Wireless Essentials
Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP) is used to provide user authentication for an 802.1X port-based access control solution. EAP is a flexible Layer 2 authentication protocol that resides under the Point-to-Point Protocol (PPP).
WLAN Roaming
In wireless LAN technology, roaming is the term for what happens when a device moves from one basic service set to another. Roaming was not part of the original 802.11 spec (2003).
WLAN Infrastructure Modes
- Independent Basic Service Set (IBSS)
- Basic Service Set (BSS)
- Extended Service Set (ESS)
Microsoft Point-to-Point encryption (MPPE)
MPPE is a 128-bit encryption method that uses the RC4 algorithm. MPPE is used with Point-to-Point Tunneling Protocol (PPTP) VPN technology.
MBSS
Mesh Basic Service Set. Ratified in 802.11-2011. One AP, called the mesh root, portal, or gate, is usually connected to the wired infrastructure, with the other mesh APs connecting to it to provide a wireless backhaul.
Automatic Power Save Delivery (APSD)
- A more current, robust version of PS Mode
- Works with devices that are Quality of Service (QoS) aware
- Works with time-bound applications that are subject to latency, such as voice and video
IBSS Security
- No centralized control and no security management features
- Security is left up to the individual user or device
- Can be a concern for many enterprise installations
- The use of an IBSS may be against corporate security policy
Initialization Vector (IV)
The IV is utilized by the RC4 streaming cipher that WEP encryption uses. The IV is a block of 24 bits that is combined with a static key. It is sent in cleartext and is different on every frame. The effective key strength of combining the IV with the 40-bit static key is 64-bit encryption. TKIP uses an extended IV.
MAC Service Data Unit (MSDU)
The MSDU contains data from the LLC and layers 3-7. A simple definition of MSDU is the data payload that contains the IP packet plus some LLC data.
Throughput
The amount of information actually being transmitted or received.
Distribution System
The common infrastructure to which access points are connected and can be wired or wireless.
Counter Mode with Cipher Block Chaining Message Authentication Code (CCMP)
The default encryption method defined under the 802.11i amendment. This method uses the AES cipher. CCMP/AES uses a 128-bit encryption key size and encrypts in 128-bit fixed-length blocks. An 8-byte Message Integrity Check is used that is considered much stronger than the one used in TKIP. CCMP/AES is the default encryption method defined by WPA2.
Passive Scanning
The discovery phase of wireless networking: the WLAN device listens for information about networks. What is your evidence that this is working on your device? SSIDs pop up on the device for you to select. If a known signal is present and the device is not picking it up, it could be a device issue.
Dynamic Rate Switching (DRS)
When a wireless device moves through the Basic Service Area (BSA) or the distance from the access point increases, the data rate will decrease.
Supplicant
When an 802.1X/EAP solution is deployed, a host with software that is requesting authentication and access to network resources is known as the supplicant.
Radio Frequency Channel
- The IBSS configuration requires a user to set the specific RF channel that will be used by all devices that are part of the same IBSS network
- All devices in any common IBSS must be communicating on the same channel
Service Set Identifier (SSID)
- The name or segmentation of WLAN devices
- Every device that wishes to be part of the same wireless LAN will use the same SSID
- The SSID is case sensitive and has a maximum limit of 32 characters or, as specified in the IEEE 802.11 standard, 32 octets
- Oolie: In C programming a letter is considered a char and is 8 bits
Distribution System Medium (DSM)
A logical physical medium used to connect APs (e.g., 802.3).
Preshared Keys (PSKs)
A method of distributing encryption passphrases or keys by manually typing the matching passphrases or keys on both the access point and all client stations that will need to be able to associate to the wireless network. This information is shared ahead of time (preshared) by using a manual distribution method such as telephone, email, or a face-to-face conversation.
Robust Security Network (RSN)
A robust security network (RSN) is a network that only allows for the creation of robust security network associations (RSNAs). An RSN utilizes CCMP/AES encryption as well as 802.1X/EAP authentication.
