four full days’ worth of content with, without, without labs. Um, so I had to kind of, you know, focus the con the instructional part of the content down and then figure out how to do the hands-on lab. The first big hurdle was how do we take, you know, 30 people who are all using and, and in some cases from different manufacturers and get their hands on something that they can, you know, get up and running with quickly. Because you know how it is with any new platform, sometimes it takes, you know, a few days, at least a few hours just to <laugh> figure your way around a user interface.
Speaker 1 (00:04:46) – Um, so it was great. Um, you know, in my role with clients and my role, uh, with, with VARs and integrators, you know, I get hands on a lot of different stuff. I support, uh, environments with a lot of different stuff. Um, and Juniper has been, the Mist platform has been kind of my, my favorite. Um, it’s easy, but it has all of the enterprise features we need. Um, so it’s kind of in that nice little middle area of we could get people up and running, um, quickly with it, but it also had all of the knobs we needed. So, you know, they were kind enough, um, when you guys were working with them to, to get them to, you know, sponsor this and, and provide the hardware for it. Um, so that was the first hurdle was what are we, which pieces parts are we gonna use to do this?
Speaker 1 (00:05:29) – Their cloud-based architecture made it easy. We just needed internet, um, and we were off and running with that. And then it was really just working through what made sense. And, you know, everything that I do, um, the book that this is based on the original training class and the lab, really all of it’s based on real world stuff. I mean, I’m, I’m, you know, came from 20 plus years of an integrator. Um, I still work with clients directly, so I basically created hands-on labs that would mimic what we would do testing in, in a lab prior to a production change.
Speaker 0 (00:06:04) – I’d like to just stop for a moment and, and back up. And I was on, on, on a call talking with, uh, Peter Mackenzie, who’s developed a bunch of courseware along the way. And he, he made a, he made a, a pretty pithy statement that I liked, and I think it fits in this scenario. He said, training should be how to do something and it just happens to be on this platform. So the things you did in the course could, could anyone, even the ones who are other vendors, do it on their platforms in addition to Mist?
Speaker 1 (00:06:35) – Yeah, absolutely. That’s a great point. I love, yeah, I love Peter’s, uh, take on this cuz it’s mine as well. Yeah. I wanted, no matter who walked in the door, if they were using Cisco controllers, Aruba controllers, Aruba Central, Extreme, Ruckus, whatever they were using, I wanted to make sure that this lab and the activities reflected any, any other architecture and environment. I mean, obviously how you, where you go and, and do things is different. Um, but I wanted it to be reproducible in any other enterprise grade wireless solutions. So, um, you know, I specifically stayed away from any of the, you know, ver you know, Juniper. Every manufacturer owns their little, you know, they put their little magic sprinkles on top of everything. Um, so I made sure we didn’t do sprinkles and we just did the vanilla. Everybody has access to these features. Mm-hmm.
Speaker 0 (00:07:24) – <affirmative>. Okay, sorry, I didn’t mean to interrupt there. And so you’re building out these labs to allow people to do this transition. Um, I’m guessing you started with a pre-WPA3 baseline?
Speaker 1 (00:07:39) – We did. Yeah, we did. So the lab starts off with, uh, so once we get into the environment, the lab, um, starts off with taking a WPA2-Personal network. So that’s, you know, a WPA2 network using a passphrase. Um, and we connect a bunch of stuff to it. And I had told the, the students ahead of time, I stayed in contact with them, um, for weeks each week leading up to the event. Um, and so I said, bring whatever you can comfortably pack that’s gonna be like IoT type devices, uh, smart home things, anything you can fit in your bag and you’re, you’re comfortable bringing here, let’s test it. Uh, and so that was where they really, they really showed up and shined because we had, you know, James Garringer who had a whole rainbow of Apple devices from, you know, caveman era up until now.
