Download presentation source

Wireless LAN @ DESY Zeuthen
15.10.02
I.Meier: WLAN at DESY Zeuthen
1
Wireless LAN at DESY Zeuthen
Agenda
•
•
•
•
•
15.10.02
Applications (IEEE 802.11)
Wireless Technologies and Standards
Components and Features
Wireless LAN & Security
WLAN ínstallation at DESY Zeuthen
I.Meier: WLAN at DESY Zeuthen
2
Applications (IEEE 802.11)
15.10.02
I.Meier: WLAN at DESY Zeuthen
3
Wireless Connections
Router
Ethernet HUB
15.10.02
Router
Access Point
10 Mbps shared bandwidth
11 Mbps shared bandwidth
CSMA/CD
CSMA/CA
I.Meier: WLAN at DESY Zeuthen
4
Mobile Office
Internet
 Home Office
 Head Office
 Branch Office
 Airports
 Convention Center
 Hotels
 Industries
 Education
 ...
15.10.02
I.Meier: WLAN at DESY Zeuthen
Hot Spots
IP
anywhere
anytime
5
15.10.02
I.Meier: WLAN at DESY Zeuthen
6
Why Wireless LAN
 Office mobility
 Common areas, meeting rooms
 Temporary offices
 Office expansion
 Quick installation
 Cost effective alternative
 Minimale infrastructure costs
 Flexible growth
15.10.02
I.Meier: WLAN at DESY Zeuthen
7
Wireless Technologies and
Standards
15.10.02
I.Meier: WLAN at DESY Zeuthen
8
Wireless Technologies
• Wireless Personal Area Network
IEEE 802.15
(100 m)
Bluetooth (10 m)
HomeRF 1.2 (100 m)
HomeRF 2.0 (100 m)
Bandwidth: 0.8 - 10 Mbps
• Wireless Local Area Network
IEEE 802.11
(100 m)
802.11
802.11b
802.11a
802.11g
HiperLAN-1 HiperLAN-2
Bandwidth: 1 – 54 (100) Mbps
• Wide Area Network
(GSM, GPRS: 2 km, UMTS: 1 km)
GSM (9.6 kbps)
GPRS (14.4 – 115 kbps)
CDMA
UMTS (14.4 kbps – 2 Mbps)
15.10.02
I.Meier: WLAN at DESY Zeuthen
9
802.11 Task Group Outline
•
•
•
•
•
•
•
802.11a
802.11b
802.11d
802.11e
802.11f
802.11g
802.11h
• 802.11i
• 802.11j
15.10.02
54 Mbps, 5 GHz (PHY for UNII), ratified in 1999
11 Mbps, 2.4 GHz, ratified in 1999
additional regulatory domains
MAC Enhancements, Quality of Service
(Draft 4.0)
Inter Access Point Protocol (IAPP)
(Draft 4.0)
higher datarate (> 20 Mbps), 2.4 GHz
(Draft 3.0)
Managed Spectrum for 802.11a, Dynamic Channel
Selection and Transmit Power Control Mechanisms
Authentication and Security
802.11a/HiperLAN Internetworking
I.Meier: WLAN at DESY Zeuthen
10
802.11 Task Group Outline
Layer 3 and higher
802.11f
802.11
WLAN Media
Access Control
(MAC) and
Physical Layer
(PHY)
Specifications
(1997, 1999)
Inter Access Point Protocol
MAC layer extensions
802.11d
802.11e
802.11i
Regulatory
Domains
Quality of
Service
Security
Extensions
2.4 GHz PHYs
802.11b
Physical Layer
2.4 GHz, 11 Mbps
802.11g
Physical Layer
2.4 GHz, 54 Mbps
5 GHz PHYs
802.11a
Highspeed Physical
Layer, 5 GHz
15.10.02
802.11h
Spectrum Managed
802.11a (DFS/TCP)