Authorization, Authentication and Accounting (AAA)
A security concept. Authorization involves granting access to network resources and services. Before authorization to network resources can be granted, proper authentication must occur. Authentication is the verification of user identity and credentials. Accounting is tracking the use of network resources by users. It is an important aspect of network security, used to keep a paper trail of who used what resources, and when and where.
Robust Security Network Associations (RSNAs)
As defined by the 802.11i security amendment, two stations (STAs) must establish a procedure to authenticate and associate with each other as well as create dynamic encryption keys through a process known as the 4-Way Handshake. This association between two stations is referred to as a robust security network association (RSNA).
Bridge Mode
The AP radio is converted into a wireless bridge, which adds extra MAC-layer intelligence. This gives the AP the capability to learn and maintain tables of MAC addresses from the wired network.
Per Session Per User
After an EAP frame exchange where mutual authentication is required, both the AS and the supplicant know information about each other because of the exchange of credentials. This newfound information is used as seeding material or keying material to generate a matching dynamic encryption key for both the supplicant and the authentication server. These dynamic keys are generated per session per user, meaning that every time a client station authenticates, a new key is generated, and every user has a unique and separate key.
RC4
The RC4 algorithm is a streaming cipher used in technologies that are often used to protect Internet traffic, such as Secure Sockets Layer (SSL). The RC4 algorithm is used to protect 802.11 wireless data and is incorporated into two encryption methods known as WEP and TKIP.
Extended Rate Physical (ERP) Protection Mechanism 802.11b/g Mixed Mode
- Allows both 802.11b and 802.11g at the same time
- Throughput will decrease when 802.11b and 802.11g are intermixed
Transition Security Network (TSN)
An 802.11 wireless network that allows for the creation of pre-robust security network associations (pre-RSNAs) as well as RSNAs is known as a transition security network. A TSN supports 802.11i-defined security as well as legacy security such as WEP within the same BSS.
Integrated Service (IS)
Defined by 802.11-2007. Enables delivery of MSDUs (Layer 3-7 information) between the Distribution System (DS) via a portal.
Extended Rate Physical (ERP) Protection Mechanism 802.11b Only Mode
- Disables all ERP-OFDM data rates: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps
- Only allows DSSS 1 and 2 Mbps and HR/DSSS 5.5 and 11 Mbps
- Not typically used; limits the AP
Wireless LAN Modes of Operation - IBSS
- Does not use access points and consists of only wireless LAN devices or client computers
- Not typically used for enterprise wireless LAN deployments
- Certain parameters must be set on the devices that wish to participate in an IBSS
- Must have the SSID, RF channel, and security configuration of the network
Extended Rate Physical (ERP) Protection Mechanism 802.11g Only Mode
- Opposite of 802.11b Only mode
- Enables all ERP-OFDM data rates
- Disables DSSS and HR/DSSS
- No backward compatibility required
Point-to-Point Tunneling Protocol (PPTP)
PPTP is a layer 3 VPN technology. It uses 128-bit Microsoft Point-to-Point Encryption (MPPE), which uses the RC4 algorithm. MPPE encryption is considered adequate but not strong. PPTP also uses MS-CHAP version 2 for user authentication, which is susceptible to offline dictionary attacks.
Wi-Fi Protected Access (WPA)
Prior to the ratification of the 802.11i amendment, the Wi-Fi Alliance introduced WPA certification as a snapshot of the not-yet-released 802.11i amendment, supporting only the TKIP/RC4 dynamic encryption key management. 802.1X/EAP authentication was required in the enterprise, and passphrase authentication was required in a SOHO environment.
Role-Based Access Control (RBAC)
RBAC is an approach to restricting system access to authorized users. The three main components of the RBAC approach are users, roles, and permissions. Separate roles can be created, such as a sales role or a marketing role. Individuals or groups of users are assigned to one of these roles. Permissions can be defined as firewall permissions, Layer 2 permissions, Layer 3 permissions, and bandwidth permissions, and can be time based. The permissions are then mapped to the roles. When wireless users authenticate via the WLAN, they inherit the permissions of whatever roles they have been assigned to.
