Lesson #9: Exploring Wireless LANs
|
Key Terms
| Standard | Maximum Throughput (Mbps) |
Frequency (GHz) |
Compatibility | Ratified |
|---|---|---|---|---|
| 802.11b | 11 | 2.4 | -- | 1999 |
| 802.11a | 54 | 5 | -- | 1999; available 2001 |
| 802.11g | 54 | 2.4 | Backward-compatible with 802.11b | 2003 |
The 802.11a standard operates in the unlicensed 5 GHz band, which makes the transmission vulnerable to interference from microwave ovens and cordless phones. The strength of 802.11b and 802.11g signals, which operate in the 2.4 GHz band, is affected negatively by water, metal, and thick walls.
The 802.11b and 802.11g standards divide the 2.4 GHz band into 14 overlapping individual channels. The overlap spans a width of 5 adjacent channels, therefore channels 1, 6, and 11 do not overlap and therefore can be used to set up multiple networks. The 802.11a standard is an amendment to the original standard. The advantage of using 802.11a is that it suffers less from interference, but its use is restricted to almost line of sight, thus requiring the installation of more access points than 802.11b to cover the same area.
The medium access method of the IEEE 802.11 standards, called the Distribution Coordination Function (DCF), is similar to the Carrier Sense Multiple Access with Collision Detect (CSMA/CD) access method used by Ethernet.
The following types of frames are transferred over the airwaves:
- Data frame— Network traffic.
- Control frame— Frame controlling access to the medium,
similar to a modem’s analog connection control mechanism, with its
Request To Send (RTS), Clear To Send (CTS), and acknowledgment (ACK)
signals.
- Manager frame— Frames similar to data frames, pertaining
to the control of the current wireless transmission.
Other Wireless Standards
Other wireless standards include the following:
- Bluetooth— This is a specification for short-range radio
links between mobile computers, mobile phones, digital cameras, and
other portable devices, such as headsets. Bluetooth could be considered
a standard for a personal area network
(PAN).
- HomeRF— In 1998, a consortium was formed to promote the idea of HomeRF to be used with products in the home market. The participants were, among others, Siemens, Motorola, and Compaq.
Wireless Components
The main components of wireless networks are as follows:
Wireless Access Points
WAPs provide connectivity between wireless client devices and the wired
network, as shown in the image above.
Integrated Access Point
The WAP does not need to be a stand-alone device. Many vendors offer
integrated access point functionality for some small—
to medium— business (SMB) and small office— home
office (SOHO) routers, as shown below.
By installing a wireless interface card
(WIC) in Cisco, Linksys, Netgear, and other routers.
You can run concurrent routing, switching, and security services and
include IEEE 802.11 wireless LAN functionality in
a single device.
Integrating Routing and Wireless Functionality
Wireless Client Devices
A wireless client device is equipped with a wireless interface card (WIC), which the device uses to communicate over RF with WAPs. Wireless clients can be the following items, among other things:
- User workstations and laptops
- Wireless print servers
- Wireless web cams & secirity cameras
- Smart Phones & PDAs
- Wireless IP phones
User Workstations and Laptops: Ad-Hoc
Network
In addition to connecting to a WLAN access point,
two wireless clients can form an exclusive, point-to-point, wireless
network directly without the need for an access point (e.g. a wireless version
of an Ethernet cross-over cable). This type of point-to-point
network is known as an ad-hoc network, whereas a traditional
one-to-many (access point -to- wireless clients) WLAN is called an
Infrastructure Network.
Smart Phone & PDA Wi-Fi
access
Wireless Smart Phones and PDAs—
devices that connect directly to the wireless network— play a significant
role in an organization where time is extremely sensitive. An example of
where 802.11g-compatible devices (wireless PDAs) are put to benefit is triage
nurses who are faster at inputting their assessment and sharing their findings
on the spot rather than walking back to the nurses’ station to do so.
Wireless IP Phones
Absolute campus mobility is probably best demonstrated by wireless IP phones.
