HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802

)

Wireless LAN

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Objectives

In this chapter, you will learn to: • Wireless LAN Concepts • Deploying WLANs • Wireless LAN Security

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless LAN Concepts

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Data Technologies

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Characteristics of Wireless Data Technologies
Wireless Technology Infrared (IR) Narrowband Spread spectrum Personal communication service (PCS) 3G service Cellular, Cellular Digital Packet Data (CDPD), Mobitex, DataTAC Microwave transmissions Long range (LR) optical transmissions Characteristics Very high data rates, low cost, very short distance Low data rates, medium cost, limited distance, license required High data rates, medium cost, limited to campus coverage Low data rates, medium cost, citywide coverage Mobile phone data technologies, medium cost, worldwide coverage Low data rates, flat monthly rate, national coverage Wireless data link using microwaves, medium rage, high data rates possible, license required Data link using laser transmission, short range, high data rates

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Data Technologies (Cont.)
WAN
(Wide Area Network)

MAN
(Metropolitan Area Network)

LAN
(Local Area Network)

PAN
(Personal Area Network)

PAN
Standards Speed
w w w .h a n o ic tt.c o m

LAN
IEEE 802.11a, 802.11b, 802.11g 1–54+ Mbps Medium Enterprise networks

MAN
802.16 MMDS, LMDS 22+ Mbps Medium–long Fixed, lastmile access

WAN
GSM, GPRS, CDMA, 2.5–3G 10–384 kbps Long PDAs, mobile phones, cellular access

Bluetooth <1 Mbps Short Peer to peer, device to device

Range Applications

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless LAN (WLAN)
• • • • •
A WLAN is a shared network. An access point is a shared device and functions like a shared Ethernet hub. Data is transmitted over radio waves. Two-way radio communications (half-duplex) are used. To arbitrate the use of the frequency, WLANs use the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) algorithm to enforce HDX logic and avoid as many collisions as possible. The same radio frequency is used for sending and receiving (transceiver).

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

What Are WLANs?
They are:
• Local • In building or campus for mobile users • Radio or infrared • Not required to have RF licenses in most countries • Using equipment owned by customers
w w w .h a n o ic tt.c o m

They are not: • WAN or MAN networks • Cellular phones networks • Packet data transmission
via celluar phone networks – Cellular digital packet data (CDPD) – General packet radio service (GPRS) – 2.5G to 3G services

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Similarities Between WLAN and LAN
• A WLAN is an 802 LAN. – The IEEE defines standards for both, using the IEEE 802.3
family for Ethernet LANs and the 802.11 family for WLANs. – Transmits data over the air vs. data over the wire – Looks like a wired network to the user – Defines physical and data link layer – Both define a frame format with a header and trailer, with the header including a source and destination MAC address field, each 6 bytes in length. – Both define rules about how the devices should determine when they should send frames and when they should not. • The same protocols/applications run over both WLANs and LANs. – IP (network layer) – IPSec VPNs (IP-based) – Web, FTP, SNMP (applications)
HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

w w w .h a n o ic tt.c o m

w w w .h a n o ic tt.c o m

Differences Between WLAN and LAN
• WLANs use radio waves as the physical layer. – WLANs use CSMA/CA instead of CSMA/CD to access the network. • Radio waves have problems that are not found on wires. – Connectivity issues. • Coverage problems • Multipath issues • Interference, noise – Privacy issues. • WLANs use mobile clients. – No physical connection. – Battery-powered. • WLANs must meet country-specific RF regulations.

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless LAN Standard
Organizations That Set or Influence WLAN Standards
Organization ITU-R Standardization Role Worldwide standardization of communications that use radiated energy, particularly managing the assignment of frequencies Standardization of wireless LANs (802.11) An industry consortium that encourages interoperability of products that implement WLAN standards through their Wi-Fi certified program The U.S. government agency with that regulates the usage of various communications frequencies in the U.S.

