ScaN InstructorPPT Chapter4 Wireless LANs

7/26/2019 ScaN InstructorPPT Chapter4 Wireless LANs

1/75

2008 Cisco Systems, Inc. Al l r ights reserved. Cisco ConfidentialPresentation_ID

Cha!ter "#

$ireless %A&s

Scaling Networks


2/75

Presentation_ID 2 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Chapter 4

".0 Introd'ction

". $ireless %A& Conce!ts

".2 $ireless %A& (!erations

".) $ireless %A& Sec'rity"." $ireless %A& Config'ration

".* S'mmary


3/75

Presentation_ID ) 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Chapter 4: Objectives

Descri+e ireless %A& technology and standards.

Descri+e the com!onents of a ireless %A& infrastr'ct're.

Descri+e ireless to!ologies.

Descri+e the 802. frame str'ct're.

Descri+e the media contention method 'sed +y ireless technology.

Descri+e channel management in a $%A&.

Descri+e threats to ireless %A&s.

Descri+e ireless %A& sec'rity mechanisms.

Config're a ireless ro'ter to s'!!ort a remote site.

Config're ireless clients to connect to a ireless ro'ter.

-ro'+leshoot common ireless config'ration iss'es.


4/75

2008 Cisco Systems, Inc. Al l r ights reserved. Cisco ConfidentialPresentation_ID "

". $ireless Conce!ts


5/75

Presentation_ID * 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

WLAN Components

Supporting Mobilit

Prod'ctivity is no longer restricted to a fied or/ location or adefined time !eriod.

Peo!le no e!ect to +e connected at any time and !lace, fromthe office to the air!ort or the home.

sers no e!ect to +e a+le to roam irelessly. 1oaming ena+les a ireless device to maintain Internet access

itho't losing a connection.


6/75

Presentation_ID 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

WLAN Components

!ene"its o" Wireless

Increased flei+ility

Increased !rod'ctivity

1ed'ced costs

A+ility to gro and ada!t tochanging re3'irements


7/75Presentation_ID 4 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

WLAN Components

Wireless #echnologies

$ireless netor/s can +e classified +roadly as#

Wireless personal$area network %W&AN'5 (!erates in the rangeof a fe feet 67l'etooth.

Wireless LAN %WLAN'5 (!erates in the range of a fe h'ndred

feet. Wireless wi(e$area network %WWAN'5 (!erates in the range of

miles.

!luetooth5 An I999 802.* $PA& standard: 'ses a device;

!airing !rocess to comm'nicate over distances '! to .0* mile

600m. Wi$)i %wireless "i(elit'5 An I999 802. $%A& standard:

!rovides netor/ access to home and cor!orate 'sers, to incl'de

data, voice and video traffic, to distances '! to 0.8 mile 6)00m.



WLAN Components

Wireless #echnologies %cont*'

Worl(wi(e +nteroperabilit "or Microwave Access %WiMA,'5 AnI999 802. $$A& standard that !rovides ireless +road+and

access of '! to )0 mi 6*0 /m.

Cellular broa(ban(5 Consists of vario's cor!orate, national, and

international organi


9/75Presentation_ID = 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

WLAN Components

-a(io )re.uencies



WLAN Components

/01*22 Stan(ar(s


11/75Presentation_ID 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

WLAN Components

Wi$)i Certi"ication

-he $i;>i Alliance certifies $i;>i and the folloing !rod'ctcom!ati+ility#

I999 802.a?+?g?n?ac?ad;com!ati+le.

I999 802.i sec're 'sing $PA2@ and 9tensi+le A'thentication

Protocol 69AP

$i;>i Protected Set'! 6$PS to sim!lify device connections.

$i;>i Direct to share media +eteen devices

$i;>i Pass!oint to sim!lify sec'rely connecting to $i;>i hots!ot

netor/s

$i;>i iracast to seamlessly dis!lay video +eteen devices



WLAN Components

Comparing WLANs to LANs


13/75Presentation_ID ) 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Components o" WLANs

Wireless N+Cs

$ireless de!loyment

re3'ires#

9nd devices ith

ireless &ICs

Infrastr'ct're device,

s'ch as a ireless

ro'ter or ireless AP


14/75Presentation_ID " 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Components o" WLANs

Wireless 3ome -outer

A home 'ser ty!ically

interconnects ireless

devices 'sing a small,

integrated ireless

ro'ter.

