Computer Networks Marwan Al-Namari Week 10


Figure 7: RTS/CTS time line and frame structure (stations A, B and C; frames RTS, CTS, DATA and ACK; NAV reservation)

RTS: Ready-to-Send. CTS: Clear-to-Send. ACK: Acknowledgment. NAV: network allocation vector (channel access; the expected time until the packet sequence transmission finishes).
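As an added example (not from the slides), a small model of the timeline in Figure 7: each frame carries a Duration field, every station that overhears a frame addressed to someone else sets its NAV from it, and the hidden station C (which hears B but not A) defers for the whole exchange after hearing the CTS. Station names and timings are constructed.

```python
from dataclasses import dataclass

SIFS = 10  # constructed inter-frame gap, in microseconds

@dataclass
class Frame:
    kind: str       # "RTS", "CTS", "DATA" or "ACK"
    src: str
    dst: str
    airtime: int    # time this frame occupies the medium
    duration: int   # Duration/ID field: reservation still needed after this frame ends

@dataclass
class Station:
    name: str
    neighbours: set   # stations whose frames this one can hear
    nav: int = 0      # NAV: the medium is reserved until this time

    def hear(self, frame: Frame, now: int) -> None:
        # Only frames addressed elsewhere update the NAV; the addressee answers instead.
        if frame.dst != self.name:
            self.nav = max(self.nav, now + frame.airtime + frame.duration)

    def can_transmit(self, now: int) -> bool:
        return now >= self.nav  # virtual carrier sense: defer while the NAV is running

def rts_cts_exchange(stations: dict, sender: str, receiver: str,
                     data_time: int, ack_time: int, ctrl_time: int = 20) -> int:
    """Run RTS -> CTS -> DATA -> ACK; each Duration field covers the rest of the exchange."""
    plan = [
        (sender, Frame("RTS", sender, receiver, ctrl_time, 3 * SIFS + ctrl_time + data_time + ack_time)),
        (receiver, Frame("CTS", receiver, sender, ctrl_time, 2 * SIFS + data_time + ack_time)),
        (sender, Frame("DATA", sender, receiver, data_time, SIFS + ack_time)),
        (receiver, Frame("ACK", receiver, sender, ack_time, 0)),
    ]
    now = 0
    for tx, frame in plan:
        for st in stations.values():          # deliver to everyone in range of the transmitter
            if st.name in stations[tx].neighbours:
                st.hear(frame, now)
        now += frame.airtime + SIFS
    return now - SIFS  # time the ACK finishes and the medium is free again

def hidden_node_demo(data_time: int = 100, ack_time: int = 20):
    # Constructed topology: A and C cannot hear each other, B hears both (hidden nodes).
    stations = {"A": Station("A", {"B"}), "B": Station("B", {"A", "C"}), "C": Station("C", {"B"})}
    end = rts_cts_exchange(stations, "A", "B", data_time, ack_time)
    return stations, end
```

Every NAV set during the exchange expires at the same instant the ACK ends, which is what makes the reservation consistent for stations that heard only part of it.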

Association

The process of connecting a node to an access point is called ‘Association’. This occurs when a node moves within range and tunes its radio channel to the one the access point is set to.

Inter-cell communications

Inter-cell communication between nodes connected to different access points, via a distribution system or backbone network, is accommodated by a frame structure that contains four MAC addresses.

Access Points and Roaming

The use of Access Points can result in essentially unlimited range.

Access Points are typically installed in a false ceiling (higher = better).

APs are connected to the Ethernet backbone and act as a bridge between Ethernet and wireless.

All communications are through the AP.

Roaming

Basic Roaming

As the mobile user roams away from one AP and closer to another, his WLAN NIC will automatically “re-associate” with the closer AP to maintain reliable performance.

Broad Roaming Employing Channel Reuse

Access Points can be programmed to 3 different channels and these can be re-used to provide potentially unlimited coverage.

Load Balancing

Even if a user is stationary, his WLAN NIC may decide to “re-associate” with a different AP because the load on the current AP is too high for optimal performance.

Mobile IP roaming

Seamless Extended Roaming

As the mobile user roams across a router boundary, the WLAN NIC will inform the AP on the other side of the router of his “Home Agent” AP, and a “forwarding” relationship will be set up between the two APs.

Security Issues

WEP, Wired Equivalent Privacy (can be easily cracked)

IEEE 802.1x authentication

Access Control Lists (they can be spoofed)

Turn off SSID broadcast (they can be sniffed)

WPA (Wired or Wi-Fi protected access), better than WEP, available in the latest 802.11g technology

IEEE 802.11i standard solution, ratified 2004, uses stronger encryption and authentication techniques

Additional security options:

VPN, Virtual Private Network (AP could be the end point)

VLAN, Virtual LAN

WLAN switches

WEP problem

Among WEP's numerous flaws are its lack of a message integrity code and its insecure data-confidentiality protocol. Since decryption could be done passively, an attacker could watch WEP traffic from a distance, remain undetected, and recover the original traffic.

IEEE 802.11i

IEEE 802.11i, "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Medium Access Control (MAC) Security Enhancement," leverages security technology that has emerged since the original IEEE 802.11 standard was written in the late 1990s.

These developments include the Advanced Encryption Standard (AES) and the IEEE 802.1X™ standard for access control.

All in all, the IEEE 802.11i amendment is a step forward in wireless security. The amendment adds stronger encryption, authentication, and key management strategies that will make our wireless data and systems more secure.

IEEE 802.11i

More IEEE 802.11i

For IEEE 802.11i, the access point takes the role of the authenticator and the client card the role of supplicant. (In systems using an Independent Basic Service Set [IBSS], the client card takes the roles of both supplicant and authenticator.) The supplicant authenticates with the authentication server through the authenticator. In IEEE 802.1X, the authenticator enforces authentication; it doesn't need to perform the authentication itself. Instead, the authenticator relays the authentication traffic between the supplicant and the authentication server. Between the supplicant and the authenticator, the protocol is IEEE 802.1X. The protocol between the authenticator and the authentication server isn't defined in either IEEE 802.1X or IEEE 802.11i; however, RADIUS is typically used between the authenticator and the authentication server.

WPA

WPA (Wireless Protected Access) is a standards-based security solution from the Wi-Fi Alliance that addresses the vulnerabilities in native WLANs and provides enhanced protection from targeted attacks. WPA addresses all known Wired Equivalent Privacy (WEP) vulnerabilities in the original IEEE 802.11 security implementation and brings an immediate security solution to WLANs in both enterprise and small office/home office (SOHO) environments. WPA uses the Temporal Key Integrity Protocol (TKIP) for encryption.

WPA2

Provides authentication support via IEEE 802.1X and PSK (pre-shared keys).

Enterprise Mode: Enterprise Mode is a term given to products that are tested to be interoperable in both PSK and IEEE 802.1X/EAP modes of operation for authentication. When IEEE 802.1X is used, an authentication, authorization, and accounting (AAA) server (the RADIUS protocol for authentication and key management and centralized management of user credentials) is required. Enterprise Mode is targeted to enterprise environments.

Personal Mode: Personal Mode is a term given to products tested to be interoperable in the PSK-only mode of operation for authentication. It requires manual configuration of a pre-shared key on the access point and clients. PSK authenticates users via a password, or identifying code, on both the client station and the access point. No authentication server is needed. Personal Mode is targeted to SOHO environments.
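An added example, not from the slides, of what the "manually configured pre-shared key" in Personal Mode actually is: IEEE 802.11i derives the 256-bit PSK from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations, and the AP and every client must arrive at the same value. The passphrase and SSID names below are constructed except for the standard's own known-answer vector.

```python
import hashlib
import hmac

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """32-byte PSK (used as the PMK in 802.11i) for a passphrase/SSID pair.
    Both the AP and each client compute this from the manually configured passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

def client_matches_ap(ap_passphrase: str, client_passphrase: str, ssid: str) -> bool:
    """Personal Mode succeeds only if both sides derived the same PSK; compared in
    constant time so a mismatch leaks nothing about where the keys differ."""
    return hmac.compare_digest(derive_psk(ap_passphrase, ssid),
                               derive_psk(client_passphrase, ssid))

# Known-answer test from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE"
IEEE_VECTOR_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

if __name__ == "__main__":
    print(derive_psk("password", "IEEE").hex() == IEEE_VECTOR_PSK)
    # The SSID is the salt: the same passphrase yields a different PSK on another network.
    print(derive_psk("password", "IEEE") != derive_psk("password", "HomeNet"))
```

Because the SSID and iteration count are public, the passphrase's entropy is the only thing protecting a Personal Mode network against offline guessing, which is why long random passphrases matter more there than in Enterprise Mode.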

TKIP

The Temporal Key Integrity Protocol (TKIP) is a data-confidentiality protocol that was designed to improve the security of products that implemented WEP. To get around WEP limitations, TKIP uses a message integrity code called Michael. Basically, Michael enables devices to authenticate that the packets are coming from the claimed source. This authentication is especially important in a wireless technology where traffic can be easily injected. TKIP also uses a key-mixing function to defeat the weak-key attacks that enabled attackers to decrypt WEP traffic.

WEP and 802.1x

As an authentication standard for wired networks, 802.1X has a happy side effect when used with WLANs: it gives you per-user, per-session WEP keys. While WEP's many other theoretical problems still exist, 802.1X solves the biggest practical issue. No longer does everyone use the same WEP key that can stick around for months or even years. Instead, every connection authenticated with 802.1X gets its own WEP key that can be changed as often as the network professional controlling the WLAN desires.

IEEE 802.1x use in IEEE 802.11i

IEEE 802.1X provides a framework to authenticate and authorize devices connecting to a network. It prohibits access to the network until such devices pass authentication. It also provides a framework to transmit key information between authenticator and supplicant.
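An added toy model (not from the slides) of the three 802.1X roles as the 802.11i text above describes them: the authentication server holds the credentials, the supplicant proves knowledge of its secret, and the authenticator only relays the exchange and keeps the controlled port closed until the server says success, then takes the key material. The HMAC challenge-response stands in for a real EAP method and a direct call stands in for the RADIUS leg; identities and secrets are constructed.

```python
import hashlib
import hmac
import os

class AuthenticationServer:
    """Holds the credentials (the RADIUS side); nothing here is shared with the AP."""
    def __init__(self, credentials: dict):
        self._credentials = credentials   # identity -> secret bytes
        self._pending = {}                # identity -> outstanding challenge nonce

    def handle_eap(self, identity: str, response=None):
        """Return ('challenge', nonce), ('success', key) or ('reject', None)."""
        if response is None:
            nonce = os.urandom(16)
            self._pending[identity] = nonce
            return "challenge", nonce
        secret, nonce = self._credentials.get(identity), self._pending.pop(identity, None)
        if secret is None or nonce is None:
            return "reject", None
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "reject", None
        # Session key material; in 802.11i this becomes the PMK handed to the AP.
        return "success", hmac.new(secret, b"key|" + nonce, hashlib.sha256).digest()

class Authenticator:
    """The access point: relays EAP and keeps the controlled port closed until success."""
    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.port_authorized = {}         # identity -> bool
        self.session_keys = {}

    def relay(self, identity: str, response=None):
        # The authenticator never sees the secret; it only enforces the server's verdict.
        status, payload = self.server.handle_eap(identity, response)
        if status == "success":
            self.port_authorized[identity] = True
            self.session_keys[identity] = payload
        elif status == "reject":
            self.port_authorized[identity] = False
        return status, payload

    def accept_data(self, identity: str) -> bool:
        # Until the port is authorized only EAPOL passes; ordinary data frames are dropped.
        return self.port_authorized.get(identity, False)

def supplicant_authenticate(ap: Authenticator, identity: str, secret: bytes) -> bool:
    # The client card: answer the server's challenge with a proof over its own secret.
    status, nonce = ap.relay(identity)
    if status != "challenge":
        return False
    status, _ = ap.relay(identity, hmac.new(secret, nonce, hashlib.sha256).digest())
    return status == "success"
```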

IEEE 802.1x framework

Wireless Switches

Used for management and security control.

Different policies can be assigned for each wired segment.

Some WLAN switches have built-in APs and authentication servers.

Figure: WLAN switch deployment, before and after (different policies can be set for each wired segment)

a/b/g Segmentation

Could segment by configuring access points so that some users use the b or g standard and others use the a standard.

Or use multiple access points connected to a WLAN switch; this can also restrict access using security features, but you must ensure the channels don't interfere.

Extended WLAN

Public access (hot spots)

Wireless Bridging

3G mobile

Mesh Radio

Broadband Wireless IEEE 802.16 Wi-MAX