Date post: 23-Dec-2015

Wireless LAN Management

w.lilakiatsakun

Topics

• Wireless LAN fundamental
  – Link characteristic
  – Band and spectrum
  – IEEE 802.11 architecture / channel allocation
• Wireless LAN Solution
  – Ad hoc / infrastructure
  – Load balancing / Extended Service Set (Roaming)
  – Wireless repeater / bridge
• Wireless LAN Management
• Wireless LAN security

Wireless Link Characteristics

Differences from wired link:
  – decreased signal strength: radio signal attenuates as it propagates through matter (path loss)
  – interference from other sources: standardized wireless network frequencies (e.g., 2.4 GHz) are shared by other devices (e.g., phone); devices (motors) interfere as well
  – multipath propagation: radio signal reflects off objects and the ground, arriving at the destination at slightly different times

Transmission over a wireless link induces loss and error more often

Wireless network characteristics

Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C cannot hear each other, which means A, C are unaware of their interference at B

[Figure: hidden terminal problem with nodes A, B and C]

Signal fading:
• B, A hear each other
• B, C hear each other
• A, C cannot hear each other interfering at B

[Figure: A's signal strength and C's signal strength over space, for nodes A, B and C]

Unlicensed Spectrum

• ISM stands for Industrial Scientific and Medical
• Implementation of the ISM bands differs between countries

Band      FCC-Freq. (US)     ETSI-Freq. (EU)    Main Use
ISM-900   902-908 MHz        890-906 MHz        Food Process
ISM-2.4   2.4-2.4835 GHz     2.4-2.5 GHz        Microwave Oven
ISM-5.8   5.725-5.850 GHz    5.725-5.875 GHz    Medical Scanner

ISM Band

• Only ISM-2.4 band is available for every country
  – Microwave oven
  – Medical equipment
  – Communication, e.g. wireless LAN, Bluetooth
• But it is too crowded
  – Communication uses “Spread Spectrum” to avoid interference

IEEE 802.11 Wireless LAN

• 802.11b
  – 2.4 GHz unlicensed radio spectrum
  – Using CCK (Complementary Code Keying) to improve data rate
  – Backward compatible with DSSS system
  – Not compatible with FHSS system
  – Max. at 11 Mbps: theoretical max capacity (raw data rate)
  – Max data rate is only 6 Mbps (only short range and no interference)

IEEE 802.11 Wireless LAN

• 802.11a
  – 5 GHz range, OFDM
  – up to 54 Mbps (31 Mbps real throughput)
• 802.11g
  – 2.4 GHz range, CCK-OFDM, backward compatible with IEEE 802.11b
  – up to 54 Mbps (31 Mbps real throughput)
• All use CSMA/CA for multiple access

Wireless LAN standards

802.11 LAN architecture

• wireless host communicates with base station
  – base station = access point (AP)
• Basic Service Set (BSS) (aka “cell”) in infrastructure mode contains:
  – wireless hosts
  – access point (AP): base station
  – ad hoc mode: hosts only

[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

IEEE 802.11: multiple access

• avoid collisions: 2+ nodes transmitting at same time
• 802.11: CSMA - sense before transmitting
  – don’t collide with ongoing transmission by other node
• 802.11: no collision detection!
  – difficult to receive (sense collisions) when transmitting due to weak received signals (fading)
  – can’t sense all collisions in any case: hidden terminal, fading
  – goal: avoid collisions: CSMA/C(ollision)A(voidance)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1 if sense channel idle for DIFS then
    transmit entire frame (no CD)
2 if sense channel busy then
    start random backoff time
    timer counts down while channel idle
    transmit when timer expires
    if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK
    return ACK after SIFS

[Figure: sender/receiver timeline: DIFS, data, SIFS, ACK]

Avoiding collisions (more)

idea: allow sender to “reserve” channel rather than random access of data frames: avoid collisions of long data frames

• sender first transmits small request-to-send (RTS) packets to BS using CSMA
  – RTSs may still collide with each other (but they’re short)
• BS broadcasts clear-to-send CTS in response to RTS
• CTS heard by all nodes
  – sender transmits data frame
  – other stations defer transmissions

Avoid data frame collisions completely using small reservation packets!

Collision Avoidance: RTS-CTS exchange

[Figure: RTS-CTS exchange over time between A, B and the AP, showing RTS(A) and RTS(B) (reservation collision), RTS(A), CTS(A), DATA (A) while the other station defers, and ACK(A)]

Channel partitioning in wireless LAN

• With DSSS modulation technique, bandwidth used for one channel is 22 Mbps
• In the 2.4 GHz band, only 83 MHz of bandwidth is available
• So we need a spacing of 5 channels for non-overlapping channels
  – Avoiding interference between each other
• Consider frequency reuse and capacity increment

Channel Allocation

Relationship between Data rate and signal strength

802.11: Channels, association

• 802.11b: 2.4GHz-2.485GHz spectrum divided into 11 channels at different frequencies
  – AP admin chooses frequency for AP
  – interference possible: channel can be same as that chosen by neighboring AP!
• host: must associate with an AP
  – scans channels, listening for beacon frames containing AP’s name (SSID) and MAC address
  – selects AP to associate with
  – may perform authentication

Interferences in wireless LAN

• Microwave oven – 2450 MHz (1000 watts)
  – Around channel 7-10
• Bluetooth device (0.01 W)
• Cordless Phone
• Toys, etc.
• Use Network Stumbler to show signal / noise ratio on wireless LAN channels

Network Stumbler

Wireless Solution

• Ad hoc
• Infrastructure
• Load balancing
• Connect wireless LAN without access point
• Extended Service Set
• Extend range with wireless repeater
• Wireless bridge

Ad hoc

• Configuration – set as Ad hoc / Peer to peer
• Set BSSID and channel to use

Infrastructure

Load balancing

• 5 channel space
• Maximum 3 access points assigned on overlapped area
• Channel 1 / 6 / 11
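The 5-channel spacing from the channel partitioning slide and the 1 / 6 / 11 plan above can be checked mechanically. The following is an added example, not part of the original slides; it assumes that channel n is centred at 2407 + 5n MHz and that one DSSS channel occupies 22 MHz (reading the slide's "22" as channel width), and the AP names are constructed.

```python
# Added example (not from the slides): check an AP channel plan for overlap
# in the 2.4 GHz band.
# Assumptions: channel n is centred at 2407 + 5*n MHz, and one DSSS channel
# occupies 22 MHz (the slide's "22" read as channel width).

CHANNEL_WIDTH_MHZ = 22
FIRST_CHANNEL, LAST_CHANNEL = 1, 11   # the 11 channels named on the slides


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if not FIRST_CHANNEL <= channel <= LAST_CHANNEL:
        raise ValueError(f"channel {channel} outside {FIRST_CHANNEL}-{LAST_CHANNEL}")
    return 2407 + 5 * channel


def overlaps(ch_a, ch_b):
    """True when the two 22 MHz wide channels share spectrum."""
    return abs(centre_mhz(ch_a) - centre_mhz(ch_b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set():
    """Greedy pick, lowest channel first, of mutually non-overlapping channels."""
    chosen = []
    for ch in range(FIRST_CHANNEL, LAST_CHANNEL + 1):
        if not any(overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def plan_conflicts(plan, adjacent_cells):
    """Return (ap_a, ap_b, ch_a, ch_b) for neighbouring APs that interfere.

    plan maps AP name -> channel; adjacent_cells lists pairs of APs whose
    coverage areas overlap. Co-channel neighbours are reported as well.
    """
    return [
        (a, b, plan[a], plan[b])
        for a, b in adjacent_cells
        if overlaps(plan[a], plan[b])
    ]


# Constructed sample: three APs whose cells all overlap each other.
SAMPLE_PLAN = {"ap-lobby": 1, "ap-office": 4, "ap-lab": 11}
SAMPLE_ADJACENT = [
    ("ap-lobby", "ap-office"),
    ("ap-office", "ap-lab"),
    ("ap-lobby", "ap-lab"),
]

if __name__ == "__main__":
    print("non-overlapping channels:", non_overlapping_set())
    for a, b, ch_a, ch_b in plan_conflicts(SAMPLE_PLAN, SAMPLE_ADJACENT):
        print(f"{a} (ch {ch_a}) overlaps {b} (ch {ch_b})")
```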

Connect wireless LAN without access point

• Use a host to act as gateway

Extended Service Set

Support mobility

Extend range with Wireless repeater

Wireless bridge (Point to point link)

Wireless LAN Management

• WLAN Management may involve three primary functions:
  – Discovering the WLAN devices
  – Monitoring the WLAN devices
  – Configuring the WLAN devices

Discovering the WLAN devices

• ICMP, SNMP, Telnet, CLI, AP Scan, RF Scan, CDP etc. are used to discover devices in your WLAN.
• The dedicated RF sensors that come as additional hardware components with WiFi Manager perform the RF scan, discover every element that is transmitting on the air and ensure a 100% complete discovery of WLAN devices.

Monitoring the WLAN devices (1/2)

• Threshold monitoring: Sets threshold values for key parameters and alerts you when the actual values exceed the set threshold levels.
• Service monitoring: Monitors the services running in the Access Points such as the web service.
• Performance monitoring: Monitors the WLAN devices for various parameters such as Tx/Rx traffic and utilization, data rate, channel usage, errors etc.

Monitoring the WLAN devices (2/2)

• Trap reception: Receives traps and alerts the operator
• Alarms: Shows the severity of every network failure and generates alarms
• Email-based notification: Notifies operators through email when a fault occurs

Configuring the WLAN devices

• It consists of
  – AP configuration
  – Firmware upgrade
• From a management perspective, it can be done as
  – Group management
  – Individual

Access Point Configuration

• AP basic configuration
• AP ACL configuration
• AP security configuration
• AP services configuration

AP basic configuration (1/2)

• SSID – service set identifier for the access point
• Allow broadcast SSID – enable/disable AP to broadcast the SSID
• Allow auto channel select – enable/disable AP to auto select the channel
• Channel – specify the channel at which the AP operates (applicable only if allow auto channel select is NO)
• Name – name of the access point

AP basic configuration (2/2)

• System Location – sysLocation value of the access point
• System Contact – sysContact value of the access point
• Use DHCP – enable/disable DHCP mode in AP
• LAN IP – IP address of the AP (applicable only if Use DHCP is NO)
• Subnet Mask – mask value
• Gateway IP – IP address of the gateway
• DNS server IP – IP address of the DNS server

AP ACL configuration

• WLAN administrators can deny or allow network access to wireless clients by configuring the ACL settings in the access points.
• Block – prevents access to specified MAC addresses and allows others
• Pass through – allows only the specified MAC addresses and blocks others

AP Security Configuration

• WEP – Encrypts data. Provide WEP keys
• 802.1x – Enables user authentication.
  – at least one RADIUS server is provided
• WPA – 802.1x + TKIP + dynamic key distribution
• WPA PSK
  – Uses pre-shared key instead of RADIUS
• Mixed mode – Allows both WPA as well as non-WPA clients

AP Service Configuration

• Management services such as SNMP, HTTP, Telnet, and NTP running in access points can be configured.
• SNMP: Enable/Disable, Read/Read-Write Community, Trap Destination/Community, Enable Trap Notifications
• HTTP: Enable/Disable, HTTP Port
• Telnet: Enable/Disable, Telnet Port
• NTP: Enable/Disable, NTP Server Address

Wireless LAN security management (1/2)

• Common attack and vulnerability
  – The weakness in WEP & key management & user behavior
  – Sniffing, interception and eavesdropping
  – Spoofing and unauthorized access
  – Network hijacking and modification
  – Denial of Service and flooding attacks

Wireless LAN security management (2/2)

• Security countermeasure
  – Revisiting policy
  – Analyzing the threat
  – Implementing WEP
  – Filtering MAC
  – Using closed systems and networks
  – Securing users

The weakness in WEP & key management & user behavior

• Several papers were published to show vulnerabilities in WEP, along with tools to recover the encryption key
  – AirSnort (http://airsnort.shmoo.com)
  – WEPCrack (http://sourceforge.net/projects/wepcrack/)
• IEEE 802.11 outlines that the secret key used by WEP needs to be controlled by external key management
  – Normally, key management is done by the user (define 4 different secret keys)
  – RADIUS (Remote Dial-In User Service) is not used by small businesses or home users

The weakness in WEP & key management & user behavior

• Users often operate the devices on default configuration
  – SSID broadcast – turned on
  – Default password as a secret key
    • 3com product – comcomcom
    • Lucent product – the last five digits of the network ID

Sniffing, interception and eavesdropping

• Sniffing is the electronic form of eavesdropping on the communications that computers have across a network
• A wireless network is a broadcast (shared) link
• Every communication across the wireless network is viewable to anyone who is listening to the network
• The listener does not even need to be associated with the network

Sniffing tools

• All software packages put the network card in promiscuous mode: every packet that passes its interface is captured and displayed
• Ethereal
  – www.ethereal.com/
• OmniPeek
  – http://www.wildpackets.com/products/omnipeek
• Tcpdump
  – www.tcpdump.org/
• Ngrep
  – http://ngrep.sourceforge.net/

Spoofing and unauthorized access

• Spoofing – An attacker is able to trick your network equipment into thinking that the connection is from one of the allowed machines
• Several ways to accomplish
  – Redefine MAC address to a valid MAC address
  – simple Registry edit for Windows
  – On Unix with a simple command from root shell
  – SMAC (software package on Windows)

Network hijacking and modification

• A malicious user is able to send messages to routing devices and APs stating that their MAC address is associated with a known IP address
• From then on, all traffic that goes through that router (switch) destined for the hijacked IP address will be handed off to the hijacker's machine
• ARP spoof or ARP poisoning

Network hijacking and modification

• If the attacker spoofs as the default gateway
  – All machines trying to get to the network will connect to the attacker
  – To get passwords and necessary information
• Use of rogue AP
  – To receive authentication requests and information
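From the monitoring side, the ARP poisoning described on these two slides shows up as an IP address (typically the gateway) suddenly being claimed by a different MAC address. The following is an added example, not part of the original slides; the observation format, the addresses and the trusted-binding table are constructed for illustration.

```python
# Added example (not from the slides): flag ARP bindings that change.
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) as seen in ARP replies.
SAMPLE_ARP = [
    (1, "192.168.1.1", "00:11:22:33:44:01"),    # default gateway
    (2, "192.168.1.20", "00:11:22:33:44:20"),
    (3, "192.168.1.30", "00:11:22:33:44:30"),
    (40, "192.168.1.1", "00-11-22-33-44-30"),   # host .30 now claims the gateway IP
    (41, "192.168.1.1", "00:11:22:33:44:30"),
    (60, "192.168.1.20", "00:11:22:33:44:20"),
]

# Known-good binding recorded by the administrator (constructed value).
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}


def normalise_mac(mac):
    """Lower-case, colon-separated form so equal addresses compare equal."""
    return mac.strip().lower().replace("-", ":")


def detect_arp_anomalies(observations, trusted=None):
    """Return alerts for IP-to-MAC bindings that contradict earlier knowledge.

    trusted: optional dict of IP -> MAC that must never change (e.g. gateway).
    For other IPs the first binding seen is the baseline, so a legitimate
    re-addressing also raises one alert and has to be confirmed by an operator.
    A host that legitimately owns several IPs raises "mac-claims-multiple-ips".
    """
    trusted = {ip: normalise_mac(m) for ip, m in (trusted or {}).items()}
    first_seen = {}                  # IP -> first MAC observed
    mac_to_ips = defaultdict(set)    # MAC -> every IP it has claimed
    reported = set()                 # suppress repeats of the same alert
    alerts = []

    def alert(ts, kind, ip, mac, expected=None):
        key = (kind, ip, mac)
        if key not in reported:
            reported.add(key)
            alerts.append({"time": ts, "kind": kind, "ip": ip,
                           "claimed_mac": mac, "expected_mac": expected})

    for ts, ip, mac in sorted(observations):
        mac = normalise_mac(mac)
        if ip in trusted:
            if mac != trusted[ip]:
                alert(ts, "trusted-binding-violation", ip, mac, trusted[ip])
        elif first_seen.setdefault(ip, mac) != mac:
            alert(ts, "binding-changed", ip, mac, first_seen[ip])
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alert(ts, "mac-claims-multiple-ips",
                  ",".join(sorted(mac_to_ips[mac])), mac)
    return alerts


if __name__ == "__main__":
    for a in detect_arp_anomalies(SAMPLE_ARP, TRUSTED_BINDINGS):
        print(a)
```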

Denial of Service and flooding attacks

• One of the original DoS attacks is known as a ping flood
  – A large number of hosts or devices send an ICMP echo to a specified target
• One possible attack would be through a massive amount of invalid or valid authentication requests.
  – Users attempting to authenticate themselves would have difficulties in acquiring a valid session
• If a hacker can spoof as the default gateway, it can prevent any machine on the wireless network from accessing the wired network

WLAN Security countermeasure

• Security countermeasure
  – Revisiting policy
  – Analyzing the threat
  – Implementing WEP
  – Filtering MAC
  – Using closed systems and networks
  – Securing users

Revisiting policy

• Adjust corporate security policy to accommodate wireless networks and the users who depend on them
• Because of the wireless environment
  – no visible connection – good authentication required
  – Ease of capture of RF traffic – good policy should not broadcast SSID and should implement WEP
  – Do not use the default name or password in operating AP devices
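The policy points above can be turned into an automated check of each access point's settings. The following is an added example, not part of the original slides; it also applies the 128-bit minimum and the default-key remarks from the WEP slides. The configuration field names and the factory-name list are hypothetical, and the sample configurations are constructed.

```python
# Added example (not from the slides): audit AP settings against the
# policy points listed in this deck. Field names are hypothetical and do
# not follow any vendor's schema.

KNOWN_DEFAULT_KEYS = {"comcomcom"}        # 3com default named on the slides
FACTORY_NAMES = {"default", "wireless"}   # constructed placeholder values


def audit_ap(cfg, factory_names=FACTORY_NAMES):
    """Return a list of (severity, rule, detail) findings for one AP."""
    findings = []

    def add(severity, rule, detail):
        findings.append((severity, rule, detail))

    # "good policy should not broadcast SSID"
    if cfg.get("broadcast_ssid", True):
        add("high", "ssid-broadcast", "Allow broadcast SSID is enabled")

    # "Do not use the default name or password"
    for field in ("ssid", "name"):
        if str(cfg.get(field, "")).strip().lower() in factory_names:
            add("medium", f"factory-default-{field}", f"{field} is a factory value")

    mode = str(cfg.get("security_mode", "none")).lower()
    if mode == "none":
        add("high", "no-encryption", "no WEP/WPA configured")
    elif mode == "wep":
        # "128-bit encryption should be considered as a minimum"
        if int(cfg.get("wep_key_bits", 40)) < 128:
            add("high", "wep-key-too-short", "WEP key shorter than 128 bits")
        # "WEP does not provide adequate WLAN security"
        add("medium", "wep-only", "consider WPA/802.1x from 'Other methods'")

    key = str(cfg.get("secret_key", ""))
    if key.lower() in KNOWN_DEFAULT_KEYS:
        add("high", "default-key", "secret key is a vendor default")
    network_id = str(cfg.get("network_id", ""))
    if key and len(network_id) >= 5 and key == network_id[-5:]:
        add("high", "key-derived-from-network-id",
            "secret key equals the last five digits of the network ID")

    # "Filtering MAC": Block or Pass through ACL mode expected
    if cfg.get("acl_mode") not in ("block", "pass-through"):
        add("low", "no-mac-filter", "no MAC ACL configured")
    return findings


def rules(findings):
    """Just the rule identifiers, in the order they were raised."""
    return [rule for _severity, rule, _detail in findings]


# Constructed sample configurations.
WEAK_AP = {"name": "default", "ssid": "default", "broadcast_ssid": True,
           "security_mode": "wep", "wep_key_bits": 40,
           "secret_key": "comcomcom", "acl_mode": None}
NETWORK_ID_KEY_AP = {"name": "ap-store", "ssid": "store-wlan",
                     "broadcast_ssid": False, "security_mode": "wep",
                     "wep_key_bits": 128, "network_id": "0048213",
                     "secret_key": "48213", "acl_mode": "pass-through"}
HARDENED_AP = {"name": "ap-floor2-east", "ssid": "corp-wlan",
               "broadcast_ssid": False, "security_mode": "wpa",
               "acl_mode": "pass-through"}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        print(label, audit_ap(cfg))
```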

Analyzing the threat (1/2)

• Identify assets and the method of accessing these from an authorized perspective
• Identify the likelihood that someone other than an authorized user can access the assets
• Identify potential damages
  – Defacement
  – Modification
  – Theft
  – Destruction of data

Analyzing the threat (2/2)

• Identify the cost to replace, fix, or track the loss
• Identify security countermeasures
• Identify the cost in implementation of the countermeasures
  – Hardware/software/personnel
  – Procedures / limitations on access across the corporate structure
• Compare costs of securing the resources versus the cost of damage

Implementing WEP

• To protect against data sniffing during a session
• 128-bit encryption should be considered as a minimum
  – Most APs support both 40-bit and 128-bit encryption
• WEP advantages
  – All messages are encrypted so privacy is maintained
  – Easy to implement
  – WEP keys are user definable and unlimited

Implementing WEP

• WEP disadvantages
  – The RC4 encryption algorithm is a known stream cipher that can be broken
  – Once the key is changed, everyone needs to be informed
  – WEP does not provide adequate WLAN security
    • Only eliminates the curious hacker who lacks the means or desire to really hack your network
  – WEP has to be implemented on every client as well as every AP to be effective

Filtering MAC

• To minimize the number of attacks
  – More practical on small networks
• It can be performed at the switch attached to the AP or on the AP itself
• MAC filtering advantages
  – Predefined users are accepted; filtered MACs do not get access
• MAC filtering disadvantages
  – Administrative overhead – large amount of users
  – MAC address can be reprogrammed

Using closed systems and networks

• Turn off broadcasting SSID, use proper password (WEP)
• Select “close wireless system”
• Advantages
  – AP does not accept unrecognized network requests
  – Preventing NetStumbler snooping software
  – Easy to implement
• Disadvantages
  – Administration required for new users and changes

Securing users

• Educate the users about the threats and where they are at risk
  – How is a proper password set?
• Provide policies that enable them to successfully secure themselves
  – Change password at regular intervals
  – Minimum password length
• Create policies that secure users behind the scenes
  – Filtering traffic

Securing users

• Some of the rule sets that should be in place with respect to wireless 802.11
  – No rogue access point
  – Inventory all wireless cards and their corresponding MAC addresses
  – No antennas without administrative consent
  – Strong password on wireless network devices

Other methods

• VPN
• WEP + RADIUS
• WPA2 (Wi-Fi Protected Access)
• WPA + RADIUS
• 802.1x
  – EAP-MD5, LEAP (Cisco), EAP-TLS, EAP-TTLS
• MAC + WPA + RADIUS
  – Mahanakorn solution

Web recommendation: http://www.thaicert.nectec.or.th/paper/wireless/IEEE80211_4.php

802.11i

• Known as WPA2 and also called RSN (Robust Security Network).
• 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher
• The 802.11i architecture contains the following components:
  – 802.1X for authentication
  – RSN for keeping track of associations,
  – AES-based CCMP to provide confidentiality, integrity and origin authentication.

802.1x (1/2)

• It provides an authentication mechanism to devices wishing to attach to a LAN port.
• Either establishing a point-to-point connection or preventing access from that port if authentication fails.
• It is used for most wireless 802.11 access points and is based on the Extensible Authentication Protocol (EAP).

802.1x (2/2)

802.11n (new WLAN standard)

• To improve performance and security for WLAN
  – Net bandwidth 248 Mbps
  – Operates in both the 5 GHz and 2.4 GHz bands
• Technology changes:
  – MIMO (Multiple Input Multiple Output)
  – Channel Bonding can simultaneously use two separate non-overlapping channels to transmit data.
  – Frame Aggregation
  – Backward Compatibility

