Chap 7 - PowerPoint PPT Presentation

About This Presentation
Title:

Chap 7

Description:

Chap 7 Configure Wireless Routers Learning Objectives Describe the components and operations of basic wireless LAN topologies. Describe the components and ... – PowerPoint PPT presentation

Number of Views:115
Avg rating:3.0/5.0
Slides: 41
Provided by: PhillH
Category:
Tags: chap | regulation

less

Transcript and Presenter's Notes

Title: Chap 7


1
Chap 7 Configure Wireless Routers Learning
Objectives
  • Describe the components and operations of basic
    wireless LAN topologies.
  • Describe the components and operations of basic
    wireless LAN security.
  • Configure and verify basic wireless LAN access.
  • Configure and troubleshoot wireless client access.

2
Why Wireless?
  • Mobility
  • Scalability
  • Flexibility
  • Short long term cost savings
  • Installation advantages
  • Reliability in harsh environments
  • Reduced installation time

3
Basic Wireless LAN Topologies
  • Wireless signals are electromagnetic waves
  • No physical medium is necessary
  • The ability of radio waves to pass through walls
    and cover great distances makes wireless a
    versatile way to build a network.

4
Wired Versus Wireless
  • RF does not have boundaries, allowing data frames
    traveling over the RF media to be available to
    anyone that can receive the RF signal.
  • RF is unprotected from outside signals, whereas
    cable is in an insulating sheath. Radios
    operating independently in the same geographic
    area but using the same or a similar RF can
    interfere with each other.
  • RF transmission is subject to range limitations,
    as the signal is attenuated severely with
    distance from a transmitter. Wired LANs have
    cables that are of an appropriate length to
    maintain signal strength.
  • RF bands are regulated differently in various
    countries. The use of WLANs is subject to
    additional regulations and sets of standards that
    are not applied to wired LANs.

5
Wireless LANs
  • 802.11 wireless LANs extend the 802.3 Ethernet
    LAN infrastructures to provide additional
    connectivity options.
  • However, additional components and protocols are
    used to complete wireless connections

Fa0/0.10 172.17.10.1/24
Fa0/0.30 172.17.30.1/24
S3
S1
Fa0/1
Fa0/1
Fa0/5
Fa0/2
Fa0/2
Fa0/3
Fa0/4
Fa0/3
Fa0/4
PC6 172.17.30.24/24 (VLAN 30)
Fa0/2
Fa0/3
S2
Fa0/1
Fa0/4
Fa0/11
Fa0/6
Fa0/18
PC1 172.17.10.21/24 (VLAN 10)
PC2 172.17.20.22/24 (VLAN 20)
PC3 172.17.30.23/24 (VLAN 30)
6
Wireless LAN Standards
7
IEE 802.11n
  • The IEEE 802.11n draft standard is intended to
    improve WLAN data rates and range without
    requiring additional power or RF band allocation.
  • 802.11n uses multiple radios and antennae at
    endpoints, each broadcasting on the same
    frequency to establish multiple streams.
  • The multiple input/multiple output (MIMO)
    technology splits a high data-rate stream into
    multiple lower rate streams and broadcasts them
    simultaneously over the available radios and
    antennae.
  • This allows for a theoretical maximum data rate
    of 248 Mb/s using two streams.

8
Wi-Fi
  • Wi-Fi Alliance
  • WECA changed its name to Wi-Fi
  • Wireless Fidelity Alliance
  • 170 members
  • Over 350 products certified
  • Wi-Fis Mission
  • Certify interoperability of WLAN products
    (802.11)
  • Wi-Fi is the stamp of approval
  • Promote Wi-Fi as the global standard

9
Wireless Infrastructure Components
  • Wireless NICs are most often associated with
    mobile devices, such as laptop computers. In the
    1990s , wireless NICs for laptops were cards that
    slipped into the PCMCIA slot. PCMCIA wireless
    NICs are still common, but many manufacturers
    have begun building the wireless NIC right into
    the laptop.
  • Desktops located in an existing, non-wired
    facility can have a wireless PCI NIC installed.
  • To quickly set up a PC, mobile or desktop, with a
    wireless NIC, there are many USB options
    available as well.

10
Wireless Infrastructure Components
  • An access point (AP) connects wireless clients
    (or stations) to the wired LAN. Client devices do
    not typically communicate directly with each
    other they communicate with the AP.
  • Access points convert the TCP/IP data packets
    from their 802.11 frame encapsulation format in
    the air to the 802.3 Ethernet frame format on the
    wired Ethernet network.

