Wireless local area network

A wireless local area network (LAN) is a flexible data communications system implemented as an extension to, or as an alternative for, a wired LAN. Using radio frequency (RF) technology, wireless LANs transmit and receive data over the air, minimizing the need for wired connections. Thus, wireless LANs combine data connectivity with user mobility.A wireless LAN is a system, which enables the mobile user to connect to the Ethernet through a low microwave frequencies (Lower than about 10 GHz) which can support data rates as high as 10 Mbit/s, or millimetric waves (at about 60GHz). The area covered by such a scheme is restricted by the low allowable power radiation.

Technology

Wireless LANs (WLANs) utilizes electromagnetic waves, particularly spread-spectrum technology based on radio waves, to transfer information between devices in a limited area.

There are two types of WLANs, infrastructure WLANs and independent WLANs. Infrastructure WLANs, where the wireless network is linked to a wired network, is more commonly deployed today. In an infrastructure WLAN, the wireless network is connected to a wired network such as Ethernet, via access points, which possesses both Ethernet links and antennas to send signals. These signals span microcells, or circular coverage areas (depending on walls and other physical obstructions), in which devices can communicate with the access points, and through these, with the wired network. In a wireless LAN, devices can move within and between coverage areas without experiencing disruption in connectivity as long as they stay within range of an access point or extension point (similar to an access point) at all times.

The Wireless Local Area Network (WLAN) industry has emerged as one of the fastest-growing segments of the communications industry. WLAN equipment shipments grew to almost 12 million units in 2001 and market research firm Cahners In-Stat expects sales of wireless network cards and WLAN base stations to grow from $1.9 billion in 2001 to $5.2 billion in 2005. This growth was due, in large part, to the introduction of standards-based WLAN products. These products - based on the 802.11b standard - are faster, lower in cost, and simpler to setup and use than previous generation products. The majority of WLAN products today communicate at speeds up to 11 megabits per second (Mbps).



Standards

Over the years, wireless communication has significantly advanced. Wireless frequency spectrum has been released by government agencies to be used for commercial purposes. The unlicensed 2.4 GHz band is used by several kinds of wireless devices, including two-way communicators, cordless phones and WLAN access points.

Some wireless devices are also using the 5 GHz band. The availability of the spectrum has played an important role in facilitating the acceptance and growth of wireless technology within the enterprise.

The Institute of Electrical and Electronics Engineers1 (IEEE) has developed several specifications for WLAN technology. Here are some of the specifications that are available today or are in the works.

802.11a

This specification operates at 5 GHz frequency with a proposed throughput of 54 Mbps and a range of 50 to 60 feet. 802.11a provides up to 12 channels for communications using Orthogonal Frequency Division Multiplexing3 (OFDM). Its high performance and throughput is in demand for bandwidth-hungry applications. However, their range is much shorter, and multiple 802.11a access points are required to cover the same range provided by one 802.11b access point. This makes it more expensive to install and manage. Yet many enterprises prefer to bear the cost rather than risk interference and compromise security and quality of service.

802.11b

This specification operates at 2.4 GHz frequency with a proposed throughput of 11 Mbps and a range of 200 to 300 feet. This specification is the most widely used and is good for basic WLAN deployment in the enterprise or at home. The 802.11b WLAN specification is being deployed in many enterprises today in an experimental manner, and in some cases even in limited production. Most industry analysts agree that enterprises must go ahead and deploy 802.11b WLANs and leverage the experience they get from this to then deploy more robust specifications as they are released. 802.11b WLANs are relatively inexpensive to set up and many enterprises have derived immediate benefits. However, since they operate in the unlicensed and extremely crowded 2.4 GHz band, there have been many complaints about interference with devices using the same band for their wireless communications. Although 802.11b offers 11 channels for communication using Direct Sequence Spread Spectrum Modulation2, only three, or maximum four, can realistically be used with minimal interference. This limits the number of unique channels that enterprises can use for wireless data transfer without interfering with, or being interfered by, WLANs belonging to other organizations in facilities that are physically close to one another.

