August 24, 2011

AGENDA

>Module 1: WLAN Technology Overview >Module 2: WLAN Architecture >Module 3: RF Fundamentals >Module 4: WLAN Security >Module 5: Site Survey & WLAN Design

3Com Confidential

WIRELESS NETWORKS

802.11a/b/g/n

UMTS Wireless Wide GSM Area Network IEEE 802.16 MAN & 802.20 WAN

GPRS

Wireless Personal Area Network Wireless Local Area Network IEEE 802.15.1
1

3Com Confidential

3Com Confidential

August 24, 2011

OBJECTIVES

>By the end of this course, you will be able to:

Describe IEEE 802.11 wireless LAN (WLAN) and related network standards and specifications Describe the components and network architectures used in WLANs Identify the characteristics of RF technology Describe radio signaling and the operation of equipment used in a WLAN Identify common security threats and countermeasures for WLANs including authentication and encryption methods and protocols Explain the use of Virtual Local Area Networks (VLANs) to enhance security within an enterprise WLAN implementation Design a basic WLAN Identify the key steps of a site survey to prove the viability of a WLAN design
3Com Confidential 2

WIRELESS LAN TECHNOLOGY OVERVIEW

Module 1

3Com Confidential3 Confidential Com

3Com Confidential

August 24, 2011

WLAN INTRODUCTION

Wired Email Wireless Web Database

>Network access without wires >Move around freely within wireless coverage areas

3Com Confidential

WLAN BENEFITS

>Increased user mobility >Increased user productivity >Network flexibility and portability >Ease and speed of deployment >Cost and/or time savings >Improved aesthetics >Shared resources >Increased connectivity options >Improved efficiency and reduced costs

3Com Confidential

3Com Confidential

August 24, 2011

WLAN OVERVIEW

Wi-Fi Hot Spot

>Defined by the IEEE 802.11 specifications >Also known as Wi-Fi and/or Hot Spots

3Com Confidential

WLAN CONCEPTS

Radio Antenna

>Uses RF technology to transmit and receive data >RF signals pass through most objects >Not immune to signaling issues: Absorption, Reflection, Refraction, Diffraction, and Scattering

3Com Confidential

3Com Confidential

August 24, 2011

OVERALL SPECTRUM

> Regulated by individual countries > WLANs operates within the unlicensed 2.4 GHz ISM and 5 GHz U-NII bands Hz AM Radio 550 - 1700kHz
VLF LF MF HF

UHF TV 460-600MHz
VHF UHF SHF

Remote Controls 100GHz-500THz

EHF Infrared Visible

Medical X-ray
UV X Gamma Cosmic

VHF TV 54-220 MHz FM Radio 88-108 MHz

Light 700THz - 1000THz

Super High Frequency:

800-900 MHz Cellular 900 MHz Indoor Wireless 1.8-2 GHz PCS 2.4 GHz ISM 5 GHz U-NII 118 GHz Terrestrial Microwave

Unlicensed Bands
3Com Confidential

CHANNELS IN THE 2.4 GHz BAND

Channel ID 1 2 3 4 5 6 7 8 9 10 11 12 13 14
3Com Confidential

Frequency (GHz) 2.412 2.417 2.422 2.427 2.432 2.437 2.442 2.447 2.452 2.457 2.462 2.467 2.472 2.484

US / Canada X10 / X20 (FCC / IC) X X X X X X X X X X X

Europe X30 (ETSI) X X X X X X X X X X X X X

Spain X31

France X32

Japan X40

Japan X41 X X X X X X X X X

X X

X X X X X

X X X X

3Com Confidential

August 24, 2011

2.4 GHz CHANNEL RANGES

2.417

2.427

2.437

2.447

2.457

2.467

5 4 3 2 1
2.412 2.422 2.432

10 9 8 7 6
2.442 2.452

14 13 12 11
2.462 2.472 2.484

3Com Confidential

10

IEEE 802.11b Standard Specification

2.4 GHz frequency range Un-Licensed band 3 non-overlapping channels

11Mbps 5.5Mbp s 2Mbps

Uses Complimentary Code Keying 1Mbps (CCK) modulation Transmission rates: 11 Mbps, 5.5 Mbps, 2 Mbps, 1 Mbps 2.417 2.427 2.437 2.447 2.457 2.467 Range: 100 m 5 10 4 9 Availability: H1CY00 3 8 13 2 7 12 1 6 11
2.412 2.422 2.432 2.442 2.452 2.462 2.472 2.484
11