11
Carrier Sense Multiple Access with Collision
Avoidance (CSMA/CA)
  • Access points oversee a distributed coordination
    function (DCF) called Carrier Sense Multiple
    Access with Collision Avoidance (CSMA/CA).
  • Devices on a WLAN must sense the medium for
    energy and wait until the medium is free before
    sending. Because all devices are required to do
    this, the function of coordinating access to the
    medium is distributed.
  • If an access point receives data from a client
    station, it sends an acknowledgement to the
    client that the data has been received. This
    acknowledgement keeps the client from assuming
    that a collision occurred and prevents a data
    retransmission by the client.

12
Hidden Nodes
  • PC1 and PC2 can reach AP
  • PC1 and PC2 cannot reach each other
  • PC1 Doesnt detect PC2 activity
  • PC1 transmits at the same time as PC2
  • A collision occurs
  • If two clients can connect to an access point,
    but not each other due to their distance from
    each other, neither of those stations sense the
    other on the medium, and they may end up
    transmitting simultaneously.
  • This is known as the hidden node (or station)
    problem.

13
Shared Service Set Identifier (SSID)
  • A unique identifier that clients use to
    distinguish between multiple WLANs in the same
    vicinity.
  • Can be any alphanumeric, case-sensitive entry
    from 2 to 32 characters long.
  • Several access points on a network can share an
    SSID.

14
Frequency Selection
  • Best practices for WLANs that require multiple
    access points are to use non-overlapping
    channels.
  • If there are three adjacent access points, use
    channels 1, 6, and 11.
  • If there are just two, select any two that are 5
    channels apart, such as channels 5 and 10

15
802.11 Wireless LAN Topologies
Adhoc
  • The IEEE 802.11 standard refers to an ad hoc
    network as an Independent Basic Service Set (IBSS)

16
802.11 Wireless LAN Topologies
Basic Service Set (BSS)
Fa0/0.10 172.17.10.1/24
Fa0/0.30 172.17.30.1/24
S3
S1
Fa0/1
Fa0/1
Fa0/5
  • The coverage area for both an IBSS and a BSS is
    the Basic Service Area (BSA)

Fa0/2
Fa0/2
Fa0/3
Fa0/4
Fa0/3
Fa0/4
Fa0/2
Fa0/3
S2
Fa0/1
Fa0/4
Fa0/11
Fa0/6
Fa0/18
PC1 172.17.10.21/24 (VLAN 10)
PC2 172.17.20.22/24 (VLAN 20)
PC3 172.17.30.23/24 (VLAN 30)
17
802.11 Wireless LAN Topologies
Extended Service Set (ESS)
Fa0/0.10 172.17.10.1/24
Fa0/0.30 172.17.30.1/24
S3
S1
Fa0/1
Fa0/1
Fa0/5
Fa0/2
Fa0/2
Fa0/3
Fa0/4
Fa0/3
Fa0/4
PC6 172.17.30.24/24 (VLAN 30)
Fa0/2
Fa0/3
S2
Fa0/1
Fa0/4
  • An ESS generally includes a common SSID to allow
    a user to roam from access point to access point

Fa0/11
Fa0/6
Fa0/18
PC1 172.17.10.21/24 (VLAN 10)
PC2 172.17.20.22/24 (VLAN 20)
PC3 172.17.30.23/24 (VLAN 30)
18
Client / AP Association
  • A key part of the 802.11 process is
    discovering a WLAN and subsequently connecting to
    it. The primary components of this process are
  • Beacons - Frames used by the WLAN network to
    advertise its presence.
  • Probes - Frames used by WLAN clients to find
    their networks.
  • Authentication - A process which is an artifact
    from the original 802.11 standard, but still
    required by the standard.
  • Association - The process for establishing the
    data link between an access point and a WLAN
    client.

19
Client / AP Association
Probe SSID Supported Rates
1. Probing
Probe Response SSID Supported
Rates Security Implementation
Authentication Request Type Key
2. Authentication
Authentication Response Type
Key successful/unsuccessful
20
Client / AP Association
Association Request Client
MAC AP MAC (BSSID) ESS Identifier (ESSID)
3. Association
Association Response
Successful/unsuccessful Association ID (AID)
21
WLAN Planning
  • Position access points above obstructions.
  • Position access points vertically near the
    ceiling in the center of each coverage area, if
    possible.
  • Position access points in locations where users
    are expected to be. For example, conference rooms
    are typically a better location for access points
    than a hallway.