Speaker 1 (00:08:26) – Uh, Jason came in with all kinds of miscellaneous devices, including an Echo Show, um, and some smart home, um, plugs. So we had all sorts of things to test with, of course with normal, you know, endpoints that people had. So we put everything on these WPA2 networks and every student had their own. Uh, and we, you know, in the lab guide there’s a place to document, you know, what that, that we got everything on there and we have, you know, opportunity to capture that. And then we take that WPA2-Personal network and we change it to a transition mode. So the transition mode for WPA3 would be supporting both WPA2 and WPA3 together on the same SSID being broadcast.
Speaker 0 (00:09:10) – Is there, I just have a, a little side question. Mm-hmm. <affirmative> years ago, what, 15, 18 years ago, we had a transition from WPA1 to WPA2 transition and there was a transition mode as well. So if anyone’s what went through that cycle, one of the downsides was if you left it on and you weren’t supposed to and you kept it on, you had the worst of both worlds. Is this new transition to WPA3 better in that sense, or kind of the same, just a temporary fix?
Speaker 1 (00:09:45) – Yeah, Keith, I feel like asking people how they feel about transition mode is like asking for their favorite, um, flavor of ice cream <laugh>. Oh,
Speaker 0 (00:09:52) – Okay.
Speaker 1 (00:09:53) – Um, but it, it’s kind of polarizing because, you know, there are, well for example, you know, no secret, you know, Stephen Orr who was my, uh, a mentor but also my primary technical editor for the book, the leader of the Wi-Fi Alliance security group, a Cisco distinguished engineer, you know, he hates transition mode. He, if, if, if he had, you know, his magic wand or his Thanos glove, like he would just snap and get rid of any, anything that downgraded newer security. I kind of approach it from, you know, working with large enterprise where some organizations have tens of thousands or hundreds of thousands of these things on the network and we can’t just snap our fingers and move them to something new. We have, we have, we have to do something. So, you know, from that standpoint, there’s using a transition mode network that supports two different kind of degrees or levels of security, has its pros and has its cons.
Speaker 1 (00:10:48) – And that’s one of those things that I think everybody has to take a risk-based approach for to understand for their organization, for the network, for the endpoints and the assets and the data that are accessible through that network. How much do we care about that? And is transition mode an acceptable risk level? Um, in, you know, in all of my guidance I kind of just acknowledge, look, some organizations are gonna have to do this. Um, but really what needs to happen is to have a plan and just like you said, we need to revisit the environment and monitor it. It needs to be a project until you’re off of transition mode. And you know, sometimes Keith, the answer is to still maintain a WPA2 network and I’m gonna, you know, we can talk about that cuz that was one of the, um, recommendations and outcomes from the testing we did.
Speaker 0 (00:11:37) – So you’re, you’re testing a, a bunch of clients and they all did, did you have any fail in the WPA2 phase?
Speaker 1 (00:11:44) – No, everybody was happy and hunky dory when we were on a WPA2 network. No problem.
Speaker 0 (00:11:50) – Okay. Moved on to the transition mode.
Speaker 1 (00:11:52) – Yeah, so we took the same network, didn’t change anything in terms of, you know, name or, or you know, the, the bands that was on or anything else. And we just said, okay, now from the security standpoint, instead of it being WPA2, we’re gonna make it WPA3-Personal transition, which again, supports two and three together. Um, and then what we saw was pretty interesting. So a lot of endpoints made that leap and we could see them. So, you know, in the Mist UI and in anybody’s, I’m sure you can see, you can set the column view to see how the client joined. So if you have a mixed use SSID, you can see which ones joined with WPA2 and which ones joined with WPA3. So let’s say, I’m gonna make up this number, but let’s say, you know, there were, um, you know, 20 endpoints in the, in the sample population here, they were happy on WPA2-Personal, we did the transition mode, we probably lost a third-ish of them, which is a quarter to a third has been consistent, you know, depending on the types of devices I’ve tested with before. Um,
Speaker 0 (00:12:58) – And you think that’s what was the cause because they were happy on two and they should have still been happy on two.
