A Journey into Wireless JD Chaves. 2 Introduction Wireless Wireless a. Types a. Types b. Which one to use b. Which one to use c. Security Types c. Security.

A Journey into A Journey into WirelessWireless

JD ChavesJD Chaves

22

IntroductionIntroduction

• WirelessWireless a.a. TypesTypes b. Which one to useb. Which one to use c. Security Typesc. Security Types

• Shelby County ImplementationShelby County Implementation a. Our Current Implementationa. Our Current Implementation b. What Users Asked forb. What Users Asked for c. What Solutions we came up c. What Solutions we came up

withwith

33

• 802.11b802.11b

• 802.11g802.11g

• 802.11a802.11a

• 802.11n802.11n

Types of WirelessTypes of Wireless

44

802.11b802.11b

• First form of WiFi intended for First form of WiFi intended for general consumersgeneral consumers

• Operates in the 2.4GHz RF bandOperates in the 2.4GHz RF band

• Transfers data at a rate of 11 Transfers data at a rate of 11 megabitsmegabits

per second (Mbps)per second (Mbps)

55

802.11g802.11g • WiFi 802.11g is a newer extension of the WiFi 802.11g is a newer extension of the

WiFi standardWiFi standard• Like the older 802.11b equipment, 802.11g Like the older 802.11b equipment, 802.11g

equipment operates in the 2.4GHz bandequipment operates in the 2.4GHz band• Transfers data at a rate of 54 MbpsTransfers data at a rate of 54 Mbps• Extreme G is different equipment. It Extreme G is different equipment. It

achieves data transfer rates of 108 Mbps, achieves data transfer rates of 108 Mbps, equipmentequipmentfrom one manufacturer may be from one manufacturer may be incompatible with similar equipment from incompatible with similar equipment from a different manufacturera different manufacturer

66

77

802.11a802.11a • Uses the less-crowded 5.0GHz RF Uses the less-crowded 5.0GHz RF

bandband

• Transfers data at 54 Mbps ratesTransfers data at 54 Mbps rates

• Generally harder to find and may Generally harder to find and may cost morecost more

88

802.11n802.11n• Expected release in 2008. Expected release in 2008.

• Transfer rates between 200 Mbps and Transfer rates between 200 Mbps and 600600

Mbps. Mbps.

• Transmission is in the 2.4GHz bandTransmission is in the 2.4GHz band

• Uses "multiple in, multiple out" Uses "multiple in, multiple out" (MIMO) antennas to provide a higher (MIMO) antennas to provide a higher throughput as well as extended rangethroughput as well as extended range

99

Pre-nPre-n

• Some manufacturers, such as Belkin and Some manufacturers, such as Belkin and Linksys, are currently selling equipment Linksys, are currently selling equipment that they call "pre n" or "draft-n." that they call "pre n" or "draft-n."

• This equipment does not adhere to the notThis equipment does not adhere to the notyet-finalized 802.11n standardyet-finalized 802.11n standard

• Transfer rates are said to be at least twice Transfer rates are said to be at least twice asasfast as existing 802.11g productsfast as existing 802.11g products

• Eventual compatibility with true 802.11n Eventual compatibility with true 802.11n products is not assured.products is not assured.

1010

So…..Which one is best?So…..Which one is best?

• Older equipment is most likely 802.11b, which is Older equipment is most likely 802.11b, which is compatible with newer 802.11g equipment.compatible with newer 802.11g equipment.

• If you experience interference with other wireless devices, If you experience interference with other wireless devices, consider moving to 802.11a equipment. These products are consider moving to 802.11a equipment. These products are just as fast as 802.11g products but operate in the 5.0GHz just as fast as 802.11g products but operate in the 5.0GHz band for reduced interference, but usually harder to find.band for reduced interference, but usually harder to find.

• Once the 802.11n standard gets finalized, you'll definitely Once the 802.11n standard gets finalized, you'll definitely want to consider upgrading to this newer equipment. True want to consider upgrading to this newer equipment. True 802.11n products should be at least four times as fast as 802.11n products should be at least four times as fast as current equipment and have a longer range.current equipment and have a longer range.

