www.networkbulls.com
This section reviews the Institute of Electrical and Electronics Engineers (IEEE) 802.11 wireless LAN standards, wireless LAN frequencies, access methods, security, and authentication.
Wireless LAN Standards
Wireless LAN (WLAN) applications include inside-building access, LAN extension, outside building-to-building communications, public access, and small office/home office (SOHO) communications. The first standard for wireless LANs is IEEE 802.11, approved by the IEEE in 1997. The current specification is IEEE 802.11-1999, with many amendments thereafter.
IEEE 802.11 implemented wireless LANs at speeds of 1 Mbps and 2 Mbps using Direct Sequence Spread Spectrum (DSSS) and Frequency Hopping Spread Spectrum (FHSS) at the physical layer of the Open System Interconnection (OSI) model. DSSS divides data into separate sections; each section travels over different frequencies at the same time. FHSS uses a frequency-hopping sequence to send data in bursts. With FHSS, some data transmits at Frequency 1, and then the system hops to Frequency 2 to send more data, and so on, returning to transmit more data at Frequency 1.
In 1999, the 802.11b amendment was introduced, providing an 11-Mbps data rate. It provides speeds of 11, 5.5, 2, and 1 Mbps and uses 11 channels of the Industrial, Scientific, and Medical (ISM) frequencies. The interoperability certification for IEEE 802.11b WLANs is wireless fidelity (Wi-Fi). The Wireless Ethernet Compatibility Alliance (WECA) governs the Wi-Fi certification. IEEE 802.11b uses DSSS and is backward-compatible with 802.11 systems that use DSSS.
The IEEE approved a second standard in 1999. IEEE 802.11a provides a maximum 54-Mbps data rate, with speeds of 54, 48, 36, 24, 18, 12, 9, and 6 Mbps. It uses 13 channels of the Unlicensed National Information Infrastructure (UNII) frequencies and is incompatible with 802.11b and 802.11g. IEEE 802.11a is also known as Wi-Fi5.
In 2003, the IEEE 802.11g standard was approved, providing a 54-Mbps data rate using the ISM frequencies. The advantage of 802.11g over 802.11a is that it is backward-compatible with 802.11b.
The IEEE 802.11n standard is expected to be ratified in 2007; this will provide a maximum data rate of 540 Mbps.
ISM and UNII Frequencies
ISM frequencies are set aside by ITU-R radio regulations 5.138 and 5.150. In the U.S., the Federal Communications Commission (15.247) specifies the ISM bands for unlicensed use. Several bands are specified in the following ranges:
- 900 to 928 MHz
- 2.4 to 2.5 GHz
- 5.75 to 5.875 GHz
Of these, channels located in the 2.4-GHz range are used for 802.11b and 802.11g. As shown in Figure 4-1, 11 overlapping channels are available for use. Each channel is 22 MHz wide. It is common to use channels 1, 6, and 11 in the same areas, because these three channels do not overlap.
Figure 4-1. ISM 2.4 Channels
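The channel arithmetic behind the 1, 6, and 11 recommendation, as an added Python example that is not part of the original text. It assumes the standard 2.4-GHz channel plan (channel 1 centred on 2412 MHz, 5 MHz between channel centres), which the page does not state; the AP names are constructed.

```python
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22      # channel width given in the text
CHANNELS = range(1, 12)     # the 11 channels the text describes


def center_mhz(channel):
    # Assumption (standard plan): channel 1 = 2412 MHz, 5 MHz per channel step.
    return 2407 + 5 * channel


def overlaps(a, b):
    # Two 22-MHz-wide channels collide when their centres are under 22 MHz apart.
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_plans(size):
    """Every set of `size` channels in which no two channels overlap."""
    return [plan for plan in combinations(CHANNELS, size)
            if not any(overlaps(a, b) for a, b in combinations(plan, 2))]


def conflicts(ap_channels):
    """Pairs of APs in one coverage area whose channels overlap.

    ap_channels maps a (constructed) AP name to its configured channel.
    """
    return sorted((x, y) for x, y in combinations(sorted(ap_channels), 2)
                  if overlaps(ap_channels[x], ap_channels[y]))


if __name__ == "__main__":
    print("3-channel plans:", non_overlapping_plans(3))
    print("4-channel plans:", non_overlapping_plans(4))
    print("conflicts:", conflicts({"ap-a": 1, "ap-b": 4, "ap-c": 11}))
```

With 11 channels, 1/6/11 is the only three-channel plan without overlap, and no four-channel plan exists.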

- UNII 1: 5.15 to 5.25 GHz and 5.25 to 5.35 GHz.
Summary of Wireless LAN Standards
Table 4-2 summarizes WLAN standards, frequencies, and data rates.
| IEEE Protocol | Standard Release Date | Frequency | Typical Data Rate | Maximum Data Rate |
|---|---|---|---|---|
| Legacy | 1997 | ISM | 1 Mbps | 2 Mbps |
| 802.11a | 1999 | UNII | 25 Mbps | 54 Mbps |
| 802.11b | 1999 | ISM | 6.5 Mbps | 11 Mbps |
| 802.11g | 2003 | ISM | 25 Mbps | 54 Mbps |
| 802.11n | 2007 (draft) | ISM or UNII | 200 Mbps | 540 Mbps |
Service Set Identifier (SSID)
WLANs use an SSID to identify the WLAN's "network name." The SSID can be 2 to 32 characters long. All devices in the WLAN must have the same configured SSID to communicate. It is similar to a VLAN identifier in a wired network. The difficulty in large networks is configuring the SSID, frequency, and power settings for hundreds of remotely located access points. Cisco addresses this problem with the Cisco Wireless Control System (WCS). WCS is covered in more detail in the "Cisco UWN Architecture" section.
WLAN Layer 2 Access Method
The IEEE 802.11 Media Access Control (MAC) layer implements carrier sense multiple access collision avoidance (CSMA/CA) as an access method. With CSMA/CA, each WLAN station listens to see whether a station is transmitting. If no activity is occurring, the station transmits. If activity is occurring, the station uses a random countdown timer. When the timer expires, the station transmits.
WLAN Security
WLANs provide an effective solution for hard-to-reach locations and enable mobility to a level that was previously unattainable, and the productivity improvements with WLANs are just beginning. However, WLANs without any encryption present a security risk, because publicly available software can obtain the SSIDs. The Wired Equivalent Privacy (WEP) security protocol, used in the IEEE 802.11b standard, is considered faulty and vulnerable to numerous attacks. The 802.11b protocol is the most commonly deployed wireless protocol, and although it has the ability to use 64-bit or 128-bit encryption, readily available software can crack the encryption scheme.
In June 2004, the IEEE 802.11i standard was ratified to provide additional security in WLAN networks. IEEE 802.11i is also known as Wi-Fi Protected Access 2 (WPA2). The 802.11i architecture contains the following components:
- Robust Security Network (RSN) for keeping track of associations
- Advanced Encryption Standard (AES) for confidentiality, integrity, and origin authentication
Unauthorized Access
A problem that confronts WLANs comes from the fact that wireless signals are not easily controlled or contained. WEP works at the data link layer, sharing the same key for all nodes that communicate. The 802.11 standard was deployed because it allowed bandwidth speed up to 11 Mbps and it is based on DSSS technology. DSSS also enables APs to identify WLAN cards via their MAC addresses. Because traditional physical boundaries do not apply to wireless networks, attackers can gain access using wireless from outside the physical security perimeter. Attackers achieve unauthorized access if the wireless network does not have a mechanism to compare a MAC address on a wireless card to a database that contains a directory with access rights. An individual can roam within an area, and each AP that comes into contact with that card must also rely on a directory. Statically allowing access via a MAC address is also insecure, because MAC addresses can be spoofed.
Some APs can implement MAC address and protocol filtering to enhance security or limit the protocols used over the WLAN. With hundreds of WLAN clients, MAC address filtering is not a scalable solution. Attackers can also defeat MAC address filtering: a user can listen for transmissions, gather a list of MAC addresses, and then use one of those MAC addresses to connect to the AP.
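MAC filtering cannot tell two transmitters apart, but a monitoring sensor often can: each 802.11 station numbers its frames with a 12-bit sequence counter, so two radios sharing one MAC address produce interleaved, jumping sequence numbers. The following added Python example (not from the original text) applies that check to constructed frame observations; the MAC addresses, gap tolerance, alert threshold, and the single-counter-per-station model are assumptions.

```python
from collections import Counter

SEQ_MODULO = 4096      # 802.11 sequence numbers are 12 bits wide
MAX_FORWARD_GAP = 64   # assumption: frames the sensor may miss between sightings
MIN_ANOMALIES = 3      # assumption: jumps required before a MAC is reported

# Constructed observations in capture order: (source MAC, sequence number).
CLIENT_A = "00:11:22:33:44:55"   # one radio; its counter wraps from 4095 to 0
CLIENT_B = "00:11:22:33:44:66"   # two radios interleaved under one MAC
FRAMES = [
    (CLIENT_A, 4093), (CLIENT_B, 100), (CLIENT_A, 4094), (CLIENT_B, 2500),
    (CLIENT_A, 4095), (CLIENT_B, 101), (CLIENT_A, 0), (CLIENT_B, 2501),
    (CLIENT_A, 0), (CLIENT_B, 102), (CLIENT_A, 2), (CLIENT_B, 2502),
]


def forward_gap(previous, current):
    """Distance from previous to current counting forward, with wraparound."""
    return (current - previous) % SEQ_MODULO


def sequence_anomalies(frames):
    """Count, per MAC, the jumps that one incrementing counter cannot produce."""
    last_seen, anomalies = {}, Counter()
    for mac, seq in frames:
        mac = mac.lower()
        # A gap of 0 is a retransmission; small gaps are frames the sensor missed.
        if mac in last_seen and forward_gap(last_seen[mac], seq) > MAX_FORWARD_GAP:
            anomalies[mac] += 1
        last_seen[mac] = seq
    return anomalies


def suspected_shared_macs(frames):
    """MAC addresses that appear to be in use by more than one transmitter."""
    counts = sequence_anomalies(frames)
    return sorted(mac for mac, n in counts.items() if n >= MIN_ANOMALIES)


if __name__ == "__main__":
    print(suspected_shared_macs(FRAMES))
```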
WLAN Security Design Approach
The WLAN security design approach makes two assumptions, which this chapter describes. The assumptions are that all WLAN devices are connected to a unique IP subnet and that most services available to the wired network are also available to the wireless nodes. Using these two assumptions, the WLAN security designs offer two basic security approaches:
Considering WLAN as an alternative access methodology, remember that the services these WLAN users access are often the same as those accessed by the wired users. WLAN opens a new world of access for the hacker, and you should consider the risks before deployment.
To enhance security, you can implement WLANs with IPsec VPN software, use the IEEE 802.1X-2001 port-based access control protocol, and use dynamic WEP keys.
IEEE 802.1X-2001 Port-Based Authentication
IEEE 802.1X-2001 is a port-based authentication standard for LANs. It authenticates a user before allowing access to the network. You can use it on Ethernet, Fast Ethernet, and WLAN networks.
With IEEE 802.1X-2001, client workstations run client software to request access to services. Clients use EAP to communicate with the LAN switch. The LAN switch verifies client information with the authentication server and relays the response to the client. LAN switches use a Remote Authentication Dial-In User Service (RADIUS) client to communicate with the server. The RADIUS authentication server validates the client's identity and authorizes the client. The server uses RADIUS with EAP extensions to make the authorization.
Dynamic WEP Keys and LEAP
Cisco also offers dynamic per-user, per-session WEP keys to provide additional security over statically configured WEP keys, which are not unique per user. For centralized user-based authentication, Cisco developed LEAP. LEAP uses mutual authentication between the client and the network server and uses IEEE 802.1X for 802.11 authentication messaging. LEAP uses a RADIUS server to manage user information.
LEAP is a combination of 802.1X and EAP. It combines the capability to authenticate to various servers such as RADIUS with forcing the WLAN user to log in to an access point that compares the login information to RADIUS. This solution is more scalable than MAC address filtering.
Because WLAN access depends on receiving an address through Dynamic Host Configuration Protocol (DHCP) and on authenticating the user through RADIUS, the WLAN needs constant access to these back-end servers. In addition, LEAP does not support one-time passwords (OTP), so you must use good password-security practices. Password issuance and maintenance practices are a basic component of corporate security policy.
Controlling WLAN Access to Servers
In the same way you place Domain Name System (DNS) servers accessible via the Internet on a demilitarized zone (DMZ) segment, you should apply a similar strategy to the RADIUS and DHCP servers accessible to the WLAN. These servers should be secondary servers that are on a different segment (separate VLAN) from their primary counterparts. Access to this VLAN is filtered. Such placement ensures that any attacks launched on these servers are contained within that segment.
You should control network access to the servers. Consider the WLAN an unsecured segment and apply appropriate segmentation and access lists. Such a step ensures that WLAN access is controlled and directed to only those areas that need it. For example, you might not want to permit WLAN access to management servers and HR servers.
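A way to check such a filter before deploying it, as an added Python example that is not from the original text: a first-match rule evaluator with an implicit deny, run against a rule set where a broad permit shadows the denies and against a corrected one. The addressing plan, port numbers, and rule format are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan; every address here is an assumption.
WLAN = "10.20.0.0/24"
INTERNAL = "10.0.0.0/8"
SECONDARY_RADIUS, SECONDARY_DHCP = "10.30.0.10", "10.30.0.11"
PRIMARY_RADIUS = "10.10.0.10"
MGMT_NET, HR_NET = "10.40.0.0/24", "10.50.0.0/24"

# Rule format: (action, source, destination, protocol, port); None matches any.
WEAK_ACL = [
    ("permit", WLAN, INTERNAL, None, None),   # broad permit placed first
    ("deny", WLAN, MGMT_NET, None, None),     # shadowed, never reached
    ("deny", WLAN, HR_NET, None, None),       # shadowed, never reached
]
HARDENED_ACL = [
    ("permit", WLAN, SECONDARY_RADIUS, "udp", 1812),
    ("permit", WLAN, SECONDARY_DHCP, "udp", 67),
    ("deny", WLAN, INTERNAL, None, None),     # everything else internal
]

# The policy from the text, expressed as flows and their required outcome.
WLAN_HOST = "10.20.0.57"
EXPECTED = [
    ((WLAN_HOST, SECONDARY_RADIUS, "udp", 1812), "permit"),
    ((WLAN_HOST, SECONDARY_DHCP, "udp", 67), "permit"),
    ((WLAN_HOST, PRIMARY_RADIUS, "udp", 1812), "deny"),
    ((WLAN_HOST, "10.40.0.8", "tcp", 22), "deny"),    # management server
    ((WLAN_HOST, "10.50.0.8", "tcp", 443), "deny"),   # HR server
]


def evaluate(acl, src, dst, proto, port):
    """First matching rule wins; traffic that matches no rule is denied."""
    for action, r_src, r_dst, r_proto, r_port in acl:
        if (ip_address(src) in ip_network(r_src)
                and ip_address(dst) in ip_network(r_dst)
                and r_proto in (None, proto)
                and r_port in (None, port)):
            return action
    return "deny"


def audit(acl):
    """Return the flows whose outcome differs from what the policy requires."""
    return [flow for flow, wanted in EXPECTED if evaluate(acl, *flow) != wanted]
```

`audit(WEAK_ACL)` reports the primary RADIUS, management, and HR flows as reachable from the WLAN, while `audit(HARDENED_ACL)` returns an empty list.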