-hese serve as#

access !oint

9thernet sitch

ro'ter


15/75Presentation_ID * 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Components o" WLANs

!usiness Wireless Solutions


16/75Presentation_ID 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Components o" WLANs

Wireless Access &oints



Components o" WLANs

Small Wireless eploment Solutions



Components o" WLANs

Small Wireless eploment Solutions %cont*'

9ach AP is config'red

and managed

individ'ally.

-his can +ecome a

!ro+lem hen several

APs are re3'ired.


19/75Presentation_ID = 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Components o" WLANs

Small Wireless eploment Solutions

S'!!ort the cl'stering ofAPs itho't the 'se of a

controller.

'lti!le APs can +ede!loyed and !'shed to a

single config'ration to alldevices ithin the cl'ster,managing the irelessnetor/ as a singlesystem itho't orrying

a+o't interference+eteen APs, and itho'tconfig'ring each AP as ase!arate device.



Components o" WLANs

Large Wireless eploment Solutions

>or larger organi



Components o" WLANs

Large Wireless eploment Solutions %cont*'


23/75Presentation_ID 2) 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Components o" WLANs

Wireless Antennas

Cisco Aironet APs can 'se# Omni(irectional Wi$)i Antennas5 >actory $i;>i gear often 'ses

+asic di!ole antennas, also referred to as Br'++er d'c/ design,

similar to those 'sed on al/ie;tal/ie radios. (mnidirectional

antennas !rovide )0;degree coverage.

irectional Wi$)i Antennas5 Directional antennas foc's the

radio signal in a given direction, hich enhances the signal to and

from the AP in the direction the antenna is !ointing.

5agi antennas5 -y!e of directional radio antenna that can +e

'sed for long;distance $i;>i netor/ing.


24/75Presentation_ID 2" 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

/01*22 WLAN #opologies

/01*22 Wireless #opolog Mo(es


25/75

Presentation_ID 2* 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential


/01*22 Wireless #opolog Mo(es %cont*'


26/75



A( 3oc Mo(e

#ethering6!ersonal hots!ot 5 ariation of the Ad Eoc to!ology

hen a smart !hone or ta+let ith cell'lar data access is ena+led to

create a !ersonal hots!ot.


27/75



+n"rastructure Mo(e


28/75



+n"rastructure Mo(e %cont*'


29/75

2008 Cisco Systems, Inc. Al l r ights reserved. Cisco ConfidentialPresentation_ID 2=

".2 $ireless %A& (!erations


30/75

Presentation_ID )0 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

/01*22 )rame Structure

Wireless /01*22 )rame


31/75



Wireless /01*22 )rame


32/75



)rame Control )iel(


33/75

Presentation_ID )) 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential


Wireless )rame #pe


34/75

Presentation_ID )" 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential


Management )rames


35/75

Presentation_ID )* 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential


Control )rames


36/75


Wireless Operation

CSMA6CA

CSA?CA >lochart


37/75


Wireless Operation

Wireless Clients an( Access &oint Association


38/75


Wireless Operation

Association &arameters

SS+5ni3'e identifier that ireless clients 'se to disting'ish+eteen m'lti!le ireless netor/s in the same vicinity.

&asswor(51e3'ired from the ireless client to a'thenticate to theAP. Sometimes called the sec'rity /ey.

Network mo(e51efers to the 802.a?+?g?n?ac?ad $%A&

standards. APs and ireless ro'ters can o!erate in a mied mode:i.e., it can sim'ltaneo'sly 'se m'lti!le standards.

Securit mo(e51efers to the sec'rity !arameter settings, s'ch as$9P, $PA, or $PA2.

Channel settings51efers to the fre3'ency +ands 'sed to transmitireless data. $ireless ro'ters and AP can choose the channelsetting or it can +e man'ally set.


39/75

Presentation_ID )= 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Wireless Operation

iscovering A&s

&assive mo(e AP advertises its service +y sending +roadcast +eacon frames

containing the SSID, s'!!orted standards, and sec'rity settings.

