550 likes | 1.08k Views
Xirrus Training. Wi-Fi Basics. Hans Van Damme Senior Wifi Application Engineer. Part A: Wi-Fi Basics #1: RF Basics #2: Wi-Fi Standards #3: Wi-Fi Security #4: Wi-Fi Futures. #1: RF Propagation – Transmission. Transmission Basics Radio Waves Travel at speed of light
E N D
Xirrus Training • Wi-Fi Basics Hans Van Damme Senior Wifi Application Engineer
Part A: Wi-Fi Basics#1: RF Basics #2: Wi-Fi Standards #3: Wi-Fi Security #4: Wi-Fi Futures
#1: RF Propagation – Transmission Transmission Basics • Radio Waves • Travel at speed of light • Radios tune to specific frequency • Data is modulated and encoded • Basic Radio Card Components • Antenna • Amplifiers (Transmit and Receive) • Radio • Baseband (converts analog waves to digital “bits” )
#1: RF Propagation – Range Transmission Basics • Range • Operating distance between two radios that wish to communicate • Access Point to Station • Station to Station • Coverage • Total area wherein radios can maintain connection to Access Point
#1: RF Propagation – Inhibitors Range Inhibitors • Multi-path • Interference • Attenuation
#1: RF Propagation – Enhancers Range Enhancers • Additional transmit power • Better antenna gain • Better receiver sensitivity
#2: The RF Link – Range Dynamics Fundamentals • RF Power is measured in dBm • 0dBm = 1 milliwatt of power • +10dB = 10 times the power • 20dBm = 100milliwatts of power (FCC limit) • -3dBm = ½ of a milliwatt of power • Signal Power Dissipation • Inverse of the square of the distance • Signal Strength • Expected power at receiver • RSSI = Receive Signal Strength Indicator (dBm) • Path Loss • Expected Signal Loss between Two Receivers • Link Budget • TX Power + TX Antenna Gain – Path Loss + RX Antenna Gain = Expected Useable Signal at Receiver
#2: The RF Link – SNR Signal to Noise Ratio (SNR) • Indicates how much useable signal is available • Higher data rates require higher SNR values
#2: The RF Link – Capacity Range versus Capacity The greater the coverage area… …the more wireless stations can be covered …the less bandwidth available to each user …the lower data rates will be at the edge …the more likely the chances of “hidden nodes” 9
#1 and #2: RF – Best Practices Recommendations • Gain is good: use high gain antenna systems • Receiver sensitivity is important • Use better radio chipsets if possible • Design coverage for signal strengths of at least -70dBm or better • SNR of at least 20dB is desired = 36Mbps or better data rates • Use multiple radios to provide capacity for larger spaces High Gain Sectored Antennas Radio Modules Array Controller + Wireless Switch
Part A: Wi-Fi Basics#1: RF Basics#2: Wi-Fi Standards #3: Wi-Fi Security #4: Wi-Fi Futures
#3: 802.11a/b/g – Overview 802.11b • Ratified in 1999 • Operates in 2.4GHz spectrum • Data Rates: 1, 2, 5.5, 11Mbps 802.11a • Ratified in 1999 • Operates in 5GHz spectrum • Data Rates: 6, 9, 12, 18, 24, 36, 48, 54Mbps 802.11g • Ratified in 2003 • Operates in 2.4GHz spectrum • Data Rates: 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54Mbps • Backward compatible with 802.11b
#3: 802.11a/b/g – Client / AP Interaction Contention Management • Clients join the network by an authentication/association process. All wireless devices must follow specific rules for transmitting to avoid and mitigate collisions on the medium (‘the air’).
