© 2007 Xirrus, Inc. All Rights Reserved. Confidential Information.
Xirrus Training: Wi-Fi Basics
Hans Van Damme, Senior Wi-Fi Application Engineer
Part A: Wi-Fi Basics
#1: RF Basics
#2: Wi-Fi Standards
#3: Wi-Fi Security
#4: Wi-Fi Futures
#1: RF Propagation – Transmission
Transmission Basics
Radio waves travel at the speed of light
Radios tune to a specific frequency
Data is modulated and encoded onto the carrier
Basic radio card components: antenna; amplifiers (transmit and receive); radio baseband (converts the analog waveform to digital bits and back)
#1: RF Propagation – Range
Transmission Basics
Range: the operating distance between two radios that wish to communicate (access point to station, or station to station)
Coverage: the total area within which stations can maintain a connection to an access point
#1: RF Propagation – Inhibitors
Range inhibitors: multipath, interference, attenuation
#1: RF Propagation – Enhancers
Range enhancers: additional transmit power, higher antenna gain, better receiver sensitivity
#2: The RF Link – Range Dynamics
Fundamentals
RF power is measured in dBm, a logarithmic scale relative to 1 milliwatt:
  0 dBm = 1 milliwatt
  +10 dB = 10 times the power; +3 dB = double the power
  20 dBm = 100 milliwatts (the EIRP limit for 2.4 GHz in Europe under ETSI rules; in the US, FCC Part 15.247 permits up to 30 dBm, 1 W, conducted for 2.4 GHz)
  -3 dBm = ½ milliwatt
Signal power dissipation: in free space, received power falls with the square of the distance (6 dB of loss for every doubling of distance)
Signal strength: the expected power at the receiver. RSSI = Receive Signal Strength Indicator, reported in dBm
Path loss: the expected signal loss between transmitter and receiver
Link budget: TX power + TX antenna gain – path loss + RX antenna gain = expected usable signal at the receiver (cable and connector losses, where present, are subtracted as well)
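The link-budget arithmetic above carried through in code, as an added example (not from the Xirrus material). It assumes a free-space path loss model (no walls, no cable loss) and a receiver noise floor of -95 dBm for the SNR estimate; the function names and the default 20 dBm / 2 dBi values are my own choices, and it checks the deck's later design targets of -70 dBm and 20 dB SNR.

```python
"""Link-budget calculator (added example). Free-space model only; the noise
floor and default radio parameters are assumptions, not measured values."""
import math

NOISE_FLOOR_DBM = -95.0   # assumed receiver noise floor for a 20 MHz channel


def dbm_to_mw(dbm):
    """0 dBm = 1 mW; every +10 dB is a factor of 10 in power."""
    return 10 ** (dbm / 10.0)


def mw_to_dbm(mw):
    """Inverse of dbm_to_mw; 0.5 mW comes out at about -3 dBm."""
    return 10.0 * math.log10(mw)


def free_space_path_loss_db(distance_m, freq_mhz):
    """FSPL = 20 log10(d_m) + 20 log10(f_MHz) - 27.55 (dB).

    The 20 log10(d) term is the inverse-square law: 6 dB per doubling,
    20 dB per decade of distance. 5 GHz loses ~6.6 dB more than 2.4 GHz
    at the same distance."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def link_budget_dbm(tx_power_dbm, tx_gain_dbi, path_loss_db, rx_gain_dbi):
    """The slide's formula: TX power + TX gain - path loss + RX gain."""
    return tx_power_dbm + tx_gain_dbi - path_loss_db + rx_gain_dbi


def evaluate_link(distance_m, freq_mhz, tx_power_dbm=20.0,
                  tx_gain_dbi=2.0, rx_gain_dbi=2.0):
    """Expected RSSI and SNR at the receiver, and whether the link meets the
    design targets used later in the deck (RSSI >= -70 dBm, SNR >= 20 dB)."""
    path_loss = free_space_path_loss_db(distance_m, freq_mhz)
    rssi = link_budget_dbm(tx_power_dbm, tx_gain_dbi, path_loss, rx_gain_dbi)
    snr = rssi - NOISE_FLOOR_DBM
    return {
        "path_loss_db": round(path_loss, 1),
        "rssi_dbm": round(rssi, 1),
        "snr_db": round(snr, 1),
        "meets_design": rssi >= -70.0 and snr >= 20.0,
    }


if __name__ == "__main__":
    for d in (10, 50, 100, 300):
        print(f"{d:4d} m @ 2.4 GHz:", evaluate_link(d, 2437))
        print(f"{d:4d} m @ 5 GHz:  ", evaluate_link(d, 5180))
```

Real buildings add 10 to 20 dB per wall on top of the free-space figure, which is why the deck insists on a site survey rather than a calculation alone.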
#2: The RF Link – SNR
Signal to Noise Ratio (SNR)
Indicates how much usable signal is available above the noise floor (SNR in dB = received signal in dBm – noise floor in dBm)
Higher data rates require higher SNR values
#2: The RF Link – Capacity
Range versus Capacity
The greater the coverage area…
  …the more wireless stations can be covered
  …the less bandwidth available to each user
  …the lower the data rates will be at the edge
  …the more likely the chances of "hidden nodes" (stations that cannot hear each other and therefore collide at the AP)
#1 and #2: RF – Best Practices
Recommendations
Gain is good: use high gain antenna systems
Receiver sensitivity is important; use better radio chipsets if possible
Design coverage for signal strengths of at least -70 dBm
An SNR of at least 20 dB is desired, which supports 36 Mbps or better data rates
Use multiple radios to provide capacity for larger spaces
(Figure: Xirrus Array: array controller with integrated wireless switch, radio modules, high gain sectored antennas)
Part A: Wi-Fi Basics / #2: Wi-Fi Standards
#3: 802.11a/b/g – Overview
802.11b: ratified in 1999; operates in the 2.4 GHz spectrum; data rates 1, 2, 5.5, 11 Mbps
802.11a: ratified in 1999; operates in the 5 GHz spectrum; data rates 6, 9, 12, 18, 24, 36, 48, 54 Mbps
802.11g: ratified in 2003; operates in the 2.4 GHz spectrum; data rates 1, 2, 5.5, 11 (the 802.11b rates) plus 6, 9, 12, 18, 24, 36, 48, 54 Mbps; backward compatible with 802.11b
#3: 802.11a/b/g – Client / AP Interaction
Contention Management
Clients join the network through an authentication/association process. All wireless devices must follow the same rules for transmitting (CSMA/CA: listen before transmitting, back off for a random interval, acknowledge every frame) to avoid and mitigate collisions on the shared medium ("the air").
#3: 802.11a/b/g – Best Practices
Recommendations
802.11b-only equipment is nearly unavailable; 802.11b/g is end of life
Buy 802.11a/b/g adapters at a minimum; better yet, buy 802.11a/b/g/n adapters
#4: 802.11 Channels – Capacity / Allocation
Non-overlapping channels: 802.11a = 23 (US, including the DFS channels); 802.11b/g = 3
Total aggregate capacity (channels × top data rate):
  802.11a = 23 × 54 Mbps = 1.24 Gbps
  802.11g = 3 × 54 Mbps = 162 Mbps
  802.11g with 802.11b clients present (protection overhead) = 42 Mbps
  802.11b = 3 × 11 Mbps = 33 Mbps
#4: 802.11 Channels – Cell Planning
802.11b/g: channels available = 3
  The nearest cell reusing the same channel is never more than about one cell away
  Sensitive to co-channel interference from other cells on the same channel: if that energy is weak it is seen as noise; if it is strong, stations defer to it
  Bleed-over holds down the higher data rates and greatly reduces overall network capacity
802.11a: channels available = 23
  High performance: roughly 8 times the aggregate capacity
  Far less interference from cells on the same channel, and more channels to choose from to avoid it
#4: 802.11 Channels – Interference Issues
802.11b/g uses the 2.4 GHz ISM band, where common devices cause interference: Bluetooth devices, cordless phones, microwave ovens, X10 wireless video cameras, amateur (HAM) radio operators
Interference collides with the intended signal: transmissions are garbled and data packets are retransmitted, reducing end-user throughput and increasing the latency of data traversing the RF network
802.11a uses the 5 GHz UNII bands and is relatively interference free (the DFS channels must be vacated when radar is detected, so keep that in mind when planning)
#4: Channels – Best Practices
Recommendations
Graduate to the 5 GHz spectrum (802.11a now, 802.11n next) to achieve 8X increased capacity, significantly reduced interference, and simplified channel planning
Use multiple radios on different channels in a given cell to increase capacity
Limit the number of users per radio to about 12-15; lower this to about 8-10 if carrying voice
#5: 802.11 Networking – Client Connection
Client Association
Clients join the Wi-Fi infrastructure through an authentication/association process
Stations periodically send Probe Requests, and APs answer with Probe Responses, so that stations keep their picture of the wireless environment up to date
#5: 802.11 Networking – SSIDs
SSIDs
Clients associate to an SSID (Service Set Identifier), a label that names a virtual Wi-Fi network, similar to a VLAN on a wired network. An SSID can operate across multiple APs, multiple channels and multiple radios.
An SSID is only a name, not an identity: nothing stops another AP from advertising the same SSID, which is what makes the "evil twin" attacks in the threats section possible.
#5: 802.11 Networking – Roaming
Scanning: Wi-Fi client radios continually scan the air to detect available networks (SSIDs) within range, maintaining information about each
Roaming: after a Wi-Fi client associates with a radio/SSID, it remains connected to that radio unless it determines there is another one with a better signal strength. If the difference exceeds a certain threshold, the client switches (roams) to the new radio. The decision is made by the client, not by the infrastructure.
#5: 802.11 Networking – Best Practices
Recommendations
Use separate SSIDs to partition different groups of users, each with its corresponding security level, QoS level, access restrictions, etc.
Tie each SSID to its own VLAN in the wired network
Keep the number of different SSIDs to a minimum, usually 2-3 (every SSID costs beacon airtime)
Do not rely on disabled SSID broadcasting as security: anyone with a wireless sniffer can recover the SSID from probe responses and association requests, and clients configured for a hidden network leak its name in probe requests wherever they go
Do not use default SSIDs; change them to something not associated with your organization's name
Adjust station driver settings to control roaming behavior
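To show why hiding the SSID buys nothing, here is an added example (not from the Xirrus material) that parses 802.11 management-frame bodies: a "hidden" beacon carries an empty SSID element, but the probe response and the client's association request carry the real name. The same parser decodes the RSN element so you can see the cipher and key-management suites an AP advertises. The frame bodies are constructed by hand with the standard layouts (12 fixed bytes before the elements in a beacon or probe response, 4 in an association request); the network name and suite selection are placeholders.

```python
"""Recover the SSID and RSN (WPA2) element from 802.11 management-frame
bodies (added example). The frames below are constructed, not captured."""
import struct

IE_SSID, IE_RSN = 0, 48
RSN_OUI = b"\x00\x0f\xac"            # IEEE 802.11i suite selector OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}


def parse_ies(data):
    """Split tag/length/value Information Elements into {tag: [value, ...]}."""
    ies = {}
    pos = 0
    while pos + 2 <= len(data):
        tag, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.setdefault(tag, []).append(value)
        pos += 2 + length
    return ies


def extract_ssid(ies):
    """Return the SSID string, or None when the element is empty ("hidden")."""
    ssid = ies.get(IE_SSID, [b""])[0]
    return ssid.decode("utf-8", "replace") if ssid else None


def _suite(table, blob, off):
    """Decode one 4-byte suite selector (OUI + type)."""
    oui, stype = blob[off:off + 3], blob[off + 3]
    return table.get(stype, "unknown") if oui == RSN_OUI else "vendor"


def parse_rsn(rsn):
    """Decode version, group cipher, pairwise cipher list and AKM list."""
    version, = struct.unpack_from("<H", rsn, 0)
    group = _suite(CIPHERS, rsn, 2)
    n_pair, = struct.unpack_from("<H", rsn, 6)
    pairwise = [_suite(CIPHERS, rsn, 8 + 4 * i) for i in range(n_pair)]
    off = 8 + 4 * n_pair
    n_akm, = struct.unpack_from("<H", rsn, off)
    akm = [_suite(AKMS, rsn, off + 2 + 4 * i) for i in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def summarize(body, fixed_len):
    """fixed_len: 12 for beacon/probe response, 4 for association request."""
    ies = parse_ies(body[fixed_len:])
    rsn = ies.get(IE_RSN)
    return {"ssid": extract_ssid(ies), "rsn": parse_rsn(rsn[0]) if rsn else None}


def ie(tag, value):
    """Build one tag/length/value element."""
    return bytes([tag, len(value)]) + value


# Constructed frame bodies for a WPA2-PSK/CCMP network whose beacons hide the SSID.
RSN_CCMP_PSK = ie(IE_RSN, struct.pack("<H", 1)                      # version 1
                  + RSN_OUI + b"\x04"                                # group cipher: CCMP
                  + struct.pack("<H", 1) + RSN_OUI + b"\x04"         # 1 pairwise cipher: CCMP
                  + struct.pack("<H", 1) + RSN_OUI + b"\x02"         # 1 AKM: PSK
                  + struct.pack("<H", 0))                            # RSN capabilities
BEACON_FIXED = b"\x00" * 12          # timestamp(8) + beacon interval(2) + capability(2)
HIDDEN_BEACON = BEACON_FIXED + ie(IE_SSID, b"") + RSN_CCMP_PSK
PROBE_RESPONSE = BEACON_FIXED + ie(IE_SSID, b"corp-wifi") + RSN_CCMP_PSK
ASSOC_REQUEST = b"\x00" * 4 + ie(IE_SSID, b"corp-wifi") + RSN_CCMP_PSK

if __name__ == "__main__":
    print("beacon        ", summarize(HIDDEN_BEACON, 12))   # ssid None
    print("probe response", summarize(PROBE_RESPONSE, 12))  # ssid corp-wifi
    print("assoc request ", summarize(ASSOC_REQUEST, 4))    # ssid corp-wifi
```

The RSN decode is also the quickest audit of the encryption section's advice: an AP whose pairwise list still contains TKIP, or whose AKM list is PSK on what should be an enterprise SSID, shows up without touching the controller.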
Xirrus Array Training: 30 Minute Break
Part A: Wi-Fi Basics / #3: Wi-Fi Security
#6: Authentication – Standards
IEEE 802.11i defines the security provisions for Wi-Fi, including authentication, encryption and key management
Commercial implementations of 802.11i are most commonly referred to by the Wi-Fi Alliance's certification names, Wi-Fi Protected Access: WPA (based on the 802.11i draft, with TKIP encryption) and WPA2 (the ratified 802.11i, with AES/CCMP encryption)
#6: Authentication – 802.11i Security
802.11i
Ratified in 2004
Provides much stronger security than the original 802.11 standard (WEP)
Uses IEEE 802.1X authentication (the Pre-Shared Key (PSK) variant is for SOHO use only)
Four primary phases: (figure not reproduced)
#6: Authentication – Fundamentals
What is Authentication?
Validates the identity of a user or device (you are who you say you are)
Executes mutually between the client and the AP / infrastructure: the client proves itself to the network, and the network proves itself to the client (in EAP methods such as PEAP and EAP-TLS, through the authentication server's certificate)
802.11i authentication is based on the 802.1X standard
Benefits
  Encryption key management: each authenticated session gets its own master key
  Password expiration and change (Microsoft MSCHAPv2)
  Prevents man-in-the-middle attacks and connecting to rogue APs, provided the client validates the server certificate; a supplicant that accepts any certificate will authenticate to an attacker's AP just as readily
  Provides accounting and audit information for every connection
  Allows extended control of end users: time-of-day access, guest access
#6: Authentication – Infrastructure
Typical Infrastructure
The authentication server can interface with directory services, giving central use of policies and permissions
The authenticator can enforce policies at the edge (e.g. which VLAN a user should be placed in)
(Figure: supplicant (client), authenticator (access point), Ethernet switch, authentication server (RADIUS), Active Directory / LDAP server)
#6: Authentication – Wi-Fi Authentication
Wi-Fi Authentication Framework
In a wired environment, a user has to gain physical access to a port; in a wireless environment it is much easier to gain access to the medium
802.11i makes use of 802.1X, which adapts port-based network access control (EAP carried over the LAN) from wired networks to wireless
The authenticator (access point) provides multiple virtual ports, one per user, each blocked until that user's EAP exchange succeeds
The exchange also yields the master key material for encryption (key exchange), and caching that material enables faster roaming
#6: Authentication – Wi-Fi Authentication: Extensible Authentication Protocol (EAP) Types (comparison table not reproduced)
#6: Authentication – Best Practices
Recommendations
Don't compromise: for enterprise-grade security, use 802.11i / WPA2 with RADIUS-based 802.1X authentication
RADIUS is free with Windows 2000 and 2003 Server (Microsoft IAS); see the Xirrus website for installation guidance: http://www.xirrus.com/library/wifitools.html
RADIUS can interface with Active Directory or other directory services; FreeRADIUS can also be used
Use PEAP with MSCHAPv2 for easiest administration (no client certificates required), but only with server certificate validation enforced on every client: the MSCHAPv2 exchange inside PEAP is only as strong as the TLS tunnel around it, and a client that skips validation will hand its challenge/response to a rogue AP, where it can be cracked offline
Use authentication to enforce other access policies
Ensure replication and availability of the authentication server: scale for peak loading, and plan for remote locations (what happens when the WAN link to the RADIUS server is down)
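The PEAP caveat above in concrete form: an added example in wpa_supplicant.conf syntax (not from the Xirrus material) showing the weak network block beside the hardened one. The SSID, CA file path, RADIUS server name, realm and credentials are placeholders.

```conf
# Weak: no CA is pinned, so wpa_supplicant accepts whatever certificate the
# "server" presents and runs MSCHAPv2 against an attacker's AP as happily
# as against the real RADIUS server.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    phase2="auth=MSCHAPV2"
}

# Hardened: trust only the corporate CA, require the server's certificate
# name to match, keep the real username inside the TLS tunnel, and insist
# on WPA2/CCMP so TKIP cannot be negotiated.
network={
    ssid="corp-wifi"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="s3cret"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.example.com"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
```

On Windows the equivalent PEAP properties are "Validate server certificate", the trusted root CA check box, "Connect to these servers", and "Do not prompt user to authorize new servers or trusted certification authorities"; push them centrally so a user cannot click through a certificate warning.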
#7: Encryption – Encryption Basics
What is Encryption?
Wi-Fi data is easily captured and viewed if passed in the clear: usernames/passwords, email headers and message contents are all vulnerable
Encryption changes data to make it unintelligible to an unauthorized user; it mathematically alters the original data using a key to encrypt/decrypt the data
The Key Is the Key
The key is a value known only to sender and receiver and used by the encryption algorithm to change the original information
The longer the key, the harder to break by brute force:
  A 40-bit key has 2^40 combinations = 1.1 x 10^12 = 1.1 trillion
  A 128-bit key has 2^128 combinations = 3.4 x 10^38 = 340 undecillion
Key length only matters if the algorithm and the protocol around it are sound: WEP with a 104-bit key falls in minutes just like 40-bit WEP, because the attack exploits RC4 keystream reuse and weak IVs, not key search
#7: Encryption – Protocols
AES/CCMP encryption (AES is the encryption standard adopted by the US government) provides the best data confidentiality for Wi-Fi
TKIP encryption was a decent stopgap for older, non-AES capable hardware; it is a wrapper around WEP's RC4 and has since been deprecated by the IEEE and the Wi-Fi Alliance, so treat it as legacy-only
WEP encryption is dead: easily cracked with readily available software in just minutes
#7: Encryption – Key Management
Key Management
The master key (PMK) is the starting point, and is originated either dynamically via RADIUS (derived from the 802.1X/EAP exchange, unique per session) or statically from the Pre-Shared Key (PSK, derived from the passphrase and SSID and therefore identical for every client on that SSID)
Transient (temporal) keys are derived from the master key in the four-way handshake, using nonces from both sides, and are used to encrypt the data; a fresh set is produced on every (re)association
Per-packet freshness: TKIP mixes a new key for each packet, while CCMP keeps one temporal key and uses an incrementing packet number as the nonce, which also provides replay protection
#7: Encryption – Best Practices
Recommendations
Use WPA2 Enterprise (AES/CCMP encryption) for best security
Use WPA/WPA2 Personal only in SOHO environments; use random, hard-to-guess passphrases of 20+ ASCII characters, because one captured four-way handshake lets an attacker test passphrases offline; update passphrases periodically and whenever an employee leaves, a laptop is lost, etc.
Don't use WEP if at all possible: it is only barely better than nothing. Use it only for legacy and embedded devices if there is no other option, refresh keys periodically, and use filtering/firewalling to limit what those devices can reach
Use Open for guest or public access networks, since WPA/WPA2 is not practical when you cannot configure the supplicant (client). Internally, segregate guest traffic, routing/VLANing it away from corporate assets; externally, require road warriors connecting to corporate assets to use a VPN
Use separate SSIDs mapped to VLANs for different security types to logically separate users; use 802.1Q/p VLAN segregation and prioritization as wireless traffic enters the wired network
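The key hierarchy from the previous slide and the passphrase advice above, worked through in code as an added example (not from the Xirrus material): passphrase to PMK with PBKDF2, PMK to PTK with the 802.11i PRF over the four-way handshake nonces, PTK to the EAPOL-Key MIC, and the offline check an attacker runs against a captured handshake. The MAC addresses, nonces, EAPOL frame and passphrase are constructed for the example; the "password"/"IEEE" PMK used in the test is the published IEEE 802.11i Annex H vector.

```python
"""WPA2-Personal key hierarchy and offline passphrase check (added example).
MACs, nonces, the EAPOL frame and the passphrase are constructed."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits);
    for WPA-Personal the PMK is the PSK, shared by every client on the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    For CCMP the 48 bytes are KCK(16) || KEK(16) || TK(16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck, eapol_frame):
    """WPA2/AES EAPOL-Key MIC: HMAC-SHA1 under the KCK, truncated to 16 bytes,
    over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def check_passphrase(candidate, ssid, aa, spa, anonce, snonce, eapol_zeroed, mic):
    """One dictionary-attack step: rederive the MIC from a guess and compare."""
    ptk = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], eapol_zeroed), mic)


# Constructed handshake material (not a real capture).
SSID = "corp-wifi"
AA = bytes.fromhex("00112233aabb")           # access point (authenticator) MAC
SPA = bytes.fromhex("00aabbccdd01")          # station (supplicant) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_M2 = bytes(121)                        # stand-in for message 2 with its MIC field zeroed
REAL_PASSPHRASE = "Cn7!vq-Rw2zLp9#Kd4Ts"      # constructed: 20 random characters


def captured_mic():
    """The MIC a sniffer sees on message 2 of the handshake."""
    ptk = ptk_from_pmk(pmk_from_passphrase(REAL_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_M2)


def dictionary_attack(words, mic):
    """Return the first candidate that reproduces the captured MIC, else None."""
    for word in words:
        if check_passphrase(word, SSID, AA, SPA, ANONCE, SNONCE, EAPOL_M2, mic):
            return word
    return None


if __name__ == "__main__":
    mic = captured_mic()
    print("PMK:", pmk_from_passphrase(REAL_PASSPHRASE, SSID).hex())
    print("wordlist:", dictionary_attack(["password", "xirrusarray", "corpwifi2007"], mic))
    print("wordlist:", dictionary_attack(["password", REAL_PASSPHRASE], mic))
```

Two things the code makes visible: 4096 PBKDF2 rounds is cheap enough that tuned crackers test tens of thousands of passphrases per second per core, so only the length and randomness of the passphrase protects a PSK network; and because the PMK is the same for everyone on the SSID, anyone who holds it can derive another client's PTK from that client's captured handshake and read its traffic, which is why the deck reserves WPA2 Personal for SOHO use.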
Hands-On #3: Associate with Security
Associate to the Xirrus Array with PSK
Double click the wireless icon in your system tray
Select the "xirrus-wpa-psk" network from the list
Select "Connect"
Enter passphrase (PSK) = xirrusarray
#8: Wi-Fi Threats – Types
Threats to a corporate Wi-Fi network can come from many places:
1. Unauthorized APs: rogues, evil twins
2. Unauthorized connections: ad hocs, neighbor APs
3. Unauthorized clients: intruders, guests
4. Misconfigured APs: no security, defaults
5. Eavesdropping
6. Forgery and replay
#8: Wi-Fi Threats – Mitigation Techniques
Tarpits use sensor radios to pull clients away from unauthorized/rogue APs (active containment of this kind deliberately disrupts other networks; confirm it is permitted by local regulation and your own policy before enabling it)
Sensor radios scan the airwaves; their signal strength data is used to locate attackers
#8: Wi-Fi Threats – Best Practices
Network Infrastructure
Proactively audit AP configurations for changes
Use VLANs to segregate Wi-Fi traffic on the wired network
Use firewall filters and ACLs to restrict traffic into the wired network
Use routing to limit reachable IP addresses, ports, etc.
Wireless Stations
Use VPNs for offsite access
Ensure use of personal firewalls and anti-virus software
Centrally administer Wi-Fi settings (including the list of trusted SSIDs and the server certificate validation settings)
Intrusion Detection/Intrusion Prevention Systems (IDS/IPS)
Dedicate threat sensor radios to continuously monitor the air and feed an IDS/IPS system
Automatically block unauthorized wireless activity
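The "audit AP configurations" and sensor-radio recommendations above come down to comparing what is seen in the air against what is authorized. Here is an added example (not from the Xirrus material) of that detection logic run over sensor scan records: it flags evil twins, rogue APs bridged to the wire, ad hoc networks, default SSIDs, and configuration drift on authorized APs. The inventory, the scan records and the on_wire flag (which in practice comes from correlating BSSIDs with switch MAC tables) are all constructed.

```python
"""Classify access points reported by a sensor scan against an authorized
inventory (added example). Inventory, scan records and the on_wire flag
are constructed; the rules follow the threat list on the slide."""

CORP_SSIDS = {"corp-wifi", "corp-guest"}
OPEN_BY_DESIGN = {"corp-guest"}                       # guest SSID is Open on purpose
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "xirrus"}

# Authorized BSSIDs and the configuration each one must advertise (constructed).
INVENTORY = {
    "00:11:22:33:aa:bb": {"ssid": "corp-wifi", "security": "WPA2-CCMP-802.1X"},
    "00:11:22:33:aa:bc": {"ssid": "corp-guest", "security": "OPEN"},
}


def classify(ap):
    """Return the findings for one scan record; an empty list means nothing to flag."""
    findings = []
    known = INVENTORY.get(ap["bssid"].lower())
    if ap.get("mode") == "adhoc":
        findings.append("ad hoc network")
    if known is None:
        if ap["ssid"] in CORP_SSIDS:
            findings.append("evil twin: corporate SSID on unknown BSSID")
        elif ap.get("on_wire"):
            findings.append("rogue AP bridged to our wired network")
        if ap["ssid"].lower() in DEFAULT_SSIDS:
            findings.append("default SSID")
    else:
        if known["ssid"] != ap["ssid"]:
            findings.append("config drift: SSID changed to %s" % ap["ssid"])
        if known["security"] != ap["security"]:
            findings.append("config drift: security %s -> %s" % (known["security"], ap["security"]))
    if ap["security"] in ("OPEN", "WEP") and ap["ssid"] in CORP_SSIDS - OPEN_BY_DESIGN:
        findings.append("corporate SSID without WPA2")
    return findings


def triage(scan):
    """Map each flagged BSSID to its findings; clean and neighbor APs are omitted."""
    report = {}
    for ap in scan:
        findings = classify(ap)
        if findings:
            report[ap["bssid"]] = findings
    return report


# Constructed scan records (what a sensor radio would report).
SCAN = [
    {"bssid": "00:11:22:33:aa:bb", "ssid": "corp-wifi", "security": "WPA2-CCMP-802.1X", "mode": "infra"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "corp-wifi", "security": "OPEN", "mode": "infra"},
    {"bssid": "00:11:22:33:aa:bc", "ssid": "corp-guest", "security": "WPA2-CCMP-PSK", "mode": "infra"},
    {"bssid": "66:77:88:99:00:11", "ssid": "linksys", "security": "WEP", "mode": "infra", "on_wire": True},
    {"bssid": "02:aa:bb:cc:dd:ee", "ssid": "Free Public WiFi", "security": "OPEN", "mode": "adhoc"},
    {"bssid": "c0:ff:ee:00:00:01", "ssid": "coffee-shop", "security": "WPA2-CCMP-PSK", "mode": "infra"},
]

if __name__ == "__main__":
    for bssid, findings in triage(SCAN).items():
        print(bssid, findings)
```

The neighbor's coffee-shop AP is deliberately not flagged: an unknown BSSID is only a rogue if it is on your wire or impersonates your SSID, and treating every neighbor as hostile is how containment features end up jamming networks you have no right to touch.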
Part A: Wi-Fi Basics / #4: Wi-Fi Futures
#9: 802.11n – Standards
Wi-Fi Industry Still Young and Growing
IEEE task groups are still in full swing: 802.11n (High Throughput), 802.11v (Wireless Network Management), 802.11w (Protected Management Frames), 802.11s (Mesh Networking), VHT (Very High Throughput Study Group)
#9: 802.11n – Data Rates
Range and Data Rates
Longer range or higher data rates
Wi-Fi Certified data rates up to 300 Mbps; future rates up to 600 Mbps specified
Most compatible with 802.11a; backwards compatible with 802.11b/g
YOUR MILEAGE WILL VARY!
#9: 802.11n – Capacity
802.11n capacity: 26 channels × 150 Mbps = 3.9 Gbps ((23) 5 GHz channels + (3) 2.4 GHz channels)
802.11a capacity: 23 channels × 54 Mbps = 1.2 Gbps
802.11g capacity: 3 channels × 54 Mbps = 162 Mbps
802.11b capacity: 3 channels × 11 Mbps = 33 Mbps
#9: 802.11n – Physical Layer (Radio)
Classic 802.11 transmitter: the data stream is sent out of one antenna; the receiver selects its best antenna
#9: 802.11n – 802.11n and MIMO
802.11n and MIMO and Signal Processing
Multiple antennas greatly improve receiver sensitivity (the ability to hear)
#9: 802.11n – Obtaining Higher Data Rates
Spatial Multiplexing
  The source data stream is split and sent over separate antennas at the same time
  Recombined at the receiver using MIMO signal processing
  Doubles, triples or quadruples the data rate depending on the number of transmit antennas (spatial streams) used
Channel Bonding: Increasing the Bandwidth
  Bonds two 20 MHz channels into one 40 MHz channel
  Slightly more than doubles the bandwidth
  Phased channel operation: ability to jump between 20 and 40 MHz channels
#9: 802.11n – MAC Improvements
Reducing Overhead Improves Efficiency
Frame aggregation, block ACKs, reduced inter-frame spacing
#9: 802.11n – Client Requirements
What will my end users require if I install 802.11n APs?
Possibly nothing: today's 802.11a/b/g clients will interoperate with 802.11n access points
802.11n improves either side of the link (access point or station)
Standard 802.11a/b/g clients will obtain better throughput, up to today's data rates; higher data rates can only be obtained with 802.11n on both sides of the link
Phase in 802.11n stations when the standard is ratified; there is no need for a mass swap-out of existing devices
#9: 802.11n – Cell Sizes
What about cell sizes – will I need to change the location of APs?
802.11n is not about higher transmit power, but about a better receiver (ability to listen)
Plan to keep the same AP locations if you have designed for 5 GHz
An 802.11n cell will provide higher data rates and more user density; the need to support legacy 11a/b/g stations sets the cell edge; enterprise gear should automatically adjust cell sizes
Plan to redesign for 11n if you only have 2.4 GHz (802.11b/g): do a site survey for the new locations
Confidential Information
® 2007 Xirrus, Inc. All Rights Reserved
50
#9: 802.11n – Best Practices
Recommendations
Client Devices
Move away from 802.11b as it seriously degrades 802.11n (and 802.11g) performance
Fold in new 802.11n client adapters that support 5GHz (802.11a + 802.11n) for channel bonding
At least buy 802.11a/b/g adapters
Wired Network Infrastructure
Pull at least one Gigabit Ethernet connection to each Access Point location (dual Gigabit is better)
Implement switching as close to the edge as possible
Wireless Network
Buy infrastructure gear that is upgradeable and provides local switching at the edge
Upgrade your sensor networks to 802.11n
Keep cell sizes the same as you have today
Plan to support today’s 802.11a/b/g devices
May need to resurvey if you just have 2.4GHz
Management and planning tools will need to comprehend 802.11n
Should I Wait?
Start planning today! 802.11n is backwards compatible (improved PHY performance helps even today’s client devices)
Buy modular and upgradeable infrastructure with a path to 802.11n
#10: Architectures – The Future of Wi-Fi
“The only effective way to deliver high-performance Wi-Fi is to have a centrally managed intelligent edge network – just like your wired networks do”
#10: Architectures – Types
Distributed Processing
Packet Processing at edge
Control plane at edge
Policy and security enforcement at edge
Encryption processing at edge
Just like Ethernet Switching
Central management
Centralized Processing (Central Controller + Thin APs)
Packet Processing at core
Control plane at core
Policy and security enforcement at core
Encryption processing at core
Central management
#10: Architectures – Best Practices
Preparing for Next Generation Wi-Fi
Be careful to understand the latency and jitter that central controllers will create (especially for voice)
Centralized controllers will require redundant units to avoid large single points of failure
Be wary of back-end network bottlenecks for 802.11n
Remote sites may be problematic for controllers located across a WAN
Recommendations:
Gigabit Ethernet connections are required
Locally switch packets at the edge (not deep into the network)
Controllers should be integrated into or local to the Access Point
Questions?