Monday, 11 July 2011

Wireless Concepts



The two dominant 802 working groups are 802.3 Ethernet and 802.11 wireless LAN. However, there are important differences between the two. WLANs use radio frequencies (RF) instead of cables at the Physical layer and MAC sub-layer of the Data Link layer. WLANs connect clients to the network through a wireless access point (AP) instead of an Ethernet switch. 802.11 prescribes collision-avoidance instead of collision-detection for media access to proactively avoid collisions within the media.

WLANs use a different frame format than wired Ethernet LANs. WLANs require additional information in the Layer 2 header of the frame.

WLANs raise more privacy issues because radio frequencies can reach outside the facility.



Wireless LAN Standards

802.11 wireless LAN is an IEEE standard that defines how radio frequency (RF) in the unlicensed industrial, scientific, and medical (ISM) frequency bands is used for the Physical layer and the MAC sub-layer of wireless links.


802.11a

The IEEE 802.11a adopted the OFDM modulation technique and uses the 5 GHz band.

802.11a devices operating in the 5 GHz band are less likely to experience interference than devices that operate in the 2.4 GHz band because there are fewer consumer devices that use the 5 GHz band. Also, higher frequencies allow for the use of smaller antennas. 

There are some important disadvantages to using the 5 GHz band. The first is that higher frequency radio waves are more easily absorbed by obstacles such as walls, making 802.11a susceptible to poor performance due to obstructions. The second is that this higher frequency band has slightly poorer range than either 802.11b or g.

802.11b and 802.11g

802.11b specified data rates of 1, 2, 5.5, and 11 Mb/s in the 2.4 GHz ISM band using DSSS. 802.11g achieves higher data rates in that band by using the OFDM modulation technique. IEEE 802.11g also specifies the use of DSSS for backward compatibility with IEEE 802.11b systems. DSSS data rates of 1, 2, 5.5, and 11 Mb/s are supported, as are OFDM data rates of 6, 9, 12, 18, 24, 48, and 54 Mb/s.

There are advantages to using the 2.4 GHz band. Devices in the 2.4 GHz band have better range than those in the 5 GHz band. Also, transmissions in this band are not as easily obstructed as those of 802.11a.

There is one important disadvantage to using the 2.4 GHz band. Many consumer devices also use the 2.4 GHz band and cause 802.11b and g devices to be prone to interference.

802.11n

The IEEE 802.11n draft standard is intended to improve WLAN data rates and range without requiring additional power or RF band allocation. 802.11n uses multiple radios and antennae at endpoints, each broadcasting on the same frequency to establish multiple streams. The multiple input/multiple output (MIMO) technology splits a high data-rate stream into multiple lower rate streams and broadcasts them simultaneously over the available radios and antennae. This allows for a theoretical maximum data rate of 248 Mb/s using two streams. 

Wi-Fi Certification 

Wi-Fi certification is provided by the Wi-Fi Alliance (http://www.wi-fi.org), a global, nonprofit, industry trade association devoted to promoting the growth and acceptance of WLANs. Standards ensure interoperability between devices made by different manufacturers. Internationally, the three key organizations influencing WLAN standards are:

  • ITU-R regulates allocation of RF bands.
  • IEEE specifies how RF is modulated to carry information.
  • Wi-Fi ensures that vendors make devices that are interoperable.


Wireless Access Points

An access point connects wireless clients (or stations) to the wired LAN. Client devices do not typically communicate directly with each other; they communicate with the AP. In essence, an access point converts the TCP/IP data packets from their 802.11 frame encapsulation format in the air to the 802.3 Ethernet frame format on the wired Ethernet network.

In an infrastructure network, clients must associate with an access point to obtain network services. Association is the process by which a client joins an 802.11 network.

An access point is a Layer 2 device that functions like an 802.3 Ethernet hub. RF is a shared medium and access points hear all radio traffic. Just as with 802.3 Ethernet, the devices that want to use the medium contend for it.


CSMA/CA

Access points oversee a distributed coordination function (DCF) called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). This simply means that devices on a WLAN must sense the medium for energy (RF stimulation above a certain threshold) and wait until the medium is free before sending. Because all devices are required to do this, the function of coordinating access to the medium is distributed. If an access point receives data from a client station, it sends an acknowledgement to the client that the data has been received. This acknowledgement keeps the client from assuming that a collision occurred and prevents a data retransmission by the client.



Imagine two client stations that both connect to the access point, but are at opposite sides of its reach. If they are at the maximum range to reach the access point, they will not be able to reach each other. So neither of those stations sense the other on the medium, and they may end up transmitting simultaneously. This is known as the hidden node (or station) problem.

One means of resolving the hidden node problem is a CSMA/CA feature called request to send/clear to send (RTS/CTS). RTS/CTS was developed to allow a negotiation between a client and an access point. When RTS/CTS is enabled in a network, access points allocate the medium to the requesting station for as long as is required to complete the transmission. When the transmission is complete, other stations can request the channel in a similar fashion.


Wireless Routers

Wireless routers perform the role of access point, Ethernet switch, and router. For example, the Linksys WRT300N is really three devices in one box. First, there is the wireless access point, which performs the typical functions of an access point. A built-in four-port, full-duplex, 10/100 switch provides connectivity to wired devices. Finally, the router function provides a gateway for connecting to other network infrastructures.



Wireless Operation

A shared service set identifier (SSID) is a unique identifier that client devices use to distinguish between multiple wireless networks in the same vicinity. Several access points on a network can share an SSID.

The IEEE 802.11 standard establishes the channelization scheme for the use of the unlicensed ISM RF bands in WLANs. The 2.4 GHz band is broken down into 11 channels for North America and 13 channels for Europe. These channels have a center frequency separation of only 5 MHz and an overall channel bandwidth (or frequency occupation) of 22 MHz. The 22 MHz channel bandwidth combined with the 5 MHz separation between center frequencies means there is an overlap between successive channels. Best practices for WLANs that require multiple access points are set to use non-overlapping channels. If there are three adjacent access points, use channels 1, 6, and 11. If there are just two, select any two that are five channels apart, such as channels 5 and 10.
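The channel arithmetic above (5 MHz center spacing, 22 MHz occupied bandwidth) is easy to get wrong when more than three access points are being planned, so here is an added example, written for this page and not part of the original post, that derives the non-overlapping set from those two figures and checks an arbitrary AP-to-channel assignment for overlapping neighbours. The center-frequency formula (2407 MHz + 5 MHz per channel) is the standard one for channels 1 to 13; channel 14 is not handled.

```python
CENTER_SPACING_MHZ = 5      # separation between successive channel centers (from the text)
CHANNEL_WIDTH_MHZ = 22      # DSSS channel bandwidth / frequency occupation (from the text)
BASE_MHZ = 2407             # channel n is centered at 2407 + 5*n MHz (standard formula, ch 1..13)


def center_frequency(channel):
    """Center frequency in MHz of a 2.4 GHz channel (1..13; ch 14 is special and not modelled)."""
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} outside 1..13")
    return BASE_MHZ + CENTER_SPACING_MHZ * channel


def channels_overlap(a, b):
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(center_frequency(a) - center_frequency(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_plan(available):
    """Greedy walk through the available channels keeping each one that overlaps none already kept."""
    chosen = []
    for ch in sorted(available):
        if all(not channels_overlap(ch, kept) for kept in chosen):
            chosen.append(ch)
    return chosen


def plan_conflicts(assignments):
    """Return pairs of APs whose channels overlap, e.g. {'AP-A': 1, 'AP-B': 3} -> [('AP-A', 'AP-B')].

    Physical adjacency is not modelled: every AP in the dict is assumed to be within range of every other
    (assumption for this example), which is the conservative check for a small office floor.
    """
    names = sorted(assignments)
    conflicts = []
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if channels_overlap(assignments[first], assignments[second]):
                conflicts.append((first, second))
    return conflicts


if __name__ == "__main__":
    print("North America (1-11):", non_overlapping_plan(range(1, 12)))   # [1, 6, 11]
    print("Europe (1-13):       ", non_overlapping_plan(range(1, 14)))   # still [1, 6, 11]
    print("conflicts:", plan_conflicts({"AP-A": 1, "AP-B": 3, "AP-C": 6}))
```

Running it reproduces the text's advice: channels 1, 6 and 11 are the only three mutually non-overlapping ones, and any two channels five apart (5 and 10, for instance) are clear of each other.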



802.11 Topologies

Wireless LANs can accommodate various network topologies. When describing these topologies, the fundamental building block of the IEEE 802.11 WLAN architecture is the basic service set (BSS). The standard defines a BSS as a group of stations that communicate with each other.


Ad hoc Networks

Wireless networks can operate without access points; this is called an ad hoc topology. Client stations which are configured to operate in ad hoc mode configure the wireless parameters between themselves. The IEEE 802.11 standard refers to an ad hoc network as an independent BSS (IBSS).




Basic Service Sets

Access points provide an infrastructure that adds services and improves the range for clients. A single access point in infrastructure mode manages the wireless parameters and the topology is simply a BSS. The coverage area for both an IBSS and a BSS is the basic service area (BSA).




Extended Service Sets

When a single BSS provides insufficient RF coverage, one or more can be joined through a common distribution system into an extended service set (ESS). In an ESS, one BSS is differentiated from another by the BSS identifier (BSSID), which is the MAC address of the access point serving the BSS.




Common Distribution System

The common distribution system allows multiple access points in an ESS to appear to be a single BSS. An ESS generally includes a common SSID to allow a user to roam from access point to access point.

Cells represent the coverage area provided by a single channel. An ESS should have 10 to 15 percent overlap between cells in an extended service area. With a 15 percent overlap between cells, an SSID, and non-overlapping channels (one cell on channel 1 and the other on channel 6), roaming capability can be created.


Client and Access Point Association

A key part of the 802.11 process is discovering a WLAN and subsequently connecting to it. The primary components of this process are as follows:


  • Beacons - Frames used by the WLAN network to advertise its presence.
  • Probes - Frames used by WLAN clients to find their networks.
  • Authentication - A process which is an artifact from the original 802.11 standard, but still required by the standard.
  • Association - The process for establishing the data link between an access point and a WLAN client.


The primary purpose of the beacon is to allow WLAN clients to learn which networks and access points are available in a given area, thereby allowing them to choose which network and access point to use. Access points may broadcast beacons periodically.



Although beacons may regularly be broadcast by an access point, the frames for probing, authentication, and association are used only during the association (or reassociation) process.


The 802.11 Join Process (Association)

Before an 802.11 client can send data over a WLAN network, it goes through the following three-stage process:




Stage 1 - 802.11 probing

Clients search for a specific network by sending a probe request out on multiple channels. The probe request specifies the network name (SSID) and bit rates. A typical WLAN client is configured with a desired SSID, so probe requests from the WLAN client contain the SSID of the desired WLAN network.

If the WLAN client is simply trying to discover the available WLAN networks, it can send out a probe request with no SSID, and all access points that are configured to respond to this type of query respond. WLANs with the broadcast SSID feature disabled do not respond.




Stage 2 - 802.11 authentication

802.11 was originally developed with two authentication mechanisms. The first one, called open authentication, is fundamentally a NULL authentication where the client says "authenticate me," and the access point responds with "yes." This is the mechanism used in almost all 802.11 deployments.

A second authentication mechanism is referred to as shared key authentication. This technique is based on a Wired Equivalency Protection (WEP) key that is shared between the client and the access point. In this technique, the client sends an authentication request to the access point. The access point then sends a challenge text to the client, who encrypts the message using its shared key, and returns the encrypted text back to the access point. The access point then decrypts the encrypted text using its key and if the decrypted text matches the challenge text, the client and the access point share the same key and the access point authenticates the station. If the messages do not match, the client is not authenticated.


The problem is that the WEP key is normally used to encrypt data during the transmission process. Using this same WEP key in the authentication process provides an attacker with the ability to extract the key by sniffing and comparing the unencrypted challenge text and then the encrypted return message. Once the WEP key is extracted, any encrypted information that is transmitted across the link can be easily decrypted.
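The following added example (written for this page, not code from the original post or from any vendor) simulates the shared-key exchange just described: the access point sends a clear-text challenge, the station returns it encrypted under the shared WEP key, and a passive listener who sees both messages XORs them together. A SHA-256-based toy keystream stands in for WEP's RC4 (an assumption made only so the example runs offline); the leak does not depend on the cipher, because any stream cipher encrypts by XORing plaintext with keystream. What the listener reads off directly is the keystream for the transmitted IV, which is exactly why this mechanism gives away more than open authentication does.

```python
import hashlib
import os

CHALLENGE_LEN = 128   # 802.11 shared-key authentication uses a 128-byte challenge text


def keystream(wep_key, iv, length):
    """Toy keystream standing in for RC4(IV || key) (assumption: SHA-256 in counter mode, demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + wep_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ap_issue_challenge():
    """Step 2 of the exchange: the AP's challenge text goes to the station unencrypted."""
    return os.urandom(CHALLENGE_LEN)


def station_respond(wep_key, challenge):
    """Step 3: the station picks a 24-bit IV (sent in the clear) and returns the encrypted challenge."""
    iv = os.urandom(3)
    return iv, xor_bytes(challenge, keystream(wep_key, iv, len(challenge)))


def ap_verify(wep_key, challenge, iv, ciphertext):
    """Step 4: the AP decrypts with its own copy of the key and compares against the challenge it sent."""
    return xor_bytes(ciphertext, keystream(wep_key, iv, len(ciphertext))) == challenge


def eavesdropper_keystream(challenge, ciphertext):
    """Both messages cross the air unprotected; their XOR is the keystream for that IV, no key needed."""
    return xor_bytes(challenge, ciphertext)


def run_exchange(wep_key):
    challenge = ap_issue_challenge()
    iv, response = station_respond(wep_key, challenge)
    return {
        "authenticated": ap_verify(wep_key, challenge, iv, response),
        "iv": iv,
        "leaked_keystream": eavesdropper_keystream(challenge, response),
    }


if __name__ == "__main__":
    result = run_exchange(b"constructed-demo-key")          # constructed sample key
    print("station authenticated:", result["authenticated"])
    print("keystream bytes a passive listener recovers:", len(result["leaked_keystream"]))
```

The defensive conclusion is the one the text draws: a challenge-response built on the same key and cipher that protect the data leaks keying material on every login, so the mechanism was abandoned in favour of the 802.11i methods described later on this page.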




Stage 3 - 802.11 association

This stage finalizes the security and bit rate options, and establishes the data link between the WLAN client and the access point. As part of this stage, the client learns the BSSID, which is the access point MAC address, and the access point maps a logical port known as the association identifier (AID) to the WLAN client. The AID is equivalent to a port on a switch. The association process allows the infrastructure switch to keep track of frames destined for the WLAN client so that they can be forwarded.

Once a WLAN client has associated with an access point, traffic is now able to travel back and forth between the two devices.


Unauthorized Access


There are three major categories of threat that lead to unauthorized access:


  • War drivers
  • Hackers (Crackers)
  • Employees


"War driving" originally referred to using a scanning device to find cellular phone numbers to exploit. War driving now also means driving around a neighborhood with a laptop and an 802.11b/g client card looking for an unsecured 802.11b/g system to exploit.




Rogue Access Points

A rogue access point is an access point placed on a WLAN that is used to interfere with normal network operation. If a rogue access point is configured with the correct security settings, client data could be captured. A rogue access point also could be configured to provide unauthorized users with information such as the MAC addresses of clients (both wireless and wired), or to capture and disguise data packets or, at worst, to gain access to servers and files. A simple and common version of a rogue access point is one installed by employees without authorization.
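Beacons are the natural place to look for the unauthorized access points described above, and also the frames in which a cloaked SSID shows up as an empty SSID element (see the beacon and probe discussion earlier on this page). The added example below, written for this page and not part of the original post, builds a handful of constructed beacon frames, parses the 802.11 management header and the tagged information elements, and flags any beacon that advertises the corporate SSID from a BSSID outside the authorized list. The element IDs (0 for SSID, 1 for supported rates, 3 for the DS parameter set carrying the channel) and the privacy capability bit are the real 802.11 values; the frames, MAC addresses and SSIDs are constructed sample data.

```python
import struct

IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMETER_SET = 3    # one-byte body: the channel number
CAP_PRIVACY = 0x0010       # capability bit set when the BSS requires WEP/WPA/WPA2


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid, ssid, channel, privacy=True):
    """Construct a minimal beacon frame (constructed sample; no FCS, radiotap or extended rates)."""
    header = (b"\x80\x00"        # frame control: type management (0), subtype beacon (8)
              + b"\x00\x00"      # duration
              + b"\xff" * 6      # addr1: broadcast destination
              + bssid            # addr2: source address
              + bssid            # addr3: BSSID
              + b"\x00\x00")     # sequence control
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit plus optional privacy bit
    fixed = struct.pack("<QHH", 0, 100, capability)         # timestamp, beacon interval (TU), capability
    ies = (bytes([IE_SSID, len(ssid)]) + ssid
           + bytes([IE_SUPPORTED_RATES, 4]) + bytes([0x82, 0x84, 0x8B, 0x96])   # 1, 2, 5.5, 11 Mb/s
           + bytes([IE_DS_PARAMETER_SET, 1, channel]))
    return header + fixed + ies


def parse_beacon(frame):
    """Parse a beacon into a dict, rejecting frames whose IE length bytes run past the frame end."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]
    _timestamp, interval, capability = struct.unpack_from("<QHH", frame, 24)
    ies = {}
    pos = 36
    while pos < len(frame):
        if pos + 2 > len(frame):
            raise ValueError("truncated IE header")
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) != elen:                     # never trust the length byte blindly
            raise ValueError(f"IE {eid} claims {elen} bytes, only {len(body)} present")
        ies[eid] = body
        pos += 2 + elen
    ssid = ies.get(IE_SSID, b"")
    ds = ies.get(IE_DS_PARAMETER_SET, b"")
    return {
        "bssid": mac_to_str(bssid),
        "ssid": ssid.decode("utf-8", "replace"),
        "hidden_ssid": len(ssid) == 0,            # SSID broadcast disabled: zero-length SSID element
        "privacy": bool(capability & CAP_PRIVACY),
        "channel": ds[0] if len(ds) == 1 else None,
        "beacon_interval_tu": interval,
    }


def find_rogue_aps(frames, corporate_ssid, authorized_bssids):
    """Flag beacons that advertise the corporate SSID from a BSSID that is not on the authorized list."""
    rogues = []
    for frame in frames:
        info = parse_beacon(frame)
        if info["ssid"] == corporate_ssid and info["bssid"] not in authorized_bssids:
            rogues.append(info)
    return rogues


# Constructed sample capture: two authorized APs, one rogue on the corporate SSID, a neighbour, a cloaked AP
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
SAMPLE_BEACONS = [
    build_beacon(bytes.fromhex("001122334401"), b"CorpWLAN", 1),
    build_beacon(bytes.fromhex("001122334402"), b"CorpWLAN", 6),
    build_beacon(bytes.fromhex("02aabbccddee"), b"CorpWLAN", 11),               # unauthorized BSSID
    build_beacon(bytes.fromhex("0c1d2e3f4a5b"), b"CoffeeShop", 6, privacy=False),
    build_beacon(bytes.fromhex("00aa11bb22cc"), b"", 11),                      # SSID broadcast disabled
]

if __name__ == "__main__":
    for rogue in find_rogue_aps(SAMPLE_BEACONS, "CorpWLAN", AUTHORIZED):
        print("rogue AP:", rogue)
```

Matching on SSID plus BSSID catches the common case of an employee-installed AP that copies the corporate network name; an AP that copies an authorized BSSID as well would need a radio-side check (signal strength or location) that frame parsing alone cannot provide.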


Man-in-the-Middle Attacks

One of the more sophisticated attacks an unauthorized user can make is called a man-in-the-middle (MITM) attack. Attackers select a host as a target and position themselves logically between the target and the router or gateway of the target. In a wired LAN environment, the attacker needs to be able to physically access the LAN to insert a device logically into the topology.


Radio signals from stations and access points are "hearable" by anyone in a BSS with the proper equipment, such as a laptop with a NIC. Because access points act like Ethernet hubs, each NIC in a BSS hears all the traffic. Each device discards any traffic not addressed to it. Attackers can modify the NIC of their laptop with special software so that it accepts all traffic. With this modification, the attacker can carry out wireless MITM attacks, using the laptop NIC as an access point.

To carry out this attack, a hacker selects a station as a target and uses packet sniffing software, such as Wireshark, to observe the client station connecting to an access point. The hacker might be able to read and copy the target username, server name, client and server IP address, the ID used to compute the response, and the challenge and association response, which are passed in clear text between station and access point.





Denial of Service

802.11b and g WLANs use the unlicensed 2.4 GHz ISM band. This is the same band used by most wireless consumer products, including baby monitors, cordless phones, and microwave ovens. With these devices crowding the RF band, attackers can create noise on all the channels in the band with commonly available devices.


The attacker, using a PC as an access point, can flood the BSS with clear-to-send (CTS) messages, which defeat the CSMA/CA function used by the stations. The access points, in turn, flood the BSS with simultaneous traffic, causing a constant stream of collisions.

Another DoS attack that can be launched in a BSS is when an attacker sends a series of disassociate commands that cause all stations in the BSS to disconnect. When the stations are disconnected, they immediately try to reassociate, which creates a burst of traffic. The attacker sends another disassociate command and the cycle repeats itself.


Wireless Security Protocols

Two types of authentication were introduced with the original 802.11 standard: open and shared WEP key authentication. While open authentication is really "no authentication," (a client requests authentication and the access point grants it), WEP authentication was supposed to provide privacy to a link, making it like a cable connecting a PC to an Ethernet wall-jack. As was mentioned earlier, shared WEP keys proved to be flawed and something better was required. To counteract shared WEP key weakness, the very first approach by companies was to try techniques such as cloaking SSIDs and filtering MAC addresses. These techniques were also too weak.


The flaws with WEP shared key encryption were two-fold. First, the algorithm used to encrypt the data was crackable. Second, scalability was a problem. The 32-bit WEP keys were manually managed, so users entered them by hand, often incorrectly, creating calls to technical support desks.

Following the weakness of WEP-based security, there was a period of interim security measures.  On the way to 802.11i, the TKIP encryption algorithm was created, which was linked to the Wi-Fi Alliance WiFi Protected Access (WPA) security method.

Today, the standard that should be followed in most enterprise networks is the 802.11i standard. This is similar to the Wi-Fi Alliance WPA2 standard. For enterprises, WPA2 includes a connection to a Remote Authentication Dial In User Service (RADIUS) database.






Authenticating to the Wireless LAN

In an open network, such as a home network, association may be all that is required to grant a client access to devices and services on the WLAN. In networks that have stricter security requirements, an additional authentication or login is required to grant clients such access. This login process is managed by the Extensible Authentication Protocol (EAP). EAP is a framework for authenticating network access. IEEE developed the 802.11i standard for WLAN authentication and authorization to use IEEE 802.1x.


The enterprise WLAN authentication process is summarized as follows:


  • The 802.11 association process creates a virtual port for each WLAN client at the access point.
  • The access point blocks all data frames, except for 802.1x-based traffic.
  • The 802.1x frames carry the EAP authentication packets via the access point to a server that maintains authentication credentials. This server is an Authentication, Authorization, and Accounting (AAA) server running a RADIUS protocol. 
  • If the EAP authentication is successful, the AAA server sends an EAP success message to the access point, which then allows data traffic from the WLAN client to pass through the virtual port.
  • Before opening the virtual port, data link encryption between the WLAN client and the access point is established to ensure that no other WLAN client can access the port that has been established for a given authenticated client. 
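The five steps above describe a port-based state machine at the access point, and the added example below (written for this page, not code from any vendor or from the original post) models it: association creates a per-client virtual port that drops everything except 802.1X frames, the access point relays the EAP credentials to a stand-in for the AAA/RADIUS server, and only after an EAP success and key installation does the port start forwarding data. The `AaaServer` with a single shared-secret EAP method, the frame dictionaries, the client MAC addresses and the credentials are all assumptions made to keep the example self-contained; a real deployment uses RADIUS over the wired network and an EAP method such as the ones the text mentions by framework only.

```python
import hmac
from enum import Enum


class PortState(Enum):
    UNAUTHORIZED = 1   # created by association; only 802.1X (EAPOL) frames pass
    AUTHORIZED = 2     # EAP success received and link keys installed; data frames pass


class AaaServer:
    """Stand-in for the RADIUS server holding the credentials (assumption: one shared-secret EAP method)."""

    def __init__(self, credentials):
        self._creds = dict(credentials)

    def eap_authenticate(self, identity, secret):
        expected = self._creds.get(identity)
        return expected is not None and hmac.compare_digest(expected, secret)


class VirtualPort:
    def __init__(self, client_mac):
        self.client_mac = client_mac
        self.state = PortState.UNAUTHORIZED
        self.keyed = False                 # data-link encryption keys installed for this client


class AccessPoint:
    """Authenticator role: one controlled port per associated client, AAA consulted for every EAP exchange."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.ports = {}
        self.forwarded = []                # data frames passed through to the wired side
        self.dropped = []

    def associate(self, client_mac):
        # Step 1: association creates the virtual port, blocked for everything except 802.1X
        self.ports[client_mac] = VirtualPort(client_mac)

    def receive(self, client_mac, frame):
        port = self.ports[client_mac]
        if frame["type"] == "eapol":
            # Step 3: relay the EAP credentials to the AAA server
            ok = self.aaa.eap_authenticate(frame["identity"], frame["secret"])
            if ok:
                port.keyed = True                      # Step 5: keys established before the port opens
                port.state = PortState.AUTHORIZED      # Step 4: EAP success opens the virtual port
            else:
                port.keyed = False
                port.state = PortState.UNAUTHORIZED
            return "eap-success" if ok else "eap-failure"
        # Step 2: every non-802.1X frame is dropped until the port is authorized and keyed
        if port.state is PortState.AUTHORIZED and port.keyed:
            self.forwarded.append((client_mac, frame["payload"]))
            return "forwarded"
        self.dropped.append((client_mac, frame["payload"]))
        return "dropped"


def demo():
    """Constructed walk-through: wrong secret keeps the port closed, right secret opens it for that client only."""
    ap = AccessPoint(AaaServer({"alice": b"constructed-secret"}))
    ap.associate("aa:bb:cc:dd:ee:01")
    ap.associate("aa:bb:cc:dd:ee:02")
    outcomes = [
        ap.receive("aa:bb:cc:dd:ee:01", {"type": "data", "payload": "GET / before auth"}),
        ap.receive("aa:bb:cc:dd:ee:01", {"type": "eapol", "identity": "alice", "secret": b"wrong"}),
        ap.receive("aa:bb:cc:dd:ee:01", {"type": "data", "payload": "GET / after failure"}),
        ap.receive("aa:bb:cc:dd:ee:01", {"type": "eapol", "identity": "alice", "secret": b"constructed-secret"}),
        ap.receive("aa:bb:cc:dd:ee:01", {"type": "data", "payload": "GET / after success"}),
        ap.receive("aa:bb:cc:dd:ee:02", {"type": "data", "payload": "GET / from other client"}),
    ]
    return ap, outcomes


if __name__ == "__main__":
    _, outcomes = demo()
    print(outcomes)   # ['dropped', 'eap-failure', 'dropped', 'eap-success', 'forwarded', 'dropped']
```

The last step of the walk-through is the point of the per-client port: the second station shares the same access point and SSID but has not authenticated, so its data is still blocked even after the first station's port has opened.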






Before 802.11i (WPA2) or even WPA were in use, some companies tried to secure their WLANs by filtering MAC addresses and not broadcasting SSIDs. Today, it is easy to use software to modify MAC addresses attached to adapters, so the MAC address filtering is easily fooled.

Even if an SSID is not broadcast by an access point, the traffic that passes back and forth between the client and access point eventually reveals the SSID. If an attacker is passively monitoring the RF band, the SSID can be sniffed in one of these transactions, because it is sent in clear text. The ease of discovering SSIDs has led some people to leave SSID broadcasting turned on.


Encryption

Two enterprise-level encryption mechanisms specified by 802.11i are certified as WPA and WPA2 by the Wi-Fi Alliance: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).

TKIP is the encryption method certified as WPA. It provides support for legacy WLAN equipment by addressing the original flaws associated with the 802.11 WEP encryption method. It makes use of the original encryption algorithm used by WEP.

TKIP has two primary functions:


  • It encrypts the Layer 2 payload
  • It carries out a message integrity check (MIC) in the encrypted packet. This helps ensure against a message being tampered with.


Although TKIP addresses all the known weaknesses of WEP, the AES encryption of WPA2 is the preferred method. AES has the same functions as TKIP, but it uses additional data from the MAC header that allows destination hosts to recognize if the non-encrypted bits have been tampered with. It also adds a sequence number to the encrypted data header.


When you configure Linksys access points or wireless routers, such as the WRT300N, you may not see WPA or WPA2; instead, you may see references to something called pre-shared key (PSK). Various types of PSKs are as follows:


  • PSK or PSK2 with TKIP is the same as WPA
  • PSK or PSK2 with AES is the same as WPA2
  • PSK2, without an encryption method specified, is the same as WPA2