-he +eaconFs !rimary !'r!ose is to allo ireless clients to learn

hich netor/s and APs are availa+le in a given area.

Active mo(e

$ireless clients m'st /no the name of the SSID.

$ireless client initiates the !rocess +y +roadcasting a !ro+e re3'est

frame on m'lti!le channels.

Pro+e re3'est incl'des the SSID name and standards s'!!orted. ay +e re3'ired if an AP or ireless ro'ter is config'red to not

+roadcast +eacon frames.


40/75

Presentation_ID "0 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Wireless Operation

Authentication

Open authentication5 A&%% a'thentication herethe ireless client saysBa'thenticate me and the APres!onds ith Byes. sed

here sec'rity is of noconcern.

Share( ke authentication5-echni3'e is +ased on a /eythat is !re;shared +eteen

the client and the AP.


41/75

Presentation_ID " 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Channel Management

)re.uenc Channel Saturation

irect$se.uence sprea( spectrum %SSS' ses s!read;s!ectr'm mod'lation techni3'e: designed to s!read

a signal over a larger fre3'ency +and ma/ing it more resistant to

interference.

sed +y 802.+.

)re.uenc$hopping sprea( spectrum %)3SS'

1elies on s!read;s!ectr'm methods to comm'nicate.

-ransmits radio signals +y ra!idly sitching a carrier signal among

many fre3'ency channels.

-his channel;ho!!ing !rocess allos for a more efficient 'sage ofthe channels, decreasing channel congestion.

sed +y the original 802. standard.


42/75


Channel Management

)re.uenc Channel Saturation %cont*'

Orthogonal )re.uenc$ivision Multiple7ing %O)M'

S'+set of fre3'ency division m'lti!leing in hich a single channel

'tiliD 'ses s'+channels, channel 'sage is very efficient.

sed +y a n'm+er of comm'nication systems, incl'ding802.a?g?n?ac.


43/75

Presentation_ID ") 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Channel Management

Selecting Channels


44/75

Presentation_ID "" 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Channel Management

Selecting Channels %cont*'

-he sol'tion to 802.+ interference is to 'se

nonoverla!!ing channels , , and .


45/75

Presentation_ID "* 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Channel Management


se channels in the larger, less;croded * HE< +and,

red'cing Baccidental denial of service 6DoS, this +and can

s'!!ort fo'r non;overla!!ing channels.


46/75


Channel Management


Channel +onding com+ines to 20;E< channels into one

"0;E< channel.


47/75


Channel Management

&lanning a WLAN eploment

If APs are to 'se eisting

iring, or if there are

locations here APs

cannot +e !laced, note

these locations on the

ma!.

Position APs a+ove

o+str'ctions.

Position APs vertically

near the ceiling in thecenter of each coverage

area, if !ossi+le.

Position APs in locations

here 'sers are e!ected

to +e.


48/75

2008 Cisco Systems, Inc. Al l r ights reserved. Cisco ConfidentialPresentation_ID "8

".) $ireless %A& Sec'rity


49/75

Presentation_ID "= 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

WLAN #hreats

Securing Wireless


50/75

Presentation_ID *0 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

WLAN #hreats

oS Attack

$ireless DoS attac/s can +e the res'lt of#

Im!ro!erly config'red devices.

Config'ration errors can disa+le the $%A&.

A malicio's 'ser intentionally interfering ith the ireless

comm'nication. Disa+le the ireless netor/ here no legitimatedevice can access the medi'm.

Accidental interference

$%A&s o!erate in the 'nlicensed fre3'ency +ands and are !rone to

interference from other ireless devices. ay occ'r from s'ch devices as microave ovens, cordless !hones,

+a+y monitors, and more.

2." HE< +and is more !rone to interference than the * HE< +and.


51/75


WLAN #hreats

Management )rame oS Attacks

A spoo"e( (isconnect attack

(cc'rs hen an attac/er sends a series of Bdisassociate

commands to all ireless clients.

Ca'se all clients to disconnect.

