practical wireless ip - university of california, berkeleyee228a/fa03/228a03/802.11 wlan... · ncan...
TRANSCRIPT
1
Practical Wireless IP: Concepts, Administration, and Security
Brad C. Johnson &Philip CoxSystemExperts Corporation
V 2.10 Copyright SystemExperts 2001,2002,2003 2
Just checking...
n This is a top level bulletn This is the next level in
n this would be level 3
n this would be level 4
n Can you hear? Check 1…2…3…Check
n Is it too hot?
Too cold?
2
V 2.10 Copyright SystemExperts 2001,2002,2003 3
Jump Start Skinny
n Wireless LANs are in a state of fluxn Speed: 802.11a, 802.11b, 802.11g
n Security: 802.1X, ESN, EAP, LEAP
n Handhelds are in a state of consolidation and globalizationn Phones, pagers, beepers, handheld are all melding into a
single device
n Permutations of protocols, capabilities, and features can be overwhelmingn Turn any card and system into an Access Point
n Use a Pringles as an antenna
n Expand your network without any help or notice
V 2.10 Copyright SystemExperts 2001,2002,2003 4
Jump Start Help
n Focus on long term goalsn New applications deployed quickly -> Interoperability
=> Stay away from vendor specific solutions
n Reduced deployment costs -> Management Costs=> Updated policies
n Flexible infrastructure -> Network Design => Antenna homework
n Enable business opportunities -> Architecture => Security
n Think about your real speed needsn 1 Mbps is about the same as T1
n It’s hard to predict interference without trying
n Consistency (polling) vs. bandwidth (RTS/CTS)
n Published speeds are not realistically possible (85% at best)
3
V 2.10 Copyright SystemExperts 2001,2002,2003 5
Speed vs. Interoperability
O F D M , C C K - O F D M5 4
O F D M , C C K - O F D M4 8
O F D M , C C K - O F D M3 6
P B C C3 3
C C K- O F D MO F D M2 4
P B C C2 2
O F D M , C C K - O F D M1 8
C C K- O F D MO F D M1 2
P B C CC C K1 1
O F D M , C C K - O F D M9
C C K- O F D MO F D M6
P B C CC C K5.5
Barke r2
Barke r1
O p t i o n a l M e t h o dR e q u i r e d M e t h o dB i t R a t e
802.11GProposal
V 2.10 Copyright SystemExperts 2001,2002,2003 6
Course Contents
n What is isn Wireless, focused on
n IP services for laptops
n and a little on handheld and cell-phone Internet access
n Wireless, for understanding
n Security, configuration, and usage
n What it isn’tn A Radio Frequency Primer
n An in-depth analysis of Cellular Wireless protocols
n An exhaustive list of wireless providers and devices
4
V 2.10 Copyright SystemExperts 2001,2002,2003 7
Course Objectives
n When you leave this course, you should be able to:n Identify major protocols and standards used by, first
and foremost, wireless LANs as well as PDAs and cell-phones
n Identify important features and configuration options associated with Access Point and client cards
n Understand major threats to wireless IP networks
V 2.10 Copyright SystemExperts 2001,2002,2003 8
Where are We?
n From 50,000’ to 5’ in about 24 slidesn Threats
n Handheld Practicals
n LAN Practicals
n *NIX and Wireless
n Currents
n Antennas
5
V 2.10 Copyright SystemExperts 2001,2002,2003 9
What is Wireless
Coverage AreaLocal Wide
SpreadSpectrum
WLAN
Broadband PCS
Narrowband WLAN
Circuit & Packet Data
Narrowband PCS
10 mbps
4 mbps
2 mbps
1 mbps
128 kbps
56 kbps
19.6 kbps
9.6 kbps
Infr
ared
WLA
N
Da
ta
R
at
es
Satellite
“old” stable
“new” & “unstable”
V 2.10 Copyright SystemExperts 2001,2002,2003 10
Wireless Component Overview
Gateway
802.11
PDA
WEB
WAPAPP
Server
Gateway
PSTN
Wired
Network
This Course
This Course
6
V 2.10 Copyright SystemExperts 2001,2002,2003 11
Wireless Devices
n Historicallyn Single function device (very small)
n use a phone to talk
n use a pager to get a phone call notification
n use a PDA to load appointments
n General purpose devices (small)n desktop or laptop for “anything”
n Now and moving into the futuren Simple devices becoming more flexible
n General purpose devices becoming (almost) as small/light as the single function devices
V 2.10 Copyright SystemExperts 2001,2002,2003 12
General Purpose Wireless Environments
n HomeRFn 2.4 GHz band
n 1.6 Mbps from a distance of about 150 feet
n Residential market
n Bluetoothn 2.4 GHz band
n Creates Personal Area Networks (PANs)
n Up to 780 Kbps within a 10-meter range
n “Appliance” market
7
V 2.10 Copyright SystemExperts 2001,2002,2003 13
802.11b
n Unlicensed 2.4 GHz band
n Uses direct-sequence spread-spectrum (DSSS)n Frequency-Hopping FHSS can only be used for 1 &
2 Mbps in US because of FCC regulations
n 1 - 11 Mbps from a distance of about 150 to 2000 feet (without special antenna)n …more on this later
n Home business and business markets
V 2.10 Copyright SystemExperts 2001,2002,2003 14
802.11 Plain and Simple
Application
Presentation
Session
Transport
Network
NetworkOperatingSystem (NOS) IP
TCP
Data Link
Physical802.11
F H , D S , I R , C C K ( b ) , O F D M ( a )
L o g i c a l L i n k C o n t r o l ( L L C ) – 8 0 2 . 2
M e d i a A c c e s s C o n t r o l ( M A C ) – P o w e r S e c u r i t y , E t c .
8
V 2.10 Copyright SystemExperts 2001,2002,2003 15
802.11b
n Physical Layern Physical Medium
Dependent (PMD) –wireless encoding
n Physical Layer Convergence Protocol (PLCP) – common interface
n long preamble for all 802.11b systems
n short preamble for
special case: e.g., streaming video, Voice-over IP
n MAC Layern Inter Frame Space (IFS)
n Physical Carrier Sense
n Virtual Carrier Sense
n e.g., hidden-node
n Frame Control
n Power Management
n Fragmentation
V 2.10 Copyright SystemExperts 2001,2002,2003 16
802.11 A Little Less Plain & Simple
Logical Link Control
Point Coordination Function (pcf)
Distributed Coordination Function (dcf)
2.2 GHzFHSS
2.4 GHzDSSS
Infrared 2.4GHzDSSS
5.5 and 11 Mbps
5GHzOFDM
6,9,12,18,24,36,48,54 Mbps
MAC
PHYData Rates
1Mbps and 2 Mbps
IEEE 802.11 802.11b 802.11a
9
V 2.10 Copyright SystemExperts 2001,2002,2003 17
802.11b Frame Control
n 3 types of 802.11b packetsn Management (type 00)
n {association, re-association, probe} {request, response}
n authentication, de-authentication, & disassociation
n beacon
n e.g., time-stamp, traffic indication map, supported rates
n ATIM – Announcement Traffic Information Message
n sent after each frame
n Control (01)n RTS, CTS, ACK, CF*, PS-Poll
n Data (10)n ok, data! plus
n CF-ACK/Poll, etc.
V 2.10 Copyright SystemExperts 2001,2002,2003 18
802.11b IBSS
n Independent Basic Service Set (IBSS)n Ad-Hoc mode
n Often called peer-to-peer
n No Access Point (AP)
n i.e., with just your client cards
n No wired connections, only link wireless clients
10
V 2.10 Copyright SystemExperts 2001,2002,2003 19
802.11b BSS
n Basic Service Set (BSS)n Infrastructure mode
n Uses an AP to connect clients to a wired network
Wired LAN
Access Point
V 2.10 Copyright SystemExperts 2001,2002,2003 20
802.11b ESS
n Extended Service Set (ESS)n Infrastructure mode
n Uses multiple APs
n Clients may roam between APs
n …more on roaming later
Wired LAN
Access Points
11
V 2.10 Copyright SystemExperts 2001,2002,2003 21
802.11b ESS
n Extension Pointn Infrastructure mode
n Chain APs
Wired LAN
Access Points
V 2.10 Copyright SystemExperts 2001,2002,2003 22
Exposures
n Technology problems
n Theft of hardware
n Insecure and publicly known configuration information
n Masquerading
n Virus
n Eavesdropping
n Authorization
n Ease of use (huh?)
12
V 2.10 Copyright SystemExperts 2001,2002,2003 23
Technology Problems
n What does “technology” mean?n The current state of common hardware and
software solutions, examples includen protocol issues
n the issues with WEP and interoperability
n specification issues
n WEP doesn’t encrypt the SSID and, in general, management packets
n configuration issues
n default AP is WEP disabled, open authentication, default SNMP community string
n vendor issues
n more interoperability problems
V 2.10 Copyright SystemExperts 2001,2002,2003 24
Theft of hardware
n Wireless stuff is smalln Wireless cards fit in a shirt-pocket
n Most of the APs fit in a jacket pocket or are easily hidden in any kind of bag
n should they be tagged like clothes in a store?
n The wireless configuration stuff has to be someplacen Cisco 340 cards write WEP keys to the card
n Other cards write WEP keys to the local system
n If a card were stolen or lost, how long would it take to re-key your Wireless network?n What would be the trigger point?
13
V 2.10 Copyright SystemExperts 2001,2002,2003 25
Insecure Configuration Information
n Where does the client store the information?n Cisco: On the card
n so steal it
n Lucent: n on Windows, it’s in a world-readable registry key:
so copy the values and import them into your configuration
n on other OSs, it’s stored in a file
n Other cards are storing the data someplace too ☺
n Let’s take a closer look at the Lucent Windows example
V 2.10 Copyright SystemExperts 2001,2002,2003 26
Lucent Client Registry Entries
Obfuscated or encryptedWEP Key
SSID
14
V 2.10 Copyright SystemExperts 2001,2002,2003 27
Registry Permissions
Any authenticated user
Can read and copythis data L
V 2.10 Copyright SystemExperts 2001,2002,2003 28
Publicly Known Configuration Information
n Default configurations are insecure and well knownn www.wi2600.org/mediawhore/nf0/wireless/ssid_defaults/
n e.g.Netgear 802.11 DS products, ME102 and MA401 Default SSID: Wireless Default Channel: 6 Default IP address: 192.168.0.5 Default WEP: Disabled Default WEP KEY1: 11 11 11 11 11 Default WEP KEY2: 20 21 22 23 24 Default WEP KEY3: 30 31 32 33 34 Default WEP KEY4: 40 41 42 43 44 Default MAC: 00:30:ab:xx:xx:xx
15
V 2.10 Copyright SystemExperts 2001,2002,2003 29
Masquerading
n Client siden AP identifies system, not user
n System may be used by more than one user
n No authorization schemes for different user groups
n Access Pointn Clients don’t authenticate AP’s
n Solution?n Per user authentication: e.g., EAP
V 2.10 Copyright SystemExperts 2001,2002,2003 30
Virus
n Various ways that virus can “get” to your wireless devicen Host based that is carried forward on a PDA
(HotSync) or phone (TrueSync) sync
n PDA passes on through infrared
n Web phone downloads
n examples include the European EPOC OS
Courtesy of Information Security
16
V 2.10 Copyright SystemExperts 2001,2002,2003 31
Eavesdropping
n Indirect: listening to the network that the wireless access point is connected to (PROMISC)n Remember: WEP only encrypts data between the client and
the access point!
n Quite frankly, this is what most people are doing when they talk about “sniffing wireless”
n Direct: listening to the airwaves (RFMON)n Sender can not detect eavesdropping
n Frequency band largely determines range
n it is quite possible that it goes outside the building
n special electromagnetic shielding is needed to “stop” leakage or
special antenna usage and placement is need to control leakage
V 2.10 Copyright SystemExperts 2001,2002,2003 32
MAC Layer
n Can configure the AP to talk to specific Media Access Control addresses (MAC, a.k.a. hardware address)
n Controls access to wired network not wireless
n Some APs will use RADIUS to get the information
n Problem:n MAC addresses can be manually set very easily
(see next slide)
17
V 2.10 Copyright SystemExperts 2001,2002,2003 33
MAC address configuration
L
V 2.10 Copyright SystemExperts 2001,2002,2003 34
Ease of Use
60 seconds on one corner in a major city
18
V 2.10 Copyright SystemExperts 2001,2002,2003 35
Net Stumbler
n Windows utility for “war driving” – that is, finding Access Points (APs)n www.personaltelco.net/index.cgi/NetStumbler
n Gives critical AP information includingn MAC address, SSID, network name, broadcast
channel, vendor, WEP flag, GPS (if attached to the serial port), and all sort of other stuff…
n Mini Stumbler now available for handhelds!