These 802.11b/g phones have built-in security, QoS, and management features.
Wireless IP phones leverage existing IP telephony deployments, as shown below.
Deploying Wireless IP Phones
Wireless Security: 802.11i & 802.1x
Although security was originally included with 802.11 standards, it soon became obvious that it wasn’t enough. Wireless security— or the lack of it— has been a major contributor to IT managers’ reluctance to adapt wireless LANs.
Recently, wireless security has improved dramatically, providing IT managers with an acceptable level of comfort to proceed with the installation of WLANs. IEEE 802.11i, released in June 2004, addresses current security concerns.
In addition to the 802.11 suite of standards, the 802.1x standard can be used for wireless security. More precisely, 802.1x addresses port-based access control.
Wireless Security Issues
A main issue with wireless communication is unauthorized access to network traffic or, more precisely, the watching, displaying, and logging of network traffic, also known as sniffing. Contrary to a wired network, where a hacker would need to be physically located at the corporate premises to gain access through a network drop, —with a wireless network, the intruder can access the network from a location outside the corporate building. WLANs use radio frequencies, and their signals propagate through ceilings and walls. Therefore, wireless eavesdropping, also known as war driving or walk-by hacking, —and rogue Access Points, unauthorized WAPs that allow a hacker access to a network, —are two significant security issues with wireless networks.
In addition, wireless equipment tends to ship with open access. Not only is traffic propagated in clear text, but WAPs also voluntarily broadcast their identity, known as the Service Set Identifier (SSID).
Wireless Threat Mitigation
Thanks to the wireless open-access default mode, we can join a Wi-Fi network from our favorite coffee shop or hotel room; however, this unrestricted access is not advisable for corporate or SOHO networks. Wireless network security can be classified into the following three categories:
- Basic wireless security
- Enhanced wireless security
- Wireless intrusion detection
Basic Wireless Security
Basic wireless security is provided by the following built-in functions:
- SSIDs
- Wired Equivalent Privacy (WEP)
- Media Access Control (MAC) address verification
SSIDs
An SSID is a code that identifies membership with a WAP.
All wireless devices that want to communicate on a Wi-Fi network must
have their SSID set to the same value as the WAPs SSID to establish connectivity
with the WAP, —very much like a NetBIOS workgroup
membership.
By default, a WAP broadcasts its SSID every few seconds. This broadcast can be stopped so that a drive-by hacker can’t automatically discover the SSID and hence the WAP. However, because the SSID is included in the beacon of every wireless frame, it is easy for a hacker equipped with sniffing equipment to discover the SSID and fraudulently join the network.
Beacon Frame
The WAP periodically advertises SSID and other network information using a
special 802.11 management frame known as a beacon.
Being able to join a wireless network by the mere fact of knowing the SSID is referred to as open authentication.
WEP -Wired Equivalent Privacy
WEP can be used to alleviate the problem of SSID broadcasts by
encrypting the traffic between the wireless clients and WAPs.
Joining a wireless network using WEP is referred to as
shared-key authentication, where the
AP sends a challenge to the wireless client who must return it encrypted.
If the AP can decipher the client’s response, the WAP has the proof that
the client possesses valid keys and therefore has the right to
join the wireless network. WEP security comes in two encryption strengths:
64-bit and 128-bit.
Note: Even if a user manages to proceed with open authentication —for example, he guesses the SSID, if WEP is activated, he could not communicate with the AP until he obtains the authentication keys.
However, WEP is not considered secure: A hacker sniffing first the challenge and then the encrypted response could reverse-engineer the process and deduce the keys used by the client and WAP.
MAC Address Verification
To increase wireless security, a network administrator could use MAC address
filtering, in which the WAP is configured with the MAC addresses
of the wireless clients that are to be permitted access.
Unfortunately, this method is also not secure because frames could be sniffed to discover a valid MAC address, which the hacker could then spoof.