I.Meier: WLAN at DESY Zeuthen
802.11j
802.11a/Hiperlan
Internetworking
11
Wireless LAN Standards
IEEE 802.11
1 or 2 Mbps
2.4 GHz
IEEE
WLAN
IEEE 802.11b
1, 2, 5.5, 11 Mbps
(22+ Mbps in future)
2.4 GHz
IEEE
WLAN
IEEE 802.11g
1 – 54 Mbps
2.4 GHz
IEEE
WLAN
IEEE 802.11a
1 – 54 Mbps
(100 Mbps in future)
5 GHz
IEEE
WLAN
HiperLAN-1
24 Mbps
5.2 GHz
ETSI
WLAN
HiperLAN-2
20 - 54 Mbps
5.2 GHz
ETSI
WLAN -- ATM
HomeRF 1.2
0.8 or 1.6 Mbps
2.4 GHz
HomeRF
home
HomeRF 2.0
0.8, 1.6, 5, 10 Mbps
2.4 GHz
HomeRF
home
Bluetooth
1 Mbps
2.4 GHz
Bluetooth SIG
personal
15.10.02
I.Meier: WLAN at DESY Zeuthen
12
5 GHz Frequence Band – HiperLAN & IEEE 802.11a
5 GHz UNII – Unlicensed National
Information Infrastructure (USA)
IEEE 802.11a
1W
250 mW
50 mW
5.000 5.100 5.200 5.300 5.400 5.500 5.600 5.700 5.800 5.900 6.000 GHz
Aeronautical Satellite Radar,Space Aeron.
Radionavigation, Radiolocation,
Navigation
FSS
Research Navigation Maritime Navig. Amateur
15.10.02
I.Meier: WLAN at DESY Zeuthen
13
5 GHz Frequence Band – HiperLAN & IEEE 802.11a
5 GHz Spectrum Europe
HiperLAN
HiperLAN
HiperLAN
1W
200 mW
Indoor/Outdoor
Indoor
ISM
25 mW
5.000 5.100 5.200 5.300 5.400 5.500 5.600 5.700 5.800 5.900 6.000 GHz
Aeronautical Satellite Radar,Space Aeron.
Radionavigation, Radiolocation,
Navigation
FSS
Research Navigation Maritime Navig. Amateur
15.10.02
I.Meier: WLAN at DESY Zeuthen
14
5 GHz Frequence Band – HiperLAN & IEEE 802.11a
• HiperLAN
–
–
–
–
15.10.02
ETSI (European Telecommunications Standards Institute) standard
Ratified in 1996
HiperLAN-1
5 GHz radio band up to 24 Mbps
HiperLAN-2
5 GHz radio band up to 54 Mbps
connection-oriented protocol for sharing access
among end-user devices
I.Meier: WLAN at DESY Zeuthen
15
5 GHz Frequence Band – HiperLAN & IEEE 802.11a
• IEEE 802.11a
– 5 GHz radio band up to 54 Mbps (100 Mbps in future)
– Orthogonal Frequency-Division Multiplexing (OFDM)
– 3 UNII bands per 100 MHz bandwidth and 4 nonoverlapping channels of
20 MHz
– each 20 MHz channel comprises 52 300-kHz-wide subchannels
– 48 subchannels for data transmission, 4 subchannels for error correction
– UNII-1:
15.10.02
5.15-5.25 GHz frequency range
maximum transmit power: 50 mW
maximum antenna gain: 6 dBi
only indoors
I.Meier: WLAN at DESY Zeuthen
16
5 GHz Frequence Band – HiperLAN & IEEE 802.11a
– UNII-2:
5.25-5.35 GHz frequency range
maximum transmit power: 250 mW
removeable antennas possible
maximum antenna gain: 6 dBi
indoors and outdoors
– UNII-3:
5.725-5.825 GHz frequency range
maximum transmit power: 1W
removeable antennas
maximum antenna gain: 23 dBi for point-to-point installations
6 dBi for point-to-multipoint inst.