#3: 802.11a/b/g – Best Practices Recommendations • 802.11b-only is nearly unavailable • 802.11b/g is end of life • Buy 802.11a/b/g adapters at a minimum • Better yet, buy 802.11a/b/g/n adapters
802.11a 802.11g 802.11b #4: 802.11 Channels – Capacity / Allocation • Non-overlapping Channels • 802.11a = 23 • 802.11b/g = 3 • Total Capacity • 802.11a = 1.24Gbps • 802.11g = 162Mbps • 802.11g (w / 11b) = 42Mbps • 802.11b = 33Mbps
#4: 802.11 Channels – Cell Planning 802.11b/g Channels Available = 3 • Distance to cell with same channel is less than a single cell • Sensitive to co-channel interference (from other cells on the same channel) • If energy is weak, seen as interference • If energy is strong, stations will defer • Bleed-over retards higher data rates • Greatly reduces overall network capacity 802.11a Channels Available = 23 • High Performance: 8 times the capacity • Far less interference from cells on same channel • More channels to avoid interference
#4: 802.11 Channels – Interference Issues 802.11b/g uses the 2.4 GHz ISM band • Common devices cause interference • Bluetooth devices • Cordless phones • Microwave ovens • X10 wireless video cameras • HAM radio operators • Interference collides with the intended signal • Transmissions are garbled and data packets are retransmitted • Reduced end-user throughput and increased latency of data traversing the RF network 802.11a uses the 5GHz UNII band • Relatively interference free
#4: Channels – Best Practices Recommendations Graduate to the 5GHz spectrum (802.11a now, 802.11n next) to achieve: 8X increased capacity Significantly reduced interference Simplified channel planning Use multiple radios on different channels in a given cell to increase capacity Limit the number of users per radio to about 12-15 Lower this limit if using voice to about 8-10 18
#5: 802.11 Networking – Client Connection Client Association • Clients join the Wi-Fi infrastructure through an authentication/association process • Probe Requests/Responses sent periodically by stations to update information about wireless environment
#5: 802.11 Networking – SSIDs SSIDs Clients associate to an SSID (Service Set Identifier) – a label that uniquely defines a virtual Wi-Fi network, similar to a VLAN on a wired network. SSIDs can operate across: Multiple APs Multiple channels Multiple radios 20
#5: 802.11 Networking – Roaming Scanning • Wi-Fi client radios continually scan the air to detect available networks (SSIDs) within range, maintaining information about each Roaming • After a Wi-Fi client associates with a radio/SSID, it remains connected to that radio unless it determines there is another one with a better signal strength • If the signal strength is above a certain threshold, the client will switch (roam) to that new radio
#5: 802.11 Networking – Best Practices Recommendations • Use separate SSIDs to partition different groups of users, each with their corresponding security level, QoS level, access restrictions, etc. • Tie each SSID to its own VLAN in the wired network • Keep the number of different SSIDs to a minimum – usually 2-3 • Do not use disabled SSID broadcasting as security – anyone with a wireless sniffer can detect the SSID • Do not use default SSIDs – change them to something not associated with your organization’s name • Adjust station driver settings to control roaming behavior
Xirrus Array Training 30 Minute Break
Part A: Wi-Fi Basics#1: RF Basics #2: Wi-Fi Standards #3: Wi-Fi Security #4: Wi-Fi Futures
#6: Authentication – Standards • IEEE 802.11i defines the security provisions for Wi-Fi, including: • Authentication • Encryption and Key Management • Commercial implementations of 802.11i are most commonly referred to by the Wi-Fi Alliance’s terminology, which they certify: • WPA and WPA2 = Wi-Fi Protected Access (2) 25
#6: Authentication – 802.11i Security 802.11i • Ratified in 2004 • Provides much stronger security than the original 802.11 standard (WEP) • Uses IEEE 802.1X authentication (Pre-shared Key (PSK) version for SOHO use only) Four primary phases:
#6: Authentication – Fundamentals What is Authentication? Validates the identity of a user or device (you are who you say you are) Executes mutually between the client and AP / infrastructure 802.11i authentication based on the 802.1x standard Benefits Encryption key management Password expiration and change (Microsoft) Prevents Man in the Middle attacks and connecting to rogue APs Provides Accounting and Audit information of every connection Allows extended control of end users Time of Day Access Guest Access 27
#6: Authentication – Infrastructure Typical Infrastructure Authentication server can interface with Directory Services Central use of policies and permissions Authenticator can enforce policies at the edge (i.e. what VLAN a user should use) Active Directory LDAP Server Authentication Server Ethernet Switch Authenticator Authenticator Authenticator Supplicant 28
#6: Authentication – Wi-Fi Authentication Wi-Fi Authentication Framework In a wired environment, user has to gain physical access to a port In a wireless environment, it is much easier to gain access to the medium 802.11i makes use of 802.1x Adapts EAP (used for port-level control of a wired network) to wireless Authenticator (Access Point) provides multiple virtual ports, one per user Key Exchange Faster Roaming 29
