Page 1: CWNA Guide to Wireless LANs, Second Edition Chapter Seven thru Ten Review

CWNA Guide to Wireless LANs, Second Edition
Chapter Seven thru Ten Review

Page 2

Note: Many of the test questions will come from these charts. I will still be updating the slides through Monday night. But only minor changes will be made.

Page 3

What is a Site Survey?

When installing a WLAN for an organization, areas of dead space might not be tolerated
• Ensure blanket coverage, meet per-user bandwidth requirements, minimize “bleeding” of signal

Factors affecting wireless coverage goals:
• Devices emitting RF signals
• Building structure (walls, construction materials)
• Open or closed office doors
• Stationary versus mobile machinery/equipment
• Movement of mobile walls (e.g., cubicles)

Page 4

What is a Site Survey?

Factors affecting wireless coverage goals:
• Expansion of physical plant or growth of organization
• Existing WLANs
  • Both inside organization, and within nearby organizations

Site survey: Process of planning a WLAN to meet design goals
• Effectiveness of a WLAN often linked to thoroughness of the site survey

Page 5

What is a Site Survey?

Design goals for a site survey:
• Achieve best possible performance from WLAN
• Certify that installation will operate as promised
• Determine best location for APs
• Develop networks optimized for variety of applications
• Ensure coverage will fulfill organization’s requirements
• Locate unauthorized APs

Page 6

What is a Site Survey?

Design goals for a site survey (continued):
• Map nearby wireless networks to determine existing radio interference
• Reduce radio interference as much as possible
• Make wireless network secure

Survey provides realistic understanding of infrastructure required for proposed wireless link
• Assists in predicting network capability and throughput
• Helps determine exact location of APs and power levels required

Page 7

What is a Site Survey?

When to perform a site survey:
• Before installing a new wireless network
• Before changing an existing wireless network
• When there are significant changes in personnel
• When there are changes in network needs
• After making physical changes to a building

Page 8

Site Survey Tools: Wireless Tools

Most basic tool is the AP itself:
• Position in various locations
• Monitor signal as you move
• APs should have ability to adjust output power
• APs should have external antenna connectors

Notebook computer with wireless NIC also essential for testing
• Previously configured and tested

Page 9

Site Survey Tools: Measurement Tools

Site Survey Analyzers: Specifically designed for conducting WLAN site surveys
• Software often built into AP
• Receive Signal Strength Indicator (RSSI) value
• Full-featured site survey analyzer software settings:
  • Destination MAC Address
  • Continuous Link Test
  • Number of Packets
  • Packet Size
  • Data Retries

Page 10

Site Survey Tools: Measurement Tools

Site Survey Analyzers (continued):
• Full-featured site survey analyzer software settings (continued):
  • Data Rate
  • Delay Between Packets
  • Packet Tx Type
    • Unicast or multicast
  • Percent Success Threshold
• Basic survey analyzer software contains far fewer features

Page 11

Site Survey Tools: Measurement Tools

Spectrum Analyzers: Scan radio frequency spectrum and provide graphical display of results
• Typically measure signal-to-noise ratio
• Single-frequency analyzers measure signal-to-noise ratio at specified frequency
• Helpful in identifying interference problems
  • Thus, helps properly position/orient AP

Page 12

Site Survey Tools: Measurement Tools (continued)

Network Analyzers: Can be used to pick up packets being transmitted by other WLANs in area
• Provide additional information on transmissions
• Packet sniffers or protocol analyzers
• Not used in placement of AP

Page 13

Site Survey Tools: Documentation Tools

Create a “hard copy” of site survey results
• Make available for future reference
• No industry-standard form for site survey documentation

Site survey report should include:
• Purpose of report
• Survey methods
• RF coverage details (frequency and channel plan)
• Throughput findings
• Sources of interference

Page 14

Site Survey Tools: Documentation Tools

Site survey report should include (continued):
• Problem zones
• Marked-up facility drawings with access point placement
• Access point configuration

Use building layout blueprints as tools
Advisable to create database to store site survey information and generate reports

Page 15

Site Survey Tools: Documentation Tools

Figure 7-9: Sample site survey form

Page 16

Performing a Site Survey: Gathering Data

Obtaining Business Requirements: Determine business reasons why WLAN is being proposed or extended
• If this step is skipped, almost impossible to properly design and implement the network
• Primary data gathering method is interviewing
• Must determine type of mobility required within organization
• Must determine per-user bandwidth requirements
  • May be different “types” of users with different bandwidth requirements

Page 17

Performing a Site Survey: Gathering Data

Defining Security Requirements: Consider type of data encryption and type of authentication that will take place across WLAN
• Consider existing security policies and procedures

Gathering Site-Specific Documentation:
• Blueprints, facility drawings, and other documents
  • Show specific building infrastructure components
• Inspecting the site
  • Document changes to blueprints and get visual perspective

Page 18

Performing a Site Survey: Gathering Data (continued)

Gathering Site-Specific Documentation (continued):
• Behind-the-scenes site inspection

Documenting Existing Network Characteristics:
• New or expanded WLAN will “dovetail” into network already in place
• Determine degree to which WLAN will interact with other wired networks
• Legacy systems may require additional equipment to support WLAN

Page 19

Performing a Site Survey: Performing the Survey

Collecting RF Information:
• Note objects in and layout of room
  • Use digital camera
• Position AP
  • Initial location will depend on antenna type
  • Document starting position of AP
• Using notebook computer with site survey analyzer software running, walk slowly away from AP
  • Observe data displayed by analyzer program
  • Data rate, signal strength, noise floor, and signal-to-noise ratio

Page 20

Performing a Site Survey: Performing the Survey

Collecting RF Information:
• Continue moving until data collected for all areas
• Data collected used to produce:
  • Coverage pattern: Area where signal can be received from the AP
  • Data rate boundaries: Range of coverage for a specific transmission speed
  • Throughput: Number of packets sent and received and data rates for each
  • Total transmission range: Farthest distance at which signal can be received by wireless device

Page 21

Performing a Site Survey: Performing the Survey

Collecting Non-RF Information: Outdoor Surveys:
• Similar to indoor surveys
• Must consider: climatic conditions, trees, different possibilities for antenna positions, permits and zoning

Page 22

CWNA Guide to Wireless LANs, Second Edition
Chapter Eight
Wireless LAN Security and Vulnerabilities

Page 23

Security Principles: What is Information Security?

Information security: Task of guarding digital information
• Ensures protective measures properly implemented
• Protects confidentiality, integrity, and availability (CIA) on the devices that store, manipulate, and transmit the information through products, people, and procedures

Page 24

Security Principles: Challenges of Securing Information

Trends influencing increasing difficulty in information security:
• Speed of attacks
• Sophistication of attacks
• Faster detection of weaknesses
  • Day zero attacks
• Distributed attacks
  • The “many against one” approach
  • Impossible to stop attack by trying to identify and block source

Page 25

Security Principles: Categories of Attackers

Six categories of attackers:
• Hackers
  • Not malicious; expose security flaws
• Crackers
• Script kiddies
• Spies
• Employees
• Cyberterrorists

Page 26

Security Principles: Security Organizations

Many security organizations exist to provide security information, assistance, and training
• Computer Emergency Response Team Coordination Center (CERT/CC)
• Forum of Incident Response and Security Teams (FIRST)
• InfraGard
• Information Systems Security Association (ISSA)
• National Security Institute (NSI)
• SysAdmin, Audit, Network, Security (SANS) Institute

Page 27

Basic IEEE 802.11 Security Protections

Data transmitted by a WLAN could be intercepted and viewed by an attacker
• Important that basic wireless security protections be built into WLANs

Three categories of WLAN protections:
• Access control
• Wired equivalent privacy (WEP)
• Authentication

Some protections specified by IEEE, while others left to vendors

Page 28

Access Control

Intended to guard availability of information
Wireless access control: Limit user’s admission to AP
• Filtering
  • Media Access Control (MAC) address filtering: Based on a node’s unique MAC address

Page 29

Access Control

MAC address filtering considered to be a basic means of controlling access
• Requires pre-approved authentication
• Difficult to provide temporary access for “guest” devices

Page 30

Wired Equivalent Privacy (WEP)

Guard the confidentiality of information
• Ensure only authorized parties can view it

Used in IEEE 802.11 to encrypt wireless transmissions
• “Scrambling”

Page 31

WEP: Cryptography

Cryptography: Science of transforming information so that it is secure while being transmitted or stored
• “Scrambles” data

Encryption: Transforming plaintext to ciphertext
Decryption: Transforming ciphertext to plaintext
Cipher: An encryption algorithm
• Given a key that is used to encrypt and decrypt messages
• Weak keys: Keys that are easily discovered

Page 32

WEP: Implementation

IEEE 802.11 cryptography objectives:
• Efficient
• Exportable
• Optional
• Reasonably strong
• Self-synchronizing

WEP relies on secret key “shared” between a wireless device and the AP
• Same key installed on device and AP
• Private key cryptography or symmetric encryption

Page 33

WEP: Implementation

WEP shared secret keys must be at least 40 bits
• Most vendors use 104 bits

Options for creating WEP keys:
• 40-bit WEP shared secret key (5 ASCII characters or 10 hexadecimal characters)
• 104-bit WEP shared secret key (13 ASCII characters or 16 hexadecimal characters)
• Passphrase (16 ASCII characters)

APs and wireless devices can store up to four shared secret keys
• Default key used for all encryption

Page 34

WEP: Implementation

When encrypted frame arrives at destination:
• Receiving device separates IV from ciphertext
• Combines IV with appropriate secret key
  • Create a keystream
• Keystream used to extract text and ICV
• Text run through CRC
  • Ensure ICVs match and nothing lost in transmission

Generating keystream using the PRNG is based on the RC4 cipher algorithm
• Stream cipher
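The receive-side processing described on this slide, as an added example (not code from the book): the RC4 keystream is built from the IV and the shared key, the CRC-32 ICV is recomputed over the recovered text, and a frame whose ICVs do not match is refused. The key, IV and payload are constructed values.

```python
"""WEP frame protection as on this slide: RC4 keystream from IV + shared key,
CRC-32 integrity check value (ICV), and the receiver's ICV comparison.
Added example; key, IV and payload below are constructed, not from the book."""
import struct
import zlib

IV_LEN = 3      # 24-bit initialization vector, sent in the clear
ICV_LEN = 4     # 32-bit CRC appended to the plaintext before encryption


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 stream cipher: key-scheduling (KSA) then pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S under the seed
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Sender: frame body = IV || key-id byte || RC4(IV||key) XOR (plaintext || ICV)."""
    if len(key) not in (5, 13):
        raise ValueError("WEP key must be 40 bits (5 bytes) or 104 bits (13 bytes)")
    if len(iv) != IV_LEN or not 0 <= key_id <= 3:
        raise ValueError("IV must be 3 bytes and key id one of the four stored keys")
    keystream = rc4_keystream(iv + key, len(plaintext) + ICV_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext + icv(plaintext), keystream))
    return iv + bytes([key_id << 6]) + body


def wep_decrypt(keys, frame: bytes) -> bytes:
    """Receiver: separate IV, pick the stored key by key id, rebuild the keystream,
    split text and ICV, rerun CRC and refuse the frame if the ICVs differ."""
    if len(frame) < IV_LEN + 1 + ICV_LEN:
        raise ValueError("frame too short to carry IV, key id and ICV")
    iv, key_id = frame[:IV_LEN], frame[IV_LEN] >> 6
    body = frame[IV_LEN + 1:]
    keystream = rc4_keystream(iv + keys[key_id], len(body))
    decrypted = bytes(a ^ b for a, b in zip(body, keystream))
    text, received_icv = decrypted[:-ICV_LEN], decrypted[-ICV_LEN:]
    if received_icv != icv(text):
        raise ValueError("ICV mismatch: frame altered or damaged in transit")
    return text


def demo() -> dict:
    """Round trip with a constructed 40-bit key, then a frame with one flipped bit."""
    keys = [b"\x0f\x1e\x2d\x3c\x4b", b"", b"", b""]   # key id 0 is the default key
    frame = wep_encrypt(keys[0], b"\x01\x02\x03", b"RSSI -61 dBm at point A7")
    recovered = wep_decrypt(keys, frame)
    damaged = bytearray(frame)
    damaged[-1] ^= 0x80                      # corrupt the last ICV byte on the air
    try:
        wep_decrypt(keys, bytes(damaged))
        rejected = False
    except ValueError:
        rejected = True
    return {"frame": frame, "recovered": recovered, "damaged_rejected": rejected}
```

Note that the ICV is a plain CRC computed before encryption, which is why the next chapter's WPA material adds a keyed message integrity check instead.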

Page 35

Vulnerabilities of IEEE 802.11 Security

IEEE 802.11 standard’s security mechanisms for wireless networks have fallen short of their goal

Vulnerabilities exist in:
• Authentication
• Address filtering
• WEP

Page 36

Open System Authentication Vulnerabilities

Inherently weak
• Based only on match of SSIDs
• SSID beaconed from AP during passive scanning
  • Easy to discover

Vulnerabilities:
• Beaconing SSID is default mode in all APs
• Not all APs allow beaconing to be turned off
  • Or manufacturer recommends against it
• SSID initially transmitted in plaintext (unencrypted)

Page 37

Other Wireless Attacks: Denial of Service (DoS) Attack

Standard DoS attack attempts to make a server or other network device unavailable by flooding it with requests
• Attacking computers programmed to request, but not respond

Wireless DoS attacks are different:
• Jamming: Prevents wireless devices from transmitting
• Forcing a device to continually dissociate and re-associate with AP

Page 38

Wireless Security Problems

Common Techniques to Compromise Wireless Data Networks:
• Rogue Access Point Insertion
• Traffic Sniffing
• Traffic Data Insertion
• ARP-Snooping (via “Dsniff”) – trick wired network to pass data over wireless

Page 39

Security Overview: Authentication

Determines:
• If you are who you say you are
• If (and what) access rights are granted

Examples are:
• “Smart Card” - SecureId® Server/Cards
• S/Key – One time password
• Digital Certificates

Page 40

WEP (Wired Equivalent Privacy)

RC4 (Rivest Cipher 4 / Ron’s Code 4) Encryption Algorithm <http://www.cebrasoft.co.uk/encryption/rc4.htm>

Shared (but static) secret 64 or 128-bit key to encrypt and decrypt the data
• 24-bit ‘initialization vector’ (semi-random) leaving only 40 or 104 bits as the ‘real key’

WEP Key Cracking Software
• WEPCrack / AirSnort / Aircrack (as well as others)
• Cracking Time: 64-bit key = 2 seconds; 128-bit key = ~3-10 minutes

www.netcraftsmen.net/welcher/papers/wlansec01.html and www.tomsnetworking.com/Sections-article111-page4.php

Page 41

WPA and WPA2 (WiFi Protected Access)

Created by the Wi-Fi Alliance industry group due to excessive delays in 802.11i approval
WPA and WPA2 designed to be backward compatible with WEP
Closely mirrors the official IEEE 802.11i standards but with EAP (Extensible Authentication Protocol)
Contains both authentication and encryption components
Designed to address WEP vulnerabilities

Page 42

WPA / WPA2 Encryption

WPA
• Mandates TKIP (Temporal Key Integrity Protocol)
  • Scheduled Shared Key Change (i.e., every 10,000 data packets)
• Optionally specifies AES (Advanced Encryption Standard) capability

WPA will essentially fall back to WEP-level security if even a single device on a network cannot use WPA

WPA2
• Mandates both TKIP and AES capability

WPA / WPA2 networks will drop any altered packet or shut down for 30 seconds whenever a message alteration attack is detected.

Page 43

WPA / WPA2 (Cont’d)

Personal Pre-shared Key
• User-entered 8 – 63 ASCII character passphrase produces a 256-bit Pre-Shared Key
• To minimize/prevent key cracking, use a minimum of 21 characters for the passphrase
• Key Generation
  • Passphrase, SSID, and the SSID length are hashed 4096 times to generate a value of 256 bits

WPA Key Cracking Software
• coWPAtty / WPA Cracker (as well as others)
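The key generation on this slide, as an added example (not the book's code): the passphrase is checked against the 8 to 63 ASCII-character rule, then hashed with the SSID through 4096 HMAC-SHA1 rounds (PBKDF2) into a 256-bit PSK, once via the standard library and once with the rounds written out so the iteration count is visible. The passphrase and SSID values are constructed, and the 21-character check follows the slide's advice.

```python
"""WPA/WPA2-Personal pre-shared key derivation as on this slide: the passphrase
and SSID are hashed 4096 times (PBKDF2-HMAC-SHA1) into a 256-bit PSK.
Added example, not the book's code; passphrase and SSID values are constructed."""
import hashlib
import hmac

ITERATIONS = 4096
PSK_LEN = 32          # 256 bits
MIN_LEN, MAX_LEN = 8, 63
ADVISED_MIN_LEN = 21  # the slide's advice for resisting passphrase cracking


def check_passphrase(passphrase: str) -> None:
    """Enforce the 8-63 printable-ASCII rule from the slide."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError(f"passphrase must be {MIN_LEN}-{MAX_LEN} characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Library form: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PSK_LEN)


def wpa_psk_spelled_out(passphrase: str, ssid: str) -> bytes:
    """The same derivation with the 4096 HMAC-SHA1 rounds written out.
    SHA-1 yields 20 bytes, so two PBKDF2 blocks are computed and the result
    truncated to 32 bytes; the SSID (and hence its length) acts as the salt."""
    check_passphrase(passphrase)
    pw, salt = passphrase.encode("ascii"), ssid.encode("utf-8")
    psk = b""
    for block in (1, 2):
        u = hmac.new(pw, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        acc = int.from_bytes(u, "big")
        for _ in range(ITERATIONS - 1):          # remaining 4095 rounds
            u = hmac.new(pw, u, hashlib.sha1).digest()
            acc ^= int.from_bytes(u, "big")      # XOR all rounds together
        psk += acc.to_bytes(20, "big")
    return psk[:PSK_LEN]


def below_advised_length(passphrase: str) -> bool:
    """True when the passphrase is shorter than the 21 characters the slide advises."""
    return len(passphrase) < ADVISED_MIN_LEN
```

Because the SSID is the salt, the same passphrase yields a different PSK on every network name, which is why a precomputed table only helps against common SSIDs and why a long passphrase is the practical defence.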

Page 44

WPA / WPA2 Authentication (Since Extended EAP - May 2005)

Now Five WPA / WPA2 Enterprise Standards

1. EAP-TLS
   a. Original EAP Protocol
   b. Among most secure but seldom implemented as it needs a client-side certificate, i.e., smartcard (SecurId Key Fob http://www.securid.com/)

Page 45

CWNA Guide to Wireless LANs, Second Edition

Chapter Nine
Implementing Wireless LAN Security

Page 46

Objectives

• List wireless security solutions
• Tell the components of the transitional security model
• Describe the personal security model
• List the components that make up the enterprise security model

Page 47

Wireless Security Solutions

• IEEE 802.11a and 802.11b standards included the WEP specification
  - Vulnerabilities quickly realized
  - Organizations implemented "quick fixes"
    - Did not adequately address encryption and authentication
• IEEE and Wi-Fi Alliance started working on comprehensive solutions
  - IEEE 802.11i and Wi-Fi Protected Access (WPA)
    - Foundations of today's wireless security

Page 48

WEP2

• Attempted to overcome WEP limitations
  - Adding two new security enhancements
    - WEP key increased to 128 bits
    - Kerberos authentication
      - User issued "ticket" by Kerberos server
      - Presents ticket to network for a service
  - Used to authenticate user
• No more secure than WEP
  - Collisions still occur
  - Dictionary-based attacks available

Page 49

Dynamic WEP

• Solves weak IV problem by rotating keys frequently
  - More difficult to crack encrypted packet
• Different keys for unicast and broadcast traffic
  - Unicast WEP key unique to each user's session
    - Dynamically generated and changed frequently
      - For example, when roaming to a new AP
  - Broadcast WEP key must be same for all users on a particular subnet and AP

Page 50

Dynamic WEP (continued)

• Can be implemented without upgrading device drivers or AP firmware
  - No cost and minimal effort to deploy
• Does not protect against man-in-the-middle attacks
• Susceptible to DoS attacks

Page 51

IEEE 802.11i

• Provides good wireless security model
  - Robust security network (RSN)
  - Addresses both encryption and authentication
• Encryption accomplished by replacing RC4 with a block cipher
  - Manipulates entire block of plaintext at one time
• Block cipher used is Advanced Encryption Standard (AES)
  - Three-step process
  - Second step consists of multiple rounds of encryption

Page 52

IEEE 802.11i (continued)

Table 9-1: Time needed to break AES

Page 53

IEEE 802.11i (continued)

• IEEE 802.11i authentication and key management is accomplished by the IEEE 802.1x standard
  - Implements port security
    - Blocks all traffic on a port-by-port basis until the client is authenticated using credentials stored on an authentication server
• Key-caching: Stores information from a device on the network, for faster re-authentication
• Pre-authentication: Allows a device to become authenticated to an AP before moving to it

Page 54

IEEE 802.11i (continued)

Figure 9-2: IEEE 802.1x

Page 55

Wi-Fi Protected Access (WPA)

• Subset of 802.11i that addresses encryption and authentication
• Temporal Key Integrity Protocol (TKIP): Replaces WEP's encryption key with a 128-bit per-packet key
  - Dynamically generates new key for each packet
    - Prevents collisions
  - Authentication server can use 802.1x to produce unique master key for user sessions
  - Creates automated key hierarchy and management system

Page 56

Wi-Fi Protected Access (continued)

• Message Integrity Check (MIC): Designed to prevent attackers from capturing, altering, and resending data packets
  - Replaces CRC from WEP
  - CRC does not adequately protect data integrity
• Authentication accomplished via IEEE 802.1x or pre-shared key (PSK) technology
  - PSK passphrase serves as seed for generating keys

Page 57

Wi-Fi Protected Access 2 (WPA2)

• Second generation of WPA security
  - Based on final IEEE 802.11i standard
  - Uses AES for data encryption
  - Supports IEEE 802.1x authentication or PSK technology
  - Allows both AES and TKIP clients to operate in same WLAN

Page 58

Summary of Wireless Security Solutions (continued)

Table 9-3: Wireless security solutions

Table 9-2: Wi-Fi modes

Page 59

Transitional Security Model

• Transitional wireless implementation
  - Should be temporary
    - Until migration to stronger wireless security is possible
  - Should implement basic level of security for a WLAN
    - Including authentication and encryption

Page 60

Authentication: Shared Key Authentication

• First and perhaps most important step
  - Uses WEP keys
• Networks that support multiple devices should use all four keys
  - Same key should not be designated as default on each device

Page 61

Authentication: SSID Beaconing

• Turn off SSID beaconing by configuring APs to not include it
  - Beaconing the SSID is default mode for all APs
• Good practice to use cryptic SSID
  - Should not provide any information to attackers

Page 62

WEP Encryption

• Although vulnerabilities exist, should be turned on if no other options for encryption are available
  - Use longest WEP key available
  - May prevent script kiddies or "casual" eavesdroppers from attacking

Table 9-4: Transitional security model

Page 63

Personal Security Model

• Designed for single users or small office home office (SOHO) settings
  - Generally 10 or fewer wireless devices
• Two sections:
  - WPA: Older equipment
  - WPA2: Newer equipment

Page 64

WPA Personal Security: PSK Authentication

• Uses passphrase (PSK) that is manually entered to generate the encryption key
  - PSK used as a seed for creating encryption keys
• Key must be created and entered in AP and also on any wireless device ("shared") prior to ("pre") the devices communicating with AP

Page 65

WPA Personal Security: TKIP Encryption

• TKIP is a substitute for WEP encryption
  - Fits into WEP procedure with minimal change
• Device starts with two keys:
  - 128-bit temporal key
  - 64-bit MIC
• Three major components to address vulnerabilities:
  - MIC
  - IV sequence
  - TKIP key mixing
• TKIP required in WPA
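Added example, not from the textbook or these slides, serving the 64-bit MIC on this slide and the MIC bullet on slide 56: a Python implementation of Michael, the TKIP message integrity check, and a receive-side check that drops altered frames and applies the countermeasure shutdown described on slide 42. The block function, the padding and the DA || SA || priority input layout follow IEEE 802.11i; the 60 s failure window is the standard's figure and is an assumption of this example, while the 30 s shutdown is the number the slides give. The key, addresses and payload are constructed.

```python
import hmac
import struct
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def _rol32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror32(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x: int) -> int:
    # swap the two bytes inside each 16-bit half of the word
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _michael_block(l: int, r: int) -> Tuple[int, int]:
    r ^= _rol32(l, 17)
    l = (l + r) & MASK32
    r ^= _xswap(l)
    l = (l + r) & MASK32
    r ^= _rol32(l, 3)
    l = (l + r) & MASK32
    r ^= _ror32(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael(key: bytes, message: bytes) -> bytes:
    """The 64-bit TKIP MIC ("Michael") of message under an 8-byte key."""
    if len(key) != 8:
        raise ValueError("Michael key is 64 bits")
    l, r = struct.unpack("<II", key)
    # padding: one 0x5a byte, then at least four 0x00 bytes, up to a multiple of 4
    padded = message + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)


def mic_input(da: bytes, sa: bytes, priority: int, payload: bytes) -> bytes:
    """TKIP computes the MIC over DA || SA || priority || 3 zero bytes || MSDU,
    so redirecting a frame to another address also invalidates its MIC."""
    return da + sa + bytes([priority, 0, 0, 0]) + payload


class TkipReceiver:
    """Receive-side MIC check with the countermeasure the slides describe.

    An altered frame is dropped; a detected alteration attack (assumed here to
    be two MIC failures within 60 s, as in 802.11i) shuts the link down for
    the 30 s the slides give."""

    FAILURE_WINDOW_S = 60.0   # assumption (802.11i figure), not on the slides
    SHUTDOWN_S = 30.0         # the shutdown period stated on slide 42

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.failures: List[float] = []
        self.shutdown_until = 0.0

    def receive(self, da: bytes, sa: bytes, priority: int, payload: bytes,
                received_mic: bytes, now: float) -> str:
        if now < self.shutdown_until:
            return "dropped:countermeasures-active"
        expected = michael(self.mic_key, mic_input(da, sa, priority, payload))
        if hmac.compare_digest(expected, received_mic):
            return "accepted"
        # MIC failure: drop the frame and remember when it happened
        self.failures = [t for t in self.failures if now - t < self.FAILURE_WINDOW_S]
        self.failures.append(now)
        if len(self.failures) >= 2:
            self.failures.clear()
            self.shutdown_until = now + self.SHUTDOWN_S
            return "dropped:countermeasures-triggered"
        return "dropped:mic-failure"


if __name__ == "__main__":
    # 802.11i test vector: all-zero key, empty message -> 82925c1ca1d130b8
    print(michael(bytes(8), b"").hex())
```

Michael is deliberately cheap (a few shifts and adds per word) so it fits the original WEP hardware, which is why it is paired with the countermeasure shutdown rather than relied on alone; the receiver above shows the combined behaviour rather than the MIC in isolation.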

Page 66

WPA2 Personal Security: PSK Authentication

• PSK intended for personal and SOHO users without enterprise authentication server
  - Provides strong degree of authentication protection
• PSK keys automatically changed (rekeyed) and authenticated between devices after specified period of time or after set number of packets transmitted (rekey interval)
• Employs consistent method for creating keys
  - Uses shared secret entered at AP and devices
    - Random sequence of at least 20 characters or 24 hexadecimal digits

Page 67

WPA2 Personal Security: AES-CCMP Encryption

• WPA2 personal security model encryption accomplished via AES
• AES-CCMP: Encryption protocol in 802.11i
  - CCMP based on Counter Mode with CBC-MAC (CCM) of AES encryption algorithm
  - CCM provides data privacy
  - CBC-MAC provides data integrity and authentication
• AES processes blocks of 128 bits
  - Cipher key length can be 128, 192, or 256 bits
  - Number of rounds can be 10, 12, or 14

Page 68

WPA2 Personal Security: AES-CCMP Encryption (continued)

• AES encryption/decryption computationally intensive
  - Better to perform in hardware

Table 9-5: Personal security model

Page 69

Enterprise Security Model

• Most secure level of security that can be achieved today for wireless LANs
  - Designed for medium to large-size organizations
  - Intended for settings with an authentication server
• Like personal security model, divided into sections for WPA and WPA2
• Additional security tools available to increase network protection

Page 70

WPA Enterprise Security: IEEE 802.1x Authentication

• Uses port-based authentication mechanisms
• Network supporting 802.1x standard should consist of three elements:
  - Supplicant: Wireless device which requires secure network access
  - Authenticator: Intermediary device accepting requests from supplicant
    - Can be an AP or a switch
  - Authentication Server: Accepts requests from authenticator, grants or denies access

Page 71

WPA Enterprise Security: IEEE 802.1x Authentication (continued)

• Supplicant is software on a client implementing 802.1x framework
• Authentication server stores list of names and credentials of authorized users
  - Remote Authentication Dial-In User Service (RADIUS) typically used
    - Allows user profiles to be maintained in central database that all remote servers can share

Page 72

WPA Enterprise Security: IEEE 802.1x Authentication

• 802.1x based on Extensible Authentication Protocol (EAP)
  - Several variations:
    - EAP-Transport Layer Security (EAP-TLS)
    - Lightweight EAP (LEAP)
    - EAP-Tunneled TLS (EAP-TTLS)
    - Protected EAP (PEAP)
    - Flexible Authentication via Secure Tunneling (FAST)
  - Each maps to different types of user logons, credentials, and databases used in authentication
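Added example, not from the textbook or these slides: the RADIUS leg of the 802.1x exchange from slides 70–72 in Python, showing the authenticator's Access-Request, the authentication server's Access-Accept or Access-Reject with its Response Authenticator, and the check the AP must run before it opens the port. Packet layout, User-Password hiding and the authenticator computation follow RFC 2865; the User-Password form is used instead of the EAP-Message attributes an EAP method would carry so the example stays self-contained. The shared secret, Request Authenticator, NAS identifier and user database are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)

# Constructed values (not from the slides): the secret shared between the
# authenticator (AP) and the RADIUS server, a fixed Request Authenticator so
# the run is reproducible (a real AP uses 16 random bytes), and the central
# user database the authentication server consults.
SHARED_SECRET = b"constructed-ap-radius-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
USER_DB: Dict[bytes, bytes] = {b"alice": b"correct-horse-battery"}


def _attribute(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def parse_attributes(body: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def parse_header(packet: bytes) -> Tuple[int, int, int]:
    """(code, identifier, length) from the 4-byte fixed header."""
    return struct.unpack("!BBH", packet[:4])


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret || previous
    ciphertext block), chaining from the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1-128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(p ^ q for p, q in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    """What the authenticator sends once the supplicant presents credentials."""
    attrs = (_attribute(ATTR_USER_NAME, username)
             + _attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attribute(ATTR_NAS_IDENTIFIER, b"ap-01"))
    head = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return head + request_auth + attrs


def server_handle(request: bytes, secret: bytes) -> bytes:
    """Authentication server: check the credential against the central database
    and answer Access-Accept or Access-Reject.  Response Authenticator =
    MD5(code || id || length || RequestAuth || attributes || secret)."""
    code, identifier, length = parse_header(request)
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:HEADER_LEN]
    attrs = parse_attributes(request[HEADER_LEN:length])
    given = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = USER_DB.get(attrs.get(ATTR_USER_NAME, b""))
    ok = expected is not None and hmac.compare_digest(given, expected)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, HEADER_LEN)
    return head + hashlib.md5(head + request_auth + secret).digest()


def verify_response(response: bytes, request_auth: bytes, expected_id: int, secret: bytes) -> bool:
    """True only if the response matches the outstanding request and its
    authenticator was computed with the shared secret."""
    if len(response) < HEADER_LEN:
        return False
    _, identifier, length = parse_header(response)
    if length != len(response) or identifier != expected_id:
        return False
    head, resp_auth, attrs = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    return hmac.compare_digest(hashlib.md5(head + request_auth + attrs + secret).digest(), resp_auth)


def authenticator_decision(response: bytes, request_auth: bytes, expected_id: int, secret: bytes) -> str:
    """Port state the AP sets: only an authentic Access-Accept opens it."""
    if verify_response(response, request_auth, expected_id, secret) and response[0] == ACCESS_ACCEPT:
        return "authorized"
    return "unauthorized"
```

The authenticator never learns whether the password was right except through the server's answer, which is why it must verify the Response Authenticator: an Access-Accept that does not carry a valid authenticator for the outstanding request is treated as unauthorized, whoever sent it.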

Page 73

WPA Enterprise Security: TKIP Encryption

• TKIP is a "wrapper" around WEP
  - Provides adequate encryption mechanism for WPA enterprise security
  - Dovetails into existing WEP mechanism
• Vulnerabilities may be exposed in the future

Page 74

WPA2 Enterprise Security: IEEE 802.1x Authentication

• Enterprise security model using WPA2 provides most secure level of authentication and encryption available on a WLAN
• IEEE 802.1x is strongest type of wireless authentication currently available
• Wi-Fi Alliance certifies WPA and WPA2 enterprise products using EAP-TLS
  - Other EAP types not tested, but should run in a WPA or WPA2 environment

Page 75

WPA2 Enterprise Security: AES-CCMP Encryption

• AES: Block cipher that uses same key for encryption and decryption
  - Bits encrypted in blocks of plaintext
    - Calculated independently
  - Block size of 128 bits
  - Three possible key lengths: 128, 192, and 256 bits
  - WPA2/802.11i uses 128-bit key length
  - Includes four stages that make up one round
    - Each round is iterated 10 times

Page 76

WPA2 Enterprise Security: AES-CCMP Encryption (continued)

Table 9-6: Enterprise security model

Page 77

Other Enterprise Security Tools: Virtual Private Network (VPN)

• Virtual private network (VPN): Uses a public, unsecured network as if it were a private, secured network
• Two common types:
  - Remote-access VPN: User-to-LAN connection used by remote users
  - Site-to-site VPN: Multiple sites can connect to other sites over Internet
• VPN transmissions are achieved through communicating with endpoints

Page 78

Other Enterprise Security Tools: Virtual Private Network

• Endpoint: End of tunnel between VPN devices
  - Can be local software, a dedicated hardware device, or even a firewall
• VPNs can be used in WLAN setting
  - Tunnel through WLAN for added security
• Enterprise trusted gateway: Extension of VPN
  - Pairs of devices create "trusted" VPN connection between themselves
  - Can protect unencrypted packets better than a VPN endpoint

Page 79

Other Enterprise Security Tools: Wireless Gateway

• AP equipped with additional functionality
  - Most APs are wireless gateways
    - Combine functionality of AP, router, network address translator, firewall, and switch
• On enterprise level, wireless gateway may combine functionality of a VPN and an authentication server
  - Can provide increased security for connected APs

Page 80

Other Enterprise Security Tools: Wireless Intrusion Detection System (WIDS)

• Intrusion-detection system (IDS): Monitors activity on network and what the packets are doing
  - May perform specific function when attack detected
  - May only report information, and not take action
• Wireless IDS (WIDS): Constantly monitors RF frequency for attacks
  - Based on database of attack signatures or on abnormal behavior
  - Wireless sensors lie at heart of WIDS
  - Hardware-based have limited coverage, software-based have extended coverage
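Added example, not from the textbook or these slides: both WIDS approaches the slide lists, a signature rule and an abnormal-behaviour rule, run in Python over a constructed sensor log of 802.11 management frames. The log format, the thresholds (five disconnect frames from one source within one second) and the rule names are assumptions of this example.

```python
from collections import defaultdict, deque
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"
DISCONNECT_SUBTYPES = {"deauth", "disassoc"}

# Constructed sample sensor log (not from the slides).  Columns:
# seconds  bssid  source  destination  frame-subtype
SAMPLE_LOG = """
# ordinary traffic on BSSID 00:11:22:33:44:55
0.00 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 00:11:22:33:44:55 data
0.30 00:11:22:33:44:55 00:11:22:33:44:55 aa:bb:cc:dd:ee:02 data
0.60 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff beacon
# burst of broadcast deauthentication frames claiming to come from the AP
1.00 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff deauth
1.05 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff deauth
1.10 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff deauth
1.15 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff deauth
1.20 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff deauth
1.25 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff deauth
# a single unicast deauth much later is ordinary AP behaviour
5.00 00:11:22:33:44:55 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 deauth
"""

# Constructed benign log used as the baseline check.
BENIGN_LOG = """
0.00 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 00:11:22:33:44:55 data
0.60 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff beacon
5.00 00:11:22:33:44:55 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 deauth
"""


def parse_log(text: str) -> List[Dict]:
    """One record per frame; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, bssid, src, dst, subtype = line.split()
        records.append({"ts": float(ts), "bssid": bssid, "src": src,
                        "dst": dst, "subtype": subtype})
    return records


def detect(records: List[Dict], window_seconds: float = 1.0,
           flood_threshold: int = 5) -> List[Dict]:
    """Signature rule: a disconnect frame addressed to every station.
    Behaviour rule: more than flood_threshold disconnect frames from one
    source inside a sliding window.  Each (rule, source) pair alerts once."""
    alerts, seen = [], set()
    recent = defaultdict(deque)   # source address -> recent disconnect timestamps

    def emit(rule: str, rec: Dict, detail: str) -> None:
        key = (rule, rec["src"])
        if key not in seen:
            seen.add(key)
            alerts.append({"rule": rule, "src": rec["src"], "bssid": rec["bssid"],
                           "ts": rec["ts"], "detail": detail})

    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["subtype"] not in DISCONNECT_SUBTYPES:
            continue
        if rec["dst"] == BROADCAST:
            emit("signature:broadcast-disconnect", rec,
                 "disconnect frame addressed to all stations")
        window = recent[rec["src"]]
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > window_seconds:
            window.popleft()
        if len(window) >= flood_threshold:
            emit("anomaly:disconnect-flood", rec,
                 f"{len(window)} disconnect frames within {window_seconds}s")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The signature rule fires on the first matching frame, the behaviour rule only once the rate exceeds the baseline, which is why the slide lists both: the first is precise but only catches what it has a pattern for, the second is generic but needs a threshold that the site's normal traffic (the single unicast deauth in the log) does not cross.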

Page 81

Other Enterprise Security Tools: Captive Portal

• Web page that wireless users are forced to visit before they are granted access to Internet
• Used in one of the following ways:
  - Notify users of wireless policies and rules
  - Advertise to users specific services or products
  - Authenticate users against a RADIUS server
• Often used in public hotspots

Page 82

CWNA Guide to Wireless LANs, Second Edition

Chapter Ten
Managing a Wireless LAN

Page 83

Monitoring the Wireless Network

• Network monitoring provides valuable data regarding current state of a network
  - Generate network baseline
  - Detect emerging problems
• Monitoring a wireless network can be performed with two sets of tools:
  - Utilities designed specifically for WLANs
  - Standard networking tools

Page 84

WLAN Monitoring Tools

• Two classifications of tools:
  - Operate on wireless device itself
  - Function on AP
• Device and Operating System Utilities:
  - Most OSs provide basic utilities for monitoring the WLAN
  - Some vendors provide more detailed utilities

Page 85

WLAN Monitoring Tools: Access Point Utilities

• All APs have WLAN reporting utilities
• "Status" information sometimes just a summary of current AP configuration
  - No useful monitoring information
• Many enterprise-level APs provide utilities that offer three types of information:
  - Event logs
  - Statistics on wireless transmissions
  - Information regarding connection to wired Ethernet network

Page 86

Standard Network Monitoring Tools

• Drawbacks to relying solely on info from AP and wireless devices:
  - Lack of retention of data
  - Laborious and time-intensive data collection
  - Data generally not collected in a timely manner
• "Standard" network monitoring tools:
  - Used on wired networks
  - Proven to be reliable
  - Simple Network Management Protocol (SNMP)
  - Remote Monitoring (RMON)

Page 87

Simple Network Management Protocol (SNMP)

• Protocol allowing computers and network equipment to gather data about network performance
  - Part of TCP/IP protocol suite
• Software agent loaded onto each network device that will be managed using SNMP
  - Monitors network traffic and stores info in management information base (MIB)
  - SNMP management station: Computer with the SNMP management software

Page 88

Simple Network Management Protocol (continued)

• SNMP management station communicates with software agents on network devices
  - Collects data stored in MIBs
  - Combines and produces statistics about network
• Whenever network exceeds predefined limit, triggers an SNMP trap
  - Sent to management station
• Implementing SNMP provides means to acquire wireless data for establishing baseline and generating alerts

Page 89

Remote Monitoring (RMON)

• SNMP-based tool used to monitor LANs connected via a wide area network (WAN)
  - WANs provide communication over larger geographical area than LANs
• Allows remote network node to gather network data at almost any point on a LAN or WAN
  - Uses SNMP and incorporates special database for remote monitoring
• WLAN AP can be monitored using RMON
  - Gathers data regarding wireless and wired interfaces

Page 90

Maintaining the Wireless Network

• Wireless networks are not static
  - Must continually be modified, adjusted, and tweaked
• Modifications often made in response to data gathered during network monitoring
• Two of most common functions:
  - Updating AP firmware
  - Adjusting antennas to enhance transmissions

Page 91

Upgrading Firmware
Firmware: Software embedded into hardware to control the device
• Electronic "heart" of a hardware device
• Resides on EEPROM (or flash memory in current devices), a nonvolatile storage chip
Most APs use a browser-based management system
Keep APs current with the latest changes by downloading the changes to the APs
• Firmware updates are also how security fixes reach the AP, so track vendor advisories and apply them promptly

Page 92

Upgrading Firmware (continued)
General steps to update AP firmware:
• Download the firmware from the vendor's Web site (over HTTPS) and verify it against the vendor's published checksum or signature before use
• Select "Upgrade Firmware" or a similar option on the AP
• Enter the location of the firmware file
• Click the Upgrade button
Enterprise-level APs often have enhanced firmware update capabilities
• e.g., may be able to update System firmware, Web Page firmware, and Radio firmware separately
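The integrity check that belongs between the download step and the upload step, as an added example (not vendor code and not from the CWNA text). It assumes the vendor publishes a sha256sum-style manifest (one "<hex digest>  <filename>" line per file); the firmware bytes, file names and manifest below are constructed for the demonstration.

```python
"""Verify a downloaded AP firmware image against the vendor's published
checksum before uploading it through the AP's management page.

Added example, not vendor or CWNA code. It assumes the vendor publishes a
sha256sum-style manifest ("<hex digest>  <filename>" per line); the
firmware bytes and the manifest below are constructed for the demo.
"""
import hashlib
import hmac


def parse_sums(manifest_text):
    """Map filename -> expected hex digest from sha256sum-style lines."""
    sums = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum prefixes '*' for binary mode
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        int(digest, 16)  # raises ValueError if the digest is not hex
        sums[name] = digest.lower()
    return sums


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_firmware(name, data, manifest_text):
    """Return (ok, reason); ok is True only when the digest matches the manifest entry."""
    expected = parse_sums(manifest_text).get(name)
    if expected is None:
        return False, f"no checksum published for {name}"
    actual = sha256_hex(data)
    # constant-time comparison: not strictly needed for a public digest, but harmless
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: got {actual}, expected {expected}"
    return True, "digest matches manifest"


# Constructed firmware image and manifest (the second entry is a dummy digest)
FIRMWARE_NAME = "ap-firmware-1.2.3.bin"
FIRMWARE = b"\x7fAP FIRMWARE IMAGE v1.2.3 (constructed bytes)\x00" * 64
MANIFEST = (
    "# SHA256SUMS (constructed for this example)\n"
    f"{sha256_hex(FIRMWARE)}  {FIRMWARE_NAME}\n"
    f"{'deadbeef' * 8}  ap-firmware-1.2.2.bin\n"
)

if __name__ == "__main__":
    ok, reason = verify_firmware(FIRMWARE_NAME, FIRMWARE, MANIFEST)
    print("upload" if ok else "refuse upload", "-", reason)
    ok, reason = verify_firmware(FIRMWARE_NAME, FIRMWARE + b"\x00", MANIFEST)
    print("upload" if ok else "refuse upload", "-", reason)
```

A checksum only proves the file you hold matches what the vendor published, and only if the manifest itself came over an authenticated channel (HTTPS from the vendor, not from the same mirror as the image). Where the vendor signs images, checking the signature is the stronger test; the AP's own signed-firmware enforcement, if it has it, is the last line of defence.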

Page 93

Upgrading Firmware (continued)
With many enterprise-level APs, once a single AP has been upgraded to the latest firmware, it can distribute the image to all other APs on the WLAN
• The Receiving AP must be able to hear the IP multicast issued by the Distribution AP
• The Receiving AP must be set to allow access through a Web browser
• If the Receiving AP has specific security capabilities enabled, its approved user list must contain a user with the same user name, password, and capabilities as the user logged into the Distribution AP
• Because distribution relies on reachable web management and shared credentials, keep management interfaces on an administrative VLAN and avoid reusing one password across every AP

Page 94

Upgrading Firmware (continued)
RF site tuning: After firmware updates are applied, adjusting the APs' settings
• Adjust radio power levels on all access points
  Firmware upgrades may increase RF coverage areas
• Adjust channel settings
• Validate the coverage area
• Re-check link integrity and throughput
• Document the changes

Page 95

Adjusting Antennas: RF Transmissions
May need to adjust antennas in response to firmware upgrades or changes in the environment
• May require reorientation or repositioning
• May require a new type of antenna
A radio frequency link between sender and receiver consists of three basic elements:
• Effective transmitting power
• Propagation loss
• Effective receiving sensitivity

Page 96

Adjusting Antennas: RF Transmissions (continued)

Figure 10-14: Radio frequency link

Page 97

Adjusting Antennas: RF Transmissions (continued)

Link budget: Calculation to determine whether the signal will still have adequate strength when it reaches the end of the link
• Required information:
  Antenna gain
  Free space path loss
  Frequency of the link
  Loss of each connector at the specified frequency
  Number of connectors used
  Path length
  Power of the transmitter

Page 98

Adjusting Antennas: RF Transmissions (continued)

Link budget (continued):
• Required information (continued):
  Total length of transmission cable and loss per unit length at the specified frequency
For proper WLAN performance, the link budget must be greater than zero
• System operating margin (SOM): the received signal level minus the receiver's sensitivity
• A good WLAN link has a link budget (SOM) of over 6 dB; 10 dB or more is commonly recommended
• Fade margin: The difference between the received signal level and the weakest signal the receiver can process; it is the margin that absorbs fluctuations in signal strength
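The link budget carried through with every item from the required-information list, as an added example (not from the CWNA text). The radio, antenna, cable and connector figures are constructed assumptions for a hypothetical 2.4 GHz point-to-point link; real values come from the datasheets. The free-space path loss formula is the standard FSPL(dB) = 20 log10(d_km) + 20 log10(f_MHz) + 32.44, and the EIRP ceiling used is the FCC Part 15.247 point-to-multipoint limit of 36 dBm.

```python
"""Link budget and system operating margin for a WLAN link.

Added example, not from the CWNA text. All component values are
constructed assumptions for a hypothetical 2.4 GHz point-to-point link;
take real figures from the antenna, cable, and radio datasheets.
"""
from dataclasses import dataclass, replace
from math import log10

# FCC Part 15.247 EIRP ceiling for 2.4 GHz point-to-multipoint systems
# (36 dBm = 4 W). Point-to-point links follow a different rule; check the
# regulation that applies to the deployment.
EIRP_LIMIT_DBM_2_4GHZ_PTMP = 36.0


def free_space_path_loss_db(freq_mhz, distance_km):
    """FSPL(dB) = 20 log10(d_km) + 20 log10(f_MHz) + 32.44 (clear line of sight)."""
    return 20 * log10(distance_km) + 20 * log10(freq_mhz) + 32.44


@dataclass(frozen=True)
class LinkEnd:
    antenna_gain_dbi: float
    cable_len_m: float
    cable_loss_db_per_m: float  # from the cable datasheet, at the link frequency
    connectors: int
    connector_loss_db: float    # per connector, at the link frequency

    def feed_loss_db(self):
        """Total loss between radio and antenna: cable plus every connector."""
        return self.cable_len_m * self.cable_loss_db_per_m + self.connectors * self.connector_loss_db


@dataclass(frozen=True)
class Link:
    tx_power_dbm: float
    tx: LinkEnd
    rx: LinkEnd
    freq_mhz: float
    distance_km: float
    rx_sensitivity_dbm: float  # weakest signal the receiver decodes at the wanted data rate

    def eirp_dbm(self):
        """Effective transmitting power leaving the antenna."""
        return self.tx_power_dbm - self.tx.feed_loss_db() + self.tx.antenna_gain_dbi

    def received_power_dbm(self):
        """EIRP minus propagation loss, plus receive gain, minus receive feed loss."""
        return (self.eirp_dbm()
                - free_space_path_loss_db(self.freq_mhz, self.distance_km)
                + self.rx.antenna_gain_dbi
                - self.rx.feed_loss_db())

    def system_operating_margin_db(self):
        """SOM / fade margin: received power minus receiver sensitivity."""
        return self.received_power_dbm() - self.rx_sensitivity_dbm

    def attenuation_needed_db(self, eirp_limit_dbm=EIRP_LIMIT_DBM_2_4GHZ_PTMP):
        """Fixed attenuation needed to bring EIRP under the regulatory limit (0 if compliant)."""
        return max(0.0, self.eirp_dbm() - eirp_limit_dbm)


def at_distance(link, distance_km):
    """Same link hardware evaluated over a different path length."""
    return replace(link, distance_km=distance_km)


def assess(link, required_margin_db=6.0):
    """'fail' at or below 0 dB margin, 'marginal' below the required margin, else 'ok'."""
    som = link.system_operating_margin_db()
    if som <= 0:
        return "fail"
    if som < required_margin_db:
        return "marginal"
    return "ok"


# Constructed link: 20 dBm radio, 14 dBi antennas, low-loss cable assumed at
# 0.22 dB/m, two 0.5 dB connectors per end, -85 dBm receiver sensitivity.
END = LinkEnd(antenna_gain_dbi=14.0, cable_len_m=10.0, cable_loss_db_per_m=0.22,
              connectors=2, connector_loss_db=0.5)
LINK_1KM = Link(tx_power_dbm=20.0, tx=END, rx=replace(END, cable_len_m=5.0),
                freq_mhz=2437.0, distance_km=1.0, rx_sensitivity_dbm=-85.0)

if __name__ == "__main__":
    for km in (1.0, 15.0, 30.0):
        link = at_distance(LINK_1KM, km)
        print(f"{km:5.1f} km: EIRP {link.eirp_dbm():.1f} dBm, "
              f"Rx {link.received_power_dbm():.1f} dBm, "
              f"SOM {link.system_operating_margin_db():.1f} dB -> {assess(link)}")
```

For the constructed hardware the 1 km path leaves roughly 27 dB of margin, 15 km leaves about 4 dB (above zero but under the 6 dB rule of thumb, so rain, foliage or a misaligned antenna will drop the link), and 30 km does not close at all. FSPL assumes a clear line of sight; obstructions add loss on top of it, which is why the margin and a post-install validation survey both matter.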

Page 99

Adjusting Antennas: RF Transmissions (continued)

Attenuation (loss): A reduction in the amplitude of an RF signal, expressed as a negative difference in dB; causes include:
• Absorption
• Reflection
• Scattering
• Refraction
• Diffraction
• Voltage Standing Wave Ratio (VSWR), i.e., impedance mismatch that reflects power back toward the transmitter

Page 100

Adjusting Antennas: Antenna Types
Rod antenna: The antenna typically used on a WLAN
• Omnidirectional
• 360-degree radiation pattern
• Transmission pattern focused along the horizontal plane
• Increasing length (gain) creates a "tighter" 360-degree beam with a narrower vertical beamwidth
Sectorized antenna: "Cuts" the standard 360-degree pattern into quarters (four sectors)
• Each sector has its own transmitter and antenna
• Power to each sector can be adjusted independently

Page 101

Adjusting Antennas: Antenna Types (continued)

Panel antenna: Typically used in outdoor areas
• "Tight" beamwidth
Phase shifter: Allows a wireless device to use a beam steering antenna to improve receiver performance
• Directs the transmit antenna pattern toward the target
Phased array antenna: Incorporates a network of phase shifters, allowing the antenna to be pointed electronically in microseconds
• Without physical realignment or movement

Page 102

Adjusting Antennas: Antenna Types (continued)

The radiation pattern emitted from an antenna travels in a three-dimensional "donut" form
• Described by plots in the azimuth (horizontal) and elevation (vertical) planes
Antenna Accessories:
• Transmission problems can be resolved by adding "accessories" to the antenna system
• Provide additional power to the antenna, decrease power when necessary, or provide additional functionality

Page 103

Adjusting Antennas: Antenna Types (continued)

Figure 10-17: Azimuth and elevation pattern

Page 104

Adjusting Antennas: RF Amplifier
Increases the amplitude of an RF signal
• Signal gain
Unidirectional amplifier: Increases the RF signal level before it is injected into the transmitting antenna (transmit path only)
Bidirectional amplifier: Boosts the RF signal in both directions, amplifying the transmitted signal on its way to the antenna and the received signal on its way back to the device
• Most amplifiers for APs are bidirectional
• An amplifier raises EIRP, so the amplified system must still stay within the regulatory EIRP limit for the band

Page 105

Adjusting Antennas: RF Attenuators
Decrease the RF signal
• May be used when the gain of an antenna does not match the power output of an AP (e.g., to bring EIRP back under the regulatory limit)
Fixed-loss attenuators: Limit RF power by a set amount
Variable-loss attenuators: Allow the user to set the amount of loss
Fixed-loss attenuators are the only type permitted by the FCC for WLAN systems

Page 106

Adjusting Antennas: Cables and Connectors
Basic rules for selecting cables and connectors:
• Ensure the connector matches the electrical capacity (impedance and power rating) of the cable and device, along with the type and gender of the connector
• Use high-quality connectors and cables
• Make cable lengths as short as possible (cable loss accumulates per unit length)
• Make sure cables match the electrical capacity of the connectors
• Try to purchase pre-manufactured cables
• Use splitters sparingly

Page 107

Adjusting Antennas: Lightning Arrestor
Antennas can inadvertently pick up high electrical discharges
• From a nearby lightning strike or contact with a high-voltage electrical source
Lightning Arrestor: Limits the amplitude of surge and disturbing interference voltages by channeling them to ground
• Designed to be installed between the antenna cable and the wireless device (numbers refer to the figure in the text)
  One end (3) connects to the antenna
  Other end (2) connects to the wireless device
  Ground lug (1) connects to a grounded cable
• Protects against induced surges, not a direct strike; the ground connection must be short and properly bonded for the arrestor to work

Page 108

Establishing a Wireless Security Policy
One of the most important acts in managing a WLAN
• Should be the backbone of any wireless network
• Without it, there is no effective wireless security

Page 109

General Security Policy Elements
Security policy: A document or series of documents clearly defining the defense mechanisms an organization will employ to keep information secure
• Outlines how to respond to attacks and the information security duties/responsibilities of employees
Three key elements:
• Risk assessment
• Security auditing
• Impact analysis

Page 110

Risk Assessment
Determine the nature of the risks to the organization's assets
• First step in creating a security policy
Asset: Any item with positive economic value
• Physical assets
• Data
• Software
• Hardware
• Personnel
Assets should be assigned numeric values indicating their relative value to the organization

Page 111

Risk Assessment (continued)
Factors to consider in determining relative value:
• How critical is this asset to the goals of the organization?
• How much profit does it generate?
• How much revenue does it generate?
• What is the cost to replace it?
• How much does it cost to protect it?
• How difficult would it be to replace it?
• How quickly can it be replaced?
• What is the security impact if this asset is unavailable?

Page 112

Risk Assessment (continued)

Table 10-1: Threats to information security

Page 113

Security Auditing
Determining what current security weaknesses may expose assets to threats
• Takes a current snapshot of the wireless security of the organization
Each threat may reveal multiple vulnerabilities
Vulnerability scanners: Tools that compare an asset against a database of known vulnerabilities
• Produce a discovery report that exposes each vulnerability and assesses its severity
• For a WLAN the audit should also include an RF survey for rogue APs and misconfigured clients, which a host-based scanner will not see

Page 114

Impact Analysis
Involves determining the likelihood that a vulnerability is a risk to the organization
Each vulnerability can be ranked by impact:
• No impact
• Small impact
• Significant
• Major
• Catastrophic
Next, estimate the probability that the vulnerability will actually be exploited
• Rank on a scale of 1 to 10

Page 115

Impact Analysis (continued)
The final step is to determine what to do about the risks
• Accept the risk
• Diminish the risk
• Transfer the risk
It is desirable to diminish all risks to some degree
• If that is not possible, the risks to the most important assets should be reduced first

Page 116

Functional Security Policy Elements
Baseline practices: Establish a benchmark for actions using the wireless network
• Can be used for creating design and implementation practices
  Foundation of what conduct is acceptable on the WLAN
The security policy must specifically identify physical security
• Prevent unauthorized users from reaching equipment in order to use, steal, or vandalize it