IEEE Wi-Fi Alliance
w w w .h a n o ic tt.c o m

Federal Communications Commission (FCC)

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless LAN Standard
Feature Year ratified Maximum speed using DSSS Maximum speed using OFDM Frequency band Channels (nonoverlapped) 802.11a 1999 ---------802.11b 1999 11 Mbps 802.11g 2003 11 Mbps 54 Mbps 2.4 GHz 11 (3)

54 Mbps ---------5 GHz 23 (12) 2.4 GHz 11 (3)

Speeds required by standard (Mbps) 6, 12, 24 1, 2, 5.5, 11 6, 12, 24

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Service Set Identifier (SSID)
• The SSID is the name of the
wireless cell. SSID is used to logically separate WLANs. The SSID must match on client and access point. Access point broadcasts one SSID in beacon. Therefore, clients can be configured without SSID. Client association steps: – Client sends probe request. – Access point sends probe response. – Client initiates association. – Access point accepts association. – Access point adds client MAC address to association table.
HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

• •

w w w .h a n o ic tt.c o m w w w .h a n o ic tt.c o m

Service Sets and Modes
Ad hoc mode: • Independent Basic Service Set (IBSS): – Mobile clients connect directly without an intermediate access point. Infrastructure mode: • Basic Service Set: – Mobile clients use a single access point for connecting to each other or to wired network resources. • Extended Services Set: – Two or more Basic Service Sets are connected by a common distribution system (DS).

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Different WLAN Modes and Names
Mode Ad hoc Infrastructure (one AP) Service Set Independent Basic Service Set (IBSS) Basic Service Set (BSS) Name Description Allows two devices to communicate directly. No AP is needed. A single wireless LAN created with an AP and all devices that associate with that AP Multiple APs create one wireless LAN, allowing roaming and a larger coverage area.

Infrastructure Extended Service (more than one AP) Set (ESS)

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Transmissions (Layer 1)

• •

WLANs transmit data at Layer 1 by sending and receiving radio waves Many electronic devices radiate energy at varying frequencies. To prevent the energy radiated by one device from interfering with other devices, national government agencies, regulate and oversee the frequency ranges that can be used inside that country. For example, Radio Frequency Directorate (RFD) in the Vietnam regulates the electromagnetic spectrum of frequencies. The wider the range of frequencies in a frequency band, the greater the amount of information that can be sent in that frequency band

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Transmissions (Layer 1)
FCC Unlicensed Frequency Bands
Frequency Name 900 KHz 2.4 GHz 5 GHz Industrial, Scientific, Mechanical (ISM) ISM Unlicensed National Information Infrastructure (U-NII) Sample Devices Older cordless telephones Newer cordless phones and 802.11, 802.11b, 802.11g WLANs Newer cordless phones and 802.11a, 802.11n WLANs

w w w .h a n o ic tt.c o m

Unlicensed frequencies can be used by all kinds of devices; however, the devices must still conform to the rules set up by the regulatory agency. In particular, a device using an unlicensed band must use power levels at or below a particular setting. Otherwise, the device might interfere too much with other devices sharing that unlicensed band
HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Transmissions (Layer 1)
FCC Unlicensed Frequency Bands

w w w .h a n o ic tt.c o m

• • •

ISM (Industry, Scientific, and Medical) bands: • 900 MHz and 2.4 GHz • U-NII (Unlicensed National Information • Infrastructure) bands: 5GHz No license required

No exclusive use Best effort Interference and degradation are possible

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Transmissions (Layer 1)
• It is important to know the names of three general classes of encoding, in part because the type of encoding requires some planning and forethought for some WLANs. Frequency Hopping Spread Spectrum (FHSS): – Uses all frequencies in the band, hopping to different ones. – By using slightly different frequencies for consecutive transmissions, a device can hopefully avoid interference from other devices that use the same unlicensed band, succeeding at sending data at some frequencies. – The original 802.11 WLAN standards used FHSS, but the current standards (802.11a, 802.11b, and 802.11g) do not.

