Friday 27 July 2012

Logarithm

So here's an interesting topic and one I think I'll remember because I already half know it under another guise.

The reason I'm posting about logarithms is because wireless networking uses a logarithmic scale in decibels. Binary is also a logarithmic scale.

A logarithm is essentially a power: it tells you what power the base has to be raised to in order to get a number. For example, the logarithm that goes with binary is base 2.

For example:
log10(1000) = 3. You read this as "the log of 1000 to base 10 is 3", because 10 x 10 x 10 = 10^3 = 1000.
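As an added example (not from the original post), here is the same idea in Python, taken one step further into the decibel use the post mentions: a dB value is 10 times the base-10 log of a power ratio, and dBm is that ratio against 1 mW. Because a logarithm turns multiplication into addition, a link budget is just a sum of dB terms. The link-budget numbers at the bottom are constructed.

```python
import math

# Added example (not from the blog post): a logarithm is the power you raise the
# base to, and wireless signal levels use that idea as decibels (dB / dBm).
# The dB formulas below are the standard 10 * log10(power ratio), an addition
# beyond the single log10(1000) example in the post.


def log_base(x: float, base: float) -> float:
    """log_base(x): the power p such that base ** p == x."""
    return math.log(x) / math.log(base)


def mw_to_dbm(milliwatts: float) -> float:
    """dBm is a power expressed on a log scale relative to 1 mW."""
    return 10 * math.log10(milliwatts)


def dbm_to_mw(dbm: float) -> float:
    """Inverse of mw_to_dbm: undo the log by raising the base (10) to the power."""
    return 10 ** (dbm / 10)


def rx_power_dbm(tx_dbm: float, gains_db: list, losses_db: list) -> float:
    """Link budget: since dB is logarithmic, multiplying powers becomes adding dB.
    Received level = transmit level + antenna gains - path and cable losses."""
    return tx_dbm + sum(gains_db) - sum(losses_db)


if __name__ == "__main__":
    print(log_base(1000, 10))           # ~3: 10 * 10 * 10 = 1000
    print(log_base(1024, 2))            # ~10: 2 ** 10 = 1024, the binary (base 2) case
    print(mw_to_dbm(100))               # 20.0 dBm
    print(mw_to_dbm(2))                 # ~3.01 dB: doubling the power adds about 3 dB
    print(dbm_to_mw(-65))               # ~3.2e-7 mW: a typical neighbour-AP level in dBm
    # Constructed link budget: 20 dBm transmitter, +2 dBi antenna, 87 dB path loss
    print(rx_power_dbm(20, [2], [87]))  # -65.0 dBm
```

Note that `log_base(1000, 10)` computed as a ratio of natural logs comes out a hair under 3 in floating point; use `math.log10` or `math.log2` directly when the base is fixed.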

References:
http://en.wikipedia.org/wiki/Logarithm

Monday 23 July 2012

CCNA Wireless Revision

So I'm starting to get down to revision for the CCNA Wireless. I'm trying to pick a specialisation and I figure the best way to do this is get immersed enough with each technology without going too deep, see if I can find something that I really enjoy and will be happy for the next few years focusing on.

I'm starting with wireless because it's interesting, it's very relevant and the knowledge will definitely be useful even if I decide to go a different way.

I haven't decided exactly how I'm going to do this yet, but I'll be posting my revision notes up somewhere on this blog; any comments are welcome. I'd also love to hear from anyone who's recently done the CCNA Wireless, especially because there is very little current study material out, only the old stuff for IUWNE 640-721 when really I need 640-722. Hopefully it'll be released soon! If not, well then, we'll just crack on and see what happens.

Wednesday 18 July 2012

Wireless Authentication - 4 Way Handshake

The authentication process for WPA is known as the 4-way handshake, which is required for a client to be authenticated onto the network.

At the start of the process the client and the AP both know the passphrase (PSK) and the Pairwise Master Key (PMK) which is computed from the PSK and SSID.

The first step is for the AP and client to form a new key called the Pairwise Transient Key (PTK). This key is a function of the PMK, a random number from the AP (A-nonce), a random number from the client (S-nonce) and the MAC addresses of the AP and client.
  1. The AP sends an A-nonce to the client.
  2. The client sends an S-nonce to the AP, as well as a MIC. The AP uses the MIC to verify that the client has the PMK: if the MIC is incorrect then the PTK, and therefore the PMK, is incorrect, because the PTK is derived from the PMK.
  3. The AP sends a GTK (Group Temporal Key) to the client, plus a MIC.
  4. The client sends an acknowledgement to the AP.
The client and AP can now install the key and begin encrypting the traffic.

This 4-way handshake is also used for WPA Enterprise as well as WPA-PSK; the difference is that the PMK is derived from the client's EAP authentication with the RADIUS server.
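Messages 1 and 2 of the handshake, as an added example that is not part of the original post or any vendor code: the client and AP each derive the PMK from the passphrase and SSID, each derive the PTK from the PMK, both nonces and both MAC addresses, and the AP checks the MIC on message 2 with its own copy of the key. The EAPOL-Key frame, SSID, MAC addresses and passphrases are all constructed; the derivation itself (PBKDF2-HMAC-SHA1 for the PMK, the 802.11i PRF for the PTK, HMAC-SHA1 truncated to 128 bits for the WPA2 MIC) is the standard one.

```python
import hashlib
import hmac
import os

# Added example, not from the blog post or any vendor code. It walks the key
# derivation behind the 4-way handshake for WPA2-Personal (CCMP): PMK from the
# passphrase and SSID, PTK from PMK + both nonces + both MAC addresses, and the
# EAPOL-Key MIC that lets the AP confirm the client holds the same PMK.
# The EAPOL-Key frame below is a constructed, minimal message 2.

MIC_OFFSET = 81   # byte offset of the 16-byte MIC field in an EAPOL-Key frame
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter) blocks, concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (48 bytes for CCMP) = KCK(16) | KEK(16) | TK(16).
    The inputs are sorted, so AP and client compute the same key independently."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_key_msg2(snonce: bytes) -> bytearray:
    """Constructed message 2 (client -> AP) with the MIC field zeroed.
    Layout: EAPOL hdr(4) | type(1) | key info(2) | key len(2) | replay ctr(8)
            | nonce(32) | IV(16) | RSC(8) | ID(8) | MIC(16) | key data len(2)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + (1).to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(MIC_LEN) + b"\x00\x00")
    return bytearray(b"\x01\x03" + len(body).to_bytes(2, "big") + body)


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 EAPOL-Key MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = bytearray(frame)
    zeroed[MIC_OFFSET:MIC_OFFSET + MIC_LEN] = bytes(MIC_LEN)
    return hmac.new(kck, bytes(zeroed), hashlib.sha1).digest()[:MIC_LEN]


def ap_verify_mic(ptk: bytes, frame: bytes) -> bool:
    """The AP recomputes the MIC with its own KCK (the first 16 bytes of its PTK)."""
    expected = compute_mic(ptk[:16], frame)
    return hmac.compare_digest(expected, bytes(frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN]))


def handshake(ap_passphrase: str, client_passphrase: str, ssid: str = "constructed-ssid") -> bool:
    """Messages 1 and 2 of the handshake; returns whether the AP accepts the client's MIC."""
    ap_mac = bytes.fromhex("0200000000aa")       # constructed, locally administered MACs
    client_mac = bytes.fromhex("0200000000bb")
    anonce = os.urandom(32)                      # message 1: AP -> client carries the A-nonce
    snonce = os.urandom(32)
    # Client side: derive PMK and PTK, build message 2, fill in the MIC
    ptk_client = derive_ptk(derive_pmk(client_passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    frame = eapol_key_msg2(snonce)
    frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN] = compute_mic(ptk_client[:16], bytes(frame))
    # AP side: derive its own PTK from its own PMK plus the two nonces, then check the MIC
    ptk_ap = derive_ptk(derive_pmk(ap_passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    return ap_verify_mic(ptk_ap, frame)


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())          # 802.11 standard test vector: f42c6fc5...
    print(handshake("correct horse", "correct horse"))   # True: same PMK, so the MIC verifies
    print(handshake("correct horse", "wrong horse"))     # False: different PMK -> different PTK -> MIC mismatch
```

The second `handshake` call is the point the post makes in step 2: a client that does not hold the PMK derives a different PTK, so its MIC fails the AP's check and the handshake stops before any key is installed.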

Here is a good reference from Wikipedia which details a drawing to help remember the process:
http://upload.wikimedia.org/wikipedia/commons/a/ac/4-way-handshake.svg

Full article is below:
http://en.wikipedia.org/wiki/IEEE_802.11i-2004

Wednesday 11 July 2012

TOS / COS - Type of Service / Class of Service

Type of Service (TOS) is an 8 bit field in the IP header which can be used for differentiating the treatment for that packet. TOS is an older method not used as much any more because it has been superseded by the Class of Service (COS). This redefining of the TOS field is called the Differentiated Services (DiffServ) Framework.

COS uses 6 bits in the DiffServ field, called the DiffServ Code Point (DSCP). 6 bits allows 64 classes, which can be the predefined classes or manually chosen. The queueing and forwarding treatment of the IP packet is called Per Hop Behaviour (PHB).

The last 2 bits of the DiffServ field are the ECN (Explicit Congestion Notification) bits, which can be used to signal congestion.
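An added example (not from the original post) that splits the 8-bit DS byte into its 6-bit DSCP and 2-bit ECN fields and names the well-known per-hop behaviours. The PHB numbering (EF = 46, CSx = 8x, AFxy = 8x + 2y) and the ECN codepoint names are the standard assignments, which the post does not list; the IPv4 header at the bottom is constructed.

```python
# Added example, not from the blog post: split the 8-bit TOS/DS byte into the
# 6-bit DSCP and 2-bit ECN fields and name the standard per-hop behaviours.

ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE (congestion experienced)"}


def phb_name(dscp: int) -> str:
    """Map a DSCP value to its well-known PHB name, or 'unassigned/local' otherwise."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field (0-63)")
    if dscp == 0:
        return "BE (default)"
    if dscp == 46:
        return "EF"
    cls, rem = divmod(dscp, 8)
    if rem == 0:
        return f"CS{cls}"                 # class selectors: 8, 16, ... 56
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"AF{cls}{rem // 2}"       # assured forwarding: class 1-4, drop precedence 1-3
    return "unassigned/local"


def decode_ds_byte(tos: int) -> dict:
    """DSCP is the top 6 bits of the old TOS byte, ECN the bottom 2."""
    if not 0 <= tos <= 255:
        raise ValueError("DS byte is 8 bits")
    dscp = tos >> 2
    ecn = tos & 0b11
    return {"dscp": dscp, "phb": phb_name(dscp), "ecn": ecn, "ecn_name": ECN_NAMES[ecn]}


def ds_byte_from_ipv4(packet: bytes) -> int:
    """Pull the DS byte (second octet) out of an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1]


if __name__ == "__main__":
    # Constructed IPv4 header: DS byte 0xb8 = DSCP 46 (EF), ECN 0
    hdr = bytes.fromhex("45b8003400004000400600000a0000010a000002")
    print(decode_ds_byte(ds_byte_from_ipv4(hdr)))
    print(decode_ds_byte(0x8a))   # DSCP 34 = AF41, ECN 2 = ECT(0)
    print(decode_ds_byte(0xa0))   # DSCP 40 = CS5
```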

Routing Protocols Interesting Tidbit

Here's something I didn't realise; BGP and RIP are actually application layer protocols, in regards to the TCP/IP Stack, because BGP uses TCP to send messages, and RIP uses UDP. In contrast other routing protocols, such as OSPF, are at the Internet layer (Network layer in the OSI model) because they encapsulate messages directly into IP packets.

Tuesday 10 July 2012

Home Network Update - New Items

So I've sourced a few items from the wonderful place which is eBay and I've got a few ideas for them:
Cisco2811-SEC/K9 - Cisco 2811 router with security licence
AIR-AP1131AG-E-K9 - Cisco 1131 autonomous access point

The 2811 was at a price I couldn't refuse, so I'm not 100% sure what to do with it yet, but I'll have a think and implement it somehow. I'm umming and ahhing about converting it to run CCME? That would be a really interesting little project, I've got a couple of phones lying around, so I'd only need PVDMs, CCME software, and licenses.

The access point is an easy one, it'll extend the wireless network, hopefully giving me decent signal throughout the house, but it'll be interesting to see exactly how this works without a controller...

Next purchases will likely be a small switch of some kind, a 2960C maybe, because I'm rapidly running out of ports. I also want an ASA5505 because I'm starting to worry I can't achieve what I wanted to with my little 877W and its IOS SSL WebVPN.

Friday 6 July 2012

Wireless Connection Process

Below is the process a wireless client goes through in order to get access to a wireless network:

Step 1 - Start
This is the initial connection between the client and AP. This is where L2 security authentication and encryption mechanisms are in place, for example: none, static WEP, 802.1X, WPA / WPA2.

Step 2 - DHCP
L3 operations start here, an IP address is attained as well as L3 security elements, such as authentication via a webpage at a hotspot. This could be the first phase if L2 security isn't configured.

Step 3 - Mobility
The client's final IP address is applied here and it can fully function at L3. The address could well have changed from step 2 if web authentication was used.

Step 4 - Run
The client is live and sending data.

Layer 2 security comprises:
Authentication - 802.1X or PSK
Encryption - None, WEP, WPA or WPA2 (TKIP or AES)


Thursday 5 July 2012

Cisco WLC Interfaces

Ports on a WLC are physical interfaces. Below are the different types of ports:
Service Port - RJ45 connection used for Out Of Band (OOB) management. It cannot carry traffic and is not auto sensing so it must connect to a switch access port and must have the correct cable. No default gateway can be set so the management station should be on the same subnet or a static route will need to be defined.
Console Port - standard DB9 console port
Utility Port - For future use
Distribution Ports - These ports are for controlling APs and network connectivity.

Interfaces on a WLC are logical and need to be mapped to a port. Many interfaces can be mapped to a single port. Interfaces are either predefined or user defined. User defined interfaces are dynamic and are used for the VLANs that carry WLAN access. Predefined interfaces are static. Interfaces need to exist on all controllers in the mobility group to ensure seamless roaming; otherwise clients will drop and need to re-associate. Types of static interfaces:
Management - This interface is used for in band management, for example connections to AAA and L2 communications to other controllers. This interface should be in a different subnet from the service port. This address is used for the GUI.
AP Manager - This interface is used for WLC to AP communications at L3. This address is also the tunnel source address when packets are sent from the WLC to the AP, and the destination address vice versa. It should be in the same subnet as the management interface. If the distribution ports are grouped in a LAG then only a single AP manager interface is needed. All LWAPP traffic goes through this interface.
Virtual - This interface is used to support Mobility Management (a mobile client uses the same virtual IP address when roaming across controllers), DHCP relay (DHCP address for clients) and L3 security (redirect for the web page authentication).
Service port - This controls the above mentioned service port.

Dynamic interfaces are also known as VLAN interfaces. They are user defined interfaces and are used to carry the data from wireless clients. They are created with the following details:
VLAN ID, Physical port assignment, DHCP server information, ACL information.
Dynamic interfaces can be assigned to many different types of ports: Distribution, WLANs, L2, management, L3 and AP manager interfaces. WLANs are associated with a SSID and dynamic interface. Up to 512 dynamic interfaces can be configured on a WLC.

Lightweight AP Architecture Part 2 - Roaming

AP Modes of Operation:
Local Mode - This is the standard AP mode: it handles data transfer for clients and also monitors all channels. In the 2.4GHz band it uses a 180 second cycle where it spends 13 seconds on its assigned channel, then spends 60msec scanning another channel, after which it returns to its assigned channel for 13 seconds and the cycle continues. In the 5GHz band the AP spends 10 seconds on the assigned channel due to the larger number of channels.
Monitor Mode - Only allows for monitoring and no client data traffic. The AP can be used as a sensor for wireless IDS (scanning for rogue APs and clients), for data gathering when troubleshooting performance related issues, as a site survey tool, or as a triangulation point when using the Wireless Location Appliance. Each channel is scanned for 1.1ms and the channels to be scanned are set on the AP.
Sniffer Mode - The AP captures frames on a specific channel and sends the frames to a device running an analyser, e.g. Wireshark. Sniffer mode causes a reboot of the AP.
Rogue detection mode - The AP is connected to a trunk link and operates without using its radios. The controller updates the AP with the MAC addresses of known rogue APs and clients. The AP listens on the wired network for ARP packets and if it sees a rogue's MAC it sends an alarm to the WLC. Stations cannot associate in rogue detection mode.
H-REAP Mode - H-REAP APs are deployed at remote sites that do not warrant a WLC. If the connection to the WLC is lost the AP continues to function. There are a number of restrictions on the WAN link required for H-REAP: it cannot be less than 128kbps, round trip latency cannot exceed 100ms, the MTU must be at least 500 bytes, and code updates over 4MB cannot be received. The AP also needs to have at least 32MB of memory because it needs to store additional information such as: DTIM period, beacon period, time between beacon frames, preambles, power level, country code, and a black list of forbidden MACs. Also, an AP in H-REAP mode cannot use L2 or L3 broadcasts to find its WLC; it needs to use DHCP option 43, DNS, or OTAP via another AP.
Bridging Mode - The AP is used as a point-to-point or point-to-multipoint bridge. Only some models can handle this: 1130AG, 1240 and 1500 series.

Roaming:
A Mobility domain is a group of controllers. Clients roam between APs attached to WLCs in a mobility group. Clients can only roam between mobility groups if they are part of the same mobility domain. If they are not then a complete re-authentication process has to take place. In order for a controller to be part of a mobility domain it must be configured with the MAC and IP addresses which map to the existing WLCs in the group. They also need the same domain name and the same virtual gateway address. Up to 24 controllers can be part of a group.
In order for roaming to occur there are a few more prerequisites: The controllers must have the same code version, the same LWAPP mode and the same ACLs, the same SSIDs. When roaming occurs either the new WLC can handle all the APs connections (asymmetric tunnelling) or traffic can be sent back to the old controller (symmetric tunnelling).

Layer 2 roaming:
When a client roams to a new AP within the same subnet, the client authenticates with the new AP and traffic is tunnelled back to the original controller. Intra-controller roaming is when the client roams between APs on the same controller and typically takes about 10 msec. Inter-controller roaming is when a client roams between APs on 2 different controllers and typically takes about 20msec.

Layer 3 roaming:
In L3 roaming either the client changes subnets but retains its old IP address, or it re-authenticates. The controller creates a tunnel which makes the client and network think the subnet hasn't changed. If traffic in both directions is tunnelled between the new and old controller this is known as symmetric tunnelling. If the traffic from the client uses normal IP routing and just the return traffic is tunnelled between the controllers this is known as asymmetric tunnelling. L3 roaming is a quick process because, unlike L2 roaming, not all the client information is handed over. Instead the old controller marks the client data as an anchor entry and the new controller marks it as a foreign entry.
Asymmetric routing path is:
client -> foreign controller -> destination
destination -> anchor controller -> client
Symmetric routing path is:
client -> foreign controller -> anchor controller -> destination
destination -> anchor controller -> foreign controller -> client
The option on the controller which determines if symmetric or asymmetric tunnelling is used is called Symmetric Mobility Tunnelling.
One controller can be given symmetric tunnelling while the rest stay asymmetric, for example for a guest WLAN which is only allowed internet access. To do this a special anchor, a mobility anchor, must be defined. When using a mobility anchor all traffic to and from the client must go through this anchor, regardless of where the client is located. The client gets its IP address and security configuration from this mobility anchor. It is possible to have redundant mobility anchor controllers. Anchors must be connected to a VLAN trunk port in order to allow all stations to keep their IP addresses when roaming.

Lightweight AP Architecture

AP Discovery of WLC:
When the AP first boots up it tries to discover as many controllers as possible, and will try to associate to the WLC with the highest remaining percentage capacity.
If the AP and controller are not on the same subnet then it won't reach a controller with L2 discovery, so it will try L3. Here are the L3 options, and it's worth noting that the AP will try all options before choosing a controller:
  • Subnet broadcast - Default mode. The AP sends out a local subnet broadcast and any WLC that receives this broadcast sends a response, much like in DHCP. The AP stores the addresses of previous controllers even after it's rebooted, so it tries these too.
  • Over-The-Air Provisioning (OTAP) Mode - The AP listens for over-the-air RRM packets which include the address of an associated WLC. This method should really be disabled because of the security implication of sending OTA RRM packets in plain text, plus it wastes bandwidth.
  • AP Priming - This connects the AP and WLC together before they are deployed; the AP keeps the WLC address even on reboots. If the controller is part of a mobility group the AP learns all the IP addresses of the WLCs in the group.
  • DHCP option mode - The WLC address can be received in the DHCP reply. This should be set as an option in the DHCP server.
  • DNS/DHCP mode - The WLC IP address can be attained from the DNS server. Once the AP has an IP address it will do a hostname lookup for a controller record called CISCO-LWAPP-CONTROLLER.
If the WLC is not configured for L3 mode it will not respond to any of these methods.

If the AP receives a number of replies it uses a specific order to try and associate to a WLC. If the AP hasn't been primed with a WLC it will try to look for a master controller, which is defined when the mobility domain is created. If the AP was primed it will try to associate with its primary controller, then secondary, then tertiary. If all this fails then the AP will resort to the controller with the AP-Manager which has the highest percentage of available capacity.
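For the DHCP option mode above, here is an added example (not from the post, and not Cisco code) that builds and parses the option 43 payload a Cisco lightweight AP looks for: a vendor sub-option of type 0xf1 whose length is 4 times the number of controllers, followed by the controller addresses, plus the matching `option 43 hex ...` line for a Cisco IOS DHCP pool. The controller addresses are constructed.

```python
import ipaddress

# Added example, not from the blog post or Cisco: encode/decode the DHCP option 43
# payload used to hand a lightweight AP its WLC addresses. Sub-option type 0xf1,
# length = 4 * number of controllers, then the packed IPv4 addresses.

WLC_SUBOPTION = 0xF1


def encode_option43(controllers: list) -> bytes:
    """TLV: type 0xf1, length = 4 * number of controllers, then the addresses."""
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not packed or len(packed) > 255:
        raise ValueError("need between 1 and 63 controller addresses")
    return bytes([WLC_SUBOPTION, len(packed)]) + packed


def decode_option43(blob: bytes) -> list:
    """Walk the sub-option TLVs and return the controller addresses found under 0xf1.
    Other vendor sub-options are skipped; a truncated TLV is rejected."""
    found, i = [], 0
    while i + 2 <= len(blob):
        sub_type, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option")
        if sub_type == WLC_SUBOPTION:
            if length % 4:
                raise ValueError("controller list is not a multiple of 4 bytes")
            found += [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, length, 4)]
        i += 2 + length
    return found


def ios_option43_line(controllers: list) -> str:
    """The 'option 43 hex ...' line for a Cisco IOS DHCP pool."""
    return f"option 43 hex {encode_option43(controllers).hex()}"


if __name__ == "__main__":
    wlcs = ["10.1.1.10", "10.1.1.11"]      # constructed controller addresses
    print(encode_option43(wlcs).hex())    # f1080a01010a0a01010b
    print(ios_option43_line(wlcs))
    print(decode_option43(encode_option43(wlcs)))
```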

AP Joining to WLC:
The LWAPP join message sent by the AP includes:

  • The MAC address of the WLC and type of controller
  • The hardware and software version of the AP, its name, and the number and types of radios it has
  • The X.509 certificate used to initiate a secure LWAPP connection
The AP now tests the network to see if it supports jumbo frames, and it does this by sending 2 different join request packets, one of 1596 bytes and one of 1500 bytes. Once the controller receives the join request it sends a join reply including:
  • A result code, which will either be 0 or 1 (0 = success, 1 = failure) if it fails the status message will say why
  • The X.509 certificate of the controller
  • A payload check to test for jumbo frame support

If everything goes well the AP will download the code and/or configuration. If not, the AP goes back into the discovery phase and starts again.

Radio Resource Management (RRM):
RRM performs the following functions - Radio resource monitoring, client and network load balancing, dynamic channel assignment, coverage hole detection and correction, dynamic transmit power control, interference detection and avoidance.
The characteristics considered to manage channel assignment are: Noise, Client Load, 802.11 interference, utilisation, AP energy received.
It can manage power levels of APs (best practice is neighbours at -65dBm), influence the choice of AP by the stations by making overcrowded APs refuse associations. It can enhance roaming by comparing the RSSI and SNR of stations with regard to each AP.

Wednesday 4 July 2012

Cisco Unified Wireless Network (CUWN)

CUWN was introduced to address the following challenges:

  • Integrating device types so that they work well together
  • Ensure a consistent security configuration despite increasing numbers of APs
  • Monitoring environment for new sources of interference and redeploy if necessary
  • Managing channel allocation to minimise co and adjacent channel interference
CUWN elements - Clients, APs, Network Unification (devices which join wired and wireless networks; WiSM, WLCM), Network Management, Network Services (IDS and admission control)

LWAPP (Lightweight Access Point Protocol) is used to carry data between the APs and WLC. It carries and encapsulates control information over an encrypted tunnel. It encapsulates frames with a 6 byte header which also contains the RSSI and SNR information. Another header is then added with the source and destination address (AP and WLC address). LWAPP operates in L2 or L3 mode; in L2 mode only the MAC addresses are used. Because of this overhead the wireless packets are larger than 1500 bytes, usually 2346 bytes. The fragmentation fields in the LWAPP header handle this; the fragments are called segments.
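An added example (not from the post or Cisco) that parses the 6-byte LWAPP transport header as laid out in RFC 5412: a flags byte (2-bit version, 3-bit radio ID, and the C, F and L bits for control message, fragment and last fragment), a fragment ID, a 16-bit payload length, and a 16-bit Status/WLAN ID field which, for 802.11 data sent by the AP, carries the RSSI and SNR as two signed bytes. The header bytes below are constructed.

```python
import struct

# Added example, not from the blog post or Cisco: parse the 6-byte LWAPP
# transport header (RFC 5412). Fields: VER(2) RID(3) C F L | Frag ID(8) |
# Length(16) | Status/WLAN ID(16). For 802.11 data from the AP the last field
# is RSSI (dBm) and SNR (dB), each a signed byte.


def parse_lwapp_header(buf: bytes) -> dict:
    """Decode the fixed LWAPP header; RSSI/SNR are only meaningful for data frames."""
    if len(buf) < 6:
        raise ValueError("LWAPP header is 6 bytes")
    flags, frag_id, length, status = struct.unpack("!BBHH", buf[:6])
    hdr = {
        "version": flags >> 6,               # 2 bits
        "rid": (flags >> 3) & 0x7,           # radio ID, 3 bits
        "control": bool(flags & 0x4),        # C: control message rather than 802.11 data
        "fragment": bool(flags & 0x2),       # F: this packet is one segment of a larger frame
        "last_fragment": bool(flags & 0x1),  # L: last segment
        "frag_id": frag_id,
        "length": length,                    # payload bytes following the header
    }
    if hdr["control"]:
        hdr["status_wlan_id"] = status
    else:
        rssi, snr = struct.unpack("!bb", buf[4:6])   # two signed bytes
        hdr["rssi_dbm"], hdr["snr_db"] = rssi, snr
    return hdr


def split_lwapp(buf: bytes) -> tuple:
    """Return (header, payload) and check the length field against what was actually received."""
    hdr = parse_lwapp_header(buf)
    payload = buf[6:]
    if len(payload) < hdr["length"]:
        raise ValueError(f"short packet: header says {hdr['length']} bytes, got {len(payload)}")
    return hdr, payload[:hdr["length"]]


if __name__ == "__main__":
    # Constructed data-frame header: RID 1, fragment (not last), frag ID 5,
    # 512-byte payload, RSSI -65 dBm (0xbf), SNR 25 dB (0x19)
    print(parse_lwapp_header(bytes.fromhex("0a050200bf19")))
    # Constructed control-message header: C bit set, no fragmentation, 16-byte payload
    hdr, payload = split_lwapp(bytes.fromhex("04000010" "0001") + bytes(16))
    print(hdr, len(payload))
```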

WCS facilitates the management of several WLC. It is also required for location services (tracking and RFID tags) using the location appliance.

Split MAC is the ability to split 802.11 data link functions between the AP and WLC. The AP handles real-time communication and the WLC handles the non-time-sensitive functions.

Real time Traffic is:
Frame handshake exchange between client and AP done during each frame transfer
Handling of frames for clients in power save mode
Beacon transmission
Responses to probe requests
Real time signal quality information for each received frame
RF channel monitoring including noise, interference, other WLANs and rogue APs
Encryption and decryption, excluding VPN and IPSec clients (Layer 2 wireless)

Non-time sensitive traffic:
802.11 authentication
802.11 association and re-association; also known as mobility
802.11 to 802.3 bridging
The point where all 802.11 frames  terminate at the controller 

Tuesday 3 July 2012

Wireless Security part 2 - Inc RADIUS

RADIUS:
Some benefits of RADIUS are:
Authorisation
Centralised access and control of that access
Accounting supervision - including client network access and rights
Recording access attempts

Encryption:
The basic encryption process is to take plain text and scramble it with a cipher, which gives cipher text. Types of ciphers include stream ciphers, which modify each bit of data in turn, and block ciphers, which perform the modifications on a block of data at a time.

Symmetric and Asymmetric Encryption:
Symmetric encryption is faster than Asymmetric encryption because it requires less processing power. The disadvantage is that it is less secure.

Key Management:
There are 2 methods: a common key across all users, or a unique key for each user. An issue with individual keys is with unicast versus broadcast / multicast traffic. Individual keys can be generated in 2 ways: either individual keys are configured on the client and APs, or they are derived from a common key and generated for each session the user has with the AP.

Encryption methods:
There are 2 types of encryption methods used: TKIP and AES. Prior to these there was only RC4 with static keys which is insecure and should not be used.
TKIP was a replacement to WEP. It is essentially a wrap around WEP with enhanced 128bit encryption but it is made more secure by the following:
It changes the per-packet key. The packet key is made up of 3 things: a base key, the transmitting device's MAC, and the packet serial number. This is important because the serial number is a 48bit number which cycles, so a hacker reusing an old serial number (a replay attack) is mitigated. Also the base key is a unique value, so it can't be reused either.
AES is used in the WPA2 and 802.11i standard. It uses 128bit data encryption. AES is a block cipher. 


The 4 improvements of WPA:
Larger initialisation vector (IV) - increases the level of randomness making the encryption harder to crack
Message integrity check
Key management using 802.1X
unicast and broadcast key management


Centralised Key Management:
This is a benefit of 802.11i and WPA2. As a client roams often the reauthentication can take long enough to break the applications connections. Two items which mitigate this are: Key Caching (AP caches the credentials of the client so if it roams away and back the AP already has the details) and preauthentication (If the AP comes close but not enough to associate it will perform the authentication process anyway so that if it comes within range later the authentication is much quicker). 


802.11i:
WPA2 was built with 802.11i in mind, when 802.11i was fully ratified some features were added:
A list of EAP methods that can be used
AES-CCMP instead of RC4
Better key management, for example the master key can be cached permitting a faster reconnect for clients


If performing an upgrade from TKIP to AES the same keys can be used


TKIP is used to encrypt data in WPA, whereas either AES or TKIP can be used in WPA2 / 802.11i.

Wireless Security - Inc. EAP, PKI,

DoS Protection:
Management Frame Protection (MFP) can be used to protect against the flooding of probe requests or transmissions. MFP comes in 2 forms, infrastructure and client.
In infrastructure MFP mode controllers generate a signature for each WLAN which is added to each management frame sent. Any attempt to alter this or frames with an unknown SSID are detected by the MIC (Message Integrity Check), an alarm is generated and the controller instructs the AP to drop the frame.
In client mode the client can be configured to detect and drop spoofed or invalid management frames. To support this CCX v5 must be used and WPA2 with TKIP or AES must be used.

Passive vs Active attacks. An Active attack is when the hacker is actively interacting with clients, the AP or the network in real time. A passive attack is usually wireless sniffing, for information gathering, either online (on the fly) or offline for analysis later.
IDS / IPS is used to guard against passive attacks.

Authentication:
The act of identifying a device or person. It should be based on something you know (username and passwords), Something you have (smart card / crypto token) or something you are (biometrics / retina scan etc). Authentication can be per user or per device (certificates).

Two types of authentication are open and shared-key. Open authentication is just that: you only need the SSID. Shared-key authentication relies on a clear text challenge from the AP, which is then encrypted by the client's WEP key and sent back; if it matches the challenge encrypted by the AP's WEP key the user is authenticated. This is not secure, as a hacker snooping the clear text challenge and then the encrypted challenge can work out the WEP key.

EAP can be configured instead as a method of authentication. The AP can be configured to use a RADIUS server, an LDAP server, or local-EAP, where it acts as both the authenticator and the authentication server. Local-EAP supports LEAP, EAP-FAST and EAP-TLS; it is usually used as a backup if the RADIUS server becomes unavailable. A local user directory or LDAP directory can be used. Here is the EAP process:

  1. Association request from Client to AP then the AP responds with the authentication response
  2. The EAPOL (EAP over LAN) process starts with an EAPOL request sent from the AP to the client
  3. The client responds to the AP with an EAPOL response, which the AP forwards to the RADIUS server.
  4. The server sends an EAP request to the client via the AP, and the client sends an EAP response back
  5. If the EAP response is good the server sends back an EAP success and the encryption keys
Certificates and PKI (Public Key Infrastructure):
Some flavours of EAP require certificates to be used as authentication credentials, which means you must have a PKI in your network. A PKI requires a certificate server which issues certificates to devices or users. Certificates are based on a public key / private key pair.
Symmetric keys are both the same, whereas with asymmetric keys the encrypt (public) and decrypt (private) keys are different. PKI uses asymmetric keys. The certificate server is called the Certificate Authority (CA); this should be trusted by both parties in the authentication.

EAP-TLS:
Is the most secure and also most complicated. Certificates must be installed on both the client and server. Client and authentication server keys must be generated and signed by a PKI, then installed on each device.

EAP-FAST:
A Cisco proprietary method of providing the same level of security as EAP-TLS, but no PKI or certificates are needed. It instead creates an encrypted tunnel. The server generates a PAC (Protected Access Credential), which is used in the same way as the key pair used in EAP-TLS. The PAC contains the PAC key (like a private key), the PAC opaque, used to identify the client and retrieve the PAC key, and the PAC info, which contains information about the server authority ID. After the PAC is used to create the tunnel the client is authenticated with passwords or security tokens.

PEAP:
PEAP is in the middle of EAP-TLS and EAP-FAST. It only requires a certificate on the server. The 2 variations are: PEAP-MSCHAPv2 (uses MSCHAPv2 authentication) and PEAP-GTC (uses generic Token Card authentication). Client identifies itself in plain text. Server sends certificate to client to verify identity, Client generates master key, encrypts it with the public key and a secure tunnel is created. Now the client identifies a second time as the transmissions are protected by the tunnel.

LEAP:
This was developed by Cisco but made available to other devices through licensing, and only uses a username and password. However it is no longer considered secure due to the ease of breaking it.