
WIRELESS NETWORKING CONCEPTS

Wireless Standards

Wireless Networking
Computers are connected and communicate with each other not by emissions of
electromagnetic energy in the air.
Infrastructure Based Networks
Infrastructure Less Networks

IBSS & DS

SSID (service set identification) is the informal name of the BSS.
BSS is functionally a contention domain as a local
or workgroup network is functionally a broadcast
domain.
In infrastructure mode, a single access point
together with all associated stations is called a
BSS.
BSSID is used to uniquely identify a BSS. BSSID
is the MAC address of the wireless access point
(WAP).
An Extended Service Set (ESS) is a set of two or
more BSSs that form a single sub network.

WLAN Architecture

IEEE802.11 Standards
802.11: This was the first 802.11 task group. The objective of this group
was to develop MAC layer and physical layer specifications for wireless
connectivity for fixed, portable, and mobile nodes within a local area.
802.11a: This group created a standard for wireless LAN operations in
the 5 GHz frequency band, where data rates of up to 54 Mbps are
possible.
802.11b: This task group created a standard for wireless LAN operations
in the 2.4 GHz Industrial, Scientific, and Medical (ISM) band, which is
freely available for use throughout the world. This standard is popularly
referred to as Wi-Fi, standing for Wireless-Fidelity. It can offer data
rates of up to 11 Mbps.
802.11c: This group was constituted for devising standards for bridging
operations. Manufacturers use this standard while developing bridges
and access points.

802.11d: This group's main objective is publishing definitions and
requirements for enabling the operation of the 802.11 standard in
countries that are not currently served by the standard.
802.11e: The main objective of this group is to define an
extension of the 802.11 standard for quality of service
(QoS) provisioning and service differentiation in wireless
LANs.

802.11f: This group was created for developing specifications for
implementing access points and distribution systems following the
802.11 standard, so that interoperability problems between devices
manufactured by different vendors do not arise.
802.11g: This group was involved in extending the 802.11b standard
to support high-speed transmissions of up to 54 Mbps in the 5 GHz
frequency band, while maintaining backward compatibility with
current 802.11b devices.
802.11h: This is supplementary to the 802.11 standard. It was
developed in order for the MAC layer to comply with European
regulations for 5 GHz
wireless LANs, which require products to have mechanisms for
transmission power control and dynamic frequency selection.
802.11i: This group is working on mechanisms for enhancing security
in the 802.11 standard.

802.11j: This task group is working on mechanisms for enhancing the
current 802.11 MAC physical layer protocols to additionally operate in
the newly available Japanese 4.9 GHz and 5 GHz bands.
802.11n: The objective of this group is to define standardized
modifications to the 802.11 MAC and physical layers such that modes of
operation that are capable of much higher throughputs at the MAC layer,
with a maximum of at least 100 Mbps, can be enabled.

Wireless Architecture

Interaction between Services and State Variables

The IEEE 802.11 standard states that each station must maintain
two variables that are dependent on the authentication, deauthentication
services and the association, re-association, disassociation services.
The variables are authentication state and association state, and they are
used in a simple state machine that determines the order in
which certain services must be invoked and when a station may
begin using the data delivery service.
A station may be authenticated with many different stations
simultaneously. However, a station may be associated with only
one other station at a time.

Interaction between Services and State Variables
In state 1, the station may use a very limited number of frame types.
These frames are used to find an IEEE 802.11 WLAN, an ESS, and its APs, to complete
the required frame handshake protocols, and to implement the authentication
service. If a station is part of an IBSS, it is allowed to implement the data service
in state 1.
In state 2, additional frame types are allowed to provide the capability for a station
in state 2 to implement the association, re-association, and disassociation
services.
In state 3, all frame types are allowed and the station may use the data delivery
service. A station must react to frames it receives in each of the states, even those
that are disallowed for a particular state. A station will send a de-authentication
notification to any station with which it is not authenticated if it receives frames
that are not allowed in state 1.
A station will send a disassociation notification to any station with which it is
authenticated, but not associated, if it receives frames not allowed in state 2.
These notifications will force the station that sent the disallowed frames to make a
transition to the proper state in the state diagram and allow it to proceed properly
toward state 3.
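
The three-state behaviour described above, as an added example that is not part of the original slides. The frame names, the reduced frame set and the assumption that an authentication frame always succeeds are simplifications made for this sketch.

```python
from enum import IntEnum

class State(IntEnum):
    UNAUTHENTICATED = 1   # state 1: unauthenticated, unassociated
    AUTHENTICATED = 2     # state 2: authenticated, unassociated
    ASSOCIATED = 3        # state 3: authenticated and associated

# Lowest state in which each frame type is allowed (simplified subset).
MIN_STATE = {"probe_request": 1, "authentication": 1, "deauthentication": 1,
             "association_request": 2, "reassociation_request": 2,
             "disassociation": 2, "data": 3}

class Station:
    def __init__(self, ibss=False):
        self.ibss = ibss    # in an IBSS the data service is allowed in state 1
        self.peers = {}     # peer address -> State, tracked per peer

    def state_of(self, peer):
        return self.peers.get(peer, State.UNAUTHENTICATED)

    def receive(self, peer, frame):
        """Process one frame from peer; return the notification to send, or None."""
        state = self.state_of(peer)
        needed = 1 if (frame == "data" and self.ibss) else MIN_STATE[frame]
        if needed > state:
            # Disallowed frame: the notification forces the sender back to
            # the proper state so it can proceed toward state 3.
            if state == State.UNAUTHENTICATED:
                return "deauthentication"
            return "disassociation"
        if frame == "authentication":      # handshake assumed to succeed
            self.peers[peer] = max(state, State.AUTHENTICATED)
        elif frame in ("association_request", "reassociation_request"):
            for other, st in self.peers.items():
                if st == State.ASSOCIATED:          # only one association at a time
                    self.peers[other] = State.AUTHENTICATED
            self.peers[peer] = State.ASSOCIATED
        elif frame == "disassociation":
            self.peers[peer] = State.AUTHENTICATED
        elif frame == "deauthentication":
            self.peers.pop(peer, None)
        return None
```

Because the state is kept per peer, the same station can be authenticated with several peers while being associated with only one of them.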

Relationship between State Variables and Services

IEEE 802.11 Service Sets and State Machine

CSMA/CA
Collision avoidance is used to improve the performance of
the CSMA method by attempting to divide the channel
somewhat equally among all transmitting nodes within the
collision domain.
Carrier Sense
Collision Avoidance
Request to Send/Clear to Send
Transmission

CSMA/CA
CSMA/CD
Inter Frame Space
Role of Contention Window

Timing in CSMA/CA

Procedure

Wireless Frames
Data Frame
hauling data from station to station
Control Frame
area clearing operations
channel acquisition
carrier-sensing maintenance functions
positive acknowledgment of received data
Management Frame
join and leave wireless networks
move associations from access point to access point

Wireless Security

Comparison of WEP, WPA and WPA2

Name
WEP: Wired Equivalent Privacy
WPA: Wifi Protected Access
WPA2: Wifi Protected Access 2

Combo
WEP: 24 bit initialization keys, 16.7 million combinations
WPA: 48 bit initialization keys, 500 trillion combinations
WPA2: 48 bit initialization keys, 500 trillion combinations, Advanced Encryption Standard

Encryption
WEP: 64 bits, 128 bits
WPA: 64 bits, 128 bits
WPA2: 64 bits, 128 bits

Keys
WEP: Static encryption keys
WPA: Unique encryption key
WPA2: Unique encryption key

Speed
WEP: Not much processing power
WPA: Somewhat processing power
WPA2: Requires greater processing power

Master Key
WEP: Master keys are used directly
WPA: Master keys are never directly
WPA2: Master keys are never directly

Disadvantages of WEP
WEP provides no forgery protection
No protection against Message Replays
WEP misuses the RC4 encryption algorithm in a way that
exposes the protocol to weak key attacks
By reusing initialization vectors, WEP enables an attacker
to decrypt the encrypted data without ever learning the
encryption key
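
Why a reused initialization vector defeats WEP confidentiality, as an added example that is not part of the original slides. The key, IVs and plaintexts are constructed, the CRC-32 integrity value is left out, and the collision estimate assumes IVs are chosen uniformly at random.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    # WEP seeds RC4 with the public 24-bit IV followed by the static key.
    # The CRC-32 integrity value is left out of this sketch.
    return xor(plaintext, rc4_keystream(iv + key, len(plaintext)))

def iv_reuse_demo():
    key = bytes.fromhex("0102030405")          # constructed 40-bit static key
    iv = bytes.fromhex("00002a")               # constructed IV, used twice
    p1 = b"known broadcast frame"              # constructed plaintexts
    p2 = b"confidential payload!"
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    # Same IV and static key give the same keystream, so it cancels out:
    # c1 XOR c2 == p1 XOR p2, and knowing p1 yields p2 without the key.
    recovered = xor(xor(c1, c2), p1)
    fresh = wep_encrypt(bytes.fromhex("00002b"), key, p2)
    return recovered == p2, fresh != c2

def frames_until_likely_iv_collision(iv_bits: int) -> int:
    # Birthday bound: frames needed for a 50% chance that two share an IV,
    # assuming IVs are picked uniformly at random.
    return math.ceil(math.sqrt(2 * math.log(2) * 2 ** iv_bits))
```

With a 24-bit IV the collision estimate is a few thousand frames, which is why TKIP's IV sequencing discipline and re-keying, listed below, target exactly this reuse.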

TKIP
Temporal Key Integrity Protocol (TKIP) is Task Group i's
solution for the security loopholes present in the already
deployed 802.11 hardware
It is a set of algorithms that wrap WEP to give the best
possible solution given all the above mentioned design
constraints.

Components of TKIP
A cryptographic message integrity code, or MIC, called
Michael: to defeat forgeries;
A new IV sequencing discipline: to remove replay attacks
from the attacker's arsenal;
A per-packet key mixing function: to de-correlate the
public IVs from weak keys
A re-keying mechanism: to provide fresh encryption and
integrity keys, undoing the threat of attacks stemming
from key reuse.

TKIP Encryption Process

TKIP Decryption Process

AES
Block Cipher
10 cycles of repetition for 128-bit keys
12 cycles of repetition for 192-bit keys
14 cycles of repetition for 256-bit keys
Operations performed in first 9 rounds:
Sub Bytes
Shift Rows
Mix Columns
Add Round Key
Operations performed in the 10th round:
Sub Bytes
Shift Rows
Add Round Key

AES
Diagram

EAP
Extensible Authentication Protocol
Link layer Authentication Framework
Used in Wireless and Point-to-Point Networks
Uses 4 different kinds of messages:

1. EAP request
2. EAP response
3. EAP success
4. EAP failure

EAP Example
[Figure: EAP message sequence between Peer and Authenticator. Identity Request, Identity Response, then EAP Request and EAP Response with the same type or a Nak, repeated as many times as needed, then EAP Success or EAP Failure message. If mutual authentication is required, the same sequence is shown a second time.]

Basic EAP Methods

The initial definition of EAP included several built-in
authentication methods:
Identity - request the other side to identify itself.
Notification - to send notifications to the other side.
Nak - peer refuses to use the authentication method.
MD5-Challenge - an implementation of CHAP over EAP.
One Time Password - used for one time passwords.
Generic Token Card - used for generic token cards.
Vendor Specific - *
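
A parser for the four EAP message kinds and the built-in methods listed above, with a check that every Response answers the pending Request with the same type or a Nak (an added example, not part of the original slides). The header layout and the code and type numbers follow RFC 3748; the helper names and the sample exchange are constructed for illustration.

```python
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
         5: "One Time Password", 6: "Generic Token Card"}

def build(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt: bytes) -> dict:
    if len(pkt) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(pkt):
        raise ValueError("Length field inconsistent with packet size")
    body = pkt[4:length]               # octets past Length are padding
    msg = {"code": CODES[code], "id": ident}
    if code in (1, 2):                 # only Request/Response carry a Type
        if not body:
            raise ValueError("Request/Response without a Type octet")
        msg["type"] = TYPES.get(body[0], f"type {body[0]}")
        msg["data"] = body[1:]
    elif body:
        raise ValueError("Success/Failure must not carry data")
    return msg

def check_exchange(packets):
    """Flag Responses that do not answer the pending Request."""
    problems, pending = [], None
    for n, raw in enumerate(packets):
        m = parse_eap(raw)
        if m["code"] == "Request":
            pending = m
        elif m["code"] == "Response":
            if pending is None or m["id"] != pending["id"]:
                problems.append(f"packet {n}: no pending Request with id {m['id']}")
            elif m["type"] not in (pending["type"], "Nak"):
                problems.append(f"packet {n}: {m['type']} does not answer {pending['type']}")
            pending = None
    return problems

# Constructed exchange: the peer refuses MD5-Challenge with a Nak asking for type 6.
SAMPLE = [build(1, 1, 1), build(2, 1, 1, b"alice"),
          build(1, 2, 4, b"\x10" + bytes(16)), build(2, 2, 3, b"\x06"),
          build(1, 3, 6, b"Passcode:"), build(2, 3, 6, b"123456"), build(3, 3)]
```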

Comparison of EAP-MD5, LEAP, EAP-TLS, EAP-TTLS and PEAP

Server Authentication
EAP-MD5: None
LEAP: Password Hash
EAP-TLS: Public Key (Certificate)
EAP-TTLS: Public Key (Certificate)
PEAP: Public Key (Certificate)

Supplicant Authentication
EAP-MD5: Password Hash
LEAP: Password Hash
EAP-TLS: Public Key (Certificate or Smart Card)
EAP-TTLS: CHAP, PAP, MS-CHAP(v2), EAP
PEAP: Any EAP, like EAP-MS-CHAPv2 or Public Key

Dynamic Key Delivery
EAP-MD5: No
LEAP: Yes
EAP-TLS: Yes
EAP-TTLS: Yes
PEAP: Yes

Security Risks
EAP-MD5: Identity exposed, Dictionary attack, Man-in-the-Middle (MitM) attack,
LEAP: Identity exposed, Dictionary attack
EAP-TLS: Identity exposed
EAP-TTLS: MitM attack
PEAP: MitM attack; Identity hidden in Phase 2 but potential exposure in
RBAC
Role-Based Access Control
Role and Permission

RBAC Model Components


Security Principles:
Least Privilege
Separation of duties
Data Abstraction
RBAC model is defined in terms of four model components:
Core RBAC
Hierarchical RBAC
Static Separation of Duty Relations
Dynamic Separation of Duty Relations

Core RBAC
[Figure: Core RBAC. USERS, ROLES, OPERATIONS, OBJECTS, privileges and Sessions, linked by (UA) User Assignment, (PA) Permission Assignment, user_sessions and session_roles.]

Many-to-many relationship among individual users and privileges
Session is a mapping between a user and an activated subset of assigned roles
User/role relations can be defined independent of role/privilege relations
Privileges are system/application dependent
Accommodates traditional but robust group-based access control

Hierarchical RBAC
[Figure: Hierarchical RBAC. Role Hierarchy, USERS, ROLES, OPERATIONS, OBJECTS, privileges and Sessions, linked by (UA) User Assignment, (PA) Permission Assignment, user_sessions and session_roles.]

Role/role relation defining user membership and privilege inheritance


Reflects organizational structures and functional delineations
Two types of hierarchies:
- Limited hierarchies
- General hierarchies

Static Separation of Duty Relations
[Figure: Static Separation of Duty (SSD). SSD, Role Hierarchy, USERS, ROLES, OPERATIONS, OBJECTS, privileges and SESSIONS, linked by (UA) User Assignment, (PA) Permission Assignment, user_sessions and session_roles.]

SoD policies deter fraud by placing constraints on administrative
actions and thereby restricting combinations of privileges that are
available to users
E.g., no user can be a member of both Cashier and AR Clerk roles
in Accounts Receivable Department

Dynamic Separation of Duty Relations
[Figure: Dynamic Separation of Duty. Dynamic Separation of Duty, Role Hierarchy, USERS, ROLES, OPERATIONS, OBJECTS, privileges and SESSIONS, linked by User Assignment, Permission Assignment, user_sessions and session_roles.]

DSoD policies deter fraud by placing constraints on the roles that can be activated in
any given session, thereby restricting combinations of privileges that are available to
users
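
A compact model of the four RBAC components described above (core, hierarchy, SSD, DSD), added here as an example that is not part of the original slides. The Cashier / AR Clerk conflict comes from the slide; the Cashier Supervisor and Accounting Manager roles, the privileges, and the choice to activate inherited roles together with a senior role are assumptions of this sketch.

```python
class RBAC:
    def __init__(self, ssd=(), dsd=()):
        self.ua = {}         # UA: user -> roles assigned to the user
        self.pa = {}         # PA: role -> {(operation, object)} privileges
        self.juniors = {}    # role hierarchy: role -> roles it inherits
        self.ssd = [frozenset(s) for s in ssd]   # never assigned together
        self.dsd = [frozenset(s) for s in dsd]   # never active together

    def closure(self, roles):
        """Roles plus everything they inherit through the hierarchy."""
        seen, todo = set(), list(roles)
        while todo:
            role = todo.pop()
            if role not in seen:
                seen.add(role)
                todo.extend(self.juniors.get(role, ()))
        return seen

    def assign(self, user, role):
        authorized = self.closure(self.ua.get(user, set()) | {role})
        for conflict in self.ssd:          # SSD is enforced at administration time
            if conflict <= authorized:
                raise PermissionError(f"SSD: {sorted(conflict)}")
        self.ua.setdefault(user, set()).add(role)

    def open_session(self, user, roles):
        if not set(roles) <= self.closure(self.ua.get(user, ())):
            raise PermissionError("role is not assigned to this user")
        active = self.closure(roles)       # this example activates inherited roles too
        for conflict in self.dsd:          # DSD is enforced at activation time
            if conflict <= active:
                raise PermissionError(f"DSD: {sorted(conflict)}")
        return active

    def allowed(self, session, operation, obj):
        return any((operation, obj) in self.pa.get(r, ()) for r in session)

def demo_policy():
    rbac = RBAC(ssd=[{"Cashier", "AR Clerk"}],
                dsd=[{"Cashier", "Cashier Supervisor"}])   # DSD pair is hypothetical
    rbac.juniors["Accounting Manager"] = {"AR Clerk"}      # hypothetical hierarchy
    rbac.pa["Cashier"] = {("open", "cash_drawer")}
    rbac.pa["Cashier Supervisor"] = {("approve", "drawer_correction")}
    return rbac
```

The SSD check runs over inherited roles as well, so a user who holds Accounting Manager cannot be given Cashier even though AR Clerk was never assigned to that user directly.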

WIDS
Wireless Intrusion Detection System
Components
Sensor
Dedicated Sensors
Bundled with AP

Console
Management Server
Database Server

WIPS
Wireless Intrusion Prevention System
Prevention Capabilities offered by WIPS
Wireless :
De-associate the current session between
misconfigured STA and an authorized AP
misconfigured AP and an authorized STA

Wired :
Block network activity based on the device's MAC address or switch port.

MAC Filtering
GUI Filtering or Layer 2 Address Filtering
Security Access Control Method
Uses Blacklists and Whitelists
Port Security
