- Direct Sequence Spread Spectrum (DSSS) - signal is spread through the use of a spreading sequence; uses more bandwidth at lower power.
- CSMA/CA (carrier sense multiple access/collision avoidance)
- ACK packet from the AP indicates the packet was received and checksummed correctly. If no ACK, resend the entire packet.
- Active Scanning - send a probe packet, wait for a probe response packet from the AP.
- Passive Scanning - listen for beacon frames from the AP.
- Association - Info about station, capabilities of BSS
- Roaming - moving from one cell to another without
- ISM band 2.4-2.4835GHz. UNII band 5-6GHz.
- Power limited to 100 mW. ETSI limits DSSS power density to 20 dBW/MHz and FHSS power density to -10 dBW/100 kHz.
- Speeds of each standard downshift as you get farther
away from transmitting source (e.g. AP).
||1997. Original std. 2.4-2.6 GHz FCC unregulated range. FHSS and DSSS and IR. Barker11. BPSK/QPSK. Up to 2 Mbps.
||1999. 2.4-2.6 GHz FCC unregulated range. FHSS and DSSS. Barker11. BPSK/QPSK/CCK. Rated at 1, 2, 5.5, and 11 Mbps (achieved throughput is 4.3-6 Mbps). Range ~38 meters depending on environment. Wi-Fi Alliance certifies DSSS as "Wi-Fi".
Uses CCK (Complementary Code Keying) as opposed to Barker chipping codes. Taken from Webopedia:
"Not interoperable with 802.11a. Requires fewer access points than
802.11a for coverage of large areas. Offers high-speed access to data
at up to 300 feet from base station. 14 channels (5MHz) available in the
2.4GHz band (only 11 of which can be used in the U.S. due to FCC
regulations) with only three non-overlapping channels." The US
typically uses channels 1, 6, and 11. Consider using different
channels when you have neighboring APs. Each channel is 22 MHz wide
with a 1 MHz carrier. Each channel is 5 MHz away from the next
and 22 MHz wide, which is why channels overlap.
||1999. 5 GHz (4.915-5.825) range. OFDM. BPSK/QPSK/16-QAM/64-QAM. Channel availability varies country to country. Theoretical max
bandwidth of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps (achieved throughput 32 Mbps). Range max -
Taken from Webopedia:
"Eight available channels. Less potential for RF interference than
802.11b and 802.11g. Better than 802.11b at supporting multimedia
voice, video and large-image applications in densely populated user
environments. Relatively shorter range than 802.11b. Not interoperable
with 802.11b." Allows for 12 non-overlapping channels (not all
bands available in all countries). Can be co-located more densely
than 802.11a/g. Uses OFDM (Orthogonal Frequency Division Multiplexing):
transmits sub-signals simultaneously on different frequencies.
||2003. 2.4 GHz FCC unregulated range. OFDM. BPSK/QPSK/16-QAM/64-QAM. Backwards
compatible with 802.11b. Theoretical max speed of 6, 9, 12, 18, 24, 36, 48, 54 Mbps (achieved throughput 32 Mbps). Cells are smaller than 802.11b because power is lower for OFDM.
Taken from Webopedia:
"Improved security enhancements over 802.11. Compatible with 802.11b.
14 channels available in the 2.4GHz band (only 11 of which can be used
in the U.S. due to FCC regulations) with only three non-overlapping
channels." The US typically uses channels 1, 6, and 11.
Consider using different channels when you have neighboring
APs. If used with 802.11b it will slow down and use CCK
modulation; otherwise uses Barker code. Uses OFDM.
- For b/g coexistence, RTS/CTS (with duration) is sent at a b rate before the g data frame; could also send (less clean) 'CTS-to-self' only. This protection is good for b clients, not g clients, and drops perceived throughput from ~23 Mbps to ~8 Mbps.
- In beacons: non-ERP (802.11b) in the cell yes/no, use protection yes/no.
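The 1/6/11 rule above follows from the channel geometry the notes give (5 MHz spacing, 22 MHz width). As an added example that is not part of the original notes, the Python below computes which 2.4 GHz channels overlap and greedily picks a non-overlapping set, which is the check you want before assigning channels to neighbouring APs. The center-frequency formula (2412 MHz for channel 1, +5 MHz per channel, channel 14 at 2484 MHz) is assumed from the 802.11b/g channel plan; the function names are mine.

```python
"""Added example (not from the original notes): 2.4 GHz channel overlap planning.

Assumed channel plan: channels 1-13 are centred at 2412 + 5*(n-1) MHz,
channel 14 (Japan only) at 2484 MHz; each 802.11b/g channel is 22 MHz wide.
"""

CHANNEL_WIDTH_MHZ = 22
CHANNEL_SPACING_MHZ = 5


def center_freq_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel under the assumed plan."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2412 + CHANNEL_SPACING_MHZ * (channel - 1)
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def overlaps(ch_a: int, ch_b: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(center_freq_mhz(ch_a) - center_freq_mhz(ch_b)) < width_mhz


def non_overlapping_set(channels, width_mhz: int = CHANNEL_WIDTH_MHZ):
    """Greedy pick from low to high: keep a channel only if it clears every channel
    already kept. For the US channels 1..11 this yields 1, 6, 11."""
    chosen = []
    for ch in sorted(channels):
        if all(not overlaps(ch, kept, width_mhz) for kept in chosen):
            chosen.append(ch)
    return chosen


def neighbour_conflicts(my_channel: int, neighbour_channels):
    """Neighbouring APs' channels that would interfere with the channel I plan to use."""
    return sorted(ch for ch in neighbour_channels if overlaps(my_channel, ch))


if __name__ == "__main__":
    print(non_overlapping_set(range(1, 12)))      # US channels -> [1, 6, 11]
    print(non_overlapping_set(range(1, 15)))      # with channel 14 -> [1, 6, 11, 14]
    print(neighbour_conflicts(6, [1, 3, 9, 11]))  # channels 3 and 9 collide with 6
```

Channel 14 shows up as a fourth non-overlapping channel only because it sits 22 MHz from channel 11, exactly at the edge of the assumed width; in regions where it is not permitted it simply is not passed in.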
||2009. Focus on features, not band.
Taken from Webopedia: An extension to the 802.11 specification developed by the IEEE for wireless LAN (WLAN) technology. 802.11n builds upon previous 802.11 standards by adding multiple-input multiple-output (MIMO). The additional transmitter and receiver antennas allow for increased data throughput through spatial multiplexing and increased range by exploiting the spatial diversity (up to 4 streams) through coding schemes like Alamouti coding. The speed is 100 Mbit/s (even 250 Mbit/s in PHY level), and so up to 4-5 times faster than 802.11g. 802.11n also offers a better operating distance than current networks.
- Channel aggregation
- 128 subcarriers (vs. 64) for a 40 MHz aggregated channel, 14 zero subcarriers (vs. 12) for calibration on the sides and center, 6 pilot subcarriers (vs. 4) for synchronization and tracking. Result: 108 data subcarriers (vs. 48).
- Cisco doesn't do channel aggregation in 2.4 GHz: not enough channels.
- Only aggregate channels that aren't going to conflict with your neighbors (e.g. 46 and 40, not 40 and 44).
- Block acknowledgements
- Short guard intervals - reduced from 800 ns to 400 ns; affected by echoes.
- MIMO - send and receive several useful signals (instead of unused echoes). Input is to the antenna, output is from the antenna. SISO - single in, single out; SIMO - single in, multiple out; MISO; MIMO; etc. Radio chain: multiple radios and antennas. Spatial stream: sending symbols from one source across multiple streams and recombining at the receiving end - spatial multiplexing.
- Transmit Beamforming (Cisco calls it ClientLink; based on the signal back from the client) - form beams so the receiving station receives all parts of the MIMO transmission at the same time.
- OR Maximal Ratio Combining - receiving side synchronizes signals for a stronger signal.
- Up to 4 streams; in practice the max is 3; most handheld devices have 1 or 2 SS to save battery.
||Data rate (20MHz channel, 800ns GI)
||Data rate (20MHz channel, 400ns GI)
||Data rate (40MHz channel, 800ns GI)
||Data rate (40MHz channel, 400ns GI)
- Now the protection header bit is modulated at slow speed, the rest of the frame at higher speed.
||Only on 5 GHz. Up to 80 MHz or 160 MHz channels. Up to 8 spatial streams/radio circuits (hard). Up to 256-QAM. Better manage the cell.
Taken from Wikipedia: Expected multi-station throughput of at least 1 Gbit/s. Single-link throughput of at least 500 Mbit/s. Wider RF bandwidth up to 160 MHz, more MIMO spatial streams (up to 8), downlink multi-user MIMO (up to 4 clients), high-density modulation (up to 256-QAM).
- MU-MIMO - use unused antennas/radios to communicate with another client. Downstream only.
- 160 MHz-wide channel, 8-antenna AP with MU-MIMO support - example best case depending on stations:
- One 4-SS, 160 MHz client, 3.47 Gbps data rate, AT THE SAME TIME AS
- One 2-SS, 160 MHz client, 1.73 Gbps data rate, AT THE SAME TIME AS
- Two 1-SS, 160 MHz clients, 867 Mbps data rate.
- 256-QAM - needs a high-quality signal and SNR; only works very close. A lot of constellation points; because there are so many points, modulation is slowed down a little.
- Protection header bit modulated at slow speed, same as 802.11n; also protects against channel width: RTS on all 4 sub-channels, client only responds where it can.
- Wave 1 - 80 MHz, 3 ss, no MU-MIMO, 256-QAM Optional
- Wave 2 - 160 MHz, 4 ss, yes MU-MIMO, 256-QAM included
- 80 MHz channel bandwidth, 160 MHz channel optional
- Up to 8 spatial streams
- Coexistence between 802.11ac and 802.11a/n
- 4 new fields in the PPDU header identifying the frame as VHT
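The subcarrier counts in the 802.11n bullets (108 data subcarriers in 40 MHz vs. 48) and the guard-interval change (800 ns to 400 ns) are enough to reproduce the 802.11n rates, and the same arithmetic yields the 3.47 Gbps / 1.73 Gbps / 867 Mbps figures in the 802.11ac MU-MIMO example. The Python below is an added worked example, not code from the original notes: the 48 and 108 data-subcarrier figures are the notes' own, while 52 (20 MHz 802.11n), 234 (80 MHz) and 468 (160 MHz) are assumed from the 802.11n/ac specifications, and the function names are mine.

```python
"""Added example (not from the original notes): OFDM PHY data-rate arithmetic.

rate = N_sd * N_bpscs * R * N_ss / T_sym

N_sd     data subcarriers per OFDM symbol. 48 (20 MHz 802.11a/g) and 108 (40 MHz 802.11n)
         are the figures in the notes; 52 (20 MHz 802.11n), 234 (80 MHz) and 468 (160 MHz
         802.11ac) are assumed from the 802.11n/ac specifications.
N_bpscs  coded bits per subcarrier per spatial stream (BPSK 1 ... 256-QAM 8)
R        coding rate; N_ss spatial streams
T_sym    3.2 us OFDM symbol plus the guard interval (800 ns normal, 400 ns short)
"""
from fractions import Fraction

DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}   # 802.11n/ac channel widths (MHz)
LEGACY_20MHZ_SUBCARRIERS = 48                              # 802.11a/g
BITS_PER_SUBCARRIER = {"BPSK": 1, "QPSK": 2, "16-QAM": 4, "64-QAM": 6, "256-QAM": 8}
OFDM_SYMBOL_US = 3.2


def phy_rate_mbps(n_sd, modulation, coding_rate, n_ss=1, guard_ns=800):
    """Raw PHY data rate in Mbit/s for one OFDM configuration."""
    bits_per_symbol = n_sd * BITS_PER_SUBCARRIER[modulation] * Fraction(coding_rate) * n_ss
    t_sym_us = OFDM_SYMBOL_US + guard_ns / 1000.0
    return float(bits_per_symbol) / t_sym_us    # bits per microsecond == Mbit/s


def ht_vht_rate_mbps(width_mhz, modulation, coding_rate, n_ss=1, guard_ns=800):
    """802.11n/ac rate for a channel width; KeyError on a width the table doesn't cover."""
    return phy_rate_mbps(DATA_SUBCARRIERS[width_mhz], modulation, coding_rate, n_ss, guard_ns)


def short_gi_gain():
    """Fractional rate gain of the 400 ns guard interval over 800 ns: same bits per
    symbol, shorter symbol, so 4.0/3.6 - 1, about 11 %."""
    return (OFDM_SYMBOL_US + 0.8) / (OFDM_SYMBOL_US + 0.4) - 1


def mu_mimo_group_mbps(clients, ap_streams=8, width_mhz=160, guard_ns=400):
    """Per-client and aggregate rate for one DL-MU-MIMO group given as
    (n_ss, modulation, coding_rate) tuples. The AP can only serve the group
    simultaneously if the summed streams fit its radio chains."""
    total_ss = sum(n_ss for n_ss, _, _ in clients)
    if total_ss > ap_streams:
        raise ValueError(f"{total_ss} streams requested but the AP has {ap_streams}")
    per_client = [ht_vht_rate_mbps(width_mhz, mod, rate, n_ss, guard_ns)
                  for n_ss, mod, rate in clients]
    return per_client, sum(per_client)


if __name__ == "__main__":
    print(phy_rate_mbps(LEGACY_20MHZ_SUBCARRIERS, "64-QAM", "3/4"))   # 802.11a/g top rate
    print(ht_vht_rate_mbps(40, "64-QAM", "5/6", guard_ns=400))        # 802.11n MCS7, 40 MHz, short GI
    group = [(4, "256-QAM", "5/6"), (2, "256-QAM", "5/6"),
             (1, "256-QAM", "5/6"), (1, "256-QAM", "5/6")]           # the 8-antenna AP example above
    print(mu_mimo_group_mbps(group))
```

Note that these are raw PHY rates; the achieved-throughput figures in the notes are lower because preambles, interframe spaces and acknowledgements are not counted here.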
|802.11ad||WiGig, 60 GHz millimeter-wave spectrum, 7 Gbit/s. 802.11aj rebands 802.11ad for use in 45 GHz unlicensed spectrum available in some regions of the world (esp. China)|
|802.11af||White-Fi, Super WiFi; operates in TV white space between VHF and UHF, between 54 and 797 MHz. Uses cognitive radio tech to transmit on unused TV channels, limiting interference with regular analog/digital TV signals and wireless microphones. OFDM, based on 802.11ac. Increased range, and can get through brick/concrete better. 5-8 MHz wide frequency channels. Up to 4 channels may be bonded. MIMO possible with up to 4 streams, with either space-time block code or multi-user operation. 26.7 Mbit/s or 35.6 Mbit/s. 4 spatial streams and 4 bonded channels = max data rate of 426.7 Mbit/s for 6 and 7 MHz, and 568.9 Mbit/s for 8 MHz channels|
|802.11ah||Sub-1 GHz license-exempt bands. Improved transmission range compared to conventional 802.11. Purposes include large-scale sensor networks, extended-range hotspots, outdoor Wi-Fi for cell traffic offloading|
|802.11ax||Successor to 802.11ac. Increases efficiency of WLAN networks. Goal is to provide 4x the throughput of 802.11ac|
||QoS standard over wireless LANs. Geared towards real-time apps like IP telephony. 4 potential classes - voice, video, best-effort, background. Allows the client to mark priority. Enhances PCF and DCF with HCCA and EDCA to define traffic categories. TCMA protocol: a variation on CSMA/CA using a shorter arbitration interframe space for high-priority packets. EDCA/Transmit Opportunity (TXOP): a bounded time interval during which a station can send as many frames as possible. A TXOP time interval of 0 means a single MAC service data unit or MAC management protocol data unit. EDCA also has access categories (ACs). Contention window is set according to the AC of the packet.
Taken from Wikipedia:
HCCA - between beacon frames, CP and CFP. CFP is the Controlled Access Phase (CAP), initiated whenever the AP wants to send or receive a frame contention-free. Traffic Classes and Traffic Streams are defined. The HC can give priority to one station over another depending on the station's queue information. Priority can also be given using TXOP.
||Priority Code Point (PCP)
||Access Category (AC)
||Limits scanning needs; the AP can return channels for neighboring APs.
||Wireless for car-to-car comms.
||Roaming speedup. Standard designed to
speed handoffs between access points or cells in a wireless LAN. Makes
sure QoS and security are in place before transition to the new AP.
- Pre-negotiate QoS and credentials on the new AP before leaving the old one.
||Standard submitted to IETF to
allow for wireless mesh of WiFi networks. A wireless mesh uses a radio
to interconnect the access points and route wireless packets over the
best available route. Mesh benefits include potentially higher
performance and more reliable networks.
||Hotspot 2.0 - describes how a station can discover services: free Wi-Fi or private, internet, can you connect me to my cell ISP's secure server? Automates authentication with EAP-SIM/WPA2.
||BSS Transition Management (better than 802.11k). The AP returns a list of neighbors to roam to.
||Secures management frames by signing them; eliminates de-auth hacking.
||Faster initial link setup.
||Enables pre-association discovery of services. Extends the mechanisms in 802.11u to discover services running on a device or provided by a network.
||Obsolete security scheme.
- RC4 stream cipher for confidentiality
- CRC-32 checksum for integrity
- 64-bit WEP uses a 40-bit key and a 24-bit initialization vector (IV). The 24-bit IV is too short.
- 128-bit WEP with a 104-bit key was put in place after US government export restrictions were lifted. Key size turned out not to be the issue with this standard: weak keys and related-key attacks.
- RC4 stream cipher, 128-bit key, 48-bit IV.
- 'Michael' Message Authentication Code / Message Integrity Code (MIC) - as opposed to CRC for integrity.
- TKIP - dynamically changes keys as the system is used, so that every data packet is sent with its own unique encryption key. Can detect whether or not a packet has been damaged or altered using the message-integrity check (MIC or Michael). Makes sure packets arrive in sequence (using a sequence ID incremented by one for each packet; when the key changes, the sequence goes to zero). Combined with the larger IV (initialization vector), defeats key recovery attacks on WEP.
- 802.1X or (less secure) pre-shared key
- Put in place because WPA2 work was taking longer than anticipated.
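The sequence-number part of the TKIP bullet (a per-packet counter that must only go up, reset to zero on rekey) is what stops a captured frame from being replayed later. The Python below is an added illustration of that check, not code from the original notes or from any WPA implementation; it assumes one 48-bit counter per key with strict increase, and does not model the per-packet key mixing or the MIC itself.

```python
"""Added example (not from the original notes): a TKIP-style replay guard.

Assumed simplification: one 48-bit sequence counter per key, accepted frames
must carry a strictly higher counter than the last accepted one, and a rekey
restarts the counter space at zero.
"""

TSC_BITS = 48
TSC_MAX = (1 << TSC_BITS) - 1


class ReplayGuard:
    def __init__(self):
        self.last_seq = None   # None: nothing accepted yet under the current key
        self.rejected = 0

    def rekey(self):
        """New key: the sender restarts at zero, so forget the old high-water mark."""
        self.last_seq = None

    def accept(self, seq: int) -> bool:
        """True if the frame's counter is fresh; replayed or reordered frames are dropped."""
        if not 0 <= seq <= TSC_MAX:
            self.rejected += 1          # malformed counter
            return False
        if self.last_seq is not None and seq <= self.last_seq:
            self.rejected += 1          # replay (seq already seen) or late/reordered frame
            return False
        self.last_seq = seq             # gaps are fine: lost frames just advance the mark
        return True


def run_trace(events):
    """Feed a constructed trace of frame counters (ints) and 'rekey' markers through the
    guard; returns (accepted counters in order, number of rejected frames)."""
    guard = ReplayGuard()
    accepted = []
    for ev in events:
        if ev == "rekey":
            guard.rekey()
        elif guard.accept(ev):
            accepted.append(ev)
    return accepted, guard.rejected


if __name__ == "__main__":
    # constructed trace: a replayed frame (second 1), a lost frame (4 arrives after 5), then a rekey
    print(run_trace([0, 1, 2, 1, 3, 5, 4, "rekey", 0, 1]))   # ([0, 1, 2, 3, 5, 0, 1], 2)
```

The rekey reset is the edge case worth noticing: after a key change the counter 0 is legitimately accepted again, which is safe only because frames protected under the old key will fail the new key's integrity check, something this simplified guard leaves to the MIC.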
|Updated security standard.
Interoperable implementations are called WPA2 by the Wi-Fi Alliance. Supersedes
WEP and WPA, which have demonstrated security weaknesses.
- AES block cipher (block size of 128 bits, key
size of 128, 192 or 256 bits)
- CCMP Message Authentication Code
|802.1x||Port-based access control to the network at L2. Users are not allowed to join the network until they are authenticated. Uses one of the EAPs to authenticate.|
|WISPr||(Wireless Internet Service Provider roaming) - allows users to roam between wireless internet service providers.|
Extensible Authentication Protocol
- LEAP - Lightweight Extensible Authentication Protocol - Cisco special. Crackable, though Cisco claims secure if sufficiently complex passwords are used.
- EAP-TLS - IETF open standard. Uses TLS (Transport Layer Security) with PKI to a RADIUS auth server. Client-side certs needed, so can be hard to deploy. Most widely supported standard. Only weakness is that the username is passed from the client in the clear before certs are exchanged.
- EAP-MD5 - IETF open standard. MD5 hash function vulnerable to dictionary attacks. Does not support dynamic WEP. Client has no way to auth the server. Challenge string sent to the client in the clear.
- EAP-POTP - Protected One-Time Password (RFC 4793) - developed by RSA Laboratories; uses one-time password (OTP) tokens to generate auth keys. Provides 2-factor user auth: the user needs physical access to the token and knowledge of the PIN to perform authentication.
- EAP-PSK - Pre-shared key (RFC 4764) - provides a protected comm channel once mutual auth is successful. Lightweight and extensible EAP method; does not require any public-key crypto. 4-message exchange.
- EAP-PWD - shared password used for auth (RFC 5931) - a low-entropy password may be used, drawn from some set of possible passwords like a dictionary. The underlying key exchange is resistant to active/passive/dictionary attacks. Android 4.0+, FreeRADIUS, Radiator servers, hostapd, wpa_supplicant.
- EAP-TTLS/MSCHAPv2 - Funk Software/Certicom - IETF draft open standard. Good security. PKI certs only on the auth server.
- EAP-IKEv2 - based on Internet Key Exchange protocol v2 (RFC 5106) - provides mutual auth and session key establishment between peer and server. Auth techniques can be asymmetric key pairs, passwords, symmetric keys. Possible to use different credentials/techniques in each direction.
- EAP-FAST - replacement for LEAP while maintaining a lightweight implementation. Uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified. The PAC can be intercepted and compromise user credentials; mitigated by manual PAC provisioning or by using server certs for the provisioning phase. PAC file issued per user.
- PEAPv0/EAP-MSCHAPv2 - Cisco/Microsoft/RSA - open standard. Good security. Similar to EAP-TTLS. Only requires a server-side PKI cert. Usually what people most commonly refer to as PEAP. 2nd most commonly supported form of EAP. Internet Draft.
- PEAPv1/EAP-GTC - Cisco - alternative to PEAPv0/EAP-MSCHAPv2. Uses an inner auth protocol other than (Microsoft's) MSCHAPv2. Microsoft doesn't support PEAPv1.
- EAP-SIM - auth/session key distribution using GSM SIMs.
- EAP-AKA - auth/session key distribution using UMTS SIMs.
- EAP-AKA-PRIME - ??? auth/session key distribution using UMTS SIMs.
- EAP-GTC - Generic Token Card (RFC 2284 and RFC 3748) - meant as an alternative to PEAPv0/EAP-MSCHAPv2. Carries a text challenge from the auth server; the reply is generated by a security token.
- EAP-EKE - Encrypted Key Exchange (RFC 6124) - provides secure mutual auth using short passwords and no public key cert. 3-round exchange, based on a Diffie-Hellman variant.
|IPSec||Use IPSec over WLAN. Especially ESP.|
Hacking tools can listen on the air and gain access to the following info:
DON'T USE DEFAULT SETTINGS.
- MAC address of the AP
- Channel it was heard on
- WEP enabled (yes/no)
- Signal strength and signal-to-noise ratio
CONSIDER NOT ATTACHING A WLAN INSTALLATION DIRECTLY TO YOUR WIRED INSTALLATION.
Types of WLAN attacks
- Active attacks
- Impersonation - use a spoofed MAC address
- Jamming - generate a signal strong enough that WLAN clients and APs can no longer hear each other.
- Man-in-the-middle - generate a stronger AP signal and users are forced to roam
- Modification and insertion - modify a packet and get the CRC correct
- Passive attacks - eavesdrop. What isn't encrypted...?
- Stealing bandwidth - use for access.
- Do not connect the WLAN directly to the wired LAN. Use a firewall or security switch.
- (At least) 128-bit WEP. Basic form of auth between client and AP. Even better, WPA2. Nortel suggests VPN (IPSec).
- Implement MAC filters.
- Turn off the AP's SSID broadcasting beacons and probe responses.
- Turn on 802.1X and EAP (preferably EAP-TTLS or some other strong EAP).
- Set up the AP to notify the net admin of rogue APs.