WiFi Terminology 8109
UNII Band
The Unlicensed National Information Infrastructure radio bands include frequencies in the 5 GHz range used by 802.11a, n, and ac standards.
Diversity
Using multiple antennae to reduce interference and improve both transmission and reception of signals.
Closed Network
A closed network requires users to have authentication information before they can get onto the network.
Workgroup Bridge
A pair of APs that provide connectivity between two different wireless segments are a workgroup bridge. Entire offices can be connected wirelessly using workgroup bridges, or small office on another floor of a building, or across the street from the main office, may be connected using workgroup bridges rather than by running cables. These are extremely popular in downtown areas where offices are spread out across multiple buildings that are still close together, and where the cost of running fibre or copper cables is excessive.
ESS
An extended service set (ESS) refers to a network with two or more APs working cooperatively. They share access to the same VLAN, use the same SSID, and can support fast handoff between clients that move from the coverage range of one AP to another.
War Driving
Another hobbyist pursuit, war drivers will use their cars, wireless equipment, and mapping software to map out the wireless coverage of an area. Some groups have collaborated to map out entire cities. The resulting map may be shared amongst group members or published to the Internet and will identify, as closely as possible, the location of APs, their SSIDs, and whether the networks are open or closed.
NFC
Near Field Communication is a technology used most often with mobile devices to exchange data based on proximity, or even physical contact. NFC technology is being built into mobile phones for data transfer, touch to pay technologies, and smartcard reading. NFC is also being incorporated into some APs to make setting up a client easier. See WPS.
Network Name
See ESSID and SSID.
Bridge
A network device that interconnects two dissimilar network types. An AP can act as a bridge between the wired and wireless networks, but can also serve as a wireless connection between two wired segments. See Workgroup Bridge.
Pre-shared Key
A pre-shared key (PSK) is a passphrase that is shared ahead of need. PSKs are typically used in WEP, WPA, and WPA2 protected networks, where each client that wishes to join the network has the same PSK.
Rogue
A rogue client is one that attempts or succeeds in accessing a wireless network without authority to do so. A rogue AP is one installed onto the wired network without authority, and can be a maliciously placed device by someone attempting to penetrate the network, or by a non-malicious user who simply wanted to get wireless access to the wired network but did not involve IT or go through appropriate processes.
Bluetooth
A standard for short range wireless connectivity between devices, used with mice, keyboards, mobile phones, printers, speakers, and more. Bluetooth uses frequencies in the same ISM band as 802.11b and g Wi-Fi networks.
Hotspot
An AP set up specifically to provide Internet access to users. Hotspots are popular in coffee shops, restaurants, and other publicly accessible locations, and usually do not require any authentication or offer any encryption. They provide the convenience of free Internet access to attract customers.
802.1x
An IEEE standard for port-based authentication to the network. It can be used in Ethernet switches to restrict access to the wired network as well as in wireless access points to restrict access to the Wi-Fi network. 802.1x can use username/password or certificates to authenticate to the network. It is typically used in combination with wireless encryption schemes to provide confidentiality and integrity.
MAC Address Filtering
An approach to restricting access to a wireless network by only permitting clients to connect if their MAC address is on a list. MAC address filtering is not scalable, and since most wireless NICs can be configured to use any MAC, easily defeated by anyone within range that can pick up transmissions from an authorized client and simply use their MAC address.
BSSID
BSSID stands for Basic Service Set Identifier and is the MAC address of the AP.
Direct Sequence Spread Spectrum (DSSS)
DSSS is the modulation technique used by 802.11b networks to transmit data. It is resistant to interference, and permits sharing of a channel amongst multiple purposes, however it requires more bandwidth to transmit than the actual data being transmitted.
Frequency Hopping Spread Spectrum (FHSS)
FHSS is the modulation technique used by Bluetooth and other technologies that use the same frequency ranges as 802.11 networks. Transmissions hop across multiple frequencies several times per second, and can work well at short ranges even in the presence of multiple competing systems trying to use the same frequency ranges.
MIMO
Multiple Input/Multiple Output signaling that uses several transceivers and antennae to improve throughput and range of the wireless network. Both APs and clients can use MIMO, though it is most often a feature of APs.
AES
The Advanced Encryption Standard is a symmetric block encryption protocol used in WPA2 and other protocols to encrypt data with a high degree of protection and a low CPU overhead.
ESSID
The Extended Service Set Identifier is the "name" of the wireless network, and is used by all APs that provide access to the same infrastructure in an ESS. It can be advertised by APs in their beacons, or suppressed so that clients must 'know' the ESSID before associating with an AP. See ESS.
EAP
The Extensible Authentication Protocol (EAP) can be used to provide authentication to the wireless network when employing WPA-Enterprise and WPA2-Enterprise.
