Title: Wireless LANS
1 Wireless LANS
2 Electromagnetic Radiation
- An electron is surrounded by an electric field.
- When an electron moves, a magnetic field forms around it.
- By increasing and decreasing the density of electrons in a wire (antenna), we can create a ripple effect in the two fields.
3 Electromagnetic Radiation
- The ripples travel at the speed of light, c ≈ 3 × 10^8 m/s.
- The frequency of an electromagnetic wave determines its properties. X-rays, ordinary light and radio waves are all electromagnetic waves.
5 Radio Transmission
[Figure: radio waves travelling from a transmitter at Site A to a receiver at Site B]
- Suppose we set up a transmitter that emits radio waves of a selected frequency.
- An aerial and receiver can be designed to electrically resonate with the same frequency and so pick up that frequency.
6 Radio Channel
- We can send signals using a radio channel by switching our transmitter on and off (just like the simple telegraph circuit). This was how Morse code used to be sent.
- The signal quality is much improved if the signal is sent by varying the amplitude of a continuous carrier wave.
- Much of the noise is out of phase with the carrier wave and so gets ignored by the receiver.
7 Electromagnetic Communication Systems
- Radio, television and satellite systems are all designed around the principles of antennas.
- The frequencies of microwaves and light are much higher than those of radio waves. They are produced more efficiently by other means.
- Microwaves are produced by a special electronic valve called a magnetron.
- Light can be produced by LEDs.
8 Microwave Channels
[Figure: microwave link between a transmitter dish and a receiver dish]
- Microwaves are transmitted and received using parabolic dishes (the special shape focuses the microwave beam).
- The receiver and transmitter dishes must be in line of sight with each other. Microwaves can pass through clouds and, with some attenuation, through walls and trees, but not through the ground.
9 Wireless LANS
- A wireless LAN (WLAN) is a flexible data communication system implemented as an extension to, or as an alternative for, a wired LAN within a building or campus. Using electromagnetic waves, WLANs transmit and receive data over the air, minimizing the need for wired connections. Thus, WLANs combine data connectivity with user mobility and, through simplified configuration, enable movable LANs.
- Of late, WLANs have gained strong popularity in a number of vertical markets, including the health-care, retail, manufacturing, warehousing and academic arenas. These industries have profited from the productivity gains of using hand-held terminals and notebook computers to transmit real-time information to centralized hosts for processing.
- Today WLANs are becoming more widely recognized as a general-purpose connectivity alternative for a broad range of business customers.
10 Benefits of Wireless LANS
- With wireless LANs, users can access shared information without looking for a place to plug in, and network managers can set up or augment networks without installing or moving wires. Wireless LANs offer the following productivity, service, convenience and cost advantages over traditional wired networks:
- Mobility: Wireless LAN systems can provide LAN users with access to real-time information anywhere in their organization.
- Installation Speed and Simplicity: Installing a wireless LAN system can be fast and easy and can eliminate the need to pull cable through walls and ceilings.
- Reduced Cost-of-Ownership: While the initial investment required for wireless LAN hardware can be higher than the cost of wired LAN hardware, overall installation expenses and life-cycle costs can be significantly lower. Long-term cost benefits are greatest in dynamic environments requiring frequent moves, adds and changes.
- Scalability: Wireless LAN systems can be configured in a variety of topologies to meet the needs of specific applications and installations. Configurations are easily changed and range from peer-to-peer networks suitable for a small number of users to full infrastructure networks of thousands of users that allow roaming over a broad area.
11 Which type
- In wireless networking, a peer-to-peer (or point-to-point) wireless network means that each computer can communicate directly with every other computer on the network. But some wireless networks are client/server. They have an access point, which is a wired controller that receives and transmits data to the wireless adapters installed in each computer.
- There are various types of wireless networks, ranging from slow and inexpensive to fast and expensive, such as:
- Bluetooth
- IrDA
- HomeRF (SWAP)
- Wi-Fi
12 Bluetooth
- Bluetooth technology is a wireless personal area networking (WPAN) technology that has gained significant industry support and will coexist with most wireless LAN solutions.
- The Bluetooth specification is for a 1 Mbps, small form-factor, low-cost radio solution that can provide links between mobile phones, mobile computers and other portable handheld devices, and connectivity to the internet. This technology, embedded in a wide range of devices to enable simple, spontaneous wireless connectivity, is a complement to wireless LANs, which are designed to provide continuous connectivity via standard wired LAN features and functionality.
13 IrDA
- IrDA (Infrared Data Association) is a standard for devices to communicate using infrared light pulses, like remote controls. Where devices share a common standard, a remote from one manufacturer can control a device from another manufacturer.
- IrDA devices use infrared light, so they depend on being in direct line of sight with each other. Although capable of transmitting data at speeds up to 4 megabits per second (Mbps), the requirement for line of sight means that you would need an access point in each room, limiting the usefulness of an IrDA network in a typical home layout.
- Infrared (IR) systems use very high frequencies, just below visible light in the electromagnetic spectrum, to carry data. Like light, IR cannot penetrate opaque objects. It is either a directed (line-of-sight) or a diffuse technology. Inexpensive directed systems provide very limited range (about 3 ft / 1 m) and typically are used for PANs, but occasionally are used in specific WLAN applications.
- Diffuse (or reflective) IR WLAN systems do not require line-of-sight, but cells are limited to individual rooms.
14 HomeRF and SWAP
- HomeRF (RF stands for radio frequency) is an alliance of businesses that have developed a standard called Shared Wireless Access Protocol (SWAP). A hybrid standard, SWAP includes six voice channels based on the DECT standard and the 802.11 standard.
- Here are the advantages of SWAP:
- It's inexpensive and easy to install. Requires no additional wires.
- It has no access point.
- It uses six full-duplex voice channels and one data channel.
- It allows up to 127 devices and multiple networks in the same location.
- You can use encryption to make your data secure.
- Disadvantages of SWAP:
- It's not very fast (normally 1 Mbps).
- It has a limited range (75 to 125 ft / 23 to 38 m).
- It's not compatible with FHSS devices.
- Physical obstructions (walls, large metal objects) can interfere with communication.
- It's difficult to integrate into existing wired networks.
15 802.11b (Wi-Fi)
- This standard is clearly the market leader. 802.11b operates in the 2.4 GHz unlicensed frequency band (the same one used by 2.4 GHz cordless phones and microwave ovens) and uses DSSS (Direct Sequence Spread Spectrum); the frequency-hopping (FHSS) option belongs to the original 1-2 Mbps 802.11 standard, not to 802.11b. Its raw data rates are 1, 2, 5.5 and 11 Mbps.
- Widely used in businesses, 802.11b has been adopted for many home networks due to its relatively high speed, wide availability and falling prices (although we've probably gotten pretty close to the bottom of the price curve at this point). It's also the standard that's used for wireless public access in places like airports and malls, and by enterprising individuals, companies and community groups who are trying to grow their own wireless broadband networks.
- Negatives include 802.11b's WEP network security method, whose weaknesses are covered later in this deck.
- Most access points have an integrated Ethernet controller to connect to an existing wired-Ethernet network.
- It also has an omni-directional antenna to receive the data transmitted by the wireless transceivers.
16 Wi-Fi
- Below shows a 3Com Airconnect wireless system. This allows staff to freely roam about the workplace with their laptops constantly connected to the network.
[Figure: the 3Com Airconnect access point, the base unit of a wireless system used to connect workers with laptops]
17 Wireless LAN Technology Options
- Manufacturers of wireless LANs have a range of technologies to choose from when designing a wireless LAN solution. Each technology comes with its own set of advantages and limitations.
- Spread Spectrum: Most wireless LAN systems use spread-spectrum technology, a wideband radio frequency technique developed by the military for use in reliable, secure, mission-critical communications systems. Spread spectrum is designed to trade off bandwidth efficiency for reliability, integrity and security. In other words, more bandwidth is consumed than in the case of narrowband transmission, but the trade-off produces a signal that is, in effect, louder and thus easier to detect, provided that the receiver knows the parameters of the spread-spectrum signal being broadcast. If a receiver is not tuned to the right frequency, a spread-spectrum signal looks like background noise. There are two types of spread-spectrum radio: frequency hopping and direct sequence. Note that the "security" of military spread spectrum comes from the spreading parameters being secret; in 802.11 the chipping codes and hop patterns are fixed by the public standard, so spread spectrum gives a WLAN resistance to interference but no confidentiality against an eavesdropper with standard equipment.
18 Terms
- IEEE 802.11 Standards
- IEEE has developed several specifications for WLAN technology, the names of which resemble the alphabet. There are basically two categories of standards: those that specify the fundamental protocols for the complete wireless system, these are called 802.11a, 802.11b and 802.11g, and those that address specific weaknesses or provide additional functionality, these are 802.11d, e, f, h, i, j, k, m and n. (802.11i is the security amendment that replaces WEP.)
- Frequency Hopping Spread Spectrum (FHSS)
- Here the signal hops from frequency to frequency over a wide band of frequencies. The transmitter and receiver change the frequency they operate on in accordance with a Pseudo-Random Sequence (PRS) of numbers. To properly communicate, both devices must be set to the same hopping code.
- Denial of Service
- A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service to be available or the temporary loss of all network connectivity and services.
19 Terms
- Direct Sequence Spread Spectrum (DSSS)
- DSSS combines a data signal with a higher data rate bit sequence, referred to as a chipping code. The data is exclusive-ORed (XOR) with a PRS, which results in a higher bit rate. This increases the signal's resistance to interference.
- Wireless Access Point (AP)
- An Access Point (AP) is a piece of hardware that connects wireless clients to a wired network. It usually has at least two network connections, and the wireless interface is typically an onboard radio or an embedded PCMCIA wireless card.
- Wireless Network Interface Cards (NICs)
- Each NIC has a unique Media Access Control (MAC) address burned into it at manufacture to uniquely identify it; it also contains a small radio device and an antenna. (Most drivers let the MAC address be overridden in software, so it identifies a card but does not authenticate it.)
- Jamming
- Jamming is a simple, yet highly effective, method of causing a DoS on a wireless LAN. Jamming, as the name suggests, involves the use of a device to intentionally create interfering radio signals to effectively jam the airwaves, resulting in the AP and any client devices being unable to transmit.
20 Wireless LANS: Narrowband
- Narrowband Technology
- A narrowband radio system transmits and receives user information on a specific radio frequency. Narrowband radio keeps the radio signal frequency as narrow as possible, just enough to pass the information. Undesirable crosstalk between communications channels is avoided by carefully coordinating different users on different channel frequencies.
- A private telephone line is much like a radio frequency. When each home in a neighborhood has its own private telephone line, people in one home cannot listen to calls made to other homes. In a radio system, privacy and non-interference are accomplished by the use of separate radio frequencies. The radio receiver filters out all radio signals except the ones on its designated frequency. (This "privacy" is only channel separation: any receiver tuned to the same frequency hears the channel.)
21 Frequency-Hopping Spread Spectrum Technology
- Frequency-hopping spread-spectrum (FHSS) uses a narrowband carrier that changes frequency in a pattern known to both transmitter and receiver. Properly synchronized, the net effect is to maintain a single logical channel. To an unintended receiver, FHSS appears to be short-duration impulse noise.
22 Direct-Sequence Spread Spectrum Technology
- Direct-sequence spread-spectrum (DSSS) generates a redundant bit pattern for each bit to be transmitted. This bit pattern is called a chip (or chipping code).
- The longer the chip, the greater the probability that the original data can be recovered (and, of course, the more bandwidth required).
- Even if one or more bits in the chip are damaged during transmission, statistical techniques embedded in the radio can recover the original data without the need for retransmission.
- To an unintended receiver, DSSS appears as low-power wideband noise and is rejected (ignored) by most narrowband receivers.
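To make the chipping described on this slide and in the DSSS definition on slide 19 concrete, here is an added Python example (not part of the original slides) that spreads data bits with the 11-chip Barker sequence used by 802.11 DSSS at 1 and 2 Mbps, damages chips to simulate narrowband interference, and recovers the data by correlating each 11-chip block against the code the receiver knows. The Barker sequence is the real 802.11 code; the payload and the error pattern are constructed for the demo.

```python
"""DSSS spreading with a chipping code (added example, not from the slides).

Each data bit is replaced by an 11-chip sequence: the code itself for a 0,
the inverted code for a 1 (that is, bit XOR code).  The receiver correlates
each 11-chip block against the code it knows; a majority of matching chips
means 0, a majority of mismatching chips means 1.  Up to 5 of the 11 chips
in a block can be corrupted and the bit is still recovered.
"""

# The 11-chip Barker sequence is the spreading code used by 802.11 DSSS at 1 and 2 Mbps.
BARKER_11 = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0]


def spread(bits, code=BARKER_11):
    """Spread data bits: output has len(code) chips per input bit (11x the bandwidth)."""
    return [b ^ c for b in bits for c in code]


def despread(chips, code=BARKER_11):
    """Recover data bits by correlating each block of chips with the known code.

    A block that agrees with the code on more than half its chips is a 0;
    otherwise it is a 1.  This is the 'statistical technique' that lets the
    radio tolerate damaged chips without retransmission.
    """
    n = len(code)
    if len(chips) % n:
        raise ValueError("chip stream is not a whole number of blocks")
    bits = []
    for start in range(0, len(chips), n):
        block = chips[start:start + n]
        agree = sum(1 for x, c in zip(block, code) if x == c)
        bits.append(0 if agree > n // 2 else 1)
    return bits


def corrupt_each_block(chips, flips, code_len=len(BARKER_11)):
    """Constructed interference: invert the first `flips` chips of every block."""
    out = list(chips)
    for start in range(0, len(out), code_len):
        for k in range(min(flips, code_len)):
            out[start + k] ^= 1
    return out


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def demo(payload=b"WLAN", flips=5):
    """Spread, damage `flips` chips per block, despread; return (recovered bytes, chips sent)."""
    chips = spread(bytes_to_bits(payload))
    damaged = corrupt_each_block(chips, flips)
    recovered = bits_to_bytes(despread(damaged))
    return recovered, len(chips)


if __name__ == "__main__":
    got, n_chips = demo()
    print(f"{n_chips} chips sent for {len(got)} bytes; recovered {got!r}")  # 352 chips, b'WLAN'
    print("6 flips per block:", demo(flips=6)[0])  # majority lost: every bit inverted
```

Five damaged chips per block is the limit for an 11-chip code; at six the majority flips and every recovered bit is inverted, which is why longer codes buy more robustness at the cost of more bandwidth, exactly the trade-off the slide describes.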
23 802.11 Introduction
- On the surface WLANs act the same as their wired counterparts, transporting data between network devices. However, there is one fundamental, and quite significant, difference: WLANs are based upon radio communications technology, as an alternative to structured wiring and cables.
- Data is transmitted between devices through the air by utilizing radio waves. Devices that participate in a WLAN must have a Network Interface Card (NIC) with wireless capabilities. This essentially means that the card contains a small radio device that allows it to communicate with other wireless devices within the defined frequency range for that card, e.g. the 2.4-2.4835 GHz ISM band.
- For a device to participate in a wireless network it must, firstly, be permitted to communicate with the devices in that network and, secondly, it must be within the transmission range of the devices in that network. To communicate, radio-based devices take advantage of electromagnetic waves and their ability to be altered in such a manner that they can carry information, known as modulation.
24 Intro....
Wired networks have always presented their own security issues, but wireless networks introduce a whole new set of rules with their own unique vulnerabilities. Most wired security measures are just not appropriate for application within a WLAN environment; this is mostly due to the complete change in transmission medium. However, some of the security implementations developed specifically for WLANs are also not terribly strong. Indeed, this aspect could be viewed as a work-in-progress: new vulnerabilities are being discovered just as quickly as security measures are being released. Perhaps the issue that has received the most publicity is the major weaknesses in WEP, and more particularly the use of the RC4 algorithm with a relatively short Initialisation Vector. WLANs suffer from all the security risks associated with their wired counterparts; however, they also introduce some unique risks of their own. The main issue with radio-based wireless networks is signal leakage. Due to the properties of radio transmissions it is impossible to contain signals within one clearly defined area.
25 WLAN Intro
- In addition, because data is not enclosed within cable it is very easy to intercept without being physically connected to the network. This puts it outside the limits of what a user can physically control: signals can be received outside the building and even from streets away.
- Signal leakage may not be a huge priority when organisations are implementing their WLAN, but it can present a significant security issue. The same signals that are transmitting data around an organisation's office are the same signals that can also be picked up from streets away by an unknown third party. This is what makes WLANs so vulnerable.
- Before WLANs became common, someone wishing to gain unauthorised access to a wired network had to physically attach themselves to a cable within the building. This is why wiring closets should be kept locked and secured. Any potential hacker had to take great risks to penetrate a wired network.
- Today potential hackers do not have to use extreme measures; there's no need to smuggle equipment on site when it can be done from two streets away. It is not difficult for someone to obtain the necessary equipment, and access can be gained in a very discreet manner from a distance.
26 DSSS Continued
27 How WLANs Work
- Wireless LANs use electromagnetic airwaves (radio and infrared) to communicate information from one point to another without relying on any physical connection. Radio waves are often referred to as radio carriers because they simply perform the function of delivering energy to a remote receiver.
- The data being transmitted is superimposed on the radio carrier so that it can be accurately extracted at the receiving end. This is generally referred to as modulation of the carrier by the information being transmitted. Once data is superimposed (modulated) onto the radio carrier, the radio signal occupies more than a single frequency, since the frequency or bit rate of the modulating information adds to the carrier.
- Multiple radio carriers can exist in the same space at the same time without interfering with each other if the radio waves are transmitted on different radio frequencies. To extract data, a radio receiver tunes in (or selects) one radio frequency while rejecting all other radio signals on different frequencies.
28 Wireless LANS Working
- In a typical WLAN configuration, a transmitter/receiver (transceiver) device, called an access point, connects to the wired network from a fixed location using standard Ethernet cable. At a minimum, the access point receives, buffers and transmits data between the WLAN and the wired network infrastructure.
- A single access point can support a small group of users and can function within a range of less than one hundred to several hundred feet. The access point (or the antenna attached to the access point) is usually mounted high but may be mounted essentially anywhere that is practical as long as the desired radio coverage is obtained.
- End users access the WLAN through wireless LAN adapters, which are implemented as PC cards in notebook computers, as ISA or PCI adapters in desktop computers, or as fully integrated devices within hand-held computers. WLAN adapters provide an interface between the client network operating system (NOS) and the airwaves (via an antenna). The nature of the wireless connection is transparent to the NOS.
29 Wireless LANS Configurations
- Independent WLANs
- The simplest WLAN configuration is an independent (or peer-to-peer) WLAN that connects a set of PCs with wireless adapters. Any time two or more wireless adapters are within range of each other, they can set up an independent network (Figure 3). These on-demand networks typically require no administration or preconfiguration.
[Figure 3: Independent WLAN]
30 Wireless LAN Configurations
- Access points can extend the range of independent WLANs by acting as a repeater (see below), effectively doubling the distance between wireless PCs.
[Figure: Extended-Range Independent WLAN Using Access Point as Repeater]
31 Infrastructure WLANs
- In infrastructure WLANs, multiple access points link the WLAN to the wired network and allow users to efficiently share network resources. The access points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. Multiple access points can provide wireless coverage for an entire building or campus.
32 Microcells and Roaming
- Wireless communication is limited by how far signals carry for a given power output. WLANs use cells, called microcells, similar to the cellular telephone system, to extend the range of wireless connectivity. At any point in time, a mobile PC equipped with a WLAN adapter is associated with a single access point and its microcell, or area of coverage.
- Individual microcells overlap to allow continuous communication within the wired network. They handle low-power signals and hand off users as they roam through a given geographic area.
33 Range/Coverage
- The distance over which RF waves can communicate is a function of product design (including transmitted power and receiver design) and the propagation path, especially in indoor environments.
- Interactions with typical building objects, including walls, metal and even people, can affect how energy propagates, and thus what range and coverage a particular system achieves.
- Most wireless LAN systems use RF because radio waves can penetrate many indoor walls and surfaces.
- The range (or radius of coverage) for typical WLAN systems varies from under 100 feet to more than 500 feet.
- Coverage can be extended, and true freedom of mobility via roaming provided, through microcells.
34 Throughput
- As with wired LAN systems, actual throughput in wireless LANs is dependent upon the product and how it is configured.
- Factors that affect throughput include:
- airwave congestion (number of users), propagation factors such as range and multipath,
- the type of WLAN system used,
- as well as the latency and bottlenecks on the wired portions of the WLAN.
- Typical data rates range from 1 to 100 Mbps.
35 Multipath Effects
- As the figure below shows, a radio signal can take multiple paths from a transmitter to a receiver, an attribute called multipath. Reflections of the signals can cause them to become stronger or weaker, which can affect data throughput. Effects of multipath depend on the number of reflective surfaces in the environment, the distance from the transmitter to the receiver, the product design and the radio technology.
[Figure: Radio Signals Traveling over Multiple Paths]
36 Putting a WLAN together
- The actual wireless transceiver, with a small, integrated antenna, is built into an ISA, PCI or PCMCIA card. If you have a laptop computer, the PCMCIA card plugs directly into one of the PCMCIA slots. For desktop computers, you will either need a dedicated ISA or PCI HomeRF card, or a PCMCIA card with a special adapter.
- ISA and PCI adapters are inserted inside the computer and have a slot that is accessible from the back of your computer so you can plug in the PCMCIA card. USB adapters are external devices that you plug the PCMCIA card into and then connect to a USB port on the computer.
- Some of the WLAN manufacturers sell kits that include the appropriate adapter along with the PCMCIA cards and installation software. Currently, because of the need to use dedicated cards, only computers can participate in a WLAN network. Printers and other peripheral devices need to be physically connected to a computer and shared as a resource by that computer.
37 Interference and Coexistence
- The unlicensed nature of radio-based wireless LANs means that other products that transmit energy in the same frequency spectrum can potentially provide some measure of interference to a WLAN system.
- Microwave ovens are a potential concern, but most WLAN manufacturers design their products to account for microwave interference.
- Another concern is the co-location of multiple WLAN systems. While co-located WLANs from different vendors may interfere with each other, others coexist without interference.
- This issue is best addressed directly with the appropriate vendors.
38 Simplicity/Ease of Use
- Users need very little new information to take advantage of wireless LANs; applications work the same as they do on tethered LANs.
- WLAN products incorporate a variety of diagnostic tools to address issues associated with the wireless elements of the system; however, products are designed so that most users rarely need these tools. WLANs simplify many of the installation and configuration issues that plague network managers.
- Since only the access points of WLANs require cabling, network managers are freed from pulling cables for WLAN end users. Lack of cabling also makes moves, adds and changes trivial operations on WLANs. Finally, the portable nature of WLANs lets network managers pre-configure and troubleshoot entire networks before installing them at remote locations.
39 Scalability, Battery Life, Safety
- Scalability: Wireless networks can be designed to be extremely simple or quite complex. Wireless networks can support large numbers of nodes and/or large physical areas by adding access points to boost or extend coverage.
- Battery Life for Mobile Platforms: End-user wireless products are capable of being completely untethered, and run off the battery power from their host notebook or hand-held computer. WLAN vendors typically employ special design techniques to minimize the host computer's energy usage and maximize battery life.
- Safety: The output power of wireless LAN systems is very low, much less than that of a hand-held cellular phone. Since radio waves fade rapidly over distance, very little exposure to RF energy is provided to those in the area of a wireless LAN system. Wireless LANs must meet stringent government and industry regulations for safety. No adverse health effects have ever been attributed to wireless LANs.
40 Wireless Security Mechanisms
- To go some way towards providing the same level of security the cable provides in wired networks, Wired Equivalent Privacy (WEP) was developed. WEP was designed to provide the security of a wired LAN by encryption through use of the RC4 (Rivest Cipher 4) algorithm.
- Its primary function was to safeguard against eavesdropping (sniffing), by making the data that is transmitted unreadable by a third party who does not have the correct WEP key to decrypt the data. RC4 is not specific to WEP; it is a pseudo-random generator, also known as a keystream generator or stream cipher, developed at RSA Laboratories by Ron Rivest in 1987 (hence the name Rivest Cipher (RC)).
- It takes a relatively short input (the key) and produces an arbitrarily long output, called a pseudo-random key stream.
- This key stream is simply added modulo two, that is exclusive-ORed (XOR), with the data to be transmitted, to generate what is known as ciphertext.
41 WEP
- WEP is applied to all data above the 802.11b WLAN layers (Physical and Data Link Layers, the first two layers of the OSI Reference Model) to protect traffic such as Transmission Control Protocol/Internet Protocol (TCP/IP), Internetwork Packet Exchange (IPX) and Hyper Text Transfer Protocol (HTTP).
- It should be noted that only the frame body of data frames is encrypted; the entire frame of other frame types (management and control frames) is transmitted in the clear, unencrypted. An Initialisation Vector (IV) is used in conjunction with the secret encryption key so that consecutive frames are not encrypted with the same key stream; the IV is 24 bits long.
- The shared key and the IV are fed into the RC4 algorithm to produce the key stream. This is XORed with the data and its integrity check value to produce the ciphertext; the IV is transmitted in the clear at the front of the encrypted frame body. The IV of the incoming message is used, together with the shared key, to regenerate the key sequence necessary to decrypt the incoming message. The ciphertext, combined with the proper key sequence, yields the original plaintext and integrity check value (ICV).
42 WEP
- The decryption is verified by performing the integrity check algorithm (a CRC-32) on the recovered plaintext and comparing the output ICV to the ICV transmitted with the message. If it is in error, the frame is discarded and an error is indicated to MAC management. The IV increases the RC4 key size: for example, a 104-bit WEP key with a 24-bit IV becomes a 128-bit RC4 key. In general, increasing the key size increases the security of a cryptographic technique, but note that the IV is sent in the clear, so only the 104 bits of the shared key are secret.
- Research has shown that key sizes of greater than 80 bits make brute-force code breaking extremely difficult. For an 80-bit key, the number of possible keys is 2^80, roughly 10^24, which puts computing power to the test; this type of computing power is beyond the reach of most attackers. The standard key in use today is "64-bit" WEP, i.e. a 40-bit shared key plus the 24-bit IV. However, research has shown that the WEP approach to privacy is vulnerable to certain attacks regardless of key size. Although the application of WEP may stop casual sniffers, determined hackers can crack WEP keys in a busy network within a relatively short period of time.
- Brute force: a method that relies on sheer computing power to try all possibilities until the solution to a problem is found; it usually refers to cracking passwords by trying every possible combination of a particular key space.
43 WEP's Weaknesses
- When WEP is enabled in accordance with the 802.11b standard, the network administrator must personally visit each wireless device in use and manually enter the appropriate WEP key.
- This may be acceptable at the installation stage of a WLAN or when a new client joins the network, but if the key becomes compromised and there is a loss of security, the key must be changed. This may not be a huge issue in a small organisation with only a few users, but it can be impractical in large corporations, who typically have hundreds of users.
- As a consequence, potentially hundreds of users and devices could be using the same, identical, key for long periods of time. All wireless network traffic from all users will be encrypted using the same key; this makes it a lot easier for someone listening to traffic to crack the key, as there are so many packets being transmitted using the same key.
- Unfortunately, there were no key management provisions in the original WEP protocol.
44 WEP Weaknesses
- WEP also prepends a 24-bit initialisation vector to the shared key. WEP uses this combined IV and key to generate the RC4 key schedule; it selects a new IV for each packet, so each packet can have a different key stream.
- Mathematically there are only 16,777,216 (2^24) possible values for the IV. This may seem like a huge number, but given that it takes so many packets to transmit useful data, 16 million packets can easily go by in hours on a heavily used network. Eventually the same IVs, and therefore the same RC4 key streams, are used over and over.
- Thus, someone passively listening to encrypted traffic and picking out the repeating IVs can begin to deduce what the WEP key is. Made easier by the fact that there is a static variable (the shared key), an attacker can eventually crack the WEP key. For example, a busy AP which constantly sends 1500-byte packets at 11 Mbps will exhaust the space of IVs after 1500 × 8 / (11 × 10^6) × 2^24 ≈ 18,000 seconds, or about 5 hours. (The amount of time may actually be smaller, since many packets are less than 1500 bytes, and smaller still if IVs are chosen at random rather than sequentially: by the birthday bound a repeated IV becomes likely after only a few thousand frames.)
- This allows an attacker to collect two ciphertexts that are encrypted with the same key stream. This reveals information about both messages: XORing two ciphertexts that use the same key stream cancels out the key stream, and the result is the XOR of the two plaintexts.
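The WEP construction from slides 40 to 42 and the two weaknesses on this slide, as an added Python example that is not part of the original slides: RC4 keyed with IV||shared key, a CRC-32 ICV appended before encryption and verified after decryption, the IV-exhaustion arithmetic quoted above, and what falls out when two frames share an IV. The 40-bit key, the IV and the two payloads are constructed for the demo; the CRC-32 ICV and the IV-in-front frame layout are WEP's real ones.

```python
"""WEP frame protection and its classic weaknesses (added example, not from the slides).

Shows RC4 keystream generation from IV||key, the CRC-32 ICV, how long a
saturated 11 Mbps link takes to use every 24-bit IV, and what an eavesdropper
learns from two frames encrypted under the same IV.  Key, IV and payloads
below are constructed for the demo.
"""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling algorithm (KSA), then pseudo-random generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP's integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypted frame body = IV (in the clear) || RC4(IV||key) XOR (plaintext || ICV)."""
    if len(iv) != 3 or len(shared_key) not in (5, 13):  # 24-bit IV; 40- or 104-bit key
        raise ValueError("IV must be 3 bytes, key 5 or 13 bytes")
    keystream = rc4_keystream(iv + shared_key, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(shared_key: bytes, frame_body: bytes):
    """Return (plaintext, icv_ok). A receiver discards the frame when icv_ok is False."""
    iv, ciphertext = frame_body[:3], frame_body[3:]
    keystream = rc4_keystream(iv + shared_key, len(ciphertext))
    recovered = xor(ciphertext, keystream)
    plaintext, received_icv = recovered[:-4], recovered[-4:]
    return plaintext, received_icv == icv(plaintext)


def seconds_to_exhaust_ivs(frame_bytes=1500, rate_bps=11_000_000, iv_bits=24):
    """Time for a saturated link to use every IV once (the slide's 5-hour figure)."""
    return frame_bytes * 8 / rate_bps * 2 ** iv_bits


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames with the same IV share a keystream, so C_a XOR C_b = P_a XOR P_b."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames do not share an IV")
    return xor(frame_a[3:], frame_b[3:])


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")   # constructed 40-bit ("64-bit WEP") shared key
    iv = bytes.fromhex("000001")        # constructed IV, reused on both frames below
    p_a = b"GET /index.html "
    p_b = b"POST /login.php "
    f_a = wep_encrypt(key, iv, p_a)
    f_b = wep_encrypt(key, iv, p_b)
    print(wep_decrypt(key, f_a))        # (b'GET /index.html ', True)
    print(f"IV space exhausted in {seconds_to_exhaust_ivs() / 3600:.1f} h")
    leak = keystream_reuse_leak(f_a, f_b)[:len(p_a)]
    # Knowing one plaintext (a guessable request line) yields the other outright.
    print(xor(leak, p_a))               # b'POST /login.php '
```

The leak function needs no key at all: the eavesdropper matches frames by the clear-text IV, XORs the ciphertexts, and is left with the XOR of two plaintexts, which a single known or guessed plaintext turns into the other one. That is why the slide's 5-hour figure is an upper bound on how long a busy WEP network stays confidential, before any key-recovery attack is even attempted.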
45 Wireless Attack Methods
- A passive attack is an attack on a system that does not result in a change to the system in any way; the attack is purely to monitor or record data. Passive attacks affect confidentiality, but not necessarily authentication or integrity. Eavesdropping and traffic analysis fall under this category. When an attacker eavesdrops, they simply monitor transmissions for message content. It usually takes the form of someone listening in to the transmissions on a LAN between stations/devices.
- Eavesdropping is also known as sniffing or wireless footprinting. There are various tools available for download online which allow the monitoring of networks and their traffic, developed by hackers, for hackers.
- NetStumbler, Kismet, AirSnort, WEPCrack and Ethereal are all well known names in wireless hacking circles, and all are designed specifically for use on wireless networks, with the exception of Ethereal (now Wireshark), which is a general packet analyser and can also be used on a wired LAN.
- NetStumbler and Kismet are used for eavesdropping; they have no additional active functions, except perhaps their ability to work in conjunction with Global Positioning Systems to map the exact locations of identified wireless LANs. Strictly, only Kismet is passive: as the next slide notes, NetStumbler transmits Probe Requests to find networks.
46 Attack Methods
- NetStumbler is a Windows-based sniffer, whereas Kismet is primarily a Linux-based tool. NetStumbler uses an 802.11 Probe Request sent to the broadcast destination address, which causes all APs in the area to issue an 802.11 Probe Response containing network configuration information, such as their SSID, WEP status, the MAC address of the device, name (if applicable), etc.
- Using the network information and GPS data collected, it is then possible to create maps with tools such as StumbVerter and MS MapPoint.
- Kismet, although not as graphical or user-friendly as NetStumbler, is similar to its Windows counterpart but provides superior functionality. While scanning for APs, packets can also be logged for later analysis. Logging features allow captured packets to be stored in separate categories, depending upon the type of traffic captured. Kismet can even store encrypted packets that use weak keys separately, to run them through a WEP key cracker such as Airsnort or WEPCrack after capture (Sundaralingham, 2005). Wireless network GPS information can be uploaded to a site called Wigle (http://www.wigle.net). Therefore, if Wigle data exists for a particular area, there is no need to drive around that area probing for wireless devices; this information can be obtained in advance from the Wigle web site.
47 Attack Methods
- Traffic analysis gains intelligence in a more subtle way, by monitoring transmissions for patterns of communication. A considerable amount of information is contained in the flow of messages between communicating parties. AiroPeek NX, a commercial 802.11 monitoring and analysis tool for Windows, analyses transmissions and provides a useful node view, which groups detected stations and devices by their MAC address and also shows the IP addresses and protocols observed for each.
- The Peer Map view within AiroPeek NX presents a matrix of all hosts discovered on the network by their connections to each other. This can make it very easy to visualise AP and client relationships, which could be useful to hackers in deciding where to try to gain access or what to target for an attack. Some attacks may begin as passive and then cross over to active as they progress.
- For example, tools such as Airsnort or WEPCrack may passively monitor transmissions, but their intent is to crack the WEP key used to encrypt the data being transmitted. Ultimately the reason for wanting to crack the key is so that an unauthorised individual can access a protected network and then launch an active attack of some form or another. These types of attack are classed as passive decryption attacks.
48 Active Attack
- An active attack, also referred to as a malicious attack, occurs when an unauthorised third party gains access to a network and proceeds to perform a Denial of Service (DoS) attack to disrupt the proper operation of the network, to intercept network traffic and either modify or delete it, or to inject extra traffic onto the network.
- There are many active attacks that can be launched against wireless networks; the following few paragraphs outline almost all of these attacks, how they work and what effect they have.
- DoS attacks are easily the most prevalent type of attack against 802.11 networks, and can be waged against a single client or an entire WLAN. In this type of attack the hacker usually does not steal information; they simply prevent users from accessing network services, or cause services to be interrupted or delayed.
- Consequences can range from a measurable reduction in performance to the complete failure of the system. Some common DoS attacks are outlined below.
49 Man in the Middle
- A man-in-the-middle attack is carried out by inserting a malicious station between the victim station and the AP; the attacker thus becomes the man in the middle. The station is tricked into believing that the attacker is the AP, and the AP into believing that the attacker is the legitimate station.
- To begin the attack, the perpetrator passively monitors, with an 802.11 analyser, the frames sent back and forth between the station and the AP during the initial association process.
- As a result, information is obtained about both the station and the AP, such as the MAC and IP addresses of both devices, the association ID for the station and the SSID of the network. With this information a rogue station/AP can be set up between the two unsuspecting devices.
- Because the original 802.11 standard does not provide mutual authentication, a station will happily re-associate with the rogue AP. The rogue AP will then capture traffic from unsuspecting users; this of course can expose information such as user names and passwords.
50 Association Flood
- An association flood is a resource starvation attack. When a station associates with an AP, the AP issues an Association Identification number (AID) to the station in the range 1-2007.
- This value is used for communicating power management information to a station that has been in a power-save state. The attack works by sending multiple authentication and association requests to the AP, each with a unique source MAC address.
- The AP is unable to differentiate the authentication requests generated by an attacker from those created by legitimate clients, so it is forced to process each request. Eventually, the AP will run out of AIDs to allocate and will be forced to disassociate stations in order to reuse previously allocated AIDs.
- In practice, many APs will restart after a few minutes of authentication flooding; however, this attack is effective in bringing down entire networks or network segments and, if repeatedly carried out, can cause a noticeable decrease in network uptime.
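Seen from the defending side, the signature of this attack is a burst of association requests from many distinct, never-seen MAC addresses. The following Python is an added example, not from the original slides: it runs a sliding-window count of distinct associating MACs over a constructed AP event log (the line format `<epoch> assoc-req src=<mac>` is hypothetical; real AP or WIDS logs differ), raises one alert per burst when the count exceeds a threshold, and reports how much of the 1-2007 AID range that burst would consume.

```python
"""Spotting an association flood from AP event logs (defender's view).

Added example, not code from the original slides.  The log format is
hypothetical and constructed for the demo: one line per 802.11 management
event, "<epoch-seconds> <auth-req|assoc-req> src=<mac>".  Real AP or WIDS
logs look different; the sliding-window logic is what carries over.
"""
import re
from collections import deque

MAX_AIDS = 2007  # AIDs are issued in the range 1-2007

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<event>auth-req|assoc-req)\s+"
    r"src=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, event, mac), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["event"].lower(), m["mac"].lower()


def aid_pressure(distinct_macs: int) -> float:
    """Fraction of the AID space the observed distinct clients would consume."""
    return distinct_macs / MAX_AIDS


def detect_association_flood(lines, window_s: float = 10.0, max_distinct: int = 50):
    """Raise one alert per burst in which more than `max_distinct` distinct source
    MACs send association requests inside a `window_s`-second sliding window.

    Legitimate clients associate rarely and from a stable set of addresses, so a
    burst of association requests from many never-seen MACs is the signature of
    the AID-exhaustion attack described on the slide.  Returns a list of
    (timestamp, distinct_macs_in_window) tuples.
    """
    window = deque()   # (ts, mac) for assoc-req events still inside the window
    counts = {}        # mac -> number of its events currently in the window
    alerts = []
    alarm_active = False
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != "assoc-req":
            continue
        ts, _, mac = rec
        window.append((ts, mac))
        counts[mac] = counts.get(mac, 0) + 1
        while window and ts - window[0][0] > window_s:   # expire old events
            _, old_mac = window.popleft()
            counts[old_mac] -= 1
            if counts[old_mac] == 0:
                del counts[old_mac]
        distinct = len(counts)
        if distinct > max_distinct:
            if not alarm_active:                          # alert once per burst
                alerts.append((ts, distinct))
                alarm_active = True
        else:
            alarm_active = False
    return alerts


def sample_log(flood: bool = True):
    """Constructed log: three legitimate clients at t=1000, then optionally a
    burst of association requests from 200 distinct MACs starting at t=1020."""
    lines = []
    legit = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
    for i, mac in enumerate(legit):
        lines.append(f"1000.{i} auth-req src={mac}")
        lines.append(f"1000.{i} assoc-req src={mac}")
    if flood:
        for n in range(200):
            mac = "02:00:00:00:%02x:%02x" % (n // 256, n % 256)
            lines.append(f"{1020 + n * 0.02:.2f} assoc-req src={mac}")
    return lines


if __name__ == "__main__":
    for ts, distinct in detect_association_flood(sample_log()):
        print(f"t={ts:.2f}: {distinct} distinct MACs associating within 10 s "
              f"({aid_pressure(distinct):.1%} of the AID space)")
```

The threshold and window are deliberately parameters: the right values depend on how many clients a given AP normally serves, and the one-alert-per-burst latch keeps a sustained flood from producing one alert per packet.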
51 SNMP Weaknesses
- The final issue is a threat posed by the Simple Network Management Protocol (SNMP). Some APs can be managed via the wireless link, usually with a proprietary application relying on SNMP.
- Executing these operations can represent a frightening vulnerability for the whole LAN, because eavesdroppers can decipher the password to access read/write mode on the AP using a packet analyser. This means that they share the same administration privileges as the WLAN administrator and can manage the WLAN in a malicious manner.
- The sheer number of attacks, and their effects, would seem to put WLANs at a severe disadvantage compared with their wired counterparts. However, there are just as many, if not more, security measures that users can utilise to counteract most of the above attacks.
- Layering one security measure on top of another strengthens the overall system, to deter any potential attackers or make their task more difficult, if not impossible.
52 Summary
- Wireless networks have a number of security issues. Signal leakage means that network communications can be picked up outside the physical boundaries of the building in which they are being operated, meaning a hacker can operate from the street outside or discreetly from blocks away.
- In addition to signal leakage, wireless networks have various other weaknesses. WEP, the protocol used within WLANs to provide the equivalent security of wired networks, is inherently weak.
- The use of the RC4 algorithm and weak IVs makes WEP a vulnerable security measure. In addition to WEP's weaknesses there are various other attacks that can be initiated against WLANs, all with detrimental effects.