802.11g

This specification, ratified in mid-2003, operates at 2.4 GHz frequency with a throughput of 54 Mbps and a range of 100 to 200 feet. Many enterprises are seriously considering moving to 802.11g due to its higher throughput, even though the associated costs might be a bit higher. Many access points today support both 802.11b and 802.11g. It is quite possible that 802.11g will take over 802.11b as the next WLAN standard. However, there are several performance issues that need to be sorted out with 802.11g before that happens.

802.11h

This specification is a European variant of 802.11a with additional optimization features. These two 5 GHz standards are nearly identical, except that 802.11h adds Transmit Power Control (TPC), which limits the wireless network card from emitting more radio signal than is needed, and Dynamic Frequency Selection (DFS), which lets the device listen to what is happening in the airspace before picking a channel. TPC and DFS are both required features in Europe.

802.11i

This specification, still in progress, is an overlay to existing WLAN specifications and will have enhanced security measures such as stronger encryption and access control. The IEEE is working on other specifications, each with a specific goal, that are likely to be released in the near future.

Some of them include:
802.11c-to improve interoperability between devices.
802.11d-to improve roaming.
802.11e-for improved quality of service.
802.11f-to regulate inter-access point handoffs.

No matter which WLAN specification is employed, the basic concepts of deployment and security are the same.

Benefits of using WLAN

Increased Productivity - WLAN provides "untethered" network and Internet access.

Fast and Simple Network Set-up - There are no cables to install at a users desk or work area.

Installation Flexibility - WLANs can be installed in places where wires can't, and they facilitate temporary set-up and relocation.

Reduced Cost-of-Ownership - Wireless LANS reduce installation costs because there is no cabling;as a result, savings are greatest in frequently changing environments.

Scalability - Network expansion and reconfiguration may be less complicated than expanding a wired network.

WEP

WEP, short for Wired Equivalent Privacy, is a protocol for wireless LANs or local area networks. This WEP is defined in the 802.11 Standard. WEP is designed so security levels are maintained at the same level as the wired LAN.

WEP's aim is to provide security by encrypting data over radio waves. WEP protects data as it's transmitted from one end point to another. WEP is used at the two lowest layers, the data link and physical layer.

WEP is designed to make up for the inherent security in wireless transmission as compared to wired transmission. The goal of WEP is to provide an equivalent level of privacy as is ordinarily present with an unsecured wired LAN. WEP is not an industrial security algorithm.

WEP is based on a security scheme called RC4 that utilizes a combination of secret user keys and system-generated values. The original implementations of WEP supported so-called 40-bit encryption, having a key of length 40 bits and 24 additional bits of system-generated data (64 bits total). Research has shown that 40-bit WEP encryption is too easy to decode, and consequently product vendors today employ 128-bit encryption (having a key length of 104 bits, not 128 bits) or better.

WEP presents a major cryptographic weakness. A reasonably determined war driver can capture sufficient data in short order to crack the encryption keys and render the network vulnerable to intrusion.

WEP's disadvantages include:

Station identification relies on hardware addresses that can be easily captured and forged by miscreants.

Static keys are rarely changed by users.

Keys are duplicated on client stations.

A weak implementation of the RC4 algorithm is used.

An Initialization Vector (IV) sequence that is too short and therefore repeats within a timeframe that allows the calculation of the key.

Once cracked, the data stream between the supplicant and the access point is visible to the attacker. This opens the link to types of attack beyond simple packet sniffing, which include: man-in-the-middle, offline dictionary attacks, and session hijacking. Countermeasures are made difficult because packet sniffing and man-in-the middle attacks are passive and difficult to detect.

802.1X/EAP

802.1X represents IEEE's standard for port-level authentication for 802-based wireless and wired networks.Within the 802.1X framework, port access refers to 'user port' access controlled by a wireless access point or wired switch.