22
Wireless Security Issues
Unauthorised Access
  • War driving - driving around a neighborhood with
    a laptop and an 802.11b/g client card looking for
    an unsecured 802.11b/g system to exploit.
  • Hacker/Cracker - malicious intruders who enter
    systems as criminals and steal data or
    deliberately harm systems.
  • Rogue Access Point - installed by employees
    without authorisation. Employees install access
    points intended for home use on the enterprise
    network. These APs typically do not have the
    necessary security configuration, so the network
    ends up with a security hole.

23
Wireless Security Issues
Man-In-The-Middle Attack
  • A hacker selects a station as a target and uses
    packet sniffing software, such as Wireshark, to
    observe the client station connecting to an
    access point. The hacker might be able to read
    and copy the target username, server name, client
    and server IP address, the ID used to compute the
    response, and the challenge and associate
    response, which is passed in clear text between
    station and access point.
  • If an attacker is able to compromise an access
    point, the attacker can potentially compromise
    all users in the BSS. The attacker can monitor an
    entire wireless network segment and wreak havoc
    on any users connected to it.

24
Wireless Security Issues
Denial of Service
  • A hacker using a PC as an access point, can flood
    the BSS with clear-to-send (CTS) messages, which
    defeat the CSMA/CA function used by the stations.
    The access points, in turn, flood the BSS with
    simultaneous traffic, causing a constant stream
    of collisions.
  • Another DoS attack that can be launched in a BSS
    is when an attacker sends a series of
    disassociate commands that cause all stations in
    the BSS to disconnect. When the stations are
    disconnected, they immediately try to
    reassociate, which creates a burst of traffic.
    The attacker sends another disassociate command
    and the cycle repeats itself.

25
Wireless Security Protocols
  • Today, the standard that should be followed in
    most enterprise networks is the 802.11i standard.
    This is similar to the Wi-Fi Alliance WPA2
    standard.
  • For enterprises, WPA2 includes a connection to a
    Remote Authentication Dial In User Service
    (RADIUS) database.

26
Extensible Authentication Protocol (EAP)
AAA Server
Client
Access Point
  • If stricter security is required, network login
    can be enforced prior to granting clients access
    to the WLAN.
  • This login process is managed by the Extensible
    Authentication Protocol (EAP).
  • IEEE developed the 802.11i standard for WLAN
    authentication and authorisation to use IEEE
    802.1x.

27
Extensible Authentication Protocol (EAP)
AAA Server
Client
Access Point
  • The 802.11 association process creates a virtual
    port for each WLAN client at the access point,
    but blocks all data frames, except for
    802.1x-based traffic.
  • The 802.1x frames carry the EAP authentication
    packets via the access point to a server that
    maintains authentication credentials. This server
    is an Authentication, Authorization, and
    Accounting (AAA) server running a RADIUS
    protocol.
  • If the EAP authentication is successful, the AAA
    server sends an EAP success message to the access
    point, which then allows data traffic from the
    WLAN client to pass through the virtual port.
  • Before opening the virtual port, data link
    encryption between the WLAN client and the access
    point is established to ensure that no other WLAN
    client can access the port that has been
    established for a given authenticated client.

28
Encryption
  • Both protocols encrypt the Layer 2 payload, and
    carry out a message integrity check (MIC) to help
    ensure against a message being tampered with.
  • Although TKIP addresses all the known weaknesses
    of WEP, the AES encryption of WPA2 is the
    preferred method, because it brings the WLAN
    encryption standards into alignment with broader
    IT industry standards and best practices, most
    notably IEEE 802.11i.

29
Configuring the AP
  • With a PC is connected to the access point via a
    wired connection, access the web utility with a
    web browser - enter the WRT300N default IP
    address, 192.168.1.1, in the address field.
  • Setup - Enter your basic network settings (IP
    address).
  • Management - Click the Administration tab and
    then select the Management screen. The default
    password is admin. To secure the access point,
    change the password from its default.
  • Wireless - Change the default SSID in the Basic
    Wireless Settings tab. Select the level of
    security in the Wireless Security tab and
    complete the options for the selected security
    mode.