Speaker 1 (00:13:04) – Exactly. So what we kind of dug into, and of course, you know, I went, I went to Magic Peter and, and asked him about this as well, and a couple of the manufacturers. So if a WPA2 endpoint doesn’t make that happy transition to a transition mode, which is also advertising two, where we’re, what we’re seeing is that the endpoint is misbehaving, so it should just ignore an advertised AKM that it doesn’t understand. So if it sees, you know, the cipher suites for WPA2 and WPA3, it should go, I don’t know what the three is, but look, I know what the, I know what the two is, we can do that, let’s do that. But some endpoints are, are they just misbehave and they just completely spazz out when they see something they don’t understand. And I kind of likened it to, you know, if you have a, a sign, you know, if you’re traveling at an international airport and the signs are in maybe German and French and English, um, and I speak English, uh, I, I used to but barely now speak German and I definitely don’t speak any French.
Speaker 1 (00:14:11) – So a normal endpoint is gonna look at the sign and go, okay, I don’t know what the rest of that is, but there’s English, I’m gonna follow the English. Um, the misbehaving endpoint sees the sign and even though there’s English and the endpoint knows English, it just spazzes out and it says, I don’t know what the rest of this is. And it stops trying to associate.
Speaker 0 (00:14:31) – Did you see that? Uh, just to back up to the last transition from one to two, I don’t remember seeing very many clients who, who when we gave them a, a transition from one and two option that they were WPA1 capable and they just worked after we turned on transition mode. I didn’t, I don’t remember this 20, 30% having difficulty.
Speaker 1 (00:14:53) – No, I don’t either. And I, it it’s been so long ago because we’ve had WPA2 for forever, 20 years I think. Yeah, I know. Um, you know, I don’t remember, but I also think, I think that a <laugh>, this is terrible. So many people were still on WEP that I think
Speaker 0 (00:15:13) – <laugh>
Speaker 1 (00:15:14) – Anything was, there was this other, there was this other layer of complexity happening and a lot of upgrades of those endpoints. Um, so, you know, WPA, the original, was kind of short-lived and, and that standpoint. And so no, I don’t remember having this amount of trouble. Now, I don’t know, were they different AKM suites, were they the same? Was it, oh, it
Speaker 0 (00:15:36) – Was actually from, there was even a transition mode from WEP to WPA1 <laugh>, yeah. And all the old WEP guys just, I’ll keep being WEP. The problem was many of our customers kept transition mode for a decade with WEP still being supported the entire time and they didn’t do that risk assessment you had mentioned. So, so you, you in in the lab, you did this, then you found this percent. What was the next step you did in the lab?
Speaker 1 (00:16:04) – Well, we, we dug into that a little more to understand which, so we kind of documented which endpoints weren’t making that transition. Um, then we,
Speaker 0 (00:16:15) – Did you find any telltale signs of these are the kinds that ha had problems or was across the board?
Speaker 1 (00:16:24) – No, and I remember we’re kind of, you know, in, in the grand world of statistics we’re dealing with, it’s
Speaker 0 (00:16:30) – A very small sample set.
Speaker 1 (00:16:31) – <laugh>, it’s a small sample size, so, you know, but, but it is indicative of what I’ve seen in multiple small sample sizes at this point as we’re working with this with clients. Um, don’t, there’s no pattern as far as I can tell. I think, you know, from the Apple standpoint, um, you know, I think James was able to, to kind of draw a line and figure out that the, the operating systems that were created prior to WPA3 being out, because it’s, even though we’re just starting to really use it, it’s been ratified as a, as a standard for a while now. Um, that, that was kind of the dividing line for those devices. But so much of, you know, but that’s kind of a normal user compute device and to me that’s expected. Right. And, and, and so pretty far back, you know, those devices would, would still support the transition mode in WPA3.
Speaker 0 (00:17:25) – So how far back did James find on, I mean, I know he brought a whole box of old Apple things.
Speaker 1 (00:17:31) – He did. You know, I need to, I need to go, I think there’s a Twitter thread on this and I know that we, we talked about it on stage at at WLPC, so, um, and that video is floating around
Speaker 0 (00:17:42) – So people can see that little blurb that came up. I just thought it was, it was, it was pretty far back though. Yeah, it still works. Yeah, it was.
