7 Basic Wireless Concepts
Comparison WLAN to LAN –
Wireless LAN Standards –
DSSS: Direct Sequence Spread Spectrum
OFDM: Orthogonal Frequency Division Multiplexing
802.11a – The IEEE 802.11a standard adopted the OFDM modulation technique and uses the 5 GHz band.
802.11a devices operating in the 5 GHz band are less likely to experience interference than devices that
operate in the 2.4 GHz band because there are fewer consumer devices that use the 5 GHz band. Also, higher
frequencies allow for the use of smaller antennas.
There are some important disadvantages to using the 5 GHz band. The first is that higher frequency radio waves are
more easily absorbed by obstacles such as walls, making 802.11a susceptible to poor performance due to
obstructions. The second is that this higher frequency band has slightly poorer range than either 802.11b or g. Also,
some countries, including Russia, do not permit the use of the 5 GHz band, which may continue to curtail its
deployment.
802.11n –
The IEEE 802.11n draft standard is intended to improve WLAN data rates and range without requiring additional
power or RF band allocation. 802.11n uses multiple radios and antennae at endpoints, each broadcasting on the
same frequency to establish multiple streams. The multiple input/multiple output (MIMO) technology splits a high
data-rate stream into multiple lower rate streams and broadcasts them simultaneously over the available radios and
antennae. This allows for a theoretical maximum data rate of 248 Mb/s using two streams.
ITU-R (International Telecommunications Union) regulates allocation of RF bands.
IEEE specifies how RF is modulated to carry information.
Wi-Fi ensures that vendors make devices that are interoperable.
Hidden Nodes –
Imagine two client stations that both connect to the access point, but are at opposite sides of its reach. If they are at
the maximum range to reach the access point, they will not be able to reach each other. So neither of those stations
senses the other on the medium, and they may end up transmitting simultaneously. This is known as the hidden node
(or station) problem.
Wireless Routers –
Wireless routers perform the role of access point, Ethernet switch, and router. For example, the Linksys WRT300N
is really three devices in one box. First, there is the wireless access point, which performs the typical functions
of an access point. A built-in four-port, full-duplex, 10/100 switch provides connectivity to wired devices. Finally, the
router function provides a gateway for connecting to other network infrastructures.
MODE – The wireless network mode refers to the WLAN protocols: 802.11a, b, g, or n. Because 802.11g is backward
compatible with 802.11b, access points support both standards. Remember that if all the clients connect to an
access point with 802.11g, they all enjoy the better data rates provided. When 802.11b clients associate with the
access point, all the faster clients contending for the channel have to wait on the 802.11b clients to clear the channel
before transmitting. When a Linksys access point is configured to allow both 802.11b and 802.11g clients, it is
operating in mixed mode.
For an access point to support 802.11a as well as 802.11b and g, it must have a second radio to operate in the
different RF band.
SSID – A shared service set identifier (SSID) is a unique identifier that client devices use to distinguish between
multiple wireless networks in the same vicinity. Several access points on a network can share an SSID. The figure
shows an example of SSIDs distinguishing between WLANs, each of which can be any alphanumeric, case-sensitive
entry from 2 to 32 characters long.
SSID (service set identifier)
The SSID is a code attached to all packets on a wireless network to identify each packet as part of that network. The code is a
case-sensitive text string which consists of a maximum of 32 alphanumeric characters. All wireless devices attempting to
communicate with each other must share the same SSID. Apart from identifying each packet, the SSID also serves to uniquely
identify a group of wireless network devices used in a given service set.
Channel –
The IEEE 802.11 standard establishes the channelization scheme for the use of the unlicensed ISM RF bands in
WLANs. The 2.4 GHz band is broken down into 11 channels for North America and 13 channels for Europe. These
channels have a center frequency separation of only 5 MHz and an overall channel bandwidth (or frequency
occupation) of 22 MHz. The 22 MHz channel bandwidth combined with the 5 MHz separation between center
frequencies means there is an overlap between successive channels. Best practice for WLANs that require multiple
access points is to set them to use non-overlapping channels. If there are three adjacent access points, use channels 1, 6,
and 11. If there are just two, select any two that are five channels apart, such as channels 5 and 10. Many access
points can automatically select a channel based on adjacent channel use. Some products continuously monitor the
radio space to adjust the channel settings dynamically in response to environmental changes.
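The overlap rule above (22 MHz channel width, 5 MHz centre spacing, so channels must be at least five apart) can be checked mechanically. The following is an added example, not part of the course notes: it derives 2.4 GHz centre frequencies, tests two channels for overlap, and greedily assigns non-overlapping channels to a row of adjacent access points for a given region; the region table and the greedy assignment order are assumptions of the example.

```python
"""Added example (not from the course notes): 2.4 GHz channel overlap check
and non-overlapping channel assignment for adjacent access points."""

# IEEE 802.11 2.4 GHz plan: channels 1-13 have centre frequencies 5 MHz apart
# starting at 2412 MHz; channel 14 (Japan only) sits at 2484 MHz.
CHANNEL_BANDWIDTH_MHZ = 22  # DSSS channel occupation quoted in the notes
# Assumed region table: 11 channels in North America, 13 in Europe.
REGION_CHANNELS = {"north_america": range(1, 12), "europe": range(1, 14)}
BROADCAST = "ff:ff:ff:ff:ff:ff"  # unused here; kept out of the plan logic


def center_frequency_mhz(channel: int) -> int:
    """Return the centre frequency of a 2.4 GHz channel in MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"invalid 2.4 GHz channel {channel}")


def channels_overlap(a: int, b: int) -> bool:
    """Two 22 MHz-wide channels overlap when their centres are closer than 22 MHz.

    Five channels apart means 25 MHz of separation, which is the first spacing
    that does not overlap; this is why 1/6/11 (or 5/10) are the usual choices.
    """
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < CHANNEL_BANDWIDTH_MHZ


def non_overlapping_plan(num_access_points: int, region: str = "north_america") -> list[int]:
    """Assign channels to adjacent access points so that no two cells overlap.

    Channels are taken from the lowest upward, accepting a channel only if it
    overlaps none already chosen. Raises ValueError when the region cannot
    provide enough non-overlapping channels (both regions yield at most three).
    """
    plan: list[int] = []
    for ch in REGION_CHANNELS[region]:
        if all(not channels_overlap(ch, used) for used in plan):
            plan.append(ch)
        if len(plan) == num_access_points:
            return plan
    raise ValueError(f"only {len(plan)} non-overlapping channels available in {region}")


if __name__ == "__main__":
    print("3 APs, North America:", non_overlapping_plan(3))
    print("channels 5 and 10 overlap?", channels_overlap(5, 10))
```

Note that Europe's two extra channels (12 and 13) do not add a fourth non-overlapping cell under the 22 MHz rule, because channel 13 is only 5 MHz above channel 12 and 10 MHz above channel 11.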
802.11 Topologies
Wireless LANs can accommodate various network topologies. When describing these topologies, the fundamental
building block of the IEEE 802.11 WLAN architecture is the basic service set (BSS). The standard defines a BSS as a
group of stations that communicate with each other.
(BSS - WLAN infrastructure mode whereby mobile clients use a single access point for connectivity to each other or to wired
network resources)
Ad hoc Networks –
Wireless networks can operate without access points; this is called an ad hoc topology. Client stations which are
configured to operate in ad hoc mode configure the wireless parameters between themselves. The IEEE 802.11
standard refers to an ad hoc network as an independent BSS (IBSS).
Basic Service Sets –
Access points provide an infrastructure that adds services and improves the range for clients. A single access point in
infrastructure mode manages the wireless parameters and the topology is simply a BSS. The coverage area for both
an IBSS and a BSS is the basic service area (BSA).
BSA - Area of radio frequency coverage provided by an access point. To extend the BSA, or to simply add wireless devices and extend the range
of an existing wired system, you can add an access point.
Extended Service Sets –
When a single BSS provides insufficient RF coverage, one or more can be joined through a common distribution
system into an extended service set (ESS). In an ESS, one BSS is differentiated from another by the BSS identifier
(BSSID), which is the MAC address of the access point serving the BSS. The coverage area is the extended service
area (ESA).
Common Distribution System:
The common distribution system allows multiple access points in an ESS to appear to be a single BSS. An ESS
generally includes a common SSID to allow a user to roam from access point to access point.
Cells represent the coverage area provided by a single channel. An ESS should have 10 to 15 percent overlap
between cells in an extended service area. With a 15 percent overlap between cells, an SSID, and non-overlapping
channels (one cell on channel 1 and the other on channel 6), roaming capability can be created.
Client and Access Point Association –
A key part of the 802.11 process is discovering a WLAN and subsequently connecting to it. The primary components
of this process are as follows:
Beacons - Frames used by the WLAN network to advertise its presence.
Probes - Frames used by WLAN clients to find their networks.
Authentication - A process which is an artifact from the original 802.11 standard, but still required by the
standard.
Association - The process for establishing the data link between an access point and a WLAN client.
The 802.11 Join Process (Association)
Before an 802.11 client can send data over a WLAN network, it goes through the following three-stage process:
Stage 1 - 802.11 probing:
Clients search for a specific network by sending a probe request out on multiple channels. The probe request
specifies the network name (SSID) and bit rates. A typical WLAN client is configured with a desired SSID, so
probe requests from the WLAN client contain the SSID of the desired WLAN network.
If the WLAN client is simply trying to discover the available WLAN networks, it can send out a probe
request with no SSID, and all access points that are configured to respond to this type of query respond.
WLANs with the broadcast SSID feature disabled do not respond.
Stage 2 - 802.11 authentication:
802.11 was originally developed with two authentication mechanisms. The first one, called open
authentication, is fundamentally a NULL authentication where the client says "authenticate me," and the
access point responds with "yes." This is the mechanism used in almost all 802.11 deployments.
A second authentication mechanism is referred to as shared key authentication. This technique is
based on a Wired Equivalency Protection (WEP) key that is shared between the client and the access point.
In this technique, the client sends an authentication request to the access point. The access point then sends
a challenge text to the client.
NOTE - Although shared key authentication needs to be included in client and access point implementations for
overall standards compliance, it is not used or recommended. The problem is that the WEP key is normally used to
encrypt data during the transmission process. Using this same WEP key in the authentication process provides an
attacker with the ability to extract the key by sniffing and comparing the unencrypted challenge text and then the
encrypted return message. Once the WEP key is extracted, any encrypted information that is transmitted across the
link can be easily decrypted.
Stage 3 - 802.11 association:
This stage finalizes the security and bit rate options, and establishes the data link between the WLAN
client and the access point. As part of this stage, the client learns the BSSID, which is the access point MAC
address, and the access point maps a logical port known as the association identifier (AID) to the WLAN
client. The AID is equivalent to a port on a switch. The association process allows the infrastructure switch to
keep track of frames destined for the WLAN client so that they can be forwarded.
Planning the Wireless LAN – The number of users a WLAN can support is not a straightforward calculation. The
number of users depends on the geographical layout of your facility (how many bodies and devices fit in a space),
the data rates users expect (because RF is a shared medium and the more users there are the greater the contention
for RF), the use of non-overlapping channels by multiple access points in an ESS, and transmit power settings (which
are limited by local regulation). You will have sufficient wireless support for your clients if you plan your network for
proper RF coverage in an ESS. Detailed consideration of how to plan for specific numbers of users is beyond the
scope of this course. (SEE ccna3 7.1.5.1)
Threats to Wireless Security
Unauthorized Access:
Rogue Access Points –
A rogue access point is an access point placed on a WLAN that is used to interfere with normal network operation. If
a rogue access point is configured with the correct security settings, client data could be captured. A rogue access
point also could be configured to provide unauthorized users with information such as the MAC addresses of clients
(both wireless and wired), or to capture and disguise data packets or, at worst, to gain access to servers and files.
A simple and common version of a rogue access point is one installed by employees without authorization.
Employees install access points intended for home use on the enterprise network. These access points typically do
not have the necessary security configuration, so the network ends up with a security hole.
Man-in-the-Middle Attacks –
One of the more sophisticated attacks an unauthorized user can make is called a man-in-the-middle (MITM) attack.
Attackers select a host as a target and position themselves logically between the target and the router or gateway of
the target. In a wired LAN environment, the attacker needs to be able to physically access the LAN to insert a device
logically into the topology. With a WLAN, the radio waves emitted by access points can provide the connection.
Radio signals from stations and access points are "hearable" by anyone in a BSS with the proper equipment, such as
a laptop with a NIC. Because access points act like Ethernet hubs, each NIC in a BSS hears all the traffic. Each device
discards any traffic not addressed to it. Attackers can modify the NIC of their laptop with special software so that it
accepts all traffic. With this modification, the attacker can carry out wireless MITM attacks, with the laptop NIC acting
as an access point.
To carry out this attack, a hacker selects a station as a target and uses packet sniffing software, such as Wireshark, to
observe the client station connecting to an access point. The hacker might be able to read and copy the target
username, server name, client and server IP address, the ID used to compute the response, and the challenge and
associated response, which is passed in clear text between station and access point.
If an attacker is able to compromise an access point, the attacker can potentially compromise all users in the BSS.
The attacker can monitor an entire wireless network segment and wreak havoc on any users connected to it.
Defeating an attack like a MITM attack depends on the sophistication of your WLAN infrastructure and your
vigilance in monitoring activity on the network. The process begins with identifying legitimate devices on your
WLAN. To do this, you must authenticate users on your WLAN.
When all legitimate users are known, you then monitor the network for devices and traffic that are not supposed to be
there. Enterprise WLANs that use state-of-the-art WLAN devices provide administrators with tools that work
together as a wireless intrusion prevention system (IPS). These tools include scanners that identify rogue access
points and ad hoc networks, and radio resource management (RRM), which monitors the RF band for activity and
access point load. An access point that is busier than normal alerts the administrator to possible unauthorized
traffic.
Denial of Service
DoS 1 - 802.11b and g WLANs use the unlicensed 2.4 GHz ISM band. This is the same band used by most wireless
consumer products, including baby monitors, cordless phones, and microwave ovens. With these devices crowding
the RF band, attackers can create noise on all the channels in the band with commonly available devices.
DoS 2 - Earlier we discussed how an attacker can turn a NIC into an access point. That trick can also be used to create
a DoS attack. The attacker, using a PC as an access point, can flood the BSS with clear-to-send (CTS) messages, which
defeat the CSMA/CA function used by the stations. The access points, in turn, flood the BSS with simultaneous
traffic, causing a constant stream of collisions.
Another DoS attack that can be launched in a BSS is when an attacker sends a series of disassociate
commands that cause all stations in the BSS to disconnect. When the stations are disconnected, they immediately try
to reassociate, which creates a burst of traffic. The attacker sends another disassociate command and the cycle
repeats itself.
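The disassociate-and-reassociate cycle described above has a recognisable signature in a management-frame capture: a burst of disassociation frames from one BSSID, often to the broadcast address, followed by a burst of reassociation requests. The detector below is an added example, not part of the course notes; the log format, the sample frames, the one-second window and the threshold of five are all constructed assumptions for illustration.

```python
"""Added example (not from the course notes): flagging a disassociation /
deauthentication flood in a constructed 802.11 management-frame log."""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample capture, one frame per line:
# "timestamp subtype bssid source destination". The single disassoc at 10:00:01
# is normal AP housekeeping; the burst at 10:00:30 is the attack pattern from
# the notes, followed by the stations' reassociation burst.
SAMPLE_FRAMES = """\
2024-01-01T10:00:00.000 beacon 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
2024-01-01T10:00:01.000 disassoc 00:11:22:33:44:55 00:11:22:33:44:55 aa:aa:aa:aa:aa:01
2024-01-01T10:00:30.000 disassoc 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
2024-01-01T10:00:30.050 disassoc 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
2024-01-01T10:00:30.100 disassoc 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
2024-01-01T10:00:30.150 disassoc 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
2024-01-01T10:00:30.200 disassoc 00:11:22:33:44:55 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
2024-01-01T10:00:30.300 reassoc_req 00:11:22:33:44:55 aa:aa:aa:aa:aa:01 00:11:22:33:44:55
2024-01-01T10:00:30.310 reassoc_req 00:11:22:33:44:55 aa:aa:aa:aa:aa:02 00:11:22:33:44:55
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
FLOOD_SUBTYPES = {"disassoc", "deauth"}  # both force stations off the BSS
WINDOW = timedelta(seconds=1)            # assumed sliding window
THRESHOLD = 5                            # assumed frames per BSSID per window


def parse_frames(text):
    """Parse the constructed log into (timestamp, subtype, bssid, src, dst)."""
    frames = []
    for line in text.splitlines():
        ts, subtype, bssid, src, dst = line.split()
        frames.append((datetime.fromisoformat(ts), subtype, bssid, src, dst))
    return frames


def detect_disassoc_flood(frames, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of disassoc/deauth frames per BSSID.

    Emits one alert per BSSID the first time the count inside `window` reaches
    `threshold`. Broadcast destinations are recorded because a legitimate AP
    rarely disassociates every station at once, so that raises confidence.
    """
    recent, alerts, alerted = {}, [], set()
    for ts, subtype, bssid, src, dst in sorted(frames):
        if subtype not in FLOOD_SUBTYPES:
            continue
        q = recent.setdefault(bssid, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "count": len(q),
                           "broadcast": dst == BROADCAST, "at": ts})
    return alerts
```

Real wireless IPS products apply the same idea with per-environment baselines; a threshold this low would be noisy on a busy BSS.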
Wireless Protocol Overview:
NOTE - WPA uses the TKIP encryption algorithm.
Authenticating to the Wireless LAN –
In networks that have stricter security requirements, an additional authentication or login is required to grant clients
access. This login process is managed by the Extensible Authentication Protocol (EAP). EAP is a framework for
authenticating network access. IEEE developed the 802.11i standard for WLAN authentication and authorization to
use IEEE 802.1x.
EAP Process:
The 802.11 association process creates a virtual port for each WLAN client at the access point.
The access point blocks all data frames, except for 802.1x-based traffic.
The 802.1x frames carry the EAP authentication packets via the access point to a server that maintains
authentication credentials. This server is an Authentication, Authorization, and Accounting (AAA) server
running a RADIUS protocol.
If the EAP authentication is successful, the AAA server sends an EAP success message to the access point,
which then allows data traffic from the WLAN client to pass through the virtual port.
Before opening the virtual port, data link encryption between the WLAN client and the access point is
established to ensure that no other WLAN client can access the port that has been established for a given
authenticated client.
Encryption
Two enterprise-level encryption mechanisms specified by 802.11i are certified as WPA and WPA2 by the Wi-Fi
Alliance: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).
TKIP is the encryption method certified as WPA. It provides support for legacy WLAN equipment by addressing the
original flaws associated with the 802.11 WEP encryption method. It makes use of the original encryption algorithm
used by WEP.
TKIP has two primary functions:
It encrypts the Layer 2 payload
It carries out a message integrity check (MIC) in the encrypted packet. This helps ensure against a message
being tampered with.
Although TKIP addresses all the known weaknesses of WEP, the AES encryption of WPA2 is the preferred method,
because it brings the WLAN encryption standards into alignment with broader IT industry standards and best
practices, most notably IEEE 802.11i.
AES has the same functions as TKIP, but it uses additional data from the MAC header that allows destination hosts to
recognize if the non-encrypted bits have been tampered with. It also adds a sequence number to the encrypted data
header.
When you configure Linksys access points or wireless routers, such as the WRT300N, you may not see WPA or WPA2;
instead, you may see references to something called pre-shared key (PSK).
Various types of PSKs are as follows:
PSK or PSK2 with TKIP is the same as WPA
PSK or PSK2 with AES is the same as WPA2
PSK2, without an encryption method specified, is the same as WPA2
TKIP vs. AES –
Controlling Access to the Wireless LAN –