1
Wireless Technology
2
Similarities Between WLAN and LAN
- A wireless LAN is an 802 LAN:
  - transmits data using RF carriers vs. data over the wire
  - looks like a wired network to the user
  - defines physical and data link layer
  - uses MAC addresses
- The same protocols/applications run over both WLANs and LANs:
  - IP (network layer)
  - IPsec VPNs (IP-based)
  - Web, FTP, SNMP (applications)

Wireless LANs are 802 LANs. The data in WLANs is sent over radio waves; in wired LANs the data is sent over wires. But the network interface of a WLAN looks the same as a wired LAN to the user. Both WLANs and wired LANs define the physical and data link layers and use MAC addresses. The same protocols and applications can be used over LANs and WLANs. Examples of such protocols are IP and the IP Security (IPsec) protocol for virtual private networks (VPNs). Examples of applications are Web, FTP, and Simple Network Management Protocol (SNMP) management.
3
Current Standards – 802.11a,b,g
Timeline figure (text recovered from the slide graphic): proprietary 900-MHz radio at 860 kbps (1980s); proprietary 2.4-GHz radio at 1 and 2 Mbps (1990s); IEEE begins drafting in 1992; 802.11 ratified in 1997 (1 and 2 Mbps at 2.4 GHz); 802.11a and 802.11b ratified in 1999 (54 Mbps at 5 GHz and 11 Mbps at 2.4 GHz); 802.11g ratified in 2003 (54 Mbps at 2.4 GHz).

- 802.11a: up to 54 Mbps, 5 GHz; not compatible with either b or g
- 802.11b: up to 11 Mbps, 2.4 GHz
- 802.11g: up to 54 Mbps, 2.4 GHz; backwards compatible with b
- 802.11n, the newest protocol, utilizes both 2.4-GHz and 5-GHz bands and is backward compatible with existing a/b/g

The WLAN evolution started in the 1980s using 900-MHz Direct Sequence Spread Spectrum (DSSS) technology. The 900-MHz systems were fairly easy to deploy, because one access point could cover large areas and no licenses were required in the approved countries. However, only a few countries allowed the technology. As time progressed, the need for faster speeds, open standards, and global acceptance forced the manufacturers of WLAN products to engineer new products for the 2.4-GHz band. The move to 2.4 GHz in the 1990s put WLAN products into a "cleaner" radio frequency (RF) environment, making it possible to deploy data collection systems without interference from 900-MHz transmissions. The 2.4-GHz technology was also well received because the throughput grew from 860 kbps to 1 Mbps and 2 Mbps. When frequency and speeds are increased, coverage distances are decreased, but the new data collection opportunities that the faster throughput helped to create justified the extra access points that were needed. However, end users were still concerned about using a proprietary system.

In 1992, the IEEE began drafting the standard to eliminate the issue of proprietary technology and design an open standard for WLANs. In July 1997, the IEEE ratified the 2.4-GHz 802.11 standard, which included DSSS technology at the physical layer. This standard specified 1 Mbps as the standard speed and 2 Mbps as a "turbo" mode. In September 1999, the IEEE ratified the 802.11a standard (54 Mbps at 5 GHz) and the 802.11b standard (11 Mbps at 2.4 GHz). In June 2003, the IEEE ratified the 802.11g standard (54 Mbps at 2.4 GHz). This standard is backward compatible with 802.11b systems, because both standards use the same 2.4-GHz frequency band.
4
Radio Frequency Issues
As signal strength decreases, so will the transmission rate. An 802.11b client's speed may drop from 11 Mbps to 5.5 Mbps, to 2 Mbps, or even 1 Mbps. This can all be associated with a combination of factors including:
- Distance
- Line of sight
- Obstructions
- Reflection
- Multipath reflection
- Refraction (partially blocked by obstruction)
- Diffraction (bending of signal)
- Noise and interference
5
Wireless Access Points
An access point (AP) is a WLAN device that can act as the center point of a stand-alone wireless network. An AP can also be used as the connection point between wireless and wired networks. In large installations, the roaming functionality provided by multiple APs allows wireless users to move freely throughout the facility while maintaining seamless, uninterrupted access to the network. Cisco APs come in several models. The 1100 Series supports IEEE 802.11b. The 1200 Series supports 802.11a and 802.11b in the same unit. It also supports inline power injection, to save on AC wiring costs, and both RJ45 and 10/100 Ethernet connectors.
6
Wireless Bridges
The Cisco Aironet 1300 Series Wireless Bridge is designed to connect two or more networks that are typically located in different buildings. It delivers high data rates and superior throughput for data-intensive, line-of-sight applications. The bridges connect hard-to-wire sites, noncontiguous floors, satellite offices, school or corporate campus settings, temporary networks, and warehouses. They can be configured for point-to-point or point-to-multipoint applications.
7
Wireless Workgroup Bridges
The Cisco Aironet Workgroup Bridge (WGB) connects to the Ethernet port of a device that does not have a WLAN NIC. The Cisco WGB provides a single MAC address connection into an access point and onto the LAN backbone. It cannot be used in a peer-to-peer mode connection and must communicate with an autonomous Cisco Aironet Access Point or Cisco Aironet Bridge in access point mode. The Cisco Aironet WGB does not operate with access points of other vendors.

Another WGB configuration allows multiple wired machines to be attached to the same radio device. This configuration is ideal for connecting remote workgroups to a wired LAN. To use a WGB with multiple MAC addresses, you must connect the WGB to a hub or switch with an Ethernet patch cable. If the WGB is connected directly to an Ethernet client node, you must use an Ethernet crossover cable.
8
Service Set Identifier (SSID)
- SSID is used to logically separate WLANs.
- The SSID must match on client and access point.
- Access point can broadcast SSID in beacon.
- Client can be configured without SSID.

SSID, short for service set identifier, is the name of the wireless cell. It is a 32-character unique identifier attached to the header of packets sent over a WLAN that logically separates WLANs and acts as a password when a mobile device tries to connect to the BSS. The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network.

The access point can broadcast the SSID in the beacons. Beacons are broadcasts that the access points send to announce the available services. If the SSID is broadcast in the beacons, clients can be configured without an SSID (null SSID), detect all access points, and learn the SSID from the beacons of the access point. Knowing the SSID name does not necessarily mean that clients will be able to join the network. It depends on how the network administrator has configured the WLAN, particularly WEP security. SSID broadcasts can be disabled on the access point, but this approach does not work if the client needs to see the SSID in the beacon. SSIDs should not be the only form of security used on a WLAN. SSID is case sensitive.
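The slide's point that the SSID is carried in the clear, and that a beacon reveals whether privacy (encryption) is in use at all, is easiest to see by parsing a beacon body. The following is an added example, not code from the slide deck or from Cisco: it walks the standard beacon body layout (8-byte timestamp, 2-byte beacon interval, 2-byte capability field, then tag/length/value information elements) and reports the SSID, whether the SSID is hidden (null SSID), and which security family the beacon advertises (RSN element for WPA2, the vendor WPA element for WPA, the capability privacy bit alone for WEP, none for open). The beacons it parses are constructed inline by the helper `build_beacon`; nothing is captured from the air. A defender can run the same classification over beacons collected by a scanner to inventory open and WEP-only cells.

```python
"""Beacon body parser: what does an 802.11 beacon reveal? (added example)"""
import struct

SSID_TAG = 0
RSN_TAG = 48                          # 802.11i RSN information element -> WPA2
VENDOR_TAG = 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"    # Microsoft OUI, type 1 = WPA (pre-802.11i) element
PRIVACY_BIT = 0x0010                  # capability field bit 4: frames are encrypted


def parse_ies(body):
    """Split a tag/length/value list into (tag, data) pairs; reject truncated elements."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        ies.append((tag, data))
        i += 2 + length
    return ies


def parse_beacon(body):
    """Return SSID, hidden flag, advertised security family and beacon interval."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    _timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    ssid, hidden, has_rsn, has_wpa = None, False, False, False
    for tag, data in parse_ies(body[12:]):
        if tag == SSID_TAG:
            # A zero-length or all-zero SSID element is a "hidden" (null) SSID.
            if data.strip(b"\x00") == b"":
                ssid, hidden = "", True
            else:
                ssid = data.decode("utf-8", errors="replace")   # sent in plain text
        elif tag == RSN_TAG:
            has_rsn = True
        elif tag == VENDOR_TAG and data.startswith(WPA_OUI_TYPE):
            has_wpa = True
    privacy = bool(capability & PRIVACY_BIT)
    if has_rsn:
        security = "WPA2"
    elif has_wpa:
        security = "WPA"
    elif privacy:
        security = "WEP"          # privacy bit set but no WPA/RSN element
    else:
        security = "Open"
    return {"ssid": ssid, "hidden": hidden, "security": security,
            "beacon_interval": interval}


def build_beacon(ssid, privacy=False, wpa=False, rsn=False):
    """Assemble a beacon body. Used only to construct sample input for this example."""
    cap = 0x0001 | (PRIVACY_BIT if privacy else 0)           # ESS bit (+ privacy)
    body = struct.pack("<QHH", 0, 100, cap)                   # timestamp, interval, capability
    body += bytes([SSID_TAG, len(ssid)]) + ssid
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])            # supported rates 1/2/5.5/11 Mbps
    body += bytes([3, 1, 6])                                  # DS parameter set: channel 6
    if wpa:
        body += bytes([VENDOR_TAG, 4]) + WPA_OUI_TYPE         # WPA element header only
    if rsn:
        body += bytes([RSN_TAG, 2, 0x01, 0x00])               # RSN element, version 1
    return body


# Constructed sample beacons (not real captures).
SAMPLE_BEACONS = {
    "open":   build_beacon(b"cafe-hotspot"),
    "wep":    build_beacon(b"legacy-scanner", privacy=True),
    "wpa2":   build_beacon(b"corp", privacy=True, rsn=True),
    "hidden": build_beacon(b"", privacy=True, rsn=True),
}

if __name__ == "__main__":
    for name, body in SAMPLE_BEACONS.items():
        print(name, parse_beacon(body))
```

Note that a hidden SSID only removes the name from the beacon; probe responses and association frames still carry it, which is why the slide says SSIDs should not be the only form of security.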
9
Basic Topologies
(Figure labels: Basic Infrastructure Topology (BSS); Peer-to-Peer (Ad Hoc) Topology (IBSS); Extended Infrastructure Topology (ESS))

Peer-to-Peer (Ad Hoc) Topology (IBSS) – A wireless service set can consist of nothing more than two or more PCs, each with a wireless network card. This configuration, which does not include an AP, is called an Independent BSS (IBSS). Operating systems such as Windows 98 or Windows XP have made this type of peer-to-peer network very easy to set up. This topology can be used for a small office or home office, to allow a laptop to be connected to the main PC, or for several individuals to simply share files. However, coverage limitations are a drawback in this type of network, since everyone must be able to hear everyone else.

Basic Infrastructure Topology (BSS) – The basic service set (BSS) is the building block of an 802.11 LAN. The slide shows a BSS with three stations that are members of the BSS, in addition to the AP. The BSS covers a single cell, as indicated by the circle. When a device moves out of its BSS, it can no longer communicate with other members of the BSS. A BSS uses infrastructure mode, a mode that needs an access point (AP). All stations communicate through the AP; the stations do not communicate directly. A BSS has one service set ID (SSID).

Extended Infrastructure Topology (ESS) – An extended service set (ESS) is defined as two or more BSSs that are connected by a common distribution system, as illustrated above. This allows the creation of a wireless network of arbitrary size and complexity. As with a BSS, all packets in an ESS must go through one of the APs.
10
WiFi (802.11) Media Access Control
WiFi is often referred to as wireless Ethernet, as it is a development of the Ethernet standard. Within a WiFi network, all devices are connected using the same RF frequency to a common Access Point (AP). All communication between the PCs is via the AP. As all the devices in the network share the same frequency, they cannot all transmit at the same time, as their signals would interfere. Therefore, WiFi networks operate in half-duplex, using an access method similar to Ethernet's, called CSMA/CA.

Wireless networks need to use an access control method. Wireless systems are half-duplex and do not listen while they are transmitting. All hosts pass information to each other via the AP; however, they must be able to receive each other's signals in order to carry out carrier sense.
11
Local area networks (LAN)
(Figure labels: 802.11b/g Channels; 802.11a Channels)

If a single cell does not provide enough coverage, any number of cells can be added to extend the range. It is recommended that adjacent BSS cells have a 10 to 15 percent overlap, as shown above. This allows remote users to roam without losing RF connectivity. Bordering cells should be set to different non-overlapping channels, or frequencies, for best performance. Adding an AP is also a way to add wireless devices and extend the range of an existing wired system.
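The rule that bordering cells should sit on non-overlapping channels can be checked mechanically. The block below is an added example, not from the slide deck or from any Cisco tool: it uses the standard 2.4-GHz channel plan (channel 1 centred at 2412 MHz, 5-MHz steps up to channel 13, channel 14 at 2484 MHz) and a 22-MHz 802.11b/g channel width, derives the familiar non-overlapping set {1, 6, 11}, flags bordering cells whose channels overlap, and assigns channels to a small constructed floor plan by greedy colouring. The cell names and adjacency pairs are constructed sample data.

```python
"""2.4-GHz channel overlap check and simple channel plan (added example)."""

CHANNEL_WIDTH_MHZ = 22          # 802.11b/g DSSS/OFDM occupied width used for the check


def center_frequency(channel):
    """Centre frequency in MHz of a 2.4-GHz 802.11 channel."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError("not a 2.4-GHz channel: %r" % (channel,))


def channels_overlap(a, b):
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(center_frequency(a) - center_frequency(b)) < CHANNEL_WIDTH_MHZ


def nonoverlapping_set(channels=range(1, 14)):
    """Greedily pick the lowest channels that do not overlap each other."""
    chosen = []
    for ch in channels:
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def check_plan(cells, neighbours):
    """cells: {cell: channel}; neighbours: (cell, cell) pairs of bordering cells.
    Returns (cell, cell, channel, channel) for every bordering pair that overlaps."""
    conflicts = []
    for x, y in neighbours:
        if channels_overlap(cells[x], cells[y]):
            conflicts.append((x, y, cells[x], cells[y]))
    return conflicts


def assign_channels(neighbours, allowed=(1, 6, 11)):
    """Greedy graph colouring: give each cell an allowed channel unused by its neighbours."""
    graph = {}
    for x, y in neighbours:
        graph.setdefault(x, set()).add(y)
        graph.setdefault(y, set()).add(x)
    plan = {}
    for cell in sorted(graph):
        used = {plan[n] for n in graph[cell] if n in plan}
        free = [ch for ch in allowed if ch not in used]
        if not free:
            raise ValueError("cell %s borders cells on every allowed channel" % cell)
        plan[cell] = free[0]
    return plan


# Constructed sample floor plan: cells A..D and which ones border each other.
SAMPLE_NEIGHBOURS = [("A", "B"), ("B", "C"), ("A", "C"), ("C", "D")]

if __name__ == "__main__":
    print("non-overlapping 2.4-GHz channels:", nonoverlapping_set())
    plan = assign_channels(SAMPLE_NEIGHBOURS)
    print("plan:", plan, "conflicts:", check_plan(plan, SAMPLE_NEIGHBOURS))
    print("bad plan conflicts:", check_plan({"A": 1, "B": 6, "C": 6},
                                            [("A", "B"), ("B", "C")]))
```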
12
Wireless repeater
(Figure labels: 50% overlap; not covered by 802.11 standards)

In an environment where extended coverage is needed, but access to the backbone is not practical or available, a wireless repeater can be used. A wireless repeater is simply an access point that is not connected to the wired backbone. This setup requires a 50% overlap of the AP on the backbone and the wireless repeater, so that they can reach each other. The user can set up a chain of several repeater access points. However, the throughput for client devices at the end of the repeater chain will be quite low, because each repeater must receive and then re-transmit each frame on the same channel. For each repeater added to the chain, throughput is cut in half. It is recommended that not more than two hops be used.

When configuring repeater access points, use the following guidelines:
- Use repeaters to serve client devices that do not require high throughput. Repeaters extend the coverage area of the WLAN, but they drastically reduce throughput.
- Use repeaters when the client devices that associate with the repeaters are Cisco Aironet clients. Non-Cisco client devices sometimes have trouble communicating with repeater access points.
- Use omnidirectional antennas, like the ones that ship with the access point, for repeater access points.

Generally, within buildings the availability of Ethernet connections is fairly pervasive. Repeaters can be used to extend APs from the building edge to the surrounding outdoor portions of the building, for temporary use. For example, a grocery store could use repeater-mode APs to extend coverage into the parking lot during spring sales. The client association is assigned to the wired/root AP and not to the AP acting as a repeater.
13
Cisco WLAN Implementation
Cisco offers 2 "flavors" of wireless solutions:
- Distributed WLAN solution: autonomous AP; Wireless LAN Solution Engine (WLSE)
- Centralized WLAN solution: lightweight AP; Wireless LAN Controller (WLC)

Cisco offers two WLAN implementations. The distributed WLAN solution is based on autonomous access points and uses the Wireless LAN Solution Engine (WLSE) for management. The distributed model was the original WLAN implementation offered by Cisco under the product name Aironet. The Academy course, Fundamentals of Wireless LANs, covers the distributed model. While this model is still fully supported by Cisco, the trend is for customers to migrate to the centralized WLAN solution. The centralized WLAN solution is based on lightweight access points and wireless LAN controllers. Cisco began offering the centralized solution after the acquisition of Airespace. The primary difference between the distributed and centralized solutions can be seen in the division of labor between the access point and the controller.
14
Comparison of the WLAN Solutions
Autonomous WLAN:
- Autonomous access point
- Configuration of each access point
- Independent operation
- Management via CiscoWorks WLSE and WDS
- Access point redundancy

Lightweight WLAN:
- Lightweight access point
- Configuration via Cisco Wireless LAN Controller
- Dependent on Cisco Wireless LAN Controller
- Management via Cisco Wireless LAN Controller
- Cisco Wireless LAN Controller redundancy

Autonomous WLAN: Autonomous access points are configured per access point. Their Cisco IOS software operates independently. CiscoWorks WLSE performs centralized configuration, monitoring, and management. WDS facilitates radio monitoring and management communication between the autonomous access points and CiscoWorks WLSE. WDS is a feature that is enabled in any access point that forwards aggregated RF information from a grouping of access points to CiscoWorks WLSE.

Lightweight WLAN: You configure lightweight access points by using the Cisco Wireless LAN Controller. The access points usually depend on the controller for control and data transmission. Only in Remote-Edge Access Point (REAP) mode does a lightweight access point not depend on the Cisco Wireless LAN Controller for data transmission. The controller implements monitoring and security. Centralized configuration, monitoring, and management can be performed through Cisco WCS. Cisco Wireless LAN Controllers can be installed with redundancy within wireless LAN controller groups.
15
Why Lightweight APs?
A WLAN controller system is used to create and enforce policies across many different lightweight access points. With centralized intelligence, functions essential to WLAN operations, such as security, mobility, and quality of service (QoS), can be efficiently managed across an entire wireless enterprise. Splitting functions between the access point and the controller simplifies management, improves performance, and increases security of large WLANs.

Traditional WLAN solutions distribute all traffic handling, RF control, security, and mobility functions to the access point itself. However, this architecture limits visibility of traffic to an individual access point only. This means:
- Individual access points, when used without a management device, must be managed individually, which can increase operations costs and staffing requirements.
- Networkwide attacks and interference are not visible across a system
  - Single point of enforcement for security policies across Layer 1, Layer 2, and Layer 3
  - Unable to detect and mitigate denial of service (DoS) attacks across an entire WLAN
- A system cannot correlate or predict activity across an enterprise
  - Limits the ability to enable optimized, real-time load balancing
  - Clients cannot perform fast handoffs, which are required to support real-time applications such as voice and video
- There is an inherent security risk if an access point is stolen or compromised
16
Cisco Centralized WLAN Model
- The control traffic between the access point and the controller is encapsulated by the Lightweight Access Point Protocol (LWAPP) and encrypted via the Advanced Encryption Standard (AES).
- The data traffic between the access point and controller is also encapsulated with LWAPP, but not encrypted.

The centralized WLAN architecture divides processing of the 802.11 protocol between two devices, the AP and a centralized Cisco WLAN controller (WLC). The controller is a required component and is used to control access points in the WLAN. This architecture uses a new protocol, LWAPP, for communication between the AP and the controller. The AP handles the portions of the protocol that have real-time requirements, including:
- the frame exchange handshake between a client and AP when transferring a frame over the air
- the transmission of Beacon frames
- the buffering and transmission of frames for clients in power save operation
- the response to Probe Request frames from clients
- forwarding notification of received Probe Requests to the controller
- providing real-time signal quality information to the controller with every received frame
- monitoring each of the radio channels for noise, interference, and other WLANs
- monitoring for the presence of other APs

All remaining functionality is handled in the controller, where time-sensitivity is not a concern and controller-wide visibility is required. Some of the MAC-layer functions provided in the WLAN controller include:
- authentication
- association and reassociation (mobility)
- frame translation and bridging
17
Wireless Mesh Networking
Each access point runs the Cisco Adaptive Wireless Path protocol (AWP). AWP allows access points to communicate with each other to determine the best path back to the wired network. After the optimal path is established, AWP continues to run in the background to establish alternative routes back to the roof-top access point (RAP) if the topology changes or conditions cause the link strength to diminish. Mesh networks require lightweight APs and wireless LAN controllers. A mesh networking infrastructure is decentralized and inexpensive because each node needs to transmit only as far as the next node. Nodes act as repeaters to transmit data from nearby nodes to peers that are too far away to reach. This approach results in a network that can span a large distance, especially over rough or difficult terrain. Mesh networks are also extremely reliable because each node is connected to several other nodes. If one node drops out of the network because of hardware failure or any other reason, its neighbors simply find another route. Extra capacity can be installed by simply adding more nodes. Mesh networks allow many possible paths from a given node to other nodes. Paths through the mesh network can change in response to traffic loads, radio conditions, or traffic prioritization. Wireless mesh networks differ from other wireless networks in that only a subset of the nodes needs to be connected to the wired network. The network can cover more distance by using nodes that are not connected to the wired network. Unlicensed bandwidth and wireless routing allow microcells to interconnect over wireless backhaul links.
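The mesh behaviour described above (every node keeps a best path back to the root AP and falls over to an alternative when a link degrades or disappears) can be illustrated with a plain shortest-path search. The block below is an added example; it is not Cisco's AWP and not code from the slide deck. It stands in a generic Dijkstra search for AWP's path metric, over a constructed set of mesh links whose costs are made up for the example (a lower cost standing for a better link), and shows the recomputed route after a backhaul link to the RAP is lost.

```python
"""Best path to the root AP in a wireless mesh, with failover (added example)."""
import heapq

# Constructed sample mesh: (node, node, link cost); lower cost = better link.
MESH_LINKS = [
    ("rap", "map1", 1), ("rap", "map2", 2), ("map1", "map3", 1),
    ("map2", "map3", 1), ("map3", "map4", 2), ("map2", "map4", 5),
]


def build_graph(links):
    """Undirected adjacency map {node: {neighbour: cost}}."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def best_path(graph, src, dst="rap"):
    """Dijkstra search; returns (path list, total cost) or (None, None) if unreachable."""
    dist, prev, seen = {src: 0}, {}, set()
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in seen:
            continue
        seen.add(u)
        if u == dst:
            break
        for v, cost in graph.get(u, {}).items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None, None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return list(reversed(path)), dist[dst]


def without_link(links, a, b):
    """The link list with the a<->b link removed (models a failed backhaul link)."""
    return [l for l in links if {l[0], l[1]} != {a, b}]


def route_to_rap(links, node):
    return best_path(build_graph(links), node)


if __name__ == "__main__":
    print("normal:", route_to_rap(MESH_LINKS, "map4"))
    print("rap-map1 down:", route_to_rap(without_link(MESH_LINKS, "rap", "map1"), "map4"))
    isolated = without_link(without_link(MESH_LINKS, "rap", "map1"), "rap", "map2")
    print("both RAP links down:", route_to_rap(isolated, "map4"))
```

The third case is the one worth monitoring for: when every link to the RAP is gone, the subtree is still a connected mesh but has no path to the wired network, so the function returns no route rather than a stale one.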
18
Wireless LAN Security Threats
Threats to WLAN security include the following:
- War drivers trying to find open access points for free Internet access
- Hackers trying to exploit weak encryption to access sensitive data via the WLAN
- Employees installing access points for home use without the necessary security configuration on the enterprise network
19
Wireless Security Protocols
Today, the standard that should be followed in most enterprise networks is the 802.11i standard. This is similar to the Wi-Fi Alliance WPA2 standard. For enterprises, WPA2 includes a connection to a Remote Authentication Dial In User Service (RADIUS) database. The flaws with WEP shared key encryption were two-fold. First, the algorithm used to encrypt the data was crackable. Second, scalability was a problem. The 32-bit WEP keys were manually managed, so users entered them by hand, often incorrectly, creating calls to technical support desks. Following the weakness of WEP-based security, there was a period of interim security measures. Vendors such as Cisco, wanting to meet the demand for better security, developed their own systems while simultaneously helping to evolve the 802.11i standard. On the way to 802.11i, the TKIP encryption algorithm was created, which was linked to the Wi-Fi Alliance Wi-Fi Protected Access (WPA) security method.
20
Layer-2 LWAPP Architecture
As more products emerge that use lightweight access points with centralized WLAN intelligence, there is a need for an industry standard that governs how these devices communicate with one another. LWAPP is a draft being considered for standardization within the IETF working group to address this issue. Authored initially by Airespace (acquired by Cisco Systems in March 2005) and NTT DoCoMo, LWAPP standardizes the communications protocol between access points and WLAN systems (controllers, switches, routers, etc.). LWAPP can operate at Layer 2 or Layer 3. When deployed in a Layer 2 architecture, Layer 2 LWAPP is in an Ethernet frame. The WLAN controller and the access point must be in the same broadcast domain and IP subnet, but the APs do not require IP addresses.
- Access points don't require IP addressing
- Controllers need to be on EVERY subnet on which APs reside
- L2 LWAPP was the first step in the evolution of the architecture; many current products do not support this functionality
21
Layer-3 LWAPP Architecture
Layer 3 LWAPP is in a UDP/IP frame. The WLAN controller and access point can be in the same or different broadcast domains and IP subnets. The access point must have an IP address.
- Access points require IP addressing
- APs can communicate with the WLC across routed boundaries
- L3 LWAPP is more flexible than L2 LWAPP, and all products support this LWAPP operational "flavor"
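The two placement rules from the Layer-2 and Layer-3 LWAPP slides (L2: a controller must be on the AP's own subnet, and the AP needs no IP address; L3: the AP needs an IP address and can reach a controller across routed boundaries) can be applied to an inventory before a rollout. The following is an added example, not code from the slide deck or from any Cisco product: it takes a constructed list of controllers and access points, reports which transport each AP could use, and lists the subnets an L2-only design would leave without a controller. It assumes IP routing exists between all subnets, so an AP with an address is treated as able to reach every controller at Layer 3.

```python
"""LWAPP transport audit: L2 or L3 for each AP? (added example)"""
import ipaddress

# Constructed sample inventory; addresses are not a real deployment.
CONTROLLERS = {"wlc1": "10.1.10.5", "wlc2": "10.1.20.5"}
ACCESS_POINTS = [
    {"name": "ap-lobby", "subnet": "10.1.10.0/24", "ip": None},         # shares wlc1's subnet
    {"name": "ap-annex", "subnet": "10.1.30.0/24", "ip": "10.1.30.7"},  # routed, has an address
    {"name": "ap-dock",  "subnet": "10.1.30.0/24", "ip": None},         # routed, no address
]


def controllers_on_subnet(subnet, controllers=CONTROLLERS):
    """Controllers whose address lies in the AP's subnet (the L2 LWAPP requirement)."""
    net = ipaddress.ip_network(subnet, strict=False)
    return sorted(name for name, addr in controllers.items()
                  if ipaddress.ip_address(addr) in net)


def lwapp_modes(ap, controllers=CONTROLLERS):
    """Transports this AP could use, with the controllers reachable over each."""
    modes = {}
    local = controllers_on_subnet(ap["subnet"], controllers)
    if local:
        modes["L2"] = local                   # same broadcast domain, no AP address needed
    if ap.get("ip"):
        # Assumption for this example: routing exists between all subnets.
        modes["L3"] = sorted(controllers)
    return modes


def audit(aps=ACCESS_POINTS, controllers=CONTROLLERS):
    """Per-AP report; an AP with no usable transport is flagged as unreachable."""
    report = {}
    for ap in aps:
        modes = lwapp_modes(ap, controllers)
        if not modes:
            modes = {"unreachable": "no controller on %s and AP has no IP address"
                     % ap["subnet"]}
        report[ap["name"]] = modes
    return report


def l2_subnets_missing_controller(aps=ACCESS_POINTS, controllers=CONTROLLERS):
    """Subnets that an L2-only design would have to add a controller to."""
    return {ap["subnet"] for ap in aps
            if not controllers_on_subnet(ap["subnet"], controllers)}


if __name__ == "__main__":
    for name, modes in audit().items():
        print(name, modes)
    print("L2-only design needs controllers on:", l2_subnets_missing_controller())
```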
22
Evolution of Wireless LAN Security
Evolution table (recovered from the slide graphic):

Initial (1997) – Encryption (WEP)
- No strong authentication
- Static, breakable keys
- Not scalable

Interim (2001) – 802.1x EAP
- Dynamic keys
- Improved encryption
- User authentication: 802.1x EAP (LEAP, PEAP), RADIUS

Interim (2003) – Wi-Fi Protected Access (WPA)
- Standardized
- Improved encryption
- Strong user authentication (e.g., LEAP, PEAP, EAP-FAST)

Present – IEEE 802.11i / WPA2 (2004)
- Wireless IDS: identification and protection against attacks, DoS
- AES strong encryption
- Authentication
- Dynamic key management

Initially, IEEE 802.11 security relied on static keys for both encryption and authentication. The authentication method was not strong, and the keys were eventually compromised. Because the keys were administered statically, this method of security was not scalable to large enterprise environments. Cisco introduced enhancements that allowed for the use of IEEE 802.1x Extensible Authentication Protocol (EAP) authentication and dynamic keys. Cisco also introduced methods to overcome the exploitation of the encryption keys with key hashing (per-packet keying [PPK]) and message integrity checks (MIC). These methods are today known as Cisco Key Integrity Protocol (CKIP) and Cisco Message Integrity Check (CMIC).

The IEEE 802.11 committee began the process of upgrading the security of the WLAN. The Wi-Fi Alliance introduced WPA as an interim solution. This standard was a subset of the expected 802.11i security standard for WLANs that use 802.1x authentication and improved encryption. WPA consists of user authentication, MIC, Temporal Key Integrity Protocol (TKIP), and dynamic keys. It is similar to the Cisco enhancements but implemented differently. WPA also includes a passphrase or preshared key user authentication for home users, which is not recommended for enterprise security. Today IEEE 802.11i has been ratified, and the Advanced Encryption Standard (AES) has replaced WEP as the latest and most secure method of encrypting data. Wireless intrusion detection systems are available to identify and protect the WLAN from attacks. The Wi-Fi Alliance certifies 802.11i devices under WPA2.
23
WPA and WPA2 Authentication
User authentication is done via the 802.1x protocol. A supplicant for 802.1x or EAP is needed on the WLAN client. The access point is the authenticator, which communicates via RADIUS with the authentication, authorization, and accounting (AAA) server such as Cisco Secure ACS. Lightweight access points communicate with the WLAN controller, which acts as the authenticator. The client and the authentication server implement different versions of EAP. The EAP messages pass through the access point as the authenticator.
24
WPA and WPA2 Encryption
After authentication of the WLAN client, the data is sent encrypted. The basic encryption algorithm RC4 was originally used in WEP. TKIP made the RC4 encryption more secure through an increased initialization vector size and per-packet key mixing, while maintaining hardware compatibility. AES replaces RC4 with a more cryptographically robust algorithm. WPA uses TKIP, while WPA2 uses AES or TKIP.
25
Wi-Fi Protected Access
What are WPA and WPA2?
- Authentication and encryption standards for Wi-Fi clients and APs
- 802.1x authentication
- WPA uses TKIP encryption
- WPA2 uses AES block cipher encryption

Which should I use?
- Gold, for supporting NICs/OSs
- Silver, if you have legacy clients
- Lead, if you absolutely have no other choice

Tier   | Standard        | Authentication   | Encryption
Gold   | WPA2/802.11i    | EAP-FAST         | AES
Silver | WPA             | EAP-FAST         | TKIP
Lead   | Dynamic WEP     | EAP-FAST/LEAP    | VLANs + ACLs
26
WLAN Security Summary
(Figure, recovered from the slide graphic: Open Access – no encryption, basic authentication; Basic Security – 40-bit or 128-bit static WEP encryption, WPA; Enhanced Security – 802.1x, TKIP encryption, mutual authentication, scalable key mgmt., etc.; Remote Access – Virtual Private Network (VPN). Use cases shown: public "hotspots", home use, enterprise, business traveler, telecommuter.)

Security of wireless LANs has received a lot of bad press. However, wireless LANs can be as secure as wired infrastructure if set up correctly. Prior to deploying, an education institution needs to conduct a risk assessment of its environment and decide how much security it needs. Note that 70% of businesses do not turn on the basic security available on all WLAN products.

Open Access – this may be the most appropriate option where open access is required (i.e. "hotspots"). 802.11b configurable features. Security options: SSID (not a security handle, sent in the clear); public/private WLAN segregation. Drawbacks: "promiscuous mode" drivers; null association.

Basic Security – 802.11b configurable features (i.e. home users). Security options: SSID; WEP encryption (H/W or S/W); public/private WLAN segregation. Drawbacks: static keys create security and management issues; easily hacked.

Enhanced Security – enhanced features. Security options: 802.1x authentication framework (TGi baseline); mutual authentication; dynamic, per-user, per-session WEP key; automatic, frequent re-authentication. Advantages: multi-tiered security approach.

Maximum Security – special applications requiring maximum security. Security options: tunneling; encryption; packet integrity; user and device authentication; policy management.