Distribution System Services (DSS)
System services built inside an access point, usually in the form of software. Provides switch-like intelligence. Used to manage client associations, reassociations, and disassociations.
Temporal Key Integrity Protocol (TKIP)
TKIP is an enhancement of WEP encryption that addresses many of the known weaknesses of WEP. TKIP starts with a 128-bit temporal key that is combined with a 48-bit Initialization Vector (IV) and the source and destination MAC addresses in a complicated process known as per-packet key mixing. TKIP also uses sequencing and a stronger data integrity check known as the Message Integrity Check (MIC). TKIP is the mandatory encryption method under WPA and is optional under WPA2.
Message Integrity Check (MIC)
TKIP uses a data integrity check known as the Message Integrity Check (MIC) to mitigate known bit-flipping attacks against WEP. The MIC is sometimes referred to by the nickname Michael.
Port-Based Access Control
The 802.1X standard defines port-based access control. 802.1X provides an authorization framework that allows or disallows traffic to pass through a port and thereby access network resources. 802.1X defines two virtual ports: an uncontrolled port and a controlled port. The uncontrolled port allows EAP authentication traffic to pass through, while the controlled port blocks all other traffic until the supplicant has been authenticated.
Advanced Encryption Standard (AES)
The AES algorithm, originally named the Rijndael algorithm, is a block cipher that offers much stronger protection than the RC4 streaming cipher. AES is used to encrypt 802.11 wireless data by using an encryption method known as Counter Mode with Cipher Block Chaining Message Authentication Code (CCMP). The AES algorithm encrypts data in fixed data blocks with choices in encryption key strength of 128, 192, or 256 bits.
Data Rates
The speed at which wireless devices are designed to exchange information.
4-Way Handshake
Under the 802.11i amendment, two stations (STAs) must establish a procedure to authenticate and associate with each other as well as create dynamic encryption keys through a process known as the 4-Way Handshake.
Data Frames
- Used to carry the data payload between devices
- Special data type frame: the null function frame, which helps implement power save features
- QoS frame
Control Frames
- Used to control access to the wireless medium and to acknowledge data
- Used with protection mechanisms to allow device coexistence
- Examples include RTS (Request to Send), CTS (Clear to Send), and ACK (Acknowledge)
Wireless Repeater
Used to extend cell coverage where an 802.3 backhaul is not available. Must share the frequency with the AP and have a 50% cell overlap.
Wired Equivalent Privacy (WEP)
WEP is a layer 2 encryption method that uses the RC4 streaming cipher. The original 802.11 standard defined 64-bit and 128-bit WEP. WEP encryption has been cracked and is not considered a strong encryption method.
Power Saving Operation Active Mode (AM)
- WLAN devices are always in an "awake" state
- Desktop vs. laptop/mobile
Power Save (PS) Mode
- WLAN devices will doze or enter a low-power state for very short periods of time
- The device listens for the beacon frame letting it know messages are buffered
- The AP provides the device with an association ID (similar to a MAC address for a switch)
- The device sends a PS-Poll (Power Save Polling) message
- Considered legacy based on the newer Wi-Fi QoS
- Saves battery power at the "expense" of additional AP/device overhead (a tradeoff)
Authentication Server (AS)
When an 802.1X/EAP solution is deployed, an authentication server validates the credentials of the supplicant that is requesting access and notifies the authenticator that the supplicant has been authorized. The authentication server will maintain a user database or may proxy to an external user database to authenticate user credentials.
Internet Protocol Security (IPsec)
IPsec is a Layer 3 VPN technology. IPsec can use RC4, DES, 3DES, and AES ciphers for encryption. It provides for encryption, encapsulation, data integrity, and device authentication.
Wi-Fi Protected Access 2 (WPA2)
WPA2 is based on security mechanisms that were originally defined in the IEEE 802.11i amendment defining a robust security network (RSN). Two versions of WPA2 exist. WPA2-Personal defines security for a small office/home office (SOHO) environment, and WPA2-Enterprise defines stronger security for enterprise corporate networks. Each certified product is required to support WPA2-Personal or WPA2-Enterprise.