7/18/2019 Expl Sw Chapter 07 Wireless Part II
1/33
CCNA3-1 Chapter 7-2
Chapter 7
Basic Wireless Concepts and Configuration
Part II
Note for Instructors
These presentations are the result of a collaboration among the instructors at St. Clair College in Windsor, Ontario.
Thanks must go out to Rick Graziani of Cabrillo College. His material and additional information was used as a reference in their creation.
If anyone finds any errors or omissions, please let me know at: [email protected].
Basic Wireless Concepts and Configuration
Wireless LAN Security
War Drivers
Hackers/Crackers
Employees
Consumer Devices
Wireless LAN Security
Three Major Categories of Security Threats:
War Drivers:
  War driving means driving around a neighborhood with a wireless laptop and looking for an unsecured 802.11b/g system.
Hackers/Crackers:
  Malicious intruders who enter systems as criminals and steal data or deliberately harm systems.
Employees:
  Set up and use Rogue Access Points without authorization.
  Either interfere with or compromise servers and files.
Threats to Wireless Security
War Drivers:
  "War driving" originally referred to using a scanning device to find cellular phone numbers to exploit.
  War driving now also means driving around a neighborhood with a laptop and an 802.11b/g client card looking for an unsecured 802.11b/g system to exploit.
Software is readily available.
Totally and completely ILLEGAL!!!!!!!!
Threats to Wireless Security
Man-in-the-Middle Attacks:
  Attackers select a host as a target and position themselves logically between the target and the router of the target.
  In a wired LAN, the attacker needs to be able to physically access the LAN to insert a device logically into the topology.
  With a WLAN, the radio waves emitted by access points can provide the connection.
  Because access points act like Ethernet hubs, each NIC in a BSS hears all the traffic.
  Attackers can modify the NIC of their laptop with special software so that it accepts all traffic.
  In effect, the NIC has been modified to act as an Access Point.
Threats to Wireless Security
Denial of Service (DoS):
  802.11b/g WLANs use the unlicensed 2.4 GHz band.
  This is the same band used by most baby monitors, cordless phones, and microwave ovens.
  With these devices crowding the RF band, attackers can create noise on all the channels in the band with commonly available devices.
Threats to Wireless Security
Denial of Service (DoS):
  An attacker can turn a NIC into an access point.
  The attacker, using a PC as an AP, can flood the BSS with clear-to-send (CTS) messages, which defeat the CSMA/CA function used by the stations.
  The actual AP floods the BSS with simultaneous traffic, causing a constant stream of collisions.
Threats to Wireless Security
Denial of Service (DoS):
  Another DoS attack that can be launched in a BSS is when an attacker sends a series of disassociate commands that cause all stations to disconnect.
  When the stations are disconnected, they immediately try to reassociate, which creates a burst of traffic.
  The attacker sends another disassociate and the cycle repeats itself.
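The disconnect/reassociate cycle described on this slide leaves a recognizable pattern in captured management frames. The following is an added detection example, not part of the original slides; the record format (time, frame kind, station), the sample data and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

def _sample(stations, cycles, period=2.0, rejoin_delay=0.3):
    """Build constructed (time_s, frame_kind, station) records for one BSS."""
    events = []
    for c in range(cycles):
        for i, sta in enumerate(stations):
            t = c * period + 0.01 * i
            events.append((t, "disassoc", sta))
            events.append((t + rejoin_delay, "reassoc_req", sta))
    return events

# Constructed data: every station is knocked off and rejoins three times in a row.
FLOOD_SAMPLE = _sample(["sta-a", "sta-b", "sta-c"], cycles=3)
# Constructed data: a single station leaves and rejoins once (ordinary roaming).
BENIGN_SAMPLE = _sample(["sta-a"], cycles=1)

def reconnect_cycles(events, window=1.0):
    """Per station, count disassociations followed by a reassociation within `window` seconds."""
    last_disassoc = {}
    cycles = defaultdict(int)
    for t, kind, sta in sorted(events):
        if kind == "disassoc":
            last_disassoc[sta] = t
        elif kind == "reassoc_req" and sta in last_disassoc:
            # pop() clears the pending disassociation whether or not it was in time
            if t - last_disassoc.pop(sta) <= window:
                cycles[sta] += 1
    return dict(cycles)

def is_disassoc_flood(events, min_stations=3, min_cycles=3, window=1.0):
    """Flag the BSS when several stations repeat the disconnect/reconnect cycle.
    The thresholds are assumed values for illustration; tune them per site."""
    repeated = [s for s, n in reconnect_cycles(events, window).items() if n >= min_cycles]
    return len(repeated) >= min_stations

if __name__ == "__main__":
    print("flood sample:", is_disassoc_flood(FLOOD_SAMPLE))
    print("benign sample:", is_disassoc_flood(BENIGN_SAMPLE))
```

A single station that leaves and rejoins once does not trip the check; only the repeated, BSS-wide cycle does.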
Wireless Security Protocols
Authenticating to the Wireless LAN
In an open network, such as a home network, association may be all that is required to grant a client access to devices and services on the WLAN.
Authenticating to the Wireless LAN
In networks that have stricter security requirements, an additional authentication or login is required to grant clients such access.
This login process is managed by the Extensible Authentication Protocol (EAP).
A central repository of User IDs and Passwords. Used by all network login processes.
Wireless Encryption
Two Encryption Mechanisms:
TKIP is the encryption method certified as Wi-Fi Protected Access (WPA).
  Provides support for legacy WLAN equipment by addressing the original flaws associated with the 802.11 WEP encryption method.
  Encrypts the Layer 2 payload.
  Message integrity check (MIC) in the encrypted packet that helps ensure against message tampering.
Wireless Encryption
Two Encryption Mechanisms:
The AES encryption of WPA2 is the preferred method.
  WLAN encryption standards used in IEEE 802.11i.
  Same functions as TKIP.
  Uses additional data from the MAC header that allows destination hosts to recognize if the non-encrypted bits have been tampered with.
  Also adds a sequence number to the encrypted data header.
Wireless Encryption
When you configure Linksys access points or wireless routers you may not see WPA or WPA2.
Instead you may see references to something called pre-shared key (PSK).
Types of PSKs:
  PSK or PSK2 with TKIP is the same as WPA.
  PSK or PSK2 with AES is the same as WPA2.
  PSK2, without an encryption method specified, is the same as WPA2.
Controlling Access to the Wireless LAN
When controlling access, the concept of depth means having multiple solutions available.
Three-step approach:
  SSID cloaking:
    Disable SSID broadcasts from access points.
  MAC address filtering:
    Tables are manually constructed on the access point to allow or disallow clients based on their physical hardware address.
  WLAN Security:
    Implement WPA or WPA2.
Controlling Access to the Wireless LAN
SSID Cloaking
MAC Address Filtering
WPA/WPA2
Controlling Access to the Wireless LAN
An additional consideration is to configure access points that are near outside walls of buildings to transmit on a lower power setting than other access points closer to the middle of the building.
This is merely to reduce the RF signature on the outside of the building.
Anyone running an application such as Netstumbler, Wireshark, or even Windows XP can map WLANs.
Basic Wireless Concepts and Configuration
Configuring Wireless LAN Access
Configuring the Wireless Access Point
In this topic, you will learn:
  How to configure a wireless access point.
  How to set the SSID.
  How to enable security.
  How to configure the channel.
  How to adjust the power settings.
  How to back up and restore the configuration.
Configuring the Wireless Access Point
The basic approach to wireless implementation, as with any basic networking, is to configure and test incrementally.
  Verify the existing network and Internet access for the wired hosts.
  Start the WLAN implementation process with a single access point and a single client, without enabling wireless security.
  Verify that the wireless client has received a DHCP IP address and can ping the local wired default router and then browse to the external Internet.
  Finally, configure wireless security with WPA2.
  Use WEP only if the hardware does not support WPA.
Configuring the Wireless Access Point
The remainder of the configuration as outlined in the text and online curriculum will be addressed during the lab.
Basic Wireless Concepts and Configuration
Troubleshooting Simple WLAN Problems
A Systematic Approach
Eliminate the User's PC as the source of the problem.
  Network configuration.
  Can it connect to a wired network?
  Is the NIC O.K.?
  Are the proper drivers loaded?
  Do the security settings match?
  How far is the PC from the Access Point?
  Check the channel settings.
  Any interference from other devices?
A Systematic Approach
Eliminate the User's PC as the source of the problem.
Confirm the physical status of the devices.
  Are all devices actually in place?
  Is there power to all the devices?
A Systematic Approach
Eliminate the User's PC as the source of the problem.
Confirm the physical status of the devices.
Inspect the wired links.
  Cables damaged or missing?
  Can you ping the AP from a cabled device?
If all of this fails, perhaps the AP is faulty or the configuration is in error. The AP may also require a firmware upgrade.
A Systematic Approach
Updating the Access Point
Download
Select the Firmware
Run the Upgrade
DO NOT upgrade the firmware unless you are experiencing problems with the access point or the new firmware has a feature you want to use.
A Systematic Approach
Incorrect Channel Settings
RF Interference Issues
Many other devices operate on Channel 6.
RF Interference Issues
Site Survey:
  How-to not addressed in this course.
  The first thing that should be done in the planning stage.
    RF interference.
    Physical interference (cabinets, walls with metal girders).
    Multiple WLANs.
    Variances in usage (day/night shifts).
  Two Types:
    Manual.
    Utility Assisted.
With a utility-assisted site survey, you can obtain RF band usage and make provisions for it.
Access Point Placement
A WLAN that just did not seem to perform like it should.
  You keep losing association with an access point.
  Your data rates are much slower than they should be.
Access Point Placement
Some additional specific details:
  Not mounted closer than 7.9 inches (20 cm) from the body of all persons.
  Do not mount the access point within 3 feet (91.4 cm) of metal obstructions.
  Install the access point away from microwave ovens.
  Always mount the access point vertically.
  Do not mount the access point outside of buildings.
  Do not mount the access point on building perimeter walls, unless outside coverage is desired.
  When mounting an access point in the corner of a right-angle hallway intersection, mount it at a 45-degree angle.
Authentication and Encryption
The WLAN authentication and encryption problems you are most likely to encounter, and that you will be able to solve, are caused by incorrect client settings.
Remember, all devices connecting to an access point must use the same security type as the one configured on the access point.