3Com Confidential

3Com Confidential

August 24, 2011

Complimentary Code Keying (CCK)

Complimentary Code Keying (CCK) is the basic modulation format for current Wi-Fi (IEEE 802.11b) systems CCK is a single carrier system. In other words, all of the data is transmitted by modulating a single radio frequency, or carrier

CCK is a Single -Carrier Modulation Format

3Com Confidential 12

SPREAD SPECTRUM

>FHSS systems use a radio carrier that hops from frequency to frequency in a pattern known to both transmitter and receiver
Easy to implement Resistant to noise Limited throughput (1-3 Mbps @ 2.4 GHz)

>DSSS & HR/DSSS systems convert data bits to a wide bit pattern called a chip
Updated definition, HR/DSSS provides higher throughput than FH (up to 11 Mbps @ 2.4 GHz) Better range or coverage Less resistant to noise (made up for by redundancy)

3Com Confidential

13

3Com Confidential

August 24, 2011

5 GHz BAND

>Regulatory classes for 5 GHz bands in the USA

Channel Starting Frequency (GHz) 5 5 5 Reserved Channel Spacing (MHz) 20 20 20 Reserved Transmit Power Limit (mW) 40 200 800 Reserved

Regulatory Class 1 2 3 4-255

Channel Set 36,40,44,48 52,56,60,64 149,153,157,161 Reserved

Emission Limits Set 1 1 1 Reserved

Behavior Limits Set 1, 2 1 1 Reserved

3Com Confidential

14

5 GHz BAND (continued)

>Regulatory classes for 5 GHz bands in Europe

Regulatory Class 1 2 Channel Starting Frequency (GHz) 5 5 Channel Spacing (MHz) 20 20 Transmit Power Limit (EIRP) 200 200 Emission Limits Set 1 1 Behavior Limits Set 2,3 1,3,4

Channel Set 36,40,44,48 52,56,60,64 100,104,108, 112,116,120, 124,128,132, 136,140 Reserved

20

1W

1,3,4

4-255

Reserved

Reserved

Reserved

Reserved

Reserved

3Com Confidential

15

3Com Confidential

August 24, 2011

5 GHz BAND (continued)

>Regulatory classes for 4.9 and 5 GHz bands in Japan

Regulatory Class 1 2 3 4 5 6 7 8 9 10 11 12
3Com Confidential

Channel Starting Frequency (GHz) 5 5 5 5 5 5 4 4 4 4 5 5

Channel Spacing (MHz) 20 20 20 20 20 20 20 20 20 20 20 10

Channel Set 34,38,42,46 8,12,16 8,12,16 8,12,16 8,12,16 8,12,16 184,188,192,196 184,188,192,196 184,188,192,196 184,188,192,196 34,38,42,46 7,8,9,11

Transmit Power Limit (dBm) 22 24 24 24 24 22 24 24 24 24 22 24

Emission Limits Set 1 2 2 3 3 1 2 2 3 3 1 2

Behavior Limits Set 1,2,6 5,6,7 5,6,8 5,6,7 5,6,8 5,6,8 5,6,7 5,6,8 5,6,7 5,6,8 5,6,8 5,6,7
16

5 GHz BAND (continued)

>Regulatory classes for 4.9 and 5 GHz bands in Japan

Regulatory Class 13 14 15 16 17 18 19 20 21-255
3Com Confidential

Channel Starting Frequency (GHz) 5 5 5 5 4 4 4 4 Reserved

Channel Spacing (MHz) 10 10 10 10 10 10 10 10 Reserved

Channel Set 7,8,9,11 7,8,9,11 7,8,9,11 8,12,16 183,184,185, 187,188,189 183,184,185, 187,188,189 183,184,185, 187,188,189 183,184,185, 187,188,189 Reserved

Transmit Power Limit (dBm) 24 24 24 22 24 24 24 17 Reserved

Emission Limits Set 2 3 3 2 2 3 3 1 Reserved

Behavior Limits Set 5,6,8 5,6,7 5,6,8 5,6,7 5,6,8 5,6,7 5,6,8 5,6,8 Reserved

17

3Com Confidential

August 24, 2011

IEEE 802.11a Standard Specification

5 GHz frequency range Potentially uses licensed band 8 non-overlapping channels Uses Orthogonal Frequency Division Multiplexing OFDM modulation Transmission rate: 54 Mbps or 6, 9,12,18,24,36,48 (6,12, 24 mandatory) Range 50 m High power consumption Availability: H1CY02