V 2.10 Copyright SystemExperts 2001,2002,2003 36
Stumbler Screen Shots
19
V 2.10 Copyright SystemExperts 2001,2002,2003 37
Stumbler Screen Shots (cont.)
V 2.10 Copyright SystemExperts 2001,2002,2003 38
Why is Net Stumbler Successful?
Good antenna design:coverage area is appropriate
Poor antenna design:coverage area is excessive
Two2-story buildings with different Access Point antenna antenna setupsVertical Leakage
Horizontal Leakage
Antenna Design Considerations
20
V 2.10 Copyright SystemExperts 2001,2002,2003 39
Where are We?
n From 50,000’ to 5’
n Handheld Practicals
n LAN Practicals
n *NIX and Wireless
n Currents
n Antennas
V 2.10 Copyright SystemExperts 2001,2002,2003 40
Section Contents
n Transports
n Mobile Data Services
21
V 2.10 Copyright SystemExperts 2001,2002,2003 41
Key Factors in Technology
n Regulationn Determines who gets what and how
n In US “competition” was kingn Regional Bell’s and one other (1/2 each)
n In Europe “interoperability” was kingn Competition was not an issue, interoperability was
n Need to exchange billing and accounting information
n Security was designed to protect against fraudn As opposed to protecting your data
V 2.10 Copyright SystemExperts 2001,2002,2003 42
Cellular Basics
n Two Connections Typesn Circuit Switched
n Packet Switchedn More efficient (~10x) than circuit switched
n Transmission techniquesn Frequency Division Multiple Access (FDMA)
n Frequency range is divided into channels
n Dedicated channel/frequency per call
n Time Division Multiple Access (TDMA)n Each call gets a “timeslot” of time on a certain frequency
n Code Division Multiple Access (CDMA) n Uses spread spectrum techniques (i.e., is spread over the
available frequencies)
n Each call has a unique code
22
V 2.10 Copyright SystemExperts 2001,2002,2003 43
Major Cellular Systems
n Advanced Mobile Phone System (AMPS)
n IS-54/IS-136
n IS-95
n Global System for Mobile Communications (GSM)
n Integrated Digital Enhanced Network (iDEN)
n PCS
Note Telecommunications Industry Association (TIA) is the main standards carrier for the Interim Standards (IS)
V 2.10 Copyright SystemExperts 2001,2002,2003 44
GSM
n “THE” system outside of the US
n A digital system using a modified version of TDMA
n Data at 9.6kn No modem needed for circuit or packet switched data
n 900 MHz (GSM800) and 1800 MHz (GSM1800) in Europe and Asia, 1900 MHz US (GSM1900)n They are not compatible
n Use Subscriber Identification Module (SIM) cards to store all the connection data and identification numbers you need to access a particular wireless service provider
23
V 2.10 Copyright SystemExperts 2001,2002,2003 45
GSM Security
n International Mobile Equipment Identity (IMEI) for each device to determine if device is allowed on the network
n Shared secret: Stored in the Authentication Center (AuC) and subscriber's SIM cardn Authentication: The AuC generates a random number sends it to
the mobile. Mobile uses A3 cipher and shared key to generate a signed response sent back to the AuC
n Encryption: Use a key derived from A8 cipher using the same pseudo random number+subscriber-key as above. Cipher key is used with the TDMA frame number, in the A5 cipher to create a value to XOR with data
n same process in IS-54/136 & PCS1900
V 2.10 Copyright SystemExperts 2001,2002,2003 46
Today’s Data Systems
n Primary mobile wireless data services are…n Cellular Digital Packet Data (CDPD)
n iDEN packet service
n Circuit-switched data service for CDMA networks (e.g., SprintPCS)
n Circuit-switched data services for GSM networks
n Modems and analog phones
n All of these services offer speeds in the 9.6 Kbps to 19.2 Kbps range
n How they deliver…n Smart phones (phones with micro-browsers)
n Wireless modems (PC card or cable with phone)
24
V 2.10 Copyright SystemExperts 2001,2002,2003 47
CDPD
n IS-732n Uses idle voice channel or dedicated data channel
depending on network configuration
n It enables analog AMPS networks to carry packetized data alongside voicen CDPD is to AMPS what D-AMPS+ is to TDMA
(IS-136/D-AMPS) a way to do Packet Data vice Circuit Data
n Operates on the 800 MHz frequency
n Data only, up to 19.2k
n Requires a modem to convert analog
V 2.10 Copyright SystemExperts 2001,2002,2003 48
CDPD Security
n Clone prevention: Asks 2 questionsn How many times have you accessed the network?
n What was the last password you used?
n Network level security based on RC4n Diffie-Hellman to get session key
25
V 2.10 Copyright SystemExperts 2001,2002,2003 49
Other Popular Systems
n Cingular (a.k.a. Mobitex)n Operated by Bell South and RAM Mobile Data
n Data up to 8k
n Wide coverage
n Australia, Belgium, Canada, Korea, Netherlands, Sweden, United Kingdom, United States
n Used by PALM VII and Blackberry
n ARDIS (DataTAC)n Connection oriented
n Two versions: MDC4800 and RD-LAP
n Most widely used version is Radio Data Link Access Protocol (RD-LAP)
n used by Motient for Blackberry
V 2.10 Copyright SystemExperts 2001,2002,2003 50
What is 3G?
n Generic term covering a range of future wireless network technologies
n a.k.a. IMT-2000
n Includes …n cdma2000
n UMTS (Universal Mobile Telecommunications System)
n GPRS (General Packet Radio Service)
n WCDMA (Wideband Code Division Multiple Access)
n EDGE (Enhanced Data rate for GSM Evolution)
n Focus is to combine high-speed mobile access with Internet Protocol (IP) based services
26
V 2.10 Copyright SystemExperts 2001,2002,2003 51
In a box …
14.4kVerizon, Sprint PCS, Bell Mobility & Clearnet PCS, Airtouch, GTE, Bell Atlantic, Primeco, others
CDMACircuit (voice and data)
9.6kCingular (old PacBell), Voicestream, Omnipoint, BellSouth Mobility, Sprint, others
GSM
9.6kAT&T , BellSouth, Southwestern BellTDMA
19.2kAT&TAMPS
9.6kNextel (voice)iDEN
9.6kNextel OnlineiDEN
19.2kMotientRD-LAP
19.2kAT&T , Verizon, BC TEL Mobility, TELUS Mobility
CDPD
8kCingularMobitexPacket (data)
SpeedProviderTechnologyNetwork Type
V 2.10 Copyright SystemExperts 2001,2002,2003 52
Observations
n A lot of things are changing quickly here, and it’s hard to keep them straight
n Watch IMT-2000 and your wallet ☺
n IS-54, IS-136, and IS-95 will default to AMPS when their signal cannot be detected
n Arguably the best site to find technical informationn www.privateline.com/Cellbasics/Cellbasics.html
n www.howstuffworks.com/cell-phone.htm
n As time passes, we’ll watch and see what actually shakes out
27
V 2.10 Copyright SystemExperts 2001,2002,2003 53
Section Contents
n Transports
n Mobile Data Services
V 2.10 Copyright SystemExperts 2001,2002,2003 54
Mobile Data Services
n Currently there are three main services provided:n Messaging
n Wireless Web
n Proprietary applications
n As time goes on, specific applications will be written or ported to provide mobile services
28
V 2.10 Copyright SystemExperts 2001,2002,2003 55
Mobile Data Services: Messaging
n Short Messaging Service (SMS)n Available on all digital technologies
n 140-260 byte messages, store and forward
n Cell Broadcast Service (CBS)n Available on GSM only
n 1,395 byte messages
n Limited deployment: No way to bill, it’s broadcast ☺
n Unstructured Supplementary Services Data (USSD)n Connection oriented, GSM based (also UMTS, GSM
successor)
n 182 bytes, uses control channel
V 2.10 Copyright SystemExperts 2001,2002,2003 56
Mobile Data Services: Wireless Web
n Factors: speed, screen size, and CPU/memory
n Uses a micro-browser
n Popular delivery standardsn Compact HTML (C-HTML)
n Web Clipping
n Wireless Application Protocol (WAP)
29
V 2.10 Copyright SystemExperts 2001,2002,2003 57
C-HTML
n Created by W3C
n Simplified version of HTML
n Heavily used in Japan via i-mode servicen Virtually unknown elsewhere
n Advantage: Displays equally well on regular browsers
n Disadvantage: Not optimized for handheld limitations
V 2.10 Copyright SystemExperts 2001,2002,2003 58
Web Clipping
n Palm proprietaryn Palm VII (US only)
n Palm Query Application (PQA) loaded on each server interprets HTML and tell the PALM which parts of the page to downloadn A separate PQA must be installed for each site
n Downloaded to Palm from desktop
n Uses Mobitex and OmniSKY networks
n Advantage: Fast access and off-line browsing
n Disadvantage: Need to have PQA on each system
30
V 2.10 Copyright SystemExperts 2001,2002,2003 59
Wireless Application Protocol (WAP)
n An application environment
n A set of communication protocols for wireless devices
n Derived from Handheld Device Markup Language (HDML) by Phone.com (a.k.a. Unwired Planet)
n Client/server philosophy
n Uses a micro-browser and a WAP Gateway connected to the mobile network
V 2.10 Copyright SystemExperts 2001,2002,2003 60
WAP Architecture
WAPGateway
WebServer
HTTPWSP/WTP
N o t e : W A P S e r v e r = W A P G a t e w a y + W e b S e r v e r
31
V 2.10 Copyright SystemExperts 2001,2002,2003 61
WAP Protocol Layers
Wireless Application Environment (WAE)Applicaiton
Wireless Session Protocol (WSP)Session
Wireless Transaction Protocol (WTP)Transaction
Wireless Transport Layer Security (WTLS)Security
Wireless Datagram Protocol(WDP)
Transport
Bearers(GSM, SMS, CDMA, CDPD, GPRS, etc.)
Network
UDP
V 2.10 Copyright SystemExperts 2001,2002,2003 62
The Gap in WAP
n What is the Gap in WAP?n WAP handset to WAP server handled by WTLS
n WAP server to Internet handled by SSL
n Once decrypted by WTLS, data is exposed until it is re-encrypted by SSLn this of service providers, like PalmNet
32
V 2.10 Copyright SystemExperts 2001,2002,2003 63
Gap in WAP
WAP Gateway Client
WTLSSSL
WTLSSSL Encrypt DecryptPlain Text
HTTP SERVER
V 2.10 Copyright SystemExperts 2001,2002,2003 64
VPNs
n Certicom’s movianVPNn Basis for iPassConnect PDA service
n requires a modem and two pieces of software on the PDA
n lightweight version of iPass’ dialer, called iPass Synch and movianVPN
n users dial up an iPass-affiliated ISP, then establish a VPN
n Cisco VPN concentrators will support the client
n Texas Instruments/SafeNet VPN
33
V 2.10 Copyright SystemExperts 2001,2002,2003 65
What Really Matters?
n Securityn Encryption options by…
n the Bearer
n the Application
n WTLS
n Device costn Phones
n constantly changing options and services
n Handheld
n PocketPC vs. CE vs.