#6: Authentication – Wi-Fi Authentication Extensible Authentication Protocol (EAP) Types 30
#6: Authentication – Best Practices Recommendations • Don’t compromise – for enterprise-grade security, use 802.11i / WPA2 and RADIUS for strongest security • RADIUS is FREE with Windows 2000, 2003 Server (Microsoft IAS) • See Xirrus website for installation guidance: http://www.xirrus.com/library/wifitools.html • RADIUS can interface with Active Directory or other directory services • Free RADIUS also can be used • Use PEAP with MSCHAPv2 for easiest administration (no client certificates required) • Use authentication to enforce other access policies • Ensure replication and availability of Authentication Server • Scale for peak loading • Remote location considerations
#7: Encryption – Encryption Basics What is Encryption? • Wi-Fi data is easily captured and viewed if passed in the clear • Username/passwords, email headers, and message contents are all vulnerable • Encryption changes data to make it unintelligible to an unauthorized user • Encryption mathematically alters the original data using a key to encrypt/decrypt the data The Key Is the Key • The key is a unique value only known by sender/receiver and used by the encryption algorithm to change the original information • The longer the key, the harder to break • A 40 bit key has 240 combinations = 1.1 x 1012 = 1.1 trillion • A 128 bit key has 2128 combinations = 3.4 x 1038 = 340 undecillion
#7: Encryption – Protocols • AES/CCMP encryption (AES is the encryption standard adopted by the US government) provides the best data confidentiality for Wi-Fi • TKIP encryption provides a decent alternative for older, non-AES capable hardware • WEP encryption is dead – easily cracked with readily available software in just minutes
#7: Encryption – Key Management Key Management • Master Key is the starting point, and is originated: • Dynamically via RADIUS • Statically from Pre-Shared Key (PSK) • Transient (temporal) keys are derived from the master and used to encrypt the data • Changed per packet to provide best security
#7: Encryption – Best Practices Recommendations Use WPA2 Enterprise (AES/CCMP encryption) for best security Use WPA/WPA2 Personal only in SOHO environments Use random, hard-to-guess passphrases of 20+ ASCII characters Update passphrases periodically and if employee leaves, laptops lost, etc. Don’t use WEP if at all possible – it is only barely better than nothing Use only for legacy and embedded devices if no other option Refresh keys periodically and use filtering/firewalling to limit access Use Open for guest or public access networks WPA/2 not practical since one must configure the supplicant (client) Internally, segregate guest traffic, routing/VLAN it away from corporate assets Externally, require road warriors connecting to corporate assets to use a VPN Use separate SSIDs mapped to VLANs for different security types to logically separate users Use 802.1Q/p VLAN segregation and prioritization as wireless traffic enters the wired network 35
Hands-On #3: Associate with Security Associate to the Xirrus Array with PSK • Double click the wireless icon in your system tray • Select the “xirrus-wpa-psk” network from the list • Select “Connect” • Enter passphrase (PSK) = xirrusarray
#8: Wi-Fi Threats – Types Threats to a corporate Wi-Fi network can come from many places: Unauthorized APs – rogues, evil twins Unauthorized connections – ad hocs, neighbor APs Unauthorized clients – intruders, guests Misconfigured APs – no security, defaults Eavesdropping Forgery and replay 37
#8: Wi-Fi Threats – Mitigation Techniques Sensor radios scan airwaves; signal strength data used to locate attackers Tarpits use sensor radios to pull clients away from unauthorized/rogue APs
#8: Wi-Fi Threats – Best Practices • Network Infrastructure • Proactively audit AP configurations for changes • Use VLANs to segregate Wi-Fi traffic on the wired network • Use firewall filters, ACLs to restrict traffic to the wired network • Use routing to limit reachable IP addresses, ports, etc. • Wireless Stations • Use VPNs for offsite access • Ensure use of personal firewalls, anti-virus software • Centrally-administer Wi-Fi settings • Intrusion Detection/Intrusion Prevention Systems (IDS/IPS) • Dedicate threat sensor radios to continuously monitor the air and feed an IDS/IPS system • Automatically block unauthorized wireless activity
Part A: Wi-Fi Basics#1: RF Basics #2: Wi-Fi Standards #3: Wi-Fi Security#4: Wi-Fi Futures
#9: 802.11n – Standards Wi-Fi Industry Still Young and Growing • IEEE Task Groups are still in full swing • 802.11n (High Throughput) • 802.11v (Wireless Network Management) • 802.11w (Protected Management Frames) • 802.11s (MESH Networking) • VHT (Very High Throughput Study Group)
#9: 802.11n – Data Rates Range and Data Rates • Longer Range or Higher Data Rates • Wi-Fi Certified data rates 300Mpbs • Most compatible with 802.11a • Backwards compatible with 802.11bg • Future rates up to 600Mbps specified • YOUR MILEAGE WILL VARY!
