Slide 2: Similarities Between WLAN and LAN

- A wireless LAN is an 802 LAN.
  - Transmits data using RF carriers vs. data over the wire
  - Looks like a wired network to the user
  - Defines the physical and data link layers
  - Uses MAC addresses
- The same protocols/applications run over both WLANs and LANs.
  - IP (network layer)
  - IPSec VPNs (IP-based)
  - Web, FTP, SNMP (applications)

Wireless LANs are 802 LANs. The data in a WLAN is sent over radio waves; in a wired LAN the data is sent over wires. To the user, however, the network interface of a WLAN looks much like that of a wired LAN. Both WLANs and wired LANs define the physical and data link layers and use MAC addresses. The same protocols and applications can be used over LANs and WLANs. Examples of such protocols are IP and the IP Security (IPSec) protocol for virtual private networks (VPNs). Examples of applications are Web, FTP, and Simple Network Management Protocol (SNMP) management.
Slide 3: Current Standards – 802.11a, b, g

Figure (timeline 1986 to 2003, radio/network/speed): proprietary 900 MHz at 860 Kbps; proprietary 2.4 GHz at 1 and 2 Mbps; IEEE begins drafting; 802.11 ratified (standards-based 2.4 GHz, 1 and 2 Mbps); 802.11a,b ratified (11 Mbps at 2.4 GHz, 54 Mbps at 5 GHz); 802.11g ratified.

- 802.11a: up to 54 Mbps, 5 GHz, not compatible with either b or g
- 802.11b: up to 11 Mbps, 2.4 GHz
- 802.11g: up to 54 Mbps, 2.4 GHz, backward compatible with 802.11b
- 802.11n, the newest protocol, utilizes both the 2.4-GHz and 5-GHz bands and is backward compatible with existing a/b/g

The WLAN evolution started in the 1980s using 900-MHz Direct Sequence Spread Spectrum (DSSS) technology. The 900-MHz systems were fairly easy to deploy, because one access point could cover large areas and no licenses were required in the approved countries. However, only a few countries allowed the technology. As time progressed, the need for faster speeds, open standards, and global acceptance forced the manufacturers of WLAN products to engineer new products for the 2.4-GHz band.

The move to 2.4 GHz in the 1990s put WLAN products into a "cleaner" radio frequency (RF) environment, making it possible to deploy data collection systems without interference from 900-MHz transmissions. The 2.4-GHz technology was also well received because the throughput grew from 860 kbps to 1 Mbps and 2 Mbps.

When frequency and speeds are increased, coverage distances are decreased, but the new data collection opportunities that the faster throughput helped to create justified the extra access points that were needed. However, end users were still concerned about using a proprietary system. In 1992, the IEEE began drafting the standard to eliminate the issue of proprietary technology and design an open standard for WLANs.

In July 1997, the IEEE ratified the 2.4-GHz standard that included DSSS technology at the physical layer. This standard specified 1 Mbps as the standard speed and 2 Mbps as a "turbo" mode. In September 1999, the IEEE ratified the 802.11a standard (54 Mbps at 5 GHz) and the 802.11b standard (11 Mbps at 2.4 GHz). In June 2003, the IEEE ratified the 802.11g standard (54 Mbps at 2.4 GHz). This standard is backward compatible with 802.11b systems, because both standards use the same 2.4-GHz frequency band.
Slide 4: Radio Frequency Issues

- As signal strength decreases, so will the transmission rate.
- An 802.11b client's speed may drop from 11 Mbps to 5.5 Mbps, to 2 Mbps, or even 1 Mbps.
- This can all be associated with a combination of factors, including:
  - Distance
  - Line of sight
  - Obstructions
  - Reflection
  - Multipath reflection
  - Refraction (partially blocked by obstruction)
  - Diffraction (bending of signal)
  - Noise and interference
Slide 5: Wireless Access Points

- An access point (AP) is a WLAN device that can act as the center point of a stand-alone wireless network.
- An AP can also be used as the connection point between wireless and wired networks.
- In large installations, the roaming functionality provided by multiple APs allows wireless users to move freely throughout the facility while maintaining seamless, uninterrupted access to the network.

Cisco APs come in several models. The 1100 Series supports IEEE 802.11b. The 1200 Series supports 802.11a and 802.11b in the same unit. It also supports inline power injection, to save on AC wiring costs, and both RJ45 and 10/100 Ethernet connectors.
Slide 6: Wireless Bridges

- The Cisco Aironet 1300 Series Wireless Bridge is designed to connect two or more networks that are typically located in different buildings.
- It delivers high data rates and superior throughput for data-intensive, line-of-sight applications. The bridges connect hard-to-wire sites, noncontiguous floors, satellite offices, school or corporate campus settings, temporary networks, and warehouses.
- They can be configured for point-to-point or point-to-multipoint applications.
Slide 7: Wireless Workgroup Bridges

The Cisco Aironet Workgroup Bridge (WGB) connects to the Ethernet port of a device that does not have a WLAN NIC. The Cisco WGB provides a single MAC address connection into an access point and onto the LAN backbone. It cannot be used in a peer-to-peer mode connection and must communicate with an autonomous Cisco Aironet Access Point or a Cisco Aironet Bridge in access point mode. The Cisco Aironet WGB does not operate with access points of other vendors.

Another WGB configuration allows multiple wired machines to be attached to the same radio device. This configuration is ideal for connecting remote workgroups to a wired LAN. To use a WGB with multiple MAC addresses, you must connect the WGB to a hub or switch with an Ethernet patch cable. If the WGB is connected directly to an Ethernet client node, you must use an Ethernet crossover cable.
Slide 8: Service Set Identifier (SSID)

- The SSID is used to logically separate WLANs.
- The SSID must match on client and access point.
- The access point can broadcast the SSID in the beacon.
- A client can be configured without an SSID.

SSID, short for service set identifier, is the name of the wireless cell. It is a 32-character unique identifier attached to the header of packets sent over a WLAN that logically separates WLANs and acts as a password when a mobile device tries to connect to the BSS. The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network.

The access point can broadcast the SSID in the beacons. Beacons are broadcasts that the access points send to announce the available services. If the SSID is broadcast in the beacons, clients can be configured without an SSID (null SSID), detect all access points, and learn the SSID from the beacons of the access point. Knowing the SSID name does not necessarily mean that clients will be able to join the network. It depends on how the network administrator has configured the WLAN, particularly WEP security.

SSID broadcasts can be disabled on the access point, but this approach does not work if the client needs to see the SSID in the beacon. SSIDs should not be the only form of security used on a WLAN. The SSID is case sensitive.
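The slide's point that the SSID travels in the clear and is therefore not a security control can be seen by decoding a beacon frame. The following is an added example, not code from the original deck or from Cisco: it assembles a minimal 802.11 beacon from constructed values (BSSID, SSID, channel) and then reads the SSID, channel and privacy bit straight out of the bytes, including the zero-length SSID element an AP sends when SSID broadcast is disabled.

```python
import struct

# Constructed example frames and parser, added to illustrate the slide;
# not code from the original deck or from Cisco.

BROADCAST = bytes.fromhex("ffffffffffff")
IE_SSID = 0           # Information Element tag for the SSID
IE_DS_PARAMS = 3      # DS Parameter Set: carries the channel number
CAP_PRIVACY = 0x0010  # Capability Information "privacy" bit (encryption required)


def build_beacon(bssid: bytes, ssid: bytes, channel: int,
                 privacy: bool, hidden: bool = False) -> bytes:
    """Assemble a minimal 802.11 beacon management frame (no FCS).

    Layout: 24-byte MAC header, 12 bytes of fixed fields (timestamp,
    beacon interval, capability info), then tagged parameters (IEs).
    An AP with SSID broadcast disabled sends a zero-length SSID IE.
    """
    frame_control = b"\x80\x00"  # type 0 (management), subtype 8 (beacon)
    header = frame_control + b"\x00\x00" + BROADCAST + bssid + bssid + b"\x00\x00"
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)  # ESS bit + privacy bit
    fixed = struct.pack("<QHH", 0, 100, capability)        # timestamp, interval (TUs), capability
    ssid_body = b"" if hidden else ssid
    ies = bytes([IE_SSID, len(ssid_body)]) + ssid_body
    ies += bytes([IE_DS_PARAMS, 1, channel])
    return header + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Pull BSSID, SSID, channel and the privacy bit out of a beacon.

    Every field is read directly from the frame bytes: nothing in a beacon
    is encrypted, which is why the SSID cannot act as a secret.
    """
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    _timestamp, interval, capability = struct.unpack_from("<QHH", frame, 24)

    ies = {}
    offset = 36
    while offset + 2 <= len(frame):
        tag, length = frame[offset], frame[offset + 1]
        body = frame[offset + 2: offset + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        ies.setdefault(tag, body)  # first occurrence of a tag wins
        offset += 2 + length

    ssid_bytes = ies.get(IE_SSID, b"")
    ds = ies.get(IE_DS_PARAMS)
    return {
        "bssid": bssid,
        "ssid": ssid_bytes.decode("utf-8", errors="replace"),
        "ssid_hidden": len(ssid_bytes) == 0,
        "channel": ds[0] if ds else None,
        "beacon_interval_tu": interval,
        "privacy": bool(capability & CAP_PRIVACY),
    }


if __name__ == "__main__":
    ap = bytes.fromhex("00112233aabb")  # constructed BSSID
    print(parse_beacon(build_beacon(ap, b"CorpWLAN", 6, privacy=True)))
    print(parse_beacon(build_beacon(ap, b"CorpWLAN", 6, privacy=True, hidden=True)))
```

The `privacy` flag is the only security-relevant bit in the beacon, and it merely announces that encryption is required; which scheme (WEP, WPA, WPA2) is advertised in further information elements that this short parser does not decode.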
Slide 9: Basic Topologies

Figure panels: Peer-to-Peer (Ad Hoc) Topology (IBSS); Basic Infrastructure Topology (BSS); Extended Infrastructure Topology (ESS).

Peer-to-Peer (Ad Hoc) Topology (IBSS): A wireless service set can consist of nothing more than two or more PCs, each with a wireless network card. This configuration, which does not include an AP, is called an Independent BSS (IBSS). Operating systems such as Windows 98 or Windows XP have made this type of peer-to-peer network very easy to set up. This topology can be used for a small office or home office, to allow a laptop to be connected to the main PC, or for several individuals to simply share files. However, coverage limitations are a drawback in this type of network, since everyone must be able to hear everyone else.

Basic Infrastructure Topology (BSS): The basic service set (BSS) is the building block of an 802.11 LAN. The slide shows a BSS with three stations that are members of the BSS, in addition to the AP. The BSS covers a single cell, as indicated by the circle. When a device moves out of its BSS, it can no longer communicate with other members of the BSS. A BSS uses infrastructure mode, a mode that needs an access point (AP). All stations communicate through the AP; the stations do not communicate directly. A BSS has one service set ID (SSID).

Extended Infrastructure Topology (ESS): An extended service set (ESS) is defined as two or more BSSs that are connected by a common distribution system, as illustrated above. This allows the creation of a wireless network of arbitrary size and complexity. As with a BSS, all packets in an ESS must go through one of the APs.
Slide 10: WiFi (802.11) Media Access Control

- WiFi is often referred to as wireless Ethernet, as it is a development of the Ethernet standard.
- Within a WiFi network, all devices are connected using the same RF frequency to a common Access Point (AP).
- All communication between the PCs is via the AP.
- As all the devices in the network share the same frequency, they cannot all transmit at the same time, as their signals would interfere.
- Therefore, WiFi networks operate in half-duplex, using an access method called CSMA/CA.

Figure: PCs communicating via an Access Point.

Wireless networks need to use an access control method. Wireless systems are half-duplex and do not listen while they are transmitting. All hosts pass information to each other via the AP; however, they must be able to receive each other's signals in order to carry out carrier sense.
Slide 11: Local Area Networks (LAN)

Figure: 802.11b/g channels and 802.11a channels.

- If a single cell does not provide enough coverage, any number of cells can be added to extend the range.
- It is recommended that adjacent BSS cells have a 10 to 15 percent overlap.

If a single cell does not provide enough coverage, any number of cells can be added to extend the range. It is recommended that adjacent BSS cells have a 10 to 15 percent overlap, as shown above. This allows remote users to roam without losing RF connectivity. Bordering cells should be set to different non-overlapping channels, or frequencies, for best performance. Adding an AP is also a way to add wireless devices and extend the range of an existing wired system.
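The recommendation that bordering cells use non-overlapping channels can be checked mechanically. The following is an added example, not from the original deck or from Cisco; it uses the standard 802.11 channel center frequencies (2407 + 5n MHz for 2.4 GHz channels 1 to 13, 2484 MHz for channel 14, 5000 + 5n MHz for 5 GHz) with the nominal 22 MHz (802.11b/g) and 20 MHz (802.11a) channel widths, and goes slightly beyond the slide by also handling the 5 GHz band and validating a whole channel plan. AP names and the neighbour relationships are constructed.

```python
# Added example for the channel-planning guidance above; not from the
# original deck or from Cisco. Channel centers follow the 802.11 numbering;
# channel widths are the nominal 22 MHz (b/g) and 20 MHz (a).


def center_mhz(channel: int, band: str) -> int:
    """Center frequency of a channel in MHz."""
    if band == "2.4":
        if 1 <= channel <= 13:
            return 2407 + 5 * channel
        if channel == 14:
            return 2484
        raise ValueError(f"no 2.4 GHz channel {channel}")
    if band == "5":
        return 5000 + 5 * channel
    raise ValueError(f"unknown band {band!r}")


def channels_overlap(a: int, b: int, band: str = "2.4") -> bool:
    """True when the two channels overlap in spectrum, i.e. their centers
    are closer than one channel width (22 MHz for b/g, 20 MHz for a)."""
    width = 22 if band == "2.4" else 20
    return abs(center_mhz(a, band) - center_mhz(b, band)) < width


def non_overlapping_set(channels, band: str = "2.4") -> list:
    """Greedy choice (lowest channel first) of mutually non-overlapping
    channels; for 2.4 GHz channels 1..11 this yields the familiar 1, 6, 11."""
    chosen = []
    for ch in sorted(channels):
        if all(not channels_overlap(ch, c, band) for c in chosen):
            chosen.append(ch)
    return chosen


def check_channel_plan(plan: dict, neighbours, band: str = "2.4") -> list:
    """Return the bordering AP pairs whose channels overlap (sorted).

    plan maps AP name -> channel; neighbours lists (ap1, ap2) pairs whose
    cells border each other (the 10 to 15 percent overlap on the slide).
    """
    return sorted(
        tuple(sorted(pair)) for pair in neighbours
        if channels_overlap(plan[pair[0]], plan[pair[1]], band)
    )


if __name__ == "__main__":
    # Constructed three-cell plan where every cell borders the other two.
    plan = {"AP-A": 1, "AP-B": 6, "AP-C": 11}
    borders = [("AP-A", "AP-B"), ("AP-B", "AP-C"), ("AP-A", "AP-C")]
    print("2.4 GHz non-overlapping:", non_overlapping_set(range(1, 12)))
    print("conflicts:", check_channel_plan(plan, borders))
    plan["AP-C"] = 5
    print("conflicts after moving AP-C to 5:", check_channel_plan(plan, borders))
```

Channel 1 and channel 5 are 20 MHz apart, which is less than the 22 MHz width, so the second run reports AP-C conflicting with both neighbours; the same check passes for 5 GHz channels 36, 40, 44 and 48, whose centers are exactly one channel width apart.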
Slide 12: Wireless Repeater (50% overlap; not covered by 802.11 standards)

- A wireless repeater is simply an access point that is not connected to the wired backbone.
- This setup requires a 50% overlap of the AP on the backbone and the wireless repeater (so they can reach each other).
- The user can set up a chain of several repeater access points; however, the throughput for client devices at the end of the repeater chain will be quite low, as each repeater must receive and re-transmit each frame.
- For each repeater added to the chain, throughput is cut in half. It is recommended that not more than two hops be used.

In an environment where extended coverage is needed, but access to the backbone is not practical or available, a wireless repeater can be used. A wireless repeater is simply an access point that is not connected to the wired backbone. This setup requires a 50% overlap of the AP on the backbone and the wireless repeater.

The user can set up a chain of several repeater access points. However, the throughput for client devices at the end of the repeater chain will be quite low. This is because each repeater must receive and then re-transmit each packet on the same channel. For each repeater added to the chain, throughput is cut in half. It is recommended that not more than two hops be used.

When configuring repeater access points, use the following guidelines:

- Use repeaters to serve client devices that do not require high throughput. Repeaters extend the coverage area of the WLAN, but they drastically reduce throughput.
- Use repeaters when the client devices that associate with the repeaters are Cisco Aironet clients. Non-Cisco client devices sometimes have trouble communicating with repeater access points.
- Use omnidirectional antennas, like the ones that ship with the access point, for repeater access points.

Generally, within buildings, the availability of Ethernet connections is fairly pervasive. Repeaters can be used to extend APs from the building edge to the surrounding outdoor portions of the building, for temporary use. For example, one customer could use repeater-mode APs to extend coverage into the parking lot during spring sales for a grocery store. The client association is assigned to the wired/root AP and not to the AP acting as a repeater.
Slide 13: Cisco WLAN Implementation

Cisco offers two "flavors" of wireless solutions:

- Distributed WLAN solution
  - Autonomous AP
  - Wireless LAN Solution Engine (WLSE)
- Centralized WLAN solution
  - Lightweight AP
  - Wireless LAN Controller (WLC)

Cisco offers two WLAN implementations. The distributed WLAN solution is based on autonomous access points and uses the Wireless LAN Solution Engine (WLSE) for management. The distributed model was the original WLAN implementation offered by Cisco under the product name Aironet. The Academy course Fundamentals of Wireless LANs covers the distributed model. While this model is still fully supported by Cisco, the trend is for customers to migrate to the centralized WLAN solution.

The centralized WLAN solution is based on lightweight access points and wireless LAN controllers. Cisco began offering the centralized solution after the acquisition of Airespace. The primary difference between the distributed and centralized solutions can be seen in the division of labor between the access point and the controller.
Slide 14: Comparison of the WLAN Solutions

Autonomous WLAN:
- Autonomous access point
- Configuration of each access point
- Independent operation
- Management via CiscoWorks WLSE and WDS
- Access point redundancy

Lightweight WLAN:
- Lightweight access point
- Configuration via Cisco Wireless LAN Controller
- Dependent on Cisco Wireless LAN Controller
- Management via Cisco Wireless LAN Controller
- Cisco Wireless LAN Controller redundancy

Autonomous WLAN: Autonomous access points are configured per access point. Their Cisco IOS software operates independently. CiscoWorks WLSE performs centralized configuration, monitoring, and management. WDS facilitates radio monitoring and management communication between the autonomous access points and CiscoWorks WLSE. WDS is a feature that is enabled in any access point that forwards aggregated RF information from a grouping of access points to CiscoWorks WLSE.

Lightweight WLAN: You configure lightweight access points by using the Cisco Wireless LAN Controller. The access points usually depend on the controller for control and data transmission. Only in Remote-Edge Access Point (REAP) mode does a lightweight access point not depend on the Cisco Wireless LAN Controller for data transmission. The controller implements monitoring and security. Centralized configuration, monitoring, and management can be performed through Cisco WCS. Cisco Wireless LAN Controllers can be installed with redundancy within wireless LAN controller groups.
Slide 15: Why Lightweight APs?

- A WLAN controller system is used to create and enforce policies across many different lightweight access points.
- With centralized intelligence, functions essential to WLAN operations such as security, mobility, and quality of service (QoS) can be efficiently managed across an entire wireless enterprise.
- Splitting functions between the access point and the controller simplifies management, improves performance, and increases the security of large WLANs.

Traditional WLAN solutions distribute all traffic handling, RF control, security, and mobility functions to the access point itself. However, this architecture limits visibility of traffic to an individual access point only. This means:

- Individual access points, when used without a management device, must be managed individually, which can increase operations costs and staffing requirements.
- Networkwide attacks and interference are not visible across a system:
  - No single point of enforcement for security policies across Layer 1, Layer 2, and Layer 3
  - Unable to detect and mitigate denial of service (DoS) attacks across an entire WLAN
- A system cannot correlate or predict activity across an enterprise:
  - Limits the ability to enable optimized, real-time load balancing
  - Clients cannot perform fast handoffs, which are required to support real-time applications such as voice and video
- There is an inherent security risk if an access point is stolen or compromised.
Slide 16: Cisco Centralized WLAN Model

- The control traffic between the access point and the controller is encapsulated by the Lightweight Access Point Protocol (LWAPP) and encrypted via the Advanced Encryption Standard (AES).
- The data traffic between the access point and controller is also encapsulated with LWAPP, but not encrypted.

The centralized WLAN architecture divides processing of the protocol between two devices, the AP and a centralized Cisco WLAN controller (WLC). The controller is a required component and is used to control access points in the WLAN. This architecture uses a new protocol, Lightweight Access Point Protocol (LWAPP), for communication between the AP and the controller.

The AP handles the portions of the protocol that have real-time requirements, including:

- The frame exchange handshake between a client and AP when transferring a frame over the air
- The transmission of Beacon frames
- The buffering and transmission of frames for clients in power save operation
- The response to Probe Request frames from clients
- Forwarding notification of received Probe Requests to the controller
- Providing real-time signal quality information to the controller with every received frame
- Monitoring each of the radio channels for noise, interference, and other WLANs
- Monitoring for the presence of other APs

All remaining functionality is handled in the controller, where time-sensitivity is not a concern and controller-wide visibility is required. Some of the MAC-layer functions provided in the WLAN controller include:

- Authentication
- Association and reassociation (mobility)
- Frame translation and bridging
Slide 17: Wireless Mesh Networking

- Each access point runs the Cisco Adaptive Wireless Path protocol (AWP).
- AWP allows access points to communicate with each other to determine the best path back to the wired network.
- After the optimal path is established, AWP continues to run in the background to establish alternative routes back to the roof-top access point (RAP) if the topology changes or conditions cause the link strength to diminish.
- Mesh networks require lightweight APs and wireless LAN controllers.

A mesh networking infrastructure is decentralized and inexpensive because each node needs to transmit only as far as the next node. Nodes act as repeaters to transmit data from nearby nodes to peers that are too far away to reach. This approach results in a network that can span a large distance, especially over rough or difficult terrain.

Mesh networks are also extremely reliable because each node is connected to several other nodes. If one node drops out of the network because of hardware failure or any other reason, its neighbors simply find another route. Extra capacity can be installed by simply adding more nodes.

Mesh networks allow many possible paths from a given node to other nodes. Paths through the mesh network can change in response to traffic loads, radio conditions, or traffic prioritization.

Wireless mesh networks differ from other wireless networks in that only a subset of the nodes needs to be connected to the wired network. The network can cover more distance by using nodes that are not connected to the wired network. Unlicensed bandwidth and wireless routing allow microcells to interconnect over wireless backhaul links.
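The behaviour described above (each mesh AP picking the best path back to the roof-top AP, and neighbours re-routing when a node fails) is a least-cost path problem. The following added example is a generic Dijkstra search over a constructed mesh, not Cisco's AWP protocol, whose metric and messages the slide does not describe; the node names, link costs (lower means a stronger link) and the name "RAP" for the wired node are assumptions made for the illustration.

```python
import heapq

# Added illustration of the mesh path-selection idea above: a generic
# least-cost path search over radio links, not Cisco's AWP. Node names and
# link costs are constructed; a lower cost models a stronger link.


def build_links(edges) -> dict:
    """Undirected graph {node: {neighbour: cost}} from (a, b, cost) triples."""
    links = {}
    for a, b, cost in edges:
        links.setdefault(a, {})[b] = cost
        links.setdefault(b, {})[a] = cost
    return links


def shortest_path(links: dict, src: str, dst: str):
    """Dijkstra's algorithm. Returns (total_cost, [src, ..., dst]) or
    (None, []) when dst is unreachable from src."""
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        if node == dst:
            break
        for nbr, cost in links.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def remove_node(links: dict, dead: str) -> dict:
    """Topology after a node fails: drop it and every link to it."""
    return {n: {m: c for m, c in nbrs.items() if m != dead}
            for n, nbrs in links.items() if n != dead}


def backhaul_paths(links: dict, rap: str = "RAP") -> dict:
    """Each mesh AP's current best path back to the roof-top AP (wired node)."""
    return {n: shortest_path(links, n, rap)[1] for n in links if n != rap}


# Constructed five-node mesh: one roof-top AP and four mesh APs.
MESH = build_links([
    ("RAP", "MAP1", 1), ("RAP", "MAP2", 1),
    ("MAP1", "MAP3", 2), ("MAP2", "MAP3", 1),
    ("MAP2", "MAP4", 1), ("MAP3", "MAP4", 2),
])

if __name__ == "__main__":
    print("initial:", backhaul_paths(MESH))
    print("after MAP2 fails:", backhaul_paths(remove_node(MESH, "MAP2")))
```

With MAP2 healthy, MAP4 reaches the RAP in two hops through MAP2; once MAP2 is removed the search falls back to the longer MAP3 and MAP1 route, which is the re-routing behaviour the slide attributes to the mesh.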
Slide 18: Wireless LAN Security Threats

Threats to WLAN security include the following:

- War drivers trying to find open access points for free Internet access
- Hackers trying to exploit weak encryption to access sensitive data via the WLAN
- Employees installing access points for home use without the necessary security configuration on the enterprise network
Slide 19: Wireless Security Protocols

- Today, the standard that should be followed in most enterprise networks is the 802.11i standard. This is similar to the Wi-Fi Alliance WPA2 standard.
- For enterprises, WPA2 includes a connection to a Remote Authentication Dial In User Service (RADIUS) database.

The flaws with WEP shared key encryption were two-fold. First, the algorithm used to encrypt the data was crackable. Second, scalability was a problem. The 32-bit WEP keys were manually managed, so users entered them by hand, often incorrectly, creating calls to technical support desks.

Following the weakness of WEP-based security, there was a period of interim security measures. Vendors such as Cisco, wanting to meet the demand for better security, developed their own systems while simultaneously helping to evolve the 802.11i standard. On the way to 802.11i, the TKIP encryption algorithm was created, which was linked to the Wi-Fi Alliance Wi-Fi Protected Access (WPA) security method.
Slide 20: Layer-2 LWAPP Architecture

As more products emerge that use lightweight access points with centralized WLAN intelligence, there is a need for an industry standard that governs how these devices communicate with one another. LWAPP is a draft being considered for standardization within the IETF working group to address this issue. Authored initially by Airespace (acquired by Cisco Systems in March 2005) and NTT DoCoMo, LWAPP standardizes the communications protocol between access points and WLAN systems (controllers, switches, routers, etc.).

LWAPP can operate at Layer 2 or Layer 3. When deployed in a Layer 2 architecture:

- Layer 2 LWAPP is carried in an Ethernet frame.
- The WLAN controller and the access point must be in the same broadcast domain and IP subnet, but the APs do not require IP addresses.
- Access points don't require IP addressing.
- Controllers need to be on EVERY subnet on which APs reside.
- L2 LWAPP was the first step in the evolution of the architecture; many current products do not support this functionality.
Slide 21: Layer-3 LWAPP Architecture

- Layer 3 LWAPP is carried in a UDP/IP frame.
- The WLAN controller and access point can be in the same or different broadcast domains and IP subnets.
- The access point must have an IP address.
- Access points require IP addressing.
- APs can communicate with the WLC across routed boundaries.
- L3 LWAPP is more flexible than L2 LWAPP, and all products support this LWAPP operational "flavor".
Slide 22: Evolution of Wireless LAN Security

Figure (evolution table, reconstructed from the slide labels):

- Initial (1997): Encryption (WEP); no strong authentication; static, breakable keys; not scalable.
- Interim (2001): 802.1x EAP; dynamic keys; improved encryption; user authentication; 802.1x EAP (LEAP, PEAP); RADIUS.
- Interim (2003): Wi-Fi Protected Access (WPA); standardized; improved encryption; strong user authentication (e.g., LEAP, PEAP, EAP-FAST).
- Present: IEEE 802.11i / WPA2 (2004); wireless IDS; identification and protection against attacks, DoS; AES strong encryption; authentication; dynamic key management.

Initially, IEEE security relied on static keys for both encryption and authentication. The authentication method was not strong and the keys were eventually compromised. Because the keys were administered statically, this method of security was not scalable to large enterprise environments.

Cisco introduced enhancements that allowed for the use of IEEE 802.1x authentication protocols and dynamic keys and 802.1x Extensible Authentication Protocol (EAP) authentication. Cisco also introduced methods to overcome the exploitation of the encryption keys with key hashing (per-packet keying [PPK]) and message integrity checks (MIC). These methods are today known as Cisco Key Integrity Protocol (CKIP) and Cisco Message Integrity Check (CMIC).

The IEEE committee began the process of upgrading the security of the WLAN. The Wi-Fi Alliance introduced WPA as an interim solution. This standard was a subset of the expected 802.11i security standard for WLANs that use 802.1x authentication and improved encryption. WPA consists of user authentication, MIC, Temporal Key Integrity Protocol (TKIP), and dynamic keys. It is similar to the Cisco enhancements but implemented differently. WPA also includes a passphrase or preshared key user authentication for home users, which is not recommended for enterprise security.

Today IEEE 802.11i has been ratified and Advanced Encryption Standard (AES) has replaced WEP as the latest and most secure method of encrypting data. Wireless intrusion detection systems are available to identify and protect the WLAN from attacks. The Wi-Fi Alliance certifies 802.11i devices under WPA2.
Slide 23: WPA and WPA2 Authentication

- User authentication is done via the 802.1x protocol.
- A supplicant for 802.1x or EAP is needed on the WLAN client.
- The access point is the authenticator, which communicates via RADIUS with the authentication, authorization, and accounting (AAA) server, such as Cisco Secure ACS. Lightweight access points communicate with the WLAN controller, which acts as the authenticator.
- The client and the authentication server implement different versions of EAP. The EAP messages pass through the access point as the authenticator.
Slide 24: WPA and WPA2 Encryption

- After authentication of the WLAN client, the data is sent encrypted.
- The basic encryption algorithm RC4 was originally used in WEP.
- TKIP made the RC4 encryption more secure through an increased size of initialization vector and per-packet key mixing, while maintaining hardware compatibility.
- AES replaces RC4 with a more cryptographically robust algorithm.
- WPA uses TKIP, while WPA2 uses AES or TKIP.
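Slides 19 and 24 state that WEP's RC4 encryption was crackable and that TKIP's larger initialization vector and per-packet key mixing were the interim fix. The added example below shows the mechanism behind that statement; it is not code from the original deck or from Cisco. It implements RC4 and the standard WEP framing (a 3-byte IV sent in the clear and prepended to the static shared key, a CRC-32 ICV appended to the payload), then demonstrates that two frames encrypted under the same key and the same IV produce the same keystream, so the XOR of their ciphertexts equals the XOR of their plaintexts, and estimates from the birthday bound how soon a 24-bit IV repeats compared with TKIP's 48-bit one. The key, IVs and payloads are constructed values.

```python
import math
import struct
import zlib

# Added illustration of the WEP weakness discussed on slides 19 and 24; not
# code from the original deck or from Cisco. RC4 and the WEP framing are the
# standard definitions; key, IVs and payloads below are constructed.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling algorithm, then pseudo-random generation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Stream-cipher encryption/decryption: data XOR keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: IV in the clear, then RC4(IV || key) over payload || ICV.
    The per-packet key is a plain concatenation, so the keystream depends
    only on the IV once the shared key is fixed."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 3 bytes")
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + rc4(iv + shared_key, payload + icv)


def keystream_reuse_leak(shared_key: bytes, iv1: bytes, iv2: bytes,
                         p1: bytes, p2: bytes) -> bool:
    """True if the two frames leak p1 XOR p2 through c1 XOR c2, which happens
    exactly when they were encrypted with the same keystream (same IV)."""
    c1 = wep_encrypt(shared_key, iv1, p1)[3:]
    c2 = wep_encrypt(shared_key, iv2, p2)[3:]
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


def iv_space(bits: int) -> int:
    """Number of distinct IVs: 2^24 for WEP, 2^48 for TKIP's sequence counter."""
    return 2 ** bits


def frames_until_likely_iv_repeat(bits: int) -> int:
    """Birthday-bound estimate of randomly chosen IVs sent before a repeat
    is expected: about sqrt(pi/2 * 2^bits)."""
    return int(math.sqrt(math.pi / 2 * 2 ** bits))


if __name__ == "__main__":
    key = b"\x0b\xad\xc0\xff\xee"          # constructed 40-bit static key
    a, b = b"GET /index.html", b"POST /login.php"
    print("same IV leaks:", keystream_reuse_leak(key, b"\x01\x02\x03", b"\x01\x02\x03", a, b))
    print("different IV leaks:", keystream_reuse_leak(key, b"\x01\x02\x03", b"\x04\x05\x06", a, b))
    for bits in (24, 48):
        print(f"{bits}-bit IV: {iv_space(bits)} values, repeat expected after "
              f"~{frames_until_likely_iv_repeat(bits)} frames")
```

A busy 802.11b cell sends tens of thousands of frames per hour, so with a 24-bit IV and a static key the repeat condition that the demonstration relies on arises in normal operation; TKIP's 48-bit counter and its mixing of the counter into the per-packet key remove that condition, and WPA2's AES-based encryption replaces RC4 altogether.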
Slide 25: Wi-Fi Protected Access

What are WPA and WPA2?
- Authentication and encryption standards for Wi-Fi clients and APs
- 802.1x authentication
- WPA uses TKIP encryption
- WPA2 uses AES block cipher encryption

Which should I use?
- Gold, for supporting NICs/OSs
- Silver, if you have legacy clients
- Lead, if you absolutely have no other choice

Tier     Standard        Authentication    Encryption / other
Gold     WPA2/802.11i    EAP-FAST          AES
Silver   WPA             EAP-FAST          TKIP
Lead     Dynamic WEP     EAP-FAST/LEAP     VLANs + ACLs
Slide 26: WLAN Security Summary

Figure (security tiers and their typical use):
- Open Access: no encryption, basic authentication. Typical use: public "hotspots".
- Basic Security: 40-bit or 128-bit static WEP encryption, WPA. Typical use: home use.
- Enhanced Security: 802.1x, TKIP encryption, mutual authentication, scalable key management, etc. Typical use: enterprise.
- Remote Access: Virtual Private Network (VPN). Typical use: business traveler, telecommuter.

Security of wireless LANs has received a lot of bad press. However, wireless LANs can be as secure as wired infrastructure if set up correctly. Before deploying, an educational institution needs to conduct a risk assessment of its environment and decide how much security it needs. Note that 70% of businesses do not turn on the basic security available on all WLAN products.

Open Access: this may be the most appropriate option where open access is required (i.e. "hotspots"). 802.11b configurable features.
- Security options: SSID (not a security handle; sent in the clear); public/private WLAN segregation
- Drawbacks: "promiscuous mode" drivers; null association

Basic Security: 802.11b configurable features (i.e. home users).
- Security options: SSID, WEP encryption (H/W or S/W); public/private WLAN segregation
- Drawbacks: static keys create security and management issues; easily hacked

Enhanced Security: enhanced features.
- Security options: 802.1x authentication framework (TGi baseline); mutual authentication with dynamic, per-user, per-session WEP key; automatic, frequent re-authentication
- Advantages: multi-tiered security approach

Maximum Security: special applications requiring maximum security.
- Security options: tunneling, encryption, packet integrity, user and device authentication, policy management