WPA has 2 types of authentication: WPA-802.1X (AKA WPA-Enterprise) and WPA-PSK (or WPA-Home). WPA-802.1X uses RADIUS; the RADIUS server
acts as the authentication server (checking the client's certificate or credentials), allowing only authorized clients onto the access point.
APs nowadays come with their own built-in authentication servers acting as RADIUS servers, giving SOHO users the ability to use WPA 802.1X authentication schemes if they want. But WPA-PSK is the better choice for SOHO users because of its simple setup and
deployment across a multi-vendor environment. PSK, i.e. WiFi Protected Access with a Pre-Shared Key, enables users to easily
set up and manage a secured WLAN.
PSK uses a passphrase between 8 and 63 characters long. The passphrase is created by the user and entered into every client station's
config utility, as well as into the AP. Generally when setting up a wireless LAN the AP is configured first, followed by
the client stations. AP config depends heavily on the manufacturer's instructions.
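Because both the AP and every client derive their key independently from the same typed passphrase, a mismatch of even one character (or a different SSID) yields a different key and the client never gets on. The following added example (not from the original notes) shows the passphrase length check described above and the standard passphrase-to-PSK mapping from IEEE 802.11i (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output); the sample passphrase and SSID values are constructed, not from any real network.

```python
import hashlib

# Passphrase length limits for WPA-PSK, as stated in the notes above.
MIN_PASSPHRASE_LEN = 8
MAX_PASSPHRASE_LEN = 63


def passphrase_is_valid(passphrase: str) -> bool:
    """Return True if a WPA-PSK config utility would accept this passphrase.

    The 8-63 length rule comes from the notes; the printable-ASCII rule is the
    conventional restriction for a typed passphrase (as opposed to a raw hex key).
    """
    if not MIN_PASSPHRASE_LEN <= len(passphrase) <= MAX_PASSPHRASE_LEN:
        return False
    return all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key (PMK) from passphrase and SSID.

    Mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output
    (the passphrase-to-PSK mapping defined by IEEE 802.11i). AP and client each
    compute this on their own from the passphrase typed into them.
    """
    if not passphrase_is_valid(passphrase):
        raise ValueError(
            f"passphrase must be {MIN_PASSPHRASE_LEN}-{MAX_PASSPHRASE_LEN} printable "
            f"ASCII characters, got {len(passphrase)} characters"
        )
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def psks_match(passphrase_ap: str, ssid: str, passphrase_client: str) -> bool:
    """True if the AP and a client would arrive at the same PMK.

    Handy as a config sanity check: a typo on one side shows up here instead of
    as a mysterious 'cannot connect' on the client.
    """
    return derive_psk(passphrase_ap, ssid) == derive_psk(passphrase_client, ssid)


if __name__ == "__main__":
    # Constructed sample values (the "password"/"IEEE" pair is the published
    # 802.11i test vector, not a real network's credentials).
    print(derive_psk("password", "IEEE").hex())
    print("AP and client agree:", psks_match("password", "IEEE", "password"))
    print("AP and client agree:", psks_match("password", "IEEE", "Password"))
```

The SSID acts as the salt, so the same passphrase on two differently named networks produces two different keys; that is also why a client that keeps a profile for a renamed SSID has to be re-entered even if the passphrase did not change.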
A PSK AP config uses TKIP (Temporal Key Integrity Protocol), which adds extra security ciphers and algorithms on top of the preexisting WEP
encryption.
Common issues:
1. Windows firewall: even if it is disabled, the wireless card might still be under the control of the Windows firewall.
2. Multiple configuration utilities are enabled at once.
3. Wrong type of security selected.
WPA uses enhanced data encryption technology, viz. the Temporal Key Integrity Protocol. TKIP provides important data encryption
enhancements, including a per-packet key mixing function, a message integrity check (MIC), an extended initialization vector
(IV) with sequencing rules, and a re-keying mechanism.
WPA keeps out unauthorized users by requiring all wireless clients to authenticate for network access. The TKIP encryption process begins with a key based on the original password, and TKIP will automatically update this key (the re-keying mechanism), so the encryption keys are extremely difficult to decode. Here is the difference from WEP: WEP uses the same static key over and over again.
WPA2: based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for Federal Information Processing Standards (FIPS) 140-2 compliance. The difference between WPA and WPA2 is the inclusion of the Advanced Encryption Standard (AES);
AES is an encryption algorithm for securing sensitive but unclassified material.
802.11i improves encryption over other standards and includes key caching, which facilitates fast reconnection to the server for users who have temporarily gone offline, and pre-authentication, which allows fast roaming and is ideal for use with advanced applications such as VoIP. An upgrade from WPA to WPA2 can be done by software on some devices, while others may require a hardware change due to AES.
WMM: WiFi Multimedia, created to define QoS in WiFi networks. It is a precursor to the 802.11e standard, meant to improve audio, video and voice applications transmitted over WiFi. Admins will be able to prioritize traffic so that delay-sensitive applications do not suffer.
VPN passthrough is a feature that typically comes on home or small office internet gateway devices, because it is less expensive than a router with a full VPN feature set. A router with built-in VPN support generally means that the router itself is capable of supporting the various VPN protocols (IPsec, PPTP, L2TP, or SSL), i.e. the device actually has an implementation
of these VPN protocols running on it. Since the router itself is equipped with these protocols, it doesn't need to rely on a network server or workstation to establish the VPN connection, so the entire workgroup is able to communicate with a remote network through a single VPN tunnel without the need to have VPN client software installed on every individual PC. On the other hand, a router that supports
VPN passthrough simply means that it can pass through packets that originate from VPN clients;
an example of this would be your laptop or home office PC trying to connect to the VPN server at your corporate office location. VPN passthrough is needed because most routers are NAT enabled, and VPN protocols such as IPsec don't have a specific port number for the device to multiplex the port address translation back to. This feature enables special processing of IPsec data packets and allows the device to keep a table of active connected VPN tunnels.
Null data frames: used by wireless vendors. A null data frame contains an empty frame body, carrying special control information to another station. Wireless clients commonly use a null data frame sent to the access point to indicate a change in sleep state by setting the power management bit in the frame control field appropriately. This most often occurs after a wireless client implementing power save mode has been awake receiving buffered frames from the access point; the null data frame tells the access point to start buffering frames again for that
client station because the client is going back to sleep. Another use: a client station sends a null data frame to the access point to indicate sleep state prior to performing active scanning, which is the process of looking for access points on different channels for the purpose of possible roaming. The access point then buffers frames for the client station while the client scans other RF channels; while on another channel, the client can't receive frames from the access point. Once the client station comes back to the associated access point's channel, the client sends another null data frame to the access point with the power management bit reset to indicate that the client is ready to receive frames again. This maneuver somewhat fools the access point into thinking that the client is in sleep mode, however, it works very well to reduce frame retransmissions while the client is busy scanning other channels.
Control frames:
RTS frame: Request To Send. The RTS/CTS function is optional and reduces frame collisions that occur when hidden stations have
associations with the same access point. A station sends an RTS frame to another station as the first phase of a two-way
handshake necessary before sending a data frame.
CTS frame: Clear To Send. A station responds to an RTS with a CTS frame, providing clearance for the requesting station to
send a data frame. The CTS includes a time value that causes all other stations, including hidden stations, to hold off
transmission of frames for the time period necessary for the requesting station to send its frame. This minimizes collisions
among hidden stations, which can result in higher throughput
if you implement it properly.
ACK frame: Acknowledgement frame. After receiving a data frame, the receiving station utilizes an error checking process to detect the presence of errors; if no errors are found, the receiving station sends an ACK frame to the sending station. If the sending station doesn't receive an ACK after a period of time, it retransmits the frame.
Sequence: RTS, CTS, send data, receive data, ACK.
Management frames:
Authentication frame: 802.11 authentication is a process whereby the access point either accepts or rejects the identity of a radio NIC. The NIC begins the process by sending an authentication frame containing its identity to the access point. With open system authentication (the default), the radio NIC sends only one authentication frame, and the access point responds with an authentication frame indicating acceptance or rejection. With the optional shared key authentication, the radio NIC sends an initial authentication frame and the access point responds with an authentication frame containing challenge text. The radio NIC must send an encrypted version of the challenge text, using its WEP key, in an authentication frame back to the access point. The access point checks that the radio NIC has the correct WEP key by seeing whether the challenge text recovered after decryption is the same as what was sent previously; based on the result of this comparison, the access point replies to the radio NIC with an authentication frame signifying the result of authentication.
Deauthentication frame: a station sends a deauthentication frame to another station if it wishes to terminate secure communications.
Association request frame: 802.11 association enables the access point to allocate resources for and synchronize with a radio NIC. A NIC begins the association process by sending an association request to an access point. This frame carries information about the NIC and the SSID of the network it wishes to associate with. After receiving the association request, the access point considers associating with the NIC, and if accepted, reserves memory space and establishes an association ID for the NIC.
Association response frame: an access point sends an association response frame containing an acceptance or rejection notice to the radio NIC requesting association. If the access point accepts the radio NIC, the frame includes information regarding the association, such as the association ID and supported data rates. If the outcome of the association is positive, the radio NIC can utilize the access point to communicate with other NICs on the network and with systems on the distribution (Ethernet) side of the access point.
Reassociation request frame: If a radio NIC roams away from the currently
associated access point and finds another access point having a stronger beacon
signal, the radio NIC will send a reassociation frame to the new access point.
The new access point then coordinates the forwarding of data frames that
may still be in the buffer of the previous access point waiting for transmission
to the radio NIC.
Reassociation response frame: An access point sends a reassociation
response frame containing an acceptance or rejection notice to the radio NIC
requesting reassociation. Similar to the association process, the frame includes
information regarding the association, such as association ID and supported
data rates.
Disassociation frame: A station sends a disassociation frame to
another station if it wishes to terminate the association. For example, a
radio NIC that is shut down gracefully can send a disassociation frame to
alert the access point that the NIC is powering off. The access point can
then relinquish memory allocations and remove the radio NIC from the association
table.
Beacon frame: The access point periodically sends a beacon frame
to announce its presence and relay information, such as timestamp, SSID, and
other parameters regarding the access point to radio NICs that are within
range. Radio NICs continually scan all 802.11 radio channels and listen to
beacons as the basis for choosing which access point is best to associate
with.
Probe request frame: A station sends a probe request frame when it
needs to obtain information from another station. For example, a radio NIC
would send a probe request to determine which access points are within range.
Probe response frame: A station will respond with a probe response
frame, containing capability information, supported data rates, etc.,
after it receives a probe request frame.
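All of the frames described above (the null data frame with its power management bit, the RTS/CTS/ACK control frames, and the management frames from authentication through probe response) are distinguished by the 2-byte frame control field at the start of every 802.11 MAC frame. The following added example (not from the original notes) decodes that field: bits 0-1 are the protocol version, bits 2-3 the type (0 management, 1 control, 2 data), bits 4-7 the subtype, and the second byte carries the flags (To DS, From DS, More Fragments, Retry, Power Management, More Data, Protected Frame, Order). The bit layout and subtype numbers are those of the IEEE 802.11 standard; the sample frame-control bytes are constructed for the demo, not captured from a real network, and the function and class names are mine.

```python
from dataclasses import dataclass

# 802.11 frame control field: 2 bytes, little-endian.
# Byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
# Byte 1: flag bits: 0 To DS, 1 From DS, 2 More Fragments, 3 Retry,
#         4 Power Management, 5 More Data, 6 Protected Frame, 7 Order.

TYPE_MANAGEMENT, TYPE_CONTROL, TYPE_DATA = 0, 1, 2
TYPE_NAMES = {TYPE_MANAGEMENT: "management", TYPE_CONTROL: "control", TYPE_DATA: "data"}

# Subtype numbers from the 802.11 standard, limited to the frames the notes discuss.
SUBTYPE_NAMES = {
    TYPE_MANAGEMENT: {
        0: "association request", 1: "association response",
        2: "reassociation request", 3: "reassociation response",
        4: "probe request", 5: "probe response", 8: "beacon",
        10: "disassociation", 11: "authentication", 12: "deauthentication",
    },
    TYPE_CONTROL: {11: "RTS", 12: "CTS", 13: "ACK"},
    TYPE_DATA: {0: "data", 4: "null data"},
}


@dataclass(frozen=True)
class FrameControl:
    frame_type: int
    subtype: int
    to_ds: bool
    from_ds: bool
    retry: bool
    power_mgmt: bool
    protected: bool

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.frame_type, "reserved")

    @property
    def subtype_name(self) -> str:
        return SUBTYPE_NAMES.get(self.frame_type, {}).get(self.subtype, f"subtype {self.subtype}")

    def describe(self) -> str:
        """Human-readable summary, spelling out what a null data frame's PM bit means."""
        text = f"{self.type_name} / {self.subtype_name}"
        if self.frame_type == TYPE_DATA and self.subtype == 4:
            if self.power_mgmt:
                text += " (client entering sleep, AP should buffer)"
            else:
                text += " (client awake, AP may deliver buffered frames)"
        if self.retry:
            text += " [retransmission]"  # sender got no ACK and resent the frame
        return text


def parse_frame_control(frame: bytes) -> FrameControl:
    """Decode the first two bytes of an 802.11 MAC frame."""
    if len(frame) < 2:
        raise ValueError("frame too short to contain a frame control field")
    b0, b1 = frame[0], frame[1]
    if b0 & 0x03 != 0:
        raise ValueError(f"unsupported 802.11 protocol version {b0 & 0x03}")
    return FrameControl(
        frame_type=(b0 >> 2) & 0x03,
        subtype=(b0 >> 4) & 0x0F,
        to_ds=bool(b1 & 0x01),
        from_ds=bool(b1 & 0x02),
        retry=bool(b1 & 0x08),
        power_mgmt=bool(b1 & 0x10),
        protected=bool(b1 & 0x40),
    )


def classify(frame: bytes) -> str:
    """One-line classification of a frame from its frame control field."""
    return parse_frame_control(frame).describe()


# Constructed sample frame-control bytes (not captured from a real network).
SAMPLE_FRAMES = {
    "beacon": bytes.fromhex("8000"),
    "probe request": bytes.fromhex("4000"),
    "authentication": bytes.fromhex("b000"),
    "deauthentication": bytes.fromhex("c000"),
    "RTS": bytes.fromhex("b400"),
    "CTS": bytes.fromhex("c400"),
    "ACK": bytes.fromhex("d400"),
    "null data, going to sleep": bytes.fromhex("4811"),  # To DS + PM set
    "null data, awake again": bytes.fromhex("4801"),     # To DS, PM cleared
    "retried data frame": bytes.fromhex("0809"),         # To DS + Retry
}

if __name__ == "__main__":
    for label, raw in SAMPLE_FRAMES.items():
        print(f"{label:28s} {raw.hex()} -> {classify(raw)}")
```

Only the first two bytes are needed to tell management, control and data frames apart, which is why monitoring tools can count deauthentication, RTS/CTS or null-data traffic per client without parsing the rest of the frame; the retry flag is the visible trace of the missing-ACK retransmission described under the ACK frame.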