CWNA Guide to Wireless LANs, Second Edition
Chapter Seven thru Ten Review
2
Note: Many of the test questions will come from these charts
I will still be updating the slides through Monday night. But only minor changes will be made.
3
What is a Site Survey?
When installing a WLAN for an organization, areas of dead space might not be tolerated
• Ensure blanket coverage, meet per-user bandwidth requirements, minimize “bleeding” of signal
Factors affecting wireless coverage goals:
• Devices emitting RF signals
• Building structure (walls, construction materials)
• Open or closed office doors
• Stationary versus mobile machinery/equipment
• Movement of mobile walls (e.g., cubicles)
4
What is a Site Survey?
Factors affecting wireless coverage goals:
• Expansion of physical plant or growth of organization
• Existing WLANs
  - Both inside organization, and within nearby organizations
Site survey: Process of planning a WLAN to meet design goals
• Effectiveness of a WLAN often linked to thoroughness of the site survey
5
What is a Site Survey?
Design goals for a site survey:
• Achieve best possible performance from WLAN
• Certify that installation will operate as promised
• Determine best location for APs
• Develop networks optimized for variety of applications
• Ensure coverage will fulfill organization’s requirements
• Locate unauthorized APs
6
What is a Site Survey?
Design goals for a site survey (continued):
• Map nearby wireless networks to determine existing radio interference
• Reduce radio interference as much as possible
• Make wireless network secure
Survey provides realistic understanding of infrastructure required for proposed wireless link
• Assists in predicting network capability and throughput
• Helps determine exact location of APs and power levels required
7
What is a Site Survey?
When to perform a site survey:
• Before installing a new wireless network
• Before changing an existing wireless network
• When there are significant changes in personnel
• When there are changes in network needs
• After making physical changes to a building
8
Site Survey Tools: Wireless Tools
Most basic tool is AP itself:
• Position in various locations
• Monitor signal as you move
• APs should have ability to adjust output power
• APs should have external antenna connectors
Notebook computer with wireless NIC also essential for testing
• Previously configured and tested
9
Site Survey Tools: Measurement Tools
Site Survey Analyzers: Specifically designed for conducting WLAN site surveys
• Software often built into AP
• Receive Signal Strength Indicator (RSSI) value
• Full-featured site survey analyzer software settings:
  - Destination MAC Address
  - Continuous Link Test
  - Number of Packets
  - Packet Size
  - Data Retries
10
Site Survey Tools: Measurement Tools
Site Survey Analyzers (continued):
• Full-featured site survey analyzer software settings (continued):
  - Data Rate
  - Delay Between Packets
  - Packet Tx Type
    - Unicast or multicast
  - Percent Success Threshold
• Basic survey analyzer software contains far fewer features
11
Site Survey Tools: Measurement Tools
Spectrum Analyzers: Scan radio frequency spectrum and provide graphical display of results
• Typically measure signal-to-noise ratio
• Single-frequency analyzers measure signal-to-noise ratio at specified frequency
• Helpful in identifying interference problems
  - Thus, helps properly position/orient AP
12
Site Survey Tools: Measurement Tools (continued)
Network Analyzers: Can be used to pick up packets being transmitted by other WLANs in area
• Provide additional information on transmissions
• Packet sniffers or protocol analyzers
• Not used in placement of AP
13
Site Survey Tools: Documentation Tools
Create a “hard copy” of site survey results
• Make available for future reference
• No industry-standard form for site survey documentation
Site survey report should include:
• Purpose of report
• Survey methods
• RF coverage details (frequency and channel plan)
• Throughput findings
• Sources of interference
14
Site Survey Tools: Documentation Tools
Site survey report should include (continued):
• Problem zones
• Marked-up facility drawings with access point placement
• Access point configuration
Use building layout blueprints as tools
Advisable to create database to store site survey information and generate reports
15
Site Survey Tools: Documentation Tools
Figure 7-9: Sample site survey form
16
Performing a Site Survey: Gathering Data
Obtaining Business Requirements: Determine business reasons why WLAN being proposed or extended
• If this step skipped, almost impossible to properly design and implement the network
• Primary data gathering method is interviewing
• Must determine type of mobility required within organization
• Must determine per-user bandwidth requirements
  - May be different “types” of users with different bandwidth requirements
17
Performing a Site Survey: Gathering Data
Defining Security Requirements: Consider type of data encryption and type of authentication that will take place across WLAN
• Consider existing security policies and procedures
Gathering Site-Specific Documentation:
• Blueprints, facility drawings, and other documents
  - Show specific building infrastructure components
• Inspecting the site
  - Document changes to blueprints and get visual perspective
18
Performing a Site Survey: Gathering Data (continued)
Gathering Site-Specific Documentation (continued):
• Behind-the-scenes site inspection
Documenting Existing Network Characteristics:
• New or expanded WLAN will “dovetail” into network already in place
• Determine degree to which WLAN will interact with other wired networks
• Legacy systems may require additional equipment to support WLAN
19
Performing a Site Survey: Performing the Survey
Collecting RF Information:
• Note objects in and layout of room
  - Use digital camera
• Position AP
  - Initial location will depend on antenna type
  - Document starting position of AP
• Using notebook computer with site survey analyzer software running, walk slowly away from AP
  - Observe data displayed by analyzer program
    - Data rate, signal strength, noise floor, and signal-to-noise ratio
20
Performing a Site Survey: Performing the Survey
Collecting RF Information:
• Continue moving until data collected for all areas
• Data collected used to produce:
  - Coverage pattern: Area where signal can be received from the AP
  - Data rate boundaries: Range of coverage for a specific transmission speed
  - Throughput: Number of packets sent and received and data rates for each
  - Total transmission range: Farthest distance at which signal can be received by wireless device
21
Performing a Site Survey: Performing the Survey
Collecting Non-RF Information:
Outdoor Surveys:
• Similar to indoor surveys
• Must consider: climatic conditions, trees, different possibilities for antenna positions, Permits and Zoning
CWNA Guide to Wireless LANs, Second Edition
Chapter Eight
Wireless LAN Security and Vulnerabilities
23
Security Principles: What is Information Security?
Information security: Task of guarding digital information
• Ensures protective measures properly implemented
• Protects confidentiality, integrity, and availability (CIA) on the devices that store, manipulate, and transmit the information through products, people, and procedures
24
Security Principles: Challenges of Securing Information
Trends influencing increasing difficulty in information security:
• Speed of attacks
• Sophistication of attacks
• Faster detection of weaknesses
  - Day zero attacks
• Distributed attacks
  - The “many against one” approach
  - Impossible to stop attack by trying to identify and block source
25
Security Principles: Categories of Attackers
Six categories of attackers:
• Hackers
  - Not malicious; expose security flaws
• Crackers
• Script kiddies
• Spies
• Employees
• Cyberterrorists
26
Security Principles: Security Organizations
Many security organizations exist to provide security information, assistance, and training
• Computer Emergency Response Team Coordination Center (CERT/CC)
• Forum of Incident Response and Security Teams (FIRST)
• InfraGard
• Information Systems Security Association (ISSA)
• National Security Institute (NSI)
• SysAdmin, Audit, Network, Security (SANS) Institute
27
Basic IEEE 802.11 Security Protections
Data transmitted by a WLAN could be intercepted and viewed by an attacker
• Important that basic wireless security protections be built into WLANs
Three categories of WLAN protections:
• Access control
• Wired equivalent privacy (WEP)
• Authentication
Some protections specified by IEEE, while others left to vendors
28
Access Control
Intended to guard availability of information
Wireless access control: Limit user’s admission to AP
• Filtering
  - Media Access Control (MAC) address filtering: Based on a node’s unique MAC address
29
Access Control
MAC address filtering considered to be a basic means of controlling access
• Requires pre-approved authentication
• Difficult to provide temporary access for “guest” devices
30
Wired Equivalent Privacy (WEP)
Guard the confidentiality of information
• Ensure only authorized parties can view it
Used in IEEE 802.11 to encrypt wireless transmissions
• “Scrambling”
31
WEP: Cryptography
Cryptography: Science of transforming information so that it is secure while being transmitted or stored
• “Scrambles” data
Encryption: Transforming plaintext to ciphertext
Decryption: Transforming ciphertext to plaintext
Cipher: An encryption algorithm
• Given a key that is used to encrypt and decrypt messages
• Weak keys: Keys that are easily discovered
32
WEP: Implementation
IEEE 802.11 cryptography objectives:
• Efficient
• Exportable
• Optional
• Reasonably strong
• Self-synchronizing
WEP relies on secret key “shared” between a wireless device and the AP
• Same key installed on device and AP
• Private key cryptography or symmetric encryption
33
WEP: Implementation
WEP shared secret keys must be at least 40 bits
• Most vendors use 104 bits
Options for creating WEP keys:
• 40-bit WEP shared secret key (5 ASCII characters or 10 hexadecimal characters)
• 104-bit WEP shared secret key (13 ASCII characters or 16 hexadecimal characters)
• Passphrase (16 ASCII characters)
APs and wireless devices can store up to four shared secret keys
• Default key used for all encryption
34
WEP: Implementation
When encrypted frame arrives at destination:
• Receiving device separates IV from ciphertext
• Combines IV with appropriate secret key
  - Create a keystream
• Keystream used to extract text and ICV
• Text run through CRC
  - Ensure ICVs match and nothing lost in transmission
Generating keystream using the PRNG is based on the RC4 cipher algorithm
• Stream Cipher
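The receive steps on this slide, written out as an added Python example (not part of the original slides). It assumes the standard WEP body layout of a 3-byte IV, one key-ID octet, then RC4-encrypted data plus a CRC-32 ICV; the key table, payloads and function names are constructed for illustration. It also counts repeated IVs per key slot, since a repeated IV under a static key yields the same keystream.

```python
import struct
import zlib
from collections import Counter

# Constructed sample key table: four slots, alternating 40-bit and 104-bit keys.
SAMPLE_KEYS = [b"abcde", b"ABCDEFGHIJKLM", b"fghij", b"NOPQRSTUVWXYZ"]


class ICVMismatch(Exception):
    """Raised when the recomputed CRC-32 does not match the received ICV."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encapsulate(iv: bytes, key_id: int, keys, data: bytes) -> bytes:
    """Sender side: IV | key-ID octet | RC4(IV || key) XOR (data || ICV)."""
    if len(iv) != 3 or not 0 <= key_id <= 3:
        raise ValueError("IV must be 3 bytes and key_id must be 0..3")
    plaintext = data + icv(data)
    keystream = rc4_keystream(iv + keys[key_id], len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return iv + bytes([key_id << 6]) + ciphertext  # key ID sits in the top 2 bits


def wep_decapsulate(body: bytes, keys) -> bytes:
    """Receiver side, following the slide's steps in order."""
    if len(body) < 8:                          # 3 IV + 1 key ID + 4 ICV at minimum
        raise ValueError("frame body too short for WEP")
    iv, key_id, ciphertext = body[:3], body[3] >> 6, body[4:]   # separate the IV
    keystream = rc4_keystream(iv + keys[key_id], len(ciphertext))  # IV + secret key
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream))
    data, received_icv = plaintext[:-4], plaintext[-4:]         # extract text and ICV
    if icv(data) != received_icv:              # run text through CRC and compare
        raise ICVMismatch("ICV check failed")
    return data


def find_iv_collisions(bodies) -> dict:
    """Return {(key_id, iv): count} for every IV seen more than once per key slot."""
    seen = Counter((b[3] >> 6, bytes(b[:3])) for b in bodies)
    return {k: n for k, n in seen.items() if n > 1}


if __name__ == "__main__":
    frame = wep_encapsulate(b"\x00\x00\x01", 1, SAMPLE_KEYS, b"constructed payload")
    print("decapsulated:", wep_decapsulate(frame, SAMPLE_KEYS))
    damaged = bytearray(frame)
    damaged[6] ^= 0x01                         # single bit error in transit
    try:
        wep_decapsulate(bytes(damaged), SAMPLE_KEYS)
    except ICVMismatch as exc:
        print("rejected:", exc)
```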
35
Vulnerabilities of IEEE 802.11 Security
IEEE 802.11 standard’s security mechanisms for wireless networks have fallen short of their goal
Vulnerabilities exist in:
• Authentication
• Address filtering
• WEP
36
Open System Authentication Vulnerabilities
Inherently weak
• Based only on match of SSIDs
• SSID beaconed from AP during passive scanning
  - Easy to discover
Vulnerabilities:
• Beaconing SSID is default mode in all APs
• Not all APs allow beaconing to be turned off
  - Or manufacturer recommends against it
• SSID initially transmitted in plaintext (unencrypted)
37
Other Wireless Attacks: Denial of Service (DoS) Attack
Standard DoS attack attempts to make a server or other network device unavailable by flooding it with requests
• Attacking computers programmed to request, but not respond
Wireless DoS attacks are different:
• Jamming: Prevents wireless devices from transmitting
• Forcing a device to continually dissociate and re-associate with AP
38
Wireless Security Problems
Common Techniques to Compromise Wireless Data Networks:
• Rogue Access Point Insertion
• Traffic Sniffing
• Traffic Data Insertion
• ARP-Snooping (via “Dsniff”) – trick wired network to pass data over wireless
39
Security Overview
Authentication
Determines:
• If you are who you say you are
• If (and What) access rights are granted
Examples are:
• “Smart Card” - SecurID® Server/Cards
• S/Key – One time password
• Digital Certificates
40
WEP (Wired Equivalent Privacy)
RC4 (Rivest Cipher 4 / Ron’s Code 4) Encryption Algorithm <http://www.cebrasoft.co.uk/encryption/rc4.htm>
Shared (but static) secret 64 or 128-bit key to encrypt and decrypt the data
• 24-bit ‘initialization vector’ (semi-random) leaving only 40 or 104 bits as the ‘real key’
WEP Key Cracking Software
• WEPCrack / AirSnort / Aircrack (as well as others)
• Cracking Time:
  - 64-bit key = 2 seconds
  - 128-bit key = ~ 3-10 minutes
www.netcraftsmen.net/welcher/papers/wlansec01.html and www.tomsnetworking.com/Sections-article111-page4.php
41
WPA and WPA2 (WiFi Protected Access)
Created by the Wi-Fi Alliance industry group due to excessive delays in 802.11i approval
WPA and WPA2 designed to be backward compatible with WEP
Closely mirrors the official IEEE 802.11i standards but with EAP (Extensible Authentication Protocol)
Contains both authentication and encryption components
Designed to address WEP vulnerabilities
42
WPA / WPA2 Encryption
WPA
• Mandates TKIP (Temporal Key Integrity Protocol)
  - Scheduled Shared Key Change (i.e., every 10,000 data packets)
• Optionally specifies AES (Advanced Encryption Standard) capability
  - WPA will essentially fall back to WEP-level security if even a single device on a network cannot use WPA
WPA2
• Mandates both TKIP and AES capability
WPA / WPA2 networks will drop any altered packet or shut down for 30 seconds whenever a message alteration attack is detected.
43
WPA / WPA2 (Cont’d)
Personal Pre-shared Key
• User-entered 8 – 63 ASCII character passphrase produces a 256-bit Pre-Shared Key
• To minimize/prevent key cracking, use a minimum of 21 characters for the passphrase
• Key Generation
  - Passphrase, SSID, and the SSID length are hashed 4096 times to generate a value of 256 bits
WPA Key Cracking Software
• coWPAtty / WPA Cracker (as well as others)
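The key generation described on this slide is PBKDF2 with HMAC-SHA1, using the SSID as the salt. The following added Python example (not from the original slides) derives the 256-bit PSK and audits a passphrase against the slide's 8 to 63 character rule and its 21-character recommendation; the function names and the sample SSIDs are constructed for illustration.

```python
import hashlib

MIN_LEN, MAX_LEN = 8, 63      # passphrase length limits stated on the slide
RECOMMENDED_MIN = 21          # the slide's recommended minimum length
ITERATIONS = 4096             # "hashed 4096 times"
PSK_BYTES = 32                # 256-bit pre-shared key


def check_passphrase(passphrase: str):
    """Return (errors, warnings) for a WPA/WPA2-Personal passphrase.

    Errors make the passphrase unusable; warnings flag a usable but
    weak choice according to the slide's 21-character recommendation.
    """
    errors, warnings = [], []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        errors.append(f"length {len(passphrase)} is outside {MIN_LEN}..{MAX_LEN}")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        errors.append("contains characters outside printable ASCII")
    if not errors and len(passphrase) < RECOMMENDED_MIN:
        warnings.append(f"shorter than the recommended {RECOMMENDED_MIN} characters")
    return errors, warnings


def derive_psk(passphrase: str, ssid: bytes) -> bytes:
    """Derive the 256-bit PSK from the passphrase and the SSID.

    The SSID is the PBKDF2 salt; its length is implicit in the bytes
    object, which is how the "SSID length" input on the slide appears here.
    """
    errors, _ = check_passphrase(passphrase)
    if errors:
        raise ValueError("; ".join(errors))
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid, ITERATIONS, PSK_BYTES
    )


def audit(passphrase: str, ssid: bytes) -> dict:
    """Summarise the checks and, when the passphrase is usable, the PSK."""
    errors, warnings = check_passphrase(passphrase)
    psk = None if errors else derive_psk(passphrase, ssid).hex()
    return {"errors": errors, "warnings": warnings, "psk": psk}


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real network credentials.
    samples = [
        ("password", b"ExampleNet"),
        ("password", b"OtherNet"),
        ("correct horse battery staple", b"ExampleNet"),
        ("short", b"ExampleNet"),
    ]
    for phrase, ssid in samples:
        print(phrase, ssid, audit(phrase, ssid))
```

Because the SSID is the salt, the same passphrase yields a different PSK on every network name, which is visible in the first two sample lines.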
44
WPA / WPA2 Authentication (Since Extended EAP-May 2005)
Now Five WPA / WPA2 Enterprise Standards
1. EAP-TLS
   a. Original EAP Protocol
   b. Among most secure but seldom implemented as it needs a Client-side certificate, i.e., smartcard (SecurID Key Fob http://www.securid.com/)
CWNA Guide to Wireless LANs, Second Edition
Chapter Nine
Implementing Wireless LAN Security
46
Objectives
List wireless security solutions
Tell the components of the transitional security model
Describe the personal security model
List the components that make up the enterprise security model
47
Wireless Security Solutions
IEEE 802.11a and 802.11b standards included WEP specification
• Vulnerabilities quickly realized
• Organizations implemented “quick fixes”
  - Did not adequately address encryption and authentication
IEEE and Wi-Fi Alliance started working on comprehensive solutions
• IEEE 802.11i and Wi-Fi Protected Access (WPA)
  - Foundations of today’s wireless security
48
WEP2
Attempted to overcome WEP limitations
• Adding two new security enhancements
  - WEP key increased to 128 bits
  - Kerberos authentication
    - User issued “ticket” by Kerberos server
    - Presents ticket to network for a service
    - Used to authenticate user
No more secure than WEP
• Collisions still occur
• Dictionary-based attacks available
49
Dynamic WEP
Solves weak IV problem by rotating keys frequently
• More difficult to crack encrypted packet
Different keys for unicast and broadcast traffic
• Unicast WEP key unique to each user’s session
  - Dynamically generated and changed frequently
    - For example - When roaming to a new AP
• Broadcast WEP key must be same for all users on a particular subnet and AP
50
Dynamic WEP (continued)
Can be implemented without upgrading device drivers or AP firmware
• No-cost and minimal effort to deploy
Does not protect against man-in-the-middle attacks
Susceptible to DoS attacks
51
IEEE 802.11i
Provides good wireless security model
• Robust security network (RSN)
• Addresses both encryption and authentication
Encryption accomplished by replacing RC4 with a block cipher
• Manipulates entire block of plaintext at one time
Block cipher used is Advanced Encryption Standard (AES)
• Three step process
• Second step consists of multiple rounds of encryption
52
IEEE 802.11i (continued)
Table 9-1: Time needed to break AES
53
IEEE 802.11i (continued)
IEEE 802.11i authentication and key management is accomplished by IEEE 802.1x standard
• Implements port security
  - Blocks all traffic on port-by-port basis until client authenticated using credentials stored on authentication server
Key-caching: Stores information from a device on the network, for faster re-authentication
Pre-authentication: Allows a device to become authenticated to an AP before moving to it
54
IEEE 802.11i (continued)
Figure 9-2: IEEE 802.1x
55
Wi-Fi Protected Access (WPA)
Subset of 802.11i that addresses encryption and authentication
Temporal Key Integrity Protocol (TKIP): Replaces WEP’s encryption key with 128-bit per-packet key
• Dynamically generates new key for each packet
  - Prevents collisions
• Authentication server can use 802.1x to produce unique master key for user sessions
• Creates automated key hierarchy and management system
56
Wi-Fi Protected Access (continued)
Message Integrity Check (MIC): Designed to prevent attackers from capturing, altering, and resending data packets
• Replaces CRC from WEP
• CRC does not adequately protect data integrity
Authentication accomplished via IEEE 802.1x or pre-shared key (PSK) technology
• PSK passphrase serves as seed for generating keys
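Why the slide says CRC does not adequately protect data integrity, shown as an added example that is not part of the original slides. CRC-32 is unkeyed and affine over XOR, so the checksum change for a given payload change is predictable; the keyed tag here is a truncated HMAC-SHA256 used as a stand-in (an assumption of this example, not TKIP's actual Michael algorithm), and the payloads are constructed.

```python
import hashlib
import hmac
import os
import zlib

ICV_LEN = 4  # WEP appends a 32-bit CRC as its integrity check value
MIC_LEN = 8  # the slides give the TKIP MIC as 64 bits


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data: bytes) -> bytes:
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(ICV_LEN, "little")


def crc_change_for(delta: bytes) -> bytes:
    """Checksum change caused by XORing `delta` into ANY payload of that length.

    CRC-32 is affine over XOR, so the change depends only on `delta`,
    never on the payload contents or on a key.
    """
    return xor(crc32(delta), crc32(bytes(len(delta))))


def keyed_tag(key: bytes, payload: bytes) -> bytes:
    # Stand-in for a keyed MIC: truncated HMAC-SHA256, not TKIP's Michael.
    return hmac.new(key, payload, hashlib.sha256).digest()[:MIC_LEN]


def crc_accepts(frame: bytes) -> bool:
    return hmac.compare_digest(crc32(frame[:-ICV_LEN]), frame[-ICV_LEN:])


def mic_accepts(key: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(key, frame[:-MIC_LEN]), frame[-MIC_LEN:])


def altered_in_transit(frame: bytes, delta: bytes, check_len: int) -> bytes:
    """Frame as changed by a party holding no key: the payload is XORed with
    `delta` and the predictable CRC change is applied to the check field."""
    payload, check = frame[:-check_len], frame[-check_len:]
    patch = crc_change_for(delta).ljust(check_len, b"\x00")
    return xor(payload, delta) + xor(check, patch)


def compare_checks() -> dict:
    key = os.urandom(16)
    sent = b"temp_setpoint=21"      # constructed sample payload
    received = b"temp_setpoint=91"  # what the altered frame carries
    delta = xor(sent, received)

    crc_frame = sent + crc32(sent)
    mic_frame = sent + keyed_tag(key, sent)
    return {
        # A change that leaves the checksum alone is caught: CRC detects errors.
        "crc_catches_accidental_change": not crc_accepts(received + crc32(sent)),
        # A change that also applies the predictable checksum change passes.
        "crc_accepts_altered_frame": crc_accepts(
            altered_in_transit(crc_frame, delta, ICV_LEN)),
        # The keyed tag cannot be patched the same way.
        "mic_accepts_altered_frame": mic_accepts(
            key, altered_in_transit(mic_frame, delta, MIC_LEN)),
        "mic_accepts_original_frame": mic_accepts(key, mic_frame),
    }


if __name__ == "__main__":
    for name, value in compare_checks().items():
        print(f"{name}: {value}")
```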
57
Wi-Fi Protected Access 2 (WPA2)
Second generation of WPA security
• Based on final IEEE 802.11i standard
• Uses AES for data encryption
• Supports IEEE 802.1x authentication or PSK technology
• Allows both AES and TKIP clients to operate in same WLAN
58
Summary of Wireless Security Solutions (continued)
Table 9-3: Wireless security solutions
Table 9-2: Wi-Fi modes
59
Transitional Security Model
Transitional wireless implementation
• Should be temporary
  - Until migration to stronger wireless security possible
• Should implement basic level of security for a WLAN
  - Including authentication and encryption
60
Authentication: Shared Key Authentication
First and perhaps most important step
• Uses WEP keys
Networks that support multiple devices should use all four keys
• Same key should not be designated as default on each device
61
Authentication: SSID Beaconing
Turn off SSID beaconing by configuring APs to not include it
• Beaconing the SSID is default mode for all APs
Good practice to use cryptic SSID
• Should not provide any information to attackers
62
WEP Encryption
Although vulnerabilities exist, should be turned on if no other options for encryption are available
• Use longest WEP key available
• May prevent script kiddies or “casual” eavesdroppers from attacking
Table 9-4: Transitional security model
63
Personal Security Model
Designed for single users or small office home office (SOHO) settings
• Generally 10 or fewer wireless devices
Two sections:
• WPA: Older equipment
• WPA2: Newer equipment
64
WPA Personal Security: PSK Authentication
Uses passphrase (PSK) that is manually entered to generate the encryption key
• PSK used as a seed for creating encryption keys
Key must be created and entered in AP and also on any wireless device (“shared”) prior to (“pre”) the devices communicating with AP
65
WPA Personal Security: TKIP Encryption
TKIP is a substitute for WEP encryption
• Fits into WEP procedure with minimal change
Device starts with two keys:
• 128-bit temporal key
• 64-bit MIC
Three major components to address vulnerabilities:
• MIC
• IV sequence
• TKIP key mixing
TKIP required in WPA
66
WPA2 Personal Security: PSK Authentication
PSK intended for personal and SOHO users without enterprise authentication server
• Provides strong degree of authentication protection
PSK keys automatically changed (rekeyed) and authenticated between devices after specified period of time or after set number of packets transmitted (rekey interval)
Employs consistent method for creating keys
• Uses shared secret entered at AP and devices
  - Random sequence of at least 20 characters or 24 hexadecimal digits
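How a passphrase acts as the seed for keys on the WPA and WPA2 PSK slides, as an added example that is not part of the original slides. The derivation (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 256-bit output) and the 8 to 63 character limit come from IEEE 802.11i rather than from the slides; the 20-character check applies the slide's recommendation, and the distinct-character threshold and sample values are assumptions of this example.

```python
import hashlib

PMK_LEN = 32                 # 256-bit pairwise master key
ITERATIONS = 4096            # iteration count fixed by IEEE 802.11i
SPEC_MIN, SPEC_MAX = 8, 63   # passphrase length limits in IEEE 802.11i
SLIDE_MIN = 20               # minimum length recommended on the slide
MIN_DISTINCT = 8             # heuristic threshold chosen for this example


def passphrase_findings(passphrase: str) -> list:
    """Return 'invalid: ...' (cannot be used) and 'weak: ...' (advisory) findings."""
    findings = []
    if not SPEC_MIN <= len(passphrase) <= SPEC_MAX:
        findings.append("invalid: length outside 8-63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        findings.append("invalid: characters outside printable ASCII")
    if len(passphrase) < SLIDE_MIN:
        findings.append("weak: shorter than 20 characters")
    if len(set(passphrase)) < MIN_DISTINCT:
        findings.append("weak: few distinct characters")
    return findings


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit key that the AP and every client compute from the PSK.

    Every input except the passphrase is public (the SSID is the salt), so the
    passphrase's unpredictability is the only secret protecting the result.
    """
    invalid = [f for f in passphrase_findings(passphrase) if f.startswith("invalid")]
    if invalid:
        raise ValueError("; ".join(invalid))
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, ITERATIONS, PMK_LEN)


def audit(passphrase: str, ssid: str) -> dict:
    return {
        "ssid": ssid,
        "pmk": derive_pmk(passphrase, ssid).hex(),
        "findings": passphrase_findings(passphrase),
    }


if __name__ == "__main__":
    # Constructed samples: the same passphrase on two SSIDs, then a longer one.
    for phrase, ssid in [("password", "IEEE"),
                         ("password", "office-wlan"),
                         ("kT9#vq2Lm!xR7pZd4&wYh3", "office-wlan")]:
        print(audit(phrase, ssid))
```

Because the SSID is the salt, the same passphrase yields a different key on each network name, which is one reason a non-default SSID and a long random passphrase belong together.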
67
WPA2 Personal Security: AES-CCMP Encryption
WPA2 personal security model encryption accomplished via AES
AES-CCMP: Encryption protocol in 802.11i
• CCMP based on Counter Mode with CBC-MAC (CCM) of AES encryption algorithm
• CCM provides data privacy
• CBC-MAC provides data integrity and authentication
AES processes blocks of 128 bits
• Cipher key length can be 128, 192 and 256 bits
• Number of rounds can be 10, 12, and 14
68
WPA2 Personal Security: AES-CCMP Encryption (continued)
AES encryption/decryption computationally intensive
• Better to perform in hardware
Table 9-5: Personal security model
69
Enterprise Security Model
Most secure level of security that can be achieved today for wireless LANs
• Designed for medium to large-size organizations
• Intended for setting with authentication server
Like personal security model, divided into sections for WPA and WPA2
Additional security tools available to increase network protection
70
WPA Enterprise Security: IEEE 802.1x Authentication
Uses port-based authentication mechanisms
Network supporting 802.1x standard should consist of three elements:
• Supplicant: Wireless device which requires secure network access
• Authenticator: Intermediary device accepting requests from supplicant
  - Can be an AP or a switch
• Authentication Server: Accepts requests from authenticator, grants or denies access
71
WPA Enterprise Security: IEEE 802.1x Authentication (continued)
Supplicant is software on a client implementing 802.1x framework
Authentication server stores list of names and credentials of authorized users
• Remote Authentication Dial-In User Service (RADIUS) typically used
  - Allows user profiles to be maintained in central database that all remote servers can share
72
WPA Enterprise Security: IEEE 802.1x Authentication
802.1x based on Extensible Authentication Protocol (EAP)
• Several variations:
  - EAP-Transport Layer Security (EAP-TLS)
  - Lightweight EAP (LEAP)
  - EAP-Tunneled TLS (EAP-TTLS)
  - Protected EAP (PEAP)
  - Flexible Authentication via Secure Tunneling (FAST)
• Each maps to different types of user logons, credentials, and databases used in authentication
73
WPA Enterprise Security: TKIP Encryption
TKIP is a “wrapper” around WEP
• Provides adequate encryption mechanism for WPA enterprise security
• Dovetails into existing WEP mechanism
Vulnerabilities may be exposed in the future
74
WPA2 Enterprise Security: IEEE 802.1x Authentication
Enterprise security model using WPA2 provides most secure level of authentication and encryption available on a WLAN
IEEE 802.1x is strongest type of wireless authentication currently available
Wi-Fi Alliance certifies WPA and WPA2 enterprise products using EAP-TLS
• Other EAP types not tested, but should run in a WPA or WPA2 environment
75
WPA2 Enterprise Security: AES-CCMP Encryption
AES: Block cipher that uses same key for encryption and decryption
• Bits encrypted in blocks of plaintext
  - Calculated independently
• Block size of 128 bits
• Three possible key lengths: 128, 192, and 256 bits
• WPA2/802.11i uses 128-bit key length
• Includes four stages that make up one round
  - Each round is iterated 10 times
76
WPA2 Enterprise Security: AES-CCMP Encryption (continued)
Table 9-6: Enterprise security model
77
Other Enterprise Security Tools: Virtual Private Network (VPN)
Virtual private network (VPN): Uses a public, unsecured network as if it were private, secured network
Two common types:
• Remote-access VPN: User-to-LAN connection used by remote users
• Site-to-site VPN: Multiple sites can connect to other sites over Internet
VPN transmissions are achieved through communicating with endpoints
78
Other Enterprise Security Tools: Virtual Private Network
Endpoint: End of tunnel between VPN devices
• Can be local software, dedicated hardware device, or even a firewall
VPNs can be used in WLAN setting
• Tunnel through WLAN for added security
Enterprise trusted gateway: Extension of VPN
• Pairs of devices create “trusted” VPN connection between themselves
• Can protect unencrypted packets better than a VPN endpoint
79
Other Enterprise Security Tools: Wireless Gateway
AP equipped with additional functionality
• Most APs are wireless gateways
  - Combine functionality of AP, router, network address translator, firewall, and switch
On enterprise level, wireless gateway may combine functionality of a VPN and an authentication server
• Can provide increased security for connected APs
80
Other Enterprise Security Tools: Wireless Intrusion Detection System (WIDS)
Intrusion-detection system (IDS): Monitors activity on network and what the packets are doing
• May perform specific function when attack detected
• May only report information, and not take action
Wireless IDS (WIDS): Constantly monitors RF frequency for attacks
• Based on database of attack signatures or on abnormal behavior
• Wireless sensors lie at heart of WIDS
• Hardware-based have limited coverage, software-based have extended coverage
81
Other Enterprise Security Tools: Captive Portal
Web page that wireless users are forced to visit before they are granted access to Internet
Used in one of the following ways:
• Notify users of wireless policies and rules
• Advertise to users specific services or products
• Authenticate users against a RADIUS server
Often used in public hotspots
CWNA Guide to Wireless LANs, Second Edition
Chapter Ten
Managing a Wireless LAN
83
Monitoring the Wireless Network
Network monitoring provides valuable data regarding current state of a network
• Generate network baseline
• Detect emerging problems
Monitoring a wireless network can be performed with two sets of tools:
• Utilities designed specifically for WLANs
• Standard networking tools
84
WLAN Monitoring Tools
Two classifications of tools:
• Operate on wireless device itself
• Function on AP
Device and Operating System Utilities:
• Most OSs provide basic utilities for monitoring the WLAN
• Some vendors provide more detailed utilities
85
WLAN Monitoring Tools
Access Point Utilities
• All APs have WLAN reporting utilities
• “Status” information sometimes just a summary of current AP configuration
  - No useful monitoring information
• Many enterprise-level APs provide utilities that offer three types of information:
  - Event logs
  - Statistics on wireless transmissions
  - Information regarding connection to wired Ethernet network
86
Standard Network Monitoring Tools
Drawbacks to relying solely on info from AP and wireless devices:
• Lack of retention of data
• Laborious and time-intensive data collection
• Data generally not collected in a timely manner
“Standard” network monitoring tools:
• Used on wired networks
• Proven to be reliable
• Simple Network Management Protocol (SNMP)
• Remote Monitoring (RMON)
87
Simple Network Management Protocol (SNMP)
Protocol allowing computers and network equipment to gather data about network performance
• Part of TCP/IP protocol suite
Software agent loaded onto each network device that will be managed using SNMP
• Monitors network traffic and stores info in management information base (MIB)
• SNMP management station: Computer with the SNMP management software
88
Simple Network Management Protocol (continued)
SNMP management station communicates with software agents on network devices
• Collects data stored in MIBs
• Combines and produces statistics about network
Whenever network exceeds predefined limit, triggers an SNMP trap
• Sent to management station
Implementing SNMP provides means to acquire wireless data for establishing baseline and generating alerts
89
Remote Monitoring (RMON)
SNMP-based tool used to monitor LANs connected via a wide area network (WAN)
• WANs provide communication over larger geographical area than LANs
Allows remote network node to gather network data at almost any point on a LAN or WAN
• Uses SNMP and incorporates special database for remote monitoring
WLAN AP can be monitored using RMON
• Gathers data regarding wireless and wired interfaces
90
Maintaining the Wireless Network
Wireless networks are not static
• Must continually be modified, adjusted, and tweaked
Modifications often made in response to data gathered during network monitoring
Two of most common functions:
• Updating AP firmware
• Adjusting antennas to enhance transmissions
91
Upgrading Firmware
Firmware: Software embedded into hardware to control the device
• Electronic “heart” of a hardware device
• Resides on EEPROM
  - Nonvolatile storage chip
Most APs use a browser-based management system
Keep APs current with latest changes by downloading the changes to the APs
92
Upgrading Firmware (continued)
General steps to update AP firmware:
• Download firmware from vendor’s Web site
• Select “Upgrade Firmware” or similar option from AP
• Enter location of firmware file
• Click Upgrade button
Enterprise-level APs often have enhanced firmware update capabilities
• e.g., may be able to update System firmware, Web Page firmware, and Radio firmware separately
93
Upgrading Firmware (continued)
With many enterprise-level APs, once a single AP has been upgraded to the latest firmware, can distribute to all other APs on the WLAN
• Receiving AP must be able to hear IP multicast issued by Distribution AP
• Receiving AP must be set to allow access through a Web browser
• If Receiving AP has specific security capabilities enabled, must contain in its approved user lists a user with the same user name, password, and capabilities as user logged into Distribution AP
94
Upgrading Firmware (continued)
RF site tuning: After firmware updates applied, adjusting APs’ settings
• Adjust radio power levels on all access points
  - Firmware upgrades may increase RF coverage areas
• Adjust channel settings
• Validate coverage area
• Modify integrity and throughput
• Document changes
95
Adjusting Antennas: RF Transmissions
May need to adjust antennas in response to firmware upgrades or changes in environment
• May require reorientation or repositioning
• May require new type of antenna
Radio frequency link between sender and receiver consists of three basic elements:
• Effective transmitting power
• Propagation loss
• Effective receiving sensibility
96
Adjusting Antennas: RF Transmissions (continued)
Figure 10-14: Radio frequency link
97
Adjusting Antennas: RF Transmissions (continued)
Link budget: Calculation to determine if signal will have proper strength when it reaches link’s end
• Required information:
  - Antenna gain
  - Free space path loss
  - Frequency of the link
  - Loss of each connector at the specified frequency
  - Number of connectors used
  - Path length
  - Power of the transmitter
98
Adjusting Antennas: RF Transmissions (continued)
Link budget (continued):
• Required information (continued):
  - Total length of transmission cable and loss per unit length at specified frequency
For proper WLAN performance, link budget must be greater than zero
• System operating margin (SOM)
• Good WLAN link has link budget over 6 dB
• Fade margin: Difference between strongest RF signal in an area and weakest signal that a receiver can process
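The link budget from the two slides above, worked through as an added example that is not part of the original slides. It assumes the margin is received power minus receiver sensitivity, uses the standard free space path loss formula in km and MHz, and runs on constructed equipment values; the field names and the "marginal" label for a margin between 0 and 6 dB are this example's own.

```python
import math
from dataclasses import dataclass, replace


def free_space_path_loss_db(path_km: float, freq_mhz: float) -> float:
    # Standard free space path loss for distance in km and frequency in MHz.
    return 20 * math.log10(path_km) + 20 * math.log10(freq_mhz) + 32.44


@dataclass(frozen=True)
class Link:
    tx_power_dbm: float           # power of the transmitter
    tx_gain_dbi: float            # antenna gain, transmit side
    rx_gain_dbi: float            # antenna gain, receive side
    freq_mhz: float               # frequency of the link
    path_km: float                # path length
    connectors: int               # number of connectors used
    loss_per_connector_db: float  # loss of each connector at this frequency
    cable_m: float                # total length of transmission cable
    cable_loss_db_per_m: float    # cable loss per unit length at this frequency
    rx_sensitivity_dbm: float     # weakest signal the receiver can process

    def fixed_losses_db(self) -> float:
        return (self.connectors * self.loss_per_connector_db
                + self.cable_m * self.cable_loss_db_per_m)

    def received_dbm(self) -> float:
        return (self.tx_power_dbm + self.tx_gain_dbi + self.rx_gain_dbi
                - self.fixed_losses_db()
                - free_space_path_loss_db(self.path_km, self.freq_mhz))

    def margin_db(self) -> float:
        # System operating margin: how far the signal sits above sensitivity.
        return self.received_dbm() - self.rx_sensitivity_dbm

    def verdict(self) -> str:
        margin = self.margin_db()
        if margin <= 0:
            return "no link"
        return "good" if margin > 6 else "marginal"

    def max_path_km(self, required_margin_db: float) -> float:
        """Longest free-space path that still leaves the required margin."""
        allowed_fspl = (self.tx_power_dbm + self.tx_gain_dbi + self.rx_gain_dbi
                        - self.fixed_losses_db() - self.rx_sensitivity_dbm
                        - required_margin_db)
        return 10 ** ((allowed_fspl - 32.44 - 20 * math.log10(self.freq_mhz)) / 20)


# Constructed sample: 100 mW AP on channel 6 with small omnidirectional antennas.
SAMPLE = Link(tx_power_dbm=20, tx_gain_dbi=2.2, rx_gain_dbi=2.2, freq_mhz=2437,
              path_km=0.1, connectors=4, loss_per_connector_db=0.5,
              cable_m=6, cable_loss_db_per_m=0.2, rx_sensitivity_dbm=-85)

if __name__ == "__main__":
    for km in (0.1, 1.5, 3.0):
        link = replace(SAMPLE, path_km=km)
        print(f"{km:4.1f} km  margin {link.margin_db():6.2f} dB  {link.verdict()}")
    print(f"6 dB margin holds out to {SAMPLE.max_path_km(6):.2f} km in free space")
```

Calling `max_path_km(0)` gives the free-space distance at which the signal is still receivable, which is the figure to compare against the site boundary when checking how far coverage extends beyond the premises.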
99
Adjusting Antennas: RF Transmissions (continued)
Attenuation (loss): Negative difference in amplitude between RF signals
• Absorption
• Reflection
• Scattering
• Refraction
• Diffraction
• Voltage Standing Wave Ratio
100
Adjusting Antennas: Antenna Types
Rod antenna: Antenna typically used on a WLAN
• Omnidirectional
• 360 degree radiation pattern
• Transmission pattern focused along horizontal plane
• Increasing length creates “tighter” 360-degree beam
Sectorized antenna: “Cuts” standard 360-degree pattern into four quarters
• Each quarter has own transmitter and antenna
• Can adjust power to each sector independently
101
Adjusting Antennas: Antenna Types (continued)
Panel antenna: Typically used in outdoor areas
• “Tight” beamwidth
Phase shifter: Allows wireless device to use a beam steering antenna to improve receiver performance
• Direct transmit antenna pattern to target
Phased array antenna: Incorporates network of phase shifters, allowing antenna to be pointed electronically in microseconds
• Without physical realignment or movement
102
Adjusting Antennas: Antenna Types (continued)
Radiation pattern emitting from antennas travels in three-dimensional “donut” form
• Azimuth and elevation planes
Antenna Accessories:
• Transmission problem can be resolved by adding “accessories” to antenna system
• Provide additional power to the antenna, decrease power when necessary, or provide additional functionality
103
Adjusting Antennas: Antenna Types (continued)
Figure 10-17: Azimuth and elevation pattern
104
Adjusting Antennas: RF Amplifier
Increases amplitude of an RF signal
• Signal gain
Unidirectional amplifier: Increases RF signal level before injected into transmitting antenna
Bidirectional amplifier: Boosts RF signal before injected into device containing the antenna
• Most amplifiers for APs are bidirectional
105
Adjusting Antennas: RF Attenuators
Decrease RF signal
• May be used when gain of an antenna did not match power output of an AP
Fixed-loss attenuators: Limit RF power by set amount
Variable-loss attenuators: Allow user to set amount of loss
Fixed-loss attenuators are the only type permitted by the FCC for WLAN systems
106
Adjusting Antennas: Cables and Connectors
Basic rules for selecting cables and connectors:
• Ensure connector matches electrical capacity of cable and device, along with type and gender of connector
• Use high-quality connectors and cables
• Make cable lengths as short as possible
• Make sure cables match electrical capacity of connectors
• Try to purchase pre-manufactured cables
• Use splitters sparingly
107
Adjusting Antennas: Lightning Arrestor
Antennas can inadvertently pick up high electrical discharges
• From nearby lightning strike or contact with high-voltage electrical source
Lightning Arrestor: Limits amplitude and disturbing interference voltages by channeling them to ground
• Designed to be installed between antenna cable and wireless device
  • One end (3) connects to antenna
  • Other end (2) connects to wireless device
  • Ground lug (1) connects to grounded cable
108
Establishing a Wireless Security Policy
One of most important acts in managing a WLAN
• Should be backbone of any wireless network
• Without it, no effective wireless security
109
General Security Policy Elements
Security policy: Document or series of documents clearly defining the defense mechanisms an organization will employ to keep information secure
• Outlines how to respond to attacks and information security duties/responsibilities of employees
Three key elements:
• Risk assessment
• Security auditing
• Impact analysis
110
Risk Assessment
Determine nature of risks to organization’s assets
• First step in creating security policy
Asset: Any item with positive economic value
• Physical assets
• Data
• Software
• Hardware
• Personnel
Assets should be assigned numeric values indicating relative value to organization
111
Risk Assessment (continued)
Factors to consider in determining relative value:
• How critical is this asset to the goals of the organization?
• How much profit does it generate?
• How much revenue does it generate?
• What is the cost to replace it?
• How much does it cost to protect it?
• How difficult would it be to replace it?
• How quickly can it be replaced?
• What is the security impact if this asset is unavailable?
112
Risk Assessment (continued)
Table 10-1: Threats to information security
113
Security Auditing
Determining what current security weaknesses may expose assets to threats
• Takes current snapshot of wireless security of organization
Each threat may reveal multiple vulnerabilities
Vulnerability scanners: Tools that can compare an asset against database of known vulnerabilities
• Produce discovery report that exposes the vulnerability and assesses its severity
114
Impact Analysis
Involves determining likelihood that vulnerability is a risk to organization
Each vulnerability can be ranked:
• No impact
• Small impact
• Significant
• Major
• Catastrophic
Next, estimate probability that vulnerability will actually occur
• Rank on scale of 1 to 10
115
Impact Analysis (continued)
Final step is to determine what to do about risks
• Accept the risk
• Diminish the risk
• Transfer the risk
Desirable to diminish all risks to some degree
• If not possible, risks for most important assets should be reduced first
116
Functional Security Policy Elements
Baseline practices: Establish benchmark for actions using wireless network
• Can be used for creating design and implementation practices
  • Foundation of what conduct is acceptable on the WLAN
Security policy must specifically identify physical security
• Prevent unauthorized users from reaching equipment in order to use, steal, or vandalize it