CHAPTER 15

802.11 Network Deployment

Deploying a wireless LAN is a considerable undertaking. Significant planning is required before you can even touch the hardware. Deploying a wireless network is not simply a matter of identifying user locations and connecting them to the backbone. Wireless LANs provide mobility through roaming capabilities, but this feature comes with a price. Wireless LANs are much more susceptible to eavesdropping and unauthorized access. Working to mitigate the security problems while offering high levels of service makes large wireless LAN deployments topologically more complex, especially because solving security problems means that a great deal of integration work may be required to get all the different pieces of the solution working in concert.

Wireless networks require far more deployment planning because of the nature of the radio link. Every building has its own personality with respect to radio transmissions, and unexpected interference can pop up nearly everywhere because of microwave ovens, electrical conduits, or severe multipath interference. As a result, each wireless LAN deployment is unique in many respects, and careful planning and a meticulous site survey are required before removing any equipment from the box.

Beyond considerations due to the physical environment, wireless networks often extend an existing wired infrastructure. The wired infrastructure may be quite complex to begin with, especially if it spans several buildings in a campus setting. Wireless networks depend on having a solid, stable, well-designed wired network in place. If the existing network is not stable, chances are the wireless extension is doomed to instability as well.

This chapter is about deployment considerations for wireless LANs, written from a technical perspective. How do the features of wireless LANs influence network topology? Besides the 802.11 equipment, what do you need to deploy a network? How should the logical network be constructed for maximum mobility? What do you need to look for in a site survey to make a deployment successful?

The Topology Archetype

Figure 15-1 shows how many wireless LAN deployments evolve. This figure serves as the road map for this chapter. The guiding principle of Figure 15-1 is that mobility must be limited to the link layer, because network-layer mobility is not generally available on IP networks. The other design decisions help augment the access control of the wireless device and lower management overhead by taking advantage of existing services, each of which will be considered in turn.

[Figure 15-1. Standard wireless LAN deployment topology. Labels recovered from the figure: Wireless client; AP1, AP2, AP3; Access point backbone network; Access control device (router, firewall, VPN, etc.); DHCP server (Web documentation, drivers, etc.); RADIUS server; PKI; Main firewall; Internal network; Internet.]

Some deployments may look like multiple instances of Figure 15-1. The topology shown in the figure provides seamless mobility between the access points connected to the access point backbone network. In very large deployments, such as a campus-wide deployment across a large number of buildings, it may be desirable to limit the coverage areas in which seamless roaming is provided. One common strategy is to provide seamless mobility within individual buildings, but not provide roaming between buildings. Each building would have a wireless LAN that looked something like Figure 15-1, and all the access point backbone networks would ultimately connect to a campus backbone.

Roaming and Mobility

In Figure 15-1, the network linking all the access points, which I call the access point backbone, is a single IP subnet. To allow users to roam between access points, the network should be a single IP subnet, even if it spans multiple locations, because IP does not generally allow for network-layer mobility. To understand this design restriction, it is important first to appreciate the difference between true mobility and mere portability.*

Portability certainly results in a net productivity gain because users can access information resources wherever it is convenient to do so. At the core, however, portability removes only the physical barriers to connectivity. It is easy to carry a laptop between several locations, so people do. But portability does not change the ritual of connecting to networks at each new location. It is still necessary to physically connect to the network and reestablish network connections, and network connections cannot be used while the device is being moved.

Mobility, on the other hand, is a far more powerful concept: it removes further barriers, most of which are based on the logical network architecture. Network connections stay active even while the device is in motion. This is critical for tasks requiring persistent, long-lived connections, which may be found in database applications. Support personnel frequently access a tracking database that logs questions, problems, and resolutions. The same argument can be made for a number of tracking applications in a health care setting. Accessing the database through a wireless network can boost productivity because it allows people to add small amounts of information from different locations without needing to reconnect to the database each time. Inventory applications are another example and one of the reasons why retail and logistics are two of the markets that have been quicker to adopt 802.11. When taking inventory, it makes far more sense to count boxes or products where they sit and relay data over a wireless network than to record data on paper and collate the data at the end of the process.

Traditional wired Ethernet connections provide portability. I can take my laptop computer anywhere on the campus at work and plug in. (If I’m willing to tolerate slow speeds, I can even make a phone call and access my corporate network from anywhere in the world.) Each time I access the network, though, I’m starting from scratch. I have to reestablish connections, even if I only moved a few feet. What I’d really like is to walk into the conference room and connect to the corporate network without doing anything.

* The exception to this general rule is, of course, a network in which Mobile IP is deployed. I am enthusiastic about Mobile IP, especially on wireless networks, but it is far from ubiquitous as I write this book. Most network engineers are, therefore, designing networks without the benefit of network-layer mobility.

And therein lies the rub. 802.11 is implemented at the link layer and provides link-layer mobility. IP affords the network designer no such luxury. 802.11 hosts can move within the last network freely, but IP, as it is currently deployed, provides no way to move across subnet boundaries. To the IP-based hosts of the outside world, the VPN/access control boxes of Figure 15-1 are the last-hop routers. To get to an 802.11 wireless station with an IP address on the wireless network, simply go through the IP router to that network. It doesn’t matter whether a wireless station is connected to the first or third access point because it is reachable through the last-hop router. As far as the outside world can tell, the wireless station might as well be a workstation connected to an Ethernet.

A second requirement for mobility is that the IP address does not change when connecting to any of the access points. New IP addresses interrupt open connections. If a wireless station connects to the first access point, it must keep the same address when it connects to the third access point.

A corollary to the second requirement is that all the wireless stations must be on the same IP subnet. As long as a station stays on the same IP subnet, it does not need to reinitialize its networking stack and can keep its TCP connections open. If it leaves the subnet, though, it needs to get a new IP address and reestablish any open connections. The purpose of the design in Figure 15-1 is to assign a single IP subnet to the wireless stations and allow them to move freely between access points. Multiple subnets are not forbidden, but if you have different IP subnets, seamless mobility between subnets is not possible.

The “single IP subnet backbone” restriction of the design in Figure 15-1 is a reflection on the technology deployed within most organizations. Mobile IP was standardized in late 1996 in RFC 2002, but it has yet to see widespread deployment. (See the sidebar for a description of how Mobile IP allows stations to change IP addresses without interrupting connections.) Until Mobile IP can be deployed, network designers must live within the limitations of IP and design networks based on fixed locations for IP addresses. In Figure 15-1, the backbone network may be physically large, but it is fundamentally constrained by the requirement that all access points connect directly to the backbone router (and each other) at the link layer.

Spanning multiple locations with an 802.11 network

Access points that cooperate in providing mobility need to be connected to each other at layer 2. One method of doing this, shown in Figure 15-2a, builds the wireless infrastructure of Figure 15-1 in parallel to the existing wired infrastructure. Access points are supported by a separate set of switches, cables, and uplinks in the core network. Virtual LANs (VLANs) can be employed to cut down on the required physical infrastructure, as in Figure 15-2b. Rather than acting as a simple layer-2 repeater, the switch in Figure 15-2b can logically divide its ports into multiple layer-2 networks. The access points can be placed on a separate VLAN from the existing wired stations, and the “wireless VLAN” can be given its own IP subnet. Frames leaving the switch for the network core are tagged with the VLAN number to keep them logically distinct and may be sent to different destinations based on the tag. Multiple subnets can be run over the same uplink because the VLAN tag allows frames to be logically separated. Incoming frames for the wired networks are tagged with one VLAN identifier, and frames for the wireless VLAN are tagged with a different VLAN identifier. Frames are sent only to ports on the switch that are part of the same VLAN, so incoming frames tagged with the wireless VLAN are delivered only to the access points.
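
As an added illustration (not code from the book), the following Python model shows the tagging and forwarding behaviour just described: an 802.1Q tag is inserted into Ethernet frames on the tagged uplink, and a VLAN-aware switch delivers a frame only to ports that belong to the frame’s VLAN, so wireless frames never reach wired user ports. The port names, VLAN ids and MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def untagged_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame, as seen on an access port (AP or wired user port)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def tag_frame(dst: str, src: str, vid: int, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """The same frame with an 802.1Q tag inserted, as sent over the tagged uplink."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN id must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)  # priority bits, DEI=0, 12-bit VLAN id
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, VLAN id (None when untagged), EtherType and payload."""
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, body = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, body = tci & 0xFFF, 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype, "payload": frame[body:]}


class VlanSwitch:
    """Access ports carry untagged frames of one fixed VLAN; trunk ports carry tagged
    frames of several VLANs. MAC learning is kept per VLAN, as on a real switch."""

    def __init__(self, access: dict, trunks: dict):
        self.access = access  # port -> VLAN id
        self.trunks = trunks  # port -> set of VLAN ids allowed on the tagged link
        self.fdb = {}         # (vid, mac) -> port where that MAC was last seen

    def forward(self, ingress: str, frame: bytes) -> dict:
        """Return {egress port: frame as transmitted}. A frame never leaves its VLAN."""
        f = parse_frame(frame)
        if ingress in self.access:
            if f["vid"] is not None:
                return {}  # a tag arriving on an access port is not honoured
            vid = self.access[ingress]
        else:
            vid = f["vid"]
            if vid is None or vid not in self.trunks[ingress]:
                return {}  # untagged, or a VLAN not permitted on this trunk
        self.fdb[(vid, f["src"])] = ingress
        known = self.fdb.get((vid, f["dst"]))
        if known is None:  # unknown or broadcast destination: flood within the VLAN only
            candidates = [p for p in list(self.access) + list(self.trunks) if p != ingress]
        elif known == ingress:
            return {}
        else:
            candidates = [known]
        out = {}
        for port in candidates:
            if port in self.access and self.access[port] == vid:
                out[port] = untagged_frame(f["dst"], f["src"], f["ethertype"], f["payload"])
            elif port in self.trunks and vid in self.trunks[port]:
                out[port] = tag_frame(f["dst"], f["src"], vid, f["ethertype"], f["payload"])
        return out


def figure_15_2b_switch() -> VlanSwitch:
    """Constructed port map: wired users on VLAN 10, access points on VLAN 20,
    one tagged uplink toward the network core carrying both VLANs."""
    return VlanSwitch(access={"wired1": 10, "wired2": 10, "ap1": 20, "ap2": 20},
                      trunks={"uplink": {10, 20}})


if __name__ == "__main__":
    sw = figure_15_2b_switch()
    arp = untagged_frame("ff:ff:ff:ff:ff:ff", "00:02:2d:aa:bb:cc", 0x0806, b"who-has 192.168.252.1")
    for port, sent in sw.forward("ap1", arp).items():
        print(port, "vid", parse_frame(sent)["vid"])  # ap2 untagged, uplink tagged 20
```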

[Figure 15-2. Physical topologies for 802.11 network deployment. (a) Non-VLAN deployment: a wired switch with user ports on the wired network and a separate wireless switch serving the APs, each with its own uplink to the network core. (b) VLAN deployment: a single switch carrying both wired user ports and APs, joined to the network core by a tagged link. Both panels show the wireless coverage area around the APs.]

Even better, VLANs can easily span long distances. VLAN-aware switches can be connected to each other, and the tagged link can be used to join multiple physical locations into a single logical network. In Figure 15-3, two switches are connected by a tagged link, and all four access points are assigned to the same VLAN. The four access points can be put on the same IP subnet and will act as if they are connected to a single hub. The tagged link allows the two switches to be separated, and the distance can depend on the technology. By using fiber-optic links, VLANs can be made to go between buildings, so a single IP subnet can be extended across as many buildings as necessary.

[Figure 15-3. Using VLANs to span multiple switches. Physical topology: two switches joined by a tagged link, each serving two APs. Logical view: all four APs on a single IP subnet.]

Tagged links can vary widely in cost and complexity. To connect different physical locations in one building, you can use a regular copper Ethernet cable. To connect two buildings together, fiber-optic cable is a must. Different buildings are usually at different voltage levels relative to each other. Connecting two buildings with a conductor such as copper would enable current to flow between (and possibly through) the two Ethernet switches, resulting in expensive damage. Fiber-optic cable does not conduct electricity and will not pick up electrical noise in the outdoor environment, which is a particular concern during electrical storms. Fiber also has the added benefit of high speeds for long-distance transmissions. If several Fast Ethernet devices are connected to a switch, the uplink will be a bottleneck if it is only a Fast Ethernet interface. For best results on larger networks, uplinks are typically Gigabit Ethernet. For very large organizations with very large budgets, uplinks do not need to be Ethernet. One company I have worked with uses a metro-area ATM cloud to connect buildings throughout a city at the link layer. With appropriate translations between Ethernet and ATM, such a service can be used as a trunk between switches. Computer trade shows such as Comdex and Interop regularly use metro-area networks to showcase both the metro-area services and the equipment used to access those services.

Limits on mobility

The access point backbone network must be a single IP subnet and a single layer-2 connection throughout an area over which continuous coverage is provided. It may span multiple locations using VLANs. Large campuses may be forced to break up the access point backbone network into several smaller networks, each of which resembles Figure 15-1.

802.11 allows an ESS to extend across subnet boundaries, as in Figure 15-4a. Users can roam throughout each “island” of connectivity, but network connections will be interrupted when moving between islands. One solution is to teach users one SSID and let them know that mobility is restricted; another alternative is to name each SSID separately. Both solutions have advantages. In the first case, there is only one SSID and no user confusion, but there may be complaints if the coverage areas do not provide mobility in the right ways. In the second case, mobility is always provided within an SSID, but there are several SSIDs and more opportunity for user confusion.

[Figure 15-4. Noncontiguous deployments. (a) Single SSID: three wireless LANs, on 192.168.252/24, 192.168.253/24 and 192.168.251/24, each attached separately to the core. (b) Multiple SSIDs: the same three islands named West WLAN (192.168.252/24), East WLAN (192.168.253/24) and South WLAN (192.168.251/24).]

When a campus is broken into several disjointed coverage areas as in Figure 15-4, be sure to preserve the mobility most important to the users. In most cases, mobility within a building will be the most important, so each building’s wireless network can be its own IP subnet. In some environments, mobility may be restricted to groups of several buildings each, so the islands in Figure 15-4 may consist of multiple buildings.
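As an added example (not from the book), this Python check applies the single-subnet rule of this section and the Figure 15-4 islands to an access point inventory: APs that bridge to the same backbone subnet form one roaming domain, a building whose APs are split across subnets is flagged, and a client’s roam path is classified hop by hop as seamless or as forcing a new address. The inventory, building names and subnets are constructed to mirror Figure 15-4; the address handed out after a re-address is a stand-in for what a DHCP server would assign.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: AP name -> (building, SSID, backbone subnet the AP bridges to).
# south-ap2 is deliberately wrong: it is cabled to the East backbone.
INVENTORY = {
    "west-ap1":  ("West",  "campus", "192.168.252.0/24"),
    "west-ap2":  ("West",  "campus", "192.168.252.0/24"),
    "east-ap1":  ("East",  "campus", "192.168.253.0/24"),
    "south-ap1": ("South", "campus", "192.168.251.0/24"),
    "south-ap2": ("South", "campus", "192.168.253.0/24"),
}


def roaming_domains(inventory: dict) -> dict:
    """Group APs by backbone subnet; link-layer roaming is seamless only within a group."""
    domains = defaultdict(set)
    for ap, (_building, _ssid, subnet) in inventory.items():
        domains[str(ipaddress.ip_network(subnet))].add(ap)
    return dict(domains)


def split_buildings(inventory: dict) -> dict:
    """Buildings whose APs sit on more than one subnet: roaming inside the building
    will be interrupted even though every AP announces the same SSID."""
    per_building = defaultdict(set)
    for _ap, (building, _ssid, subnet) in inventory.items():
        per_building[building].add(str(ipaddress.ip_network(subnet)))
    return {b: sorted(nets) for b, nets in per_building.items() if len(nets) > 1}


def roam(inventory: dict, client_ip: str, path: list) -> list:
    """Walk a client through a list of APs. Each hop is 'seamless' when the client's
    address is still valid on the new AP's subnet, otherwise 'readdress'."""
    addr = ipaddress.ip_address(client_ip)
    if addr not in ipaddress.ip_network(inventory[path[0]][2]):
        raise ValueError("client address is not on the subnet of its first AP")
    events = []
    for prev_ap, next_ap in zip(path, path[1:]):
        net = ipaddress.ip_network(inventory[next_ap][2])
        if addr in net:
            events.append((prev_ap, next_ap, "seamless"))
        else:
            events.append((prev_ap, next_ap, "readdress"))
            addr = next(net.hosts())  # stand-in for a fresh DHCP lease on the new subnet
    return events


if __name__ == "__main__":
    print("domains:", roaming_domains(INVENTORY))
    print("split buildings:", split_buildings(INVENTORY))
    for hop in roam(INVENTORY, "192.168.252.40", ["west-ap1", "west-ap2", "east-ap1"]):
        print(*hop)
```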

Address assignment through DHCP

Multiple independent data sets that must be synchronized are an accident waiting to happen in any field. With respect to wireless LANs, they present a particular problem for DHCP service. To make life as easy as possible for users, it would be best if stations automatically configured themselves with IP network information; DHCP is the best way to do this. Access points frequently include DHCP servers, but it would be folly to activate the DHCP server on every access point. Multiple independent DHCP lease databases are the network equivalent of a tanker-truck pile-up waiting to happen. To avoid the “multiple independent database” problem, have a single source for IP addressing information. Furthermore, some access points may reclaim addresses if an association lapses, regardless of whether the lease has expired. For these reasons, I recommend using an existing DHCP server or installing a new server specifically to support wireless clients. Depending on the importance of the wireless infrastructure, it may be worth considering a backup server as well.
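To show the “multiple independent database” problem concretely, here is an added Python check (not from the book) that merges the active leases reported by several per-access-point DHCP servers and flags any address handed to two different clients, as well as any client holding addresses from several servers because each AP re-addressed it. The lease text is a constructed sample in the style of ISC dhcpd.leases; AP names, addresses and MACs are invented.

```python
import re
from collections import defaultdict

LEASE_RE = re.compile(r"lease\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\{(?P<body>.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
STATE_RE = re.compile(r"binding state\s+(\w+);")

# Constructed sample: two access points each running their own DHCP server for the
# same wireless subnet, with no knowledge of each other's leases.
SAMPLE_LEASES = {
    "ap1": """
lease 192.168.252.20 {
  binding state active;
  hardware ethernet 00:02:2d:aa:bb:cc;
}
lease 192.168.252.21 {
  binding state free;
  hardware ethernet 00:02:2d:11:22:33;
}
""",
    "ap2": """
lease 192.168.252.20 {
  binding state active;
  hardware ethernet 00:02:2d:dd:ee:ff;
}
lease 192.168.252.22 {
  binding state active;
  hardware ethernet 00:02:2d:aa:bb:cc;
}
""",
}


def parse_leases(text: str):
    """Yield (ip, mac, state) per lease block; a block without a state is treated as active."""
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac, state = MAC_RE.search(body), STATE_RE.search(body)
        if mac:
            yield (m.group("ip"), mac.group(1).lower(), (state.group(1) if state else "active"))


def active_leases(databases: dict):
    """Flatten every server's active leases into (server, ip, mac) triples."""
    for server, text in databases.items():
        for ip, mac, state in parse_leases(text):
            if state == "active":
                yield server, ip, mac


def find_conflicts(databases: dict) -> dict:
    """Addresses that have been leased to different clients: {ip: {mac: [servers]}}."""
    holders = defaultdict(lambda: defaultdict(list))
    for server, ip, mac in active_leases(databases):
        holders[ip][mac].append(server)
    return {ip: dict(macs) for ip, macs in holders.items() if len(macs) > 1}


def clients_with_multiple_addresses(databases: dict) -> dict:
    """A client that roamed between APs and was re-addressed by each one: {mac: [ips]}."""
    by_mac = defaultdict(set)
    for _server, ip, mac in active_leases(databases):
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_LEASES).items():
        print("CONFLICT", ip, macs)
    for mac, ips in clients_with_multiple_addresses(SAMPLE_LEASES).items():
        print("RE-ADDRESSED", mac, ips)
```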

Mobile IP and Roaming

802.11 performs a sleight-of-hand trick with MAC addresses: stations communicate with a MAC address as if it were fixed in place, just like any other Ethernet station. Instead of being fixed in a set location, however, access points note when the mobile station is nearby and relay frames from the wired network to it over the airwaves. It does not matter which access point the mobile station associates with because the appropriate access point performs the relay function. The station on the wired network can communicate with the mobile station as if it were directly attached to the wire.

Mobile IP performs a similar trick with IP addresses. The outside world uses a single IP address that appears to remain in a fixed location, called the home location. Rather than being serviced by a user’s system, however, the IP address at the home location (the home address) is serviced by what is called the home agent. Like the access point, the home agent is responsible for keeping track of the current location of the mobile node. When the mobile node is “at home,” packets can simply be delivered directly to it. If the mobile node attaches to a different network (called a foreign network or visited network), it registers its so-called foreign location with the home agent so that the home agent can redirect all traffic from the home address to the mobile node on the foreign network.

Consider an example in which two wireless LANs are built on different IP subnets. On its home subnet, a wireless station can send and receive traffic “normally,” since it is on its home network.

When the wireless station moves from its home subnet to the second subnet, it attaches to the network using the normal procedure. It associates with an access point and probably requests an IP address using DHCP. On a wireless station that is unable to use Mobile IP, connections are interrupted at this point because the IP address changes suddenly, invalidating the state of all open TCP connections.

Wireless stations equipped with Mobile IP software, however, can preserve connection state by registering with the home agent. The home agent can accept packets for the mobile station, check its registration tables, and then send the packets to the mobile station at its current location. The mobile station has, in effect, two addresses. It has its home address, and it can continue to use this address for connections that were established using the home address. It may also use the address it has been assigned on the foreign network. No TCP state is invalidated because the mobile station never stopped using its home address.

Naturally, this sidebar has omitted a great deal of the detail of the protocol operations. Designing a protocol to allow a station to attach anywhere in the world and use an address from its home network is a significant engineering endeavor. Several security problems are evident, most notably the authentication of protocol operations and the security of the redirected packets from the home network to the mobile station’s current location. Maintaining accurate routing information, both the traditional forwarding tables at Internet gateways and the Mobile IP agents, is a major challenge. And, of course, the protocol must work with both IPv4 and IPv6. For a far more detailed treatment of Mobile IP, I highly recommend Mobile IP: Design Principles and Practices by Charles Perkins (Prentice Hall).

Within the context of Figure 15-1, there are two places to put a DHCP server. One is on the access point backbone subnet itself. A standalone DHCP server would be responsible for the addresses available for wireless stations on the wireless subnet. Each subnet would require a DHCP server as part of the rollout. Alternatively, most devices capable of routing also include DHCP relay. The security device shown in Figure 15-1 includes routing capabilities, and many firewalls and VPN devices include DHCP relay. With DHCP relay, requests from the wireless network are bridged to the access point backbone by the access point and then further relayed by the access controller to the main corporate DHCP server. If your organization centralizes address assignment with DHCP, take advantage of the established, reliable DHCP service by using DHCP relay. One drawback to DHCP relay is that the relay process requires additional time and not all clients will wait patiently, so DHCP relay may not be an option.

Static addressing is acceptable, of course. The drawback to static addressing is that more addresses are required because all users, active or not, are using an address. To minimize end user configuration, it is worth considering using DHCP to assign fixed addresses to MAC addresses.

As a final point, there may be an interaction between address assignment and security. If VPN solutions are deployed, it is possible to use RFC 1918 (private) address space for the infrastructure. DHCP servers could hand out private addresses that enable nodes to reach the VPN servers, and the VPN servers hand out routable addresses once VPN authentication succeeds.

Use a single DHCP server per access point backbone or DHCP relay at the access point network router to assign addresses to wireless stations. Static addressing or fixed addressing through DHCP is also acceptable.

Security

Informally, data security is defined in terms of three attributes, all of which must be maintained to ensure security:*

Integrity
Broadly speaking, integrity is compromised when data is modified by unauthorized users. (“Has somebody improperly changed the data?”)

Secrecy
Of the three items, secrecy is perhaps the easiest to understand. We all have secrets and can easily understand the effect of a leak. (“Has the data been improperly disclosed?”)

Availability
Data is only as good as your ability to use it. Denial-of-service attacks are the most common threat to availability. (“Can I read my data when I want to?”)

Wireless LAN technology has taken a fair number of knocks for its failures in all three areas. Most notably, though, wireless LANs have two major failings with respect to the informal definition of security. First, secrecy is difficult on a wireless network. Wireless networks do not have firm physical boundaries, and frames are transmitted throughout a general area. Attackers can passively listen for frames and analyze data. To defeat attacks against secrecy, network security engineers must employ cryptographic protocols to ensure the confidentiality of data as it travels across the wireless medium. WEP has been a failure in this respect, but other protocols and standards may be employed instead of or in addition to WEP.

Second, integrity may be compromised by wireless hosts. Quick wireless LAN deployments are often connected directly to a supposedly secure internal network, allowing attackers to bypass the firewall. In many institutions, internal stations are afforded higher levels of access privileges. Physical security may have made some additional privileges rational or inevitable, but wireless stations may not necessarily be trusted hosts run by internal users. Attacks against integrity may frequently be defeated by strong access control.

Vendors often tout WEP as a security solution, but the proven flaws in the design of WEP should give even the most freewheeling security administrators cause for concern. WEP is, in the words of one industry observer, “unsafe at any key length.”† Future approaches based on 802.1x and EAP may improve the picture, but current deployments must depend on solutions that are available now. Although products claiming to support 802.1x are currently appearing on the market, they have yet to establish a track record with respect to either security or interoperability.

* My definitions here are not meant to be formal. In this section, I’m trying to take a fundamental approach to security by showing how wireless LAN security fails and how some of the failures can be solved by applying solutions the industry has already developed.
† Or, in the words of one reviewer, “WEP is trash that just gets in the way.”

Access control and authentication

Connecting to wireless networks is designed to be easy. In fact, the ease of connection is one of the major advantages to many newer wireless technologies. 802.11 networks announce themselves to anybody willing to listen for the Beacon frames, and access control is limited by the primitive tools supplied by 802.11 itself. To protect networks against the threat of unauthorized access, strong access control should be applied. A helpful rule of thumb is to treat wireless access points like open network drops in the building lobby. 802.11 networks can benefit from access control at two points:

* Before associating with an access point, wireless stations must first authenticate. At present, this process is either nonexistent or based on WEP.
* After association with the access point, the wireless station is attached to the wireless network. However, strong authentication can be applied to any wireless stations to ensure that only authorized users are connecting to protected resources. This form of access control is no different from the access control widely enforced by firewalls today.

At the present time, the initial authentication during the association process is pitifully weak. Current deployments must depend on two methods, one of which was never specified by the standard but is widely used.

One approach is to allow only a specified set of wireless LAN interface MAC addresses to connect to access points. Maintaining the list is its own administrative headache. Distributing the list to access points may be even worse. In a network with access points from multiple vendors, the script may need to massage the list into different file formats to cope with what different products require. Frequently, the list of allowed devices must be distributed by TFTP. Even if the distribution is automated by administrative scripts, TFTP comes with its own security woes. Furthermore, like wired Ethernet cards, 802.11 cards may change the transmitter MAC address, which totally undermines the use of the MAC address as an access control token. Attackers equipped with packet sniffers can easily monitor successful associations to acquire a list of allowed MAC addresses.

A second approach is to allow connections from stations that possess a valid WEP key. Stations that pass the WEP challenge are associated, and stations that fail are not. As noted in Chapter 5, this method is not very strong because WEP is based on RC4, and it is possible to fake a legitimate response to a WEP challenge without any knowledge of the WEP key. In spite of its limitations, WEP makes a useful speed bump for attackers to jump over. Use it, but be aware of its limitations. Or disable it, but be cognizant of the fact that association is unrestricted.

In some products, these methods may be combined. However, both are easily defeated. Maintaining strong security over a wireless LAN requires solutions outside the scope of 802.11, in large part to augment the relatively weak access control supplied by 802.11.
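
Because a MAC-based filter can be passed by any radio that adopts a listed address, a defender can at least watch the access points’ association records for the symptoms. The following added Python check (not from the book) flags associations from MACs that were never provisioned and one MAC appearing at access points in two different buildings within a short window, which no single laptop can do. The log format, AP names, building map and MACs are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style association records: timestamp, AP, client MAC.
SAMPLE_LOG = """\
2002-03-12 09:00:05 ap-west-1 STA 00:02:2d:aa:bb:cc associated
2002-03-12 09:00:40 ap-west-2 STA 00:02:2d:aa:bb:cc associated
2002-03-12 09:01:10 ap-east-1 STA 00:02:2d:aa:bb:cc associated
2002-03-12 09:02:00 ap-west-1 STA 00:02:2d:99:88:77 associated
2002-03-12 09:30:00 ap-east-1 STA 00:02:2d:11:22:33 associated
"""
AP_BUILDING = {"ap-west-1": "West", "ap-west-2": "West", "ap-east-1": "East"}
ALLOWED_MACS = {"00:02:2d:aa:bb:cc", "00:02:2d:11:22:33"}  # the provisioned filter list
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ap>\S+) STA (?P<mac>[0-9a-fA-F:]{17}) associated$")


def parse_log(text: str) -> list:
    """Return (time, ap, mac) tuples; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            records.append((ts, m["ap"], m["mac"].lower()))
    return records


def unlisted_associations(records: list, allowed=ALLOWED_MACS) -> list:
    """MACs that associated without being on the list: the filter is off or misconfigured."""
    return sorted({mac for _ts, _ap, mac in records if mac not in allowed})


def impossible_roams(records: list, buildings=AP_BUILDING, window=timedelta(seconds=60)) -> list:
    """Same MAC seen at APs in two buildings within `window`: two radios are likely
    sharing one address. Roaming between APs of one building is normal and ignored."""
    last_seen = {}  # mac -> (time, ap) of the most recent association
    alerts = []
    for ts, ap, mac in sorted(records):
        if mac in last_seen:
            prev_ts, prev_ap = last_seen[mac]
            if buildings.get(prev_ap) != buildings.get(ap) and ts - prev_ts <= window:
                alerts.append((mac, prev_ap, ap, int((ts - prev_ts).total_seconds())))
        last_seen[mac] = (ts, ap)
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unlisted:", unlisted_associations(recs))
    for mac, a, b, secs in impossible_roams(recs):
        print(f"ALERT {mac} at {a} then {b} {secs}s later")
```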

Many networks deploy firewalls to protect against unauthorized access and use of systems by outsiders. In many respects, wireless stations should be considered untrusted until they prove otherwise, simply because of the lack of control over the physical connection. In the network topology shown in Figure 15-1, an access control device is used to protect the internal network from wireless stations. This access control device could be one of several things: a firewall, a VPN termination device, or a custom solution tailored to the requirements of 802.11 networks.

At the time this book was written, many security-conscious organizations opted to use existing firewalls or VPN devices or build systems to meet their own internal requirements. Firewalls are well-known for providing a number of strong authentication mechanisms, and they have a proven ability to integrate with one-time password systems such as RSA’s SecurID tokens. New releases of IPSec VPN devices also increasingly have this capability. Initial versions of the IPSec specification allowed authentication only through digital certificates. Certificates work well for site-to-site VPNs, but the idea of rolling out a public-key infrastructure (PKI) to support remote access was frightening for most users. As a result, several new approaches allow for traditional (“legacy”) user authentication mechanisms by passing VPN user authentication requests to a RADIUS server. Several mechanisms were in draft form as this book was written: Extended Authentication (XAUTH), Hybrid Mode IKE, and CRACK (Challenge/Response for Authenticated Control Keys).

Several wireless LAN vendors have also stepped up to the plate to offer specialized “wireless access controller” devices, which typically combine packet filtering, authentication, authorization, and accounting services (AAA), and a DHCP server; many devices also include a DNS server and VPN termination. AAA features are typically provided by an interface to an existing corporate infrastructure such as RADIUS, which frequently has already been configured for remote access purposes. Some products may also include dynamic DNS so that a domain name is assigned to a user, but the IP number can be assigned with DHCP.

Several vendors have access controller solutions. Cisco offers an external access control server for the Aironet product line. Lucent’s ORINOCO AS-2000 access server has an integrated RADIUS server. Nokia’s P020 Public Access Zone Controller is an integrated network appliance with a RADIUS client and DHCP server, and the companion P030 Mobility Services Manager offers the RADIUS server and billing functions.

Recognize the limitations of WEP. Treat wireless stations as you would treat untrusted external hosts. Isolate wireless LAN segments with firewalls, and use strong authentication for access control. Consider using existing user databases as part of the authentication roll-out.

Confidentiality: WEP, IPSec, or something else?

Confidentiality is the second major goal in wireless LAN deployments. Traffic is left unprotected by default, and this is an inappropriate security posture for most organizations. Users can choose among three options:

* Use WEP.
* Use a proven cryptographic product based on open protocols.
* Use a proprietary protocol.

Option three locks you into a single vendor and leaves you at their mercy for upgrades and bug fixes. Proprietary cryptographic protocols also have a poor track record at ensuring security. In the end, the choice really comes down to whether WEP is good enough. Given the insecurity of WEP, there are two questions to ask:

“Does the data on this network need to stay secret for more than a week?” WEP is not strong encryption by any stretch of the imagination, and you should assume that a sufficiently motivated attacker could easily capture traffic from the wireless network, recover the WEP key, and decrypt any data.

“Do users need to be protected from each other?” In most WEP deployments, keys are distributed to every authorized station. When all users have access to the key, the data is protected from outsiders only. WEP does not protect an authorized user with the key from recovering the data transmitted by another authorized user. If users need to be protected from each other, which is a common requirement in many computing environment