only outdoors
15.10.02
I.Meier: WLAN at DESY Zeuthen
17
HiperLAN – IEEE 802.11a Implementation Comparison
• HiperLAN/2 & 802.11a share common components
– Similar Physical Layer (Orthogonal-Frequency-Division-Multiplexing
modulation (OFDM), similar radio)
• different MAC implementation
– HiperLAN/2:
– 802.11a:
– Hiperlan/2:
15.10.02
QoS and Radio Link Control Features
MAC classic Ethernet
uses ATM like scheme
I.Meier: WLAN at DESY Zeuthen
18
2.4 GHz Frequence Band– IEEE 802.11g
•
•
•
•
provides higher data rates at 2.4 GHz
similar speeds as 802.11a
backward compatible with 802.11b
modulation
–
–
–
–
BPSK (Binary Phase Shift Keying)
 1 Mbps
QPSK (differential Quaternary Phase Shift Keying)  2 Mbps
CCK (Complementary Code Keying)
 5.5 Mbps, 11 Mbps
OFDM (Orthogonal Frequency Devision Multiplexing)  12 – 54 Mbps
• same modulation as 802.11a (OFDM)
• Draft-Status (3.0)
• more information: IEEE 802.11 website
www.ieee802.org/11
15.10.02
I.Meier: WLAN at DESY Zeuthen
19
2.4 GHz Frequence Band– IEEE 802.11b
• IEEE 802.11b Standard
– 2.4 GHz-ISM-Band (Industrial, Scientific and Medical)
– frequency spectrum classed as unlicensed  anyone can use it as it
complies with FCC regulations (public radio spectrum)
– max. transmit power of radios, type of encoding and frequency
modulation
– WECA (Wireless Ethernet Compatibilty Alliance)  Wi-Fi (WirelessFidelity) compliant devices
– LLC-Layer (Logical-Link-Control Layer 2)
– 48 bit MAC address (classic Ethernet)
– max. 11 Mbps
– Wireless LAN Radio Frequency Methods
• FHSS (Frequency Hopping Spread Spectrum)  2 Mbps
• DSSS (Direct-Sequence-Spread-Spectrum)
 1, 2, 5.5, 11 Mbps
15.10.02
I.Meier: WLAN at DESY Zeuthen
20
2.4 GHz Frequence Band– IEEE 802.11b
• spread spectrum technology
– 2.4 GHz ISM band has other primary owners, operates at 600 W power
level; IEEE 802.11b: max. 100 mW
– spread-spectrum-technology
power
signal
after spread spectrum
F
Spectrum after
modulation
F
frequence
– non-sensitive against narrow-band interference (e.g. noise)
15.10.02
I.Meier: WLAN at DESY Zeuthen
21
2.4 GHz Frequence Band– IEEE 802.11b
• 2 different types of layer 1 physical interfaces
– Frequency-hopping architecture
– Direct-sequencing architecture (single-frequency approach) DSSS
• Frequency Hopping
– 2.4 GHz ISM band provides 83.5 MHz of available frequency spectrum
– frequency-hopping-architecture: transmit radio on 1 of 79x 1-MHz-wide
frequencies (channel) for max. 0.4 sec
–  interference tolerant network
– one channel stumbles across an interference => because frequencyhopping data retransmission is realized on another frequency
– achievable data rate: 2 Mbps
15.10.02
I.Meier: WLAN at DESY Zeuthen
22
2.4 GHz Frequence Band– IEEE 802.11b
• Direct-Sequence-Spread-Spectrum (DSSS)
– 11x 22-MHz overlapping channels of 83.5 MHz (2.4 GHz – 2.4835 GHz)
– 3x 22-MHz-wide non-overlapping channels
– large bandwidth & modulation based on Complementary Code Keying
(CCK) primary reason for higher data rates (11 Mbps)
– 3 channels without overlap  3 Access Points can be used to provide