-he ireless clients immediately try to re;associate, hich creates

a +'rst of traffic.A C#S "loo(

An attac/er ta/es advantage of the CSA?CA contention method

to mono!oli


52/75


WLAN #hreats

-ogue Access &oints

A rog'e AP is an AP or ireless ro'ter that has +een# Connected to a cor!orate netor/ itho't e!licit a'thori


53/75

Presentation_ID *) 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

WLAN #hreats

Man$in$the$Mi((le Attack

B9vil tin AP attac/# A !o!'lar ireless I- attac/ here an attac/er introd'ces a

rog'e AP and config'res it ith the same SSID as a legitimate AP.

%ocations offering free $i;>i, s'ch as air!orts, cafes, and

resta'rants, are hot+eds for this ty!e of attac/ d'e to the o!en

a'thentication.

Connecting ireless clients o'ld see to APs offering ireless

access. -hose near the rog'e AP find the stronger signal and most

li/ely associate ith the evil tin AP. ser traffic is no sent to the

rog'e AP, hich in t'rn ca!t'res the data and forards it to the

legitimate AP.

1et'rn traffic from the legitimate AP is sent to the rog'e AP,

ca!t'red, and then forarded to the 'ns's!ecting S-A.


54/75

Presentation_ID *" 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Securing WLANs

Wireless Securit Overview

se a'thentication and encry!tion to sec're a ireless netor/.


55/75

Presentation_ID ** 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Securing WLANs

Share( 8e Authentication Metho(s


56/75


Securing WLANs

9ncrption Metho(sI999 802.i and the $i;>i Alliance $PA and $PA2 standards 'se

the folloing encry!tion !rotocols#

#emporal 8e +ntegrit &rotocol %#8+&'

sed +y $PA.

a/es 'se of $9P, +'t encry!ts the %ayer 2 !ayload 'sing

-IP, and carries o't a Cisco essage Integrity Chec/ 6IC. A(vance( 9ncrption Stan(ar( %A9S'

9ncry!tion method 'sed +y $PA2.

Preferred method +eca'se it aligns ith the ind'stry standard

I999 802.iA.

Stronger method of encry!tion.

ses the Co'nter Ci!her ode ith 7loc/ Chaining essage

A'thentication Code Protocol 6CCP.

Alays choose $PA2 ith A9S hen !ossi+le.


57/75


Securing WLANs

Authenticating a 3ome ser$PA and $PA2 s'!!ort to ty!es of a'thentication#

&ersonal

Intended for home or small office netor/s, or a'thenticated

'sers ho 'se a !re;shared /ey 6PS.

&o s!ecial a'thentication server is re3'ired.

9nterprise

1e3'ires a 1emote A'thentication Dial;In ser Service

61ADIS a'thentication server.

Provides additional sec'rity.

sers m'st a'thenticate 'sing 802.J standard, hich 'sesthe 9tensi+le A'thentication Protocol 69AP for

a'thentication.


58/75


Securing WLANs

Authentication in the 9nterprise

.9nter!rise sec'rity mode choices re3'ire an A'thentication,

A'thori


59/75

2008 Cisco Systems, Inc. Al l r ights reserved. Cisco ConfidentialPresentation_ID *=

8." $ireless %A& Config'ration


60/75


Con"igure a Wireless -outer

Con"iguring a Wireless -outer

7efore installing a ireless ro'ter, consider the folloing settings#


61/75



Con"iguring a Wireless -outer

An Im!lementation Plan consists of the folloing ste!s#

Step 2*Start the $%A& im!lementation !rocess ith a single AP and

a single ireless client, itho't ena+ling ireless sec'rity.

Step 1*erify that the client has received a DECP IP address and can!ing the local, ired defa'lt ro'ter, and then +rose to the

eternal Internet.

Step ;*Config're ireless sec'rity 'sing $PA2?$PA ied Personal.

&ever 'se $9P 'nless no other o!tions eist.

Step 4*7ac/ '! the config'ration.


62/75



Set p an( +nstall the Linkss 9AS


63/75



Con"iguring a Linkss Smart Wi$)i 3omepage


64/75



Smart Wi$)i Settings

Smart $i;>i settings ena+le yo' to# Config're the ro'terFs +asic settings for the local netor/.

Diagnose and tro'+leshoot connectivity iss'es on the netor/.

