Friday, April 2, 2010


Implementing a wireless network without security is like implementing Ethernet wall jacks all around the building for the public to access. Wireless is prone to wardriving, hackers and employees.
Wardialing is when a computer automatically dials through a range of phone numbers to detect modems it can dial into. Wardriving is when a person moves around an area to detect the wireless networks that are available.

Banning wireless access in a company is the most dangerous move. When a company bans wireless as part of its policy, some employees might connect their own rogue wireless APs because they want to access the company network using their laptops.

Wireless security is done through authentication, encryption and IPS. Authentication can require a user name and password, or a PKI can be set up. Encryption is there so that people cannot easily sniff packets. IPS/IDS detects rogue WAPs and acts like a tripwire.

WEP was the original security measure, and it was really weak. WEP is an example of a pre-shared key system, where the key must be typed into every device. If an employee leaves the company, he would still have the key and you would have to change the key on every device.

WPA was invented to replace WEP as an intermediate solution, designed to work with devices that supported WEP. It used an encryption method called TKIP, which rotated the WEP key for every packet sent. This, however, still uses a pre-shared key.

WPA with 802.1x authentication requires a user name and password. It dynamically negotiates a new set of keys for every login. However, it still uses TKIP, which is based on WEP. With enough packets sniffed, it could eventually be broken if you know the correct initialization vector.

WPA2 Enterprise is similar to WPA with 802.1x, but uses stronger encryption. Administrators typically choose AES, which is impractical to brute-force. It also doesn't have the weaknesses that TKIP and WEP have. Devices shipped since 2004 have hardware capable of doing WPA2.

An SSID uniquely identifies and separates wireless networks. A single WAP can send out multiple SSIDs, each providing access to a different VLAN with a different authentication method. A WAP does not constantly send out beacons. Instead, it sends out beacons only when a client requests them with a probe. A typical process looks like this:
1) Client issues a probe
2) WAPs respond with beacon
3) Client associates with SSID
4) Access point adds client MAC to the association table

When the signal gets too weak, the client sends out another probe. If another access point with the same SSID has a stronger signal, the client reassociates with the new one. This type of roaming, however, is not seamless, and connectivity is lost for about a second.

RF service areas should have 10-15% overlap. Repeaters should have 50% overlap. Bordering access points should use different channels (this includes repeaters). BSS stands for Basic Service Set and refers to a single AP. An ESS is two or more APs connected to the same switched network. An ESS allows configuration for seamless roaming.

Before you set up a WAP, pre-test the switch port with a laptop. If it's good, connect the WAP and set up the SSID with no security. If that works, set up test security (a pre-shared key). If that works, test 802.1x authentication. This is the best way to set up, because if we rush through the process and it doesn't work in the end, we would not be able to tell which step failed.
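As an added example that is not part of the original post, here is how the pre-shared-key test stage and the final 802.1x stage of that procedure look as a hostapd configuration, with the production SSID as a second BSS on the same radio to illustrate the multi-SSID point above. hostapd itself, the interface names, SSIDs, RADIUS address and secrets are my assumptions, and every value is a constructed placeholder.

```ini
# Constructed example: hostapd.conf for the test and production stages.
# hostapd only accepts comments on their own lines, so none are placed after values.

# Stage 2 of the procedure: a WPA2 pre-shared-key test SSID.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
ssid=CORP-TEST
# wpa=2 selects RSN/WPA2 only; wpa=1 would enable the TKIP-era WPA the post calls an interim fix.
wpa=2
wpa_key_mgmt=WPA-PSK
# AES-CCMP for the pairwise cipher; TKIP is deliberately not listed.
wpa_pairwise=CCMP
rsn_pairwise=CCMP
# Placeholder passphrase: replace before use, and remove this BSS once testing is done.
wpa_passphrase=CHANGE-ME-test-only-passphrase

# Stage 3: the production SSID as a second BSS on the same radio, using WPA2 Enterprise
# (802.1X/EAP against a RADIUS server) so per-user credentials replace the shared key.
# Some drivers require an explicit bssid= line for each extra BSS.
bss=wlan0_1
ssid=CORP
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee8021x=1
# RADIUS server: documentation-range address and a placeholder secret.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-secret
```

Because the two SSIDs are separate BSSes, the test network can be deleted once 802.1x is confirmed working without touching the production section.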