3Com Confidential

18

802.11a Access Point Transmission Distances

> Distance depends on environment > Estimates:

Speed (Mbps) Distance in Meters (Indoor)

54 18m

48 25m

36 30m

24 35m

18 40m

12 45m

9 48m

6 50m

3Com Confidential

19

3Com Confidential

10

August 24, 2011

802.11a SUMMARY

>Published in 1999 >Operates in the 5 GHz U-NII bands, Wi-Fi5

8 channels total in the lower and middle bands

>Supports OFDM at data rates up to 54 Mbps including:

6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, 54 Mbps

>Coverage up to 50 meters (164 feet) >Uncrowded frequency band

8 non-overlapping channels Less populated frequency

>Will not interoperate with 802.11b/g systems >Global deployment issues may exist
3Com Confidential 20

802.11b/g SUMMARY

>Operates in the 2.4 GHz ISM band

14 total channels Only 1-3 channels usable at any time

>802.11b supports data rates up to 11 Mbps

Uses DSSS

>802.11g supports data rates up to 54 Mbps

Similar data rates as 802.11a Backward compatible with 802.11b

>Coverage up to 100 meters (328 feet) >Most commonly implemented standard, Wi-Fi >Crowded frequency band

3Com Confidential

21

3Com Confidential

11

August 24, 2011

802.11 COMPARISONS

802.11a
Up to 54 Mbps

802.11b
Up to 11 Mbps (11, 5.5, 2, & 1 Mbps) 100 Meters 2.4 GHz ISM DSSS

802.11g
Up to 54 Mbps (54, 33, 22, 11, 5.5, 2, and 1 Mbps) 100 Meters 2.4 GHz ISM DSSS, OFDM, and modified versions

Data rates

(54, 48, 36, 24, 18, 12 and 6 Mbps) 50 Meters 5 GHz U-NII

Range Bandwidth Modulatio n

OFDM

3Com Confidential

22

DATA AND THROUGHPUT RATES

>Data rates will drop as distance to AP increases as a result of reduced signal quality >Actual throughput is about onehalf of actual data or link rate >Throughput rates affected by:
Multicast rate (defaults at a rate of 1 Mbps) Framing overhead Collision avoidance mechanisms

3Com Confidential

23

3Com Confidential

12

August 24, 2011

ATHEROS HIGH SPEED TECHNOLOGIES

>Super G and Super AG

Proprietary features built into Atheros chipsets Allows 108 Mbps maximum data rate or link speed and increased throughput up to 60 Mbps Bonds two channels in the 2.4 GHz or 5 GHz spectrum Three possible modes
> Base Mode 22 Mbps throughput > Super or Static Turbo Mode 40 Mbps throughput > Dynamic Turbo Mode 60 Mbps throughput
54mb 54mb 54mb

3Com Confidential

24

802.11a Turbo Mode

> Allows 108 Mbps through-put > Bonds two channels in the 5ghz spectrum > When turning it on you no longer can select a channel to run in. It will constantly be checking open channels to be able to bond two of them together

54mb 54mb 54mb

3Com Confidential

25

3Com Confidential

13

August 24, 2011

RELATED PUBLISHED AND PROPOSED WLAN STANDARDS

>802.11c Bridge Operation Procedures >802.11d Country Compatibility (Roaming)1 >802.11e QoS Enhancements >802.11f Inter-Access Point Protocol (IAPP)2

Published Date > 1 - 2001 > 2 - 2003

3Com Confidential

26

RELATED PUBLISHED AND PROPOSED WLAN STANDARDS (continued)

>802.11h Spectrum and Power Control Management3 >802.11i Enhanced Security4 >802.11j Channel Selection for Japan5 >802.11k Radio Resource Measurement Enhancements >802.11l (letter skipped) >802.11m Maintenance of the IEEE Standard >802.11n Enhancement for Higher Throughput
Published Date > 3 - 2003 > 4 - 2004 > 5 - 2004

3Com Confidential

27

3Com Confidential

14

August 24, 2011

RELATED PUBLISHED AND PROPOSED WLAN STANDARDS (continued)

>802.11p - Wireless Access for the Vehicular Environment (WAVE) >802.11r - Fast roaming >802.11s - Wireless mesh networking >802.11T - Wireless Performance Prediction (WPP) >802.11u - Interworking with non-802 networks >802.11v - Wireless network management