Speaker 1 (00:17:51) – But all of the other stuff are those sort of, you know, air quote IoT type things and smart home devices where they’re just not, they, wireless connectivity was just never a priority aside from the device meeting its bare minimum connectivity requirements. And those are the endpoints that I think we’re gonna have the most trouble with.
Speaker 0 (00:18:15) – And the scary part of this, what you found out was we think transition mode is a pretty smooth option. Oh, we need to move, we’ll just turn on transition mode. But what you found is it, it’s gonna cause some issues just turning it on.
Speaker 1 (00:18:31) – Absolutely. And just for, you know, for context, another piece of anecdote is when I first started testing this in my lab the most, so I have a lot of smart plugs and smart lights and you know, stuff, consumer grade stuff. Mm-hmm. <affirmative> my newest as in like, just purchased a few months prior. Um, smart plug from Samsung. So my very newest smart plug from a known manufacturer would not work on transition mode, whereas a lot of the older random stuff I had would. So yeah, the pattern of saying, okay, if it’s a certain age or if it’s this, this newness or if it’s this manufacturer of that, it’s, there’s just no pattern. Yeah.
Speaker 0 (00:19:16) – That, that’s what the definition of random is
Speaker 1 (00:19:20) – <laugh>. Yeah. Yeah. I wish I had a better answer for that. I, I did kind of poke and I’m still gonna keep poking and actually, Keith, I might circle back with you after this and, and poke you a little bit and see, you know, I talked to, um, you know, Adrian and Peter and a couple of other folks, you know, in a, in a private chat and said, Hey, can we modify, because all I’m, all I’m recommending here is because some endpoints might fail. The best thing to do is just test it. Um, you know, whether, whether you’re using transition mode or WPA3, obviously I prefer you to move it to WPA3 if you can, um, it, whatever you’re gonna do, just test it. And so we’re talking about can we modify one of the normal handheld testing devices to capture that data and then, you know, sanitize that data and maybe put it up in a public domain, uh, where everybody could contribute to, yeah,
Speaker 0 (00:20:11) – Like the, the, there’s a, a client profiler built in the WLAN Pi that pretends to be a super AP, has it joined, it actually doesn’t join, it just captures the frame that allows you to say, oh, this client can do X, Y, Z. Uh, we could probably adjust that profiler to say I’m in transition mode and then see what happens.
Speaker 1 (00:20:34) – Yeah, and that’s what Adrian said. So, you know, the, the, there’s some scripting skills involved that are, you know, uh, beyond my pay grade and expertise in that. So I’m gonna have to, you know, maybe make a community effort outta this and see who wants to tackle that. So open call to anybody who wants to <laugh>.
Speaker 0 (00:20:49) – I do think it would make a very nice community database. Like, uh, we, we use for years from a client database that said, here are the clients that can see these channels in five gig.
Speaker 1 (00:21:03) – Yep.
Speaker 0 (00:21:03) – We just need to augment that and say, oh, we, we also want to know how do they handle transition mode? So maybe we hit up Mike Albano and, and see if we can add, add a couple bits there. Cuz it is when a customer, uh, one of our customers, an end user wants to make this mode, we kind of need to know what’s gonna happen rather than just shoot and say, oh yeah, some of your clients won’t like it. That’s not a really positive thing for a consultant to do.
