Designing Optimizing Securing Wireless Networks


7/30/2019 Designing Optimizing Securing Wireless Networks

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012

Designing, optimizing and Securing Wireless Networks

0. Welcome

Floor Plan

Schedule with break and lunch times.

09u00 - 10u30 1st course session
10u30 - 10u40 Coffee
10u40 - 11u45 2nd course session
12u00 - 13u00 Lunch
13u15 - 15u00 3rd course session
15u00 - 15u15 Coffee
15u15 - 17u00 5th course session

Vegetarian plate possible
Coffee, tea, water and juice
Soft drink with token

Information

Messages on the door.
Wireless access: user and password.
Telindus Reception (Floor 0).

Introduce yourself

Ask and answer questions
Give feedback
Who is your instructor?

Presentation of the students.

What I would like to know from you:
Your name and work location
Your job responsibilities
Your networking experience
Your objectives for this course

Designing, optimizing and Securing Wireless Networks

01. Designing
Introducing Wireless Networks and Topologies
Radio basics, WI-FI basics and Interference
802.11n
Architecture
Site Survey

02. Optimizing
Throughput
QoS: 802.11e
Voice on Wireless

03. Securing
Encryption and authentication standards
802.1x framework

Designing wireless networks

Introducing Wireless Networks and Topologies

Wireless LANs are evolving

Point Applications: Inventory Management, Barcode Scanning
Mobile Data: Email, Web browsing
Business Ready: Voice, Video, Data
Next Gen. Wireless: Ubiquitous mobile computing, Location Tracking

802.11: 2 Mbps
802.11b: 11 Mbps
802.11a/g: 54 Mbps
802.11n: 300 Mbps

WLAN Standards Evolution

The IEEE 802.11 standard for wireless LAN radio devices was ratified in 1997.
The standard included two transmit rates of 1 Mbit/s and 2 Mbit/s.
1999: IEEE 802.11b standard for 11 Mb/s WLAN.
Transition from 2.4 GHz to 5 GHz.
IEEE 802.11a (2000): 5 GHz offers a chance for higher data rates and increased capacity; the goal is to provide up to 54 Mbps.
IEEE 802.11g (2000): 5.5, 11, 54 Mbps.
IEEE 802.11n (Sept. 2009): up to 600 Mbps?

Wireless Personal Area Network

WPANs provide connectivity in a personal area.
Links are usually peer to peer or small networks.
Applications range from simple (remote control) to complex (voice).
WPANs meet the need for ease of use, low cost, and portability.
Bluetooth is a typical example, running in 2.4 GHz.
Range: < 5 - 10 m

Wireless Local Area Network

Range larger than WPAN, spectrum 2.4 GHz and 5 GHz
More power required
Multiple users expected
Designed to be flexible
Range: < 100 m

Wireless Metropolitan Area Network

Backbone or user coverage applications
Usually in licensed bands
Unlicensed bands possible, but with interference issues
Typically in a city or suburb
Range: > 100 m

Wireless Wide Area Network

Large coverage areas
Issues: bandwidth and number of users
Cost based on usage duration or amount of information transmitted
Examples: UMTS, HSDPA, LTE

Standard Organizations for Wireless Networks

FCC: Federal Communications Commission
ETSI: European Telecommunications Standards Institute; HiperLAN (instead of 802.11a)
IEEE: Institute of Electrical and Electronics Engineers; 802.11a, 802.11b, 802.11g, 802.11i, 802.11e, 802.3af
BIPT: Belgian Institute for Postal services and Telecommunications

What about WI-FI or Wireless Fidelity?

Before customers really started to complain about compatibility problems, six major players in the WLAN field decided to start their own actions to ensure compatibility.
3Com, Aironet, Intersil, Lucent Technologies, Nokia and Symbol Technologies formed an industry alliance called WECA in August 1999.
http://www.wi-fizone.org/
http://www.wi-fi.org/

Wireless LAN deployment

Residential
Enterprise: access for employees, guest access, Wi-Fi phones
Public access - Hotspots: airports, hotels, restaurants, public transportation, ...
Environment specific: healthcare, education, retail

Ad-hoc networks

Independent Basic Service Set (IBSS)
Exists as soon as two wireless devices communicate
Limited in number of devices due to collision and organization issues
(Figure: ad-hoc architecture)

Infrastructure mode

Infrastructure Basic Service Set (BSS)
The AP functions as a translational bridge between 802.3 wired media and 802.11 wireless media.
Wireless is a half-duplex environment.
(Figure: a wireless cell attached to the DS, the distribution system)

Infrastructure mode (ESS)

(Figure labels: Channel 6, DS, Channel 1)

Wireless Outdoor Bridge

Extend the LAN by linking LANs
Point to point or hub and spoke

Mesh

Devices are connected with redundant connections between nodes; no single point of failure.

Service Set Identifier (SSID)

Network name
32 octets long
Used to tell a wireless station what network to join
One network (ESS or IBSS) has one SSID
May be broadcast or not
An access point can have more than one SSID


Designing wireless networks

Radio basics
WI-FI basics
Interference

Wireless spectrum

Wireless networks use RF signals.
Radio frequencies are electromagnetic waves.
The spectrum defines wave sizes, grouped by categories.
The wireless network radio range is in the microwave segment.

Wireless data bands:
902 - 928 MHz          26 MHz
2.4 - 2.4835 GHz       85 MHz
5.725 - 5.850 GHz      125 MHz

They made history

1837: Morse invents the telegraph
1876: James Clerk Maxwell develops the theory that predicts the existence of electromagnetic waves
1886: Heinrich Hertz demonstrates the existence of electromagnetic waves
1901: Marconi transmits the letter S across the Atlantic Ocean
Wireless Network: Signals Go Through a Process

Amplitude indicates the strength of the RF signal.
The frequency is the number of cycles occurring each second.
The phase corresponds to how far the signal is offset from a reference point.
(Figure labels: Modulator, Amplifier, cf)
AC and subsequent frequency changes are described as a sine wave.
Radio waves move at a speed of about 299,792 km per second.

Frequency

The frequency determines how often a signal is seen.
One cycle per second equals 1 Hz.
Low frequencies travel farther in the air than high frequencies.

Wavelength

The signal generated in the transmitter is sent to the antenna.
The movement of the electrons generates an electric field, which is the electromagnetic wave.
The size of the cycle pattern is called the wavelength.

Amplitude

Amplitude is the vertical distance, or height, between crests.
For the same wavelength and frequency, different amplitudes can exist.
Amplitude represents the quantity of energy injected in the signal.

Attenuation

The shorter the wavelength of a wireless signal, the more it is attenuated.

Multipath

Obstacles cause the signal to bounce in different directions:
1. A part of the signal might go directly to the destination.
2. Another portion of the signal might bounce off a desk, ceiling, ...

Typical Reflectors

Line of Sight

Line of sight is necessary for good signal transmission.
Earth curvature plays a role in the quality of outdoor links, even with a distance of a few miles (depending on the elevation of the transmitter and receiver).
Visual obstacles may or may not prevent radio line of sight.

Fresnel zone

An outdoor point-to-point connection needs radio line of sight.
The Fresnel zone is an elliptical area immediately surrounding the visual path.
Its parameters depend on the frequency and the length of the direct line.

RSSI and SNR

RSSI is the signal strength indicator.
The dBm value is obtained from a signal grading coefficient, which is determined by the vendor.
RSSI is usually a negative value; the closer to 0 the better.
SNR is signal strength relative to the noise level.
The higher the SNR, the better.

Decibels

Compares powers, originally sounds.
0 dB = same power
3 dB = twice the power
-3 dB = half the power
10 dB = 10 x the power
-10 dB = 1 tenth of the power

dBm

Used for AP transmitters.
Same scale as the other dB.
0 dBm = 1 mW
30 dBm = 1 W
-20 dBm = 0.01 mW

Signal strengths vary logarithmically, not linearly

dBm: Decibel milliwatt
This measurement is used to represent power.
0 dBm is defined as 1 milliwatt: 0 dBm = 10 log10(1 mW)
Access Points (APs) have a power output of +17 dBm (50 mW)

Decibel Referenced to Isotropic Antenna

dBi refers to an isotropic antenna.
This antenna is theoretical and does not exist in reality.
dBi is used as a reference point to compare antennae.
The same logarithmic progression applies to dBi as to the other decibel scales.

Antenna Principles

The radiation pattern describes the coverage shape.
The RF radiation pattern is described by the E-plane (elevation chart) and the H-plane (azimuth chart).
Expressed in dB.
Each antenna design produces different RF radiation patterns.

Everyday objects as antenna pattern illustrations

Antenna radiation pattern

Regions where the capability of the antenna is focused.
3D patterns are indicated with an azimuth pattern (horizontal plane) and an elevation pattern (vertical plane).
(Figure: TA-2304-120-T0 Elevation Pattern and Azimuth Pattern; polar plots with 0, 90, 180 and 270 degree axes and rings at 0, -3, -6, -10, -15, -20 and -30 dB)

Antenna Beamwidth

(Figure: horizontal beamwidth and vertical beamwidth)

Antenna Polarization

Diversity

Dual antennas each receive a different signal.
One may receive a bad signal while the other may receive a good signal.
Some wireless technologies use diversity to choose, on a per-client basis, which antenna to use to receive and which to answer.

2.4 GHz Omni-Directional Antennas

2 dBi Dipole "Standard Rubber Duck"
5.2 dBi Ceiling Mount
5.2 dBi Pillar Mount Diversity

2.4 GHz Directional Antennas

13.5 dBi Yagi Antenna, 25 degree
21 dBi Parabolic Dish Antenna, 12 degree
8.5 dBi Patch Antenna, 60 degree
Effective Isotropically Radiated Power

Typical obstacle attenuation:
Plasterboard (gyproc) wall       3 dB
Glass wall with metal frame      6 dB
Office window                    3 dB
Metal door                       6 dB
Metal door in brick wall         12.4 dB

Remember!
-3 dB = 1/2 the power in mW
+3 dB = 2 times the power in mW
-10 dB = 1/10 the power in mW
+10 dB = 10 times the power in mW

EIRP limits are country based

As are the channel sets: FCC, IC, ETSI, Telec.

2.4 GHz EIRP rules (ETSI)

20 dBm is the maximum allowed EIRP.
17 dBm maximum transmit power.
Power can be reduced below 17 dBm in a 1:1 rule.

Transmit power       Transmitter   dBm      Maximum gain   EIRP
Maximum              50 mW         17 dBm   3 dBi          20 dBm
Reduced Tx power     30 mW         15 dBm   5 dBi          20 dBm
                     20 mW         13 dBm   7 dBi          20 dBm
                     5 mW          7 dBm    13 dBi         20 dBm
                     1 mW          0 dBm    20 dBi         20 dBm
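The decibel, dBm, dBi and EIRP slides above reduce to a few logarithmic rules. The Python below is an added example, not code from the deck or from Telindus/John Cordier Academy, that encodes those rules and re-derives the ETSI table: a 20 dBm EIRP limit, a 17 dBm radio, and the 1:1 rule between extra antenna gain and power reduction. The constant names, the optional cable-loss term and the compliance check are assumptions of this example; the milliwatt column comes out unrounded (31.6 mW where the slide rounds to 30 mW).

```python
import math

# Limits quoted on the slides for the 2.4 GHz band under ETSI rules.
ETSI_24GHZ_EIRP_LIMIT_DBM = 20.0   # maximum allowed EIRP
AP_MAX_TX_POWER_DBM = 17.0         # maximum transmit power of the radio (about 50 mW)


def mw_to_dbm(power_mw: float) -> float:
    """dBm = 10 * log10(P / 1 mW): 1 mW is 0 dBm, 1 W is 30 dBm."""
    if power_mw <= 0:
        raise ValueError("power must be positive")
    return 10.0 * math.log10(power_mw)


def dbm_to_mw(power_dbm: float) -> float:
    """Inverse of mw_to_dbm: every +10 dB multiplies the power by 10, every +3 dB roughly doubles it."""
    return 10.0 ** (power_dbm / 10.0)


def eirp_dbm(tx_power_dbm: float, antenna_gain_dbi: float, cable_loss_db: float = 0.0) -> float:
    """EIRP = transmitter power + antenna gain - loss between radio and antenna.

    All terms are logarithmic, so gains add and losses subtract. The cable-loss term
    is an assumption of this example; the slide table has no loss between radio and antenna.
    """
    return tx_power_dbm + antenna_gain_dbi - cable_loss_db


def max_tx_power_dbm(antenna_gain_dbi: float, cable_loss_db: float = 0.0,
                     limit_dbm: float = ETSI_24GHZ_EIRP_LIMIT_DBM,
                     radio_max_dbm: float = AP_MAX_TX_POWER_DBM) -> float:
    """The 1:1 rule: each dBi of antenna gain above the 3 dBi baseline must be matched
    by 1 dB less transmit power so that the EIRP stays at the limit."""
    return min(radio_max_dbm, limit_dbm - antenna_gain_dbi + cable_loss_db)


def check_eirp(tx_power_dbm: float, antenna_gain_dbi: float, cable_loss_db: float = 0.0,
               limit_dbm: float = ETSI_24GHZ_EIRP_LIMIT_DBM):
    """Return (eirp_dbm, compliant, excess_db) for a proposed AP configuration."""
    eirp = eirp_dbm(tx_power_dbm, antenna_gain_dbi, cable_loss_db)
    excess = max(0.0, eirp - limit_dbm)
    return eirp, excess == 0.0, excess


def etsi_table(gains_dbi=(3, 5, 7, 13, 20)):
    """Rebuild the slide's table: for each antenna gain, the largest legal transmit power."""
    rows = []
    for gain in gains_dbi:
        tx = max_tx_power_dbm(gain)
        rows.append({"gain_dbi": gain, "tx_dbm": tx,
                     "tx_mw": round(dbm_to_mw(tx), 1),
                     "eirp_dbm": eirp_dbm(tx, gain)})
    return rows


if __name__ == "__main__":
    for row in etsi_table():
        print(row)
    # A 17 dBm radio on the 13.5 dBi Yagi from the antenna slide, with no power reduction,
    # is 10.5 dB over the ETSI limit.
    print(check_eirp(AP_MAX_TX_POWER_DBM, 13.5))
```

The same functions cover the obstacle table: subtract a wall's attenuation from the EIRP in dB rather than converting to milliwatts first, since all the quantities are logarithmic.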

Designing wireless networks

Radio basics
WI-FI basics
Interference

The Physical Components

L7 APPLICATION
L6 PRESENTATION
L5 SESSION
L4 TRANSPORT
L3 NETWORK
L2 DATA LINK: Logical Link Control sublayer (LLC); Media Access Control sublayer (MAC)
L1 PHYSICAL: Physical Layer Convergence Procedure (PLCP); Physical Medium Dependent (PMD)

This is WI-FI: 802.11 specifies the MAC sublayer and the physical layer (PLCP and PMD).

Wireless LAN Technologies

Infrared
Spread Spectrum: Direct Sequence, Frequency Hopping
Narrow Band
OFDM

Hedy Lamarr, 1913-2000: Secret Communication System patented in 1940.

FHSS versus DSSS

FHSS is a time-based narrowband hopping of frequencies.
DSSS is a broadband use of frequencies.

DSSS: Idea

DSSS: Encoding

Each bit is transformed into a sequence, called a chip or symbol.
In this example, the chipping code is called Barker 11.
Up to 9 bits can be lost.
(Figure labels: 2 MHz, 22 MHz)

DSSS Modulation: DBPSK / DQPSK

DBPSK: the data stream (e.g. 0 1 0 0 1 0 1 1) is carried by RF carrier symbols A (0° phase shift) and B (180° phase shift).
DQPSK: the data is split over an I channel and a Q channel; RF carrier symbols A (0°), B (90°), C (180°) and D (270° phase shift) each carry two bits.

Spread Spectrum Technologies: PMD

Spreading: the information signal (i.e. a symbol) is multiplied by a unique, high-rate digital code which stretches (spreads) its bandwidth before transmission.
Code bits are called chips.
The sequence is called the Barker code.

(Figure: Direct Sequence transmitter. PLCP -> Spreader (x), fed by a Code Generator producing the code bits (chips) -> Modulator -> Amplifier. The digital signal (bits) occupies a narrow frequency spectrum; after spreading it occupies a wide spread frequency spectrum.)

At the receiver, the spread signal is multiplied again by a synchronized replica of the same code, and is de-spread and recovered.
The outcome of the process is the original symbol.

(Figure: Direct Sequence receiver. Amplifier -> Modulator -> Correlator (x), fed by a Code Generator producing the code bits (chips) -> Descrambler -> PLCP. The spread frequency spectrum becomes the de-spread signal, the digital signal (bits).)
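The spreader and correlator of the DSSS slides, written out in Python as an added example that is not from the deck. The Barker-11 code is the sequence 802.11 DSSS uses; the antipodal bit mapping (bit 1 as +code, bit 0 as -code, the two DBPSK phases) and the sign-of-correlation decision are this example's own assumptions. It also shows the property that lets the receiver synchronize (the code's autocorrelation peaks at 11 and stays within ±1 elsewhere) and how many inverted chips a single symbol survives under this decision rule.

```python
# Barker-11 sequence, the chipping code named on the DSSS slides.
BARKER_11 = (1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1)
CHIPS_PER_BIT = len(BARKER_11)


def spread(bits):
    """Spreader: each data bit is multiplied by the whole code, so one bit becomes 11 chips.

    Bit 1 is sent as +code and bit 0 as -code (antipodal), which is what the
    0 / 180 degree DBPSK phase shifts carry. This mapping is an assumption of the example.
    """
    chips = []
    for b in bits:
        sign = 1 if b else -1
        chips.extend(sign * c for c in BARKER_11)
    return chips


def despread(chips):
    """Correlator: multiply each 11-chip block by a synchronised copy of the code and sum.

    A clean symbol correlates to +11 (bit 1) or -11 (bit 0); the sign of the sum decides.
    """
    if len(chips) % CHIPS_PER_BIT:
        raise ValueError("chip stream is not a whole number of symbols")
    bits = []
    for i in range(0, len(chips), CHIPS_PER_BIT):
        block = chips[i:i + CHIPS_PER_BIT]
        correlation = sum(c * k for c, k in zip(block, BARKER_11))
        bits.append(1 if correlation > 0 else 0)
    return bits


def invert_chips(chips, positions):
    """Constructed channel damage: flip the sign of the chips at the given indices."""
    damaged = list(chips)
    for p in positions:
        damaged[p] = -damaged[p]
    return damaged


def autocorrelation(code=BARKER_11):
    """Aperiodic autocorrelation for shifts 0..10.

    Barker codes peak at the code length for zero shift and never exceed 1 in
    magnitude at any other shift, which is why the receiver can find symbol boundaries.
    """
    n = len(code)
    return [sum(code[i] * code[i + s] for i in range(n - s)) for s in range(n)]


def max_correctable_flips():
    """With a sign decision a symbol survives as long as more chips are right than wrong."""
    return (CHIPS_PER_BIT - 1) // 2


if __name__ == "__main__":
    data = [0, 1, 1, 0, 1]
    tx = spread(data)
    print(despread(tx) == data)
    # Invert 5 of the 11 chips of the second symbol (indices 11..15): still decoded correctly.
    print(despread(invert_chips(tx, range(11, 16))) == data)
```

Flipping a sixth chip of the same symbol turns the correlation negative and the bit is decoded wrongly, which makes the processing gain of an 11-chip code concrete: the receiver tolerates errors in nearly half of the chips of each symbol.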

Orthogonal Frequency-Division Multiplexing

Of 64 subcarriers:
12 zero subcarriers (in black) on the sides and in the center
  The sides function as a frequency guard band, leaving 16.5-MHz occupied bandwidth
  The center subcarrier is zero for DC offset / carrier leak rejection
48 data subcarriers (in green) per symbol
4 pilot subcarriers (in red) per symbol for synchronization and tracking

OFDM Modulations: BPSK and QPSK

Uses the same principles as DBPSK and DQPSK: BPSK shifts 180°; QPSK shifts 90°.
Speed depends on the density of the signal per tone.

Modulation   Data Rate per Subchannel (kb/s)   Total Data Rate (Mb/s)
BPSK         125                               6
BPSK         187.5                             9
QPSK         250                               12
QPSK         375                               18

OFDM Modulation: QAM

With QAM, 90° shifts are associated with amplitude modulation.
With four amplitude positions, 16 values are possible.
OFDM for wireless uses 16-QAM and 64-QAM, with speeds up to 54 Mbps.
(Figure: conceptual illustration of the QAM constellation)

Channels and Overlap Issues

ISM band: 2400 MHz - 2484 MHz

Channel   Bottom of channel   Center frequency   Top of channel
number    (MHz)               (MHz)              (MHz)
1         2401                2412               2423
2         2406                2417               2428
3         2411                2422               2433
4         2416                2427               2438
5         2421                2432               2443
6         2426                2437               2448
7         2431                2442               2453
8         2436                2447               2458
9         2441                2452               2463
10        2446                2457               2468
11        2451                2462               2473
12        2456                2467               2478
13        2461                2472               2483

With channels built for 5-MHz interchannel spacing, each DSSS channel uses more than one channel.
Only three or four nonoverlapping channels are available in the 2.4-GHz ISM band.
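The channel table above follows from two numbers (channel 1 centred at 2412 MHz, 5 MHz spacing), and the overlap question is a range intersection. The Python below is an added example, not from the deck; it takes the 22 MHz DSSS width from the slide and, going one step beyond the text, assumes a 20 MHz width for OFDM (802.11g/n) to show where "three or four" comes from: three non-overlapping channels (1, 6, 11) at 22 MHz, four (1, 5, 9, 13) at 20 MHz. The function names and the greedy planning rule are this example's own.

```python
"""2.4 GHz channel plan: centre frequencies, occupied bandwidth and overlap."""

CHANNEL_SPACING_MHZ = 5       # inter-channel spacing from the slide
FIRST_CENTER_MHZ = 2412       # centre of channel 1
LAST_CHANNEL = 13             # the slide's table runs 1..13
DSSS_WIDTH_MHZ = 22           # 802.11b DSSS occupied bandwidth from the slide
OFDM_WIDTH_MHZ = 20           # 802.11g/n OFDM channel width (assumption, not on the slide)


def center_mhz(channel: int) -> int:
    if not 1 <= channel <= LAST_CHANNEL:
        raise ValueError(f"channel {channel} outside 1..{LAST_CHANNEL}")
    return FIRST_CENTER_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def channel_edges(channel: int, width_mhz: int = DSSS_WIDTH_MHZ) -> tuple:
    """(bottom, top) of the occupied band, as in the slide's table."""
    c = center_mhz(channel)
    return c - width_mhz // 2, c + width_mhz // 2


def channels_overlap(a: int, b: int, width_mhz: int = DSSS_WIDTH_MHZ) -> bool:
    """True when the two occupied bands share spectrum (edges that merely touch do not count)."""
    lo_a, hi_a = channel_edges(a, width_mhz)
    lo_b, hi_b = channel_edges(b, width_mhz)
    return lo_a < hi_b and lo_b < hi_a


def overlapping_channels(channel: int, width_mhz: int = DSSS_WIDTH_MHZ) -> list:
    """Every other channel an AP on `channel` would interfere with."""
    return [c for c in range(1, LAST_CHANNEL + 1)
            if c != channel and channels_overlap(channel, c, width_mhz)]


def non_overlapping_set(width_mhz: int = DSSS_WIDTH_MHZ) -> list:
    """Greedy plan: walk up the band and keep each channel that clears everything already kept."""
    chosen = []
    for c in range(1, LAST_CHANNEL + 1):
        if all(not channels_overlap(c, kept, width_mhz) for kept in chosen):
            chosen.append(c)
    return chosen


def channel_table(width_mhz: int = DSSS_WIDTH_MHZ) -> list:
    """Rows of (channel, bottom, centre, top) in MHz, reproducing the slide's table."""
    rows = []
    for c in range(1, LAST_CHANNEL + 1):
        bottom, top = channel_edges(c, width_mhz)
        rows.append((c, bottom, center_mhz(c), top))
    return rows


if __name__ == "__main__":
    for row in channel_table():
        print("ch %2d  %d - %d - %d MHz" % row)
    print("an AP on channel 6 collides with:", overlapping_channels(6))
    print("DSSS 22 MHz plan:", non_overlapping_set(DSSS_WIDTH_MHZ))
    print("OFDM 20 MHz plan:", non_overlapping_set(OFDM_WIDTH_MHZ))
```

The 20 MHz plan (1, 5, 9, 13) only works where channels 12 and 13 are permitted, which is why the country-based channel sets mentioned earlier matter for the design.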

Emerging Industry Standards

(Figure: 2.4 GHz WLAN market and 5 GHz WLAN market)

Understanding the 5 GHz spectrum

In Europe 8 + 11 non-overlapping channels, each 20 MHz wide.
(Figure: UNII-1, UNII-2 and UNII-3 bands, with channel groups of 4 Ch, 4 Ch, 11 Ch and 4 Ch)
UNII: Unlicensed National Information Infrastructure

DFS & TPC

Transmit Power Control (TPC):
Ensures that the minimum amount of radio power is used by the client to communicate with the Access Point.

Dynamic Frequency Selection (DFS):
Keep the selected frequency until interference is detected, then switch to a new frequency (radar detection).

Types of radars covered by DFS:
Civilian weather radars
Military naval navigation radars
Military air defense and missile systems radars

5 GHz WLAN standardisation issues: different high throughput standards

US: 802.11a
Europe: 802.11h (IEEE) and HiperLAN 2 (ETSI)
802.11h = 802.11a + TPC + DFS
TPC (Transmit Power Control): provides the minimum required transmitter power for EACH user, and so minimal interference to any other users or system.
DFS (Dynamic Frequency Selection): lets the device listen to what is happening in the airspace before picking a channel.
802.11h is backward-compatible with 802.11a, but it is likely that 802.11a products bought in the U.S. won't work with European 802.11h access points.
HiperLAN2 and 802.11a/h have nearly identical physical layers but are very different at the MAC (Media Access Control) level; products are not interoperable.

Designing wireless networks

Radio basics
WI-FI basics
Interference

Choosing a Channel

(Figure: spectrum view with two signals marked ??)

RF Output power

dBm is a measure of absolute power output.
Formula: dBm = 10 log10(Power in milliwatts)
An increase of 10 dBm means 10x the output power.

Examples:
0 dBm = 1 mW (Bluetooth)
10 dBm = 10 mW
20 dBm = 100 mW (802.11, phones)
30 dBm = 1 Watt (FCC limit)

RF Propagation Loss

dB is a relative power measurement.
Near field: 1 meter distance results in a 40 dB loss.
Every 2x increase in distance = 10 dB loss indoor (6 dB loss outdoor).

Examples (indoor):
2 meters = 50 dB loss
4 meters = 60 dB loss
8 meters = 70 dB loss

Netstumbler (screenshot)

InSSIDer (screenshot)

Wi-Fi Inspector (screenshot)

    Site survey: what constitutes an acceptable signal?

  • 7/30/2019 Designing Optimizing Securing Wireless Networks

    78/257

    www.jcacademy.com | Telindus 2012 | slide 77JOHN CORDIER ACADEMY

    Signal level

    Noise floor

    Packet completion rate

    A low RF signal does NOT mean poor communication

    A low signal quality DOES mean poor communication

    Recognizing (and Assessing) Problems


    802.11 stats are good secondary indicators that interference is having an impact

    Retries > 10%

    Data Rate lower than normal

    [Figure: received power level over time, showing average power, noise floor, fading depth, target SNR and error]

    > 40 dB SNR = Excellent signal (5 bars); always associated; lightning fast.

    25 dB to 40 dB SNR = Very good signal (3-4 bars); always associated; very fast.

    15 dB to 25 dB SNR = Low signal (2 bars); always associated; usually fast.

    10 dB to 15 dB SNR = Very low signal (1 bar); mostly associated; mostly slow.

    5 dB to 10 dB SNR = No signal; not associated; no go.
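The dBm formula, the 1 m / doubling loss rule and the SNR grades above, turned into a small Python helper. This is an added example, not code from the course slides: the function names, the 20 dBm / -95 dBm scenario values, the retry and data-rate interference check from the "Recognizing Problems" slide, and the treatment of any SNR below 10 dB as "no signal" are assumptions made here.

```python
"""RF link budget helper: dBm <-> mW, the slide's indoor/outdoor loss rule,
and the SNR grades from the table above. Added example, not course material."""
import math


def mw_to_dbm(milliwatts: float) -> float:
    """dBm = 10 * log10(P / 1 mW)."""
    if milliwatts <= 0:
        raise ValueError("power must be positive")
    return 10.0 * math.log10(milliwatts)


def dbm_to_mw(dbm: float) -> float:
    return 10.0 ** (dbm / 10.0)


def path_loss_db(distance_m: float, indoor: bool = True) -> float:
    """Slide rule of thumb: 40 dB at 1 m, then +10 dB (indoor) or +6 dB (outdoor)
    for every doubling of distance. A log-distance model, not a site survey."""
    if distance_m < 1.0:
        raise ValueError("rule of thumb only defined from 1 m (near field) outward")
    per_doubling = 10.0 if indoor else 6.0
    return 40.0 + per_doubling * math.log2(distance_m)


def received_dbm(tx_dbm: float, distance_m: float, indoor: bool = True) -> float:
    return tx_dbm - path_loss_db(distance_m, indoor)


def snr_db(signal_dbm: float, noise_floor_dbm: float) -> float:
    return signal_dbm - noise_floor_dbm


def snr_grade(snr: float) -> str:
    """Grades as listed on the slide; below 10 dB is treated as 'no signal' (assumption)."""
    if snr > 40:
        return "excellent"
    if snr >= 25:
        return "very good"
    if snr >= 15:
        return "low"
    if snr >= 10:
        return "very low"
    return "no signal"


def interference_suspected(retry_pct: float, data_rate_mbps: float, normal_rate_mbps: float) -> bool:
    """Secondary indicators from the 'Recognizing Problems' slide: retries above 10 %
    or a data rate below what the link normally negotiates."""
    return retry_pct > 10.0 or data_rate_mbps < normal_rate_mbps


def link_report(tx_dbm: float, distance_m: float, noise_floor_dbm: float, indoor: bool = True) -> dict:
    """Received level, SNR and grade for one client position."""
    rx = received_dbm(tx_dbm, distance_m, indoor)
    snr = snr_db(rx, noise_floor_dbm)
    return {"rx_dbm": round(rx, 1), "snr_db": round(snr, 1), "grade": snr_grade(snr)}


if __name__ == "__main__":
    # Constructed scenario: a 20 dBm (100 mW) AP, a client 8 m and 64 m away,
    # and an assumed -95 dBm noise floor.
    print(link_report(20, 8, -95))                  # rx -50 dBm, SNR 45 dB -> excellent
    print(link_report(20, 64, -95))                 # rx -80 dBm, SNR 15 dB -> low
    print(link_report(20, 64, -95, indoor=False))   # outdoor: rx -56 dBm -> very good
    print(interference_suspected(retry_pct=12.0, data_rate_mbps=54, normal_rate_mbps=54))
```

Note that the indoor rule (10 dB per doubling) is far more pessimistic than the outdoor one: at 64 m the indoor client is already at the bottom of the "low" band, while the outdoor client at the same distance still grades "very good".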


    Non-WiFi Interference Sources

    Wireless video cameras

    Fluorescent lights

    Bluetooth

    Microwave ovens

    2.4/5 GHz cordless phones

    Radar

    Wireless headphones

    Wireless game controllers

    Motion detectors

    http://www.1000bulbs.com/category.php?category=12

    802.11b Signature

    Arch

    ~22 MHz wide

    Centered on 802.11 channel


    802.11g Signature

    Flat

    Sloping shoulders

    ~18 MHz wide

    Centered on 802.11 channel


    Planning Tools Cisco Spectrum Expert

    Example: Microwave


    How to Mitigate Problems

    Find and Remove Interference Device!

    Shield Interference Device

    Grounded shield

    Change channels of AP

    e.g. a microwave oven affecting some frequencies worse than others

    Increase Tx Power of AP

    Possibly use directional antenna to direct more power in desired areas.

    Tx Data Rate controls

    Don't allow the lowest data rates, to avoid false back-off

    Trade-off because lower data rates are more noise immune

    Designing, optimizing and Securing Wireless Networks


    01. Designing

    Introducing Wireless Networks and Topologies

    Radio basics, WI-FI basics and Interference

    802.11n

    Architecture

    Site Survey

    02. Optimizing

    Throughput

    QoS: 802.11e

    Voice on Wireless

    03. Securing

    Encryption and authentication standards

    802.1x framework


    Designing wireless networks

    802.11n

    What does 802.11n deliver?


    Ways to increase data rate: Conventional


    Conventional single tx and rx radio systems

    Increase transmit power

    Subject to power amplifier and regulatory limits

    Increases interference to other devices

    Reduces battery life

    Use high gain directional antennas

    Fixed direction(s) limit coverage to given sector(s)

    Ways to increase data rate: the 802.11n way

    Single Input Single Output

    Single transmit, single spatial stream, single receive

    Multiple Input Multiple Output

    MULTIPATH =

    MIMO Overview


    Maximal Ratio Combining

    Transmit Beam Forming


    MIMO increases physical data rates for all clients

    Today: before MIMO

    Tomorrow: MIMO on AP

    Future: MIMO on AP & client

    More Reliable, Predictable Connectivity for All Clients

    Channel Bonding


    Guard Interval


    Expected data rates


    Existing 802.11 WLAN Standards


    Feature                          802.11b      802.11a      802.11g            802.11n
    Standard approved                Sept. 1999   Sept. 1999   June 2003          2009
    Available bandwidth              83.5 MHz     580 MHz      83.5 MHz           83.5/580 MHz
    Frequency band of operation      2.4 GHz      5 GHz        2.4 GHz            2.4/5 GHz
    # non-overlapping channels (US)  3            24           3                  3/24
    Data rate per channel            1-11 Mbps    6-54 Mbps    1-54 Mbps          1-600 Mbps
    Modulation type                  DSSS, CCK    OFDM         DSSS, CCK, OFDM    DSSS, CCK, OFDM, MIMO


    Designing wireless networks

    Architecture

    WLAN architectures overview


    Ad-hoc architecture

    Bridged architecture

    Infrastructure architecture

    Infrastructure evolution: wireless switches

    Responsibilities (e.g. QoS, encryption, ...) are moving from the AP to:

    a wireless switch (e.g. Trapeze, Extreme, ...)

    an appliance (Bluesocket, ...)

    another access point (WDS in Cisco)

    Some call this "thin APs"

    Different protocols possible: GRE, LWAPP, WLCCP

    Independent (Fat) Access Points

    Cisco Aironet

    Dependent (Thin) Access Points + Controller

    Cisco Airespace

    WI-FI Array

    Mesh

    Basic wireless network

    BUT, a wireless network is more complex

    What happens with more than one wireless device?

    Shared channel and CSMA/CA

    How can you get more capacity?

    More than one channel possible:

    Limitation of channels

    Evolution of SISO to MIMO

    How can you make a larger network?

    Multiple access points with the same name = SSID.

    How can you have different separated networks?

    Different SSIDs:

    Wireless VLANs.

    802.11a/b/g Review

    802.11b

    Ratified in 1999

    Operates in 2.4GHz spectrum

    Data Rates: 1, 2, 5.5, 11Mbps

    Available Channels: 11 (3 used)

    802.11a

    Ratified in 2000

    Operates in 5GHz spectrum

    Data Rates: 6, 9, 12, 18, 24, 36, 48, 54Mbps

    Available Channels: 24 (19 used in EU)

    802.11g

    Ratified in 2000

    Operates in 2.4GHz spectrum

    Data Rates: 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54Mbps

    Available Channels: 11 (3 used)

    Backward compatible with 802.11b

    Limitation of channels 2.4GHz

    20 MHz bandwidth.

    Modulation needed.

    Non-overlapping channels (1, 6, 11).

    802.11a/b/g: Cell Planning

    802.11b/g Channels = 3

    Distance to cell with same channel is less than a single cell

    Sensitive to co-channel interference

    (from other cells on the same channel)

    -------------------------------------------------------------------------------------

    802.11a Channels = 19

    High Performance: 8 times the capacity

    Far less interference from cells on same channel

    More channels to avoid interference

    How can you make a larger network?

    Connecting different access points with different channels to one network.

    Work with the same name (SSID).

    SSID: data

    How can you have different separated networks?


    Network name = SSID

    32 octets long

    Case sensitive

    Used to tell a wireless station what network to join

    One network has one SSID, can be installed over different access points

    An access point can have more than one SSID

    How can you have different separated networks?


    Configure a SSID (network) per VLAN

    Same VLANs wired as wireless

    Access point maps VLANs to Service Set Identifiers (SSIDs)

    Static SSID-to-VLAN

    Dynamic RADIUS-based VLAN assignment (role-based VLANs)

    SSID: data

    SSID: voice

    Wireless VLANs

    Allows a single WLAN 802.1q trunk to handle different devices and applications with different types of security

    [Figure: one AP on channel 6 serving three SSIDs]

    SSID: Data, security: PEAP + AES, SSID Data = VLAN 1

    SSID: Voice, security: LEAP + WPA, SSID Voice = VLAN 2

    SSID: Visitor, security: Open, SSID Visitor = VLAN 3

    802.11a/b/g Best Practices

    Recommendations

    Technologies

    802.11b-only is end-of-life, avoid if at all possible

    Buy 802.11a/b/g adapters at a minimum

    Transition to the 5GHz spectrum (802.11a now, 802.11n next) to achieve:

    Increased capacity

    Significantly reduced interference

    Simplified channel planning

    Use multiple radios on different channels in a given cell to increase capacity

    Limit the number of users per radio to about 12-15

    Lower this limit if using voice to about 8-10

    Why Power over Ethernet

    Simplicity

    A single connection provides network and power to end devices

    AC-Free Deployments

    No AC power required to support end devices

    Mobility

    Low voltage, Ethernet Powered Devices can be easily moved

    Safety

    48 V DC low-voltage PoE reduces user exposure to local AC power circuits

    Operational Resiliency

    Centralized power solution allows for a centralized UPS deployment

    Power over Ethernet (PoE) Delivery

    Common Mode Resistor Discovery

    Optional classification (4, 7 or 15.4 Watts, before power on)

    Up to 15.4 Watts

    Power Off on Disconnect (DC/AC)

    Power over Ethernet Plus (PoE+)


    IEEE 802.3at

    Max power 30-60 Watt

    On category 5 cables

    Problem: what is the maximum power through a CAT 5 cable?

    Equipment that needs more power:

    Some diskless CPUs

    Access points with more versions of 802.11

    Cameras with motors

    IP phones with colour video.


    Designing wireless networks

    Site Survey

    Site survey


    Site survey: channel selection


    [Figure: example channel plan with six APs on the three non-overlapping channels: AP1 channel 1, AP2 channel 6, AP3 channel 11, AP4 channel 1, AP5 channel 6, AP6 channel 11]

    Site survey: data rates

    Overlap for voice should be 15-20%, for data only 10-15%


    Preferably survey with the AP and wireless client that you intend to deploy

    [Figure: the same area surveyed at 36 Mbps and at 54 Mbps; Airmagnet Surveyor and Airmagnet Surveyor: SNR G]


    Ekahau Heatmapper


    Site Survey prepares for 802.11n


    Overlap for data traffic


    [Figure: two access points on a LAN backbone, each serving wireless clients, with overlapping cells]

    Overlapping 10-15% allows remote users to roam without losing RF connections

    802.11n Deployment Expectations: Data services

    Overlap: 10-15%

    Range: 10-15% increase in maximum range versus an AP1130; recommended 1:1 replacement of an 802.11a/g deployment

    Coverage: 10-20% increase in 802.11a/g high data rate coverage; more uniform coverage versus an AP1130

    Capacity: maximum data rates of 144Mbps in 2.4GHz and 300Mbps in 5GHz

    Impact on speed and range with 11n?

    Test results between 2 Cisco APs: Cisco 1240 a/g AP vs. Cisco 1250 a/g/n AP

    Example Speed vs. Range Comparison: Cisco 1240 and 1250 11A Active Survey

    [Figure: active survey range plots, 28 m and 31 m]

    Example Speed vs. Range Comparison: 1240 and 1250 11G Active Survey

    [Figure: active survey range plots, 34 m and 45 m]

    802.11n Deployment Expectations: Voice services

    Plan for the same number of calls per AP as 11a/g (15-25 calls)

    Voice over WiFi phones still top out at 54Mbps

    No 11n WiFi phones on the market right now

    Expect better voice reliability, especially in the upstream direction (phone to AP)

    Overlap: 20-25%

    Recommendations: forget about 11b, use 5 GHz, disable speeds lower than 12 Mbps

    RF Interference and Noise Floor

    Optimizing wireless networks

    Throughput

    The Physical Components

    [Figure: OSI stack. L7 Application, L6 Presentation, L5 Session, L4 Transport, L3 Network; L2 Data Link = Logical Link Control sublayer (LLC) over the Media Access Control sublayer (MAC); L1 Physical = Physical Layer Convergence Procedure (PLCP) over the Physical Medium Dependent sublayer (PMD). "This is WI-FI": 802.11 covers the MAC sublayer and the physical layer]

    Classes of frames


    Data frames

    Carry higher level protocol data

    Control frames

    Administration of the access to the wireless medium

    RTS/CTS, ACK, ...

    Management frames

    Beacon transmitted at regular intervals to allow wireless devices to find networks and match parameters with the AP

    Association and authentication frames

    Probe Request / Probe Response

    Frame Format: Frame Control


    Frame Format: Duration & Sequence Control


    Frame Format: Addressing: BSS


    At least 3 MAC addresses are used:

    Destination address (DA)

    Source address (SA)

    Address of the access point (BSSID)

    Address 4 is optional and used in bridging

    [Figure: frame with DA, BSSID and SA fields]
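The header layout just described, as an added Python parser; this is example code written for this page, not the course's material. It decodes Frame Control (type, subtype, ToDS/FromDS, Retry, Protected), Duration, the three or four addresses and Sequence Control, and names the DA/SA/BSSID roles from the ToDS/FromDS bits. The subtype tables are the standard 802.11 values; the sample frames below are constructed byte strings and `parse_header`, `is_well_formed` and `frame_kinds` are names chosen here.

```python
"""Parser for the fixed part of an 802.11 MAC header (added example, not course code)."""
import struct
from collections import Counter

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 3: "reassociation response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication",
                 12: "deauthentication", 13: "action"}
CTRL_SUBTYPES = {8: "block ack request", 9: "block ack", 10: "ps-poll",
                 11: "rts", 12: "cts", 13: "ack"}
DATA_SUBTYPES = {0: "data", 4: "null", 8: "qos data"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Decode the MAC header; raises ValueError when the frame is truncated."""
    if len(frame) < 10:
        raise ValueError("too short for any 802.11 header")
    fc, duration = struct.unpack_from("<HH", frame, 0)   # both little-endian
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    names = {0: MGMT_SUBTYPES, 1: CTRL_SUBTYPES, 2: DATA_SUBTYPES}.get(ftype, {})
    out = {"version": fc & 0x3, "type": TYPE_NAMES.get(ftype, "reserved"),
           "subtype": names.get(subtype, f"subtype {subtype}"), "duration": duration,
           "to_ds": to_ds, "from_ds": from_ds,
           "retry": bool(flags & 0x08), "protected": bool(flags & 0x40)}
    a1 = frame[4:10]
    if ftype == 1:                      # control frames: RA only, TA for RTS/BA/PS-Poll
        roles, hdr_len = {"ra": a1}, 10
        if subtype in (8, 9, 10, 11):
            if len(frame) < 16:
                raise ValueError("control frame with TA truncated")
            roles["ta"], hdr_len = frame[10:16], 16
    else:
        if len(frame) < 24:
            raise ValueError("management/data header needs 24 bytes")
        a2, a3 = frame[10:16], frame[16:22]
        seq_ctrl, = struct.unpack_from("<H", frame, 22)
        out["fragment"], out["sequence"] = seq_ctrl & 0xF, seq_ctrl >> 4
        hdr_len = 24
        if ftype == 2 and to_ds and from_ds:    # bridging (WDS): four addresses
            if len(frame) < 30:
                raise ValueError("4-address frame truncated")
            roles, hdr_len = {"ra": a1, "ta": a2, "da": a3, "sa": frame[24:30]}, 30
        elif ftype == 2 and to_ds:            # station -> AP
            roles = {"bssid": a1, "sa": a2, "da": a3}
        elif ftype == 2 and from_ds:          # AP -> station
            roles = {"da": a1, "bssid": a2, "sa": a3}
        else:                                 # IBSS data and every management frame
            roles = {"da": a1, "sa": a2, "bssid": a3}
    out.update({k: mac_str(v) for k, v in roles.items()})
    out["header_len"] = hdr_len
    return out


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_header(frame)
        return True
    except ValueError:
        return False


def frame_kinds(frames) -> dict:
    """Count frames by type/subtype: the first step of any management-frame monitor."""
    counts = Counter()
    for f in frames:
        h = parse_header(f)
        counts[f"{h['type']}/{h['subtype']}"] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample frames (header only): a beacon, a protected data frame
    # from a station to its AP, and a deauthentication from the AP to that station.
    beacon = bytes.fromhex("80000000" "ffffffffffff" "001122334455" "001122334455" "204d")
    data = bytes.fromhex("08410000" "001122334455" "aabbccddeeff" "010203040506" "0010")
    deauth = bytes.fromhex("c0000000" "aabbccddeeff" "001122334455" "001122334455" "0000")
    for f in (beacon, data, deauth):
        print(parse_header(f))
    print(frame_kinds([beacon, data, deauth, deauth]))
```

The DS-bit table in the data branch is the part worth remembering: the same three address slots mean different things depending on whether the frame travels to or from the distribution system, so a monitor that reads "address 2" as the source of every frame will misattribute AP-to-station traffic.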

    How does your client connect to the AP?

    [Figure: step 1, BEACON from the AP]

    Management Frame: Beacon

    The access point periodically sends a beacon frame to announce its presence and relay information, such as timestamp, SSID, ...

    Clients continually scan all channels and listen to beacons as the basis for choosing which access point is best to associate with.

    In infrastructure networks

    Access points periodically send beacons.

    In general, the beacon interval is set to 100ms, which provides good performance for most applications.

    In ad hoc networks

    There are no access points.

    One of the peer stations assumes the responsibility for sending the beacon.

    Used in passive scanning

    Management Frame: Beacon (used in passive scanning)

    [Figure: beacon frame, Capability Info field]

    How does your client connect to the AP?

    [Figure: BEACON, PROBE REQUEST, PROBE RESPONSE]

    Management Frame: Probes

    Probe request frame

    Used in active scanning

    A station sends a probe request frame when it needs to obtain information from another station. For example, a station would send a probe request to determine which access points are within range.

    Probe response frame

    A station will respond with a probe response frame, containing capability information, supported data rates, etc., after it receives a probe request frame.

    Management Frame: Probes, Request (used in active scanning)

    [Figure: probe request frame]

    Management Frame: Probes, Response (used in active scanning)

    [Figure: probe response frame]

    How does your client connect to the AP?

    [Figure: BEACON, PROBE REQUEST, PROBE RESPONSE, OPEN OR SHARED AUTHENTICATION, ASSOCIATION REQUEST, ASSOCIATION RESPONSE]

    Management Frame: Association

    To establish a relationship with the Access Point

    Association request frame

    This frame carries information about the station (e.g., supported data rates) and the SSID of the network it wishes to associate with.

    Association response frame

    An access point sends an association response frame containing an acceptance or rejection notice to the station requesting association.

    Disassociation frame

    A station sends a disassociation frame to another station if it wishes to terminate the association.

    Management Frame: Association

    Stations scan the frequency band and select the Access Point with the best communications quality

    Active Scan (sending a Probe request)

    Passive Scan (assessing communications quality from beacon messages)

    Access Point maintains a list of associated stations in MAC firmware

    Records station capability (data rate)

    To allow inter-BSS relay

    The station's MAC address is also maintained in the bridge learn table, associated with the port it is located on

    Traffic flow - Inter-BSS

    [Figure: STA-1 and STA-2 (wireless PC-cards) associated to the same AP in BSS-A. The AP keeps an association table (STA-1, STA-2) and a bridge learn table with both stations on its wireless port (port 2). A packet from STA-1 for STA-2 is acknowledged by the AP, relayed by the AP to STA-2 (inter-BSS relay) and acknowledged by STA-2]

    Traffic flow - ESS operation

    [Figure: STA-1 in BSS-A and STA-2 in BSS-B, each with its own AP. Each AP keeps an association table with its own station and a bridge learn table listing its own station on the wireless port (2) and the other station on the wired port (1). A packet from STA-1 for STA-2 is acknowledged by the first AP, forwarded over the wired backbone to the second AP, and delivered to STA-2, which acknowledges it]

    Multiple access

    Distributed Coordination Function (DCF): CSMA/CA, contention based access

    Priority Coordination Function (PCF)

    Contention free periods

    Tricky and not used in commercial products

    Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)

    Medium is free for a DCF Inter Frame Space (DIFS): immediate access

    Medium is busy: transmission is deferred by DIFS + random time

    Collision avoidance (but not elimination!)

    [Figure: DCF timing. After the medium goes idle, SIFS < PIFS < DIFS; immediate access when the medium is idle >= DIFS; otherwise defer access, then select a slot in the contention window (backoff window of slot times) and decrement the backoff as long as the medium stays idle before sending data]

    Back-Off Timer

    Back-off time is calculated in slots

    Starting with a random number drawn from a window of 2^x - 1 slots

    Ascending integer powers of 2 minus 1 if transmission fails

    [Figure: three sources contending. After each DIFS the contention window grows: 7 slots, then 15 slots, then 31 slots]
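An added Python model of the backoff rule above (example code, not from the course): stations draw a random slot from a window of 2^x - 1 slots, count down only while the medium is idle, keep their remaining count when they lose a round, and double the window (7, 15, 31, ...) after a collision. The 2^10 - 1 ceiling, the 9 us slot and 34 us DIFS are assumed 802.11a/g values; the class and function names are chosen here.

```python
"""Toy model of 802.11 DCF binary exponential backoff (added example, not course code)."""
import random
from dataclasses import dataclass

CW_MIN = 7       # 2^3 - 1 slots: first contention window (the figure's 7 slots)
CW_MAX = 1023    # 2^10 - 1 slots: assumed ceiling, not on the slide
SLOT_US = 9      # assumed 802.11a/g slot time
DIFS_US = 34     # assumed 802.11a/g DIFS


def next_cw(cw: int) -> int:
    """After a failed transmission the window grows to the next 2^n - 1."""
    return min(2 * cw + 1, CW_MAX)


@dataclass
class Station:
    name: str
    cw: int = CW_MIN
    backoff: int = 0      # remaining idle slots before this station transmits
    retries: int = 0

    def draw_backoff(self, rng=random) -> int:
        """Pick a uniform random slot in [0, cw]."""
        self.backoff = rng.randint(0, self.cw)
        return self.backoff


def contention_round(stations, rng=random):
    """Run one DIFS + backoff countdown over an idle medium.

    Every station decrements its counter in lock-step, so the smallest remaining
    backoff transmits first. Losers keep their remaining count for the next round
    (the slide's "defers, but keeps backoff"). Stations reaching zero in the same
    slot collide: each doubles its window and redraws.
    Returns (winner name or None, collided, idle slots waited).
    """
    first = min(st.backoff for st in stations)
    transmitters = [st for st in stations if st.backoff == first]
    for st in stations:
        if st.backoff != first:
            st.backoff -= first
    if len(transmitters) == 1:
        winner = transmitters[0]
        winner.cw, winner.retries = CW_MIN, 0   # success resets the window
        winner.draw_backoff(rng)                # backoff for its next frame
        return winner.name, False, first
    for st in transmitters:
        st.cw = next_cw(st.cw)
        st.retries += 1
        st.draw_backoff(rng)
    return None, True, first


def wait_time_us(idle_slots: int) -> int:
    """Time a frame waits before it starts: DIFS plus the slots counted down."""
    return DIFS_US + idle_slots * SLOT_US


def simulate(names, rounds, seed=0):
    """Random scenario: wins per station, collisions, and the largest window reached."""
    rng = random.Random(seed)
    stations = [Station(n) for n in names]
    for st in stations:
        st.draw_backoff(rng)
    wins = {n: 0 for n in names}
    collisions = 0
    for _ in range(rounds):
        winner, collided, _ = contention_round(stations, rng)
        if collided:
            collisions += 1
        else:
            wins[winner] += 1
    return wins, collisions, max(st.cw for st in stations)


if __name__ == "__main__":
    print(simulate(["Source 1", "Source 2", "Source 3"], rounds=200, seed=3))
```

With three stations the collision rate stays noticeable even though the window doubles after every collision: the scheme avoids collisions, it does not eliminate them, which is exactly why the ACK described next is needed.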

    Two way delivery: data-acknowledgement

    Two frames: a frame sent from source to destination, and an acknowledgement sent from destination back to source

    The exchange of this pair of frames is atomic in the MAC protocol: it cannot be interrupted

    If an acknowledgement is not received, the MAC will retransmit

    Reduces latency compared to letting a higher layer protocol

    [Figure: after DIFS the source sends Data; the destination answers with ACK after SIFS; other stations defer, then contend in the backoff window (slot times) after the next DIFS]

    Broadcast and Multicast have no ACK!!!!!

    Hidden node problem

    Carrier sensing may not work due to a hidden terminal

    RTS/CTS reservation mechanism

    If A starts sending, C might also start sending, resulting in a collision at B

    [Figure: stations A, B and C in a line; A's RTS range reaches B but not C; B's CTS range reaches both A and C]

    Four way delivery: virtual carrier sensing

    Duration field in all frames

    Including RTS and CTS, monitored by every station


    Duration field is used to construct a network allocation vector (NAV)
    Inhibits transmission even if no carrier is detected
    Figure: Source 1 sends RTS; Destination 1 replies CTS after SIFS; Source 1 sends Data after SIFS; Destination 1 replies ACK after SIFS. Source 2 / Destination 2 and Source 3 / Destination 3 set their NAV on hearing the RTS, the CTS, the Data or the ACK. One station had 2 backoff slots left: it defers, but keeps its backoff of 2 slots. After the exchange the others contend again after DIFS with backoffs of 7 and 9 slots.
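The backoff slides above (a window starting at 7 slots and doubling on every failed transmission) and the NAV slide, worked through as an added example that is not part of the course material. It assumes 802.11b DSSS timing (slot 20 µs, SIFS 10 µs, long PLCP preamble plus header 192 µs), the standard 20/14/14-byte RTS/CTS/ACK frames, and a window cap of 1023 slots; the function names (contention_window, contend, nav_durations_us, update_nav, exchange_time_us) are my own.

```python
import random

# Added worked example, not course material: DCF binary exponential backoff
# and the NAV that the Duration field of RTS / CTS / Data frames sets.
# Assumed 802.11b DSSS timing: slot 20 us, SIFS 10 us, DIFS = SIFS + 2 slots,
# long PLCP preamble (144 us) + PLCP header (48 us) in front of every frame.
SLOT_US = 20
SIFS_US = 10
DIFS_US = SIFS_US + 2 * SLOT_US   # 50 us
PLCP_US = 192
CW_MAX = 1023                     # assumed upper bound of the window, in slots
RTS_BYTES, CTS_BYTES, ACK_BYTES = 20, 14, 14


def contention_window(retry, cw_min=7):
    """Backoff window (slots) after `retry` failed attempts: 7 -> 15 -> 31 -> ...

    Each failure moves to the next power of two minus one, capped at CW_MAX.
    """
    cw = cw_min
    for _ in range(retry):
        cw = min(2 * cw + 1, CW_MAX)
    return cw


def draw_backoff(retry, cw_min=7, rng=random):
    """Random slot count in [0, CW]; counted down after DIFS while idle."""
    return rng.randint(0, contention_window(retry, cw_min))


def contend(residual):
    """One contention round for stations with residual backoff counts (slots).

    The lowest count wins the medium. The others defer but keep what is left
    of their backoff (the '2 slots' station in the figure). Two equal lowest
    counts mean a collision: both would retry with a doubled window.
    """
    lowest = min(residual.values())
    winners = [s for s, r in residual.items() if r == lowest]
    remaining = {s: r - lowest for s, r in residual.items() if r != lowest}
    return winners, remaining


def airtime_us(mpdu_bytes, rate_mbps):
    """Time on air of one frame: PLCP preamble + header, then the MPDU bits."""
    return PLCP_US + mpdu_bytes * 8 / rate_mbps


def nav_durations_us(data_mpdu_bytes, data_rate_mbps, ctrl_rate_mbps=2):
    """Duration value each frame of the RTS/CTS/Data/ACK exchange announces.

    Every frame carries how long the rest of the exchange still needs, so a
    station that hears only one of them (the hidden-node case) can still set
    its NAV for the remainder. Control frames go at the basic rate (2 Mbps).
    """
    t_cts = airtime_us(CTS_BYTES, ctrl_rate_mbps)
    t_ack = airtime_us(ACK_BYTES, ctrl_rate_mbps)
    t_data = airtime_us(data_mpdu_bytes, data_rate_mbps)
    return {
        "RTS": 3 * SIFS_US + t_cts + t_data + t_ack,
        "CTS": 2 * SIFS_US + t_data + t_ack,
        "Data": SIFS_US + t_ack,
        "ACK": 0,
    }


def update_nav(current_nav_us, duration_field_us):
    """A station only ever lengthens its NAV; a shorter value never cuts it."""
    return max(current_nav_us, duration_field_us)


def exchange_time_us(data_mpdu_bytes, data_rate_mbps, ctrl_rate_mbps=2):
    """Channel time of a full four-way exchange, RTS through ACK, after DIFS."""
    t_rts = airtime_us(RTS_BYTES, ctrl_rate_mbps)
    return t_rts + nav_durations_us(data_mpdu_bytes, data_rate_mbps, ctrl_rate_mbps)["RTS"]
```

`contend({"S1": 7, "S2": 2, "S3": 9})` reproduces the figure: S2 wins, S1 and S3 keep 5 and 7 slots for the next round. `nav_durations_us(1536, 11)` shows that the RTS and CTS reserve the whole exchange while the Data frame only reserves the ACK, which is why a station in CTS range only still stays quiet for the entire transfer.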

    802.11g throughput
    Compatibility mode requires 11g OFDM packets to be preceded by an RTS/CTS or CTS packet exchange
    Additional overhead
    Figure: the same RTS / CTS / Data / ACK exchange with Source 1 an 11g station and Source 2 and Source 3 11b stations; the Data frame is sent as OFDM, the 11b stations set their NAV from the RTS and CTS and defer (backoffs of 2, 7 and 9 slots). Extra delay because the protection exchange is sent @ 11 Mbps.

    Message fragmentation
    IEEE 802.11 defines a function to transmit large messages as smaller frames
    Improves performance in RF polluted environments
    Can be switched off to avoid the overhead in RF clean environments
    A hit in a large frame requires re-transmission of a large frame
    Fragmenting reduces the frame size and the time required to re-transmit
    Figure: a "hit" (interference burst) on an unfragmented frame versus on a single fragment.

    802.11n and data link layer


    The Physical Components
    Figure: OSI stack with the Wi-Fi part highlighted.
    L7 APPLICATION
    L6 PRESENTATION
    L5 SESSION
    L4 TRANSPORT
    L3 NETWORK
    L2 DATA LINK: Logical Link Control sublayer (LLC); Media Access Control sublayer (MAC)
    L1 PHYSICAL: Physical Layer Convergence Procedure (PLCP); Physical Medium Dependent (PMD)
    This is WI-FI: the MAC sublayer and the physical layer (PLCP, PMD)

    Designing, optimizing and Securing Wireless Networks

    01. Designing
    Introducing Wireless Networks and Topologies
    Radio basics, WI-FI basics and Interference
    802.11n
    Architecture
    Site Survey
    02. Optimizing
    Throughput
    QoS: 802.11e
    Voice on Wireless
    03. Securing
    Encryption and authentication standards
    802.1x framework


    Optimizing wireless networks: QoS: 802.11e

    QoS Requirements for Applications

                          Voice             FTP                ERP and Mission-Critical
    Bandwidth             Low to Moderate   Moderate to High   Varies
    Loss Sensitivity      Low               High               Moderate to High
    Delay Sensitive       High              Low                Low to Moderate
    Jitter Sensitive      High              Low                Varies

    Traffic should be grouped into classes that have similar QoS requirements

    802.11e and Wi-Fi
    Modification of the MAC architecture to support QoS
    Two new channel access functions:
    Priority classes: Enhanced Distributed Coordination Access (EDCA)
    Polled access: HCF Coordinated Channel Access (HCCA)
    Subsets defined by Wi-Fi: Wireless Multimedia (WMM)
    WME (Wi-Fi Multimedia Extensions) ~ EDCA
    Parametrised QoS
    WSM (Wi-Fi Scheduled MultiMedia) ~ HCCA
    Guaranteed QoS


    WMM Access Category timings

    WMM will initially use WME


    WME vs. WSM

    WME                                            WSM
    Based on 802.11e draft                         Based on 802.11e draft, includes WME
    Based on EDCA (Enhanced Distributed            Based on HCCA (HCF Coordinated Channel
    Coordination Access)                           Access)
    EDCA provides priority classes of service      HCCA reserves bandwidth based on traffic
                                                   specifications from client devices
    Best suited for one way audio applications     Best suited for two way streaming media
                                                   (voice, video)
    Triggered APSD optional                        Uses Scheduled APSD, suitable for power save

    Existing QoS mechanisms: 802.1p, IP precedence, DSCP
    Layer 2: 802.1Q/p on LAN segments
    Three bits CoS (802.1p User Priority)
    Figure: Ethernet frame (Preamble, SFD, DA, SA, 4-byte 802.1Q/p tag with PRI, CFI and VLAN ID, Type, Data, FCS); Layer 2 classification = 802.1p CoS.
    Layer 3: IP end to end
    Figure: IP header (Version, Length, ToS byte, Len, ID, Offset, TTL, Proto, FCS, IP SA, IP DA, Data); the ToS byte holds the IP precedence (3 bits) or the DSCP (6 bits); Layer 3 classification = IP Precedence, DSCP.


    Redefinition RFC 1349: it is possible to map 802.1q directly into ToS Precedence
    Figure: IP header (Version, Length, ToS 1 byte, Len, ID, offset, TTL, Proto, FCS, IP-SA, IP-DA, Data)

    IP Type of Service (ToS) byte, bits 0-7:
    Bits 0-2: Precedence
    111 - Network Control
    110 - Internetwork Control
    101 - CRITIC/ECP
    100 - Flash Override
    011 - Flash
    010 - Immediate
    001 - Priority
    000 - Routine
    Bits 3-6: Type of Service (RFC 1349)
    0000 all normal
    1000 minimize delay
    0100 maximize throughput
    0010 maximize reliability
    0001 minimize monetary cost
    Bit 7: MBZ (must be zero, RFC 1122)

    Classification: DSCP Values
    DS field = DSCP (6 bits) + CU (2 bits)

    Drop precedence            Class #1             Class #2             Class #3             Class #4
    Low drop precedence        AF11 (001010) = 10   AF21 (010010) = 18   AF31 (011010) = 26   AF41 (100010) = 34
    Medium drop precedence     AF12 (001100) = 12   AF22 (010100) = 20   AF32 (011100) = 28   AF42 (100100) = 36
    High drop precedence       AF13 (001110) = 14   AF23 (010110) = 22   AF33 (011110) = 30   AF43 (100110) = 38

    High Priority = EF = 101110 = 46
    Best Effort = 000000 = 0

    L2 QoS marking: wireless LANs
    Standard mappings by WMM (but may be customized)

    Access category               Description                                                         802.1Q/p tags   DSCP
    WME voice priority (ACI 3)    Highest priority. Allows multiple concurrent VoIP calls with        7,6             EF
                                  low latency and toll voice quality
    WME video priority (ACI 2)    Prioritize video traffic above other data traffic. One 802.11g/a    5,4             AF4x
                                  channel can support 3-4 SDTV streams or 1 HDTV stream
    WME best effort (ACI 0)       Traffic from legacy devices or from applications that lack QoS      0,3             BE
                                  capabilities. Traffic less sensitive to latency but affected by
                                  long delays, such as internet surfing
    WME background (ACI 1)        Low priority traffic (file downloads, print jobs) that does not      1,2             AF2x
                                  have strict latency and throughput requirements
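The ToS/precedence slides, the DSCP AF table and the WMM mapping table above, worked through as an added example that is not course material: it encodes and decodes the ToS/DS byte both ways (RFC 1349 precedence plus ToS flags, and DSCP names), and applies the slide's default WMM table to decide the access category from either a DSCP or an 802.1p tag. The function names (af_dscp, dscp_name, ds_byte, decode_tos_rfc1349, access_category_from_dscp, access_category_from_dot1p) and the WMM_DEFAULTS dictionary are my own; the values inside WMM_DEFAULTS come from the slide. It also covers a DSCP the default table has no row for (AF3x), where the mapping on the AP has to be customised.

```python
# Added worked example, not course material: encoding/decoding the IP ToS/DS
# byte and applying the WMM default DSCP / 802.1p -> access category mapping.
EF = 0b101110   # 46
BE = 0b000000   # 0

# RFC 1349 view of the ToS byte: bits 0-2 precedence, 3-6 ToS, bit 7 must be zero.
PRECEDENCE = {
    0b111: "Network Control", 0b110: "Internetwork Control", 0b101: "CRITIC/ECP",
    0b100: "Flash Override", 0b011: "Flash", 0b010: "Immediate",
    0b001: "Priority", 0b000: "Routine",
}
TOS_FLAGS = {
    0b1000: "minimize delay", 0b0100: "maximize throughput",
    0b0010: "maximize reliability", 0b0001: "minimize monetary cost",
}


def af_dscp(cls, drop):
    """AFxy codepoint: class (1-4) in the top three bits, drop precedence (1-3)
    in the next two, lowest bit zero. af_dscp(1, 1) == 0b001010 == 10."""
    if not (1 <= cls <= 4 and 1 <= drop <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (cls << 3) | (drop << 1)


def dscp_name(dscp):
    """Symbolic name of a 6-bit DSCP: EF, BE, AFxy, CSx, or the raw number."""
    if dscp == EF:
        return "EF"
    if dscp == BE:
        return "BE"
    cls, drop, low = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if 1 <= cls <= 4 and 1 <= drop <= 3 and low == 0:
        return f"AF{cls}{drop}"
    if dscp & 0b111 == 0:
        return f"CS{cls}"
    return f"DSCP{dscp}"


def ds_byte(dscp, cu=0):
    """The DS field as carried in the IP header: DSCP (6 bits) then CU (2 bits)."""
    return (dscp << 2) | (cu & 0b11)


def decode_tos_rfc1349(tos_byte):
    """Legacy reading of the same byte: (precedence name, list of ToS flag names)."""
    prec = PRECEDENCE[tos_byte >> 5]
    flags = [name for bit, name in TOS_FLAGS.items() if (tos_byte >> 1) & bit]
    return prec, flags


# WMM default mapping from the slide: (802.1p tags, DSCP family) per access category.
WMM_DEFAULTS = {
    "AC_VO": ((7, 6), "EF"),     # voice, ACI 3
    "AC_VI": ((5, 4), "AF4"),    # video, ACI 2
    "AC_BE": ((0, 3), "BE"),     # best effort, ACI 0
    "AC_BK": ((1, 2), "AF2"),    # background, ACI 1
}


def access_category_from_dscp(dscp):
    """Access category for a DSCP, or None when the default table has no row
    for it (e.g. AF3x), in which case the AP's mapping must be customised."""
    name = dscp_name(dscp)
    for ac, (_, family) in WMM_DEFAULTS.items():
        if name == family or (family.startswith("AF") and name.startswith(family)):
            return ac
    return None


def access_category_from_dot1p(tag):
    """Access category for an 802.1p user priority (0-7)."""
    for ac, (tags, _) in WMM_DEFAULTS.items():
        if tag in tags:
            return ac
    raise ValueError("802.1p tag must be 0-7")
```

A practical check this enables: decode the DS byte of a captured voice packet with `dscp_name(ds_byte_value >> 2)` and compare `access_category_from_dscp` with `access_category_from_dot1p` of the VLAN tag the switch put on it; when the two disagree, the AP will queue the flow in whichever access category its trust setting prefers, which is the usual cause of voice landing in AC_BE.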

    802.11b throughput: impact of 802.11 MAC & PHY
    Figure: stacked bar chart per 802.11b data rate (1, 2, 5.5 and 11 Mbit/s) splitting the link rate (y-axis 0-11 Mbit/s) into idle time (IFS), PLCP preamble, PLCP header, MAC header + ACK, LLC/SNAP header, TCP/IP overhead and net throughput.
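The chart above, rebuilt as an added example that is not course material: it computes the channel time of one 802.11b data frame plus its ACK per category and splits the link rate into the same stacked segments. The timing values are the standard 802.11b DSSS ones and are assumptions here (slot 20 µs, SIFS 10 µs, DIFS 50 µs, CWmin 31 slots, long preamble 144 µs, PLCP header 48 µs, ACK at 2 Mbps, no encryption overhead), so the result illustrates the shape of the chart rather than reproducing its exact bars; the function names (airtime_components_us, net_throughput_mbps, breakdown_mbps) are my own.

```python
# Added worked example, not course material: where the channel time of one
# 802.11b data frame + ACK goes, in the same categories as the stacked bars
# of the throughput chart. Assumed standard 802.11b DSSS values: slot 20 us,
# SIFS 10 us, DIFS 50 us, CWmin 31 slots, long PLCP preamble 144 us and PLCP
# header 48 us; ACK at 2 Mbps; no encryption overhead.
SLOT_US = 20
SIFS_US = 10
DIFS_US = 50
CW_MIN_SLOTS = 31
PREAMBLE_US = 144
PLCP_HEADER_US = 48
MAC_OVERHEAD_BYTES = 28      # 24-byte MAC header + 4-byte FCS
ACK_BYTES = 14
LLC_SNAP_BYTES = 8
TCP_IP_BYTES = 40            # 20-byte IP + 20-byte TCP header


def _bits(n_bytes):
    return n_bytes * 8


def airtime_components_us(app_bytes, rate_mbps, ip_hdr_bytes=TCP_IP_BYTES,
                          ack_rate_mbps=2.0):
    """Channel time (us) per category for one data frame and its ACK.

    Keys match the chart legend. Idle time is DIFS + the mean backoff
    (CWmin / 2 slots) + the SIFS before the ACK. The ACK is sent at a basic
    rate no higher than the data rate, so it costs far more than its 14 bytes.
    """
    ack_rate = min(ack_rate_mbps, rate_mbps)
    return {
        "Idle time (IFS + mean backoff)": DIFS_US + SIFS_US + CW_MIN_SLOTS / 2 * SLOT_US,
        "PLCP preamble": 2 * PREAMBLE_US,         # once for Data, once for ACK
        "PLCP header": 2 * PLCP_HEADER_US,
        "MAC header + ACK": _bits(MAC_OVERHEAD_BYTES) / rate_mbps + _bits(ACK_BYTES) / ack_rate,
        "LLC/SNAP header": _bits(LLC_SNAP_BYTES) / rate_mbps,
        "TCP/IP overhead": _bits(ip_hdr_bytes) / rate_mbps,
        "Net throughput": _bits(app_bytes) / rate_mbps,
    }


def net_throughput_mbps(app_bytes, rate_mbps, **kw):
    """Application bits delivered per second of channel time (Mbit/s)."""
    return _bits(app_bytes) / sum(airtime_components_us(app_bytes, rate_mbps, **kw).values())


def breakdown_mbps(app_bytes, rate_mbps, **kw):
    """Split the link rate into the chart's stacked segments (Mbit/s each);
    the segments add up to the link rate and the last one is the net throughput."""
    comps = airtime_components_us(app_bytes, rate_mbps, **kw)
    total = sum(comps.values())
    return {name: rate_mbps * t / total for name, t in comps.items()}


if __name__ == "__main__":
    for rate in (1, 2, 5.5, 11):
        print(rate, "Mbit/s ->", round(net_throughput_mbps(1460, rate), 2), "Mbit/s net")
```

With 1460 bytes of application data the net throughput at 11 Mbit/s comes out a little above 6 Mbit/s, and the fixed per-frame costs (preambles, headers, IFS and backoff) that are negligible at 1 Mbit/s become the dominant bar at 11 Mbit/s. The TCP column in the capacity table on the next slide is lower than the UDP column mainly because TCP acknowledgements also contend for the channel, which this example does not model.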

    802.11g throughput
    Mixed mode requires 11g adaptations for protection:
    CTS-only
    RTS/CTS
    Slot time of 20 µs (vs 9 µs)
    Maximum back-off time
    Most APs support automatic performance tuning by adaptive 802.11b protection, typically 3 levels:
    No 11b clients sensed
    11b clients sensed
    11b clients active
    11g stations get a higher probability of air time in a mixed environment
    Throughput performance may vary over time
    g-only mode (turning off protection)
    11g performance deteriorates when 11b clients start to associate/send data

    Network capacity
    Theoretical maximum application-level throughput (1500 byte packets, encryption enabled, zero packet errors)

    Standard                    Modulation   Maximum link rate   Theoretical maximum TCP rate   Theoretical maximum UDP rate
    802.11b                     CCK          11 Mbps             5.9 Mbps                       7.1 Mbps
    802.11g (with 802.11b)      OFDM/CCK     54 Mbps             14.4 Mbps                      19.5 Mbps
    802.11g (11g-only mode)     OFDM         54 Mbps             24.4 Mbps                      30.5 Mbps
    802.11a                     OFDM         54 Mbps             24.4 Mbps                      30.5 Mbps

    Designing, optimizing and Securing Wireless Networks

    01. Designing
    Introducing Wireless Networks and Topologies
    Radio basics, WI-FI basics and Interference
    802.11n
    Architecture
    Site Survey
    02. Optimizing
    Throughput
    QoS: 802.11e
    Voice on Wireless
    03. Securing
    Encryption and authentication standards
    802.1x framework


    Optimizing wireless networks: Voice on Wireless

    The new voice infrastructure
    Figure: PBX (signalling, transport, other) versus VoIP (signalling, transport, other).

    Voice Protocols
    Figure: protocol stack. Application layer: audio codec and video codec with RTCP (media transport protocols) and RAS, H.225.0, H.245, Q.931, MGCP, SIP (signaling). Host to host: RTP over UDP for the media; UDP/TCP for H.225.0, H.245, Q.931, MGCP, Megaco/H.248 and SIP. Internet: IP. Network access: Ethernet / PPP / ATM / ?
    Why IP, UDP & RTP Transport?


    Parameters affecting VoIP quality
    Packet losses due to collisions, bad radio channel and buffer overflow
    Packet loss rate of 10 % mostly acceptable (depends on the codec)
    One-way delay according to ITU G.114:
    Lower than 150 ms is acceptable for most applications
    Between 150 ms and 400 ms is potentially intolerable
    Above 400 ms is unacceptable
    Delay variations (jitter) must be compensated using buffers, static or adaptive
    Wireless LAN specific:
    Handover causes delay
    High compression codecs result in higher delay
    Watch out for interference!


    Perception + Reality
    Perception: "I think my WLAN is lightly utilized, so I should be able to easily add voice."
    Reality: "But interference is eating into my capacity, so there's no room in the pipe for voice."

    L2 QoS marking: wireless LANs
    Standard mappings by WMM (but may be customized)
    (Same access category / 802.1Q/p tags / DSCP table as in the QoS: 802.11e section.)

    Bandwidth provisioning: VoIP & RTP/UDP/IP overhead
    IP + UDP + RTP headers = 40 bytes:
    IP 20 bytes
    UDP 8 bytes
    RTP 12 bytes
    Figure: [IP | UDP | RTP = 40 bytes][160 bytes payload] and [IP | UDP | RTP = 40 bytes][20 bytes payload]
    At 64 Kbps PCM: 20 ms = 160 bytes, overall rate = 80 Kbps
    At 8 Kbps encoding: 20 ms = 20 bytes, overall rate = 24 Kbps
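The header arithmetic on this slide, as an added example that is not course material and that generalises it to any codec rate and packetisation interval. The function names (payload_bytes, overall_rate_kbps, header_share, call_rate_kbps) are my own, and the optional l2_overhead_bytes argument is an assumption for adding link-layer overhead that the slide does not include.

```python
# Added worked example, not course material: per-call VoIP bandwidth from the
# codec rate, the packetisation interval and the 40 bytes of IP + UDP + RTP
# headers quoted on the slide. Extra link-layer overhead (e.g. an 802.11 MAC
# header) is passed in explicitly as an assumption, not a slide value.
IP_HDR_BYTES = 20
UDP_HDR_BYTES = 8
RTP_HDR_BYTES = 12
RTP_UDP_IP_BYTES = IP_HDR_BYTES + UDP_HDR_BYTES + RTP_HDR_BYTES   # 40

CODEC_KBPS = {"G.711": 64, "G.729": 8}   # payload bit rates from the slides


def payload_bytes(codec_kbps, packet_ms):
    """Speech bytes in one RTP packet: rate x packetisation interval."""
    return codec_kbps * packet_ms / 8       # 64 kbps x 20 ms -> 160 bytes


def packets_per_second(packet_ms):
    return 1000 / packet_ms


def overall_rate_kbps(codec_kbps, packet_ms, l2_overhead_bytes=0):
    """Bit rate of one direction of a call, headers included."""
    frame = payload_bytes(codec_kbps, packet_ms) + RTP_UDP_IP_BYTES + l2_overhead_bytes
    return frame * 8 * packets_per_second(packet_ms) / 1000


def header_share(codec_kbps, packet_ms):
    """Fraction of the bits on the wire that are headers rather than speech."""
    p = payload_bytes(codec_kbps, packet_ms)
    return RTP_UDP_IP_BYTES / (p + RTP_UDP_IP_BYTES)


def call_rate_kbps(codec, packet_ms=20, l2_overhead_bytes=0, both_directions=True):
    """Bandwidth to provision per call; a conversation carries RTP both ways."""
    one_way = overall_rate_kbps(CODEC_KBPS[codec], packet_ms, l2_overhead_bytes)
    return 2 * one_way if both_directions else one_way


if __name__ == "__main__":
    for codec in CODEC_KBPS:
        print(codec, "20 ms:", overall_rate_kbps(CODEC_KBPS[codec], 20), "kbps per direction")
```

`overall_rate_kbps(64, 20)` returns 80.0 and `overall_rate_kbps(8, 20)` returns 24.0, the two figures on the slide. `header_share` shows why the 40 bytes matter so much more for the low-rate codec: two thirds of every G.729 packet is header, against one fifth for G.711, and a longer packetisation interval trades delay for a smaller header share.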

    Bandwidth provisioning: VoIP combined with data
    A single VoIP connection seriously reduces the throughput of data applications on the same 802.11b AP
    Figure: TCP throughput (0 to 4.5 Mbit/s) versus number of VoIP connections (1-16) on an 802.11b AP, for G.711 and G.729 with 20 ms packet size.


    Bandwidth provisioning: data rate and VoIP call density
    Maximum VoIP call density (G.711 assumed, no data):

    Data rate   Maximum calls
    1 Mb/s      4 calls
    2 Mb/s      7 calls
    5.5 Mb/s    10 calls
    11 Mb/s     12 calls

    802.11n Deployment Expectations: Voice services
    Voice:
    Plan for the same number of calls per AP as 11a/g (15-25 calls)
    Voice over WiFi phones still top out at 54 Mbps
    No 11n WiFi phones on the market right now
    Expect better voice reliability, especially in the upstream direction (phone to AP)
    Overlap 20-25%
    Recommendations:
    Forget about 11b
    5 GHz
    Disable speeds lower than 12 Mbps

    Designing, optimizing and Securing Wireless Networks

    01. Designing
    Introducing Wireless Networks and Topologies
    Radio basics, WI-FI basics and Interference
    802.11n
    Architecture
    Site Survey
    02. Optimizing
    Throughput
    QoS: 802.11e
    Voice on Wireless
    03. Securing
    Encryption and authentication standards
    802.1x framework


    Securing wireless networks: Encryption and authentication standards, 802.1x Framework

    Thinking about security
    Social engineering
    Physical security
    "Wireless is insecure"
    "Windows is insecure"
    Using your neighbor's network
    "Wired network is insecure"
    Come and get me: wireless networks beg to be used (or abused)
    War nibbling: similar to war driving, but it's against Bluetooth technology


    Redfang: [email protected]/research/tools/info_gathering

    War driving / War flying
    Finding installed access points (802.11a, b or g)
    Eavesdropping / unauthorized access
    Netstumbler: www.netstumbler.com
    War chalking
    Physical marking of a wireless accessible network
    A roguish WLAN
    Adding fake access points
    Jamming
    Taking a device off the air by overriding its signal with a stronger one
    Why would people want to hack you?
    Just for fun
    It gives (nearly) anonymous access


    Attacker is difficult to trace
    Way of preserving online privacy
    Figure: "Who am I?"

    Wireless Protection Measures: What do you want to protect?
    Protect Data?
    Protect Access?
    Protect Users?
    Figure: tools named on the slide: AirSnort, NetStumbler, Kismet, WEPCrack

    WLAN security hierarchy
    Figure: from weakest to strongest:
    Open Access: no encryption, MAC, SSID (public hotspots)
    40-bit or 128-bit static WEP encryption (home use)
    WPA
    WPA2 - 802.11i (business)
    Virtual Private Network (VPN): remote access (business traveler, telecommuter)

    Standards
    Architecture       Encryption/Integrity   Authentication
    WEP                WEP (RC4)              WEP
    WPA                TKIP (RC4)             802.1X
    WPA2 (802.11i)     AES                    802.1X
    Multiple VLANs + multiple SSIDs (wireless security)

    WEP Authentication

    Open


    Shared

    WEP

    WEP is a shared key only

    It uses the symmetrical RC4 (Rons