
Wireless Technology Seminar

Introduction
Adam Worthington Network Consultant Adam.Worthington@euroele.com

Wireless LAN: Why?

- Flexible network access for your users
- Guest internet access
- VoWIP (voice over wireless IP)
- RFID

Available Wireless LAN Technologies

802.11b
- First widely adopted, commercially available 802.11 wireless technology
- Data rates up to 11 Mbps
- Operates in the 2.4 GHz waveband
- 3 non-overlapping channels
- Good signal propagation

802.11g
- Backward compatible with 802.11b
- Data rates up to 54 Mbps
- Operates in the 2.4 GHz waveband
- 3 non-overlapping channels
- Good signal propagation

802.11a
- Least adopted of the three standards in the UK
- Data rates up to 54 Mbps
- Operates in the cleaner 5 GHz waveband
- 8 non-overlapping channels
- Worst signal propagation

802.11 Emerging Standards

- 802.11e - Enhancements: QoS, including packet bursting
- 802.11i - Enhanced security (WPA2)

WLAN Solution: What Should It Provide?

A wireless LAN solution should:
- Authenticate devices/users
- Encrypt data
- Ensure data integrity
- Allow guest access
- Plan and manage RF coverage
- Detect ad hoc or rogue users
- Identify rogue APs
- Protect against, and locate the source of, DoS and man-in-the-middle attacks

Different Wireless Solution Types

- Standalone (FAT) AP
- Appliance/VPN solution
- Wireless LAN switch/controller

Standalone AP
Cisco, 3Com, Proxim
- Good, flexible feature set
- Highest management overhead
- Worst physical security
- Requires additional management software/appliance for network RF awareness

Appliance/VPN Solution
Vernier/HP, Cisco
- Central security management
- Excellent IP-layer security
- Good physical security
- Limited support for broadcast/multicast/non-IP traffic
- No concept of RF: channel, power and layer 2 security must be managed on the AP, possibly assisted by external management software

Wireless LAN Switch/Controller Solution

Cisco, Trapeze/3Com, Aruba
- Central security and RF management
- Excellent wireless security
- Good physical security
- Best RF control, e.g. dynamic power and channel allocation
- Support for advanced wireless technologies, e.g. RFID

WLAN Security: Levels of Protection

- Authentication
- Data origin protection
- Data integrity protection
- Confidentiality

802.11i Security For The Air

IEEE 802.11i (WPA2) defines a new type of wireless network called a robust security network (RSN).
- Strong authentication: 802.1X
- Strong encryption: TKIP and AES-CCMP (TKIP is the transitional cipher for pre-802.11i hardware; CCMP is the one to deploy)

802.1X Authentication
Three roles: Supplicant (the client), Authenticator (the access point) and Authentication Server (the RADIUS server). The authenticator only relays EAP between the other two and opens its controlled port when the server accepts.

802.1X and EAP

- Originally defined for use with PPP
- Truly extensible: does not force users into certain types of authentication

802.1X Initial Connection

Client to AP:
1. Client scans the air looking for a network
2. Client joins one of the networks and performs open-system authentication
3. Client sends an association request
4. Access point sends the client its association ID
5. 802.1X authentication starts (EAP over LAN, EAPOL): the client sends EAPOL-Start
6. Access point queries "who are you?" (EAP-Request/Identity)

Until the EAP exchange completes, the access point's controlled port passes nothing but EAPOL frames, so the client is associated but has no network access.
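The frames behind steps 5 and 6, as an added example (this is not the seminar's code). It builds and parses EAPOL and EAP packets in their wire format and shows why the outer identity sent in EAP-Response/Identity is readable by anyone sniffing the air: it travels before any tunnel exists. The NAI "adam" and the frame contents are constructed values.

```python
"""EAPOL / EAP framing for the 802.1X identity exchange (added example).

Constructed frames only. Shows the three frames that follow association:
EAPOL-Start from the supplicant, EAP-Request/Identity ("who are you?") from
the authenticator (AP) and the EAP-Response/Identity carrying the NAI in
the clear.
"""
import struct

# EAPOL (IEEE 802.1X) packet types
EAPOL_EAP_PACKET = 0
EAPOL_START = 1
EAPOL_LOGOFF = 2
EAPOL_VERSION = 2  # 802.1X-2004

# EAP codes and the Identity method type (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol(ptype, body=b""):
    """EAPOL header: version(1) type(1) length(2, big-endian) followed by body."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: code(1) id(1) length(2) [type(1) type-data]."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_eapol(frame):
    """Split an EAPOL frame; reject a body shorter than its declared length."""
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return {"version": version, "type": ptype, "body": body}


def parse_eap(pkt):
    """Parse an EAP packet; Request/Response packets must carry a type octet."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    out = {"code": code, "id": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("missing EAP type")
        out["type"] = pkt[4]
        out["data"] = pkt[5:length]
    return out


def identity_exchange(nai, identifier=1):
    """Return the three frames of the exchange on the page, in order."""
    start = eapol(EAPOL_START)
    request = eapol(EAPOL_EAP_PACKET,
                    eap(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY))
    response = eapol(EAPOL_EAP_PACKET,
                     eap(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, nai.encode()))
    return start, request, response


def valid_frame(frame):
    """True if the EAPOL framing is intact (used for the truncation check)."""
    try:
        parse_eapol(frame)
        return True
    except (ValueError, struct.error):
        return False


def identity_from_response(frame):
    """What a passive sniffer recovers: the outer identity, unencrypted."""
    e = parse_eapol(frame)
    if e["type"] != EAPOL_EAP_PACKET:
        return None
    p = parse_eap(e["body"])
    if p["code"] == EAP_RESPONSE and p["type"] == EAP_TYPE_IDENTITY:
        return p["data"].decode()
    return None


if __name__ == "__main__":
    start, req, resp = identity_exchange("adam")  # constructed NAI
    for name, f in (("EAPOL-Start", start), ("Request/Identity", req), ("Response/Identity", resp)):
        print(f"{name:18} {f.hex()}")
    print("sniffed identity:", identity_from_response(resp))
```

Because the identity is visible here, tunnelled methods such as PEAP and EAP-TTLS let the supplicant send an anonymous outer identity and reveal the real username only inside the TLS tunnel (stage 2 below).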

EAP: Which Type?

- EAP-TLS
- PEAP/MS-CHAPv2
- EAP-TTLS

PEAP Stage 1: TLS Handshake

Participants: Client, AP, RADIUS Server

Client: "Hi, I'm Adam. Here's my Network Access Identifier (NAI); it includes my username, my random number and a list of cryptographic algorithms I support."

AP: forwards a RADIUS Access-Request carrying the NAI to the RADIUS server.

RADIUS Server: "Okay, here's my random number. I've looked at your list and we'll use 128-bit RC4 encryption and MD5 message integrity checking. I'll also send you my certificate."

Client: "Okay, I've checked your certificate and you're authenticated. Now I'll generate and send you the pre-master secret encrypted with your public key. With this we can each derive keying material to be used to encrypt this TLS session."

RADIUS Server: "Got it. I'll decrypt the pre-master secret with my private key and derive the keying material. It's the same as your keying material. Now we can bidirectionally encrypt and integrity-check the session."

Two points for a deployment today: the RC4/MD5 suite in this illustration (TLS_RSA_WITH_RC4_128_MD5) is deprecated and a current server should be configured to negotiate an AES suite; and the "I've checked your certificate" step is the only thing that binds the tunnel to the genuine RADIUS server. If the supplicant is configured not to validate the server certificate, a rogue AP with its own RADIUS server can terminate the tunnel and receive everything sent in Stage 2.

PEAP Stage 2: MS-CHAPv2 Authentication

Participants: Client, AP, RADIUS Server (all messages inside the TLS tunnel from Stage 1)

RADIUS Server: "Who are you?"

Client: "I've told you once... I'm Adam."

RADIUS Server: "Okay, I'm RADIUS1. We'll use MS-CHAPv2 for authentication; here's a challenge for you."

Client: "Okay, I'll use my password and a hash function to create a response to your challenge. I've also got a challenge for you."

RADIUS Server: "I'm happy with your response to my challenge; here's a response to your challenge." The RADIUS server then sends the access point a RADIUS Access-Accept message including any configured authorisation attributes (VLAN ID etc.).

Client: "I'm happy with your response to my challenge. AP, let's talk."

Authentication complete.

Encryption
Options, strongest first:
- 802.11i (also known as WPA2) using the Counter Mode with CBC-MAC Protocol (CCMP, AES based)
- Wi-Fi Protected Access (WPA) using TKIP
- Dynamic WEP
- Dynamic WEP with broadcast/multicast key rotation
Dynamic WEP only limits how long each WEP key lives; the cipher underneath is still WEP (RC4 with a 24-bit IV), so it does not provide the integrity or confidentiality of the two options above it.

Pre-802.11i Roaming

Handoff:
- Discovery phase
- Association (or re-association) with the second AP requires a full EAP exchange
- Total time to associate: hundreds of milliseconds

802.11i Fast Handoff

Handoff:
- Discovery phase
- Association (or re-association)
- PMK cached, straight to the four-way handshake
- Total time to associate: tens of milliseconds
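What "PMK cached, straight to the four-way handshake" means in key material, as an added example (not the seminar's code). It implements the PMKID and PTK derivations of IEEE 802.11i with the standard's HMAC-SHA1 PRF, the message-2 MIC that proves the station holds the same PMK as the AP, and an authenticator-side PMKSA cache: a station re-associating with a cached PMKID skips the EAP exchange of the previous slide. The PMK, MAC addresses and nonces are constructed values; in an 802.1X deployment the PMK is the first 32 bytes of the EAP MSK that the RADIUS server delivers to the AP after Stage 2.

```python
"""802.11i PMK caching and four-way handshake (added example, not the seminar's code).

Constructed PMK/addresses/nonces. Key derivation follows IEEE 802.11i:
PRF-n, PMKID, PTK = KCK || KEK || TK and the EAPOL-Key MIC (descriptor
version 2, HMAC-SHA1-128, used with CCMP).
"""
import hashlib
import hmac
import os


def prf(key, label, data, nbytes):
    """802.11i PRF-n: R = R || HMAC-SHA1(K, A || 0x00 || B || i), i = 0,1,..., truncated."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); names a cached PMKSA."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=48):
    """PTK = PRF(PMK, "Pairwise key expansion",
                 Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    48 bytes for CCMP: KCK(16) || KEK(16) || TK(16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_key_mic(kck, frame_mic_zeroed):
    """EAPOL-Key MIC for key descriptor version 2: HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]


def four_way_handshake(sta_pmk, ap_pmk, aa, spa, anonce=None, snonce=None):
    """Messages 1 and 2 of the handshake, run on both sides.
    Returns (ap_ptk, mic_ok); mic_ok is True only if both sides hold the same PMK."""
    anonce = anonce or os.urandom(32)   # message 1: AP -> STA carries ANonce
    snonce = snonce or os.urandom(32)
    sta_ptk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    # message 2: STA -> AP carries SNonce plus a MIC under the KCK, computed with
    # the frame's MIC field zeroed. Constructed EAPOL-Key body: type, nonce, zero MIC.
    msg2 = b"\x02" + snonce + bytes(16)
    mic = eapol_key_mic(sta_ptk[:16], msg2)
    ap_ptk = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    mic_ok = hmac.compare_digest(mic, eapol_key_mic(ap_ptk[:16], msg2))
    return ap_ptk, mic_ok


class PmksaCache:
    """Authenticator-side PMKSA cache keyed by PMKID (lifetime handling omitted)."""

    def __init__(self):
        self._entries = {}

    def add(self, pmk, aa, spa):
        """Called after a successful EAP exchange; returns the PMKID the STA can offer later."""
        pid = pmkid(pmk, aa, spa)
        self._entries[pid] = pmk
        return pid

    def reassociate(self, offered_pmkid, aa, spa):
        """Fast-handoff decision. Returns (needs_full_eap, mic_ok).
        On a cache hit the STA is assumed to still hold the same PMK it cached."""
        pmk = self._entries.get(offered_pmkid)
        if pmk is None:
            return True, False              # cache miss: full 802.1X/EAP exchange first
        _, ok = four_way_handshake(pmk, pmk, aa, spa)
        return False, ok


if __name__ == "__main__":
    pmk = hashlib.sha256(b"constructed pmk").digest()   # stands in for the EAP MSK[0:32]
    aa, spa = bytes.fromhex("001122aabb01"), bytes.fromhex("0c2912345678")
    cache = PmksaCache()
    pid = cache.add(pmk, aa, spa)
    print("PMKID", pid.hex(), "reassociation:", cache.reassociate(pid, aa, spa))
```

The saving is exactly the EAP round trips to the RADIUS server; the four-way handshake itself still runs on every (re)association, because it is what produces fresh session keys and proves both sides hold the PMK.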

Rogue Users and APs

Types of rogue:
- Employee-installed unsanctioned AP
- Employee ad-hoc network
- Unauthorised intruder or hacker
- Bug-light AP

Employee-Installed Unsanctioned AP

Diagram: an unsanctioned AP bridges a wireless client onto the corporate network.

Employee Ad-Hoc Network

Diagram: an employee ad-hoc (peer-to-peer) wireless network alongside the corporate network.

Unauthorised Intruder or Hacker

They don't all use Pringles cans!

Bug-Light AP
Diagram: rogue PEAP with network access, showing Stage 1 and Stage 2 between a Rogue AP, a Legitimate AP, a Legitimate Client and the RADIUS Server.

A bug-light AP lures clients by advertising the legitimate SSID, typically at a stronger signal. If the client's supplicant does not validate the RADIUS server certificate in Stage 1, the rogue terminates the TLS tunnel itself and the Stage 2 MS-CHAPv2 exchange is performed with the attacker rather than the legitimate RADIUS server.

Rogue Detection and Location

- Manual detection: IT manager with AirMagnet, AiroPeek, Sniffer Wireless etc.
- Wireless IDS: AirDefense etc.
- Solution integrated with the wireless LAN: Cisco, Trapeze etc.

To Catch a Rogue
Detection, Location, Action
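The detection and triage step, as an added example (not the seminar's or any vendor's code). It applies the four rogue categories from the slides above to a set of scan records and orders the rogues by signal strength so the strongest, and therefore nearest, one is investigated first. The inventory, scan records and the simplified "MAC seen on the wired side" flag (standing in for a switch CAM-table lookup) are constructed.

```python
"""Rogue AP / ad-hoc classification from scan results (added example).

Constructed inventory and scan records; the categories are the ones listed
on the page: employee-installed AP on the corporate wire, employee ad-hoc
(IBSS) network, outside AP, and a bug-light AP advertising the corporate
SSID from an unknown BSSID.
"""

# Constructed inventory of sanctioned APs: BSSID -> (SSID, channel)
SANCTIONED = {
    "00:11:22:aa:bb:01": ("CORP-WLAN", 1),
    "00:11:22:aa:bb:02": ("CORP-WLAN", 6),
    "00:11:22:aa:bb:03": ("GUEST", 11),
}
CORPORATE_SSIDS = {"CORP-WLAN", "GUEST"}

# Constructed scan records. "on_wire" is a simplified flag meaning the BSSID's MAC
# was also observed on the wired side (in practice: a switch CAM-table export).
SCAN = [
    {"bssid": "00:11:22:aa:bb:01", "ssid": "CORP-WLAN", "channel": 1, "rssi": -45, "ibss": False, "on_wire": True},
    {"bssid": "00:11:22:aa:bb:02", "ssid": "CORP-WLAN", "channel": 11, "rssi": -50, "ibss": False, "on_wire": True},
    {"bssid": "00:1c:f0:12:34:56", "ssid": "linksys", "channel": 6, "rssi": -40, "ibss": False, "on_wire": True},
    {"bssid": "02:0c:29:de:ad:01", "ssid": "adam-share", "channel": 3, "rssi": -60, "ibss": True, "on_wire": False},
    {"bssid": "00:0c:29:13:37:00", "ssid": "CORP-WLAN", "channel": 6, "rssi": -35, "ibss": False, "on_wire": False},
    {"bssid": "00:1d:7e:99:99:99", "ssid": "NETGEAR", "channel": 1, "rssi": -88, "ibss": False, "on_wire": False},
]

ROGUE_CATEGORIES = {"misconfigured", "ad-hoc", "bug-light", "unsanctioned-wired"}


def classify(rec, sanctioned=SANCTIONED, corp_ssids=CORPORATE_SSIDS):
    """Return (category, reason) for one scan record."""
    known = sanctioned.get(rec["bssid"])
    if known:
        ssid, channel = known
        if rec["ssid"] != ssid or rec["channel"] != channel:
            return "misconfigured", f"sanctioned AP, expected SSID {ssid!r} on channel {channel}"
        return "sanctioned", "matches inventory"
    if rec["ibss"]:
        return "ad-hoc", "IBSS network, typically an employee peer-to-peer share"
    if rec["ssid"] in corp_ssids:
        return "bug-light", "corporate SSID from an unknown BSSID (lure / evil twin)"
    if rec["on_wire"]:
        return "unsanctioned-wired", "unknown AP whose MAC is seen on the corporate wire"
    return "external", "unknown AP with no link to the corporate network (neighbour)"


def triage(scan=SCAN, sanctioned=SANCTIONED):
    """Classify every record and return the rogues, strongest signal first."""
    rows = [(rec["bssid"], *classify(rec, sanctioned), rec["rssi"]) for rec in scan]
    rogues = [r for r in rows if r[1] in ROGUE_CATEGORIES]
    return sorted(rogues, key=lambda r: -r[3])   # -35 dBm sorts before -60 dBm


if __name__ == "__main__":
    for bssid, category, reason, rssi in triage():
        print(f"{rssi:4d} dBm  {bssid}  {category:18}  {reason}")
```

Signal strength from one sensor only gives a rough ordering; locating the rogue for the "Action" step needs readings from several APs or a hand-held analyser, as the detection slide lists.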

How These Concepts May Apply to Your WLAN

- Guest internet access provided by the FroDo web-auth solution
- Unit LAN access managed locally and secured by WPA2

Sample Topology
Diagram (labels recovered from the figure): two Access Points; University backbone network; FroDo; Switch supporting multiple VLANs; Wireless switch; Main Unit VLAN; FroDo Guest Wireless VLAN; VLAN trunk carrying all VLANs; Wireless Hardware VLAN.

Conclusion
Security is key. Many options: choose the one that fits best.
