
SECURITY

Security plays an even bigger part in wireless networks. As a Wireless Internet
Service Provider, our concern is to protect our customers' privacy and to prevent
unauthorized users from accessing our network. There are various technologies for
achieving security in a WLAN. Our company chooses not to use the WEP specified by
the IEEE 802.11x standards because of the weaknesses it entails. We are going to
use Cisco LEAP (Lightweight Extensible Authentication Protocol) and TKIP (Temporal
Key Integrity Protocol) for additional data privacy protection. Before we get into
the features of Cisco LEAP, the reasons why we are not using WEP must be
explained.
WEP is a component of the IEEE 802.11 WLAN standards. Its primary purpose is to
provide for confidentiality of data on wireless networks at a level equivalent to that of
wired LANs. Wired LANs typically employ physical controls to prevent unauthorized
users from connecting to the network and thereby viewing the data. In a wireless
LAN, the network can be accessed without physically connecting to the LAN;
therefore the IEEE chose to employ encryption at the data link layer to prevent
unauthorized eavesdropping on a network. This is accomplished by encrypting data
with the RC4 encryption algorithm. WEP employs an integrity check field in each
data packet to ensure that data is not modified during transmission. A CRC-32
checksum is used for this purpose. Authentication in the 802.11 specification is based
on authenticating a wireless station or device instead of authenticating a user. The
specification provides for two modes of authentication: open authentication and
shared-key authentication.
The 802.11 client authentication process consists of the following transactions
(Figure 1):
1. Client broadcasts a probe request frame on every channel
2. Access points within range respond with a probe response frame
3. The client decides which access point (AP) is the best for access and sends an
authentication request
4. The access point will send an authentication reply
5. Upon successful authentication, the client will send an association request
frame to the access point
6. The access point will reply with an association response
7. The client is now able to pass traffic to the access point

Figure 1: 802.11 Client Authentication Process

WEP is more or less adequate for a small business, but it is not sufficient for an
enterprise organization. Only very small businesses, or those that do not entrust
mission-critical data to their WLAN networks, can rely on these WLAN security
types. All other enterprises and organizations must invest in a robust,
enterprise-class WLAN security solution.
WEP uses two means of client authentication: open and shared-key authentication.
Open authentication involves little more than supplying the correct SSID. With
shared-key authentication, the AP sends the client device a challenge text packet that
the client must then encrypt with the correct WEP key and return to the access point.
If the client has the wrong key or no key, authentication will fail and the client will
not be allowed to associate with the access point. Shared-key authentication is not
considered secure, because a hacker who detects both the clear-text challenge and the
same challenge encrypted with a WEP key can decipher the WEP key. With open
authentication, even if a client can complete authentication and associate with an AP,
the use of WEP prevents the client from sending data to and receiving data from the
AP unless the client has the correct WEP key.

Another type of key that is often used, but is not considered secure, is a "static"
WEP key. A static WEP key is a key of either 40 or 128 bits that is statically defined
by the network administrator on the AP and on all clients that communicate with the
AP. When static WEP keys are used, a network administrator must perform the
time-consuming task of entering the same keys on every device in the WLAN. If a
device that uses static WEP keys is lost or stolen, the possessor of the stolen device
can access the WLAN. An administrator won't be able to detect that an unauthorized
user has infiltrated the WLAN until and unless the theft is reported. The
administrator must then change the WEP key on every device that uses the same
static WEP key as the missing device. In a large enterprise WLAN with hundreds or
even thousands of users, this can be a daunting task. Worse still, if a static WEP key
is deciphered through a tool like AirSnort, the administrator has no way of knowing
that the key has been compromised by a hacker.

Some WLAN vendors support authentication based on the physical address, or MAC
address, of the client Network Interface Card (NIC). An access point will allow
association by a client only if that client's MAC address matches an address in an
authentication table used by the access point. But MAC authentication is an
inadequate security measure, because MAC addresses can be forged, or a NIC can be
lost or stolen.
For the reasons explained above, our company will use a new security measure that
covers the weaknesses of traditional WEP. The Cisco LEAP (EAP Cisco Wireless)
algorithm provides user-based mutual authentication, whereas WEP authentication is
device-based. It also provides keying material to the client and the RADIUS server
for the generation of WEP keys. Cisco LEAP is a user-based authentication
algorithm that is secure enough to implement in hostile wireless LAN deployments.

Based on these user requirements, and the need for single-sign-on (SSO) capabilities,
Cisco built Cisco LEAP around the premise of Microsoft Challenge Handshake
Authentication Protocol (MS-CHAP).
Cisco LEAP is a password-based algorithm. It preserves the integrity of the password
during wireless authentication by converting the password to a secret key value, so
that wireless eavesdroppers who sniff Cisco LEAP authentication cannot see a user's
password transmitted across the wireless link. The secret key value is the result of a
mathematical function called a hash function. A hash function is a one-way
algorithm: its output cannot be reversed to recover the original input. Cisco LEAP
uses secrets in the Microsoft Windows NT key format. The Windows NT key is a
Message Digest Algorithm 4 (MD4) hash of an MD4 hash of the user's password.
Figure 29: Windows NT Key

Use of the Windows NT key allows Cisco LEAP to use existing Windows NT
Domain Services authentication databases as well as Windows 2000 Active Directory
databases. In addition, any Open Database Connectivity (ODBC) database that holds
MS-CHAP passwords can also be used.
Cisco has developed drivers for most versions of Microsoft Windows (Windows 95,
98, Me, 2000, NT and XP) and uses the Windows logon as the Cisco LEAP logon. A
software shim in the Windows logon allows the username and password information
to be passed to the Cisco Aironet client driver. The driver will convert the password
into a Windows NT key and hand the username and Windows NT key to the Cisco
NIC. The NIC executes 802.1X transactions with the AP and the authentication,
authorization, and accounting (AAA) server.
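The mutual challenge/response described above, as an added simulation that is not Cisco's code: HMAC-SHA256 keyed with a SHA-256 password hash stands in for the MS-CHAP/NT-key computation that Cisco LEAP actually uses, and the user name, password and session-key derivation are constructed assumptions. It shows that only challenges and responses cross the wireless link, and that a server that does not hold the user's key (a rogue AP or RADIUS server) fails the client's check.

```python
import hashlib
import hmac
import secrets

# Added example: a simplified model of the user-based mutual challenge/response
# described above. HMAC-SHA256 keyed with a SHA-256 password hash stands in for
# the MS-CHAP/NT-key arithmetic of real Cisco LEAP; the message flow is the point.
# Users, passwords and the session-key derivation are constructed assumptions.


def password_hash(password: str) -> bytes:
    """Stand-in for the Windows NT key: only this, never the password, is stored."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def respond(key: bytes, *parts: bytes) -> bytes:
    """Prove knowledge of key over the given challenge(s) without revealing it."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class AAAServer:
    def __init__(self, user_db: dict):
        self.user_db = user_db              # username -> stored key (hash, not password)
        self.pending = {}                   # username -> outstanding server challenge
        self.session_key = None

    def challenge(self, username: str) -> bytes:
        self.pending[username] = secrets.token_bytes(16)
        return self.pending[username]

    def check_client(self, username: str, client_resp: bytes, client_chal: bytes):
        """Verify the client; on success return our own response to its challenge."""
        key = self.user_db.get(username)
        srv_chal = self.pending.pop(username, None)
        if key is None or srv_chal is None:
            return None                     # unknown user (or a server without the key)
        if not hmac.compare_digest(respond(key, srv_chal, client_chal), client_resp):
            return None                     # wrong password: reject the client
        self.session_key = respond(key, b"session", srv_chal, client_chal)
        return respond(key, client_chal)


class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self.key = password_hash(password)  # derived once on the client, like the NT key
        self.session_key = None

    def answer(self, srv_chal: bytes):
        self.srv_chal, self.chal = srv_chal, secrets.token_bytes(16)
        return respond(self.key, srv_chal, self.chal), self.chal

    def check_server(self, srv_resp) -> bool:
        """A rogue AP/RADIUS server that lacks the key cannot pass this check."""
        if srv_resp is None or not hmac.compare_digest(respond(self.key, self.chal), srv_resp):
            return False
        self.session_key = respond(self.key, b"session", self.srv_chal, self.chal)
        return True


def authenticate(client: Client, server: AAAServer):
    """Run the exchange; return (server accepted client, client accepted server, keys agree)."""
    wire = []                               # everything an eavesdropper could capture
    srv_chal = server.challenge(client.username)
    wire.append(srv_chal)
    client_resp, client_chal = client.answer(srv_chal)
    wire += [client_resp, client_chal]
    srv_resp = server.check_client(client.username, client_resp, client_chal)
    wire.append(srv_resp)
    client_ok = client.check_server(srv_resp)
    assert client.key not in wire           # neither the password nor its hash crosses the air
    keys_agree = client_ok and client.session_key == server.session_key
    return srv_resp is not None, client_ok, keys_agree


USER_DB = {"alice": password_hash("cnw84Fri")}        # constructed user database

if __name__ == "__main__":
    print(authenticate(Client("alice", "cnw84Fri"), AAAServer(USER_DB)))   # (True, True, True)
    print(authenticate(Client("alice", "wrongpw"), AAAServer(USER_DB)))    # (False, False, False)
    print(authenticate(Client("alice", "cnw84Fri"), AAAServer({})))        # (False, False, False)
```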
Reauthentication and subsequent WEP key derivation follow a similar process. The
transaction is WEP-encrypted with the existing client WEP key, and the client's port
on the access point does not transition to a blocking state. It remains in the
forwarding state until the client explicitly sends an EAP Logoff message or fails
reauthentication. Notice again that neither the password nor the password hash is
ever sent across the wireless medium. The authentication process is described as
follows.

LEAP Authentication Process

LEAP provides two significant benefits over basic WEP. The first benefit is the
mutual authentication scheme as described above. This scheme effectively eliminates
"man-in-the-middle attacks" introduced by rogue access points and RADIUS servers.
The second benefit is a centralized management and distribution of the encryption
keys used by WEP. Even if the WEP implementation of RC4 had no flaws, there
would still be the administrative difficulty of distributing static keys to all the APs
and clients in the network. Each time a wireless device was lost, the network would
need to be re-keyed to prevent the lost system from gaining unauthorized access. A
comparison with other wireless security approaches is shown in the following table.
Feature                        | LEAP                                  | IPSec                                              | Static WEP
Key Length (bits)              | 128                                   | 168                                                | 128
Encryption Algorithm           | RC4                                   | 3DES                                               | RC4
Packet Integrity               | CRC32/MIC                             | MD5-HMAC/SHA-HMAC                                  | CRC32/MIC
Device Authentication          | None                                  | Pre-shared secret or certificates                  | None
User Authentication            | Username/Password                     | Username/Password or OTP                           | None
User Differentiation *         | No                                    | Yes                                                | No
Transparent user experience    | Yes                                   | No                                                 | Yes
ACL requirements               | None                                  | Substantial                                        | N/A
Additional Hardware            | Authentication server                 | Authentication server and VPN gateway              | No
Per-user keying                | Yes                                   | Yes                                                | No
Protocol Support               | Any                                   | IP unicast                                         | Any
Client Support                 | PCs and high-end PDAs; wide range of OSs supported from Cisco | PCs and high-end PDAs; wide range of OSs supported from Cisco and third-party vendors | All clients supported
Open Standard                  | No                                    | Yes                                                | Yes
Time-based key rotation        | Configurable                          | Configurable                                       | No
Client hardware encryption     | Yes                                   | Available; software is the most common method      | Yes
Additional Software            | No                                    | IPSec client                                       | No
Per-flow QoS Policy Management | At access switch                      | After VPN gateway                                  | At access switch

The design of our LEAP WLAN will be as drawn below:


(This design details a generic method for using LEAP as a security mechanism to
access the production corporate network.)

Key LEAP Devices

Wireless client adapter and software: A software solution that provides the
hardware and software necessary for wireless communications to the AP; it
provides mutual authentication to the AP via LEAP.

Wireless access point: Mutually authenticates wireless clients via LEAP.

Layer 2/3 switch: Provides Ethernet connectivity and Layer 3/4 filtering
between the WLAN AP and the corporate network.

RADIUS server: Delivers user-based authentication for wireless clients and
access-point authentication to the wireless clients.

DHCP server: Delivers IP configuration information for wireless LEAP clients.

Threats Mitigated

Wireless packet sniffers: Wireless packet sniffers can take advantage of any of
the known WEP attacks to derive the encryption key. These threats are mitigated
by WEP enhancements (see the "Security Improvements Are Required" axiom) and by
key rotation using LEAP.

Unauthenticated access: Only authenticated users are able to access the wireless
and wired network. Optional access control on the Layer 3 switch limits wired
network access.

Man in the middle: The mutual authentication nature of LEAP, combined with the
MIC, prevents a hacker from inserting itself in the path of wireless
communications.

IP spoofing: Hackers cannot perform IP spoofing without first authenticating to
the WLAN; after authentication, optional RFC 2827 filtering on the Layer 3 switch
restricts any spoofing to the local subnet range.

ARP spoofing: Hackers cannot perform ARP spoofing without first authenticating to
the WLAN; after authentication, ARP spoofing attacks can be launched in the same
manner as in a wired environment to intercept other users' data.

Network topology discovery: Hackers cannot perform network discovery if they are
unable to authenticate. When authenticated via LEAP, standard topology discovery
can occur in the same way that is possible in the wired network.
We will use the following devices to install the LEAP WLAN design in our
company: LEAP devices (DHCP server, RADIUS server, wireless client adapter) and
additional security software (firewall).
DHCP SERVER: we are going to use the Cisco AS5200 Family Universal Access
Servers as the platform and install the Cisco IOS DHCP Server.

AS5200 Technical Specifications

Processor Type                 | 20-MHz 68030
Memory                         | Up to 16M main DRAM and 16M packet DRAM
Flash Memory                   | Up to 8M boot Flash; up to 16M system Flash
Chassis Slots                  | Three (two modem carrier card, one WAN interface)
WAN Interface Options          | Dual T1/PRI (RJ-45); Dual E1/PRI (DB15)
Ethernet (AUI)                 | One 10MB
High-Speed Synchronous Serial  | Two
Modems                         | Up to 48 (T1) or 60 (E1)
Console and Auxiliary Ports    | One each
Other Standard Components      | Power supply and cord, one console cable

Environmental Condition and Power Requirements

Dimensions (H x W x D)         | 3.4 x 17.5 x 15 in.
Weight                         | 25 lb. (11.4 kg)
Input Power                    | 170 watts, AC or DC (typical)
Output Power                   | 120 watts, AC or DC (typical)
Peak                           | 180 watts
Power Factor                   | >.88
Ripple and Noise               | Below 100 mV at board level
Frequency                      | 50/60 Hz
Efficiencies                   | 0.65 to 0.70
Heat Dissipation               | 514 Btu/hr
AC Input Voltage               | 85 VAC minimum; 120 VAC nominal; 260 (132) VAC maximum
DC Input Voltage               | 40 VDC minimum; 48 VDC nominal; 72 (56) VDC maximum
AC Input Current (maximum)     | 3A (rms)
DC Input Current (maximum)     | 5A (3A) (rms)
Operating Temperature          | 32 to 104 F (0 to 40 C)
Nonoperating Temperature       | -4 to 149 F (-20 to 65 C)
Operating Humidity             | 10 to 85%, noncondensing
Nonoperating Relative Humidity | 5 to 95%, noncondensing

CISCO IOS DHCP SERVER


Feature Overview
Dynamic Host Configuration Protocol (DHCP) enables you to automatically assign
reusable IP addresses to DHCP clients. The Cisco IOS DHCP Server feature is a full
DHCP server implementation that assigns and manages IP addresses from specified
address pools within the router to DHCP clients. If the Cisco IOS DHCP Server
cannot satisfy a DHCP request from its own database, it can forward the request to
one or more secondary DHCP servers defined by the network administrator.
Figure 1 shows the basic steps that occur when a DHCP client requests an IP address
from a DHCP server. The client, Host A, sends a DHCPDISCOVER broadcast
message to locate a Cisco IOS DHCP Server. A DHCP server offers configuration
parameters (such as an IP address, a MAC address, a domain name, and a lease for
the IP address) to the client in a DHCPOFFER unicast message.

Figure 1: DHCP Request for an IP Address from a DHCP Server

Note: A DHCP client may receive offers from multiple DHCP servers and can accept
any one of the offers; however, the client usually accepts the first offer it receives.
Additionally, the offer from the DHCP server is not a guarantee that the IP address
will be allocated to the client; however, the server usually reserves the address until
the client has had a chance to formally request the address.
The client returns a formal request for the offered IP address to the DHCP server in a
DHCPREQUEST broadcast message. The DHCP server confirms that the IP address
has been allocated to the client by returning a DHCPACK unicast message to the
client.
Note: The formal request for the offered IP address (the DHCPREQUEST message)
that is sent by the client is broadcast so that all other DHCP servers that received the
DHCPDISCOVER broadcast message from the client can reclaim the IP addresses
that they offered to the client.
If the configuration parameters sent to the client in the DHCPOFFER unicast
message by the DHCP server are invalid (a misconfiguration error exists), the client
returns a DHCPDECLINE broadcast message to the DHCP server.
If an error occurred during negotiation of the parameters, or the client was slow to
respond to the DHCP server's DHCPOFFER message (so that the server assigned
the parameters to another client), the DHCP server sends the client a DHCPNAK
denial broadcast message, which means the offered configuration parameters have
not been assigned.
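The DISCOVER/OFFER/REQUEST/ACK exchange and the two notes above, as an added model in Python (not Cisco IOS code): the server identifiers, address pools and client MAC addresses are constructed, and an offer reservation lapsing after a fixed number of ticks stands in for the server's real timer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not Cisco IOS code): a small model of the DISCOVER/OFFER/REQUEST/
# ACK exchange, including the cases the notes describe: a server reclaims its
# offer when the client's broadcast REQUEST names another server, a lapsed offer
# is re-issued to someone else (so the slow client gets DHCPNAK), and a
# DHCPDECLINE takes a misconfigured address out of the pool.


@dataclass
class Msg:
    kind: str                      # DHCPDISCOVER/OFFER/REQUEST/ACK/NAK/DECLINE
    mac: str                       # client hardware address (constructed)
    yiaddr: Optional[str] = None   # offered or requested address
    server_id: Optional[str] = None


class DhcpServer:
    def __init__(self, server_id: str, pool: str, offer_ttl: int = 2):
        self.server_id = server_id
        self.free = [str(h) for h in ipaddress.ip_network(pool).hosts()]
        self.offered = {}          # mac -> (ip, tick at which the reservation lapses)
        self.leased = {}           # mac -> ip, set only after a matching DHCPREQUEST
        self.bad = set()           # addresses a client declined
        self.offer_ttl, self.now = offer_ttl, 0

    def tick(self) -> None:
        """Time passes; offers the client never requested return to the pool."""
        self.now += 1
        for mac, (ip, until) in list(self.offered.items()):
            if until <= self.now:
                del self.offered[mac]
                self.free.insert(0, ip)

    def handle(self, m: Msg) -> Optional[Msg]:
        if m.kind == "DHCPDISCOVER" and self.free:
            ip = self.free.pop(0)
            self.offered[m.mac] = (ip, self.now + self.offer_ttl)   # reserved, not allocated
            return Msg("DHCPOFFER", m.mac, ip, self.server_id)      # unicast to the client
        if m.kind == "DHCPREQUEST":
            if m.server_id != self.server_id:                       # client chose another server
                if m.mac in self.offered:
                    self.free.append(self.offered.pop(m.mac)[0])    # reclaim our offer
                return None
            pending = self.offered.pop(m.mac, None)
            if pending is None or pending[0] != m.yiaddr:
                return Msg("DHCPNAK", m.mac, None, self.server_id)  # broadcast denial
            self.leased[m.mac] = m.yiaddr
            return Msg("DHCPACK", m.mac, m.yiaddr, self.server_id)  # unicast confirmation
        if m.kind == "DHCPDECLINE" and m.server_id == self.server_id:
            ip = self.leased.pop(m.mac, None) or self.offered.pop(m.mac, (None, 0))[0]
            if ip:
                self.bad.add(ip)                                    # keep it out of the pool
        return None


def broadcast(servers, m: Msg):
    """Every server on the segment sees a broadcast; collect the replies."""
    return [r for r in (s.handle(m) for s in servers) if r is not None]


def scenario() -> dict:
    """Two servers; client A is prompt, client B is slow. All addresses constructed."""
    s1 = DhcpServer("10.0.0.1", "10.0.0.8/29")      # offers 10.0.0.9 .. 10.0.0.14
    s2 = DhcpServer("10.0.0.2", "10.0.0.16/29")     # offers 10.0.0.17 .. 10.0.0.22
    offers = broadcast([s1, s2], Msg("DHCPDISCOVER", "aa:aa"))
    chosen = offers[0]                               # client takes the first offer it receives
    a_reply = broadcast([s1, s2], Msg("DHCPREQUEST", "aa:aa", chosen.yiaddr, chosen.server_id))[0]
    broadcast([s1, s2], Msg("DHCPDECLINE", "aa:aa", chosen.yiaddr, chosen.server_id))
    b_offer = s1.handle(Msg("DHCPDISCOVER", "bb:bb"))
    for _ in range(2):
        s1.tick()                                    # B waits too long; its reservation lapses
    c_offer = s1.handle(Msg("DHCPDISCOVER", "cc:cc"))  # the same address now goes to C
    b_reply = s1.handle(Msg("DHCPREQUEST", "bb:bb", b_offer.yiaddr, s1.server_id))
    return {"a_reply": a_reply, "s2_reclaimed": "10.0.0.17" in s2.free and not s2.offered,
            "declined": s1.bad, "b_offer": b_offer.yiaddr, "c_offer": c_offer.yiaddr,
            "b_reply": b_reply}
```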
Benefits
The Cisco IOS DHCP Server feature offers the following benefits:

Reduced Internet access costs: Using automatic IP address assignment at each
remote site substantially reduces Internet access costs. Static IP addresses are
considerably more expensive to purchase than are automatically allocated IP
addresses.

Reduced client configuration tasks and costs: Because DHCP is easy to configure,
it minimizes operational overhead and costs associated with device configuration
tasks and eases deployment by nontechnical users.

Centralized management: Because the DHCP server maintains configurations for
several subnets, an administrator only needs to update a single, central server
when configuration parameters change.

RADIUS SERVER: For the platform, we are using the Intel SPKA4 server platform
and Interlink RAD-Series server software.
Intel SPKA4 Features

Feature                                                               | Benefit
Support for one to four Intel Pentium III Xeon processors with L2 cache sizes from 512K to 2M and a 100 MHz system bus | Provides peak performance and scalability for the most demanding server applications
Up to 16 GB of PC100 SDRAM memory over 16 DIMM sites                  | Increased memory capacity and flexibility for the most demanding server applications
Triple peer PCI buses providing over 900 MB/s of I/O bandwidth (two 64-bit/33 MHz and one 32-bit/33 MHz) | Separate PCI buses eliminate data bottlenecks and increase bandwidth for intensive I/O needs
Eight PCI slots (six 64-bit/33 MHz hot-plug and two 32-bit/33 MHz)    | Maximum scalability and investment protection
PCI Hot-Plug access and support                                       | High availability, with no server down time to add or remove many peripherals
Three integrated SCSI channels (two Ultra160 SCSI, one Ultra Wide/Ultra Narrow SCSI) | Maximum data throughput due to three independent SCSI channels
Integrated Intel PRO/100+ Fast Ethernet Controller (Intel 82559)      | Enhanced manageability and availability with access to Web-enabled server management; leaves PCI slots available for expansion
Integrated ATI Rage IIC graphics controller with 2M of memory         | All PCI slots are available for expansion
Intel Server Management solution, including the Server Management controller and Intel Server Control (ISC) software | Data protection, security features, remote access, and quick problem resolution capabilities that used to be available only on high-end servers
Three-year limited warranty                                           | Peace of mind with Intel's service, support, and warranty
Designed by Intel                                                     | Performance, value, and choice you expect from Intel
4U rack form factor                                                   | High-density rack for maximum power in minimum space
Up to five 1" (or three 1.6") hot-swap Ultra160 SCSI hard drives      | High-capacity storage for your most demanding data needs
Redundant hot-swap power supplies and fans                            | High availability for power and cooling, with no server downtime to add or remove peripherals
Modular, highly accessible chassis                                    | Ease of service

INTERLINK RAD SERIES

RAD-Series is widely installed, provides high performance, and is highly scalable and
modular. The server is structured so that it can support RADIUS, the current standard
protocol for authentication, authorization, and accounting, including the emerging
wireless LAN authentication standards such as Cisco LEAP and EAP-TLS.

Features

- Supports multiple services: dial, wholesale dial, broadband, managed VPN,
  wireless LAN.
- Supports delivery of additional wholesale, outsourcing and roaming services
  by proxy RADIUS.
- Delivers high-performance AAA transactions at rates of up to 1000
  transactions per second.
- Provides reliability with failover, load balancing and redundancy features.
- Provides a full web-based interface, ensuring easy connectivity from anywhere.
- Provides Oracle, LDAP, and Active Directory support.

WIRELESS CLIENT ADAPTER


The Cisco Aironet 350 Series Mini-PCI (MPI350) Client Adapter is an embedded
solution that complements the industry-leading 11-Mbps Cisco Aironet 350 Series.
Based on direct sequence spread spectrum (DSSS) technology operating in the 2.4
GHz Industrial, Science and Medical (ISM) band, the MPI350 client adapter
complies with the IEEE 802.11b standard, ensuring interoperability with other
compliant wireless LAN (WLAN) products.
Key Features

- IEEE 802.11b high-rate standard compliance
- Type IIIa Mini-PCI form factor for standard compatibility in a variety of
  mobile devices
- Industry-leading range and throughput performance
- Up to 100mW transmit power
- Supports hardware accelerated 128-bit WEP RC4 encryption for data security
  with negligible performance degradation
- 802.1x security support via EAP and LEAP for the most advanced wireless
  authentication scheme available
- World mode for international mobility across regulatory domains
- Dual antenna connectors supporting diversity for improved multipath
  compensation
- True PCI bus interface
- Support for all popular operating systems

How it works: With the Cisco security solution, authentication is based on username and
password, and each user gets a unique, session-based encryption key.

FIREWALL - Cisco IOS Firewall Software 12.1(4)T will be integrated into our
Internet router.
Cisco IOS Firewall Key Features
The Cisco IOS Firewall delivers integrated firewall functionality for Cisco networks
and increases the flexibility and security of Cisco routers. Table 1 provides an
overview of key features.
Table 1 Cisco IOS Firewall Overview

Feature                                          | Description
Context-Based Access Control (CBAC)              | Provides internal users secure, per-application-based access control for all traffic across perimeters such as perimeters between private enterprise networks and the Internet
Intrusion Detection                              | Provides real-time monitoring, interception, and response to network misuse with a broad set of the most common attack and information-gathering intrusion detection signatures
Authentication Proxy                             | Dynamic, per-user authentication and authorization for LAN-based and dial-in communications; authenticates users against industry-standard TACACS+ and RADIUS authentication protocols; network administrators can set individual, per-user security policies
Denial of Service Detection and Prevention       | Defends and protects router resources against common attacks; checks packet headers, dropping suspicious packets
Dynamic Port Mapping                             | Allows network administrators to run CBAC-supported applications on nonstandard ports
Java Applet Blocking                             | Protects against unidentified, malicious Java applets
VPNs, IPSec Encryption, and QoS Support          | Operates with Cisco IOS software encryption, tunneling, and QoS features to secure VPNs; provides scalable encrypted tunnels on the router while integrating strong perimeter security, advanced bandwidth management, intrusion detection, and service-level validation; standards based for interoperability
Real-Time Alerts                                 | Logs alerts for denial-of-service attacks or other preconfigured conditions; now configurable on a per-application, per-feature basis
Audit Trail                                      | Details transactions; records time stamp, source host, destination host, ports, duration and total number of bytes transmitted for detailed reporting; now configurable on a per-application, per-feature basis
Event Logging                                    | Allows administrators to track potential security breaches or other nonstandard activities in real time by logging system error message output to a console terminal or syslog server, setting severity levels, and recording other parameters
Firewall Management                              | Wizard-based network configuration tool offers step-by-step guidance through network design, addressing, and Cisco IOS Firewall security policy configuration; available on Cisco 1600, 1720, 2500, 2600, and 3600 routers; also supports NAT and IPSec configurations
Integration with Cisco IOS Software              | Interoperates with Cisco IOS features, integrating security policy enforcement into the network
Basic and Advanced Traffic Filtering             | Standard and extended access control lists (ACLs) apply access controls to specific network segments and define which traffic passes through a network segment; Lock-and-Key dynamic ACLs grant temporary access through firewalls upon user identification (username/password)
Policy-Based Multi-Interface Support             | Provides the ability to control user access by IP address and interface as determined by the security policy
Redundancy/Failover                              | Automatically routes traffic to a backup router if a failure occurs
Network Address Translation                      | Hides the internal network from the outside for enhanced security
Time-Based Access Lists                          | Defines security policy by time of day and day of week
Peer Router Authentication                       | Ensures that routers receive reliable routing information from trusted sources
Improved attack detection and defense for e-mail servers | New intrusion detection is designed specifically for SMTP-oriented attacks

With these devices and software, our network will be more or less hacker-free.
However, Cisco LEAP is a password-based algorithm and it is not protected from
dictionary attacks. To minimize the possibility of a successful dictionary attack,
we will distribute guidance on strong passwords and encourage our clients to use
them, since strong passwords are difficult to guess. Some characteristics of
strong passwords include:

- A minimum of six characters
- A mixture of uppercase and lowercase letters
- At least one numeric character
- No form of the user's name or user ID
- A word that is not found in the dictionary (domestic or foreign)

Examples of strong passwords:

- cnw84Fri, from "cannot wait for Friday"
- !crE8vpw, from "not creative password"
- G8tSm^rt, from "get smart"
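The strong-password characteristics above as an added checker that is not part of the original page: the word list, user ID and full name are constructed sample values, and the dictionary rule is applied both to the whole password and to its letters-only core (so "Password1" is rejected as the dictionary word "password"), which goes slightly beyond the list as written.

```python
import re

# Added example (not from the original page): checks a candidate password against
# the five strong-password characteristics listed above. DICTIONARY is a tiny
# constructed stand-in for a real word list; the user ID and name are samples.

DICTIONARY = {"password", "secret", "friday", "creative", "smart", "welcome",
              "letmein", "wireless", "cisco", "radius"}


def user_tokens(user_id: str, full_name: str) -> set:
    """Forms of the user's name or ID that must not appear in the password."""
    toks = {user_id} | set(full_name.split())
    toks = {t.lower() for t in toks if len(t) >= 3}     # ignore very short fragments
    return toks | {t[::-1] for t in toks}               # also catch reversed spellings


def failed_rules(password: str, user_id: str, full_name: str) -> list:
    """Return the names of the rules the password violates; an empty list means strong."""
    pw = password.lower()
    letters = re.sub(r"[^a-z]", "", pw)                 # "password1" -> "password"
    checks = {
        "min_six_chars": len(password) >= 6,
        "mixed_case": any(c.isupper() for c in password)
                      and any(c.islower() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "no_user_info": not any(t in pw for t in user_tokens(user_id, full_name)),
        "not_dictionary_word": pw not in DICTIONARY and letters not in DICTIONARY,
    }
    return [name for name, ok in checks.items() if not ok]


def is_strong(password: str, user_id: str, full_name: str) -> bool:
    return not failed_rules(password, user_id, full_name)


if __name__ == "__main__":
    # The page's three examples pass; the others each break one rule.
    for pw in ["cnw84Fri", "!crE8vpw", "G8tSm^rt", "Password1", "jsmith9X", "Ab1"]:
        print(f"{pw:10} {failed_rules(pw, 'jsmith', 'John Smith') or 'strong'}")
```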
