180 likes | 296 Views
Gary Zavitz gaz@interbeach.com. Wireless LAN Site Surveys and Security Considerations. eLearning…Wired and Wirelessly!. Experience. WBT and ILT training experience Producer, Developer of Virtual Webinars Wireless Computing Instructor Telecom Management Certification
E N D
Gary Zavitz gaz@interbeach.com Wireless LAN Site Surveys and Security Considerations eLearning…Wired and Wirelessly!
Experience • WBT and ILT training experience • Producer, Developer of Virtual Webinars • Wireless Computing Instructor • Telecom Management Certification • Chair of Sheridan College Telecom Alumni Association
A Warehouse Without Wires The client has expanded warehouse operations into a large area, that lacks existing wiring. The ceiling is very high, and the floor is thick concrete. It will be quite expensive to install traditional data wiring. They have some fork lifts whose operators use mobile terminals which need LAN connectivity. Think about what type of area this represents, and what design considerations might need to be made.
Why a site survey? • Determine actual coverage area • Determine number of wireless cells needed • Determine location of access point and/or wireless servers
Wireless – planning considerations • Number of total and simultaneous users • Average and maximum bandwidth needed • Degree of user roaming • Site survey input • Location of AP’s to maximize connectivity and bandwidth (distance/density/overlap) • Frequency/channel usage (1,6,11 non-overlapping) • Redundancy
Barriers and attenuation of signals RF Barrier description RF Barrier severity Examples Air Minimal Wood Low partitions Plaster Low inner walls Synthetic material Low partitions Asbestos Low ceilings Glass Low windows Water Medium damp wood , aquarium Bricks Medium inner and outer walls Marble Medium inner walls Paper rolls High paper on a roll Concrete High floors, outer walls Bulletproof glass High security booths Metal Very high desks, metal partitions
Security Concerns We are concerned and need what ever wireless solution is deployed to be secure. We’d like to have an easy to manage, centralized system for updating keys, and validating AP’s and clients. Using MAC based filters at each of the AP’s is too much of a hassle.
Phy - Header MAC Header and Payload Preamble MAC Header Payload CRC PLCP Header Encrypted Cyphertext ICV 32 bits Init Vector 24 bits wLAN Security - Wired Equivalency Privacy • WEP : symmetric encryption (shared key), defines method but not how to share and distribute/manage keys • RC4 algorithm (40+24 bits keys) WIFI compliant • 104 + 24 bits proprietary (non IEEE standard/non WiFi scope) but interoperable implementations (i.e. Lucent/Cisco, others)
wLAN Security - WEP issue? • Goal was to address equivalent physical security as with fixed network • Should be used with other measures above and beyond to achieve data privacy • 40 or 104 bit encryption, length of 24 bit init vector, sent as clear text, was concern of Berkeley article • Single Key per Network • multiple keys for Receive to allow key change-over • Most AP (Cisco, etc.) products support Radius based MAC authentication
EncryptionWired Equivalent Privacy • “64 WEP” standard available • 40-bit secret key + 24-bits Initialization Vector (IV) • IEEE 802.11 standard • “128RC4” available • 104-bit secret key + 24-bits Initialization Vector (IV) • Not IEEE 802.11 compliant • When WEP is enabled, Shared Key Authentication is enabled
Overview of 802.11b Security Vulnerabilities • Compromise of encryption key • Theft of hardware is equivalent to theft of key • Packet spoofing, disassociation attack • Rogue AP • Known plain-text attack • Brute force attack • Passive monitoring • Replay attack
Wireless – Security Recommendations • Change default SSID, password, SNMP settings • Avoid temping SSID names that identify hacker targets • Configure as “Closed System” to not broadcast SSID beacons or answer probes from clients set to “ANY” • Minimize coverage beyond desired areas • Use tools for periodic site surveys to spot “rogue” AP’s • Consider limiting access based on MAC if practical • Place APs in DMZ based VLAN and have clients VPN in • Consider IPSec • AP’s not in public accessible areas • Address WEP Weaknesses via Key Rotation, 802.1x, WEP 2 (802.11i),VPN Overlay
802.1x, Security and Encryption • 802.1x is purely an authentication standard and is a “Standard for Port Based Network Access Control” • 802.1x applies to wired and wireless networks • 802.1x defines methods for authentication and key distribution plus other things • 802.1x is usable with currently standardized authentication/key distribution schemes (i.e. - RADIUS/ Kerberos) • 802.1x is a work in progress • Usable with currently standardized authentication/key distribution schemes (i.e. - RADIUS/ Kerberos) • Does not specify MAC level encryption type (I.e. WEP40/104 or other), so independent of it • However, 802.1x can be used to set WEP keys • Addresses Key Distribution problem • Permits rapidly changing, individual WEP keys • WEP is still required for encryption
Access ControlRADIUS Access Control (RAC) • Extension to existing Access Control system to make it more usable for large networks • Access Control table does not reside in each Access Point but in a RADIUS server: • Server device that communicates with APs using RFC 2138 defined RADIUS protocol definition. (RADIUS = Remote Authentication Dial-In User Service) • Network administrator needs to manage one Access Control table which rather then one for each AP • RAC will overcome the limitation of the 497 entries that an AP-based Access Control Table can hold at maximum
And if you don’t believe secure wireless communications is important…