Speaker 1 (00:21:31) – No, and I’ve seen you, there have been a few professionals, you know, in our, in our space on, on Twitter or LinkedIn saying, well, everything that they’ve tested worked fine and that’s great, but I, but what I’m saying is the rest of us have data that, you know, that experience was not that smooth. And it really depends on what those endpoints are because you know, if my smart plug that turns the lights on the, the tree that I like to look at doesn’t come on no big deal. <laugh>, if I’m in an enterprise environment and we’re talking about something that drives, you know, facilities or operational technology or, or something else that’s business critical, that’s much more important and we wanna know that it’s gonna work or not work. And then if nothing else, my goodness, for all of the networking and wireless people and professionals out there, we don’t want a sudden rash of of user help desk tickets that are almost impossible to troubleshoot because you can’t troubleshoot this remotely if it’s, it stopped trying to associate
Speaker 0 (00:22:35) – And we, and we caused it and then <laugh> and, and the, the, the problem is to fix it means you just have to go totally back
Speaker 1 (00:22:43) – And it does. But Keith, let me throw this out there because one of the other observations we made is even if the endpoint supported transition mode and even when we reverted it to WPA2, a few people did that just, just to test mm-hmm. <affirmative>. So again, the advertised name stayed the same, everything else stayed the same, just the security parameters changed. Some endpoints said, no problem, some endpoints automatically connected and they, you know, from, from WPA2 to transition, um, even back to WPA2 no problem. A relatively large subset of endpoints required manual intervention
Speaker 0 (00:23:26) – And then you, you played this little game of two to transition and you took it back to two and they were still having trouble.
Speaker 1 (00:23:33) – Um, well some of them re re the ones that required manual intervention required it both places. And what that meant was the endpoint understood that something about the SSID and the WLAN advertisement changed even though the name was the same. And it, because of that it said, okay, something else over here changed. I’m not going to automatically reconnect to that. So when I say manual intervention, you know, it can be as simple as, you know, what’s the, they
Speaker 0 (00:24:03) – Had to like go tap the SSID again or something. Yeah.
Speaker 1 (00:24:06) – But you can’t do that with all of those stupid IoT things that you have to kind of pre-configure through Bluetooth with your phone physically next to it.
Speaker 0 (00:24:15) – This is a little scary information.
Speaker 1 (00:24:18) – I I think it’s the kind of information that’s scary if you don’t know it’s there and if you do know, it’s just a, it’s information and a tool to move forward with.
Speaker 0 (00:24:26) – Well it’s, it’s a big warning saying when you make this transition, and we know we all eventually will be transitioning to, to WPA3 at some point, this is just one of those bugaboos we’re gonna have to deal with. And I like your idea just test, test, test, test. Cuz like your, your I I use a, a smart plug specifically for Christmas tree lights and in Alexa it’s called Christmas Tree Lights. So it’s easy to remember, but it only comes out once a year. So I could have easily made a transition and thought all my devices are happy and waited months later before it failed and I would’ve not thought of this issue. Yeah. One, it’s a, it’s a cheap little plug. I probably just would’ve b thought it broken, bought a new one. But when you’re, you, when you’re enterprise and you have hundreds or thousands of something, you just can’t, that’s not the easy solution.
Speaker 1 (00:25:18) – It’s not. And then, you know, the other monkey wrench is if you have what? So in some of the IoT/OT security stuff, I’m, I’m doing, um, you know, some things with s training, CISA round tables, policy documents, um, classified IoT, OT, a few different ways, including your, your LAN-based IoT/OT, which are things that are on Wi-Fi, usually stuff that’s connected by cellular. And then the other group of kind of catchall, which is protocol specific, and those are protocol routed or protocol translated IoT/OT devices that are things like Bluetooth and ZigBee and Thread and the other stuff based on 6LoWPAN, um, some of the private, um, WIN endpoints and then industrial automation, those things, if there is a gateway or a translator involved, um, when they’re on Wi-Fi, don’t th they’re not on Wi-Fi all the time. They’re on Wi-Fi sometimes when they need to be. And so those things pop on and off the network and depending on, you know, the, the bandwidth consumed and the duty cycles of the endpoints and the nature of that application, you, it’s not a persistent device on Wi-Fi. So if you do something at a point in time, you may be missing a subset of endpoints depending on what they are
Speaker 0 (00:26:32) – And you really wouldn’t know for a while.
Speaker 1 (00:26:35) – Right.
Speaker 0 (00:26:36) – O one of the worst kind of cases to troubleshoot is that random. It, it’s just now not working and it could have been months previous or weeks or whatever. Yeah. This is, this is a good topic to talk about now as we’re moving that way. Uh, if you, in your testing, did you also go full WPA3, no transition?