1111

Wireless Security TypesWireless Security Types

• WEPWEP

• Wi-Fi Protected Access (WPA) Wi-Fi Protected Access (WPA)

and 802.11i (WPA2)and 802.11i (WPA2)

• Protected Extensible Authentication Protected Extensible Authentication Protocol (PEAP)Protocol (PEAP)

• Remote Authentication Dial In User Remote Authentication Dial In User Service (RADIUS)Service (RADIUS)

1212

Wired Equivalent Privacy Wired Equivalent Privacy (WEP)(WEP)• 64 and 128 bit encryption with an64 and 128 bit encryption with an

IV (Initialization Vector)IV (Initialization Vector)• Uses 13 – 26 hexadecimal characters in a Uses 13 – 26 hexadecimal characters in a

shared key systemshared key system• Uses Key + IV to encrypt each packetUses Key + IV to encrypt each packet• Weakness is that the IV is sent in Plain text Weakness is that the IV is sent in Plain text

and can be stolen and used to decrypt the and can be stolen and used to decrypt the WEP key.WEP key.

• NIST.Org reports that WEP has been broken NIST.Org reports that WEP has been broken in under a minute, using a packet capture in under a minute, using a packet capture utility from the internet.utility from the internet.

1313

WPA and WPA2WPA and WPA2

• Everyone uses a Pre-Shared KeyEveryone uses a Pre-Shared Key• Improved over WEP by changing the key Improved over WEP by changing the key

dynamically for each packet (“Packet dynamically for each packet (“Packet Mixing”) Mixing”)

• Also encrypts the IV, called Hashing, Also encrypts the IV, called Hashing, instead of Plain text like WEPinstead of Plain text like WEP

• Common weakness: Short pass phrases Common weakness: Short pass phrases can be broken with Dictionary attacks. can be broken with Dictionary attacks. Once the key is captured, the attacker can Once the key is captured, the attacker can spend time off-line to break the key. spend time off-line to break the key.

1414

RADIUSRADIUS

• Uses a Username and password through a Uses a Username and password through a challenge/response methodchallenge/response method

• Uses Policies and restrictions based on user Uses Policies and restrictions based on user access needed. access needed.

• Further Protection:Further Protection:Protected Extensible Authentication Protocol Protected Extensible Authentication Protocol (PEAP) uses only server-side public key (PEAP) uses only server-side public key certificates to authenticate clients by creating an certificates to authenticate clients by creating an encrypted SSL/TLS tunnel between the client and encrypted SSL/TLS tunnel between the client and the authentication server, which protects the the authentication server, which protects the ensuing exchange of authentication information ensuing exchange of authentication information from casual inspection.from casual inspection.

1515

• Site survey at location of request for wirelessSite survey at location of request for wireless

• Determine area of coverage using a test Determine area of coverage using a test WAPWAP

• Determine equipment needed (WAP, cat5 Determine equipment needed (WAP, cat5 cable, surge protection, etc.) for coverage cable, surge protection, etc.) for coverage areaarea

• Install WAP/s using pre-determined security Install WAP/s using pre-determined security standards (Authentication type, encryption, standards (Authentication type, encryption, etc.)etc.)

How we provide Wireless How we provide Wireless services currentlyservices currently

1616

What Users Asked forWhat Users Asked for

• ““We need Wireless Access for our We need Wireless Access for our entire School.”entire School.”

• ““We don’t have enough class rooms We don’t have enough class rooms to allocate to another lab.”to allocate to another lab.”

• ““What if a Guest user wants access What if a Guest user wants access to the internet?”to the internet?”

1717

““We need Wireless Access for We need Wireless Access for our entire School.”our entire School.”

• ProblemsProblems::

a.) Administration of Multiple WAP/sa.) Administration of Multiple WAP/s

b.) Security administration per laptop b.) Security administration per laptop for connectivityfor connectivity

c.) Lack of monitoring for rogue c.) Lack of monitoring for rogue accessaccess

d.) Guest access fairly complicated, d.) Guest access fairly complicated, and exposes securityand exposes security

1818

““We need Wireless Access for We need Wireless Access for our entire School.”our entire School.”• SolutionSolution: Cisco Wireless Controller and Cisco WAP/s: Cisco Wireless Controller and Cisco WAP/s

a.) Central administration through web browsera.) Central administration through web browserb.) Certificate authentication handled through b.) Certificate authentication handled through group group policy automaticallypolicy automaticallyc.) WAP/s monitor and report on rogue access c.) WAP/s monitor and report on rogue access pointspointsd.) Multiple policies for guest and employee accessd.) Multiple policies for guest and employee access

