
Designing, optimizing and Securing Wireless Networks

0. Welcome

JOHN CORDIER ACADEMY

www.jcacademy.com | Telindus 2012

Floor Plan

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 1

Schedule with break and lunch times.


09u00 - 10u30  1st course session
10u30 - 10u40  Coffee
10u40 - 11u45  2nd course session
12u00 - 13u00  Lunch
13u15 - 15u00  3rd course session
15u00 - 15u15  Coffee
15u15 - 17u00  5th course session


Vegetarian plate possible.
Coffee, tea, water and juice; soft drinks with a token.


Information
Messages on the door.
Wireless access: user name and password at the Telindus reception (Floor 0).


Who is your instructor?


Introduce yourself
Ask and answer questions
Give feedback


Presentation of the students.


What I would like to know from you:
  Your name and work location
  Your job responsibilities
  Your networking experience
  Your objectives for this course


Designing, optimizing and Securing Wireless Networks


01. Designing
  Introducing Wireless Networks and Topologies
  Radio basics, WI-FI basics and Interference
  802.11n
  Architecture
  Site Survey

02. Optimizing
  Throughput
  QoS: 802.11e
  Voice on Wireless

03. Securing
  Encryption and authentication standards
  802.1x framework

Designing wireless networks


Introducing Wireless Networks and Topologies


Wireless LANs are evolving


Application generations, oldest to newest:
  Point Applications: inventory management, barcode scanning
  Mobile Data: email, web browsing
  Business Ready: voice, video, data
  Next Gen. Wireless: ubiquitous mobile computing, location tracking

Standards and maximum data rates:
  802.11: 2 Mbps
  802.11b: 11 Mbps
  802.11a/g: 54 Mbps
  802.11n: 300 Mbps

WLAN Standards Evolution


The IEEE 802.11 standard for wireless LAN radio devices was ratified in 1997.
The standard included two transmit rates: 1 Mbit/s and 2 Mbit/s.

1999: IEEE 802.11b standard for 11 Mb/s WLAN.

Transition from 2.4 GHz to 5 GHz

IEEE 802.11a (2000): 5 GHz offers a chance for higher data rates and increased capacity; the goal is to provide up to 54 Mbps.
IEEE 802.11g (2000): 5.5, 11, 54 Mbps.
IEEE 802.11n (Sept. 2009): up to 600 Mbps?

Wireless Personal Area Network


WPANs provide connectivity in a personal area. Links are usually peer to peer or small networks. Applications range from simple (remote control) to complex (voice). WPANs meet the need for ease of use, low cost, and portability.

Bluetooth is a typical example, running in 2.4 GHz.

Range: < 5-10 m

Wireless Local Area Network

Range larger than WPAN; spectrum 2.4 GHz and 5 GHz
More power required
Multiple users expected
Designed to be flexible
Range: < 100 m

Wireless Metropolitan Area Network

Backbone or user coverage applications
Usually in licensed bands
Unlicensed bands possible, but with interference issues
Typically in a city or suburb
Range: > 100 m

Wireless Wide Area Network

Large coverage areas
Issues: bandwidth and number of users
Cost based on usage duration or amount of information transmitted
Examples: UMTS, HSDPA, LTE

Standard Organizations for Wireless Networks


FCC
Federal Communications Commission

ETSI
European Telecommunications Standards Institute
HiperLAN (instead of 802.11a)

IEEE
Institute of Electrical and Electronics Engineers
802.11a, 802.11b, 802.11g, 802.11i, 802.11e, 802.3af

BIPT
Belgian Institute for Postal services and Telecommunications


What about WI-FI or Wireless Fidelity?


Before customers really started to complain about compatibility problems, six major players in the WLAN field decided to start their own actions to ensure compatibility: 3Com, Aironet, Intersil, Lucent Technologies, Nokia and Symbol Technologies formed an industry alliance called WECA in August 1999.

http://www.wi-fi.org/
http://www.wi-fizone.org/

Wireless LAN deployment


Residential
Enterprise: access for employees, guest access, Wifi phones
Public access - Hotspots: airports, hotels, restaurants, public transportation, ....
Environment specific: healthcare, education, retail

Ad-hoc networks
Independent Basic Service Set (IBSS)
Exists as soon as two wireless devices communicate
Limited in number of devices due to collision and organization issues

(Figure: ad-hoc architecture)

Infrastructure mode
Infrastructure Basic Service Set (BSS)
The AP functions as a translational bridge between 802.3 wired media and 802.11 wireless media.

Wireless is a half-duplex environment.

(Figure: a wireless cell attached to the DS)

Infrastructure mode (ESS)

(Figure: two cells, on Channel 1 and Channel 6, joined by the DS)

Wireless Outdoor Bridge


Extend the LAN by linking LANs
Point to point or hub and spoke

Mesh
Devices are connected with redundant connections between nodes; no single point of failure.

Service Set Identifier (SSID)


Network name
32 octets long
Used to tell a wireless station which network to join
One network (ESS or IBSS) has one SSID
May be broadcast or not
An access point can have more than one SSID

Designing, optimizing and Securing Wireless Networks


01. Designing
  Introducing Wireless Networks and Topologies
  Radio basics, WI-FI basics and Interference
  802.11n
  Architecture
  Site Survey

02. Optimizing
  Throughput
  QoS: 802.11e
  Voice on Wireless

03. Securing
  Encryption and authentication standards
  802.1x framework

Designing wireless networks


Radio basics
WI-FI basics
Interference

Wireless spectrum
Wireless networks use RF signals.
Radio frequencies are electromagnetic waves. The spectrum defines wave sizes, grouped by categories. The wireless network radio range is in the microwave segment.

Wireless data bands:
  902-928 MHz (26 MHz)
  2.4-2.4835 GHz (85 MHz)
  5.725-5.850 GHz (125 MHz)

They made history


1837
Morse invents the telegraph

1876
James Clerk Maxwell develops the theory that predicts the existence of electromagnetic waves

1886
Heinrich Hertz demonstrates the existence of electromagnetic waves

1901
Marconi transmits the letter S across the Atlantic Ocean


Wireless Network: Signals Go Through a Process

Amplitude indicates the strength of the RF signal
The frequency is the number of cycles occurring each second
The phase corresponds to how far the signal is offset from a reference point

(Figure: modulator driven by the carrier frequency f_c, followed by an amplifier)

AC and subsequent frequency changes are described as a sine wave
Radio waves move at a speed of about 299,792 km per second

Frequency
The frequency determines how often a signal is seen. One cycle per second equals 1 Hz. Low frequencies travel farther in the air than high frequencies.


Wavelength
The signal generated in the transmitter is sent to the antenna.

The movement of the electrons generates an electric field, which is the electromagnetic wave.
The size of the cycle pattern is called the wavelength.


Amplitude
Amplitude is the vertical distance, or height, between crests. For the same wavelength and frequency, different amplitudes can exist. Amplitude represents the quantity of energy injected in the signal.


Attenuation
The shorter the wavelength of a wireless signal, the more it is attenuated.

Multipath

Obstacles cause the signal to bounce in different directions:
1. A part of the signal might go directly to the destination
2. Another portion of the signal might bounce off a desk, ceiling, ...

Typical Reflectors


Line of Sight

Line of sight is necessary for good signal transmission. Earth curvature plays a role in the quality of outdoor links, even with a distance of a few miles (depending on the elevation of the transmitter and receiver). Visual obstacles may or may not prevent radio line of sight.

Fresnel zone
Outdoor point-to-point connections need radio line of sight.
Fresnel zone:
  an elliptical area immediately surrounding the visual path
  parameters depend on the frequency and the length of the direct line

(Figure: Fresnel zone)

RSSI and SNR


RSSI is the received signal strength indicator. The dBm value is obtained from a signal grading coefficient, which is determined by the vendor.

RSSI is usually a negative value; the closer to 0, the better.

SNR is the signal strength relative to the noise level. The higher the SNR, the better.

Decibels
Compares powers, originally sounds
  0 dB = same power
  3 dB = twice the power
  -3 dB = half the power
  10 dB = 10 x the power
  -10 dB = 1 tenth of the power

dBm
Used for AP transmitters
Same scale as the other dB
  0 dBm = 1 mW
  30 dBm = 1 W
  -20 dBm = 0.01 mW

Signal strengths vary logarithmically, not linearly


dBm: Decibel milliWatt
This measurement is used to represent power
0 dBm is defined as 1 milliWatt: 0 dBm = 10 log10(1 mW)
Access Points (APs) have a power output of +17 dBm (50 mW)

Decibel Referenced to Isotropic Antenna


dBi refers to an isotropic antenna.
This antenna is theoretical and does not exist in reality.
dBi is used as a reference point to compare antennae.
The same logarithmic progression applies to dBi as to the other decibel scales.

Antenna Principles
The radiation pattern describes the coverage shape. An RF radiation pattern is described by the E-plane (elevation chart) and the H-plane (azimuth chart). Expressed in dB.

Each antenna design produces different RF radiation patterns.


Everyday objects as antenna pattern illustrations


Antenna radiation pattern


Regions where the capability of the antenna is focused
3D patterns are indicated with an azimuth pattern (horizontal plane) and an elevation pattern (vertical plane)

(Figure: TA-2304-120-T0 azimuth pattern and elevation pattern; polar plots with 0, 90, 180 and 270 degree axes and a 0 to -30 dB scale)

Antenna Beamwidth
Horizontal Beam width

Vertical Beam width


Antenna Polarization


Diversity
Dual antennas each receive a different signal.
One may receive a bad signal while the other may receive a good signal.
Some wireless technologies use diversity to choose, on a per-client basis, which antenna to use to receive and which to answer.

2.4 GHz Omni-Directional Antennas


2 dBi Dipole "Standard Rubber Duck"
5.2 dBi Ceiling Mount
5.2 dBi Pillar Mount Diversity

2.4 GHz Directional Antennas


13.5 dBi Yagi Antenna, 25 degree
21 dBi Parabolic Dish Antenna, 12 degree
8.5 dBi Patch Antenna, 60 degree

Effective Isotropically Radiated Power

Attenuation by typical building materials:
  Plasterboard (gyproc) wall: 3 dB
  Glass wall with metal frame: 6 dB
  Office window: 3 dB
  Metal door: 6 dB
  Metal door in brick wall: 12.4 dB

Remember!
  -3 dB = 1/2 the power in mW
  +3 dB = 2 times the power in mW
  -10 dB = 1/10 the power in mW
  +10 dB = 10 times the power in mW

EIRP limits are country based


As are the channel sets: IC, ETSI, Telec, FCC

2.4 GHz EIRP rules (ETSI)


20 dBm is the maximum allowed EIRP
17 dBm maximum transmit power
Power can be reduced below 17 dBm in a 1:1 rule (one dB less transmit power for each dBi of extra antenna gain)

                    Transmit power   Transmitter dBm   Maximum gain   EIRP
Maximum             50 mW            17 dBm            3 dBi          20 dBm
Reduced Tx power    30 mW            15 dBm            5 dBi          20 dBm
                    20 mW            13 dBm            7 dBi          20 dBm
                     5 mW             7 dBm           13 dBi          20 dBm
                     1 mW             0 dBm           20 dBi          20 dBm
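The dBm arithmetic and the ETSI 2.4 GHz EIRP rule from the slides above, as an added example that is not part of the course material. It converts mW to dBm, computes EIRP as transmit power plus antenna gain minus cable loss, and applies the 1:1 rule; the cable-loss parameter is an assumption, the limits (20 dBm EIRP, 17 dBm transmitter) are the slide's.

```python
"""dBm/mW conversion and the ETSI 2.4 GHz EIRP check (added example, not course code).

EIRP = transmit power + antenna gain - cable loss, all in dB-space. The slide's
rule: EIRP <= 20 dBm, transmitter <= 17 dBm, and every dBi of antenna gain above
3 dBi must be paid for with one dB less transmit power (the 1:1 rule).
"""
import math

EIRP_LIMIT_DBM = 20.0   # maximum allowed EIRP in 2.4 GHz under ETSI (from the slide)
MAX_TX_DBM = 17.0       # maximum transmitter output (from the slide)


def mw_to_dbm(milliwatts: float) -> float:
    """dBm = 10 * log10(P / 1 mW); 1 mW -> 0 dBm, 1 W -> 30 dBm."""
    if milliwatts <= 0:
        raise ValueError("power must be positive")
    return 10.0 * math.log10(milliwatts)


def dbm_to_mw(dbm: float) -> float:
    """Inverse of mw_to_dbm: +10 dB is ten times the power, +3 dB about twice."""
    return 10.0 ** (dbm / 10.0)


def eirp_dbm(tx_dbm: float, antenna_dbi: float, cable_loss_db: float = 0.0) -> float:
    """Effective isotropically radiated power: gains add, losses subtract."""
    return tx_dbm + antenna_dbi - cable_loss_db


def max_tx_dbm_for(antenna_dbi: float, cable_loss_db: float = 0.0) -> float:
    """Highest transmit power that still meets the EIRP limit.

    A 3 dBi antenna allows the full 17 dBm; each extra dBi of gain takes one
    dBm off the transmitter (13 dBi -> 7 dBm, 20 dBi -> 0 dBm). Cable loss
    (assumed parameter) buys headroom back, but never above the 17 dBm cap.
    """
    return min(MAX_TX_DBM, EIRP_LIMIT_DBM - antenna_dbi + cable_loss_db)


def etsi_compliant(tx_dbm: float, antenna_dbi: float, cable_loss_db: float = 0.0) -> bool:
    """True when both the transmitter and the radiated power are within the limits."""
    return (tx_dbm <= MAX_TX_DBM + 1e-9
            and eirp_dbm(tx_dbm, antenna_dbi, cable_loss_db) <= EIRP_LIMIT_DBM + 1e-9)


def slide_table() -> list:
    """Recompute the slide's rows as (mW, dBm, antenna dBi, EIRP dBm)."""
    rows = []
    for milliwatts, gain in ((50, 3), (30, 5), (20, 7), (5, 13), (1, 20)):
        tx = mw_to_dbm(milliwatts)
        rows.append((milliwatts, round(tx), gain, round(eirp_dbm(tx, gain))))
    return rows


if __name__ == "__main__":
    for row in slide_table():
        print("%3d mW = %2d dBm + %2d dBi -> EIRP %d dBm" % row)
    print("17 dBm into a 5 dBi antenna compliant?", etsi_compliant(17, 5))  # False
```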

Designing wireless networks


Radio basics
WI-FI basics
Interference

The Physical Components


OSI layers: L7 Application, L6 Presentation, L5 Session, L4 Transport, L3 Network, L2 Data Link, L1 Physical.

"This is WI-FI" marks the two lower layers:
  L2 Data Link: Logical Link Control sublayer (LLC); Media Access Control sublayer (MAC)
  L1 Physical: Physical Layer Convergence Procedure (PLCP); Physical Medium Dependent (PMD)

WLAN technologies overview


Secret Communication System, patented in 1940 (Hedy Lamarr, 1913-2000)

Wireless LAN technologies:
  Infrared
  Narrow Band
  Spread Spectrum: Frequency Hopping, Direct Sequence, OFDM

FHSS versus DSSS


FHSS is a time-based narrowband hopping of frequencies. DSSS is a broadband use of frequencies.


DSSS: Idea


DSSS: Encoding
Each bit is transformed into a sequence, called chip or symbol. In this example, the chipping code is called Barker 11. Up to 9 bits can be lost.

(Figure: a 2 MHz signal spread to 22 MHz)

DSSS Modulation: DBPSK / DQPSK


DBPSK: each data bit selects the carrier phase shift relative to the previous symbol.
  Symbols: A = 0 degree phase shift, B = 180 degree phase shift

DQPSK: two bits per symbol (I channel, Q channel: 00, 01, 10, 11).
  Symbols: A = 0 degree, B = 90 degree, C = 180 degree, D = 270 degree phase shift

(Figure: RF carrier with the DBPSK and DQPSK modulated waveforms)

Spread Spectrum Technologies


Direct Sequence transmitter

(Figure: PLCP: digital signal (bits) multiplied in the spreader by the code bits (chips) from the code generator, giving the spread frequency spectrum; PMD: modulator and amplifier)

Spreading: the information signal (i.e. a symbol) is multiplied by a unique, high-rate digital code which stretches (spreads) its bandwidth before transmission.
Code bits are called chips.
The sequence is called the Barker code.

Spread Spectrum Technologies


Direct Sequence receiver

(Figure: PMD: amplifier and modulator; PLCP: correlator/descrambler multiplies the spread signal by the code bits (chips) from the code generator, giving the de-spread signal (bits))

At the receiver, the spread signal is multiplied again by a synchronized replica of the same code, and is de-spread and recovered.
The outcome of the process is the original symbol.
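The spreader, the correlator and the Barker 11 chipping code from the encoding, transmitter and receiver slides above, as an added example that is not part of the course material. The chip errors it injects are constructed, not measured.

```python
"""Barker-11 spreading and correlator despreading (added example, not course code).

Each data bit is multiplied by the 11-chip Barker code; the receiver multiplies the
received chips by a synchronised copy of the code and sums them (the correlator).
A clean symbol correlates to +11 (bit 1) or -11 (bit 0); corrupted chips pull the
sum toward zero, and the bit is still recovered as long as the sign survives.
"""
BARKER_11 = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]   # 802.11 DSSS chipping code
CHIPS_PER_BIT = len(BARKER_11)


def spread(bits):
    """Bit 1 -> +1, bit 0 -> -1; multiply each by the Barker code (11 chips per bit)."""
    chips = []
    for bit in bits:
        sign = 1 if bit else -1
        chips.extend(sign * chip for chip in BARKER_11)
    return chips


def correlate(chips):
    """Correlator: per-symbol sum of received chip x local code chip."""
    if len(chips) % CHIPS_PER_BIT:
        raise ValueError("chip stream must hold whole symbols")
    return [sum(chips[i + k] * BARKER_11[k] for k in range(CHIPS_PER_BIT))
            for i in range(0, len(chips), CHIPS_PER_BIT)]


def despread(chips):
    """Decide each symbol on the sign of its correlation value."""
    return [1 if value > 0 else 0 for value in correlate(chips)]


def corrupt(chips, positions):
    """Invert the chips at the given indexes: a constructed channel error."""
    damaged = list(chips)
    for position in positions:
        damaged[position] = -damaged[position]
    return damaged


def autocorrelation(shift):
    """Aperiodic autocorrelation of the code: 11 at shift 0, never beyond +/-1 elsewhere.

    This sharp peak is what lets the receiver synchronise its code replica.
    """
    return sum(BARKER_11[k] * BARKER_11[k + shift] for k in range(CHIPS_PER_BIT - shift))


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0]
    chips = spread(data)                        # 55 chips on the air
    noisy = corrupt(chips, [0, 3, 7, 12, 15])   # constructed: 3 chips of symbol 0, 2 of symbol 1 flipped
    print("sent       ", data)
    print("correlation", correlate(noisy))     # [5, -7, 11, 11, -11]
    print("recovered  ", despread(noisy))
```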

Orthogonal Frequency-Division Multiplexing


Of 64 subcarriers:
  12 zero subcarriers (in black) on the sides and in the center
    Sides function as frequency guard band, leaving 16.5-MHz occupied bandwidth
    Center subcarrier zero for DC offset/carrier leak rejection
  48 data subcarriers (in green) per symbol
  4 pilot subcarriers (in red) per symbol for synchronization and tracking

OFDM Modulations: BPSK and QPSK


Uses the same principles as DBPSK and DQPSK: BPSK shifts 180 degrees; QPSK shifts 90 degrees. Speed depends on the density of the signal per tone.

Modulation   Data rate per subchannel (kb/s)   Total data rate (Mb/s)
BPSK         125                               6
BPSK         187.5                             9
QPSK         250                               12
QPSK         375                               18

OFDM Modulation: QAM

With QAM, 90 degree shifts are associated with amplitude modulation. With four amplitude positions, 16 values are possible. OFDM for wireless uses 16-QAM and 64-QAM, with speeds up to 54 Mbps.

(Figure: conceptual constellation illustration)
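The rate arithmetic behind the BPSK/QPSK table and the QAM slide above, as an added example that is not part of the course material. The 48 data subcarriers come from the OFDM slide; the 4 microsecond 802.11a/g symbol time (3.2 us useful plus 0.8 us guard interval) and the coding rates are assumptions not stated on the slides.

```python
"""802.11a/g OFDM data-rate arithmetic (added example, not course code).

Rate per subcarrier = bits per symbol x coding rate x OFDM symbol rate;
the total multiplies that by the 48 data subcarriers.
"""
from fractions import Fraction

DATA_SUBCARRIERS = 48                                        # from the OFDM slide
SYMBOL_TIME_US = Fraction(4)                                 # assumption: 802.11a/g symbol time
SYMBOLS_PER_SECOND = Fraction(1_000_000) / SYMBOL_TIME_US    # 250 000 symbols/s per subcarrier

BITS_PER_SUBCARRIER = {"BPSK": 1, "QPSK": 2, "16-QAM": 4, "64-QAM": 6}

# The eight 802.11a/g rate steps: (modulation, convolutional coding rate).
RATE_STEPS = [("BPSK", "1/2"), ("BPSK", "3/4"), ("QPSK", "1/2"), ("QPSK", "3/4"),
              ("16-QAM", "1/2"), ("16-QAM", "3/4"), ("64-QAM", "2/3"), ("64-QAM", "3/4")]


def constellation_points(modulation: str) -> int:
    """Distinct phase/amplitude positions: QPSK 4, 16-QAM 16, 64-QAM 64."""
    return 2 ** BITS_PER_SUBCARRIER[modulation]


def _subchannel_rate_bps(modulation: str, coding_rate) -> Fraction:
    """Exact payload bit rate of one subcarrier; coding_rate may be "3/4" or a Fraction."""
    return BITS_PER_SUBCARRIER[modulation] * Fraction(coding_rate) * SYMBOLS_PER_SECOND


def subchannel_rate_kbps(modulation: str, coding_rate) -> float:
    """Data rate carried by one subcarrier, in kb/s (BPSK 1/2 -> 125, QPSK 3/4 -> 375)."""
    return float(_subchannel_rate_bps(modulation, coding_rate) / 1000)


def total_rate_mbps(modulation: str, coding_rate) -> float:
    """All 48 data subcarriers together, in Mb/s (BPSK 1/2 -> 6, 64-QAM 3/4 -> 54)."""
    return float(DATA_SUBCARRIERS * _subchannel_rate_bps(modulation, coding_rate) / 1_000_000)


def data_bits_per_symbol(modulation: str, coding_rate) -> int:
    """Payload bits carried by one OFDM symbol (BPSK 1/2 -> 24, 64-QAM 3/4 -> 216)."""
    return int(DATA_SUBCARRIERS * BITS_PER_SUBCARRIER[modulation] * Fraction(coding_rate))


def rate_table() -> list:
    """(modulation, coding rate, kb/s per subchannel, Mb/s total) for every rate step."""
    return [(m, r, subchannel_rate_kbps(m, r), total_rate_mbps(m, r)) for m, r in RATE_STEPS]


if __name__ == "__main__":
    for modulation, coding, per_sub, total in rate_table():
        print("%-6s %s  %7.1f kb/s per subchannel  ->  %4.1f Mb/s" % (modulation, coding, per_sub, total))
```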

Channels and Overlap Issues


With channels built for 5-MHz interchannel spacing, each DSSS channel uses more than one channel. Only three or four non-overlapping channels are available in the 2.4-GHz ISM band (2400 MHz to 2484 MHz).

Channel   Bottom of channel   Center frequency   Top of channel   (MHz)
1         2401                2412               2423
2         2406                2417               2428
3         2411                2422               2433
4         2416                2427               2438
5         2421                2432               2443
6         2426                2437               2448
7         2431                2442               2453
8         2436                2447               2458
9         2441                2452               2463
10        2446                2457               2468
11        2451                2462               2473
12        2456                2467               2478
13        2461                2472               2483
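The channel geometry of the table above, as an added example that is not part of the course material: it recomputes the bottom/center/top frequencies, tests whether two DSSS masks overlap, and searches for the largest sets of mutually non-overlapping channels, once with the 22 MHz DSSS mask (three channels) and once with a 20 MHz mask (four), which is where "three or four" comes from. Channel 14 at 2484 MHz and the 20 MHz mask width are assumptions not on the slide.

```python
"""2.4 GHz channel geometry and non-overlapping channel sets (added example, not course code).

Centre frequency is 2407 + 5 x n MHz for channels 1-13; a DSSS channel is 22 MHz
wide (11 MHz either side of the centre); the ISM band runs 2400-2484 MHz.
"""
from itertools import combinations

ISM_BAND_MHZ = (2400, 2484)
DSSS_WIDTH_MHZ = 22


def center_mhz(channel: int) -> int:
    if channel == 14:
        return 2484          # assumption: channel 14 is not on the slide
    if not 1 <= channel <= 13:
        raise ValueError("2.4 GHz channels run from 1 to 14")
    return 2407 + 5 * channel


def channel_edges(channel: int, width_mhz: int = DSSS_WIDTH_MHZ):
    """(bottom, top) of the channel mask in MHz."""
    half = width_mhz / 2
    return center_mhz(channel) - half, center_mhz(channel) + half


def channel_table(width_mhz: int = DSSS_WIDTH_MHZ) -> list:
    """Rows of (channel, bottom, centre, top) as on the slide."""
    rows = []
    for channel in range(1, 14):
        bottom, top = channel_edges(channel, width_mhz)
        rows.append((channel, bottom, center_mhz(channel), top))
    return rows


def overlaps(ch_a: int, ch_b: int, width_mhz: int = DSSS_WIDTH_MHZ) -> bool:
    """True when the two masks share spectrum; masks that only touch do not overlap."""
    lo_a, hi_a = channel_edges(ch_a, width_mhz)
    lo_b, hi_b = channel_edges(ch_b, width_mhz)
    return lo_a < hi_b and lo_b < hi_a


def inside_ism(channel: int, width_mhz: int = DSSS_WIDTH_MHZ) -> bool:
    """Whole mask inside the 2400-2484 MHz band?"""
    lo, hi = channel_edges(channel, width_mhz)
    return ISM_BAND_MHZ[0] <= lo and hi <= ISM_BAND_MHZ[1]


def non_overlapping_sets(channels=range(1, 14), width_mhz: int = DSSS_WIDTH_MHZ) -> list:
    """Every largest set of mutually non-overlapping channels (brute force over 13 channels)."""
    channels = list(channels)
    for size in range(len(channels), 0, -1):
        found = [set(combo) for combo in combinations(channels, size)
                 if not any(overlaps(a, b, width_mhz) for a, b in combinations(combo, 2))]
        if found:
            return found
    return []


if __name__ == "__main__":
    for channel, bottom, centre, top in channel_table():
        print("channel %2d: %d - %d - %d MHz" % (channel, bottom, centre, top))
    print("22 MHz masks:", non_overlapping_sets())            # ten 3-channel sets, e.g. {1, 6, 11}
    print("20 MHz masks:", non_overlapping_sets(width_mhz=20))  # [{1, 5, 9, 13}]
```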

Emerging Industry Standards

(Figure: 5 GHz WLAN market and 2.4 GHz WLAN market)

Understanding the 5GHz spectrum


In Europe 8 + 11 non-overlapping channels, each 20 MHz wide

(Figure: 4 + 4 + 11 + 4 channels across UNII-1, UNII-2 and UNII-3)

UNII = Unlicensed National Information Infrastructure

DFS & TPC


Transmit Power Control (TPC):
  Ensures that the minimum amount of radio power is used by the client to communicate with the Access Point

Dynamic Frequency Selection (DFS):
  Keep the selected frequency until interference is detected, then switch to a new frequency (radar detection)

Types of radars covered by DFS:
  Civilian weather radars
  Military naval navigation radars
  Military air defense and missile system radars

5 GHz WLAN standardisation issues


Different high throughput standards
  US: 802.11a
  Europe: 802.11h (IEEE) and HiperLAN2 (ETSI)

802.11h = 802.11a + TPC + DFS
  TPC (Transmit Power Control): provides the minimum required transmitter power for EACH user, and so minimal interference to any other users or systems
  DFS (Dynamic Frequency Selection): lets the device listen to what is happening in the airspace before picking a channel

802.11h is backward-compatible with 802.11a, but it is likely that 802.11a products bought in the U.S. won't work with European 802.11h access points.

HiperLAN2 and 802.11a/h have nearly identical physical layers but are very different at the MAC (Media Access Control) level. Products are not interoperable.

Designing wireless networks


Radio basics
WI-FI basics
Interference

Choosing a Channel


RF Output power
dBm is a measure of absolute power output. Formula:
  dBm = 10 log (power in milliwatts)

An increase of 10 dBm means 10x the output power.

Examples:
  0 dBm = 1 mW (Bluetooth)
  10 dBm = 10 mW
  20 dBm = 100 mW (802.11, phones)
  30 dBm = 1 Watt (FCC limit)

RF Propagation Loss
dB is a relative power measurement

Near field: 1 meter distance results in a 40 dB loss
Every 2x increase in distance = 10 dB loss indoor (6 dB loss outdoor)

Examples (indoor):
  2 meters = 50 dB loss
  4 meters = 60 dB loss
  8 meters = 70 dB loss

Netstumbler


InSSIDer


Wi-Fi Inspector


Site survey: what constitutes an acceptable signal?


Signal level
Noise floor
Packet completion rate

A low RF signal does NOT mean poor communication
A low signal quality DOES mean poor communication

Recognizing (and Assessing) Problems


802.11 stats are good secondary indicators that interference is having an impact:
  Retries > 10%
  Data rate lower than normal

(Figure: power level over time, showing average power, fading depth, noise floor, target SNR and errors)

> 40 dB SNR = excellent signal (5 bars); always associated; lightning fast.
25 dB to 40 dB SNR = very good signal (3-4 bars); always associated; very fast.
15 dB to 25 dB SNR = low signal (2 bars); always associated; usually fast.
10 dB to 15 dB SNR = very low signal (1 bar); mostly associated; mostly slow.
5 dB to 10 dB SNR = no signal; not associated; no go.
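A link-budget calculation joining the "RF Propagation Loss" slide with the SNR grading table above, as an added example that is not part of the course material: it applies the 40 dB at 1 m plus 10 dB (indoor) or 6 dB (outdoor) per doubling rule, derives received power and SNR, grades the SNR, and inverts the rule to find the distance at which a target SNR is reached. The EIRP and noise-floor values used in main() are constructed sample inputs.

```python
"""Rule-of-thumb link budget and SNR grading (added example, not course code).

Path loss follows the slide: 40 dB at 1 m, then +10 dB per doubling of distance
indoors (+6 dB outdoors). Received power = EIRP - path loss; SNR = received
power - noise floor, graded with the SNR table.
"""
import math

NEAR_FIELD_LOSS_DB = 40.0                                  # loss at 1 m (slide)
LOSS_PER_DOUBLING_DB = {"indoor": 10.0, "outdoor": 6.0}    # per 2x distance (slide)


def path_loss_db(distance_m: float, environment: str = "indoor") -> float:
    """40 dB at 1 m, plus 10 dB (indoor) or 6 dB (outdoor) per doubling of distance."""
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    per_doubling = LOSS_PER_DOUBLING_DB[environment]
    # The slide gives no rule below 1 m: treat it as the 1 m near-field value.
    return NEAR_FIELD_LOSS_DB + per_doubling * math.log2(max(distance_m, 1.0))


def received_dbm(eirp_dbm: float, distance_m: float, environment: str = "indoor",
                 rx_antenna_dbi: float = 0.0) -> float:
    """Power at the receiver: radiated power plus receive antenna gain minus path loss."""
    return eirp_dbm + rx_antenna_dbi - path_loss_db(distance_m, environment)


def snr_db(received_power_dbm: float, noise_floor_dbm: float) -> float:
    return received_power_dbm - noise_floor_dbm


def grade_snr(snr: float) -> dict:
    """Grades from the slide's SNR table: bars, association and speed."""
    if snr > 40:
        return {"signal": "excellent", "bars": "5", "associated": "always", "speed": "lightning fast"}
    if snr >= 25:
        return {"signal": "very good", "bars": "3-4", "associated": "always", "speed": "very fast"}
    if snr >= 15:
        return {"signal": "low", "bars": "2", "associated": "always", "speed": "usually fast"}
    if snr >= 10:
        return {"signal": "very low", "bars": "1", "associated": "mostly", "speed": "mostly slow"}
    return {"signal": "none", "bars": "0", "associated": "no", "speed": "no go"}


def max_range_m(eirp_dbm: float, noise_floor_dbm: float, target_snr_db: float,
                environment: str = "indoor") -> float:
    """Distance at which the SNR falls to the target: path_loss_db inverted."""
    allowed_loss = eirp_dbm - noise_floor_dbm - target_snr_db
    if allowed_loss < NEAR_FIELD_LOSS_DB:
        return 0.0   # even 1 m away the target SNR is not reached
    return 2.0 ** ((allowed_loss - NEAR_FIELD_LOSS_DB) / LOSS_PER_DOUBLING_DB[environment])


if __name__ == "__main__":
    eirp, noise_floor = 20.0, -90.0      # constructed sample: ETSI-limit AP, quiet office
    for distance in (1, 2, 4, 8, 16, 32):
        rx = received_dbm(eirp, distance)
        snr = snr_db(rx, noise_floor)
        print("%3d m: %6.1f dBm, SNR %5.1f dB -> %s" % (distance, rx, snr, grade_snr(snr)["signal"]))
    print("range for 25 dB SNR indoors: %.1f m" % max_range_m(eirp, noise_floor, 25))   # 22.6
```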

Non-WiFi Interference Sources

Bluetooth
Microwave ovens
Wireless video cameras
Radar
Wireless game controllers
Motion detectors
2.4/5 GHz cordless phones
Fluorescent lights
Wireless headphones

802.11b Signature
Arch, ~22 MHz wide, centered on the 802.11 channel

802.11g Signature
Flat with sloping shoulders, ~18 MHz wide, centered on the 802.11 channel

Planning Tools Cisco Spectrum Expert


Example: Microwave


How to Mitigate Problems


Find and remove the interfering device!
Shield the interfering device (grounded shield)
Change the channel of the AP
  e.g. a microwave affecting some frequencies worse than others
Increase the Tx power of the AP
  Possibly use a directional antenna to direct more power into the desired areas.
Tx data rate controls
  Don't allow the lowest data rates, to avoid false back-off
  Trade-off, because lower data rates are more noise immune

Designing, optimizing and Securing Wireless Networks


01. Designing
  Introducing Wireless Networks and Topologies
  Radio basics, WI-FI basics and Interference
  802.11n
  Architecture
  Site Survey

02. Optimizing
  Throughput
  QoS: 802.11e
  Voice on Wireless

03. Securing
  Encryption and authentication standards
  802.1x framework

Designing wireless networks


802.11n


What does 802.11n deliver?


Ways to increase data rate: Conventional


Conventional single-tx and single-rx radio systems

Increase transmit power
  Subject to power amplifier and regulatory limits
  Increases interference to other devices
  Reduces battery life

Use high-gain directional antennas
  Fixed direction(s) limit coverage to given sector(s)

Ways to increase data rate: The 802.11 n-way


Single Input Single Output

Single transmit, single spatial stream, single receive

Multiple Input Multiple Output


MIMO Overview


Maximal Ratio Combining


Transmit Beam Forming


Spatial Multiplexing


MIMO increases physical data rates for all clients


Today, before MIMO
Tomorrow: MIMO on AP
Future: MIMO on AP & client

More Reliable, Predictable Connectivity for All Clients


Channel Bonding


Packet Aggregation & Block Acknowledgement


Guard Interval


Expected data rates


Existing 802.11 WLAN Standards


                                 802.11b      802.11a      802.11g           802.11n
Standard approved                Sept. 1999   Sept. 1999   June 2003         2009
Available bandwidth              83.5 MHz     580 MHz      83.5 MHz          83.5/580 MHz
Frequency band of operation      2.4 GHz      5 GHz        2.4 GHz           2.4/5 GHz
# Non-overlapping channels (US)  3            24           3                 3/24
Data rate per channel            1-11 Mbps    6-54 Mbps    1-54 Mbps         1-600 Mbps
Modulation type                  DSSS, CCK    OFDM         DSSS, CCK, OFDM   DSSS, CCK, OFDM, MIMO

Designing, optimizing and Securing Wireless Networks


01. Designing
  Introducing Wireless Networks and Topologies
  Radio basics, WI-FI basics and Interference
  802.11n
  Architecture
  Site Survey

02. Optimizing
  Throughput
  QoS: 802.11e
  Voice on Wireless

03. Securing
  Encryption and authentication standards
  802.1x framework

Designing wireless networks


Architecture


WLAN architectures overview

Ad-hoc architecture

Infrastructure architecture

Bridged architecture

Infrastructure evolution: wireless switches


Responsibilities (e.g. QoS, encryption, ...) are moving from the AP to:
  a wireless switch (e.g. Trapeze, Extreme, ...)
  an appliance (Bluesocket, ...)
  another access point (WDS in Cisco)

Some call this "thin APs".

Different protocols are possible: GRE, LWAPP, WLCCP

Independent (Fat) Access Points

Cisco Aironet

Dependent (Thin) Access Points + Controller

Cisco Airespace


WI-FI Array


Mesh


Basic wireless network


BUT, a wireless network is more complex


What happens with more than one wireless device?
  Shared channel and CSMA/CA

How can you get more capacity?
  More than one channel is possible:
    limitation of channels
    evolution from SISO to MIMO

How can you make a larger network?
  Multiple access points with the same name = SSID.

How can you have different, separated networks?
  Different SSIDs: wireless VLANs.

802.11a/b/g Review
802.11b
  Ratified in 1999
  Operates in the 2.4 GHz spectrum
  Data rates: 1, 2, 5.5, 11 Mbps
  Available channels: 11 (3 used)

802.11a
  Ratified in 2000
  Operates in the 5 GHz spectrum
  Data rates: 6, 9, 12, 18, 24, 36, 48, 54 Mbps
  Available channels: 24 (19 used in EU)

802.11g
  Ratified in 2000
  Operates in the 2.4 GHz spectrum
  Data rates: 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54 Mbps
  Available channels: 11 (3 used)
  Backward compatible with 802.11b

Limitation of channels in 2.4 GHz


20 MHz bandwidth. Modulation needed. Non-overlapping channels (1, 6, 11).

802.11a/b/g: Cell Planning


802.11b/g: 3 channels
  Distance to a cell with the same channel is less than a single cell
  Sensitive to co-channel interference (from other cells on the same channel)

802.11a: 19 channels
  High performance: 8 times the capacity
  Far less interference from cells on the same channel
  More channels to avoid interference

How can you make a larger network?


Connecting different access points with different channels to one network. They work with the same name (SSID).

(Figure: several access points all serving SSID "data")

How can you have different separated networks?

Network name = SSID


32 octets long
Case sensitive
Used to tell a wireless station which network to join
One network has one SSID and can be installed over different access points
An access point can have more than one SSID

How can you have different separated networks?


Configure an SSID (network) per VLAN
  Same VLANs wired as wireless
  The access point maps VLANs to Service Set Identifiers (SSIDs):
    static SSID-to-VLAN
    dynamic RADIUS-based VLAN assignment (role-based VLANs)

(Figure: SSID "data" and SSID "voice" served by the same access points)

Wireless VLANs
Allows a single WLAN to handle different devices and applications with different types of security, over an 802.1q trunk.

AP channel: 6
  SSID Data = VLAN 1, security: PEAP + AES
  SSID Voice = VLAN 2, security: LEAP + WPA
  SSID Visitor = VLAN 3, security: Open

802.11a/b/g Best Practices


Recommendations
Technologies
  802.11b-only is end-of-life, avoid if at all possible
  Buy 802.11a/b/g adapters at a minimum
  Transition to the 5 GHz spectrum (802.11a now, 802.11n next) to achieve:
    increased capacity
    significantly reduced interference
    simplified channel planning
  Use multiple radios on different channels in a given cell to increase capacity
  Limit the number of users per radio to about 12-15; lower this limit to about 8-10 if using voice

Why Power over Ethernet


Simplicity
A single connection provides network and power to end devices

AC-Free Deployments
No AC power required to support end devices

Mobility
Low voltage, Ethernet Powered Devices can be easily moved

Safety
48 V DC low-voltage PoE reduces user exposure to local AC power circuits

Operational Resiliency
Centralized power solution allows for a centralized UPS deployment


Power over Ethernet (PoE) Delivery


Common mode resistor discovery
Optional classification (4, 7 or 15.4 Watts, before power on)
Up to 15.4 Watts
Power off on disconnect (DC/AC)

Power over Ethernet Plus (PoE+)


IEEE 802.3at
Max power 30-60 Watt
On category 5 cables
Problem: what is the maximum power through a CAT 5 cable?

Equipment that needs more power:
  Some diskless CPUs
  Access points with more versions of 802.11
  Cameras with motors
  IP phones with colour video

Designing, optimizing and Securing Wireless Networks


01. Designing
Introducing Wireless Networks and Topologies Radio basics, WI-FI basics and Interference 802.11n

Architecture
Site Survey

02. Optimizing
Throughput QoS: 802.11e Voice on Wireless

03. Securing
Encryption and authentication standards 802.1x framework
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 125

Designing wireless networks


Site Survey

JOHN CORDIER ACADEMY

www.jcacademy.com | Telindus 2012

Site survey

JOHN CORDIER ACADEMY | Wireless Lan Essentials www.jcacademy.com | Telindus 2012 | slide 127

Site survey: channel selection

Figure: six access points with a 1/6/11 channel plan
AP1: channel 1, AP2: channel 6, AP3: channel 11
AP4: channel 1, AP5: channel 6, AP6: channel 11
JOHN CORDIER ACADEMY | Wireless Lan Essentials www.jcacademy.com | Telindus 2012 | slide 128

Site survey: data rates


Overlap for voice should be 15-20%, for data only 10-15%
Preferably survey with the AP and wireless client models you intend to deploy

Figure: the same floor surveyed at 36 Mbps and at 54 Mbps
JOHN CORDIER ACADEMY | Wireless Lan Essentials www.jcacademy.com | Telindus 2012 | slide 129

Airmagnet Surveyor: SNR G

JOHN CORDIER ACADEMY | Wireless Lan Essentials www.jcacademy.com | Telindus 2012 | slide 130

Ekahau Heatmapper

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 131

Site Survey prepares for 802.11n

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 132

Overlap for data traffic

Figure: two access points on the LAN backbone with 10-15% overlapping cells, each serving its wireless clients
The overlap allows remote users to roam without losing RF connections


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 133

802.11n Deployment Expectations Data services


Overlap
10-15%

Range
10-15% increase in maximum range versus an AP1130
Recommended 1:1 replacement of an 802.11a/g deployment

Coverage
10-20% increase in 802.11a/g high data rate coverage
More uniform coverage versus an AP1130

Capacity
Maximum data rates of 144 Mbps in 2.4 GHz
Maximum data rates of 300 Mbps in 5 GHz

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 134

Impact on speed and range with 11n?


Test results between two Cisco APs: a Cisco 1240 a/g AP and a Cisco 1250 a/g/n AP

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 135

Example Speed vs. Range Comparison


Figure: Cisco 1240 and 1250 802.11a active survey, measured ranges of 28 m and 31 m
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 136

Example Speed vs. Range Comparison


Figure: Cisco 1240 and 1250 802.11g active survey, measured ranges of 34 m and 45 m
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 137

802.11n Deployment Expectations Voice services


Voice
Plan for the same number of calls per AP as 11a/g (15-25 calls)
Voice over WiFi phones still top out at 54 Mbps
No 11n WiFi phones on the market right now
Expect better voice reliability, especially in the upstream direction (phone to AP)
Overlap 20-25%

Recommendations
Forget about 11b
5 GHz
Disable speeds lower than 12 Mbps

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 138

RF Interference and Noise Floor

www.jcacademy.com | Telindus 2012 | slide 139

Designing, optimizing and Securing Wireless Networks


01. Designing
Introducing Wireless Networks and Topologies Radio basics, WI-FI basics and Interference 802.11n Architecture Site Survey

02. Optimizing
Throughput QoS: 802.11e Voice on Wireless

03. Securing
Encryption and authentication standards
802.1x framework
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 140

Optimizing wireless networks


Throughput

JOHN CORDIER ACADEMY

www.jcacademy.com | Telindus 2012

The Physical Components


Figure: OSI layers against the Wi-Fi stack
L7 Application, L6 Presentation, L5 Session, L4 Transport, L3 Network: above Wi-Fi
L2 Data Link: Logical Link Control sublayer (LLC) and Media Access Control sublayer (MAC)
L1 Physical: Physical Layer Convergence Procedure (PLCP) and Physical Medium Dependent (PMD)
This is Wi-Fi: 802.11 defines the MAC sublayer and the physical layer


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 142

Classes of frames

Data frames
Carry higher-level protocol data

Control frames
Administration of the access to the wireless medium: RTS/CTS, ACK, ...

Management frames
Beacon, transmitted at regular intervals to allow wireless devices to find networks and match parameters with the AP
Association and authentication frames
Probe Request / Probe Response

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 143

Frame Format: Frame Control

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 144

Frame Format: Duration & Sequence Control

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 145

Frame Format: Addressing: BSS

At least 3 MAC addresses are used:
Destination address (DA)
Source address (SA)
Address of the access point (BSSID)
Address 4 is optional and used in bridging

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 146

How does your client connect to the AP?

BEACON

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 148

Management Frame: Beacon


The access point periodically sends a beacon frame to announce its
presence and relay information, such as timestamp, SSID, ...

Clients continually scan all channels and listen to beacons as the basis for
choosing which access point is best to associate with.

In infrastructure networks
Access points periodically send beacons. In general, the beacon interval is set to 100ms, which provides good performance for most applications.

In ad hoc networks
There are no access points. One of the peer stations assumes the responsibility for sending the beacon.

Used in passive scanning


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 149

Management Frame: Beacon

Capability Info

Used in passive scanning


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 150

How does your client connect to the AP?

BEACON

PROBE REQUEST
PROBE RESPONSE

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 152

Management Frame: Probes


Probe request frame
A station sends a probe request frame when it needs to obtain information from another station. For example, a station sends a probe request to determine which access points are within range.

Probe response frame
A station responds with a probe response frame, containing capability information, supported data rates, etc., after it receives a probe request frame.

Used in active scanning

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 153

Management Frame: Probes


Request

Used in active scanning


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 154

Management Frame: Probes


Response

Used in active scanning


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 155

How does your client connect to the AP?

BEACON

PROBE REQUEST
PROBE RESPONSE

OPEN OR SHARED AUTHENTICATION

ASSOCIATION REQUEST
ASSOCIATION RESPONSE

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 158

Management Frame: Association


To establish a relationship with the access point

Association request frame
This frame carries information about the station (e.g., supported data rates) and the SSID of the network it wishes to associate with.

Association response frame
An access point sends an association response frame containing an acceptance or rejection notice to the station requesting association.

Disassociation frame
A station sends a disassociation frame to another station if it wishes to terminate the association.

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 159

Management Frame: Association


Stations scan the frequency band and select the access point with the best communications quality
Active scan (sending a probe request)
Passive scan (assessing communications quality from beacon messages)

The access point maintains a list of associated stations in its MAC firmware
Records station capability (data rate)
Allows inter-BSS relay

The station's MAC address is also maintained in the bridge learn table, associated with the port it is located on

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 162

Traffic flow - Inter-BSS

Figure: STA-1 and STA-2 in BSS-A, both associated to the same AP. The AP's association table lists STA-1 and STA-2; its bridge learn table maps both to the wireless PC-card port (2).
Sequence: STA-1 associates (Associate, ACK); STA-1 sends a packet for STA-2 to the AP (ACK); the AP relays it to STA-2 (inter-BSS relay, ACK).

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 163

Traffic flow - ESS operation

Figure: STA-1 in BSS-A and STA-2 in BSS-B, each associated to its own AP. Each AP's association table holds its own station; each bridge learn table points to the local station on the wireless PC-card port (2) and to the remote station via the wired port (1).
Sequence: STA-1 sends a packet for STA-2 to its AP (ACK); the AP forwards it over the wired LAN to the other AP, which delivers it to STA-2 (ACK).

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 164

Association and roaming


Reassociation
If a station moves, it may need to associate with another AP: reassociation
Even if a station doesn't move, it may need to reassociate with a new AP:
AP failure
New interferer
Doors, equipment movement, human bodies, ...
Scanning and association as before
The IAPP protocol is used to convey information from the new to the old AP

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 168

Multiple access
Distributed Coordination Function (DCF)
CSMA/CA, contention-based access

Priority Coordination Function (PCF)
Contention-free periods
Tricky and not used in commercial products

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 169

Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)


Medium is free for a DCF inter-frame space (DIFS): immediate access

Medium is busy: transmission is deferred by DIFS + a random time
Collision avoidance (but not elimination!)
Immediate access when the medium is idle >= DIFS

Figure: busy medium, then DIFS (PIFS and SIFS are the shorter spaces), then the contention window of backoff slots before the data frame
Defer access; select a slot and decrement the backoff as long as the medium stays idle


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 170

Back-off timer
The back-off time is calculated in slots
Starting with a random number of slots below a power of 2 minus 1 (2^x - 1)
Ascending integer powers of 2 minus 1 if the transmission fails

Figure: three sources each wait DIFS, then contention windows of 7, 15 and 31 slots

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 171

Two way delivery: data-acknowledgement


Two frames
Frame sent from source to destination
Acknowledgement sent from destination back to source

The exchange of this pair of frames is atomic in the MAC protocol: it cannot be interrupted

If an acknowledgement is not received, the MAC will retransmit
Reduces latency compared to letting a higher-layer protocol retransmit

Figure: the source waits DIFS and its backoff window, then sends Data; after SIFS the destination sends ACK; other stations defer through the exchange and start their contention window (slot time) after the next DIFS

Broadcast and multicast have no ACK!

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 172

Carrier-sensing
Physical carrier-sensing
Detects signal strength from other sources at the PHY
CCA: Clear Channel Assessment

Virtual carrier-sensing (optional)
A wireless device first reserves the medium
Other stations set their NAV timer; NAV > 0 means the medium is busy

The channel is said to be idle only when both mechanisms report idle

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 173

Hidden node problem


Carrier sensing may not work due to a hidden terminal
RTS/CTS reservation mechanism
If A starts sending, C might also start sending, resulting in a collision at B

Figure: A's RTS reaches B but not C; B's CTS reaches both A and C

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 174

Four way delivery: virtual carrier sensing


Duration field in all frames
Including RTS and CTS, monitored by every station

The duration field is used to construct a network allocation vector (NAV)
Inhibits transmission even if no carrier is detected

Figure: source 1 waits DIFS and 7 backoff slots, then sends RTS; after SIFS destination 1 answers CTS; after SIFS source 1 sends Data and receives ACK after SIFS. Sources 2 and 3 and destinations 2 and 3 set their NAV from the RTS/CTS duration. Source 2 (9 slots) defers but keeps its remaining backoff of 2 slots, then sends its own Data/ACK exchange after the next DIFS.

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 175

802.11g throughput
Compatibility mode requires 11g OFDM packets to be preceded by an RTS/CTS or CTS-only exchange: additional overhead

Figure: same timeline as the previous slide, with source 1 a 11g station and sources 2 and 3 11b stations. The RTS/CTS exchange is sent at 11 Mbps so that the 11b stations can set their NAV; only the data frame is OFDM. Source 2 defers but keeps its remaining backoff of 2 slots. Extra delay because the protection frames are sent at 11 Mbps.


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 176

Message fragmentation
IEEE 802.11 defines:
A function to transmit large messages as smaller frames
Improves performance in RF-polluted environments
Can be switched off to avoid the overhead in RF-clean environments

Figure: a hit (interference burst) in a large frame requires retransmission of the whole large frame; fragmenting reduces the frame size and the time required to retransmit

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 177

802.11n and data link layer

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 178

The Physical Components


Figure: OSI layers against the Wi-Fi stack
L7 Application, L6 Presentation, L5 Session, L4 Transport, L3 Network: above Wi-Fi
L2 Data Link: Logical Link Control sublayer (LLC) and Media Access Control sublayer (MAC)
L1 Physical: Physical Layer Convergence Procedure (PLCP) and Physical Medium Dependent (PMD)
This is Wi-Fi: 802.11 defines the MAC sublayer and the physical layer


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 179

Designing, optimizing and Securing Wireless Networks


01. Designing
Introducing Wireless Networks and Topologies Radio basics, WI-FI basics and Interference 802.11n Architecture Site Survey

02. Optimizing
Throughput QoS: 802.11e Voice on Wireless

03. Securing
Encryption and authentication standards
802.1x framework
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 180

Optimizing wireless networks


QoS: 802.11e

JOHN CORDIER ACADEMY

www.jcacademy.com | Telindus 2012

QoS Requirements for Applications


                   ERP and mission-critical   Voice             FTP
Bandwidth          Varies                     Low to moderate   Moderate to high
Loss sensitivity   Moderate to high           Low               High
Delay sensitive    Low to moderate            High              Low
Jitter sensitive   Varies                     High              Low

Traffic should be grouped into classes that have similar QoS requirements
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 182

802.11e and Wi-Fi


Modification of the MAC architecture to support QoS
Two new channel access functions:
Priority classes: Enhanced Distributed Coordination Access (EDCA)
Polled access: HCF Coordinated Channel Access (HCCA)

Subsets defined by Wi-Fi: Wireless Multimedia (WMM)
WME (Wi-Fi Multimedia Extensions) ~ EDCA
Parametrised QoS
WSM (Wi-Fi Scheduled Multimedia) ~ HCCA
Guaranteed QoS

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 183

EDCA (Enhanced Distributed Channel Access)


EDCA supports prioritised traffic
Four access categories (AC)

AC parameters announced by beacon frames, adapted dynamically:
Arbitration inter-frame space number (AIFSN)
Contention window (CW)
TXOP limit

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 184

WMM Access Category timings


WMM will initially use WME

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 185

WME vs. WSM


WME
Based on 802.11e draft
Based on EDCA (Enhanced Distributed Coordination Access)
EDCA provides priority classes of service
Best suited for one-way audio applications
Triggered APSD optional

WSM
Based on 802.11e draft, includes WME
Based on HCCA (HCF Coordinated Channel Access)
HCCA reserves bandwidth based on traffic specifications from client devices
Best suited for two-way streaming media (voice, video)
Uses scheduled APSD, suitable for power save

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 186

Existing QoS mechanisms: 802.1p, IP precedence, DSCP


Layer 2: 802.1Q/p on LAN segments
Three bits CoS (802.1p User Priority)

Figure: Ethernet frame Preamble | SFD | DA | SA | Type | TAG (4 bytes: PRI, CFI, VLAN ID) | PT | Data | FCS; the 802.1Q/p header is the TAG

Layer 3: IP end to end

Figure: IPv4 header Version | Length | ToS byte | Len | ID | Offset | TTL | Proto | FCS | IP SA | IP DA | Data; the ToS byte holds the IP precedence (3 bits) or the DSCP (6 bits)


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 187

Layer 2 Classification802.1p, CoS

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 188

Layer 3 ClassificationIP Precedence, DSCP

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 189

Redefinition RFC 1349


It is possible to map 802.1q directly into ToS precedence

Figure: IPv4 header with the 1-byte ToS field: Version | Length | ToS | Len | ID | Offset | TTL | Proto | FCS | IP-SA | IP-DA | Data

ToS byte layout (RFC 1122 / RFC 1349):
Bits 0-2: Precedence
Bits 3-6: Type of Service
Bit 7: MBZ (Must Be Zero)

Precedence (bits 0-2):
111 Network Control
110 Internetwork Control
101 CRITIC/ECP
100 Flash Override
011 Flash
010 Immediate
001 Priority
000 Routine

IP Type of Service (bits 3-6), as defined in RFC 1349:
0000 all normal
1000 minimize delay
0100 maximize throughput
0010 maximize reliability
0001 minimize monetary cost
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 190

Classification: DSCP Values


Figure: DS field = DSCP (6 bits) + CU (2 bits)

                        Class #1           Class #2           Class #3           Class #4
Low drop precedence     AF11 (001010) 10   AF21 (010010) 18   AF31 (011010) 26   AF41 (100010) 34
Medium drop precedence  AF12 (001100) 12   AF22 (010100) 20   AF32 (011100) 28   AF42 (100100) 36
High drop precedence    AF13 (001110) 14   AF23 (010110) 22   AF33 (011110) 30   AF43 (100110) 38

High priority = EF = 101110 = 46
Best effort = 000000 = 0


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 191

L2 QoS marking: wireless LANs


Standard mappings by WMM (but may be customized)

Access category: WME voice priority (ACI 3)
Description: highest priority; allows multiple concurrent VoIP calls with low latency and toll voice quality
802.1Q/p tags: 7, 6
DSCP: EF

Access category: WME video priority (ACI 2)
Description: prioritize video traffic above other data traffic; one 802.11g/a channel can support 3-4 SDTV streams or 1 HDTV stream
802.1Q/p tags: 5, 4
DSCP: AF4x

Access category: WME best effort priority (ACI 0)
Description: traffic from legacy devices or from applications that lack QoS capabilities; traffic less sensitive to latency but affected by long delays, such as internet surfing
802.1Q/p tags: 0, 3
DSCP: BE

Access category: WME background (ACI 1)
Description: low-priority traffic (file downloads, print jobs) that does not have strict latency and throughput requirements
802.1Q/p tags: 1, 2
DSCP: AF2x

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 192
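The three slides above (ToS precedence, DSCP values, WMM mapping) describe one byte of the IP header read three ways. The following is an added example, not part of the course material: it decodes a ToS byte into its RFC 1122/1349 fields and its DSCP, names the code point (EF, AFxy, CSx, BE) and maps it to the WMM access category of the table above. The code points are the standard DiffServ values; the DSCP-to-WMM mapping and 802.1p tags follow this page's table.

```python
"""Decode the IPv4 ToS byte (precedence / RFC 1349 ToS bits / DSCP + ECN)
and map the DSCP to a WMM access category as in the table on this page.

Added example, not part of the original course material."""

PRECEDENCE_NAMES = {
    7: "Network Control", 6: "Internetwork Control", 5: "CRITIC/ECP",
    4: "Flash Override", 3: "Flash", 2: "Immediate", 1: "Priority", 0: "Routine",
}

# RFC 1349 Type of Service field: bits 3-6 of the ToS byte read as one 4-bit value.
RFC1349_TOS = {
    0b0000: "normal", 0b1000: "minimize delay", 0b0100: "maximize throughput",
    0b0010: "maximize reliability", 0b0001: "minimize monetary cost",
}

# WMM default DSCP -> access category (ACI, name, 802.1p tags) from this page's table.
WMM_AC = {
    "EF":  (3, "voice", (7, 6)),
    "AF4": (2, "video", (5, 4)),
    "BE":  (0, "best effort", (0, 3)),
    "AF2": (1, "background", (1, 2)),
}


def dscp_name(dscp):
    """Name a 6-bit code point: EF, BE, CSx, AFxy (x = class, y = drop precedence)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 46:                        # 101110
        return "EF"
    if dscp == 0:                         # 000000
        return "BE"
    cls, low = dscp >> 3, dscp & 0b111    # class selector bits and the low 3 bits
    if low == 0:
        return "CS%d" % cls
    if 1 <= cls <= 4 and low in (0b010, 0b100, 0b110):   # AF drop precedence 1..3
        return "AF%d%d" % (cls, low >> 1)
    return "DSCP%d" % dscp


def decode_tos_byte(tos):
    """Return the old (RFC 1122/1349) and new (DSCP/ECN) readings of one ToS byte."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS byte out of range")
    precedence = tos >> 5
    return {
        "precedence": precedence,
        "precedence_name": PRECEDENCE_NAMES[precedence],
        "tos_bits": RFC1349_TOS.get((tos >> 1) & 0b1111, "undefined combination"),
        "mbz": tos & 0b1,
        "dscp": tos >> 2,
        "dscp_name": dscp_name(tos >> 2),
        "ecn": tos & 0b11,
    }


def wmm_access_category(dscp):
    """Map a DSCP to (ACI, name, 802.1p tags); anything not in the table is best effort."""
    name = dscp_name(dscp)
    key = name[:3] if name.startswith("AF") else name    # AF41 -> "AF4" (AF4x row)
    return WMM_AC.get(key, WMM_AC["BE"])


if __name__ == "__main__":
    for tos in (0xB8, 0x28, 0x90, 0x00):      # EF, AF11, AF42, best effort
        fields = decode_tos_byte(tos)
        print("0x%02x %-6s prec=%d %-20s -> WMM %s"
              % (tos, fields["dscp_name"], fields["precedence"],
                 fields["precedence_name"], wmm_access_category(fields["dscp"])[1]))
```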

802.11b throughput: impact of 802.11 MAC & PHY


Figure: stacked bar chart for 802.11b at 1, 2, 5.5 and 11 Mbit/s (y axis 0-12 Mbit/s), splitting the link rate into idle time (IFS), PLCP preamble, PLCP header, MAC header + ACK, LLC/SNAP header, TCP/IP overhead and net throughput

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 193

802.11g throughput
Mixed mode requires 11g adaptations for protection:
CTS-only
RTS/CTS
Slot time of 20 us (vs 9 us)
Maximum back-off time

Most APs support automatic performance tuning by adaptive 802.11b protection, typically in 3 levels:
No 11b clients sensed
11b clients sensed
11b clients active
11g stations get a higher probability of air time in a mixed environment
Throughput performance may vary over time

g-only mode (turning off protection)
11g performance deteriorates when 11b clients start to associate/send data
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 194

Network capacity
Theoretical maximum application-level throughput
1500 byte packets, encryption enabled, zero packet errors

Standard                  Modulation   Maximum link rate   Theoretical maximum TCP rate   Theoretical maximum UDP rate
802.11b                   CCK          11 Mbps             5.9 Mbps                       7.1 Mbps
802.11g (with 802.11b)    OFDM/CCK     54 Mbps             14.4 Mbps                      19.5 Mbps
802.11g (11g-only mode)   OFDM         54 Mbps             24.4 Mbps                      30.5 Mbps
802.11a                   OFDM         54 Mbps             24.4 Mbps                      30.5 Mbps

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 195

Designing, optimizing and Securing Wireless Networks


01. Designing
Introducing Wireless Networks and Topologies Radio basics, WI-FI basics and Interference 802.11n Architecture Site Survey

02. Optimizing
Throughput QoS: 802.11e Voice on Wireless

03. Securing
Encryption and authentication standards
802.1x framework
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 197

Optimizing wireless networks


Voice on Wireless

JOHN CORDIER ACADEMY

www.jcacademy.com | Telindus 2012

The new voice infrastructure


Figure: the PBX combines signalling and transport in one box; VoIP splits signalling, transport and other functions into separate components
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 199

Voice Protocols
Figure: VoIP protocol stack against the TCP/IP layers
Application: media transport (audio and video codecs, RTP, RTCP) and signalling (RAS, H.225.0, H.245, Q.931, MGCP, Megaco/H.248, SIP)
Host to host: UDP and TCP
Internet: IP
Network access: Ethernet / PPP / ATM / ?

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 200

Why IP, UDP & RTP Transport?

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 201

Parameters affecting VoIP quality


Packet losses due to collisions, bad radio channel and buffer overflow
A packet loss rate of 10 % is mostly acceptable (depends on the codec)

One-way delay according to ITU G.114
Lower than 150 ms is acceptable for most applications
Between 150 ms and 400 ms is potentially intolerable
Above 400 ms is unacceptable

Delay variations (jitter) must be compensated using buffers, static or adaptive

Wireless LAN specific
Handover causes delay
High-compression codecs result in higher delay

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 202

Watch out for interference!

Perception
I think my WLAN is lightly utilized, so I should be able to easily add voice

Reality
But interference is eating into my capacity, so there's no room in the pipe for voice

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 203

L2 QoS marking: wireless LANs


Standard mappings by WMM (but may be customized)

Access category: WME voice priority (ACI 3)
Description: highest priority; allows multiple concurrent VoIP calls with low latency and toll voice quality
802.1Q/p tags: 7, 6
DSCP: EF

Access category: WME video priority (ACI 2)
Description: prioritize video traffic above other data traffic; one 802.11g/a channel can support 3-4 SDTV streams or 1 HDTV stream
802.1Q/p tags: 5, 4
DSCP: AF4x

Access category: WME best effort priority (ACI 0)
Description: traffic from legacy devices or from applications that lack QoS capabilities; traffic less sensitive to latency but affected by long delays, such as internet surfing
802.1Q/p tags: 0, 3
DSCP: BE

Access category: WME background (ACI 1)
Description: low-priority traffic (file downloads, print jobs) that does not have strict latency and throughput requirements
802.1Q/p tags: 1, 2
DSCP: AF2x

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 204

Bandwidth provisioning: VoIP & RTP/UDP/IP overhead


IP + UDP + RTP headers = 40 bytes
IP: 20 bytes
UDP: 8 bytes
RTP: 12 bytes

At 64 kbps PCM: 20 ms of audio = 160 bytes of payload; with the 40 bytes of IP/UDP/RTP headers the overall rate = 80 kbps

At 8 kbps encoding: 20 ms of audio = 20 bytes of payload; overall rate = 24 kbps

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 205

Bandwidth provisioning: VoIP combined with data


A single VoIP connection seriously reduces the throughput of data applications on the same 802.11b AP

Figure: TCP throughput (0 to 4.5 Mbit/s) versus number of VoIP connections (1 to 16), for G.711 with 20 ms packets and G.729 with 20 ms packets
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 206

Bandwidth provisioning: number of active VoIP users


Maximum number of VoIP calls at 70% efficiency

Codec           802.11b   802.11a or g   802.11b/g (RTS/CTS protection)
G.711 (20 ms)   13        42             14
G.729 (20 ms)   16        47             15

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 207

Bandwidth provisioning: data rate and VoIP call density


Maximum VoIP call density (G.711 assumed, no data)
1 Mb/s: 4 calls
2 Mb/s: 7 calls
5.5 Mb/s: 10 calls
11 Mb/s: 12 calls


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 208
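The throughput slide (193) and the four provisioning slides (205 to 208) all follow from one airtime budget per frame: DIFS, backoff, PLCP preamble and header, MAC header, LLC/SNAP, IP/UDP(/RTP) headers, SIFS and the 802.11 ACK. The following is an added example, not part of the course material, that writes that budget out for 802.11b and applies it to both questions: net UDP throughput versus link rate, and how many G.711/G.729 calls an AP carries at 70% efficiency. The DSSS timings are the standard 802.11b values; the mean backoff (CWmin/2 slots) and the long PLCP preamble are assumptions the slides do not state, so the absolute numbers are lower than the slides' figures while the trends (overhead grows with link rate, call count barely follows it) match.

```python
"""802.11b DCF airtime model: one data frame plus its ACK, with every
overhead component listed on the throughput slide, applied to bulk UDP
(throughput slide) and to 20 ms voice frames (VoIP provisioning slides).

Added example, not part of the original course material. The mean backoff
of CWmin/2 slots and the long preamble are assumptions, not slide values."""

SLOT_US, SIFS_US, DIFS_US = 20, 10, 50     # 802.11b DSSS timings (microseconds)
PLCP_LONG_US, PLCP_SHORT_US = 192, 96      # PLCP preamble + header, sent at 1 Mbit/s
CW_MIN_SLOTS = 31                          # first contention window (slots)
MAC_HDR_FCS = 24 + 4                       # data frame MAC header + FCS (bytes)
WEP_IV_ICV = 4 + 4                         # "encryption enabled" adds IV + ICV
LLC_SNAP = 8
ACK_FRAME = 14
IP_UDP = 20 + 8
IP_UDP_RTP = 20 + 8 + 12                   # the 40 header bytes of the VoIP slide


def frame_exchange_us(payload, hdr_bytes, rate_mbps, plcp_us=PLCP_LONG_US,
                      mean_backoff_slots=CW_MIN_SLOTS / 2, ack_rate_mbps=2.0):
    """Medium time of DIFS + mean backoff + DATA + SIFS + ACK for one MSDU."""
    body = LLC_SNAP + hdr_bytes + payload + WEP_IV_ICV
    data_us = plcp_us + (MAC_HDR_FCS + body) * 8 / rate_mbps
    ack_us = plcp_us + ACK_FRAME * 8 / ack_rate_mbps    # ACK at a basic rate
    return DIFS_US + mean_backoff_slots * SLOT_US + data_us + SIFS_US + ack_us


def udp_throughput_mbps(rate_mbps, payload=1472, **kw):
    """Application-level UDP throughput of one saturated sender, no errors."""
    return payload * 8 / frame_exchange_us(payload, IP_UDP, rate_mbps, **kw)


def overhead_fraction(rate_mbps, payload=1472, **kw):
    """Share of the link rate lost to MAC/PHY overhead (the stacked bars)."""
    return 1 - udp_throughput_mbps(rate_mbps, payload, **kw) / rate_mbps


def voip_bandwidth_kbps(codec_kbps, packet_ms=20):
    """Wire rate of one RTP stream with 40 bytes of IP/UDP/RTP headers."""
    payload = codec_kbps * packet_ms / 8             # bytes per packet
    return (payload + IP_UDP_RTP) * 8 / packet_ms    # kbit/s


def max_calls(rate_mbps, codec_kbps=64, packet_ms=20, efficiency=0.7, **kw):
    """Bidirectional calls an AP carries when 'efficiency' of the airtime is usable."""
    payload = int(codec_kbps * packet_ms / 8)
    per_frame_us = frame_exchange_us(payload, IP_UDP_RTP, rate_mbps, **kw)
    frames_per_sec = 2 * 1000 / packet_ms            # both directions of the call
    airtime_per_call = per_frame_us * frames_per_sec / 1e6   # seconds of air per second
    return int(efficiency // airtime_per_call)


if __name__ == "__main__":
    for rate in (1, 2, 5.5, 11):
        print("%4.1f Mbit/s: UDP %.2f Mbit/s, overhead %3.0f%%, G.711 calls %d, G.729 calls %d"
              % (rate, udp_throughput_mbps(rate), 100 * overhead_fraction(rate),
                 max_calls(rate), max_calls(rate, codec_kbps=8)))
    print("G.711 %.0f kbit/s on the wire, G.729 %.0f kbit/s"
          % (voip_bandwidth_kbps(64), voip_bandwidth_kbps(8)))
```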

802.11n Deployment Expectations Voice services


Voice
Plan for the same number of calls per AP as 11a/g (15-25 calls)
Voice over WiFi phones still top out at 54 Mbps
No 11n WiFi phones on the market right now
Expect better voice reliability, especially in the upstream direction (phone to AP)
Overlap 20-25%

Recommendations
Forget about 11b
5 GHz
Disable speeds lower than 12 Mbps

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 209

Designing, optimizing and Securing Wireless Networks


01. Designing
Introducing Wireless Networks and Topologies Radio basics, WI-FI basics and Interference 802.11n Architecture Site Survey

02. Optimizing
Throughput QoS: 802.11e Voice on Wireless

03. Securing
Encryption and authentication standards
802.1x framework
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 210

Securing wireless networks


Encryption and authentication standards 802.1x Framework

JOHN CORDIER ACADEMY

www.jcacademy.com | Telindus 2012

Thinking about security


Social engineering
Physical security
Wireless is insecure
Windows is insecure
Using your neighbour's network
The wired network is insecure

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 212

Come and get me


Wireless networks beg to be used (or abused)

War nibbling
Similar to war driving, but against Bluetooth technology
Redfang: www.@stake.com/research/tools/info_gathering

War driving / war flying
Finding installed access points (802.11a, b or g)

Eavesdropping / unauthorized access
Netstumbler: www.netstumbler.com

War chalking
Physical marking of a wireless-accessible network

A roguish WLAN
Adding fake access points

Jamming
Taking a device off the air by overriding the signal with a stronger one
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 213

Why would people want to hack you?


Just for fun
It gives (nearly) anonymous access: the attacker is difficult to trace
A way of preserving online privacy: who am I?

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 214

Wireless Protection Measures: What do you want to protect?


Protect data?
Protect access?
Protect users?

Figure: tools named on the slide: AirSnort, NetStumbler, Kismet, WEPCrack


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 215

WLAN security hierarchy


Open access: no encryption, MAC, SSID (public hotspots)
Basic security: 40-bit or 128-bit static WEP encryption (home use)
Enhanced security: WPA, WPA2 - 802.11i (business)
Remote access: Virtual Private Network (VPN) (business traveler, telecommuter)

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 216

Standards
Figure: wireless security building blocks
Encryption/integrity: WEP (RC4), TKIP (RC4), AES
Authentication: 802.1X
Architectures: WEP; WPA = TKIP + 802.1x; WPA2 (802.11i) = AES + 802.1x
Multiple VLANs + multiple SSIDs on the wireless side


JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 217

Wep Authentication

Open

Shared

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 218

WEP
WEP uses a shared key only
It uses the symmetrical RC4 (Ron's Code 4) stream cipher

Figure: WEP encryption
A CRC is computed over the data and appended as ICV (Data | ICV)
A 24-bit IV is prepended to the 40-bit or 104-bit key, giving a 64-bit or 128-bit RC4 key
RC4 produces a keystream that is XORed with Data | ICV to give the cipher text
The 24-bit IV is sent in clear in front of the cipher text
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 219

RC4

How does WEP work?


Figure: WEP encapsulation and decapsulation
The data starts with the LLC/SNAP header: 0xaa 0xaa 0x03 0x00 0x00 0x00 0x08 0x00

Sender:
802.11 Hdr | Data
Append ICV = CRC32(Data): 802.11 Hdr | Data | ICV
Select and insert the IV; per-packet key = IV || RC4 base key; RC4-encrypt Data || ICV: 802.11 Hdr | IV | Cipher(Data | ICV)

Receiver:
Remove the IV from the packet; per-packet key = IV || RC4 base key; RC4-decrypt Data || ICV
Check ICV = CRC32(Data)

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 220

Wep Framing

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 221

Why not wep?


Manual key management is a minefield of problems
Are 40-bit private keys adequate?
Two frames that use the same IV almost certainly use the same keystream
WEP uses a weak integrity check: CRC
We always know the first byte: the LLC header starts with 0xAA

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 222
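The WEP slides above (219, 220 and 222) describe the encapsulation step by step. The following is an added example, not part of the course material: it implements that encapsulation and decapsulation exactly as drawn (CRC32 ICV, IV || base key, RC4 over Data || ICV, IV in clear) and adds the monitoring check behind slide 222's point about IV reuse, counting repeated IVs across captured frame bodies. The RC4 routine is the textbook KSA/PRGA written out because the Python standard library has none; the key, IVs and frames are constructed test values.

```python
"""WEP encapsulation/decapsulation as on slides 219-220, plus a defender-side
IV-reuse counter for slide 222's "same IV, same keystream" observation.

Added example, not part of the original course material. Keys, IVs and
frame contents below are constructed test values."""
import os
import struct
import zlib
from collections import Counter

# LLC/SNAP header every IP data frame starts with (slide 220): known first bytes.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def rc4(key, data):
    """Plain RC4: key scheduling, then XOR data with the PRGA keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                                  # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: CRC-32 of the data, little-endian on the wire."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encapsulate(base_key, data, iv=None, key_id=0):
    """Return IV (3 B) || key-id byte || RC4_{IV||base_key}(data || ICV)."""
    if len(base_key) not in (5, 13):
        raise ValueError("WEP base key must be 40-bit (5 B) or 104-bit (13 B)")
    iv = os.urandom(3) if iv is None else iv
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    key_id_byte = bytes([(key_id & 0x03) << 6])            # key index in the top 2 bits
    return iv + key_id_byte + rc4(iv + base_key, data + icv(data))


def wep_decapsulate(base_key, body):
    """Strip the IV, decrypt with IV || base key, verify the ICV; raise on mismatch."""
    if len(body) < 4 + 4:
        raise ValueError("body too short for IV, key-id and ICV")
    iv, ciphertext = body[:3], body[4:]
    plain = rc4(iv + base_key, ciphertext)
    data, received_icv = plain[:-4], plain[-4:]
    if received_icv != icv(data):
        raise ValueError("ICV check failed")
    return data


def reused_ivs(bodies):
    """Map IV -> count for every IV seen more than once in captured frame bodies."""
    counts = Counter(body[:3] for body in bodies)
    return {iv: n for iv, n in counts.items() if n > 1}


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"                          # constructed 40-bit key
    body = wep_encapsulate(key, LLC_SNAP_IP + b"constructed payload")
    print("on the wire:", body.hex())
    print("recovered  :", wep_decapsulate(key, body))
    capture = [wep_encapsulate(key, b"x", iv=b"\x00\x00\x01") for _ in range(3)]
    print("IVs reused :", reused_ivs(capture))
```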

EAP Protocol-overview

TLS

PEAP

LEAP

MD5

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 223

802.1x
Client-server based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports
Standard set by the IEEE 802.1 working group
Standard link-layer protocol used for transporting higher-level authentication protocols
Works between the supplicant (client) and the authenticator (network device)
Maintains backend communication to an authentication (RADIUS) server

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 224

IEEE 802.1x
802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports

Figure: Supplicant - Authenticator - Authentication Server
1. User activates the link (i.e. turns on the PC)
2. Switch asks the authentication server whether the user is authorized to access the LAN
3. Authentication server responds with the access authorization
4. Switch opens the controlled port (if authorized) for the user to access the LAN
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 225

IEEE 802.1x Components


Supplicant Authenticator

Authentication Server

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 226

What is RADIUS?
Remote Authentication Dial In User Service
Supports authentication, authorization and accounting for remote access
Physical ports (analog, ISDN, LAN)
Virtual ports (tunnels)
Allows centralized administration and accounting

IETF status
Proposed standard
RFC 2865, RADIUS authentication/authorization
RFC 2618-2621, RADIUS MIBs
Informational
RFC 2866, RADIUS accounting
RFC 2867-8, RADIUS tunneling support
RFC 2869, RADIUS extensions
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 227

What Does 802.1x Do?


Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads
The authenticator (switch or router) becomes the middleman: it relays the EAP received in 802.1x packets to an authentication server, using RADIUS to carry the EAP information

Figure: 802.1x header | EAP payload

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 228

802.1x: EAPOL Container


The authentication dialog between supplicant and authentication server is carried in EAP frames.

EAP over LAN (EAPOL) is used for all communication between supplicant and authenticator.

Figure: Ethernet frame DA (6B) | SA | T/L (2B: 888E) | DATA | FCS; the EAPOL data is Protocol Version (1B: 0000 0001) | Frame Type (1B) | Length (2B) | Body (X B)

Authenticator to supplicant
Destination: 0180.C200.0003 until learned; source: unicast authenticator

Supplicant to authenticator
Destination: 0180.C200.0003; source: unicast supplicant

Frame type values:
0000 0000 EAP-Packet
0000 0001 EAPOL-Start
0000 0010 EAPOL-Logoff
0000 0011 EAPOL-Key
0000 0100 EAPOL-Encapsulated-ASF-Alert

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 229

What Does EAP Do?


EAP (Extensible Authentication Protocol), defined in RFC 2284
Authentication framework
Supports multiple authentication methods
Operates directly over the data-link layer
Does not require the Internet Protocol (IP)

Proprietary EAP types are being developed by vendors, e.g. Cisco's Lightweight Extensible Authentication Protocol (LEAP)

Three forms of EAP are specified in the standard:
EAP-MD5: MD5 hashed username/password
EAP-OTP: one-time passwords
EAP-TLS: strong PKI-authenticated Transport Layer Security (SSL)

Figure: 802.1x header | EAP payload
JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 230

EAP Method Comparison

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 231

EAP Container Request /Response


Figure: EAP request/response inside Ethernet and 802.1x
Ethernet: DA | SA | T/L | DATA | FCS
802.1x: Protocol Version | Frame Type | Length
EAP: Code (1B) | Identifier (1B) | Length (2B) | Type (1B) | Type-Data (X B)

Code:
0000 0001 Request
0000 0010 Response

Type:
0000 0001 Identity
0000 0010 Notification
0000 0011 NAK (response only: the desired authentication type is unacceptable)
0000 0100 MD5-Challenge
0000 0101 One-Time Password (OTP)
0000 0110 Generic Token Card

JOHN CORDIER ACADEMY www.jcacademy.com | Telindus 2012 | slide 232
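The EAPOL and EAP header layouts from the two container slides above, as an added worked example (this code is not part of the course material): it builds an EAP-Request/Identity inside an EAPOL frame, parses it back with length checks, and rejects truncated or inconsistent frames. The sample MAC address and identifier are constructed values; the constants come from the slides (IEEE 802.1X and RFC 2284). The FCS is omitted because it is computed by the NIC.

```python
import struct

# Constants from IEEE 802.1X / RFC 2284 as listed on the slides
EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "NAK", 4: "MD5-Challenge",
             5: "One-Time Password", 6: "Generic Token Card"}


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol_frame(dst, src, eapol_type, body=b"", version=1):
    """Wrap a body in an EAPOL header and an Ethernet header (FCS omitted)."""
    eapol = struct.pack("!BBH", version, eapol_type, len(body)) + body
    return dst + src + struct.pack("!H", EAPOL_ETHERTYPE) + eapol


def parse_eapol_frame(frame):
    """Parse Ethernet + EAPOL (+ EAP) headers; raise ValueError on malformed input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame (ethertype 0x%04x)" % ethertype)
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    result = {
        "dst": dst.hex(), "src": src.hex(),
        "to_pae_group": dst == PAE_GROUP_ADDRESS,
        "version": version,
        "eapol_type": EAPOL_TYPES.get(eapol_type, "unknown(%d)" % eapol_type),
    }
    if eapol_type == 0:  # EAP-Packet: decode the EAP header as well
        if body_len < 4:
            raise ValueError("EAP packet shorter than its 4-byte header")
        code, identifier, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len != body_len:
            raise ValueError("EAP length field does not match EAPOL body length")
        result.update(code=EAP_CODES.get(code, "unknown"), identifier=identifier)
        if code in (1, 2):  # only Request/Response carry a Type byte
            result["eap_type"] = EAP_TYPES.get(body[4], "unknown(%d)" % body[4])
            result["type_data"] = body[5:]
    return result


def is_malformed(frame):
    """True if parse_eapol_frame rejects the frame (exercises the defensive checks)."""
    try:
        parse_eapol_frame(frame)
        return False
    except ValueError:
        return True


# Constructed sample: Authenticator -> Supplicant EAP-Request/Identity, identifier 7,
# sent to the PAE group address because the supplicant's MAC is not yet learned.
SAMPLE_REQUEST = build_eapol_frame(
    PAE_GROUP_ADDRESS, bytes.fromhex("001122334455"), 0, build_eap(1, 7, 1))

if __name__ == "__main__":
    print(parse_eapol_frame(SAMPLE_REQUEST))
```

Note that the parser checks the EAPOL Length against the actual bytes received and the EAP Length against the EAPOL Length: an authenticator that trusts either field blindly can be made to read past the buffer, which is exactly the kind of defect that matters on an uncontrolled port that accepts frames from unauthenticated devices.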

How Does 802.1x Work?

- For each 802.1x switch port, the switch creates TWO virtual access points (a controlled and an uncontrolled port).
- The controlled port is open only when the device connected to the port has been authorized by 802.1x.
- The uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) traffic ONLY.

[Figure: Controlled port (EAPOL) and Un-Controlled port (EAPOL) on one physical switch port]

Authentication

[Figure: port state before authentication and after successful authentication]

IEEE 802.1X EAPOL Conversation

- 802.1X users are identified by usernames, not MAC addresses.
- Enables user-based authentication, authorization and accounting.

Supplicant <-- EAP over LAN (EAPOL) --> Authenticator (PAE to PAE) <-- EAP over RADIUS --> RADIUS Server

  1. Port connect; access blocked.
  2. Supplicant -> Authenticator: EAPOL-Start
  3. Authenticator -> Supplicant: EAP-Request/Identity
  4. Supplicant -> Authenticator: EAP-Response/Identity; Authenticator -> RADIUS Server: Radius-Access-Request
  5. RADIUS Server -> Authenticator: Radius-Access-Challenge; Authenticator -> Supplicant: EAP-Request
  6. Supplicant -> Authenticator: EAP-Response (credentials); Authenticator -> RADIUS Server: Radius-Access-Request
  7. RADIUS Server -> Authenticator: Radius-Access-Accept; Authenticator -> Supplicant: EAP-Success
  8. Access allowed.

Reference: PPP Extensible Authentication Protocol (EAP), RFC 2284.
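The "EAP over RADIUS" leg of the conversation above, as an added example that is not part of the course slides: the authenticator takes the EAP-Response/Identity it received over EAPOL, wraps it in a Radius-Access-Request as EAP-Message attribute(s), and signs the packet with the Message-Authenticator attribute (HMAC-MD5 keyed with the RADIUS shared secret, as required by RFC 3579 whenever EAP-Message is present; the slide itself does not mention this attribute). The server side verifies the signature before reassembling the EAP packet. The shared secret, Request Authenticator and identity are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier, request_authenticator, user_name, eap_packet, secret):
    """Authenticator side: encapsulate an EAP packet in an Access-Request and sign it."""
    attrs = attr(ATTR_USER_NAME, user_name)
    # EAP-Message carries at most 253 bytes; longer EAP packets are split across
    # consecutive EAP-Message attributes and concatenated again by the server.
    for i in range(0, len(eap_packet), 253):
        attrs += attr(ATTR_EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    length = 20 + len(attrs)
    packet = (struct.pack("!BBH", ACCESS_REQUEST, identifier, length)
              + request_authenticator + attrs)
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed,
    # then written into the placeholder (which is the last attribute here).
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attributes(packet):
    """Return (type, value, offset_of_value) for every attribute after the header."""
    pos, out = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        out.append((atype, packet[pos + 2:pos + alen], pos + 2))
        pos += alen
    return out


def verify_and_extract_eap(packet, secret):
    """Server side: check Message-Authenticator, then reassemble the EAP packet.
    Returns the EAP bytes, or None if the signature is missing or wrong."""
    attrs = parse_attributes(packet)
    macs = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:
        return None  # RFC 3579: an Access-Request with EAP-Message needs exactly one
    received, off = macs[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return None
    return b"".join(v for t, v, _ in attrs if t == ATTR_EAP_MESSAGE)


# Constructed sample values (not from the slides)
SECRET = b"constructed-shared-secret"
# EAP-Response (code 2), identifier 7, type 1 (Identity), identity "alice"
EAP_RESPONSE_IDENTITY = struct.pack("!BBH", 2, 7, 4 + 1 + 5) + b"\x01" + b"alice"
REQ_AUTH = bytes(range(16))  # fixed Request Authenticator so the example is repeatable
SAMPLE = build_access_request(42, REQ_AUTH, b"alice", EAP_RESPONSE_IDENTITY, SECRET)

if __name__ == "__main__":
    print(verify_and_extract_eap(SAMPLE, SECRET))
```

Without Message-Authenticator, an Access-Request that carries EAP is authenticated only by the shared secret's use in later reply processing, so a server that skips this check would accept EAP payloads injected by anyone who can reach its RADIUS port; checking it, and doing so with a constant-time comparison, is the defensive point of the example.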

IEEE 802.1X EAPOW Conversation

Supplicant <-- EAP over Wireless (EAPOW) --> Authenticator (AP, PAE to PAE) <-- EAP over RADIUS --> RADIUS Server

  1. Associate: 802.11 Association Request / Association Response; access blocked.
  2. Supplicant -> AP: EAPOL-Start
  3. AP -> Supplicant: EAP-Request/Identity
  4. Supplicant -> AP: EAP-Response/Identity; AP -> RADIUS Server: Radius-Access-Request
  5. RADIUS Server -> AP: Radius-Access-Challenge; AP -> Supplicant: EAP-Request
  6. Supplicant -> AP: EAP-Response (credentials); AP -> RADIUS Server: Radius-Access-Request
  7. RADIUS Server -> AP: Radius-Access-Accept; AP -> Supplicant: EAP-Success
  8. AP -> Supplicant: EAPOW-Key (WEP key); access allowed.

EAPOL-Key frames can be used periodically.

Static or Dynamic WEP?

Static WEP and dynamic WEP are two entirely different things.

In static WEP, everyone uses the same key:
- No privacy between different users.
- Huge key distribution problem.
- Lots of people using the same key = lots of packets available for capture. One weakness in WEP allows cracking of the key by capturing a large number of packets (largely mitigated by modern implementations).

In dynamic WEP, everyone is assigned a different key:
- Key generated by the authentication server during 802.1x.
- Key changes periodically (configurable interval).
- Separate keys used for unicast and multicast.

802.1x using Cisco proprietary LEAP

Supplicant <-- EAP over Wireless (EAPOW) --> Authenticator (AP, PAE to PAE) <-- EAP over RADIUS --> RADIUS Server

  1. Associate: 802.11 Association Request / Association Response; access blocked.
  2. Supplicant -> AP: EAPOL-Start
  3. AP -> Supplicant: EAP-Request/Identity
  4. Supplicant -> AP: EAP-Response/Identity; AP -> RADIUS Server: Radius-Access-Request
  5. Challenge/response round 1: EAP-Request (Cisco challenge) / EAP-Response (Cisco response) on the wireless side, carried as Radius-Access-Request (Cisco challenge) / Radius-Access-Response (Cisco response) on the RADIUS side.
  6. Challenge/response round 2: EAP-Request (Cisco challenge) / EAP-Response (Cisco response), again carried as Radius-Access-Request (Cisco challenge) / Radius-Access-Response (Cisco response).
  7. The client generates the PMK; the RADIUS server generates the PMK.
  8. RADIUS Server -> AP: Radius-Access-Accept (with dynamic key); access allowed.
  9. AP -> Supplicant: EAP-Success, then Broadcast Key and Broadcast Key Length.

How does PEAP work?

Part 1: Establish the TLS tunnel

Participants: Client, WAP, Authentication server, AD

  1. Client -> WAP: Request connection
  2. WAP -> Authentication server: Request connection
  3. Authentication server -> Client: Do you support PEAP?
  4. Client -> Authentication server: Yes
  5. Authentication server -> Client: Server PKI certificate and server's TLS preferences
  6. Client -> Authentication server: Certificate verified and client's TLS preferences, or OK
  7. Authentication server -> Client: TLS settings accepted and TLS finished
  8. TLS tunnel established

How does PEAP work?

Part 2: EAP authentication within the TLS tunnel

Participants: Client, WAP, Authentication Server, AD

  1. Authentication Server -> Client: response to "TLS tunnel established", request the client's identity
  2. Client -> Authentication Server: client's identity (tells the server which domain to contact)
  3. Authentication Server -> Client: server's requested EAP authentication type
  4. Client -> Authentication Server: client's requested EAP authentication type, or OK
  5. Authentication Server -> Client: EAP method accepted, request authentication
  6. Client -> Authentication Server: client's UserID and Password
  7. Authentication Server -> AD: UserID & password; AD -> Authentication Server: Success
  8. Authentication Server -> Client: EAP authentication success
  9. TLS tunnel torn down

EAP mechanisms

[Figure: EAP methods plotted on an ease-of-use versus security chart: EAP-OPEN, EAP-FAST, LEAP, PEAP, EAP-MD5, EAP-TTLS, EAP-TLS]

WPA roadmap

- WPA (subset of 802.11i): 802.1x + TKIP + MIC, WPA authenticated key management
- WPA2: 802.1x + AES + MIC

Wi-Fi Protected Access (WPA):
  Authentication: 802.1X
  Encryption: TKIP/MIC

WPA

- 802.1x provides the method for generating the master session key.
- WPA adds an extra key handshake:
  - Generation and exchange of the final data encryption and integrity keys between the Authenticator and Supplicant
  - Proving key ownership (AP to client and vice versa)
  - Handshake identical for all EAP methods
- Re-authentication time-out can be much larger than with dynamic WEP (typically every 8 hours).
- WPA lacks the real-time re-authentication needed with roaming: a problem for VoIP.

WPA: key management process

Participants: Supplicant, Authenticator, Authentication server

  Discovery:        Beacon/probe between Supplicant and Authenticator.
  Authentication:   EAP authentication; EAP credentials are exchanged between Supplicant and Authentication server, both derive the PMK, and the Authentication server hands the PMK to the Authenticator.
  Key management:   4-way handshake between Supplicant and Authenticator: both derive the PTK; 2-way handshake: the GTK is delivered and decrypted by the Supplicant.
  Data protection:  PTK protects unicast data, GTK protects multicast data.

IEEE 802.1X EAPOW Conversation

Supplicant <-- EAP over Wireless (EAPOW) --> Authenticator (AP, PAE to PAE) <-- EAP over RADIUS --> RADIUS Server

  1. Associate: 802.11 Association Request / Association Response; access blocked.
  2. Supplicant -> AP: EAPOL-Start
  3. AP -> Supplicant: EAP-Request/Identity
  4. Supplicant -> AP: EAP-Response/Identity; AP -> RADIUS Server: Radius-Access-Request
  5. RADIUS Server -> AP: Radius-Access-Challenge; AP -> Supplicant: EAP-Request
  6. Supplicant -> AP: EAP-Response (credentials); AP -> RADIUS Server: Radius-Access-Request
  7. The Supplicant generates the PMK; the RADIUS server generates the PMK.
  8. RADIUS Server -> AP: Radius-Access-Accept; access allowed.
  9. AP -> Supplicant: EAP-Success, then Broadcast Key and Broadcast Key Length.

4 Way Handshake

[Figure: 4-way handshake between Supplicant and Authenticator: both sides start from the PMK, both derive the PTK, and the GTK is delivered to the Supplicant]
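The key management process and 4-way handshake slides above describe the derivation without showing it. The following is an added example, not code from the course: it implements the 802.11i PRF used to expand the PMK into the PTK (KCK, KEK, TK), builds minimal EAPOL-Key frames for messages 1 and 2, and shows how the authenticator proves key ownership by checking the MIC (HMAC-SHA1 under the KCK, as used with CCMP) and the replay counter before accepting message 2. MAC addresses, nonces and the PMK are constructed or random values; the Key Information values 0x008A/0x010A are typical for messages 1 and 2 and are an assumption here.

```python
import hashlib
import hmac
import os
import struct

# Offset of the 16-byte MIC inside an EAPOL-Key frame (RSN key descriptor):
# EAPOL header(4) + Descriptor Type(1) + Key Info(2) + Key Length(2) + Replay Counter(8)
# + Key Nonce(32) + Key IV(16) + Key RSC(8) + Key ID(8) = 81
MIC_OFFSET = 81


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, tkip=False):
    """PTK = PRF-X(PMK, "Pairwise key expansion",
                   min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Sorting the inputs lets both sides derive the same PTK regardless of role.
    CCMP needs 384 bits (KCK, KEK, TK); TKIP needs 512 (two extra 64-bit Michael keys)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if tkip:
        keys["MIC_TX"], keys["MIC_RX"] = ptk[48:56], ptk[56:64]
    return keys


def build_eapol_key(key_info, replay_counter, nonce, key_data=b""):
    """Minimal EAPOL-Key frame (EAPOL v2, type 3, RSN descriptor 2) with a zeroed MIC field."""
    body = (bytes([2]) + struct.pack("!HHQ", key_info, 16, replay_counter) + nonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16)
            + struct.pack("!H", len(key_data)) + key_data)
    return struct.pack("!BBH", 2, 3, len(body)) + body


def eapol_key_mic(kck, frame):
    """Key Descriptor Version 2 (CCMP): HMAC-SHA1 over the whole EAPOL frame with the
    MIC field zeroed, truncated to 128 bits. (Version 1, TKIP, uses HMAC-MD5 instead.)"""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_eapol_key(kck, frame):
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_eapol_key(kck, frame):
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], eapol_key_mic(kck, frame))


def four_way_handshake(pmk, aa, spa):
    """Simulate messages 1 and 2 with a shared PMK.
    Returns (ptk_match, mic_ok, replay_ok, tampered_rejected)."""
    anonce, snonce, replay = os.urandom(32), os.urandom(32), 1
    # Message 1 (AP -> STA): ANonce, no MIC (the STA has no PTK yet)
    msg1 = build_eapol_key(0x008A, replay, anonce)
    # STA: read ANonce from message 1, derive the PTK, answer with SNonce and a MIC
    sta = derive_ptk(pmk, aa, spa, msg1[17:49], snonce)
    msg2 = sign_eapol_key(sta["KCK"], build_eapol_key(0x010A, replay, snonce))
    # AP: derive the same PTK from the received SNonce, check replay counter and MIC
    ap = derive_ptk(pmk, aa, spa, anonce, msg2[17:49])
    replay_ok = struct.unpack("!Q", msg2[9:17])[0] == replay
    mic_ok = verify_eapol_key(ap["KCK"], msg2)
    # A modified message 2 (here: one bit of the SNonce flipped) must fail the MIC check
    tampered = bytearray(msg2)
    tampered[17] ^= 0xFF
    tampered_rejected = not verify_eapol_key(ap["KCK"], bytes(tampered))
    return sta == ap, mic_ok, replay_ok, tampered_rejected


if __name__ == "__main__":
    print(four_way_handshake(os.urandom(32), bytes.fromhex("001122334455"),
                             bytes.fromhex("66778899aabb")))
```

The MIC on message 2 is what proves the supplicant holds the PMK, and the replay counter is what stops a recorded message 2 from being replayed later; an authenticator that installs the PTK before both checks pass undermines the handshake's purpose stated on the WPA slide ("proving key ownership").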

Message Integrity Check

- The MIC uses a hashing algorithm to stamp the frame.
- The MIC is still pre-standard, awaiting 802.11i ratification.

[Figure: frame format comparison, WEP versus TKIP]

WPA: TKIP

Temporal Key Integrity Protocol: the name is something of a misnomer (J. Walker, Intel).

A suite of algorithms wrapping WEP:
- Key hierarchy leveraging 802.1x/EAP
- Message Integrity Code (MIC)
- Per-packet key hashing

TKIP + MIC

[Figure: TKIP encapsulation, steps 1 to 9. The 64-bit MIC is computed over Destination Address, Source Address and Data and appended to the Data. The 802.1x key feeds a Phase 1 key (A), which with the 48-bit IV (32 bits + 16 bits) yields a per-packet key (B); the 24-bit IV and the 104-bit per-packet key seed RC4, whose keystream is XORed with Data | MIC | ICV to give the Cipher Text, transmitted together with the IV.]

AES-CCMP

- Mandatory to implement in 802.11i and WPA2.
- Other protocols in 802.11i include TKIP and WRAP: 3 protocols instead of 1 because of IEEE politics.
- Based on AES in CCM mode:
  - CCM = Counter Mode Encryption with CBC-MAC
  - Data origin authenticity
- AES overhead generally requires new AP hardware.
- AES overhead may require new STA hardware for hand-held devices, but not for mobile PCs.
- An all-new protocol with few concessions to WEP.

Message Integrity Check

[Figure: frame format comparison, WEP versus TKIP versus CCMP]

AES-CCMP Block Diagram


The End User's Experience is the Same: Single Sign-On

802.11 security overview

                   WEP             WPA                                          WPA2
Cipher             RC4             RC4                                          AES
Key size           40 / 104 bits   128 bits encryption, 64 bits authentication  128 bit / 256 bit
Key life           24-bit IV       48-bit IV                                    48-bit IV
Packet key         Concatenated    Mixing function                              Not needed
Data integrity     CRC-32          Michael                                      CCM
Header integrity   None            Michael                                      CCM
Replay attack      None            IV sequence                                  IV sequence
Key management     None            EAP-based                                    EAP-based

Designing, Optimizing and Securing Wireless Networks


Additional information


Magic Quadrant for Wireless LAN Infrastructure (2007)
http://mediaproducts.gartner.com/reprints/merunetworks/153883.html

Magic Quadrant for Wireless LAN Infrastructure (2008)

Magic Quadrant for Wireless LAN Infrastructure (2011)

Existing 802.11 WLAN Standards

                                  802.11b      802.11a      802.11g            802.11n
Standard approved                 Sept. 1999   Sept. 1999   June 2003          2009
Available bandwidth               83.5 MHz     580 MHz      83.5 MHz           83.5/580 MHz
Frequency band of operation       2.4 GHz      5 GHz        2.4 GHz            2.4/5 GHz
# Non-overlapping channels (US)   3            24           3                  3/24
Data rate per channel             1-11 Mbps    6-54 Mbps    1-54 Mbps          1-600 Mbps
Modulation type                   DSSS, CCK    OFDM         DSSS, CCK, OFDM    DSSS, CCK, OFDM, MIMO

Best practice: 5GHz vs 2.4GHz Spectrum

Bandwidth: 5GHz 54/300Mbps | 2.4GHz 54/300Mbps
  Both choices support up to 54Mbps of bandwidth today and up to 300Mbps when the new 802.11n standard is deployed.

Channels: 5GHz 24 | 2.4GHz 3
  Restrictions in the 2.4GHz band limit the number of simultaneous channels to 3, while the 5GHz band offers up to 23. The 23 channels available with 5GHz far exceed the capacity of 2.4GHz.

Capacity: 5GHz 3.45Gbps | 2.4GHz 450Mbps
  802.11a = 1.24Gbps / 802.11n = 3.45Gbps (5GHz); 802.11g = 162Mbps / 802.11n = 450Mbps (2.4GHz).

Interference: 5GHz Low | 2.4GHz High
  Wi-Fi in 2.4GHz competes with microwaves, Bluetooth, wireless phones, etc., resulting in a very noisy environment. The 5GHz band is considerably cleaner.

Channel planning: 5GHz Flexible | 2.4GHz Restricted
  With 8 times the number of channels to choose from in the 5GHz band, planning is far simpler than in the 2.4GHz band.

Triple play support: 5GHz Optimal | 2.4GHz Limited
  Only 5GHz supports the bandwidth, capacity, and throughput required for enterprise-quality voice, video, and data applications.

802.11n: 5GHz Optimal | 2.4GHz Limited
  Although 802.11n supports both bands, the available channels, bandwidth, and client capacity make the 5GHz band the obvious choice.

Range: 5GHz Good | 2.4GHz Better
  Even though the 2.4GHz band has greater range than 5GHz, proper deployment using directional antennas can eliminate any issue.

Best Practices: Distributed vs. Centralized Architecture

Packet flow: Distributed Efficient | Centralized Inefficient
  Centralized architectures force traffic to transit the controller in the core, increasing core network congestion. Distributed architectures forward traffic directly to its final destination.

Latency/Jitter: Distributed Low | Centralized High
  Centralized traffic must traverse the controller for processing (QoS, tagging, encryption, etc.). This additional routing results in increased congestion, latency, and jitter.

Capacity: Distributed 2Gbps | Centralized 300Mbps
  Centralized architectures typically offer 1 or 2 radios per access device, limiting the Wi-Fi capacity in a given area. Distributed architectures integrate up to 16 radios and offer up to 2Gbps of capacity.

Deployment: Distributed Simple | Centralized Complex
  Centralized architectures require significant controller, AP, antenna, and cable deployments that increase complexity and install time. Distributed architectures with integrated elements require far fewer components, which simplifies installs and reduces costs.

Intelligence: Distributed Efficient | Centralized Inefficient
  Centralized architectures place intelligence (QoS, security, tagging, etc.) at the controller, where all traffic must be processed. Distributed architectures place intelligence at the edge, like wired networks, to improve traffic handling and increase performance.

Reliability: Distributed Great | Centralized Good
  In a centralized architecture, loss of a single AP has little impact; however, loss of a controller can mean loss of the entire Wi-Fi network. Distributed architectures place the intelligence throughout the network, eliminating single points of failure.

Scalability: Distributed Great | Centralized Good
  Centralized architectures allow for simple additions of APs; however, each new AP taxes the capabilities of the existing controller. Distributed architectures easily scale as the network grows by adding the required amount of controller processing.

Directional vs Omni-Directional Antennas

Coverage: High-Gain Directional Focused | Omni-Directional General
  Omni-directional antennas offer a standard 360 degree coverage pattern. Directional antennas focus the energy in a specific direction, like a flashlight.

Range (Gain): Directional Great | Omni-Directional Limited
  Omni-directional antennas offer a 360 degree coverage pattern, but at far less distance. Directional antennas focus the energy, resulting in greater antenna gain and greater distance.

Coverage shaping: Directional Great | Omni-Directional Limited
  Omni-directional antennas are limited to a circular pattern. The use of multiple directional antennas allows each antenna to be independently adjusted to define a specific pattern.

Capacity: Directional 864Mbps | Omni-Directional 108Mbps
  Omni systems with 1 or 2 antennas limit total capacity to only 2 radios. Using multiple directional antennas, each forming a separate cell, offers up to a 7x capacity increase per device and cable drop.

Client density: Directional Great | Omni-Directional Limited
  Omni-directional systems offer 360 degree coverage and all clients within range may connect; however, this may allow more associations than can be effectively handled by 1 radio. A directional antenna covers a larger area, yet is able to segment and balance users across the radios, delivering higher effective bandwidth to each user.

Security: Directional Great | Omni-Directional Limited
  Granular control of radiation patterns allows administrators to radiate strong signals where desired and restrict signals where not desired.

802.11 ABCs: Continued

  Layer   Description
a PHY     54 Mb/s in 5 GHz bands
b PHY     11 Mb/s direct sequence in 2.4 GHz band
c MAC     Bridging operation
d PHY     International domains
e MAC     Quality of service (QoS) (late 04)
f both    Access point interoperability
g PHY     54 Mb/s at 2.4 GHz (802.11b compatible)
h both    Coordination with European HiperLAN2 standards
i MAC     Security (mid 04)

802.11 ABCs

  Layer   Description
j both    Additional Japanese bands at 4.9 and 5 GHz
k both    Radio resource measurement enhancements
m both    Maintenance of earlier standards
n both    High throughput (>100 Mb/s)
p MAC     Vehicular hand-off
r MAC     Fast roaming
s both    Mesh networking

Wireless Security Summary

                       WEP       WPA         802.11i (WPA2)
Encryption algorithm   RC4       RC4         AES
Key management         None      EAP-based   EAP-based
Key length             40 bits   128 bits    128 bits
Data integrity         CRC-32    Michael     CCM
Header integrity       None      Michael     CCM
