802.11x Wireless Basics
Wireless LAN Configurations
Currently, most wireless networks (WLANs) are based on the IEEE 802.11b, 802.11a or 802.11g standards. These standards define how to wirelessly connect computers or devices to a network.
The choice of
802.11b was the first 802.11 standard to be released and to have commercial products available. Also called Wireless Fidelity, or Wi-Fi, it has a range suitable for use in big office spaces. Wi-Fi is currently the most popular and least expensive wireless LAN specification. It operates in the unlicensed 2.4 GHz radio spectrum and can transmit data at speeds up to 11 Mbps within a 30 m range. It can be affected by interference from mobile phones and Bluetooth devices, which can reduce transmission speeds.
802.11a has some advantages over Wi-Fi. It operates in a less-populated (but also unlicensed) frequency band (5.15 GHz to 5.35 GHz) and, therefore, is less prone to interference. Its bandwidth is much higher than that of 802.11b, with a theoretical peak of 54 Mbps. However, actual throughput is typically closer to 25 Mbps.
802.11g is the latest standard and promises to be the most popular format. It combines the speed of 802.11a with backward compatibility with 802.11b. It operates in the same frequency band as 802.11b and, consequently, can also be affected by interference.
The following table provides some comparative communications distances at various data communications speeds for each of the 802.11x standards.
The following table provides information on data rates for each standard. Note that 802.11g systems operate significantly faster when there are no 802.11b clients in the network.
Basic Wireless Network Topology
When upgrading to a wireless network, the overall layout can be somewhat confusing. In the figure below, we can see a typical wired client/server network setup, including a network hub or (more often in modern networks) a switch, a dedicated server, a PC and a serial device connected to the network via a serial server. This is referred to as a “wired infrastructure configuration.”
A simpler wired network configuration (shown below) dispenses with the server and only consists of computers and other networked devices connected via their Ethernet interfaces through the hub or switch. This configuration is called a “wired peer-to-peer network.”
To give either of these existing networks wireless capability, connect a wireless access point (AP) to the network switch as shown in the figure below. Laptop or desktop computers equipped with wireless cards, or other wireless devices such as wireless serial servers, communicate with each other and the wired network via the AP. Wireless devices connect to the switch as if they were connected via a normal network cable. Major benefits to adding the wireless segment
Wireless devices can also be set up in a peer-to-peer, or ad hoc, network configuration, as shown below.
Extending the Range
WLANs have a flexible architecture. You can easily extend the range and allow seamless roaming between APs. The preferred setup method for roaming within the office environment is to install multiple APs with the same Service Set Identifier (SSID) and security settings, but with each on a unique channel. 802.11x has three non-overlapping channels: 1, 6 and 11. You can spread out the APs in an overlapping-cell layout, with adjacent cells on different channels, as shown below:
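To show why the three channels named above are the only non-overlapping ones, here is an added example (not code from the original article) that models 2.4 GHz channel centre frequencies and flags APs placed on overlapping channels. The 22 MHz channel width and the AP names in the layout are my own assumptions.

```python
# 2.4 GHz channel plan check (added example; AP names are constructed).
CHANNEL_WIDTH_MHZ = 22  # 802.11b DSSS occupied bandwidth; 802.11g OFDM is about 20 MHz


def center_mhz(ch: int) -> int:
    """Centre frequency of a 2.4 GHz channel: 1-13 sit 5 MHz apart from 2412 MHz; 14 is 2484 MHz."""
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    if ch == 14:
        return 2484
    raise ValueError(f"not a 2.4 GHz channel: {ch}")


def overlaps(a: int, b: int) -> bool:
    """Two channels interfere when their centres are closer than one channel width."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_channels(channels=range(1, 12)) -> list:
    """Greedy walk: keep each channel that is clear of every channel already kept.
    For the channel set 1-11 used in the text this yields [1, 6, 11]."""
    kept = []
    for ch in channels:
        if all(not overlaps(ch, k) for k in kept):
            kept.append(ch)
    return kept


def conflicting_aps(layout: dict) -> list:
    """Return pairs of AP names whose channels overlap; an empty list means the plan is clean."""
    names = sorted(layout)
    return [(x, y) for i, x in enumerate(names)
            for y in names[i + 1:] if overlaps(layout[x], layout[y])]


if __name__ == "__main__":
    print(non_overlapping_channels())  # [1, 6, 11]
    plan = {"AP-east": 1, "AP-lobby": 3, "AP-west": 6}  # constructed layout
    # AP-lobby on channel 3 collides with both neighbours; move it to 11 to fix the plan.
    print(conflicting_aps(plan))
```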
802.11 Authentication & Encryption Security Basics
Like installing locks and keys on a door to control entry, wireless LAN security is designed to control which users can access the LAN. The following table provides a summary of various WLAN security protocols and techniques.
Default Security Settings
To provide basic authentication, most APs support simple MAC address filtering. Default security values are built in and, in most cases, the AP implements these values on power-up. However, you may want to make changes. Typically, the following three parameters are configurable:
SSID – The Service Set Identifier will normally default to the manufacturer’s name. You can set it to any word or phrase you like.
Channel – Normally the channel setting will default to channel 6. However, if a nearby neighbor is also using an access point and it is set to channel 6, there can be interference. Choose any other channel between 1 and 11. An easy way to see if your neighbors have access points is to use the search feature that comes with your wireless card.
WEP Key – WEP is disabled by default. To turn it on you must enter a WEP key and turn on 128-bit encryption.
Wired Equivalent Privacy (WEP)
WEP is the original security protocol for WLANs, defined in the 802.11 standard. WEP was the only encryption available on early 802.11 devices and is not an industrial-strength security algorithm.
Although simple to implement, WEP is easily hacked. Significant security improvements can be made simply by enabling two options built into the access point: MAC address filtering and hiding the SSID. These measures will stop accidental intrusion and casual hackers, but they are not sufficient for sensitive data or mission-critical networks.
Lightweight Extensible Authentication Protocol (LEAP)
LEAP is a proprietary authentication solution that is based on 802.1x but adds proprietary security elements. The standard was developed by Cisco and, although implementation is simple, it shares some weaknesses with WEP and should not be used if high security is required for your configuration. LEAP helps eliminate security vulnerabilities through the use of the following techniques:
Mutual Authentication – The client must authenticate the network and the network must authenticate the client.
User-Based Authentication – By using usernames and passwords, LEAP eliminates the possibility of unauthorized users accessing the network through a pre-authorized piece of equipment.
Dynamic WEP Keys – LEAP uses 802.1x to continually generate unique WEP keys for each user.
Protected Extensible Authentication Protocol (PEAP)
PEAP is a flexible security scheme that creates an encrypted SSL/TLS (Secure Sockets Layer / Transport Layer Security) channel between the client and the authentication server; the channel then protects the subsequent user authentication exchange. To create the secure channel between client and authentication server, the PEAP client first authenticates the PEAP authentication server using digital certificate authentication. When the secure TLS channel has been established, you can select any standard EAP-based user authentication scheme for use within the channel.
After the user is successfully authenticated, dynamically generated keying material is supplied by the authentication server to the wireless AP. From this keying material, the AP creates new encryption keys for data protection.
Temporal Key Integrity Protocol (TKIP)
TKIP is part of the IEEE 802.11i encryption standard for WLANs and is the next generation of WEP. It enhances WEP by adding a per-packet key mixing function, a message integrity check and a re-keying mechanism. TKIP encryption replaces WEP’s small (40-bit) static encryption key, manually entered on wireless APs and client devices, with a 128-bit per-packet key. TKIP significantly mitigates WEP’s vulnerabilities but does not provide a complete resolution for WEP weaknesses.
Wi-Fi Protected Access (WPA)
WPA was introduced as a subset of the 802.11i security standard based on TKIP. WPA addresses the weaknesses of WEP with the dynamic encryption scheme provided by TKIP. WPA dynamically generates keys and removes the predictability that intruders rely on to exploit the WEP key. WPA also includes a Message Integrity Check (MIC), designed to prevent an attacker from capturing, altering and resending data packets.
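The MIC that WPA/TKIP adds is the Michael algorithm defined in IEEE 802.11i. The following is an added example, not code from the article, that implements Michael and shows a receiver rejecting a frame body altered in transit; the key and frame body are constructed for illustration, and the real TKIP MIC input also covers the destination and source addresses and priority, which are omitted here.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _rotr(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK32


def _xswap(v):
    # Swap the two bytes inside each 16-bit half: bytes ABCD -> BADC.
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)


def _michael_block(l, r):
    # One round of the Michael mixing function over the (L, R) state.
    r ^= _rotl(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);    l = (l + r) & MASK32
    r ^= _rotl(l, 3);  l = (l + r) & MASK32
    r ^= _rotr(l, 2);  l = (l + r) & MASK32
    return l, r


def michael_mic(key: bytes, msg: bytes) -> bytes:
    """Michael MIC: 64-bit key in, 64-bit tag out (IEEE 802.11i TKIP).
    Michael is deliberately lightweight (roughly 2^20 work to forge), which is
    why TKIP pairs it with countermeasures that re-key after repeated MIC failures."""
    if len(key) != 8:
        raise ValueError("Michael key must be 64 bits")
    l, r = struct.unpack("<II", key)
    # Padding: a single 0x5a byte, then 4 to 7 zero bytes, up to a multiple of 4 bytes.
    zeros = 4 + (-(len(msg) + 1) % 4)
    padded = msg + b"\x5a" + bytes(zeros)
    for (word,) in struct.iter_unpack("<I", padded):  # 32-bit little-endian words
        l ^= word
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)


def mic_is_valid(key: bytes, msg: bytes, mic: bytes) -> bool:
    """Receiver-side check with a constant-time compare."""
    return hmac.compare_digest(michael_mic(key, msg), mic)


if __name__ == "__main__":
    mic_key = bytes.fromhex("0123456789abcdef")  # constructed MIC key
    body = b"GET /status HTTP/1.0\r\n"           # constructed frame body
    tag = michael_mic(mic_key, body)
    print(tag.hex(), mic_is_valid(mic_key, body, tag))
    # A single altered byte invalidates the tag, so a modified replay is dropped.
    print(mic_is_valid(mic_key, body.replace(b"GET", b"PUT"), tag))
```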
Wi-Fi Protected Access 2 (WPA2)
WPA2 is the certified interoperable version of the full IEEE 802.11i specification. Like WPA, WPA2 supports IEEE 802.1x/EAP authentication or pre-shared key (PSK) technology. The authentication method depends on whether Personal Mode or Enterprise Mode is being implemented. Encryption is the same in both modes: the Counter Mode with CBC-MAC Protocol (CCMP), which is built on the Advanced Encryption Standard (AES). AES satisfies U.S. government security requirements.
When a user associates with an access point, a WPA2 mutual authentication process is initiated. The AP blocks access to the network until the user provides the appropriate credentials. The mutual authentication process ensures that only authorized users can gain access to the network. It also ensures that the client is connecting to an authorized server. If the user’s credentials are accepted by the authentication server, the client is admitted to the WLAN.