Explaining WLAN Technology and Standards

Presentation transcript:

Wireless LANs: Explaining WLAN Technology and Standards

Unlicensed Frequency Bands

There are three unlicensed bands: 900 MHz, 2.4 GHz, and 5.7 GHz. The 900-MHz and 2.4-GHz bands are referred to as the Industrial, Scientific, and Medical (ISM) bands, and the 5-GHz band is commonly referred to as the Unlicensed National Information Infrastructure (UNII) band. Frequencies for these bands are as follows:
- 900-MHz band: 902 to 928 MHz
- 2.4-GHz band: 2.400 to 2.483 GHz (in Japan extends to 2.495 GHz)
- 5-GHz band: 5.150 to 5.350 MHz, 5.725 to 5.825 MHz, with some countries supporting middle bands between 5.350 and 5.825 MHz

The number of countries that permit 802.11a and the available spectrum vary widely, and the list changes quickly. The focus of this module is on the 2.4- and 5-GHz bands. Cisco Aironet® products use these bands today and adhere to the Institute of Electrical and Electronics Engineers (IEEE) 802.11a, 802.11b, and 802.11g standards.

- ISM: industrial, scientific, and medical frequency band
- No license required
- No exclusive use
- Best effort
- Interference possible

Radio Frequency Transmission
- Radio frequencies are radiated into the air via an antenna, creating radio waves.
- Radio waves are absorbed when they are propagated through objects (e.g., walls).
- Radio waves are reflected by objects (e.g., metal surfaces).
- This absorption and reflection can cause areas of low signal strength or low signal quality.
- Radio signals can be reflected, refracted, absorbed, scattered, and diffracted.

Radio Frequency Transmission
- Higher data rates have a shorter transmission range. The receiver needs more signal strength and a better SNR to retrieve information.
- Higher transmit power results in greater distance.
- Higher frequencies allow higher data rates.
- Higher frequencies have a shorter transmission range.

WLAN Regulation and Standardization
- Regulatory agencies: FCC (United States), ETSI (Europe)
- Standardization: IEEE 802.11, http://standards.ieee.org/getieee802/
- Certification of equipment: the Wi-Fi Alliance certifies interoperability between products. Certifications include 802.11a, 802.11b, 802.11g, dual-band products, and security testing. Certified products can be found at http://www.wi-fi.org.

Wi-Fi offers certification for interoperability between vendors' 802.11 products. This certification provides a comfort zone for users purchasing the products. It also helps to market WLAN technology by promoting interoperability between vendors. Certification includes all three 802.11 RF technologies as well as Wi-Fi Protected Access, a security model that follows the work of the 802.11i security task group.

802.11b © 2005 Cisco Systems, Inc. All rights reserved.

802.11b Standard
- Standard was ratified in September 1999
- Operates in the 2.4-GHz band
- Specifies direct sequence spread spectrum (DSSS)
- Specifies four data rates up to 11 Mbps: 1, 2, 5.5, 11 Mbps
- Provides specifications for vendor interoperability (over the air)
- Defines basic security, encryption, and authentication for the wireless link
- Is the most commonly deployed WLAN standard

802.11b was ratified in 1999, and products were actually introduced into the market before the standard was ratified. It became the de facto standard for wireless, and adoption grew rapidly. It operates in the worldwide available 2.4-GHz ISM band. Only one RF transmission method was specified: direct sequence spread spectrum (DSSS). It is based on the 802.11 standard and is the most common wireless LAN standard. It is approved for use virtually worldwide.

2.4-GHz Channels

Channel identifier   Channel center frequency   Channel frequency range [MHz]
1                    2412 MHz                   2401 – 2423
2                    2417 MHz                   2406 – 2428
3                    2422 MHz                   2411 – 2433
4                    2427 MHz                   2416 – 2438
5                    2432 MHz                   2421 – 2443
6                    2437 MHz                   2426 – 2448
7                    2442 MHz                   2431 – 2453
8                    2447 MHz                   2436 – 2458
9                    2452 MHz                   2441 – 2463
10                   2457 MHz                   2446 – 2468
11                   2462 MHz                   2451 – 2473
12                   2467 MHz                   2466 – 2478
13                   2472 MHz                   2471 – 2483
14                   2484 MHz                   2473 – 2495

Regulatory domains: Americas; Europe, Middle East, and Asia; Japan.
- 11 U.S. channels
- 13 European Telecommunications Standards Institute (ETSI) channels
- 14 Japanese channels

There are a total of 11 channels available in the US; however, only 3 of these channels are nonoverlapping. In the ETSI domains, there are 13 available channels, but again only 3 are nonoverlapping. In Japan, there is an additional channel located at the top end of the band, and it is possible to use it along with 3 other channels for a total of 4 nonoverlapping channels.

Different countries have different regulatory bodies and may have as many as 14 channel sets available. In some countries, this may mean that the number of nonoverlapping channels is reduced to one, and an aggregate data rate of 33 Mbps may not be possible. The following lists the countries that belong to each regulatory domain. Regulatory domain information is subject to change. An up-to-date listing of the countries that correspond to these regulatory domains is available at: http://www.cisco.com/go/aironet/compliance

2.4-GHz Channel Use
- Each channel is 22 MHz wide.
- North America: 11 channels.
- Europe: 13 channels.
- There are three nonoverlapping channels: 1, 6, 11.
- Using any other channels will cause interference.
- Three access points can occupy the same area.

The 2.4-GHz 802.11b/g band has three nonoverlapping channels, which do not share any frequency. This means that three access points (APs) could operate in the same cell area without sharing the medium. An AP on channel 1 does not share time with an AP on channel 6, because they do not have any common frequencies. There is no degradation in throughput when three APs are in the same cell area if each AP is on a nonoverlapping channel. Three APs in the same cell on three nonoverlapping channels provide an aggregate data rate for the cell of 33 Mbps with an aggregate throughput of 18.6 Mbps. If the same three APs shared the same channel, the aggregate data rate would still be 33 Mbps, but the aggregate throughput would be more like 7 Mbps.

List of channels: 1=2412, 2=2417, 3=2422, 4=2427, 5=2432, 6=2437, 7=2442, 8=2447, 9=2452, 10=2457, 11=2462, 12=2467, 13=2472, and 14=2477. Channels are known by their center frequency.

The 802.11g standard was ratified in June 2003. It operates in the same 2.4-GHz band as 802.11b and uses the same three nonoverlapping channels, with full backward compatibility with 802.11b. 802.11g uses OFDM modulation for 802.11g data rates and CCK modulation for 802.11b data rates. The 802.11g data rates are 54, 48, 36, 24, 18, 12, 9 and 6 Mbps. The 802.11b data rates are 11, 5.5, 2 and 1 Mbps.

802.11b/g (2.4 GHz) Channel Reuse

This diagram shows the 3 nonoverlapping channels that are available within 802.11b/g. The goal of access point and cell placement is to reduce the overlap of cells that are on the same channel. You can compare this to the placement of FM radio stations throughout the country: you will never see two radio stations in the same geographic area on the exact same channel. The same concept applies here.
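The channel arithmetic behind the two slides above can be checked in code. The following Python is an added example, not part of the original presentation: it derives the nonoverlapping channel set for each regulatory domain from the 22-MHz channel width and audits a set of access points in one cell. The AP names and channel assignments are constructed, and channel edges are assumed to be the center frequency plus or minus 11 MHz.

```python
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22  # from the slides: each 2.4-GHz channel is 22 MHz wide

# Channel counts per regulatory domain as given in the slides (11 / 13 / 14).
DOMAIN_CHANNELS = {
    "americas": range(1, 12),
    "etsi": range(1, 14),
    "japan": range(1, 15),
}


def center_mhz(channel):
    """Center frequency: channels 1-13 are spaced 5 MHz apart, 14 sits at 2484."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4-GHz channel: {channel}")


def band_edges(channel):
    """Lower and upper edge in MHz (assumption: center +/- half the width)."""
    half = CHANNEL_WIDTH_MHZ // 2
    return center_mhz(channel) - half, center_mhz(channel) + half


def shared_mhz(a, b):
    """Width of spectrum two channels have in common (0 when they only touch)."""
    return max(0, CHANNEL_WIDTH_MHZ - abs(center_mhz(a) - center_mhz(b)))


def nonoverlapping_plan(domain):
    """Greedy plan: walk the domain's channels upward and keep each one that
    shares no spectrum with the channels already chosen."""
    plan = []
    for channel in DOMAIN_CHANNELS[domain]:
        if all(shared_mhz(channel, chosen) == 0 for chosen in plan):
            plan.append(channel)
    return plan


def audit_cell(aps):
    """Check every pair of APs that cover the same area.

    aps: list of (name, channel). Returns (name_a, name_b, kind, shared MHz),
    where kind is 'co-channel' (the APs share airtime) or 'partial-overlap'
    (the APs interfere with each other).
    """
    findings = []
    for (name_a, ch_a), (name_b, ch_b) in combinations(aps, 2):
        common = shared_mhz(ch_a, ch_b)
        if common == 0:
            continue
        kind = "co-channel" if ch_a == ch_b else "partial-overlap"
        findings.append((name_a, name_b, kind, common))
    return findings


# Constructed survey data: AP names and channel assignments are made up.
SAMPLE_APS = [("ap-lobby", 1), ("ap-east", 6), ("ap-west", 11),
              ("ap-lab", 3), ("ap-cafe", 6)]

if __name__ == "__main__":
    for domain in DOMAIN_CHANNELS:
        print(domain, nonoverlapping_plan(domain))
    for finding in audit_cell(SAMPLE_APS):
        print(finding)
```

The Japanese plan gains channel 14 because its lower edge only touches the upper edge of channel 11, which matches the four nonoverlapping channels described for Japan.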

802.11b Access Point Coverage

Wireless LAN clients can shift data rates while moving, so that a person operating at 11 Mbps can shift to 5.5 Mbps, then 2 Mbps, and finally still communicate at the outside ring at 1 Mbps. This rate shifting happens without losing the connection and without any interaction from the user. Rate shifting also happens on a transmission-by-transmission basis; therefore the access point can support multiple clients at multiple speeds, depending on the location of each client.

Higher data rates require stronger signals at the receiver. Therefore lower data rates have a greater range. Wireless clients will always try to communicate at the highest possible data rate. Only if transmission errors and transmission retries occur will the client reduce the data rate. This provides the highest total throughput of the wireless network.

802.11a

802.11a Standard
- Standard was ratified September 1999
- Operates in the 5-GHz band
- Uses orthogonal frequency-division multiplexing (OFDM)
- Uses eight data rates of up to 54 Mbps: 6, 9, 12, 18, 24, 36, 48, 54 Mbps
- Has from 12 to 23 nonoverlapping channels (FCC)
- Has up to 19 nonoverlapping channels (ETSI)
- Regulations different across countries
- Transmit (Tx) power control and dynamic frequency selection required (802.11h)

The 802.11a standard was ratified at the same time as 802.11b. However, because of limited supplies of silicon and other components, products did not start to appear in the market until late 2000. The technology provides up to a 54-Mbps data rate, and in most countries provides eight channels of indoor WLAN usage. However, the regulations vary widely across countries and are in constant change at present.

5-GHz Channels with 802.11h
- 802.11h implements TPC and DFS.
- With 802.11h in February 2004, the FCC added 11 channels.
- 23 channels in the United States (FCC)
- 19 channels in Europe (ETSI)
- UNII-3 band currently not allowed in most of Europe

Note: In order to use the 11 new channels, radios must comply with two features that are part of the 802.11h specification: Transmitter Power Control (TPC) and Dynamic Frequency Selection (DFS).

DFS dynamically instructs a transmitter to switch to another channel whenever a particular condition (such as the presence of a radar signal) is met. Prior to transmitting, a device's DFS mechanism monitors its available operating spectrum, listening for a radar signal. If a signal is detected, the channel associated with the radar signal will be vacated or flagged as unavailable for use by the transmitter. The transmitting device will continuously monitor the environment for the presence of radar, both prior to and during operation. Portions of the 5-GHz band are allocated to radar systems; this allows WLANs to avoid interference with incumbent radar users in instances where they are co-located. Such features can simplify enterprise installations, because the devices themselves can (theoretically) automatically optimize their channel reuse patterns.

TPC technology has been used in the cellular telephone industry for many years. Setting the transmit power of the access point and the client adapter can be useful to allow for different coverage area sizes and, in the case of the client, to conserve battery life. In devices that have the ability to set power levels, the settings are usually static and independent of each other (access point and clients). For example, an access point can be set to a low 5-mW transmit power to minimize cell size, which is useful in areas with high user density. The clients will, however, be transmitting at their previously assigned transmit power settings, which is likely more transmit power than is required to maintain association with the access point. This results in unnecessary RF energy transmitted from the clients, creating a higher level of RF energy than necessary outside the access point's intended coverage area. With TPC, the client and access point exchange information, then the client device dynamically adjusts its transmit power so that it uses only enough energy to maintain association with the access point at a given data rate. The end result is that the client contributes less to adjacent cell interference, allowing for more densely deployed high-performance WLANs. As a secondary benefit, the lower power on the client provides longer battery life, because less power is used by the radio.

The FCC has yet to define a test method for testing compliance with DFS requirements. As a consequence, the 11 new channels are not yet available. Today, the Cisco® Aironet® RM21A and RM22A 5-GHz radio modules for Cisco Aironet 1130AG Series, 1200 Series, and 1230AG Series access points support the 12 channels made up of the UNII-1, UNII-2, and UNII-3 bands. These devices have the hardware capability to support the 11 new channels; however, until the FCC releases a test program, the firmware will not provide access to the additional channels.

802.11a Channel Reuse
- 802.11h DFS not available: manual channel assignment required
- 802.11h DFS implemented: channel assignment done by Dynamic Frequency Selection (DFS); only frequency bands can be selected

This diagram illustrates the channel deployment of 802.11a products throughout a given area. As you can see, the cells are easier to deploy because there are 8 different channels to work with. It is recommended that neighboring cells not be placed on neighboring frequencies.

Channel scheme for 802.11a UNII-1 and UNII-2:

Channel   Frequency
36        5180
40        5200
44        5220
48        5240
52        5260
56        5280
60        5300
64        5320

- 802.11h Dynamic Frequency Selection (DFS) replaces manual channel assignment; only frequency bands can be selected
- 12 / 23 channels are available in the US
- Up to 19 channels are available in Europe if 5-GHz frequency bands are allowed

802.11g

802.11g Standard
- Standard was ratified June 2003
- Operates in the same 2.4-GHz band as 802.11b
- Same three nonoverlapping channels: 1, 6, 11 (11 channels in North America, 13 under ETSI, 14 in Japan)
- DSSS (CCK) and OFDM transmission
- 12 data rates of up to 54 Mbps: 1, 2, 5.5, 11 Mbps (DSSS / 802.11b); 6, 9, 12, 18, 24, 36, 48, 54 Mbps (OFDM)
- Full backward compatibility with the 802.11b standard

802.11g was ratified in June 2003. The aim was to provide higher data rates than the 802.11b standard. The speeds of 802.11g promised to be similar to 802.11a, and because it uses the exact same frequencies as 802.11b, it has full backward compatibility with existing 802.11b wireless LANs.
- Equipment complying with 802.11g uses the same modulation as 802.11b for the 11-, 5.5-, 2-, and 1-Mbps data rates.
- Equipment complying with 802.11g uses the same modulation as 802.11a for the 54-, 48-, 36-, 24-, 18-, 12-, 9- and 6-Mbps data rates.
- Equipment complying with 802.11g uses the same bandwidth as 802.11b: 22-MHz-wide channels.

802.11g Protection Mechanism
- Problem: 802.11b stations cannot decode 802.11g radio signals.
- An 802.11b/g access point communicates with 802.11b clients at a maximum of 11 Mbps.
- An 802.11b/g access point communicates with 802.11g clients at a maximum of 54 Mbps.
- An 802.11b/g access point activates RTS/CTS to avoid collisions when 802.11b clients are present.
- An 802.11b client learns the duration of the 802.11g transmission from the CTS frame.
- 802.11g protection mode results in reduced total throughput, caused by the additional overhead.

802.11 Standards Comparison

802.11 RF Comparison

Standards compared: 802.11b (2.4 GHz), 802.11g (2.4 GHz), 802.11a (5 GHz)

Pro:
- Most commonly deployed WLAN standard
- Higher throughput
- OFDM technology reduces multipath issues
- Highest throughput
- Provides up to 23 nonoverlapping channels

Con:
- Interference and noise from other services in the 2.4-GHz band
- Only 3 nonoverlapping channels
- Distance limited by multipath issues
- Throughput degraded in the presence of 802.11b clients
- Lower market penetration

2.4 GHz (802.11b): The 802.11b standard, the most widely deployed wireless standard, operates in the 2.4-GHz unlicensed radio band and delivers a maximum data rate of 11 Mbps. The 802.11b standard has been widely adopted by vendors and customers who find its 11-Mbps data rate more than adequate for most applications. Interoperability between many of the products on the market is ensured through the Wi-Fi Alliance™ certification program. Therefore, if your network requirements include supporting a wide variety of devices from different vendors, 802.11b is probably your best choice.

2.4 GHz (802.11g): The 802.11g standard was ratified in June 2003. The 802.11g standard delivers the same 54-Mbps maximum data rate as 802.11a, yet it offers an additional and compelling advantage: backward compatibility with 802.11b equipment. This means that 802.11b client cards will work with 802.11g access points and that 802.11g client cards will work with 802.11b access points. Because 802.11g and 802.11b operate in the same 2.4-GHz unlicensed band, migrating to 802.11g is an affordable choice for organizations with existing 802.11b wireless infrastructures. Note that 802.11b products cannot be "software upgraded" to 802.11g. This limitation is due to the fact that 802.11g radios use a different chipset in order to deliver the higher data rate. However, much like Ethernet and Fast Ethernet, 802.11g products can be commingled with 802.11b products in the same network. Both 802.11g and 802.11b operate in the same unlicensed band. As a result, they share the same three channels, which can limit wireless capacity and scalability.

5 GHz (802.11a): The IEEE also ratified the 802.11a standard in 1999, but the first 802.11a-compliant products did not begin appearing on the market until December 2001. The 802.11a standard delivers a maximum data rate of 54 Mbps and twelve nonoverlapping frequency channels, resulting in increased network capacity, improved scalability, and the ability to create microcellular deployments without interference from adjacent cells. Operating in the unlicensed portion of the 5-GHz radio band, 802.11a is also immune to interference from devices that operate in the 2.4-GHz band, such as microwave ovens, cordless phones, and Bluetooth devices (a short-range, low-speed, point-to-point, personal area network [PAN] wireless standard). The 802.11a standard is not, however, compatible with existing 802.11b-compliant wireless devices. Organizations with 802.11b equipment that want the extra channels and network speed supported by 802.11a technology must upgrade to a product that supports the technology. Some products support dual-band operation, and it is important to note that 2.4- and 5-GHz equipment can operate in the same physical environment without interference.

802.11 Standards Comparison

                    802.11b         802.11g                                          802.11a
Ratified            1999            2003                                             1999
Frequency band      2.4 GHz         2.4 GHz                                          5 GHz
No. of channels     3               3                                                Up to 23
Transmission        DSSS            DSSS, OFDM                                       OFDM
Data rates [Mbps]   1, 2, 5.5, 11   1, 2, 5.5, 11; 6, 9, 12, 18, 24, 36, 48, 54      6, 9, 12, 18, 24, 36, 48, 54
Throughput [Mbps]   Up to 6         Up to 22                                         Up to 28

This table summarizes the features of the 802.11 wireless LAN standards that were introduced earlier.

Range Comparisons

The 11b and 11g ranges are based on default power settings with 2.2-dBi 2.4-GHz antennas on the APs and 0-dBi antennas on the clients. The 11a ranges are based on default power settings with a 5-dBi omni antenna on the AP and a 6-dBi omni antenna on the client.

This slide compares the range of the different data rates and the different wireless LAN standards in an open office environment. Actual distances can differ due to absorption and reflection. The size of a wireless cell depends on the data rate. It is possible to limit the range by disabling lower data rates. To limit the range to 150 ft, the data rates of 5.5, 2, and 1 Mbps (802.11b/g) and 6, 9, 12, 18 Mbps (802.11g) could be disabled.

Ratified IEEE 802.11 Standards
- 802.11: WLAN 1 and 2 Mbps at 2.4 GHz
- 802.11a: WLAN 54 Mbps at 5 GHz
- 802.11b: WLAN 11 Mbps at 2.4 GHz
- 802.11d: Multiple regulatory domains
- 802.11e: Quality of service
- 802.11f: Inter-Access Point Protocol (IAPP)
- 802.11g: WLAN 54 Mbps at 2.4 GHz
- 802.11h: Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) at 5 GHz
- 802.11i: Security
- 802.11j: 5-GHz channels for Japan

The 802.11a, b, and g specifications all relate to WLAN physical layer standards.

Cisco Aironet access points in this release support the 802.11d standard for world mode. World mode enables the access point to inform an 802.11d client device which radio setting the device should use to conform to local regulations.

The IEEE 802.11e standard is being developed to enhance the current 802.11 MAC to expand support for applications with quality of service (QoS) requirements and improve the capabilities and efficiency of the protocol. This standard will assist with voice, video, and other time-sensitive applications. In March 2005, the IEEE will submit this standard to the Executive Committee for approval.

The IEEE 802.11F standard is a recommended practice guideline, defining a protocol for intercommunication between access points, to assist in roaming and handoff of traffic. Most vendors have implemented their own proprietary Inter-Access Point Protocol (IAPP) for use with their access points.

The IEEE 802.11h standard is supplementary to the MAC layer to comply with European regulations for 5-GHz WLANs. Most European radio regulations for the 5-GHz band require products to have transmission power control (TPC) and dynamic frequency selection (DFS). TPC limits the transmitted power to the minimum needed to reach the farthest user. DFS selects the radio channel at the access point to minimize interference with other systems, particularly radar.

The IEEE 802.11i standard specifies the improved security, encryption, and authentication for wireless LANs and the enhancements to the current 802.11 MAC to provide improvements in security.

The IEEE 802.11j standard is intended to enhance the 802.11 standard and amendments, adding channel selection for 4.9 GHz and 5 GHz in Japan to conform to Japanese rules on operational mode, operational rate, radiated power, spurious emissions, and channel sense.

http://standards.ieee.org/getieee802/

Worldwide Availability

In most parts of the world Cisco products can be deployed without a user license (that is, unlicensed). In most countries there is over 80 MHz of available spectrum. The 5-GHz WLAN technology is also gaining popularity worldwide as more products become available in the UNII-1, UNII-2, and UNII-3 frequency bands. The operating frequency range varies worldwide from 5.150 GHz to 5.825 GHz, as does the maximum power, which is determined by the local regulating country.

The Cisco Aironet products and the specific countries for which each product is currently certified for order and shipment are listed at http://www.cisco.com/go/aironet/compliance. If there is no "X" in the matrix box that corresponds to the country and product, then that product is not certified to ship to that country. Please take note of the Country SKU suffix in the column adjacent to your country. You will need this specific SKU suffix to ensure that you order the product with the proper power and channel settings required for each country. If you have any questions regarding this information, please contact your Cisco Account Manager or Cisco Reseller for more information.

Each country has its own set of rules governing the installation and use of RF products. Be aware that these rules may affect which products you use and may require you to obtain a site-specific license.

General Office WLAN Design
- Eight 802.11g access points deployed
- 7 users per access point with no conference rooms provides 3.8 Mbps throughput per user
- 7 users + 1 conference room (10 users) = 17 total users, provides 1.5 Mbps throughput per user

[Figure: office floor plan, 54 cubes and 4 conference rooms, with reception; 120 feet by 95 feet]

In this general office design, 802.11g products with a maximum data rate of 54 Mbps are deployed. Throughput is data rate minus overhead. The throughput is about 50% of the data rate.

WLAN as a Shared Medium: Best Practices
- 2.4-GHz 802.11b bandwidth calculations
  - 25 users per cell; general office maximum users limited by bandwidth
  - Peak true throughput 6.8 Mbps
  - 6.8 Mbps * 1024/25 = 278.5 kbps per user
- 2.4-GHz 802.11g bandwidth calculations
  - 20 users per cell; general office maximum users limited by bandwidth
  - Peak true throughput 32 Mbps
  - 32 Mbps * 1024/20 = 1683 kbps per user
- 5-GHz 802.11a bandwidth calculations
  - 15 users per cell; general office users limited by coverage, not bandwidth
  - 32 Mbps * 1024/15 = 2188 kbps per user

Cisco's WLAN solutions continue to lead the industry in addressing customers' requirements for secure, manageable, and scalable WLANs. Some of the major innovations include:
- Security: delivering wireline-class security by offering the industry's first centralized user authentication and centralized management of encryption keys.
- Performance: offering the most powerful WLAN products to help ensure high data throughput, with better (and more cost-effective) coverage than any other solution on the market.
- A scalable, flexible management architecture in which customers can manage wireless LANs through industry-standard APIs (SNMP, Web) or through major enterprise management applications like Cisco Works 2000, Cisco stack manager, and Cisco resource manager.
- A solution that mitigates the hidden installation and ongoing operation costs of wireless LAN deployments, particularly with regard to power, safety, and RF management issues.

Customers demand standards compliance to guarantee interoperability. In this area, the Wireless Ethernet Compatibility Alliance (WECA) plays a vital role because its Wi-Fi certification guarantees interoperability with other Wi-Fi certified products.

WLAN Security © 2005 Cisco Systems, Inc. All rights reserved.

Why WLAN Security?
Wide availability and low cost of IEEE 802.11 wireless equipment
802.11 standard ease of use and deployment
Availability of sniffers
Statistics on WLAN security
Media hype about hot spots, WLAN hacking, war driving
Nonoptimal implementation of encryption in standard Wired Equivalent Privacy (WEP) encryption
Authentication vulnerability
With the cost of 802.11b systems coming down, it is inevitable that hackers will have a lot more unsecured WLANs to choose from. 802.11b “sniffers” enable network engineers (and hackers) to passively capture data packets so they can be examined to correct system problems. “War driving” is a phrase that describes someone who is using a cellular scanning device looking for cell phone numbers to exploit. Recently, the definition of war driving has been expanded to include someone driving around with their laptop and an 802.11b client card looking for an 802.11b system to exploit. Numerous open source applications have been reported that collect and exploit vulnerabilities in the 802.11 standard security mechanism, WEP. With basic WEP encryption (or obviously with no encryption) enabled, it is possible to collect data and obtain sensitive network information such as user login information, account numbers, personnel records, etc.

WLAN Security Threats
The WLAN security threats are:
War drivers trying to find open access points for free Internet access.
Hackers trying to exploit weak encryption to access sensitive data via the WLAN.
Employees installing access points intended for home use, without the necessary security configuration, on the enterprise network, causing a security risk for the network.

Mitigating the Threats
Control and Integrity: Authentication. Ensure that legitimate clients associate with trusted access points.
Privacy and Confidentiality: Encryption. Protect data as it is transmitted and received.
Protection and Availability: Intrusion Detection System (IDS). Track and mitigate unauthorized access and network attacks.

Evolution of WLAN Security
Initial (1997): Encryption (WEP). No strong authentication; static, breakable keys; not scalable.
Interim (2001): 802.1x EAP. Dynamic keys; improved encryption; user authentication; 802.1x EAP (LEAP, PEAP); RADIUS.
Interim (2003): Wi-Fi Protected Access (WPA). Standardized; improved encryption; strong user authentication (e.g., LEAP, PEAP, EAP-FAST).
Present: Wireless IDS (identification and protection against attacks, DoS) and IEEE 802.11i WPA2 (2004) (AES strong encryption; authentication; dynamic key management).
The figure shows the evolution of wireless LAN (WLAN) security. Initially, IEEE 802.11 security relied on static keys for both encryption and, if used, authentication. The authentication method was not strong and the keys were eventually compromised. Because the keys were administered statically, this method of security was not scalable to large enterprise environments. Cisco introduced enhancements that allowed for the use of IEEE 802.1X authentication protocols and dynamic keys. Cisco also introduced methods to counter the exploitation of the encryption keys. The 802.11 committee began the process of upgrading the security of the WLAN. The Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA) as an interim solution that was a subset of the expected 802.11i security standard for WLANs, using 802.1X authentication and improvements to WEP encryption. Today IEEE 802.11i has been ratified, and Advanced Encryption Standard (AES) has replaced Wired Equivalent Privacy (WEP) as the latest and most secure method of encrypting data. Wireless intrusion detection systems are available to identify and protect the WLAN from attacks. The Wi-Fi Alliance certifies 802.11i devices under Wi-Fi Protected Access 2 (WPA2).

Wireless Client Association
Access points send out beacons announcing SSID, data rates, and other information.
Client scans all channels.
Client listens for beacons and responses from access points.
Client associates to access point with strongest signal.
Client will repeat scan if signal becomes low to reassociate to another access point (roaming).
During association, SSID, MAC address and security settings are sent from the client to the access point and checked by the access point.

WPA and WPA2 Authentication
User authentication is done via the 802.1x protocol.
A supplicant for 802.1x / EAP is needed on the WLAN client.
The access point is the authenticator, which communicates via RADIUS with the AAA server (Cisco ACS).
Lightweight access points communicate with the WLAN controller, which acts as the authenticator.
The client and the authentication server implement the different versions of EAP.
The EAP messages pass through the authenticator.

WPA and WPA2 Encryption
After authentication of the WLAN client, the data is sent encrypted. TKIP and AES are the strong encryption methods which replaced the weak RC4 encryption.

WLAN Security Summary
[Figure: security levels, with the labels WEP Encryption, WPA Passphrase, 802.1x EAP, Mutual Authentication, TKIP Encryption, WPA / WPA2, 802.11i Security.]
We find different requirements for security of WLANs. For open access at hotspots, no encryption with basic authentication is used. For the home user, at least basic security with WPA passphrase or preshared keys is recommended. For enterprises, enhanced security with 802.1x/EAP authentication and TKIP or AES encryption is recommended. This is standardized as WPA / WPA2 and 802.11i security.
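The security level an access point offers is visible in the beacons it sends. As an added example (not part of the original slides), this Python sketch parses beacon frame bodies and labels each network open, WEP, WPA or WPA2 with its cipher and authentication type. The SSIDs, sample frames and function names are constructed for the example; the element IDs and suite numbers are the standard 802.11 / WPA values, not taken from the slides.

```python
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "AES-CCMP", 5: "WEP-104"}   # suite type -> name
AKMS = {1: "802.1X/EAP", 2: "passphrase (PSK)"}

def parse_ies(body):
    """Collect tagged elements after the 12 fixed bytes; stop at a truncated element."""
    ies, pos = {}, 12
    while pos + 2 <= len(body) and pos + 2 + body[pos + 1] <= len(body):
        tag, length = body[pos], body[pos + 1]
        ies.setdefault(tag, []).append(body[pos + 2:pos + 2 + length])
        pos += 2 + length
    return ies

def parse_suites(data):
    """Return [pairwise cipher types, AKM types] from an RSN or WPA element body."""
    pos, lists = 6, []                    # skip version (2) and group cipher suite (4)
    for _ in range(2):                    # pairwise list first, then AKM list
        count = int.from_bytes(data[pos:pos + 2], "little")
        starts = range(pos + 2, pos + 2 + 4 * count, 4)
        lists.append([data[s + 3] for s in starts if s + 3 < len(data)])
        pos += 2 + 4 * count
    return lists

def classify(body):
    """Map one beacon body to (ssid, generation, pairwise ciphers, authentication)."""
    capability = int.from_bytes(body[10:12], "little")
    ies = parse_ies(body)
    ssid = ies.get(0, [b""])[0].decode("utf-8", "replace")
    if not capability & 0x0010:           # Privacy bit clear: data frames are unencrypted
        return ssid, "open", [], []
    rsn = ies.get(48, [None])[0]          # element 48 = RSN (802.11i / WPA2)
    wpa = next((v[4:] for v in ies.get(221, []) if v[:4] == b"\x00\x50\xf2\x01"), None)
    if rsn is None and wpa is None:       # privacy without RSN/WPA element means WEP
        return ssid, "WEP", ["WEP"], ["static key"]
    pairwise, akm = parse_suites(rsn if rsn is not None else wpa)
    return (ssid, "WPA2" if rsn is not None else "WPA",
            [CIPHERS.get(c, "unknown") for c in pairwise], [AKMS.get(a, "unknown") for a in akm])

def beacon(ssid, capability, *ies):       # builds the constructed samples below
    fixed = bytes(8) + (100).to_bytes(2, "little") + capability.to_bytes(2, "little")
    body = fixed + bytes([0, len(ssid)]) + ssid
    return body + b"".join(bytes([tag, len(val)]) + val for tag, val in ies)

RSN = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac01 0000")      # AES-CCMP, 802.1X
WPA = bytes.fromhex("0050f201 0100 0050f202 0100 0050f202 0100 0050f202")  # TKIP, PSK
SAMPLES = [beacon(b"guest-hotspot", 0x0001), beacon(b"legacy-wep", 0x0011),
           beacon(b"home-wpa", 0x0011, (221, WPA)), beacon(b"corp-wpa2", 0x0011, (48, RSN))]

if __name__ == "__main__":
    print(*map(classify, SAMPLES), sep="\n")
```

A beacon cut off before its RSN or WPA element falls back to the WEP label, so results from truncated captures should be treated as unreliable.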

Security Evaluation
Evaluate effectiveness of encrypted WLAN statistics.
Focus on proper planning and implementation.
Estimate potential security threats and the level of security needed.
Evaluate amount of WLAN traffic being sent when selecting security methods.
Evaluate tools and options applicable to WLAN design.
Attackers are more likely to attack unsecured WLANs.
Security for WLAN is just like security for any other network. Network security is a multi-layered solution, which requires common-sense evaluation and implementation. Obvious security fixes should be implemented first, such as limiting administrative access and disabling “open” access. WLAN security is closely tied to the volume of traffic which traverses the network, so use of statistics to evaluate the network’s relative vulnerability is a valuable step towards assessing WLAN security.

Summary
The 2.4-GHz and 5-GHz frequency bands are used by WLAN 802.11 standards.
The throughput per user depends on the data rate and the number of users per wireless cell.
802.11b has data rates of up to 11 Mbps at 2.4 GHz.
802.11a has data rates of up to 54 Mbps at 5 GHz.
802.11g has data rates of up to 54 Mbps at 2.4 GHz.
802.11a has a shorter range than 802.11g.
For maximum efficiency, limit the number of users per cell.
Different WLAN security types with authentication and encryption satisfy the security requirements of enterprise and home users.

WLAN Lab