PALM
n Expandability
n Interoperability n Where can you use it?
n What can you get to?
n Device managementn Ease of configuration,
upgrades
V 2.10 Copyright SystemExperts 2001,2002,2003 66
Notes:
34
V 2.10 Copyright SystemExperts 2001,2002,2003 67
Where are We?
n From 50,000’ to 5’
n Handheld Practicals
n LAN Practicals
n *NIX and Wireless
n Currents
n Antennas
V 2.10 Copyright SystemExperts 2001,2002,2003 68
Section Contents
n 802.11
n Access Points 101
n Deployment Examples
35
V 2.10 Copyright SystemExperts 2001,2002,2003 69
Wireless LAN Technologies
n Made up of three primary semi-competing technologiesn IEEE 802.11 {802.11b is our focus}
n Bluetooth
n HomeRF
V 2.10 Copyright SystemExperts 2001,2002,2003 70
Upcoming WLAN
n IEEE 802.11g (Next generation WLAN)n Data rates of 20+ Mbps
n Selected Intersil's Orthogonal Frequency Division Multiplexing (OFDM)
n TI's Packet Binary Convolution Coding (PBCC) technology was not selected
n 802.11an …more later
36
V 2.10 Copyright SystemExperts 2001,2002,2003 71
802.11 Local Area Wireless
n IEEE 802.11 makes up the majority of Wireless LANs
n 802.11b (a.k.a. Wi-Fi™) is the current favoriten Encodes data using DSSS (direct-sequence
spread-spectrum) technology
n Runs in the 2.4-GHz rangen different ranges in different regions US, Europe, Japan,
France, Spain
n Four “speed” ranges: 1-Mbps, 2-Mbps, 5.5-Mbps, and 11Mbps
V 2.10 Copyright SystemExperts 2001,2002,2003 72
802.11b Components
n Clientn Wireless Stations
n “Servers”n Residential Gateways
n Enterprise Access Points
n Access Servers
n Outside Routers
37
V 2.10 Copyright SystemExperts 2001,2002,2003 73
Current 802.11 Security
n Privacyn Wired Equivalent Privacy (WEP)
n Authenticationn Shared key
n Open system
n Authorizationn MAC
V 2.10 Copyright SystemExperts 2001,2002,2003 74
Wired Equivalent Privacy (WEP)
n Purpose it to provide “privacy of a wire”
n Uses RC4 for encryptionn WEP Key + initialization vector (IV) are fed into a
pseudorandom number generator
n The IV, Encrypted Message, and checksum are sent in the 802.11 packetn Checksum is not WEP key dependent
n IV is changed periodicallyn Implementation dependant, but best if every packet (problem
is running out)
n Packet-by-packet data encryption
38
V 2.10 Copyright SystemExperts 2001,2002,2003 75
More on WEP Keys
n Standard says 40bit, but many vendors support or 128 bitn 40bit is actually 64bit: a 40bit key and 24-bit IV
n 128bit is a 104-bit key with a 24-bit IV
n No key-management protocol
n Also no inter AP protocol (IAPP) to pass keys
V 2.10 Copyright SystemExperts 2001,2002,2003 76
Access Points and WEP
WEP Not WEP
HTTP ServerClient
SSL Not SSL
Q: What does WEP do for you?A: Think of SSL and WTLS
Access PointClient
WAP GatewayClient
WTLS SSL
Wired Network
Backend Server
HTTP Server
39
V 2.10 Copyright SystemExperts 2001,2002,2003 77
WEP Encryption Steps
n Integrity Check Value computedn Checksum of payload (i.e., plaintext) using CRC32
n Select encryption keyn One of four keys selected
n Generate IV
n Use RC4 to generate a keystream RC4(IV,Key)n Note IV is prepended to key
n Concatenate ICV to payload, then XOR with the generated keystream to get ciphertext
n Send IV+keynumber+ciphertext over the airn Key number is the key selected in the second step
V 2.10 Copyright SystemExperts 2001,2002,2003 78
WEP Encryption
RC4
IV Secret Key Payload
ICV
XOR
CiphertextIVMessage
40
V 2.10 Copyright SystemExperts 2001,2002,2003 79
WEP Decryption Steps
n Use key number to get private key
n Use sent IV to generate keystreamn RC4(IV,Key)
n XOR received ciphertext with keystreamn Get ICV+Payload
n Compute ICV on Payload
n If new ICV == sent ICV, then packet good
V 2.10 Copyright SystemExperts 2001,2002,2003 80
WEP Decryption
RC4
IV Secret Key Payload
ICV
XOR
CiphertextIVMessage
ICV
41
V 2.10 Copyright SystemExperts 2001,2002,2003 81
WEP Key Management
n Static keys
n Manually distributed
n Up to four keysn Can be mixture of 40/128 bit keys
n Either set as hex data or ASCIIn ASCII string is converted into key by key generator
n this limits the key strength to 2^21 because of high ASCII bit and PRNG not being very random
n to interoperate, they all use the same algorithm
n Configuration tool usually determines
V 2.10 Copyright SystemExperts 2001,2002,2003 82
The Major WEP Problems
n Message Authentication
n Key Generators
n Keystream Reuse
n RC4 Key Scheduling Algorithm
42
V 2.10 Copyright SystemExperts 2001,2002,2003 83
Problem: Message Authentication
n The Cyclical Redundancy Check (CRC) chosen for the authentication is weakn It is designed for errors, not authentication
n It is possible to modify a message such that the CRC will be valid for the messages, but is not the messages that was sent
n Can also inject messages in much the same manner
V 2.10 Copyright SystemExperts 2001,2002,2003 84
Problem: 40-Bit ASCII Generator
n Folds the ASCII string into a 32-bit number (2^40 now 2^32)
n Use this in a PRNG to generate the 40-bit key, same key every 2^24
n Folding method guarantees only 2^21 unique sets of WEP keysn It takes about 35 seconds of time on a 500MHz PIII
n 128-bit Generatorn Not the same problems
n Relies on strength of ASCII test and MD5
43
V 2.10 Copyright SystemExperts 2001,2002,2003 85
Problem: Keystream Reuse
n The shared key is static and rarely changed
n Randomness of key stream depends on IVn When IV is reused, then you have two messages
encrypted with same keystream (a collision)
n 2^24 possible IV, so repeated after ~16 million packets
n Most clients reset IV to 0 and increment by 1 for each packet
n lots of collisions
V 2.10 Copyright SystemExperts 2001,2002,2003 86
Problem: Keystream Reuse Attack
n Attacker sends you a known packet (i.e., ping)n A bunch of them ☺
n Sees the response: Ciphertext and IV
n Now knows Plaintext and Ciphertext, can get keystreamn K = P XOR C
n note: the attacker does *not* know the key, but the keystream
n Makes a database indexed with IVn Now for any IV he/she sees in the future, then have the
keystream needed to decrypt the packet
n Major problem because of shared keys
44
V 2.10 Copyright SystemExperts 2001,2002,2003 87
Problem: Key Scheduling Algorithm of RC4
n Documented by Scott Fluhrer, Itsik Mantin and Adi Shamirn Paper indicated that an attacker could gain access to an entire
WLAN in less than 15 minutes
n Requires between 1 million and 8 million packets, and does not require significant CPU power
n Main problem is a weakness in the way the RC4 encryption algorithm is implemented in WEPn By having a “known” plaintext prepended on the key (I.e., the
IV), it leads to weak keys that will generate known ciphertext output from the RC4 engine
n It allows the attacker to go back and "reverse engineer" the secret key from encrypted packets
V 2.10 Copyright SystemExperts 2001,2002,2003 88
Problem: Key Scheduling Algorithm of RC4
n Longer keys won’t help because the attack recovers each key byte individually, rather than attempting to decrypt the key as a whole
n The attack scales linearly -- not exponentially -- as key length increases
45
V 2.10 Copyright SystemExperts 2001,2002,2003 89
WEP Solution
n IEEE 802.11 TGi is working on two solutions
n Short-Term:n A lightweight protocol called TKIP is being
developed
n Can be implemented on existing hardware platforms while still providing acceptable security in the short term future
n More later …
n Long-Term:n One based on AES will be used for future devices
V 2.10 Copyright SystemExperts 2001,2002,2003 90
Current 802.11b Authentication
n Two specified in the standard: Open and Sharedn Open system authentication: This is the default
n any client can associate with the access point
n doesn’t mean the get an IP though
n Shared key authentication: Uses a shared secret key (i.e., the WEP Key) to authenticate the client to the AP
n client sends an Authentication frame to the AP
n AP replies with an Authentication frame containing a 128bit challenge
n client will send the “encrypted” challenge back
n AP will decrypt and compare, if it matches, then replies with a “success” authentication
46
V 2.10 Copyright SystemExperts 2001,2002,2003 91
Other 802.11b Authentication Mechanisms
n Closed network (no broadcast SSID)
n Captive Portalsn NoCat
n Proprietary
V 2.10 Copyright SystemExperts 2001,2002,2003 92
Current 802.11 Authorization
n MAC Layern Can configure the AP to talk to specific MAC
addresses
n Controls access to wired network not wireless
47
V 2.10 Copyright SystemExperts 2001,2002,2003 93
RSN: The Wireless Security Future?
