Date posted: 01-Apr-2015
Wireless LAN Management
w.lilakiatsakun
Topics
- Wireless LAN fundamentals: link characteristics, bands and spectrum, IEEE 802.11 architecture and channel allocation
- Wireless LAN solutions: ad hoc / infrastructure, load balancing, Extended Service Set (roaming), wireless repeater / bridge
- Wireless LAN security
Wireless Link Characteristics
Differences from a wired link:
- Decreased signal strength: a radio signal attenuates as it propagates through matter (path loss).
- Interference from other sources: the standardized wireless network frequencies (e.g., 2.4 GHz) are shared by other devices (e.g., cordless phones); devices such as motors interfere as well.
- Multipath propagation: the radio signal reflects off objects and the ground, arriving at the destination at slightly different times.
Transmission over a wireless link therefore suffers loss and errors more often than transmission over a wire.
Wireless network characteristics
[Figure: stations A, B and C in a line, with A's and C's signal strength plotted against space]
Hidden terminal problem: B and A hear each other, and B and C hear each other, but A and C cannot hear each other. A and C are therefore unaware that they interfere with each other at B.
Signal fading: the same situation arises from attenuation. B and A hear each other, and B and C hear each other, but A's and C's signals have faded too much by the time they reach each other, so A and C still interfere at B.
Unlicensed Spectrum
ISM stands for Industrial, Scientific and Medical. The ISM bands are implemented differently in different countries:

Band      FCC freq. (US)     ETSI freq. (EU)    Main use
ISM-900   902-928 MHz        890-906 MHz        Food processing
ISM-2.4   2.4-2.4835 GHz     2.4-2.5 GHz        Microwave ovens
ISM-5.8   5.725-5.850 GHz    5.725-5.875 GHz    Medical scanners
ISM Band
Only the ISM-2.4 band is available in every country. It is shared by microwave ovens, medical equipment and communication systems such as wireless LAN and Bluetooth, so it is crowded. Communication systems use spread spectrum to tolerate the interference.
IEEE 802.11 Wireless LAN
802.11b
- 2.4 GHz unlicensed radio spectrum
- Uses CCK (Complementary Code Keying) to improve the data rate
- Backward compatible with DSSS systems; not compatible with FHSS systems
- Max. 11 Mbps, which is the theoretical raw data rate; real throughput is only about 6 Mbps, and only at short range with no interference
802.11a
- 5 GHz band, OFDM, up to 54 Mbps (about 31 Mbps real throughput)
802.11g
- 2.4 GHz band, CCK-OFDM, backward compatible with IEEE 802.11b, up to 54 Mbps (about 31 Mbps real throughput)
All use CSMA/CA for multiple access.
Wireless LAN standards
802.11 LAN architecture
- A wireless host communicates with a base station; base station = access point (AP).
- Basic Service Set (BSS), aka "cell": in infrastructure mode it contains wireless hosts and an access point (AP, the base station); in ad hoc mode it contains hosts only.
[Figure: two BSSs, each with its own AP, connected through a hub, switch or router to the Internet]
IEEE 802.11: multiple access
- Goal: avoid collisions, i.e. 2+ nodes transmitting at the same time.
- 802.11 uses CSMA: sense before transmitting, so as not to collide with an ongoing transmission by another node.
- 802.11 has no collision detection: it is difficult to receive (and so to sense collisions) while transmitting, because the received signal is weak compared with the node's own transmission (fading), and not all collisions can be sensed in any case (hidden terminals, fading).
- Hence the goal is collision avoidance: CSMA/CA.
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. If the channel is sensed idle for DIFS, transmit the entire frame (no collision detection).
2. If the channel is sensed busy, start a random backoff timer. The timer counts down while the channel is idle, and the frame is transmitted when it expires. If no ACK arrives, increase the random backoff interval and repeat step 2.
802.11 receiver: if the frame is received OK, return an ACK after SIFS.
[Figure: the sender waits DIFS and sends data; the receiver waits SIFS and returns an ACK]
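The sender and receiver rules above are easier to reason about as a small slot-level model. The following is an added example, not code from the original slides: it simulates several stations that all hear each other (so no hidden terminals) contending with CSMA/CA, using the 802.11b DSSS timing constants (20 us slot, 10 us SIFS, DIFS = SIFS + 2 slots) and the binary exponential backoff with contention window 31 doubling up to 1023. A collision is modelled as two stations reaching zero backoff in the same slot, which produces no ACK and doubles their windows. The station names, frame counts, frame duration and the RNG seed are constructed for the example; the ACK time is a 14-byte ACK at 1 Mbps with the preamble ignored.

```python
import random

# 802.11b (DSSS) timing, in microseconds
SLOT_US = 20
SIFS_US = 10
DIFS_US = SIFS_US + 2 * SLOT_US      # 50 us: DIFS = SIFS + 2 slot times
ACK_US = 112                         # 14-byte ACK at 1 Mbps, preamble ignored (simplification)
CW_MIN, CW_MAX = 31, 1023            # contention window bounds, in slots


def contention_window(retry: int) -> int:
    """Contention window (slots) after `retry` failed attempts: 31, 63, 127, ... capped at 1023."""
    return min((CW_MIN + 1) << retry, CW_MAX + 1) - 1


class Station:
    def __init__(self, name: str, frames: int, rng: random.Random):
        self.name = name
        self.pending = frames      # frames still to send
        self.retry = 0             # failed attempts for the current frame
        self.backoff = 0           # remaining backoff slots
        self.rng = rng
        self.sent = 0
        self.dropped = 0

    def draw_backoff(self) -> None:
        self.backoff = self.rng.randint(0, contention_window(self.retry))


def simulate(stations, max_retries: int = 7, data_us: int = 1000):
    """Slot-level model of CSMA/CA contention among stations that all hear each other.

    Each round the medium is idle for DIFS, every station with a pending frame counts its
    backoff down, and whoever reaches zero transmits. Stations that did not win keep their
    remaining count (the timer is frozen while the medium is busy). If two stations reach
    zero in the same slot their frames collide: no ACK comes back, and each doubles its
    contention window and draws a new backoff. Returns (elapsed_us, collisions).
    """
    clock = 0
    collisions = 0
    for s in stations:
        if s.pending:
            s.draw_backoff()
    while any(s.pending for s in stations):
        active = [s for s in stations if s.pending]
        clock += DIFS_US
        m = min(s.backoff for s in active)
        clock += m * SLOT_US
        winners = [s for s in active if s.backoff == m]
        for s in active:
            s.backoff -= m                    # losers keep their residual backoff
        clock += data_us                      # frame on the air; no collision detection
        if len(winners) == 1:
            clock += SIFS_US + ACK_US         # receiver ACKs after SIFS
            w = winners[0]
            w.sent += 1
            w.pending -= 1
            w.retry = 0
            if w.pending:
                w.draw_backoff()
        else:
            collisions += 1                   # no ACK: every collider backs off harder
            for w in winners:
                w.retry += 1
                if w.retry > max_retries:     # give up on this frame
                    w.dropped += 1
                    w.pending -= 1
                    w.retry = 0
                if w.pending:
                    w.draw_backoff()
    return clock, collisions


def demo(seed: int = 7, stations: int = 3, frames: int = 50) -> dict:
    """Constructed scenario: `stations` saturated senders, `frames` frames each."""
    rng = random.Random(seed)
    stas = [Station(chr(ord("A") + i), frames, rng) for i in range(stations)]
    elapsed, coll = simulate(stas)
    return {"elapsed_us": elapsed, "collisions": coll,
            "sent": [s.sent for s in stas], "dropped": [s.dropped for s in stas]}


if __name__ == "__main__":
    print(demo())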
Avoiding collisions (more)
Idea: let the sender "reserve" the channel rather than transmit data frames by random access, to avoid collisions of long data frames.
- The sender first transmits a small request-to-send (RTS) packet to the base station using CSMA; RTSs may still collide with each other (but they are short).
- The base station broadcasts a clear-to-send (CTS) in response to the RTS; the CTS is heard by all nodes.
- The sender transmits its data frame; the other stations defer their transmissions.
Collisions of data frames are avoided completely using small reservation packets.
Collision Avoidance: RTS-CTS exchange
[Figure: A and B send RTS(A) and RTS(B) at the same time and the reservations collide; A retries RTS(A), the AP answers CTS(A) to everyone, A sends DATA(A), the AP returns ACK(A), and B defers until the exchange completes]
Channel partitioning in wireless LAN
- With the DSSS modulation technique, the bandwidth used by one channel is 22 MHz.
- In the 2.4 GHz band only about 83 MHz is available.
- Channel centres are 5 MHz apart, so channels must be five channel numbers apart (e.g. 1, 6, 11) to be non-overlapping and avoid interfering with each other.
- Take this into account in frequency reuse and capacity planning.
[Figure: Channel allocation]
[Figure: Relationship between data rate and signal strength]
802.11: Channels, association
- 802.11b: the 2.4 GHz to 2.485 GHz spectrum is divided into 11 channels at different frequencies (in the US; other regulatory domains allow up to 13 or 14).
- The AP admin chooses the frequency for the AP; interference is possible, since the channel can be the same as one chosen by a neighbouring AP.
- A host must associate with an AP: it scans the channels, listening for beacon frames that contain the AP's name (SSID) and MAC address, selects an AP to associate with, and may then perform authentication.
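Beacons are what a scanning host (or a sniffer) actually decodes, so it helps to see the frame layout. The following is an added example, not code from the original slides: a parser for an 802.11 beacon that pulls out the BSSID (address 3 of the MAC header), the beacon interval, the Privacy capability bit (set when the AP requires WEP) and the SSID, supported rates and DS parameter (channel) information elements. It also builds a constructed sample beacon for the test; the BSSID, SSID "MyLAN" and channel numbers are made up. A zero-length SSID element is how an AP that has "closed" its network hides its name.

```python
import struct

BEACON_SUBTYPE = 8
CAP_PRIVACY = 0x0010                       # capability bit 4: WEP/privacy required
IE_SSID, IE_RATES, IE_DS_PARAM = 0, 1, 3   # information element IDs


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes) -> dict:
    """Parse an 802.11 beacon: 24-byte MAC header, 12 bytes of fixed fields, then IEs."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != BEACON_SUBTYPE:
        raise ValueError("not a beacon frame")
    # addr1 = destination (broadcast), addr2 = transmitter, addr3 = BSSID
    bssid = mac_str(frame[16:22])
    body = frame[24:]
    _timestamp, interval_tu, capability = struct.unpack_from("<QHH", body, 0)
    ies = {}
    off = 12
    while off + 2 <= len(body):            # each IE: id, length, data
        eid, elen = body[off], body[off + 1]
        data = body[off + 2: off + 2 + elen]
        if len(data) != elen:
            raise ValueError("truncated information element")
        ies.setdefault(eid, data)
        off += 2 + elen
    ssid = ies.get(IE_SSID, b"")
    rates = [(r & 0x7F) / 2 for r in ies.get(IE_RATES, b"")]   # units of 500 kbps
    ds = ies.get(IE_DS_PARAM)
    return {
        "bssid": bssid,
        "ssid": ssid.decode("utf-8", "replace"),
        "hidden": len(ssid) == 0 or set(ssid) == {0},
        "channel": ds[0] if ds else None,
        "interval_tu": interval_tu,
        "privacy": bool(capability & CAP_PRIVACY),
        "rates_mbps": rates,
    }


def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool) -> bytes:
    """Constructed sample beacon for testing (not a real capture)."""
    header = (struct.pack("<HH", 0x0080, 0)        # frame control: mgmt / beacon, duration 0
              + b"\xff" * 6 + bssid + bssid         # DA broadcast, SA, BSSID
              + struct.pack("<H", 0x0010))          # sequence control
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS (+ Privacy)
    fixed = struct.pack("<QHH", 0, 100, capability)          # timestamp, 100 TU interval
    ies = (bytes([IE_SSID, len(ssid)]) + ssid
           + bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])    # 1, 2, 5.5, 11 Mbps (basic)
           + bytes([IE_DS_PARAM, 1, channel]))
    return header + fixed + ies


if __name__ == "__main__":
    sample = build_beacon(bytes.fromhex("001122334455"), b"MyLAN", 6, True)
    print(parse_beacon(sample))
```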
Interference in wireless LAN
- Microwave ovens: 2450 MHz (about 1000 W), affecting roughly channels 7-10
- Bluetooth devices (0.01 W)
- Cordless phones, toys, etc.
- Use NetStumbler to show the signal-to-noise ratio on the wireless LAN channels
[Figure: NetStumbler screenshot]
Wireless Solutions
- Ad hoc
- Infrastructure
- Load balancing
- Connecting a wireless LAN without an access point
- Extended Service Set
- Extending range with a wireless repeater
- Wireless bridge
Ad hoc: configuration - set the card to ad hoc / peer-to-peer mode; set the BSSID and the channel to use
Infrastructure
Load balancing: since non-overlapping channels are five channel numbers apart, at most 3 access points can be assigned to one overlapping area, on channels 1 / 6 / 11
Connecting a wireless LAN without an access point: use a host acting as the gateway
Extended Service Set: supports mobility (roaming between APs)
Extending range with a wireless repeater
Wireless bridge (point-to-point link)
Wireless LAN security management (1/2)
Common attacks and vulnerabilities
- The weakness in WEP, key management and user behaviour
- Sniffing, interception and eavesdropping
- Spoofing and unauthorized access
- Network hijacking and modification
- Denial of service and flooding attacks
Wireless LAN security management (2/2)
Security countermeasures
- Revisiting policy
- Analysing the threat
- Implementing WEP
- Filtering MAC addresses
- Using closed systems and networks
- Securing users
The weakness in WEP, key management and user behaviour
- Several papers have been published showing vulnerabilities in WEP, and tools exist to recover the encryption key: AirSnort (http://airsnort.shmoo.com), WEPCrack (http://sourceforge.net/projects/wepcrack/).
- IEEE 802.11 states that the secret key used by WEP is to be controlled by an external key management service. Normally, key management is done by the user (defining up to 4 different secret keys); RADIUS (Remote Authentication Dial-In User Service) is not used by small businesses or home users.
- Users often operate devices on their default configuration: SSID broadcast turned on, and the default password used as the secret key (3Com products: comcomcom; Lucent products: the last five digits of the network ID).
Sniffing, interception and eavesdropping
- Sniffing is the electronic form of eavesdropping on the communications that computers have across a network.
- A wireless network is a broadcast (shared) link: every communication across it is viewable to anyone listening, who does not even need to be associated with the network.
- Sniffing tools: all of these packages put the network card into promiscuous mode (on a wireless card, monitor mode is what captures raw 802.11 frames), so every packet that passes the interface is captured and displayed.
  Ethereal www.ethereal.com/ (now Wireshark)
  OmniPeek http://www.wildpackets.com/products/omnipeek
  Tcpdump www.tcpdump.org/
  Ngrep http://ngrep.sourceforge.net/
Spoofing and unauthorized access
- Spoofing: an attacker tricks your network equipment into thinking that the connection comes from one of the allowed machines.
- Several ways to accomplish it: redefine the MAC address to a valid one, via a simple registry edit on Windows, a simple command from a root shell on Unix, or SMAC (a software package for Windows).
Network hijacking and modification
- A malicious user is able to send messages to routing devices and APs stating that their MAC address is associated with a known IP address. From then on, all traffic through that router (or switch) destined for the hijacked IP address is handed off to the hijacker's machine. This is ARP spoofing, or ARP poisoning.
- If the attacker spoofs the default gateway, all machines trying to reach the network connect to the attacker, who can collect passwords and other useful information.
- Use of a rogue AP, to receive authentication requests and information.
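ARP poisoning leaves a recognisable trace on the wire: the same IP address is suddenly claimed by a different MAC address, usually in unsolicited replies. The following is an added example, not code from the original slides, of the detection side: it parses Ethernet/ARP frames, keeps an IP-to-MAC table, and raises an alert when a known binding changes (flagged as "gateway" for addresses you list as protected) or when the Ethernet source differs from the ARP sender field. The MAC and IP addresses and the three sample frames are constructed for the example; the first binding seen is trusted as the baseline, so the watcher must be started before an attacker is on the segment.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes):
    """Return (eth_src, op, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:                     # 14-byte Ethernet header + 28-byte ARP packet
        return None
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return mac_str(eth_src), op, mac_str(sha), ip_str(spa), ip_str(tpa)


class ArpWatch:
    """Track IP -> MAC bindings seen in ARP traffic and flag changes, the symptom of poisoning."""

    def __init__(self, protected_ips=()):
        self.table = {}                     # first binding seen is the baseline (assumption)
        self.protected = set(protected_ips)
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        eth_src, op, sha, spa, _tpa = parsed
        if eth_src != sha:                  # spoofing tools often get this inconsistent
            self.alerts.append(f"ethernet source {eth_src} != ARP sender {sha} for {spa}")
        known = self.table.get(spa)
        if known is None:
            self.table[spa] = sha
        elif known != sha:
            kind = "gateway" if spa in self.protected else "host"
            self.alerts.append(f"{kind} {spa} changed from {known} to {sha} (op={op})")
            self.table[spa] = sha           # keep following the latest claim


def build_arp(op: int, sender_mac: bytes, sender_ip: bytes, target_mac: bytes,
              target_ip: bytes, eth_src: bytes = None) -> bytes:
    """Constructed Ethernet/ARP frame for testing (not a capture)."""
    eth_src = sender_mac if eth_src is None else eth_src
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else target_mac
    ethernet = eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sender_mac + sender_ip + target_mac + target_ip
    return ethernet + arp


def demo() -> list:
    """Constructed sequence: legitimate gateway reply, victim request, then a poisoned reply."""
    gw_mac, gw_ip = bytes.fromhex("aabbccddeeff"), bytes([192, 168, 1, 1])
    victim_mac, victim_ip = bytes.fromhex("001122334455"), bytes([192, 168, 1, 10])
    attacker_mac = bytes.fromhex("0000deadbeef")
    frames = [
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        build_arp(ARP_REQUEST, victim_mac, victim_ip, b"\x00" * 6, gw_ip),
        build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),   # attacker claims the gateway IP
    ]
    watch = ArpWatch(protected_ips=["192.168.1.1"])
    for f in frames:
        watch.observe(f)
    return watch.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```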
Denial of Service and flooding attacks
- One of the original DoS attacks is the ping flood: a large number of hosts or devices send ICMP echo requests to a specified target.
- One possible attack is a massive number of invalid or valid authentication requests; users attempting to authenticate would then have difficulty acquiring a valid session.
- If the hacker can spoof the default gateway, they can prevent every machine on the wireless network from reaching the wired network.
Revisiting policy
- Adjust the corporate security policy to accommodate wireless networks and the users who depend on them.
- Because the wireless environment has no visible connection, good authentication is required.
- Because RF traffic is easy to capture, a good policy should not broadcast the SSID and should implement WEP.
- Do not use default names or passwords when operating AP devices.
Analysing the threat (1/2)
- Identify the assets and the methods of accessing them from an authorized perspective.
- Identify the likelihood that someone other than an authorized user can access the assets.
- Identify the potential damage: defacement, modification, theft, destruction of data.
Analysing the threat (2/2)
- Identify the cost to replace, fix, or track the loss.
- Identify the security countermeasures.
- Identify the cost of implementing the countermeasures: hardware, software and personnel; procedures and limitations on access across the corporate structure.
- Compare the cost of securing the resources against the cost of the damage.
Implementing WEP
- To protect data against sniffing during a session, 128-bit encryption (a 104-bit key plus the 24-bit IV) should be considered the minimum; most APs support both 40-bit and 128-bit encryption.
WEP advantages
- All messages are encrypted, so privacy is maintained.
- Easy to implement.
- WEP keys are user definable and unlimited.
WEP disadvantages
- The RC4 stream cipher, as WEP uses it, can be broken; a longer key does not change that.
- Once the key is changed, everyone has to be told the new key.
- WEP does not provide adequate WLAN security: it only eliminates the curious hacker who lacks the means or desire to really hack your network.
- WEP has to be implemented on every client as well as every AP to be effective.
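The WEP weakness mentioned in both the "weakness in WEP" and "WEP disadvantages" slides is easiest to see in code. The following is an added example, not code from the original slides and not any of the tools it names: it implements RC4 and WEP-style frame encryption (the 3-byte IV sent in the clear, RC4 keyed with IV || shared key; the CRC-32 ICV is left out because it does not affect the point) and then shows the keystream-reuse problem. An eavesdropper who knows the plaintext of one frame under a given IV (the LLC/SNAP header AA AA 03 00 00 00 08 00 at the start of every IP frame is a fixed, known prefix) recovers that IV's keystream and can decrypt any later frame that reuses the IV, without ever learning the key. With only 2^24 IVs, a busy AP cycles through all of them in hours, which is why key length does not help. The shared key, IVs and frame contents are constructed for the example.

```python
from typing import Optional

IV_LEN = 3
IV_SPACE = 1 << (8 * IV_LEN)            # 16,777,216 possible IVs
LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # known prefix of every encrypted IP frame


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4: key-scheduling algorithm, then n bytes of the pseudo-random generation algorithm."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV in the clear, then RC4(IV || key) XOR plaintext (ICV omitted)."""
    if len(iv) != IV_LEN or len(shared_key) not in (5, 13):    # 40-bit or 104-bit key
        raise ValueError("IV must be 3 bytes; key must be 5 or 13 bytes")
    return iv + xor(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)


def wep_decrypt(shared_key: bytes, body: bytes) -> bytes:
    iv, ct = body[:IV_LEN], body[IV_LEN:]
    return xor(rc4_keystream(iv + shared_key, len(ct)), ct)


def recover_keystream(body: bytes, known_plaintext: bytes):
    """Eavesdropper with one frame whose plaintext is known gets that IV's keystream, key unknown."""
    iv, ct = body[:IV_LEN], body[IV_LEN:]
    return iv, xor(ct, known_plaintext)


def decrypt_with_reused_iv(ks_iv: bytes, ks: bytes, body: bytes) -> Optional[bytes]:
    """Any later frame under the same IV uses the same keystream; decrypt it without the key."""
    iv, ct = body[:IV_LEN], body[IV_LEN:]
    if iv != ks_iv or len(ct) > len(ks):
        return None
    return xor(ks[:len(ct)], ct)


def iv_exhaustion_seconds(frames_per_second: float) -> float:
    """Time until an AP that picks a fresh IV per frame has used every IV once."""
    return IV_SPACE / frames_per_second


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                # constructed 40-bit shared key
    iv = b"\x00\x00\x01"
    frame1 = wep_encrypt(key, iv, LLC_SNAP_IP + b"GET /login")
    ks_iv, ks = recover_keystream(frame1, LLC_SNAP_IP + b"GET /login")
    frame2 = wep_encrypt(key, iv, LLC_SNAP_IP + b"pw=secret")  # same IV reused
    print(decrypt_with_reused_iv(ks_iv, ks, frame2))
    print(f"{iv_exhaustion_seconds(1000) / 3600:.1f} hours at 1000 frames/s")
```

Recovering a keystream with a known prefix only yields as many keystream bytes as the known plaintext is long, which is why the example needs the second frame to be no longer than the first; real attacks extend the keystream by other means, and the key-recovery tools the slides name exploit a different RC4 weakness altogether.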
Filtering MAC addresses
- To reduce the number of attack vectors; more practical on small networks.
- It can be performed at the switch attached to the AP or on the AP itself.
MAC filtering advantages
- Predefined users are accepted; filtered MAC addresses do not get access.
MAC filtering disadvantages
- Administrative overhead with a large number of users.
- A MAC address can be reprogrammed (see spoofing above), so filtering alone does not keep a determined attacker out.
Using closed systems and networks
- Turn off SSID broadcasting; use a proper password (WEP key).
- Select "closed wireless system".
Advantages
- The AP does not accept requests that do not name its network.
- Prevents snooping by NetStumbler-style scanning software (the SSID still appears in the clear in probe and association frames, so this only deters casual scanning).
- Easy to implement.
Disadvantages
- Administration required for new users and changes.
Securing users
- Educate users about the threats and where they are at risk; how is a proper password set?
- Provide policies that enable them to secure themselves: change passwords at regular intervals, enforce a minimum password length.
- Create policies that secure users behind the scenes: traffic filtering.
- Some of the rules that should be in place with respect to wireless 802.11: no rogue access points; inventory all wireless cards and their corresponding MAC addresses; no antennas without administrative consent; strong passwords on wireless network devices.
Other methods
- VPN
- WEP + RADIUS
- WPA (Wi-Fi Protected Access), based on IEEE 802.11i
- WPA + RADIUS
- 802.1X + RADIUS with EAP-MD5, LEAP (Cisco), EAP-TLS or EAP-TTLS
- MAC filtering + WEP + RADIUS
Mahanakorn solution
Web recommendation: http://www.thaicert.nectec.or.th/paper/wireless/IEEE80211_4.php