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Transmissions (Layer 1)

w w w .h a n o ic tt.c o m

Direct Sequence Spread Spectrum (DSSS) followed as the next general class of encoding type for WLANs. – Designed for use in the 2.4 GHz unlicensed band, – Uses one of several separate channels or frequencies. – This band has a bandwidth of 82 MHz, with a range from 2.402 GHz to 2.483 GHz. As regulated by the FCC, this band can have 11 (North America) or 13 (Europe) different overlapping DSSS channels.

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Transmissions (Layer 1)
802.11b/g (2.4 GHz) Channel Reuse

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Transmissions (Layer 1)
Using Nonoverlapping DSSS 2.4-GHz Channels in an ESS WLAN

w w w .h a n o ic tt.c o m

The devices in one BSS (devices communicating through one AP) can send at the same time as the other two BSSs and not interfere with each other, because each uses the slightly different frequencies of the nonoverlapping channels

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Transmissions (Layer 1)
Encoding Classes and IEEE Standard WLANs

Name of Encoding Class Frequency Hopping Spread Spectrum (FHSS) Direct Sequence Spread Spectrum (DSSS)

What It Is Used By 802.11 802.11b, 802.11g

Orthogonal Frequency Division Multiplexing (OFDM) 802.11a

w w w .h a n o ic tt.c o m

The last of the three categories of encoding for WLANs is called Orthogonal Frequency Division Multiplexing (OFDM). Like DSSS, WLANs that use OFDM can use multiple nonoverlapping channels. NOTE: The emerging 802.11n standard uses OFDM as well as multiple antennas, a technology sometimes called multiple input multiple output (MIMO).
HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Transmissions (Layer 1)
Wireless Interference
• Radio frequencies are radiated into the air via an antenna, creating radio waves. The following factors influence the transmission of radio waves: – Reflection: Occurs when RF waves bounce off objects (for example, metal or glass surfaces). – Scattering: Occurs when RF waves strike an uneven surface (for example, a rough surface) and are reflected in many directions. – Absorption: Occurs when RF waves are absorbed by objects (for example, walls). Additionally, wireless communication is impacted by other radio waves in the same frequency range. One key measurement for interference is the Signal-to-Noise Ratio (SNR). This calculation measures the WLAN signal as compared to the other undesired signals (noise) in the same space. The higher the SNR, the better the WLAN devices can send data successfully.


w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Transmissions (Layer 1)
Coverage Area, Speed, and Capacity
• A WLAN coverage area is the space in which two WLAN devices can successfully send data. The coverage area created by a particular AP depends on many factors: – The transmit power by an AP or WLAN NIC cannot exceed a particular level based on the regulations from regulatory agencies such as the FCC – The materials and locations of the materials near the AP NOTE: The power of an AP is measured based on the Effective Isotropic Radiated Power (EIRP) calculation. This is the radio’s power output, plus the increase in power caused by the antenna, minus any power lost in the cabling. In effect, it’s the power of the signal as it leaves the antenna.

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Transmissions (Layer 1)
WLAN Speed and Frequency Reference

IEEE Standard Maximum Speed (Mbps) 802.11b 802.11a 802.11g
w w w .h a n o ic tt.c o m

Other Speeds Frequency (Mbps) (GHz) 1, 2, 5.5 6, 9, 12, 18, 24, 36, 48 Same as 802.11.a 2.4 5 5

Nonoverlapping Channels 3 12 3

11 54 54

• •

The speeds listed in bold text are required speeds according to the standards. The other speeds are optional. NOTE: The original 802.11 standard supported speeds of 1 and 2 Mbps.

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Media Access (Layer 2)
• • • The solution to the media access problem with WLANs is to use the carrier sense multiple access with collision avoidance (CSMA/CA) algorithm. However, CSMA/CA does not prevent collisions, so the WLAN standards must have a process to deal with collisions when they do occur. Because the sending device cannot tell if its transmitted frame collided with another frame, the standards all require an acknowledgment of every frame. Each WLAN device listens for the acknowledgment, which should occur immediately after the frame is sent. If no acknowledgment is received, the sending device assumes that the frame was lost or collided, and it resends the frame. – Step 1: Listen to ensure that the medium (space) is not busy (no radio waves currently are being received at the frequencies to be used). – Step 2: Set a random wait timer before sending a frame to statistically reduce the chance of devices all trying to send at the same time. – Step 3: When the random timer has passed, listen again to ensure that the medium is not busy. If it isn’t, send the frame. – Step 4: After the entire frame has been sent, wait for an acknowledgment. – Step 5: If no acknowledgment is received, resend the frame, using CSMA/CA logic to wait for the appropriate time to send again.