n Robust Security Network (RSN)n Enhanced Security Network (ESN)
n Defined in the 802.11 Security Baseline
n RSN security consists of two basic subsystems:
n Data privacy mechanismn TKIP (a protocol patching WEP)
n AES-based protocol (long term)
n Security association managementn RSN negotiation procedures, to establish a security context
n IEEE 802.1X authentication, replacing IEEE 802.11 authentication
n IEEE 802.1X key management, to provide cryptographic keys
V 2.10 Copyright SystemExperts 2001,2002,2003 94
Temporal Key Integrity Protocol (TKIP) Overview
n Quick fix to the existing WEP problem (i.e., Kludge)
n New “procedures” around Legacy WEPn Message Integrity Code (MIC)
n Sequence Counter
n Dynamic key management (re-keying)
n Countermeasures
n Key mixing
48
V 2.10 Copyright SystemExperts 2001,2002,2003 95
TKIP Foundations
n Never use the same IV value more than once for any particular session keyn Prevents key-stream reuse by a system
n Receivers discard any packets whose IV value is less or equal to the last successfully received packet encrypted with the same keyn Assumes that we receive packets in order. Prevents
replay attacks
V 2.10 Copyright SystemExperts 2001,2002,2003 96
TKIP Foundations (cont)
n Regularly generate a new random session key before the IV counter overflowsn Prevents key-stream reuse
n Provide a more thorough mixing of the IV value and the session key to derive the packet's RC4 keyn To “fix” the RC4 Key scheduling issues with WEP
49
V 2.10 Copyright SystemExperts 2001,2002,2003 97
TKIP Message Integrity Code (MIC)
n In order to defeat active attacks against the privacy key, TKIP mandates use of a MIC, called Michaeln Developed by Niels Ferguson for Intersil
n It is calculated over the entire MSDUn Includes the MSDU source and destination addresses and the
MSDU plaintext data
n Michael uses a 64-bit key and generates a 64-bit MICn Design goal of 20 bits of security
n Michael by itself thus provides only weak protection against active attack
V 2.10 Copyright SystemExperts 2001,2002,2003 98
TKIP Sequence Counter (tsc)
n A 16-bit monotonically incrementing countern Take the 1st and 3rd bytes of the old IV
(24 bits == 3 bytes)
n Initialized to zero when the corresponding TKIP temporal key is initialized or refreshed
n Encoded as a WEP IVn A mixing function combines the TK and tsc into a
WEP seed
n The first 24 bits of the seed are what was the IV and corresponds in a one-to-one fashion with the packet sequence counter
50
V 2.10 Copyright SystemExperts 2001,2002,2003 99
TKIP counter-measures
n TKIP sequence counter exhaustionn If a new temporal key cannot be established before
the full 16-bit space is exhausted, then TKIP-protected communications shall cease
n Key refresh failuren The implementation halts further data traffic until
rekeying succeeds, or disassociates
n MIC failuren The station basically deletes the keys and
reassociates
V 2.10 Copyright SystemExperts 2001,2002,2003 100
Key Mixing
n The mixing function has two phasesn Phase1: Mix Temporal Key (TK) with transmitter MAC
address (TA)n TK is 128 bit shared secret
n Output is 128 bits
n Phase 2: Mix Phase 1 output with the tsc to produce 128 bit WEP seed (a.k.a. per-packet key)
n The WEP seed is fed to the Legacy WEP engine to encrypt one and only one data packetn WEP engine sees the WEP seed as the IV and Legacy WEP Key
combinationn Why RC4: AES takes too many resources for existing 802.11b gear
n Expect AES built into silicon within a year or so
n S-boxn Substitutes one 16-bit value with another 16-bit value
51
V 2.10 Copyright SystemExperts 2001,2002,2003 101
TKIP Encapsulation
MIC Key TKIP sequence counter(s)
SA + DA + Plaintext MSDU
Data
Ciphertext MPDU(s)
WEP Encapsulation
MIC
TTAK Key
Plaintext MSDU +
MIC Fragment(s)
Phase 2 key mixing
Plaintext MPDU(s)
WEP seed(s) (represented as WEP IV + RC4
key)
Phase 1 key mixing TA
Temporal Key
C o u r t e s y o f I E E E 8 0 2 . 1 1 TGi
V 2.10 Copyright SystemExperts 2001,2002,2003 102
TKIP decapsulation
MIC Key
WEP IV
Plaintext MSDU
Ciphertext MPDU
WEP Decapsulation
Michael
TTAK Key SA + DA + Plaintext MSDU
Reassemble
Key mixing
Plaintext MPDU
WEP Seed
Phase 1 key mixing
TA
Temporal Key
TKIP sequence counter
Unmix IV
In-sequence MPDU
Out-of-sequence MPDU
MIC
MIC ′
MIC = MIC ′?
MPDU with failed WEP ICV
MSDU with failed TKIP MIC
Countermeasures
C o u r t e s y o f I E E E 8 0 2 . 1 1 TGi
52
V 2.10 Copyright SystemExperts 2001,2002,2003 103
Dynamic key management (re-keying)
n 802.1X EAPOL key protocol n This MAY change
n Refresh the temporal and MIC keys sufficiently often to prevent key reuse
n Derive Unicast and Multicast keys
V 2.10 Copyright SystemExperts 2001,2002,2003 104
RSN negotiation procedures
n RSN capable devices identify themselves by asserting Robust Security in Association, Beacon, Probe, and Reassociation messages
n There are four association-specific parameters:n Authentication mechanism
n Unicast cipher suite
n Multicast cipher suite
n nonces
53
V 2.10 Copyright SystemExperts 2001,2002,2003 105
IEEE 802.1X authentication
n Performs authentication in a layer above the IEEE 802.11 MAC layer
n Removes all authentication processing from the IEEE 802.11 MAC
n 802.1X can use any EAP method installed on the client and AAA servern Methods in common use include TLS, Cisco LEAP
(based on MS-CHAPv1), and Funk's Tunneled TTLS (TTLS)
V 2.10 Copyright SystemExperts 2001,2002,2003 106
A bit on EAP
n The Extensible Authentication Protocol (EAP), defined in RFC 2284,
n provides for support of multiple authentication methods
n Originally created for use with PPP
n Inherent weaknesses:n Lack of protection of the user identity or EAP negotiation
n No standardized mechanism for key exchange
n No built-in support for fragmentation and reassembly
n Lack of support for fast reconnect
54
V 2.10 Copyright SystemExperts 2001,2002,2003 107
Common Authentication Methods
n EAP-TLSn Uses a TLS handshake is used to mutually authenticate a
client and server
n EAP-TTLS extends thisn Uses the secure connection established by the TLS
handshake to perform additional authentication, such as another EAP or another authentication protocol such as PAP, CHAP, MS-CHAP or MS-CHAP-V2
n Establish keying material
n PEAPn Similar to EAP-TTLS but only allows EAP for authentication
n Also has key exchange, session resumption, fragmentation and reassembly
V 2.10 Copyright SystemExperts 2001,2002,2003 108
Ethernet
Access Point
Radius Server
A Typical Configuration
EAPOW-Start
EAP-Response/Identity
Radius-Access-Challenge
EAP-Response (credentials)
Access blockedAssociation
Radius-Access-Accept
EAP-Request/Identity
EAP-Request
Radius-Access-Request
Radius-Access-Request
RADIUS
Laptop computer
Wireless
Associate-Request
EAP-Success
Access allowedEAPOW-Key
Associate Response
55
V 2.10 Copyright SystemExperts 2001,2002,2003 109
IEEE 802.1X key management
n Master key hierarchyn If EAP keying is used for the master key hierarchy, the master key
hierarchy will normally reside on the RADIUS server and the supplicant
n Rekeying key hierarchyn Pairwise key hierarchies (key mapping keys, per-STA unicast keys)
n The keys that are used between two entities
n Instantiated in parallel on the two entities using shared information
n The AP is the Pairwise key owner
n Group key hierarchies (Multicast)n Used by all entities in a wireless group
n Instantiated only the AP and sent to the clients
n The AP is the Group key owner
n The per-packet key hierarchyn This may be either for TKIP (using an RC4 encryption engine), or for AES.
V 2.10 Copyright SystemExperts 2001,2002,2003 110
Protocol Negotiation
n Pre-RSNn IEEE 802.11 authentication
n Association
n Legacy WEP (optional)
n With RSNn Association: Negotiates the security parameters
n Notice that in an RSN, IEEE 802.11 authentication is omitted.
n Authentication: Using the agreed upon association mechanism
n This is 802.1X authentication
n Key exchange: Based on the 802.1X EAPOL Rekey protocol
n This will probably change in the future
n Encryption: TKIP or AES
56
V 2.10 Copyright SystemExperts 2001,2002,2003 111
What we have today
n Data privacy mechanismn TKIP (a protocol patching WEP): Non AES-based protocol (long term): No
n Security association managementn RSN negotiation procedures, to establish a
security context: Yesn IEEE 802.1X authentication, replacing IEEE 802.11
authentication: Yesn IEEE 802.1X key management, to provide
cryptographic keys: Yes
n Othern Proprietary/homogeneous methods of accomplishing the same
tasks
V 2.10 Copyright SystemExperts 2001,2002,2003 112
Are you really getting what you think?
n Are you really getting 802.1X?n Several implementations only use the per-STA keys derived in
802.1X to encrypt the default keys sent down to the STA
n Since they don't support key mapping keys (per-STA unicast keys), they use the default key to encrypt traffic going to associated STAs
n Some APs don't even change the default key automatically, to keep it fresh.
n You can lose user passwords not only datan Potentially giving access to facilities other than just the wireless LAN
n So before purchasing an AP that claims to implement 802.1X… ask your vendors:n Do you support 802.1X-based dynamic key mapping keys (per-STA
unicast keys)?n Do you support use of password-based authentication methods that
are invulnerable to dictionary attack? If so, is the specification public and has it been analyzed by the security community?
n Can the AP automatically change the default keys?n What are your plans to support AES-based ciphers? TKIP?
57
V 2.10 Copyright SystemExperts 2001,2002,2003 113
Observations
n This is changing territory!
n Legacy WEP can be a legitimate tool in the security arsenaln View 802.11 networks as an insecure MAC layer,
over which you run secure IP protocols
n Use WEP to protect against casual snoopers, local DoS attacks, and bandwidth theft
n WEP won’t help with stolen equipment and ex-employees
n RSN is the future for WLAN security
V 2.10 Copyright SystemExperts 2001,2002,2003 114
Notes:
58
V 2.10 Copyright SystemExperts 2001,2002,2003 115
Section Contents
n 802.11
n Access Points 101
n Deployment Examples
V 2.10 Copyright SystemExperts 2001,2002,2003 116
Access Points 101
n Access Points (AP) broadcast their service (beacon)n FCC (US) allows 11 channels for Direct Sequence
Spread Spectrum (DSSS)
n in North America and Europe, they start at 2412 MHz (2.412 GHz)
n The spread spectrum for DSSS crosses over several channelsn i.e., channel bandwidth is 22MHz (25MHz is required to
minimize interference) , yet they are spaced at 5MHz
59
V 2.10 Copyright SystemExperts 2001,2002,2003 117
Frequency Overlap
1 6 11
10
9
8
7
5
4
3
2
2400 2500Frequency (US)Channels start at 2414MHz, increase by 5MHz, and have
about a 20MHz range up to 2483.5MHz
V 2.10 Copyright SystemExperts 2001,2002,2003 118
Access Point Usage
n Number of clients supported depends on device “memory” size, aggregation, congestion, noise, quality, etc., etc., etc.n As we’ll see later, the Apple Airport AP (e.g.) has
enough slots to cover about a dozen clients and the Cisco Aironet 340 series, up to 2,048 slots
n Typically connects wireless and wired networksn If not wired, then it is an Extension Point (EP),
i.e., a wireless bridge
60
V 2.10 Copyright SystemExperts 2001,2002,2003 119
Extension Point
Wireless Extension Point
Range
V 2.10 Copyright SystemExperts 2001,2002,2003 120
Access Point Placement
n Roaming can be achieved by having slightly overlapping APs on different channelsn …more on roaming in just a bit
n 2.4Ghz contains 80MHz of spectrumn 25MHz to minimize interference
n Only 3 equivalent-width non-overlapping DSSS channels
61
V 2.10 Copyright SystemExperts 2001,2002,2003 121
Placement (cont.)
V 2.10 Copyright SystemExperts 2001,2002,2003 122
Placement (cont.)
n Developing configurations to maximize roaming and minimize interference is hardn Remember it’s 3 dimensional broadcasts
n Remember it goes through walls!n out to the street, to your neighbor, to your competitor!
62
V 2.10 Copyright SystemExperts 2001,2002,2003 123
Placement, 3 Dimensional
V 2.10 Copyright SystemExperts 2001,2002,2003 124
Capacity and Bandwidth
n Maximum of 11Mbpsn Not really: since the Physical Layer Convergence
Protocol (PLCP) layer is always transmitted at 1Mpbs, 802.11b is only 85% efficient as the physical layer
n Goes down because ofn Distance, barriers, collisions, interference,
congestion, capacity usage
63
V 2.10 Copyright SystemExperts 2001,2002,2003 125
Capacity and Bandwidth (cont.)
n Stays “higher” because ofn Reducing size of coverage areas
n Reducing client-to-AP ratio
n Using aggregationn increasing AP-to-client ratio and using load balancing
V 2.10 Copyright SystemExperts 2001,2002,2003 126
Bandwidth Aggregation
64
V 2.10 Copyright SystemExperts 2001,2002,2003 127
Anatomy of 802.11b
n Looking at some of the guts of the protocol to help us understand:n Modulation determines speed/distance
n What effects the transmission raten other than distance or barriers
n Congestion resolution
n Hidden nodes
n The MAC layer is our friend!