802.1X made a significant contribution to standards-based WLANs for the enterprise by introducing the 3-component WLAN configuration of suppliant (station,) authenticator (wireless access point), and authentication server (typically a RADIUS server). The use of centralized user profiles for user validation provides the scalability that enterprises require.

In developing 802.1X, scalability that would provide support for very large deployments at low cost were design considerations. Again, using existing and highly effective network infrastructure, such as EAP, RADIUS, LDAP, and Active Directory offered the additional benefit of keeping costs low.

EAP, IETF standard RFC 2284, stands for Extensible Authentication Protocol. EAP is a very flexible standard for wired and wireless networks. EAP acts as a transport for many different types of EAP methods, with ongoing development of new methods. Increasingly sophisticated implementations of EAP methods account for much of the recent evolution in WLAN security. For instance, to counteract the weaknesses of 802.11, Cisco introduced EAP-LEAP. This EAP method provided for mutual authentication for more secure authentication. Mutual authentication requires the user station to authenticate to the network, and the network to the user. This ensures that users are who they claim to be; and that they connect to valid networks only. LEAP also helped introduce the use of per session dynamic keys.

Another major EAP method, EAP-TLS, uses certificates to deliver strong security, but requires the overhead of maintaining client certificates. EAP-TTLS and EAP-PEAP are tunneled EAP methods that, like TLS, offer mutual authentication, but which also create a TLS encrypted tunnel during the authentication process. The challengeresponse dialogue between supplicant (station) and authentication server occurs through the tunnel using another EAP method or earlier legacy authentication method, such as CHAP, PAP, MS-CHAP or MS-CHAPv2. Only EAP-TTLS supports the early legacy authentication methods.

EAP was incorporated into the 802.1X and WPA standards. EAP's flexibility in serving different types of environments and security levels should ensure the longevity of the 802.11-based systems even as data and voice communications ultimately converge in the enterprise.

Wi-Fi Protected Access

The Wi-Fi Alliance announced a security solution that counters the known weaknesses of WEP called Wi-Fi Protected Access (WPA). This standard was formerly known as Safe Secure Network (SSN). WPA is designed to work with existing 802.11-based products and offers forward compatibility with 802.11i. All of the known shortcomings of WEP are addressed by WPA, which features packet key mixing, a message integrity check, an extended initialization vector, and a re-keying mechanism.

WPA can be implemented in the home and small offices that don't have RADIUS servers through the use of preshared keys. However, it is most powerful when deployed with the enterprise configuration originally laid out by the IEEE 802.1X framework. Again, this configuration includes stations, access points, and authentication servers (typically RADIUS servers). The RADIUS server maintains user credentials and validates wireless users before they are granted access to the network.

WPA's strength comes from an integrated sequence of operations that encompass 802.1X/EAP authentication and sophisticated key management and encryption techniques. Its major operations include:

Network security capability determination. This occurs at the 802.11 level and is communicated through WPA information elements in Beacon, Probe Response, and (Re) Association Requests.Information in these elements includes the authentication method (802.1X or Pre-shared key) and the preferred cipher suite (WEP, TKIP, or AES).

Authentication. EAP over 802.1X is used for authentication. Mutual authentication is gained by choosing an EAP method supporting this feature and is required by WPA. 802.1X port access control prevents full access to the network until authentication completes. 802.1X EAPOL-Key packets are used by WPA to distribute per-session keys to those stations successfully authenticated.

Key management. WPA features a robust key generation/management system that ties together the authentication and data privacy functions. Keys are generated during a successful authentication and from these keys other keys are derived through a subsequent 4-way handshake between the station and Access Point (AP). This handshake produces keys that are used to seed the data privacy algorithm.

Data Privacy (Encryption). Temporal Key Integrity Protocol (TKIP) is used to wrap WEP in sophisticated cryptographic and security techniques to overcome most of its weaknesses.

Data integrity. WPA use TKIP for data privacy (encryption). TKIP includes a message integrity code (MIC) at the end of each plaintext message to ensure messages are not being spoofed integrity.

Email this article | Respond to this article