802.11b
The IEEE standard for wireless networking in the 2.4 GHz range. 802.11b networks support up to 11 Mbps throughput and operate in the ISM band.
802.11g
The IEEE standard for wireless networking in the 2.4 GHz range. 802.11g networks support up to 54 Mbps throughput and operate in the ISM band.
WiMax
The WAN or community deployment of wireless networking, WiMax was initially started by Intel and is now designated by the IEEE as 802.16. WiMax offers ranges measured in miles and bandwidth of up to 1 Gbps. WiMax deployments are limited at present, but can include last mile services, regional mesh networks, and municipal access for entire cities.
TLS
Transport Layer Security is a protocol designed to encrypt and authenticate all kinds of network traffic at the transport layer, and is the successor to SSL. It uses certificates to exchange public keys, which are then used to encrypt session keys.
WAP
WAP can refer to the Wireless Application Protocol, or can be used to mean Wireless Access Point.
War Chalking
War chalking is a hobbyist pursuit using sidewalk chalk to "mark" areas of wireless network access. War chalking uses a series of pictograms or icons to represent open and closed networks, and includes the SSID and sometimes the information needed to access the network.
WEP
Wired Equivalent Privacy is the original encryption scheme implemented in wireless networks. Using RC4 and either a 40bit or 104 bit pre-shared key, WEP provides about the same level of privacy as using a hub does on a wired network. Easily broken, WEP is typically only deployed in home networks.
Beacon
A beacon is transmitted by an AP ten times per second, and advertises the existence of the AP on a particular channel or channels. It includes information needed by clients to associate and may include the ESSID, the supported channels and data rates, and whether it is open or requires authentication.
Channel
A channel is the network path for wireless transmissions. Each Wi-Fi standard has numerous channels, each of which is a central frequency. There are 11 channels in 802.11b and g networks in the United States and Canada; 14 in most other countries. There are 9 channels in 802.11a networks in the United States, with various counts for other regions of the world. Some countries including the US can have additional channels in the 5 GHz range if they employ DFS. Channels have a bandwidth-the greater the bandwidth, the greater the potential throughput. See 20 MHz and 40 MHz channels.
Authentication
A client may be required to authenticate to the wireless network before it can pass data between itself and other hosts. Authentication can be open, but can also require a certificate, username/password, or pre-shared key.
Access Point
A device that acts as the bridge between wireless clients and the wired network. Often abbreviated as AP.
Passphrase
A password or combination of words used to provide authentication to a wireless network WEP uses fixed 40 or 104 bit passphrases, while WPA and WPA2 can use arbitrary length passphrases.
Ad Hoc Mode
A peer to peer mode of networking using Wi-Fi networking but no access point. Ad Hoc networks can include more than two devices.
Repeater
A wireless network device that receives signals and retransmits them, without providing direct access to the wired network. Repeaters are typically used to increase the range wireless networks can cover.
Zero-Day Vulnerability/Exploit
A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack.
Concurrent Operation
Also called Dual Band, APs that can use both 2.4 and 5 GHz bands are capable of concurrent operation. These can offer 802.11n capabilities to compatible clients while also servicing legacy clients using 802.11 b, g, and a.
Open Network
An open wireless network permits association and authentication without requiring a passphrase, certificate, or credentials. Open networks are often called hotspots and provide free Internet access to anyone within range. Many coffee shops and restaurants will deploy these to attract customers. They may still incorporate a captive portal. See hotspots.
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol.
CCMP - An encryption protocol that uses AES.
Collision Avoidance
Collision avoidance (CA) is the method wireless devices typically employ to ensure data transmissions do not interfere with others. CA schemes can use a Clear to Send/Ready to Send (CTS/RTS) scheme where they signal readiness to transmit data, but must wait to be acknowledged by a central controller (AP) before transmitting actual data. Contrast this with Ethernet and its collision detection (CD) scheme where hosts transmit and then listen to see if others are also transmitting, and then sending a jamming signal to indicate a collision, and falling back a random period of time before trying again.
EAP-FAST
EAP-FAST is Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling. It is one possible EAP scheme used in wireless networks for authentication. It is being promoted by Cisco as a replacement for LEAP.
EAP-TLS
EAP-TLS is Extensible Authentication Protocol-Transport Layer Security. It is one possible EAP scheme used in wireless networks for authentication, and uses client certificates. It is widely deployed across most major Wi-Fi vendors.
EAP-TTLS/MS-CHAPv2
EAP-TTLS/MS-CHAPv2 is Extensible Authentication Protocol-Tunneled TLS using MSCHAPv2. It is one possible EAP scheme used in wireless networks for authentication, and uses a username/password (typically authenticated by Active Directory) to provide authentication.