Speaker 1 (00:26:56) – Uh, not for the, well, you know, I kind of let people loose, uh, and, and gave them some optional, um, guided labs to do if they got done early. But there was just so much to do that I don’t, you know, a lot of people didn’t do that. Um, so they were certainly free to do that and some people did, did test that. But the transition mode told us two things together. It told us if the endpoint would do WPA3, and it told us if it was going to misbehave with multiple AKMs that it didn’t understand. So we kind of killed two birds with one lab in that mm-hmm. <affirmative>. Um, and then we moved on to enterprise with the 802.1X authentication.
Speaker 0 (00:27:36) – And anything you found from there,
Speaker 1 (00:27:38) – Nothing crazy. So we didn’t have any failures in our lab. I have not had any failures. I mean, well certainly, let me, let me just define failure here. You know, if an endpoint, most of the endpoints that can do 802.1X are user-based endpoints that are things like compute devices, phones, tablets, laptops, um, but even printers and voice over IP phones as well. Um, but those things tend to be updated and patched more often. And so, you know, the result of that being hopefully that the n um, firmware has been updated and therefore those things are gonna support WPA3 because remember again, you know, the WPA3 has been out for quite a while now we’re just starting to use it. So if that, if that thing’s been updated anytime in the past, you know, year or two, it’s gonna understand WPA3. So, you know, obviously if you go from WPA2-Enterprise to WPA3-Enterprise and the endpoint hasn’t been updated, the drivers haven’t been updated and doesn’t know WPA3, it’s not gonna work. So that’s kind of the, the, I mean we, we know that’s the obvious statement, but I want don’t wanna gloss over that. So when I say, you know, a failure going to a no,
Speaker 0 (00:28:56) – Nothing surprising,
Speaker 1 (00:28:58) – Nothing surprising, yes. We didn’t have anything not work that we think should have worked. Um, I did have a couple of folks, um, that were from one organization in, in a class that had said they had hit some laptops that had the same behavior of that misbehaving, you know, client thing we saw in the personal network where they just kind of spazzed out with the unknown AKMs. So there was a subset of like one particular type of laptop they had ordered at one time that did have that issue. Um, that’s the only an data I have from that so far. So, you know, making numbers up, you know, I kind of am telling people, you know, plan for, you know, 20%, maybe as high as 30% of your passphrase based things to not do well, going to, you know, transition mode or WPA3 and then I think, you know, it’s a very small percentage, but it’s a not zero number when we’re talking about 802.1X.
Speaker 0 (00:30:03) – Yeah. And, and, and, and that makes sense, uh, that that’s a whole different process and they, they are updated more current. I can still find, um, well this also leads to why we recommend other security practices, why PSK weren’t ever, you know, it’s, it’s not your go-to method of securing your wireless,
Speaker 1 (00:30:25) – Right? Yeah. PSK can die. And I mean, for anybody listening, you know, WPA3 is where we need to be. It, we’re, we’re past, we should have already been on WPA3. Um, we’ve just kind of been gliding along and, you know, yes, there are some bumps and hurdles and roadblocks to it. It’s not as easy as just flipping the button and moving on. We have to do it methodically, but it’s better to do that now because we get a huge security increase, especially on the passphrase network. Um, so that’s like maybe a topic for another day or something you’ve already covered. Um, but, but the upgrade in security of a passphrase-based network from two to three is just, they’re on, they’re on the, they’re not on the same scale. Yeah. So, you know, PSK-based networks can go away. Um, we should be on three or moving towards three now so that when we get to Wi-Fi 6E and we’re looking at six gigahertz, which requires WPA3, we’re ready for that. And we’re not trying to make, you know, eight changes at one time. We, why not do the best-of-breed security? It’s been available, it’s mainstream. Do that now, then deal with the other complexities of the new technology later. I,
Speaker 0 (00:31:34) – I think the move to 6E is finally the trigger where people are going, oh yeah, I have to deal with this WPA3 thing now.
Speaker 1 (00:31:42) – Yeah.
