Constructing Wireless LANs – A Technology Update. Connect System 3.0 (Mobility for Wireless Voice). 802.11 Fortified Security, Enhanced Mobility and Centralized Management Solutions
1

Welcome!

Constructing Wireless LANs – A Technology Update

Connect System 3.0 (Mobility for Wireless Voice)

802.11 Fortified Security, Enhanced Mobility and Centralized Management

Solutions

2

Topics for Discussion

Wireless LAN Technology Update
Integrating Wireless in the Enterprise – Providing Mission Critical Wireless Services
7 “Deadly Sins” to Avoid With Wireless LANs
Questions (anytime!)

3

The Unlicensed Radio Spectrum

Band | Range | Width | Wavelength | Typical users
900 MHz | 902 MHz – 928 MHz | 26 MHz | 33 cm | cordless phones, baby monitors, wireless LANs
2.4 GHz | 2.4 GHz – 2.4835 GHz | 83.5 MHz | 12 cm | 802.11b, 802.11g, Bluetooth, 2.4 GHz cordless phones, microwave ovens
5 GHz | 5.15 GHz – 5.35 GHz | 200 MHz | 5 cm | 802.11a

4

RF Design - Cost, Power, Range Tradeoff

Diagram: a floor plan of 802.11b/g cells, each labelled with its channel, reusing only channels 1, 6 and 11 so that no two adjacent cells share a channel.

• 802.11b, 802.11g: 3 Non-Overlapping Channels
• 802.11a: 8 Non-Overlapping Channels
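The reuse constraint in the diagram can be checked mechanically. The script below is an added example written for this page, not code from the slides or from ReefEdge: it encodes the 2.4 GHz overlap rule (channels are 5 MHz apart and ~22 MHz wide, so only channels at least 5 numbers apart are clear of each other, hence 1/6/11) and the eight non-overlapping 802.11a channels, flags neighbouring APs whose channels overlap, and tries a greedy assignment. The AP neighbour lists are constructed sample data standing in for a site survey; the channel lists for the 5 GHz band are the eight lower UNII channels the slide counts.

```python
"""Channel-plan check for the 2.4 GHz and 5 GHz bands.

Added example for this page; not code from the original slides or from
ReefEdge. The AP neighbour lists are constructed sample data.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# 802.11b/g: channel n is centred at 2412 + 5*(n-1) MHz and a DSSS channel
# occupies ~22 MHz, so two channels only stay clear of each other when they
# are at least 5 numbers apart. In the 11-channel US band that leaves one
# set of three mutually non-overlapping channels: 1, 6, 11.
CHANNELS_2G_NONOVERLAP = (1, 6, 11)
# 802.11a in 5.15-5.35 GHz: eight 20 MHz channels that do not overlap.
CHANNELS_5G = (36, 40, 44, 48, 52, 56, 60, 64)

Neighbours = Dict[str, List[str]]
Plan = Dict[str, int]


def overlaps(band: str, a: int, b: int) -> bool:
    """True when channels a and b of the given band share spectrum."""
    if band == "2.4GHz":
        return abs(a - b) < 5
    if band == "5GHz":
        return a == b
    raise ValueError(f"unknown band {band!r}")


def symmetric(neighbours: Neighbours) -> Neighbours:
    """Hearing is mutual: list every edge from both ends."""
    out: Neighbours = {ap: [] for ap in neighbours}
    for ap, others in neighbours.items():
        for other in others:
            out.setdefault(other, [])
            if other not in out[ap]:
                out[ap].append(other)
            if ap not in out[other]:
                out[other].append(ap)
    return out


def find_conflicts(band: str, plan: Plan, neighbours: Neighbours) -> List[Tuple[str, str, int, int]]:
    """Every pair of APs that hear each other and sit on overlapping channels."""
    conflicts = []
    for ap, others in symmetric(neighbours).items():
        for other in others:
            if ap < other and overlaps(band, plan[ap], plan[other]):
                conflicts.append((ap, other, plan[ap], plan[other]))
    return conflicts


def assign_channels(band: str, neighbours: Neighbours, channels: Sequence[int]) -> Optional[Plan]:
    """Greedy colouring: most-constrained AP first, first clear channel wins.

    Returns None when some AP has no channel clear of its already-placed
    neighbours, i.e. the layout needs more non-overlapping channels than
    the band offers.
    """
    nb = symmetric(neighbours)
    plan: Plan = {}
    for ap in sorted(nb, key=lambda x: -len(nb[x])):
        for ch in channels:
            if all(o not in plan or not overlaps(band, ch, plan[o]) for o in nb[ap]):
                plan[ap] = ch
                break
        else:
            return None
    return plan


# Constructed sample layouts (not from the slides).
# A corridor: each AP hears only its immediate neighbours.
CORRIDOR: Neighbours = {"A": ["B"], "B": ["C"], "C": ["D"]}
# A dense open-plan floor: four APs that all hear each other.
DENSE_FLOOR: Neighbours = {"A": ["B", "C", "D"], "B": ["C", "D"], "C": ["D"]}
# Looks fine on paper (different numbers) but is not: 1 and 4 overlap,
# and the two APs on channel 11 are neighbours.
BAD_PLAN: Plan = {"A": 1, "B": 4, "C": 11, "D": 11}

if __name__ == "__main__":
    print("bad plan conflicts:", find_conflicts("2.4GHz", BAD_PLAN, CORRIDOR))
    print("corridor @2.4GHz:", assign_channels("2.4GHz", CORRIDOR, CHANNELS_2G_NONOVERLAP))
    print("dense floor @2.4GHz:", assign_channels("2.4GHz", DENSE_FLOOR, CHANNELS_2G_NONOVERLAP))
    print("dense floor @5GHz:", assign_channels("5GHz", DENSE_FLOOR, CHANNELS_5G))
```

The dense-floor case is the slide's point in miniature: four mutually audible APs cannot be placed on three non-overlapping 2.4 GHz channels at all, while the eight 802.11a channels accommodate them with room to spare. The corridor case shows the other common mistake, using adjacent channel numbers (1 and 4) as if they were independent.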

5

802.11 System Architecture

Basic Service Set (BSS): a set of stations which communicate with one another

Infrastructure Basic Service Set (Infrastructure Mode)
• AP provides connection to wired network and a relay function
• stations not allowed to communicate directly

Independent Basic Service Set (Ad Hoc Mode)
• only direct communication possible
• no relay function

6

The Extended Service Set

ESS: a set of BSSs interconnected by a distribution system (DS)
• ESS and all of its stations appear to be a single MAC layer
• APs communicate among themselves to forward traffic
• Station mobility within an ESS is invisible to the higher layers
• From a configuration standpoint, the ESS is the set of access points with the same SSID

7

802.11 Beacon & Probes

Client (station) scanning
• Passive: listen for beacons on each channel
• Active: send probe and wait for response on each channel

Beacon & probe response packets carry: AP timing information, beacon period, AP capability information, SSID

SSID (Service Set Identifier) identifies an ESS or IBSS

Diagram: a station sends a Probe Request; each of three access points answers with a Probe Response.
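Everything the slide lists as beacon and probe-response content travels in the clear, which is why a passive scanner needs no key to inventory a site. The parser below is an added example written for this page (not code from the slides or from ReefEdge). It decodes the management-frame header, the fixed fields (TSF timestamp, beacon interval in 1024 µs time units, capability bits) and the tagged SSID, supported-rates and DS-parameter (channel) elements, and it distinguishes a probe request, which has no fixed fields, from a beacon or probe response. The frames it parses are constructed by the build_* helpers so it runs offline; the MAC addresses and SSIDs are made up.

```python
"""Parse the cleartext fields of 802.11 beacon / probe frames.

Added example for this page, not code from the original slides or from
ReefEdge. Frames are constructed by the build_* helpers below.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Management subtypes (frame-control type 0).
SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
# Capability-information bits.
CAP_ESS = 0x0001      # infrastructure BSS (an AP)
CAP_IBSS = 0x0002     # ad hoc network
CAP_PRIVACY = 0x0010  # link-layer encryption (WEP in 802.11-1999) required
# Element IDs.
IE_SSID, IE_RATES, IE_DS_PARAM = 0, 1, 3


@dataclass
class MgmtFrame:
    subtype: str
    sender: str
    bssid: str
    timestamp: Optional[int]          # AP TSF timer in µs (beacon/probe response only)
    beacon_interval_tu: Optional[int]  # in time units of 1024 µs
    capability: int
    ssid: Optional[str]                # None: IE absent; "": zero-length (hidden/wildcard)
    channel: Optional[int]
    rates_mbps: List[float]

    @property
    def privacy(self) -> bool:
        return bool(self.capability & CAP_PRIVACY)


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(data: bytes) -> Dict[int, bytes]:
    """Walk the tag/length/value elements, refusing truncated ones."""
    ies: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies[tag] = value
        i += 2 + length
    if i != len(data):
        raise ValueError("trailing bytes after last element")
    return ies


def parse_mgmt(frame: bytes) -> MgmtFrame:
    if len(frame) < 24:
        raise ValueError("short frame")
    fc0 = frame[0]
    if (fc0 & 0x0C) != 0 or (fc0 >> 4) not in SUBTYPES:   # type bits 2-3, subtype bits 4-7
        raise ValueError("not a beacon/probe frame")
    subtype = SUBTYPES[fc0 >> 4]
    sender, bssid = _mac(frame[10:16]), _mac(frame[16:22])
    body = frame[24:]
    if subtype == "probe-request":            # only elements, no fixed fields
        ts = interval = None
        cap = 0
        ies = parse_ies(body)
    else:
        if len(body) < 12:
            raise ValueError("short fixed fields")
        ts, interval, cap = struct.unpack_from("<QHH", body, 0)
        ies = parse_ies(body[12:])
    ssid = ies[IE_SSID].decode("utf-8", "replace") if IE_SSID in ies else None
    channel = ies[IE_DS_PARAM][0] if ies.get(IE_DS_PARAM) else None
    rates = [(r & 0x7F) / 2 for r in ies.get(IE_RATES, b"")]  # high bit = basic rate flag
    return MgmtFrame(subtype, sender, bssid, ts, interval, cap, ssid, channel, rates)


def _ie(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


def build_beacon(bssid: bytes, ssid: str, channel: int, privacy: bool,
                 timestamp: int = 0, interval_tu: int = 100) -> bytes:
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    fixed = struct.pack("<QHH", timestamp, interval_tu, cap)
    ies = (_ie(IE_SSID, ssid.encode()) + _ie(IE_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
           + _ie(IE_DS_PARAM, bytes([channel])))
    return header + fixed + ies


def build_probe_request(sender: bytes, ssid: str = "") -> bytes:
    header = b"\x40\x00" + b"\x00\x00" + b"\xff" * 6 + sender + b"\xff" * 6 + b"\x00\x00"
    return header + _ie(IE_SSID, ssid.encode()) + _ie(IE_RATES, bytes([0x02, 0x04, 0x0B, 0x16]))


# Constructed sample frames (made-up addresses and SSIDs).
AP_MAC = bytes.fromhex("001122334455")
GUEST_AP_MAC = bytes.fromhex("0011223344aa")
CLIENT_MAC = bytes.fromhex("aabbccddeeff")
SAMPLE_BEACON = build_beacon(AP_MAC, "corp-wlan", 6, privacy=True, timestamp=123456789)
SAMPLE_OPEN_BEACON = build_beacon(GUEST_AP_MAC, "guest", 11, privacy=False)
SAMPLE_PROBE = build_probe_request(CLIENT_MAC)   # zero-length SSID = wildcard probe

if __name__ == "__main__":
    for f in (SAMPLE_BEACON, SAMPLE_OPEN_BEACON, SAMPLE_PROBE):
        print(parse_mgmt(f))
```

The privacy capability bit is the only hint a scanner gets about whether a BSS expects WEP; an AP whose beacon carries CAP_ESS without CAP_PRIVACY is the open network the later slides warn about.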

8

802.11: Where We Are Today

Technology | What it is | Comments
802.11b | 11 Mbps (actual ~6 Mbps); 11 channels, 3 non-overlapping; WEP with 40-bit key, 104-bit optional | Low cost and available worldwide. WEP can be easily hacked; vendor interoperability issues
802.11a | 54 Mbps (actual ~25 Mbps); 8 non-overlapping channels | Requires ~2-4x more 11a APs to cover the same area as with 11b
Proprietary extensions | Dynamic WEP: key rotation; LEAP: Cisco authentication protocol | Requires single-vendor solution; price premium / vendor lock-in
802.1x | “Port-based” access control for wired & wireless networks; LEAP is Cisco’s version | All-or-nothing access control; some security vulnerabilities

9

802.11 Alphabet Soup: The Future

Standard | What it does | Status
802.11e | QoS for WLANs | Standard approval imminent
802.11f | Inter-access point communication; only layer 2 communications |
802.11g | 22-54 Mbps data rate, backward compatible with 802.11b | Scheduled to be ratified in 2Q03; prototypes already on market
802.11h | Supports European requirements for .11a | Devices expected by end of year
802.11i | Improved security, WEP replacement; requires hardware & protocol replacement! | Interim TKIP available; expected late 2003

10

The 802.1x Environment Today

Authentication technique | What is it? | Comments
LEAP | Cisco’s approach | Requires all-Cisco environment, username visible
TLS (EAP-TLS) | IETF RFC; Microsoft built it into Windows XP | Requires X.509 certificates on every client
TTLS (EAP-TTLS) | Funk’s approach | Uses PAP/CHAP over EAP
PEAP | Microsoft initiative | User ID/password

User ID/Password approaches (TTLS, PEAP): emerging (not ubiquitous), lot of promise

11

Encryption

Chart: DEGREE OF SECURITY (poor security → robust security) plotted against DEGREE OF INTEROPERABILITY (ubiquitous → single vendor or not available). Options plotted:
• WEP
• TKIP
• LEAP, Dynamic WEP
• IPsec (3-DES), AES, FIPS 140-2 minimum

12

802.11 Deployment Lifecycle

Adoption curve; stages labelled: Home, Departmental, Personal, Enterprise-Wide (axis: Adoption)

13

Mission-Critical WLAN Questions

How will I secure the WLAN?

How do I provide a seamless user experience?

How do I leverage my existing network investment?

Can I handle multiple user types on the WLAN?

How will my WLAN support voice and other applications?

Can my WLAN span multiple sites?

Can I detect rogue access points?

How will I monitor RF performance?

How do I configure the WLAN?

14

The Numbers are Great…

Lots of devices: low cost, built-in wireless
Viable business case: network maintenance, employee productivity with fluid work-style
Many pilot deployments … but few large enterprise deployments

Chart: WLAN Adapter Shipments (thousands) and WLAN Adapter Revenues ($ millions), 2001–2006
Chart: WLAN Access Point Revenues ($ millions), 2001–2006, split by Branch/Small Office, Large Enterprise, Remote Workers
Source: Gartner Wireless LAN Summit, 11/2001

15

Building Mission-Critical Wireless LANs

connectivity
• Laptops, Handhelds, Voice Phones, Specialized devices
• 802.11b, 802.11a, 802.11g, Bluetooth

“wireless LAN services fabric”
• Technology Agnostic
• Vendor Agnostic
• Standards Based
• Investment Protection
• Layered Security
• Centralized Management
• Enhanced Mobility
• Customization via APIs

enterprise resources
• Enterprise Portal
• Vertical Applications
• Authentication Services
• Directory Services
• Network Management
• Accounting & Billing

16

WLANs vs. Wired LANs

WLANs | Wired LANs
Management challenges | Stable management environment
New attacks frequently announced | Attacks are well understood and containable
802.11b (~6 Mbps) & 802.11a (~25 Mbps) shared by many users | Virtually unlimited bandwidth
RF “ports” of WLANs cannot be isolated | VLANs used for isolation
Mobile devices are the norm | Usually assume stationary devices
Open access | Physical security

17

The Seven Deadly Sins of Wireless LANs

Top mistakes made during wireless LAN pilots and deployments (and how to avoid them)

18

1. Succumbing to Insecurity

Most WLAN deployments do not have any!
Wired Equivalent Privacy (WEP) in 802.11b standard
• Link-layer encryption with per-packet encryption key
• Used to validate client access
• Badly flawed, so intruders can bypass client access control, analyze and decrypt data, and modify data without being detected
Various attempts to fix
• Still not secure
• Sacrifice scalability, interoperability, complexity, cost
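The “modify data without being detected” point deserves a concrete look, because it is the WEP flaw that no amount of key length fixes. WEP protects integrity with a CRC-32 (the ICV) that is encrypted along with the payload under an RC4 keystream. CRC-32 is affine: for equal-length inputs, crc(p ⊕ d) = crc(p) ⊕ crc(d) ⊕ crc(0…0). Because encryption is a plain XOR, an attacker who flips bits in the ciphertext can flip the matching bits of the encrypted ICV without ever knowing the key, and the receiver's check passes. The toy implementation below is an added example written for this page (not code from the slides or from ReefEdge); it uses a 3-byte IV and a 40-bit key as in 802.11-1999, and the key, IV and payload are constructed sample values.

```python
"""Why WEP's CRC-32 integrity check does not detect tampering.

Added example for this page, not code from the original slides or from
ReefEdge. Toy WEP: RC4(IV || key) keystream XOR (payload || CRC-32 ICV).
Key, IV and payload are constructed sample values.
"""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream (KSA + PRGA), as WEP uses it."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Sender: IV || RC4_{IV||key}(payload || CRC32(payload))."""
    icv = struct.pack("<I", zlib.crc32(payload))
    keystream = rc4(iv + key, len(payload) + 4)
    return iv + xor(payload + icv, keystream)


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver: return the payload, or None when the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(payload)) != icv:
        return None
    return payload


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker, without the key: XOR delta into the ciphertext payload and
    patch the encrypted ICV using CRC-32 linearity,
        crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length).
    The receiver decrypts to (payload ^ delta) with a valid ICV."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole payload")
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    patch = delta + struct.pack("<I", icv_delta)
    return iv + xor(body, patch)


# Constructed sample values (not real keys or traffic).
KEY = bytes.fromhex("0102030405")          # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")               # 24-bit IV, sent in the clear
PAYLOAD = b"PAY 0100 TO ACCT 4242"
TARGET = b"PAY 9900 TO ACCT 4242"          # what the attacker wants the receiver to see
DELTA = xor(PAYLOAD, TARGET)               # bits to flip; zero where nothing changes

if __name__ == "__main__":
    frame = wep_encrypt(KEY, IV, PAYLOAD)
    print("honest frame decrypts to:", wep_decrypt(KEY, frame))
    print("tampered frame decrypts to:", wep_decrypt(KEY, flip_bits(frame, DELTA)))
```

Flipping a single ICV byte without the matching payload change is caught (the check returns None), which is what makes the CRC feel like an integrity check; the attack above shows it only protects against noise, not against an adversary. A keyed MAC (TKIP's Michael as an interim, AES-CCMP in 802.11i) is what the later slides mean by “WEP replacement”.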

19

Absolution

Beware WEP
Deploy systems that provide
• User authentication
• Per-user access control
• Data privacy via distributed VPN encryption
• Policy administration
• Logging and audit

20

2. Praying to the Giant VLAN

Create a single VLAN for all access points?
802.11 is a link-layer technology (like Ethernet)
All users affected by subnet mobility and session persistence
Wireless VLAN: limited scalability, inefficient routing, tough to manage

21

Absolution

Beware rewiring your network to make it wireless
Instead
• Plug access points into existing LAN
• Deploy layer 3 roaming technologies in the network

22

3. Deploying Questionable Coverage

11 Mbps of coverage up to 100 meters
Getting 55 Mbps? Radios are tough!
Only 3 non-colliding channels
Unpredictable coverage
APs have different characteristics

23

Absolution

Beware the temptation of plugging in access points
Instead
• Understand the radio environment through an RF site survey
• Select radio equipment according to range and coverage needs
• Tune power levels to match coverage needs

24

4. Providing Quality of Disservice

Must share 11 Mbps wireless link
Users and applications accustomed to 100 Mbps or 1 Gbps switched LANs
Result: contention for limited capacity, very unhappy wireless users

25

Absolution

Beware the bandwidth bottleneck Instead

Install bandwidth management software to coordinate wireless bandwidth usage

Look to 802.11a, 802.11g for higher capacity 802.11e for link-layer traffic prioritization

26

5. Embracing the Heretics

The 802.11b standard
• Interoperability between clients and access points
• Compatibility testing through WECA (Wireless Ethernet Compatibility Alliance)
• Result: low cost, large quantity
The threat: proprietary extensions
• Examples: early 802.1x implementations, PPP over 802.11, inter-access point communication
• Non-vendor equipment does not support extra features; may even deny access by non-vendor clients
• Cannot control all clients (guest users, built-in wireless)
• High cost, vendor lock-in

27

Absolution

Beware temptation by your vendor salesperson
Instead
• Use WLAN equipment according to the WECA compatibility standards
• Address WLAN issues in the network with vendor-independent infrastructure
• Avoid special-purpose client software

28

6. Re-living the Past

Today: 802.11b, laptops; “nomadic mobility”
Tomorrow: 802.11a, 802.11b, 802.11g, HiperLAN, Bluetooth, …; laptops, web pads, industrial devices, PDAs, cell phones, …; “true mobility”
Heterogeneity will be the order of the day
New applications, services supporting a mobile work style

29

Absolution

Beware the forward march of technology
Instead
• Plan for technology change
• Encourage new applications to enhance mobile productivity

30

7. Hiding from the Future

Fear delays the enterprise deployment

Users are becoming accustomed to the benefits of wireless LANs

Users will do it themselves (and they do!)

31

Absolution

Beware the temptation of time
Instead
• Actively watch for rogue access points
• Take control of the enterprise wireless LAN before your users do!

32

Summary

Beware the Seven Deadly Sins
1. Succumbing to Insecurity
2. Praying to the Giant VLAN
3. Deploying Questionable Coverage
4. Providing Quality of Disservice
5. Embracing the Heretics
6. Re-living the Past
7. Hiding from the Future

33

About ReefEdge

Network appliances supporting enterprise WLANs
• Security: authentication, access control, encryption
• Management: policy definition, WLAN configuration, bandwidth control, back-end IT integration
• Usability: subnet roaming, session persistence, application services
Partner with integrators providing design, site survey, installation, and support services
For more information, visit us at www.reefedge.com

34

Summary

Beware the Seven Deadly Sins

Contact: [email protected], (201) 548-2600