
Wi-Fi
Wi-Fi (short for “Wireless Fidelity”) is the popular term for a high-frequency wireless local area network (WLAN).
– Promoted by the Wi-Fi Alliance (formerly WECA, the Wireless Ethernet Carriers Association)
Used generically when referring to any type of 802.11 network, whether 802.11a, 802.11b, 802.11g, dual-band, etc. The term is promulgated by the Wi-Fi Alliance.
Wi-Fi users can roam from their networks to cellular networks. For example, a user can begin working at an airport on a laptop via a Wi-Fi hotspot, then continue via a cellular network until reaching the office and switching to a traditional LAN.
Business networking no longer happens just in offices. It occurs in coffee shops, airports, hotels, and convention centers. Thus, as Wi-Fi equipped laptops and PDAs become commonplace, the demand for public Wi-Fi access points (also called hotspots) will grow.

Wi-Fi
Wi-Fi standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing. The 802.11b (Wi-Fi) technology operates in the 2.4 GHz range, offering data speeds up to 11 megabits per second.

Wi-Fi Channels
If two access points that use the same RF channel are too close, the overlap in their signals will cause interference, possibly confusing wireless cards in the overlapping area. To avoid this potential scenario, it is important that wireless deployments be carefully designed and coordinated. It is also critical to make sure that deployment does not cause conflicts with other pre-existing wireless implementations.
[Figure: Three channels on a single floor]
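A planning check for the channel-overlap problem described above, as an added example that is not part of the original slides; it goes slightly beyond the slide by also flagging adjacent, partially overlapping channels. The AP names, coordinates and the 20 m coverage radius are constructed assumptions; the centre frequencies (2407 + 5n MHz) and the 22 MHz signal width are those of 2.4 GHz 802.11b.

```python
from itertools import combinations
from math import dist

CHANNEL_WIDTH_MHZ = 22  # width of an 802.11b signal in the 2.4 GHz band


def center_mhz(channel: int) -> int:
    """Centre frequency of 2.4 GHz channel 1..13."""
    if not 1 <= channel <= 13:
        raise ValueError(f"unsupported channel {channel}")
    return 2407 + 5 * channel


def channels_overlap(a: int, b: int) -> bool:
    """True when the two 22 MHz signals share spectrum."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def find_conflicts(aps: dict, radius_m: float) -> list:
    """aps maps name -> (x, y, channel). Two APs conflict when their
    coverage circles intersect (assumed model) and their channels overlap."""
    conflicts = []
    for (n1, (x1, y1, c1)), (n2, (x2, y2, c2)) in combinations(sorted(aps.items()), 2):
        if dist((x1, y1), (x2, y2)) < 2 * radius_m and channels_overlap(c1, c2):
            conflicts.append((n1, n2))
    return conflicts


def assign_channels(positions: dict, radius_m: float, palette=(1, 6, 11)) -> dict:
    """Greedy plan: each AP takes the first palette channel that no
    already-placed AP within range is using."""
    plan = {}
    for name, (x, y) in sorted(positions.items()):
        used = {plan[o][2] for o in plan if dist((x, y), plan[o][:2]) < 2 * radius_m}
        free = [c for c in palette if c not in used]
        if not free:
            raise ValueError(f"no non-overlapping channel left for {name}")
        plan[name] = (x, y, free[0])
    return plan


# Constructed floor layout in metres (not from the slides).
POSITIONS = {"AP1": (0, 0), "AP2": (30, 0), "AP3": (15, 25), "AP4": (45, 25)}
# A plan as it might look with ad hoc channel choices.
BAD_PLAN = {"AP1": (0, 0, 1), "AP2": (30, 0, 3), "AP3": (15, 25, 6), "AP4": (45, 25, 6)}

if __name__ == "__main__":
    print("conflicts in ad hoc plan:", find_conflicts(BAD_PLAN, 20))
    plan = assign_channels(POSITIONS, 20)
    print("three-channel plan:", {n: c for n, (_, _, c) in plan.items()})
    print("conflicts in three-channel plan:", find_conflicts(plan, 20))
```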

Wireless LAN Topology
A wireless LAN is typically deployed as an extension of an existing wired network as shown below.

What is 802.11?
802.11 refers to a family of specifications developed by the IEEE for wireless LAN technology. 802.11 specifies an over-the-air interface between a wireless client and a base station or between two wireless clients. The IEEE accepted the specification in 1997.

Ad Hoc Network
An ad hoc network or an IBSS consists of stations within mutual communication range of each other via the wireless medium. Such a network is created spontaneously, without preplanning, for ad hoc temporary situations with limited needs to access the Internet. If a station moves out of its IBSS, meaning out of range, it can no longer communicate with the other IBSS members.

Infrastructure Network
The infrastructure network or BSS includes an access point (AP) in addition to the stations. This AP acts as the BSS arbitrator, meaning that the AP will handle all the BSS traffic. The AP integrates the BSS within the distribution network. For example, all traffic between the BSS participants and the Internet will be delivered through the AP.

Distribution System
The distribution system provides mobility by connecting access points. When a frame is given to the distribution system, it is delivered to the right access point and relayed by that access point to the intended destination. Most access points currently on the market operate as bridges. They have at least one wireless network interface and at least one Ethernet network interface. The Ethernet side can be connected to an existing network, and the wireless side becomes an extension of that network. Relaying frames between the two network media is controlled by a bridging engine.

Distribution System
The access point has two interfaces connected by a bridging engine. Arrows indicate the potential paths to and from the bridging engine. Each associated station can transmit frames to the access point. Finally, the backbone port on the bridge can interact directly with the backbone network.

Inter-access point protocol
A wireless station is associated with only one access point at a time. If a station is associated with one access point, all the other access points in the ESS need to learn about that station. In the figure, AP4 must know about all the stations associated with AP1. If a wireless station associated with AP4 sends a frame to a station associated with AP1, the bridging engine inside AP4 must send the frame over the backbone Ethernet to AP1 so it can be delivered to its ultimate destination.

Network Boundaries
Because of the nature of the wireless medium, networks have fuzzy boundaries. In fact, some degree of fuzziness is desirable. A station moving from BSS2 to BSS4 is not likely to lose coverage; it also means that AP3 (or, for that matter, AP4) can fail without compromising the network too badly. On the other hand, if AP2 fails, the network is cut into two disjoint parts, and stations in BSS1 lose connectivity when moving out of BSS1 and into BSS3 or BSS4.

Network services

| Service | Station or distribution service? | Description |
| Distribution | Distribution | Service used in frame delivery to determine destination address in infrastructure networks |
| Integration | Distribution | Frame delivery to an IEEE 802 LAN outside the wireless network |
| Association | Distribution | Used to establish the AP which serves as the gateway to a particular mobile station |
| Reassociation | Distribution | Used to change the AP which serves as the gateway to a particular mobile station |
| Disassociation | Distribution | Removes the wireless station from the network |
| Authentication | Station | Establishes identity prior to establishing association |
| Deauthentication | Station | Used to terminate authentication, and by extension, association |
| Privacy | Station | Provides protection against eavesdropping |
| MSDU delivery | Station | Delivers data to the recipient |

Mobility Support
Stations continuously monitor the signal strength and quality from all access points administratively assigned to cover an extended service area. Within an extended service area, 802.11 provides MAC layer mobility. When the laptop moves out of AP1's basic service area and into AP2's at t=2, a BSS transition occurs. The mobile station uses the reassociation service to associate with AP2, which then starts sending frames to the mobile station.

Mobility Support
An ESS transition refers to the movement from one ESS to a second distinct ESS. 802.11 does not support this type of transition, except to allow the station to associate with an access point in the second ESS once it leaves the first. Maintaining higher-level connections requires support from the protocol suites in question. In the case of TCP/IP, Mobile IP is required to seamlessly support an ESS transition.

RF Link Quality
On a wired Ethernet, it is reasonable to transmit a frame and assume that the destination receives it correctly. Radio links are different, especially when the frequencies used are unlicensed ISM bands. In addition to the noise, multipath fading may also lead to situations in which frames cannot be transmitted because a node moves into a dead spot. Unlike many other link layer protocols, 802.11 incorporates positive acknowledgments. All transmitted frames must be acknowledged, as shown in Figure 3-1. If any part of the transfer fails, the frame is considered lost.

The Hidden Node Problem
In the figure, node 2 can communicate with both nodes 1 and 3, but something prevents nodes 1 and 3 from communicating directly. The obstacle itself is not relevant; it could be as simple as nodes 1 and 3 being as far away from 2 as possible, so the radio waves cannot reach the full distance from 1 to 3. From the perspective of node 1, node 3 is a "hidden" node. If a simple transmit-and-pray protocol was used, it would be easy for node 1 and node 3 to transmit simultaneously, thus rendering node 2 unable to make sense of anything. Furthermore, nodes 1 and 3 would not have any indication of the error because the collision was local to node 2.

The Hidden Node Problem
In the figure, node 1 has a frame to send; it initiates the process by sending an RTS frame. If the target station receives an RTS, it responds with a CTS. Once the RTS/CTS exchange is complete, node 1 can transmit its frames without worry of interference from any hidden nodes. The multiframe RTS/CTS transmission procedure consumes a fair amount of capacity, especially because of the additional latency incurred before transmission can commence. The RTS/CTS procedure can be controlled by setting the RTS threshold, if the device driver for your card allows you to adjust it.

Passive Scanning
Passive scanning saves battery power because it does not require transmitting. In the passive scanning procedure, the station sweeps from channel to channel and records information from any Beacons it receives. Beacons are designed to allow a station to find out everything it needs to match parameters with the basic service set (BSS) and begin communications.

Active Scanning
Move to the channel and wait for either an indication of an incoming frame or for the ProbeDelay timer to expire. If the medium was never busy, there is no network. Move to the next channel.
In infrastructure networks, the access points transmit Beacons and thus are also responsible for responding to itinerant stations searching the area with Probe Requests. IBSSs may pass around the responsibility of sending Beacon frames, so the station that transmits Probe Response frames may vary.

Joining
After compiling the scan results, a station can elect to join one of the BSSs. Joining is a precursor to association. Choosing which BSS to join is an implementation-specific decision and may even involve user intervention. Common criteria used in the decision are power level and signal strength.

Open-System Authentication
In open-system authentication, the access point accepts the mobile station at face value without verifying its identity.

Shared-Key Authentication
Shared-key authentication makes use of WEP and therefore can be used only on products that implement WEP.

Preauthentication
Stations can authenticate with several access points during the scanning process so that when association is required, the station is already authenticated. As a result of preauthentication, stations can reassociate with access points immediately upon moving into their coverage area, rather than having to wait for the authentication exchange.

Association
Once a mobile station has authenticated to an access point, it can issue an Association Request frame. When the association request is granted, the access point responds with a status code of 0 (successful) and the Association ID (AID). The AID is a numerical identifier used to logically identify the mobile station to which buffered frames need to be delivered.

Basic Security
MAC filters
– Some APs provide the capability for checking the MAC address of the client before allowing it to connect to the network.
– Using MAC filters is considered to be very weak security because with many Wi-Fi client implementations it is possible to change the MAC address by reconfiguring the card.
– An attacker could sniff a valid MAC address from the wireless network traffic.

Recommended Security Practices
Change the default password for the Admin account
SSID
– Change the default
– Disable Broadcast
– Make it unique
– If possible, change it often
Enable MAC Address Filtering
Enable WEP 128-bit Data Encryption. Please note that this will reduce your network performance.
– Use the highest level of encryption possible
– Use a “Shared” Key
– Use multiple WEP keys
– Change it regularly

WEP – What?
The name WEP (Wired Equivalent Privacy) refers to the intent to provide a privacy service to wireless LAN users similar to that provided by the physical security inherent in a wired LAN. WEP is the privacy protocol specified in IEEE 802.11 to provide wireless LAN users protection against casual eavesdropping.

Overview of WEP Parameters
Before enabling WEP on an 802.11 network, you must first consider what type of encryption you require and the key size you want to use. Typically, there are three WEP Encryption options available for 802.11 products:
– Do Not Use WEP: The network does not encrypt data. For authentication purposes, the network uses Open System Authentication.
– Use WEP for Encryption: A transmitting device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving device decrypts the data using the same WEP Key. For authentication purposes, the wireless network uses Open System Authentication.
– Use WEP for Authentication and Encryption: A transmitting device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving device decrypts the data using the same WEP Key. For authentication purposes, the network uses Shared Key Authentication.
Note: Some access points also support Use WEP for Authentication Only (Shared Key Authentication without data encryption).

IV Key Hashing/Temporal Key
[Figure: WEP Encryption Today. Diagram labels: IV, base key, RC4, stream cipher, XOR, plaintext data, ciphertext data]