zone to another. Many wireless-enabled devices such as laptops and hand-held computers use battery power and should be able to conserve power when not actively communicating with the network. Wireless communication over the air has to be secure to mitigate both passive and active attacks.
WAP
The WAP is an open specification designed to enable mobile wireless users to easily access and interact with information and services. WAP is designed for hand-held digital wireless devices such as mobile phones, pagers, two-way radios, smartphones, and other communicators. It works over most wireless networks and can be built on many operating systems (OSs) including PalmOS, Windows CE, JavaOS, and others. The WAP operational model is built on the World Wide Web (WWW) programming model with a few enhancements and is shown in Figure 5.5.
WAP browsers in a wireless client are analogous to the standard WWW browsers on computers. WAP URLs (uniform resource locators) are the same as those defined for traditional networks and are also used to identify local resources in the WAP-enabled client. The WAP specification added two significant enhancements to the abovementioned programming model: push and telephony support (wireless telephony application [WTA]). WAP also provides for the use of proxy servers, as well as supporting servers that provide functions such as PKI support, user profile support, and provisioning support.
Wireless Transport Layer Security
Wireless Transport Layer Security (WTLS) is an attempt by the WAP Forum to introduce a measure of security into WAP. The WTLS Protocol is based on the Transport Layer Security (TLS) Protocol, which is itself a derivative of the Secure Sockets Layer (SSL) Protocol. However, several changes were made to these protocols to adapt them to work within WAP. These changes include:
■ Support for both datagram- and connection-oriented protocols
■ Support for long round-trip times
■ Low-bandwidth, limited memory, and processor capabilities
WTLS is designed to provide privacy as well as reliability for both the client and the server over an unsecured network and is specific to applications that utilize WAP. These applications tend to be limited by memory, processor capabilities, and low bandwidth environments.
FIGURE 5.5 WAP 2.0 Architecture Programming Model.
IEEE 802.11
The original IEEE 802.11 standard was developed in 1989 and defines the operation of wireless networks operating in the 2.4 GHz range using either DSSS or FHSS at the physical layer of the OSI model. This standard also defines the use of infrared for wireless communication. The intent of the standard is to provide a wireless equivalent for standards, such as 802.3, that are used for wired networks. DSSS devices that follow the 802.11 standard communicate at speeds of 1 and 2 Mbps and generally have a range of approximately 300 feet. Because of the need for higher rates of data transmission and to provide more functionality at the MAC layer, the 802.11 Task Group developed other standards (in some cases the 802.11 standards were developed from technologies that preceded them).
The IEEE 802.11 standard provides for all the necessary definitions and constructs for wireless networks. Everything from the physical transmission specifications to the authentication negotiation is defined by this standard. Wireless traffic, like its wired counterpart, consists of frames transmitted from one station to another. The primary feature that sets wireless networks apart from wired networks is that at least one end of the communication pair is either a wireless client or a wireless AP.
IEEE 802.11b
Still a common standard used today for wireless networks, the IEEE 802.11b standard defines DSSS networks that use the 2.4 GHz ISM band and communicate at speeds of 1, 2, 5.5, and 11 Mbps. The 802.11b standard defines the operation of only DSSS devices and is backward compatible with 802.11 DSSS devices. The standard is also concerned only with the physical and MAC layers: Layer 3 and higher protocols are considered payload. There is only one frame type used by 802.11b networks, and it is significantly different from Ethernet frames. The 802.11b frame type has a maximum length of 2346 bytes, although it is often fragmented at 1518 bytes as it traverses an AP to communicate with Ethernet networks. The frame type provides for three general categories of frames: management, control, and data. In general, the frame type provides methods for wireless devices to discover, associate (or disassociate), and authenticate with one another; to shift data rates as signals become stronger or weaker; to conserve power by going into sleep mode; to handle collisions and fragmentation; and to enable encryption through WEP. Regarding WEP, it should be noted that the standard defines the use of only 64-bit (also sometimes referred to as 40-bit, to add to the confusion) encryption, which may cause issues of interoperability between devices from different vendors that use 128-bit or higher encryption.
Exam warning
The following information must be mastered for the Network exam; you need to know the 802.11 standards, the speeds, operation, and so on for the Network exam. Make sure that you follow the next sections very carefully as you study.
IEEE 802.11a
Despite its nomenclature, IEEE 802.11a is a more recent standard than 802.11b. This standard defines wireless networks that use the 5 GHz UNII bands. 802.11a supports much higher rates of data transmission than 802.11b. These rates are 6, 9, 12, 16, 18, 24, 36, 48, and 54 Mbps, although higher rates are possible using proprietary technology and a technique known as rate doubling. Unlike 802.11b, 802.11a does not use spread spectrum and Quadrature Phase Shift Keying (QPSK) as a modulation technique at the physical layer. Instead, it uses a modulation technique known as Orthogonal Frequency Division Multiplexing (OFDM). To be 802.11a compliant, devices are only required to support data rates of 6, 12, and 24 Mbps – the standard does not require the use of other data rates.
Although identical to 802.11b at the MAC layer, 802.11a is not backward compatible with 802.11b because of the use of a different frequency band and the use of OFDM at the physical layer, although some vendors are providing solutions to bridge the two standards at the AP. However, both 802.11a and 802.11b devices can be easily co-located because their frequencies will not interfere with each other, providing a technically easy, but relatively expensive, migration to a pure 802.11a network. At the time of this writing, 802.11a-compliant devices are becoming more common, and the prices for them are falling quickly. However, even if the prices for 802.11b and 802.11a devices were identical, 802.11a would require more APs and would therefore be more expensive than an 802.11b network to achieve the highest possible rates of data transmission, because the higher frequency 5 GHz waves attenuate more quickly over distance.
Exam warning
Remember that IEEE 802.11b functions up to 11 Mbps in the ISM band.
Exam warning
Remember that IEEE 802.11a functions up to 54 Mbps in the UNII band.
IEEE 802.11g
To provide both higher data rates (up to 54 Mbps) in the ISM 2.4 GHz band and backward compatibility with 802.11b, the IEEE 802.11g Task Group members along with wireless vendors introduced the 802.11g standard specifications. To achieve the higher rates of transmission, 802.11g devices use OFDM in contrast to QPSK, which is used by 802.11b devices as a modulation technique. However, 802.11g devices are able to automatically switch to QPSK to communicate with 802.11b devices. 802.11g has advantages over 802.11a in terms of providing backward compatibility with 802.11b; however, migrating to and co-existence with 802.11b may still prove problematic because of crowding in the widely used 2.4 GHz band.
IEEE 802.11n
To provide both higher data rates (up to 300 Mbps) in the ISM 2.4 GHz bands and the 5 GHz UNII band, 802.11n was introduced. It is backward compatible with 802.11b/g, and to achieve the higher rates of transmission, 802.11n devices use MIMO (multiple input/multiple output) to take advantage of multiple antennas.
Ad-hoc and Infrastructure Network Configuration
The 802.11 standard provides for two modes for wireless clients to communicate: ad-hoc and infrastructure. The ad-hoc mode is geared for a network of stations within communication range of each other. Ad-hoc networks are created spontaneously between the network participants. In infrastructure mode, APs provide more permanent structure for the network. An infrastructure consists of one or more APs as well as a distribution system (that is, a wired network) behind the APs that tie the wireless network to the wired network. Figures 5.6 and 5.7 show an ad hoc network and an infrastructure network, respectively.
Exam warning
Remember that IEEE 802.11g functions up to 54 Mbps in the ISM band.
FIGURE 5.6 Ad Hoc Network Configuration.
To distinguish different wireless networks from one another, the 802.11 standard defines the service set identifier (SSID). The SSID is considered the identity element that “glues” various components of a WLAN together. Traffic from wireless clients that use one SSID can be distinguished from other wireless traffic using a different SSID. Using the SSID, an AP can determine which traffic is meant for it and which is meant for other wireless networks.
802.11 traffic can be subdivided into three parts:
■ Control frames
■ Management frames
■ Data frames
Control frames include such information as Request to Send (RTS), Clear to Send (CTS), and ACK messages. Management frames include beacon frames, probe request/response, authentication frames, and association frames. Data frames are 802.11 frames that carry data, which is typically considered network traffic, such as Internet Protocol (IP) encapsulated frames.
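The three frame categories above are encoded in the first octet of every 802.11 frame's Frame Control field. The following Python is an added example, not code from the book: it decodes that field to sort raw frames into control, management and data, names the subtypes the text lists (RTS, CTS, ACK, beacon, probe request/response, authentication, association), and rejects anything longer than the 2346-byte maximum the text gives for 802.11b. The sample frames, the station address and the make_frame helper are constructed for the demonstration; the type/subtype bit layout is the standard one.

```python
"""Added example (not from the book): classify raw 802.11 frames by decoding
the Frame Control field and enforce the 2346-byte maximum frame length."""
import struct
from collections import Counter
from typing import Dict, List, Optional

MAX_FRAME_LEN = 2346  # maximum 802.11 frame length cited in the text

# Frame Control, low octet: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 4): "probe request", (0, 5): "probe response",
    (0, 8): "beacon", (0, 10): "disassociation",
    (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "data", (2, 8): "QoS data",
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify(frame: bytes) -> Dict[str, Optional[str]]:
    """Return category, subtype name and receiver address (Addr1) of one frame.
    Raises ValueError for frames that are too short, too long, or reserved."""
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    if len(frame) > MAX_FRAME_LEN:
        raise ValueError(f"frame exceeds the {MAX_FRAME_LEN}-byte maximum")
    fc0 = frame[0]               # low octet of the little-endian Frame Control field
    version = fc0 & 0x03
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    if version != 0 or ftype not in TYPE_NAMES:
        raise ValueError("reserved protocol version or frame type")
    # Addr1 (receiver) follows the 2-byte Frame Control and 2-byte Duration fields.
    receiver = mac_str(frame[4:10]) if len(frame) >= 10 else None
    return {
        "category": TYPE_NAMES[ftype],
        "subtype": SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}"),
        "receiver": receiver,
    }


def accepts(frame: bytes) -> bool:
    """True if the frame passes the length and Frame Control sanity checks."""
    try:
        classify(frame)
        return True
    except ValueError:
        return False


def count_by_category(frames: List[bytes]) -> Dict[str, int]:
    """Tally how much of a capture is control, management and data traffic."""
    return dict(Counter(classify(f)["category"] for f in frames))


def make_frame(fc0: int, addr1: str, rest: bytes = b"") -> bytes:
    """Constructed helper: Frame Control + Duration(0) + Addr1 + whatever follows."""
    return (bytes([fc0, 0x00]) + struct.pack("<H", 0)
            + bytes.fromhex(addr1.replace(":", "")) + rest)


BROADCAST = "ff:ff:ff:ff:ff:ff"
STATION = "02:00:00:00:00:01"  # constructed, locally administered address
SAMPLE_FRAMES = [              # constructed sample capture
    make_frame(0x80, BROADCAST),              # beacon
    make_frame(0x40, BROADCAST),              # probe request
    make_frame(0xB0, STATION),                # authentication
    make_frame(0xB4, STATION),                # RTS
    make_frame(0xC4, STATION),                # CTS (carries Addr1 only)
    make_frame(0xD4, STATION),                # ACK (carries Addr1 only)
    make_frame(0x08, STATION, b"\x00" * 20),  # data
    make_frame(0x88, STATION, b"\x00" * 20),  # QoS data
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify(f))
    print(count_by_category(SAMPLE_FRAMES))
```

Only the first octet of Frame Control is needed to place a frame in its category; the receiver address is read from Addr1 because it is present in every frame type, whereas CTS and ACK frames carry no further addresses.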
IEEE 802.15 (Bluetooth)
Bluetooth uses the same 2.4 GHz frequency that the IEEE 802.11b and 802.11g wireless networks use, but unlike those networks, Bluetooth can select from up to 79 different frequencies within a radio band. Unlike 802.11 networks where the wireless client can only be associated with one network at a time, Bluetooth networks allow clients to be connected to seven networks at the same time. Bluetooth devices typically have a maximum useable range of about 10 m (33 feet).
Test Day Tip
Remember for the Network exam that there are two main wireless networking models: ad-hoc and infrastructure.
FIGURE 5.7 Infrastructure Network Configuration.
Bluetooth, by its very design, is not intended for the long ranges or high data throughput rates that 802.11 wireless networks have. This is largely due to the fact that the hop rate of Bluetooth devices is about 1600 hops per second with an average of a 625 µs dwell time, thus producing exceptionally more management overhead than 802.11. Although this exceptionally high hop rate does tend to make Bluetooth resistant to narrow band interference, it has the undesirable side effect of causing disruption of other 2.4 GHz-based network technologies such as 802.11b and 802.11g. This high hop rate causes all-band interference on these 802.11 networks and can, in some cases, completely prevent an 802.11 wireless network from functioning.
Infrared
Infrared, unlike 802.11 and 802.15, is not a standard itself, but rather is the focus of the Infrared Data Association (IrDA). The IrDA was founded in 1993 as a member-funded organization whose primary function is to create and promote a standardized data transmission mechanism using infrared light. Infrared data transmission has been used for many applications in a nonstandard manner by Hewlett Packard calculators and printers. Now, most PDAs (personal digital assistants) and almost all portable computers do or can have infrared capabilities.
Infrared devices typically can achieve a maximum data throughput of 4 Mbps, but as it is a light-based technology, it is susceptible to light-based interference, and the typical data throughput you can expect is around 100 to 125 Kbps. Also, because infrared is a light-based technology, it does not interfere in any way with RF-based wireless technologies. By that same token, infrared is a fairly secure technology in that an attacker would have to be in the direct path of the transmission, which is typically not very likely given the low power and low transmission range of infrared – the best theoretical outdoor distance you can get out of infrared is about 3,280 feet (1,000 m), and this maximum drops off significantly with the presence of any other form of light.
WEP
The IEEE 802.11 standard covers the communication between WLAN components. RF poses challenges to privacy in that it travels through and around physical objects. Because of the nature of the 802.11 wireless LANs, the IEEE working group implemented a mechanism to protect the privacy of the individual transmissions, known as the WEP Protocol. Because WEP utilizes a cryptographic security countermeasure for the fulfillment of its stated goal of privacy, it has the added benefit of becoming an authentication mechanism. This benefit is realized through a shared-key authentication that allows for encryption and decryption of wireless transmissions. Up to four keys can be defined on an AP or a client, and they can be rotated to add complexity for a higher security standard in the WLAN policy.
WEP was never intended to be the absolute authority in wireless security. The IEEE 802.11 standard states that WEP provides for protection from “casual eavesdropping.” Instead, the driving force behind WEP was privacy. In cases that require high degrees of security, other mechanisms should be utilized such as authentication, access control, password protection, and virtual private networks (VPNs).
Despite its flaws, WEP still offers a level of security provided that all its features are used properly. This means taking great care in key management, avoiding default options, and ensuring adequate encryption is enabled at every opportunity.
Proposed improvements in the 802.11 standard should overcome many of the limitations of the original security options and should make WEP more appealing as a security solution. Additionally, as WLAN technology gains popularity and users clamor for functionality, both the standards committees and the hardware vendors will offer improvements. It is critically important to keep abreast of vendor-related software fixes and changes that improve the overall security posture of a wireless LAN.
With data security enabled in a closed network, the settings on the client for the SSID and the encryption keys must match the AP when attempting to associate with the network or it will fail. The next few paragraphs discuss WEP and its relation to the functionality of the 802.11 standard, including a standard definition of WEP, the privacy created, and the authentication. WEP provides security and privacy in transmissions held between the AP and the clients. To gain access, an intruder must be more sophisticated and have specific intent to gain access. Some of the other benefits of implementing WEP include the following:
■ All messages are encrypted using a CRC-32 checksum to provide some degree of integrity.
■ Privacy is maintained via the RC4 encryption. Without possession of the secret key, the message cannot be easily decrypted.
■ WEP is extremely easy to implement. All that is required is to set the encryption key on the APs and on each client.
■ WEP provides a basic level of security for WLAN applications.
■ WEP keys are user-definable and unlimited. WEP keys can, and should, be changed often.
Exam warning
Most APs advertise that they support WEP in 40-bit encryption, but often the 128-bit option is also supported. For corporate networks, 128-bit encryption-capable devices should be considered as a minimum.
WPA and WPA2
Because of the relative ease with which WEP with a preshared key can be broken, the Wi-Fi Alliance has created a new encryption standard called Wi-Fi Protected Access (WPA). WPA is based on the IEEE’s 802.11i (WPA2 or WPA Enterprise) standard and enhances security over WEP by using the Temporal Key Integrity Protocol (TKIP) to address some of the weaknesses of WEP, including per-packet key mixing, a message integrity check, an extended initialization vector (IV), and dynamic rekeying. It should also be noted that the authentication function of WEP has been changed to provide better security in WPA.
Creating Privacy with WEP
WEP provides for three implementations: no encryption, 40-bit encryption, and 128-bit encryption. Clearly, no encryption means no privacy. When WEP is set to no encryption, transmissions are sent in the clear form and can be viewed by any wireless sniffing application that has access to the RF signal propagated in the WLAN, unless some other encryption mechanism such as IPSec (IP Security) is being used. In the case of the 40- and 128-bit varieties (just as with password length), the greater the number of characters (bits), the stronger the encryption is. The initial configuration of the AP includes the setup of the shared key. This shared key can be in the form of either alphanumeric or hexadecimal strings and must be matched on the client.
WEP uses the RC4 encryption algorithm, a stream cipher developed by Ron Rivest (the “R” in RSA). The process by which WEP encrypts a message is shown in Figure 5.8. Both the sender and the receiver use the stream cipher to create identical pseudorandom strings from a known shared key. This process entails having the sender logically XOR the plaintext transmission with the stream cipher to produce ciphertext. The receiver takes the shared key and identical stream and reverses the process to gain the plaintext transmission.
Exam warning
Do not confuse WAP and WEP. Although it may seem that WEP is the privacy system for WAP, you should remember that WTLS is the privacy mechanism for WAP and WEP is the privacy mechanism for 802.11 WLANs.
The steps in the process are as follows:
1. The plaintext message is run through an integrity check algorithm (the 802.11 standard specifies the use of CRC-32) to produce an integrity check value (ICV).
2. This value is appended to the end of the original plaintext message.
3. A “random” 24-bit IV is generated and prepended to (added to the beginning of) the secret key (which is distributed through an out-of-band method) that is then input to the RC4 Key Scheduling Algorithm (KSA) to generate a seed value for the WEP pseudorandom number generator (PRNG).
4. The WEP PRNG outputs the encrypting cipher-stream.
5. This cipher-stream is then XOR’d with the plaintext/ICV message to produce the WEP ciphertext.
6. The ciphertext is then prepended with the IV (in plaintext), encapsulated, and transmitted.
A new IV is used for each frame to prevent the reuse of the key from weakening the encryption. This means that for each string generated, a different value will be used for the RC4 key. Although this is a secure policy in itself, its implementation in WEP is flawed because of the nature of the 24-bit space. It is so small with respect to the potential set of IVs that in a short period of time all keys are reused. When this happens, two different messages are encrypted with the same IV and key, and the two messages can be XOR’d with each other to cancel out the key stream, allowing an attacker who knows the contents of one message to easily figure out the contents of the other. Unfortunately, this weakness is the same for both the 40- and 128-bit encryption levels, because both use the 24-bit IV.
FIGURE 5.8 WEP Encryption Process in IEEE 802.11. (Diagram: the Initialization Vector (IV) and Secret Key feed the Key Scheduling Algorithm, whose Seed drives the PRNG to produce the Key Sequence; the Plaintext passes through the Integrity Algorithm (CRC-32) to form Plaintext/ICV; the output is the IV followed by the Ciphertext.)
To protect against some rudimentary attacks that insert known text into the stream to attempt to reveal the key stream, WEP incorporates a checksum into each frame. Any frame not found to be valid through the checksum is discarded.
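The six encryption steps above, the IV-reuse weakness, and the checksum-based discard just described can all be seen in a few dozen lines. The Python below is an added example, not code from the book or from any 802.11 implementation: RC4 (KSA plus PRNG) is written out in the block, the ICV is CRC-32 from zlib stored little-endian, and the IV is prepended to the key exactly as in step 3. The 40-bit key, the IV and the two plaintexts in iv_reuse_demo are constructed values; the demo encrypts two frames under the same IV to show that XOR-ing the two ciphertexts cancels the key stream, and flips one ciphertext bit to show the receiver discarding a frame whose ICV no longer verifies.

```python
"""Added example (not from the book): a minimal model of the WEP encryption
process (RC4, CRC-32 ICV, 24-bit IV prepended to the shared key), the receiver's
ICV check, and the key-stream cancellation that IV reuse causes."""
import os
import zlib
from typing import Dict, Optional

IV_LEN = 3  # the 24-bit IV from step 3, sent in the clear in step 6


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 Key Scheduling Algorithm followed by the PRNG; returns `length` bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA: seed the state from the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRNG: emit the cipher-stream
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """Step 1: integrity check value, CRC-32 of the plaintext (little-endian)."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(shared_key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Steps 1-6: frame = IV || RC4(IV || key) XOR (plaintext || ICV)."""
    if iv is None:
        iv = os.urandom(IV_LEN)                # step 3: a "random" 24-bit IV
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 24 bits")
    body = plaintext + icv(plaintext)          # steps 1-2
    keystream = rc4_keystream(iv + shared_key, len(body))  # steps 3-4
    return iv + xor(body, keystream)           # steps 5-6


def wep_decrypt(shared_key: bytes, frame: bytes) -> Optional[bytes]:
    """Receiver: regenerate the stream from IV || key, XOR it back, verify ICV.
    Returns the plaintext, or None when the frame must be discarded."""
    if len(frame) < IV_LEN + 4:
        return None
    iv, ciphertext = frame[:IV_LEN], frame[IV_LEN:]
    body = xor(ciphertext, rc4_keystream(iv + shared_key, len(ciphertext)))
    plaintext, received_icv = body[:-4], body[-4:]
    if icv(plaintext) != received_icv:         # checksum failure: frame dropped
        return None
    return plaintext


def keystream_cancels(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """With the same IV (and key), C1 XOR C2 == P1 XOR P2: the key stream cancels
    without the key ever being known. Returns that XOR, or None if IVs differ."""
    if frame_a[:IV_LEN] != frame_b[:IV_LEN]:
        return None
    n = min(len(frame_a), len(frame_b)) - IV_LEN
    return xor(frame_a[IV_LEN:IV_LEN + n], frame_b[IV_LEN:IV_LEN + n])


def iv_reuse_demo() -> Dict[str, bool]:
    """Constructed demo: 40-bit key, one IV reused for two frames, one tampered frame."""
    key = bytes.fromhex("0a1b2c3d4e")          # constructed 40-bit shared key
    iv = bytes.fromhex("0c0c0c")               # constructed, deliberately reused
    p1 = b"GET /index.html"
    p2 = b"POST /login.cgi"
    c1 = wep_encrypt(key, p1, iv)
    c2 = wep_encrypt(key, p2, iv)
    leaked = keystream_cancels(c1, c2)
    tampered = bytearray(c1)
    tampered[IV_LEN] ^= 0x01                   # flip one ciphertext bit
    return {
        "roundtrip": wep_decrypt(key, c1) == p1,
        "leak_equals_plaintext_xor": leaked[:len(p1)] == xor(p1, p2),
        "tampered_discarded": wep_decrypt(key, bytes(tampered)) is None,
    }


if __name__ == "__main__":
    print(iv_reuse_demo())
```

The same code path serves both 40-bit and 128-bit keys, which is why the text notes that the IV weakness applies to both: only the three IV bytes vary between frames, whatever the key length. Note also that the CRC-32 check catches accidental corruption and the crude bit-flip shown here, but it is a linear checksum rather than a keyed message integrity code, which is one of the reasons WPA replaced it with a message integrity check.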
Authentication
There are two authentication methods in the 802.11 standard: open and shared-key. Open authentication is more precisely described as device-oriented authentication and can be considered a null authentication – all requests are granted. Without WEP, open authentication leaves the WLAN wide open to any client who knows the SSID. With WEP enabled, the WEP secret key becomes the indirect authenticator. The open authentication exchange, with WEP enabled, is shown in Figure 5.9.
Exam warning
Open authentication can also require the use of a WEP key. Do not assume that just because the Network exam discusses open authentication that a WEP key should not be set.
FIGURE 5.9 Open Authentication.
The shared-key authentication process shown in Figure 5.10 is a four-step process that begins when the AP receives the validated request for association. After the AP receives the request, a series of management frames are transmitted between the stations to produce the authentication. This includes the use of the cryptographic mechanisms employed by WEP as a validation. The four steps break down in the following manner:
1. The requestor (the client) sends a request for association.
2. The authenticator (the AP) receives the request, and responds by producing a random challenge text and transmitting it back to the requestor.