Enhanced Wireless Security
The stronger security standards, shown below, were created to replace the weaknesses in WEP.
| Security Component | 802.11 Original Standards | Security Enhancement |
|---|---|---|
| Authentication | Open authentication or shared-key |
802.1x |
| Encryption | WEP | Wi-Fi Protected Access (WPA), then 802.11i |
802.1x
IEEE 802.1x is a port-based network access control
standard. It provides per-user, per-session, mutual strong authentication,
not only for wireless networks but also for wired networks, if need be.
Depending on the authentication method used, 802.1x can also provide
encryption. Based on the IEEE Extensible Authorization Protocol
(EAP), 802.1x allows WAPs and clients to share and
exchange WEP encryption keys automatically. The access point
acts as a proxy, doing the heavier computational load
of encryption. The 802.1x standard also supports a centralized key
management for WLANs.
WPA -Wi-Fi Protected Access
WPA was introduced as an intermediate solution to
WEP encryption and data integrity insecurities while the IEEE 802.11i
standard was being ratified.
When WPA is implemented, access to the WAP is provided only to clients that have the right passphrase. Although WPA is more secure than WEP, if the preshared key is stored on the wireless client and the client is stolen, a hacker could get access to the wireless network.
WPA supports both authentication and encryption. Authentication done through preshared keys is known as WPA Personal; when done through 802.1x, it is known as WPA Enterprise.
WPA offers Temporal Key Integrity Protocol
(TKIP) as an encryption algorithm and a new
integrity algorithm known as
Michael. WPA is a subset of the
802.11i specification.
WPA2 -802.11i
In 2004, IEEE ratified the 802.11i standard,
also known as WPA2. The WPA2 /
802.11i standard formally replaces WEP and other security
features of the original IEEE 802.11 standard.
WPA2 is the product certification given to wireless equipment compatible with the 802.11i standard. WPA2 certification provides support for additional mandatory 802.11i security features that are not included in WPA. WPA2, like WPA, supports both Enterprise and Personal modes for authentication.
In addition to stricter encryption requirements, WPA2 also adds enhancements to support fast roaming of wireless clients by allowing a client to preauthenticate with the access point toward which it is moving, while maintaining a connection to the access point that it is moving away from.
Wireless Intrusion Detection
Many products provide rogue access point detection.
However, some third-party products integrate better with specific
WAPs. One such third-party product is from AirDefense. This
product provides wireless intrusion detection that uses the
access points to scan the airwaves and report wireless activity.
WLAN Roaming
WLANs are relatively inexpensive to deploy compared to wired networks, and because, as shown above, throughput is directly related to the proximity of WAPs. Network managers often install WAPs to provide overlapping signals, as shown below. Using this overlapping design, coverage (radius) area is traded for improved throughput.
Overlapping Signals Eliminate Dead Spots
Note: these overlapping signals must be in nonoverlapping channels. This scenario, however, requires WLAN roaming. WLAN roaming plans consider that as a user moves away from a WAP and is therefore losing signal strength, his connection should seamlessly jump to a WAP that provides a stronger signal.
Point-to-Point Bridging
It is not always feasible to run a network cable between two buildings to join
their respective LANs into a single broadcast domain. If
the two buildings are a reasonable distance apart and preferably in direct
line of sight with each other, wireless bridges
can be configured, as shown below. It takes two WAPs to create one
logical two-port bridge. In this mode, WAPs are
operating in a dedicated point-to-point bridge mode and therefore
are no longer operating as wireless access points for clients.
![[Internetworking]](./images/20-grLt.gif){kind=small}
Lesson #8 - Hub/Switch/... ![[Parallel/Serial Ports]](./images/20-grRt.gif){kind=small}
Lesson #10 - Par/Ser Ports
This page is maintained by:
Prof.
Michael P. Harris, CCNA, CCAI
 |
academy.delmar.edu/Courses Last modified: 24-Jul-2013 |
 |
mpharris@delmar.edu Copyright © 1984-2013 |
|---|