Transcript 802.11 101

Welcome!
Constructing Wireless LANs – A
Technology Update
Connect System 3.0
(Mobility for Wireless Voice)
802.11 Fortified Security, Enhanced Mobility
and Centralized Management Solutions
1
Topics for Discussion

• Wireless LAN Technology Update
• Integrating Wireless in the Enterprise: Providing Mission-Critical Wireless Services
• 7 "Deadly Sins" to Avoid With Wireless LANs
• Questions (anytime!)
2
The Unlicensed Radio Spectrum

[Figure: the three unlicensed bands used by wireless LANs, with their width, wavelength and typical occupants]

Band              Width     Wavelength  Occupants
902 - 928 MHz     26 MHz    33 cm       cordless phones, baby monitors, wireless LANs
2.4 - 2.4835 GHz  83.5 MHz  12 cm       802.11b, 802.11g, Bluetooth, 2.4 GHz cordless phones, microwave ovens
5.15 - 5.35 GHz   200 MHz   5 cm        802.11a
3
RF Design - Cost, Power, Range Tradeoff

[Figure: a grid of access-point cells with channels 1, 6 and 11 assigned so that no two adjacent cells share a channel]

• 802.11b, 802.11g: 3 non-overlapping channels (2.4 GHz channels are spaced 5 MHz apart but each occupies roughly 22 MHz, so only channels 1, 6 and 11 are mutually clear)
• 802.11a: 8 non-overlapping channels (in the 5.15 - 5.35 GHz band shown on the previous slide; 5 GHz channels are 20 MHz wide on 20 MHz spacing)
4
802.11 System Architecture

Basic Service Set (BSS): a set of stations which communicate with one another

Independent Basic Service Set (Ad Hoc Mode)
• only direct communication possible
• no relay function

Infrastructure Basic Service Set (Infrastructure Mode)
• AP provides
  • connection to wired network
  • relay function
• stations not allowed to communicate directly (all traffic passes through the AP)
5
The Extended Service Set

ESS: a set of BSSs interconnected by a distribution system (DS)
• ESS and all of its stations appear to be a single MAC layer
• APs communicate among themselves to forward traffic
• Station mobility within an ESS is invisible to the higher layers
• From a configuration standpoint, the ESS is the set of access points with the same SSID

[Figure: a station roaming among three access points that share one SSID]
6
802.11 Beacon & Probes

• Client (station) scanning
  • Passive: listen for beacons on each channel
  • Active: send a probe request and wait for a probe response on each channel
• Beacon & probe response packets carry:
  • AP timing information (timestamp)
  • Beacon period
  • AP capability information
  • SSID
• SSID (Service Set Identifier): identifies an ESS or IBSS
7
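The fields listed on this slide are the fixed fields (timestamp, beacon interval, capability information) and the information elements (SSID, supported rates, DS parameter set) of a beacon or probe response body. The following parser is an added example written for this transcript, not code from the original deck or from ReefEdge; the frame layout and bit positions are those of the 802.11 standard, while the sample BSSID, SSID and channel are constructed and the `build_beacon` helper exists only to produce a frame to feed the parser.

```python
import struct

# Frame-control subtypes for the two management frames a scanning station
# learns an AP from (frame type 0 = management).
SUBTYPE_PROBE_RESPONSE = 5
SUBTYPE_BEACON = 8

# Capability-information bits (16-bit little-endian fixed field)
CAP_ESS = 0x0001      # infrastructure BSS (an access point)
CAP_IBSS = 0x0002     # ad hoc BSS
CAP_PRIVACY = 0x0010  # data confidentiality required (WEP in the 802.11b era)

# Information element tags used below
IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMETER_SET = 3  # carries the 2.4 GHz channel number


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes) -> dict:
    """Extract what a scanning client uses from a beacon or probe response.

    Layout: 24-byte MAC header | timestamp(8) | beacon interval(2) |
    capability(2) | information elements (tag, length, value) ...
    """
    if len(frame) < 36:
        raise ValueError("too short for a beacon/probe response")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESPONSE):
        raise ValueError("not a beacon or probe response")
    timestamp, interval_tu, cap = struct.unpack_from("<QHH", frame, 24)
    info = {
        "kind": "beacon" if subtype == SUBTYPE_BEACON else "probe_response",
        "source": mac_str(frame[10:16]),            # address 2: transmitter
        "bssid": mac_str(frame[16:22]),             # address 3: BSSID
        "timestamp_us": timestamp,                  # AP timing (TSF) for clock sync
        "beacon_interval_ms": interval_tu * 1.024,  # field is in 1024 us time units
        "ess": bool(cap & CAP_ESS),
        "ibss": bool(cap & CAP_IBSS),
        "privacy": bool(cap & CAP_PRIVACY),
        "ssid": None,
        "hidden_ssid": False,
        "rates_mbps": [],
        "channel": None,
    }
    off = 36
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")  # never trust the length byte
        off += 2 + length
        if tag == IE_SSID:
            # "Hidden" SSIDs are sent as an empty IE or one filled with NULs
            info["hidden_ssid"] = length == 0 or value == b"\x00" * length
            info["ssid"] = "" if info["hidden_ssid"] else value.decode("utf-8", "replace")
        elif tag == IE_SUPPORTED_RATES:
            # one byte per rate in 500 kbps units; the top bit flags a basic rate
            info["rates_mbps"] = [(b & 0x7F) / 2 for b in value]
        elif tag == IE_DS_PARAMETER_SET and length == 1:
            info["channel"] = value[0]
    return info


def build_beacon(bssid: bytes, ssid: str, channel: int, privacy: bool,
                 interval_tu: int = 100, timestamp: int = 0) -> bytes:
    """Construct a minimal 802.11b beacon frame (sample input for the parser)."""
    header = (bytes([SUBTYPE_BEACON << 4, 0x00])  # frame control: management / beacon
              + b"\x00\x00"                       # duration
              + b"\xff" * 6                       # addr1: broadcast
              + bssid + bssid                     # addr2 (SA) and addr3 (BSSID)
              + b"\x00\x00")                      # sequence control
    cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    fixed = struct.pack("<QHH", timestamp, interval_tu, cap)
    ssid_raw = ssid.encode()
    ies = (bytes([IE_SSID, len(ssid_raw)]) + ssid_raw
           + bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps basic
           + bytes([IE_DS_PARAMETER_SET, 1, channel]))
    return header + fixed + ies


if __name__ == "__main__":
    # constructed sample: BSSID 00:11:22:33:aa:bb, SSID "corpnet", channel 6, WEP on
    sample = build_beacon(bytes.fromhex("00112233aabb"), "corpnet", 6, privacy=True)
    for field, value in parse_mgmt_frame(sample).items():
        print(f"{field:20} {value}")
```

Two things the parser makes visible that the slide does not: the Privacy capability bit is the only hint a beacon gives about whether the AP expects encryption, and a "hidden" SSID is just an empty or NUL-filled IE, which is why it offers no real protection (the name still appears in probe requests and responses).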
802.11: Where We Are Today

802.11b
  What: 11 Mbps (actual ~6 Mbps); 11 channels (US allocation), 3 non-overlapping; WEP with 40-bit key, 104-bit optional
  Comments: Low cost and available worldwide; WEP can be easily hacked

802.11a
  What: 54 Mbps (actual ~25 Mbps); 8 non-overlapping channels
  Comments: Vendor interoperability issues; requires ~2-4x more 11a APs to cover the same area as with 11b

Proprietary extensions
  What: Dynamic WEP (key rotation); LEAP (Cisco authentication protocol)
  Comments: Requires single-vendor solution; price premium / vendor lock-in

802.1x
  What: "Port-based" access control for wired & wireless networks
  Comments: LEAP is Cisco's version; all-or-nothing access control; some security vulnerabilities
8
802.11 Alphabet Soup: The Future

802.11e
  What: QoS for WLANs
  Status: Standard approval imminent

802.11f
  What: Inter-access point communication
  Status: Only layer 2 communications

802.11g
  What: 22-54 Mbps data rate; backward compatible with 802.11b
  Status: Scheduled to be ratified in 2Q03; prototypes already on market

802.11h
  What: Supports European requirements for .11a
  Status: Devices expected by end of year

802.11i
  What: Improved security, WEP replacement
  Status: Requires hardware & protocol replacement! Interim TKIP available; expected late 2003
9
The 802.1x Environment Today

Authentication technique / What is it? / Comments

LEAP
  What: Cisco's approach
  Comments: Requires all-Cisco environment; username visible on the air

TLS (EAP-TLS)
  What: IETF RFC (RFC 2716); Microsoft built it into Windows XP
  Comments: Requires X.509 certificates on every client

TTLS (EAP-TTLS)
  What: Funk's approach
  Comments: Uses PAP/CHAP over EAP, tunnelled inside TLS; only the server needs a certificate

PEAP
  What: Microsoft initiative
  Comments: User ID/password; emerging (not ubiquitous), lots of promise
10
Encryption

[Figure: encryption options plotted by degree of security (vertical axis, from "Poor Security" to "Robust Security", with a "FIPS 140-2 Minimum" line) against degree of interoperability (horizontal axis, from "Single Vendor or Not Available" to "Ubiquitous")]

From most to least secure: AES; IPsec (3DES); TKIP; LEAP and Dynamic WEP; WEP.
From most to least interoperable: WEP is ubiquitous; LEAP and Dynamic WEP are single-vendor; AES was not yet available in 802.11 products at the time.
Note: AES and 3DES are FIPS-approved algorithms; WEP, Dynamic WEP, LEAP and TKIP all rely on RC4, which is not.
11
802.11 Deployment Lifecycle

[Figure: adoption curve moving from Home / Personal use, to Departmental, to Enterprise-Wide Adoption]
12
Mission-Critical WLAN Questions
How will I secure the WLAN?
Can I handle multiple user types on the WLAN?
How will my WLAN support voice and other applications?
How do I provide a seamless user experience?
Can my WLAN span multiple sites?
Can I detect rogue access points?
How will I monitor RF performance?
How do I configure the WLAN?
How do I leverage my existing network investment?
13
The Numbers are Great…

[Chart: WLAN adapter shipments (thousands) and WLAN adapter revenues ($ millions), 2001-2006]
[Chart: WLAN access point revenues ($ millions), 2001-2006, split into Branch/Small Office, Large Enterprise and Remote Workers]
Source: Gartner Wireless LAN Summit, 11/2001

• Low cost
• Built-in wireless
• Viable business case
  • Network maintenance
  • Employee productivity with fluid work-style
• Lots of devices
• Many pilot deployments
  • … but few large enterprise deployments
14
Building Mission-Critical Wireless LANs

enterprise resources
• Enterprise Portal
• Directory Services
• Vertical Applications
• Network Management
• Authentication Services
• Accounting & Billing

"wireless LAN services fabric"
• Technology Agnostic
• Layered Security
• Vendor Agnostic
• Centralized Management
• Standards Based
• Enhanced Mobility
• Investment Protection
• Customization via APIs

connectivity
• Devices: Laptops, Handhelds, Voice Phones, Specialized devices
• Radios: 802.11b, 802.11a, 802.11g, Bluetooth
15
WLANs vs. Wired LANs

Wired LANs
• Physical security
• Usually assume stationary devices
• VLANs used for isolation
• Virtually unlimited bandwidth
• Attacks are well understood and containable
• Stable management environment

WLANs
• Open access
• Mobile devices are the norm
• RF "ports" of WLANs cannot be isolated
• 802.11b (~6 Mbps) & 802.11a (~25 Mbps) shared by many users
• New attacks frequently announced
• Management challenges
16
The Seven Deadly Sins of Wireless LANs
Top mistakes made during
wireless LAN pilots and
deployments
(and how to avoid them)
17
1. Succumbing to Insecurity

• Most WLAN deployments do not have any!
• Wired Equivalent Privacy (WEP) in the 802.11b standard
  • Link-layer encryption (RC4) with a per-packet key formed from a 24-bit IV and the static shared key
  • Used to validate client access (shared-key authentication)
  • Badly flawed, so intruders can
    • Bypass client access control
    • Analyze and decrypt data
    • Modify data without being detected
• Various attempts to fix
  • Still not secure
  • Sacrifice scalability and interoperability, and add complexity and cost
18
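Two of the three intruder capabilities on this slide follow directly from WEP's construction: RC4 keystream reuse (the 24-bit IV repeats quickly, so one known plaintext exposes every other frame sent under the same IV) and the linearity of the CRC-32 integrity check (so a frame can be altered in flight and its ICV corrected without the key). The following is an added example written for this transcript, not code from the original deck or from ReefEdge. It implements WEP encapsulation as specified (IV || RC4(IV || key, plaintext || CRC-32), key-ID byte omitted) and the two attacks on constructed frames; the 40-bit key, IV and message contents are made up for the demonstration.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: an unkeyed CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV(3) || RC4(IV || key, plaintext || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)  # 40- or 104-bit shared key
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes):
    """Return (plaintext, icv_ok) exactly as a receiving station would."""
    iv, cipher = body[:3], body[3:]
    clear = rc4(iv + key, cipher)
    plaintext, tag = clear[:-4], clear[-4:]
    return plaintext, tag == icv(plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Attack 1: undetected modification, no key needed ---------------------
def flip_bits(body: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the plaintext of an encrypted frame and keep the ICV valid.

    CRC-32 is affine over GF(2): crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0 * len(d)),
    so the ICV correction depends only on the attacker's delta, not on p.
    Because RC4 is XOR-based, XORing the ciphertext applies the same delta to
    the plaintext underneath.
    """
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    mask = delta + icv_delta               # same length as plaintext || ICV
    return body[:3] + xor(body[3:], mask)  # IV is left untouched


# --- Attack 2: keystream reuse (2^24 IVs, repeated on a busy AP within hours)
def keystream_from_known_plaintext(body: bytes, known: bytes) -> bytes:
    """Recover the RC4 keystream for this IV from one frame with known content."""
    return xor(body[3:], known + icv(known))


def decrypt_with_keystream(keystream: bytes, body: bytes) -> bytes:
    """Decrypt any other frame (up to the keystream length) sent under the same IV."""
    return xor(body[3:], keystream)[:-4]


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")       # constructed 40-bit shared key
    iv = b"\x00\x00\x01"                    # constructed IV
    original = b"TO:alice AMT:0100"         # constructed plaintext
    body = wep_encrypt(key, iv, original)
    # attacker knows the field layout, so can choose the delta without the key
    tampered = flip_bits(body, xor(original, b"TO:alice AMT:9900"))
    print(wep_decrypt(key, tampered))       # (b'TO:alice AMT:9900', True)
    ks = keystream_from_known_plaintext(body, original)
    other = wep_encrypt(key, iv, b"second message")  # same IV reused
    print(decrypt_with_keystream(ks, other))         # b'second message'
```

The receiver accepts the tampered frame because nothing in WEP binds the ICV to the key; this is the reason 802.11i replaced the CRC with a keyed MIC (Michael in TKIP, CBC-MAC in AES-CCMP) and made the IV/nonce part of the keyed computation.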
Absolution

• Beware WEP
• Deploy systems that provide
  • User authentication
  • Per-user access control
  • Data privacy via distributed VPN encryption
  • Policy administration
  • Logging and audit
19
2. Praying to the Giant VLAN

• 802.11 is a link-layer technology (like Ethernet)
• All users affected by
  • Subnet mobility
  • Session persistence
• Create a single VLAN for all access points?
  • Limited scalability
  • Inefficient routing
  • Tough to manage

[Figure: one "Wireless VLAN" stretched across the whole campus to reach every access point]
20
Absolution

• Beware rewiring your network to make it wireless
• Instead
  • Plug access points into the existing LAN
  • Deploy layer 3 roaming technologies in the network
21
3. Deploying Questionable Coverage

• 11 Mbps of coverage up to 100 meters?
• More likely you are getting 5.5 Mbps (the 802.11b fall-back rate) at that range. Radios are tough!
• Only 3 non-colliding channels
• Unpredictable coverage
• APs have different characteristics
22
Absolution

• Beware the temptation of just plugging in access points
• Instead
  • Understand the radio environment through an RF site survey
  • Select radio equipment according to range and coverage needs
  • Tune power levels to match coverage needs
23
4. Providing Quality of Disservice

• Users and applications are accustomed to 100 Mbps or 1 Gbps switched LANs
• On the WLAN they must share an 11 Mbps wireless link
• Result
  • Contention for limited capacity
  • Very unhappy wireless users
24
Absolution

• Beware the bandwidth bottleneck
• Instead
  • Install bandwidth management software to coordinate wireless bandwidth usage
  • Look to
    • 802.11a, 802.11g for higher capacity
    • 802.11e for link-layer traffic prioritization
25
5. Embracing the Heretics

• The 802.11b standard
  • Interoperability between clients and access points
  • Compatibility testing through WECA (Wireless Ethernet Compatibility Alliance, since renamed the Wi-Fi Alliance)
  • Result: Low cost, large quantity
• The threat: Proprietary extensions
  • Examples
    • Early 802.1x implementations
    • PPP over 802.11
    • Inter-access point communication
  • Non-vendor equipment does not support the extra features
  • May even deny access to non-vendor clients
  • You cannot control all clients (guest users, built-in wireless)
  • High cost: vendor lock-in
26
Absolution

• Beware temptation by your vendor's salesperson
• Instead
  • Use WLAN equipment that meets the WECA compatibility standards
  • Address WLAN issues in the network with vendor-independent infrastructure
  • Avoid special-purpose client software
27
6. Re-living the Past

Today
• 802.11b, laptops
• "Nomadic mobility"

Tomorrow
• 802.11a, 802.11b, 802.11g, HiperLAN, Bluetooth, …
• Laptops, web pads, industrial devices, PDAs, cell phones, …
• "True mobility"

• Heterogeneity will be the order of the day
• New applications and services supporting a mobile work style
28
Absolution

• Beware the forward march of technology
• Instead
  • Plan for technology change
  • Encourage new applications to enhance mobile productivity
29
7. Hiding from the Future

• Fear delays the enterprise deployment
• Users are becoming accustomed to the benefits of wireless LANs
• Users will do it themselves (and they do!)
30
Absolution

• Beware the temptation of time
• Instead
  • Actively watch for rogue access points
  • Take control of the enterprise wireless LAN before your users do!
31
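"Actively watch for rogue access points" (and the earlier question "Can I detect rogue access points?") comes down to comparing what is seen over the air with an inventory of the APs you actually own. The following is an added example written for this transcript, not code from the original deck or from ReefEdge. It assumes a scan export in a simple comma-separated form (BSSID, SSID, channel, privacy bit, as the beacon parser above would yield); the authorized inventory, neighbour list, scan lines and wired MAC table are all constructed for the example, and the severity scheme is one practitioner's choice rather than anything the deck prescribes.

```python
from dataclasses import dataclass

# Authorized AP inventory: BSSID -> (SSID, channel). Constructed for this example.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": ("corpnet", 1),
    "00:11:22:aa:bb:06": ("corpnet", 6),
    "00:11:22:aa:bb:0b": ("corp-guest", 11),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}
# SSIDs of neighbouring tenants already reviewed and accepted (constructed).
KNOWN_NEIGHBOR_SSIDS = {"cafe-wifi"}

# Constructed scan export: bssid, ssid, channel, privacy bit set?
SAMPLE_SCAN = """\
# bssid,            ssid,       ch, privacy
00:11:22:aa:bb:01,  corpnet,     1, yes
00:11:22:aa:bb:06,  corpnet,    11, yes
de:ad:be:ef:00:01,  corpnet,     6, no
aa:bb:cc:dd:ee:ff,  cafe-wifi,   6, yes
02:00:00:00:00:01,  linksys,     6, no
02:00:00:00:00:02,  homenet,     1, yes
"""


@dataclass
class ScanRecord:
    bssid: str
    ssid: str
    channel: int
    privacy: bool


@dataclass
class Finding:
    severity: str
    bssid: str
    ssid: str
    reason: str


def parse_scan(text: str) -> list:
    """Parse the constructed scan format; comment and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, privacy = (f.strip() for f in line.split(","))
        records.append(ScanRecord(bssid.lower(), ssid, int(channel), privacy == "yes"))
    return records


def classify(records: list, wired_macs=frozenset()) -> list:
    """Rank every BSS seen over the air against the authorized inventory.

    `wired_macs` is the (optional) set of MAC addresses learned on the wired
    edge switches; an unknown AP whose BSSID also shows up there is plugged
    into our network, not just audible from next door.
    """
    findings = []
    for r in records:
        if r.bssid in AUTHORIZED_APS:
            exp_ssid, exp_ch = AUTHORIZED_APS[r.bssid]
            if (r.ssid, r.channel) != (exp_ssid, exp_ch):
                findings.append(Finding("high", r.bssid, r.ssid,
                    f"authorized BSSID deviates from inventory (expected {exp_ssid!r} "
                    f"on channel {exp_ch}): misconfiguration or BSSID spoofing"))
            continue
        if r.ssid in CORPORATE_SSIDS:
            findings.append(Finding("critical", r.bssid, r.ssid,
                "unknown BSSID advertising a corporate SSID (evil twin / rogue AP)"))
        elif r.bssid in wired_macs:
            findings.append(Finding("critical", r.bssid, r.ssid,
                "unknown AP whose MAC is seen on the wired network (employee-installed rogue)"))
        elif r.ssid in KNOWN_NEIGHBOR_SSIDS:
            continue  # reviewed neighbour, nothing to do
        elif not r.privacy:
            findings.append(Finding("medium", r.bssid, r.ssid,
                "unknown open AP in range; check switch MAC tables to rule out a rogue on our wire"))
        else:
            findings.append(Finding("low", r.bssid, r.ssid,
                "unknown encrypted AP; review and add to the neighbour list if legitimate"))
    return findings


if __name__ == "__main__":
    # constructed wired MAC table: the "linksys" AP's MAC was learned on a floor switch
    for f in classify(parse_scan(SAMPLE_SCAN), wired_macs={"02:00:00:00:00:01"}):
        print(f"{f.severity:8} {f.bssid}  {f.ssid:12} {f.reason}")
```

Hearing an AP over the air does not prove it is on your wire; the wired MAC-table cross-check is what separates a neighbour's AP from an employee's, and in practice the BSSID and the AP's Ethernet MAC often differ in the last octet, so a production tool would match on the vendor prefix plus a small offset rather than the exact address used here.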
Summary

Beware the Seven Deadly Sins
1. Succumbing to Insecurity
2. Praying to the Giant VLAN
3. Deploying Questionable Coverage
4. Providing Quality of Disservice
5. Embracing the Heretics
6. Re-living the Past
7. Hiding from the Future
32
About ReefEdge

• Network appliances supporting enterprise WLANs
  • Security: authentication, access control, encryption
  • Management: policy definition, WLAN configuration, bandwidth control, back-end IT integration
  • Usability: subnet roaming, session persistence, application services
• Partner with integrators providing design, site survey, installation, and support services
• For more information
  • Visit us at www.reefedge.com
33
Contact:
[email protected]
(201) 548-2600
34