Present: A Wireless Tutorial March 14th, 2002, 7:00pm


The Pittsburgh SAGE Group
and
present:
A Wireless Tutorial
by Chris Tracy
Before We Get Started
• Testing: can everyone hear and see OK?
• Stop me and ask questions if anything
seems confusing or incorrect.
• There will be a Questions & Answers
session afterwards, but feel free to ask
questions during the presentation.
Meeting Contents
• What we will discuss in this meeting:
– IEEE 802.11 wireless LAN (WLAN) services
• Understanding wireless networking services for
laptops and some handheld devices
• Security, configuration and usage of wireless
networking services
– IEEE 802.11[ag] high-speed WLAN services
• The upcoming high-speed physical layer(s)
– Features & usage of a few select 802.11b devices
Meeting Contents
• What we will not discuss in this meeting:
– In-depth Radio Frequency (RF) concepts
– Cellular wireless services/protocols
• e.g. AMPS, IMPS, CDMA, CDPD, PCS, TDMA
– Non-IEEE 802.11 wireless standards
• e.g. GSM, Bluetooth, HomeRF, satellite
– An exhaustive evaluation of every wireless
device and provider
Meeting Objectives
• After this meeting, we are hoping that you
are able to:
– Understand the major protocols and standards
used by wireless LANs (WLANs)
– Identify important features and configuration
options associated with access points (APs) and
client cards
– Recognize the major security threats to wireless
IP networks
What is IEEE 802.11?
• IEEE:
– Institute of Electrical and Electronics Engineers
• 802.11:
– Family of standards set forth by the IEEE to
define the specifications for wireless LANs
– Defines:
• Medium Access Control (MAC)
• Physical Layer (PHY) Specifications
IEEE 802.11 and the ISO stack
What is IEEE 802.11?
• Local, high-speed wireless connectivity for
fixed, portable and moving stations
– stations can be moving at pedestrian and
vehicular speeds
• Standard promises interoperability
– vendors' products on the same physical layer
should interoperate
• Targeted for use in
– inside buildings, outdoor areas, anywhere!
IEEE 802.11
• Uses Direct Sequence spread spectrum
(DSSS) technology
– Frequency-Hopping spread spectrum (FHSS)
can only be used for 1 or 2Mbps in US due to
FCC regulations
• Operates in unlicensed 2.4 GHz ISM band
– ISM: Industrial, Scientific and Medical
– ISM regulatory range:
• 2.4 GHz to 2.4835 GHz for North America
IEEE 802.11
• Supported Speeds and Distances
– 1, 2, 5.5, 11 Mbps at distances of 150-2000 feet
without special antenna
– Greater distances can be achieved by using
special antennas
– Distance (or signal strength) greatly depends on
obstructions such as buildings and other objects
– Maximum speed obtained depends on signal
strength
IEEE 802.11b
• ‘b’ in IEEE 802.11b
– September 1999, 802.11b “High Rate”
amendment was ratified by the IEEE
– 802.11b amendment to 802.11 only affects the
physical layer, basic architecture is the same
• Added two higher speeds
– 5.5 and 11 Mbps
• More robust connectivity
• 802.11b is the current ‘favorite’ in 802.11
– also known as Wi-Fi (Wireless Fidelity)
IEEE 802.11a
• “Fast Ethernet” standard of wireless LANs
• Speeds of up to 54 Mbps
• 5 GHz (U-NII band) instead of 2.4 GHz
– Unlicensed National Information Infrastructure
• OFDM instead of DSSS for encoding
– Orthogonal Frequency Division Multiplexing
• 802.11a products are now on the market
– SMC 2735W AP, $128
– Lucent Orinoco 802.11a/b AP-2000, $799
IEEE 802.11a
• Advantages
– higher speed
– less RF interference than 2.4 GHz
• 2.4 GHz used by Bluetooth, cordless/cellular phones,
etc.
– some interoperability, vendors currently have
“dual-standard” 802.11a/b equipment
• Disadvantages
– shorter range, need to increase AP density or
power 4X to compensate
IEEE 802.11g
• Another high-speed standard
• Viewed as a ‘step’ towards 802.11a
• Speeds of up to 54 Mbps
– may be more like 20+ Mbps
• Still works at 2.4 GHz
– not in the 5 GHz range like 802.11a
• Advantages
– compatible with 802.11b
– better range than 802.11a, for now
IEEE 802.11e
• Another upcoming standard for WLANs
– adds quality-of-service features to MAC layer of
802.11b compatible networks
• error correction
• better bandwidth management
– significantly improves multimedia performance
• works around RF interference
– handles interference by moving away from it
– e.g., moves to a new frequency when interference from a 2.4
GHz cordless phone is detected
– research has been going on for a little over a year
IEEE 802.11 and the ISO stack
IEEE 802.11 Physical Layer
• 802.11 Physical Layer Specifications
– include FHSS, DSSS, IR
• PLCP: Physical Layer Convergence Protocol
– interface used by the other physical layer specs
– maps data units into a suitable framing format
• PMD system: Physical Medium Dependent
– defines the characteristics/method of Tx/Rx data
through a wireless medium between 2 or more
stations
IEEE 802.11 Physical Layer
• Spread Spectrum
– spreads the transmitted signal over a wide range
of spectrum
– avoids concentrating power in a single narrow
frequency band
– noise makes this necessary so that receiver can
accurately decode the transmitted signal
– 2 major approaches to spread spectrum:
• FHSS: Frequency Hopping Spread Spectrum
• DSSS: Direct Sequence Spread Spectrum
IEEE 802.11 Physical Layer
• FHSS
– hop to other frequencies at a fixed time interval
using a predetermined sequence
– the “hopping” allows the system to avoid noise
• DSSS
– a different approach: artificially broaden the
bandwidth needed to transmit a signal by
modulating the data with a spreading code
– allows for error detection
IEEE 802.11 Physical Layer
• DSSS
– modulates the data (XOR’d) with an 11-bit
sequence called the Barker code
• 10110111000
• a good pattern for generating radio waves
– modulated sequence is a series of data objects
called chips
– chips are sent out by the wireless radio
• wireless radio modulates a 2.4 GHz wave
• modulation techniques: Binary PSK, Quadrature PSK
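The spreading step above, as an added example that is not part of the tutorial: each data bit is XOR'd with the 11-chip Barker sequence from the slide, and the receiver despreads by correlating each chip group against the same sequence, which is what lets it detect (and, by majority vote, correct) a few corrupted chips. The noise pattern is constructed for the demo.

```python
# Added example (not from the tutorial): DSSS spreading with the 11-chip
# Barker sequence and despreading by correlation.
BARKER = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0]   # 10110111000, as on the slide


def spread(bits):
    """Spread each data bit into 11 chips: chip = bit XOR Barker chip."""
    return [b ^ c for b in bits for c in BARKER]


def despread(chips):
    """Recover data bits by correlating each 11-chip group with the Barker code.

    A clean '0' bit reproduces the Barker code exactly (11 matches) and a
    clean '1' bit reproduces its complement (0 matches). Majority decides,
    so a few flipped chips per group are tolerated, and the number of
    disagreeing chips is returned as a per-bit error indication.
    """
    bits, errors = [], []
    for i in range(0, len(chips), 11):
        group = chips[i:i + 11]
        matches = sum(1 for g, c in zip(group, BARKER) if g == c)
        bit = 0 if matches > 5 else 1
        bits.append(bit)
        # chips that disagree with the expected pattern for the decided bit
        errors.append(11 - matches if bit == 0 else matches)
    return bits, errors


def demo():
    """Spread a constructed byte, corrupt two chips, and despread it."""
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    noisy = spread(data)
    noisy[2] ^= 1   # constructed noise: two flipped chips in the first group
    noisy[7] ^= 1
    recovered, errors = despread(noisy)
    return recovered == data, errors
```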
IEEE 802.11 Data Link Layer
• 2 Sublayers
– Logical Link Control (LLC)
– Media Access Control (MAC)
• 802.11 uses the same 802.2 LLC
– same 48-bit addressing as other 802 LANs
• MAC address is 6 bytes or 48 bits
– allows for simple bridging to wired networks
• MAC sublayer is unique in 802.11
IEEE 802.11 MAC Sublayer
• MAC: Regulates access to the medium
• Wired IEEE 802 LANs use CSMA/CD
• 802.11 uses CSMA/CA
• CSMA: carrier sense multiple access
– CD: with collision detection
– CA: with collision avoidance
• Collision detection is not possible in 802.11
– near/far problem: can’t transmit and “hear” a
collision at the same time
IEEE 802.11 MAC Sublayer
• CSMA/CA avoids collisions by explicit packet
acknowledgment (ACK)
– station wishing to transmit first senses the medium
– if no activity detected, station waits an additional,
random amount of time then transmits if the
medium is still free
– ACK packet is sent by receiving station to confirm
the data packet arrived intact
– collision assumed if sending station doesn’t get
ACK, data is retransmitted after a random time
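The sense, random wait, transmit, ACK-or-retry procedure above as a small slotted simulation. This is an added example, not part of the tutorial; the contention window sizes are assumptions, and losing stations redraw their backoff each round (real stations freeze and resume their timers).

```python
import random

CW_MIN, CW_MAX = 32, 1024   # contention window in slots (assumption)


def simulate_csma_ca(n_stations, seed=1):
    """Slotted model of ACK-based CSMA/CA with one frame per station.

    Each round every pending station has sensed the medium idle, draws a
    random backoff from its contention window and transmits when its timer
    expires. Returns (delivered_frames, collisions, rounds), where rounds
    lists the stations that transmitted in each contention round.
    """
    rng = random.Random(seed)
    cw = {s: CW_MIN for s in range(n_stations)}
    pending = set(range(n_stations))
    collisions, rounds = 0, []
    while pending:
        backoff = {s: rng.randrange(cw[s]) for s in pending}
        first = min(backoff.values())
        senders = sorted(s for s in pending if backoff[s] == first)
        rounds.append(senders)
        if len(senders) == 1:
            # one timer expired first: frame delivered, receiver returns an
            # ACK, and the sender's contention window resets
            pending.remove(senders[0])
            cw[senders[0]] = CW_MIN
        else:
            # several timers expired in the same slot: no ACK arrives, the
            # senders assume a collision and double their window (binary
            # exponential backoff) before retrying after a new random wait
            collisions += 1
            for s in senders:
                cw[s] = min(cw[s] * 2, CW_MAX)
    return n_stations - len(pending), collisions, rounds
```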
IEEE 802.11 MAC Sublayer
• Other unique features in 802.11
– IFS: Inter Frame Space
• time interval between frames
– Handling hidden stations (hidden-node problem)
• virtual carrier sense
– Power management functions
– Data security (MAC address, WEP)
• WEP: Wired Equivalent Privacy
– Multirate support
– Fragmentation / Defragmentation
IEEE 802.11: A Closer Look
IEEE 802.11 Frame Types
• Three types of frames
– Control
• RTS, CTS, ACK, Contention-Free (CF), PS-Poll
– Management
• Probe request/response
• Beacon
– supported rates, timestamp, traffic indication map
• Authentication / deauthentication
• Announcement traffic indication message (ATIM)
– sent after each frame
– Data
IEEE 802.11 Topologies
• Three basic topologies for WLANs
– IBSS: Independent Basic Service Set
– BSS: Basic Service Set
– ESS: Extended Service Set
• Independent of type of PHY chosen
IEEE 802.11 IBSS
• IBSS: Independent Basic Service Set
– Peer-to-peer or ad-hoc network
– Wireless stations communicate directly with one
another
– Generally are not connected to a larger network
– No Access Point (AP)
IEEE 802.11 BSS
• BSS: Basic Service Set
– Infrastructure mode
– An AP connects clients to a wired network
IEEE 802.11 ESS
• ESS: Extended Service Set
– Infrastructure mode
– Consists of overlapping BSSs (each with an AP)
• DS connects APs together, almost always Ethernet
• ESS allows clients to seamlessly roam between APs
Access Points (APs)
• Broadcasts service
– uses beacon management frames
• Number of clients supported
– device dependent
• memory size, congestion,
• SMC2652W - 128 clients
• Cisco Aironet 340 - 2,048 clients
Access Points (APs)
• Usually connects wireless and wired
networks
– if not wired
• acts as an extension point (wireless bridge)
• Creation of ESS by overlapping AP coverage
– allows roaming operation
– APs should be on different channels
– more coming up on this setup...
Access Points (APs)
• Capacity and Bandwidth
– Advertised maximum of 11 Mbps
• Physical Layer Convergence Protocol (PLCP) is
always transmitted at 1 Mbps.
• Therefore, 802.11b will never be 100% efficient at
the physical layer
• Normally, 802.11b is about 85% efficient at the PHY
– Other degrading factors include
• distance, barriers, collisions, interference, congestion
Access Points (APs)
• Capacity and Bandwidth
– Possible to keep these higher by using these
techniques
• Reducing size of coverage areas
• Reducing client-to-AP ratio
• Using bandwidth aggregation
– AP-to-client ratio
– load balancing
Access Points (APs)
• Roaming
– More than 1 AP provides signals to a single
client
– Client is responsible for choosing the best AP
• first, signal strength. second, network utilization.
– When signal in use degrades, client tries to find
another AP
• if found, tries to authenticate and associate
Access Points (APs)
• Configuration
– Management usually done via
• HTTP, Telnet, SNMP, serial interface
– Configuring Security Settings
• SSID: Service Set Identifier
• WEP: Wired Equivalent Privacy
• EAP: Extensible Authentication Protocol
– Configuring Network Settings
• DHCP: Dynamic Host Configuration Protocol
• NAT: Network Address Translation
Access Points (APs)
• How to setup a secure access point
– Enable WEP or EAP
– Change SSID and disable broadcast
– Change the management password of your AP
• some have 2: read-only as well as read-write
– Use MAC address filtering
– Consider not using DHCP
• instead use fixed IP addresses for wireless NICs
– Consider other mechanisms for privacy
• PPTP, VPN, SSL, SSH
IEEE 802.11 Security
• Authentication
– Open system
– Shared key
• Authorization
– MAC address
• Privacy
– WEP: Wired Equivalent Privacy
• not going to talk about the details of how WEP works
• see references at the end of this document for info
IEEE 802.11 Security
• WEP: Wired Equivalent Privacy
– many debates over its “secureness”
– doesn’t encrypt the SSID
– can be broken with brute-force attacks
• need several million packets
– WEP keys
• can be decrypted from the Windows registry for
Lucent Orinoco cards
• are stored directly onto Cisco cards
• can be easily retrieved in most situations if you are
determined enough
IEEE 802.11 Security
• WEP: Wired Equivalent Privacy
– covers station-to-station transmission
– uses RC4 security algorithm from RSA
– relies on either 40-bit key to encrypt payload
• Major weaknesses with WEP
– key generators
– keystream reuse
– RC4 key scheduling algorithm
– message authentication
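The WEP construction described above (RC4 seeded with a 24-bit IV in front of the 40-bit shared key), together with the "keystream reuse" weakness in the list, as an added example that is not from the tutorial. The key, IV and frame contents are constructed; the point is that a repeated IV under the same key yields the same keystream, and that with only 2^24 IVs a repeat is expected after a few thousand frames.

```python
# Added example (not from the tutorial): a minimal RC4 and the WEP seeding
# rule, used to show why the 24-bit IV makes keystream reuse unavoidable.
import math


def rc4_keystream(key, length):
    """RC4: key-scheduling (KSA) then pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = [], 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key, iv, plaintext):
    """WEP seeds RC4 with IV || shared key; the 3-byte IV travels in the clear."""
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_demo():
    """Two frames under the same IV and key share one keystream, so XORing
    the ciphertexts cancels it and leaves only the XOR of the plaintexts."""
    key = bytes.fromhex("0102030405")   # constructed 40-bit shared key
    iv = bytes.fromhex("000001")        # a reused 24-bit IV
    p1, p2 = b"frame one: hello", b"frame two: world"
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def frames_until_expected_iv_collision():
    """Birthday bound: among randomly chosen 24-bit IVs a repeat is expected
    after about sqrt(pi/2 * 2^24) frames, far fewer than the IV space."""
    return int(math.sqrt(math.pi / 2 * 2 ** 24))
```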
IEEE 802.11 Security
• Current WEP status
– WEP2
• Enhanced security at the MAC layer
• Use AES instead of RC4
– Advanced Encryption Standard
– http://csrc.nist.gov/encryption/aes
– New standard for encrypted communication used by the
government and government organizations
• Still a work in progress, for more information see:
– http://grouper.ieee.org/groups/802/11/Reports/tgi_update.htm
• Won’t be available for mainstream use for awhile
AirSnort and WepCrack
• WLAN tools that recover encryption keys
– Exploits weakness in Key Scheduling Algorithm
of RC4
– Requires 5-10 million encrypted packets
– Once enough packets have been gathered, can
guess the encryption key in under a second
– Runs under Linux, requires wlan-ng drivers
– For more information:
• http://airsnort.sourceforge.net/
• http://wepcrack.sourceforge.net/
Antenna Basics
• 2.4 GHz ISM Band
– doesn’t require a license to transmit
– antenna must be able to accept interference from
other devices or users
• Antenna placement
– radiation pattern of antenna
• determines where the signal can be picked up at
– finding best place for antenna is not always easy
• want to pick places that will maximize range for clients
• minimize stray RF signals and interference
Antenna Basics
• Ideal antennas
– radiate equally in all directions
– called “isotropic” or “isotropic radiator”
• Real antennas
– real world antennas are not ideal
• have radiation patterns that concentrate the RF energy
in different ways
• omnidirectional antennas, also called a dipole
– radiate in a donut shape, very common on APs
• directional antennas, e.g., biquad
– concentrate energy into a cone or a beam
PCMCIA Antennas
• Tend to be very directional
• Effective gain is very low
• This is one reason your signal strength will
change drastically with small changes in position
• Nearly all client cards have only 1 radio
– can’t listen and talk at the same time
– half-duplex
• Getting external antennas makes a big difference
Antenna Positioning
• In general, should be mounted:
– as high as possible
– as clear from obstructions as possible
• Best performance achieved when:
– direct line of sight
– Tx/Rx antennas are at the same height
• Gaining coverage is achieved through antenna gain
– gain is measured in decibels (dBi)
Building Your Own AP
• More than one method
– Recipe for a Linux 802.11b home network
• http://www.oreillynet.com/pub/a/wireless/2001/03/06/recipe.html
• detailed explanation on setting up a Linux machine to
perform AP functions
– Floppy based wireless gateway
• http://nocat.net/ezwrp.html
• turns a machine with a wireless adapter and an ethernet
card into a wireless gateway
• many features
Building Your Own AP
• Advantages
– Great for educational and experience purposes
– Some functionality is enhanced
• firewalling features
• authentication/authorization
• Disadvantages
– Some functionality is limited
• some hardware/software combos only support IBSS
• setup is time-consuming, requires a lot of experience
• may not support as many clients as some APs
References
• IEEE 802.11 Working Group Page
– http://www.ieee802.org/11/
– Can download the 802 standards here for FREE
– Has links to all the latest 802.11 developments
• Sniffing
– http://www.sniffer.com/products/wireless/
– http://www.robertgraham.com/pubs/sniffingfaq.html
– http://www.wildpackets.com/products/airopeek
References
• SystemExperts Corporation
– Practical Wireless IP:
• Concepts, Administration and Security
– Brad C. Johnson & Philip Cox
– http://www.systemexperts.com/tutorial.html
• Anand Trivedi’s IEEE 802.11 Page
– http://alpha.fdu.edu/~anandt/introduction.html
• NoCatNet
– http://nocat.net
Mailing Lists
• Bay Area Wireless Users Group (BAWUG)
– http://lists.bawug.org/mailman/listinfo/wireless/
• O’Reilly
– http://oreilly.wirelessdevnet.com/
• Aironet
– http://csl.cse.ucsc.edu/mailman/listinfo/aironet
Telerama Wireless
http://wireless.telerama.com
• 11 locations currently
• 6+ coming soon
• Free introductory period
• Grab a copy of our current locations here
• 802.11b, SSID: TELERAMA
Chris Tracy
Senior Network Engineer
[email protected]
(412) 688-3200
http://www.telerama.com