V 2.10 Copyright SystemExperts 2001,2002,2003 128
Anatomy of 802.11b: the bits
n As we said before, data is encoded using DSSSn i.e., The data stream is modulated (XOR’d) with a
sequence called the Barker code (11 bits: 10110111000 – it’s just a really good pattern for generating radio waves) to generate a series of data objects called chips
n These chips are then sent out by the wireless radio (i.e., the wireless card)
65
V 2.10 Copyright SystemExperts 2001,2002,2003 129
Anatomy of 802.11b: the wave
n …then the wireless radio generates a 2.4 GHz wave and modulates it…n 1Mbps is done using Binary Phase Shift Keying
n 2Mbps uses Quadrature Phase Shift Keying (QPSK)
n 5.5 & 11Mbps use Complementary Sequences (vs. Barker code) then uses QPSK
n …so all of these yield a 22 MHz frequency spectrumn Hence, the reason only 3 channels fit without
overlap because there is this ~25MHz range
n Hence, all management packets are sent via BPSK: to ensure they “get there” (they go the furthest!)
V 2.10 Copyright SystemExperts 2001,2002,2003 130
Anatomy of 802.11b: congestion
n Everybody is “broadcasting” this stuff out, where is the traffic cop?n MAC layer “waits” for a quiet time: it’s been idle for
the Inter-Frame Spacing period
n if it’s still busy, wait for this spacing period plus a random number of slot times, and try again
n so each station is keeping track of it’s allocated number of slot times (i.e., they trust each other)
n think about TearDrop and Land DoS
66
V 2.10 Copyright SystemExperts 2001,2002,2003 131
Congestion (cont.)
n Each station listens to the network
n 1st station to finish it’s allocated slot times sends data
n If another station “hears” another station talk, it stops counting down its back-off timer
n In addition to the MAC back-off, 802.11 adds another back-off to ensure fairness
n When in this “contention window” it uses these back-off timers
V 2.10 Copyright SystemExperts 2001,2002,2003 132
Congestion (cont.)
DIFSDIFS Contention WindowFrame Frame
Medium is free for DIFS, so client begins to transmit
Slot time
67
V 2.10 Copyright SystemExperts 2001,2002,2003 133
Anatomy of 802.11b: Hidden Node Problem
n AP P sees A, B, and C, but A and C can’t see each other (see means, the packets don’t reach)n Optional feature of RTS/CTS added to 802.11b
n RTS packet includes target addressn A sends: “This is for B” (C doesn’t see this)
n CTS includes sender addressn B sends: “Go ahead and send it A” (C DOES see this)
n This feature is significant overhead but a very common condition that needs to be accounted for
V 2.10 Copyright SystemExperts 2001,2002,2003 134
Hidden Node Problem
B
C
Hidden node: AP sees A, B, C: A and B don’t see each other
A AP
68
V 2.10 Copyright SystemExperts 2001,2002,2003 135
Hidden Node Problem: Let’s try it again
n 802.11n basically designed for indoor, relatively short
distances, active and long-lived connected clients, and low noise level
n but 802.11 (“wi-fi”) is “winning” in the wireless arena and being increasingly used as well in outdoor, long distant, occasionally connected, potentially high noise level environments
n So what does that mean to hidden nodes?n The key is the need to minimize the amount of
overhead you introduce to manage them
V 2.10 Copyright SystemExperts 2001,2002,2003 136
Finding those Hidden Nodes
n Carrier Sense Multiple Access (CSMA)/ Collision Avoidance (CA)n CSMA – the device listens to the media before
transmitting
n Request To Send (RTS)/ Clear To Send (CTS) –media reservation mechanism
n Polling – adaptive mechanismn Device can not start transmission before receiving a
special acknowledgement packet (a marker) from the AP
n Defend against “sudden” chaosn …like a bunch of systems booting up
69
V 2.10 Copyright SystemExperts 2001,2002,2003 137
Surprising Results
wi th RTS/CTS Pol l ing
What does this mean?In certain circumstances, the method used makes a HUGE difference!
V 2.10 Copyright SystemExperts 2001,2002,2003 138
What Does This Mean?
n Media reservation systems (e.g., RTS/CTS) work “better” in stable environments with expectations of full/long-lived connectivityn e.g., in your office building, point-to-point
connections, small number of nodes
n Adaptive systems (e.g., polling) work “better” in other environmentsn e.g., city (or larger) wide environments
n Remember you’ll tend to have lower speed but much more predictable and controllable
70
V 2.10 Copyright SystemExperts 2001,2002,2003 139
Anatomy of 802.11b: Roaming
n More than 1 AP providing signals to a single clientn The client is responsible for choosing the best AP
n signal strength (#1), signal strength (#2), signal strength (#2), and network utilization (#4)
n When existing signal degrades (to poor), it tries to find another APn either passively listening or actively probing the other
channels and getting a response
n once it finds one, it tries to authenticate and associate
V 2.10 Copyright SystemExperts 2001,2002,2003 140
Roaming (cont.)
Wireless Extension Point
71
V 2.10 Copyright SystemExperts 2001,2002,2003 141
Important Concepts: Strength vs. Quality
n Received Signal Strength n Signal energy at the location of the station
n (i.e., the power level)
n Received Signal Quality n Ability to coherently interpret the signal
n (i.e., the usability level)
V 2.10 Copyright SystemExperts 2001,2002,2003 142
Roaming Activities
n IAPP or Inter Access Point Protocol is intended to standardize roaming features and protocoln Started by Aironet (Cisco), Digital Ocean, and Lucent
n 802.11f is the proposed extension to 802.11
n Wireless Ethernet Compatibility Alliance (WECA) as part of the Wireless ISP Roaming Initiative has published a roadmapn Cisco, IBM, Intel, 3Com, and Microsoft
n “Technical Outline for Wi-Fi Inter-Network Roaming Framework”
72
V 2.10 Copyright SystemExperts 2001,2002,2003 143
IEEE IAPP
n Accomplishes roaming within a subnetn Basically, within a corporate wireless LAN
n 2 transfer protocolsn 1 for single logical LANs
n 1 for crossing router boundaries
n Crossing subnets is a vendor specific solutionn It requires mobile IP software on every client
n Cisco, e.g., is expected to release Mobile IP
V 2.10 Copyright SystemExperts 2001,2002,2003 144
Wi-Fi Inter-Network Roaming Framework
n Assumptionsn Inter-service roaming
n All components are Wi-Fi certified
n No client footprint other than browser
n RADIUS is the protocol for authentication, authorization, and accounting data
n Pagers, cell-phones, WAP-phones, and PDAs will be addressed “later”
73
V 2.10 Copyright SystemExperts 2001,2002,2003 145
Wi-FI Roaming (cont.)
n 802.11bn Boot up with correct SSID
for Wi-Fi network
n Local WISP login screen
n which details charges
n separate window tracks session information
n 802.1xn Boot up
n Prompted with username/password for local WISP
n Windows XP is only 1x implementation available today
V 2.10 Copyright SystemExperts 2001,2002,2003 146
WISPr
WECA is looking to form a set of relationships and network standards between wireless ISP’s that will eventually enableWireless 802.11b roaming between them.
802.11bdevice
802.11bAP
TagClearingHouse
UsersWISPWISP
Wireless user connects. A unique tag identifies users home WISP account
Roam WISP passes this “Tag” & request for service to a clearing house
Clearing house passes info to users WISP
WISP authenticates user and authorizes access. Then bills user and pays roaming WISP
74
V 2.10 Copyright SystemExperts 2001,2002,2003 147
Configuring an Access Point
n How to manage itn HTTP, Telnet, SNMP or Serial Interface
n Security Settingsn SSID, WEP, & EAP
n RADIUS servers and shared key
n MAC layer Filters
n Making it work easily with clientsn DHCP
V 2.10 Copyright SystemExperts 2001,2002,2003 148
Access Point Medicine
n Enable WEP
n Change SSIDn And not just a little
n Disable broadcastn Otherwise, your SSID is
there to see
n Change the password on your AP
n Periodically survey your own site
n Use MAC address filtering
n Reconsider using DHCP
n Consider using fixed IP addresses for your wireless NICs
n Look into other mechanisms (SSL, VPN) for privacy & confidentiality
75
V 2.10 Copyright SystemExperts 2001,2002,2003 149
Notes:
V 2.10 Copyright SystemExperts 2001,2002,2003 150
Notes:
76
V 2.10 Copyright SystemExperts 2001,2002,2003 151
Section Contents
n 802.11
n Access Points 101
n Deployment Examples
V 2.10 Copyright SystemExperts 2001,2002,2003 152
Wireless at Home
n Goalsn Extend network capabilities without physical
alterations and costs – other than wireless
n Share existing resources without specialized or unique (weird) configuration setup
n Allow visitors easy access to the home network resources (e.g., Cable/DSL/ISDN, printers)
n Feel comfortable about the security of the additional wireless services
77
V 2.10 Copyright SystemExperts 2001,2002,2003 153
Home Setup
IDSL
SpeedStream
Cisco340
DHCP DHCP
Ext Fixed 216.27.x.yInt 10 Net
Fixed 10.0.0.2AD, DNSDHCP 10.0.0.3-254 (.7 reserved)
Ninja(DHCP)
DHCP(multi- boot)
DHCP Clients
FirewallDHCP
- 128 bit WEP- No broadcast SSID
- No WEP-Broadcast SSID-Use one of the free 216.27.x.y
Internet
V 2.10 Copyright SystemExperts 2001,2002,2003 154
Wireless at a Conference
n Goalsn Reduce time to setup fully functional temporary
network resources
n Scale down terminal room requirements
n Reduce effort and cost to provide Internet access to tutorial instructors and their students
n Allow attendees ubiquitous access to the Internet within a reasonable distance to the conference center
78
V 2.10 Copyright SystemExperts 2001,2002,2003 155
Conference Setup: USENIX
Courtesy of Lynda McGinley
Wireless HUB
OpenBSD Firewall (ipfw)DHCP Server
Wireless Extension Point
Wireless Extension Point
Internet
Wireless Extension Point
V 2.10 Copyright SystemExperts 2001,2002,2003 156
Industry Setup: Ariba
n Goalsn Increase efficiency of people in meetings
n Readily available communications: Instant Messenger
n 802.11b supportn wanted the speed that this standard brings to the table
n Standard design
n Speed and Rangen designers had experience with other wireless networks
n Cost
n Only deployed at headquartersn It has met expectations
79
V 2.10 Copyright SystemExperts 2001,2002,2003 157
Industry Setup: Ariba
HUB(s)
AP-1000(s)With Range Extender(s)
Ariba Corporate Network
Wireless VLAN
V 2.10 Copyright SystemExperts 2001,2002,2003 158
CyberCafe
n Typically an Open AP
n Use a captive portal to allow access
n Somewhat costly
n Starbucks is one of the firstn Use MobileStar as their ISP
n Watch for Neighborhood Area Networks (likely) coming to a place near you soon
80
V 2.10 Copyright SystemExperts 2001,2002,2003 159
CyberCafe Setup
HUB
Captive Portal(DHCP, Filtering, Accounting, etc.)
