Transcript 802.11 101
Welcome!
Constructing Wireless LANs – A Technology Update
Connect System 3.0 (Mobility for Wireless Voice)
802.11 Fortified Security, Enhanced Mobility and Centralized Management Solutions
Topics for Discussion
Wireless LAN Technology Update
Integrating Wireless in the Enterprise – Providing Mission Critical Wireless Services
7 “Deadly Sins” to Avoid With Wireless LANs
Questions (anytime!)
The Unlicensed Radio Spectrum
902–928 MHz (26 MHz wide, ~33 cm wavelength): cordless phones, baby monitors, wireless LANs
2.4–2.4835 GHz (83.5 MHz wide, ~12 cm wavelength): 802.11b, 802.11g, Bluetooth, 2.4 GHz cordless phones, microwave ovens
5.15–5.35 GHz (200 MHz wide, ~5 cm wavelength): 802.11a
RF Design - Cost, Power, Range Tradeoff
[Figure: a grid of coverage cells assigned 802.11b channels 1, 6 and 11 so that no two adjacent cells share a channel]
• 802.11b, 802.11g: 3 Non-Overlapping Channels
• 802.11a: 8 Non-Overlapping Channels
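Where the 3 and 8 come from, and how to check a cell plan like the one in the figure, as an added example (this is not code from the presentation or from ReefEdge). It assumes the standard channel center frequencies (2407 + 5·n MHz in the 2.4 GHz band, 5000 + 5·n MHz in the 5 GHz band), a 22 MHz DSSS channel width for 802.11b/g and 20 MHz for 802.11a OFDM; the four-cell layout at the bottom is constructed.

```python
"""Derive the non-overlapping channel counts quoted on this slide and check a cell plan.
Constructed example; the cell layout at the bottom is made up."""

DSSS_WIDTH_MHZ = 22   # 802.11b/g DSSS channel width (main lobe of the spectral mask)
OFDM_WIDTH_MHZ = 20   # 802.11a OFDM channel width

def center_freq_2g(channel: int) -> int:
    """2.4 GHz band: 5 MHz steps from 2412 MHz; channel 14 (Japan) is the odd one out."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no 2.4 GHz channel {channel}")

def center_freq_5g(channel: int) -> int:
    """5 GHz band: channel number times 5 MHz above 5000 MHz (36 -> 5180 MHz)."""
    return 5000 + 5 * channel

def overlaps(freq_a: int, freq_b: int, width: int) -> bool:
    """Two channels of the same width overlap when their centers are closer than that width."""
    return abs(freq_a - freq_b) < width

def non_overlapping_plan(channels, freq_of, width) -> list:
    """Greedy lowest-first pick: keep a channel only if it clears everything already kept."""
    kept = []
    for ch in sorted(channels):
        if all(not overlaps(freq_of(ch), freq_of(k), width) for k in kept):
            kept.append(ch)
    return kept

US_2G_CHANNELS = range(1, 12)          # FCC: channels 1-11
UNII_1_2_CHANNELS = range(36, 65, 4)   # 36, 40, ..., 64: the eight 802.11a channels of the day

def conflicting_cells(assignment: dict, neighbours, freq_of=center_freq_2g,
                      width=DSSS_WIDTH_MHZ) -> list:
    """Report adjacent cells whose channels overlap (the mistake the 1/6/11 layout avoids)."""
    return [(a, b) for a, b in neighbours
            if overlaps(freq_of(assignment[a]), freq_of(assignment[b]), width)]

# Constructed four-cell floor: cell D was set to channel 3 by mistake and collides with A.
CELL_CHANNELS = {"A": 1, "B": 6, "C": 11, "D": 3}
CELL_NEIGHBOURS = [("A", "B"), ("B", "C"), ("C", "D"), ("A", "D")]

if __name__ == "__main__":
    print(non_overlapping_plan(US_2G_CHANNELS, center_freq_2g, DSSS_WIDTH_MHZ))   # [1, 6, 11]
    print(non_overlapping_plan(UNII_1_2_CHANNELS, center_freq_5g, OFDM_WIDTH_MHZ))  # 8 channels
    print(conflicting_cells(CELL_CHANNELS, CELL_NEIGHBOURS))                        # [('A', 'D')]
```

Channels 1 and 5 are 20 MHz apart and still overlap; 1 and 6 are 25 MHz apart and do not, which is why the greedy pick lands on 1, 6 and 11. The 5 GHz channels sit exactly one channel width apart, so all eight survive.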
802.11 System Architecture
Basic Service Set (BSS): a set of stations which communicate with one another
Independent Basic Service Set (Ad Hoc Mode)
• only direct communication possible
• no relay function
Infrastructure Basic Service Set (Infrastructure Mode)
• AP provides
  • connection to wired network
  • relay function
• stations not allowed to communicate directly
The Extended Service Set
ESS: a set of BSSs interconnected by a distribution system (DS)
• ESS and all of its stations appear to be a single MAC layer
• APs communicate among themselves to forward traffic
• Station mobility within an ESS is invisible to the higher layers
• From a configuration standpoint, the ESS is the set of Access Points with the same SSID
[Figure: one station roaming among three access points on a common distribution system]
802.11 Beacon & Probes
Client (station) scanning
• Passive: listen for beacons on each channel
• Active: send probe and wait for response on each channel
Beacon & probe response packets carry:
• AP timing information
• Beacon period
• AP capability information
• SSID
SSID (Service Set Identifier) identifies an ESS or IBSS
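What those beacon fields look like on the wire, and one practical use of them, as an added example (not code from the presentation or from ReefEdge). It parses the beacon/probe-response frame body after the 802.11 MAC header: the 8-byte timestamp, 2-byte beacon interval and 2-byte capability field (whose Privacy bit is how an AP announces that WEP is required), followed by tagged elements for the SSID, supported rates and channel. The two frame bodies and the authorized-AP allowlist are constructed for the demo; the rogue check at the end is the kind of comparison a scan-based rogue-AP watch relies on.

```python
"""Parse what a beacon / probe response carries, then use it for a rogue-AP check.
Constructed example: the frame bodies and the authorized-AP list are made up."""
import struct

ELEMENT_SSID = 0
ELEMENT_SUPPORTED_RATES = 1
ELEMENT_DS_PARAMETER_SET = 3

def parse_information_elements(data: bytes) -> list:
    """Tagged parameters after the fixed fields: 1-byte ID, 1-byte length, value."""
    elements, offset = [], 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated element header")
        element_id, length = data[offset], data[offset + 1]
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("element length runs past the end of the frame body")
        elements.append((element_id, value))
        offset += 2 + length
    return elements

def parse_beacon_body(body: bytes) -> dict:
    """Fixed fields: 8-byte timestamp, 2-byte beacon interval (TU), 2-byte capability."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    timestamp, interval, capability = struct.unpack("<QHH", body[:12])
    info = {
        "timestamp": timestamp,
        "beacon_interval_tu": interval,        # 1 TU = 1024 microseconds
        "ess": bool(capability & 0x0001),      # infrastructure BSS
        "ibss": bool(capability & 0x0002),     # ad hoc IBSS
        "privacy": bool(capability & 0x0010),  # AP demands encryption (WEP in this era)
        "ssid": None, "hidden_ssid": False, "rates_mbps": [], "channel": None,
    }
    for element_id, value in parse_information_elements(body[12:]):
        if element_id == ELEMENT_SSID:
            info["ssid"] = value.decode("utf-8", errors="replace")
            info["hidden_ssid"] = len(value) == 0   # "closed" network: SSID suppressed
        elif element_id == ELEMENT_SUPPORTED_RATES:
            # each byte is a rate in 500 kbit/s units; the top bit flags a basic rate
            info["rates_mbps"] = [(b & 0x7F) / 2 for b in value]
        elif element_id == ELEMENT_DS_PARAMETER_SET and len(value) == 1:
            info["channel"] = value[0]
    return info

# Constructed beacon bodies (the 24-byte MAC header is assumed already stripped)
CORP_BEACON = (
    struct.pack("<QHH", 0x12345678, 100, 0x0011)   # ESS + Privacy set
    + b"\x00\x09corp-wlan"                        # SSID element
    + b"\x01\x04\x82\x84\x8b\x96"                 # rates 1, 2, 5.5, 11 Mbps (all basic)
    + b"\x03\x01\x06"                             # DS parameter set: channel 6
)
HIDDEN_OPEN_BEACON = (
    struct.pack("<QHH", 0x12345678, 100, 0x0001)   # ESS only: no Privacy bit
    + b"\x00\x00"                                 # zero-length SSID
    + b"\x01\x04\x82\x84\x8b\x96"
    + b"\x03\x01\x01"                             # channel 1
)

# Constructed allowlist: corporate SSID -> BSSIDs (AP MACs) that may announce it
AUTHORIZED_APS = {"corp-wlan": {"00:11:22:33:44:55"}}

def classify_ap(bssid: str, beacon: dict) -> str:
    """Rogue check from a scan result: is this BSSID allowed to advertise this SSID?"""
    ssid = beacon["ssid"]
    if ssid in AUTHORIZED_APS:
        if bssid.lower() in AUTHORIZED_APS[ssid]:
            return "authorized"
        return "rogue: unknown BSSID advertising the corporate SSID"
    if beacon["ess"] and not beacon["privacy"]:
        return "unknown open AP"
    return "unknown AP"

if __name__ == "__main__":
    print(parse_beacon_body(CORP_BEACON))
    print(classify_ap("de:ad:be:ef:00:01", parse_beacon_body(CORP_BEACON)))
```

A suppressed SSID shows up as a zero-length SSID element, not as a missing one, so a scanner should treat "hidden" as a flag rather than as "no network here". The length checks matter in practice: a beacon comes from an untrusted radio, and an element whose declared length exceeds the frame is exactly the input a sloppy driver parser trips over.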
802.11: Where We Are Today
802.11b
• 11 Mbps (actual ~6 Mbps)
• 11 channels, 3 non-overlapping
• WEP with 40-bit key, 104-bit optional
• Pro: low cost and available worldwide
• Con: WEP can be easily hacked
802.11a
• 54 Mbps (actual ~25 Mbps)
• 8 non-overlapping channels
• Con: vendor interoperability issues
• Con: requires ~2-4x more 11a APs to cover the same area as with 11b
Proprietary Extensions
• Dynamic WEP: key rotation
• LEAP: Cisco authentication protocol
• Con: requires single-vendor solution
• Con: price premium/vendor lock-in
802.1x
• “Port-based” access control for wired & wireless networks
• Con: LEAP is Cisco’s version
• Con: all-or-nothing access control
• Con: some security vulnerabilities
802.11 Alphabet Soup: The Future
802.11e: QoS for WLANs; standard approval imminent
802.11f: Inter-Access Point communication; only layer 2 communications
802.11g: 22-54 Mbps data rate; backward compatible with 802.11b; scheduled to be ratified in 2Q03; prototypes already on market
802.11h: supports European requirements for .11a; devices expected by end of year
802.11i: improved security, WEP replacement; requires hardware & protocol replacement!; interim TKIP available; expected late 2003
The 802.1x Environment Today
Authentication technique / What is it? / Comments
LEAP: Cisco’s approach. Requires all-Cisco environment; username visible (the EAP identity travels in the clear).
EAP-TLS: IETF RFC; Microsoft built it into Windows XP. Requires X.509 certificates on every client.
EAP-TTLS: Funk’s approach. Uses PAP/CHAP over EAP, carried inside a TLS tunnel so the password exchange is not exposed.
PEAP: Microsoft initiative. User ID/password; emerging (not ubiquitous), lots of promise.
Encryption: Degree of Security vs. Degree of Interoperability
[Chart: the security axis runs from Poor Security up to Robust Security, with FIPS 140-2 marked as the minimum for robust; the interoperability axis runs from Single Vendor or Not Available to Ubiquitous]
Plotted from poorest to most robust security: WEP; LEAP and Dynamic WEP; TKIP; IPsec (3DES); AES
WEP sits at the ubiquitous end of the interoperability axis
802.11 Deployment Lifecycle
[Figure: adoption curve from Home to Personal to Departmental to Enterprise-Wide]
Mission-Critical WLAN Questions
How will I secure the WLAN?
Can I handle multiple user types on the WLAN?
How will my WLAN support voice and other applications?
How do I provide a seamless user experience?
Can my WLAN span multiple sites?
Can I detect rogue access points?
How will I monitor RF performance?
How do I configure the WLAN?
How do I leverage my existing network investment?
The Numbers are Great…
[Charts: WLAN adapter shipments (thousands) and WLAN adapter revenues ($ millions), 2001-2006; WLAN access point revenues ($ millions) by segment (Branch/Small Office, Large Enterprise, Remote Workers), 2001-2006. Source: Gartner Wireless LAN Summit, 11/2001]
Drivers: low cost, built-in wireless
Lots of devices, many pilot deployments … but few large enterprise deployments
Viable business case: network maintenance; employee productivity with a fluid work-style
Building Mission-Critical Wireless LANs
[Figure: three layers, top to bottom]
Enterprise resources: Enterprise Portal, Directory Services, Vertical Applications, Network Management, Authentication Services, Accounting & Billing
“Wireless LAN services fabric”: Technology Agnostic, Layered Security, Vendor Agnostic, Centralized Management, Standards Based, Enhanced Mobility, Investment Protection, Customization via APIs
Connectivity: Laptops, Handhelds, Voice Phones and Specialized devices over 802.11b, 802.11a, 802.11g and Bluetooth
WLANs vs. Wired LANs
Security: wired LANs rely on physical security, with VLANs used for isolation; WLANs are open access, and the RF “ports” of a WLAN cannot be isolated
Mobility: wired LANs usually assume stationary devices; on WLANs mobile devices are the norm
Bandwidth: wired LANs offer virtually unlimited bandwidth; a WLAN shares 802.11b (~6 Mbps) or 802.11a (~25 Mbps) among many users
Attacks: wired LAN attacks are well understood and containable; new WLAN attacks are frequently announced
Management: wired LANs are a stable management environment; WLANs bring new management challenges
The Seven Deadly Sins of Wireless LANs
Top mistakes made during wireless LAN pilots and deployments (and how to avoid them)
1. Succumbing to Insecurity
Most WLAN deployments do not have any!
Wired Equivalent Privacy (WEP) in the 802.11b standard
• Link-layer encryption with a per-packet encryption key (a short cleartext IV prepended to the shared key)
• Used to validate client access
• Badly flawed, so intruders can
  • bypass client access control
  • analyze and decrypt data
  • modify data without being detected
• Various attempts to fix
  • still not secure
  • trade away scalability and interoperability while adding complexity and cost
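Two of the three flaws listed above, worked through on a toy WEP, as an added example (not code from the presentation or from ReefEdge). It reproduces the real WEP construction, RC4 keyed with IV || shared key and a CRC-32 integrity check value, but the 40-bit key, the IV and the frame payloads are constructed for the demo. The first attack edits an encrypted frame and repairs the ICV without the key, because CRC-32 is linear under XOR; the second recovers a second frame's contents when an IV is reused, because one known plaintext hands over that IV's keystream.

```python
"""Why WEP is 'badly flawed': a toy WEP (RC4 + CRC-32 ICV) and two attacks on it.
Constructed example; the key, IV and frames below are made up for the demo."""
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA then PRGA). WEP seeds it with IV || shared key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF

def icv(data: bytes) -> bytes:
    """WEP's integrity check value is a plain CRC-32: keyless and linear, so forgeable."""
    return struct.pack("<I", crc32(data))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = 3-byte IV in the clear || RC4(IV || key, plaintext || ICV)."""
    return iv + rc4(iv + key, plaintext + icv(plaintext))

def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext if the ICV verifies, else None (frame rejected)."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + key, body)
    data, tag = clear[:-4], clear[-4:]
    return data if tag == icv(data) else None

def naive_tamper(frame: bytes, delta: bytes) -> bytes:
    """Flip plaintext bits through the ciphertext but leave the ICV alone: gets rejected."""
    iv, body = frame[:3], frame[3:]
    return iv + xor(body, delta + b"\x00\x00\x00\x00")

def bitflip_forge(frame: bytes, delta: bytes) -> bytes:
    """Attack 1, no key needed: XOR 'delta' into the plaintext and fix the ICV too.
    CRC-32 is affine over XOR: crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros of same length)."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole plaintext")
    delta_icv = struct.pack("<I", crc32(delta) ^ crc32(bytes(n)))
    return iv + xor(body, delta + delta_icv)

def keystream_from_known(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attack 2, IV reuse: one known plaintext exposes that IV's entire keystream."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))

def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Any other frame under the same IV (no longer than the known one) is then readable."""
    return xor(frame[3:], keystream)[:-4]

KEY = bytes.fromhex("0123456789")          # constructed 40-bit WEP key
IV = b"\x00\x00\x01"                        # constructed 24-bit IV
ORIGINAL = b"TRANSFER 0100 TO ALICE"        # constructed frame payload
TARGET = b"TRANSFER 9900 TO ALICE"          # what the attacker wants accepted instead
SECRET = b"user=bob pass=hunter2"           # constructed second frame sent under the same IV

def demo_naive_tamper():
    frame = wep_encrypt(KEY, IV, ORIGINAL)
    return wep_decrypt(KEY, naive_tamper(frame, xor(ORIGINAL, TARGET)))   # None

def demo_bitflip() -> bytes:
    frame = wep_encrypt(KEY, IV, ORIGINAL)
    forged = bitflip_forge(frame, xor(ORIGINAL, TARGET))
    return wep_decrypt(KEY, forged)           # TARGET: the ICV still verifies

def demo_iv_reuse() -> bytes:
    known = wep_encrypt(KEY, IV, ORIGINAL)
    later = wep_encrypt(KEY, IV, SECRET)
    return decrypt_with_keystream(later, keystream_from_known(known, ORIGINAL))   # SECRET

if __name__ == "__main__":
    print(demo_naive_tamper(), demo_bitflip(), demo_iv_reuse())
```

The contrast between the two tampering functions is the point: the CRC does catch a careless edit, which is presumably why it was thought adequate, but because it is linear and unkeyed the attacker can compute the matching adjustment without knowing anything secret. With only 24 bits of IV, reuse is a matter of hours on a busy AP, which is what makes the second attack practical rather than theoretical.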
Absolution
Beware WEP
Deploy systems that provide
• User authentication
• Per-user access control
• Data privacy via distributed VPN encryption
• Policy administration
• Logging and audit
2. Praying to the Giant VLAN
802.11 is a link-layer technology (like Ethernet)
All users affected by
• Subnet mobility
• Session persistence
Create a single wireless VLAN for all access points?
• Limited scalability
• Inefficient routing
• Tough to manage
Absolution
Beware rewiring your network to make it wireless
Instead
• Plug access points into the existing LAN
• Deploy layer 3 roaming technologies in the network
3. Deploying Questionable Coverage
11 Mbps of coverage up to 100 meters, on paper; getting 5.5 Mbps in practice?
Radios are tough!
• Only 3 non-overlapping channels
• Unpredictable coverage
• APs have different characteristics
Absolution
Beware the temptation of just plugging in access points
Instead
• Understand the radio environment through an RF site survey
• Select radio equipment according to range and coverage needs
• Tune power levels to match coverage needs
4. Providing Quality of Disservice
Users and applications accustomed to 100 Mbps or 1 Gbps switched LANs must share an 11 Mbps wireless link
Result
• Contention for limited capacity
• Very unhappy wireless users
Absolution
Beware the bandwidth bottleneck
Instead
• Install bandwidth management software to coordinate wireless bandwidth usage
• Look to 802.11a and 802.11g for higher capacity
• Look to 802.11e for link-layer traffic prioritization
5. Embracing the Heretics
The 802.11b standard
• Interoperability between clients and access points
• Compatibility testing through WECA (Wireless Ethernet Compatibility Alliance)
• Result: low cost, large quantity
The threat: proprietary extensions
• Examples: early 802.1x implementations, PPP over 802.11, inter-access point communication
• Other vendors’ equipment does not support the extra features
• May even deny access to other vendors’ clients
• Cannot control all clients (guest users, built-in wireless)
• High-cost vendor lock-in
Absolution
Beware temptation by your vendor salesperson
Instead
• Use WLAN equipment according to the WECA compatibility standards
• Address WLAN issues in the network with vendor-independent infrastructure
• Avoid special-purpose client software
6. Re-living the Past
Today: 802.11b, laptops; “nomadic mobility”
Tomorrow: 802.11a, 802.11b, 802.11g, HiperLAN, Bluetooth, …; laptops, web pads, industrial devices, PDAs, cell phones, …; “true mobility”
Heterogeneity will be the order of the day
New applications and services supporting a mobile work style
Absolution
Beware the forward march of technology
Instead
• Plan for technology change
• Encourage new applications to enhance mobile productivity
7. Hiding from the Future
Fear delays the enterprise deployment
Users are becoming accustomed to the benefits of wireless LANs
Users will do it themselves (and they do!)
Absolution
Beware the temptation of time
Instead
• Actively watch for rogue access points
• Take control of the enterprise wireless LAN before your users do!
Summary
Beware the Seven Deadly Sins
1. Succumbing to Insecurity
2. Praying to the Giant VLAN
3. Deploying Questionable Coverage
4. Providing Quality of Disservice
5. Embracing the Heretics
6. Re-living the Past
7. Hiding from the Future
About ReefEdge
Network appliances supporting enterprise WLANs
• Security: authentication, access control, encryption
• Management: policy definition, WLAN configuration, bandwidth control, back-end IT integration
• Usability: subnet roaming, session persistence, application services
Partner with integrators providing design, site survey, installation, and support services
For more information, visit us at www.reefedge.com
Contact:
[email protected]
(201) 548-2600