aggregate data rate of combination of the 3 available channels
–  11/22/33 Mbps data rate
15.10.02
I.Meier: WLAN at DESY Zeuthen
23
WLAN Media Access Control
Router
broadcast-domain
15.10.02
Router
Ethernet HUB
Access Point
broadcast-domain
10 Mbps shared bandwidth
11 Mbps shared bandwidth
CSMA/CD
CSMA/CA
I.Meier: WLAN at DESY Zeuthen
24
WLAN Media Access Control
• CSMA/CA - Carrier-Sense-Multiple-Access with Collision Avoidence
• frames
– data frames
– control frames (RTS,- CTS-, ACK-frames)
– management frames (beacon frames)
• frame format
Praeambel PLCP-header
MAC-data
CRC
– Praeambel:
- 80 bit synchronization sequence
- 16 bit start-delimeter-frame
– PLCP-header: - contains information about encryption on physical layer,
packet length
15.10.02
I.Meier: WLAN at DESY Zeuthen
25
WLAN Media Access Control
– MAC-data field
frame duration address1 address2 address3 sequence address4 frame body CRC
control
control
• control frames
• RTS
• CTS
• ACK
Request to Send packet
Clear to Send packet
Acknowledgement packet
frame format
Byte 2
Frame Control
15.10.02
2
Duration
6
Receiver
6
Sender
I.Meier: WLAN at DESY Zeuthen
4
CRC
26
Wireless LAN Components and
Features
15.10.02
I.Meier: WLAN at DESY Zeuthen
27
WLAN Components
Components
•
•
•
•
Bridge
Access Point
Workgroup-Bridge
NIC (WLAN Network Interface Card (ISA, PCI, PCMCIA))
• Router with WLAN-extension
(xDSL-Router, ISDN-Router)
15.10.02
I.Meier: WLAN at DESY Zeuthen
28
WLAN Components and Features
Wired LAN
L2 Access Switch
Building A
Access Point
WLAN Bridge
ISA, PCI or
PCMCI
Point-to-multipoint
Point-to-point
WLAN Bridge
L2 Access Switch
Workgroup
Bridge
L2 Access Switch
Building B
15.10.02
Building C
I.Meier: WLAN at DESY Zeuthen
29
WLAN Components and Features
•
•
•
•
•
•
•
•
•
point-to-point and point-to-multipoint installation
inline power over Ethernet, up to 100 m with Cat.5
selectable transmit power (1, 5, 20, 30, 50, 100 mW)
antenna flexibility
variable data rate (1, 2, 5.5, 11 Mbps)
aggregate bandwidth 33 Mbps
hot standby implementation, increase availability
roaming
load balancing
• but:
– no Quality of Service
– Voice over IP & multimedia applications supported on „best efford“
15.10.02
I.Meier: WLAN at DESY Zeuthen
30
Availability
LAN
active
standby
• access points with identical configuration
• hot standby access point per RF channel
• transparent failover from active to standby access point
15.10.02
I.Meier: WLAN at DESY Zeuthen
31
Roaming
•
Media Access Control
– CSMA/CA
•
Beacon Frames
– are broadcast from access point at regular intervals
– contain access-point information (e.g. Service Set Identifier (SSID), supported data
rates and Radio Frequency Methods (FHSS, DSSS), capacity)
AP-A
AP-B
– client triggers „Roaming Event“ (max. retries)  starting scanning process for
available access points
– new association to AP-B based on criteria such
• Signal strength 20% better?
• Fewer hops to backbone?
• Count of associations (AP-B) + 4 < count of associations (AP-A)?