30
Wireless Settings
  • Network Mode
  • Wireless-N, Wireless-G, and 802.11b devices are
    in the network, keep Mixed, the default setting.
  • Wireless-G and 802.11b devices, select BG-Mixed.
  • Wireless-N devices, select Wireless-N Only.
  • Wireless-G devices, select Wireless-G Only.
  • Wireless-B devices, select Wireless-B Only.
  • To disable wireless networking, select Disable.

31
Wireless Settings
  • Network Name (SSID)
  • The SSID must be identical for all devices in the
    wireless network. It is case-sensitive and must
    not exceed 32 characters (use any of the
    characters on the keyboard). For added security,
    change the default SSID (linksys) to a unique
    name.
  • SSID Broadcast - When wireless clients survey the
    local area for wireless networks to associate
    with, they detect the SSID broadcast by the
    access point.
  • To broadcast the SSID, keep Enabled, the default
    setting, to turn off the broadcast, select
    Disabled.

32
Security Settings
  • Security Mode - Select the mode you want to use
    PSK-Personal, PSK2-Personal, PSK-Enterprise,
    PSK2-Enterprise, RADIUS, or WEP.
  • Mode Parameters - Each of the PSK and PSK2 modes
    have configurable parameters. PSK2-Enterprise
    security version, requires a RADIUS server
    attached to the access point. Need to provide
    RADIUS Server IP address and port number
    (normally 1812).
  • Encryption - Select the algorithm required, AES
    or TKIP. (AES is a stronger encryption method
    than TKIP.)
  • Pre-shared Key - Enter the key shared by the
    router and other network devices. It must have 8
    to 63 characters. Key Renewal - Enter the key
    renewal period, which tells the router how often
    it should change encryption keys.

33
Security Settings
  • There are seven wireless security modes
    supported by the WTR300N, listed here in the
    order seen in the GUI, from weakest to strongest
  • WEP
  • PSK-Personal, or WPA-Personal in v0.93.9 firmware
    or older
  • PSK2-Personal, or WPA2-Personal in v0.93.9
    firmware or older
  • PSK-Enterprise, or WPA-Enterprise in v0.93.9
    firmware or older
  • PSK2-Enterprise, or WPA2-Enterprise in v0.93.9
    firmware or older
  • RADIUS
  • Disabled (no encryption)

"Personal" in a security mode indicates that no
AAA server is used. "Enterprise" in the security
mode name means a AAA server and EAP
authentication is used.
34
Configuring a Wireless NIC
  • Verify that the wireless client has successfully
    connected to the correct wireless network, as
    there be many WLANs available with which to
    connect.
  • PCs running Microsoft Windows XP have a built-in
    wireless networks monitor and client utility.

35
Configuring a Wireless NIC
36
Configuring a Wireless NIC
  • Select preferred authentication method - WPA2
    and PSK2 are preferred because of their strength.
  • Select the Data encryption method - AES is a
    stronger cipher than TKIP, but ensure choice
    matches AP configuration.
  • After selecting the encryption method, enter and
    confirm the Network key ensure that it matches
    key set in AP.

37
Troubleshooting in a WLAN
  • 1. Check the client IP address, SSID,
    encryption type, encryption key, RF channel.
  • 2. Poor performance range from AP, other RF
    transmitters in the locality, overlapping RF
    channels in an ESS.
  • 3. Check the AP ping a wired interface, access
    the web-base GUI, check all parameters.

38
Chap 7 Configure Wireless Routers Learning
Objectives
  • Describe the components and operations of basic
    wireless LAN topologies.
  • Describe the components and operations of basic
    wireless LAN security.
  • Configure and verify basic wireless LAN access.
  • Configure and troubleshoot wireless client access.

39
Any Questions?
40
Lab Topology
Chap 7.3.2 Basic Wireless Config
R1 Sub-interfaces Fa0/0.10 172.17.10.1/24 Fa0/0.
20 172.17.20.1/24 Fa0/0.88 172.17.88.1/24
Fa0/0
WPC1 DHCP
Internet 172.17.88.25
Internet 172.17.88.25
Fa0/5
Fa0/7
WPC2 DHCP
Fa0/11
Fa0/18
WPC3 DHCP
PC2 172.17.20.22/24 VLAN 20
PC1 172.17.10.21/24 VLAN 10
Write a Comment
User Comments (0)
About PowerShow.com