Wireless HUB
Internet
V 2.10 Copyright SystemExperts 2001,2002,2003 160
Architectural Considerations
n Need to have a defined goal
n Segregate the wireless infrastructuren Isolated sub-network/DMZ
n Use appropriate data protection mechanismsn VPNs
n SSL
n SSH
n etc.
n WEP is good forn Protecting against casual snoopers and
bandwidth theft
81
V 2.10 Copyright SystemExperts 2001,2002,2003 161
Notes:
V 2.10 Copyright SystemExperts 2001,2002,2003 162
Notes:
82
V 2.10 Copyright SystemExperts 2001,2002,2003 163
Where are We?
n From 50,000’ to 5’
n Handheld Practicals
n LAN Practicals
n *NIX and Wireless
n Currents
n Antennas
V 2.10 Copyright SystemExperts 2001,2002,2003 164
Linux Wireless RF Sniffer
n Most of the existing sniffer renditions use cards based on the prism II chipset from Intersiln With either prismdump or patched Libpcap
n …and Ethereal
n AirSnort and WEPCrack both use these
n Some more popular Prism II cards include the following:n D-Link DWL-650
n Linksys WPC11
n SMC 2632W
n Zoom Telephonics ZoomAir 4100
83
V 2.10 Copyright SystemExperts 2001,2002,2003 165
Linux Sniffer: How-To
Directions at Tim Newsham’s site
http://www.lava.net/~newsham/wlan
n Get an SMC2632W wireless card
n Get a wlan-ng driver with RF monitoring coden Get linux-wlan-ng-0.1.8-pre13 and apply wlan-monitor.patch
n Or linux-wlan-ng-0.1.6.tar.gz
n Get ethereal-0.8.17n Apply patches from wlan-mods.tgz
n Get Libpcap-0.6.2 or Prismdumpn Apply LibPcap patches from wlan-mods.tgz
V 2.10 Copyright SystemExperts 2001,2002,2003 166
How-To (cont.)
n Compile them up and install them
n Start the monitorn wlanctl-ng wlan0 lnxreq_wlansniff
channel=<pickone> enable=true
n ORn Get RedHat 7.2 (or greater)
n Latest Libpcap and Ethereal
n And a Cisco card
n Fire it up! ☺
84
V 2.10 Copyright SystemExperts 2001,2002,2003 167
Sniffer Observations
n It works! Its Linux! Its free!
n Only one channel at a time Ln You can write a script to change that ☺
n You have to type “prism” as the interface for ethereal if you use LibPcap
V 2.10 Copyright SystemExperts 2001,2002,2003 168
AirSnort
n Need wlan-ng and Newsham’s patches
n You run prismdump to capture packets to a file …
n Run AirSnort on that file (real-time) to attempt cracking
n So after starting the monitor mode …n prismdump > WEPCapture
n capture –c WEPCapture
n "Interesting Packets”: ~1500 for 104-bit and 575 for 40-bit
n crack (at intervals)
n airsnort.sourceforge.net(also wepcrack.sourceforge.net)
85
V 2.10 Copyright SystemExperts 2001,2002,2003 169
Home Spun Access Point
n What is itn A system that gateways between the wireless and
wired networksn a.k.a. Wireless Gateway
n Implements IBSS (Ad-hoc) or BSS modes
n Typically provides DHCP and firewall/NAT services
n May provide authentication and authorization
n Usually some flavor of Unix (Linux or FreeBSD)
n What does it entailn Get the equipment
n Install the software
n Tweak a bit
V 2.10 Copyright SystemExperts 2001,2002,2003 170
Building your own AP
Condensed f rom ht tp: / /www.orei l lynet .com/pub/a/wireless/2001/03/06/recipe.html
n Equipmentn PC, wireless card, ISA-to-PCMCIA adapter, and a NIC
n Operating System: Unix-like n Clients can be anything that can do Ad-Hoc
n Install the PCMCIA adapter in the gateway and insert the wireless card
n Build and install the new kerneln Don't forget to edit /etc/lilo.conf and then run /sbin/lilo
n Install the pcmcia-cs packagen Configure wireless and NIC IP options
n Install and configure DHCP (if desired)
86
V 2.10 Copyright SystemExperts 2001,2002,2003 171
Directions (cont.)
n Harden the rest of the system (read: TURN OFF ALL UNUSED SERVICES)n Keep the PCMCIA, firewall, and DHCP services
running
n Reboot and see what you broke ☺n Probably should reboot before the firewall and
DHCP install/configure
n Setup clients
V 2.10 Copyright SystemExperts 2001,2002,2003 172
My Problems
n Trouble getting DHCP working correctly on the wireless net
n Setting up firewall rules n Getting ipchains to actually pass traffic through
double NATn wireless gateway and my firewall
n could do HTTP but not SMB
n Links would drop every so often
n It worked, but not painlessly using 2.2.xn Once I went to 2.4.x and iptables it worked for me
n no DHCP though L
87
V 2.10 Copyright SystemExperts 2001,2002,2003 173
My Observations
n Functionality is limited in some instancesn IBSS only
n WLAN-NG supposedly supports BSS, I never got it to work
n Functionality is enhanced in othersn Firewall and potential authentication/authorization hub
n If education and experience is what you want, then this is the way to go
n If a up and running or many-client is what you want, then buy an APn Especially for people with limited time and/or experience
V 2.10 Copyright SystemExperts 2001,2002,2003 174
Wireless Firewall Gateway (WFG) by NASA
http://www. n a s.nasa.gov/Groups/Networks/Projects /Wireless/
n Design Objectives n A method to authenticate/identify a user
n Simplicity
n What it doesn Acts as a router between a wireless and external network with
the ability to dynamically change firewall filters as users authenticate
n Acts as a DHCP server,hosts the user authentication site, and maintains accounting records
n Purposen To keep the wireless network as user-friendly as possible
while maintaining some level of security for everyone
88
V 2.10 Copyright SystemExperts 2001,2002,2003 175
OpenAP
n OpenAP http://opensource.instant802.com/n Open-source softwaren Fully 802.11b compliant wireless access point
n Has the ability to:n Do multipoint to multipoint wireless bridging, while simultaneously
serving 802.11b stations (i.e. and AP)
n Runs on Eumitcom WL11000SA-N board based AP’sn US Robotics (USR 2450) (tested) n SMC 2652W EZconnect Wireless AP (tested)
n Why use it?n You have the sourcen It is customizablen It can do anything that Linux can do
V 2.10 Copyright SystemExperts 2001,2002,2003 176
How Does it Work?
n The basic recipe is this: n Get the hardware
n Create a programming image
n Write the image to a PCMCIA SRAM card
n Open the access point and insert the SRAM card in place of the 802.11 PCMCIA card
n Power on the AP
n Short a jumper to boot from the SRAM card and reprogram the onboard flash
n Watch what happens on the serial port
n Replace the 802.11 card
n You are done
n Now it can be upgraded over the network
89
V 2.10 Copyright SystemExperts 2001,2002,2003 177
Notes:
V 2.10 Copyright SystemExperts 2001,2002,2003 178
Notes:
90
V 2.10 Copyright SystemExperts 2001,2002,2003 179
Where are We?
n From 50,000’ to 5’
n Handheld Practicals
n LAN Practicals
n *NIX and Wireless
n Currents
n Antennas
V 2.10 Copyright SystemExperts 2001,2002,2003 180
IEEE 802.11a
n Next generation High speed WLANn Speeds 6, 9,12,18, 24, 36, 48, & 54 Mbps
n Uses 5 GHz Unlicensed National Information Infrastructure (U-NII) bandn U-NII devices will provide short-range, fixed, point-to-point,
high-speed wireless digital communications on an unlicensed basis
n Uses Orthogonal Frequency Division Multiplexing (OFDM)
n Different chip set than 802.11b, so no upgradesn Can co-exist, as they are on different spectrums
91
V 2.10 Copyright SystemExperts 2001,2002,2003 181
802.11a Spectrum
n 3 primary non-contiguous bandsn 100MHz each band with power restrictions
n split into 20MHz channels
n 5.15-5.25 GHz: Indoor, short-range
n 5.25-5.35 GHz: Indoor or outdoor, medium range(campus-type networks)
n 5.725-5.825 GHz: Outdoor, long-range (several km)
1 W5 . 7 2 5 -5 . 8 2 5
2 0 0 m W2 0 0 m W2 0 0 m W2 5 0 m W5 . 2 5 0 -5 . 3 5 0
2 0 0 m W2 0 0 m W2 0 0 m W2 0 0 m W5 0 m W5 . 1 5 0 -5 . 2 5 0
JapanSpainFranceEuropeUSA/
Canada
Band
V 2.10 Copyright SystemExperts 2001,2002,2003 182
802.11a Spectrum (cont.)
n 12 non-overlapping simultaneously operating networks
n 4 channels in each band
n OFDM the splits each channel into 52 sub-channels
92
V 2.10 Copyright SystemExperts 2001,2002,2003 183
802.11 Spectrum Comparison
DSSS (CS, QPSK, BPSK)
OFDMOFDMModulation
1,2,5.5,11 MbpsUnder development
Up to 54 Mbps
6,9,12,18,24,36,48,54 Mbps
Data Rate Per Channel
34*12Non-Overlapping Channels
83.5MHz83.5MHz300MHzAvailable Bandwidth
2.4-2.4835GHz2.4-2.4835GHz5.15-5.35GHz, 5.725-5.825GHz
Frequency
802.11b802.11g802.11a
IEEE is discussing the feasibility of adding additional channel
V 2.10 Copyright SystemExperts 2001,2002,2003 184
802.11a Data Points
n OFDM is a *much* more sophisticated modulation than CS/CCK, QPSK, and BPSK used in 802.11bn OFDM is GREAT in indoor (i.e., in moderate to high multipath)
environments
n Because it does not have to use carriers where high interference
is present
n The lowest rate for 802.11a is 6Mbpsn If you're getting through at all, you're running faster than 11b's
5.5Mbps
n The noise floor in 5GHz is lower than it is in 2.4GHz n The "cleaner spectrum" argument will be true for a while
93
V 2.10 Copyright SystemExperts 2001,2002,2003 185
802.11a Data Points
n Outdoors, it is true that the free space loss at 2.4 is much less than at 5GHzn But part 15.407 rules allow the same tx power as
15.247 (1W), but in 5GHz, you're allowed essentially *unlimited* antenna gain for point-to-point applications, vs. 6dBi of gain @ 1W of txpower in 2.4GHz
V 2.10 Copyright SystemExperts 2001,2002,2003 186
802.11a Office environment
n Office Environment (for a given range)n Similar range as 802.11b
n 2-5X the data link raten 36 Mbps vs 11Mbps @ 65ft*
n 6Mbps vs 2Mbps @ 225ft*
n 2-4X the throughput of 802.11b
n 21Mbps vs 5.1Mbps @ 65ft*
n 5.2Mbps vs 1.6Mbps @ 225ft*
n More available non-overlapping channels, so higher capacityn 8X for an 8 cell deployment*
* From Athe ros tests
94
V 2.10 Copyright SystemExperts 2001,2002,2003 187
802.11a Office environment
n Deployment optionsn For the same throughput, you may need less AP’s
n For same # AP’s, more throughput
V 2.10 Copyright SystemExperts 2001,2002,2003 188
802.11a Problems
n Use of 5 GHz band will cause contention in different parts of the worldn Remember the problems with spectrums in
handhelds
n Coverage will costn Equipment will be more expensive for a while
n Power consumption is the big questionn Mobilian vs Atheros
95
V 2.10 Copyright SystemExperts 2001,2002,2003 189
Wireless Security Tools
n Auditingn NetStumbler and MiniStumbler (handheld PC)
n http://www.netstumbler.com/
n MacStumbler (uh, Mac NetStumbler)n http://homepage.mac.com/macstumbler/
n AP Scanner (another Mac NetStumbler-like)
n http://www.wireless.org.au/wiki/?Apple
n bsd-airtools (NetBSD, OpenBSD, FreeBSDn http://www.dachb0den.com/projects/bsd-airtools.html
V 2.10 Copyright SystemExperts 2001,2002,2003 190
Wireless Security Tools (cont.)
