HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)
www.hanoictt.com
Wireless LAN
Objectives
In this chapter, you will learn about:
• Wireless LAN Concepts
• Deploying WLANs
• Wireless LAN Security
Wireless LAN Concepts
Wireless Data Technologies
Characteristics of Wireless Data Technologies
• Infrared (IR): Very high data rates, low cost, very short distance
• Narrowband: Low data rates, medium cost, limited distance, license required
• Spread spectrum: High data rates, medium cost, limited to campus coverage
• Personal communication service (PCS): Low data rates, medium cost, citywide coverage
• 3G service: Mobile phone data technologies, medium cost, worldwide coverage
• Cellular, Cellular Digital Packet Data (CDPD), Mobitex, DataTAC: Low data rates, flat monthly rate, national coverage
• Microwave transmissions: Wireless data link using microwaves, medium range, high data rates possible, license required
• Long range (LR) optical transmissions: Data link using laser transmission, short range, high data rates
Wireless Data Technologies (Cont.)
PAN (Personal Area Network)
  Standards: Bluetooth
  Speed: <1 Mbps
  Range: Short
  Applications: Peer to peer, device to device
LAN (Local Area Network)
  Standards: IEEE 802.11a, 802.11b, 802.11g
  Speed: 1–54+ Mbps
  Range: Medium
  Applications: Enterprise networks
MAN (Metropolitan Area Network)
  Standards: 802.16 MMDS, LMDS
  Speed: 22+ Mbps
  Range: Medium–long
  Applications: Fixed, last-mile access
WAN (Wide Area Network)
  Standards: GSM, GPRS, CDMA, 2.5–3G
  Speed: 10–384 kbps
  Range: Long
  Applications: PDAs, mobile phones, cellular access
Wireless LAN (WLAN)
• A WLAN is a shared network. An access point is a shared device and functions like a shared Ethernet hub.
• Data is transmitted over radio waves.
• Two-way radio communications (half-duplex) are used.
• To arbitrate the use of the frequency, WLANs use the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) algorithm to enforce HDX logic and avoid as many collisions as possible.
• The same radio frequency is used for sending and receiving (transceiver).
What Are WLANs?
They are:
• Local
• In building or campus for mobile users
• Radio or infrared
• Not required to have RF licenses in most countries
• Using equipment owned by customers
They are not:
• WAN or MAN networks
• Cellular phone networks
• Packet data transmission via cellular phone networks
  – Cellular digital packet data (CDPD)
  – General packet radio service (GPRS)
  – 2.5G to 3G services
Similarities Between WLAN and LAN
• A WLAN is an 802 LAN.
  – The IEEE defines standards for both, using the IEEE 802.3 family for Ethernet LANs and the 802.11 family for WLANs.
  – Transmits data over the air vs. data over the wire
  – Looks like a wired network to the user
  – Defines physical and data link layer
  – Both define a frame format with a header and trailer, with the header including a source and destination MAC address field, each 6 bytes in length.
  – Both define rules about how the devices should determine when they should send frames and when they should not.
• The same protocols/applications run over both WLANs and LANs.
  – IP (network layer)
  – IPSec VPNs (IP-based)
  – Web, FTP, SNMP (applications)
Differences Between WLAN and LAN
• WLANs use radio waves as the physical layer.
  – WLANs use CSMA/CA instead of CSMA/CD to access the network.
• Radio waves have problems that are not found on wires.
  – Connectivity issues:
    • Coverage problems
    • Multipath issues
    • Interference, noise
  – Privacy issues.
• WLANs use mobile clients.
  – No physical connection.
  – Battery-powered.
• WLANs must meet country-specific RF regulations.
Wireless LAN Standard
Organizations That Set or Influence WLAN Standards
• ITU-R: Worldwide standardization of communications that use radiated energy, particularly managing the assignment of frequencies
• IEEE: Standardization of wireless LANs (802.11)
• Wi-Fi Alliance: An industry consortium that encourages interoperability of products that implement WLAN standards through its Wi-Fi Certified program
• Federal Communications Commission (FCC): The U.S. government agency that regulates the usage of various communications frequencies in the U.S.
Wireless LAN Standard
802.11a
  Year ratified: 1999
  Maximum speed using DSSS: ----------
  Maximum speed using OFDM: 54 Mbps
  Frequency band: 5 GHz
  Channels (nonoverlapped): 23 (12)
  Speeds required by standard (Mbps): 6, 12, 24
802.11b
  Year ratified: 1999
  Maximum speed using DSSS: 11 Mbps
  Maximum speed using OFDM: ----------
  Frequency band: 2.4 GHz
  Channels (nonoverlapped): 11 (3)
  Speeds required by standard (Mbps): 1, 2, 5.5, 11
802.11g
  Year ratified: 2003
  Maximum speed using DSSS: 11 Mbps
  Maximum speed using OFDM: 54 Mbps
  Frequency band: 2.4 GHz
  Channels (nonoverlapped): 11 (3)
  Speeds required by standard (Mbps): 6, 12, 24
Service Set Identifier (SSID)
• The SSID is the name of the wireless cell.
• SSID is used to logically separate WLANs.
• The SSID must match on client and access point.
• Access point broadcasts one SSID in beacon. Therefore, clients can be configured without SSID.
• Client association steps:
  – Client sends probe request.
  – Access point sends probe response.
  – Client initiates association.
  – Access point accepts association.
  – Access point adds client MAC address to association table.
Service Sets and Modes
Ad hoc mode:
• Independent Basic Service Set (IBSS):
  – Mobile clients connect directly without an intermediate access point.
Infrastructure mode:
• Basic Service Set:
  – Mobile clients use a single access point for connecting to each other or to wired network resources.
• Extended Service Set:
  – Two or more Basic Service Sets are connected by a common distribution system (DS).
Different WLAN Modes and Names
• Ad hoc
  Service set name: Independent Basic Service Set (IBSS)
  Description: Allows two devices to communicate directly. No AP is needed.
• Infrastructure (one AP)
  Service set name: Basic Service Set (BSS)
  Description: A single wireless LAN created with an AP and all devices that associate with that AP.
• Infrastructure (more than one AP)
  Service set name: Extended Service Set (ESS)
  Description: Multiple APs create one wireless LAN, allowing roaming and a larger coverage area.
Wireless Transmissions (Layer 1)
• WLANs transmit data at Layer 1 by sending and receiving radio waves.
• Many electronic devices radiate energy at varying frequencies. To prevent the energy radiated by one device from interfering with other devices, national government agencies regulate and oversee the frequency ranges that can be used inside that country. For example, the Radio Frequency Directorate (RFD) in Vietnam regulates the electromagnetic spectrum of frequencies.
• The wider the range of frequencies in a frequency band, the greater the amount of information that can be sent in that frequency band.
Wireless Transmissions (Layer 1)
FCC Unlicensed Frequency Bands
• 900 MHz: Industrial, Scientific, and Medical (ISM); sample devices: older cordless telephones
• 2.4 GHz: ISM; sample devices: newer cordless phones and 802.11, 802.11b, 802.11g WLANs
• 5 GHz: Unlicensed National Information Infrastructure (U-NII); sample devices: newer cordless phones and 802.11a, 802.11n WLANs
• Unlicensed frequencies can be used by all kinds of devices; however, the devices must still conform to the rules set up by the regulatory agency. In particular, a device using an unlicensed band must use power levels at or below a particular setting. Otherwise, the device might interfere too much with other devices sharing that unlicensed band.
Wireless Transmissions (Layer 1)
FCC Unlicensed Frequency Bands
• ISM (Industrial, Scientific, and Medical) bands: 900 MHz and 2.4 GHz
• U-NII (Unlicensed National Information Infrastructure) band: 5 GHz
• No license required
• No exclusive use
• Best effort
• Interference and degradation are possible
Wireless Transmissions (Layer 1)
• It is important to know the names of three general classes of encoding, in part because the type of encoding requires some planning and forethought for some WLANs.
• Frequency Hopping Spread Spectrum (FHSS):
  – Uses all frequencies in the band, hopping to different ones.
  – By using slightly different frequencies for consecutive transmissions, a device can hopefully avoid interference from other devices that use the same unlicensed band, succeeding at sending data at some frequencies.
  – The original 802.11 WLAN standards used FHSS, but the current standards (802.11a, 802.11b, and 802.11g) do not.
Wireless Transmissions (Layer 1)
• Direct Sequence Spread Spectrum (DSSS) followed as the next general class of encoding type for WLANs.
  – Designed for use in the 2.4 GHz unlicensed band.
  – Uses one of several separate channels or frequencies.
  – This band has a bandwidth of 82 MHz, with a range from 2.402 GHz to 2.483 GHz. As regulated by the FCC, this band can have 11 (North America) or 13 (Europe) different overlapping DSSS channels.
Wireless Transmissions (Layer 1)
802.11b/g (2.4 GHz) Channel Reuse
Wireless Transmissions (Layer 1)
Using Nonoverlapping DSSS 2.4-GHz Channels in an ESS WLAN
• The devices in one BSS (devices communicating through one AP) can send at the same time as the other two BSSs and not interfere with each other, because each uses the slightly different frequencies of the nonoverlapping channels.
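The following Python script is an added example, not part of the original slides, that works out which 2.4 GHz DSSS channels overlap, why only three of the 11 (or 13) channels can be used at once, and how an ESS reuses them across neighbouring APs. It relies on the IEEE 802.11b/g channel plan (channel n centered at 2412 + 5(n-1) MHz, each DSSS channel 22 MHz wide), which the slides do not list; the AP names are constructed.

```python
from __future__ import annotations
from itertools import combinations

# IEEE 802.11b/g 2.4 GHz channel plan (standard values, not taken from the slides):
# channel n is centered at 2412 + 5*(n - 1) MHz and a DSSS channel is 22 MHz wide,
# so two channels fewer than 5 numbers apart share spectrum.
FIRST_CENTER_MHZ = 2412
CHANNEL_STEP_MHZ = 5
DSSS_WIDTH_MHZ = 22


def center_mhz(channel: int) -> int:
    """Center frequency of 2.4 GHz channel 1..13 (11 usable in North America, 13 in Europe)."""
    if not 1 <= channel <= 13:
        raise ValueError("2.4 GHz DSSS channels are numbered 1..13")
    return FIRST_CENTER_MHZ + CHANNEL_STEP_MHZ * (channel - 1)


def edges_mhz(channel: int) -> tuple[float, float]:
    """Lower and upper edge of the channel's 22 MHz footprint."""
    c = center_mhz(channel)
    return c - DSSS_WIDTH_MHZ / 2, c + DSSS_WIDTH_MHZ / 2


def overlaps(a: int, b: int) -> bool:
    """True when the two channels' footprints share any spectrum (a == b counts)."""
    lo_a, hi_a = edges_mhz(a)
    lo_b, hi_b = edges_mhz(b)
    return lo_a < hi_b and lo_b < hi_a


def nonoverlapping_set(max_channel: int) -> list[int]:
    """Lowest-first greedy pick of mutually nonoverlapping channels, e.g. [1, 6, 11]."""
    chosen: list[int] = []
    for ch in range(1, max_channel + 1):
        if not any(overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def max_nonoverlapping(max_channel: int) -> int:
    """Largest number of mutually nonoverlapping channels, by exhaustive search."""
    chans = range(1, max_channel + 1)
    for size in range(len(chans), 0, -1):
        for subset in combinations(chans, size):
            if not any(overlaps(a, b) for a, b in combinations(subset, 2)):
                return size
    return 0


def ess_channel_plan(ap_names: list[str], max_channel: int = 11) -> dict[str, int]:
    """Give APs listed in neighbour order distinct nonoverlapping channels, reusing
    the set round-robin once there are more APs than nonoverlapping channels."""
    clean = nonoverlapping_set(max_channel)
    return {name: clean[i % len(clean)] for i, name in enumerate(ap_names)}


if __name__ == "__main__":
    print("nonoverlapping (11 channels):", nonoverlapping_set(11))
    print("max nonoverlapping (13 channels):", max_nonoverlapping(13))
    print("ESS plan:", ess_channel_plan(["AP-east", "AP-lobby", "AP-west", "AP-annex"]))
```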
Wireless Transmissions (Layer 1)
Encoding Classes and IEEE Standard WLANs
• Frequency Hopping Spread Spectrum (FHSS): used by 802.11
• Direct Sequence Spread Spectrum (DSSS): used by 802.11b, 802.11g
• Orthogonal Frequency Division Multiplexing (OFDM): used by 802.11a
• The last of the three categories of encoding for WLANs is called Orthogonal Frequency Division Multiplexing (OFDM). Like DSSS, WLANs that use OFDM can use multiple nonoverlapping channels.
• NOTE: The emerging 802.11n standard uses OFDM as well as multiple antennas, a technology sometimes called multiple input multiple output (MIMO).
Wireless Transmissions (Layer 1)
Wireless Interference
• Radio frequencies are radiated into the air via an antenna, creating radio waves. The following factors influence the transmission of radio waves:
  – Reflection: Occurs when RF waves bounce off objects (for example, metal or glass surfaces).
  – Scattering: Occurs when RF waves strike an uneven surface (for example, a rough surface) and are reflected in many directions.
  – Absorption: Occurs when RF waves are absorbed by objects (for example, walls).
• Additionally, wireless communication is impacted by other radio waves in the same frequency range.
• One key measurement for interference is the Signal-to-Noise Ratio (SNR). This calculation measures the WLAN signal as compared to the other undesired signals (noise) in the same space. The higher the SNR, the better the WLAN devices can send data successfully.
Wireless Transmissions (Layer 1)
Coverage Area, Speed, and Capacity
• A WLAN coverage area is the space in which two WLAN devices can successfully send data. The coverage area created by a particular AP depends on many factors:
  – The transmit power of an AP or WLAN NIC cannot exceed a particular level based on the regulations from regulatory agencies such as the FCC.
  – The materials and locations of the materials near the AP.
• NOTE: The power of an AP is measured based on the Effective Isotropic Radiated Power (EIRP) calculation. This is the radio’s power output, plus the increase in power caused by the antenna, minus any power lost in the cabling. In effect, it’s the power of the signal as it leaves the antenna.
Wireless Transmissions (Layer 1)
WLAN Speed and Frequency Reference
802.11b
  Maximum speed (Mbps): 11
  Other speeds (Mbps): 1, 2, 5.5
  Frequency (GHz): 2.4
  Nonoverlapping channels: 3
802.11a
  Maximum speed (Mbps): 54
  Other speeds (Mbps): 6, 9, 12, 18, 24, 36, 48
  Frequency (GHz): 5
  Nonoverlapping channels: 12
802.11g
  Maximum speed (Mbps): 54
  Other speeds (Mbps): Same as 802.11a
  Frequency (GHz): 2.4
  Nonoverlapping channels: 3
• The speeds required by the standards are 1, 2, 5.5, and 11 Mbps for 802.11b and 6, 12, and 24 Mbps for 802.11a and 802.11g (see the earlier standards table); the other speeds are optional.
• NOTE: The original 802.11 standard supported speeds of 1 and 2 Mbps.
Media Access (Layer 2)
• The solution to the media access problem with WLANs is to use the carrier sense multiple access with collision avoidance (CSMA/CA) algorithm. However, CSMA/CA does not prevent collisions, so the WLAN standards must have a process to deal with collisions when they do occur.
• Because the sending device cannot tell if its transmitted frame collided with another frame, the standards all require an acknowledgment of every frame. Each WLAN device listens for the acknowledgment, which should occur immediately after the frame is sent. If no acknowledgment is received, the sending device assumes that the frame was lost or collided, and it resends the frame.
• CSMA/CA steps:
  – Step 1: Listen to ensure that the medium (space) is not busy (no radio waves currently are being received at the frequencies to be used).
  – Step 2: Set a random wait timer before sending a frame to statistically reduce the chance of devices all trying to send at the same time.
  – Step 3: When the random timer has passed, listen again to ensure that the medium is not busy. If it isn’t, send the frame.
  – Step 4: After the entire frame has been sent, wait for an acknowledgment.
  – Step 5: If no acknowledgment is received, resend the frame, using CSMA/CA logic to wait for the appropriate time to send again.
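As an added example that is not part of the original slides, the following Python simulation runs several stations through the five CSMA/CA steps above on one shared half-duplex frequency: each station listens, waits a random timer, sends, waits for the AP's acknowledgment, and resends with a longer random wait when two frames collide and no acknowledgment arrives. The slot model, the contention-window sizes and the station names are assumptions of this example.

```python
from __future__ import annotations
import random
from dataclasses import dataclass

# Assumed contention-window sizes in slots; 802.11 doubles the window after a failed send.
CW_MIN = 4
CW_MAX = 64


@dataclass
class Station:
    name: str
    frames_left: int
    cw: int = CW_MIN
    backoff: int = -1      # -1 means no random wait timer has been set yet
    retries: int = 0
    delivered: int = 0


def simulate(stations: list[Station], frame_slots: int = 3,
             max_slots: int = 10_000, seed: int = 7) -> dict:
    """Slotted CSMA/CA model: one frequency, half-duplex, every frame acknowledged."""
    rng = random.Random(seed)
    events: list[tuple[int, str, str]] = []
    busy_until = 0                        # the medium is busy while slot < busy_until
    in_flight: list[Station] = []         # stations whose frame is currently on the air
    for slot in range(max_slots):
        if in_flight and slot == busy_until:
            # Step 4: the frame(s) have ended; the AP acknowledges only an uncollided frame.
            if len(in_flight) == 1:
                s = in_flight[0]
                s.frames_left -= 1
                s.delivered += 1
                s.cw = CW_MIN
                events.append((slot, s.name, "ack"))
            else:
                # Step 5: senders cannot hear the collision; the missing ACK tells them
                # to resend, and CSMA/CA widens the random wait before the next attempt.
                for s in in_flight:
                    s.retries += 1
                    s.cw = min(s.cw * 2, CW_MAX)
                events.append((slot, "+".join(s.name for s in in_flight), "collision"))
            for s in in_flight:
                s.backoff = -1
            in_flight = []
        if all(s.frames_left == 0 for s in stations):
            return {
                "slots": slot,
                "acks": sum(1 for e in events if e[2] == "ack"),
                "collisions": sum(1 for e in events if e[2] == "collision"),
                "retries": {s.name: s.retries for s in stations},
                "events": events,
            }
        if slot < busy_until:
            continue                      # Step 1: medium busy, so everyone waits
        for s in stations:
            if s.frames_left == 0:
                continue
            if s.backoff < 0:
                s.backoff = rng.randrange(s.cw)   # Step 2: random wait timer
            elif s.backoff == 0:
                in_flight.append(s)               # Step 3: timer expired, medium idle: send
            else:
                s.backoff -= 1                    # Step 3: still counting down
        if in_flight:
            busy_until = slot + frame_slots + 1   # frame on the air, then one ACK slot
    raise RuntimeError("simulation did not finish within max_slots")


if __name__ == "__main__":
    result = simulate([Station("A", 2), Station("B", 2), Station("C", 2)])
    for slot, who, what in result["events"]:
        print(f"slot {slot:3d}: {who} {what}")
    print("retries per station:", result["retries"])
```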
Deploying WLANs
Wireless LAN Implementation Checklist
The following basic checklist can help guide the installation of a new BSS WLAN:
• Step 1: Verify the Existing Wired Network
  – Verify that the existing wired network works, including DHCP services, VLANs, and Internet connectivity.
• Step 2: Install and Configure the AP’s Wired and IP Details
  – Install the AP and configure/verify its connectivity to the wired network, including the AP’s IP address, mask, and default gateway.
• Step 3: Configure the AP’s WLAN Details
  – Configure and verify the AP’s wireless settings, including Service Set Identifier (SSID), but no security.
• Step 4: Install and Configure One Wireless Client
  – Install and configure one wireless client (for example, a laptop), again with no security.
• Step 5: Verify that the WLAN works from the laptop
Wireless LAN Implementation
Step 1: Verify the Existing Wired Network
• Use different non-overlapping channels or frequencies for best performance.
• For wireless voice networks, an overlap of 15 to 20 percent is recommended.
Wireless LAN Implementation
Step 2: Install and Configure the AP’s Wired and IP Details
• Just like an Ethernet switch, wireless APs operate at Layer 2 and do not need an IP address to perform their main functions.
• However, just as an Ethernet switch in an Enterprise network should have an IP address so that it can be easily managed, APs deployed in an Enterprise network should also have an IP address.
• In particular, the AP needs an IP address, subnet mask, default gateway IP address, and possibly the IP address of a DNS server.
Wireless LAN Implementation
Step 3: Configure the AP’s WLAN Details
• The following list highlights some of the features mentioned earlier in this chapter that may need to be configured:
  – IEEE standard (a, b, g, or multiple)
  – Wireless channel
  – Service Set Identifier (SSID, a 32-character text identifier for the WLAN)
  – Transmit power
Wireless LAN Implementation
Step 4: Install and Configure One Wireless Client
• To be a WLAN client, the device simply needs a WLAN NIC that supports the same WLAN standard as the AP. When the client starts working, it tries to discover all APs by listening on all frequency channels for the WLAN standards it supports by default.
• WLAN clients may use wireless NICs from a large number of vendors. To help ensure that the clients can work with Cisco APs, Cisco started the Cisco Compatible Extensions Program (CCX).
• With Microsoft operating systems, the wireless NIC may not need to be configured because of the Microsoft Zero Configuration Utility (ZCF). This utility, part of the OS, allows the PC to automatically discover the SSIDs of all WLANs whose APs are within range of the NIC. The user can choose the SSID to connect to. Or the ZCF utility can automatically pick the AP with the strongest signal, thereby automatically connecting to a wireless LAN without the user needing to configure anything.
• Note that most NIC manufacturers also provide software that can control the NIC instead of the operating system’s built-in tools such as Microsoft ZCF.
Wireless LAN Implementation
Step 5: Verify that the WLAN works from the laptop
• If the new client cannot communicate, you might check the following:
  – Is the AP at the center of the area in which the clients reside?
  – Is the AP or client right next to a lot of metal?
  – Is the AP or client near a source of interference, such as a microwave oven or gaming system?
  – Is the AP’s coverage area wide enough to reach the client?
• The following list notes a few other common problems with a new installation:
  – Check to make sure that the NIC and AP’s radios are enabled. In particular, most laptops have a physical switch with which to enable or disable the radio, as well as a software setting to enable or disable the radio. This allows the laptop to save power (and extend the time before it must be plugged into a power outlet again). It also can cause users to fail to connect to an AP, just because the radio is turned off.
  – Check the AP to ensure that it has the latest firmware. AP firmware is the OS that runs in the AP.
  – Check the AP configuration, in particular the channel configuration, to ensure that it does not use a channel that overlaps with other APs in the same location.
Wireless LAN Security
Wireless Security
Encryption + Authentication = Security
• To provide a minimum level of security in a WLAN, you need two components:
  – A means to decide who or what can use a WLAN. This requirement is satisfied by authentication mechanisms for LAN access control.
  – A means to provide privacy for the wireless data. This requirement is satisfied by encryption algorithms.
WLAN Security Issues
• The Cisco-authorized CCNA-related courses suggest several categories of threats:
  – War drivers
  – Hackers
  – Employees
  – Rogue AP
• To reduce the risk of such attacks, three main types of tools can be used on a WLAN:
  – Mutual authentication
  – Encryption
  – Intrusion tools
WLAN Vulnerabilities and Solutions
• War drivers: Strong authentication
• Hackers stealing information in a WLAN: Strong encryption
• Hackers gaining access to the rest of the network: Strong authentication
• Employee AP installation: Intrusion Detection Systems (IDS), including Cisco SWAN
• Rogue AP: Strong authentication, IDS/SWAN
The Progression of WLAN Security Standards
• Wired Equivalent Privacy (WEP)
  Year: 1997
  Who defined it: IEEE
• The interim Cisco solution while awaiting 802.11i
  Year: 2001
  Who defined it: Cisco, IEEE 802.1x Extensible Authentication Protocol (EAP)
• Wi-Fi Protected Access (WPA)
  Year: 2003
  Who defined it: Wi-Fi Alliance
• 802.11i (WPA2)
  Year: 2005+
  Who defined it: IEEE
Wired Equivalent Privacy (WEP)
• WEP is based on the RC4 symmetric stream cipher.
• The symmetric nature of RC4 requires that matching WEP keys, either 40 or 104 bits in length, must be statically configured on client devices and access points (APs).
• WEP was chosen primarily because of its low computational overhead.
Wired Equivalent Privacy (WEP)
Open Authentication with Differing WEP Keys
• Open authentication is a null authentication algorithm.
• Access control in Open authentication relies on the preconfigured WEP key on the client and AP. The client and AP must have matching WEP keys to enable them to communicate.
• If the client and AP do not have WEP enabled, there is no security in the BSS. Any device can join the BSS and all data frames are transmitted unencrypted.
Wired Equivalent Privacy (WEP)
Shared Key Authentication Process
• The following summarizes the Shared Key authentication process:
  1. The client sends an authentication request for Shared Key authentication to the AP.
  2. The AP responds with a cleartext challenge frame.
  3. The client encrypts the challenge and responds back to the AP.
  4. If the AP can correctly decrypt the frame and retrieve the original challenge, the client is sent a success message.
  5. The client can access the WLAN.
• The premise behind Shared Key authentication is similar to that of Open authentication with WEP keys as the access control means. The client and AP must have matching keys. The difference between the two schemes is that the client cannot associate in Shared Key authentication unless the correct key is configured.
Wired Equivalent Privacy (WEP)
• The main problems were as follows:
  – Static Preshared Keys (PSK): The key value had to be configured on each client and each AP, with no dynamic way to exchange the keys without human intervention. As a result, many people did not bother to change the keys on a regular basis, especially in Enterprises with a large number of wireless clients.
  – Easily cracked keys: The key values were short (64 bits, of which only 40 were the actual unique key). This made it easier to predict the key’s value based on the frames copied from the WLAN. Additionally, the fact that the key typically never changed meant that the hacker could gather lots of sample authentication attempts, making it easier to find the key.
• Because of the problems with WEP, and the fact that the later standards include much better security features, WEP should not be used today.
SSID Cloaking and MAC Filtering
• Normally, the association process occurs like this:
  – Step 1: The AP sends a periodic Beacon frame (the default is every 100 ms) that lists the AP’s SSID and other configuration information.
  – Step 2: The client listens for Beacons on all channels, learning about all APs in range.
  – Step 3: The client associates with the AP with the strongest signal (the default), or with the AP with the strongest signal for the currently preferred SSID.
  – Step 4: The authentication process occurs as soon as the client has associated with the AP.
• SSID cloaking is an AP feature that tells the AP to stop sending periodic Beacon frames. This seems to solve the problem with attackers easily and quickly finding all APs. However, clients still need to be able to find the APs. Therefore, if the client has been configured with a null SSID, the client sends a Probe message, which causes each AP to respond with its SSID. In short, it is simple to cause all the APs to announce their SSIDs, even with cloaking enabled on the APs, so attackers can still find all the APs.
• MAC address filtering: The AP can be configured with a list of allowed WLAN MAC addresses, filtering frames sent by WLAN clients whose MAC address is not in the list. As with SSID cloaking, MAC address filtering may prevent curious onlookers from accessing the WLAN, but it does not stop a real attack. The attacker can use a WLAN adapter that allows its MAC address to be changed, copy legitimate frames out of the air, set its own MAC address to one of the legitimate MAC addresses, and circumvent the MAC address filter.
The Cisco Interim Solution Between WEP and 802.11i
• The Cisco answer included some proprietary improvements for encryption, along with the IEEE 802.1x standard for end-user authentication. The main features of Cisco enhancements included the following:
  – Dynamic key exchange (instead of static preshared keys)
  – User authentication using IEEE 802.1x
  – A new encryption key for each packet
• Cisco also added user authentication to its suite of security features. User authentication means that instead of authenticating the device by checking to see if the device knows a correct key, the user must supply a username and password. This extra authentication step adds another layer of security. That way, even if the keys are temporarily compromised, the attacker must also know a person’s username and password to gain access to the WLAN.
Wi-Fi Protected Access (WPA)
• The Wi-Fi Alliance took the current work-in-progress of the 802.11i committee, made some assumptions and predictions, and defined a de facto industry standard.
• The Wi-Fi Alliance then performed its normal task of certifying vendors’ products as to whether they met this new industry standard, calling it Wi-Fi Protected Access (WPA).
• WPA essentially performed the same functions as the Cisco proprietary interim solution, but with different details.
• WPA includes the option to use dynamic key exchange, using the Temporal Key Integrity Protocol (TKIP). (Cisco used a proprietary version of TKIP.)
• WPA allows for the use of either IEEE 802.1X user authentication or simple device authentication using preshared keys.
• The encryption algorithm uses the Message Integrity Check (MIC) algorithm, again similar to the process used in the Cisco-proprietary solution.
• NOTE: The Cisco-proprietary solutions and the WPA industry standard are incompatible.
IEEE 802.11i and WPA2
• Like the Cisco-proprietary solution and the Wi-Fi Alliance’s WPA industry standard, 802.11i includes dynamic key exchange, much stronger encryption, and user authentication. However, the details differ enough that 802.11i is not backward-compatible with either WPA or the Cisco-proprietary protocols.
• One particularly important improvement over the interim Cisco and WPA standards is the inclusion of the Advanced Encryption Standard (AES) in 802.11i. AES provides even better encryption than the interim Cisco and WEP standards, with longer keys and much more secure encryption algorithms.
• The Wi-Fi Alliance continues its product certification role for 802.11i, but with a twist on the names used for the standard. Because of the success of the WPA industry standard and the popularity of the term “WPA,” the Wi-Fi Alliance calls 802.11i WPA2, meaning the second version of WPA. So, when buying and configuring products, you will more likely see references to WPA2 rather than 802.11i.
Comparisons of WLAN Security Features
• WEP
  Key distribution: Static
  Device authentication: Yes (weak)
  User authentication: None
  Encryption: Yes (weak)
• Cisco
  Key distribution: Dynamic
  Device authentication: Yes
  User authentication: Yes (802.1x)
  Encryption: Yes (TKIP)
• WPA
  Key distribution: Both
  Device authentication: Yes
  User authentication: Yes (802.1x)
  Encryption: Yes (TKIP)
• 802.11i (WPA2)
  Key distribution: Both
  Device authentication: Yes
  User authentication: Yes (802.1x)
  Encryption: Yes (AES)
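As an added example, not part of the original slides, the Python audit below scores a small constructed AP inventory against the comparison table and the points made in this security section: open and WEP networks are flagged as unacceptable, TKIP as an interim step, static keys and device-only authentication as weaknesses, and SSID cloaking and MAC filtering as measures that stop onlookers but not a real attack. The WlanProfile record, the SSIDs and the severity labels are assumptions of this example, not a vendor configuration format.

```python
from __future__ import annotations
from dataclasses import dataclass

# Severity labels are assumptions of this example, not terms from the slides.
CRITICAL, HIGH, MEDIUM, INFO = "critical", "high", "medium", "info"
ORDER = {CRITICAL: 3, HIGH: 2, MEDIUM: 1, INFO: 0}


@dataclass(frozen=True)
class WlanProfile:
    """One AP's WLAN security settings (a constructed record, not a vendor config)."""
    ssid: str
    encryption: str          # "none", "wep", "tkip" (WPA / Cisco interim) or "aes" (802.11i / WPA2)
    user_auth: bool          # IEEE 802.1x user authentication enabled
    key_distribution: str    # "static" (hand-configured preshared keys) or "dynamic"
    ssid_cloaked: bool = False
    mac_filter: bool = False


def audit(p: WlanProfile) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs derived from the chapter's security guidance."""
    findings: list[tuple[str, str]] = []
    if p.encryption == "none":
        findings.append((CRITICAL, "no encryption: any device can join the BSS and all data frames are sent in the clear"))
    elif p.encryption == "wep":
        findings.append((CRITICAL, "WEP (RC4, 40/104-bit static keys) is easily cracked; replace with 802.11i/WPA2 AES"))
    elif p.encryption == "tkip":
        findings.append((HIGH, "TKIP (WPA / Cisco interim) is superseded by 802.11i/WPA2 AES"))
    elif p.encryption != "aes":
        raise ValueError(f"unknown encryption setting {p.encryption!r}")
    if p.encryption != "none":
        if p.key_distribution == "static":
            findings.append((MEDIUM, "static preshared keys are rarely rotated; use dynamic key exchange"))
        if not p.user_auth:
            findings.append((MEDIUM, "device-only authentication: add 802.1x so a leaked key alone does not grant access"))
    if p.ssid_cloaked:
        findings.append((INFO, "SSID cloaking only stops beacons; probe responses still reveal the SSID, so it is not an access control"))
    if p.mac_filter:
        findings.append((INFO, "MAC filtering deters curious onlookers only; it is not an access control"))
    return findings


def worst(findings: list[tuple[str, str]]) -> str:
    """Highest severity present, or "ok" when the profile raises nothing."""
    return max((sev for sev, _ in findings), key=ORDER.get, default="ok")


# Constructed sample inventory: SSIDs and settings are made up for this example.
SAMPLE_APS = [
    WlanProfile("legacy-floor2", "wep", False, "static", mac_filter=True),
    WlanProfile("guest", "none", False, "static", ssid_cloaked=True),
    WlanProfile("office-wpa", "tkip", True, "dynamic"),
    WlanProfile("office-wpa2", "aes", True, "dynamic"),
]


def report(aps: list[WlanProfile] = SAMPLE_APS) -> dict[str, str]:
    """Map each SSID to its worst finding."""
    return {ap.ssid: worst(audit(ap)) for ap in aps}


if __name__ == "__main__":
    for ap in SAMPLE_APS:
        print(ap.ssid, "->", worst(audit(ap)))
        for sev, text in audit(ap):
            print("   ", sev, text)
```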