3Com Confidential

28

OTHER RELATED STANDARDS

>802.3af Power Over Ethernet6 >802.1X Authentication7 >LWAPP Lightweight Access Point Protocol >CAPWAP Control and Provisioning of Wireless Access Points

Published Date > 6 - 2003 > 7 - 2004

3Com Confidential

29

3Com Confidential

15

August 24, 2011

STANDARDS & CERTIFICATIONS ORGANIZATIONS

http://www.ieee.org/

http://www.fcc.gov/

http://www.wi-fi.org/

3Com Confidential

30

WLAN ARCHITECTURE AND OPERATION

Module 2

3Com Confidential

31

3Com Confidential

16

August 24, 2011

WIRELESS COMPONENTS

>Wireless Medium >Stations and access points

Transceivers to move data Antennas used for radio signals

>Distribution system

Stations

Access Point (AP)

3Com Confidential

32

BASIC SERVICE SETS

> Infrastructure Basic Service Set (Infrastructure BSS)

Both AP and stations are used

BSS Infrastructure Mode

> Independent Service Set (IBSS)

a.k.a. Ad Hoc mode or Peer-to-Peer Mode No access point is used Access Point

> Extended Service Set (ESS)

ESS
BSS BSS BSS

Stations Only

IBSS Ad Hoc Mode

3Com Confidential

33

3Com Confidential

17

August 24, 2011

WIRELESS BRIDGE

>Connects two remote sites wirelessly >A.K.A. Wireless Distribution System (WDS) >Implemented by enabling a configuration option on an AP

Wireless Bridge Connection

3Com Confidential

34

GENERIC 802.11 MAC FRAME

> Three types of frames with several subtypes: > Management

Probe Beacon Authentication Association Reassociation Disassociation Deauthentication
2 2 6 6 6 0 - 2312 4

> Control
Request-to-Send Clear-to-Send Acknowledgement

> Data

3Com Confidential

35

3Com Confidential

18

August 24, 2011

802.2 ENCAPSULATION

3Com Confidential

36

WIRELESS MANAGEMENT PROCESSES

>Scanning >Station (user) Authentication and Association >Beacon Management >Power Management Mode >DRS and ARS

3Com Confidential

37

3Com Confidential

19

August 24, 2011

SCANNING

>Station identifies if wireless network present >Passively listens for or actively probes for beacon frames >Builds a table of APs from the beacons >Begins authentication and association process

Beacon Beacon Returned

Probe Sent

Passive Scanning
3Com Confidential

Active Scanning
38

AUTHENTICATION & ASSOCIATION

Open System Authentication

Authentication request including identity, algorithm open system, sequence number 1 Authentication response including algorithm open system, sequence number 2, status code (association Success/denied/rejected/other)

Shared Key Authentication

Authentication request Challenge Response Challenge Text Status (success, deny, reject)
3Com Confidential 39

3Com Confidential

20

August 24, 2011

ROAMING & REASSOCIATION

1. Reassociate request 2. Reassociate response

3. IAPP 4. IAPP
Original Association

5. Buffered Frames

3Com Confidential

40

DISASSOCIATION & DEAUTHENTICATION

1. Request 2. Response

>Disassociation ends the association relationship and removes the station from the WLAN >Deauthentication breaks the authentication between a station and AP >Used when the station has not properly joined a network, performed an incorrect operation, or has left the cell service area
3Com Confidential 41

3Com Confidential

21

August 24, 2011

BEACON MANAGEMENT

>Used during scanning to identify presence of a WLAN >Used in both FHSS and DSSS WLANs >Transmitted at regular intervals
About 10 times per second

>Provide network parameters for joining >Stations must be close enough to hear beacons from an AP >Provides time synchronization between station and AP >Provides channel usage information >Beacons are transmitted from the AP at the lowest supported (configured) data rate

3Com Confidential

42

POWER MANAGEMENT MODE

>Allows stations to go into sleep mode to conserve battery power >Defines how long a station will be down (in milliseconds) >Frames to be buffered at the AP until station wakes up >Relies on the time synchronization performed through beacon management >Station wakes up after predetermined interval and receives any buffered frames from the AP >Two modes:
Power Save Polling Mode (PSP) station using power saving when available Continuous Aware Mode (CAM) power saving is not in use and the station is always on and ready to transmit and receive