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Deploying WLANs

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless LAN Implementation Checklist
The following basic checklist can help guide the installation of a new BSS WLAN: • Step 1: Verify the Existing Wired Network – Verify that the existing wired network works, including DHCP services, VLANs, and Internet connectivity. • Step 2: Install and Configure the AP’s Wired and IP Details – Install the AP and configure/verify its connectivity to the wired network, including the AP’s IP address, mask, and default gateway. • Step 3: Configure the AP’s WLAN Details – Configure and verify the AP’s wireless settings, including Service Set Identifier (SSID), but no security. • Step 4: Install and Configure One Wireless Client – Install and configure one wireless client (for example, a laptop), again with no security. • Step 5: Verify that the WLAN works from the laptop

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless LAN Implementation
Step 1: Verify the Existing Wired Network

w w w .h a n o ic tt.c o m

different non-overlapping or frequencies channels for best performance

For wireless voice networks, an overlap of 15 to 20 percent is recommended.

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless LAN Implementation
Step 2: Install and Configure the AP’s Wired and IP Details

• •

Just like an Ethernet switch, wireless APs operate at Layer 2 and do not need an IP address to perform their main functions. However, just as an Ethernet switch in an Enterprise network should have an IP address so that it can be easily managed, APs deployed in an Enterprise network should also have an IP address. In particular, the AP needs an IP address, subnet mask, default gateway IP address, and possibly the IP address of a DNS server.

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless LAN Implementation
Step 3: Configure the AP’s WLAN Details

• The following list highlights some of the features mentioned earlier in this chapter that may need to be configured: – IEEE standard (a, b, g, or multiple) – Wireless channel – Service Set Identifier (SSID, a 32-character text identifier for the WLAN) – Transmit power
w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless LAN Implementation
Step 4: Install and Configure One Wireless Client
• • • To be a WLAN client, the device simply needs a WLAN NIC that supports the same WLAN standard as the AP. When the client starts working, it tries to discover all APs by listening on all frequency channels for the WLAN standards it supports by default. WLAN clients may use wireless NICs from a large number of vendors. To help ensure that the clients can work with Cisco APs, Cisco started the Cisco Compatible Extensions Program (CCX). With Microsoft operating systems, the wireless NIC may not need to be configured because of the Microsoft Zero Configuration Utility (ZCF). This utility, part of the OS, allows the PC to automatically discover the SSIDs of all WLANs whose APs are within range on the NIC. The user can choose the SSID to connect to. Or the ZCF utility can automatically pick the AP with the strongest signal, thereby automatically connecting to a wireless LAN without the user’s needing to configure anything. Note that most NIC manufacturers also provide software that can control the NIC instead of the operating system’s built-in tools such as Microsoft ZCF.

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless LAN Implementation
Step 5: Verify that the WLAN works from the laptop
• if the new client cannot communicate, you might check the following: – Is the AP at the center of the area in which the clients reside? – Is the AP or client right next to a lot of metal? – Is the AP or client near a source of interference, such as a microwave oven or gaming system? – Is the AP’s coverage area wide enough to reach the client? The following list notes a few other common problems with a new installation: – Check to make sure that the NIC and AP’s radios are enabled. In particular, most laptops have a physical switch with which to enable or disable the radio, as well as a software setting to enable or disable the radio. This allows the laptop to save power (and extend the time before it must be plugged into a power outlet again). It also can cause users to fail to connect to an AP, just because the radio is turned off. – Check the AP to ensure that it has the latest firmware. AP firmware is the OS that runs in the AP. – Check the AP configuration—in particular, the channel configuration—to ensure that it does not use a channel that overlaps with other APs in the same location.