Speaker 0 (00:31:43) – Uh, because we’re, we’re seeing people want 6E and they don’t even know, I mean, no one has a good easy answer, uh, especially for, you know, large organizations that are supporting eduroam with a single SSID, and then what do you do with WPA3? And it’s, it’s a big, big issue. But we have, we have some other episodes specifically on how to deal with eduroam <laugh>. Well, JJ, how can people find you and your white papers and all this other information that you referred to?
Speaker 1 (00:32:16) – Thank you for asking. Um, there’s, there’s two, two or three great resources. Um, so I’ve mentioned the Security Uncorked blog, um, that has a lot of this content and, you know, 10 or 15 years of, of other content throughout, throughout the ages. Uh, network security, zero trust, network access control. Um, so all of that’s there. Like I said, I will be putting the migration guide there, um, for anybody that follows me on LinkedIn, I’m pretty easy to find, um, Jennifer Minella. So if you find me on LinkedIn and follow, I’m trying to push the content, uh, there as well. Um, and then of course, the book. So I published, uh, the Wireless Security Architecture book with Wiley, and that’s basically the culmination of 20 years of, you know, consulting in hundreds if not thousands of, um, organizations across all industries. You know, everything from charter schools to the Department of Energy.
Speaker 1 (00:33:14) – Um, I’ve worked with and, and managed, either architected, designed, installed, or managed or co-managed their environment. Um, not just for wireless, but I feel like, you know, writing the book on wireless, there was just a huge gap in the industry. There’s so many great network architecture and network security books out there. Um, I just felt like there was really a gap on the wireless security side. Um, so this, you know, this book is really designed to help you design and architect primarily Wi-Fi, it addresses some other wireless as well, um, through the lens of security architecture. And so it, you know, it covers everything from the importance of a proper Wi-Fi design in terms of placement, power and channel settings. Um, but all of the security architecture, segmentation, best practices, uh, it’s a long book, but there are a lot of cheat sheets and little quick starts in the appendices and throughout the book and tables. And,
Speaker 0 (00:34:08) – And I, I think it’s, it’s filling a niche that we’ve had at, actually something was missing. There have been books on the how to do wireless security, uh, training, how to do it specifically in Cisco, but not the why or the architecture side. So I think you filled in that, that, that infrastructure piece of why we need to do different things. So, and highly recommended book, uh, thanks for doing it. I, I was amazed how fast you got that book out. That was, I, I can’t, I mean, I’ve worked on some books in the past, they take a long time and you really, you were like on, on, on, I don’t know what you were taking, but you got it out faster than most people ever do books. <affirmative>
Speaker 1 (00:34:50) – Yep. Well, a lot, a lot of the stuff I had to stop and look up, because what I did try to do is there are little excerpts, like little boxes. So it, it’s the why-to and the how-to conceptually and the best practice of, but I realized, you know, there, and a lot of the manufacturers, when I talk about, for example, hardening, hardening the infrastructure for what, for wireless, um, that’s not, you know, Cisco and Aruba and everybody have books that are 1500, 2000 pages and that information’s not in there. So I did research, you know, all of the platforms enough to be able to say, if you’re using, you know, Cisco, look for this term or phrase or commands. If you’re using Aruba, look for this. If you’re using, you know, Extreme, Ruckus, Juniper, whatever. Um, so where that’s most relevant, if it’s something that wasn’t intuitive or defined, I did try to include that throughout because I wanted it to be actionable. I want people to be able to take this and, and make their environments more secure instead of just being taught conceptually and academically how things should work and not knowing how to go do it. Uh, and
Speaker 0 (00:35:55) – Well, and you need both. Yes. The, the vendors have, have their piece without the why. And you did both the why and, and, and led to the how, not, not the actual keystrokes, but in the area. Well, Jennifer, thank you for your time. You are definitely an expert in this field and we love having you on the show. We’ll probably see if we can get you to come back in the future.
Speaker 1 (00:36:15) – Thanks Keith. And bye everybody.
Speaker 0 (00:36:17) – Thanks. This has been Heavy Wireless, a Packet Pushers Podcasting Network podcast. See you next episode.