CHAPTER 5: Wireless Networking 186

zone to another. Many wireless-enabled devices such as laptops and hand-held computers run on battery power and should be able to conserve power when not actively communicating with the network. Wireless communication over the air must be secured to mitigate both passive attacks (eavesdropping) and active attacks (injection and impersonation).

WAP

The Wireless Application Protocol (WAP) is an open specification designed to let mobile wireless users easily access and interact with information and services. WAP is designed for hand-held digital wireless devices such as mobile phones, pagers, two-way radios, smartphones, and other communicators. It works over most wireless networks and can be built on many operating systems (OSs), including PalmOS, Windows CE, JavaOS, and others.

The WAP operational model is built on the World Wide Web (WWW) programming model with a few enhancements and is shown in Figure 5.5. WAP browsers in a wireless client are analogous to the standard WWW browsers on computers. WAP URLs (uniform resource locators) are the same as those defined for traditional networks and are also used to identify local resources in the WAP-enabled client. The WAP specification added two significant enhancements to the above programming model: push and telephony support (wireless telephony application [WTA]). WAP also provides for the use of proxy servers, as well as supporting servers that provide functions such as PKI support, user profile support, and provisioning support.

Wireless Transport Layer Security

Wireless Transport Layer Security (WTLS) is the WAP Forum's attempt to introduce a measure of security into WAP. The WTLS Protocol is based on the Transport Layer Security (TLS) Protocol, which is itself a derivative of the Secure Sockets Layer (SSL) Protocol. However, several changes were made to these protocols to adapt them to work within WAP.
These changes include:

- Support for both datagram- and connection-oriented protocols
- Support for long round-trip times
- Support for low-bandwidth links and for devices with limited memory and processor capabilities

WTLS is designed to provide privacy as well as reliability for both the client and the server over an unsecured network and is specific to applications that utilize WAP. These applications tend to be limited by memory, processor capabilities, and low-bandwidth environments.

FIGURE 5.5 WAP 2.0 Architecture Programming Model.

Wireless Network Concepts 187

IEEE 802.11

The original IEEE 802.11 standard (ratified in 1997) defines the operation of wireless networks in the 2.4 GHz range using either DSSS or FHSS at the physical layer of the OSI model. The standard also defines the use of infrared for wireless communication. The intent of the standard is to provide a wireless equivalent of standards such as 802.3 that are used for wired networks. DSSS devices that follow the original 802.11 standard communicate at 1 and 2 Mbps and generally have a range of approximately 300 feet. Because of the need for higher data rates and more functionality at the MAC layer, the 802.11 Task Group developed further standards (in some cases the 802.11 standards were developed from technologies that preceded them).

The IEEE 802.11 standard provides all the necessary definitions and constructs for wireless networks. Everything from the physical transmission specifications to the authentication negotiation is defined by this standard. Wireless traffic, like its wired counterpart, consists of frames transmitted from one station to another. The primary feature that sets wireless networks apart from wired networks is that at least one end of the communication pair is either a wireless client or a wireless AP.
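As an added example (not code from the chapter), the following Python decodes the two-byte Frame Control field that starts every 802.11 frame, sorts frames into the management, control, and data categories that the following sections describe, and pulls the BSSID, SSID, supported rates, channel, and Privacy (WEP) capability bit out of a beacon. The sample frames are constructed by hand for this example; the field layouts (little-endian Frame Control, 24-byte management header, beacon fixed fields followed by ID/length/value information elements) follow the 802.11 standard.

```python
"""Decode the 802.11 Frame Control field and read the SSID out of a beacon.

Added example, not code from the chapter. The sample frames are constructed
by hand; field layouts follow IEEE 802.11 (Frame Control is little-endian).
"""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 3: "reassociation response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication",
                 12: "deauthentication", 13: "action"}
CTRL_SUBTYPES = {10: "PS-Poll", 11: "RTS", 12: "CTS", 13: "ACK", 14: "CF-End"}
DATA_SUBTYPES = {0: "data", 4: "null (no data)", 8: "QoS data"}


def parse_frame_control(frame: bytes) -> dict:
    """Split the 16-bit Frame Control field into version, type, subtype and flags."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    names = {0: MGMT_SUBTYPES, 1: CTRL_SUBTYPES, 2: DATA_SUBTYPES}.get(ftype, {})
    return {
        "version": fc & 0x3,
        "type": TYPE_NAMES.get(ftype, "reserved"),
        "subtype": names.get(subtype, f"subtype {subtype}"),
        "to_ds": bool(flags & 0x01),       # headed into the distribution system via the AP
        "from_ds": bool(flags & 0x02),     # coming out of the distribution system
        "retry": bool(flags & 0x08),
        "power_mgmt": bool(flags & 0x10),  # sender goes to sleep after this frame
        "protected": bool(flags & 0x40),   # body is encrypted (WEP/TKIP/CCMP)
    }


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes) -> dict:
    """Management header: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2) = 24 bytes.
    Beacon body: Timestamp(8) Interval(2) Capability(2), then (ID, length, value) elements."""
    info = parse_frame_control(frame)
    if info["type"] != "management" or info["subtype"] not in ("beacon", "probe response"):
        raise ValueError("not a beacon or probe response")
    info["source"] = mac(frame[10:16])
    info["bssid"] = mac(frame[16:22])
    _timestamp, interval, capability = struct.unpack_from("<QHH", frame, 24)
    info["beacon_interval_tu"] = interval        # time units of 1024 microseconds
    info["ess"] = bool(capability & 0x0001)      # infrastructure network
    info["ibss"] = bool(capability & 0x0002)     # ad hoc network
    info["privacy"] = bool(capability & 0x0010)  # WEP/WPA required to join
    pos = 36
    while pos + 2 <= len(frame):
        elem_id, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if elem_id == 0:     # SSID; zero length means the AP hides its name
            info["ssid"] = value.decode("utf-8", "replace") if value else None
        elif elem_id == 1:   # supported rates in 500 kbps units; high bit marks a basic rate
            info["rates_mbps"] = [(b & 0x7F) / 2 for b in value]
        elif elem_id == 3:   # DS parameter set: current channel
            info["channel"] = value[0]
        elif elem_id == 48:  # RSN element: WPA2 in use
            info["rsn"] = True
        pos += 2 + length
    return info


# Constructed sample frames (not captured traffic).
SAMPLE_BEACON = (
    bytes.fromhex("8000")            # Frame Control: management, subtype 8 = beacon
    + bytes.fromhex("0000")          # Duration
    + bytes.fromhex("ffffffffffff")  # Addr1: broadcast
    + bytes.fromhex("00112233aabb")  # Addr2: transmitter (the AP)
    + bytes.fromhex("00112233aabb")  # Addr3: BSSID
    + bytes.fromhex("1000")          # Sequence control
    + bytes(8)                       # Timestamp
    + bytes.fromhex("6400")          # Beacon interval 100 TU
    + bytes.fromhex("1104")          # Capability 0x0411: ESS + Privacy (+ short slot)
    + bytes([0, 7]) + b"CorpNet"     # Element 0: SSID
    + bytes.fromhex("010482848b96")  # Element 1: rates 1, 2, 5.5, 11 Mbps (802.11b set)
    + bytes.fromhex("030106")        # Element 3: channel 6
)
SAMPLE_RTS = bytes.fromhex("b4003c00") + bytes.fromhex("00112233aabb") + bytes.fromhex("0a0b0c0d0e0f")
SAMPLE_DATA = bytes.fromhex("08412c00") + bytes(18) + bytes.fromhex("0000")  # protected data, ToDS

if __name__ == "__main__":
    for name, frame in (("beacon", SAMPLE_BEACON), ("rts", SAMPLE_RTS), ("data", SAMPLE_DATA)):
        fc = parse_frame_control(frame)
        print(f"{name}: {fc['type']}/{fc['subtype']} to_ds={fc['to_ds']} protected={fc['protected']}")
    print(parse_beacon(SAMPLE_BEACON))
```

Pointed at a monitor-mode capture, the same two functions are all a wireless survey tool needs to list nearby networks and tell WEP-protected ones (Privacy bit set, no RSN element) from WPA2 ones; the Privacy bit and the SSID are read straight from unauthenticated beacons, so neither should ever be trusted as proof of which network a station is talking to.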
IEEE 802.11b

Still a common standard today, IEEE 802.11b defines DSSS networks that use the 2.4 GHz ISM band and communicate at 1, 2, 5.5, and 11 Mbps. The 802.11b standard defines the operation of DSSS devices only and is backward compatible with 802.11 DSSS devices. The standard is also concerned only with the physical and MAC layers; Layer 3 and higher protocols are considered payload.

There is only one frame format used by 802.11b networks, and it is significantly different from Ethernet frames. An 802.11b frame has a maximum length of 2346 bytes, although payloads are usually limited to 1518 bytes (the Ethernet maximum) as they cross an AP into an Ethernet network. The frame format provides for three general categories of frames: management, control, and data. In general, the frame format provides methods for wireless devices to discover, associate (or disassociate), and authenticate with one another; to shift data rates as signals become stronger or weaker; to conserve power by going into sleep mode; to handle collisions and fragmentation; and to enable encryption through WEP. Regarding WEP, it should be noted that the standard defines only 64-bit encryption (a 40-bit secret key plus a 24-bit initialization vector, which is why the same option is sometimes called 40-bit, adding to the confusion). The 128-bit (104-bit key) and longer options are vendor extensions, which may cause interoperability issues between devices from different vendors.

Exam Warning: The following information must be mastered for the Network exam; you need to know the 802.11 standards, the speeds, operation, and so on. Make sure that you follow the next sections very carefully as you study.

IEEE 802.11a

Despite its nomenclature, IEEE 802.11a reached the market later than 802.11b (both amendments were ratified in 1999). This standard defines wireless networks that use the 5 GHz UNII bands. 802.11a supports much higher data rates than 802.11b.
These rates are 6, 9, 12, 18, 24, 36, 48, and 54 Mbps, although higher rates are possible using proprietary technology and a technique known as rate doubling. Unlike 802.11b, 802.11a does not use DSSS at the physical layer. Instead, it uses Orthogonal Frequency Division Multiplexing (OFDM), in which the individual subcarriers are modulated with BPSK, QPSK, 16-QAM, or 64-QAM depending on the data rate. To be 802.11a compliant, devices are only required to support data rates of 6, 12, and 24 Mbps; the standard does not require support for the other rates.

Although identical to 802.11b at the MAC layer, 802.11a is not backward compatible with 802.11b because it uses a different frequency band and OFDM at the physical layer, although some vendors provide solutions to bridge the two standards at the AP. However, 802.11a and 802.11b devices can easily be co-located because their frequencies do not interfere with each other, providing a technically easy but relatively expensive migration path to a pure 802.11a network. At the time of this writing, 802.11a-compliant devices are becoming more common, and their prices are falling quickly. However, even if the prices of 802.11b and 802.11a devices were identical, an 802.11a network would require more APs, and would therefore be more expensive than an 802.11b network, to achieve the highest possible data rates, because the higher-frequency 5 GHz waves attenuate more quickly over distance.

Exam Warning: Remember that IEEE 802.11b functions up to 11 Mbps in the ISM band.

Exam Warning: Remember that IEEE 802.11a functions up to 54 Mbps in the UNII band.

IEEE 802.11g

To provide both higher data rates (up to 54 Mbps) in the 2.4 GHz ISM band and backward compatibility with 802.11b, the IEEE 802.11g Task Group members, along with wireless vendors, introduced the 802.11g standard specifications.
To achieve the higher rates, 802.11g devices use OFDM, in contrast to the DSSS/CCK modulation used by 802.11b devices. However, 802.11g devices are able to fall back automatically to DSSS/CCK to communicate with 802.11b devices. 802.11g has an advantage over 802.11a in providing backward compatibility with 802.11b; however, migrating to and co-existing with 802.11b may still prove problematic because of crowding in the widely used 2.4 GHz band, and because the presence of an 802.11b station in a cell forces protection mechanisms that lower the throughput of the 802.11g stations.

IEEE 802.11n

To provide higher data rates in both the 2.4 GHz ISM band and the 5 GHz UNII band, 802.11n was introduced. It is backward compatible with 802.11b/g (and with 802.11a at 5 GHz), and to achieve the higher rates of transmission, 802.11n devices use MIMO (multiple input/multiple output) to take advantage of multiple antennas, together with optional 40 MHz channels. The commonly quoted 300 Mbps figure is for two spatial streams; the standard allows up to 600 Mbps with four.

Ad-Hoc and Infrastructure Network Configuration

The 802.11 standard provides two modes for wireless clients to communicate: ad-hoc and infrastructure. The ad-hoc mode is geared for a network of stations within communication range of each other. Ad-hoc networks are created spontaneously between the network participants. In infrastructure mode, APs provide a more permanent structure for the network. An infrastructure consists of one or more APs as well as a distribution system (that is, a wired network) behind the APs that ties the wireless network to the wired network. Figures 5.6 and 5.7 show an ad hoc network and an infrastructure network, respectively.

Exam Warning: Remember that IEEE 802.11g functions up to 54 Mbps in the ISM band.

FIGURE 5.6 Ad Hoc Network Configuration.

To distinguish different wireless networks from one another, the 802.11 standard defines the service set identifier (SSID). The SSID is considered the identity element that "glues" the various components of a WLAN together. Traffic from wireless clients that use one SSID can be distinguished from other wireless traffic using a different SSID.
Using the SSID, an AP can determine which traffic is meant for it and which is meant for other wireless networks. Note, however, that the SSID is neither a secret nor an authenticator: it is broadcast in beacons and probe responses, and even a "hidden" SSID appears in the clear in the probe requests and association requests that clients send.

802.11 traffic can be subdivided into three parts:

- Control frames
- Management frames
- Data frames

Control frames include Request to Send (RTS), Clear to Send (CTS), and ACK messages. Management frames include beacon frames, probe request/response, authentication frames, and association frames. Data frames are 802.11 frames that carry data, which is typically considered network traffic, such as Internet Protocol (IP) encapsulated frames. In the original standard, management and control frames are neither encrypted nor authenticated, so a station cannot tell a genuine beacon, deauthentication, or disassociation frame from a spoofed one.

IEEE 802.15 (Bluetooth)

Bluetooth uses the same 2.4 GHz band that IEEE 802.11b and 802.11g wireless networks use, but unlike those networks, Bluetooth hops among 79 channels of 1 MHz within the band. Unlike 802.11 networks, where a wireless client can be associated with only one network at a time, a Bluetooth piconet consists of one master and up to seven active slave devices, and a device can take part in more than one piconet at a time (a scatternet). Bluetooth devices typically have a maximum usable range of about 10 m (33 feet).

Test Day Tip: Remember for the Network exam that there are two main wireless networking models: ad-hoc and infrastructure.

FIGURE 5.7 Infrastructure Network Configuration.

Bluetooth, by its very design, is not intended for the long ranges or high data throughput rates of 802.11 wireless networks. This is largely because Bluetooth devices hop at about 1600 hops per second with an average dwell time of 625 µs, producing far more management overhead than 802.11. Although this exceptionally high hop rate does tend to make Bluetooth resistant to narrowband interference, it has the undesirable side effect of disrupting other 2.4 GHz-based network technologies such as 802.11b and 802.11g.
This high hop rate causes all-band interference on these 802.11 networks and can, in some cases, completely prevent an 802.11 wireless network from functioning. (Bluetooth 1.2 and later add adaptive frequency hopping, which skips channels found to be in use and reduces this interference.)

Infrared

Infrared, unlike 802.11 and 802.15, is not a standard itself, but rather the focus of the Infrared Data Association (IrDA). The IrDA was founded in 1993 as a member-funded organization whose primary function is to create and promote a standardized data transmission mechanism using infrared light. Infrared data transmission had already been used for many applications in a nonstandard manner, for example by Hewlett Packard calculators and printers. Now, most PDAs (personal digital assistants) and almost all portable computers have, or can have, infrared capabilities.

Infrared devices typically can achieve a maximum data throughput of 4 Mbps, but as it is a light-based technology, it is susceptible to light-based interference, and the typical data throughput you can expect is around 100 to 125 Kbps. Also, because infrared is a light-based technology, it does not interfere in any way with RF-based wireless technologies. By the same token, infrared is a fairly secure technology in that an attacker would have to be in the direct path of the transmission, which is typically not very likely given the low power and short range of infrared: the best theoretical outdoor distance you can get out of infrared is about 3,280 feet (1,000 m), and this maximum drops off significantly in the presence of any other form of light. Note that this is physical-layer obscurity rather than confidentiality: IrDA itself provides no encryption, so anything that is intercepted is readable.

WEP

The IEEE 802.11 standard covers the communication between WLAN components. RF poses challenges to privacy in that it travels through and around physical objects. Because of the nature of 802.11 wireless LANs, the IEEE working group implemented a mechanism intended to protect the privacy of individual transmissions, known as the Wired Equivalent Privacy (WEP) Protocol.
Because WEP uses a cryptographic countermeasure to fulfill its stated goal of privacy, it has the side effect of doubling as an authentication mechanism: shared-key authentication uses the same key that encrypts and decrypts wireless transmissions. Up to four keys can be defined on an AP or a client, and they can be rotated to add complexity for a higher security standard in the WLAN policy.

WEP was never intended to be the absolute authority in wireless security. The IEEE 802.11 standard states that WEP provides protection from "casual eavesdropping"; the driving force behind WEP was privacy. In cases that require high degrees of security, other mechanisms should be used, such as authentication, access control, password protection, and virtual private networks (VPNs). Despite its flaws, WEP still offers a level of security against casual eavesdropping provided that all its features are used properly. This means taking great care in key management, avoiding default options, and ensuring adequate encryption is enabled at every opportunity. Be aware, however, that the statistical key-recovery attacks on WEP published since 2001 recover the secret key from a few minutes of captured traffic regardless of key length, so WEP should be treated as providing no confidentiality against a determined attacker. The improvements to the 802.11 standard that overcome these limitations became 802.11i, marketed as WPA and WPA2, which are described later in this chapter. Additionally, as WLAN technology gains popularity and users clamor for functionality, both the standards committees and the hardware vendors continue to offer improvements. It is critically important to keep abreast of vendor-related software fixes and changes that improve the overall security posture of a wireless LAN.

With data security enabled in a closed network, the settings on the client for the SSID and the encryption keys must match the AP when attempting to associate with the network, or association will fail.
The next few paragraphs discuss WEP and its relation to the functionality of the 802.11 standard, including a standard definition of WEP, the privacy created, and the authentication.

WEP provides privacy in transmissions between the AP and the clients. To gain access, an intruder must be more sophisticated and have specific intent to gain access. Some of the other properties of WEP include the following:

- Every frame carries a CRC-32 integrity check value (ICV) to provide some degree of integrity. (CRC-32 is a linear checksum, not a cryptographic message authentication code; it detects transmission errors but not deliberate modification.)
- Privacy is maintained via RC4 encryption. Without possession of the secret key, a message cannot be decrypted directly.
- WEP is extremely easy to implement. All that is required is to set the encryption key on the APs and on each client.
- WEP provides a basic level of security for WLAN applications.
- WEP keys are user-definable, and up to four can be configured on each device.
- WEP keys can, and should, be changed often.

Exam Warning: Most APs advertise that they support WEP in 40-bit encryption, but often the 128-bit option is also supported. For corporate networks, 128-bit encryption-capable devices should be considered as a minimum.

WPA and WPA2

Because of the relative ease with which WEP with a preshared key can be broken, the Wi-Fi Alliance created a new security standard called Wi-Fi Protected Access (WPA). WPA is based on a draft of IEEE 802.11i and replaces WEP's encryption with the Temporal Key Integrity Protocol (TKIP), which addresses several WEP weaknesses by adding per-packet key mixing, a message integrity check (Michael), an extended 48-bit initialization vector (IV) that also serves as a sequence counter against replay, and dynamic rekeying. WPA2 implements the ratified 802.11i standard and adds CCMP, an AES-based mode that replaces RC4 and TKIP altogether. Both WPA and WPA2 come in a Personal (preshared key) form and an Enterprise (802.1X/EAP) form, and both replace WEP's shared-key authentication with a four-way handshake that derives fresh per-session keys.

Creating Privacy with WEP

WEP provides for three implementations: no encryption, 40-bit encryption, and 128-bit encryption. Clearly, no encryption means no privacy.
When WEP is set to no encryption, transmissions are sent in the clear and can be viewed by any wireless sniffing application that has access to the RF signal propagated in the WLAN, unless some other encryption mechanism such as IPSec (IP Security) is being used. In the case of the 40- and 128-bit varieties (just as with password length), the greater the number of bits, the harder the key is to guess by brute force; note, however, that the IV-related weaknesses described below apply equally to both. The initial configuration of the AP includes the setup of the shared key. This shared key can be entered as either an alphanumeric or a hexadecimal string and must be matched on the client.

WEP uses the RC4 encryption algorithm, a stream cipher developed by Ron Rivest (the "R" in RSA). The process by which WEP encrypts a message is shown in Figure 5.8. Both the sender and the receiver use the stream cipher to create identical pseudorandom key streams from a known shared key. The sender XORs the plaintext transmission with the key stream to produce ciphertext. The receiver takes the shared key and the identical key stream and reverses the process to recover the plaintext transmission.

Exam Warning: Do not confuse WAP and WEP. Although it may seem that WEP is the privacy system for WAP, remember that WTLS is the privacy mechanism for WAP and WEP is the privacy mechanism for 802.11 WLANs.

The steps in the process are as follows:

1. The plaintext message is run through an integrity check algorithm (the 802.11 standard specifies CRC-32) to produce an integrity check value (ICV).
2. The ICV is appended to the end of the original plaintext message.
3. A "random" 24-bit IV is generated and prepended to (added to the beginning of) the secret key, which is distributed through an out-of-band method. The result is input to the RC4 Key Scheduling Algorithm (KSA) to generate a seed value for the WEP pseudorandom number generator (PRNG).
4. The WEP PRNG outputs the encrypting key stream.
5. This key stream is XORed with the plaintext/ICV message to produce the WEP ciphertext.
6. The ciphertext is then prepended with the IV (in plaintext), encapsulated, and transmitted.

A new IV is used for each frame so that the same RC4 key is not reused, which would weaken the encryption. This means that for each key stream generated, a different value is used for the RC4 key. Although this is a sound policy in itself, its implementation in WEP is flawed because of the size of the 24-bit IV space: only about 16.7 million values are possible, so on a busy network every IV is reused within hours, and implementations that pick IVs at random produce a collision after roughly 5,000 frames. When an IV repeats, two different messages are encrypted with the same IV and key, and the two ciphertexts can be XORed together to cancel out the key stream, allowing an attacker who knows the contents of one message to recover the contents of the other. This weakness is the same for both the 40- and 128-bit encryption levels, because both use the 24-bit IV. The key itself is also exposed: because the IV is transmitted in the clear and forms the first three bytes of the RC4 key, statistical attacks on weak IVs (published from 2001 onward) recover the secret key from captured traffic.

FIGURE 5.8 WEP Encryption Process in IEEE 802.11 (diagram labels: Initialization Vector (IV), Secret Key, Key Scheduling Algorithm, Seed, PRNG, Key Sequence, Plaintext, Integrity Algorithm (CRC-32), Plaintext/ICV, IV, Ciphertext).

To protect against some rudimentary attacks that insert known text into the stream in an attempt to reveal the key stream, WEP incorporates a checksum into each frame. Any frame found to be invalid through the checksum is discarded. Because CRC-32 is linear, however, an attacker can flip chosen bits of the ciphertext and adjust the encrypted ICV so that the modified frame still passes the check, without knowing the key.

Authentication

There are two authentication methods in the 802.11 standard: open and shared-key. Open authentication is more precisely described as device-oriented authentication and can be considered a null authentication: all requests are granted. Without WEP, open authentication leaves the WLAN wide open to any client who knows the SSID. With WEP enabled, the WEP secret key becomes the indirect authenticator, since a client without the key cannot send or receive usable data frames.
The open authentication exchange, with WEP enabled, is shown in Figure 5.9.

Exam Warning: Open authentication can also require the use of a WEP key. Do not assume that just because the Network exam discusses open authentication that a WEP key should not be set.

FIGURE 5.9 Open Authentication.

The shared-key authentication process shown in Figure 5.10 is a four-step exchange of authentication management frames that takes place before association. Once the AP receives the request, a series of management frames are transmitted between the stations to produce the authentication. This includes the use of the cryptographic mechanisms employed by WEP as a validation. The four steps break down in the following manner:

1. The requestor (the client) sends an authentication request.
2. The authenticator (the AP) receives the request and responds by producing a random challenge text and transmitting it back to the requestor.
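As an added example (not code from the chapter), the following Python implements the six-step WEP encryption process described above with RC4 and a CRC-32 ICV, and then demonstrates three consequences of that design: decrypting a frame whose IV was reused, forging a modified frame by exploiting the linearity of CRC-32, and answering a shared-key authentication challenge without the key. Steps 3 and 4 of the shared-key exchange (the client returns the challenge WEP-encrypted, and the AP decrypts it and compares) are taken from the 802.11-1999 standard, since the list above stops at step 2. The key, IVs, and messages are constructed for the example.

```python
"""Toy WEP: RC4 over IV||key with a CRC-32 ICV, and three of its weaknesses.

Added example, not code from the chapter. Layout follows 802.11-1999: 24-bit IV
prepended to the 40-bit (5-byte) or 104-bit (13-byte) key, CRC-32 ICV appended
to the plaintext, IV sent in the clear in front of the ciphertext. Shared-key
authentication steps 3 and 4 are from the standard, not the chapter's list.
"""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling algorithm (KSA), then pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: seed the permutation from IV||key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA: emit the key stream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """Integrity check value: CRC-32, little-endian, as carried in the frame."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Steps 1-6 above: ICV appended, RC4(IV||key) XORed in, IV prepended in clear."""
    assert len(iv) == 3 and len(key) in (5, 13)
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns the plaintext, or None when the ICV does not verify."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if icv(plaintext) == tag else None


# Weakness 1: a known plaintext under one IV yields that IV's key stream, which
# then decrypts every other frame sent under the same IV (no key needed).
def keystream_from_known(frame: bytes, known_plaintext: bytes) -> bytes:
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(keystream: bytes, frame: bytes) -> bytes:
    return xor(frame[3:], keystream)[:-4]     # drop the (now decrypted) ICV


# Weakness 2: CRC-32 is linear: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0), so an
# attacker can XOR a chosen delta into the ciphertext and patch the encrypted ICV.
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    assert len(delta) == n
    icv_fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(ct, delta + icv_fix)


# Weakness 3: shared-key authentication hands an eavesdropper a plaintext (the
# challenge) and its ciphertext, i.e. the key stream for that IV. WEP never
# rejects a repeated IV, so replaying it answers any later challenge.
def shared_key_auth(ap_key: bytes, client_key: bytes, challenge: bytes, iv: bytes) -> bool:
    response = wep_encrypt(client_key, iv, challenge)   # step 3: client encrypts the challenge
    return wep_decrypt(ap_key, response) == challenge   # step 4: AP decrypts and compares


def forge_auth_response(seen_challenge: bytes, seen_response: bytes, new_challenge: bytes) -> bytes:
    keystream = keystream_from_known(seen_response, seen_challenge)
    return seen_response[:3] + xor(new_challenge + icv(new_challenge), keystream)


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x2a"       # 40-bit key, constructed IV
    req = b"GET /index.html HTTP/1.0"
    f1 = wep_encrypt(key, iv, req)
    f2 = wep_encrypt(key, iv, b"secret password=hunter2!")  # same IV reused
    print("recovered:", decrypt_with_keystream(keystream_from_known(f1, req), f2))
    tampered = flip_bits(f1, xor(req, b"GET /admin.html HTTP/1.0"))
    print("accepted after bit flip:", wep_decrypt(key, tampered))
```

Run it directly to see the recovered second plaintext and the tampered request that the receiver still accepts; swapping the 5-byte key for a 13-byte one shows that neither the IV-reuse attack nor the ICV forgery depends on key length, which is the practical reason the 128-bit option in the Exam Warning above does not make WEP safe.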