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless LAN Security

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wireless Security
Encryption + Authentication = Security
• To provide a minimum level of security in a WLAN, you need two components: – A means to decide who or what can use a WLAN. This requirement is satisfied by authentication mechanisms for LAN access control. – A means to provide privacy for the wireless data. The requirement is satisfied by encryption algorithms.

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

WLAN Security Issues
• The Cisco-authorized CCNA-related courses suggest several categories of threats: – War drivers – Hackers – Employees – Rogue AP To reduce the risk of such attacks, three main types of tools can be used on a WLAN: – Mutual authentication – Encryption – Intrusion tools

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

WLAN Vulnerabilities and Solutions
WLAN Vulnerabilities and Solutions
Vulnerability War drivers Hackers stealing information in a WLAN Solution Strong authentication Strong encryption

Hackers gaining access to the rest of the network Strong authentication Employee AP installation Rogue AP Intrusion Detection Systems (IDS), including Cisco SWAN Strong authentication, IDS/SWAN

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

The Progression of WLAN Security Standards

Name

Year

Who Defined It IEEE Cisco, IEEE 802.1x Extensible Authentication Protocol (EAP) Wi-Fi Alliance

Wired Equivalent Privacy (WEP) 1997 The interim Cisco solution while 2001 awaiting 802.11i Wi-Fi Protected Access (WPA) 802.11i (WPA2)
w w w .h a n o ic tt.c o m

2003

2005+ IEEE

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wired Equivalent Privacy (WEP)
• • WEP is based on the RC4 symmetric stream cipher. The symmetric nature of RC4 requires that matching WEP keys, either 40 or 104 bits in length, must be statically configured on client devices and access points (APs). WEP was chosen primarily because of its low computational overhead.

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wired Equivalent Privacy (WEP)
Open Authentication with Differing WEP Keys

• •
w w w .h a n o ic tt.c o m

Open authentication is a null authentication algorithm. Access control in Open authentication relies on the preconfigured WEP key on the client and AP. The client and AP must have matching WEP keys to enable them to communicate. If the client and AP do not have WEP enabled, there is no security in the BSS. Any device can join the BSS and all data frames are transmitted unencrypted.
HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wired Equivalent Privacy (WEP)
Shared Key Authentication Process

w w w .h a n o ic tt.c o m

The following summarizes the Shared Key authentication process: 1. The client sends an authentication request for Shared Key authentication to the AP. 2. The AP responds with a cleartext challenge frame. 3. The client encrypts the challenge and responds back to the AP. 4. If the AP can correctly decrypt the frame and retrieve the original challenge, the client is sent a success message. 5. The client can access the WLAN. The premise behind Shared Key authentication is similar to that of Open authentication with WEP keys as the access control means. The client and AP must have matching keys. The difference between the two schemes is that the client cannot associate in Shared Key authentication unless the correct key is configured

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wired Equivalent Privacy (WEP)
• The main problems were as follows: – Static Preshared Keys (PSK): The key value had to be configured on each client and each AP, with no dynamic way to exchange the keys without human intervention. As a result, many people did not bother to change the keys on a regular basis, especially in Enterprises with a large number of wireless clients. – Easily cracked keys: The key values were short (64 bits, of which only 40 were the actual unique key). This made it easier to predict the key’s value based on the frames copied from the WLAN. Additionally, the fact that the key typically never changed meant that the hacker could gather lots of sample authentication attempts, making it easier to find the key. Because of the problems with WEP, and the fact that the later standards include much better security features, WEP should not be used today.

