gary zavitz firstname.lastname@example.org wireless lan site surveys and security considerations site surveys...
out of 18
Post on 26-Dec-2015
Embed Size (px)
- Slide 1
- Gary Zavitz email@example.com Wireless LAN Site Surveys and Security Considerations Site Surveys and Security Considerations eLearningWired and Wirelessly!
- Slide 2
- Experience WBT and ILT training experience Producer, Developer of Virtual Webinars Wireless Computing Instructor Telecom Management Certification Chair of Sheridan College Telecom Alumni Association
- Slide 3
- eLearningWired and Wirelessly! A Warehouse Without Wires The client has expanded warehouse operations into a large area, that lacks existing wiring. The ceiling is very high, and the floor is thick concrete. It will be quite expensive to install traditional data wiring. They have some fork lifts whose operators use mobile terminals which need LAN connectivity. Think about what type of area this represents, and what design considerations might need to be made.
- Slide 4
- eLearningWired and Wirelessly! Why a site survey? Determine actual coverage area Determine number of wireless cells needed Determine location of access point and/or wireless servers
- Slide 5
- eLearningWired and Wirelessly! Wireless planning considerations Number of total and simultaneous users Average and maximum bandwidth needed Degree of user roaming Site survey input Location of APs to maximize connectivity and bandwidth (distance/density/overlap) Frequency/channel usage (1,6,11 non- overlapping) Redundancy
- Slide 6
- eLearningWired and Wirelessly! RF Barrier description RF Barrier severityExamples Air Minimal WoodLowpartitions PlasterLowinner walls Synthetic materialLowpartitions AsbestosLowceilings GlassLowwindows WaterMediumdamp wood, aquarium BricksMediuminner and outer walls MarbleMediuminner walls Paper rollsHighpaper on a roll ConcreteHighfloors, outer walls Bulletproof glassHighsecurity booths MetalVery highdesks, metal partitions Barriers and attenuation of signals
- Slide 7
- eLearningWired and Wirelessly! Security Concerns We are concerned and need what ever wireless solution is deployed to be secure. Wed like to have an easy to manage, centralized system for updating keys, and validating APs and clients. Using MAC based filters at each of the APs is too much of a hassle.
- Slide 8
- eLearningWired and Wirelessly! wLAN Security - Wired Equivalency Privacy WEP : symmetric encryption (shared key), defines method but not how to share and distribute/manage keys RC4 algorithm (40+24 bits keys) WIFI compliant 104 + 24 bits proprietary (non IEEE standard/non WiFi scope) but interoperable implementations (i.e. Lucent/Cisco, others) Phy- Header MAC Header and Payload Preamble PLCP Header MAC Header CRC Payload Encrypted Init Vector 24 bits ICV 32 bits Cyphertext
- Slide 9
- eLearningWired and Wirelessly! wLAN Security - WEP issue? Goal was to address equivalent physical security as with fixed network Should be used with other measures above and beyond to achieve data privacy 40 or 104 bit encryption, length of 24 bit init vector, sent as clear text, was concern of Berkeley article Single Key per Network multiple keys for Receive to allow key change-over Most AP (Cisco, etc.) products support Radius based MAC authentication
- Slide 10
- eLearningWired and Wirelessly! Encryption Wired Equivalent Privacy 64 WEP standard available 40-bit secret key + 24-bits Initialization Vector (IV) IEEE 802.11 standard 128RC4 available 104-bit secret key + 24-bits Initialization Vector (IV) Not IEEE 802.11 compliant When WEP is enabled, Shared Key Authentication is enabled
- Slide 11
- eLearningWired and Wirelessly! Overview of 802.11b Security Vulnerabilities Compromise of encryption key Theft of hardware is equivalent to theft of key Packet spoofing, disassociation attack Rogue AP Known plain-text attack Brute force attack Passive monitoring Replay attack
- Slide 12
- eLearningWired and Wirelessly! Wireless Security Recommendations Change default SSID, password, SNMP settings Avoid temping SSID names that identify hacker targets Configure as Closed System to not broadcast SSID beacons or answer probes from clients set to ANY Minimize coverage beyond desired areas Use tools for periodic site surveys to spot rogue APs Consider limiting access based on MAC if practical Place APs in DMZ based VLAN and have clients VPN in Consider IPSec APs not in public accessible areas Address WEP Weaknesses via Key Rotation, 802.1x, WEP 2 (802.11i),VPN Overlay
- Slide 13
- eLearningWired and Wirelessly! 802.1x, Security and Encryption 802.1x is purely an authentication standard and is a Standard for Port Based Network Access Control 802.1x applies to wired and wireless networks 802.1x defines methods for authentication and key distribution plus other things 802.1x is usable with currently standardized authentication/key distribution schemes (i.e. - RADIUS/ Kerberos) 802.1x is a work in progress Usable with currently standardized authentication/key distribution schemes (i.e. - RADIUS/ Kerberos) Does not specify MAC level encryption type (I.e. WEP40/104 or other), so independent of it However, 802.1x can be used to set WEP keys Addresses Key Distribution problem Permits rapidly changing, individual WEP keys WEP is still required for encryption
- Slide 14
- eLearningWired and Wirelessly! Access Control RADIUS Access Control (RAC) Extension to existing Access Control system to make it more usable for large networks Access Control table does not reside in each Access Point but in a RADIUS server: Server device that communicates with APs using RFC 2138 defined RADIUS protocol definition. (RADIUS = Remote Authentication Dial-In User Service) Network administrator needs to manage one Access Control table which rather then one for each AP RAC will overcome the limitation of the 497 entries that an AP-based Access Control Table can hold at maximum
- Slide 15
- eLearningWired and Wirelessly! Secure Wireless LAN Architecture
- Slide 16
- eLearningWired and Wirelessly! And if you dont believe secure wireless communications is important
- Slide 17
- eLearningWired and Wirelessly!
- Slide 18
- Gary Zavitz firstname.lastname@example.org 416-347-9251 Thank You Gary Zavitz email@example.com 416-347-9251 firstname.lastname@example.org
View more >