Wireless Networking
Wireless Security
Basically nonexistent.
Signal Degradation
*Distance* - The farther from the WAP you get, the weaker the signal you get. Most APs have a very limited maximum range, less than 100 meters for most systems.
*Walls and Other Barriers* - The more walls and other office barriers a wireless signal has to pass through, the more attenuated the signal becomes. In an indoor office area with lots of walls, the range of your wireless network could be as low as 25ft.
*Protocols Used* - The various 802.11 protocols have different maximum ranges.
*Interference* - Because 802.11 wireless protocols operate in the 900MHz, 2.4GHz, and 5GHz ranges, Bluetooth devices, cordless telephones, cell phones, other wireless LANs, and any other device that transmits a radio frequency (RF) near the bands the 802.11 protocols use can interfere. Even microwave ovens.
Site Survey
*Information Gathering* - This is the 1st step, and during this stage you must determine 3 key factors:
* The scope of the network, including all applications that will be used, the data types that will be present, and how sensitive those data types are to delay.
* The areas that must be covered and the expected capacity at each location.
* The types of wireless devices that will need to be supported, for example laptops, iPads/iPhones, IP phones, and barcode readers.
During this phase, a key goal is to create a coverage model that maps all areas that need coverage, along with those that don't, and to have the client sign off on this document before anything else.
*Predeployment Site Survey* - In this phase, use live APs to verify the optimal distances between their prospective locations. The base installation should consider the expected speed at the edge of the cell, the anticipated number of devices, and the other information gathered in step 1. After placing the 1st AP, place the next one based on its distance from the 1st, taking into account any interference found.
*Postdeployment Site Survey* - Confirm and verify that the original design and placements work problem-free when all stations are using the network. Usually this never happens, and changes will need to be made, sometimes significant ones, in order to optimize the performance of a WLAN operating under full capacity.
Wireless Threats
*Rogue APs* - APs that have been connected to the wired infrastructure without your knowledge. One could have been placed there by a determined hacker who snuck into the facility and put it in an out-of-the-way location or, more innocently, by an employee who just wants wireless access and doesn't get how dangerous doing this is. The hacker's AP is placed to entice your wireless clients to associate with the rogue AP instead. This is achieved by placing their AP on a different channel from your legitimate APs and then setting its SSID to match yours. Wireless clients identify the network by the SSID, not by the MAC address or IP of the AP, so jamming the channel that your AP is on will cause your stations to roam to the bad guy's AP instead. With DHCP software installed on the AP, the hacker can issue the clients an address, and once that's done, the bad guy has basically "kidnapped" your client onto their network and can freely perform a peer-to-peer attack.
Mitigation: 1 way to keep rogue APs out of the wireless network is to employ a wireless LAN controller (WLC) to manage your APs. Because APs communicate using LWAPP or the newer CAPWAP, one of the message types they share is called Radio Resource Management (RRM). Basically, your APs monitor all channels by momentarily switching from their configured channel and collecting packets to check for rogue activity. If an AP is detected that isn't managed by the controller, it's classified as a rogue, and if a wireless control system is in use, that rogue can be plotted on a floor plan and located. This also enables your APs to prevent workstations from associating with the newly exposed rogue APs.
Comparing 802.11 Standards
Standard | Ratified | Frequency Band | No. of Channels | Transmission | Data Rates (Mbps)
802.11 | 1997 | 2.4GHz | 3 | IR, FHSS, DSSS | 1, 2
802.11b | 1999 | 2.4GHz | 3 | DSSS | 1, 2, 5.5, 11
802.11a | 1999 | 5GHz | Up to 23 | OFDM | 6, 9, 12, 18, 26, 36, 48, 54
802.11g | 2003 | 2.4GHz | 3 | DSSS, OFDM | DSSS (1, 2, 5.5, 11); OFDM (6, 9, 12, 5.5, 11)
802.11n | 2010 | 2.4GHz - 5GHz | Varies | DSSS, CCK, OFDM | 100+
802.11ac | 2013 | 5GHz | Varies | OFDM | 1000+
5GHz (802.11a)
802.11a was ratified in 1999, but the 1st 802.11a products didn't begin appearing on the market until late 2001, and they were pricey. 802.11a delivers a maximum data rate of 54Mbps with 12 non-overlapping frequency channels:
Lower Band 5.15-5.25GHz (Indoor)
Middle Band 5.25-5.35GHz (Indoor and Outdoor)
Upper Band 5.725-5.825GHz (Outdoor)
Operating in the 5GHz radio band, 802.11a is also immune to interference from devices that operate in the 2.4GHz band like microwave ovens, cordless phones, and Bluetooth devices. 802.11a isn't backwards compatible with 802.11b because they operate at different frequencies, but 802.11a still works well in the same physical location as 802.11b without issue. 802.11a has the ability to data-rate shift while moving: 802.11a products allow a client operating at 54Mbps to shift to 48Mbps, 36Mbps, 24Mbps, 18Mbps, 12Mbps, 9Mbps, and finally 6Mbps farthest from the AP.
2.4GHz (802.11g)
The 802.11g standard was ratified in June of 2003 and is backwards compatible with 802.11b. The 802.11g standard delivers the same 54Mbps maximum data rate as 802.11a but runs in the 2.4GHz band, the same as 802.11b. Because 802.11b/g operate in the same 2.4GHz unlicensed band, migrating to 802.11g is an affordable choice for organizations. You can software upgrade 802.11b to 802.11g since it uses a different chip set. 802.11g products can be commingled with 802.11b products in the same network. If you have 4 users running 802.11g cards and 1 user starts using an 802.11b card, everyone connected to the same AP is then forced to run the 802.11b CSMA/CA method. It's recommended to disable the 802.11b-only modes on all APs. 802.11b uses a modulation technique called *Direct Sequence Spread Spectrum (DSSS)* that's just not as robust as the *Orthogonal Frequency Division Multiplexing (OFDM)* modulation used by both 802.11g and 802.11a. When 802.11g clients are operating at the 802.11b rates (11, 5.5, 2 & 1Mbps), they're actually using the same modulation 802.11b uses. Even though 802.11b throughput in theory is 11Mbps and 802.11g is 54Mbps, about 70% or more of the RF bandwidth is used for management of the wireless network itself. The actual bandwidth the user experiences using an application is called *goodput*. In the United States, only 11 channels are configurable, with 1, 6, and 11 being non-overlapping. This allows you to have 3 APs in the same area without experiencing interference. If you configure 1 AP with channel 1, then the next AP would be configured on channel 11, the channel farthest from that configured on the 1st AP.
2.4GHz/5GHz (802.11n)
802.11n builds on previous 802.11 standards by adding *multiple input, multiple output (MIMO)*, which employs multiple transmitter and receiver antennas to increase data throughput. 802.11n can have up to 8 antennas, but most APs use 4. These are referred to as smart antennas; if you have 4 of them, 2 are used to send and 2 are used to receive at the same time. This setup allows for much higher data rates than 802.11a/b/g, providing 250Mbps (in theory). *802.11n allows for communication at both the 2.4GHz and 5GHz frequencies by using channel bonding.*
*40MHz Channels* - 802.11g and 802.11a use 20MHz channels, which means that 11Mbps are unused or wasted. 802.11n aggregates two carriers to double the speed from 54Mbps to 108Mbps. Add the 11Mbps that we gain from not wasting the side tones and we have 119Mbps.
*MAC Efficiency* - 802.11 protocols require acknowledgment of each and every frame. 802.11n can pass many packets before an acknowledgment is required, which saves you overhead. This is called *block acknowledgment*.
*Multiple-Input, Multiple-Output (MIMO)* - Several frames are sent by several antennae over several paths and are then recombined by another set of antennae to optimize throughput and multipath resistance. This is called *spatial multiplexing*.
Providing Capacity
A big issue is providing enough capacity in areas where many wireless stations will be competing for the airwaves. Devices share access to the RF environment with all other devices in the BSS, as well as with the AP, so really, the only way to increase capacity is by increasing the number of APs in an area requiring serious density. It basically comes down to placing APs on non-overlapping channels while still sharing the same SSID.
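The channel rule from the 802.11g notes (US channels 1-11, with 1, 6 and 11 non-overlapping, the next AP taking the channel farthest from the first) and the capacity rule above (more APs on non-overlapping channels under one SSID) can be applied mechanically. The following is an added example, not part of the original notes: a small greedy channel planner. The 5MHz channel spacing and ~20MHz channel width used to decide whether two channels overlap is an assumption stated in the code, and the AP names and neighbour map are constructed sample data.

```python
# Added example, not from the original notes: a small 2.4GHz channel planner for
# APs that share one SSID (the ESS case). The usable-channel and 1/6/11 facts are
# from the notes; the overlap rule (channels are 5MHz apart and a 20MHz-wide
# channel overlaps anything closer than 5 channel numbers) is an assumption
# stated here. The AP names and neighbour map are constructed sample data.

NON_OVERLAPPING_US = (1, 6, 11)   # the three non-overlapping US channels


def channels_overlap(a, b):
    """True when two 2.4GHz channels overlap. Channel centres sit 5MHz apart and
    each channel is ~20MHz wide, so numbers that differ by fewer than 5 collide."""
    return abs(a - b) < 5


def pick_channel(used):
    """Choose the non-overlapping channel farthest from the channels already used
    by neighbouring APs (the notes' rule: after channel 1, the next AP gets 11)."""
    candidates = [c for c in NON_OVERLAPPING_US
                  if not any(channels_overlap(c, u) for u in used)]
    if not candidates:
        raise ValueError("every non-overlapping channel is already in use by a neighbour")
    # max() keeps the first of equal candidates, so an AP with no neighbours gets 1
    return max(candidates, key=lambda c: min((abs(c - u) for u in used), default=0))


def assign_channels(ap_names, neighbors, ssid="corp-wifi"):
    """Greedy plan: walk the APs in order, giving each a channel that does not
    overlap with any already-planned neighbour. neighbors maps an AP name to the
    set of AP names whose cells it can hear."""
    plan = {}
    for ap in ap_names:
        used = {plan[n]["channel"] for n in neighbors.get(ap, ()) if n in plan}
        plan[ap] = {"ssid": ssid, "channel": pick_channel(used)}
    return plan


def conflicts(plan, neighbors):
    """Audit a plan: list neighbouring pairs whose channels still overlap."""
    bad = []
    for ap, nbrs in neighbors.items():
        for n in nbrs:
            if ap < n and channels_overlap(plan[ap]["channel"], plan[n]["channel"]):
                bad.append((ap, n))
    return bad


# Constructed layout: three APs in a row, each hearing only its immediate neighbour(s).
ROW_OF_THREE = {"ap1": {"ap2"}, "ap2": {"ap1", "ap3"}, "ap3": {"ap2"}}

if __name__ == "__main__":
    plan = assign_channels(["ap1", "ap2", "ap3"], ROW_OF_THREE)
    for ap, cfg in plan.items():
        print(f"{ap}: ssid={cfg['ssid']} channel={cfg['channel']}")
    print("conflicts:", conflicts(plan, ROW_OF_THREE))
```

For the row of three the plan comes out as 1, 11, 1, matching the notes. A fourth AP that can hear all three others cannot be placed without overlap, which is the planner's way of saying the area needs a smaller cell size (lower transmit power) or the 5GHz band rather than another 2.4GHz radio.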
Wireless Antennas
Antennas act as both transmitter and receiver. There are 2 broad classes of antennas: *Omni Directional (point-to-multipoint)*, and *Directional*, or *Yagi (point-to-point)*. Yagi antennas usually provide greater range than Omni antennas of equal gain because Yagis focus all their power in a single direction, whereas Omnis must disperse the same amount of power in all directions at the same time. A downside to using a directional antenna is that you have to be more precise when aligning communication points. A Yagi is really only good for point-to-point. Most APs use Omnis, because often, clients and other APs could be located in any direction at any given moment. Both Omnis and Yagis are rated according to their signal gain with respect to an actual or theoretical laboratory reference antenna. Range is also affected by the bit rate of the underlying technology, with higher bit rates extending shorter distances. Both antennas are also rated in units of decibel isotropic (dBi) or decibel dipole (dBd), based on the type of reference antenna (isotropic or dipole) of equivalent frequency that was initially used to rate the production antenna. A positive value for either unit of measure represents a gain in signal strength with respect to the reference antenna. Isotropic means "exhibiting properties (as velocity of light transmission) with the same values when measured along axes in all directions." Isotropic antennas cannot be produced in reality, but their properties can be engineered from antenna theory for reference purposes. Antennas operating with frequencies below 1GHz are measured in dBd while those operating above 1GHz are measured in dBi. This rule doesn't always work definitively; sometimes you have to compare the strength of one antenna measured in dBd with another measured in numerically equivalent dBi in order to determine which one is stronger.
At the same operating frequency, a dipole antenna has about 2.2dB gain over a 0dBi theoretical isotropic antenna, which means you can easily convert from dBd to dBi by adding 2.2 to the dBd rating. Conversely, subtract 2.2 from the dBi rating and you get the equivalent dBd rating. Examples:
7dBd Yagi (equivalent to a 9.2dBi Yagi)
7dBi Yagi (longer range than a 7dBi Omni)
4.8dBd Omni (equivalent to a 7dBi Omni)
4.8dBi Omni (equivalent to a 2.6dBd Omni)
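Comparing spec sheets that mix dBd and dBi is where the conversion above gets used. As an added example (not from the original notes), the code below normalises rating strings to one unit and compares two antennas; the 2.2dB offset and the sample ratings are the ones from the notes, while the antenna names and rating-string format are constructed.

```python
# Added example, not from the original notes: normalise antenna gain ratings given
# in dBd or dBi to one unit so that mixed-unit spec sheets can be compared. The
# 2.2dB dipole-over-isotropic offset and the sample ratings are the ones in the
# notes; the rating strings and antenna names are constructed sample input.

DIPOLE_GAIN_DBI = 2.2   # a dipole has ~2.2dB gain over the 0dBi isotropic reference


def to_dbi(rating):
    """Parse a rating such as '7dBd' or '9.2dBi' and return the gain in dBi."""
    text = rating.replace(" ", "")
    unit = text[-3:].lower()
    value = float(text[:-3])
    if unit == "dbd":
        return round(value + DIPOLE_GAIN_DBI, 2)
    if unit == "dbi":
        return round(value, 2)
    raise ValueError(f"unknown gain unit in {rating!r} (expected dBd or dBi)")


def to_dbd(rating):
    """Same rating expressed in dBd (subtract the dipole offset)."""
    return round(to_dbi(rating) - DIPOLE_GAIN_DBI, 2)


def stronger(antenna_a, antenna_b):
    """Each antenna is (name, rating). Returns the name with the higher gain, or
    'equal' when both normalise to the same dBi value. Equal gain does not mean
    equal range: a Yagi focuses its power in one direction, an omni spreads it."""
    gain_a, gain_b = to_dbi(antenna_a[1]), to_dbi(antenna_b[1])
    if gain_a == gain_b:
        return "equal"
    return antenna_a[0] if gain_a > gain_b else antenna_b[0]


def spec_sheet(antennas):
    """Render a list of (name, rating) as rows showing both units."""
    return [(name, to_dbd(rating), to_dbi(rating)) for name, rating in antennas]


if __name__ == "__main__":
    rows = spec_sheet([("Yagi-A", "7dBd"), ("Yagi-B", "7dBi"),
                       ("Omni-C", "4.8dBd"), ("Omni-D", "4.8dBi")])
    for name, dbd, dbi in rows:
        print(f"{name:7s} {dbd:5.1f}dBd {dbi:5.1f}dBi")
    print(stronger(("Yagi-A", "7dBd"), ("Yagi-B", "7dBi")))   # Yagi-A (9.2dBi vs 7dBi)
```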
Wireless Agencies and Standards
Agency | Purpose | Website
Institute of Electrical and Electronics Engineers (IEEE) | Creates and maintains operational standards | www.ieee.org
Federal Communications Commission (FCC) | Regulates the use of wireless devices in the US | www.fcc.gov
European Telecommunications Standards Institute (ETSI) | Chartered to produce common standards in Europe | www.etsi.org
Wi-Fi Alliance | Promotes and tests for WLAN interoperability | www.wi-fi.com
WLAN Association (WLANA) | Educates and raises consumer awareness regarding WLANs | www.wlana.org
Site Survey Tools
AirMagnet Survey and Ekahau Site Survey tools make it possible to do a client walk-through with the unit running, clicking each location on the map as you go. These tools gather Received Signal Strength Indicator (RSSI) and Signal-to-Noise Ratio (SNR) readings from each AP in range, and at the end, a global coverage heat map is displayed.
Open Access
All Wi-Fi Certified small-office, home-office (SOHO) wireless LAN products are shipped in "open-access" mode, with their security features turned off. Although this mode is okay for public places like coffee shops, it is not acceptable for an enterprise organization or a private home network.
Wi-Fi Protected Access or WPA2 Pre-Shared Key
Another form of basic security that's really just an add-on to the specifications. WPA/WPA2 Pre-Shared Key (PSK) is a better form of wireless security than any other basic security. If you are only using MAC address filters and/or WEP, and you find interlopers are still using your network and dragging down performance, adding this layer of security should help tremendously. *Wi-Fi Protected Access (WPA)* is a standard developed by the Wi-Fi Alliance, formerly known as the Wireless Ethernet Compatibility Alliance (WECA). WPA provides a standard for authentication and encryption of WLANs that's intended to solve known security problems. The standard takes into account the well-publicized AirSnort and man-in-the-middle WLAN attacks. So we use WPA2 to help us today with security issues. The PSK verifies users via a password or code on both the client machine and the AP. A client gains access to the network only if its password matches the AP's password. The PSK also provides keying material that TKIP or Advanced Encryption Standard (AES) uses to generate an encryption key for each packet of transmitted data. Although more secure than static WEP, PSK still has a lot in common with static WEP in that the PSK is stored on the client station and can be compromised if the client station is lost or stolen. You have a choice of TKIP or AES as the encryption and can choose up to a 64-character key.
Temporal Key Integrity Protocol (TKIP)
Because WEP's defenses are done for, IEEE 802.11i and the Wi-Fi Alliance teamed up to create Temporal Key Integrity Protocol (TKIP). It was unveiled in 2002 and introduced as Wi-Fi Protected Access (WPA). In 2004 the final version was approved. It added even more defenses like 802.1x and AES-CCMP (AES-Counter Mode CBC-MAC Protocol); this is IEEE 802.11i-2004, and it was dubbed WPA2. TKIP upgrades the existing WEP by adding 128-bit encryption, while the RC4 algorithm used to power and define WEP remains the same. It works well because it changes each packet's key. Packet keys are made up of 3 things: a base key, the transmitting device's MAC address, and the packet's serial number. TKIP-governed transmission ensures that each packet gets its very own 48-bit serial number, which is augmented with a sequence number whenever a new packet gets sent out; it not only serves as part of the key but also acts as the initialization vector, which gets rid of the collision attacks that used to happen with WEP. It also prevents replay attacks. Each TKIP base key created is unique, so no one can recycle a commonly known key over and over again to gain access to a formerly vulnerable WEP wireless LAN. This is because TKIP throws the base key into the mix when it assembles each packet's unique key, meaning that even if a device has connected to a particular AP a bunch of times, it won't be permitted access again unless it has a completely new key granting it permission. Even the base key itself is a fusion of something called *nonces*, an assortment of random numbers gleaned from the workstation, the AP, and each of these devices' MAC addresses, so this should also be referred to as a *session secret*.
Basically, if you have IEEE 802.1x authentication working, a session secret absolutely will be transmitted securely to each machine by the authentication server every time it initiates a connection to the wireless LAN, unless you're using pre-shared keys, that is, because if you happen to be using them, that important session secret always remains the same. Using TKIP with pre-shared keys is kind of like closing an automatically locking security door but not enabling its security settings and alarm.
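The structure the two paragraphs above describe (a base key fused from a secret, both nonces and both MAC addresses; a per-packet key built from the base key, the transmitter's MAC and a 48-bit serial number; and a receiver that rejects replayed counters) is easier to see in code. The block below is an added example, not from the original notes, and it is NOT the real TKIP key-mixing function: HMAC-SHA256 stands in for TKIP's mixing and for its MIC, and the MACs, nonces and secret are constructed values.

```python
# Added example, not from the original notes and NOT the real TKIP key-mixing
# function: a simplified model of the structure the notes describe. A base key is
# derived from the secret, both nonces and both MAC addresses; each frame then
# gets its own key from (base key, transmitter MAC, 48-bit sequence counter), and
# the receiver refuses any counter that does not increase. HMAC-SHA256 stands in
# for TKIP's mixing and for its MIC; all MACs, nonces and secrets are constructed.
import hashlib
import hmac

TSC_BITS = 48   # TKIP's per-packet sequence counter is 48 bits


def derive_base_key(pmk, client_mac, ap_mac, client_nonce, ap_nonce):
    """Base (session) key: the secret mixed with both nonces and both MACs. With
    802.1X the pmk is fresh per session; with a pre-shared key it never changes,
    which is the weakness the notes point out."""
    material = b"|".join([client_mac, ap_mac, client_nonce, ap_nonce])
    return hmac.new(pmk, material, hashlib.sha256).digest()


def per_packet_key(base_key, transmitter_mac, tsc):
    """Unique key for one frame; a repeated (mac, tsc) pair would repeat the key,
    so the counter must never be reused within a session."""
    if not 0 <= tsc < (1 << TSC_BITS):
        raise ValueError("TSC out of range, rekey before the counter wraps")
    return hmac.new(base_key, transmitter_mac + tsc.to_bytes(6, "big"),
                    hashlib.sha256).digest()[:16]


def seal(base_key, transmitter_mac, tsc, payload):
    """Sender side: attach the counter in the clear and a MIC under the packet key."""
    tag = hmac.new(per_packet_key(base_key, transmitter_mac, tsc), payload,
                   hashlib.sha256).digest()[:8]
    return {"src": transmitter_mac, "tsc": tsc, "payload": payload, "tag": tag}


class Receiver:
    def __init__(self, base_key):
        self.base_key = base_key
        self.highest_tsc = {}   # transmitter MAC -> highest counter accepted so far

    def receive(self, frame):
        """Replay check first (counter must strictly increase), then the MIC."""
        last = self.highest_tsc.get(frame["src"], -1)
        if frame["tsc"] <= last:
            return "replay-rejected"
        key = per_packet_key(self.base_key, frame["src"], frame["tsc"])
        expected = hmac.new(key, frame["payload"], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, frame["tag"]):
            return "mic-failed"
        self.highest_tsc[frame["src"]] = frame["tsc"]
        return "accepted"


# Constructed sample values (not real devices or secrets).
CLIENT_MAC = bytes.fromhex("0211223344aa")
AP_MAC = bytes.fromhex("0211223344bb")
BASE_KEY = derive_base_key(b"constructed-pmk", CLIENT_MAC, AP_MAC,
                           b"client-nonce-0001", b"ap-nonce-0001")


def demo():
    """Send two frames, replay the first, then tamper with a third."""
    rx = Receiver(BASE_KEY)
    f1 = seal(BASE_KEY, CLIENT_MAC, 1, b"hello")
    f2 = seal(BASE_KEY, CLIENT_MAC, 2, b"world")
    results = [rx.receive(f1), rx.receive(f2), rx.receive(f1)]
    f3 = seal(BASE_KEY, CLIENT_MAC, 3, b"intact")
    f3["payload"] = b"forged"            # altered in transit; the MIC no longer matches
    results.append(rx.receive(f3))
    return results


if __name__ == "__main__":
    print(demo())   # ['accepted', 'accepted', 'replay-rejected', 'mic-failed']
```

The model also shows why the PSK warning above matters: derive_base_key() is deterministic, so anyone holding the same pre-shared pmk who observes the two nonces and MACs during association can compute the same base key, whereas an 802.1x-issued pmk exists only for that session.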
802.11 Committees and Subcommittees
Committee | Purpose
IEEE 802.11a | 54Mbps, 5GHz standard
IEEE 802.11ac | 1Gbps, 5GHz standard
IEEE 802.11b | Enhancements to 802.11 to support 5.5Mbps and 11Mbps
IEEE 802.11c | Bridge operation procedures; included in the IEEE 802.1d standard
IEEE 802.11d | International roaming extensions
IEEE 802.11e | Quality of service
IEEE 802.11f | Inter-Access Point Protocol
IEEE 802.11g | 54Mbps, 2.4GHz standard (backwards compatible with 802.11b)
IEEE 802.11h | Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) at 5GHz
IEEE 802.11i | Enhanced security
IEEE 802.11j | Extensions for Japan and US public safety
IEEE 802.11k | Radio resource measurement enhancements
IEEE 802.11m | Maintenance of the standard; odds and ends
IEEE 802.11n | Higher throughput improvements using multiple-input, multiple-output (MIMO) antennas
IEEE 802.11p | Wireless Access for the Vehicular Environment (WAVE)
IEEE 802.11r | Fast roaming
IEEE 802.11s | Extended Service Set (ESS) mesh networking
IEEE 802.11t | Wireless Performance Prediction (WPP)
IEEE 802.11u | Internetworking with non-802 networks (cellular, for example)
IEEE 802.11v | Wireless network management
IEEE 802.11w | Protected management frames
IEEE 802.11y | 3650-3700MHz operation in the US
EAP-TLS
EAP Transport Layer Security (EAP-TLS) is the most secure method, but it's also the most difficult to configure and maintain. To use EAP-TLS, you must install a certificate on both the authentication server and the client. An authentication server key pair and a client key pair need to be generated 1st, signed using a PKI, and installed on the devices. On the station side, the keys can be issued for the machine itself and/or for the user. In the authentication stage, the station and the authentication server (RADIUS, etc.) exchange certificates and identify each other. Mutual authentication is a solid, beneficial feature, which ensures that the station is communicating with the proper authentication server. After this process is completed, random session keys are created for encryption.
5GHz (802.11h)
The FCC added 11 new channels in Feb of 2004, and in 2008 we were able to use these channels as manufacturers released more 802.11a 5GHz products. We gained 23 non-overlapping channels. 2 new features came with the 802.11h specification:
*Dynamic Frequency Selection (DFS)* - Continuously monitors a device's operating range for any radar signals, which are allowed to operate in portions of the 5GHz band along with 802.11a, before transmitting. If DFS discovers any radar signals, it'll either abandon the occupied channel or mark it as unavailable to prevent interference from occurring on the WLAN.
*Transmit Power Control (TPC)* - Something already employed by the phone industry. You can set the client machine's adapter and the access point's transmit power to cover various size ranges. Setting the AP transmit power to 5mW reduces cell range, which works great if you've got a compact area with high-density usage. TPC enables the client and the AP to communicate with less power, meaning the client machine can fine-tune its transmit power dynamically so it uses just enough energy to preserve its connection to the AP, conserving its battery power and reducing interference on neighboring WLAN cells.
The 802.11 Standards
IEEE 802.11 was the 1st, original standardized WLAN, at 1Mbps and 2Mbps. It runs on the 2.4GHz radio frequency. It was ratified in 1997, although we didn't see many products pop up until 1999 when 802.11b was introduced. All committees of 802.11 were amendments other than 802.11f and 802.11t, which were stand-alone documents.
Wireless Controllers
In a *stand-alone solution*, all the APs have a full operating system loaded and running, and each must be managed separately. In the *controller-based system*, the APs are what we refer to as lightweight, meaning they do not have a full operating system running on them. The controller and AP split duties, a solution known as *split MAC*. APs running with a controller are referred to as lightweight, but you'll also hear the term *thin AP*, whereas you'll hear the term *thick* when referring to APs that run a full OS. The administrator pushes changes to the AP controller, which in turn pushes out the configuration needed for each AP. In order for split MAC to work in a wireless controller network, the APs and controller run a protocol to enable them to communicate. The proprietary protocol that Cisco used was called Lightweight Access Point Protocol (LWAPP). LWAPP isn't used that much anymore; it was replaced by the non-proprietary Control and Provisioning of Wireless Access Points (CAPWAP).
Multiple Floors
In conditions where WLANs are located on multiple floors, you have to think about channel usage in a 3-dimensional way. You will need to work with the other WLAN admins to make this work. To prevent bleed from 1 floor to another, use semi-directional or patch antennas to control radiation patterns.
Wireless Antenna Types and Ranges
Model | Gain | Indoor range at 1Mbps | Indoor range at 11Mbps | Outdoor range at 2Mbps | Outdoor range at 11Mbps
AIR-ANT2410Y-R | 10dBi | 800ft | 230ft | Not specified | Not specified
AIR-ANT1728 | 5.2dBi | 497ft | 142ft | Not specified | Not specified
AIR-ANT4941 | 2.2dBi | 350ft | 130ft | Not specified | Not specified
AIR-ANT2506 | 5.2dBi | Not specified | Not specified | 5,000ft | 1,580ft
AIR-ANT24120 | 12dBi | Not specified | Not specified | 24,288ft | 7,392ft
Ad Hoc Networks
No corporate security, since it doesn't involve APs. A dangerous config usually done by unsophisticated users, and it can end up in a peer-to-peer attack. If the laptop happens to connect to the corporate LAN through an Ethernet connection at the same time the ad hoc network is created, the 2 connections could be bridged by a hacker to gain access into the wired LAN.
Mitigation: When you've got a Cisco Unified Wireless Network (CUWN) in operation, ad hoc networks can be identified over the air by the kind of frames they send. When these frames are identified, the CUWN can prevent harmful intrusions by sending out something known as deauthentication frames to keep your stations from associating via ad hoc mode.
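Both the rogue AP mitigation earlier (an AP the controller does not manage is classified as a rogue, worse still if it advertises your SSID) and the ad hoc detection here (ad hoc networks give themselves away by the frames they send) amount to a classifier over what the APs hear while scanning off-channel. The block below is an added example, not from the original notes and not Cisco's RRM/CUWN code; the capability-field bit values are the real 802.11 ones, while the inventory, SSIDs and scan records are constructed.

```python
# Added example, not from the original notes and not Cisco's RRM/CUWN code: a
# classifier for beacon/probe-response observations that an AP would collect while
# scanning off-channel. An observation whose BSSID is not in the controller's
# inventory is a rogue (worse if it advertises our SSID); one whose capability
# field has the IBSS bit set is an ad hoc network. The capability bit values are
# the real 802.11 ones; the inventory, SSIDs and scan records are constructed.

CAP_ESS = 0x0001    # capability info bit 0: infrastructure BSS
CAP_IBSS = 0x0002   # capability info bit 1: independent (ad hoc) BSS

# Constructed inventory of controller-managed radios: BSSID -> AP name.
MANAGED_APS = {
    "02:00:5e:00:01:01": "ap-floor1-east",
    "02:00:5e:00:01:02": "ap-floor1-west",
}
CORPORATE_SSIDS = {"corp-wifi"}


def classify(obs, managed=MANAGED_APS, our_ssids=CORPORATE_SSIDS):
    """obs: {'bssid', 'ssid', 'channel', 'capability', 'rssi'} from one beacon."""
    bssid = obs["bssid"].lower()
    cap = obs["capability"]
    if cap & CAP_IBSS and not cap & CAP_ESS:
        return "ad-hoc"
    if bssid in managed:
        return "managed"
    if obs["ssid"] in our_ssids:
        return "rogue-impersonating"   # our SSID from a radio we don't manage
    return "rogue"


def triage(observations):
    """Group a scan's observations by verdict, strongest signal first, so the
    nearest rogue or ad hoc radio is at the top of the list for locating."""
    groups = {}
    for obs in sorted(observations, key=lambda o: o["rssi"], reverse=True):
        groups.setdefault(classify(obs), []).append(obs["bssid"].lower())
    return groups


# Constructed scan results (locally-administered MAC range, not real devices).
SAMPLE_SCAN = [
    {"bssid": "02:00:5e:00:01:01", "ssid": "corp-wifi", "channel": 1, "capability": CAP_ESS, "rssi": -40},
    {"bssid": "02:00:5e:00:01:02", "ssid": "corp-wifi", "channel": 11, "capability": CAP_ESS, "rssi": -58},
    {"bssid": "02:00:5e:00:99:01", "ssid": "corp-wifi", "channel": 6, "capability": CAP_ESS, "rssi": -35},
    {"bssid": "02:00:5e:00:99:02", "ssid": "Guest-Cafe", "channel": 6, "capability": CAP_ESS, "rssi": -70},
    {"bssid": "02:00:5e:00:99:03", "ssid": "laptop-share", "channel": 1, "capability": CAP_IBSS, "rssi": -50},
]

if __name__ == "__main__":
    for verdict, bssids in triage(SAMPLE_SCAN).items():
        print(f"{verdict:20s} {', '.join(bssids)}")
```

The "rogue-impersonating" verdict is the case the rogue AP notes describe: the SSID matches yours but the BSSID is nobody you manage, so a controller would plot it on the floor plan and block stations from associating with it.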
Passive Attacks
Often used to gather information to be used in an active attack a hacker is planning for later, and they usually involve wireless sniffing. During the attack, the hacker captures large amounts of raw frames to analyze online with sniffing software used to discover a key and decrypt it "on the fly". Or the data will be analyzed offline, which simply means the bad guy will take the data away and analyze it later.
Mitigation:
*IDS* - An intrusion detection system (IDS) is used to detect several types of malicious behaviors that can compromise the security and trust of your systems. These malicious behaviors include network attacks against vulnerable services; data-driven attacks on applications; host-based attacks like privilege escalation; unauthorized logins; access to sensitive files; and malware like viruses, Trojan horses, and worms.
*IPS* - An intrusion prevention system (IPS) is a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. A network-based IPS will operate inline to monitor all network traffic for malicious code or attacks. Where either is detected, it can drop the offending packets while still allowing all other traffic to pass.
The goal of a security mechanism is to provide 3 features:
* Confidentiality of data
* Data integrity
* An assured identification process
When faced with decisions about security, you need to consider 3 things:
* The safety of the authentication process
* The strength of the encryption mechanism
* Its ability to protect the integrity of the data
Remote Authentication Dial-In User Service (802.1x)
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that offers us several security benefits: authorization, centralized access, and accounting supervision regarding the users and/or computers that connect to and access our networks' services. Once RADIUS has authenticated the user, it allows us to specify the type of rights a user or workstation has, plus control what it, or they, can do within the network. It also creates a record of all access attempts and actions. The provision of authentication, authorization, and accounting is called AAA, which is pronounced just like the automobile insurance company, "triple A," and it's part of the IEEE 802.1x security standards. RADIUS has become popular because of its AAA features and is often employed by ISPs, web servers, wireless networks, and APs, as well as network ports; basically, by anybody who wants or needs an AAA server.
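What RADIUS actually puts on the wire, and where its shared secret does its work, is worth seeing once. The block below is an added example, not from the original notes: it builds an Access-Request and an Access-Accept as RFC 2865 defines them (User-Password hidden with the MD5 scheme of section 5.2, Response Authenticator computed over the reply plus the secret) and shows the client rejecting a reply with a bad authenticator. The shared secret, username, password and fixed Request Authenticator are constructed values.

```python
# Added example, not from the original notes: building and checking RADIUS
# Access-Request / Access-Accept packets as RFC 2865 defines them, to show where
# the shared secret does its work. The User-Password attribute is hidden with the
# MD5-based scheme of RFC 2865 section 5.2, and the server's Response
# Authenticator lets the client detect a forged or altered reply. The shared
# secret, username, password and Request Authenticator are constructed values.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    p = password.encode()
    if len(p) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    p += b"\x00" * (-len(p) % 16 or (16 if not p else 0))
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        block = _xor(p[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decode_user_password(blob, secret, request_auth):
    """Server side of the same scheme; only a holder of the secret can recover it."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        out += _xor(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode()


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data):
    """Walk the TLV list, refusing lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(identifier, username, password, secret, request_auth):
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    identifier, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request, secret):
    """Client side: the reply must echo our identifier and carry a valid authenticator."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    if response[1] != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


# Constructed values: a fixed authenticator makes the example reproducible; a real
# client must draw a fresh random 16-byte Request Authenticator for every request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))


def exchange(username="alice", password="s3cret-pass", identifier=7):
    """Client builds a request, server decodes the password and answers, client verifies."""
    request = build_access_request(identifier, username, password, SECRET, REQUEST_AUTH)
    attrs = dict(parse_attributes(request[HEADER_LEN:]))
    recovered = decode_user_password(attrs[ATTR_USER_PASSWORD], SECRET, REQUEST_AUTH)
    code = ACCESS_ACCEPT if recovered == password else ACCESS_REJECT
    response = build_response(code, request, attribute(ATTR_REPLY_MESSAGE, b"welcome"), SECRET)
    return recovered, response[0], verify_response(response, request, SECRET)


if __name__ == "__main__":
    print(exchange())   # ('s3cret-pass', 2, True)
```

The Response Authenticator is what stops a host on the path from turning an Access-Reject into an Access-Accept: flipping the code byte invalidates the MD5 over the reply, and without the shared secret the forger cannot recompute it. The MD5-based password hiding is the reason RADIUS traffic between AP and server should itself travel over a trusted segment or a tunnel.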
Denial of Service
Sometimes hackers want to use jamming frequencies to cause a complete interruption of service.
Mitigation: 1st, if someone is jamming the frequency, there isn't much, if anything, you can do. However, many DoS, man-in-the-middle, and penetration attacks operate by deauthenticating or disassociating stations from their networks. Some DoS attacks take the form of simply flooding the wireless network with probe requests or association frames, which effectively makes the overwhelmed network unavailable for normal transmission. These types of management frames are sent unauthenticated and unencrypted. Since deauthentication and disassociation frames are classified as management frames, the Management Frame Protection (MFP) mechanism can be used to prevent the deluge. There are 2 types of MFP you can use, referred to as *infrastructure* and *client*.
*Infrastructure Mode* - This doesn't require configuration on the stations, only the AP. Controllers generate a specific signature for each WLAN, which is added to each management frame it sends, and any attempt to alter this is detected by the MIC of the frame, so when an AP receives a management frame from an unknown SSID, it reports the event to the controller and an alarm is generated. When an AP receives an MFP-protected frame from an unknown SSID, it queries the controller for the key. If the BSSID isn't recognized by the controller, it will return an "unknown BSSID" message, which causes the AP to drop the frame.
*Client Mode* - Often rogue APs attempt to impersonate the company AP. With client MFP, all management frames between the AP and the station are protected because clients can detect and drop spoofed or invalid management frames.
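The two observable facts above (deauthentication and disassociation frames arrive unauthenticated, and under MFP a legitimate one carries a MIC) give a monitor two concrete checks. The block below is an added example, not from the original notes and not Cisco's MFP implementation: a sliding-window flood detector over management-frame metadata, plus a check for disconnect frames that claim an MFP-enabled BSSID as their source but lack the protected flag. The frame subtype values are the real 802.11 ones; the BSSIDs, timestamps and frames are constructed.

```python
# Added example, not from the original notes and not Cisco's MFP implementation:
# detection logic a monitor could run over captured management-frame metadata.
# detect_floods() raises an alert when one transmitter sends more deauthentication
# or disassociation frames against a BSSID than a threshold allows inside a sliding
# window; unprotected_from_mfp() lists deauth/disassoc frames that claim to come
# from an MFP-enabled BSSID but lack the protected flag, which is what a spoofed
# frame looks like. Frame subtype values are the real 802.11 ones; the BSSIDs,
# timestamps and frames are constructed sample data.
from collections import defaultdict, deque

MGMT = 0                         # 802.11 frame type 0 = management
DISASSOC, DEAUTH = 0xA, 0xC      # management subtypes 10 and 12


def is_disconnect(frame):
    return frame["type"] == MGMT and frame["subtype"] in (DEAUTH, DISASSOC)


def detect_floods(frames, window_s=1.0, threshold=20):
    """Sliding-window counter per (transmitter, bssid). One alert per pair, raised
    the moment the count inside the window exceeds the threshold."""
    windows = defaultdict(deque)
    alerts, alerted = [], set()
    for f in sorted(frames, key=lambda f: f["ts"]):
        if not is_disconnect(f):
            continue
        key = (f["src"], f["bssid"])
        q = windows[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": f["src"], "bssid": f["bssid"], "count": len(q),
                           "first_ts": q[0], "last_ts": f["ts"]})
    return alerts


def unprotected_from_mfp(frames, mfp_bssids):
    """Deauth/disassoc frames sourced from an MFP-protected BSSID must carry the
    protected flag (and a MIC); any that do not are candidates for spoofing."""
    return [f for f in frames
            if is_disconnect(f) and f["src"] in mfp_bssids and not f.get("protected", False)]


# Constructed capture: a legitimate AP sends a few protected deauths, while an
# unknown radio using that AP's address sends a burst of 30 in half a second.
AP_BSSID = "02:00:5e:00:01:01"
LEGIT_STATION = "02:00:5e:00:02:01"


def sample_frames():
    frames = [
        {"ts": 0.0, "type": MGMT, "subtype": DEAUTH, "src": AP_BSSID, "bssid": AP_BSSID, "protected": True},
        {"ts": 5.0, "type": MGMT, "subtype": DISASSOC, "src": AP_BSSID, "bssid": AP_BSSID, "protected": True},
        {"ts": 5.2, "type": 2, "subtype": 0, "src": LEGIT_STATION, "bssid": AP_BSSID},   # ordinary data frame
    ]
    frames += [{"ts": 10.0 + i * 0.016, "type": MGMT, "subtype": DEAUTH,
                "src": AP_BSSID, "bssid": AP_BSSID, "protected": False} for i in range(30)]
    return frames


if __name__ == "__main__":
    frames = sample_frames()
    for a in detect_floods(frames):
        print(f"flood: {a['count']} frames from {a['src']} in {a['last_ts'] - a['first_ts']:.2f}s")
    print("unprotected deauth/disassoc from MFP BSSID:", len(unprotected_from_mfp(frames, {AP_BSSID})))
```

The two checks are complementary: the flood counter catches volume regardless of MFP, while the protected-flag check catches a single spoofed frame once MFP is on, which is the client-mode behaviour the notes describe (the station drops the frame rather than disconnecting).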
5GHz (802.11ac)
A standard that works in the 5GHz range and delivers up to 1Gigabit (in theory) throughput; it was approved by the 802.11 standards committee in January 2014. 802.11n had added fields in the wireless frame to identify 802.11a and 802.11g as high throughput (HT), whereas 802.11ac adds 4 fields to identify the frames as very high throughput (VHT). 802.11ac runs up to OFDM 256-QAM.
Service Set Identifiers, Wired Equivalent Privacy, and Media Access Control Address Authentication
The basic security of 802.11 included the use of an SSID, open or shared-key authentication, static WEP, and optional Media Access Control (MAC) authentication/MAC filtering. An SSID prevents access by any client device that doesn't have the SSID. By default the SSID is broadcast by the AP, which can be turned off. Even with SSID broadcasting turned off, a bad guy can discover the SSID by monitoring the network and just waiting for a client response to the AP, because the information is sent in clear text. There are 2 types of authentication in 802.11: open and shared key. Open authentication involves little more than supplying the correct SSID, but it's the most common method in use today. With shared-key authentication, the AP sends the client device a challenge-text packet that the client must then encrypt with the correct WEP key and return to the AP. Without the correct key, authentication will fail and the client won't be allowed to associate with the AP. Shared-key authentication is still not considered secure because all an intruder has to do to get around this is detect both the clear-text challenge and the same challenge encrypted with a WEP key and then decipher the WEP key. WEP isn't used in today's WLANs because of the clear-text challenge. With open authentication, the use of WEP prevents the client from sending and receiving data from the AP unless the client has the correct WEP key. A WEP key is composed of either 40 or 128 bits, and in its basic form, it's usually statically defined by the network admin on the AP and all clients that communicate with that AP. When static WEP keys are used, a network admin must enter the same keys on every device in the WLAN. There are scripts and software to do this task. Client MAC addresses can be statically typed into each AP, allowing MAC filtering, and any frames that show up at the AP without a known MAC in the filter table will be denied access.
MAC layer info must be sent in clear text, so anyone with a wireless sniffer can just read the client packets sent to the AP and spoof their MAC address. If you have a small number of wireless clients and you don't want to deploy an encryption-based access method, MAC address filters may be enough.
Installing a Wireless Network
There are 2 main installation types, ad hoc and infrastructure mode, and each 802.11 wireless network device can be installed in one of these 2 modes, also called *service sets*.
*Ad Hoc Mode: Independent Basic Service Set* - The easiest way to install wireless 802.11 devices. In this mode, the wireless NICs communicate directly without the need for an AP. For example, 2 laptops in ad hoc mode could connect and transfer files as long as the other network settings, like protocols, were set up to enable this. This is called an *Independent Basic Service Set (IBSS)*, which is created as soon as 2 wireless devices communicate. When setting up the wireless NICs in the PCs or devices, you set the mode you want, so in ad hoc mode, once the devices are within 90m-100m of each other they are able to connect.
*Infrastructure Mode: Basic Service Set* - All 802.11 equipment has the ability to operate in infrastructure mode, also referred to as a *Basic Service Set (BSS)*, which is provided by an AP. The term *Basic Service Area (BSA)* is also used to define the area managed by the AP, but BSS is the most common term used to define the cell area. In this mode, NICs communicate only with the AP directly rather than with other NICs directly. Wireless clients actually appear to the rest of the network as though they were standard wired hosts. When you configure a client to operate in wireless infrastructure mode, you need to understand SSID and security. The *Service Set Identifier (SSID)* refers to the unique 32-character identifier that represents a particular wireless network and defines the basic service set. If you set all your APs to the same SSID, mobile wireless clients can roam around freely within the same network. Doing so creates an *Extended Service Set (ESS)* and provides more coverage than a single AP. For users to be able to roam throughout the wireless network from AP to AP without losing their connection to the network, all APs must overlap by 10% of their signal or more.
Introduction to Wireless Technology
Transmitting a signal using the typical 802.11 specifications works a lot like it does with a basic Ethernet hub: both are 2-way communication systems that use the same frequency to transmit and receive (half duplex). Wireless LANs (WLANs) use radio frequencies (RF) that are radiated into the air from an antenna, which creates radio waves. We can increase the transmitting power to gain a greater transmitting distance, but doing so can create some nasty distortion. By using higher frequencies, we can attain higher data rates, but at the cost of decreased transmitting distances. If we use lower frequencies, we get to transmit greater distances but at lower data rates. 802.11 was developed so that no licensing would be required in most countries, to ensure users the freedom to install and operate without any licensing or operating fees. Because WLANs transmit over radio frequencies, they're regulated by the same types of laws used to govern things like AM/FM radios. The FCC regulates the use of WLAN devices, and the IEEE then creates standards based on which frequencies the FCC releases for public use. The FCC has released 3 unlicensed bands for public use: 900MHz, 2.4GHz, and 5GHz. The 900MHz and 2.4GHz bands are referred to as the Industrial, Scientific, and Medical (ISM) bands, and the 5GHz band is known as the Unlicensed National Information Infrastructure (UNII) band.
Certificates and PKI
WPA2 can use an Extensible Authentication Protocol (EAP) method for authentication. EAP isn't a single method but a framework that enhances the existing 802.1x framework. The EAP framework describes a basic set of actions that will take place, and each EAP type differs in the specifics of how it operates within the framework. These variables include whether passwords or certificates are used, as well as the ultimate level of security provided. Some of the EAP methods require that certificates be used as the credential during authentication. This means that to implement those methods, you must have a Public Key Infrastructure (PKI) in your network. A PKI requires a certificate server that issues certificates to your users and/or devices. These certificates, which consist of a public/private key pair, must be securely installed on the devices and renewed at regular intervals. In symmetric encryption, the 2 encryption keys are the same, just as they are with WEP keys, but in asymmetric encryption, the key used to encrypt is different from the key used to decrypt. In PKI, asymmetric keys are used, and the keys are called a public/private key pair. Certificates bind a public/private key pair generated by a certificate server to a user or computer. As long as 2 parties trust the same certificate source, called the trusted certificate authority (CA), they can trust the certificate they're presented with for authentication. These keys can also be used for encryption and as digital signatures. Certificates as a form of authentication are considered the highest form of authentication when compared to usernames and passwords.
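To make the shared-CA trust relationship concrete, here is an added example (not from these notes) in Go using only the standard library's crypto/x509: a hypothetical corporate root CA issues a client certificate, and an authentication server that trusts only that root accepts it while rejecting a certificate for the same user name issued by any other CA. The names "Corp Root CA" and "alice" are made up, and the 24-hour validity period stands in for the regular renewal interval the notes mention.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must unwraps (value, error) results; key generation and encoding only fail on a broken entropy source.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue has signer (holder of the parent certificate's key) sign tmpl for pub; parent == tmpl is self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// NewCA creates a self-signed root CA: the "trusted certificate source".
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueClient binds a user name to a fresh public/private key pair under the CA's signature:
// the credential a supplicant presents in certificate-based EAP.
func IssueClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return issue(tmpl, ca, &key.PublicKey, caKey), key
}

// Trusted reports whether a server that trusts only root accepts client: it checks the
// signature chain back to root, the validity period and the client-auth key usage.
func Trusted(root, client *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

The private key returned by IssueClient is the half that must be securely installed on the device; only the certificate (public half plus the CA's signature) is presented during authentication.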
2.4GHz (802.11b)
802.11b was widely deployed and operates in the 2.4GHz unlicensed radio band, delivering a maximum data rate of 11Mbps. Now 802.11b has a big brother (802.11g), which can do 10/100Mbps. An interesting thing about all 802.11 WLAN products is that they have the ability to data-rate-shift while moving. This allows a client operating at 11Mbps to shift to 5.5Mbps, then 2.2Mbps, and finally still communicate farthest from the AP at 1Mbps. Further, this rate shifting happens without losing the connection and with no interaction from the user. Rate shifting also occurs on a transmission-by-transmission basis, which means that the AP can support multiple clients at varying speeds depending upon the location of each client. The problem with all 802.11b communication lies in how the Data Link Layer is dealt with. In order to solve problems in the RF spectrum, a variant of Ethernet's collision handling was created, called *Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)*. CSMA/CA also has an optional implementation called *Request to Send, Clear to Send (RTS/CTS)* because of the way that hosts must communicate with the AP. For every packet sent, an RTS/CTS and acknowledgement must be received, and because of this rather cumbersome process, it's kind of hard to believe it all actually works when you use this!

RTS >> CTS >> Data >> Ack
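The following added example (not part of the original notes) simulates the RTS >> CTS >> Data >> Ack exchange in Go, and goes one step beyond the text by modelling the Network Allocation Vector (NAV): the duration carried in each frame that makes every other station in range treat the medium as reserved, which is what lets RTS/CTS protect a transmission from a client that cannot hear the sender. Slot counts and the station topology are constructed for illustration.

```go
package main

// Frame is one MAC frame; Duration is how many slots the sender reserves the medium for after it.
type Frame struct {
	Type, Src, Dst string
	Duration       int
}

// Station is a client or AP. While NAV > 0 it treats the medium as busy even if it hears nothing.
type Station struct {
	Name string
	NAV  int
}

// Hears maps a sender to the stations in its radio range; reach is directed, so two
// clients hidden from each other can both hear the AP.
type Hears map[string][]*Station

// Send delivers f to every station in range of the sender. Stations other than the
// destination load the reservation into their NAV; the destination is part of the exchange.
func (h Hears) Send(f Frame) {
	for _, s := range h[f.Src] {
		if s.Name != f.Dst && f.Duration > s.NAV {
			s.NAV = f.Duration
		}
	}
}

// Exchange runs RTS >> CTS >> Data >> Ack for one data frame of dataSlots slots; each
// Duration covers the rest of the exchange, one slot per control frame. It returns the frame
// types in the order they went on the air.
func (h Hears) Exchange(client, ap string, dataSlots int) []string {
	seq := []Frame{{"RTS", client, ap, dataSlots + 2}, {"CTS", ap, client, dataSlots + 1},
		{"DATA", client, ap, 1}, {"ACK", ap, client, 0}}
	var sent []string
	for _, f := range seq {
		h.Send(f)
		sent = append(sent, f.Type)
	}
	return sent
}

// Deferring returns the stations that must stay silent (NAV > 0) after the handshake.
func Deferring(stations []*Station) []string {
	var out []string
	for _, s := range stations {
		if s.NAV > 0 {
			out = append(out, s.Name)
		}
	}
	return out
}
```

A station that never hears the client's RTS still hears the AP's CTS, so it defers for the whole data transfer; that is the "hosts must communicate with the AP" point behind RTS/CTS.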
Location-Based WLAN
When using a location device such as the Cisco 2710, the restrictions get tighter. The additional requirements for the location device to operate properly are as follows:

* APs should be placed at the edge even when they're not needed there for normal coverage purposes, so that devices at the edge can be located.
* The density of APs must be higher. Each AP should be 50 to 70 feet apart, much closer than is normally required.
* Some APs will need to be set in monitor or scanner mode so that they won't transmit and interfere with other APs.

All this means that the final placement will be denser and a bit more symmetrical than usual.
Wireless Network Components
Wireless networks are less complex than wired networks because they require fewer components. To make a wireless network work properly you need 2 main devices: a wireless AP and a wireless NIC.

*Wireless Access Points* - An AP is a bridge between the wireless clients and the wired network. An AP can operate as a repeater, bridge (switch), or router, depending on its hardware and its implementation. They are commonly known as wireless routers, and they're usually employed as Network Address Translation (NAT) servers, using 1 ISP-provided global address to multiplex numerous local IP addresses, usually in the 192.168.x.x range.

*Wireless Network Interface Card* - A wireless NIC does the same job as a wired NIC, but instead of having a socket to plug a cable into, the wireless NIC has a radio antenna.