manualshive.com logo in svg

AirMagnet PRG-Laptop 7.0, Reference Manual, Page: 74 / 210

Share
Download
AirMagnet PRG-Laptop 7.0 Reference Manual Download Page 74

66

Chapter 3: IDS—Security Penetration

AirMagnet Laptop Wireless LAN Policy Reference Guide

Intruders with the legitimate 802.1x user identity and password 

combination (or valid certificate) can penetrate the 802.1x 

authentication process without the proper knowledge of the exact 

EAP-type. The intruder will try different EAP-types such as TLS, 

TTLS, LEAP, EAP-FAST, PEAP, etc. to successfully logon to the 

network. This is on a trial and error basis, as there are only a handful 

EAP-types for the intruder to try and somehow manage to get 

authenticated to the network.
AirMagnet 

Mobile 

detects such an attempt by an intruder to gain 

access to the network using different 802.1x authentication types. 

Please take appropriate steps to locate the device and remove it from 

the wireless environment. Use the FIND tool for this purpose.

Figure 3-6: The AirMagnet Mobile FIND tool locates devices by tracking 
down the signal level.

Fake APs Detected

The Fake AP tool is meant to protect your WLAN by acting as a 

decoy to confuse war-drivers using NetStumbler, Wellenreiter, 

MiniStumbler, Kismet, etc. The tool generates beacon frames 

emulating thousands of counterfeit 802.11b access points.  War-

drivers encountering such large amount of APs will not be able to 

Laptop Wireless LAN Policy Reference Guide.book  Page 66  Thursday, January 25, 2007  5:36 PM

Summary of Contents for PRG-Laptop 7.0

Page 1: ...AirMagnet Laptop Wireless LAN Policy Reference Guide...

Page 2: ...nt without notice AIRMAGNET INC SHALL NOT BE HELD LIABLE FOR ERRORS OR OMISSIONS CONTAINED HEREIN NOR FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OF THIS CONETENT This product inclu...

Page 3: ...tected 15 Exposed Wireless Station Detected 17 LEAP Vulnerability Detected 19 Chapter 2 IDS Denial of Service Attack 23 DoS Attack Against AP 23 DoS Attack Association Flood 24 DoS Attack Association...

Page 4: ...57 Fast WEP Crack ARP Replay Detected 60 Device Probing for APs 61 Dictionary Attack on EAP Methods 64 EAP Attack Against 802 1x Authentication Type 65 Fake APs Detected 66 Fake DHCP Server Detected...

Page 5: ...and Authentication Methods 104 Device Unprotected by Other Encryption 104 Device Unprotected by Fortress Encryption 105 Static WEP Encryption 106 AP with Encryption Disabled 107 Client with Encryption...

Page 6: ...ance Options 142 Simultaneous PCF and DCF Operation 143 Unassociated Station Detected 144 Device Down or Malfunction 144 AP System or Firmware Reset 145 AP with Flawed Power Save Implementation 145 IE...

Page 7: ...0 Excessive Frame Retries 171 Excessive Low Speed Transmission 172 Excessive Missed AP Beacons 174 Excessive Packet Errors 175 Excessive Roaming or Reassociation 177 High Management Traffic Overhead 1...

Page 8: ...vi Table of Contents AirMagnet Laptop Wireless LAN Policy Reference Guide...

Page 9: ...of outside penetration and attack and there are many other possible wireless security risks and intrusions such as mis configured AP unconfigured AP and Denial of Service attacks Figure 1 1 Wireless S...

Page 10: ...irMagnet Mobile security alarms can be customized to best match your security deployment policy For example if your WLAN deployment includes Access Points made by a specific vendor the product can be...

Page 11: ...ile generates a warning alarm when it detects an AP broadcasting its SSID The AirMagnet Mobile alarm description in this case will recommend that the wireless administrator turn off the SSID broadcast...

Page 12: ...ons to easily identify available WLANs and the APs providing the service War drivers equipped with tools such as Netstumbler sometimes scan for the SSIDs sent by Access Points to discover potential ta...

Page 13: ...below Figure 1 4 Disabling SSID broadcast for Cisco Aironet Access Point AP Configuration Changed Most of the current day wireless 802 11b LAN equipment use Direct Sequence Spread Spectrum DSSS techn...

Page 14: ...Ghz UNII Unlicensed National Information Infrastructure band 802 11a devices cannot interoperate with 802 11b g devices as they operate in different frequency bands Table 1 1 Channel Assignment for 80...

Page 15: ...ISM band with each channel occupying 22 MHz Adjacent channels overlaps with each other in RF frequency usage see illustration below Figure 1 5 802 11b g Channel Allocation and Frequency Overlaps Wirel...

Page 16: ...uration This can cause all valid clients to get disconnected from the AP as they now are not talking on the same network Please connect to the AP whose configuration has changed and assign a stronger...

Page 17: ...ess bridge inside the corporate network that would invariably extend the corporate network to any location outside the corporate premises Detection of such wireless bridge devices indicates that somet...