3Com Confidential

43

3Com Confidential

22

August 24, 2011

RF FUNDAMENTALS
Module 3

3Com Confidential3 Confidential Com

44

CELL SIGNALING CHARACTERISTICS

Radio Signal

Omnipole Antenna

3Com Confidential

45

3Com Confidential

23

August 24, 2011

SIGNAL CHARACTERISTICS

Frequency Amplitude

Cycle

3Com Confidential

46

SIGNAL PHASE

90

180 360

270

3Com Confidential

47

3Com Confidential

24

August 24, 2011

SIGNAL PROPAGATION

Signal 2

Signal 1 Signal 3

3Com Confidential

48

WATTS VERSUS DECIBELS

dBm 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
3Com Confidential

Watts 1.0 mW 1.3 mW 1.6 mW 2.0 mW 2.5 mW 3.2 mW 4 mW 5 mW 6 mW 8 mW 10 mW 13 mW 16 mW 20 mW 25 mW 32 mW

dBm 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Watts 40 mW 50 mW 63 mW 79 mW 100 mW 126 mW 158 mW 200 mW 250 mW 316 mW 398 mW 500 mW 630 mW 800 mW 1.0 W 1.3 W

dBm 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47

Watts 1.6 W 2.0 W 2.5 W 3W 4W 5W 6W 8W 10 W 13 W 16 W 20 W 25 W 32 W 40 W 50 W

49

3Com Confidential

25

August 24, 2011

SIGNAL LEVELS

Effective Radiated Power

Received Signal Level

Antenna (Gain)

Signal Path (Loss)

Antenna (Gain)

Transmission Line (Loss)

Transmission Line (Loss)

Amplifier (Gain)

Amplifier (Threshold)

Transmitter
3Com Confidential

Receiver
50

OMNIPOLE ANTENNA

> Transmits signals equally on a horizontal plane > Coverage cell is best horizontally but not vertically
Round (horizontal plane) Donut shaped (on all three dimensions)

> Typically used indoors > Low gain between 3-10 dBi of gain (low gain)

3Com Confidential

51

3Com Confidential

26

August 24, 2011

DIPOLE ANTENNA

> Figure 8 transmission pattern > Low gain though it achieves greater distance > Typically used indoors for hallways or corridors > Not as good for ceiling mounting

3Com Confidential

52

YAGI OR SEMI-DIRECTIONAL ANTENNA

> Semi-directional, more focused transmission pattern > Provides moderately high gain, 12-18 dBi > Flat in design so it can be used against a wall or in a corner > Has an extended forward reach which is good for indoor and/or outdoor use
Short to medium range bridging Along narrow hallways and corridors

3Com Confidential

53

3Com Confidential

27

August 24, 2011

PATCH PANEL OR PARABOLIC ANTENNA

> Semi- or highly-directional, more focused, narrower transmission pattern > Can provide up to 24 dBi in gain (regulatory concerns) > Good for indoor or outdoor use
Along narrow hallways and corridors Highly-directional designs cover distances of up to 20 miles

3Com Confidential

54

CHOOSING THE RIGHT ANTENNA

>When choosing the best antenna to use take in consideration:

Coverage area Number of users Installation location Obstructions

>Be aware of regulatory limits

EIRP is limited to 36 dBi

3Com Confidential

55

3Com Confidential

28

August 24, 2011

WLAN SECURITY
Module 4

3Com Confidential3 Confidential Com

56

WLAN SECURITY INTRODUCTION

>Design characteristics
Easy Accessibility for Users Optimal Coverage Data Privacy Network Security

>Are not naturally secure

Open System, simple association No encryption for transmitted data Create holes in firewalls and trusted zones

>Prone to hackers and war driving

3Com Confidential

57

3Com Confidential

29

August 24, 2011

TYPES OF WIRELESS ATTACKS

> Broadcast Monitoring (snooping) > RF Jamming > Rogue Access Point
Man-in-the-Middle Masquerading

Internet
Firewall

> CLI or Web Management interface

Trusted

BEACON DEFAULT SSID

war driving

Open System!
58

3Com Confidential

WLAN SECURITY FRAMEWORK

>WLAN security components

User authentication Key management computation and distribution Data Encryption privacy and integrity

>Implementation hierarchy
Open Access Open system authentication, no encryption Baseline security Open system authentication, WEP Enhanced security 802.1x authentication, AES or TKIP encryption

3Com Confidential

59

3Com Confidential

30

August 24, 2011

SECURITY PROTOCOLS

>Local MAC Filtering >Wired Equivalent Privacy (WEP) >Wi-Fi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP)

>WPA2 2nd generation WPA

Advanced Encryption Standard (AES)

