Wireless Personal Area Networks (WPANs)

The market for wireless personal area networks is expanding rapidly. As people use more electronic devices at home and in the office, and with the proliferation of
peripherals, a clear need for wireless connectivity between these devices has emerged. Examples of the devices that need to be networked are desktop computers,
handheld computers, printers, microphones, speakers, pagers, mobile phones, bar code readers, and sensors. Using cables to connect these devices with a PC and
with each other can be a difficult task in a stationary location.

Here are the main characteristics of a WPAN:

- Short-range communication
- Low power consumption
- Low cost
- Small personal networks
- Communication of devices within a personal space

Three wireless standards are leading the way for WPANs: IrDA, Bluetooth, and IEEE 802.15. Each of these standards enables users to connect a variety of devices
without having to buy, carry, or connect cables. They also provide a way to establish ad hoc networks among the abundance of mobile devices on the market.

WPAN Standards

Each standard has strengths and weaknesses, making it suitable for specific application scenarios.

IrDA

IrDA, the acronym for Infrared Data Association, is an international organization that creates and promotes interoperable, low-cost infrared data connection
standards. IrDA has a set of protocols to support a broad range of appliances, computing, and communication devices. These protocols are typically aimed at
providing high-speed, short-range, line-of-sight, and point-to-point wireless data transfer. IrDA protocols use IrDA DATA as the data delivery mechanism, and IrDA
CONTROL as the controlling mechanism.

The original goal of IrDA was to provide a cable replacement technology, much like the other PAN standards. The idea was that two computers could communicate
simply by pointing them at each other. For example, to print a document, you would simply point the infrared (IR) port at the printer and be able to send the data. No
cables would be required.

Technically, infrared technology is well suited for such tasks. The following are some of infrared's features:

- Communication range of up to 1 meter, although a distance of 2 meters can often be reached.
- A low-power option for communication up to 20 centimeters. This requires 10 times less power than the full-power implementation.
- Bidirectional communication.
- Data transmission from 9600 bps to a maximum speed of 4 Mbps.

For IR to work, the communicating devices have to maintain line of sight. This means that they have to be situated within the operating range (typically up to 2 meters apart), point at each other, and have no physical impediments between them. In most office environments, this limitation is not practical for many peripherals such as printers or scanners. Using infrared to transfer data between two devices is more realistic.

One of the major advantages of IrDA from a device manufacturer's perspective is cost. IR ports can be incorporated into a device for as low as $1 (U.S.). This is a very low cost for implementing wireless communication in a device compared to other WPAN standards.

Bluetooth

Bluetooth is a standard for enabling wireless communication between mobile computers, mobile phones, and portable handheld devices. Unlike IR, Bluetooth does
not require a line of sight between devices to be effective. It is able to communicate through physical barriers, typically with a range of 10 meters, although with
power amplifiers, 100 meters is possible. Bluetooth uses the unlicensed 2.4-GHz spectrum for communication, with a peak throughput of 720 Kbps. It is expected
that this throughput will increase to around 10 Mbps with future Bluetooth specifications.

The origins of Bluetooth date back to 1994 when Ericsson was researching ways to enable mobile phones to communicate with peripherals. Four years later, in
1998, Ericsson, along with Nokia, Intel, Toshiba, and IBM, formed the Bluetooth Special Interest Group (SIG) to define a specification for small form-factor, low-cost
wireless communication.

Bluetooth provides an autodiscovery mode, whereby Bluetooth devices will automatically discover other devices that are within range. Once they are detected, they
can start communicating. There is some concern that this will overload the 2.4-GHz spectrum as more Bluetooth devices become available. To address this issue,
the Bluetooth specification defines three device modes:

- Generally discoverable mode. This allows a Bluetooth device to be detected by any other Bluetooth device within its proximity.
- Limited discoverable mode. Only well-defined devices will be able to detect a device in this mode. This mode will be used when a user has many Bluetooth devices and wants them to discover each other automatically.
- Nondiscoverable mode. This makes the device invisible to other devices so it cannot be detected.

When two or more devices connect, they form a piconet, an ad hoc network that can consist of a maximum of eight devices. Every device in a piconet can
communicate directly with the other devices. It is also possible to have networks with more than eight devices. In this case, several piconets can be combined
together into a scatternet. In a scatternet configuration, not all devices can see each other; only the devices within each piconet are able to communicate.

Figure 3.1 helps to illustrate how this works. In this figure there is one scatternet consisting of five piconets; the hands-free mobile phone is a member of three
different piconets and is able to communicate directly with the headset, the Bluetooth pen, and the access point, but is not able to communicate directly with the
laptops, printer, or fax machine.

Figure 3.1: Bluetooth scatternet with five piconets.

802.15

802.15 is a specification driven by the Institute of Electrical and Electronics Engineers (IEEE) to develop consensus standards for short-range wireless networks or
wireless personal area networks. It has similar goals to Bluetooth in that it looks to address wireless networking of portable and mobile computing devices such as
PCs, PDAs, mobile phones, peripherals, and consumer electronics. The 802.15 WPAN Working Group was established in 1999 as part of the Local and Metropolitan
Area Networks Standards Committee of the IEEE.

Table 3.2: Comparison of WPAN Technologies

STANDARD    | FREQUENCY         | BANDWIDTH                                  | OPTIMUM OPERATING RANGE                      | POINTS OF INTEREST
IrDA        | 875 nm wavelength | 9600 bps to 4 Mbps; future of 15 Mbps      | 1-2 meters (3-6 feet)                        | Requires line of sight for communication.
Bluetooth   | 2.4 GHz           | v1.1: 720 Kbps; v2.0: 10 Mbps              | 10 meters (30 feet) to 100 meters (300 feet) | Automatic device discovery; communicates through physical barriers.
IEEE 802.15 | 2.4 GHz           | 802.15.1: 1 Mbps; 802.15.3: 20-plus Mbps   | 10 meters (30 feet) to 100 meters (300 feet) | Uses Bluetooth as the foundation; coexistence with 802.11 devices.

IEEE 802.15 is a working group of the IEEE 802 standards committee of the Institute of Electrical and Electronics Engineers (IEEE), which specifies wireless personal area network (WPAN) standards. There are 10 major areas of development, not all of which are active.

Ad hoc literally means "for this" in Latin, and in English this almost always means "for this specific purpose". "Ad hoc" means makeshift, or improvised, so a wireless ad hoc network (WANET) is a type of on-demand, impromptu device-to-device network. In ad hoc mode, you can set up a wireless connection directly to another computer or device without having to connect to a Wi-Fi access point or router.

A personal operating system is used on an individual computing device that can run without being part of a network.

Video Cassette Recording (VCR) is an early domestic analog recording format designed by Philips in 1972.

The industrial, scientific and medical (ISM) radio bands are radio bands (portions of the radio spectrum) reserved internationally for the use of radio frequency (RF) energy for industrial, scientific and medical purposes other than telecommunications.

Full-duplex data transmission means that data can be transmitted in both directions on a signal carrier at the same
time.

The infrared part of the electromagnetic spectrum covers the range from roughly 300 GHz to 400 THz (1 mm - 750 nm), just below the visible light spectrum ("infra" means below).

ShareIt & Xender – Transfer and Share has recently established itself as one of the best offline file transfer tools for Android devices and even for PC connectivity. It allows the transfer of various file types such as music, applications, images, videos, documents and much more. It lets you transfer files from one mobile device to the other without any mobile data or additional data cost. It is rated highly on the Google Play Store, with a rating of 4.5/5, beating the majority of its alternatives. As of now, the application has more than 100 million user downloads.

It works over Wi-Fi, which is why SHAREit is faster than Bluetooth: Bluetooth connections run at kbps rates, whereas Wi-Fi runs at Mbps rates. It uses Wi-Fi Direct, a feature pre-installed on most recent Android devices on the market. Using Wi-Fi Direct, a host server is created inside the application for other devices to connect to and share with. The recipient then needs to join the hosted server, and the file exchange can take place as long as both the sender and recipient devices are connected to one another on the server.

Xender, File Transfer & Share and ShareIt both use the Wi-Fi Direct concept or a Wi-Fi hotspot to transfer files between devices. In effect, your device becomes a file server and the Wi-Fi hotspot or direct connection is the network. And since no data connection is required, it uses the maximum speed of your Wi-Fi.

Vulnerability Details

1. Authenticated Arbitrary File Download

When a download request is initiated, the SHAREit client sends a GET request to the sender's HTTP server. The requested URL looks like the following:

http://shareit_sender_ip:2999/download?metadatatype=photo&metadataid=1337&filetype=thumbnail&msgid=c60088c13d6

- metadatatype: the parameter that defines what kind of resource is being downloaded, whether a photo, a video, a music file, an application or just a regular file (accepts any of the following values: music, video, photo, app, game, file, doc, zip, ebook, contact).
- metadataid: the identifier for the resource being downloaded. For a photo, video or sound clip it is an incrementing number representing the asset id in the Android MediaStore; for applications it is the package name; and for files it is the full path of the file.
- filetype: the file type parameter accepts one of the following values: thumbnail, raw, data, external. As the name suggests, thumbnail fetches a preview of the resource (a small image of a video or photo, an application icon, etc.) and raw fetches the original file.
- msgid: a unique identifier for each request, meant to make sure that the download request was originally initiated by the sender.

The problem occurs mainly because the application fails to validate the msgid parameter, enabling a malicious client with a valid session to download any resource by directly referencing its identifier. For example, to download a file from the user's device, all you need is to have had a valid SHAREit session with this user at least once, so as to be added to the recognized devices, and then request

http://shareit_sender_ip:2999/download?metadatatype=file&metadataid=%2Fdata%2Fdata%2Fcom.lenovo.anyshare.gps%2Fshared_prefs%2FSettings.xml&filetype=raw

This will download /data/data/com.lenovo.anyshare.gps/shared_prefs/Settings.xml, which is the settings file for the SHAREit application. So we can download whatever files we want from the victim's device, but getting a valid session would trigger alarms when the victim sees an unusual session, and limiting it only to people we have exchanged files with before would dramatically decrease the success rate, so what is next?

2. Authentication Bypass

SHAREit <= v4.0.34 exhibited a very odd behavior that led to an authentication bypass. When a user with no valid session tries to download a file from the device using the previously mentioned URL, the application responds with a 403 response code and an error message saying "The request is not from anyshare user!". Once a valid session is established at least once, the application adds the user to the recognized devices and accepts any incoming download requests from this user.

The odd behavior occurs when an unauthenticated user tries to fetch a non-existing page: instead of a regular 404 page, the application responds with a 200 status code and an empty page, and adds the user to the recognized devices! This makes it the weirdest and simplest authentication bypass we have ever seen :). Yes, a fully functional proof of concept is as simple as

curl http://shareit_sender_ip:2999/DontExist
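The two findings above, modelled from the defender's side as an added Python example that is my own and not SHAREit's code: the vulnerable branch reproduces the two behaviours the page describes, and the hardened branch shows the checks that close them (trust only after a real session, bind each msgid to the file the sender offered, answer unknown paths with a plain 404). The Server class, the recognized-device set, the offer table and the sample file paths are assumptions; the page's own Settings.xml path and msgid value are reused as sample data.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample of the sender device's storage. The model addresses every
# resource by full path (the real app uses MediaStore ids for media).
SETTINGS = "/data/data/com.lenovo.anyshare.gps/shared_prefs/Settings.xml"  # path from the page
DEVICE_FILES = {
    "/sdcard/DCIM/holiday.jpg": b"<photo the sender chose to share>",
    SETTINGS: b"<private app settings, never offered>",
}


@dataclass
class Server:
    """Minimal model of the sender-side download endpoint (assumed structure)."""
    hardened: bool = False
    recognized: set = field(default_factory=set)   # clients holding a session
    offered: dict = field(default_factory=dict)    # msgid -> (client, path) offered

    def start_session(self, client):
        """The legitimate pairing handshake; the only step that should grant trust."""
        self.recognized.add(client)

    def offer(self, client, msgid, path):
        """The sender picks one file to send; the msgid is bound to that offer."""
        self.offered[msgid] = (client, path)

    def handle(self, client, url):
        parts = urlsplit(url)
        if parts.path != "/download":
            if self.hardened:
                return 404, b"not found"          # unknown route, no side effects
            # Modelled bug 2: an unknown path answers 200 and, as a side effect,
            # the caller is added to the recognized devices.
            self.recognized.add(client)
            return 200, b""
        if client not in self.recognized:
            return 403, b"The request is not from anyshare user!"
        query = parse_qs(parts.query)
        path = query.get("metadataid", [""])[0]
        msgid = query.get("msgid", [""])[0]
        if self.hardened and self.offered.get(msgid) != (client, path):
            # Modelled fix for bug 1: serve only the file this client was offered.
            return 403, b"no such transfer"
        # Vulnerable branch (bug 1): msgid is ignored, any existing path is served.
        data = DEVICE_FILES.get(path)
        return (200, data) if data is not None else (404, b"not found")


def download_url(metadatatype, path, msgid):
    """Builds a request shaped like the one quoted on the page."""
    return (f"/download?metadatatype={metadatatype}&metadataid="
            f"{quote(path, safe='')}&filetype=raw&msgid={msgid}")


def bypass_scenario(hardened):
    """Unpaired client: tries the settings file, probes /DontExist, tries again.
    Returns the three status codes."""
    srv = Server(hardened=hardened)
    steal = download_url("file", SETTINGS, "x")
    before = srv.handle("unpaired-device", steal)[0]
    probe = srv.handle("unpaired-device", "/DontExist")[0]
    after = srv.handle("unpaired-device", steal)[0]
    return before, probe, after


def paired_scenario(hardened):
    """Paired client offered holiday.jpg under msgid c60088c13d6: fetches it,
    then reuses the same msgid for a path it was never offered."""
    srv = Server(hardened=hardened)
    srv.start_session("paired-phone")
    srv.offer("paired-phone", "c60088c13d6", "/sdcard/DCIM/holiday.jpg")
    ok = srv.handle("paired-phone",
                    download_url("photo", "/sdcard/DCIM/holiday.jpg", "c60088c13d6"))[0]
    other = srv.handle("paired-phone", download_url("file", SETTINGS, "c60088c13d6"))[0]
    return ok, other


if __name__ == "__main__":
    print("vulnerable:", bypass_scenario(False), paired_scenario(False))  # (403, 200, 200) (200, 200)
    print("hardened:  ", bypass_scenario(True), paired_scenario(True))    # (403, 404, 403) (200, 403)
```

On the vulnerable model the 404-less probe turns a 403 into a 200 on the very next request; on the hardened model neither the probe nor a reused msgid gets past the checks.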

Attack Surface

Older versions of SHAREit (< v4.0.X) used to keep the download server running regardless of whether an active file transfer session was running or not. This means that all an attacker needs is to be on the same network as your SHAREit Android device to have full unrestricted access to all your files.

Newer versions turn off the download server when not in use, which means that to exploit the vulnerability you need to find an active file exchange session around you. Luckily for us, vulnerable SHAREit versions create an easily distinguished open Wi-Fi hotspot, which can be used not only to intercept traffic between the two devices (since it uses HTTP with no SSL/TLS encryption; both issues were independently reported by the SecureAuth Core Security team), but also to exploit the discovered vulnerabilities and gain unrestricted access to the vulnerable device's storage. (We managed to download ~3000 files totalling ~2 GB in an 8-minute transfer session.)

Exploitation

If you know the exact location of the file you would like to retrieve, exploitation can be as simple as a curl command referencing the path of the target file. However, this is not usually the case. To overcome this, we started looking for files with known paths that may contain interesting information in this regard. Analysis showed that two distinct database files related to the SHAREit application may be useful in this case:

- SHAREit History: the SHAREit history database contains records of all files exchanged using the SHAREit application, with the full path of each file, which we can use to fetch it. It is not very useful when running the exploit against an infrequent SHAREit user, and of course it would not contain all, or even most, of the records.
- SHAREit MediaStore Database: a smaller instance of Android's MediaStore database. It exists only in newer versions of SHAREit, but if found it is like a jackpot, since it contains records of most of the media files on the device, as seen in the following screenshot.

Screenshot of the SHAREit MediaStore database, containing interesting information about files in the system including file name, type, size, path and much other information.

So to retrieve all or most of the interesting files on the device, we start by retrieving such databases and then get the files listed in them. If we cannot find those files for whatever reason, we start multi-threaded brute forcing of Android MediaStore IDs (since they are incrementing numeric values) and fetch the files of valid IDs.

There are other files that contain juicy information, such as the user's Facebook token, the user's Amazon Web Services key, auto-fill data and cookies of websites visited using the SHAREit webview, and even the plaintext of the user's original hotspot (the application stores it to reset the hotspot settings to their original values), and much more.

PCMCIA: Personal Computer Memory Card International Association.

PCI (Peripheral Component Interconnect) is an interconnection system between a microprocessor and attached
devices in which expansion slots are spaced closely for high speed operation.

What are the differences between Hubs, Switches, Routers, and Access Points?

Hubs, Switches, Routers, and Access Points are all used to connect computers together on a network, but each of them has
different capabilities.

Hubs
Hubs are used to connect computers on a network so as to communicate with each other. Each computer plugs into the hub
with a cable, and information sent from one computer to another passes through the hub.

A hub can’t identify the source or destination of the information it receives, so it sends the information to all of the computers
connected to it, including the one that sent it. A hub can send or receive information, but it can’t do both at the same time.

Switches
Switches function the same way as hubs, but they can identify the intended destination of the information that they receive, so they send that information only to the computers it is intended for.
Switches can send and receive information at the same time, and faster than hubs can. Switches are recommended on a home or office network where you have more computers and want to use the network for activities that require passing a lot of information between computers.

Functions of a Switch
Routers
Routers are better known as intermediary devices that enable computers and other network components to communicate or
pass information between two networks e.g. between your home network and the Internet.

The most astounding thing about routers is their capability to direct network traffic. Routers can be wired (using cables)
or wireless. Routers also typically provide built-in security, such as a firewall.

Access Points
Access points provide wireless access to a wired Ethernet network. An access point plugs into a hub, switch, or wired router
and sends out wireless signals. This enables computers and devices to connect to a wired network wirelessly.

You can move from one location to another and continue to have wireless access to a network. When you connect to the
Internet using a public wireless network in an airport, hotel or in public, you are usually connecting through an access point.
Some routers are equipped with a wireless access point capability, in which case you don't need a separate wireless access point.

IEEE 802.11 is part of the IEEE 802 set of LAN protocols, and specifies the set of media access control and physical layer protocols for implementing wireless local area network Wi-Fi computer communication in various frequencies, including but not limited to the 2.4, 5, and 60 GHz frequency bands.

802.11 Data Link Layer

Fig.1 Data Link Layer

The data link layer within 802.11 consists of two sublayers: Logical Link Control (LLC) and Media Access Control (MAC). 802.11
uses the same 802.2 LLC and 48-bit addressing as other 802 LANs, allowing for very simple bridging from wireless to IEEE wired
networks, but the MAC is unique to WLANs.

The 802.11 MAC is very similar in concept to 802.3, in that it is designed to support multiple users on a shared medium by having
the sender sense the medium before accessing it. For 802.3 Ethernet LANs, the Carrier Sense Multiple Access with Collision
Detection (CSMA/CD) protocol regulates how Ethernet stations establish access to the wire and how they detect and handle
collisions that occur when two or more devices try to simultaneously communicate over the LAN.

Why is a different MAC needed from that of a wired LAN?

Reason One: the "near/far" problem. To detect a collision, a station must be able to transmit and listen at the same time, but in an 802.11 WLAN, the station's own radio transmission drowns out its ability to "hear" a collision.

Fig.2 "near/far" problem, in which S cannot "hear" the collision at R

Reason Two: the "hidden node" issue, in which two stations on opposite sides of an access point can both "hear" activity from the access point, but not from each other, usually due to distance or an obstruction.

Fig.3 "hidden node" problem: when A is transmitting, C cannot detect its activity, thus C is not able to correctly sense the carrier, which is being used by A

Reason Three: the constraint of power. Portable devices' activity relies very much on battery life.

MAC Solutions:

CSMA/CA: To solve the "near/far" problem, 802.11 uses a slightly modified protocol known as Carrier Sense Multiple Access
with Collision Avoidance (CSMA/CA) or the Distributed Coordination Function (DCF).
CSMA/CA works as follows. A station wishing to transmit senses the air, and, if no activity is detected, the station waits an
additional, randomly selected period of time and then transmits if the medium is still free.

CSMA/CA reduces the probability that two or more stations will begin transmitting at the same time and ensures some degree of
fairness.

But CSMA/CA cannot guarantee that collisions do not happen. Thus, 802.11 uses an explicit acknowledgement (ACK) to ensure transmission correctness. An ACK packet is sent by the receiving station to confirm that the data packet arrived intact. If the packet is received intact, the receiving station issues an ACK frame that, once successfully received by the sender, completes the process. If the ACK frame is not detected by the sending station, either because the original data packet was not received intact or the ACK was not received intact, a collision is assumed to have occurred and the data packet is transmitted again after waiting another random amount of time.

CSMA/CA thus provides a way of sharing access over the air. This explicit ACK mechanism also handles interference and other
radio-related problems very effectively. However, it does add some overhead to 802.11 that 802.3 does not have, so that an 802.11
LAN will always have slower performance than an equivalent Ethernet LAN.
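A slot-level simulation of the sense / random wait / transmit / ACK-or-retry loop just described, added here as my own illustration rather than code from the page or from any 802.11 stack; the slot model, the backoff window and the station counts are assumptions. It shows what the text states, that CSMA/CA makes collisions rarer without ruling them out, and also what happens without the random wait: stations that sensed an idle medium at the same moment keep colliding.

```python
import random


def simulate_csma_ca(n_stations, window=8, seed=1, max_slots=10_000):
    """Slot-by-slot model of the 802.11 DCF loop: every station holds one frame.
    window=1 means 'no random wait': every station sends as soon as it sees the
    medium idle. Returns the tallies as a dict."""
    rng = random.Random(seed)
    # Each station draws a random number of idle slots to wait before sending.
    backoff = {s: rng.randrange(window) for s in range(n_stations)}
    pending = set(backoff)
    slot = transmissions = collisions = 0
    while pending and slot < max_slots:
        slot += 1
        # Carrier sense at the start of the slot: the medium was idle, so every
        # station whose wait has expired transmits now.
        ready = [s for s in pending if backoff[s] == 0]
        if not ready:
            for s in pending:            # idle slot: everybody counts down
                backoff[s] -= 1
            continue
        transmissions += len(ready)
        if len(ready) == 1:
            # One sender: the frame arrives intact, the receiver ACKs, done.
            pending.remove(ready[0])
        else:
            # Overlapping senders: no ACK comes back, so each assumes a
            # collision and waits a fresh random time before retrying.
            collisions += 1
            for s in ready:
                backoff[s] = rng.randrange(window)
    return {"slots": slot, "transmissions": transmissions,
            "collisions": collisions, "delivered": n_stations - len(pending)}


def mean_collisions(n_stations, window, trials=200):
    """Average collision count over many seeds, to compare backoff windows."""
    total = sum(simulate_csma_ca(n_stations, window, seed=t)["collisions"]
                for t in range(trials))
    return total / trials


if __name__ == "__main__":
    print(simulate_csma_ca(5))
    print("window 8 vs 64:", mean_collisions(5, 8), mean_collisions(5, 64))
    print("no random wait:", simulate_csma_ca(3, window=1, max_slots=50))
```

A wider window lowers the average collision count at the price of more idle slots, which is the overhead the text says 802.11 carries and 802.3 does not.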

RTS/CTS protocol: To address the "hidden node" issue, 802.11 specifies an optional Request to Send/Clear to Send (RTS/CTS)
protocol at the MAC layer. When this feature is in use, a sending station transmits an RTS and waits for the access point to reply
with a CTS. Since all stations in the network can hear the access point, the CTS causes them to delay any intended transmissions,
allowing the sending station to transmit and receive a packet acknowledgment without any chance of collision. Since RTS/CTS
adds additional overhead to the network by temporarily reserving the medium, it is typically used only on the largest-sized packets,
for which retransmission would be expensive from a bandwidth standpoint.

Security:

IEEE 802.11 provides for security via two methods: authentication and encryption. Authentication is the means by which one
station is verified to have authorization to communicate with a second station in a given coverage area. In the infrastructure mode,
authentication is established between an AP and each station.

802.11 provides two methods of authentication: open system or shared key. An open system allows any client to authenticate as
long as it conforms to any MAC address filter policies that may have been set. All authentication packets are transmitted without
encryption. Shared key authentication, on the other hand, requires WEP be enabled, and identical WEP keys on the client and AP
(for more information on WEP keys, see below). The initiating endpoint requests a shared key authentication, which returns
unencrypted challenge text (128 bytes of randomly generated text) from the other endpoint. The initiator encrypts the text and
returns the data.

Fig.4 Open Authentication

Fig.5 Shared Key Authentication

Encryption is intended to provide a level of security comparable to that of a wired LAN. The Wired Equivalent Privacy (WEP)
feature uses the RC4 PRNG algorithm from RSA Data Security Inc. According to the protocol, WEP generally uses a 64-bit RC4
stream cipher (see information on 128-bit below). RC4 is a symmetric encryption algorithm, meaning the same key is used to both
encrypt and decrypt the data payload. This encryption key is generated from a seed value created by combining a 40-bit user defined
WEP key with a 24-bit Initialization Vector (IV). The WEP key generally takes the form of a 10-character hexadecimal string (0-9, A-F) or a 5-character ASCII string, which must be present on both ends of the wireless transmission. The protocol allows for up to four concurrently defined WEP keys.

The standard does not, however, currently define how the IV is established, so the implementation varies by vendor. When an
encrypted wireless client starts transmitting data, the IV can start with a value of zero or another randomly defined starting value,
and generally increments upwards in a predictable manner, with each successive frame. However, some vendors (such as Cisco)
use a more sophisticated, random determination of the IV.

Although not yet part of the protocol specification, many 802.11b vendors also support 128-bit RC4 encryption. This requires a
104-bit WEP key (26 character hexadecimal or 13 character ASCII), but uses the same 24-bit IV value. The figure below shows
that the 128-bit encrypted implementations from several vendors are interoperable despite the lack of a standard.
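The per-frame RC4 seed described above (24-bit IV followed by the 40-bit or 104-bit key), as an added example of my own rather than vendor code; the RC4 routine, the little-endian IV byte order and the sample key and frame contents are assumptions. It covers both key lengths the page mentions and shows the consequence of the small, predictably incrementing IV: after 2^24 frames the IV repeats, and two frames sharing an IV under one key are XORed with the identical keystream, so the XOR of their ciphertexts equals the XOR of their plaintexts, which is why WEP alone cannot be relied on for confidentiality.

```python
IV_BITS = 24


def rc4_keystream(key, length):
    """Plain RC4 (key scheduling, then output generation); illustration only."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_wep_key(text):
    """Accepts the key forms the page lists: 10 or 26 hex characters, or a
    5- or 13-character ASCII string; returns the 40- or 104-bit key bytes."""
    hexdigits = set("0123456789abcdefABCDEF")
    if len(text) in (10, 26) and set(text) <= hexdigits:
        return bytes.fromhex(text)
    if len(text) in (5, 13):
        return text.encode("ascii")
    raise ValueError("not a WEP key in a recognised form")


def wep_seed(iv, wep_key):
    """Per-frame RC4 seed: 24-bit IV followed by the shared key. The IV byte
    order is an implementation detail; little-endian is assumed here."""
    if not 0 <= iv < 1 << IV_BITS:
        raise ValueError("IV must fit in 24 bits")
    if len(wep_key) not in (5, 13):
        raise ValueError("WEP key must be 40 or 104 bits")
    return iv.to_bytes(3, "little") + wep_key


def wep_xor(iv, wep_key, data):
    """Encrypts (or, applied again, decrypts) one frame body under the given IV."""
    keystream = rc4_keystream(wep_seed(iv, wep_key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def iv_after(frames, start=0):
    """IV reached by a sender that increments the IV by one per frame and
    wraps at 2**24; the value repeats after 16,777,216 frames."""
    return (start + frames) & ((1 << IV_BITS) - 1)


def keystream_reuse_leak(iv, wep_key, frame1, frame2):
    """Two frames sent under one IV and one key use the same keystream, so the
    XOR of the two ciphertexts is exactly the XOR of the two plaintexts."""
    def xor(a, b):
        return bytes(x ^ y for x, y in zip(a, b))
    c1 = wep_xor(iv, wep_key, frame1)
    c2 = wep_xor(iv, wep_key, frame2)
    return xor(c1, c2) == xor(frame1, frame2)


if __name__ == "__main__":
    key = parse_wep_key("0A1B2C3D4E")                   # constructed 40-bit key
    print(wep_seed(0x010203, key).hex())                 # 030201 followed by the key
    print(iv_after(1 << IV_BITS, start=5))               # 5: the IV has come round
    print(keystream_reuse_leak(7, key, b"frame one", b"frame two"))  # True
```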

Fig.6 Wireless Performance numbers (from Previously undisclosed performance numbers provided by PC Magazine, Volume 21
Issue 5. All values reported in Mbps.)

Other robustness features provided in 802.11 MAC

Finally, the 802.11 MAC layer provides some other robustness features:

CRC checksum: Each packet has a CRC checksum calculated and attached to ensure that the data was not corrupted in transit.
This is different from Ethernet, where higher-level protocols such as TCP handle error checking.

Packet fragmentation: allows large packets to be broken into smaller units when sent over the air, which is useful in very
congested environments or when interference is a factor, since larger packets have a better chance of being corrupted. This
technique reduces the need for retransmission in many cases and thus improves overall wireless network performance. The MAC
layer is responsible for reassembling fragments received, rendering the process transparent to higher-level protocols.

Roaming Provisions: 802.11 allows a client to roam among multiple APs that can be operating on the same or separate channels. But this feature is perhaps the least defined of the features discussed. The standard does identify the basic message formats to support roaming, but everything else is left up to network vendors. In order to fill the void, the Inter-Access Point Protocol (IAPP) was jointly developed by Aironet, Lucent Technologies, and Digital Ocean. Among other things, IAPP extends multi-vendor interoperability to the roaming function. It addresses roaming within a single ESS and between two or more ESSs.

Support for Time-Bounded Data: Time-bounded data such as voice and video is supported in the 802.11 MAC specification
through the Point Coordination Function (PCF). As opposed to DCF, where control is distributed to all stations, in PCF mode a
single access point controls access to the media. If a BSS is set up with PCF enabled, time is spliced between the system being in
PCF mode and in DCF (CSMA/CA) mode. During the periods when the system is in PCF mode, the access point will poll each
station for data, and after a given time move on to the next station. No station is allowed to transmit unless it is polled, and stations
receive data from the access point only when they are polled. Since PCF gives every station a turn to transmit in a predetermined
fashion, a maximum latency is guaranteed. A downside to PCF is that it is not particularly scalable, in that a single point needs to have control of media access and must poll all stations, which can be ineffective in large networks.

Power Management: To extend the battery life of portable devices, 802.11 supports two power-utilization modes, called Continuous Aware Mode and Power Save Polling Mode. In the former, the radio is always on and drawing power, whereas in the latter, the radio is "dozing" with the AP queueing any data for it. The client radio wakes up periodically, in time to receive the regular beacon signals from the AP. The beacon includes information regarding which stations have traffic waiting for them, so the client can wake upon beacon notification, receive its data, and return to sleep afterward. 802.11 also specifies that APs include buffers to queue messages to support sleeping clients. APs are permitted to discard unread messages after a specified time passes.

TCP (Transmission Control Protocol) is connection oriented, whereas UDP (User Datagram Protocol) is connection-less. This means that TCP tracks all data sent, requiring acknowledgment for each octet (generally). UDP does not use acknowledgments at all, and is usually used for protocols where a few lost datagrams do not matter.

Because of acknowledgments, TCP is considered a reliable data transfer protocol. It ensures that no data is sent to the upper layer application that is out of order, duplicated, or has missing pieces. It can even manage transmissions to attempt to reduce congestion.

UDP is a very lightweight protocol defined in RFC 768. The primary uses for UDP include service advertisements, such as routing protocol updates and server availability, one-to-many multicast applications, and streaming applications, such as voice and video, where a lost datagram is far less important than an out-of-order datagram.*

TCP                                                       | UDP
Reliable                                                  | Unreliable
Connection-oriented                                       | Connectionless
Segment retransmission and flow control through windowing | No windowing or retransmission
Segment sequencing                                        | No sequencing
Acknowledge sequencing                                    | No acknowledgment

*Source: Network Maintenance and Troubleshooting Guide, Second Edition, by Neal Allen.

Wireless Local Area Networks (WLANs)

Wireless local area network solutions comprise one of the fastest growing segments of the telecommunications industry. The finalization of industry standards,
and the corresponding release of WLAN products by leading manufacturers, has sparked the implementation of WLAN solutions in many market segments,
including small office/home office (SOHO), large corporations, manufacturing plants, and public hotspots such as airports, convention centers, hotels, and even
coffee shops.

- Range/coverage. The range for WLAN products is anywhere from 50 meters to 150 meters.
- Throughput. The data transfer rate ranges from 1 Mbps to 54 Mbps.
- Interference. Some standards will experience interference from standard household electronics and other wireless networking technologies.
- Power consumption. The amount of power consumed by the wireless adapter differs between product offerings, often depending on the standards they implement.
- Cost. The cost of a solution can vary significantly depending on the requirements of the deployment and which standard is being implemented.

In this section we provide some insight into typical WLAN configurations, as well as the leading WLAN standards.

WLAN Configurations

Wireless LAN configurations range from extremely simple to very complex. The simplest WLAN is an independent, peer-to-peer configuration where two or more
devices with wireless adapters connect to each other, as depicted in Figure 3.2. Peer-to-peer configurations are often called ad hoc networks since they do not
require any administration or pre-configuration. They also do not require the use of an access point, as each adapter communicates directly to another adapter
without going through a central location.

Figure 3.2: Peer-to-peer WLAN configuration.

Peer-to-peer networks are very useful when a group of users need to communicate with one another in an unstructured way. These networks can be extended by
adding a wireless access point (AP) to the configuration. The AP can act as a repeater between the devices, essentially doubling the range of operation. In
addition, access points can provide connectivity to a wired network allowing wireless users to share the wired network resources. Figure 3.3 illustrates this
configuration.

Figure 3.3: WLAN configuration with access point.

In a SOHO environment, access points can be used to provide multiple users access to a single high-speed connection without having to run Ethernet wires to
each computer. In a corporate environment, many access points can work together to provide wireless coverage for an entire building or campus. The coverage
area from each access point is called a microcell. To ensure coverage over a large area, the microcells will overlap at their boundaries, allowing users to freely
move between cells without losing connectivity. This movement between a cluster of access points in a wireless network is called roaming. Roaming is made
possible by a handoff mechanism whereby one access point passes the client information to another access point. This entire process is invisible to the client.

In more advanced configurations, extension points (EP) may be used in conjunction with access points. These EPs extend the range of the network by relaying
signals to client devices, other EPs, or to an access point. They do not have to be tethered to the wired network, making it possible to service far-reaching clients.
One other piece of WLAN equipment is a directional antenna. It allows a signal to be extended to locations many kilometers away. At the second location, the
antenna is then connected to an access point, which provides wireless LAN connectivity for the rest of the facility.

Companies should realize that WEP was never designed to provide end-to-end security. It is intended for usage in conjunction with existing security mechanisms
such as firewalls, virtual private networks (VPNs), and application-level security. The following are some suggestions for corporations that are using, or planning
on using, WEP security as part of their WLAN:

 Use a firewall to separate the wireless network from the wired network.

 Have the wireless users authenticate with a VPN to access the corporate network.

 Incorporate security at the application level for highly confidential information.

 Implement dynamic key refreshing for the WEP keys.

 Do not assume that WEP guarantees absolute data privacy.

WLAN Summary

 Capacity requirements. If you are installing a WLAN for a large number of users, and population density is a concern, then 802.11a may be a good
choice since it provides larger bandwidth to accommodate more users per access point. If not, 802.11b/g might be more appropriate.

 Interoperability of wireless devices. Wireless LAN solutions from different vendors may not be interoperable, perhaps because of the frequency band
used, the frequency modulation technology (FHSS, DSSS, or OFDM), or just due to the implementation of a particular vendor. Wi-Fi certification helps
to ensure that 802.11b and 802.11a products will work with products using the same standard. (The first 802.11g products became available in January
2003.)

 Timing of high-speed requirement. If high-speed access is needed immediately, a WLAN technology such as 802.11a or HIPERLAN/2 is probably
the right choice. If it can wait, then 802.11b with an upgrade to 802.11g might be suitable.

 Migration plan. If a WLAN solution is already in place, or if you are looking to take advantage of proven technology such as 802.11b, keep in mind the
migration plans for incorporating higher speeds or, possibly, other frequencies. A range of dual-mode WLAN products are available that support both
802.11a and 802.11b.

 Interference concerns. If interference is expected on the 2.4-GHz frequency band from products such as Bluetooth, cordless phones, or even
microwave ovens, it might make sense to select a product that is using the less-crowded 5-GHz frequency band.

 Range/penetration. Higher-frequency signals have shorter range and worse penetration than lower-frequency signals. In some ways, these effects are
mitigated by the system manufacturers, but it is still a worthwhile consideration. In some cases, you may prefer a solution that cannot penetrate walls,
to prevent eavesdropping by outside parties. For longer range and better penetration, the 2.4-GHz standards such as 802.11b and 802.11g are
better choices than those using the 5-GHz frequency band.

 Power requirements. Does the device using the WLAN technology have a limited power source? If so, power requirements for each standard must be
a factor. The rule of thumb is that higher frequencies require more power to transmit the signal the same distance as lower frequencies. This may not
apply in all cases, but it is a safe guideline to go by.

 Regulatory factors. Are there limitations imposed by your geographic location that you have to consider when choosing a technology? How about the
availability of products in your region? These should be taken into account before making any decision.

One of the most exciting uses of WLAN technology is for providing high-speed Internet access to public hotspots such as hotels, airports, school campuses, and
coffee shops. In this scenario, WLAN technologies are being incorporated to wireless wide area network (WWAN) deployments to provide more reliable
connectivity at a lower cost. As we discuss WWAN technologies in the next section, we will take a closer look at how WLAN technology is playing a role in the
third-generation (3G) wireless deployments.

Wireless LAN Components

Wireless LANs consist of components similar to traditional Ethernet-wired LANs. In fact, wireless LAN protocols are similar to Ethernet and comply with the same
form factors. The big difference, however, is that wireless LANs don't require wires.

A wireless network interface controller (WNIC) is a network interface controller that connects to a wireless radio-based computer network rather than to a
wired network such as Token Ring or Ethernet. A WNIC, just like other NICs, works at Layer 1 and Layer 2 of the OSI model.

Access Points

An access point contains a radio card that communicates with individual user devices on the wireless LAN, as well as a wired NIC that interfaces to a distribution
system, such as Ethernet. System software within the access point bridges together the wireless LAN and distribution sides of the access point. The system
software differentiates access points by providing varying degrees of management, installation, and security functions. Figure 5-1 shows an example of access-
point hardware.

Figure 5-1. Wireless LAN Access Points Connect Wireless LANs to Wired Networks (Photo Courtesy of Linksys)

In most cases, the access point provides an HTTP interface that enables configuration changes to the access point from an end-user device that is equipped
with a network interface and a web browser. Some access points also have a serial RS-232 interface for configuring the access point through a serial cable
and a user device running terminal emulation and Telnet software, such as HyperTerminal.

Configuring an Access Point

Consider the basic radio configuration settings for a Cisco 350 access point. Settings of this kind are common to other access points as well.

One parameter that you should set is the service set identifier (SSID). The SSID provides a name for the specific wireless LAN that users will associate with.
For security purposes, it's a good idea to set the SSID to something other than the default value.

For most applications, set the transmit power of the access point to the highest value, which is typically 100 milliwatts (mW) in the United States. This will
maximize the range of the wireless LAN. The actual maximum effective power output permitted is 1 watt, but the lower transmit power leaves enough margin
to use a higher-gain antenna and still remain within the limit.

In the United States, set the access point to operate on any one of the channels in the range from 1 through 11. When installing only one access point, it doesn't
matter which channel you choose. If you install multiple access points, or you know of a nearby wireless LAN within range of yours, you need to select
different non-overlapping channels (such as channels 1, 6, and 11) for each access point within range of one another.
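As an added example (not from the book), the following Python checks a channel plan for the 2.4-GHz overlap the text warns about, using 802.11b's 22-MHz channel width and 5-MHz channel spacing, and assigns channels from the non-overlapping set {1, 6, 11} to access points that are within range of one another; the access-point names and neighbour pairs are constructed sample input.

```python
# Added example (not from the book): 2.4-GHz channel-plan checker.
# Channel centers: 2407 + 5*ch MHz for channels 1-13; channel 14 is 2484 MHz.
CHANNEL_WIDTH_MHZ = 22  # 802.11b DSSS channel width


def channel_center_mhz(ch: int) -> int:
    """Center frequency of a 2.4-GHz channel in MHz."""
    if ch == 14:
        return 2484
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    raise ValueError(f"not a 2.4-GHz channel: {ch}")


def channels_overlap(a: int, b: int) -> bool:
    """True when the two channels' 22-MHz bands share spectrum.
    Channels 1, 6 and 11 are 25 MHz apart, so they do not overlap."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < CHANNEL_WIDTH_MHZ


def find_conflicts(plan, neighbours):
    """plan: {ap_name: channel}; neighbours: (ap1, ap2) pairs within range of
    each other. Returns (ap1, ap2, ch1, ch2) for every overlapping pair."""
    return [(a, b, plan[a], plan[b]) for a, b in neighbours
            if channels_overlap(plan[a], plan[b])]


def assign_channels(aps, neighbours, allowed=(1, 6, 11)):
    """Greedy assignment from the non-overlapping set. Raises ValueError if
    some AP has neighbours occupying every allowed channel."""
    adj = {ap: set() for ap in aps}
    for a, b in neighbours:
        adj[a].add(b)
        adj[b].add(a)
    plan = {}
    for ap in aps:
        used = {plan[n] for n in adj[ap] if n in plan}
        free = [c for c in allowed if not any(channels_overlap(c, u) for u in used)]
        if not free:
            raise ValueError(f"no non-overlapping channel left for {ap}")
        plan[ap] = free[0]
    return plan


if __name__ == "__main__":
    # Constructed sample: three APs, A hears B and B hears C.
    sample_neighbours = [("AP-A", "AP-B"), ("AP-B", "AP-C")]
    print(find_conflicts({"AP-A": 1, "AP-B": 3, "AP-C": 11}, sample_neighbours))
    print(assign_channels(["AP-A", "AP-B", "AP-C"], sample_neighbours))
```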

At a minimum, activate wired equivalent privacy (WEP) encryption. You'll need to assign an encryption key that all user
devices will need in order to exchange encrypted data with the access point. If you choose to implement 40-bit keys, enter 10 hexadecimal characters, with
each character having the value of 1 through 9 or A through F. The 104-bit keys require 26 hexadecimal characters. Keep in mind that 40-bit keys correspond
with 64-bit encryption and 104-bit keys correspond with 128-bit encryption due to the addition of a 24-bit initialization vector in both cases.
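As an added example (not from the book or from Cisco's software), the following Python validates a WEP key entered in the 10- or 26-hexadecimal-character forms described above, reports the 64/128-bit figure obtained by adding the 24-bit initialization vector, and estimates how quickly that IV space is used up, which is the reason the earlier WEP list recommends dynamic key refreshing. It assumes the full hexadecimal alphabet is accepted for key characters, and the frame rates passed in are constructed sample values.

```python
# Added example (not from the book): WEP key format and IV budget.
import math
import string

IV_BITS = 24                           # per-frame initialization vector
KEY_HEX_LENGTHS = {10: 40, 26: 104}    # hex characters -> key bits (values from the text)


def parse_wep_key(hex_key: str) -> dict:
    """Validate a WEP key string; spaces and dashes are ignored.
    Returns the real key size, the nominal '64/128-bit' size and the key bytes."""
    k = hex_key.replace(" ", "").replace("-", "")
    if len(k) not in KEY_HEX_LENGTHS:
        raise ValueError(f"WEP keys need 10 or 26 hex characters, got {len(k)}")
    if any(c not in string.hexdigits for c in k):
        raise ValueError("WEP keys may only contain hexadecimal characters")
    key_bits = KEY_HEX_LENGTHS[len(k)]
    return {
        "key_bits": key_bits,
        "nominal_bits": key_bits + IV_BITS,   # the figure quoted on product boxes
        "key": bytes.fromhex(k),
    }


def iv_exhaustion_seconds(frames_per_second: float) -> float:
    """Seconds until a sequentially assigned IV counter wraps and must repeat."""
    return (2 ** IV_BITS) / frames_per_second


def frames_until_iv_collision(probability: float = 0.5) -> int:
    """Birthday bound: number of frames after which randomly chosen IVs have
    repeated at least once with the given probability."""
    n = 2 ** IV_BITS
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - probability))))


def refresh_interval_seconds(frames_per_second: float, probability: float = 0.01) -> float:
    """How often the WEP key would have to be rotated to keep the chance of an
    IV repeat under one key below `probability` (random IV assignment)."""
    return frames_until_iv_collision(probability) / frames_per_second


if __name__ == "__main__":
    print(parse_wep_key("0123456789"))          # constructed 40-bit key
    print(iv_exhaustion_seconds(1000))          # ~4.7 hours at 1000 frames/s
    print(refresh_interval_seconds(1000))       # well under a second
```

The last two figures show that even a busy home access point cycles through the whole IV space in hours, and that a random IV repeats far sooner; neither a longer key nor a non-default SSID changes this, which is why the text pairs WEP with VPNs, firewalls and application-level security.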

Routers

By definition, a router transfers packets between networks. The router chooses the next best link to send packets on to get closer to the destination. Routers
use Internet Protocol (IP) packet headers and routing tables, as well as internal protocols, to determine the best path for each packet.

A wireless LAN router adds a built-in access point function to a multiport Ethernet router. This combines multiple Ethernet networks with wireless connections. A
typical wireless LAN router includes four Ethernet ports, an 802.11 access point, and sometimes a parallel port so it can be a print server. This gives wireless
users the same ability as wired users to send and receive packets over multiple networks.

Routers implement the Network Address Translation (NAT) protocol that enables multiple network devices to share a single IP address provided by an Internet
service provider (ISP). Figure 5-2 illustrates this concept. Routers also implement Dynamic Host Configuration Protocol (DHCP) services for all devices. DHCP
assigns private IP addresses to devices. Together, NAT and DHCP make it possible for several network devices, such as PCs, laptops, and printers to share a
common Internet IP address.

Figure 5-2. NAT and DHCP Are Essential Protocols That Routers Implement

Wireless LAN routers offer strong benefits in the home and small office setting. For example, you can subscribe to a cable modem service that provides a single
IP address through DHCP to the router, and the router then provides IP addresses through DHCP to clients on your local network. NAT then maps a particular
client on the local network to the ISP-assigned IP address whenever that client needs to access the Internet. As a result, you need a router if you plan to have
more than one networked device on a local network sharing a single ISP-assigned address. Instead of having one box for the router and another box for the
access point, a wireless LAN router provides both in the same box. Routers, however, are seldom used in larger implementations, such as hospitals and
company headquarters. In these cases, access points are best because the network will have existing wired components that deal with IP addresses.

Repeaters

Access points, which require interconnecting cabling, generally play the dominant role in providing coverage in most wireless LAN deployments.
Wireless repeaters, however, are a way to extend the range of an existing wireless LAN instead of adding more access points. There are few standalone wireless
LAN repeaters on the market, but some access points have a built-in repeater mode.

A repeater simply regenerates a network signal to extend the range of the existing network infrastructure. (See Figure 5-3.) A wireless LAN repeater does not
physically connect by wire to any part of the network. Instead, it receives radio signals from an access point, end-user device, or another repeater and
retransmits the frames. This makes it possible for a repeater located between an access point and a distant user to act as a relay for frames traveling back
and forth between the user and the access point.

Figure 5-3. Wireless LAN Repeaters Are Simple Devices That Require No Cabling

As a result, wireless repeaters are an effective solution to overcome signal impairments such as RF attenuation. For example, repeaters provide connectivity to
remote areas that normally would not have wireless network access. An access point in a home or small office might not quite cover the entire area where users
need connectivity, such as a basement or patio. The placement of a repeater between the covered and uncovered areas, however, will provide connectivity
throughout the entire space. The wireless repeater fills holes in coverage, enabling seamless roaming.

A downside of wireless repeaters, however, is that they reduce performance of a wireless LAN. A repeater must receive and retransmit each frame on the same
radio channel, which effectively doubles the amount of traffic on the network. This problem compounds when using multiple repeaters, because each repeater will
duplicate the data sent. Therefore, be sure to plan the use of repeaters sparingly.

Antennae

Most antennae for wireless LANs are omnidirectional and have low gain. Nearly all access points, routers, and repeaters come standard with omnidirectional
antennae. Omnidirectional antennae satisfy most coverage requirements; however, consider the use of optional directive antennae to cover a long, narrow area.
In some cases, the antenna is integrated within a radio card or access point and there is no choice to make. If a need exists to use a directive antenna (higher
gain), ensure that the radio card or access point has an external antenna connector.