150 #9: 802.11n – Capacity 802.11n Capacity • 26 channels * 150Mbps = 3.9 Gbps • (23) 5GHz channels + (3) 2.4GHz channels 802.11a Capacity • 23 channels * 54Mbps = 1.2 Gbps 802.11g Capacity • 3 channels * 54Mbps = 162 Mbps 802.11b Capacity • 3 channels * 11Mbps = 33 Mbps
#9: 802.11n – Physical Layer (Radio) Classic 802.11 Transmitter • Data Stream sent out of one antenna • Best antenna on receiver selected
#9: 802.11n – 802.11n and MIMO 802.11n and MIMO and Signal Processing • Multiple antennas • Greatly Improves receiver sensitivity (ability to hear)
#9: 802.11n – Obtaining Higher Data Rates Spatial Multiplexing • Source data stream split and sent over separate antennas at the same time • Recombined at receiver using MIMO signal processing • Doubles, triples, or quadruples the data rate depending on the number of transmit antennas used Channel Bonding • Increasing the Bandwidth • Bonds two 20MHz channels to a 40MHz channel • Slightly more than doubles the bandwidth • Phased channel operation: ability to jump between 20 and 40Mhz channels
#9: 802.11n – MAC Improvements Reducing Overhead Improves Efficiency • Frame Aggregation • Block ACKs • Reduced Inter-frame spacing
#9: 802.11n – Client Requirements What will my end users require if I install 802.11n APs? • Possibly nothing • Today’s 802.11abg will interoperate with 802.11n Access Points • 802.11n improves either side of the link (Access Point or Station) • Standard 802.11abg will obtain better throughput up to today’s data rates. • Higher data rates can only be obtained when you have 802.11n on both sides of link • Phase in 802.11n stations when standard is ratified • Don’t have to do a mass swap-out of existing devices
#9: 802.11n – Cell Sizes What about cell sizes – will I need to change the location of APs? • 802.11n is not about higher transmit power, but about a better receiver (ability to listen) • Plan to keep same AP locations if you have designed for 5GHz • 802.11n cell will provide higher data rates and more user density • Need to support legacy 11abg stations set the edge • Enterprise gear should automatically adjust cell sizes • Plan to redesign for 11n if you only have 2.4GHz (802.11bg) • Do site survey for new locations
#9: 802.11n – Best Practices Recommendations • Client Devices • Move away from 802.11b as it seriously degrades 802.11n (and 802.11g) performance • Fold in new 802.11n client adapters that supports 5GHz (802.11a + 802.11n) for channel bonding • At least buy 802.11a/b/g adapters • Wired Network Infrastructure • Pull at least one Gigabit Ethernet connection to each Access Point location (Dual Gigabit is better) • Implement switching as close to the edge as possible • Wireless Network • Buy infrastructure gear that is upgradeable and provides local switching at the edge • Upgrade your sensor networks to 802.11n • Keep cell sizes the same as you have today • Plan to support today’s 802.11a/b/g devices • May need to resurvey if you just have 2.4GHz • Management and planning tools will need to comprehend 802.11n • Should I Wait? • Start planning today! 802.11n is backwards compatible (improved PHY performance helps even today’s client devices) • Buy modular and upgradeable infrastructure with a path to 802.11n