
Wireless Technology

802.11x: Wi-Fi Standards - Cutting Through The Confusion

Rob Karnbach, Wireless ME, May 2003

3Com University Live December 2002 Session ID: 110 Rev. page 2

[Slide figure: "Leadership in Wireless Connectivity" - deployment settings (Home, Hotel, Airport, Office, Small Business) mapped onto the Wireless Personal Area Network, Wireless Local Area Network and Wireless Wide Area Network]

3Com Proprietary and Confidential


Technology and Standards Evolution

1997: Original 802.11 spec ratified by the IEEE
1999: 802.11a and 802.11b ratified by the IEEE; WECA formed
2000: Bluetooth products available (802.15)
Today: New network services being added (QoS, IAPP, WEP2, etc.)
Future:
• 54Mbps extension to 802.11b
• 5GHz band (up to 54 Mbps)
• 802.11b & Bluetooth co-existence

New Standards - What are they?


The A,B,G’s of WLANs

Background
• The IEEE finalized the initial standard for WLANs, IEEE 802.11, in June 1997
• The original standard specified a 2.4GHz operating frequency with data rates of 1 and 2Mbps
• There are two categories of specifications
• The first category defines complete wireless LAN systems: 3 main specifications, 802.11a, b, and g
• The second category defines enhancements that mitigate weaknesses in the existing protocols. These are not new systems, but rather extensions that will be applied to the systems specifications. There are currently 6 specifications in this category: 802.11d, e, f, h, i, j


802.11 Systems Overview

802.11a
• Standard Ratified: 2002
• Radio Band: 5GHz
• Data Rates: Up to 54Mbps
• Coverage Area: Up to 50 Meters
• Pros: Less potential for interference; Good support for multimedia apps and densely populated user environments
• Cons: Requires hardware upgrade; Less coverage area

802.11b
• Standard Ratified: 1999
• Radio Band: 2.4GHz
• Data Rates: Up to 11Mbps
• Coverage Area: Up to 100 Meters
• Pros: Certified compatibility through Wi-Fi; Most widely deployed system today
• Cons: Slower data rate; Interference in 2.4GHz band

802.11g
• Standard Ratified: Not Yet Ratified
• Radio Band: 2.4GHz
• Data Rates: Up to 54Mbps
• Coverage Area: Up to 100 Meters
• Pros: Compatible with 802.11b; High data rates and broad coverage area
• Cons: Will not be widely available until late 2003


Recommending the Right WLAN System

Recommend 802.11b if your customer:
• Doesn’t have a need for high-bandwidth
• Isn’t price sensitive
• Wants a large choice of providers/manufacturers
• Wants to give users access to public WLAN hot-spots
• Wants guaranteed compatibility
• Wants to implement a complete WLAN solution today


Recommending the Right WLAN System

Recommend 802.11a if your customer:
• Has a dense user base confined to one coverage area
• Wants to run high-bandwidth applications
  - Voice/video over the wireless network
  - Needs to transfer large data files (CAD files, pre-print publishing documents, other large graphics files)
• Does not need a wide coverage range
• Is not price sensitive (in the short term)
  - It will cost twice as much to cover the same area as 802.11b or g


Recommending the Right WLAN System

Recommend 802.11g if your customer:
• Is willing to wait for the standard to arrive and for products to hit the market
• Wants backward compatibility with an existing 802.11b WLAN
• Wants to maximize current investment
• Needs high-bandwidth
• Has a large coverage area

Quality Of Service - 802.11e

IEEE P802.11 TGe
• Purpose: To enhance the 802.11 Medium Access Control (MAC) to improve and manage Quality of Service (QoS)
• Cannot be supported in current chip design; requires new radio chips
• Can do basic QoS in MAC layer

Inter Access Point Protocol - 802.11f

IEEE P802.11 TGf
• Purpose: To develop a set of requirements for Inter-Access Point Protocol (IAPP), including operational and management aspects
• 3Com’s Role: As chair of this group, drive the work of IAPP towards development of a “Distribution System” consisting of IEEE 802 LAN components supporting an IETF IP environment

Security Today

Local Authentication Options

Local Access Point Authentication/Encryption
• Authentication is done at each Access Point
• Encryption options:
  - No security (encryption)
  - 40-bit encryption shared key
  - 128-bit encryption shared key
  - Dynamic Security Link (128-bit): Username/Password Authentication with 128-bit Dynamic Session key encryption


3Com Access Point 8000 Dynamic Security Link

Dynamic Security Link
• Per user, per session dynamic key with 128-bit encryption
• Unique key automatically generated between the AP & wireless client each session
• Keys are done in the background, automatically, not entered manually
• Internal database supports 1000 username/password
• Provides a superior security solution when the AP is deployed in networks without a centralized authentication server


LEAP - Lightweight Extensible Authentication Protocol (Cisco)
• Cisco only protocol - used to fix WEP
• Requires Cisco or Funk RADIUS Server
• Requires Cisco AP’s
• Requires Cisco or 3Com XJACK client cards
• Is only Dynamic Session Keys (like DSL)
• Very expensive solution for not being Dynamic Encryption Keys


IEEE 802.1x – Port-Based Network Access Control
• 802.1x is a standard for authenticating wireless clients onto a wireless 802.11 network
• It is a key feature in Microsoft’s Windows XP operating system
• Needs to be implemented in conjunction with a centralized RADIUS authentication server supporting EAP-MD5 or EAP-TLS
• Scalable to large enterprise networks
• Authentication is central, rather than in each Access Point


RADIUS Authentication Support

RADIUS Centralized User Authentication
• Authentication is provided between the wireless client and the RADIUS server, in conjunction with the IEEE 802.1x standard-based network log-in
• Any RADIUS supporting EAP-MD5, EAP-TLS, EAP-TTLS
• Implemented in conjunction with 802.1x to provide a secure authentication solution for wireless clients
• For an even more secure solution, 3Com’s Universal Client Certificate supporting EAP-TLS enables RADIUS servers that support EAP-TLS to achieve Dynamic Key Distribution – Per-User / Per-Session key

RADIUS Accounting
• Username, start time, stop time, packet input/output


EAP-MD5

Authentication
• Never sends password in clear text
• Uses MD5 HMAC: 128-bit hash of password comparison
• Most RADIUS Servers support this today: Cisco, Funk, Microsoft
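As an added example (not code from the slides or from any 3Com product), the EAP-MD5 challenge/response the slide describes, from both the RADIUS side and the client side in Python. It assumes the CHAP-style computation EAP-MD5 specifies (RFC 3748 section 5.4, RFC 1994); the AuthServer class, the packet helpers and every username, password and challenge are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct
# EAP-MD5 (RFC 3748 sec. 5.4) computes its Response value as CHAP does (RFC 1994):
#   Value = MD5(Identifier || shared secret || Challenge)
# Usernames, passwords and challenges in this example are constructed sample values.
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4

def md5_challenge_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The only password-derived data that crosses the air: a 16-byte MD5 digest."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def encode_md5_packet(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP layout: Code | Identifier | Length | Type=4 | Value-Size | Value | Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def decode_md5_packet(pkt: bytes):
    """Inverse of encode_md5_packet -> (code, identifier, value, name); rejects bad input."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or len(pkt) < 6 or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP-MD5 packet")
    size = pkt[5]
    return code, identifier, pkt[6:6 + size], pkt[6 + size:]

class AuthServer:
    """RADIUS-side verifier: a fresh random challenge per attempt, checked only once."""
    def __init__(self, users: dict):
        self.users = users     # username -> password (constructed sample database)
        self.pending = {}      # identifier -> outstanding challenge

    def request(self, identifier: int) -> bytes:
        self.pending[identifier] = os.urandom(16)   # never reused, so answers cannot replay
        return encode_md5_packet(EAP_REQUEST, identifier, self.pending[identifier])

    def verify(self, pkt: bytes) -> bool:
        code, identifier, value, name = decode_md5_packet(pkt)
        challenge = self.pending.pop(identifier, None)   # consumed on first use
        secret = self.users.get(name.decode(errors="replace"))
        if code != EAP_RESPONSE or challenge is None or secret is None:
            return False
        expected = md5_challenge_value(identifier, secret.encode(), challenge)
        return hmac.compare_digest(expected, value)      # constant-time comparison

def supplicant_answer(request_pkt: bytes, username: str, password: str) -> bytes:
    """Client side. Simplification: the username rides in the Name field here; in a real
    exchange it comes from the earlier EAP-Identity round. No session key results."""
    _, identifier, challenge, _ = decode_md5_packet(request_pkt)
    value = md5_challenge_value(identifier, password.encode(), challenge)
    return encode_md5_packet(EAP_RESPONSE, identifier, value, username.encode())
```

Only the client is authenticated and nothing is derived for encryption, which is why the later "Basic RADIUS (EAP-MD5)" slide pairs it with a static 40-bit or 128-bit shared key.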


EAP-TLS

Authentication
• Authenticates device and user: device by digital cert, user by Username/Password
• Requires Digital Cert; can store Phase one encryptions on it
• 3Com incorporates 128-bit Dynamic Key encryption with it. Key changes every 15 minutes
• Supported in high end RADIUS Servers, i.e. Microsoft, Funk Steel Belted Radius, Cisco


3Com Universal Client Certificate Supports EAP-TLS
• Certificate is required for mutual-authentication
• Used by any 3Com WLAN client in EAP-TLS authentication mode
• Required for serial authentication
• 3Com developed it to fully utilize the power of EAP-TLS authentication
• Public Key for client is generally expensive to deploy
• Free to 3Com wireless clients


Basic RADIUS (EAP-MD5) (Public Areas)

[Slide figure: Hotel Lobby / Airport WLAN topology - WLAN clients, AP8000, SuperStack3 Firewall, SuperStack Switch, NT or Netware Server, Mgmt. Console, RADIUS Server (EAP-MD5), ATM]

• RADIUS client built into the AP8000
• Provides upper layer authentication through RADIUS supporting EAP-MD5 (Microsoft, Funk, Cisco)
• One-way authentication for the wireless client to be authenticated by the RADIUS server
• Encryption capability can be provided between the client and the AP using 40-bit or 128-bit shared key
• Static key generated in the AP and manually entered in all clients and APs
• Ideal for enterprise networks with legacy RADIUS deployments, requiring centralized user management and basic level of encryption capability


Standard EAP-TLS and 802.1x, with XP Clients and Existing PKI (University Campus)

[Slide figure: campus WLAN topology - Student Dormitory, Main Campus, Library, Registration Office; SuperStack3 Firewall, SuperStack Switch, NT or Netware Server, Mgmt. Console, RADIUS Server (EAP-MD5), RADIUS EAP-TLS; "Login for 802.1X" dialog with Username: 3Com, Password: ********]

• 802.1x is native to the Windows XP Operating System only
• With PKI, each client has a “unique” certificate, issued by an external CA (very expensive to implement)
• The TLS server also needs its own certificate, issued by an external CA
• 3Com’s next generation 802.1x agent will work with 3rd party CA

Disable Microsoft’s 802.1x agent and deploy Serial Authentication using 3Com’s 802.1x agent and achieve:
• Certificate-based mutual authentication using 3Com’s own Universal Client Certificate
• Support for standards based RC4 encryption algorithm (40-bit and 128-bit)
• Dynamic key management supported in the AP8000
• Secure username/password authentication on top of certificate based authentication


EAP-TTLS
• Tunneled EAP-TLS
• Still requires Digital Cert
• But can use MS-CHAP for password checking
• Supported right now only in Funk Software Odyssey Server

PEAP - Protected EAP
• Competes with EAP-TTLS
• Uses TLS and Digital Certs
• Two phase TLS authentication
• Uses TLS encryption
• Allows for support of Token Cards


TKIP - Temporal Key Integrity Protocol
• Uses RC4 encryption - stream cipher
• Phase 1: Uses MAC address mixed with TK to produce Phase 1 key
• Phase 2: Phase 1 key mixed with IV (initialization vector) to derive per-packet keys. Each key is used to encrypt one and only one data packet
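An added model (not from the slides or any 3Com product) of the two-phase key hierarchy the TKIP slide describes. It assumes HMAC-SHA256 as a stand-in for TKIP's real S-box based mixing functions, so the key bytes are not genuine TKIP output; what it reproduces is the structure: a Phase 1 key bound to the transmitter MAC address, a Phase 2 key per packet driven by the IV, and a receiver that refuses an IV it has already seen, so no per-packet RC4 key is ever used twice.

```python
import hashlib
import hmac

# Model of TKIP's two-phase key hierarchy as the slide describes it.
# ASSUMPTION: HMAC-SHA256 replaces the real TKIP mixing functions; the real Phase 1
# key is 80 bits and the real Phase 2 output is the 128-bit per-packet RC4 key.

def phase1_key(tk: bytes, transmitter_mac: bytes) -> bytes:
    """Phase 1: TK mixed with the transmitter MAC, so two stations sharing a TK
    never derive the same per-packet keys."""
    return hmac.new(tk, b"phase1" + transmitter_mac, hashlib.sha256).digest()[:10]

def phase2_key(p1: bytes, iv: int) -> bytes:
    """Phase 2: Phase 1 key mixed with the IV (TKIP sequence counter) -> one packet key."""
    return hmac.new(p1, b"phase2" + iv.to_bytes(6, "big"), hashlib.sha256).digest()[:16]

class Sender:
    def __init__(self, tk: bytes, mac: bytes):
        self.p1, self.iv = phase1_key(tk, mac), 0

    def next_key(self) -> tuple:
        """Return (iv, key); the IV only moves forward, so each key encrypts one packet."""
        iv, key = self.iv, phase2_key(self.p1, self.iv)
        self.iv += 1
        return iv, key

class Receiver:
    def __init__(self, tk: bytes, peer_mac: bytes):
        self.p1, self.last_iv = phase1_key(tk, peer_mac), -1

    def key_for(self, iv: int):
        """Derive the same key for a fresh IV; return None for a repeated or older IV,
        which under a stream cipher would mean keystream reuse (or a replayed frame)."""
        if iv <= self.last_iv:
            return None
        self.last_iv = iv
        return phase2_key(self.p1, iv)
```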


WPA - Wi-Fi Protected Access
• Requires Authentication and Encryption
• Authentication
  - Requires EAP Mutual Authentication
  - Protects the user from accidentally joining a rogue AP
• Encryption
  - Requires TKIP - use of a temporal key
• We do not support WPA Home/Soho mode (use of a shared key)

Security - 802.11i

IEEE P802.11 TGi
• Purpose: To enhance the current 802.11 MAC to provide improvements in security and authentication mechanisms
• Will be based on New Federal Encryption Standard AES (Advanced Encryption Standard)
  - Will replace DES
  - Requires hardware acceleration; today's AP’s cannot support it yet
  - Rijndael algorithm; symmetric block cipher; keys 128, 192, 256 bits

Simple Sets You Free

