Wireless Technology
802.11x: Wi-Fi Standards - Cutting Through The Confusion
Rob Karnbach, Wireless ME, May 2003
3Com University Live December 2002 Session ID: 110 Rev. page 2
Leadership in Wireless Connectivity
(Diagram: Wireless Personal Area Network, Wireless Local Area Network and Wireless Wide Area Network shown across Home, Office, Small Business, Hotel and Airport settings)
3Com Proprietary and Confidential
Technology and Standards Evolution
1997: Original 802.11 spec ratified by the IEEE
1999:
• 802.11a and 802.11b ratified by the IEEE
• WECA formed
2000: Bluetooth products available (802.15)
Today: New network services being added (QoS, IAPP, WEP2, etc.)
Future:
• 54Mbps extension to 802.11b
• 5GHz band (up to 54 Mbps)
• 802.11b & Bluetooth co-existence
The A, B, G’s of WLANs
Background
• The IEEE finalized the initial standard for WLANs, IEEE 802.11, in June 1997
• The original standard specified a 2.4GHz operating frequency with data rates of 1 and 2Mbps
• There are two categories of specifications
• The first category defines complete wireless LAN systems: 3 main specifications, 802.11a, b, and g
• The second category defines enhancements that mitigate weaknesses in the existing protocols. These are not new systems, but rather extensions that will be applied to the systems specifications. There are currently 6 specifications in this category: 802.11d, e, f, h, i, j
802.11 Systems Overview
802.11a
• Standard ratified: 2002
• Radio band: 5GHz
• Data rates: up to 54Mbps
• Coverage area: up to 50 meters
• Pros: less potential for interference; good support for multimedia apps and densely populated user environments
• Cons: requires hardware upgrade; less coverage area
802.11b
• Standard ratified: 1999
• Radio band: 2.4GHz
• Data rates: up to 11Mbps
• Coverage area: up to 100 meters
• Pros: certified compatibility through Wi-Fi; most widely deployed system today
• Cons: slower data rate; interference in 2.4GHz band
802.11g
• Standard ratified: not yet ratified
• Radio band: 2.4GHz
• Data rates: up to 54Mbps
• Coverage area: up to 100 meters
• Pros: compatible with 802.11b; high data rates and broad coverage area
• Cons: will not be widely available until late 2003
Recommending the Right WLAN System
Recommend 802.11b if your customer:
• Doesn’t have a need for high bandwidth
• Isn’t price sensitive
• Wants a large choice of providers/manufacturers
• Wants to give users access to public WLAN hot-spots
• Wants guaranteed compatibility
• Wants to implement a complete WLAN solution today
Recommending the Right WLAN System
Recommend 802.11a if your customer:
• Has a dense user base confined to one coverage area
• Wants to run high-bandwidth applications, e.g. voice/video over the wireless network
• Needs to transfer large data files: CAD files, pre-print publishing documents, other large graphics files
• Does not need a wide coverage range
• Is not price sensitive (in the short term): it will cost twice as much to cover the same area as 802.11b or g
Recommending the Right WLAN System
Recommend 802.11g if your customer:
• Is willing to wait for the standard to arrive and for products to hit the market
• Wants backward compatibility with an existing 802.11b WLAN
• Wants to maximize current investment
• Needs high bandwidth
• Has a large coverage area
IEEE P802.11 TGe
• Purpose: To enhance the 802.11 Medium Access Control (MAC) to improve and manage Quality of Service (QoS)
• Cannot be supported in current chip design; requires new radio chips
• Can do basic QoS in the MAC layer
IEEE P802.11 TGf
• Purpose: To develop a set of requirements for Inter-Access Point Protocol (IAPP), including operational and management aspects
• 3Com’s Role: As chair of this group, drive the work of IAPP towards development of a “Distribution System” consisting of IEEE 802 LAN components supporting an IETF IP environment
Local Authentication Options
Local Access Point Authentication/Encryption
• Authentication is done at each Access Point
• Encryption options:
  • No security (encryption)
  • 40-bit encryption, shared key
  • 128-bit encryption, shared key
  • Dynamic Security Link (128-bit): username/password authentication with 128-bit dynamic session key encryption
3Com Access Point 8000: Dynamic Security Link
Dynamic Security Link
• Per user, per session dynamic key with 128-bit encryption
• Unique key automatically generated between the AP & wireless client each session
• Keys are done in the background, automatically, not entered manually
• Internal database supports 1000 username/password entries
• Provides a superior security solution when the AP is deployed in networks without a centralized authentication server
LEAP: Lightweight Extensible Authentication Protocol (Cisco)
• Cisco-only protocol, used to fix WEP
• Requires Cisco or Funk RADIUS server
• Requires Cisco APs
• Requires Cisco or 3Com XJACK client cards
• Is only dynamic session keys (like DSL)
• Very expensive solution for not being dynamic encryption keys
IEEE 802.1x – Port-Based Network Access Control
• 802.1x is a standard for authenticating wireless clients onto a wireless 802.11 network
• It is a key feature in Microsoft’s Windows XP operating system
• Needs to be implemented in conjunction with a centralized RADIUS authentication server supporting EAP-MD5 or EAP-TLS
• Scalable to large enterprise networks
• Authentication is central, rather than in each Access Point
RADIUS Authentication Support
RADIUS Centralized User Authentication
• Authentication is provided between the wireless client and the RADIUS server, in conjunction with the IEEE 802.1x standard-based network log-in
• Any RADIUS server supporting EAP-MD5, EAP-TLS, EAP-TTLS
• Implemented in conjunction with 802.1x to provide a secure authentication solution for wireless clients
• For an even more secure solution, 3Com’s Universal Client Certificate supporting EAP-TLS enables RADIUS servers that support EAP-TLS to achieve Dynamic Key Distribution – per-user / per-session key
• RADIUS Accounting: username, start time, stop time, packet input/output
EAP-MD5
Authentication
• Never sends the password in clear text
• Uses MD5 HMAC: 128-bit hash of password comparison
• Most RADIUS servers support this today: Cisco, Funk, Microsoft
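To make the challenge/response concrete, here is an added Python example (not 3Com's or any RADIUS vendor's code) of the EAP-MD5-Challenge computation RFC 3748 specifies, MD5(Identifier || password || challenge), with a hypothetical in-memory server class standing in for the RADIUS side and a constructed username/password pair. It also shows what a deployment has to weigh: the server must hold the cleartext password, and only the client is authenticated.

```python
import hashlib
import hmac
import os


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5-Challenge response value (RFC 3748, CHAP-style per RFC 1994):
    MD5(Identifier || secret || Challenge). Only this 16-byte digest crosses the air."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


class RadiusEapMd5Server:
    """Hypothetical authenticator/RADIUS side. It must keep the cleartext password,
    because the digest cannot be recomputed from a salted password hash."""

    def __init__(self, users: dict):
        self.users = users          # username -> cleartext password (constructed)
        self.pending = {}           # EAP Identifier -> outstanding challenge

    def send_challenge(self, identifier: int) -> bytes:
        challenge = os.urandom(16)  # fresh random challenge for every attempt
        self.pending[identifier] = challenge
        return challenge

    def check_response(self, identifier: int, username: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)  # one challenge, one answer
        password = self.users.get(username)
        if challenge is None or password is None:
            return False
        expected = md5_challenge_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def supplicant_answer(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Wireless client side: hashes its password with the server's challenge."""
    return md5_challenge_response(identifier, password, challenge)


def run_exchange(server: RadiusEapMd5Server, identifier: int,
                 username: str, password: bytes) -> bool:
    """One EAP-Request/MD5-Challenge -> EAP-Response round; True means EAP-Success.
    The server never proves its identity to the client (one-way authentication)."""
    challenge = server.send_challenge(identifier)
    answer = supplicant_answer(identifier, password, challenge)
    return server.check_response(identifier, username, answer)


USERS = {"3Com": b"correct horse battery"}  # constructed sample credential
```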
EAP-TLS
Authentication
• Authenticates device and user: device by digital cert, user by username/password
• Requires a digital cert; can store phase one encryptions on it
• 3Com incorporates 128-bit dynamic key encryption with it; key changes every 15 minutes
• Supported in high-end RADIUS servers, i.e. Microsoft, Funk Steel-Belted Radius, Cisco
3Com Universal Client Certificate Supports EAP-TLS
• Certificate is required for mutual authentication
• Used by any 3Com WLAN client in EAP-TLS authentication mode
• Required for serial authentication
• 3Com developed it to fully utilize the power of EAP-TLS authentication
• A public key for the client is generally expensive to deploy; free to 3Com wireless clients
Basic RADIUS (EAP-MD5) (Public Areas)
(Diagram labels: Hotel Lobby, Airport, Mgmt. Console, RADIUS Server (EAP-MD5), ATM, SuperStack3 Firewall, SuperStack Switch, NT or Netware Server, WLAN)
• RADIUS client built into the AP8000
• Provides upper layer authentication through RADIUS supporting EAP-MD5 (Microsoft, Funk, Cisco)
• One-way authentication: the wireless client is authenticated by the RADIUS server
• Encryption capability can be provided between the client and the AP using a 40-bit or 128-bit shared key
• Static key generated in the AP and manually entered in all clients and APs
• Ideal for enterprise networks with legacy RADIUS deployments, requiring centralized user management and a basic level of encryption capability
Standard EAP-TLS and 802.1x, with XP Clients and Existing PKI (University Campus)
(Diagram labels: Student Dormitory, Main Campus, Library, Registration Office, Mgmt. Console, RADIUS Server (EAP-MD5), RADIUS EAP-TLS, SuperStack3 Firewall, SuperStack Switch, NT or Netware Server, WLAN; login dialog “Login for 802.1X”, Username: 3Com, Password: ********)
• 802.1x is native to the Windows XP Operating System only
• With PKI, each client has a “unique” certificate, issued by an external CA (very expensive to implement)
• The TLS server also needs its own certificate, issued by an external CA
• 3Com’s next generation 802.1x agent will work with 3rd party CAs
• Disable Microsoft’s 802.1x agent and deploy Serial Authentication using 3Com’s 802.1x agent and achieve:
  • Certificate-based mutual authentication using 3Com’s own Universal Client Certificate
  • Support for the standards-based RC4 encryption algorithm (40-bit and 128-bit)
  • Dynamic key management supported in the AP8000
  • Secure username/password authentication on top of certificate-based authentication
EAP-TTLS
• Tunneled EAP-TLS
• Still requires a digital cert, but can use MS-CHAP for password checking
• Supported right now only in Funk Software Odyssey Server
PEAP - Protected EAP
• Competes with EAP-TTLS
• Uses TLS and digital certs
• Two-phase TLS authentication
• Uses TLS encryption
• Allows for support of token cards
TKIP - Temporal Key Integrity Protocol
• Uses RC4 encryption (stream cipher)
• Phase 1: MAC address mixed with the TK (temporal key) to produce the Phase 1 key
• Phase 2: Phase 1 key mixed with the IV (initialization vector) to derive per-packet keys
• Each key is used to encrypt one and only one data packet
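As an added example (not from the original slides or 3Com), the Python below shows why the two-phase per-packet key matters: RC4 is a stream cipher, so two packets encrypted under one static key yield ciphertexts whose XOR equals the XOR of the plaintexts, while per-packet keys remove that property. The two mixing functions are HMAC-based stand-ins of my own, not TKIP's real S-box mixers, and the TK, MAC address and payloads are constructed.

```python
import hashlib
import hmac


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key schedule + keystream XOR); the same call decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def phase1_key(tk: bytes, mac: bytes) -> bytes:
    # Phase 1 stand-in (hypothetical HMAC mixer, not TKIP's S-box function):
    # bind the temporal key TK to the transmitter's MAC address.
    return hmac.new(tk, b"phase1" + mac, hashlib.sha256).digest()[:16]


def per_packet_key(p1: bytes, iv: int) -> bytes:
    # Phase 2 stand-in: mix the phase-1 key with the 48-bit IV so that each
    # packet (each IV value) gets its own RC4 key.
    return hmac.new(p1, b"phase2" + iv.to_bytes(6, "big"), hashlib.sha256).digest()[:16]


def encrypt_packet(tk: bytes, mac: bytes, iv: int, payload: bytes) -> bytes:
    return rc4(per_packet_key(phase1_key(tk, mac), iv), payload)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def static_key_leaks(key: bytes, p1: bytes, p2: bytes) -> bool:
    # WEP-style: one key for every packet, so c1 ^ c2 == p1 ^ p2 (keystream cancels).
    return xor_bytes(rc4(key, p1), rc4(key, p2)) == xor_bytes(p1, p2)


def per_packet_keys_leak(tk: bytes, mac: bytes, p1: bytes, p2: bytes) -> bool:
    # TKIP-style: IVs 1 and 2 give different keystreams, so the relation no longer holds.
    c1, c2 = encrypt_packet(tk, mac, 1, p1), encrypt_packet(tk, mac, 2, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)
```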
WPA - Wi-Fi Protected Access
• Requires authentication and encryption
• Authentication
  • Requires EAP mutual authentication
  • Protects the user from accidentally joining a rogue AP
• Encryption
  • Requires TKIP (use of a temporal key)
• We do not support WPA Home/SOHO mode (use of a shared key)
IEEE P802.11 TGi
• Purpose: To enhance the current 802.11 MAC to provide improvements in security and authentication mechanisms
• Will be based on the new Federal Encryption Standard AES (Advanced Encryption Standard)
  • Will replace DES
  • Requires hardware acceleration; today’s APs cannot support it yet
  • Rijndael algorithm: symmetric block cipher, keys of 128, 192 or 256 bits