US Robotics USR2450 Technical information

Practical Wireless IP: Concepts, Administration, and Security
Brad C. Johnson & Philip Cox
SystemExperts Corporation

Just checking...
- This is a top level bullet
  - This is the next level in
    - this would be level 3
      - this would be level 4
- Can you hear? Check 1…2…3…Check
- Is it too hot? Too cold?
V 2.2 Copyright SystemExperts 2001,2002,2003

Course Contents
- What it is
  - Wireless, focused on IP services for laptops
    - and a little on handheld and cellphone Internet access
  - Wireless, for understanding
- What it isn't
  - A Radio Frequency Primer
  - An in-depth analysis of Cellular Wireless protocols
  - An exhaustive list of wireless providers and devices
- Security, configuration, and usage

Course Objectives
- When you leave this course, you should be able to:
  - Identify major protocols and standards used by, first and foremost, wireless LANs as well as PDAs and cell-phones
  - Identify important features and configuration options associated with Access Point and client cards
  - Understand major threats to wireless IP networks

Where are We?
- From 50,000' to 5' in about 24 slides
- *NIX and Wireless
- Threats
- Handheld Practicals
- Currents
- LAN Practicals
- Antennas

What is Wireless
[Figure: data rate versus coverage area. Vertical axis (Data): 9.6 kbps, 19.6 kbps, 56 kbps, 128 kbps, 1 mbps, 2 mbps, 4 mbps, 10 mbps; horizontal axis (Coverage Area): Local to Wide. Plotted at the local, high-rate end: Spread Spectrum WLAN, Infrared WLAN, Narrowband WLAN; toward the wide, low-rate end: Broadband PCS, Narrowband PCS, Circuit & Packet Data, Satellite.]

Wireless Component Overview
[Figure: 802.11 clients and PDAs (both marked "This Course") connect through gateways to a wired network and the PSTN, and on to WEB, WAP and APP servers.]

Wireless Devices
- Historically
  - Single function device (very small)
    - use a phone to talk
    - use a pager to get a phone call notification
    - use a PDA to load appointments
  - General purpose devices (small)
    - desktop or laptop for "anything"
- Now and moving into the future
  - Simple devices becoming more flexible
  - General purpose devices becoming (almost) as small/light as the single function devices

Single Function Device Migration
- Handheld
  - Cellular Phone
    - voice and data
    - increasing speeds
    - more complex displays
  - PDA
    - viable as stand-alone wireless device (without requiring desktop download first)
  - Pager
    - interactive

General Purpose Devices
- HomeRF
  - 2.4 GHz band
  - 1.6 Mbps from a distance of about 150 feet
  - Residential market
- Bluetooth
  - 2.4 GHz band
  - Creates Personal Area Networks (PANs)
  - Up to 780 Kbps within a 10-meter range
  - "Appliance" market

802.11b
- Unlicensed 2.4 GHz band
- Uses direct-sequence spread-spectrum (DSSS)
  - Frequency-Hopping FHSS can only be used for 1 & 2 Mbps in US because of FCC regulations
  - …more on this later
- 1 - 11 Mbps from a distance of about 150 to 2000 feet (without special antenna)
- Home business and business markets

802.11 Plain and Simple
OSI layer    | Handled by
Application  | Network Operating System (NOS)
Presentation | NOS
Session      | NOS
Transport    | TCP
Network      | IP
Data Link    | 802.11: Logical Link Control (LLC) – 802.2; Media Access Control (MAC) – Power, Security, Etc.
Physical     | 802.11: FH, DS, IR, CCK(b), OFDM(a)

802.11b
- Physical Layer
  - Physical Medium Dependent (PMD) – wireless encoding
  - Physical Layer Convergence Protocol (PLCP) – common interface
    - long preamble for all 802.11b systems
    - short preamble for special case: e.g., streaming video, Voice over IP
- MAC Layer
  - Inter Frame Space (IFS)
  - Physical Carrier Sense
  - Virtual Carrier Sense
    - e.g., hidden-node
  - Frame Control
  - Power Management
  - Fragmentation

802.11 A Little Less Plain & Simple
Logical Link Control: Connection-less Service; Connection Service
MAC: Point Coordination Function (PCF); Distributed Coordination Function (DCF)
PHY and data rates:
- IEEE 802.11: 2.2 GHz FHSS, 2.4 GHz DSSS, Infrared – 1 Mbps and 2 Mbps
- 802.11b: 2.4 GHz DSSS – 5.5 and 11 Mbps
- 802.11a: 5 GHz OFDM – 6, 9, 12, 18, 24, 36, 48, 54 Mbps

802.11b Frame Control
- 3 types of 802.11b packets
  - Management (type 00)
    - {association, re-association, probe} {request, response}
    - authentication, de-authentication, & disassociation
    - beacon
      - e.g., time-stamp, traffic indication map, supported rates
    - ATIM – Announcement Traffic Information Message
  - Control (01)
    - sent after each frame
    - RTS, CTS, ACK, CF*, PS-Poll
  - Data (10)
    - ok, data! plus
    - CF-ACK/Poll, etc.

802.11b IBSS
- Independent Basic Service Set (IBSS)
  - Ad-Hoc mode
  - Often called peer-to-peer
  - No Access Point (AP)
    - i.e., with just your client cards
    - No wired connections, only link wireless clients

802.11b BSS
- Basic Service Set (BSS)
  - Infrastructure mode
  - Uses an AP to connect clients to a wired network
[Figure: an Access Point joining wireless clients to a Wired LAN]

802.11b ESS
- Extended Service Set (ESS)
  - Infrastructure mode
  - Uses multiple APs
  - Clients may roam between APs
    - …more on roaming later
[Figure: several Access Points on one Wired LAN]

Exposures
- Technology problems
- Theft of hardware
- Insecure configuration information
- Masquerading
- Virus
- Eavesdropping
- Authorization

Technology Problems
- What does "technology" mean?
  - The current state of common hardware and software solutions; examples include
    - protocol issues
      - the raging debate over WEP
    - specification issues
      - WEP doesn't encrypt the SSID and, in general, management packets
    - configuration issues
      - default AP is WEP disabled, open authentication, default SNMP community string
    - interoperability issues
      - the Gap in WAP

Theft of hardware
- Wireless stuff is small
  - Wireless cards fit in a shirt-pocket
  - Most of the APs fit in a jacket pocket or are easily hidden in any kind of bag
    - should they be tagged like clothes in a store?
- Cisco 340 cards write WEP keys to the card
  - If a laptop were stolen, how long would it take to re-key your Wireless network?
- APs have WEP Keys in them
- Data is stored locally

Insecure Configuration Information
- Where does the client store the information?
  - Cisco: On the card
    - so steal it
  - Lucent:
    - on Windows, it's in a world-readable registry key:
      - so copy the values and import them into your configuration
    - on other OSs, it's stored in a file
  - Other cards are storing the data someplace too :-)
- Let's take a closer look at the Lucent Windows example

Lucent Client Registry Entries
[Screenshot: the Lucent client's registry entries, showing the SSID and the obfuscated or encrypted WEP Key]

Registry Permissions
[Screenshot: permissions on that registry key. Any authenticated user can read and copy this data :-(]

Masquerading
- Client side
  - AP identifies system, not user
  - System may be used by more than one user
  - No authorization schemes for different user groups
- Access Point
  - Clients don't authenticate APs
- Solution
  - Per user authentication: EAP

Virus
- Various ways that a virus can "get" to your wireless device
  - Host based, carried forward on a PDA (HotSync) or phone (TrueSync) sync
  - PDA passes it on through infrared
  - Web phone downloads
    - examples include the European EPOC OS
Courtesy of Information Security

Eavesdropping
- Indirect: listening to the network that the wireless access point is connected to (PROMISC)
  - Remember: WEP only encrypts data between the client and the access point!
  - Quite frankly, this is what most people are doing when they talk about "sniffing wireless"
- Direct: listening to the airwaves (RFMON)
  - Sender can not detect eavesdropping
  - Frequency band largely determines range
    - it is quite possible that it goes outside the building
    - special electromagnetic shielding is needed to "stop" leakage

MAC Layer
- Can configure the AP to talk to specific Media Access Control addresses (MAC, a.k.a. hardware address)
  - Not to be confused with Message Authentication Code (MAC)
- Controls access to wired network not wireless
- Some APs will use RADIUS to get the information
- Problem:
  - MAC addresses can be manually set very easily (see next slide)

MAC address configuration
[Screenshot: the client's MAC address configuration dialog :-(]

Where are We?
- From 50,000' to 5'
- *NIX and Wireless
- Handheld Practicals
- Currents
- LAN Practicals
- Antennas

Section Contents
- Transports
- Mobile Data Services

Key Factors in Technology
- Regulation
  - Determines who gets what and how
  - In US "competition" was king
    - Regional Bell's and one other (1/2 each)
  - In Europe "interoperability" was king
    - Government owned "Bells", so no competition, so let's interoperate
    - Need to exchange billing and accounting information
- Security was designed to protect against fraud
  - As opposed to protecting your data

Cellular Basics
- Two Connection Types
  - Circuit Switched
  - Packet Switched
    - More efficient (~10x) than circuit switched
- Transmission techniques
  - Frequency Division Multiple Access (FDMA)
    - Frequency range is divided into channels
    - Dedicated channel/frequency per call
  - Time Division Multiple Access (TDMA)
    - Each call gets a "timeslot" of time on a certain frequency
  - Code Division Multiple Access (CDMA)
    - Uses spread spectrum techniques (i.e., is spread over the available frequencies)
    - Each call has a unique code

Major Cellular Systems
- Advanced Mobile Phone System (AMPS)
- IS-54/IS-136
- IS-95
- Global System for Mobile Communications (GSM)
- Integrated Digital Enhanced Network (iDEN)
- PCS
Note: the Telecommunications Industry Association (TIA) is the main standards carrier for the Interim Standards (IS)

GSM
- "THE" system outside of the US
- A digital system using a modified version of TDMA
- Data at 9.6k
- 900 MHz (GSM800) and 1800 MHz (GSM1800) in Europe and Asia, 1900 MHz US (GSM1900)
  - They are not compatible
- No modem needed for circuit or packet switched data
- Use Subscriber Identification Module (SIM) cards to store all the connection data and identification numbers you need to access a particular wireless service provider

GSM Security
- International Mobile Equipment Identity (IMEI) for each device to determine if the device is allowed on the network
- Shared secret: Stored in the Authentication Center (AuC) and the subscriber's SIM card
  - Authentication: The AuC generates a random number and sends it to the mobile. The mobile uses the A3 cipher and the shared key to generate a signed response, which is sent back to the AuC
  - Encryption: Uses a key derived from the A8 cipher using the same pseudo-random number + subscriber key as above. The cipher key is used with the TDMA frame number in the A5 cipher to create a value to XOR with the data
- Same process in IS-54/136 & PCS1900
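The challenge/response and keying described on this slide, as an added Python example (not part of the course material): both sides of the exchange are modelled, with HMAC-SHA256 and SHA-256 standing in for the operator-specific A3/A8 and the A5 stream cipher (assumptions made so the code runs offline); the Ki value is constructed.

```python
import hashlib
import hmac
import os

# Constructed demo subscriber secret (not a real Ki). Ki is stored only in the SIM and the AuC.
DEMO_KI = bytes.fromhex("00112233445566778899aabbccddeeff")


def a3(ki, rand):
    """Stand-in for A3: 32-bit signed response (SRES) from Ki and RAND.
    The real A3 is operator-chosen; HMAC-SHA256 is an assumption for this demo."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki, rand):
    """Stand-in for A8: 64-bit cipher key Kc from the same RAND and Ki."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def a5_keystream(kc, frame_number, length):
    """Stand-in for A5: keystream from Kc and the TDMA frame number (assumption: SHA-256 in
    counter mode; the real A5/1 is an LFSR stream cipher). The output is XORed with the data."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(kc + frame_number.to_bytes(4, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class AuthenticationCenter:
    """Network side: issues RAND, checks SRES, and only then derives Kc for the base station."""

    def __init__(self, ki):
        self.ki = ki
        self.rand = None

    def challenge(self, rand=None):
        self.rand = rand if rand is not None else os.urandom(16)
        return self.rand

    def verify(self, sres):
        expected = a3(self.ki, self.rand)
        if not hmac.compare_digest(expected, sres):
            return False, None
        return True, a8(self.ki, self.rand)


class Mobile:
    """Handset + SIM side: answers the challenge and derives the same Kc locally."""

    def __init__(self, ki):
        self.ki = ki
        self.kc = None

    def respond(self, rand):
        self.kc = a8(self.ki, rand)
        return a3(self.ki, rand)

    def encrypt_frame(self, frame_number, data):
        return xor_bytes(data, a5_keystream(self.kc, frame_number, len(data)))


def decrypt_frame(kc, frame_number, ciphertext):
    """Network side: same keystream, same XOR."""
    return xor_bytes(ciphertext, a5_keystream(kc, frame_number, len(ciphertext)))


def run_authentication(sim_ki, auc_ki, rand):
    """One challenge/response round. Returns (accepted, Kc at the network, Kc at the mobile)."""
    auc = AuthenticationCenter(auc_ki)
    ms = Mobile(sim_ki)
    sres = ms.respond(auc.challenge(rand))
    accepted, kc_network = auc.verify(sres)
    return accepted, kc_network, ms.kc


if __name__ == "__main__":
    rand = bytes(range(16))
    ok, kc_net, kc_ms = run_authentication(DEMO_KI, DEMO_KI, rand)
    print("accepted:", ok, "Kc match:", kc_net == kc_ms)
    ok_bad, _, _ = run_authentication(bytes(16), DEMO_KI, rand)
    print("wrong Ki accepted:", ok_bad)
```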

Today's Data Systems
- Primary mobile wireless data services are…
  - Cellular Digital Packet Data (CDPD)
  - iDEN packet service
  - Circuit-switched data service for CDMA networks (e.g., SprintPCS)
  - Circuit-switched data services for GSM networks
  - Modems and analog phones
- All of these services offer speeds in the 9.6 Kbps to 19.2 Kbps range
- How they deliver…
  - Smart phones (phones with micro-browsers)
  - Wireless modems (PC card or cable with phone)

CDPD
- IS-732
  - It enables analog AMPS networks to carry packetized data alongside voice
    - Uses idle voice channel or dedicated data channel depending on network configuration
    - CDPD is to AMPS what D-AMPS+ is to TDMA (IS-136/D-AMPS): a way to do Packet Data vice Circuit Data
  - Operates on the 800 MHz frequency
  - Data only, up to 19.2k
  - Requires a modem to convert analog

CDPD Security
- Clone prevention: Asks 2 questions
  - How many times have you accessed the network?
  - What was the last password you used?
- Network level security based on RC4
  - Diffie-Hellman to get session key

Other Popular Systems
- Cingular (a.k.a. Mobitex)
  - Operated by Bell South and RAM Mobile Data
  - Data up to 8k
  - Wide coverage
    - Australia, Belgium, Canada, Korea, Netherlands, Sweden, United Kingdom, United States
  - Used by PALM VII and Blackberry
- ARDIS (DataTAC)
  - Connection oriented
  - Two versions: MDC4800 and RD-LAP
  - Most widely used version is Radio Data Link Access Protocol (RD-LAP)
    - used by Motient for Blackberry

What is 3G?
- Generic term covering a range of future wireless network technologies
  - a.k.a. IMT-2000
- Includes …
  - cdma2000
  - UMTS (Universal Mobile Telecommunications System)
  - GPRS (General Packet Radio Service)
  - WCDMA (Wideband Code Division Multiple Access)
  - EDGE (Enhanced Data rate for GSM Evolution)
- Focus is to combine high-speed mobile access with Internet Protocol (IP) based services

In a box …
Network Type             | Technology | Provider                                                                                           | Speed
Packet (data)            | Mobitex    | Cingular                                                                                           | 8k
Packet (data)            | CDPD       | AT&T, Verizon, BC TEL Mobility, TELUS Mobility                                                     | 19.2k
Packet (data)            | RD-LAP     | Motient                                                                                            | 19.2k
Packet (data)            | iDEN       | Nextel Online                                                                                      | 9.6k
Circuit (voice and data) | CDMA       | Verizon, Sprint PCS, Bell Mobility & Clearnet PCS, Airtouch, GTE, Bell Atlantic, Primeco, others   | 14.4k
Circuit (voice and data) | GSM        | Cingular (old PacBell), Voicestream, Omnipoint, BellSouth Mobility, Sprint, others                 | 9.6k
Circuit (voice and data) | TDMA       | AT&T, BellSouth, Southwestern Bell                                                                 | 9.6k
Circuit (voice and data) | AMPS       | AT&T                                                                                               | 19.2k
Circuit (voice and data) | iDEN       | Nextel (voice)                                                                                     | 9.6k

Observations
- A lot of things are changing quickly here, and it's hard to keep them straight
- Watch IMT-2000 and your wallet :-)
- IS-54, IS-136, and IS-95 will default to AMPS when their signal cannot be detected
- Arguably the best sites to find technical information
  - www.privateline.com/Cellbasics/Cellbasics.html
  - www.howstuffworks.com/cell-phone.htm
- As time passes, we'll watch and see what actually shakes out

Section Contents
- Transports
- Mobile Data Services

Mobile Data Services
- Currently there are three main services provided:
  - Messaging
  - Wireless Web
  - Proprietary applications
- As time goes on, specific applications will be written or ported to provide mobile services

Mobile Data Services: Messaging
- Short Messaging Service (SMS)
  - Available on all digital technologies
  - 140-260 byte messages, store and forward
- Cell Broadcast Service (CBS)
  - Available on GSM only
  - 1,395 byte messages
  - Limited deployment: No way to bill, it's broadcast :-)
- Unstructured Supplementary Services Data (USSD)
  - Connection oriented, GSM based (also UMTS, GSM successor)
  - 182 bytes, uses control channel

Mobile Data Services: Wireless Web
- Factors: speed, screen size, and CPU/memory
- Uses a micro-browser
- Popular delivery standards
  - Compact HTML (C-HTML)
  - Web Clipping
  - Wireless Application Protocol (WAP)

C-HTML
- Created by W3C
- Simplified version of HTML
- Heavily used in Japan via i-mode service
- Virtually unknown elsewhere
- Advantage: Displays equally well on regular browsers
- Disadvantage: Not optimized for handheld limitations

Web Clipping
- Palm proprietary
  - Palm VII (US only)
  - Palm Query Application (PQA) loaded on each server interprets HTML and tells the PALM which parts of the page to download
    - A separate PQA must be installed for each site
    - Downloaded to Palm from desktop
- Uses Mobitex and OmniSKY networks
- Advantage: Fast access and off-line browsing
- Disadvantage: Need to have PQA on each system

Wireless Application Protocol (WAP)
- An application environment
- A set of communication protocols for wireless devices
- Derived from Handheld Device Markup Language (HDML) by Phone.com (a.k.a. Unwired Planet)
- Client/server philosophy
- Uses a micro-browser and a WAP Gateway connected to the mobile network

WAP Architecture
[Figure: handset --WSP/WTP--> WAP Gateway --HTTP--> Web Server]
Note: WAP Server = WAP Gateway + Web Server

WAP Protocol Layers
Application | Wireless Application Environment (WAE)
Session     | Wireless Session Protocol (WSP)
Transaction | Wireless Transaction Protocol (WTP)
Security    | Wireless Transport Layer Security (WTLS)
Transport   | Wireless Datagram Protocol (WDP) / UDP
Network     | Bearers (GSM, SMS, CDMA, CDPD, GPRS, etc.)

The Gap in WAP
- Not to be confused with WAP Gap
  - …which is hundreds of millions of devices that are NOT using WAP
- What is the Gap in WAP?
  - WAP handset to WAP server handled by WTLS
  - WAP server to Internet handled by SSL
  - Once decrypted by WTLS, data is exposed until it is re-encrypted by SSL
    - think of service providers, like PalmNet

Gap in WAP
[Figure: Client --WTLS--> WAP Gateway (WTLS decrypt, plain text, SSL encrypt) --SSL--> HTTP SERVER]

VPNs
- Certicom's movianVPN
  - Basis for iPassConnect PDA service
    - requires a modem and two pieces of software on the PDA
    - lightweight version of iPass' dialer, called iPass Synch, and movianVPN
      - users dial up an iPass-affiliated ISP, then establish a VPN
  - Cisco VPN concentrators will support the client
- Texas Instruments/SafeNet VPN

What Really Matters?
Phones
- Security
  - Encryption options by…
    - the Bearer
    - the Application
    - WTLS
- Device cost
- Ease of configuration, upgrades
  - constantly changing options and services
Handheld
- Where can you use it?
- What can you get to?
- Device management
- Interoperability
  - PocketPC vs. CE vs. PALM
- Expandability

Where are We?
- From 50,000' to 5'
- *NIX and Wireless
- Handheld Practicals
- Currents
- LAN Practicals
- Antennas

Section Contents
- 802.11
- Access Points 101
- Deployment Examples

Wireless LAN Technologies
- Made up of three primary semi-competing technologies
  - IEEE 802.11 {802.11b is our focus}
  - Bluetooth
  - HomeRF

Upcoming WLAN
- IEEE 802.11g (Next generation WLAN)
  - Data rates of 20+ Mbps
  - Selected Intersil's Orthogonal Frequency Division Multiplexing (OFDM)
  - TI's Packet Binary Convolution Coding (PBCC) technology was not selected
- 802.11a
  - …more later

802.11 Local Area Wireless
- IEEE 802.11 makes up the majority of Wireless LANs
- 802.11b (a.k.a. Wi-Fi™) is the current favorite
  - Encodes data using DSSS (direct-sequence spread-spectrum) technology
  - Runs in the 2.4-GHz range
    - different ranges in different regions: US, Europe, Japan, France, Spain
  - Four "speed" ranges: 1-Mbps, 2-Mbps, 5.5-Mbps, and 11Mbps

802.11b Components
- Client
  - Wireless Stations
- "Servers"
  - Residential Gateways
  - Enterprise Access Points
  - Access Servers
  - Outside Routers

Current 802.11 Security
- Privacy
  - Wired Equivalent Privacy (WEP)
- Authentication
  - Shared key
  - Open system
- Authorization
  - MAC

Wired Equivalent Privacy (WEP)
- Purpose is to provide "privacy of a wire"
- Uses RC4 for encryption
  - WEP Key + initialization vector (IV) are fed into a pseudorandom number generator
  - Packet-by-packet data encryption
- The IV, Encrypted Message, and checksum are sent in the 802.11 packet
  - Checksum is not WEP key dependent
  - IV is changed periodically
    - Implementation dependent, but best if every packet (problem is running out)

More on WEP Keys
- Standard says 40bit, but many vendors support 128 bit
  - 40bit is actually 64bit: a 40bit key and 24-bit IV
  - 128bit is a 104-bit key with a 24-bit IV
- No key-management protocol
- Also no inter AP protocol (IAPP) to pass keys

Access Points and WEP
Q: What does WEP do for you?
A: Think of SSL and WTLS
[Figure: three analogous hops]
Client --WEP--> Access Point --Not WEP--> Wired Network
Client --SSL--> HTTP Server --Not SSL--> Backend Server
Client --WTLS--> WAP Gateway --SSL--> HTTP Server

WEP Encryption Steps
- Integrity Check Value computed
  - Checksum of payload (i.e., plaintext) using CRC32
- Select encryption key
  - One of four keys selected
- Generate IV
- Use RC4 to generate a keystream RC4(IV,Key)
  - Note IV is prepended to key
- Concatenate ICV to payload, then XOR with the generated keystream to get ciphertext
- Send IV+keynumber+ciphertext over the air
  - Key number is the key selected in the second step

WEP Encryption
[Figure: IV and Secret Key feed RC4; the keystream is XORed with Payload + ICV; the Message sent is IV + Ciphertext]

WEP Decryption Steps
- Use key number to get private key
- Use sent IV to generate keystream
  - RC4(IV,Key)
- XOR received ciphertext with keystream
  - Get ICV+Payload
- Compute ICV on Payload
- If new ICV == sent ICV, then packet good

WEP Decryption
[Figure: IV from the Message and the Secret Key feed RC4; the keystream is XORed with the Ciphertext to recover Payload + ICV, and the ICV is recomputed and compared]
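The encryption and decryption steps from the preceding slides, as an added Python example (not course material): RC4 is implemented inline, the ICV is CRC32, the IV is prepended to the selected key, and the key number rides in the top two bits of the byte after the IV, as WEP frames carry it; the key set and IV are constructed values.

```python
import zlib


def rc4_keystream(key, length):
    """Plain RC4 (key scheduling + output generation), included so the example runs offline."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload):
    """Integrity Check Value: CRC32 of the plaintext, little-endian. Not key dependent."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(keys, key_id, iv, payload):
    """The WEP Encryption Steps: ICV, key selection, IV, RC4(IV || key), XOR, then IV + key number + ciphertext."""
    key = keys[key_id]                                         # one of the four configured keys
    keystream = rc4_keystream(iv + key, len(payload) + 4)      # the IV is prepended to the secret key
    ciphertext = xor_bytes(payload + icv(payload), keystream)  # payload || ICV, XORed with the keystream
    key_id_byte = bytes([key_id << 6])                         # key number in the top two bits after the IV
    return iv + key_id_byte + ciphertext


def wep_decrypt(keys, frame):
    """The WEP Decryption Steps. Returns the payload, or None when the recomputed ICV does not match."""
    iv, key_id, ciphertext = frame[:3], frame[3] >> 6, frame[4:]
    keystream = rc4_keystream(iv + keys[key_id], len(ciphertext))
    plain = xor_bytes(ciphertext, keystream)
    payload, sent_icv = plain[:-4], plain[-4:]
    if icv(payload) != sent_icv:
        return None
    return payload


# Constructed demo key set: a 40-bit key in slot 0 and a 104-bit key in slot 1 (the slides note a mix is allowed)
DEMO_KEYS = [bytes.fromhex("0102030405"), bytes.fromhex("0a0b0c0d0e0f10111213141516"), bytes(5), bytes(5)]
DEMO_IV = b"\x00\x00\x01"   # a client whose IV counter started at zero


if __name__ == "__main__":
    frame = wep_encrypt(DEMO_KEYS, 1, DEMO_IV, b"ping payload")
    print("on the air:", frame.hex())
    print("decrypted:", wep_decrypt(DEMO_KEYS, frame))
    damaged = bytearray(frame)
    damaged[6] ^= 0x01
    print("after one flipped bit:", wep_decrypt(DEMO_KEYS, bytes(damaged)))
```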

128-bit Version (WEP2)
- Stronger Key
- Non-standard, but in wide use
- 104-bit key instead of 40-bit in standard WEP

WEP Key Management
- Static keys
- Manually distributed
- Up to four keys
  - Can be mixture of 40/128 bit keys
  - Either set as hex data or ASCII
    - ASCII string is converted into key by key generator
      - this limits the key strength to 2^21 because of high ASCII bit and PRNG not being very random
      - to interoperate, they all use the same algorithm
      - Configuration tool usually determines

The Major WEP Problems
- Key Generators
- Keystream Reuse
- RC4 Key Scheduling Algorithm
- Message Authentication

Problem: 40-Bit ASCII Generator
- Folds the ASCII string into a 32-bit number (2^40 now 2^32)
- Use this in a PRNG to generate the 40-bit key, same key every 2^24
- Folding method guarantees only 2^21 unique sets of WEP keys
  - It takes about 35 seconds of time on a 500MHz PIII
- 128-bit Generator
  - Not the same problems
  - Relies on strength of ASCII text and MD5

Problem: Keystream Reuse
- The shared key is static and rarely changed
- Randomness of key stream depends on IV
  - When IV is reused, then you have two messages encrypted with same keystream (a collision)
  - 2^24 possible IVs, so repeated after ~16 million packets
  - Most clients reset IV to 0 and increment by 1 for each packet
    - lots of collisions

Problem: Keystream Reuse Attack
- Attacker sends you a known packet (i.e., ping)
  - A bunch of them :-)
  - Sees the response: Ciphertext and IV
  - Now knows Plaintext and Ciphertext, can get keystream
    - K = P XOR C
    - note: the attacker does *not* know the key, but the keystream
  - Makes a database indexed with IV
    - Now for any IV he/she sees in the future, they have the keystream needed to decrypt the packet
- Major problem because of shared keys
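Added Python example (not course material) showing the monitoring side of the two keystream-reuse slides: a stand-in keystream that depends only on the IV (constructed, not RC4) encrypts frames from a client that restarts its IV at 0, a counter over the capture flags reused IVs, and a check shows that two ciphertexts under one IV XOR to the XOR of their plaintexts, so the keystream (and the key) drop out of the comparison.

```python
import hashlib
from collections import Counter


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def demo_keystream(iv, length):
    """Constructed stand-in for RC4(IV, shared key): anything that depends only on the IV and a fixed
    shared key reproduces the collision problem. The monitor below never needs this function."""
    out = b""
    while len(out) < length:
        out += hashlib.sha256(b"demo-shared-key" + iv + len(out).to_bytes(2, "big")).digest()
    return out[:length]


def encrypt_frame(iv, plaintext):
    return iv, xor_bytes(plaintext, demo_keystream(iv, len(plaintext)))


def client_capture(messages, start_iv=0):
    """Frames from a client that resets its IV to 0 and increments by 1 per packet, as the slide says."""
    return [encrypt_frame((start_iv + n).to_bytes(3, "big"), m) for n, m in enumerate(messages)]


def iv_reuse_report(frames):
    """Monitor side: count frames per IV and return the IVs seen more than once (collisions)."""
    counts = Counter(iv for iv, _ in frames)
    return {iv: n for iv, n in counts.items() if n > 1}


def keystream_cancels(c1, c2, p1, p2):
    """For two frames under one IV, C1 XOR C2 == P1 XOR P2: the keystream, and so the key, drop out."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def packets_until_wrap(iv_bits=24):
    """Size of the IV space: a 24-bit IV wraps after 2^24 (~16 million) packets even without resets."""
    return 2 ** iv_bits


# Constructed capture: the same client associates twice, so its IV counter starts over
SESSION_1 = [b"GET /index.html", b"user=alice&pin=1", b"ping"]
SESSION_2 = [b"GET /login.html", b"ping"]
CAPTURE = client_capture(SESSION_1) + client_capture(SESSION_2)


if __name__ == "__main__":
    for iv, n in sorted(iv_reuse_report(CAPTURE).items()):
        print("IV", iv.hex(), "seen", n, "times")
```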

Problem: Key Scheduling Algorithm of RC4
- Documented by Scott Fluhrer, Itsik Mantin and Adi Shamir
  - Paper indicated that an attacker could gain access to an entire WLAN in less than 15 minutes
  - Requires between 1 million and 8 million packets, and does not require significant CPU power
- Main problem is a weakness in the way the RC4 encryption algorithm is implemented in WEP
  - By having a "known" plaintext prepended on the key (i.e., the IV), it leads to weak keys that will generate known ciphertext output from the RC4 engine
  - It allows the attacker to go back and "reverse engineer" the secret key from encrypted packets

Problem: Key Scheduling Algorithm of RC4
- Longer keys won't help because the attack recovers each key byte individually, rather than attempting to decrypt the key as a whole
- The attack scales linearly -- not exponentially -- as key length increases

Problem: Message Authentication
- The Cyclical Redundancy Check (CRC) chosen for the authentication is weak
- It is designed for errors, not authentication
- It is possible to modify a message such that the CRC will be valid for the message, but it is not the message that was sent
- Can also inject messages in much the same manner
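Added Python example (not course material) illustrating why a CRC is not an authenticator and what a keyed integrity check changes: CRC32 commutes with XOR, so the check value of a changed message is fixed by the original's check value and the change alone, whereas a keyed tag is not; HMAC-SHA256 is an assumption standing in for whatever MIC algorithm the standards body adopts, and the message, change and key are constructed.

```python
import hashlib
import hmac
import zlib


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_check(message):
    """The WEP-style check value: plain CRC32 of the message, no key involved."""
    return zlib.crc32(message)


def crc32_commutes_with_xor(message, delta):
    """CRC32 is linear over XOR for equal-length inputs:
    crc(m XOR d) == crc(m) XOR crc(d) XOR crc(all zeros). The check value of a changed message is
    therefore determined by the original's check value and the change; no secret enters anywhere."""
    zeros = bytes(len(message))
    lhs = zlib.crc32(xor_bytes(message, delta))
    rhs = zlib.crc32(message) ^ zlib.crc32(delta) ^ zlib.crc32(zeros)
    return lhs == rhs


def keyed_mic(key, message):
    """Keyed message integrity check. Assumption: HMAC-SHA256 truncated to 8 bytes; the point is that
    the tag depends on a key the receiver shares with the legitimate sender."""
    return hmac.new(key, message, hashlib.sha256).digest()[:8]


def mic_commutes_with_xor(key, message, delta):
    """The same identity fails for a keyed MIC: tag(m XOR d) is unrelated to tag(m), tag(d), tag(zeros)."""
    zeros = bytes(len(message))
    lhs = keyed_mic(key, xor_bytes(message, delta))
    rhs = xor_bytes(xor_bytes(keyed_mic(key, message), keyed_mic(key, delta)), keyed_mic(key, zeros))
    return lhs == rhs


def receiver_accepts_crc(message, check):
    """WEP-style receiver: recompute and compare. Catches line errors; says nothing about who sent it."""
    return crc32_check(message) == check


def receiver_accepts_mic(key, message, tag):
    """MIC receiver: only a sender holding the key can produce a tag that passes."""
    return hmac.compare_digest(keyed_mic(key, message), tag)


# Constructed sample: a short frame body and a change that flips a few of its bits
MESSAGE = b"GET /account/balance HTTP/1.0\r\n"
DELTA = bytes([0] * 13 + [0x02, 0x10] + [0] * (len(MESSAGE) - 15))
DEMO_KEY = bytes.fromhex("0badcafe0badcafe0badcafe0badcafe")


if __name__ == "__main__":
    print("CRC32 linear over XOR:", crc32_commutes_with_xor(MESSAGE, DELTA))
    print("keyed MIC linear over XOR:", mic_commutes_with_xor(DEMO_KEY, MESSAGE, DELTA))
```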

Current Status of WEP
IEEE 802.11 Task Group I (tgi)
- Message Integrity Check (MIC): Doc 594
  - Add MIC to data before encrypting
  - Re-keying
  - No replay protection (done with IV)
- Temporal Key Hash: Doc 550
  - Algorithm not yet selected
  - Temporal key to derive per-packet key
  - Countermeasure to key-scheduling algorithm
- Re-Keying
  - Re-key Proposal: Doc 540
    - Re-key faster than the attacker can attack
  - Authenticated Key Exchange at the MAC Layer: Doc 508
    - A different way :-)

Current Status of WEP (cont)
- Use AES vice RC4
- 802.1X rekey to be accepted as normative text
- "WEP2" to be known as "Temporal Key Integrity Protocol (TKIP)"

Current 802.11b Authentication
- Two specified in the standard: Open and Shared
  - Open system authentication: This is the default
    - any client can associate with the access point
      - doesn't mean they get an IP though
  - Shared key authentication: Uses a shared secret key (i.e., the WEP Key) to authenticate the client to the AP
    - client sends an Authentication frame to the AP
    - AP replies with an Authentication frame containing a 128bit challenge
    - client will send the "encrypted" challenge back
    - AP will decrypt and compare; if it matches, then it replies with a "success" authentication

Other 802.11b Authentication Mechanisms
- Closed network (no broadcast SSID)
- Enhanced Security Network (ESN)
  - Many call it 802.1x inappropriately
- Captive Portals
  - NoCat

Current 802.11 Authorization
- MAC Layer
  - Can configure the AP to talk to specific MAC addresses
  - Controls access to wired network not wireless

ESN: The Wireless Security Future?
- Defined in the 802.11 Security Baseline
- Depends on 802.1X
  - Protocol definitions between client and bridge, and bridge and authentication server
  - Looks like many vendors are using RADIUS
  - Uses EAP encapsulated in 802.11b Frames
    - EAP is defined in RFC 2284
- Provides
  - Enhanced authentication
  - Key management algorithms
  - Dynamic, association-specific WEP keys
  - Open authentication method

Wireless EAP: Cisco's Version
- Lightweight EAP (LEAP)
  - EAP Type 17: EAP-Cisco Wireless
  - Based on EAP and IEEE 802.1X
  - Provides authentication service for clients whose host OSs do not support EAP
    - LEAP distinguishes between authentication provided by the client firmware and that provided by the host OS
  - Backend RADIUS server (Access Control Server 2000 V2.6)
  - Uses MS-CHAP as Authentication Protocol

Future 802.11 Security Enhancements
- Standard 128-bit WEP encryption (WEP2)
  - Already implemented by all of the major vendors but has not been standardized yet
- Advanced Encryption Standard (AES) for WEP
- Standard key exchange and distribution
  - EAP & LEAP seem to be the wave of the future
- Improved data integrity via keyed message authentication
  - Better message integrity checking

Observations
- This is relatively new territory, so watch for significant changes
- WEP can be a legitimate tool in the security arsenal
  - View 802.11 networks as an insecure MAC layer, over which you run secure IP protocols
  - Use WEP/EAP/802.1x to protect against casual snoopers, local DoS attacks, and bandwidth theft
  - WEP won't help with stolen equipment and ex-employees
- It appears that ESN/802.1X has more momentum than anything else (i.e., Cisco and Lucent support it)

Let's take a look… :-)
- 802.11b packets
  - Beacon
  - Probe Request
  - Open Authentication
  - Shared Authentication
    - No WEP
    - WEP

MAC Header
Field | FC      | ID      | Add 1   | Add 2   | Add 3   | SC      | Add 4   | Data         | CRC
Size  | 2 bytes | 2 bytes | 6 bytes | 6 bytes | 6 bytes | 2 bytes | 6 bytes | 0-2312 bytes | 4 bytes

Frame Control (FC) bits
b0-b1: Protocol (2 bits)
b2-b3: Type (2 bits)
b4-b7: SubType (4 bits)
b8: To DS (1 bit)
b9: From DS (1 bit)
b10: More Frag (1 bit)
b11: Retry (1 bit)
b12: Pwr Mgt (1 bit)
b13: More Data (1 bit)
b14: WEP (1 bit)
b15: Order (1 bit)
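Added Python example (not course material) that parses the MAC header and Frame Control bits laid out above, names the frame using the type/subtype numbering from the 802.11b Frame Control slide, and checks the trailing CRC; the beacon and WEP data frames it parses, and their addresses, are constructed.

```python
import struct
import zlib

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
# Subtype numbers for the frames named on the 802.11b Frame Control slide (a subset of the full 802.11 table)
MGMT_SUBTYPES = {0: "association request", 1: "association response", 2: "reassociation request",
                 3: "reassociation response", 4: "probe request", 5: "probe response", 8: "beacon",
                 9: "ATIM", 10: "disassociation", 11: "authentication", 12: "deauthentication"}
CTRL_SUBTYPES = {10: "PS-Poll", 11: "RTS", 12: "CTS", 13: "ACK", 14: "CF-End", 15: "CF-End + CF-Ack"}
# Flag bit positions b8..b15 from the slide
FLAG_BITS = {"to_ds": 8, "from_ds": 9, "more_frag": 10, "retry": 11,
             "pwr_mgt": 12, "more_data": 13, "wep": 14, "order": 15}


def parse_frame_control(fc_bytes):
    """Decode the 16-bit Frame Control field (little-endian on the air):
    b0-b1 protocol, b2-b3 type, b4-b7 subtype, b8-b15 flags."""
    fc = struct.unpack("<H", fc_bytes)[0]
    info = {"protocol": fc & 0x3, "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF}
    for name, bit in FLAG_BITS.items():
        info[name] = bool((fc >> bit) & 1)
    info["type_name"] = TYPE_NAMES.get(info["type"], "reserved")
    subtype_names = {0: MGMT_SUBTYPES, 1: CTRL_SUBTYPES}.get(info["type"], {})
    info["subtype_name"] = subtype_names.get(info["subtype"], "data" if info["type"] == 2 else "unknown")
    return info


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Parse a management or data frame: FC, ID (duration), Add 1-3, SC, optional Add 4, body, CRC.
    Control frames use shorter headers and are rejected here."""
    fc = parse_frame_control(frame[0:2])
    if fc["type"] == 1:
        raise ValueError("control frames have a different header layout")
    duration = struct.unpack("<H", frame[2:4])[0]
    addresses = [mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])]
    seq_ctl = struct.unpack("<H", frame[22:24])[0]
    header_len = 24
    if fc["type"] == 2 and fc["to_ds"] and fc["from_ds"]:
        addresses.append(mac_str(frame[24:30]))   # Add 4 only appears on data frames bridged AP-to-AP
        header_len = 30
    body = frame[header_len:-4]
    fcs = struct.unpack("<I", frame[-4:])[0]
    return {"fc": fc, "duration": duration, "addresses": addresses,
            "sequence": seq_ctl >> 4, "fragment": seq_ctl & 0xF,
            "body": body, "fcs_ok": zlib.crc32(frame[:-4]) == fcs}


def build_frame(fc, addr1, addr2, addr3, body, seq=0):
    """Constructed frames for the demo: header + body + CRC32 over everything before it."""
    header = struct.pack("<HH", fc, 0) + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4)
    return header + body + struct.pack("<I", zlib.crc32(header + body))


# Constructed addresses and frames
BROADCAST = b"\xff" * 6
AP = bytes.fromhex("0040961122aa")
STA = bytes.fromhex("00022d3344bb")
# Beacon: FC 0x0080 (management, subtype 8); body = timestamp, interval, capability, SSID element
BEACON = build_frame(0x0080, BROADCAST, AP, AP,
                     bytes(8) + struct.pack("<HH", 100, 0x0011) + b"\x00\x09demo-ssid", seq=1)
# Data frame to the AP with the WEP bit set: FC 0x4108; body = IV, key-id byte, ciphertext
WEP_DATA = build_frame(0x4108, AP, STA, BROADCAST, b"\x00\x00\x01\x40" + b"\x5a\xa5\x0f\xf0", seq=2)


if __name__ == "__main__":
    for name, frame in (("beacon", BEACON), ("wep data", WEP_DATA)):
        parsed = parse_frame(frame)
        print(name, parsed["fc"]["type_name"], parsed["fc"]["subtype_name"],
              "wep=", parsed["fc"]["wep"], "fcs_ok=", parsed["fcs_ok"])
```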

Section Contents
- 802.11
- Access Points 101
- Deployment Examples

Access Points 101
- Access Points (AP) broadcast their service (beacon)
- FCC (US) allows 11 channels for Direct Sequence Spread Spectrum (DSSS)
  - in North America and Europe, they start at 2412 MHz (2.412 GHz)
- The spread spectrum for DSSS crosses over several channels
  - i.e., channel bandwidth is 22MHz (25MHz is required to minimize interference), yet they are spaced at 5MHz

Frequency Overlap
[Figure: channels 1 through 11 drawn as overlapping lobes across the 2400-2500 MHz band (Frequency, US)]
Channels start at 2414MHz, increase by 5MHz, and have about a 20MHz range up to 2483.5MHz

Access Point Usage
- Number of clients supported depends on device "memory" size, aggregation, congestion, noise, quality, etc., etc., etc.
  - As we'll see later, the Apple Airport AP (e.g.) has enough slots to cover about a dozen clients and the Cisco Aironet 340 series, up to 2,048 slots
- Typically connects wireless and wired networks
  - If not wired, then it is an Extension Point (EP), i.e., a wireless bridge

Extension Point
[Figure: a Wireless Extension Point extending the Range of an access point]
Access Point Placement
- Roaming can be achieved by having slightly overlapping APs on different channels
  - …more on roaming in just a bit
- 2.4Ghz contains 80MHz of spectrum
  - 25MHz to minimize interference
  - Only 3 equivalent-width non-overlapping DSSS channels

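An added Python example (not from the slides) that turns the channel numbers from the Frequency Overlap and Access Point Placement slides into frequencies and checks overlap: it assumes channel 1 centred at 2412 MHz with 5 MHz spacing, as the Access Points 101 slide states, and a 22 MHz DSSS channel width. The result is the three non-overlapping channels the slide promises, plus a check you can run over a planned AP layout before deploying it.

```python
# Assumptions: channel 1 centred at 2412 MHz, 5 MHz per channel (Access Points 101 slide),
# each DSSS channel 22 MHz wide. The FCC channel set is 1-11.
CHANNEL_1_CENTER_MHZ = 2412
CHANNEL_SPACING_MHZ = 5
DSSS_WIDTH_MHZ = 22
US_CHANNELS = range(1, 12)


def center_mhz(channel: int) -> int:
    if channel not in US_CHANNELS:
        raise ValueError(f"channel {channel} is outside the FCC range 1-11")
    return CHANNEL_1_CENTER_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def edges_mhz(channel: int, width: int = DSSS_WIDTH_MHZ) -> tuple:
    """Lower and upper edge of the channel's spectrum."""
    c = center_mhz(channel)
    return c - width // 2, c + width // 2


def overlaps(a: int, b: int, width: int = DSSS_WIDTH_MHZ) -> bool:
    """True when the two channels' spectra share any frequency."""
    lo_a, hi_a = edges_mhz(a, width)
    lo_b, hi_b = edges_mhz(b, width)
    return lo_a < hi_b and lo_b < hi_a


def non_overlapping_set(channels=US_CHANNELS, width: int = DSSS_WIDTH_MHZ) -> list:
    """Greedy lowest-first choice of mutually non-overlapping channels."""
    chosen = []
    for ch in sorted(channels):
        if all(not overlaps(ch, c, width) for c in chosen):
            chosen.append(ch)
    return chosen


def interfering_pairs(ap_channels: dict, width: int = DSSS_WIDTH_MHZ) -> list:
    """Given {ap_name: channel}, list the AP pairs whose channels overlap."""
    names = sorted(ap_channels)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if overlaps(ap_channels[a], ap_channels[b], width)]


if __name__ == "__main__":
    # Constructed layout: three APs on channels 1, 3 and 6.
    print(non_overlapping_set())                                   # [1, 6, 11]
    print(interfering_pairs({"lobby": 1, "lab": 3, "office": 6}))  # lab clashes with both
```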
Placement (cont.)
[Figure: access point placement diagram]

Placement (cont.)
- Developing configurations to maximize roaming and minimize interference is hard
  - Remember it’s 3 dimensional broadcasts
  - Remember it goes through walls!
    - out to the street, to your neighbor, to your competitor!

Placement, 3 Dimensional
[Figure: three-dimensional placement diagram]

Capacity and Bandwidth
- Maximum of 11Mbps
  - Not really: since the Physical Layer Convergence Protocol (PLCP) layer is always transmitted at 1Mbps, 802.11b is only 85% efficient at the physical layer
  - Goes down because of
    - Distance, barriers, collisions, interference, congestion, capacity usage

Capacity and Bandwidth (cont.)
- Stays “higher” because of
  - Reducing size of coverage areas
  - Reducing client-to-AP ratio
  - Using aggregation
    - increasing AP-to-client ratio and using load balancing

Bandwidth Aggregation
[Figure: bandwidth aggregation diagram]

Anatomy of 802.11b
- Looking at some of the guts of the protocol to help us understand:
  - Modulation determines speed/distance
  - What affects the transmission rate
    - other than distance or barriers
  - Congestion resolution
  - Hidden nodes
  - The MAC layer is our friend!

Anatomy of 802.11b: the bits
- As we said before, data is encoded using DSSS
  - i.e., the data stream is modulated (XOR’d) with a sequence called the Barker code (11 bits: 10110111000 – it’s just a really good pattern for generating radio waves) to generate a series of data objects called chips
  - These chips are then sent out by the wireless radio (i.e., the wireless card)

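An added Python example (not part of the original deck) of the Barker-code spreading just described: each data bit is XOR’d with the 11-chip sequence 10110111000, and despreading by majority correlation shows why a few corrupted chips still decode to the right bit. The autocorrelation helper illustrates the “really good pattern” property: a sharp peak at lag 0 and sidelobes no larger than 1.

```python
BARKER_11 = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0]  # the slide's 10110111000


def spread(bits: list) -> list:
    """XOR each data bit with the whole Barker sequence: 1 data bit -> 11 chips."""
    chips = []
    for bit in bits:
        if bit not in (0, 1):
            raise ValueError("data bits must be 0 or 1")
        chips.extend(chip ^ bit for chip in BARKER_11)
    return chips


def despread(chips: list) -> list:
    """Correlate each 11-chip group against the Barker sequence and decide by majority.

    Up to 5 corrupted chips in a group still decode correctly: that is the processing gain."""
    if len(chips) % 11:
        raise ValueError("chip stream is not a whole number of 11-chip symbols")
    bits = []
    for i in range(0, len(chips), 11):
        group = chips[i:i + 11]
        agree = sum(1 for c, b in zip(group, BARKER_11) if c == b)  # agreement with a "0" symbol
        bits.append(0 if agree > 5 else 1)
    return bits


def autocorrelation(seq: list = BARKER_11) -> list:
    """Aperiodic autocorrelation of the bipolar (+1/-1) sequence for lags 0..n-1."""
    bipolar = [1 if b else -1 for b in seq]
    n = len(bipolar)
    return [sum(bipolar[i] * bipolar[i + lag] for i in range(n - lag)) for lag in range(n)]


def corrupt(chips: list, positions: list) -> list:
    """Flip the chips at the given positions (constructed channel noise)."""
    noisy = list(chips)
    for p in positions:
        noisy[p] ^= 1
    return noisy


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0]
    chips = spread(data)
    print(despread(corrupt(chips, [0, 4, 7, 13])))  # [1, 0, 1, 1, 0] despite 4 flipped chips
    print(autocorrelation())                        # peak 11 at lag 0, sidelobes 0 or -1
```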
Anatomy of 802.11b: the wave
- …then the wireless radio generates a 2.4 GHz wave and modulates it…
  - 1Mbps is done using Binary Phase Shift Keying (BPSK)
  - 2Mbps uses Quadrature Phase Shift Keying (QPSK)
  - 5.5 & 11Mbps use Complementary Sequences (vs. Barker code) then use QPSK
- …so all of these yield a 22 MHz frequency spectrum
  - Hence, only 3 channels fit without overlap, because of this ~25MHz range
  - Hence, all management packets are sent via BPSK: to ensure they “get there” (they go the furthest!)

Anatomy of 802.11b: congestion
- Everybody is “broadcasting” this stuff out, where is the traffic cop?
  - MAC layer “waits” for a quiet time: it’s been idle for the Inter-Frame Spacing period
    - if it’s still busy, wait for this spacing period plus a random number of slot times, and try again
    - so each station is keeping track of its allocated number of slot times (i.e., they trust each other)
      - think about TearDrop and Land DoS

Congestion (cont.)
- Each station listens to the network
  - 1st station to finish its allocated slot times sends data
  - If another station “hears” another station talk, it stops counting down its back-off timer
- In addition to the MAC back-off, 802.11 adds another back-off to ensure fairness
  - When in this “contention window” it uses these back-off timers

Congestion (cont.)
[Figure: timeline of Frame, DIFS, Contention Window (divided into slot times), Frame. Medium is free for DIFS, so client begins to transmit]

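An added slot-level simulation in Python (not from the slides; the DIFS, frame length and contention window sizes are constructed values in slot units) of the DIFS-plus-random-back-off behaviour described on the last three slides: countdowns freeze while the medium is busy, the first station to reach zero sends, and two countdowns reaching zero together collide and widen their windows. The checks at the end verify the fairness property the slides rely on: every station gets its frame out and no two transmissions overlap.

```python
import random

# Model parameters in slot-time units, constructed for illustration (the real
# 802.11b DIFS and slot durations are not taken from the slide).
DIFS_SLOTS = 3
FRAME_SLOTS = 20
CW_MIN = 31
CW_MAX = 1023


class Station:
    def __init__(self, name: str):
        self.name = name
        self.pending = True   # one frame waiting to go out
        self.backoff = None   # slots still to count down, drawn once the DIFS has passed
        self.cw = CW_MIN      # current contention window
        self.retries = 0


def simulate(names: list, seed: int = 1, max_slots: int = 100_000) -> list:
    """Run DCF-style contention for one frame per station.

    Returns (station, start_slot, end_slot, retries) per successful
    transmission, in the order they happened."""
    rng = random.Random(seed)
    stations = [Station(n) for n in names]
    log = []
    busy_until = 0   # medium is busy for slots < busy_until
    idle_run = 0     # consecutive idle slots since the medium last went busy
    for t in range(max_slots):
        if all(not s.pending for s in stations):
            break
        if t < busy_until:
            idle_run = 0         # every station hears the carrier and freezes its countdown
            continue
        idle_run += 1
        if idle_run <= DIFS_SLOTS:
            continue             # medium must be quiet for a whole DIFS before contending
        waiting = [s for s in stations if s.pending]
        for s in waiting:
            if s.backoff is None:
                s.backoff = rng.randint(0, s.cw)   # random slot count inside the window
        ready = [s for s in waiting if s.backoff == 0]
        if len(ready) == 1:
            s = ready[0]
            log.append((s.name, t, t + FRAME_SLOTS, s.retries))
            s.pending, s.backoff, s.cw = False, None, CW_MIN
            busy_until, idle_run = t + FRAME_SLOTS, 0
        elif len(ready) > 1:
            # Two countdowns hit zero in the same slot: both frames are lost, both
            # stations widen their window and draw a fresh back-off.
            for s in ready:
                s.retries += 1
                s.cw = min(2 * s.cw + 1, CW_MAX)
                s.backoff = None
            busy_until, idle_run = t + FRAME_SLOTS, 0
        else:
            for s in waiting:  # one more idle slot elapsed: everyone counts down
                s.backoff -= 1
    return log


def overlapping_transmissions(log: list) -> list:
    """Pairs of logged transmissions that share a slot (should always be empty)."""
    return [(a[0], b[0]) for i, a in enumerate(log) for b in log[i + 1:]
            if a[1] < b[2] and b[1] < a[2]]


if __name__ == "__main__":
    for entry in simulate(["A", "B", "C", "D"], seed=7):
        print(entry)
```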
Anatomy of 802.11b: Hidden Node Problem
- AP P sees A, B, and C, but A and C can’t see each other (“can’t see” means the packets don’t reach)
- Optional feature of RTS/CTS added to 802.11b
  - RTS packet includes target address
    - A sends: “This is for B” (C doesn’t see this)
  - CTS includes sender address
    - B sends: “Please send A” (C DOES see this)
- This feature is significant overhead but a very common condition that needs to be accounted for

Hidden Node Problem
[Figure: stations A, B, and C around an AP. “Hidden node”: STA 3 out of range of STA 1, in range of STA 2]

Hidden Node Problem: Let’s try it again
- 802.11
  - basically designed for indoor, relatively short distances, active and long-lived connected clients, and low noise level
  - but 802.11 (“wi-fi”) is “winning” in the wireless arena and being increasingly used as well in outdoor, long-distance, occasionally connected, potentially high noise level environments
- So what does that mean to hidden nodes?
  - The key is the need to minimize the amount of overhead you introduce to manage them

Finding those Hidden Nodes
- Carrier Sense Multiple Access (CSMA)/Collision Avoidance (CA)
  - CSMA – the device listens to the media before transmitting
  - Request To Send (RTS)/Clear To Send (CTS) – media reservation mechanism
  - Polling – adaptive mechanism
    - Device cannot start transmission before receiving a special acknowledgement packet (a marker) from the AP
    - Defends against “sudden” chaos

Surprising Results
[Figure: chart comparing Polling with RTS/CTS]
What does this mean? In certain circumstances, the method used makes a HUGE difference!

What Does This Mean?
- Media reservation systems (e.g., RTS/CTS) work “better” in stable environments with expectations of full/long-lived connectivity
  - e.g., in your office building, point-to-point connections, small number of nodes
- Adaptive systems (e.g., polling) work “better” in other environments
  - e.g., city (or larger) wide environments
  - Remember you’ll tend to have lower speed but much more predictable and controllable

Anatomy of 802.11b: Roaming
- More than 1 AP providing signals to a single client
  - The client is responsible for choosing the best AP
    - signal strength (#1) and network utilization (#2)
  - When existing signal degrades (to poor), it tries to find another AP
    - either passively listening or actively probing the other channels and getting a response
    - once it finds one, it tries to authenticate and associate

Roaming (cont.)
[Figure: roaming between access points and a Wireless Extension Point]

Important Concepts: Strength vs. Quality
- Received Signal Strength
  - Signal energy at the location of the station
    - (i.e., the power level)
- Received Signal Quality
  - Ability to coherently interpret the signal
    - (i.e., the usability level)

Roaming Activities
- IAPP or Inter Access Point Protocol is intended to standardize roaming features and protocol
  - Started by Aironet (Cisco), Digital Ocean, and Lucent
  - 802.11f is the proposed extension to 802.11
- Wireless Ethernet Compatibility Alliance (WECA) as part of the Wireless ISP Roaming Initiative has published a roadmap
  - Cisco, IBM, Intel, 3Com, and Microsoft
  - “Technical Outline for Wi-Fi Inter-Network Roaming Framework”

IEEE IAPP
- Accomplishes roaming within a subnet
  - Basically, within a corporate wireless LAN
- 2 transfer protocols
  - 1 for single logical LANs
  - 1 for crossing router boundaries
- Crossing subnets is a vendor specific solution
  - It requires mobile IP software on every client
  - Cisco, e.g., is expected to release Mobile IP

Wi-Fi Inter-Network Roaming Framework
- Assumptions
  - Inter-service roaming
  - All components are Wi-Fi certified
  - No client footprint other than browser
  - RADIUS is the protocol for authentication, authorization, and accounting data
  - Pagers, cell-phones, WAP-phones, and PDAs will be addressed “later”

Wi-Fi Roaming (cont.)
- 802.11b
  - Boot up with correct SSID for Wi-Fi network
  - Local WISP login screen
    - which details charges
    - separate window tracks session information
- 802.1x
  - Boot up
  - Prompted with username/password for local WISP
  - Windows XP is only 1x implementation available today

WISPr
WECA is looking to form a set of relationships and network standards between wireless ISP’s that will eventually enable Wireless 802.11b roaming between them.
[Figure: roaming flow between an 802.11b device, an 802.11b AP, the roam WISP, a clearing house, and the user’s WISP]
- Wireless user connects. A unique tag identifies the user’s home WISP account
- Roam WISP passes this “Tag” & request for service to a clearing house
- Clearing house passes info to the user’s WISP
- The user’s WISP authenticates the user and authorizes access. Then bills the user and pays the roaming WISP

Configuring an Access Point
- How to manage it
  - HTTP, Telnet, SNMP or Serial Interface
- Security Settings
  - SSID, WEP, & EAP
  - RADIUS servers and shared key
  - MAC layer Filters
- Making it work easily with clients
  - DHCP

Access Point Medicine
- Enable WEP
  - And not just a little
- Change SSID
  - Disable broadcast
    - Otherwise, your SSID is there to see
- Use MAC address filtering
- Change the password on your AP
- Reconsider using DHCP
  - Consider using fixed IP addresses for your wireless NICs
- Look into other mechanisms (SSL, VPN) for privacy & confidentiality
- Periodically survey your own site

Section Contents
- 802.11
- Access Points 101
- Deployment Examples

Wireless at Home
- Goals
  - Extend network capabilities without physical alterations and costs – other than wireless
  - Share existing resources without specialized or unique (weird) configuration setup
  - Allow visitors easy access to the home network resources (e.g., ISDN, printers)
  - Feel comfortable about the security of the additional wireless services

Wireless at a Conference
- Goals
  - Reduce time to setup fully functional temporary network resources
  - Scale down terminal room requirements
  - Reduce effort and cost to provide Internet access to tutorial instructors and their students
  - Allow attendees ubiquitous access to the Internet within a reasonable distance to the conference center

Industry Setup: Ariba
- Goals
  - Increase efficiency of people in meetings
  - Readily available communications: Instant Messenger
- 802.11b support
  - Standard design
  - Speed and Range
    - wanted the speed that this standard brings to the table
    - designers had experience with other wireless networks
  - Cost
- Only deployed at headquarters
  - It has met expectations

CyberCafe
- Typically an Open AP
  - Use a captive portal to allow access
    - Costly
- Starbucks is one of the first
  - Use MobileStar as their ISP
  - Seem to use a combo of special SSID and captive portal
- Watch for Neighborhood Area Networks

Architectural Considerations
- Need to have a defined goal
- Segregate the wireless infrastructure
  - Isolated sub-network/DMZ
- Use appropriate data protection mechanisms
  - VPNs
  - SSL
  - SSH
  - etc.
- WEP is good for
  - Protecting against casual snoopers and bandwidth theft

Where are We?
- From 50,000’ to 5’
- *NIX and Wireless
- Handheld Practicals
- Currents
- LAN Practicals
- Antennas

Linux Wireless RF Sniffer
- Most of the existing sniffer renditions use cards based on the Prism II chipset from Intersil
  - With either prismdump or patched Libpcap
  - …and Ethereal
- AirSnort and WEPCrack both use these
- Some more popular Prism II cards include the following:
  - D-Link DWL-650
  - Linksys WPC11
  - SMC 2632W
  - Zoom Telephonics ZoomAir 4100

Linux Sniffer: How-To
Directions at Tim Newsham’s site: http://www.lava.net/~newsham/wlan
- Get an SMC2632W wireless card
- Get a wlan-ng driver with RF monitoring code
  - Get linux-wlan-ng-0.1.8-pre13 and apply wlan-monitor.patch
  - Or linux-wlan-ng-0.1.6.tar.gz
    - Apply patches from wlan-mods.tgz
- Get ethereal-0.8.17
- Get Libpcap-0.6.2 or Prismdump
  - Apply LibPcap patches from wlan-mods.tgz

How-To (cont.)
- Compile them up and install them
- Start the monitor
  - wlanctl-ng wlan0 lnxreq_wlansniff channel=<pickone> enable=true

Sniffer Observations
- It works! It’s Linux! It’s free!
- Only one channel at a time :(
  - You can write a script to change that :)
- You have to type “prism” as the interface for ethereal if you use LibPcap

AirSnort
- Need wlan-ng and Newsham’s patches
- You run prismdump to capture packets to a file …
- Run AirSnort on that file (real-time) to attempt cracking
- So after starting the monitor mode …
  - prismdump > WEPCapture
  - capture –c WEPCapture
- “Interesting Packets”: ~1500 for 104-bit and 575 for 40-bit
- crack (at intervals)
- airsnort.sourceforge.net (also wepcrack.sourceforge.net)

Home Spun Access Point
- What is it
  - A system that gateways between the wireless and wired networks
    - a.k.a. Wireless Gateway
  - Implements IBSS (Ad-hoc) or BSS modes
  - Typically provides DHCP and firewall/NAT services
  - May provide authentication and authorization
  - Usually some flavor of Unix (Linux or FreeBSD)
- What does it entail
  - Get the equipment
  - Install the software
  - Tweak a bit

Building your own AP
Condensed from http://www.oreillynet.com/pub/a/wireless/2001/03/06/recipe.html
- Equipment
  - PC, wireless card, ISA-to-PCMCIA adapter, and a NIC
  - Operating System: Unix-like
    - Clients can be anything that can do Ad-Hoc
- Install the PCMCIA adapter in the gateway and insert the wireless card
- Build and install the new kernel
  - Don't forget to edit /etc/lilo.conf and then run /sbin/lilo
- Install the pcmcia-cs package
- Configure wireless and NIC IP options
- Install and configure DHCP (if desired)

Directions (cont.)
- Harden the rest of the system (read: TURN OFF ALL UNUSED SERVICES)
  - Keep the PCMCIA, firewall, and DHCP services running
- Reboot and see what you broke :)
  - Probably should reboot before the firewall and DHCP install/configure
- Setup clients

My Problems
- Trouble getting DHCP working correctly on the wireless net
- Setting up firewall rules
  - Getting ipchains to actually pass traffic through double NAT
    - wireless gateway and my firewall
    - could do HTTP but not SMB
  - Links would drop every so often
- It worked, but not painlessly using 2.2.x
  - Once I went to 2.4.x and iptables it worked for me
    - no DHCP though :(

My Observations
- Functionality is limited in some instances
  - IBSS only
    - WLAN-NG supposedly supports BSS, I never got it to work
- Functionality is enhanced in others
  - Firewall and potential authentication/authorization hub
- If education and experience is what you want, then this is the way to go
- If an up-and-running or many-client setup is what you want, then buy an AP
  - Especially for people with limited time and/or experience

Wireless Firewall Gateway (WFG) by NASA
- Design Objectives
  - A method to authenticate/identify a user
  - Simplicity
- What it does
  - Acts as a router between a wireless and external network with the ability to dynamically change firewall filters as users authenticate
  - Acts as a DHCP server, hosts the user authentication site, and maintains accounting records
- Purpose
  - To keep the wireless network as user-friendly as possible while maintaining some level of security for everyone

OpenAP
- OpenAP http://opensource.instant802.com/
  - Open-source software
  - Fully 802.11b compliant wireless access point
  - Has the ability to:
    - Do multipoint to multipoint wireless bridging, while simultaneously serving 802.11b stations (i.e. an AP)
  - Runs on Eumitcom WL11000SA-N board based AP’s
    - US Robotics (USR 2450) (tested)
    - SMC 2652W EZconnect Wireless AP (tested)
- Why use it?
  - You have the source
  - It is customizable
  - It can do anything that Linux can do

How Does it Work?
- The basic recipe is this:
  - Get the hardware
  - Create a programming image
  - Write the image to a PCMCIA SRAM card
  - Open the access point and insert the SRAM card in place of the 802.11 PCMCIA card
  - Power on the AP
  - Short a jumper to boot from the SRAM card and reprogram the onboard flash
    - Watch what happens on the serial port
  - Replace the 802.11 card
  - You are done
    - Now it can be upgraded over the network

Where are We?
- From 50,000’ to 5’
- *NIX and Wireless
- Handheld Practicals
- Currents
- LAN Practicals
- Antennas

IEEE 802.11a
- Next generation High speed WLAN
  - Speeds 6, 9, 12, 18, 24, 36, 48, & 54 Mbps
  - Uses 5 GHz Unlicensed National Information Infrastructure (U-NII) band
    - U-NII devices will provide short-range, fixed, point-to-point, high-speed wireless digital communications on an unlicensed basis
- Uses Orthogonal Frequency Division Multiplexing (OFDM)
- Different chip set than 802.11b, so no upgrades
  - Can co-exist, as they are on different spectrums

802.11a Spectrum
Band (GHz)     USA/Canada   Europe   France   Spain   Japan
5.150-5.250    50mW         200mW    200mW    200mW   200mW
5.250-5.350    250mW        200mW    200mW    200mW   -
5.725-5.825    1W           -        -        -       -
- 3 primary non-contiguous bands
  - 100MHz each band with power restrictions
    - split into 20MHz channels
  - 5.15-5.25 GHz: Indoor, short-range
  - 5.25-5.35 GHz: Indoor or outdoor, medium range (campus-type networks)
  - 5.725-5.825 GHz: Outdoor, long-range (several km)

802.11a Spectrum (cont.)
- 12 non-overlapping simultaneously operating networks
  - 4 channels in each band
- OFDM then splits each channel into 52 sub-channels

802.11a Coverage
Tech      Data Rate   Throughput   Range and Data        Shared
802.11b   11Mbps      5-7Mbps      100m @ 11Mbps         Yes
802.11g   24Mbps      10-11Mbps    100m @ 12Mbps         Yes
802.11a   54Mbps      31Mbps       50m @ 9Mbps           Yes
                                   30-40m @ 9-12Mbps     Yes
                                   10-15m @ 36-54Mbps    Yes
- 802.11a signals lose strength more quickly
  - Higher frequencies lose power more quickly
  - Limited coverage areas
    - About ¼ of WiFi for similar data rates and environments
    - Need to increase (4x) AP density or power to compensate

802.11a Coverage Graphic
[Figure: 802.11a 54Mbps zone and 9Mbps range (50m) versus 802.11b 11Mbps range (100m)]
This is using similar throughput and transmit powers

802.11a Problems
- Use of 5 GHz band will cause contention in different parts of the world
  - Remember the problems with spectrums in handhelds
- Coverage will cost
  - Number of APs
  - Power (i.e., battery life)

802.11 Thoughts
- Usage
  - Use 802.11a for dense populations and high speeds
  - Use 802.11b/g for greater coverage
- Coexistence
  - Likely to be working together for many years to come
- Price
  - 802.11b/g will have the price advantage for a while

Where are We?
- From 50,000’ to 5’
- *NIX and Wireless
- Handheld Practicals
- Currents
- LAN Practicals
- Antennas

Antennas: The Skinny
- 2.4 GHz ISM Band
  - You don’t need a license to operate a transmitter…
  - …But you MUST be prepared to accept interference from other users/devices
- Good antenna deployment…
  - May be one of the best security measures you can implement
    - reduce stray RF signals
    - less susceptible to interference
    - better control who can have access to the AP RF

Antennas: Basics
- A radiation pattern is a diagram that allows us to visualize in what directions the energy will radiate from an antenna
  - If an antenna radiates in all directions equally we say it is an “isotropic radiator”
  - The radiation pattern is split into two perpendicular planes called Azimuth and Elevation
  - When RF energy is concentrated, it means the antenna has “gain” over a portion of the radiator
    - gain is measured in decibels and written dBi

Antennas: Basics (cont.)
- Gaining coverage is achieved thru gain, which again, is measured in decibels (dB)
- Calculating range
  - Indoors, each 1 dB increase in gain results in a range increase of 2.5%; outdoors it’s 5%
- Positioning
  - Normally should be mounted as high and as clear of obstructions as possible
  - Best performance is when the transmitting and receiving antenna are at the same height and in direct line of sight

Antennas: Dipole
- Most common antenna and the default type on most APs
  - Usually a 1-inch radiating element
  - Note: the higher the frequency, the smaller the antenna and the wavelength become
- Radiation pattern
  - “Donut” like
  - Radiates equally in all directions around its axis but NOT along the length of the wire
    - also called omnidirectional

Dipole Radiation
[Figure: dipole radiation pattern]

Antennas: Directional
- Directional antennas concentrate their energy into a cone
  - Known as a beam
- Radiation pattern
  - It depends on what kind of directional antenna you have

Directional Radiation: Biquad
[Figure: biquad directional radiation pattern]

Antennas: PCMCIA Cards
- They’re terrible, awful, did I mention yuck?
  - It’s hard to form antennas onto the card
  - The effective gain is low
  - They tend to be VERY directional
  - These are some of the reasons that your signal strength can change dramatically with small changes

Typical PCMCIA Radiation
[Figure: typical PCMCIA card radiation pattern]

Antennas: More Facts
- Constant trade-off of range and throughput
  - Remember that the “low” speed of 1 Mbps is slightly slower than a T1 connection (1.544 Mbps)
  - Remember that the top speed of 11 Mbps is only over the air: the Ethernet it’s connected to is 10 Mbps and then you have contention, etc.
  - Current client cards have only 1 radio in them
    - that means half-duplex (they can’t listen and talk at the same time)

Antennas: More Facts (cont.)
- The design of most external cards (PCMCIA) puts the antenna in the worst possible orientation: sideways
  - Tip your laptop sideways and you’ll see
  - The Apple built-in AirPort is an exception
    - the antenna connector runs up the LCD panel
- Attaching external antennas (and orienting them) makes a really big difference
  - Therefore, buy cards that take an external antenna

Review
- Why is it basically impossible to get full 2, 5.5, or 11 Mbps?
- What’s the common management interface to ALL APs?
- What’s the difference between AP aggregation and AP DoS?
- What are the security implications of broadcast SSID?
- What is the problem with MAC based ACL security?

Review
- What are the security implications of shared keys?
- How easy/difficult is it to exploit WEP vulnerabilities?
  - Name one!
- What is the Gap in WAP?
- What are the roaming limitations with using a home spun AP?
- What is the ratio of 802.11a to 802.11b APs for constant power and throughput?

The End
- Thank you for attending!
- Please fill out the Instructor Evaluation Form!!
- Thank you for your comments!
- www.SystemExperts.com/tutors/wirelessip.pdf

Thanks to …
- David Lounsbury
  - Vice President of Research for The Open Group
- Lynda McGinley
  - University of Colorado
  - Coordinator of USENIX wireless services
- Richard Rothschild
  - Director Ariba Network Operations for Ariba

References
- Access Points
  - www.cisco.com/warp/public/cc/pd/witc/ao340ap/
  - www.apple.com/airport/specs.html
  - www.wavelan.com/template.html?section=m58&page=103&envelope=94
  - www.3com.com/products/proddatasheet/datasheet/3CRWE74796B.pdf
- Cell Phone Internet Services
  - www.sprintpcs.com/wireless
  - www.verizonwireless.com
  - www.attws.com/personal/explore/pocketnet
  - www.nextel.com/phone_services/wirelessweb

References (cont.)
- Security
  - www.datafellows.com/products/whitepapers/sec_wap_env.pdf
  - www.tml.hut.fi/Opinnot/Tik110.501/1997/wireless_lan.html
- Sniffing
  - www.sniffer.com/products/wireless/
  - www.robertgraham.com/pubs/sniffing-faq.html
  - www.wildpackets.com/products/airopeek

93
References (cont.)
n
Reference material
n
n
n
n
n
n
n
n
n
n
www.cmu.edu/computing/wireless/index.html
www.teleport.com/~samc/psuwireless/
www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/
Linux.Wireless.drivers.html
www.proxim.com/wireless/glossary/index.shtml
www.motorola.com/SPS/WIRELESS/information/glossary.html
www.wireless-online.com/glossary.htm
www.zdnet.com/pcmag/stories/reviews/0,6755,2603595,00.ht
ml
http://allnetdevices.com/faq/
www.wapforum.org/
www.ntia.doc.gov/osmhome/allochrt.html (Frequency Map)
V 2.2 Copyright SystemExperts 2001,2002,2003
187
References (cont.)
- Seminal 802.11 Security Press
  - The Isaac project at UC Berkeley
    - Integrity checking mechanism, and Use of Initialization Vector (IV) in RC4 algorithm
    - http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
  - Wireless Ethernet Compatibility Alliance (WECA) response to the UC Berkeley paper
    - http://www.wi-fi.net/pdf/Wi-FiWEPSecurity.pdf
  - University of Maryland paper “Your 802.11 Wireless Network has No Clothes”
    - Shared Key to derive WEP key, MAC authentication
    - http://www.cs.umd.edu/~waa/wireless.pdf
  - RC4 Key Scheduling
    - http://www.crypto.com/papers/others/rc4_ksaproc.ps
    - Using the Fluhrer, Mantin, and Shamir Attack to Break WEP

Wireless Stuff
- Wireless performance article
  - www.networkcomputing.com/1113/1113f2full.html
- IEEE 802.11 page
  - www.ieee802.org/11/
- 802.11b Primer
  - www.personaltelco.net/download/802.11bprimer.pdf

Mailing Lists
- Bay Area Wireless Users Group
  - http://lists.bawug.org/mailman/listinfo/wireless/
  - NOTE: This is THE list to watch!
- Aironet
  - http://csl.cse.ucsc.edu/mailman/listinfo/aironet
- O’Reilly
  - http://oreilly.wirelessdevnet.com/

Glossary

3G (third generation) An industry term used to describe the next, still-to-come generation of wireless applications. It represents a move from circuit-switched communications (where a device user has to dial in to a network) to broadband, high-speed, packet-based wireless networks (which are always "on"). The first generation of wireless communications relied on analog technology, followed by digital wireless communications. The third generation expands the digital premise by bringing high-speed connections and increasing reliability.

802.11 A family of wireless specifications developed by a working group of The Institute of Electrical and Electronics Engineers. These specifications are used to manage packet traffic over a network and ensure that packets do not collide—which could result in loss of data—while traveling from their point of origin to their destination (that is, from device to device).

AMPS (advanced mobile phone service) A term used for analog technologies, the first generation of wireless technologies.

Analog Radio signals that are converted into a format that allows them to carry data. While cellular phones and other wireless devices still use analog in geographic areas where there is little or no coverage by digital networks, analog will eventually give way to faster digital networks, analysts say.

AP (Access Point) A base station in a wireless LAN. Access points are typically standalone devices that plug into an Ethernet hub or server. Like a cellular phone system, users can roam around with their mobile devices and be handed off from one access point to the other.

BlackBerry Two-way wireless device, made by Waterloo, Ontario-based Research in Motion, that allows users to check email and voice mail (translated into text), as well as page other users via a wireless network service. Also known as a RIM device, it has a miniature qwerty keyboard for users to type their messages. It uses the SMS protocol. BlackBerry users must subscribe to a wireless service that allows for data transmission.

Bluetooth A short-range wireless specification that allows for radio connections between devices within a 30-foot range of each other.

CDMA (code division multiple access) U.S. wireless carriers, such as Sprint PCS and Verizon, use CDMA to allocate bandwidth for users of digital wireless devices. CDMA distinguishes between multiple transmissions carried simultaneously on a single wireless signal. It carries the transmissions on that signal, freeing network room for the wireless carrier and providing interference-free calls for the user. Several versions of the standard are still under development. CDMA promises to open up network capacity for wireless carriers and improve the quality of wireless messages and users' access to the wireless airwaves. It's an alternative to GSM, which is popular in Europe and Asia.

Glossary (cont.)
CDPD (cellular digital packet data) Telecommunications companies can use CDPD to transfer data on unused cellular
networks to users. If one section, or "cell," of the network is overtaxed, CDPD automatically allows for the reallocation of
resources.
COFDM (Coded Orthogonal Frequency Division Multiplexing) The same as OFDM except that forward error correction is
applied to the signal before transmission. This is to overcome errors in the transmission due to lost carriers from
frequency selective fading, channel noise and other propagation effects. For the discussion of terms OFDM and COFDM
are used interchangeably
Cellular Technology that sends analog or digital transmissions from transmitters that have areas of coverage called cells. As a
user of a cellular phone moves between transmitters from one cell to another, the user's call travels from transmitter to
transmitter uninterrupted.
Circuit switched Used by wireless carriers, this method lets a user connect to a network or the Internet by dialing in, such as
with a traditional phone line. It's a dial-in Internet service provider for wireless device users. Circuit-switched connections
can be slow and unreliable compared with packet-switched networks, but for now circuit-switched networks are the
primary method of Internet and network access for wireless users in the United States.
Dual-band mobile phone Phones that support both analog and digital technologies by picking up analog signals when digital
signals fade. Most mobile phones are not dual-band.
Extensible Authentication Protocol (EAP) An extension to PPP that provides a standard support mechanism for
authentication schemes such as token cards, Kerberos, Public Key, and S/Key.
EDGE (enhanced data GSM environment) A faster version of the GSM standard. It is faster than GSM because it can carry
messages using broadband networks that employ more bandwidth than standard GSM networks.
FDMA (frequency division multiple access) An analog standard that lets multiple users access a group of radio frequency
bands and eliminates interference of message traffic.
Frequency hopping spread spectrum A method by which a carrier spreads out packets of information (voice or data) over
different frequencies. For example, a phone call is carried on several different frequencies so that when one frequency is
lost another picks up the call without breaking the connection.
GPS (Global Positioning System) A series of 24 geo-synchronous satellites that continually transmit their position. GPS is
used in personal tracking, navigation, and automatic vehicle location technologies.
Glossary (cont.)
GPRS (general packet radio service) A technology that sends packets of data across a wireless network at speeds of up to
114Kbps. It is a step up from the circuit-switched method; wireless users do not have to dial in to networks to download
information. With GPRS, wireless devices are always on—they can receive and send information without dial-ins. GPRS
is designed to work with GSM.
GSM (global system for mobile communications) A standard for how data is coded and transferred through the wireless
spectrum. The European wireless standard also used in Asia, GSM is an alternative to CDMA. GSM digitizes and
compresses data and sends it down a channel with two other streams of user data. The standard is based on time division
multiple access.
HDML (handheld device markup language) It uses hypertext transfer protocol (HTTP, the underlying protocol for the Web)
to allow for the display of text versions of webpages on wireless devices. Unlike wireless markup language, HDML is not
based on XML. HDML also does not allow developers to use scripts, while WML employs its own version of JavaScript.
Phone.com, now part of Openwave Systems, developed HDML and offers it free of charge. Website developers using
HDML must recode their webpages in this language to tailor them for the smaller screens of handhelds.
iDEN (Integrated Digital Enhanced Network) A Motorola-enhanced mobile radio network technology that integrates two-way
radio, telephone, text messaging, and data transmission into a single network.
I-Mode A wildly popular service in Japan for transferring packet-based data to handheld devices. I-Mode is based on a
compact version of HTML and does not use WAP, setting it apart from other widely used transmission methods.
Industrial, Scientific, and Medical (ISM) An unlicensed Radio Frequency spectrum used primarily for industrial, scientific,
medical, domestic or similar purposes, excluding applications in the field of telecommunications. These bands support
spread spectrum operation on a non-interference unlicensed basis. Operation in this band is authorized under FCC Rule
Part 15.247. Spread spectrum systems share these bands on a non-interference basis with systems supporting critical
government requirements, secondary only to ISM equipment operated under the provisions of Part 18. Many of these
government systems are airborne radiolocation systems that emit a high ERP, which can cause interference to other users.
Multipath Effect The effect that occurs when a transmitted signal is reflected from objects resulting in multiple copies of a
given transmission arriving at the receiver at different moments in time. Thus the receiver receives multiple copies of the
same signal with many different signal strengths or powers.
OFDM (Orthogonal Frequency Division Multiplexing) A multi-carrier transmission technique, which divides the available
spectrum into many carriers, each one being modulated by a low rate data stream. This is the basis for ADSL as well.
PCS (personal communications services) An alternative to cellular, PCS works like cellular technology because it sends calls
from transmitter to transmitter as a caller moves. But PCS uses its own network, not a cellular network, and offers fewer
"blind spots"—areas in which access to calls is not available—than cellular. PCS transmitters are generally closer
together than their cellular counterparts.
Glossary (cont.)
PDA (personal digital assistant) Mobile, handheld devices—such as the Palm series and Handspring Visors—that give users
access to text-based information. Users can synchronize their PDAs with a PC or network; some models support wireless
communication to retrieve and send e-mail and get information from the Web.
Physical Layer Convergence Protocol (PLCP) A protocol specified within the Transmission Convergence layer that specifies
exactly how cells are formatted within a data stream for a particular type of transmission facility.
Physical Medium Dependent (PMD) Performs wireless encoding
Satellite phone Phones that connect callers via satellite. The idea behind a satellite phone is to give users a worldwide
alternative to sometimes unreliable digital and analog connections.
Service Set Identifier (SSID) An identifier attached to packets sent over the WLAN that functions as a "password" for joining
a particular radio network (BSS). All radios and access points within the same BSS must use the same SSID, or their
packets will be ignored.
SMS (short messaging service) A service through which users can send text-based messages from one device to another. The
message—up to 160 characters—appears on the screen of the receiving device. SMS works with GSM networks.
Symbol A term for the information contained in a message. It can be thought of as a discrete block of digital information.
TDMA (time division multiple access) This protocol allows large numbers of users to access one radio frequency by
allocating time slots for use to multiple voice or data calls. TDMA breaks down data transmission, such as a phone
conversation, into fragments and transmits each fragment in a short burst, assigning each fragment a time slot. With a cell
phone, the caller would not detect this fragmentation. Whereas CDMA (which is used more frequently in the United
States) breaks down calls on a signal by codes, TDMA breaks them down by time. The result in both cases: increased
network capacity for the wireless carrier and a lack of interference for the caller. TDMA works with GSM and digital
cellular services.
WAP (wireless application protocol) WAP is a set of protocols that lets users of mobile phones and other digital wireless
devices access Internet content, check voice mail and e-mail, receive text of faxes and conduct transactions. WAP works
with multiple standards, including CDMA and GSM. Not all mobile devices support WAP.
WASP (wireless application service provider) These vendors provide hosted wireless applications so that companies will not
have to build their own sophisticated wireless infrastructures.
Glossary (cont.)
WCDMA (wideband CDMA) A third-generation wireless technology under development that allows for
high-speed, high-quality data transmission. Derived from CDMA, WCDMA digitizes and transmits
wireless data over a broad range of frequencies. It requires more bandwidth than CDMA but offers
faster transmission because it optimizes the use of multiple wireless signals—not just one, as with
CDMA.
Wireless LAN (WLAN) It uses radio frequency technology to transmit network messages through the air for
relatively short distances, like across an office building or college campus. A wireless LAN can serve as
a replacement for or extension to a wired LAN.
Wireless spectrum A band of frequencies where wireless signals travel carrying voice and data information.
Wireless carriers are bidding at Federal Communications Commission auctions on slivers of airwaves
through which they will ultimately be able to send third-generation communications. The auctions,
which began in December 2000 in the United States and already occurred in several European nations,
will give providers access to new pieces of the spectrum that will allow them to move to third-generation services.
More auctions relevant to 3G communications are on tap.
WISP (wireless Internet service provider) A vendor that specializes in providing wireless Internet access.
WML (wireless markup language) A version of HDML, WML is based on XML and will run with its own
version of JavaScript. Wireless application developers use WML to repurpose content for wireless
devices.
End Matter
- Pulling apart an Apple Airport
- Building your own AP on *NIX
  - Linux or FreeBSD
- Floppy based Wireless Gateway
- WFG Internals
Apple Airport
Gold 128 bit card
Silver 64 bit card
Building your own AP
Condensed from http://www.oreillynet.com/pub/a/wireless/2001/03/06/recipe.html
- Equipment
  - 1 desktop PC, 386 or better
  - At least one 802.11b wireless Ethernet PCMCIA card
    - Lucent WaveLAN/ORiNOCO, Cisco, and Prism II cards are popular
  - One ISA-to-PCMCIA or PCI-to-PCMCIA adapter
    - ISA is preferred
  - At least one NIC card connected to the network
    - can be any type of connectivity (cable modem, DSL, ordinary Ethernet, another wireless link, a satellite downlink, modem and a PPP dialup, etc.)
Building your own AP (cont.)
- Operating System
  - A Unix-like operating system
    - Linux and FreeBSD seem to be the OS of choice
  - Clients can be anything that can do Ad-Hoc
- Hints
  - Use an ISA-PCMCIA adapter
  - Lucent cards work great and can take an external antenna
  - Be prepared to spend time debugging
    - depending on the OS level
Building your own AP (cont.)
- Install the PCMCIA adapter in the gateway and insert the wireless card
- Install the OS and software
  - You will need NAT (IP Masquerade)
    - firewall software (ipchains or iptables)
  - You will want a DHCP and SSH server
- Get kernel source
  - At least 2.2.18; 2.4.x is best
- Get the latest pcmcia-cs and wireless_tools source code
  - pcmcia-cs.sourceforge.net
  - http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html
Directions (cont.)
- Update the kernel
  - Enable loadable module support
  - Enable support for your other NIC cards
  - Enable kernel firewall support
  - Enable IP masquerading (i.e., NAT)
  - Enable Wireless Networking (also known as "non-ham")
    - do not select any modules
  - When compiling a 2.4.x kernel, disable PCMCIA support
    - we'll use the external pcmcia-cs package
Directions (cont.)
- Build and install the new kernel
  - Don't forget to edit /etc/lilo.conf and then run /sbin/lilo
- Install the pcmcia-cs package
  - Your OS may have it (i.e., RedHat 7.1)
- Install the wireless_tools package
- Edit wireless options
  - /etc/pcmcia/wireless.opts
  - ESSID to "yourfavoritename"
  - Rate is "auto"
  - Mode is "Ad-hoc"
Directions (cont.)
- Configure wireless IP options
  - /etc/pcmcia/network.opts
  - Use private IP range
  - Set IP, netmask, and broadcast
- Configure NIC IP options
  - /etc/sysconfig/network-scripts/eth0
  - Set it to DHCP or static IP values
- Install or configure the firewall/NAT package
  - Configure it to masquerade packets from your wireless network to the outside
  - Ensure that you do proper "security" filtering (i.e., drop spoofed IP packets)
Directions (cont.)
- Install and configure DHCP (if desired)
  - This will only be running on the wireless interface
  - Probably should reboot before the firewall and DHCP install/configure
- Harden the rest of the system (read: TURN OFF ALL UNUSED SERVICES)
  - Keep the PCMCIA, firewall, and DHCP services running
- Reboot and see what you broke :-)
- Setup clients
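The firewall/NAT step of the directions above, as an added example (it is not from the slides or from the O'Reilly recipe they condense): a sh script that emits the iptables rule set for the Linux 2.4 gateway, with IP masquerade for the wireless range and the anti-spoofing filters the slides ask for. The interface names wlan0 and eth0 and the 192.168.7.0/24 range are assumptions. By default the script only prints the rules for review; run it as root with the argument apply to load them. Note the ordering: the DHCP accept rule sits before the anti-spoofing drop, because a client's DHCPDISCOVER arrives with source address 0.0.0.0, which is outside the wireless range and would otherwise be dropped.

```shell
#!/bin/sh
# Added example, not from the slides or the O'Reilly recipe: NAT plus
# anti-spoofing rules for the Linux 2.4 / iptables gateway built above.
# The interface names and private range are assumptions; override via env.
WLAN_IF="${WLAN_IF:-wlan0}"              # PCMCIA wireless card (ad-hoc side)
EXT_IF="${EXT_IF:-eth0}"                 # NIC facing the outside network
WLAN_NET="${WLAN_NET:-192.168.7.0/24}"   # private range set in network.opts

# Emit the rule set as text so it can be reviewed, or piped to sh, without root.
gateway_rules() {
    cat <<EOF
# start from empty chains and a default-deny policy
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP first: a DHCPDISCOVER has source 0.0.0.0, which the anti-spoof rule
# below would otherwise drop
iptables -A INPUT -i $WLAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
# anti-spoofing: wireless addresses only on the wireless card, and nothing
# else from the wireless card
iptables -A INPUT -i $EXT_IF -s $WLAN_NET -j DROP
iptables -A FORWARD -i $EXT_IF -s $WLAN_NET -j DROP
iptables -A INPUT -i $WLAN_IF ! -s $WLAN_NET -j DROP
iptables -A FORWARD -i $WLAN_IF ! -s $WLAN_NET -j DROP
# the only other service offered to wireless clients is SSH
iptables -A INPUT -i $WLAN_IF -p tcp --dport 22 -j ACCEPT
# forward wireless -> outside, and only replies back in
iptables -A FORWARD -i $WLAN_IF -o $EXT_IF -s $WLAN_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $WLAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# IP masquerade (NAT) for the private wireless range
iptables -t nat -A POSTROUTING -o $EXT_IF -s $WLAN_NET -j MASQUERADE
EOF
}

# Number of iptables commands in the rule set (comment lines excluded).
rule_count() {
    gateway_rules | grep -c '^iptables'
}

# Load the rules for real: needs root, turns on forwarding and the kernel's
# own reverse-path check, which backs up the anti-spoofing rules above.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
    gateway_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gateway_rules ;;   # default: print for review
esac
```

Because the INPUT policy is DROP, anything not listed (the DHCP server on the wired side, SSH from the outside, and so on) is refused, which is the "turn off all unused services" step expressed at the packet filter; the rp_filter sysctl makes the kernel itself discard packets whose source address would not be routed back out the interface they arrived on.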
Floppy based Wireless Gateway
- Same basic hardware requirements
  - System, ISA-PCMCIA, NIC, Wireless card
  - NIC cards are much more sensitive
- Trinux experience helps when adding modules
- http://nocat.net/ezwrp.html
- My Problems
  - Got it up quickly
  - Problems with DHCP
  - Never got it passing traffic
  - Unclear how to manage firewall rules
WFG Internals
- OpenBSD Unix
- Three interfaces on different networks
  - Wireless
  - external (gateway)
  - internal (management)
- DHCP
  - ISC's DHCPv3
    - modified to dynamically remove hosts from the firewall access list when DHCP releases a lease for any reason
      - the DHCP server will not issue the same IP address until it frees the lease of the last client
  - Listens only on the wireless interface
    - also, packet filters prevent any DHCP requests coming in on any other interfaces
WFG Internals (cont.)
- IP Filtering
  - OpenBSD's IPF software
  - IP routing is enabled
  - Packet filtering between the wireless and external network interfaces
    - static filters are configured on boot up
      - limit initial wireless network access
      - NTP, DNS, DHCP, and ICMP
      - for all users: selected email servers, VPN, and web
    - When a user authenticates, they are allowed unrestricted access
WFG Internals (cont.)
- Web Authentication
  - Used for cross-platform client support
  - Apache with SSL
  - User enters username and password
    - Perl/CGI script then communicates with a Radius server
    - if accepted, then commands to allow their IP address are added to the IPF access rules
- Security
  - System access with SSH
  - Logs: Syslog, DHCP, and Web authentication logs
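The web-authentication flow on this slide and the lease-release handling on the previous WFG Internals slides, as an added example that is not the WFG's own Perl/CGI or patched dhcpd: a sh module that keeps the per-client allow list and adds or removes the matching IPF rule. The wi0 interface, the state-file path and the AUTH_CMD hook (any command that exits 0 when the RADIUS server accepts the user and password) are assumptions. Setting IPF=: makes the ipf calls no-ops, so the list logic can be exercised off the gateway without root.

```shell
#!/bin/sh
# Added example, not the WFG's own code: the per-client access list the slides
# describe for an OpenBSD / IPF gateway. The web-auth CGI calls
# authenticate_and_grant once the user submits credentials; the patched DHCP
# server calls revoke_access whenever it releases a lease. The interface name,
# the state-file path and the AUTH_CMD hook are assumptions.
WLAN_IF="${WLAN_IF:-wi0}"
STATE="${STATE:-/var/run/wfg-allowed}"   # one "ip user" pair per granted client
IPF="${IPF:-ipf}"                        # set IPF=: to dry-run without root
AUTH_CMD="${AUTH_CMD:-false}"            # "user password" -> exit 0 on accept
                                         # (e.g. a wrapper around the RADIUS client)

# The IPF rule that opens the gateway for one authenticated client address.
# It relies on the boot-time default block for $WLAN_IF being a non-"quick"
# rule, so that this later "pass ... quick" rule wins for that address.
ipf_rule() {  # $1 = client IP
    printf 'pass in quick on %s from %s to any keep state\n' "$WLAN_IF" "$1"
}

# Anchored grep pattern with the dots escaped, so 192.168.7.2 never matches
# the entry for 192.168.7.23 (the trailing space ends the address).
ip_pattern() { printf '^%s \n' "$1" | sed 's/\./\\./g'; }

is_allowed() {  # $1 = client IP
    grep -q "$(ip_pattern "$1")" "$STATE" 2>/dev/null
}

grant_access() {  # $1 = client IP, $2 = username
    is_allowed "$1" && return 1        # one entry per address, never two users
    ipf_rule "$1" | $IPF -f - || return 1
    echo "$1 $2" >> "$STATE"
    logger -t wfg-auth "grant $1 user=$2" 2>/dev/null || :
}

# Called on every lease release, before the address can be reissued, so the
# next client with that address never inherits the previous user's access.
revoke_access() {  # $1 = client IP
    is_allowed "$1" || return 0        # nothing to revoke
    ipf_rule "$1" | $IPF -r -f - || return 1
    grep -v "$(ip_pattern "$1")" "$STATE" > "$STATE.tmp" || :
    mv "$STATE.tmp" "$STATE"
    logger -t wfg-auth "revoke $1" 2>/dev/null || :
}

# What the CGI does after the HTTPS form post: check with AUTH_CMD, then grant.
authenticate_and_grant() {  # $1 = client IP, $2 = user, $3 = password
    if ! "$AUTH_CMD" "$2" "$3"; then
        logger -t wfg-auth "reject $1 user=$2" 2>/dev/null || :
        return 1
    fi
    grant_access "$1" "$2"
}

case "${1:-}" in
    grant)  authenticate_and_grant "$2" "$3" "$4" ;;
    revoke) revoke_access "$2" ;;
esac
```

Every grant, reject and revoke goes to syslog through logger, which is the "Web authentication logs" line of the slide; keying the list on the IP address is what makes the DHCP-release hook essential, since the filter cannot tell one client from another once the address changes hands.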
Philip Cox
Consultant
Phil.Cox@SystemExperts.com
530-887-9251 direct
530-887-9253 fax
978-440-9388 main
http://www.SystemExperts.com/
Brad C. Johnson
Vice President
Brad.Johnson@SystemExperts.com
401-348-3099 direct
401-348-3078 fax
978-440-9388 main
http://www.SystemExperts.com/