Transcript Wireless Local Area Network

Wireless Technology
802.11x: Wi-Fi Standards - Cutting Through The
Confusion
Rob Karnbach
Wireless ME
May 2003
Leadership in
Wireless Connectivity
Wireless Wide
Area Network
Airport
Hotel
Wireless
Local
Area
Network
Office
Home
Small Wireless Personal
Business Area Network
3Com Proprietary and Confidential
3Com University Live December 2002
Session ID: 110 Rev. page 2
Technology and
Standards Evolution
• 54Mbps extn. to 802.11b
• 5Ghz band (up to 54 Mpbs)
• 802.11b & Bluetooth
co-existence
New network
services being added
(QoS, IAPP,
WEP2, etc.)
Bluetooth Products
Available (802.15)
• 802.11a and
802.11b ratified
by the IEEE
• WECA formed
Original
802.11 spec
ratified by
the IEEE
1997
1999
2000
Today
Future 3Com
Future
Future
University
Live December 2002
Session ID: 110 Rev. page 3
New Standards
What are they?
3Com Proprietary and Confidential
The A,B,G’s of WLANs

Background




The IEEE finalized the initial standard for WLANs, IEEE
802.11 in June 1997
The original standard specified a 2.4GHz operating
frequency with data rates of 1 and 2Mbps
There are two categories of specifications
The first category defines complete wireless LAN
systems


3 main specifications 802.11a, b, and g
The second category defines enhancements that
mitigate weaknesses in the existing protocols.


These are not new systems, but rather extensions that will be
applied to the systems specifications.
There are currently 6 specifications in this category 802.11d, e, f,
h, i, j
3Com University Live December 2002
Session ID: 110 Rev. page 5
802.11 Systems Overview
802.11a
802.11b
802.11g
2002
1999
Not Yet Ratified
5GHz
2.4GHz
2.4GHz
Up to 54Mbps
Up to 11Mbps
Up to 54Mbps
Up to 50 Meters
Up to 100 Meters
Up to 100 Meters
Pros
Less potential
for interference
 Good support
for multimedia
apps and densely
populated user
environments
Certified
compatibility
through Wi-Fi
 Most widely
deployed system
today
Cons
Requires
hardware upgrade
 Less coverage
area
Standard
Ratified
Radio Band
Data Rates
Coverage Area




Slower data rate
Interference in
2.4GHz band
Compatible with
802.11b
 High data rates
and broad
coverage area

Will not be
widely available
until late 2003

3Com University Live December 2002
Session ID: 110 Rev. page 6
Recommending the Right WLAN
System

Recommend 802.11b if your customer:






Doesn’t have a need for high-bandwidth
Isn’t price sensitive
Wants a large choice of providers/manufacturers
Wants to give users access to public WLAN hotspots
Wants guaranteed compatibility
Wants to implement a complete WLAN solution
today
3Com University Live December 2002
Session ID: 110 Rev. page 7
Recommending the Right WLAN
System

Recommend 802.11a if your customer:





Has a dense user base confined to one coverage area
Wants to run high-bandwidth applications
 Voice/video over the wireless network
Needs to transfer large data files
 CAD files, pre-print publishing documents, other large
graphics files
Does not need a wide coverage range
Is not price sensitive (in the short term)
 It will cost twice as much to cover the same area as
802.11b or g
3Com University Live December 2002
Session ID: 110 Rev. page 8
Recommending the Right WLAN
System

Recommend 802.11g if your customer:


Is willing to wait for the standard to arrive and for
products to hit the market
Wants backward compatibility with an existing
802.11b WLAN



Wants to maximize current investment
Needs high-bandwidth
Has a large coverage area
3Com University Live December 2002
Session ID: 110 Rev. page 9
Quality Of Service
802.11e
3Com Proprietary and Confidential
IEEE P802.11 TGe

Purpose:

To enhance the 802.11 Medium Access
Control (MAC) to improve and manage
Quality of Service (QoS)
Cannot be supported in current chip design
 Requires new Radio Chips