n Sniffersn Network Sniffer > $10,000
n http://www.sniffer.com/products/wireless/
n AiroPeek – packet analyzer $1,500 - $2,000n http://www.wildpackets.com/products/airopeek
n Kismet
n http://www.kismetwireless.net/
n SSIDSniffn http://www.bastard.net/~kos/wifi/
96
V 2.10 Copyright SystemExperts 2001,2002,2003 191
Wireless Security Tools
n Special Purposen WEPCrack – ok,cracks WEP keys
n http://wepcrack.sourceforge.net/
n AirSnort – recovers encryption keysn http://airsnort.shmoo.com/
n Fake AP – generates thousands of counterfeit 802.11b access pointsn http://www.blackalchemy.to/Projects/fakeap/fake-ap.html
see http://www.networkintrusion.co.uk/wireless.htm for a list of many other wireless security tools
V 2.10 Copyright SystemExperts 2001,2002,2003 192
Notes:
97
V 2.10 Copyright SystemExperts 2001,2002,2003 193
Where are We?
n From 50,000’ to 5’
n Handheld Practicals
n LAN Practicals
n *NIX and Wireless
n Currents
n Antennas
V 2.10 Copyright SystemExperts 2001,2002,2003 194
Antennas: The Skinny
n 2.4 GHz ISM Bandn You don’t need a license to operate a transmitter…
n …But you MUST be prepared to accept interference from other other users/devices
n Good antenna deployment…n May be one of the best security measures you can
implementn reduce stray RF signals
n less susceptible to interference
n better control who can have access to the AP RF
98
V 2.10 Copyright SystemExperts 2001,2002,2003 195
Antennas: Basics
n A radiation pattern is a diagram that allows us to visualize in what directions the energy will radiate from an antennan If an antenna radiates in all directions equally we
say it is an “isotropic radiator”
n The radiation pattern is split into two perpendicular planes called Azimuth and Elevation
n When RF energy is concentrated, it means the antenna has “gain” over a portion of the radiator
n gain is measured in decibels and written dBi
V 2.10 Copyright SystemExperts 2001,2002,2003 196
Antennas: Basics (cont.)
n Gaining coverage is achieved thru gain, which again, is measured in decibels dB
n Calculation rangen Indoors, each 1 dB increase in gain results in a
range increase of 2.5%: outdoors it’s 5%
n Positioningn Normally should be mounted as high and as clear
as obstructions as possible
n Best performance is when the transmitting and receiving antenna are at the same height and in direct line of site
99
V 2.10 Copyright SystemExperts 2001,2002,2003 197
Antennas: Basics (cont.)
n Multipath distortionn Occurs when an RF signal has more than one path
between a receiver and a transmitter
n These multiple signals combine in the RX antenna and receiver to cause distortion of the signal
n Changing the type of antenna, and location of the antenna can eliminate multipath interference
V 2.10 Copyright SystemExperts 2001,2002,2003 198
Antennas: Basics (cont.)
n Basic antenna typesn Omni-directional
n di-pole
n Directionaln yagi, patch, parabolic
100
V 2.10 Copyright SystemExperts 2001,2002,2003 199
Antennas: Dipole
n Most common antenna and the default type on most APsn Usually a 1-inch radiating element
n Note: the higher the frequency, the smaller the antenna and the wavelength become
n Radiation patternn “Donut” like
n Radiates in equally in all directions around its axis but NOT along the length of the wiren also called omnidirectional
V 2.10 Copyright SystemExperts 2001,2002,2003 200
Dipole Radiation
101
V 2.10 Copyright SystemExperts 2001,2002,2003 201
Antennas: PCMCIA Cards
n Their terrible, awful, did I mention yuck?
n It’s hard to form antennas onto the card
n The effective gain is low
n They tend to be VERY directional
n These are some of the reasons that your signal strength can change dramatically with small changesn Tip your laptop sideways and you’ll see
n The Apple is an exception
n on the iBook the antenna connector runs up the LCD panel
n on Powerbooks there is an antenna port on each side!
n Attaching external antennas (and orienting it) makes a really big difference
n Therefore, buy cards that take an external antenna
V 2.10 Copyright SystemExperts 2001,2002,2003 202
Typical PCMCIA Radiation
102
V 2.10 Copyright SystemExperts 2001,2002,2003 203
Antennas: Examples
n Ceiling mount omni directional
Vertical radiation pattern
V 2.10 Copyright SystemExperts 2001,2002,2003 204
Antennas: Examples
n Ceiling mount patch
Vertical radiation pattern
103
V 2.10 Copyright SystemExperts 2001,2002,2003 205
Antennas: Directional
n Directional antenna concentrate their energy into a conen Known as a beam
n Radiation patternn It depends on what kind of directional antenna you
have
V 2.10 Copyright SystemExperts 2001,2002,2003 206
Directional Radiation: Biquad
104
V 2.10 Copyright SystemExperts 2001,2002,2003 207
Antennas: Examples (cont.)
n Pillar mount omni directional
Vertical radiation pattern
V 2.10 Copyright SystemExperts 2001,2002,2003 208
Antennas: Examples (cont.)
n Yagi
Vertical radiation pattern
Horizontal radiation pattern
105
V 2.10 Copyright SystemExperts 2001,2002,2003 209
Antennas: Examples (cont.)
n Parabolicn Remember: parabolic dishes have a very narrow RF
energy path and the installer must be accurate in aiming these at each other
Vertical radiation pattern
V 2.10 Copyright SystemExperts 2001,2002,2003 210
Antennas: More Facts
n Constant trade-off of range and throughputn Remember that the “low” speed of 1 Mbps is slightly
slower than a T1 connection (1.544 Mbps)
n Remember that the top speed of 11 Mbps is only over the air: the Ethernet it’s connected to is 10 Mbps and then you have contention, etc.
n Current client cards have only 1 radio in themn that means half-duplex (they can’t listen and talk at the
same time)
106
V 2.10 Copyright SystemExperts 2001,2002,2003 211
Just About Done
n Review actions and decision to consider for dealing with the 802.11 wireless environment
n Review end-matter in course materialsn self review, references, mailing lists, glossary,
changing/updating Apple airport AP, building your own AP, miscellaneous
n Our tutorial on-linen http://www.systemexperts.com/tutors/wireless.pdf
V 2.10 Copyright SystemExperts 2001,2002,2003 212
What To Do?
n Baseline assessmentn Conduct a survey to find and characterize each
Access Point
n Update policiesn Update your security policies to specifically address
wireless
n Find and use best practicesn e.g., Prepare a brief (2 to 4 pages) document
describing required configuration changes that must be made before an Access Point can be attached to the Corporate Network
107
V 2.10 Copyright SystemExperts 2001,2002,2003 213
What To Do? (cont.)
n Immediate actionsn Use WEP to encrypt the data while it is in transit
n Change the default SNMP community strings (passwords)
n Change the default Access Point Service Set ID (SSID, a.k.a. Network Name)
n Disable the broadcast SSID feature on your Access Point
n Change the default password for administrative access to your Access Point
V 2.10 Copyright SystemExperts 2001,2002,2003 214
What To Do? (cont.)
n Configuration and deployment actionsn Consider the use of MAC level (Ethernet) address filtering to
limit which clients your Access Point will “pay attention” to
n Consider placing the Access Point in your DMZ (as opposed to being attached directly to your internal networks) and in front of a firewall
n Consider configuring the Access Point so that it won’t respond to “probe-response” requests
n Consider whether or not your Access Point should offer DHCP for new clients
n Development actionsn Look into some type of end-to-end security solution for
sensitive data
n Integrate your wireless environment with your (hopefully existing) intrusion detection mechanism
108
V 2.10 Copyright SystemExperts 2001,2002,2003 215
What To Do? (cont.)
n Antenna actionsn Survey your site to understand how far your Access
Points are actually broadcasting their signals
n To restrict the signal, you may need to change the placement of the Access Points or to consider the use of more specialized (directional) antennas
n To restrict the strength of the signal, if the manufacturer of your Access Point allows it, you may want to reduce the power of your antenna
V 2.10 Copyright SystemExperts 2001,2002,2003 216
The End
n Thank you for attending!
n Thank you for your comments!
n Please fill out the Instructor Evaluation Form!!
n www.SystemExperts.com/tutors/wirelessip.pdf
109
V 2.10 Copyright SystemExperts 2001,2002,2003 217
Notes:
V 2.10 Copyright SystemExperts 2001,2002,2003 218
Notes:
110
V 2.10 Copyright SystemExperts 2001,2002,2003 219
Self Review
n Why is it basically impossible to get full 2, 5.5, or 11 Mbps?
n What’s the common management interface to ALL APs?
n What’s the difference between AP aggregation and AP DoS?
n What are the security implications of broadcast SSID?
n What is the problem with MAC based ACL security?
V 2.10 Copyright SystemExperts 2001,2002,2003 220
Self Review (cont.)
n What are the security implications of shared keys?
n How easy/difficult it is to exploit WEP vulnerabilities?n Name one!
n What is the Gap in WAP?
n What are the roaming limitations with using a home spun AP?
n What is the ratio of 802.11a to 802.11b APs for constant power and throughput?
111
V 2.10 Copyright SystemExperts 2001,2002,2003 221
Thanks to …
n David Lounsburyn Vice President of Research for
The Open Group
n Lynda McGinleyn University of Colorado
n Coordinator or USENIX wireless services
n Richard Rothschildn Director Ariba Network Operations for Ariba
V 2.10 Copyright SystemExperts 2001,2002,2003 222
References
n Access Pointsn www.cisco.com/warp/public/cc/pd/witc/ao340ap/
n www.apple.com/airport/specs.html
n www.wavelan.com/template.html?section=m58&page=103&envelope=94
n www.3com.com/products/proddatasheet/datasheet/3CRWE74796B.pdf
n Cell Phone Internet Servicesn www.sprintpcs.com/wireless
n www.verizonwireless.com
n www.attws.com/personal/explore/pocketnet
n www.nextel.com/phone_services/wirelessweb
112
V 2.10 Copyright SystemExperts 2001,2002,2003 223
References (cont.)
n Securityn www.datafellows.com/products/white-
papers/sec_wap_env.pdf
n www.tml.hut.fi/Opinnot/Tik-110.501/1997/wireless_lan.html
n http://securingwireless.intranets.com
n Sniffingn www.sniffer.com/products/wireless/
n www.robertgraham.com/pubs/sniffing-faq.html
n www.wildpackets.com/products/airopeek
V 2.10 Copyright SystemExperts 2001,2002,2003 224
References (cont.)
n Reference materialn www.cmu.edu/computing/wireless/index.html
n www.teleport.com/~samc/psuwireless/
n www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.drivers.html
n www.proxim.com/wireless/glossary/index.shtml
n www.motorola.com/SPS/WIRELESS/information/glossary.html
n www.wireless-online.com/glossary.htm
n www.zdnet.com/pcmag/stories/reviews/0,6755,2603595,00.html
n http://allnetdevices.com/faq/
n www.wapforum.org/
n www.ntia.doc.gov/osmhome/allochrt.html (Frequency Map)
113
V 2.10 Copyright SystemExperts 2001,2002,2003 225
References (cont.)
n Seminal 802.11 Security Pressn The Isaac project at UC Berkeley
n Integrity checking mechanism, and Use of Initialization Vector (IV) in RC4 algorithm
n http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
n Wireless Ethernet Compatibility Alliance (WECA) response to the UC Berkeley papern http://www.wi-fi.net/pdf/Wi-FiWEPSecurity.pdf
n University of Maryland paper “Your 802.11 Wireless Network has No Clothes”n Shared Key to derive WEP key, MAC authentication
n http://www.cs.umd.edu/~waa/wireless.pdf
n RC4 Key Scheduling
n http://www.crypto.com/papers/others/rc4_ksaproc.ps
n Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
V 2.10 Copyright SystemExperts 2001,2002,2003 226
Wireless Stuff
n Wireless performance articlen www.networkcomputing.com/1113/1113f2full.html
n IEEE 802.11 page n www.ieee802.org/11/
n 802.11b Primer n www.personaltelco.net/download/802.11b-
primer.pdf
114
V 2.10 Copyright SystemExperts 2001,2002,2003 227
Mailing Lists
n Bay Area Wireless Users Groupn http://lists.bawug.org/mailman/listinfo/wireless/
NOTE: This is THE list to watch!
n Aironetn http://csl.cse.ucsc.edu/mailman/listinfo/aironet
n O’Reillyn http://oreilly.wirelessdevnet.com/
V 2.10 Copyright SystemExperts 2001,2002,2003 228
Glossary
3G (third generation) An industry term used to describe the next, still-to-come generation of wireless applications. It represents a move from circuit-switched communications (where a device user has to dial in to a network) to broadband, high-speed, packet-based wireless networks (which are always "on"). The first generation of wireless communications relied on analog technology, followed by digital wireless communications. The third generation expands the digital premise by bringing high-speed connections and increasing reliability.
