NETWORKING CONCEPTS
Wireless Standards
Wireless Networking
Computers are connected and communicate with each
IBSS & DS
WLAN Architecture
IEEE802.11 Standards
802.11: This was the first 802.11 task group. The objective of this group was to develop MAC layer and physical layer specifications for wireless connectivity for fixed, portable, and mobile nodes within a local area.
802.11a: This group created a standard for wireless LAN operations in the 5 GHz frequency band, where data rates of up to 54 Mbps are possible.
802.11b: This task group created a standard for wireless LAN operations in the 2.4 GHz Industrial, Scientific, and Medical (ISM) band, which is freely available for use throughout the world. This standard is popularly referred to as Wi-Fi, standing for Wireless-Fidelity. It can offer data rates of up to 11 Mbps.
802.11c: This group was constituted for devising standards for bridging operations. Manufacturers use this standard while developing bridges and access points.
Wireless Architecture
The IEEE 802.11 standard states that each station must maintain two variables that depend on the authentication and deauthentication services and on the association, re-association, and disassociation services.
The variables are the authentication state and the association state; they are used in a simple state machine that determines the order in which certain services must be invoked and when a station may begin using the data delivery service.
A station may be authenticated with many different stations simultaneously. However, a station may be associated with only one other station at a time.
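The three-state model described above, as an added example that is not part of the original notes: a Station object keeps the two variables per peer (authenticated with many, associated with at most one) and rejects services invoked out of order. The class and method names are hypothetical.

```python
class StationStateError(Exception):
    """A service was invoked out of the order the 802.11 state machine allows."""


class Station:
    """Tracks one station's authentication state (per peer) and association state."""

    def __init__(self, mac):
        self.mac = mac
        self.authenticated = set()   # peers this station is authenticated with (may be many)
        self.associated_with = None  # the single peer it is associated with, if any

    def authenticate(self, peer):
        self.authenticated.add(peer)          # State 1 -> State 2 for this peer

    def deauthenticate(self, peer):
        # Deauthentication also ends any association with that peer (State 3/2 -> State 1).
        self.authenticated.discard(peer)
        if self.associated_with == peer:
            self.associated_with = None

    def associate(self, peer):
        if peer not in self.authenticated:
            raise StationStateError("authentication must precede association")
        if self.associated_with not in (None, peer):
            raise StationStateError("already associated; reassociate or disassociate first")
        self.associated_with = peer           # State 2 -> State 3 for this peer

    def reassociate(self, new_peer):
        # Moves the single association to another peer the station is already authenticated with.
        if new_peer not in self.authenticated:
            raise StationStateError("authenticate with the new peer before reassociating")
        self.associated_with = new_peer

    def disassociate(self):
        self.associated_with = None           # State 3 -> State 2

    def state(self, peer):
        """1 = unauthenticated/unassociated, 2 = authenticated only, 3 = authenticated and associated."""
        if peer not in self.authenticated:
            return 1
        return 3 if self.associated_with == peer else 2

    def can_use_data_service(self, peer):
        # Data delivery (class 3 frames) is permitted only in State 3.
        return self.state(peer) == 3
```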
CSMA/CA
Collision avoidance is used to improve the performance of
CSMA/CA
CSMA/CD
Inter Frame Space
Role of Contention Window
Timing in CSMA/CA
Procedure
Wireless Frames
Data Frame
hauling data from station to station
Control Frame
area clearing operations
channel acquisition
carrier-sensing maintenance functions
positive acknowledgment of received data
Management Frame
join and leave wireless networks
move associations from access point to access point
Wireless Security
Comparison of WEP, WPA and WPA2 (Wifi Protected Access 2)
Combo:
WEP: 24 bit initialization keys, 16.7 million combinations
WPA: 48 bit initialization keys, 500 trillion combinations
WPA2: 48 bit initialization keys, 500 trillion combinations, Advanced Encryption Standard
Encryption:
WEP: 64 bits, 128 bits
WPA: 64 bits, 128 bits
WPA2: 64 bits, 128 bits
Keys:
WEP: Static encryption keys
WPA: Unique encryption key
WPA2: Unique encryption key
Speed:
WEP: Not much processing power
WPA: Somewhat more processing power
WPA2: Requires greater processing power
Master Key
Disadvantages of WEP
WEP provides no forgery protection
No protection against Message Replays
WEP misuses the RC4 encryption algorithm in a way that
TKIP
Temporal Key Integrity Protocol (TKIP) is the Task Group i's
Components of TKIP
A cryptographic message integrity code, or MIC, called
AES
Block Cipher
10 cycles of repetition for 128-bit keys
12 cycles of repetition for 192-bit keys
14 cycles of repetition for 256-bit keys
Operations performed in first 9 rounds:
Sub Bytes
Shift Rows
Mix Columns
Add Round Key
Operations performed in the final (10th) round:
Sub Bytes
Shift Rows
Add Round Key
AES
Diagram
EAP
Extensible Authentication Protocol
Link layer Authentication Framework
Used in Wireless and Point-to-Point Networks
Uses 4 different kinds of messages:
1. EAP request
2. EAP response
3. EAP success
4. EAP failure
EAP Example (Peer and Authenticator)
Authenticator -> Peer: EAP Request (Identity)
Peer -> Authenticator: EAP Response (Identity)
Authenticator -> Peer: EAP Request (authentication method)
Peer -> Authenticator: EAP Response with the same type, or a Nak
The Request/Response pairs are repeated as many times as needed.
If mutual authentication is used, the Peer also sends EAP Requests to the Authenticator, repeated as required.
Authentication methods:
Identity - request the other side to identify itself.
Notification - to send notifications to the other side.
Nak - peer refuses to use the authentication method.
MD5-Challenge - an implementation of CHAP over EAP.
One Time Password - used for one time passwords.
Generic Token Card - used for generic token cards.
Vendor Specific - *
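The four message kinds and the Identity, MD5-Challenge and Nak types listed above, as an added toy exchange that is not from the original notes: the peer answers Requests and refuses an unsupported method with a Nak naming the type it wants, and the authenticator repeats the Request/Response step until it can finish with Success or Failure. The eap_msg encoding and the Peer/Authenticator classes are constructed for this example (no RADIUS transport, no retransmission).

```python
import hashlib, hmac, os

# EAP Code (message kind) and Type values from RFC 3748 (Nak = 3, MD5-Challenge = 4).
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK, MD5_CHALLENGE = 1, 3, 4
OTP = 5  # One-Time Password type, used here only to provoke a Nak


def eap_msg(code, ident, type_=None, data=b""):
    return {"code": code, "id": ident, "type": type_, "data": data}


class Peer:
    """Supplicant side: answers Requests, refuses unsupported methods with a Nak."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, req):
        if req["type"] == IDENTITY:
            return eap_msg(RESPONSE, req["id"], IDENTITY, self.name.encode())
        if req["type"] == MD5_CHALLENGE:  # CHAP over EAP: MD5(identifier || secret || challenge)
            digest = hashlib.md5(bytes([req["id"]]) + self.secret + req["data"]).digest()
            return eap_msg(RESPONSE, req["id"], MD5_CHALLENGE, digest)
        return eap_msg(RESPONSE, req["id"], NAK, bytes([MD5_CHALLENGE]))  # desired type


class Authenticator:
    """Drives the exchange: Identity, then a method Request, ending in Success or Failure."""
    def __init__(self, secrets):
        self.secrets = secrets  # identity -> shared secret

    def run(self, peer, method=MD5_CHALLENGE):
        ident = 1
        identity = peer.respond(eap_msg(REQUEST, ident, IDENTITY))["data"].decode()
        while True:  # repeat Request/Response until the peer accepts a method
            ident += 1
            challenge = os.urandom(16)
            reply = peer.respond(eap_msg(REQUEST, ident, method, challenge))
            if reply["type"] != NAK:
                break
            method = reply["data"][0]
            if method != MD5_CHALLENGE:  # the only method this toy authenticator supports
                return eap_msg(FAILURE, ident)
        secret = self.secrets.get(identity, b"")
        expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
        ok = identity in self.secrets and hmac.compare_digest(reply["data"], expected)
        return eap_msg(SUCCESS if ok else FAILURE, ident)
```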
EAP-MD5
Server Authentication: None
Supplicant Authentication: Password Hash
Dynamic Key Delivery: No
Security Risks: Identity exposed, Dictionary attack, Man-in-the-Middle (MitM) attack
LEAP
Server Authentication: Password Hash
Supplicant Authentication: Password Hash
Dynamic Key Delivery: Yes
Security Risks: Identity exposed, Dictionary attack
EAP-TLS
Server Authentication: Public Key (Certificate)
Supplicant Authentication: Public Key (Certificate or Smart Card)
Dynamic Key Delivery: Yes
Security Risks: Identity exposed
EAP-TTLS
Server Authentication: Public Key (Certificate)
Supplicant Authentication: CHAP, PAP, MS-CHAP(v2), EAP
Dynamic Key Delivery: Yes
Security Risks: MitM attack
PEAP
Server Authentication: Public Key (Certificate)
Supplicant Authentication: Any EAP, like EAP-MS-CHAPv2, or Public Key
Dynamic Key Delivery: Yes
Security Risks: MitM attack; Identity hidden in Phase 2 but potential exposure in
RBAC
Role-Based Access Control
Role and Permission
Core RBAC
[Core RBAC diagram: USERS are linked to ROLES by User Assignment (UA); ROLES are linked to privileges (OPERATIONS on OBJECTS) by Permission Assignment (PA); SESSIONS are linked to USERS via user_sessions and to ROLES via session_roles.]
User/role relations can be defined independently of role/privilege relations
Privileges are system/application dependent
Accommodates traditional but robust group-based access control
Hierarchical RBAC
Role Hierarchy
[Hierarchical RBAC diagram: the Core RBAC relations (USERS, ROLES, SESSIONS, OPERATIONS, OBJECTS, privileges, UA, PA, user_sessions, session_roles) plus a Role Hierarchy relation on ROLES.]
Dynamic Separation of Duty
DSoD policies deter fraud by placing constraints on the roles that can be activated in any given session, thereby restricting the combinations of privileges that are available to users.
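The Core RBAC relations named above (UA, PA, user_sessions, session_roles) together with the DSoD rule, as an added example that is not part of the original notes: a user may be assigned conflicting roles, but the check at activation time keeps them from being active in the same session, so the session's privileges come only from the roles it has activated. The RBAC class and its method names are hypothetical.

```python
class RBAC:
    """Core RBAC relations from the notes (UA, PA, user_sessions, session_roles)
    plus Dynamic Separation of Duty constraints checked at role activation."""

    def __init__(self):
        self.ua = {}             # User Assignment: user -> set of roles
        self.pa = {}             # Permission Assignment: role -> set of (operation, object)
        self.user_sessions = {}  # user -> set of session ids
        self.session_roles = {}  # session id -> roles active in that session
        self.session_user = {}   # session id -> owning user
        self.dsod = []           # (role set, n): a session may activate fewer than n of them

    def assign_user(self, user, role):
        self.ua.setdefault(user, set()).add(role)

    def grant(self, role, operation, obj):
        self.pa.setdefault(role, set()).add((operation, obj))

    def add_dsod(self, roles, n):
        self.dsod.append((frozenset(roles), n))

    def create_session(self, user, sid):
        self.user_sessions.setdefault(user, set()).add(sid)
        self.session_user[sid] = user
        self.session_roles[sid] = set()

    def activate_role(self, sid, role):
        user = self.session_user[sid]
        if role not in self.ua.get(user, set()):
            raise PermissionError(f"{user} is not assigned role {role}")
        proposed = self.session_roles[sid] | {role}
        for role_set, n in self.dsod:
            if len(proposed & role_set) >= n:  # activating it would combine conflicting roles
                raise PermissionError(f"DSoD violation: {sorted(proposed & role_set)} in one session")
        self.session_roles[sid].add(role)

    def check_access(self, sid, operation, obj):
        # Privileges come only from roles active in this session, not from all assigned roles.
        return any((operation, obj) in self.pa.get(r, set()) for r in self.session_roles[sid])
```

A user assigned both a role that creates records and a role that approves them can still hold both, but with a DSoD constraint of n=2 on that pair only one of them can be active in any one session.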
WIDS
Wireless Intrusion
Detection System
Components
Sensor
Dedicated Sensors
Bundled with AP
Console
Management Server
Database Server
WIPS
Wireless Intrusion Prevention System
Prevention Capabilities offered by WIPS
Wireless:
De-associate the current session between
a misconfigured STA and an authorized AP
a misconfigured AP and an authorized STA
Wired:
Block network activity based on the device's MAC address or switch port.
MAC Filtering
GUI Filtering or Layer 2 Address Filtering
Security Access Control Method
Uses Blacklists and Whitelists
Port Security