15.10.02
I.Meier: WLAN at DESY Zeuthen
32
Load Balancing
•
•
•
only 3 non-overlapping cells available
max. Bandwidth for single client 11 Mbps
load balance criteria
–
–
–
–
15.10.02
signal strength
number of users
transmit load
hops to backbone
AP
AP
AP
1
6
11
I.Meier: WLAN at DESY Zeuthen
33
Wireless LAN & Security
15.10.02
I.Meier: WLAN at DESY Zeuthen
34
Wireless LAN & Security
„... As standardized by the IEEE, security for 802.11
networks can be simplified into two main components:
encryption and authentication. The implementation of
these components has been proven and documented as
insecure by the security community at large. ...“
SAFE: Wireless LAN Security in Depth, White Paper
Cisco Systems, Inc., 2001
http://www.cisco.com/go/safe
15.10.02
I.Meier: WLAN at DESY Zeuthen
35
Security Mechanisms
SSID
AP-Auth
none
WEP
static
SSID
AP-Auth
WEP
static WEP
dynamic WEP
15.10.02
VPN
dynamic
(EAP)
Service Set Identifier
Access Point Authentication (open/shared key authentication)
Wired Equivalent Privacy (encryption)
static key
dynamic key derivation
EAP (Extensible Authentication Protocol) / LEAP (Ligth EAP)
I.Meier: WLAN at DESY Zeuthen
36
Network Selection
Service Set Identifier (SSID)
• defines the name of the network, ASCII-string
• SSID is not a security mechanism
• transmitted as clear text in Probe & Probe Response frames
• „Broadcast SSID“ disabled stops SSID in beacon frames only
• association to dedicated networks/access points
15.10.02
I.Meier: WLAN at DESY Zeuthen
37
Access Point Authentication
• Open authentication
open authentication = „null“ authentication
authentication request packet
authentication response packet
• Shared Key Authentication and static WEP-encryption
challenge text packet for authentication
cryptographically insecure
plaintext and corresponding encrypted
text are visible
15.10.02
authentication request packet
challenge text packet (plaintext)
challenge response packet with predet. WEP
authentication response packet
I.Meier: WLAN at DESY Zeuthen
38
Static Wired Equivalent Privacy (WEP)
header: use key3 data: encrypted using key3 trailer
Key1 = 123...
Key2 = 432...
Key3 = 987...
trailer data: encrypted using key2 header: use key2
Key1 = 123...
Key2 = 432...
Key3 = 987...
• knowledge of WEP key required
• key needs to be changed frequently
• key distribution and management problematic
15.10.02
I.Meier: WLAN at DESY Zeuthen
39
MAC Authentication
• MAC address filter on Access Points
• Cisco supports centralized configuration and management
of permitted MAC addresses in RADIUS database
(Remote Access Dial-In User Service)
• easily spoofed
15.10.02
I.Meier: WLAN at DESY Zeuthen
40
2nd Generation Security Mechanisms
• WLAN IEEE 802.11b is in secure
• security extensions necessary
Backend infrastructure (kerberos, RADIUS, ...)
IEEE 802.1x
TLS
GSS_API
IKE
LEAP
Method Layer
EAP
VPN
APIs
EAP
EAP Layer
NDIS
APIs
PPP
15.10.02
802.3
802.11
...
I.Meier: WLAN at DESY Zeuthen
Media Layer
41
EAP/LEAP
• EAP - Extensible Authentication Protocol
(centralized authentication and dynamic key distribution)
• LEAP – Ligth Extensible Authentication Protocol (Cisco)
EAP/LEAP
RADIUS
Radius Sever
client
–
–
–
–
–
15.10.02
client authenticates to access point which disables all further IP requests
next step: user network logon (username, password; Radius-Server)
WEP session key calculation based on username/password
Radius server sends key to access point
Access point enables network connection
I.Meier: WLAN at DESY Zeuthen
42
VPN - Virtual Private Network
• support a variety of cryptographically strong options to
authenticate the client at the VPN concentrator
• encrypted IP-tunnel client – VPN concentrator
• Triple DES encryption