Can do basic Qos in MAC layer
3Com University Live December 2002
Session ID: 110 Rev. page 11
Inter Access Point Protocol
802.11f
3Com Proprietary and Confidential
IEEE P802.11 TGf

Purpose:


To develop a set of requirements for Inter-Access
Point Protocol (IAPP), including operational and
management aspects
3Com’s Role:

As chair of this group, drive the work of IAPP
towards development of a “Distribution System”
consisting of IEEE 802 LAN components
supporting an IETF IP environment
3Com University Live December 2002
Session ID: 110 Rev. page 13
Security
Today
3Com Proprietary and Confidential
Local Authentication Options

Local Access Point Authentication/Encryption


Authentication is done at each Access Point
Encryption options




No security (encryption)
40-bit encryption shared key
128-bit encryption shared key
Dynamic Security Link (128-bit)

Username/Password Authentication with 128bit Dynamic
Session key encryption
3Com University Live December 2002
Session ID: 110 Rev. page 15
3Com Access Point 8000
Dynamic Security Link

Dynamic Security Link

Per user, per session dynamic key with 128-bit
Encryption




Unique key automatically generated
between the AP & wireless client each session
Keys are done in the background,
automatically, not entered manually
Internal database supports 1000
username/password
Provide a superior security solution when AP is
deployed in networks without a centralized
authentication server
3Com University Live December 2002
Session ID: 110 Rev. page 16
LEAP
Lightweight Extensible
Authentication Protocol (Cisco)

Cisco only Protocol - used to fix WEP





Requires Cisco or Funk RADIUS Server
Requires Cisco AP’s
Requires Cisco or 3Com X jack client cards
Is only Dynamic Session Keys (Like DSL)
Very Expensive solution for not being Dynamic
Encryption Keys
3Com University Live December 2002
Session ID: 110 Rev. page 17
IEEE 802.1x – Port-Based
Network Access Control


802.1x is a standard for authenticating Wireless Clients
onto an wireless 802.11 network
It is a key feature in Microsoft’s Windows XP operating
system

Needs to be implemented in conjunction with a
centralized RADIUS authentication server supporting
EAP-MD5 or EAP-TLS

Scalable to large enterprise networks

Authentication is central, rather than in each Access Point
3Com University Live December 2002
Session ID: 110 Rev. page 18
RADIUS Authentication Support

RADIUS Centralized User Authentication


Any RADIUS supporting EAP-MD5, EAP-TLS, EAPTTLS



Authentication is provided between the wireless client and
the RADIUS server, in conjunction with the IEEE 802.1x
standard-based network log-in
Implemented in conjunction with 802.1x to provide a secure
authentication solution for Wireless clients
For an even more secure solution, 3Com’s Universal Client
Certificate supporting EAP-TLS enables RADIUS servers
that support EAP-TLS to achieve Dynamic Key Distribution
– Per-User / Per-Session key
RADIUS Accounting

Username, start time, stop time, packet input/output
3Com University Live December 2002
Session ID: 110 Rev. page 19
EAP-MD5

Authentication


Never sends password in clear text
Uses MD-5 HMAC


128 bit HASH of password comparison
Most RADIUS Servers support this today



Cisco
Funk
Microsoft
3Com University Live December 2002
Session ID: 110 Rev. page 20
EAP-TLS

Authentication

Authenticates device and user



Requires Digital Cert



Device by digital cert
User by Username/Password
Can store Phase one encryptions on it
3Com incorporates 128 Dynamic Key
encryption with it. Key changes every 15
minutes
Supported in High End RADIUS Servers, ie
Microsoft, Funk Steel Belted Radius, Cisco
3Com University Live December 2002
Session ID: 110 Rev. page 21
3Com Universal Client Certificate
Supports EAP-TLS






