Wireless Networking
WiFi 802.11b/g/a
Bluetooth
3G PCS
802.11s Mesh
WiFi 802.11b/g/a
1. Introduction
2. RF Bands
3. 802.11b
4. WLAN IN-BUILDING
5. WLAN BUILDING-BUILDING
6. Equipment
7. Site Survey
8. Security
9. Future
INTRODUCTION
What is a Wireless LAN?
[Figure: the Internet feeds a wired Ethernet hub/switch offering 10/100 Mbps shared bandwidth (CSMA/CD); an Ethernet link to an Access Point offers 11 Mbps shared bandwidth (CSMA/CA) over the air]
WLAN Product Categories
Two Different Implementations of Wireless LAN Technology
• In-Building WLANs: mobile user connectivity
• Building-to-Building WLANs: wireless bridging, LAN-to-LAN connectivity
Ethernet Technologies: Ethernet Everywhere
• 10/100 Ethernet
• Layer 3 Switched Ethernet
• Gigabit Ethernet
• Wireless Ethernet
• Long-Reach Ethernet
Solutions and Building Blocks
High-Speed Access Anywhere, Anytime
[Figure: environments served by wireless switches with security access: At Home, On the Road, At Work, At School]
Local Area Network (LAN)
[Figure: hub, server, switch and Internet on the wired LAN; an Access Point and a Work Group Bridge extend it wirelessly]
Wireless LAN (WLAN) as an extension to wired LAN
Typical WLAN Topologies
[Figure: two Access Points on a LAN backbone, each serving a wireless “cell” of wireless clients, one on Channel 1 and the other on Channel 6]
Wireless Repeater Topology
[Figure: an Access Point on the LAN backbone (Channel 1) serves wireless clients; a second Access Point, also on Channel 1 and with no wired connection, forms a wireless repeater “cell”]
Work Group Bridge Application
[Figure: a server on the wired LAN behind an Access Point; a Work Group Bridge (WGB) attaches a hub of wired devices to the Access Point over the air]
RF BANDS
ISM Unlicensed Frequency Bands
[Figure: spectrum chart running from Extremely Low through Very Low, Low, Medium, High, Very High, Ultra High and Super High frequencies up to Infrared, Visible Light, Ultra-violet and X-Rays, with Audio, AM Broadcast, Short Wave Radio, FM Broadcast, Television, Cellular (840 MHz), NPCS (1.9 GHz) and Infrared wireless LAN marked; the unlicensed ISM bands are 902–928 MHz (26 MHz), 2.4–2.4835 GHz (83.5 MHz, IEEE 802.11) and 5 GHz (IEEE 802.11, HyperLAN/HyperLAN2)]
900 MHz vs. 2.4 GHz vs. 5 GHz
900 MHz band
• PROs: greater range than 2.4 GHz band (for in-building LANs)
• CONs: maximum data rate 1 Mbps; limited bandwidth; large antenna required
2.4 GHz band
• PROs: global market; IEEE 802.11; higher data rates (10+ Mbps)
• CONs: less range than 900 MHz (for in-building LANs); crowded band
5 GHz band
• PROs: global market; IEEE 802.11; higher data rates (20+ Mbps)
• CONs: much less range than 900 MHz or 2.4 GHz; higher cost RF components
What Is Spread Spectrum RF Technology?
• Data sent over the air waves
• Two-way radio communications (half duplex)
• Cisco designs and manufactures its own radios
• Same radio frequency for sending & receiving (transceiver)
• No licensing required for Cisco Aironet Wireless products
802.11b
IEEE 802.11 Standard
IEEE 802.11 became a standard in July 1997
• Infrared
• RF
Two RF technologies defined:
• Direct sequence spread spectrum - 1 Mbps and 2 Mbps
• Frequency hopping spread spectrum - 1 Mbps and 2 Mbps
IEEE 802.11b became a standard in September 1999
• Only one RF technology defined: DSSS at 5.5 Mbps and 11 Mbps
802.11 defines a high-performance radio
802.11 promises “true” vendor interoperability (over the air)
Interoperability
• 802.11 covers RF connectivity, association processes, and modulation schemes
• Does not cover AP-to-AP connectivity over the wired network, roaming, load balancing, or repeaters
• These features are vendor specific and proprietary
• Choose a single vendor for the wireless backbone
Cisco Radio Technology
Direct Sequence Spread Spectrum (DSSS)
• 2.4 GHz
• One piece PCMCIA radio product
• 1, 2, 5.5 and 11 Mbps
• Fully 802.11 compliant at all speeds
Spread Spectrum Approaches
Both technologies are viable.
[Figure: power vs. frequency vs. time across 2.402–2.483 GHz for Direct Sequence (one 22 MHz wide channel) and Frequency Hopping (narrow hops moving over time); power axis from 1 mW/MHz to 100 mW/MHz, time axis from 1 ms to 1 sec; in each case part of the band is not used]
Channels - 802.11 DS
• 11 stationary channels, each 22 MHz wide
• X “chips per bit” means each bit is sent redundantly
• 11 Mbps data rate
• 3 non-overlapping channels
• 3 Access Points can occupy the same area
[Figure: the 11 DS channels laid out between 2.400 GHz and 2.483 GHz (channel 6 centred on 2437 MHz); a second panel shows Frequency Hopping stepping through channels 1–9 over time]
Frequency Hopping
• A total of 79 channels available
• Changes frequency (hops) at least every 0.4 seconds
• Synchronized hopping required
DS vs. FH: A Summary on Interference Handling
• FH system hops around interference
• Lost packets are re-transmitted on the next hop
• Data may be decoded from redundant bits
• Can move to an alternate channel to avoid interference
[Figure: across 2.400–2.4835 GHz, Direct Sequence sits on fixed Channels 1, 6 and 11 while Frequency Hopping moves through the band over time]
Access Point Coverage
[Figure: concentric coverage rings around an Access Point: 11 Mbps DSSS innermost, then 5.5 Mbps, 2 Mbps and 1 Mbps DSSS outermost]
Modulation Profiles
• 1 Mbps: DBPSK (Differential Binary Phase Shift Keying)
• 2 Mbps: DQPSK (Differential Quadrature Phase Shift Keying)
• 5.5 Mbps: CCK (Complementary Code Keying)
• 11 Mbps: CCK (Complementary Code Keying)
Higher data rates use less reliable modulation profiles and require stronger received signal strength to operate properly: a tradeoff between speed and reliability.
Minimal required signal strength for Aironet 350:
• 1 Mbps: -94 dBm
• 2 Mbps: -91 dBm
• 5.5 Mbps: -89 dBm
• 11 Mbps: -85 dBm
Scalability With Direct Sequence
[Figure: three overlapping cells on different channels (blue, green and red), each carrying 11 Mb, for a total bandwidth of 33 Mb]
Channel Setup
Site Survey Channel Example
[Figure: a grid of Access Point cells assigned Channel 1, Channel 6 and Channel 11 in a repeating pattern]
Access Point Coverage & Data Rate Shifting Review
[Figure: coverage rings at 1 Mbps, 2 Mbps, 5.5 Mbps and 11 Mbps DSSS around each Access Point]
Site Survey Bandwidth Example
Multi-rate Implementation
[Figure: clients spread across the cell connected at 2 Mbps, 5.5 Mbps and 11 Mbps]
Cell Size Comparison: 350 (100 mW)
100 milli-Watt client and Access Point range capabilities:
• 11 Mbps DSSS: 100–150 feet radius
• 5.5 Mbps DSSS: 150–250 feet radius
• 2 Mbps DSSS: 250–350 feet radius
WLAN IN-BUILDING
Scalability Requirements for WLANs
• Robust roaming for seamless handoff between access points
• Centralized user-based authentication
• Dynamic WEP key distribution and management
• Subnet roaming
• Client support for all popular operating systems
WLAN Topologies
• Multiple AP’s with roaming
• Redundant WLAN
• Wireless Repeaters
Rate Shifting
• Survey performed at each data rate
• Coverage cell for each rate mapped
• Higher rates – shift to proper areas
• Lower rates – overlap and frequency
[Figure: a grid of cells, each showing its 11 Mbps, 5.5 Mbps and 2 Mbps coverage rings]
Wireless Office
• Maximum coverage
• Auto rate negotiation
• Wireless mobile workers
• Dipole antennas
• AP’s on isolated LAN with PIX
[Figure: 2000’ x 850’ floor plan with Offices 1–11, Class 1, a Hallway, a Conference Room and a Break Room; Access Points assigned Channels 1, 6 and 11]
Indoor/Outdoor Coverage
• Maximum coverage
• Auto rate negotiation
• Wireless for mobile workers
• Dipole antennas indoor, patch antennas outdoor
• AP’s on isolated LAN with PIX
[Figure: 1000’ x 850’ floor plan with Offices 1–4, a Hallway, a Conference Room and a Break Room, plus a 1000’ Building Courtyard; Access Points assigned Channels 1, 6 and 11]
Warehouse Design Sample
• Maximum coverage
• Auto rate negotiation
• Cabling available to middle of room
• High gain mast mount antennas
[Figure: 2000’ x 850’ warehouse floor with Access Points assigned Channels 1, 6 and 11]
WLAN BUILDING-TO-BUILDING
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Determine the feasibility of installing a wireless bridge link.
• Explain why a wireless bridge may be a better solution than other alternatives.
• Determine the maximum distance that can be achieved using wireless bridges with given antennas and extension cables.
• Protect a wireless bridge installation against a lightning strike.
Bridging Defined
Wireless Bridge Alternatives
Medium and drawbacks:
• Phone lines: monthly costs; installation costs (56K, T1); slow
• Cable: extra equipment needed; inflexible; physical barriers may preclude; difficult installation; installation costs
• Microwave: high cost; FCC licensing required
Point-to-Point Configuration
[Figure: Building A and Building B, each with an Ethernet bridge and an optional antenna, linked over 0 to 25 miles (line of sight)]
Point-to-Multipoint Configuration
[Figure: Building A with an omni-directional antenna serving Building B and Building C, each with an Ethernet bridge and a directional antenna]
Optional Antennas for Long Range
• 13.5 dBi Yagi: distances over 6.5 miles @ 2 Mbps and 2 miles @ 11 Mbps
• 21 dBi Solid Dish: for distances up to 25+ miles @ 2 Mbps and 11.5 miles @ 11 Mbps
Note: Distances include 50 feet of low loss cable and 10 dB fade margin
Common Questions: 340 Wireless Bridge
How fast?
• Max data rate 11 Mbps: typical throughput 5.5 Mbps
• Max data rate 2 Mbps: typical throughput 1.4 Mbps
How far? (at max rate)
• Yagi antenna: 2 miles at 11 Mbps, 6.5 miles at 2 Mbps
• Dish antenna: 11.5+ miles at 11 Mbps, 25+ miles at 2 Mbps
Bridge Application: School District
• Richardson Elementary: Yagi
• Lincoln Elementary: Yagi
• Bode Elementary: Yagi
• Price Elementary: Yagi
• Dewitt Elementary: Yagi
• Bolich Middle School: Yagi
• Roberts Middle School: Dish
• Weaver Special Education: Dish
• High School: 2 bridges, one 12 dB omni and one dish
• Administration: 2 bridges, one 12 dB omni and one Yagi
[Figure: district map with a University site; links run on Channel #1, Channel #6 and Channel #11]
Lightning
[Figure: Ethernet bridge and antenna exposed to lightning]
Static electricity:
• Wind
• Nearby strikes
Path Loss Considerations
How far will it go? 22 miles?
Calculations of Coverage Performance
[Figure: two sites 13 miles apart, with a coax length of 150 ft at one end and 100 ft at the other; the customer wants an 11 Mb data rate; towers are needed to clear trees and other buildings]
Line of Sight
The following obstructions might obscure a visual link:
• Topographic features, such as mountains
• The curvature of the Earth
• Buildings and other man-made objects
• Trees
Line of sight!
Longer Distances
Line of sight disappears at 6 miles due to the curvature of the earth
Fresnel Zone
[Figure: the Fresnel zone, an ellipsoid around the direct path between the two antennas]
Improving Fresnel Effect
Improve the Fresnel effect:
• Raise the antenna: new structure, existing structure, or a different mounting point
• Remove trees
[Figure: over the total distance between the sites, the values shown are the Fresnel clearance @ 60% (value “F”), the earth curvature (value “C”) and the antenna height (value “H”)]
Site to Site Fresnel Zone
Antenna height:
• Fresnel zone consideration
• Line-of-Sight over 25 miles hard to implement
Antenna Alignment
[Figure: directional antennas aligned along the line of sight between the two sites]
Antenna Installation
Towers and antennas may require permits and must meet local regulations.
EQUIPMENT
Cisco Aironet 1200 Series Access Points – other features
• Wi-Fi certified, 11 Mbps data rate
• Up to 100 mW output power
• Aluminum case for plenum rating; UL 2043 certified; extended operating temperature (-20 to 55 C)
• 2 separate locking mechanisms
Cisco Aironet 350 Series Access Points
• Same great features of 1200 series in a static platform
• Affordable cost point to meet all budget requirements
• Reliable interoperability with 1200 series 802.11b solutions
• Software upgrade path for future software enhancements
• Dynamic WEP Security
Cisco Aironet 350 Client Adapters
• PCMCIA card for laptops and PDAs
• PCI adapter for desktops
• Mini-PCI for embedded applications
Driver support:
• Windows 95, 98, Me, NT 4.0, 2000, XP
• Windows CE 2.11, 3.0 (Pocket PC)
• Linux
• Mac OS 9, X
Utilities include user configuration and a site survey tool for simple installation and upgrade
Workgroup Bridge
350 Series Wireless Bridge
• Building-to-building links of up to 25 miles (40.2 km)
• Flexibility: point-to-point and point-to-multipoint
• Metal case for durability and plenum rating; UL 2043 certified
• In-line power; simplified installation tools; industry-leading receive sensitivity
• Management capabilities: SNMP, Telnet, FTP, HTML; 802.1d spanning tree
Aironet 1200 Ethernet In-Line Power
• Aironet 350 uses Ethernet in-line power ONLY
• Eliminates need for local power and AC infrastructure cost
• Draws in-line power from edge devices (-48 Volts)
• Catalyst power switches support device discovery mode
Ethernet in-line power sources:
• Catalyst 3524 Power Switch
• Catalyst 6000 Power Blade
• Catalyst 4000 Power Blade
• 48 Port Power Patch Panel
• Aironet Power Injector
[Figure: powered and unpowered Ethernet ports feeding the Access Point]
Cisco Aironet Antennas
Directional:
• Patch
• Yagi
• Dish
Omni-directional:
• Dipole
• Mast mount
• Ceiling mount
• Ground plane
2.4 GHz Omni-Directional Antennas
• 2.2 dBi Dipole “Standard Rubber Duck”, Cisco Aironet Part # AIR-ANT4941
• 12 dBi Omni-Directional (outdoor only), Cisco Aironet Part # AIR-ANT4121
2.4 GHz Directional Antennas
• 3 dBi Patch Antenna, 65 degree, Cisco Aironet Part # AIR-ANT3195
• 13.5 dBi Yagi Antenna, 25 degree, Cisco Aironet Part # AIR-ANT1949
• 21 dBi Parabolic Dish Antenna, 12 degree, Cisco Part # AIR-ANT3338
Beam Mounting
• Zip ties
• 2x4 secured with beam clamps
• Mounting bracket secured with beam clamps
• Mount antennas in the same position in which they were surveyed
Antenna Mounting
• Some antennae are not shipped with mounting brackets
• Modify brackets to fit your needs
• Modified brackets can be used with a variety of antennae
• Be creative
[Figure: ceiling mount, mast mount and patch antenna examples]
• Sometimes antennae are mounted in unusual ways
• Specify in your report exactly how the antenna is to be mounted
NEMA Enclosures
• Mounting plate with standoffs
• Bulkhead Extender (Part # AIR-ACC2537-018 [18 inch], AIR-ACC2537-060 [60 inch])
• External antenna connector
• Electrical workbox
SITE SURVEY
Lab 2B – ACU Site Survey (cont’d)
RF Propagation
• Radio waves are reflected just like light waves
• Can reduce the reflected waves by using directional antennae
• Waves 180° out of phase will create a “null” or dead spot
• Use diversity antennae to help overcome nulls
• When using a single antenna, change the antenna location to overcome the null
• If the RF wave is unable to pass through an object, it may suffer from diffraction
• Diffraction creates RF “shadows”
[Figures: nulls where reflected waves cancel; an RF shadow behind an obstruction]
Site Survey
Channel Selection
[Figure: six Access Points and their channels: AP1 Channel 1, AP2 Channel 6, AP3 Channel 11, AP4 Channel 1, AP5 Channel 6, AP6 Channel 11]
Data Rates
[Figure: the same area surveyed at 2 Mb and at 5.5 Mb]
Interference (cont’d)
• Cardboard, wood, paper
• Electrical transformers
• Microwave ovens
• Fluorescent lighting
• Firewalls
Why would I want a Site Survey?
Customer Assistance
[Figure: the questions a survey answers for the customer: How many? Where? Throughput? RF WLAN coverage of the site, drawn along “Wired Ave.” and “Wireless Blvd.”]
SECURITY
Older Security Methods
Older forms of security on WLANs:
• SSID
• Authentication controlled by MAC address
802.11 Security
WEP (Wired Equivalent Privacy)
• 40 bit keys
• 128 bit keys
• Part of the association process
• WEP uses the RC4 stream cipher of RSA Data Security, Inc. (RSADSI) for encryption.
802.11 Open Authentication
Steps to authentication:
1. Client sends probe.
2. AP sends Probe Response. Client evaluates AP response, selects best AP.
3. Client sends authentication request to selected AP (A).
4. AP A confirms authentication and registers client.
[Figure: a client choosing between Access Point A and Access Point B]
802.11 Shared Key Authentication
Steps to authentication:
Steps 1 - 3 are the same as Open Authentication.
4. AP A confirms authentication and sends an unencrypted test packet.
5. Client encrypts the packet and returns it to the AP. AP checks the encryption against its WEP key.
6. A client with the correct WEP key is allowed on the network; a client with an incorrect WEP key is not allowed to associate.
[Figure: a client authenticating to Access Point A, with Access Point B also in range]
Configuring WEP Keys (cont.)
[Figure: client and AP hold the same key table, Key1=1234……, Key2=5678……, Key3=9012……, Key4=3456……; each frame’s header names the key in use (e.g. “Use Key3”), the data is encrypted using that key, and a trailer follows]
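An added Python example (not from the slides or any Cisco product) showing the mechanics behind the two preceding slides: a four-entry WEP key table, the frame layout with the key index carried in the header (3-byte IV, key ID byte, RC4-encrypted data followed by a CRC-32 ICV trailer), and the shared key challenge/response of steps 4 to 6. The 40-bit key values, IVs and challenge text are constructed; note that only the client proves anything, the AP never proves knowledge of the key to the client, which is the one-way authentication a later slide lists as an issue.

```python
import os
import struct
import zlib

# Constructed 40-bit key table in the spirit of the slide's Key1=1234..., Key2=5678...
KEYS = [bytes.fromhex(k) for k in ("1234567890", "5678901234", "9012345678", "3456789012")]
WRONG_KEYS = [bytes(5) for _ in range(4)]    # a client configured with the wrong keys


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA), the stream cipher WEP uses; XOR makes it its own inverse."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encapsulate(key_table, key_id: int, payload: bytes, iv=None) -> bytes:
    """Header: 3-byte IV + key ID byte (index in bits 6-7, the slide's "Use Key3").
    Data: RC4(IV || key[key_id]) applied to payload || ICV; the ICV is the trailer."""
    if not 0 <= key_id < 4:
        raise ValueError("WEP key index must be 0..3")
    iv = os.urandom(3) if iv is None else iv
    body = rc4(iv + key_table[key_id], payload + icv(payload))
    return iv + bytes([key_id << 6]) + body


def wep_decapsulate(key_table, frame: bytes):
    """Select the key the header names, decrypt, then verify the ICV.
    Returns the payload, or None when the key or the data does not check out."""
    if len(frame) < 8:
        return None
    iv, key_id, body = frame[:3], (frame[3] >> 6) & 0x3, frame[4:]
    plain = rc4(iv + key_table[key_id], body)
    payload, trailer = plain[:-4], plain[-4:]
    return payload if icv(payload) == trailer else None


def shared_key_authentication(ap_keys, client_keys, client_key_id: int = 0) -> bool:
    """Steps 4-6 of the shared key exchange as the slide describes them."""
    challenge = os.urandom(128)                         # 4) AP sends an unencrypted test packet
    reply = wep_encapsulate(client_keys, client_key_id, challenge)   # 5) client encrypts it
    return wep_decapsulate(ap_keys, reply) == challenge  # 6) AP checks against its own WEP key


if __name__ == "__main__":
    print("matching keys  :", shared_key_authentication(KEYS, KEYS, client_key_id=2))
    print("mismatched keys:", shared_key_authentication(KEYS, WRONG_KEYS))
```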
802.11 Security Issues
SSID (Service Set Identifier)
• 32 ASCII character string
• Under 802.11, any client with a ‘NULL’ string will associate to any AP regardless of the SSID setting on the AP
• This should not be considered a security feature
802.11 Security Issues (cont.)
• Assumes threat is “outside” the LAN
• Hardware theft
• Rogue APs
• Authentication is one-way
• No way to dynamically generate keys
• No integration with existing network authentication methods on the LAN
• Keys are static
• Authentication is device-based
• No method for account auditing
802.1x
802.1x is an IEEE standard in progress for Port Based Network Access Control
• EAP
• Improved user authentication: username and password
• Dynamic, session-based encryption keys
• Centralized user administration
802.1x advantages for WLANs
Extensible authentication support:
• EAP designed to allow additional authentication methods to be deployed with no changes to the AP or client NIC
• Password authentication
• One-Time Passwords
• Smartcard authentication and Security Dynamics
EAP and LEAP
Operating systems with native EAP support:
• Windows 2000, CE
Cisco LEAP authentication type:
• Legacy operating systems
• Quick support on a multitude of host systems
• Implementation reduces support requirements on host systems
Improved Security (cont.): Session Keys
802.1X Protocol in WLAN Environment
1) User requests access. AP prevents network access.
2) Encrypted credentials sent to authentication server.
3) Authentication server validates user, grants access rights.
4) AP port enabled and dynamic WEP keys are assigned to client (encrypted).
5) Wireless client can now access general network services securely.
[Figure: wireless client, Access Point and authentication server, with other network servers and services behind the AP; steps 1 to 5 marked, step 4 delivering the encrypted WEP key]
• Very scalable
• Supports a variety of authentication types (EAP-TLS, EAP-LEAP, biometrics, etc.)
• Standards based solution
• Centralized policy control
• Strong authentication
• Transparent roaming
• Better multicast capability
802.1x Authentication Process
Message sequence between client, AP and RADIUS server; the AP blocks all requests until authentication completes:
• Client to AP: Start
• AP to client: Request identity
• Client to AP, relayed to RADIUS server: identity
• RADIUS server authenticates client
• Client authenticates RADIUS server
• Client and RADIUS server each derive the key
• Key length
• AP sends client the broadcast key, encrypted with the session key
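An added Python simulation (not from the slides, and not Cisco's LEAP or any real EAP method) of the message sequence just listed: the AP keeps its port blocked and only relays messages, the RADIUS server and the client authenticate each other with an HMAC challenge/response on a password the AP never sees, both ends derive a fresh per-session key, and the AP delivers the broadcast key to the client encrypted under that session key. The identities, passwords, nonces and broadcast key value are constructed; the HMAC-based method and the keystream wrap are simplifications standing in for EAP and for WEP encryption of the key.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 keyed derivation for proofs and keys (simplified stand-in for EAP)."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        mac.update(part)
    return mac.digest()


def wrap_key(session_key: bytes, nonce: bytes, key_material: bytes) -> bytes:
    """XOR the broadcast key (up to 32 bytes) with a keystream derived from the
    session key; the same call un-wraps it. Stands in for the slide's WEP-encrypted
    key delivery."""
    stream = prf(session_key, b"broadcast-key-wrap", nonce)
    return bytes(a ^ b for a, b in zip(key_material, stream))


class RadiusServer:
    # Holds the user database: besides the client, the only party with the password.
    def __init__(self, users: dict):
        self.users = users                              # identity -> password bytes
        self.nonce = b""

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def check_client(self, identity: str, client_nonce: bytes, proof: bytes):
        """(server_proof, session_key) on Access-Accept, None on Access-Reject."""
        password = self.users.get(identity)
        if password is None:
            return None
        expected = prf(password, b"client-auth", self.nonce, client_nonce)
        if not hmac.compare_digest(expected, proof):
            return None
        server_proof = prf(password, b"server-auth", client_nonce, self.nonce)
        session_key = prf(password, b"session-key", self.nonce, client_nonce)
        return server_proof, session_key                # key reaches the AP in the Accept


class Client:
    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password
        self.nonce = self.server_nonce = b""
        self.session_key = self.broadcast_key = None

    def respond(self, server_nonce: bytes):
        """Prove knowledge of the password without ever sending it."""
        self.server_nonce, self.nonce = server_nonce, os.urandom(16)
        return self.nonce, prf(self.password, b"client-auth", server_nonce, self.nonce)

    def check_server(self, server_proof: bytes) -> bool:
        """Mutual authentication: a server without the password cannot produce this."""
        expected = prf(self.password, b"server-auth", self.nonce, self.server_nonce)
        if not hmac.compare_digest(expected, server_proof):
            return False
        self.session_key = prf(self.password, b"session-key", self.server_nonce, self.nonce)
        return True


class AccessPoint:
    def __init__(self, radius: RadiusServer, broadcast_key: bytes):
        self.radius, self.broadcast_key = radius, broadcast_key
        self.port_open = {}                             # identity -> controlled-port state

    def authenticate(self, client: Client) -> dict:
        self.port_open[client.identity] = False         # Start / Request identity: blocked
        client_nonce, proof = client.respond(self.radius.challenge())   # AP only relays
        result = self.radius.check_client(client.identity, client_nonce, proof)
        if result is None:
            return {"port_open": False, "reason": "Access-Reject"}
        server_proof, session_key = result
        if not client.check_server(server_proof):       # client authenticates RADIUS
            return {"port_open": False, "reason": "server proof rejected"}
        self.port_open[client.identity] = True          # AP port enabled
        nonce = os.urandom(16)                          # fresh wrap nonce per delivery
        wrapped = wrap_key(session_key, nonce, self.broadcast_key)
        client.broadcast_key = wrap_key(client.session_key, nonce, wrapped)
        return {"port_open": True, "reason": "Access-Accept",
                "key_length": len(self.broadcast_key)}


def run_demo() -> dict:
    """Constructed scenario: one valid user (two sessions) and one unknown user."""
    radius = RadiusServer({"alice": b"correct-horse-battery"})
    ap = AccessPoint(radius, bytes.fromhex("0102030405060708090a0b0c0d"))
    alice = Client("alice", b"correct-horse-battery")
    first = ap.authenticate(alice)
    key1 = alice.session_key
    second = ap.authenticate(alice)
    return {"alice_open": first["port_open"] and second["port_open"],
            "alice_has_broadcast_key": alice.broadcast_key == ap.broadcast_key,
            "keys_differ_per_session": key1 != alice.session_key,
            "bob_open": ap.authenticate(Client("bob", b"whatever"))["port_open"]}
```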
Comparison between Aironet Dynamic WEP and VPN solutions in intranets
VPN Solution:
• 3DES, end-to-end security
• Somewhat less scalable
• More expensive
• Works with Aironet solution
• No mobility between VPN Concentrators; roaming latency
• Loss of QoS insight
Aironet Dynamic WEP & Enhanced Security Suite:
• Encryption only between client and AP
• Highly scalable
• Less expensive
• Seamless mobility between profiles and locations
• End-to-end QoS integration
[Figure: Access Point on the local network, a VLAN, a VPN Server, an ACS RADIUS Server, the Enterprise Intranet and Application Servers; a secure VPN connection (VPN at the office) alongside Aironet Dynamic WEP at the office]
Cisco offers BOTH solutions!
Cisco Wireless Security Suite
• No Security (Public Access): no WEP and broadcast mode
• Basic Security (Telecommuter and Small Business): Wi-Fi 40-bit, 128-bit, and static WEP
• Enhanced Security (Mid-Market and Enterprise): dynamic key management system, mutual authentication, and 802.1x via EAP
• Specialized Security (Mobile User and Public Access): end-to-end security using VPN
Assessing Security Requirements
• Analyze your business environment
• Perform your risk assessment
• Determine your Cisco wireless security profile ….
Security = Authentication + Encryption
FUTURE
Wireless LAN Technologies
The Laws of Radio Dynamics:
• Higher data rates = shorter transmission range
• Higher power output = increased range, but lower battery life
• Higher frequency radios = higher data rates, shorter ranges
Frequency band, coverage and data rate by technology:
• 802.11b: 2.4 GHz; worldwide; 1-11 Mbps (now)
• 802.11a: 5 GHz; US/AP (initially); 20-54 Mbps (now), 100+ Mbps (future)
• HiperLAN2: 5 GHz; Europe; 20-54 Mbps (??)
• 802.11g: 2.4 GHz; worldwide (subject to approval); <54 Mbps (?? mths)
IEEE 802.11 Standard Activities
• 802.11a - 5 GHz - ratified in 1999
• 802.11b - 11 Mb 2.4 GHz - ratified in 1999
• 802.11d - Additional regulatory domains
• 802.11e - Quality of Service
• 802.11f - Inter-Access Point Protocol (IAPP)
• 802.11g - Higher data rate (>20 Mbps) 2.4 GHz
• 802.11h - Dynamic Frequency Selection and Transmit Power Control mechanisms
• 802.11i - Authentication and security
Understanding the 5 GHz Spectrum
[Figure: the 5 GHz UNII band from 5.15 to 5.825 GHz with boundaries at 5.25, 5.35, 5.470 and 5.725 GHz; US (FCC): 12 channels, UNII-1 40 mW, UNII-2 200 mW, UNII-3 800 mW (*can use up to 6 dBi gain antenna); Europe: 19 channels at 200 mW and 1 W (*assumes no antenna gain); channel counts shown as 11, 4, 4 and 4]
• UNII-1: indoor use, antenna must be fixed to the radio
• UNII-2: indoor/outdoor use, fixed or remote antenna
• UNII-3: outdoor bridging only
*If you use a higher gain antenna, you must reduce the transmit power accordingly
Characteristics of 802.11a
Orthogonal Frequency Division Multiplexing (OFDM)
• Data rates supported: 54, 48, 36, 24, 12 & 6 Mbps
• Can “downshift” to lower data rates for longer range
Compliant with FCC and Japanese regulations
• Initial offering will not be available in EMEA & portions of Asia/Pacific
5 GHz band has more channels than 2.4 GHz band
• UNII-1 + UNII-2 = 8 non-overlapping channels (vs. 3 channels for 2.4 GHz)
802.11 a/b/g Comparison
Standard   Frequency   Max speed   Backwards compatible
802.11b    2.4 GHz     11 Mbps     n/a
802.11a    5.8 GHz     54 Mbps     NO
802.11g    2.4 GHz     54 Mbps     YES
Bluetooth
• Ethernet framing
• Short distances only (typically 10 meters)
Applications:
• Network notebooks, PDAs, printers, phones, etc., in a cubicle or home office.
• Share files with others in a conference room.
3G PCS
3rd Generation Personal Communications Service (3G PCS)
• Uses cell phone CDMA and GSM technology on existing cell phone network infrastructure.
• Offered by cell phone companies with cell phone services, like Cingular/AT&T, Sprint, Verizon.
• Currently on the 3rd generation, or “3G”, of this technology.
3G PCS - Speed
This technology is asymmetrical, with the following download speeds:
• 1G: 14 Kbps
• 2G: 56K – 80 Kbps
• 3G: 300 Kbps (current)
• 4G: 10 Mbps ??? (future)
3G PCS - Cost
• $150: 3G CardBus network card (use in notebook PC or PDA)
• $75/mo: 3G service with unlimited use
3G PCS - Uses
1. Attach an individual notebook computer to the Internet, and optionally use VPN encryption to access a secure network. E.g. Florida Highway Patrol (FHP).
2. Use with a PCS router to provide wired and 802.11b wireless access, using PCS as the Internet uplink for a small office, trade show, etc.
802.11s Mesh Networks
Proprietary only today: Tropos, BelAir Networks, Firetide, Nortel
802.11s Task Group working on standard
Devices:
• Mesh Gateway (hard wired to network)
• Mesh Router (wireless only)
• 802.11b or 802.11g client
802.11s Mesh - Tropos
Tropos “Metromesh”
• Mesh Gateways connect to the wired network and talk wirelessly to Mesh Routers and 802.11b/g clients.
• Designed for outdoor installation, where Mesh Routers require only power.
• Predictive Wireless Routing Protocol (PWRP) optimizes the switching path for Mesh Routers to relay to a Mesh Gateway while consuming less than 5% of the bandwidth.
• End user may be relayed wirelessly through several Mesh Routers.
802.11s Mesh - MIT
Working on building a $100 laptop computer to bring technology to undeveloped countries.
2 problems: (1) power, (2) network access.
1. Charge battery with hand crank
2. Built-in custom mesh network software with integrated 802.11b/g hardware
802.11s Mesh - Intel
• Working on 802.11g chipsets with additional features for discovery, security, authentication, etc., to build mesh networks supporting 802.11s.
• Designing mesh portals to connect mesh networks to other technologies like 802.11g
• The 802.11s technical editor is also an Intel wireless network architect