802.11 A family of wireless specifications developed by a working group of The Institute of Electrical and Electronics Engineers. These specifications are used to manage packet traffi c over a network and ensure that packets do not collide—which could result in loss of data—while traveling from their point of origin to their destination (that is, from device to device).
AMPS (advanced mobile phone service) A term used for analog technologies, the first generation of wireless technologies.Analog Radio signals that are converted into a format that allows them to carry data. While cellular phones and other wireless
devices still use analog in geographic areas where there is little or no coverage by digital networks, analog will eventually give way to faster digital networks, analysts say.
AP (Access Point) A base station in a wireless LAN. Access points are typically standalone devices that plug into an Ethernet hub or server. Like a cellular phone system, users can roam around with their mobile devices and be handed off from one access point to the other.
BlackBerry Two-way wireless device, made by Waterloo, Ontario-based Research in Motion, that allows users to check e-mail and voice mail (translated into text), as well as page other users via a wireless network service. Also known as a RIM device, it has a miniature qwerty keyboard for users to type their messages. It uses the SMS protocol. BlackBerry users must subscribe to a wireless service that allows for data transmission.
Bluetooth A short-range wireless specification that allows for radio connections between devices within a 30-foot range of each other.
CDMA (code division multiple access) U.S. wireless carriers, such as Sprint PCS and Verizon, use CDMA to allocate bandwidth for users of digital wireless devices. CDMA distinguishes between multiple transmissions carried simultaneously on a single wireless signal. It carries the transmissions on that signal, freeing network room for the wireless carrier and providing interference-free calls for the user. Several versions of the standard are still under development. CDMA promises to open up network capacity for wireless carriers and improve the quality of wireless messages and users' access to the wireless airwaves. It's an alternative to GSM, which is popular in Europe and Asia.
115
V 2.10 Copyright SystemExperts 2001,2002,2003 229
Glossary (cont.)
CDPD (cellular digital packet data) Telecommunications companies can use CDPD to transfer data on unused cellular networks to users. If one section, or "cell," of the network is overtaxed, CDPD automatically allows for the reallocation of resources.
COFDM (Coded Orthogonal Frequency Division Multiplexing) The same as OFDM except that forward error correction is applied to the signal before transmission. This is to overcome errors in the transmission due to lost carriers from frequency selective fading, channel noise and other propagation effects. For the discussion of terms OFDM and COFDM are used interchangeably
Cellular Technology that sends analog or digital transmissions from transmitters that have areas of coverage called cells. As a user of a cellular phone moves between transmitters from one cel l to another, the user's call travels from transmitter to transmitter uninterrupted.
Circuit switched Used by wireless carriers, this method lets a user connect to a network or the Internet by dialing in, such as with a traditional phone line. It's a dial-in Internet service provider for wireless device users. Circuit-switched connections can be slow and unreliable compared with packet-switched networks, but for now circuit-switched networks are the primary method of Internet and network access for wireless users in the United States.
Dual-band mobile phonePhones that support both analog and digital technologies by picking up analog signals when digital signals fade. Most mobile phones are not dual-band.
Extensible Authentication Protocol (EAP) An extens ion to PPP, tha t provides a s tandard suppor t mechanism for au then t i ca t ion schemes such as token ca rds , Kerbe ros , Pub l i c Key , and S/Key.
EDGE (enhanced data GSM environment) A faster version of the GSM standard. It is faster than GSM because it can carry messages using broadband networks that employ more bandwidth than standard GSM networks.
FDMA (frequency division multiple access) An analog standard that lets multiple users access a group of radio frequency bands and eliminates interference of message traffic.
Frequency hopping spread spectrum A method by which a carrier spreads out packets of information (voice or data) over different frequencies. For example, a phone call is carried on several different frequencies so that when one frequency is lost another picks up the call without breaking the connection.
GPS (Global Positioning System) A series of 24 geo-synchronous satellites that continually transmit their position. GPS is used in personal tracking, navigation, and automatic vehicle location technologies.
V 2.10 Copyright SystemExperts 2001,2002,2003 230
Glossary (cont.)
GPRS (general packet radio service) A technology that sends packets of data across a wireless network at speeds of up to 114Kbps. It is a step up from the circuit-switched method; wireless users do not have to dial in to networks to download information. With GPRS, wireless devices are always on—they can receive and send information without dial-ins. GPRS is designed to work with GSM.
GSM (global system for mobile communications) A standard for how data is coded and transferred through the wireless spectrum. The European wireless standard also used in Asia, GSM is an alternative to CDMA. GSM digitizes and compresses data and sends it down a channel with two other streams of user data. The standard is based on time division multiple access.
HDML (handheld device markup language) It uses hypertext transfer protocol (HTTP, the underlying protocol for the Web) to allow for the display of text versions of webpages on wireless devices. Unlike wireless markup language, HDML is not based on XML. HDML also does not allow developers to use scripts, while WML employs its own version of JavaScript. Phone.com, now part of Openwave Systems, developed HDML and offers it free of charge. Website developers using HDML must recode their webpages in this language to tailor them for the smaller screens of handhelds.
iDEN (Integrated Digital Enhanced Network) A Motorola-enhanced mobile radio network technology that integrates two-way radio, telephone, text messaging, and data transmission into a single network.
I-Mode A wildly popular service in Japan for transferring packet-based data to handheld devices. I-Mode is based on a compact version of HTML and does not use WAP, setting it apart from other widely used transmission method.
Industrial, Scientific, and Medical (ISM) An unlicensed Radio Frequency spectrum used primarily for industrial, scientific, medical, domestic or similar purposes, excluding applications in the field of telecommunications These bands support spread spectrum operation on a non-interference unlicensed basis. Operation in this band is authorized under FCC Rule Part 15.247. Spread spectrum systems share these bands on a non-interference basis with systems supporting critical government requirements, secondary only to ISM equipment operated under the provisions of Part 18. Many of these government systems are airborne radiolocation systems that emit a high ERP, which can cause interference to other users.
Multipath Effect The effect that occurs when a transmitted signal is reflected from objects resulting in multiple copies of a given transmission arriving at the receiver at different moments in time. Thus the receiver receives multiple copies of the same signal with many different signal strengths or powers.
OFDM (Orthogonal Frequency Division Multiplexing) A multi-carrier transmission technique, which divides the available spectrum into many carriers, each one being modulated by a low rate data stream. This is the basis for ADSL as well
PCS (personal communications services) An alternative to cellular, PCS works like cellular technology because it sends calls from transmitter to transmitter as a caller moves. But PCS uses its own network, not a cellular network, and offers fewer "blind spots"—areas in which access to calls is not available—than cellular. PCS transmitters are generally closer together than their cellular counterparts.
116
V 2.10 Copyright SystemExperts 2001,2002,2003 231
Glossary (cont.)
PDA (personal digital assistant) Mobile, handheld devices—such as the Palm series and Handspring Visors—that give users access to text-based information. Users can synchronize their PDAs with a PC or network; some models support wireless communication to retrieve and send e-mail and get information from the Web.
Physical Layer Convergence Protocol (PLCP) A pro tocol spec i f ied wi th in the Transmiss ion Convergence layer that specif ies exact ly how cel ls are format ted wi thin a data s t ream for a par t icu lar type of t ransmiss ion fac i l i ty .
Physical Medium Dependent (PMD) Performs wireless encodingSatellite phone Phones that connect callers via satellite. The idea behind a satellite phone is to give users a worldwide
alternative to sometimes unreliable digital and analog connections. Service Set Identifier (SSID) An identifier attached to packets sent over the WLAN that functions as a "password" for joining
a particular radio network (BSS). All radios and access points within the same BSS must use the same SSID, or their packets will be ignored
SMS (short messaging service) A service through which users can send text-based messages from one device to another. The message—up to 160 characters—appears on the screen of the receiving device. SMS works with GSM networks.
Symbol A term for the information contained in a message. I can be though of as a discrete block of digital information.TDMA (time division multiple access) This protocol allows large numbers of users to access one radio frequency by
allocating time slots for use to multiple voice or data calls. TDMA breaks down data transmission, such as a phone conversation, into fragments and transmits each fragment in a short burst, assigning each fragment a time slot. With a cell phone, the caller would not detect this fragmentation. Whereas CDMA (which is used more frequently in the United States) breaks down calls on a signal by codes, TDMA breaks them down by time. The result in both cases: increased network capacity for the wireless carrier and a lack of interference for the caller. TDMA works with GSM and digital cellular services.
WAP (wireless application protocol) WAP is a set of protocols that lets users of mobile phones and other digital wireless devices access Internet content, check voice mail and e-mail, receive text of faxes and conduct transactions. WAP works with multiple standards, including CDMA and GSM. Not all mobile devices support WAP.
WASP (wireless application service provider) These vendors provide hosted wireless applications so that companies will not have to build their own sophisticated wireless infrastructures.
V 2.10 Copyright SystemExperts 2001,2002,2003 232
Glossary (cont.)
WCDMA (wideband CDMA) A third-generation wireless technology under development that allows forhigh-speed, high-quality data transmission. Derived from CDMA, WCDMA digitizes and transmits wireless data over a broad range of frequencies. It requires more bandwidth than CDMA but offers faster transmission because it optimizes the use of multiple wireless signals—not just one, as with CDMA.
Wireless LAN (WLAN) It uses radio frequency technology to transmit network messages through the air for relatively short distances, like across an office building or college campus. A wireless LAN can serve as a replacement for or extension to a wired LAN.
Wireless spectrum A band of frequencies where wireless signals travel carrying voice and data information. Wireless carriers are bidding at Federal Communications Commission auctions on slivers of airwaves through which they will ultimately be able to send third-generation communications. The auctions, which began in December 2000 in the United States and already occurred in several European nations, will give providers access to new pieces of the spectrum that will allow them to move to third-generation services. More auctions relevant to 3G communications are on tap.
WISP (wireless Internet service provider) A vendor that specializes in providing wireless Internet access.WML (wireless markup language) A version of HDML, WML is based on XML and will run with its own
version of JavaScript. Wireless application developers use WML to repurpose content for wireless devices.
117
V 2.10 Copyright SystemExperts 2001,2002,2003 233
Floppy based Wireless Gateway
n Same basic hardware requirementsn System, ISA-PCMCIA, NIC, Wireless card
n NIC cards are much more sensitiven Trinux experience helps when adding modules
n http://nocat.net/ezwrp.html
n My Problemsn Got it up quickly
n Problems with DHCP
n Never got it passing traffic
n Unclear how to manage firewall rules
Philip CoxConsultant
[email protected] direct
530-887-9253 fax978-440-9388 main
http://www.SystemExperts.com/
118
Brad C. JohnsonVice President
[email protected] direct
401-348-3078 fax978-440-9388 main
http://www.SystemExperts.com/