• ConsCons: : a.) Expensivea.) Expensiveb.) Can be complicated to setup, based on your b.) Can be complicated to setup, based on your

configurationconfiguration

1919

““We don’t have enough class We don’t have enough class rooms to allocate to another rooms to allocate to another lab.”lab.”• Problems:Problems:

a.) Space issues in using another rooma.) Space issues in using another room

b.) Wiring for network and electrical is b.) Wiring for network and electrical is time consuming and can be expensivetime consuming and can be expensive

c.) Wasted materials if the room ever c.) Wasted materials if the room ever changes from a lab back to a classroomchanges from a lab back to a classroom

2020

““We don’t have enough class We don’t have enough class rooms to allocate to another rooms to allocate to another lab.”lab.”• SolutionSolution: Laptop carts: Laptop carts

a.) Provides 20-30 laptops wireless a.) Provides 20-30 laptops wireless connectivityconnectivity

b.) Self contained and Mobile; Plug in b.) Self contained and Mobile; Plug in Network cables and powerNetwork cables and power

c.) 1-2 WAPs depending on number c.) 1-2 WAPs depending on number of of laptops. (Generally 15 per WAP)laptops. (Generally 15 per WAP)

2121

2222

““What if a Guest user wants What if a Guest user wants access to the internet.”access to the internet.”

• ProblemsProblems::a.) Security problems in leaving open a.) Security problems in leaving open Wireless Wireless access, as well as liability access, as well as liability issues.issues.b.) Configuration issues with guest users b.) Configuration issues with guest users

laptops, as well as time consuming.laptops, as well as time consuming.c.) Administration nightmare monitoring c.) Administration nightmare monitoring these these guest laptops.guest laptops.d.) Security risk in exposing your network d.) Security risk in exposing your network

infrastructure. infrastructure.

2323

““What if a Guest user wants What if a Guest user wants access to the internet.”access to the internet.”

• SolutionSolution: Proxy device that allows for : Proxy device that allows for guest web accessguest web access

a.) Devices give web access while keeping a.) Devices give web access while keeping Internal network private.Internal network private.

b.) Web site can give Acceptable Use b.) Web site can give Acceptable Use policy as policy as well as authentication if desired. well as authentication if desired.

c.) Some devices also allow for bandwidth c.) Some devices also allow for bandwidth throttling.throttling.

2424

FeaturesFeaturesProvides instant guest access to the public network Provides instant guest access to the public network HNP Technology protects the host network from guests HNP Technology protects the host network from guests IP Plug and Play for configuration-free client operation IP Plug and Play for configuration-free client operation No configuration required; GUESTGATE automatically detects the No configuration required; GUESTGATE automatically detects the network settings network settings Additional setup functions can be performed by IT administrator Additional setup functions can be performed by IT administrator using Web-based user interface using Web-based user interface Client isolation through Layer 3 VLAN technology Client isolation through Layer 3 VLAN technology Bandwidth control (upstream and downstream) Bandwidth control (upstream and downstream) Password option for Internet access Password option for Internet access Packet filter for IP addresses, domains and TCP/IP service ports Packet filter for IP addresses, domains and TCP/IP service ports Customizable welcome page (banner and text changeable) Customizable welcome page (banner and text changeable) Firmware upgrade through Web-based user interface Firmware upgrade through Web-based user interface Plug and Play experience for your guestsPlug and Play experience for your guests

2525

2626

Questions / CommentsQuestions / Comments

2727

AcknowledgementsAcknowledgements

Thanks to the following Folks:Thanks to the following Folks:

Shawn Nutting and the Trussville City Schools crewShawn Nutting and the Trussville City Schools crewGreg Knight, UAB HospitalGreg Knight, UAB Hospital

Feel free to download a copy of this presentation Feel free to download a copy of this presentation from the following link:from the following link:

http://www.shelbyed.k12.al.us/tech/aetc.htmhttp://www.shelbyed.k12.al.us/tech/aetc.htm