Sec're and !ersonali


65/75



Smart Wi$)i #ools

evice List5 %ists ho is connected to the $%A&. Personaliuest Access5 Creates a se!arate netor/ for '! to *0 g'ests at

home hile /ee!ing netor/ files safe ith the H'est Access -ool.

&arental Controls5 Protects /ids and family mem+ers +yrestricting access to !otentially harmf'l e+sites

Me(ia &rioriti?ation5 Prioriti


66/75



!acking p a Con"iguration

-o +ac/ '! the config'ration ith the %in/sys 9A*00 ireless ro'ter,!erform the folloing ste!s#

Step 2*%og in to the Smart Wi$)i 3ome !age. Clic/

the #roubleshootingicon to dis!lay the -ro'+leshooting

Stat's indo.

Step 1*Clic/ the iagnosticta+ to o!en the Diagnostic-ro'+leshooting indo.

Step ;*nder the 1o'ter config'ration title, clic/ !ackupand save

the file to an a!!ro!riate folder.


67/75


Con"iguring Wireless Clients

Connecting Wireless Clients

After the AP or ireless ro'ter has +een config'red, the ireless&IC on the client m'st +e altered to allo it to connect to the

$%A&.

-he 'ser sho'ld verify that the client has s'ccessf'lly connected

to the correct ireless netor/, +eca'se there may +e many

$%A&s availa+le ith hich to connect.


68/75


#roubleshoot WLAN +ssues

#roubleshooting Approaches

-hree main tro'+leshooting a!!roaches 'sed to resolve netor/!ro+lems#

!ottom$up5 Start at %ayer and or/ '!.

#op$(own5 Start at the to! layer and or/ don.

ivi(e$an($con.uer5 Ping the destination. If the !ings fail,verify the loer layers. If the !ings are s'ccessf'l, verify the

'!!er layers.


69/75

Presentation_ID = 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential


Wireless Client Not Connecting


70/75



#roubleshooting When the Network +s Slow


71/75



p(ating )irmware


72/75


Chapter 4: Summar

$%A&s are often im!lemented in homes, offices, and cam!'s

environments.

(nly the 2.", HE


73/75

Presentation_ID 4) 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Chapter 4: Summar %cont*'

A Cisco Aironet AP can 'se an onmidirectional antenna, a directional

antenna, or a yagi antenna to direct signals.

I999 802.n?ac?ad 'se I( technology to im!rove thro'gh!'tand s'!!ort '! to fo'r antennas, sim'ltaneo'sly.

In ad;hoc mode or I7SS, to ireless devices connect to each other

in a P2P manner. In infrastr'ct're mode, APs connect to netor/ infrastr'ct're 'sing

the ired DS.

9ach AP defines a 7SS and is 'ni3'ely identified +y its 7SSID.

'lti!le 7SSs can +e Goined into an 9SS.

sing a !artic'lar SSID in an 9SS !rovides seamless roamingca!a+ilities among the 7SSs in the 9SS.


74/75

Presentation_ID 4" 2008 Cisco Systems, Inc. Al l r ights reserved. Cisco Confidential

Chapter 4: Summar %cont*' Additional SSIDs can +e 'sed to segregate the level of netor/

access defined +y hich SSID is in 'se.

An S-A first a'thenticates ith an AP, and then associates ith thatAP.

-he 802.i?$PA2 a'thentication standard sho'ld +e 'sed. se theA9S encry!tion method ith $PA2.

$hen !lanning a ireless netor/, nonoverla!!ing channels sho'ld+e 'sed hen de!loying m'lti!le APs to cover a !artic'lar area.-here sho'ld +e a 05* !ercent overla! +eteen 7SAs in an 9SS.

Cisco APs s'!!ort Po9 to sim!lify installation.

$ireless netor/s are s!ecifically s'sce!ti+le to threats s'ch asireless intr'ders, rog'e APs, data interce!tion, and DoS attac/s.Cisco has develo!ed a range of sol'tions to mitigate against thesety!es of threats.


75/75

ScaN InstructorPPT Chapter4 Wireless LANs

Documents

Transcript of ScaN InstructorPPT Chapter4 Wireless LANs