
1 Wireless

2 Module Objectives
By the end of this module participants will be able to:
- Explain the differences between thick and thin access points
- List the wireless controller discovery methods available on the FortiGate unit
- Understand the concepts of virtual access points and access point profiles
- Configure WLAN interfaces on the wireless controller or a FortiWiFi unit
- Explain how Rogue Access Point detection can be used to prevent users from logging into unknown access points

3 Wireless
- Increase in wireless devices on the network: laptops, smartphones, mobile WiFi devices, tablets, cameras, wireless VoIP devices, scanners…
- Increased productivity through uninterrupted access to applications and resources
- Users roam throughout the network, moving from one access point to another
- Reduced cost of wiring facilities

4 Increased Need for Security
- Wireless is a shared medium
  - Subject to malicious attacks
  - One user's high usage of application traffic can reduce the bandwidth available to others
- Access to the network is not contained: it could be accessed by someone close by
- High compliance requirements depending on jurisdiction

5 Wireless Concepts
- Bands and channels: IEEE 802.11a, b, g, n
- Encryption modes: WEP64, WEP128, WPA, WPA2
- Control and Provisioning of Wireless Access Points (CAPWAP): enables a controller to manage a collection of wireless access points over UDP

6 Thick Access Points
- The access point into the wireless network is a standalone device
  - Responsible for authentication, encryption and access control policies (all-in-one device)
  - Each device requires independent management or a centralized management application
- Ideal for smaller service areas where only one or two access points are required (small offices, retail stores…)
- FortiWiFi appliances provide Thick AP capabilities: wireless radio and FortiOS on a single device

7 FortiWiFi
Capability comparison of FortiWiFi 30B, 50B, 60C and 80C/81CM (Standard / Capability rows):
- Thick AP
- Thin AP (option)
- Number of Wi-Fi radios: 1 on each model
- 802.11a
- 802.11b/g
- 802.11n
- High Throughput 40 MHz option
- WME/WMM Multimedia Extensions
- Max wireless speed: 54 Mbps or 300 Mbps, depending on model
- Simultaneous SSIDs: 7 on each model
- Background rogue AP detection
- PoE power option
- Serve as wireless controller for FortiAP

8 Thin Access Points
- Thin APs delegate tasks to a centralized wireless controller
  - Authentication, security processing, channel assignment, transmitter power level, rogue AP detection
  - Few complex tasks are performed locally
- The controller is the centralized decision point
  - Automates configuration and operation of the access points
- The FortiAP device functions as a Thin AP, tunneling all traffic to the controller on a FortiGate device
  - The FortiGate unit provides all security and management functionality

9 FortiAP
Capability comparison of FortiAP 210B, 220B and 222B (Standard / Capability rows):
- Thick AP
- Thin AP
- Number of WiFi radios: 210B 1; 220B 2; 222B 2
- 802.11a
- 802.11b/g
- 802.11n
- High Throughput 40 MHz option
- WME/WMM Multimedia Extensions
- Max wireless speed: 210B 300 Mbps; 220B and 222B 600 Mbps
- Simultaneous SSIDs: 210B 8 (1 can be used for monitoring); 220B 16 (2 can be used for monitoring); 222B 16 (2 can be used for monitoring)
- Rogue AP detection: 210B background; 220B background/dedicated; 222B background/dedicated
- PoE power option
- Location: indoor; indoor/outdoor

10 FortiAP (product images: FortiAP-210B, FortiAP-220B, FortiAP-222B)

11 FortiGate Wireless Controllers
- All current FortiGate units (supported by FortiOS 4.0 MR3) can act as wireless controllers for FortiAP devices
- The FortiAP device passes client traffic directly to the FortiGate unit over a CAPWAP tunnel
  - Traffic undergoes threat removal and policy examination before it is allowed back on the LAN
- Wired and wireless traffic are managed from a single management console
- FortiGate units with Power over Ethernet (PoE) interfaces (200B-POE) can power the connected FortiAP devices

12 Managed AP Topologies
- Direct connection
  - The FortiAP unit is connected directly to the FortiGate unit
  - The number of APs matches the number of internal ports on the FortiGate unit
- Switched connection
  - The FortiAP unit is connected to the wireless controller on the FortiGate by an Ethernet switch
  - There must be a routable path between the FortiAP device and the FortiGate unit
- Connection over WAN
  - The FortiGate wireless controller is off-premises and connected by a VPN tunnel to a local FortiGate device

13 Controller Discovery
FortiAP and FortiWiFi devices configured as an AP must locate a controller.
- Broadcast request
  - The AP unit broadcasts a discovery request and the controller replies
  - The controller and AP must be in the same broadcast domain
- Multicast request
  - The AP unit sends a multicast request and the controller replies with a unicast discover response
  - The controller and AP do not need to be in the same broadcast domain if multicast routing is properly configured
  - The default multicast destination IP address is 224.0.1.140

14 Controller Discovery
- Static IP address
  - The administrator specifies the controller's static IP address on the FortiAP unit
  - The FortiAP sends a unicast discover request message to the controller
  - Routing must be configured in both directions
- DHCP
  - When using DHCP to assign an IP address to the FortiAP unit, identify the IP address of the controller at the same time
  - Useful when the AP is located remotely from the wireless controller
  - The IP address of the controller must be converted into hexadecimal
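The DHCP discovery method above requires the controller address as a hexadecimal option value. This added example (not Fortinet code) encodes one or more controller IPv4 addresses into that hex form and decodes it back with length validation; it assumes the deployment carries the value in DHCP option 138, the CAPWAP Access Controller option defined in RFC 5417, and the sample addresses are constructed.

```python
import ipaddress

# Assumption: the DHCP server hands the controller list to the AP in option 138
# (RFC 5417, CAPWAP AC IPv4 address list). The value is simply the 4-byte
# addresses concatenated, so a single controller is 8 hex digits.
CAPWAP_AC_OPTION = 138


def controllers_to_hex(addresses):
    """Return the option value for the given controllers as an upper-case hex string."""
    if not addresses:
        raise ValueError("at least one controller address is required")
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    return packed.hex().upper()


def hex_to_controllers(hex_value):
    """Decode an option value back into dotted-quad addresses.

    A value that is empty or not a whole number of 4-byte addresses is rejected,
    which catches the common mistake of dropping a leading zero from an octet.
    """
    raw = bytes.fromhex(hex_value)
    if not raw or len(raw) % 4:
        raise ValueError("option value must be a non-empty multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


if __name__ == "__main__":
    # Constructed sample: a primary and a backup controller in private address space.
    value = controllers_to_hex(["192.168.10.1", "10.0.0.5"])
    print(f"DHCP option {CAPWAP_AC_OPTION} value: {value}")  # C0A80A010A000005
    print("decodes to:", hex_to_controllers(value))
```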

15 Wireless Coverage
- The typical wireless coverage area per access point is about 100 meters indoors, or 30 meters outdoors
- Bandwidth is shared amongst all users of the wireless data stream
- Select channels appropriate for the client devices
- When placing access points, consider that physical barriers can impede the radio signal
- Ensure the access point is located in a prominent location within a room for maximum coverage

16 Wireless Controller Configuration (diagram: Virtual Access Point 1 and Virtual Access Point 2 carry the security settings; Access Point profile 1 carries the radio settings; both are applied to the physical Access Point units)

17 Virtual Access Points
- A Virtual Access Point defines the security settings that can be applied to one or more physical Access Points
- Each virtual AP creates its own virtual network interface on the FortiGate unit
  - Define DHCP services, firewall policies and other settings for the wireless LAN
- Provides different levels of service to different groups of users

18 Service Set Identifier (SSID)
- Users who want to use a wireless network must configure their computers with the Service Set Identifier (SSID) or network name
- Broadcasting the SSID makes the connection easier, since the client is presented with a list of networks being received
  - Desirable for a public network
- The presence of the wireless network can be obscured by not broadcasting the SSID
  - The network is still detectable
- Enter the SSID used to identify the wireless network when defining the virtual Access Point

19 Guest Networks
- Use virtual access points to separate guest and employee wireless networks
  - Allows separate SSIDs, authentication options and QoS priorities
  - Guest traffic does not interfere with higher priority employee traffic

20 Security Mode
- Wired Equivalent Privacy (WEP)
  - Uses an encryption key between the wireless device and the access point
  - WEP64 uses a key of ten hexadecimal digits; WEP128 keys are 26 digits long
  - Relatively easy to break
- Wi-Fi Protected Access (WPA)
  - Provides two methods of authentication: RADIUS authentication (WPA-Enterprise) and pre-shared keys (WPA-Personal)
  - Temporal Key Integrity Protocol (TKIP)
  - Advanced Encryption Standard (AES)
  - WPA2 provides additional security improvements

21 Wireless Authentication
- Authentication methods apply to wireless networks the same way they do for wired networks
- Users can also be authenticated against a local user group on the FortiGate device
- External authentication servers (RADIUS, LDAP, TACACS+, Windows Active Directory) are also available
- For each wireless LAN, create a user group and add the users who can access the WLAN
- Select a security mode for each SSID
- Guest Captive Portal option available
  - Uses a web authentication form
  - All traffic is blocked until the user opens a browser window

22 Access Point Profile
- The AP profile configures radio settings and selects the virtual AP to which the settings apply
  - Separate settings for each radio on the FortiAP device
  - The available channels are displayed when the band is selected
- Distributed Automatic Radio Resource Provisioning (DARRP) allows each FortiAP unit to automatically select the optimum Wi-Fi channel
  - Channel selection is evaluated every five minutes; clients are automatically signaled to migrate to the new channel
  - Reduces load on the controller
  - Reduces chatter between the Access Points

23 Distributed Automatic Radio Resource Provisioning
- Distributed Automatic Radio Resource Provisioning (DARRP) allows each FortiAP unit to select an optimum WiFi channel
  - Units do not interfere with each other
  - Reduces load on the FortiGate wireless controller
  - Reduces chatter between APs
- The selected channel is re-evaluated every 5 minutes
  - Clients are automatically signaled to migrate to a new channel

24 Configuring the WLAN Interface on a Wireless Controller
- When a virtual AP is created, a virtual network interface with the same name is also created
- Configure the network interface on the wireless controller:
  - Addressing mode
  - DNS
  - Administrative access

25 Configuring the WLAN Interface on a Standalone FortiWiFi Unit
- A standalone FortiWiFi unit contains and controls its own access points
  - No need for virtual APs and AP profiles
- The wireless network interface configuration contains a single set of radio and security settings

26 MAC Filtering
- Permit or exclude a list of clients based on the MAC address of their computer
- Should be used in conjunction with other security measures
  - Unauthorized users could capture MAC addresses from network traffic and use them to impersonate legitimate users
- Configured on a per-virtual AP interface basis

27 Rogue Access Point Detection
- FortiAP devices can scan for unknown access points
  - Rogue APs can create a leakage point where a malicious user can steal confidential, regulated or proprietary data
  - Scanning for rogue APs can be mandated by industry policies
- Scans can be dedicated or background
  - A second radio on the FortiAP device can be used for dedicated monitoring
- On-wire detection uses various correlation techniques to determine if an unknown access point is connected to a FortiWiFi or FortiAP wireless LAN
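To make the on-wire correlation idea concrete, this added example (not FortiOS code) classifies the BSSIDs returned by a monitoring scan against two constructed data sources: the list of managed AP BSSIDs and the MAC addresses learned on the wired side. It uses two illustrative heuristics, an exact match and MAC adjacency (same first five octets, last octet within a small window), because consumer APs commonly derive their wireless BSSID from their wired MAC; the window size and all sample addresses are assumptions.

```python
# Added example: correlate scanned BSSIDs with wired-side MAC addresses.
ADJACENCY_WINDOW = 4  # assumption: how far the last octet may differ and still count


def mac_to_int(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-...' into an integer for comparison."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def is_adjacent(a, b, window=ADJACENCY_WINDOW):
    """True when a and b share the first five octets and the last octets are close."""
    return (a >> 8) == (b >> 8) and abs((a & 0xFF) - (b & 0xFF)) <= window


def classify_scan(scan_results, managed_bssids, wired_macs, window=ADJACENCY_WINDOW):
    """scan_results: (bssid, ssid) pairs seen by the monitoring radio.

    Returns a dict bssid -> 'managed', 'rogue-on-wire' or 'unknown-neighbor'.
    'rogue-on-wire' means the BSSID itself, or an adjacent MAC, was learned on
    the wired network, so the unknown AP is most likely plugged into the LAN;
    'unknown-neighbor' is an AP that is merely in radio range.
    """
    managed = {b.lower() for b in managed_bssids}
    wired = {mac_to_int(m) for m in wired_macs}
    verdicts = {}
    for bssid, _ssid in scan_results:
        bssid = bssid.lower()
        if bssid in managed:
            verdicts[bssid] = "managed"
            continue
        n = mac_to_int(bssid)
        on_wire = n in wired or any(is_adjacent(w, n, window) for w in wired)
        verdicts[bssid] = "rogue-on-wire" if on_wire else "unknown-neighbor"
    return verdicts


# Constructed sample data (not from any real network).
MANAGED = ["02:0a:0b:10:20:01"]
WIRED_MACS = ["02:11:22:33:44:55", "02:b1:c2:d3:e4:10", "02:0a:0b:10:20:01"]
SCAN = [("02:0a:0b:10:20:01", "corp"), ("02:b1:c2:d3:e4:12", "homeap"),
        ("02:11:22:33:44:55", "hotspot"), ("02:de:ad:be:ef:01", "cafe")]

if __name__ == "__main__":
    for bssid, verdict in classify_scan(SCAN, MANAGED, WIRED_MACS).items():
        print(f"{bssid}  {verdict}")
```

The verdicts are a starting point for an alert, not a block decision on their own: an adjacency hit on a busy switch can be a coincidence, so confirm with the wired port before suppression.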

28 Rogue Access Point Suppression
- De-authentication frames can be sent to render unauthorized APs unusable by clients
  - Clients cannot connect
- The rogue AP's MAC address is automatically blocked in the firewall policy
- The rogue AP feature activates when at least one radio is dedicated to rogue AP detection

29 Fast Roaming
- Users moving between APs must authenticate to each
  - Delays can impair wireless voice traffic or time-sensitive applications
- Pairwise Master Key (PMK) caching
  - The wireless controller caches a negotiated master key
  - Should the user roam away from that AP and back again, the client will not have to re-authenticate
- Users can also pre-authenticate to the next AP that the client may roam to
  - The PMK is derived in advance of the user's movement and is cached
- Fast roaming is only available to FortiAP devices connected to the same FortiGate wireless controller