Roaming
In a wireless network with multiple APs, a client that is moving from the coverage area provided by one AP to that provided by another is roaming. It must disassociate from the first AP before it can associate to the next AP.
Router
In the context of SOHO, a wireless router is an AP that also performs Internet connection sharing, and can run a DHCP service, a captive portal service,
Captive Portal
In wireless networking, a captive portal is a process running on an AP that can intercept and redirect clients who have associated to a web page where they must agree to terms of service, provide a password, or even purchase access. These are common in hotels, airports, guest networks, and other locations that offer Internet access but want to charge a fee, restrict it to authorized users, or require the user to accept their AUP. See hotspot.
Lightweight Extensible Authentication Protocol
LEAP was developed by Cisco to provide authentication to networks using WEP for encryption. It is vulnerable to dictionary attacks and has been replaced by EAP-FAST.
QoS
Quality of Service enables networks to prioritize certain traffic types above others, so that things which are mission critical or latency sensitive gain preferred access to the network over things that are lower priority or can tolerate delay. This is especially useful in Wi-Fi networks using voice or video; the quality of both suffer when encountering latency. APs that offer QoS can provide more access to clients that need it than to those that do not. See 802.11d.
RADIUS
Remote Authentication Dial In User Service. A very old protocol for centralizing authentication and authorization management. The RADIUS server acts as a remote service for these functions.
802.11a
The IEEE standard for wireless networking in the 5 GHz range. 802.11a networks can support up to 54 Mbps throughput and operate in the UNII bands.
802.11n
The IEEE standard for wireless networking that can use both the 2.4 GHz and 5 GHz ranges, with MIMO. 802.11n compatible access points and clients can support throughput rates of up to 600 Mbps, and clients are backwards compatible with older access points that can only do 802.11 a, b, or g.
ISM Band
The Industrial, Scientific, and Medical frequency bands are unlicensed bands used by a variety of devices for wireless connectivity. In the 2.4 GHz ISM band, 802.11b and g network devices, Bluetooth devices, NFC devices, baby monitors, and microwave ovens all compete for bandwidth.
SSID
The Service Set Identifier (SSID) is the name of the wireless network. It can be contained in the beacons sent out by APs, or it can be 'hidden' so that clients who wish to associate must first know the name of the network. Early security guidance was to hide the SSID of your network, but modern networking tools can detect the SSID by simply watching for legitimate client association, as SSIDs are transmitted in cleartext.
TKIP
The Temporal Key Integrity Protocol was developed as a replacement for WEP but is no longer considered secure and has been removed from 802.11 standards. See WPA.
Range
The distance between an AP and a client (or between two APs, see Workgroup Bridge) over which Wi-Fi transmissions can be successful. The greater the range, the greater the attenuation of a signal and the lower the overall throughput will be.
MITM
The man-in-the middle attack intercepts a communication between two systems. For example, in an http transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server,. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication.
802.11ac
The most recent update to the IEEE standard for wireless networking in the 5 GHz range. 802.11ac networks can support up to 1 Gbps throughput using multiple channels, 500 Mbps using a single channel, and operate in the UNII bands. It will use 80 and 160 MHz channels and MIMO to achieve higher throughput rates.
Association
The process a client goes through to begin exchanging data with an Access Point. A client will listen for beacons from an AP for the SSID that it wants to use, and then will exchange hello packets with the AP with the strongest signal and/or supported data rates. Association can be open, or can require a pre-shared key. Once associated, the client may be required to successfully authenticate before the AP will pass data between the client and the rest of the network.
WPA
Wi-Fi Protected Access is a security protocol for wireless networks that was designed to replace WEP. It uses TKIP to encrypt data and is much more resistant to attacks that WEP is, but still has cryptographic vulnerabilities that make it undesirable for use. WPA was an IEEE 802.11i draft. WPA Personal typically uses an initial PSK to establish authentication, but the protocol has been extended to use EAP methods where available.
WPA2
Wi-Fi Protected Access v2 is currently the strongest encryption protocol available to wireless networks, and is the current 802.11i standard. It uses AES encryption for data and is considered cryptographically strong. WPA2 Personal uses a PSK to establish initial authentication, but WPA2 Enterprise can use various EAP methods to ensure a strong authentication without the need for a PSK.
WPS
Wi-Fi Protected Setup makes it easier for users to add Wi-Fi clients to WPA and WPA2 protected wireless networks. It was intended to help non-technical home users deploy WPA security, but is vulnerable to a brute-force attack and should not be used. WPS can use a PSK, encryption settings transferred using a USB key, a PIN, NFC, or with a simple push button approach.