Wireless (Chapter 5)


Chapter 5

Wireless Network Devices

Wireless Network Devices 5-1


Chapter 5: Outline
Chapter goal:
❖ Introduce basic terminology and concepts related to wireless network devices
❖ approach:
▪ use various communication standards as example
Overview/Roadmap:
❖ Wireless LAN Radio Components
❖ Wireless network adaptors
❖ Wireless network access points
❖ Wireless Repeaters
❖ Bridges
❖ Wireless LAN Switch
❖ Wireless Routers
❖ Wireless Gateways
❖ Wireless LAN Antennas
❖ Wireless LAN Planning and Design
❖ Wireless Network Security

Wireless Network Devices 5-2


Chapter 5: Roadmap
1.1 Components of Wireless LAN
1.2 Wireless Clients
1.3 Wireless LAN Radio Components
1.4 Wireless Network Adapters
1.5 Wireless Network Access Points
1.6 Wireless Repeaters
1.7 Bridges
1.8 Wireless LAN Switch
1.9 Wireless Routers
1.10 Wireless Gateways
1.11 Wireless LAN Antennas
1.12 Firewall
1.13 ISP

Wireless Network Devices 5-3


Components of Wireless LAN (1)
❖ Wireless LANs consist of components similar to
traditional Ethernet-wired LANs.
❖ In fact, wireless LAN protocols are similar to Ethernet
and comply with the same form factors.
❖ The big difference, however, is that wireless LANs
don't require wires.

© https://slideplayer.com/slide/8647051/ Wireless Network Devices 5-4


Components of Wireless LAN (2)
[Figure: components of a wireless LAN; labelled parts are the Internet, the Internet router, the Internet service provider and the network switch]
© https://slideplayer.com/slide/8647051/ Wireless Network Devices 5-5


Wireless Client
❖ A device such as a notebook, or any kind of mobile device, that is linked
into the wireless network area
❖ Connects using Wi-Fi, a wireless network card, Bluetooth, etc.

© https://slideplayer.com/slide/8647051/ Wireless Network Devices 5-7


Common Components
❖ Radio Transmitter and Receiver or Transceiver
▪ Also called a radio modulator / demodulator (modem)
❖ Antenna

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-9


802.11 Radio Functions (1)
❖ Modulation
▪ Generates a carrier wave and modulates the wave
❖ Spread Spectrum Encoding
▪ Combines data stream into a bit sequence with a higher data
rate to form what is called a chipping code
▪ Increases the ability to withstand interference

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-10
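The spread-spectrum step described above, as an added example (not code from the slides): each data bit is XORed with the 11-chip Barker sequence that 802.11 DSSS uses at 1 and 2 Mbps, and the receiver recovers the bit by majority vote over the 11 chips, which is what lets the signal withstand in-channel interference. The data bits and the corrupted chip positions are constructed.

```python
# Added example: direct-sequence spreading with the 11-chip Barker code.
# Each data bit becomes 11 chips (chip = bit XOR code chip), so the chip
# rate is 11x the bit rate.  The receiver correlates every 11-chip group
# against the same code and takes a majority vote, which is why a few
# chips corrupted by in-channel interference do not corrupt the bit.

# 11-chip Barker sequence (the one 802.11 DSSS uses at 1 and 2 Mbps).
BARKER_11 = (1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0)
CHIPS_PER_BIT = len(BARKER_11)


def spread(bits):
    """Spread a list of 0/1 data bits into a chip stream."""
    chips = []
    for bit in bits:
        if bit not in (0, 1):
            raise ValueError("data bits must be 0 or 1")
        chips.extend(bit ^ code for code in BARKER_11)
    return chips


def despread(chips):
    """Recover data bits by correlating each 11-chip group with the code."""
    if len(chips) % CHIPS_PER_BIT:
        raise ValueError("chip stream is not a whole number of symbols")
    bits = []
    for start in range(0, len(chips), CHIPS_PER_BIT):
        group = chips[start:start + CHIPS_PER_BIT]
        # XOR undoes the code: with no errors every term equals the data bit.
        agree = sum(chip ^ code for chip, code in zip(group, BARKER_11))
        # Majority vote: up to 5 of the 11 chips may be wrong and still decode.
        bits.append(1 if 2 * agree > CHIPS_PER_BIT else 0)
    return bits


def corrupt(chips, positions):
    """Flip the chips at the given indices (constructed interference)."""
    out = list(chips)
    for pos in positions:
        out[pos] ^= 1
    return out


def demo():
    """Show that five corrupted chips in one symbol are tolerated, six are not."""
    data = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed data bits
    chips = spread(data)
    five_bad = despread(corrupt(chips, [0, 2, 4, 6, 8]))
    six_bad = despread(corrupt(chips, [0, 1, 2, 3, 4, 5]))
    return data, five_bad, six_bad


if __name__ == "__main__":
    data, five_bad, six_bad = demo()
    print("data  :", data)
    print("5 bad :", five_bad, "ok" if five_bad == data else "bit error")
    print("6 bad :", six_bad, "ok" if six_bad == data else "bit error")
```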


802.11 Radio Functions (2)
❖ Physical (PHY) layer splitting
▪ Physical Layer Convergence Protocol (PLCP) sublayer
• Senses the carrier to see if it is in use
▪ Physical Medium Dependent (PMD) sublayer
• Carries the modulated signal
❖ MAC Controller
▪ Runs MAC layer protocols that buffer incoming and outgoing
packets along with channel access and management

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-11


Interference
❖ Interference is the biggest issue in wireless
communications
❖ Causes intermittent reception and connectivity
problems
❖ In-channel interference is caused by other devices that
emit signals in the same frequency

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-12


IEEE 802.11 Modulation Methods
Standard    Data Rate (Mbps)   Modulation Method                                    Number of Phase Shifts     Spreading Method
802.11      1                  Binary Phase Shift Keying (BPSK)                     1 (180°)                   Barker code
802.11      2                  Quadrature Phase Shift Keying (QPSK)                 4 (0°, 90°, 180°, 270°)    Barker code
802.11b     5.5                QPSK                                                 4                          Complementary Code Keying (CCK)
802.11b     11                 QPSK                                                 4                          CCK
802.11a/g   54                 Orthogonal Frequency Division Multiplexing (OFDM)    -                          -

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-13


Wireless Network Adapters
❖ May be an internal or external device
❖ Form factors include
▪ Internal expansion card, network interface cards (NICs)
▪ Internal integrated network adapters
▪ External PC card network adapters
▪ External USB network adapters

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-15


Key characteristics of Wireless NICs
❖ Interface type (internal, USB, PCI, etc.)
❖ Wireless standard (802.11a, 802.11b, 802.11g,
Bluetooth, etc.)
❖ Antenna type (detachable, non-detachable)
❖ Power output (40mW, 50mW, 200mW)
❖ Power modes (PSP – Power Savings Polling, CAM –
Constantly Awake Mode)

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-16


Advantages and Disadvantages of common
wireless NIC types (1)
❖ PC Card (PCMCIA)
▪ Advantages
• No open-box installation required
• PC card (16 bit) and CardBus (32 bit) models commonly available
• Easily removed
▪ Disadvantages
• Not compatible with most desktop PCs
• Relatively higher power requirements
• Size and power of antenna lower than other types
• Poor antenna orientation
❖ PCI and Mini-PCI expansion cards
▪ Advantages
• Permanent installation
▪ Disadvantages
• Requires open-box installation
• Antenna orientation can be weak

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-17


Advantages and Disadvantages of common
wireless NIC types (2)
❖ USB
▪ Advantages
• No open-box installation required
• USB 2.0 features 480 Mbps peak transfer rate
• 802.11b operates at approximately the same speed as USB 1.1
• USB devices can be easily removed
• Usable on either desktop or portable PCs
▪ Disadvantages
• USB 1.0 features 12 Mbps peak transfer rate
• 802.11a/802.11g requires USB 2.0
• Higher CPU usage
• More easily stolen

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-18


Expansion Card Wireless NIC
❖ Most common until recently
❖ Installed inside a computer case, in a PCI slot in most
instances

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-19


Wireless NICs
❖ [Figure: an IEEE 802.11b wireless NIC expansion card]
❖ Verify the 802.11x standard of a wireless NIC before installing it

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-20


Network adapter Wireless standards
❖ The IEEE 802.11b and 802.11g standards are mostly
compatible, but 802.11a is not compatible with either
802.11b or 802.11g
❖ The 802.11b-Plus standard is proprietary
❖ Bluetooth is not compatible with any of the 802.11
standards

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-21


Antenna Type
❖ Non-detachable is most common
❖ Detachable antennas may be more useful for a site survey
❖ [Figure: an expansion card wireless NIC with a connection jack for an external WLAN antenna]

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-22


Power Modes
❖ Constantly Awake Mode (CAM)
▪ Useful when connected to a power source but may drain a
battery quickly
❖ Power Savings Polling (PSP)
▪ Allows NIC to be put to sleep to conserve power when not
in use
❖ Fast PSP
▪ Combines CAM and PSP features
❖ Maximum Power Saving (MaxPSP)
▪ Periodically awakened to retrieve network traffic

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-23


Properties of wireless connection

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-24


Wireless Networks Tab

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-25


Proprietary Wireless Network
❖ Proprietary software to monitor wireless networks is
often provided with the wireless card
❖ [Figure: the Linksys PCI Network Monitor is a proprietary wireless network management and monitoring tool]

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-26


Wireless NICs and Linux
❖ Most of the newer Linux versions provide support for
802.11b wireless cards
▪ 802.11g access points are compatible with 802.11b wireless
NICs
❖ When choosing a wireless NIC check to make sure it is
compatible with Linux and that a device driver is
available
▪ If there is no device driver available, you may try the wireless
utilities called wireless-tools.26

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-27


PC Card / PCMCIA NICs
❖ Almost all PC card wireless NICs are type II 68-pin
cards

PC Card Type   Thickness   Applications
I              3.3 mm      Memory
II             5.0 mm      Modem, NIC, SCSI, Audio
III            10.5 mm     Hard disk, firewall

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-28


PC Card NIC Guidelines
❖ Use the operating system to stop or disable the card
before removing it
❖ Ensure the orientation of the card before inserting it to
avoid damaging the pins

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-29


USB Network Adapters
❖ Universal Serial Bus (USB) connectors come in two
types:
▪ Direct connect
▪ Cable connect
❖ [Figure: a USB network adapter that connects directly to a computer]
❖ [Figure: a USB network adapter that is connected to a computer with a USB cable]
© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-30


Access Point
❖ Distribution point, hub, and bridge for wireless NICs
within its range
❖ Includes a radio transceiver, bridging circuitry or
software
❖ Provides a communications link between wireless and
wired network services

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-32


Wireless Access Point
❖ A WAP is a device that acts as a central transmitter and
receiver of WLAN radio signals between wired and
wireless networking devices.
❖ Generally small, with a built-in network adapter,
antenna, and radio transmitter

© https://slideplayer.com/slide/8647051/ Wireless Network Devices 5-33


AP Considerations
❖ Coverage to provide linkage for every wireless LAN
station in its cell
❖ Placement location
❖ Network mode
▪ Ad-hoc if wireless devices will roam
▪ Infrastructure if position is relatively static
❖ Thin or fat devices

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-34


Thin and Fat APs
❖ Fat
▪ Provides all of the functions required for WLAN connectivity:
• Authentication
• Encryption
• Management
❖ Thin
▪ Provides RF-to-RF linkage and radio-to-wire converter
▪ A central controller handles all other intelligent, or fat,
services

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-35


Multiradio APs
❖ Coverage
❖ Support two or more WLAN standards simultaneously
[Figure: an access point with multiple built-in WLAN radios]

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-36


Bridging APs
❖ Connect two or more LANs together in a point-to-point
or point-to-multipoint topology

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-37


Stealth APs
❖ Do not broadcast their SSID for security reasons -
only those knowing the SSID may connect

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-38


Wireless Repeaters
❖ Attenuation is the weakening of a signal as it travels
further from its source
❖ Wireless repeaters receive a transmitted signal and
retransmit the signal with original strength restored
❖ Repeaters add latency

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-40


Bridges
❖ A bridge creates a crossover point between two LANs or LAN
segments operating on the same networking protocol
❖ Learning bridges maintain a table of which segment each network node
lies on; only packets headed to nodes on the other segment are
allowed through
❖ Wireless bridges are commonly used to provide a connection
point for WLANs in two buildings of a campus

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-42


Bridging Tables
❖ A bridge uses the entries in its bridging table to route
messages arriving from different networks or network
segments

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-43
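The learning bridge and its bridging table from the two slides above, as an added example (not code from the slides): the bridge learns which port each source address lives on, forwards frames whose destination is on another port, filters frames that would stay on the same segment, and floods unknown and broadcast destinations. Port names and MAC addresses are constructed.

```python
# Added example: a learning bridge that builds its bridging table from the
# source address of every frame and forwards only frames whose destination
# lies on a different segment (port).  Port names and MAC addresses are
# constructed for the demo.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    def __init__(self, ports):
        if len(set(ports)) < 2:
            raise ValueError("a bridge needs at least two distinct ports")
        self.ports = list(ports)
        self.table = {}  # MAC address -> port the address was last seen on

    def receive(self, in_port, src, dst):
        """Handle one frame; return the list of ports it is forwarded to."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port!r}")
        # Learn: the sender is reachable through the port the frame came in on.
        self.table[src] = in_port
        if dst == BROADCAST or dst not in self.table:
            # Broadcast or not-yet-learned destination: flood every other port.
            return [p for p in self.ports if p != in_port]
        out_port = self.table[dst]
        if out_port == in_port:
            # Destination is on the same segment as the sender: filter it.
            return []
        return [out_port]


def demo():
    """Run a constructed frame sequence across a wired/wireless bridge."""
    bridge = LearningBridge(["wired", "wlan"])
    frames = [
        ("wired", "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"),  # dst unknown: flood
        ("wlan", "bb:bb:bb:00:00:02", "aa:aa:aa:00:00:01"),   # dst learned: one port
        ("wired", "cc:cc:cc:00:00:03", "aa:aa:aa:00:00:01"),  # same segment: filtered
        ("wired", "aa:aa:aa:00:00:01", BROADCAST),            # broadcast: flood
    ]
    decisions = [bridge.receive(*frame) for frame in frames]
    return decisions, bridge.table


if __name__ == "__main__":
    decisions, table = demo()
    for d in decisions:
        print("forwarded to:", d or "(filtered)")
    print("bridging table:", table)
```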


Wireless Bridges
❖ Wireless bridges are used to link buildings in a campus
area network setting

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-44


Network Switch
❖ A network switch acts as a hub to interconnect all
equipment within a local area network (LAN).
❖ Usually most network equipment, such as routers,
wireless access points or additional cascaded switches,
is connected to a network switch.

© https://slideplayer.com/slide/8647051/ Wireless Network Devices 5-46


Wireless Switch
❖ Wireless switches are like multi-port bridges but
smarter
❖ A switch creates and maintains switching tables that
allow it to manage network bandwidth
❖ Switches use Spanning Tree Protocol (STP) to prevent
loops in the network
❖ Messages are forwarded through the switch using
packet switching

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-47


Packet Switching
❖ Cut-through switching
▪ Switch begins forwarding the message as soon as the source
and destination addresses are read
❖ Fast-forward switching
▪ Switch begins forwarding the message as soon as the
destination address is read
❖ Store-and-forward switching
▪ Switch reads entire message before forwarding it
❖ Fragment-free switching
▪ Reads first 64 bytes of the message which helps it identify
collision packets

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-48


Virtual LANs
❖ Switches may create Virtual LANs (VLANs)
▪ Logically creates groups of devices or users
▪ Does not require a device or user to be geographically or
functionally fixed

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-49


Routers
❖ Routers determine the best path to take through a network and
then switch the packet
[Figure: a message is routed across the Internet until it arrives at the router servicing the destination node address]

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-51


Router
❖ A router is a device which joins multiple wired or
wireless networks together and is also a gateway,
which joins the home's local area network (LAN) to
the wide area network (WAN) of the Internet.
❖ A piece of storage called the routing table
maintains the configuration information
❖ A router can also filter traffic, either incoming or
outgoing, based on the IP addresses of senders and
receivers.

© https://slideplayer.com/slide/8647051/ Wireless Network Devices 5-52


Routing Tables (1)
❖ Routers use a routing table to determine what port a
packet needs to be switched out of to reach its
destination
❖ Routing entries are created in two ways:
▪ Static routes are manually defined by the network
administrator
▪ Dynamic routes are learned by talking to other routers
through routing protocols

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-53


Routing Tables (2)
❖ Routing tables include:
▪ remote network addresses
▪ ports to use to get to remote networks
▪ gateway of last resort

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-54
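The routing table of the two slides above, as an added example (not code from the slides): static and dynamic entries, the port to use for each remote network, longest-prefix selection when several entries match, and a gateway of last resort for everything else. Interface names, prefixes and next hops are constructed from documentation address ranges.

```python
# Added example: a routing table with static and dynamic entries and a
# gateway of last resort, looked up by longest-prefix match.  Interface
# names, prefixes and next hops are constructed (documentation ranges).
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []      # entries: (network, port, next_hop, kind)
        self.default = None   # gateway of last resort: (port, next_hop)

    def add_static(self, prefix, port, next_hop=None):
        """Route entered by the administrator; next_hop None = directly connected."""
        self.routes.append((ipaddress.ip_network(prefix), port, next_hop, "static"))

    def add_dynamic(self, prefix, port, next_hop):
        """Route learned from a neighbouring router through a routing protocol."""
        self.routes.append((ipaddress.ip_network(prefix), port, next_hop, "dynamic"))

    def set_gateway_of_last_resort(self, port, next_hop):
        self.default = (port, next_hop)

    def lookup(self, dst):
        """Pick the most specific matching route; fall back to the default."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, port, next_hop, kind in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, port, next_hop, kind)
        if best is not None:
            net, port, next_hop, kind = best
            return {"port": port, "next_hop": next_hop, "via": str(net), "kind": kind}
        if self.default is not None:
            port, next_hop = self.default
            return {"port": port, "next_hop": next_hop, "via": "default", "kind": "static"}
        return None   # no route at all: the packet is dropped


def demo_table():
    """A small home router: wireless LAN, two learned/static branches, a WAN default."""
    rt = RoutingTable()
    rt.add_static("192.168.1.0/24", "wlan0")                 # directly connected WLAN
    rt.add_dynamic("10.0.0.0/8", "eth0", "10.0.0.1")         # learned from a neighbour
    rt.add_static("10.1.0.0/16", "eth1", "10.1.0.1")         # more specific, wins for 10.1.x.x
    rt.set_gateway_of_last_resort("wan0", "203.0.113.1")     # everything else: the ISP
    return rt


if __name__ == "__main__":
    rt = demo_table()
    for dst in ("192.168.1.20", "10.1.5.5", "10.2.0.1", "8.8.8.8"):
        print(dst, "->", rt.lookup(dst))
```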


Wireless Routers (1)
❖ Wireless routers are also called gateways
❖ Most wireless routers are connected to a wired network
in addition to communicating with wireless devices
❖ Combines the functions of a wireless access point and a
typical router to allow connections among multiple
networks
❖ Routers use information in the IP packet header to route
packets

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-55


Wireless Routers (2)
❖ Additional features of wireless routers include:
▪ Network Address Translation (NAT)
▪ Port-based access control
▪ Firewall

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-56


Wireless Gateways
❖ A gateway is a network device that joins two networks
❖ Functions of a wireless gateway include:
▪ Advanced routing
▪ Switching
▪ Security

A wireless gateway
is used as the base
station in hot spot
networks.

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-58


WLAN Antennas
❖ A dipole antenna built into most wireless NICs, access
points, and routers is adequate for small businesses and
homes
❖ An external antenna is necessary for more advanced
applications

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-60


Antenna Considerations
❖ Nearby metal, walls, large furniture, trees, and other
objects may affect signal
❖ Nearby RF interference may be picked up
❖ Many RF antennas are polarized vertically, so
horizontal polarization may be better
❖ Cable connections should be free of splices and
connectors as much as possible

© https://www.slideserve.com/egil/wireless-network-devices-powerpoint-ppt-presentation Wireless Network Devices 5-61


Firewall
❖ A firewall helps to maintain and protect the network's privacy and
security.
❖ There are hardware and software firewalls
❖ It also monitors and limits the flow of information through a
computer network according to defined rules.
❖ A firewall can also guard against unauthorized incoming messages
or undesired outgoing messages.
❖ Firewalls block traffic according to the ports listed
by administrators in the equipment. Every communication on
a network uses different ports, e.g. 8080 (which is used to surf the
internet from a browser)

© https://slideplayer.com/slide/8647051/ Wireless Network Devices 5-63
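Port-based filtering with a default-deny policy, as an added example (not code from the slides): an ordered rule list where the first matching rule wins, an optional source-network condition (the IP filtering mentioned on the router slide), and a small policy run over constructed traffic. The rule set, addresses and packets are constructed; the IP ranges are documentation ranges.

```python
# Added example: port-based filtering with an ordered rule list and a
# default-deny policy.  Rule order matters (first match wins).  The rules,
# addresses and traffic are constructed; IP ranges are documentation ranges.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY_PORT = 0


@dataclass(frozen=True)
class Rule:
    direction: str             # "in" (arriving from outside) or "out"
    proto: str                 # "tcp" or "udp"
    port: int                  # destination port; ANY_PORT matches every port
    action: str                # "allow" or "deny"
    src: Optional[str] = None  # optional source network, e.g. "203.0.113.0/24"


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_ip: str
    dst_port: int


class Firewall:
    def __init__(self, rules, default="deny"):
        for r in rules:
            if r.direction not in ("in", "out") or r.action not in ("allow", "deny"):
                raise ValueError(f"bad rule {r}")
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt):
        """Return 'allow' or 'deny' for one packet (first matching rule wins)."""
        for rule in self.rules:
            if rule.direction != pkt.direction or rule.proto != pkt.proto:
                continue
            if rule.port != ANY_PORT and rule.port != pkt.dst_port:
                continue
            if rule.src is not None and (
                ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src)
            ):
                continue
            return rule.action
        return self.default   # nothing matched: the default policy applies

    def filter(self, packets):
        """Split a batch of packets into (allowed, denied) lists."""
        allowed = [p for p in packets if self.decide(p) == "allow"]
        denied = [p for p in packets if self.decide(p) == "deny"]
        return allowed, denied


def demo_policy():
    """Small home policy: web and DNS out, SSH in from the admin network, all else denied."""
    return Firewall([
        Rule("out", "tcp", 80, "allow"),
        Rule("out", "tcp", 443, "allow"),
        Rule("out", "udp", 53, "allow"),
        Rule("in", "tcp", 22, "allow", src="203.0.113.0/24"),   # admin network only
    ])


if __name__ == "__main__":
    fw = demo_policy()
    sample = [
        Packet("out", "tcp", "192.168.1.10", 443),
        Packet("out", "tcp", "192.168.1.10", 8080),
        Packet("in", "tcp", "203.0.113.5", 22),
        Packet("in", "tcp", "198.51.100.7", 22),
    ]
    for p in sample:
        print(p, "->", fw.decide(p))
```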


Internet Service Provider
❖ An organization that provides access to the Internet
❖ Generally charges monthly, and the rate depends on the service
provided
❖ But some are free of charge, like Wireless@SG, a wireless
broadband programme developed by the Singapore Infocomm
Development Authority (IDA)

© https://slideplayer.com/slide/8647051/ Wireless Network Devices 5-65


Wireless LAN
Planning and Design

Wireless Network Devices 5-66


Why is WLAN Planning Required? (1)
❖ A WLAN uses radio signals (high-frequency
electromagnetic waves) to transmit data.
❖ Factors that reduce the signal quality or even cause
network unavailability
▪ The strength of radio signals becomes weaker as the
transmission distance increases
▪ Overlapping adjacent radio signals cause interference.
❖ To improve the WLAN quality and meet customers'
requirements on network construction,
▪ WLAN planning and design are required.

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-67


Why is WLAN Planning Required? (2)
❖ During the WLAN planning
▪ To ensure
• pervasive wireless network coverage
• fast Internet access
• optimal network experience

▪ The following needs to be planned


• AP models and quantity
• installation positions and modes
• cable deployment modes

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-68


Why is WLAN Planning Required? (3)
❖ If WLAN planning and design are not performed in the
early stage,
▪ rework may be required after APs are installed.
❖ This is because network optimization after APs are
installed may require
▪ AP reinstallation and re-cabling

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-69


Why is WLAN Planning Required? (4)
❖ WLAN planning is performed to address the following
issues:
▪ Weak signal strength
▪ Severe co-channel interference
▪ Slow internet access
▪ No obvious advantage in user experience in VIP areas

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-70


Why is WLAN Planning Required? (5)
❖ Weak signal strength:
▪ If the actual transmit power of APs is not considered during
the wireless network coverage design,
• coverage holes may exist.
▪ The signal strength is weak or even no signal is available.
▪ Users suffer from slow Internet access or even cannot access
the Internet.
▪ The coverage area of each AP needs to be properly planned
during WLAN planning to ensure that each area is covered
by strong wireless signals.

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-71


Why is WLAN Planning Required? (6)
❖ Severe co-channel interference:
▪ Co-channel interference is generated when radios of two
neighboring APs work on the same channel.
▪ When co-channel interference occurs,
• signals of the APs are interfered
• delays arise when the APs receive and send data
simultaneously
• which greatly reduces network performance.
▪ Therefore, different working channels that do not interfere
with each other need to be allocated for APs with
overlapping coverage areas.

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-72
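Allocating non-interfering channels to APs with overlapping coverage areas, as an added example (not code from the slides or the Huawei document): APs are vertices and overlaps are edges, and a greedy colouring gives the most constrained APs a channel first; it also reports the pairs that could not be separated, which is the signal to add a channel, lower power or move an AP. The non-overlapping 2.4 GHz set 1/6/11 is assumed; AP names and overlaps are constructed.

```python
# Added example: assign channels to APs whose coverage areas overlap so that
# no two overlapping APs share a channel.  Greedy graph colouring: APs are
# vertices, overlaps are edges.  The 2.4 GHz non-overlapping channel set
# 1/6/11 is assumed; AP names and overlaps are constructed.

NON_OVERLAPPING_2G4 = (1, 6, 11)


def assign_channels(aps, overlaps, channels=NON_OVERLAPPING_2G4):
    """Return {ap: channel}; APs with the most overlaps are assigned first."""
    neighbours = {ap: set() for ap in aps}
    for a, b in overlaps:
        if a not in neighbours or b not in neighbours:
            raise ValueError(f"overlap {a!r}-{b!r} names an unknown AP")
        neighbours[a].add(b)
        neighbours[b].add(a)
    order = sorted(aps, key=lambda ap: -len(neighbours[ap]))
    assignment = {}
    for ap in order:
        used = {assignment[n] for n in neighbours[ap] if n in assignment}
        free = [c for c in channels if c not in used]
        if free:
            assignment[ap] = free[0]
        else:
            # Every channel is already taken by a neighbour: reuse the one
            # shared with the fewest neighbours and let co_channel_conflicts()
            # flag it, so the planner can add a channel, cut power or move the AP.
            assignment[ap] = min(
                channels,
                key=lambda c: sum(1 for n in neighbours[ap] if assignment.get(n) == c),
            )
    return assignment


def co_channel_conflicts(overlaps, assignment):
    """List overlapping AP pairs that still ended up on the same channel."""
    return [(a, b) for a, b in overlaps if assignment[a] == assignment[b]]


def demo_floor():
    """Constructed floor: a corridor chain of five APs plus a dense lobby of four."""
    aps = ["C1", "C2", "C3", "C4", "C5", "L1", "L2", "L3", "L4"]
    overlaps = [
        ("C1", "C2"), ("C2", "C3"), ("C3", "C4"), ("C4", "C5"),   # corridor
        ("L1", "L2"), ("L1", "L3"), ("L1", "L4"),                 # lobby: all four
        ("L2", "L3"), ("L2", "L4"), ("L3", "L4"),                 # overlap each other
    ]
    plan = assign_channels(aps, overlaps)
    return plan, co_channel_conflicts(overlaps, plan)


if __name__ == "__main__":
    plan, conflicts = demo_floor()
    print("channel plan:", plan)
    print("unresolved co-channel pairs:", conflicts)
```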


Why is WLAN Planning Required? (7)
❖ Slow Internet access:
▪ WLANs use the Carrier Sense Multiple Access with Collision
Avoidance (CSMA/CA) mechanism.
▪ The probability of wireless packet collisions grows as the
number of concurrent access users increases, thereby
slowing down the Internet access speed.
▪ For example
• in high-density scenarios such as stadium stands, a large
number of wireless users connect to each radio of APs,
causing a high probability of wireless packet collisions.
• In these scenarios, three-radio APs with high-density
small-angle directional antennas are recommended to control
the number of access users on each radio and reduce the
packet collision probability.

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-73


Why is WLAN Planning Required? (8)
❖ No obvious advantage in user experience in VIP areas:
▪ VIP areas require special attention during WLAN planning.
▪ The Internet access experience of users in VIP areas should
be preferentially guaranteed.

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-74


WLAN Planning Procedure
1. Collect complete project and requirement information
during communication with the customer to avoid
redesign due to insufficient information collected.
2. Perform a site survey on the customer's location and
collect more detailed information, such as interference
sources and obstacles, for WLAN planning solution
design.
3. Determine the coverage mode (indoor or outdoor) based
on customer requirements and the site survey result, and
then design the network coverage, network capacity, and
AP deployment.
4. Deploy and install ACs, APs, and other network devices
based on the WLAN planning result.
5. Check whether the coverage range, signal strength, and
network speed of wireless signals meet the acceptance
criteria.

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-75


WLAN Planning
❖ A WLAN can be planned in terms of the network
coverage, network capacity, and AP deployment.
• Plan the network coverage to ensure that the signal strength
in the coverage areas meets user requirements and
co-channel interference is minimized.
• Plan the network capacity to ensure that the network
bandwidth meets Internet access requirements and offers
smooth Internet access experience.
• After the network coverage and capacity are guaranteed,
plan the AP deployment to make sure that APs are deployed,
installed, and cabled smoothly on site.

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-76


Network Coverage Design (1)
❖ The network coverage design involves planning of the
▪ network coverage areas
▪ signal strength within the coverage areas

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-77


Network Coverage Design (2)
❖ Coverage area
▪ An AP transmits radio signals through an antenna and generates
a wireless network coverage area around the antenna.
▪ The signal strength becomes weaker as radio signals are
transmitted further.
▪ Generally, the area where the signal strength around an antenna
is greater than the edge field strength is called the wireless
network coverage area, as shown in the figure.
▪ The field strength of radio signals at the edge of a network
coverage area is called edge field strength.
[Figure: network coverage area from the top view (omnidirectional antenna)]

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-78


Network Capacity Design (1)
❖ Design the number of APs required based on
▪ bandwidth requirements
▪ number of wireless terminals
▪ concurrency rate
▪ per-AP performance
❖ This ensures that the WLAN performance can meet
the Internet access requirements of all terminals.

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-79


Network Capacity Design (2)
❖ capacity design parameters
▪ Bandwidth per terminal
▪ Number of terminals
▪ Concurrency rate
▪ Per-AP performance

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-80


Network Capacity Design (3)
❖ capacity design parameters
▪ Bandwidth per terminal
• Bandwidth requirements vary depending on terminal types
and services to be provided by terminals.
• For example,
– the bandwidth required by a terminal used for watching HD
videos is higher than that required by a terminal used only for
browsing web pages.
• Therefore, plan sufficient bandwidth based on terminal
services and types to avoid bandwidth insufficiency or
waste.

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-81


Network Capacity Design (4)
❖ capacity design parameters
▪ Number of terminals
• You need to specify an accurate number of terminals to be
supported on the WLAN according to the WLAN planning.

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-82


Network Capacity Design (5)
❖ capacity design parameters
▪ Concurrency rate
• The concurrency rate refers to the ratio of terminals using
the network concurrently to the total number of terminals.
• The average number of terminals using the network
concurrently is calculated based on the concurrency rate
and the number of terminals.

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-83


Network Capacity Design (6)
❖ capacity design parameters
▪ Per-AP performance
• The recommended number of concurrent access terminals in
different scenarios varies according to AP models.

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-84


AP Deployment Design
❖ AP Deployment Principles
▪ When deploying APs, take into account the following points:
• Reduce the number of obstacles that wireless signals have
to pass through.
– If obstacles cannot be avoided, have the signals pass through walls and ceilings perpendicularly rather than at an angle.
– In particular, avoid metal obstacles.
• Make sure APs directly face towards the target coverage
areas.
• Deploy APs far away from interference sources.
• Ensure the aesthetics of AP installation.
– In areas with high aesthetics requirements, you can use camouflage covers or mount APs inside a non-metal ceiling.

© https://support.huawei.com/enterprise/en/doc/EDOC1000113315/b34edf9f/ Wireless Network Devices 5-85


Wireless Network
Security

Wireless Network Devices 5-86


Chapter 5: Roadmap
1.1 802.11 Security Basics
1.2 Legacy 802.11 Security
1.3 Authentication and Authorization
1.4 WPA/802.11i

Wireless Network Devices 5-87


802.11 Security Basics
❖ Major components
▪ Strong Encryption
• Data is transmitted freely and openly in the air
• To ensure data privacy
▪ Mutual Authentication
• The wireless LAN is a portal into the rest of the network infrastructure
• That portal must be protected by verifying both the client and the network it joins
▪ Segmentation
• The wireless network should always be treated as untrusted
• Segmented in some fashion from the wired infrastructure

© CWNA Study Guide Wireless Network Devices 5-88


Encryption (1)
❖ 802.11 wireless networks
▪ License free frequency bands
▪ All data transmissions travel in the open air
❖ Data privacy in Wired vs Wireless
▪ Easier in wired networks because physical access to the wired medium is more restricted.
▪ Harder in wireless networks because physical access to wireless transmissions is available to anyone in listening range.
❖ Cipher Encryption
▪ A cipher is an algorithm used to perform encryption

© CWNA Study Guide Wireless Network Devices 5-89


Encryption (2)
❖ Cipher Encryption Algorithms
▪ RC4 (Ron’s Code or Rivest’s Cipher)
▪ Advanced Encryption Standard (AES)
❖ Cipher Encryption Types
▪ Stream ciphers encrypt data as a continuous stream (RC4)
▪ Block ciphers encrypt data in fixed-size blocks (AES)

© CWNA Study Guide Wireless Network Devices 5-90


Encryption (3)
❖ RC4 (Ron’s Code or Rivest’s Cipher)
▪ Streaming Cipher
▪ Used to protect Internet traffic, such as Secure Sockets Layer
(SSL)
▪ Used to protect 802.11 wireless data
▪ Incorporated into two encryption methods
• WEP
• TKIP

© CWNA Study Guide Wireless Network Devices 5-91


Encryption (4)
❖ The AES algorithm
▪ Rijndael algorithm
▪ Block cipher
▪ Stronger protection than the RC4 streaming cipher
▪ Used to encrypt 802.11 wireless data using an encryption
method
• Counter mode with Cipher Block Chaining–Message
Authentication Code (CCMP)
▪ Encrypts data in fixed data blocks
• Encryption key strength of 128, 192, or 256 bits

© CWNA Study Guide Wireless Network Devices 5-92


AAA (1)

❖ Authentication
❖ Authorization
❖ Accounting

© CWNA Study Guide Wireless Network Devices 5-93


AAA (2)

❖ Authentication
▪ Verification of user identity and credentials
• Usernames and Passwords
• Digital Certificates
▪ Multifactor Authentication
• More secure authentication systems
• At least two sets of different credentials must be presented

© CWNA Study Guide Wireless Network Devices 5-94


AAA (3)

❖ Authorization
▪ Granting access to network resources and services
▪ Before authorization
• Proper authentication must occur

© CWNA Study Guide Wireless Network Devices 5-95


AAA (4)

❖ Accounting
▪ Tracking the use of network resources by users
▪ Who used what resource, when and where
▪ A record is kept of user identity
• Which resource was accessed, and at what time

© CWNA Study Guide Wireless Network Devices 5-96


Segmentation
❖ Segment users into proper groups
❖ Once authorized onto network resources
▪ Users can be further restricted as to what resources may be accessed and where they can go
❖ Segmentation can be achieved through
▪ Firewalls
▪ Routers
▪ VPNs
▪ VLANs - Most common wireless segmentation strategy
❖ Role-Based Access Control (RBAC)

© CWNA Study Guide Wireless Network Devices 5-97


Chapter 5: Roadmap
1.1 802.11 Security basics
1.2 Legacy 802.11 Security
1.3 Authentication and Authorization
1.4 WPA/802.11i

Wireless Network Devices 5-98


802.11 Security
❖ Legacy
▪ Original 802.11 standard
▪ From 1997 until 2004
▪ The authentication methods
• provided an open door into the network infrastructure
▪ The encryption method
• has long been cracked
• is considered inadequate for data privacy
❖ Robust
▪ 802.11i security amendment

© CWNA Study Guide Wireless Network Devices 5-99


Legacy 802.11 Security

❖ Legacy Authentication
❖ Static WEP Encryption
❖ MAC Filters
❖ SSID Cloaking

© CWNA Study Guide Wireless Network Devices 5-100


Legacy Authentication
❖ The original 802.11 standard specifies two
different methods of authentication:
▪ Open System authentication
▪ Shared Key authentication

© CWNA Study Guide Wireless Network Devices 5-101


Open System authentication (1)
❖ No client verification
▪ Authentication without performing any type of client verification
❖ Two-way exchange
▪ Between the client and the access point
▪ The client sends an authentication request
▪ The access point then sends an authentication response
▪ It does not require the use of any credentials
▪ Every client gets authenticated and authorized onto network resources once
they have been associated

© CWNA Study Guide Wireless Network Devices 5-102


Open System authentication (2)
❖ Static WEP encryption - optional
▪ May be used to encrypt the data frames after Open System authentication
and association occur.

© CWNA Study Guide Wireless Network Devices 5-103


Shared Key Authentication (1)
❖ Wired Equivalent Privacy (WEP)
▪ Used to authenticate client stations
▪ A static WEP key must be configured
• On both the station and the access point
▪ WEP is mandatory
• Authentication will not work if the static WEP keys do not match.
❖ Authentication process
▪ Similar to Open System authentication
▪ Includes a challenge and response

© CWNA Study Guide Wireless Network Devices 5-104


Shared Key Authentication (2)
❖ Four-way authentication frame handshake
❖ If Shared Key authentication is successful,
▪ The same static WEP key that was used during the Shared Key authentication process will also be used to encrypt the 802.11 data frames.

© CWNA Study Guide Wireless Network Devices 5-105


Open System vs Shared Key Authentication (1)
❖ Shared Key could be the bigger security risk
▪ Anyone who captures the cleartext challenge phrase
▪ Then captures the encrypted challenge phrase in the response frame
▪ Could potentially derive the static WEP key
▪ If the static WEP key is compromised
• All the data frames can be decrypted.

© CWNA Study Guide Wireless Network Devices 5-106


Open System vs Shared Key Authentication (2)

❖ Neither of the legacy authentication methods is considered strong enough for enterprise security.
❖ The more secure 802.1X/EAP authentication methods should be used instead.

© CWNA Study Guide Wireless Network Devices 5-107


Static WEP Encryption (1)
❖ Wired Equivalent Privacy (WEP)
▪ Layer 2 encryption method
▪ Uses the RC4 streaming cipher
❖ 64-bit WEP
▪ Defined by original 802.11 standard
▪ Default encryption method
❖ 128-bit WEP
▪ Not defined by the standard
▪ Equipment from different vendors using 128-bit WEP will not
be compatible.

© CWNA Study Guide Wireless Network Devices 5-108


Static WEP Encryption (2)

❖ Main Goals
▪ Confidentiality
▪ Access control
▪ Data integrity

© CWNA Study Guide Wireless Network Devices 5-109


Static WEP Encryption (3)
❖ Confidentiality
▪ To provide data privacy
▪ By encrypting the data before transmission
❖ Access Control
▪ A crude form of Authorization
▪ Client stations that do not have the same matching static key as
an access point are refused access to network resources.
❖ Data Integrity
▪ Data integrity checksum
• Integrity Check Value (ICV) is computed on data before encryption
▪ Used to prevent data from being modified

© CWNA Study Guide Wireless Network Devices 5-110


Static WEP Encryption (4)
❖ 64-bit WEP
▪ Secret 40-bit static key
▪ 24-bit Initialization Vector (IV)
• Selected by the card's device driver
• Sent in cleartext
• Different on every frame
– There are only 16,777,216 (2^24) different IV combinations
– IV values are therefore eventually reused

Static WEP encryption key and Initialization Vector


© CWNA Study Guide Wireless Network Devices 5-111
Static WEP Encryption (5)
❖ 128-bit WEP
▪ 104-bit secret static key
▪ 24-bit Initialization Vector

Static WEP encryption key and Initialization Vector

© CWNA Study Guide Wireless Network Devices 5-112


Static WEP Encryption (6)
❖ A 40-bit static key consists of
▪ 10 hex characters (10×4 = 40 bits)
▪ 5 ASCII characters (5×8 = 40 bits)
❖ A 104-bit static key consists of
▪ 26 hex characters (26×4 = 104 bits)
▪ 13 ASCII characters (13×8 = 104 bits)
❖ Not all client stations or access points support both hex and ASCII.
❖ Four separate static WEP keys
▪ A user can choose one as the default transmission key
Transmission Key
© CWNA Study Guide Wireless Network Devices 5-113
Static WEP Encryption (7)
❖ Transmission key
▪ Static key that is used to encrypt data by the transmitting radio.
▪ A client or access point may use one key to encrypt outbound traffic and a different key to decrypt received traffic.
▪ All keys must match exactly on both sides of a link for encryption/decryption to work properly.
Transmission Key

© CWNA Study Guide Wireless Network Devices 5-114


Static WEP Encryption (8)
WEP Encryption Process
❖ How does WEP work?
▪ A CRC is computed on the plaintext data that is to be encrypted
• The result, the Integrity Check Value (ICV), is appended to the end of the plaintext data.
▪ A 24-bit cleartext Initialization Vector (IV) is then generated and combined with the static secret key.

© CWNA Study Guide Wireless Network Devices 5-115


Static WEP Encryption (9)
WEP Encryption Process
❖ How does WEP work?
▪ Keystream
• WEP then uses both the static key and the IV as seeding material for a pseudo-random algorithm that generates random bits of data known as a keystream.
• These pseudo-random bits are equal in length to the plaintext data (with its appended ICV) that is to be encrypted.

© CWNA Study Guide Wireless Network Devices 5-116


Static WEP Encryption (10)
WEP Encryption Process
❖ How does WEP work?
▪ XOR Process
• The pseudo-random bits in the keystream are then combined with the plaintext data bits using a Boolean XOR process.
▪ End Result
• The end result is the WEP ciphertext, which is the encrypted data.
▪ Transmitted
• The encrypted data is then prefixed with the cleartext IV.

© CWNA Study Guide Wireless Network Devices 5-117


Static WEP Encryption (11)
❖ Weaknesses - four main attacks:
▪ IV collisions attack
▪ Weak key attack
▪ Re-injection attack
▪ Bit-flipping attack

© CWNA Study Guide Wireless Network Devices 5-118


Static WEP Encryption (12)
❖ IV collisions attack
▪ 24-bit Initialization Vector is in cleartext
▪ Different in every frame
▪ In a busy WEP encrypted network, all 16 million IVs will
eventually repeat themselves
▪ Due to the limited size of the IV space
• IV collisions occur
▪ An attacker can recover the secret key much easier when IV
collisions occur in wireless networks.

© CWNA Study Guide Wireless Network Devices 5-119
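
As an added example (not code from the CWNA study guide), the encapsulation on the preceding WEP Encryption Process slides, the 40/104-bit key formats from slide (6), and a monitoring check for the IV reuse just described, in Python against the standard library only; the key, IVs and frames are constructed, and RC4 is written out because WEP needs the raw keystream.

```python
"""Added example: WEP encapsulation as described on the slides, the 40/104-bit key
formats, and a defender-side IV-reuse check. Sample keys, IVs and frames are constructed."""
import zlib


def parse_wep_key(key: str) -> bytes:
    """Accept 10 or 26 hex characters (40/104-bit) or 5 or 13 ASCII characters."""
    if len(key) in (10, 26):
        try:
            return bytes.fromhex(key)
        except ValueError:
            pass                      # not hex; fall through to the ASCII check
    if len(key) in (5, 13):
        return key.encode("ascii")
    raise ValueError("WEP key must be 10/26 hex digits or 5/13 ASCII characters")


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encapsulate(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """IV || KeyID byte || RC4(IV || key) XOR (plaintext || ICV): 8 bytes of overhead."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")        # CRC-32 integrity check value
    keystream = rc4_keystream(iv + key, len(plaintext) + 4)  # seed = cleartext IV || static key
    ciphertext = bytes(a ^ b for a, b in zip(plaintext + icv, keystream))
    return iv + bytes([(key_id & 0x3) << 6]) + ciphertext


def wep_decapsulate(key: bytes, frame_body: bytes) -> bytes:
    """Reverse the process; the CRC-based ICV catches accidental corruption only."""
    iv, ciphertext = frame_body[:3], frame_body[4:]
    keystream = rc4_keystream(iv + key, len(ciphertext))
    decrypted = bytes(a ^ b for a, b in zip(ciphertext, keystream))
    plaintext, icv = decrypted[:-4], decrypted[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch: wrong key or modified frame")
    return plaintext


def find_iv_reuse(frame_bodies) -> dict:
    """Monitoring check: the keystream depends only on IV || key, so an IV that appears
    twice under the same key means two frames were encrypted with the same keystream.
    Returns {iv_hex: [frame indexes]} for every IV seen more than once."""
    seen = {}
    for index, body in enumerate(frame_bodies):
        seen.setdefault(body[:3], []).append(index)
    return {iv.hex(): idx for iv, idx in seen.items() if len(idx) > 1}
```
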


Static WEP Encryption (13)
❖ Weak key attack
▪ Due to the RC4 key-scheduling algorithm
• Certain IVs, combined with the static key, produce weak per-frame RC4 keys (weak IVs)
▪ An attacker can recover the secret key much more easily by collecting frames that use these known weak IVs.

© CWNA Study Guide Wireless Network Devices 5-120


Static WEP Encryption (14)
❖ Re-injection attack
▪ Hacker tools exist that implement a packet re-injection attack to
accelerate the collection of weak IVs on a network with little
traffic.
❖ Bit-flipping attack
▪ The ICV data integrity check is considered weak.
▪ WEP encrypted packets can be tampered with.

© CWNA Study Guide Wireless Network Devices 5-121


Static WEP Encryption (15)
❖ Current WEP cracking tools
▪ may use a combination of the first three mentioned attacks
• IV collisions attack
• Weak key attack
• Re-injection attack
▪ can crack WEP in less than 5 minutes.
▪ Once an attacker has compromised the static WEP key, any data
frame can be decrypted with the newly discovered key.

© CWNA Study Guide Wireless Network Devices 5-122


Static WEP Encryption (16)
❖ Enhancement to WEP
▪ Temporal Key Integrity Protocol (TKIP)
• currently has not been cracked
❖ CCMP
▪ Counter mode with Cipher Block Chaining-Message Authentication
Code (CCMP)
• uses the AES algorithm and is an even stronger encryption method.
❖ As defined by the original 802.11 standard
▪ WEP encryption is considered optional and is not required.
▪ WEP encryption has indeed been cracked
▪ Unacceptable in the enterprise
▪ It is still better than using no encryption at all

© CWNA Study Guide Wireless Network Devices 5-123


MAC Filters (1)
❖ Physical address known as a MAC address
▪ 12-digit hexadecimal number (48 bit)
❖ 802.11 client stations
▪ each have unique MAC addresses
❖ 802.11 access points
▪ Use MAC addresses to direct frame traffic
❖ Access points provide MAC filtering capabilities
❖ MAC filters can be configured to either allow or deny
traffic from specific MAC addresses.

© CWNA Study Guide Wireless Network Devices 5-124


MAC Filters (2)
❖ MAC filters apply restrictions
▪ Allow traffic only from specific client stations to pass through
based on their unique MAC addresses.
▪ Any other client stations whose MAC addresses are not on the
allowed list will not be able to pass traffic through the virtual
port of the access point and onto the distribution system
medium.

© CWNA Study Guide Wireless Network Devices 5-125


MAC Filters (3)
❖ Spoofing
▪ MAC addresses can be “spoofed,” or impersonated
▪ Any amateur hacker can easily bypass any MAC filter by spoofing an allowed client station’s address.
❖ MAC filtering is not considered a reliable means of security for wireless enterprise networks
▪ Because of spoofing
▪ Because of all the administrative work that is involved with setting up MAC filters
❖ The 802.11 standard
▪ Does not define MAC filtering
▪ Any implementation of MAC filtering is vendor specific

© CWNA Study Guide Wireless Network Devices 5-126


SSID Cloaking (1)
❖ Hide the Service Set Identifier (SSID)
❖ Access point setting to hide the wireless network name
▪ Closed Network
• Enabling a closed network
▪ Broadcast SSID
• Disabling the broadcast SSID feature

© CWNA Study Guide Wireless Network Devices 5-127


SSID Cloaking (2)
❖ Passive Scanning
▪ By Access Point
▪ The SSID field in the beacon frame is null (empty)
▪ Passive scanning will not reveal the SSID to client stations that
are listening to beacons
❖ Active Scanning
▪ By client station
▪ Many wireless client software utilities
• transmit probe requests
• with null SSID fields
• when actively scanning for access points

© CWNA Study Guide Wireless Network Devices 5-128


SSID Cloaking (3)
❖ NetStumbler
▪ freely available software program
▪ used to discover wireless networks
▪ sends out null probe requests actively scanning for access
points.
▪ When closed network implemented
• The access point responds to null probe requests with null probe
responses
• SSID is hidden to client stations that are using active scanning

© CWNA Study Guide Wireless Network Devices 5-129


SSID Cloaking (4)
❖ An access point in a closed network
▪ Responds to any configured client station that transmits probe requests with the properly configured SSID.
• This ensures that legitimate end users will be able to authenticate and
associate to the AP.
▪ Any stations that are not configured with the correct SSID will
not be able to authenticate or associate.

© CWNA Study Guide Wireless Network Devices 5-130


SSID Cloaking (5)
❖ Layer 2 wireless protocol analyzer
▪ Implementing a closed network will indeed hide your SSID
• from NetStumbler and other WLAN discovery tools
▪ A Layer 2 wireless protocol analyzer, however,
• Can capture the frames transmitted by any legitimate end user
• In which the SSID is transmitted in cleartext
• And thereby discover the SSID

© CWNA Study Guide Wireless Network Devices 5-131


SSID Cloaking (6)
❖ SSID cloaking - vendor specific
▪ The 802.11 standard does not define SSID cloaking
▪ All implementations of a closed network are vendor specific
▪ Incompatibility can potentially cause connectivity problems
with older legacy cards or when using cards from mixed
vendors on your own network.

© CWNA Study Guide Wireless Network Devices 5-132


Chapter 5: Roadmap
1.1 802.11 Security basics
1.2 Legacy 802.11 Security
1.3 Authentication and Authorization
1.4 WPA/802.11i

Wireless Network Devices 5-133


Authentication and Authorization
❖ Authentication
▪ Authentication is the verification of user identity and
credentials.
▪ Users must identify themselves and present credentials such as
passwords or digital certificates.
❖ Authorization
▪ Granting access to network resources and services
▪ Before authorization to network resources can be granted,
proper authentication must occur.

© CWNA Study Guide Wireless Network Devices 5-134


802.1X/EAP Framework (1)
❖ 802.1X is a port-based access control standard
❖ Authorization framework
▪ Allows or disallows traffic to pass through a port
❖ Implemented in
▪ Wireless or wired environments

© CWNA Study Guide Wireless Network Devices 5-135


802.1X/EAP Framework (2)
❖ Three main components:
▪ Supplicant
▪ Authenticator
▪ Authentication Server (AS)

802.1X/EAP authentication – Generic Frame Exchanges

© CWNA Study Guide Wireless Network Devices 5-136


802.1X/EAP Framework (3)
❖ Supplicant
▪ A host with software that is requesting
• Authentication
• Access to network resources

802.1X/EAP authentication – Generic Frame Exchanges

© CWNA Study Guide Wireless Network Devices 5-137


802.1X/EAP Framework (4)
❖ Authenticator
▪ A device that blocks or allows traffic to pass through its port
• Allows authenticated traffic to pass
• Blocks all other traffic
▪ Maintains two virtual ports:
• Uncontrolled port
– Allows EAP authentication traffic to pass through
• Controlled port
– Blocks all other traffic until the supplicant has been authenticated
802.1X/EAP authentication – Generic Frame Exchanges

© CWNA Study Guide Wireless Network Devices 5-138


802.1X/EAP Framework (5)
❖ Authentication Server (AS)
▪ Validates the credentials of the supplicant that is requesting access
▪ Notifies the authenticator that the supplicant has been authorized
▪ Authentication server
• Maintains a user database or
• May proxy with an external user database to authenticate user credentials
802.1X/EAP authentication – Generic Frame Exchanges

© CWNA Study Guide Wireless Network Devices 5-139


802.1X/EAP Framework (6)
❖ In an 802.3 Ethernet network
▪ Supplicant - Desktop host
▪ Authenticator - Managed switch
▪ Authentication Server - Remote Authentication Dial-In User
Service (RADIUS) server
❖ In an 802.11 wireless environment
▪ Supplicant - client station requesting access to network
resources.
▪ Authenticator - Access point or wireless switch blocking access
via virtual ports
▪ Authentication Server - RADIUS server

© CWNA Study Guide Wireless Network Devices 5-140


802.1X/EAP Framework (7)
❖ Extensible Authentication Protocol (EAP)
▪ Layer 2 authentication protocol that resides under Point-to-Point Protocol (PPP)
▪ The supplicant and the authentication server communicate with each other using the EAP protocol.

802.1X/EAP authentication – Generic Frame Exchanges

© CWNA Study Guide Wireless Network Devices 5-141


802.1X/EAP Framework (8)
EAPoL – EAP over LAN
❖ Extensible Authentication Protocol (EAP)
▪ The authenticator allows the EAP traffic to pass through its virtual uncontrolled port
▪ Once the AS has verified the credentials of the supplicant, the server sends a message to the authenticator that the supplicant has been authenticated and the authenticator is now authorized to open the virtual controlled port, allowing all other traffic to pass through.
802.1X/EAP authentication – Generic Frame Exchanges

© CWNA Study Guide Wireless Network Devices 5-142
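
An added Python simulation (not code from the CWNA study guide) of the authenticator's uncontrolled and controlled virtual ports described on the 802.1X/EAP Framework slides; the frames, MAC addresses and user database are constructed, the AS stands in for a RADIUS server, and the whole EAP method exchange is collapsed into one request and one verdict.

```python
"""Added example: simulation of the 802.1X authenticator's two virtual ports.
Frames, MAC addresses and the user database are constructed; the AS stands in for a
RADIUS server and the multi-round EAP exchange is collapsed into one request/verdict."""
from dataclasses import dataclass

EAPOL_ETHERTYPE = 0x888E   # EAP over LAN frames are identified by this EtherType


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: dict


class AuthenticationServer:
    """Stand-in for the RADIUS server: validates credentials against a user database."""

    def __init__(self, users: dict):
        self._users = users

    def validate(self, identity, credential) -> bool:
        return identity in self._users and self._users[identity] == credential


class Authenticator:
    """The AP: relays EAP through the uncontrolled port and gates everything else."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.authorized = set()   # supplicant MACs whose controlled port is open
        self.log = []

    def receive(self, frame: Frame) -> str:
        if frame.ethertype == EAPOL_ETHERTYPE:
            # Uncontrolled port: EAP traffic always reaches the AS, even before authentication
            verdict = self.server.validate(frame.payload.get("identity"),
                                           frame.payload.get("credential"))
            if verdict:
                self.authorized.add(frame.src_mac)
                result = "EAP-Success: controlled port opened"
            else:
                self.authorized.discard(frame.src_mac)
                result = "EAP-Failure: controlled port stays closed"
        elif frame.src_mac in self.authorized:
            result = "forwarded"          # controlled port is open for this supplicant
        else:
            result = "dropped"            # controlled port blocked: not yet authenticated
        self.log.append((frame.src_mac, result))
        return result

    def logoff(self, src_mac: str) -> None:
        """EAPOL-Logoff: close the supplicant's controlled port again."""
        self.authorized.discard(src_mac)


def run_demo() -> list:
    """Constructed exchange: data frames before, during and after authentication."""
    ap = Authenticator(AuthenticationServer({"alice": "s3cret"}))
    sta = "02:00:00:00:00:01"
    results = [
        ap.receive(Frame(sta, 0x0800, {"ip": "payload"})),
        ap.receive(Frame(sta, EAPOL_ETHERTYPE, {"identity": "alice", "credential": "nope"})),
        ap.receive(Frame(sta, 0x0800, {"ip": "payload"})),
        ap.receive(Frame(sta, EAPOL_ETHERTYPE, {"identity": "alice", "credential": "s3cret"})),
        ap.receive(Frame(sta, 0x0800, {"ip": "payload"})),
    ]
    ap.logoff(sta)
    results.append(ap.receive(Frame(sta, 0x0800, {"ip": "payload"})))
    return results


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```
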
Dynamic Encryption Key Generation (1)
❖ EAP frame exchange
▪ Mutual authentication
▪ Both the AS and the supplicant now know information about each other due to the exchange of credentials
❖ Seeding Material
▪ This new-found information is used as seeding material or keying material
▪ Generate a matching dynamic encryption key for both the supplicant and the authentication server.

© CWNA Study Guide Wireless Network Devices 5-143


Dynamic Encryption Key Generation (2)
❖ Per session per user
▪ These dynamic keys are generated per session per user
▪ Every time a client station authenticates
• A new key is generated
▪ Every user has a unique and separate key

© CWNA Study Guide Wireless Network Devices 5-144


Dynamic Encryption Key Generation (3)
❖ Unicast Key
▪ Dynamically generated key
▪ Used to encrypt and decrypt all unicast data frames
▪ AS delivers its copy of the unicast key to the access point
▪ The access point and the client station now both hold that station's unique unicast key and can use it.
❖ Broadcast key
▪ A second static key exists on the access point known as the broadcast key.
▪ The broadcast key is used to encrypt and decrypt all broadcast and multicast
data frames.
❖ Unicast vs Broadcast key
▪ Each client station has a unique and separate unicast key, but every station
must share the same broadcast key.
▪ The broadcast key is delivered from the access point in a unicast frame
encrypted with each individual client station’s unicast key.

© CWNA Study Guide Wireless Network Devices 5-145


Chapter 5: Roadmap
1.1 802.11 Security basics
1.2 Legacy 802.11 Security
1.3 Authentication and Authorization
1.4 WPA/802.11i

Wireless Network Devices 5-146


WPA/802.11i (1)
❖ 802.11i security amendment
▪ In 2004, the 802.11i security amendment was ratified.
▪ Defines
• Authentication for Enterprise
– Uses 802.1X/EAP authentication method in the enterprise
• Authentication for home use
– Uses preshared key or a passphrase in a SOHO environment
▪ Stronger dynamic key management encryption methods
• CCMP/AES encryption is the default encryption method
• TKIP/RC4 is the optional encryption method

© CWNA Study Guide Wireless Network Devices 5-147


WPA/802.11i (2)
❖ Prior to the ratification of the 802.11i amendment
▪ Wi-Fi Protected Access (WPA) was introduced
▪ By Wi-Fi Alliance
▪ As a snapshot of the not-yet-released 802.11i amendment
▪ Supporting only TKIP/RC4 dynamic encryption key
management
❖ Required
▪ 802.1X/EAP authentication in the enterprise
▪ Passphrase authentication in a SOHO environment

© CWNA Study Guide Wireless Network Devices 5-148


WPA/802.11i (3)
❖ After 802.11i was ratified
▪ WPA2 was introduced
▪ By Wi-Fi Alliance
❖ WPA2
▪ More complete implementation of the 802.11i amendment
▪ Supports both CCMP/AES and TKIP/RC4 dynamic encryption
key management.
▪ 802.1X/EAP authentication is required in the enterprise
▪ Passphrase authentication in a SOHO environment

© CWNA Study Guide Wireless Network Devices 5-149


WPA/802.11i (4)
❖ Comparison of all the various security standards

© CWNA Study Guide Wireless Network Devices 5-150


Robust Security Network (1)
❖ The 802.11i amendment defines
▪ robust security network (RSN)
▪ robust security network associations (RSNAs)
❖ 4-way handshake
▪ two stations (STAs)
• Authenticate and Associate with each other
• Create dynamic encryption keys
❖ RSNA
▪ The association between two stations is referred to as an RSNA.
❖ RSN
▪ Network that only allows for the creation of robust security network
associations (RSNAs)

© CWNA Study Guide Wireless Network Devices 5-151


Robust Security Network (2)
❖ Information Element (IE)
▪ An RSN can be identified by a new field known as the RSN
Information Element (IE)
▪ IE can be found in
• Beacons
• Probe response frames
• Association request frames
• Re-association request frames
▪ This field may identify the cipher suite capabilities of each
station

© CWNA Study Guide Wireless Network Devices 5-152


Robust Security Network (3)
❖ Transition Security Network
▪ The 802.11i amendment does allow for the creation of pre-robust security network associations (pre-RSNAs) as well as RSNAs.
▪ In other words, legacy security measures can be supported in
the same basic service set (BSS) along with 802.11i security
defined mechanisms.
▪ A transition security network (TSN) supports 802.11i defined
security as well as legacy security such as WEP within the same
BSS.

© CWNA Study Guide Wireless Network Devices 5-153


4-Way Handshake (1)
❖ Dynamic Encryption Key Management
▪ Robust secure network associations
(RSNAs) utilize a dynamic encryption key
management method
❖ Two master keys
▪ Group Master Key (GMK)
▪ Pairwise Master Key (PMK)
❖ Creation of master keys
▪ These keys are created as a result of
802.1X/EAP authentication.
▪ A PMK can also be created from a preshared key
(WPA2 Passphrase) typically used in SOHO
authentication.
❖ Seeding material
▪ These master keys are the seeding material that
is used to create the final dynamic keys that are
actually used for encryption and decryption.

© CWNA Study Guide Wireless Network Devices 5-154


4-Way Handshake (2)
❖ Final encryption keys
▪ Pairwise Transient Key (PTK)
▪ Group Temporal Key (GTK)
❖ Creation of final encryption keys
▪ These final keys are created during a four-way EAP frame exchange that is known as the 4-way handshake.
❖ The 4-way handshake
▪ will always be the final four frames exchanged during either 802.1X/EAP authentication or passphrase authentication.
❖ Whenever TKIP/RC4 or CCMP/AES dynamic keys are created
▪ the 4-way handshake must occur

© CWNA Study Guide Wireless Network Devices 5-155


WPA/WPA2 Personal
❖ RADIUS Server
▪ Required for 802.1X/EAP authentication
❖ WPA/WPA2 Enterprise solutions require
▪ 802.1X for mutual authentication using some form of EAP.
▪ Additionally, an authentication server will be needed.
❖ Simple method of authentication
▪ Do not have a RADIUS server
▪ 802.11i amendment offers a simpler method of authentication using a
preshared key (PSK).
❖ Authentication and Encryption key generation
▪ Manually typing matching passphrases on both the access point and all client
stations that will need to be able to associate to the wireless network.
▪ An algorithm is run that converts the passphrase to a Pairwise Master Key
(PMK) used with the 4-way handshake to create the final dynamic
encryption keys.

© CWNA Study Guide Wireless Network Devices 5-156
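
The passphrase-to-PMK conversion, the per-session key derivation and the 4-way handshake described on the preceding slides, as an added example (not code from the CWNA study guide) in Python with only the standard library. The PBKDF2, PRF and EAPOL-Key MIC constructions are the ones the 802.11i amendment specifies; the MAC addresses, nonces and message bodies are constructed stand-ins for real EAPOL-Key frames.

```python
"""Added example: WPA2-Personal key derivation and the 4-way handshake, stdlib only.
PSK->PMK (PBKDF2), PTK expansion (PRF) and the Key MIC follow the 802.11i amendment;
the message bodies, MAC addresses and nonces are constructed stand-ins."""
import hashlib
import hmac
import os


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               tkip: bool = False) -> dict:
    """PTK = PRF(PMK, "Pairwise key expansion", min/max(AA, SPA) || min/max(ANonce, SNonce)).
    CCMP takes 384 bits (KCK | KEK | TK); TKIP takes 512 (plus the two 64-bit Michael MIC keys)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48], "ptk": ptk}


def eapol_mic(kck: bytes, eapol_key_frame: bytes) -> bytes:
    """Key MIC for key-descriptor version 2 (CCMP): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, eapol_key_frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_passphrase, sta_passphrase, ssid, aa, spa, anonce=None, snonce=None):
    """Run the exchange between an AP (address AA) and a station (SPA); return the outcome."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    pmk_ap = psk_from_passphrase(ap_passphrase, ssid)      # each side knows only its own PMK
    pmk_sta = psk_from_passphrase(sta_passphrase, ssid)
    # Message 1 (AP -> STA): ANonce in the clear. The STA can now derive its PTK.
    ptk_sta = derive_ptk(pmk_sta, aa, spa, anonce, snonce)
    # Message 2 (STA -> AP): SNonce plus a MIC keyed with the STA's KCK.
    msg2 = b"MSG2" + snonce                                # constructed stand-in body
    mic2 = eapol_mic(ptk_sta["kck"], msg2)
    # The AP derives its PTK and checks the MIC: only a STA with the same PMK passes.
    ptk_ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic2, eapol_mic(ptk_ap["kck"], msg2)):
        return {"success": False, "reason": "message 2 MIC invalid: PMK mismatch"}
    # Message 3 (AP -> STA): MIC-protected, proving the AP holds the PMK too; a real
    # frame also carries the GTK (broadcast key) wrapped with the KEK.
    msg3 = b"MSG3" + anonce
    mic3 = eapol_mic(ptk_ap["kck"], msg3)
    ap_proved = hmac.compare_digest(mic3, eapol_mic(ptk_sta["kck"], msg3))
    # Message 4 (STA -> AP) acknowledges; both sides then install TK for unicast data.
    return {"success": ap_proved, "tk_sta": ptk_sta["tk"], "tk_ap": ptk_ap["tk"]}


if __name__ == "__main__":
    aa = bytes.fromhex("00a1b2c3d4e5")   # constructed AP address
    spa = bytes.fromhex("02f1e2d3c4b5")  # constructed station address
    print(four_way_handshake("correct horse", "correct horse", "lab-ssid", aa, spa))
    print(four_way_handshake("correct horse", "wrong  horse", "lab-ssid", aa, spa))
```
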


TKIP (1)
❖ Temporal Key Integrity Protocol (TKIP)
❖ Optional
▪ Optional encryption method defined by the 802.11i amendment
❖ RC4 Cipher
▪ Uses the RC4 cipher just as WEP encryption does
❖ Enhancement of WEP
▪ TKIP is actually an enhancement of WEP encryption that
addresses many of the known weaknesses of WEP.

© CWNA Study Guide Wireless Network Devices 5-157


TKIP (2)
❖ Three new security Features
▪ Per-packet key mixing (Key Mixing Function)
▪ Sequencing Method (Sequence Counter)
▪ Message Integrity Check (MIC)

© CWNA Study Guide Wireless Network Devices 5-158


TKIP (3)
❖ Per-packet key mixing
▪ 128-bit temporal key (Secret Key)
▪ Combined with
• 48-bit Initialization Vector (IV)
• Source and Destination MAC addresses
▪ This key mixing process mitigates the known IV collision and
weak key attacks used against WEP.

© CWNA Study Guide Wireless Network Devices 5-159


TKIP (4)
❖ Sequencing Method (Sequence Counter)
▪ To mitigate the re-injection attacks used against WEP
▪ Packets received out of order will be rejected by the access
point
❖ Message Integrity Check
▪ Uses a stronger data integrity check
▪ Known as the Message Integrity Check (MIC)
▪ To mitigate known bit-flipping attacks against WEP
▪ The MIC is sometimes referred to by the nickname Michael

© CWNA Study Guide Wireless Network Devices 5-160


TKIP (5)
❖ WEP encryption
▪ will add an extra 8 bytes (64 bits) of overhead to the body of an
802.11 data frame.
❖ When TKIP is implemented
▪ Because of the extra overhead from the extended IV and the
MIC
▪ Total of 20 bytes of overhead is added to the body of an 802.11
data frame
❖ TKIP uses the RC4 algorithm
▪ Simply WEP that has been enhanced
▪ Most vendors released a WPA firmware upgrade that gave
legacy WEP-only cards the capability of using TKIP encryption

© CWNA Study Guide Wireless Network Devices 5-161


CCMP (1)
❖ Counter mode with Cipher Block Chaining-Message Authentication
Code (CCMP)
▪ Counter mode CBC-MAC Protocol or CCM mode Protocol (CCMP)
❖ Default encryption method defined under the 802.11i amendment
❖ Uses the Advanced Encryption Standard (AES) algorithm (Rijndael
algorithm)
❖ CCMP/AES
▪ Uses a 128-bit encryption key size
▪ Encrypts in 128-bit fixed length blocks
❖ Message Integrity Check
▪ An 8-byte Message Integrity Check is used that is considered much stronger
than the one used in TKIP.
❖ Per packet key mixing
▪ Because of the strength of the AES cipher, per-packet key mixing is
unnecessary.

© CWNA Study Guide Wireless Network Devices 5-162


CCMP (2)
❖ Overhead
▪ CCMP/AES encryption will add an extra 16 bytes (128 bits) of
overhead to the body of an 802.11 data frame
❖ Older Legacy Radio Cards
▪ Because the AES cipher is processor intensive
▪ Older legacy radio cards will not have the processing power
necessary to perform AES calculations
❖ Hardware Upgrade
▪ Older radio cards will not be firmware upgradeable
▪ Hardware upgrade is often needed to support WPA2
▪ Because of the requirement to upgrade the hardware to
implement AES, the transition to WPA2 has been slow.

© CWNA Study Guide Wireless Network Devices 5-163
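
For the TKIP sequence counter and the overhead figures on the TKIP and CCMP slides (20 bytes for TKIP, 16 for CCMP), an added example (not code from the CWNA study guide) that builds and parses both frame-body layouts as the 802.11 standard lays them out and runs the receiver's replay check; the data, MIC and ICV contents are constructed placeholders, not real ciphertext.

```python
"""Added example: the per-frame overhead that TKIP (20 bytes) and CCMP (16 bytes) add to
an 802.11 data frame body, and the receiver-side sequence check. The frame bodies built
here are constructed: the data, MIC and ICV fields are placeholders, not real ciphertext."""

WEP_OVERHEAD = 8     # 4-byte IV/KeyID + 4-byte ICV
TKIP_OVERHEAD = 20   # 4-byte IV/KeyID + 4-byte Extended IV + 8-byte MIC + 4-byte ICV
CCMP_OVERHEAD = 16   # 8-byte CCMP header (PN + KeyID) + 8-byte MIC
EXT_IV = 0x20        # bit 5 of the KeyID byte: extended IV present (TKIP and CCMP)


def build_tkip_body(tsc: int, key_id: int, data: bytes, mic: bytes, icv: bytes) -> bytes:
    """TKIP header: TSC1, WEPSeed[1], TSC0, KeyID | ExtIV, then TSC2..TSC5 (Extended IV)."""
    b = tsc.to_bytes(6, "little")                # b[0] = TSC0 ... b[5] = TSC5
    header = bytes([b[1], (b[1] | 0x20) & 0x7F, b[0], EXT_IV | ((key_id & 3) << 6)]) + b[2:6]
    return header + data + mic + icv


def parse_tkip_body(body: bytes) -> dict:
    if len(body) < TKIP_OVERHEAD or not body[3] & EXT_IV:
        raise ValueError("not a TKIP-protected frame body")
    tsc = body[2] | (body[0] << 8) | (int.from_bytes(body[4:8], "little") << 16)
    return {"key_id": body[3] >> 6, "tsc": tsc, "data": body[8:-12],
            "mic": body[-12:-4], "icv": body[-4:]}


def build_ccmp_body(pn: int, key_id: int, data: bytes, mic: bytes) -> bytes:
    """CCMP header: PN0, PN1, reserved, KeyID | ExtIV, then PN2..PN5."""
    b = pn.to_bytes(6, "little")
    header = bytes([b[0], b[1], 0x00, EXT_IV | ((key_id & 3) << 6)]) + b[2:6]
    return header + data + mic


def parse_ccmp_body(body: bytes) -> dict:
    if len(body) < CCMP_OVERHEAD or not body[3] & EXT_IV:
        raise ValueError("not a CCMP-protected frame body")
    pn = body[0] | (body[1] << 8) | (int.from_bytes(body[4:8], "little") << 16)
    return {"key_id": body[3] >> 6, "pn": pn, "data": body[8:-8], "mic": body[-8:]}


class ReplayCheck:
    """Sequence counter enforcement: the TSC/PN of an accepted frame must be strictly
    greater than the last one accepted for that transmitter and key; anything else is
    discarded, which is what defeats WEP-style re-injection of captured frames."""

    def __init__(self):
        self._last = {}

    def accept(self, transmitter: str, key_id: int, counter: int) -> bool:
        key = (transmitter, key_id)
        if counter <= self._last.get(key, -1):
            return False
        self._last[key] = counter
        return True


def filter_replays(transmitter: str, bodies, parse=parse_ccmp_body) -> list:
    """Run received bodies through the check; return one accept/reject verdict per frame."""
    check = ReplayCheck()
    verdicts = []
    for body in bodies:
        fields = parse(body)
        counter = fields["pn"] if "pn" in fields else fields["tsc"]
        verdicts.append(check.accept(transmitter, fields["key_id"], counter))
    return verdicts


if __name__ == "__main__":
    # Constructed stream: PN 2 arrives a second time, PN 4 arrives after 5
    sample = [build_ccmp_body(pn, 0, b"payload", b"M" * 8) for pn in (1, 2, 3, 2, 5, 4)]
    print(filter_replays("00:11:22:33:44:55", sample))
```
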


CCMP (4)
❖ Software upgrade
▪ There are some vendors that still attempt to achieve this in
software rather than through a hardware mechanism.
▪ Software solutions will always perform substantially slower.

© CWNA Study Guide Wireless Network Devices 5-164


END

Wireless Network Devices 5-165