Certificate is required for
mutual-authentication
Used by any 3Com WLAN
client in EAP-TLS
authentication mode
Required for serial
authentication
3Com developed to fully
utilize the power of EAP-TLS
authentication
Public Key for client is
generally expensive to
deploy
Free to 3Com wireless
clients
3Com University Live December 2002
Session ID: 110 Rev. page 22
Basic RADIUS (EAP-MD5) (Public
Areas)
Airport
Hotel Lobby
SuperStack
Switch
SuperStack
3 Firewall
WLAN
RADIUS
Server
(EAP-MD5)
Mgmt.
Console
ATM






NT or
Netware
Server
RADIUS client built into the AP8000
Provides upper layer authentication through RADIUS supporting EAP-MD5 (Microsoft, Funk, Cisco)
One-way authentication for the wireless client to be authenticated by the RADIUS server
Encryption capability can be provided between the client and the AP using 40-bit or 128-bit shared key
Static key generated in the AP and manually entered in all clients and APs
Ideal for enterprise networks with legacy RADIUS deployments, requiring centralized
user management and basic level of encryption capability
3Com University Live December 2002
Session ID: 110 Rev. page 23
Standard EAP-TLS and 802.1x, with XP Clients
and Existing PKI (University Campus)
Login for 802.1X
Main Campus
Library
Username: 3Com
Password: ********
Student Dormitory
SuperStack
Switch
SuperStack
3 Firewall
WLAN
RADIUS
Server
(EAP-MD5)
Mgmt.
Console
Registration Office





RADIUS
EAP-TLS
NT or
Netware
Server
802.1x is native to the Windows XP Operating System only
With PKI, each client has a “unique” certificate, issued by an external CA (very expensive to implement)
The TLS server also needs its own certificate, issued by an external CA
Disable Microsoft’s 802.1x agent and deploy Serial Authentication using 3Com’s 802.1x agent and achieve:

Certificate-based mutual authentication using 3Com’s own Universal Client Certificate

Dynamic key management supported in the AP8000

Secure username/password authentication on top of certificate based authentication

Support for standards based RC4 encryption algorithm (40-bit and 128-bit)
3Com’s next generation 802.1x agent will work with 3rd party CA
3Com University Live December 2002
Session ID: 110 Rev. page 24
EAP-TTLS

Tunneled EAP-TLS



Still requires Digital Cert
But can use MS-Chap for password checking
Supported right now only in Funk Software
Odyssey Server
3Com University Live December 2002
Session ID: 110 Rev. page 25
PEAP - Protected EAP
Competes with EAP-TTLS
 Uses TLS and Digital Certs
 Two Phase TLS authentication
 Uses TLS encryption
 Allows for support of Token Cards

3Com University Live December 2002
Session ID: 110 Rev. page 26
TKIP - Temporal Key Integrity
Protocol
Uses RC4 encryption - stream cipher
 Phase I



Phase 2


Uses MAC address mixed with TK to produce
Phase I key
Phase 1 key mixed with IV (initialization vector) to
derive per-packet keys.
Each key is used to encrypt one and only one
data packet
3Com University Live December 2002
Session ID: 110 Rev. page 27
WPA Wi-Fi Protected Access


Requires Authentication and Encryption
Authentication


Requires EAP
Mutual Authentication


Encryption


Protects the user from accidentally joining a rogue AP
Requires TKIP - use of a temporal key
We do not support WPA Home/Soho mode

Use of a shared key
3Com University Live December 2002
Session ID: 110 Rev. page 28
Security
802.11i
3Com Proprietary and Confidential
IEEE P802.11 TGi

Purpose:


To enhance the current 802.11 MAC
to provide improvements in security
and authentication mechanisms
Will be based on New Federal Encryption Standard
AES (Advanced Encryption Standard)






Will replace DES
Requires hardware acceleration
Today's AP’s cannot support it yet
Rijndael algorithm
Symmetric block cipher
Keys 128, 192, 256 bits
3Com University Live December 2002
Session ID: 110 Rev. page 30
Simple Sets You Free