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

SSID Cloaking and MAC Filtering
• Normally, the association process occurs like this: – Step 1: The AP sends a periodic Beacon frame (the default is every 100 ms) that lists the AP’s SSID and other configuration information. – Step 2: The client listens for Beacons on all channels, learning about all APs in range. – Step 3: The client associates with the AP with the strongest signal (the default), or with the AP with the strongest signal for the currently preferred SSID. – Step 4: The authentication process occurs as soon as the client has associated with the AP. SSID cloaking is an AP feature that tells the AP to stop sending periodic Beacon frames. This seems to solve the problem with attackers easily and quickly finding all APs. However, clients still need to be able to find the APs. Therefore, if the client has been configured with a null SSID, the client sends a Probe message, which causes each AP to respond with its SSID. In short, it is simple to cause all the APs to announce their SSIDs, even with cloaking enabled on the APs, so attackers can still find all the APs. MAC address filtering: The AP can be configured with a list of allowed WLAN MAC addresses, filtering frames sent by WLAN clients whose MAC address is not in the list. As with SSID cloaking, MAC address filtering may prevent curious onlookers from accessing the WLAN, but it does not stop a real attack. The attacker can use a WLAN adapter that allows its MAC address to be changed, copy legitimate frames out of the air, set its own MAC address to one of the legitimate MAC addresses, and circumvent the MAC address filter.

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

The Cisco Interim Solution Between WEP and 802.11i
• The Cisco answer included some proprietary improvements for encryption, along with the IEEE 802.1x standard for end-user authentication. The main features of Cisco enhancements included the following: – Dynamic key exchange (instead of static preshared keys) – User authentication using IEEE 802.1x – A new encryption key for each packet Cisco also added user authentication to its suite of security features. User authentication means that instead of authenticating the device by checking to see if the device knows a correct key, the user must supply a username and password. This extra authentication step adds another layer of security. That way, even if the keys are temporarily compromised, the attacker must also know a person’s username and password to gain access to the WLAN.

• •

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Wi-Fi Protected Access (WPA)
• Wi-Fi alliance took the current work-in-progress on the 802.11i committee, made some assumptions and predictions, and defined a de facto industry standard. The Wi-Fi Alliance then performed its normal task of certifying vendors’ products as to whether they met this new industry standard, calling it Wi-Fi Protected Access (WPA). WPA essentially performed the same functions as the Cisco proprietary interim solution, but with different details. WPA includes the option to use dynamic key exchange, using the Temporal Key Integrity Protocol (TKIP). (Cisco used a proprietary version of TKIP.) WPA allows for the use of either IEEE 802.1X user authentication or simple device authentication using preshared keys. And the encryption algorithm uses the Message Integrity Check (MIC) algorithm, again similar to the process used in the Cisco-proprietary solution. NOTE: The Cisco-proprietary solutions and the WPA industry standard are incompatible.

w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

IEEE 802.11i and WPA-2
• Like the Cisco-proprietary solution, and the Wi-Fi Alliance’s WPA industry standard, 802.11i includes dynamic key exchange, much stronger encryption, and user authentication. However, the details differ enough so that 802.11i is not backward-compatible with either WPA or the Ciscoproprietary protocols. One particularly important improvement over the interim Cisco and WPA standards is the inclusion of the Advanced Encryption Standard (AES) in 802.11i. AES provides even better encryption than the interim Cisco and WEP standards, with longer keys and much more secure encryption algorithms. The Wi-Fi Alliance continues its product certification role for 802.11i, but with a twist on the names used for the standard. Because of the success of the WPA industry standard and the popularity of the term “WPA,” the Wi-Fi Alliance calls 802.11i WPA2, meaning the second version of WPA. So, when buying and configuring products, you will more likely see references to WPA2 rather than 802.11i.


w w w .h a n o ic tt.c o m

HANOICTT NETWORKING ACADEMY CCNA Exploration (640-802)

Comparisons of WLAN Security Features
Standard WEP Cisco WPA Key Distribution Static Dynamic Both Device User Encryption Authentication Authentication Yes (weak) Yes Yes Yes None Yes (802.1x) Yes (802.1x) Yes (802.1x) Yes (weak) Yes (TKIP) Yes (TKIP) Yes (AES)

802.11i (WPA2) Both
w w w .h a n o ic tt.c o m

Master your semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master your semester with Scribd & The New York Times

Cancel anytime.