Wireless LAN Management

w.lilakiatsakun
Topics
• Wireless LAN fundamental
– Link characteristic
– Band and spectrum
– IEEE 802.11 architecture /channel allocation
• Wireless LAN Solution
– Adhoc / infrastructure
– Load balancing /Extended Service Set (Roaming)
– Wireless repeater /bridge
• Wireless LAN Management
• Wireless LAN security
Wireless Link Characteristics
Differences from wired link ….
– decreased signal strength: radio signal
attenuates as it propagates through matter
(path loss)
– interference from other sources: standardized
wireless network frequencies (e.g., 2.4 GHz)
shared by other devices (e.g., phone); devices
(motors) interfere as well
– multipath propagation: radio signal reflects off
objects and the ground, arriving at the destination at
slightly different times
Transmission over wireless link induces loss and
error more often
Wireless network characteristics
Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other
means A, C unaware of their interference at B
Signal fading:
• B, A hear each other
• B, C hear each other
• A, C can not hear each other interfering at B
[Figure: stations A, B and C; A's and C's signal strength plotted over space]
Unlicensed Spectrum
• ISM stands for Industrial Scientific and Medical
• Implementing ISM bands is different for
countries
Band      FCC-Freq. (US)     ETSI-Freq. (EU)    Main Use
ISM-900   902-908 MHz        890-906 MHz        Food Process
ISM-2.4   2.4-2.4835 GHz     2.4-2.5 GHz        Microwave Oven
ISM-5.8   5.725-5.850 GHz    5.725-5.875 GHz    Medical Scanner
ISM Band
• Only ISM-2.4 band is available for
every country
– Microwave oven
– Medical equipment
– Communication e.g. wireless LAN, Bluetooth
• But, it is too crowded
– Communication uses “Spread Spectrum” to
avoid interference
IEEE 802.11 Wireless LAN
• 802.11b
– 2.4 GHz unlicensed radio spectrum
– Using CCK (Complementary Code Keying) to improve
data rate
– Backward compatible with DSSS system
– Not compatible with FHSS system
– Max. at 11 Mbps - Theoretical max capacity (raw data
rate)
– Max data rate is only 6 Mbps. (only short range and no
interference)
IEEE 802.11 Wireless LAN
• 802.11a
– 5 GHz range, OFDM
– up to 54 Mbps (31 Mbps – Real throughput)
• 802.11g
– 2.4 GHz range - CCK-OFDM backward compatible
with IEEE 802.11b
– up to 54 Mbps (31 Mbps – Real throughput)
• All use CSMA/CA for multiple access
Wireless LAN standards
802.11 LAN architecture
• wireless host communicates with base station
– base station = access point (AP)
• Basic Service Set (BSS) (aka “cell”) in infrastructure mode contains:
– wireless hosts
– access point (AP): base station
– ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]
IEEE 802.11: multiple access
• avoid collisions: 2+ nodes transmitting at same time
• 802.11: CSMA - sense before transmitting
– don’t collide with ongoing transmission by other node
• 802.11: no collision detection!
– difficult to receive (sense collisions) when
transmitting due to weak received signals (fading)
– can’t sense all collisions in any case: hidden terminal,
fading
– goal: avoid collisions: CSMA/C(ollision)A(voidance)
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1 if sense channel idle for DIFS then
    transmit entire frame (no CD)
2 if sense channel busy then
    start random backoff time
    timer counts down while channel idle
    transmit when timer expires
    if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK return ACK after SIFS
[Figure: sender/receiver timeline showing DIFS, data, SIFS, ACK]
Avoiding collisions (more)
idea: allow sender to “reserve” channel rather than random
access of data frames: avoid collisions of long data frames
• sender first transmits small request-to-send (RTS) packets to
BS using CSMA
– RTSs may still collide with each other (but they’re short)
• BS broadcasts clear-to-send CTS in response to RTS
• CTS heard by all nodes
– sender transmits data frame
– other stations defer transmissions
Avoid data frame collisions completely
using small reservation packets!
Collision Avoidance: RTS-CTS exchange
[Figure: timeline for A, AP and B showing a reservation collision, DATA (A), and the other station deferring]
Channel partitioning in wireless
LAN
• With DSSS modulation technique, bandwidth
used for one channel is 22 Mbps
• In the 2.4 GHz band, only 83 MHz of bandwidth is
available
• So non-overlapping channels need a spacing of 5 channels
– Avoiding interference between each other
• Consider this for frequency reuse and capacity
increment
Channel Allocation
Relationship between Data rate
and signal strength
802.11: Channels, association
• 802.11b: 2.4GHz-2.485GHz spectrum divided into
11 channels at different frequencies
– AP admin chooses frequency for AP
– interference possible: channel can be same as
that chosen by neighboring AP!
• host: must associate with an AP
– scans channels, listening for beacon frames
containing AP’s name (SSID) and MAC address
– selects AP to associate with
– may perform authentication
Interferences in wireless LAN
• Microwave oven – 2450 MHz (1000 watts)
– Around channel 7-10
• Bluetooth device (0.01 W)
• Cordless Phone
• Toys, etc.
• Use Network Stumbler to show signal / noise
ratio on wireless LAN channels
Network Stumbler
Wireless Solution
• Adhoc
• Infrastructure
• Load balancing
• Connect wireless LAN without access point
• Extended Service Set
• Extend range with wireless repeater
• Wireless bridge
Ad hoc
• Configuration – set as Adhoc / Peer to peer
• Set BSSID and channel to use
Infrastructure
Load balancing
• 5 channel space
• Maximum 3 access points assigned on overlapped area
• Channel 1 /6 /11
Connect wireless LAN without
access point
• Use a host acting
as a gateway
Extended Service Set
Support mobility
Extend range with Wireless
repeater
Wireless bridge
(Point to point link)
Wireless LAN Management
• WLAN Management may involve three
primary functions:
– Discovering the WLAN devices
– Monitoring the WLAN devices
– Configuring the WLAN devices
Discovering the WLAN devices
• ICMP, SNMP, Telnet, CLI, AP Scan, RF
Scan, CDP etc. are used to discover
devices in your WLAN.
• The dedicated RF sensors that come as
additional hardware components with WiFi
Manager perform the RF scan, discover
every element that is transmitting on the
air, and ensure a 100% complete
discovery of WLAN devices.
Monitoring the WLAN devices (1/2)
• Threshold monitoring: Sets threshold values for
key parameters and alerts you when the actual
values exceed the set threshold levels.
• Service monitoring: Monitors the services
running in the Access Points such as the web
service.
• Performance monitoring: Monitors the WLAN
devices for various parameters such as Tx/Rx
traffic and utilization, data rate, channel usage,
errors etc.
Monitoring the WLAN devices (2/2)
• Trap reception: Receives traps and alerts the
operator
• Alarms: Assigns a severity to every network
failure and generates alarms
• Email-based notification: Notifies operators
through email when a fault occurs
Configuring the WLAN devices
• It consists of
– AP configuration
– Firmware upgrade
• From a management perspective, it can be
done as
– Group management
– Individual
Access Point Configuration
• AP basic configuration
• AP ACL configuration
• AP security configuration
• AP services configuration
AP basic configuration (1/2)
• SSID – service set identifier for the access point
• Allow broadcast SSID – enable/disable AP to
broadcast the SSID
• Allow auto channel select –enable/disable AP to
auto select the channel
• Channel – specify the channel at which the AP
operates (applicable only if allow auto channel
select is NO)
• Name – name of the access point
AP basic configuration (2/2)
• System Location – sysLocation value of the
access point
• System Contact – sysContact value of the access
point
• Use DHCP – enable/disable DHCP mode in AP
• LAN IP – IP address of the AP (applicable only if
Use DHCP is NO)
• Subnet Mask – mask value
• Gateway IP – IP address of the gateway
• DNS server IP – IP address of the DNS server
AP ACL configuration
• WLAN administrators can deny or allow
network access to wireless clients by
configuring the ACL settings in the access
points.
• Block – prevents access to specified MAC
addresses and allows others
• Pass through – allows only the specified
MAC addresses and blocks others
AP Security Configuration
• WEP – Encrypts data. Provide WEP keys
• 802.1x – Enables user authentication.
– at least one RADIUS server is provided
• WPA – 802.1x + TKIP + dynamic key
distribution
• WPA PSK
– Uses pre-shared key instead of RADIUS
• Mixed mode – Allows both WPA as well as
non-WPA clients
AP Service Configuration
• Management services such as SNMP, HTTP,
Telnet, and NTP running in access points can
be configured.
• SNMP: Enable/Disable, Read/Read-Write
Community, Trap Destination/ Community,
Enable Trap Notifications
• HTTP: Enable/Disable, HTTP Port
• Telnet: Enable/Disable, Telnet Port
• NTP: Enable/Disable, NTP Server Address
Wireless LAN security
management (1/2)
• Common attack and vulnerability
– The weakness in WEP & key management & user
behavior
– Sniffing, interception and eavesdropping
– Spoofing and unauthorized access
– Network hijacking and modification
– Denial of Service and flooding attacks
Wireless LAN security
management (2/2)
• Security countermeasures
– Revisiting policy
– Analyzing the threat
– Implementing WEP
– Filtering MAC
– Using closed systems and networks
– Securing users
The weakness in WEP & key
management & user behavior
• Several papers were published to show vulnerabilities
in WEP, along with tools to recover the encryption key
– AirSnort (http://airsnort.shmoo.com)
– WEPCrack (http://sourceforge.net/projects/wepcrack/)
• IEEE 802.11 outlines that the secret key used by WEP
needs to be controlled by external key management
– Normally, key management is done by the user (define 4
different secret keys)
– RADIUS (Remote Authentication Dial-In User Service) is not
used by small businesses or home users
The weakness in WEP & key
management & user behavior
• Users often operate the devices on default
configuration
– SSID broadcast – turned on
– Default password as a secret key
• 3com product – comcomcom
• Lucent product – the last five digits of the network ID
Sniffing, interception and
eavesdropping
• Sniffing is the electronic form of
eavesdropping on the communications that
computers have across a network
• A wireless network is a broadcast (shared) link
• Every communication across the wireless
network is viewable to anyone who is listening
to the network
• The listener does not even need to be associated with the network
Sniffing tools
• All of these software packages put the network card in
promiscuous mode; every packet that passes its
interface is captured and displayed
• Ethereal
– www.ethereal.com/
• OmniPeek
– http://www.wildpackets.com/products/omnipeek
• Tcpdump
– www.tcpdump.org/
• Ngrep
– http://ngrep.sourceforge.net/
Spoofing and unauthorized
access
• Spoofing – An attacker is able to trick your
network equipment into thinking that the
connection is from one of the allowed machines
• Several ways to accomplish this
– Redefine MAC address to a valid MAC address
– simple Registry edit for Windows
– On Unix with a simple command from root shell
– SMAC (software package on Windows)
Network hijacking and
modification
• A malicious user is able to send messages to
routing devices and APs stating that their MAC
address is associated with a known IP address
• From then on, all traffic that goes through that
router (switch) destined for the hijacked IP
address will be handed off to the hijacker's
machine
• ARP spoof or ARP poisoning
Network hijacking and
modification
• If the attacker spoofs as the default gateway
– All machines trying to get to the network will
connect to the attacker
– To get passwords and necessary information
• Use of rogue AP
– To receive authentication requests and information
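A defender can spot the ARP poisoning described in the two slides above because one IP address starts being claimed by a different MAC. The following detection sketch is an added example, not part of the original slides; the addresses, alert names and the `flap_window` parameter are assumptions, and the ARP observations are constructed.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) as read from ARP replies.
SAMPLE_ARP = [
    (0.0, "192.168.1.1", "00:11:22:33:44:55"),    # real default gateway
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (5.0, "192.168.1.1", "DE:AD:BE:EF:00:01"),    # gateway IP claimed by a new MAC
    (5.5, "192.168.1.1", "00:11:22:33:44:55"),    # real gateway answers again
    (6.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    (7.0, "192.168.1.30", "de:ad:be:ef:00:01"),   # same MAC now claims a second IP
]

def detect_arp_conflicts(observations, pinned=None, flap_window=10.0):
    """Flag IP-to-MAC bindings that contradict a pinned entry or flap quickly.

    pinned maps an IP to its known-good MAC (assumed to come from the inventory).
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    last_seen = {}                  # ip -> (mac, time of last reply)
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
    alerts = []

    def alert(kind, ip, mac):
        if (kind, ip, mac) not in alerts:       # report each finding once
            alerts.append((kind, ip, mac))

    for ts, ip, mac in sorted(observations):
        mac = mac.lower()
        if ip in pinned:
            if mac != pinned[ip]:
                alert("PINNED_MISMATCH", ip, mac)
        elif ip in last_seen:
            prev_mac, prev_ts = last_seen[ip]
            # A slow change may be a DHCP lease moving; a fast one is suspicious.
            if prev_mac != mac and ts - prev_ts <= flap_window:
                alert("BINDING_CHANGED", ip, mac)
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:            # can also be legitimate proxy ARP
            alert("MAC_CLAIMS_MULTIPLE_IPS", ip, mac)
        last_seen[ip] = (mac, ts)
    return alerts

if __name__ == "__main__":
    gateway = {"192.168.1.1": "00:11:22:33:44:55"}
    for finding in detect_arp_conflicts(SAMPLE_ARP, pinned=gateway):
        print(finding)
```

Pinning the default gateway's MAC gives the clearest signal, since that is the binding the slide identifies as the most valuable one to spoof.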
Denial of Service and flooding
attacks
• One of the original DoS attacks is known as a ping
flood
– A large number of hosts or devices send an ICMP echo
to a specified target
• One possible attack would be through a massive
amount of invalid or valid authentication requests.
– Users attempting to authenticate themselves would have
difficulties in acquiring a valid session
• If a hacker can spoof as the default gateway, they can
prevent any machine on the wireless network from
accessing the wired network
WLAN Security countermeasure
• Security countermeasures
– Revisiting policy
– Analyzing the threat
– Implementing WEP
– Filtering MAC
– Using closed systems and networks
– Securing users
Revisiting policy
• Adjust corporate security policy to
accommodate wireless networks and the users
who depend on them
• Because of the wireless environment
– No visible connection – good authentication
required
– Ease of capture of RF traffic – a good policy should
not broadcast the SSID and should implement WEP
– Do not use the default name or password when operating AP
devices
Analyzing the threat (1/2)
• Identify assets and the method of accessing
these from an authorized perspective
• Identify the likelihood that someone other
than an authorized user can access the assets
• Identify potential damages
– Defacement
– Modification
– Theft
– Destruction of data
Analyzing the threat (2/2)
• Identify the cost to replace, fix, or track the
loss
• Identify security countermeasures
• Identify the cost in implementation of the
countermeasures
– Hardware/software/personnel
– Procedures /limitations on access across the
corporate structure
• Compare costs of securing the resources
versus the cost of damage
Implementing WEP
• To protect against data sniffing during a session
• 128-bit encryption should be considered as a
minimum
– Most APs support both 40-bit and 128-bit
encryption
• WEP advantages
– All messages are encrypted so privacy is
maintained
– Easy to implement
– WEP keys are user definable and unlimited
Implementing WEP
• WEP disadvantages
– The RC4 encryption algorithm is a known stream
cipher that can be broken
– Once the key is changed, everyone needs to be
informed of it
– WEP does not provide adequate WLAN security
• Only eliminate the curious hacker who lacks the means
or desire to really hack your network
– WEP has to be implemented on every client as
well as every AP to be effective
Filtering MAC
• To minimize the number of attacks
– More practical on small networks
• It can be performed at the switch attached to
the AP or on the AP itself
• MAC filtering advantages
– Predefined users are accepted; filtered MACs do not
get access
• MAC filtering disadvantages
– Administrative overhead – large number of users
– MAC address can be reprogrammed
Using closed systems and
networks
• Turn off broadcasting SSID, use proper
password (WEP)
• Select “close wireless system”
• Advantages
– AP does not accept unrecognized network
requests
– Prevents snooping by NetStumbler software
– Easy to implement
• Disadvantages
– Administration required for new users and changes
Securing users
• Educate the users about the threats and where
they are at risk
– How is a proper password set?
• Provide policies that enable them to
successfully secure themselves
– Change password at regular intervals
– Minimum password length
• Create policies that secure users behind the
scenes
– Filtering traffic
Securing users
• Some of the rule sets that should be in place
with respect to wireless 802.11
– No rogue access point
– Inventory all wireless cards and their
corresponding MAC address
– No antennas without administrative consent
– Strong password on wireless network devices
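The "no rogue access point" and MAC inventory rules above can be checked against the RF scan data mentioned under device discovery. The following is an added example, not part of the original slides; the inventory, scan records, finding names and the `on_site_rssi` threshold are constructed assumptions.

```python
# Constructed inventory of authorized APs: BSSID -> (SSID, channel).
AUTHORIZED = {
    "00:1a:2b:00:00:01": ("CorpWLAN", 1),
    "00:1a:2b:00:00:02": ("CorpWLAN", 6),
    "00:1a:2b:00:00:03": ("CorpWLAN", 11),
}

# Constructed RF scan: one record per beacon source heard by a sensor.
SAMPLE_SCAN = [
    {"bssid": "00:1A:2B:00:00:01", "ssid": "CorpWLAN", "channel": 1, "rssi_dbm": -48},
    {"bssid": "00:1a:2b:00:00:02", "ssid": "CorpWLAN", "channel": 3, "rssi_dbm": -55},
    {"bssid": "66:77:88:00:00:aa", "ssid": "CorpWLAN", "channel": 6, "rssi_dbm": -60},
    {"bssid": "66:77:88:00:00:bb", "ssid": "default", "channel": 11, "rssi_dbm": -42},
    {"bssid": "66:77:88:00:00:cc", "ssid": "CoffeeShop", "channel": 1, "rssi_dbm": -88},
]

def classify_scan(scan, authorized, on_site_rssi=-70):
    """Compare heard beacons with the inventory and return (bssid, finding) pairs."""
    corp_ssids = {ssid for ssid, _ in authorized.values()}
    findings = []
    for rec in scan:
        bssid = rec["bssid"].lower()
        if bssid in authorized:
            # A matching BSSID is not proof of identity (MACs can be reprogrammed),
            # so the advertised settings are compared with the inventory as well.
            if (rec["ssid"], rec["channel"]) != authorized[bssid]:
                findings.append((bssid, "SETTINGS_DIFFER_FROM_INVENTORY"))
        elif rec["ssid"] in corp_ssids:
            # Unlisted radio advertising the corporate network name.
            findings.append((bssid, "UNLISTED_AP_USING_CORPORATE_SSID"))
        elif rec["rssi_dbm"] >= on_site_rssi:
            # Strong signal suggests the device is on the premises, not a neighbor.
            findings.append((bssid, "UNLISTED_AP_ON_SITE"))
    return findings

def missing_aps(scan, authorized):
    """Authorized APs that no sensor heard (powered off, failed or removed)."""
    heard = {rec["bssid"].lower() for rec in scan}
    return sorted(set(authorized) - heard)

if __name__ == "__main__":
    for finding in classify_scan(SAMPLE_SCAN, AUTHORIZED):
        print(finding)
    print("not heard:", missing_aps(SAMPLE_SCAN, AUTHORIZED))
```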
Other methods
• VPN
• WEP + RADIUS
• WPA2 (Wi-Fi Protected Access)
• WPA + RADIUS
• 802.1x
– EAP-MD5, LEAP (cisco), EAP-TLS, EAP-TTLS
• MAC + WPA + RADIUS
– Mahanakorn solution
Web recommendation
http://www.thaicert.nectec.or.th/paper/wireless/IEEE80211_4.php
802.11i
• Known as WPA2 and also called RSN (Robust
Security Network).
• 802.11i makes use of the Advanced Encryption
Standard (AES) block cipher, whereas WEP and
WPA use the RC4 stream cipher
• The 802.11i architecture contains the
following components:
– 802.1X for authentication
– RSN for keeping track of associations
– AES-based CCMP to provide confidentiality,
integrity and origin authentication.
802.1x (1/2)
• It provides an authentication mechanism
to devices wishing to attach to a LAN port.
• Either establishing a point-to-point
connection or preventing access from that
port if authentication fails.
• It is used for most wireless 802.11 access
points and is based on the Extensible
Authentication Protocol (EAP).
802.1x (2/2)
802.11n (new WLAN standard)
• To improve performance and security for WLAN
– Net bandwidth 248 Mbps
– Operates in both the 5 GHz and 2.4 GHz bands
• Technology changes:
– MIMO (Multiple input Multiple Output)
– Channel Bonding can simultaneously use two
separate non-overlapping channels to transmit data.
– Frame Aggregation
– Backward Compatibility