
Wireless

Module Objectives
By the end of this module participants will be able to:
- Explain the differences between thick and thin access points
- List the wireless controller discovery methods available on the FortiGate unit
- Understand the concepts of virtual access points and access point profiles
- Configure WLAN interfaces on the wireless controller or a FortiWiFi unit
- Explain how Rogue Access Point detection can be used to prevent users from logging into unknown access points

Wireless
- Increase in wireless devices on network
  - Laptops, smartphones, mobile WiFi devices, tablets, cameras, wireless VoIP devices, scanners…
- Increase productivity through uninterrupted access to applications and resources
- Users roaming throughout network
  - Moving from one access point to another
- Reduce costs of wiring facilities

Increased Need For Security
- Wireless is a shared medium
  - Subject to malicious attacks
  - One user’s high usage of application traffic can reduce bandwidth available to others
- Access to network not contained
  - Could be accessed by someone close by
- High compliance requirements based on jurisdiction

Wireless Concepts
- Bands and channels
  - IEEE 802.11a, b, g, n
- Encryption modes
  - WEP64, WEP128, WPA, WPA2
- Control and Provisioning of Wireless Access Points (CAPWAP)
  - Enables a controller to manage a collection of wireless access points over UDP

Thick Access Points
- The access point into the wireless network is a standalone device
  - Responsible for authentication, encryption and access control policies (all-in-one device)
- Each device requires independent management or a centralized management application
- Ideal for smaller service areas where only one or two access points are required
  - Small offices, retail stores…
- FortiWiFi appliances provide Thick AP capabilities
  - Wireless radio and FortiOS on a single device

FortiWiFi
Standard / Capability | FortiWiFi 30B | 50B | 60C | 80C/81CM
Thick AP
Thin AP: option
Number of Wi-Fi radios
802.11a
802.11b/g
802.11n
High Throughput 40 MHz option
WME/WMM Multimedia Extensions
Max wireless speed: 54 Mbps, 300 Mbps
Simultaneous SSIDs: 7, 7, 7, 7
Background rogue AP detection
PoE power option
Serve as wireless controller for FortiAP

Thin Access Points
- Thin APs delegate tasks to a centralized wireless controller
  - Authentication, security processing, channel assignment, transmitter power level, rogue AP detection
  - Performs few complex tasks locally
- The controller is the centralized decision point
  - Automates configuration and operation of the access points
- The FortiAP device functions as a Thin AP, tunneling all traffic to the controller on a FortiGate device
  - FortiGate unit provides all security and management functionality

FortiAP
Standard / Capability | FortiAP 210B | 220B | 222B
Thick AP
Thin AP
Number of WiFi radios
802.11a
802.11b/g
802.11n
High Throughput 40 MHz option
WME/WMM Multimedia Extensions
Max wireless speed: 300 Mbps, 600 Mbps
Simultaneous SSIDs: 8 (1 can be used for monitoring) | 16 (2 can be used for monitoring) | 16 (2 can be used for monitoring)
Rogue AP detection: Background | Background/Dedicated | Background/Dedicated
PoE power option
Location: Indoor, Indoor/outdoor

FortiAP FortiAP-210B FortiAP-220B FortiAP-222B

FortiGate Wireless Controllers
- All current FortiGate units (supported by FortiOS 4.0 MR3) can act as wireless controllers for FortiAP devices
- FortiAP device passes client traffic directly to the FortiGate unit over a CAPWAP tunnel
  - Traffic undergoes threat removal and policy examination before it is allowed back on the LAN
- Wired and wireless traffic are managed from a single management console
- FortiGate units with Power over Ethernet (PoE) interfaces (200B-POE) can power the connected FortiAP devices

Managed AP Topologies
- Direct connection
  - FortiAP unit is connected directly to the FortiGate unit
  - Number of APs matches number of internal ports on the FortiGate unit
- Switched connection
  - FortiAP unit is connected to the wireless controller on the FortiGate by an Ethernet switch
  - Must be a routable path between FortiAP device and the FortiGate unit
- Connection over WAN
  - The FortiGate wireless controller is off-premises and connected by a VPN tunnel to a local FortiGate device

Controller Discovery
- FortiAP and FortiWiFi devices configured as an AP must locate a controller
- Broadcast request
  - AP unit broadcasts a discovery request and the controller replies
  - Controller and AP must be in same broadcast domain
- Multicast request
  - AP unit sends a multicast request and the controller replies with a unicast discover response
  - Controller and AP do not need to be in the same broadcast domain if multicast routing is properly configured
  - The default multicast destination IP address is

Controller Discovery
- Static IP address
  - Administrator specifies the controller’s static IP address on the FortiAP unit
  - FortiAP sends a unicast discover request message to the controller
  - Routing must be configured in both directions
- DHCP
  - When using DHCP to assign an IP address to the FortiAP unit, identify the IP address of the controller at the same time
  - Useful when the AP is located remotely from the wireless controller
  - IP address of the controller must be converted into hexadecimal

Wireless Coverage
- Typical wireless coverage area per access point is about 100 meters indoors, or 30 meters outdoors
- Bandwidth is shared amongst all users of the wireless data stream
- Select channels appropriate for the client devices
- When placing access points consider that physical barriers can impede the radio signal
- Ensure the access point is located in a prominent location within a room for maximum coverage

Wireless Controller Configuration
[Diagram labels: Virtual Access Point 1, Virtual Access Point 2, Access Point profile 1, Physical Access Point units, Radio settings, Security settings]

Virtual Access Points
- A Virtual Access Point defines the security settings that can be applied to one or more physical Access Points
- Each virtual AP creates its own virtual network interface on the FortiGate unit
  - Define DHCP services, firewall policies and other settings for the wireless LAN
- Provides different levels of services to different groups of users

Service Set Identifier (SSID)
- Users who want to use a wireless network must configure their computers with the Service Set Identifier (SSID) or network name
- Broadcasting the SSID makes the connection easier since the client is presented with a list of networks being received
  - Desirable for a public network
- The presence of the wireless network can be obscured by not broadcasting the SSID
  - Network is still detectable
- Enter the SSID used to identify the wireless network when defining the virtual Access Point

Guest Networks
- Use virtual access points to separate guest and employee wireless networks
  - Allows separate SSIDs, authentication options and QoS priorities
  - Guest traffic does not interfere with higher priority employee traffic

Security Mode
- Wired Equivalent Privacy (WEP)
  - Uses an encryption key between the wireless device and the access point
  - WEP64 uses a key of ten hexadecimal digits
  - WEP128 keys are 26 digits long
  - Relatively easy to break
- Wi-Fi Protected Access (WPA)
  - Provides two methods of authentication:
    - RADIUS authentication (WPA-Enterprise)
    - Pre-shared keys (WPA-Personal)
  - Temporal Key Integrity Protocol (TKIP)
  - Advanced Encryption Standard (AES)
- WPA2 provides additional security improvements

Wireless Authentication
- Authentication methods apply to wireless networks the same way they do for wired networks
- Users can also be authenticated against a local user group on the FortiGate device
- External authentication servers (RADIUS, LDAP, TACACS+, Windows Active Directory) are also available
- For each wireless LAN, create a user group and add the users who can access the WLAN
- Select a security mode for each SSID
- Guest Captive Portal option available
  - Uses a web authentication form
  - All traffic is blocked until the user opens a browser window

Access Point Profile
- The AP profile configures radio settings and selects the virtual AP to which the settings apply
- Separate settings for each radio on the FortiAP device
- The available channels will be displayed when band is selected
- Distributed Automatic Radio Resource Provisioning (DARRP) allows each FortiAP unit to automatically select the optimum Wi-Fi channel
  - Channel selection is evaluated every five minutes; clients are automatically signaled to migrate to the new channel
  - Reduces load on the controller
  - Reduces chatter between the Access Points

Distributed Automatic Radio Resource Provisioning
- Distributed Automatic Radio Resource Provisioning (DARRP) allows each FortiAP unit to select an optimum WiFi channel
  - Units do not interfere with each other
  - Reduces load on FortiGate wireless controller
  - Reduces chatter between APs
- Channel selection is evaluated every 5 minutes
  - Clients are automatically signaled to migrate to a new channel

Configuring the WLAN interface on a Wireless Controller
- When a virtual AP is created, a virtual network interface with the same name is also created
- Configure the network interface on the wireless controller
  - Addressing mode
  - DNS
  - Administrative Access

Configuring the WLAN interface on a standalone FortiWiFi Unit
- A standalone FortiWiFi unit contains and controls its own access points
  - No need for virtual APs and AP profiles
- The wireless network interface configuration contains a single set of radio and security settings

MAC Filtering
- Permit or exclude a list of clients based on the MAC address of their computer
- Should be used in conjunction with other security measures
  - Unauthorized users could capture MAC addresses from network traffic and use them to impersonate legitimate users
- Configured on a per-virtual AP interface basis

Rogue Access Point Detection
- FortiAP devices can scan for unknown access points
  - Rogue APs can create a leakage point where a malicious user can steal confidential, regulated or proprietary data
  - Scanning for rogue APs can be mandated by industry policies
- Scans can be dedicated or background
  - Second radio on FortiAP device for dedicated monitoring
- On wire detection uses various correlation techniques to determine if an unknown access point is connected to a FortiWiFi or FortiAP wireless LAN
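
An added example, not part of the original slides and not Fortinet code: a triage pass over rogue-AP scan results that separates managed APs, unknown APs that appear to be plugged into the LAN, and off-wire neighbors. The slide does not name its correlation techniques; MAC adjacency is used here as an assumed illustration, and every MAC address, SSID and the adjacency window is constructed.

```python
# Added example: triage of rogue-AP scan results with on-wire correlation.
# All MAC addresses, SSIDs and the adjacency window are constructed/assumed.

MANAGED_BSSIDS = {"00:09:0f:aa:10:01", "00:09:0f:aa:10:02"}
MANAGED_SSIDS = {"corp", "guest"}

# Constructed scan results, as a monitoring radio might report them.
SCAN = [
    {"bssid": "00:09:0F:AA:10:01", "ssid": "corp", "rssi": -48},
    {"bssid": "c0:ff:ee:00:20:11", "ssid": "corp", "rssi": -55},
    {"bssid": "c0:ff:ee:00:30:0a", "ssid": "linksys", "rssi": -60},
    {"bssid": "de:ad:be:00:00:99", "ssid": "CoffeeShop", "rssi": -82},
]

# Constructed source MACs learned on the wired LAN (switch or ARP tables).
WIRED_MACS = {"c0:ff:ee:00:30:09", "00:11:22:33:44:55"}

SEVERITY = {"rogue-on-wire": 0, "unknown-managed-ssid": 1, "neighbor": 2, "managed": 3}


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def on_wire(bssid, wired_macs, window=7):
    """MAC adjacency heuristic (assumed technique): many APs number their
    Ethernet and radio MACs consecutively, so a BSSID within `window` of a
    MAC seen on the wire suggests the AP is plugged into the LAN."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(m)) <= window for m in wired_macs)


def classify(scan, managed=MANAGED_BSSIDS, ssids=MANAGED_SSIDS, wired=WIRED_MACS):
    findings = []
    for ap in scan:
        bssid = ap["bssid"].lower()
        if bssid in managed:
            verdict = "managed"
        elif on_wire(bssid, wired):
            verdict = "rogue-on-wire"          # leakage point onto the LAN
        elif ap["ssid"] in ssids:
            verdict = "unknown-managed-ssid"   # unknown radio using our SSID
        else:
            verdict = "neighbor"               # off-wire, unrelated network
        findings.append({"bssid": bssid, "ssid": ap["ssid"], "verdict": verdict})
    # Most urgent findings first.
    return sorted(findings, key=lambda f: SEVERITY[f["verdict"]])


if __name__ == "__main__":
    for f in classify(SCAN):
        print(f"{f['verdict']:<22} {f['bssid']}  {f['ssid']}")
```

Adjacency is a heuristic: an unrelated wired device with a nearby MAC produces a false positive, so an on-wire verdict should be confirmed against the switch port before the AP is suppressed.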

Rogue Access Point Suppression
- De-authentication frames can be sent to render unauthorized APs unusable by clients
  - Clients cannot connect
- The rogue AP’s MAC address is automatically blocked in the firewall policy
- Rogue AP feature activates when at least one radio is dedicated to rogue AP detection

Fast Roaming
- Users moving between APs must authenticate to each
  - Delays can impair wireless voice traffic or time sensitive applications
- Pairwise Master Key (PMK) caching
  - Wireless controller caches a negotiated master key
  - Should the user roam away from that AP and back again, the client will not have to re-authenticate
- Users can also pre-authenticate to the next AP that the client may roam to
  - PMK is derived in advance of the user movement and is cached
- Fast roaming is only available to FortiAP devices connected to the same FortiGate wireless controller
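
An added example, not part of the original slides and not Fortinet code: a model of controller-side PMK caching. The PMKID formula is the IEEE 802.11i definition for the SHA-1 based WPA2 key-management suites; the `PMKCache` class, its lifetime, the MAC addresses and the key are hypothetical and constructed.

```python
# Added example: PMK caching as a controller might apply it on reassociation.
# PMKCache, its lifetime and all sample values are hypothetical/constructed.
import hashlib
import hmac
import time


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmkid(pmk, ap_mac, client_mac):
    """IEEE 802.11i: PMKID = first 128 bits of
    HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class PMKCache:
    """One cached PMK per client, held centrally with an expiry time."""

    def __init__(self, lifetime_s=3600):
        self.lifetime_s = lifetime_s
        self._entries = {}  # client MAC -> (pmk, expiry timestamp)

    def store(self, client_mac, pmk, now=None):
        now = time.time() if now is None else now
        self._entries[client_mac.lower()] = (pmk, now + self.lifetime_s)

    def can_skip_full_auth(self, client_mac, ap_mac, offered_pmkid, now=None):
        """True only if the PMKID offered by the client matches the cached,
        unexpired PMK for this client and this AP."""
        now = time.time() if now is None else now
        key = client_mac.lower()
        entry = self._entries.get(key)
        if entry is None:
            return False                 # never authenticated here
        pmk, expiry = entry
        if now >= expiry:
            del self._entries[key]       # stale key: force full authentication
            return False
        expected = pmkid(pmk, ap_mac, client_mac)
        return hmac.compare_digest(expected, offered_pmkid)


if __name__ == "__main__":
    pmk = bytes(range(32))               # constructed 256-bit PMK
    client, ap1 = "02:00:00:00:00:aa", "00:09:0f:aa:10:01"
    cache = PMKCache(lifetime_s=3600)
    cache.store(client, pmk, now=0)
    offer = pmkid(pmk, ap1, client)      # what the returning client sends
    print("within lifetime:", cache.can_skip_full_auth(client, ap1, offer, now=60))
    print("after expiry:   ", cache.can_skip_full_auth(client, ap1, offer, now=7200))
```

Because the PMKID binds the key to a specific AP and client MAC pair, a PMKID computed for one AP is rejected at another, and an expired entry forces full authentication again.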