• connection access point – VPN concentrator is not
authenticated
15.10.02
I.Meier: WLAN at DESY Zeuthen
43
WLAN installation at
DESY Zeuthen
15.10.02
I.Meier: WLAN at DESY Zeuthen
44
deficits
• security policies
–
–
–
–
security zones
Firewall
Intrusion Detection System (IDS)
mobile computing
 notebooks, PDA, Bluetooth
• „Benutzerordnung“
• central notebook support (MS Windows/Linux)
–
–
–
–
15.10.02
system installation/administration
security patches
root password
application software
I.Meier: WLAN at DESY Zeuthen
45
Supported network features
• network access
-
Ethernet
analogous modem
ISDN
DSL
WLAN
DHCP
- RADIUS
- EAP
- VLAN
• IEEE 802.11b (11 Mbps, 2.4 GHz)
• support meetings, workshops, conferences
• seminar room SR1, SR2, SR3, Foyer
15.10.02
I.Meier: WLAN at DESY Zeuthen
46
Network Structure (Phase I, August 2002)
GWIN-Router
GWIN
34 Mbit/s
Remote Access
Server
10/100 Mbit/s
Telecom
100 Mbit/s
dial-in/mobile user
56 kbit/s (anal. Modem)
64/128 kbit/s
(ISDN)
Backbone Router/Switch
Gigabit Ethernet
SAP-User
Access Switch
(Layer 2 Switch)
10/100/1000 Mbit/s
PC-Cluster Batch-Farm
15.10.02
Server
I.Meier: WLAN at DESY Zeuthen
47
Network Structure (Phase II, October 2002)
GWIN
GWIN-Router
34 Mbit/s
Remote Access
Server
100 Mbit/s
Telecom
Firewall
dial-in/mobile user
Gigabit Ethernet
56 kbit/s (anal. Modem)
64/128 kbit/s
Gigabit Ethernet
(ISDN)
Backbone Router/Switch
Gigabit Ethernet
Access Switch
(Layer 2 Switch)
SAP-User
10/100/1000 Mbit/s
PC-Cluster Batch-Farm
15.10.02
Server
I.Meier: WLAN at DESY Zeuthen
48
Network Structure (Phase III)
GWIN
GWIN-Router
34 Mbit/s
Remote Access
Server
Telecom
100 Mbit/s
dial-in/mobile user
56 kbit/s (anal. Modem)
64/128 kbit/s
Firewall
Gigabit Ethernet
(ISDN)
Access Point
Gigabit Ethernet
Backbone Router/Switch
WLAN user
Gigabit Ethernet
Access Switch
(Layer 2 Switch)
SAP-User
10/100/1000 Mbit/s
PC-Cluster Batch-Farm
15.10.02
Server
I.Meier: WLAN at DESY Zeuthen
49
Abbreviations
•
ETSI
•
•
•
•
•
•
•
IEEE
ITU
RegTP
TKG
WRC
Bluetooth SIG
RR
•
•
Wi-Fi
ÍSM-Band
•
UNII-Band
15.10.02
European Telecommunication Standards Institute
( Hiperlan1/2)
Institute of Electrical and Electronic Engineers, Inc.
International Telecommunication Union (CCITT, CCIR)
Regulierungsbehörde für Telekommunikation und Post
Telekommunikationsgesetz
World Radio Conference (Verwaltung der Funkfrequenzen)
Bluetooth Special Interest Group
Radio Regulations (weltweit gültiges Regelwerk für den Funkverkehr,
vom WRC erarbeitet)
Wireless-Fidelity
2.4 GHz Frequence-Band for Industrial, Scientific and Medical,
unlicensed
5-GHz Frequence-Band for Unlicensed-National-InformationInfrastructure
I.Meier: WLAN at DESY Zeuthen
50
Abbreviations
•
•
•
DSSS
WEP
RC4
•
IPSec
•
•
•
VPN
DES
3DES
15.10.02
Direct Sequencing Spread Spectrum
Wired Equivalent Privacy (40/128 bit encryption)
encryption algorithm invented by Ron Rivest of RSA Data Security
Inc. (RSADSI)
IP Security Protocol (framework of open standards for secure
communication over IP networks)
Vitual Private Network
Data Encryption Standard
Triple DES, encrypts data 3 times with up to 3 different keys
I.Meier: WLAN at DESY Zeuthen
51
Abbreviations
•
•
•
•
•
SSID
AP
CSMA/CD
CSMA/CA
EAP/802.1X
•
•
•
•
•
•
LEAP
MIC
TKIP
EAP-TLS
RADIUS
DHCP
15.10.02
Service Set Identifier (32 char ASCII-string)
Access Point
Carrier-Sense-Multiple-Access with Collision Detection
Carrier-Sense-Multiple-Access with Collision-Avoidence
Extensible Authentication Protocol (centralized authentication
and dynamic key distribution)
Ligth Extensible Authentication Protocol (Cisco)
Message-Integrity-Protocol
Temporal-Key- Integrity-Protocol
EAP Transport Level Security
Remote Access Dial-In User Service
Dynamic Host Configuration protocol
I.Meier: WLAN at DESY Zeuthen
52