>802.1X Authentication
Several types of EAP (Extensible Authentication Protocol) Several types of PEAP (Protected EAP) 3Com Dynamic Security Link Lightweight Extensible Authentication Protocol (LEAP)

3Com Confidential

60

LOCAL MAC AUTHENTICATION

>Allow or deny authentication to a station

MAC address-based Not user authentication

>Good for small WLAN implementations

Approximately 50 users or less

>Issues
Forged MAC address Not totally secure Administratively difficult to maintain in large networks

3Com Confidential

61

3Com Confidential

31

August 24, 2011

WIRED EQUIVALENT PRIVACY (WEP)

> A shared key encryption and authentication mechanism for 802.11 WLANs
Original 802.11 security implementation Improves privacy and integrity

> Used between the station and AP only > Only payload data, not header, is encrypted
> Management and control frames not encrypted

Uses 64 or 128 bit encryption method

> a.k.a. 40 and 104 bit RC4 encryption > Static keys

Up to four user configurable, shared keys

> a.k.a. Shared Key Authentication > Keys must be same end-to-end among all systems

Verifies transmitted data is same as received data

> Not very secure

3Com Confidential

62

WEP SHARED KEY AUTHENTICATION

Shared Key Authentication

Authentication request Response - Challenge Text Encrypted Challenge Text Status (success, deny, reject)

3Com Confidential

63

3Com Confidential

32

August 24, 2011

WI-FI PROTECTED ACCESS (WPA)

>Improves security as compared to WEP >Introduced in 2002 >Enhanced data encryption

WPA - using Temporal Key Integrity Protocol (TKIP) WPA2 - using Advanced Encryption Standard (AES)

>User authentication implemented using either:

802.1x Authentication (enterprise applications) Pre-Shared Key (SOHO applications)
> Manually-entered keys or passwords > Designed to be easy to set up for the home user.

>Forward compatible with 802.11i Enhanced Security >Susceptible to DoS attacks

3Com Confidential

64

TEMPORAL KEY INTEGRITY PROTOCOL (TKIP)

>Allows WEP security to be upgraded, adds

Message integrity check (for weak key attacks) Per-packet key mixing Key management and distribution

>Each key is used to encrypt one and only one data packet

3Com Confidential

65

3Com Confidential

33

August 24, 2011

IEEE 802.11i ENHANCED SECURITY

>Enhances the current 802.11 MAC to provide improvements in security and authentication mechanisms >Based on federal encryption standard AES (Advanced Encryption Standard)
Replaces Triple DES (Data Encryption Standard) Requires hardware acceleration Rijndael algorithm Symmetric block cipher Keys 128, 192, 256 bits

3Com Confidential

66

802.1x AUTHENTICATION

>Framework for authenticating and controlling user traffic to protect wired and wireless LANs
Centralized authentication rather than distributed at each AP
> Messages forwarded to RADIUS authentication server

Access control still maintained at the AP Must choose authentication method

>Uses dynamically varying encryption keys >Supported in Microsofts Windows XP, Funk, and Meeting House operating systems (supplicant and authenticator) >Scales well for large enterprise networks

3Com Confidential

67

3Com Confidential

34

August 24, 2011

802.1x AUTHENTICATION METHODS

>EAP-MD5 (Extensible Authentication Protocol-Message Digest 5) >EAP-TLS (EAP-Transport Layer Security) >EAP-TTLS (EAP-Tunneled TLS) / MSCHAPv2 (Microsoft Challenge Handshake Protocol) >EAP-SIM (Subscriber Identity Module) >PEAPv0 (Protected EAP) / EAP-MSCHAPv2 >PEAPv1/EAP-GTC (Generic Token Card) >3Com Dynamic Security Link >Lightweight Extensible Authentication Protocol (LEAP)

3Com Confidential

68

SECURITY CHECKLIST

1. 2. 3. 4. 5. 6. 7.

Change default settings on the access point Disable SSID broadcast Change the default radio channel Isolate APs into an untrusted zone Enable some form of encryption Limit RF coverage Restrict traffic to specific applications

3Com Confidential

69

3Com Confidential

35

August 24, 2011

SECURITY CHECKLIST (continued)

8. 9.

Local MAC access Disable DHCP if only a few, no roaming users

10. Maximize IP address assignments if using DHCP 11. Centralize authentication services 12. Perform regular scans and audits 13. Restrict use to authorize personnel 14. Integrate user policies 15. Implement VPNs to secure trusted WLANs

3Com Confidential

70

3Com Confidential

36