Page 18: ...FIND tool to locate the rogue device Figure 1 8 Locating a device with AirMagnet Mobile s FIND tool AP Using Default Configuration Access Points shipped by wireless equipment vendors usually come wit...

Page 19: ...cess is made available for the general public One often finds hotspots in airports hotels coffee shops and other places where business people tend to congregate It is probably one of the most importan...

Page 20: ...valid users with a wireless enabled laptop or handheld and valid login for accessing the Hotspot network WLAN Access Points These can be SOHO gateways or enterprise level access points depending upon...

Page 21: ...ndependent of the encryption mechanism used Using the attack tool the intruder can passively monitors the wireless network for probe request frames to identify the SSIDs of the networks of the Windows...

Page 22: ...they were temporarily disconnected from the Internet due to some unknown issue will try to login again to resume their activities Innocent wireless clients that associate to the Airsnarf access point...

Page 23: ...uary 2004 the IEEE announced that it had formed a new 802 11 Task Group TGn to develop a new amendment for the existing standard for wireless local area networks It was expected to provide transmissio...

Page 24: ...ntage of multipath propagation This is a stark contrast to the disadvantages multipath users have complained about Multiple antennas are used to divide a single fast signal into multiple slower signal...

Page 25: ...sed Wireless Station Detected The popularity of WLANs results in user laptops with multiple WLAN configuration profiles to be used in various environments such as an enterprise office home or a wirele...

Page 26: ...ions that constantly search for association thus leaving thesmelves vulnerable Typically they are client stations mis configured manually or automatically by the vendor profile selector This scenario...

Page 27: ...tool LEAP Vulnerability Detected It is well publicized that WLAN devices using static WEP key for encryption are vulnerable to the WEP key cracking attack see the paper Weaknesses in the Key Scheduli...

Page 28: ...sers on LEAP networks forcing them to re authenticate This makes the capture of LEAP passwords very fast Only de authenticating users who have not already been seen doesn t waste time on users who are...

Page 29: ...advantages of EAP FAST are that it is not proprietary is compliant with the IEEE 802 11i standard supports TKIP and WPA does not use certificates thus avoiding complex PKI infrastructures and support...

Page 30: ...22 Chapter 1 Configuration Vulnerabilities AirMagnet Laptop Wireless LAN Policy Reference Guide...

Page 31: ...loping new standards like 802 11i to tackle some of these issues AirMagnet Mobile contributes to this solution by providing an early detection system where the attack signatures are matched AirMagnet...

Page 32: ...ack signatures against the AP Incomplete authentication and association transactions trigger the AirMagnet Mobile attack detection and statistical signature matching process Detected DoS attacks resul...

Page 33: ...ure 2 1 Emulated client associations overflowing AP s client association table AirMagnet Mobile detects spoofed MAC addresses and tracks the follow up 802 1x actions and data communication after a suc...

Page 34: ...ss Point under attack has maintained a state in the client association table for each emulated client Once the AP s resources and client association table are filled up with these emulated clients and...

Page 35: ...create a client entry in state 1 in the association table If Open System authentication is used on the AP the AP would send back an authentication success frame and move the client to state 2 If Share...

Page 36: ...less service provided by this AP DoS Attack EAPOL Start Attack The IEEE 802 1x standard defines the authentication protocol using EAP Extensible Authentication Protocol over LANs or EAPOL The 802 1x p...

Page 37: ...if it has any data frames waiting for it After it completes a handshake with the AP it can receive the data frames The beacons from the AP include the Delivery Traffic Indication Map DTIM to inform th...

Page 38: ...ated Association This form of denial of service attack attempts to exhaust the AP s resources particularly the client association table by flooding the AP with a large number of emulated and spoofed c...

Page 39: ...re 2 5 Emulated client associations overflowing AP s client association table AirMagnet Mobile detects spoofed MAC addresses and tracks the follow up 802 1x actions and data communication after a succ...

Page 40: ...the attack Different attacks are covered under this section CTS flood attack Queensland University of Technology exploit RF jamming attack Virtual carrier attack DoS Attack CTS Flood Attack tool CTS...

Page 41: ...privilege granted to the CTS frame to reserve the RF medium for transmission By transmitting back to back CTS frames an attacker can force other wireless devices sharing the RF medium to hold back th...

Page 42: ...Access with Collision Avoidance CSMA CA as the basic access mechanism in which the WLAN device listens to the medium before starting any transmission and backs off when it detects any existing transmi...

Page 43: ...transmission of data for the duration of the attack When under attack the device behaves as if the channel is always busy preventing the transmission of any data over the wireless network This DoS at...

Page 44: ...4GHz or 802 11a at the 5GHz RF spectrum they are all susceptible to RF noise impact An attacker leveraging this WLAN vulnerability can perform two types of DoS attacks Disrupt WLAN service At the 2 4G...

Page 45: ...ntenna 30 yards away from an AP can pulse enough high energy RF power to damage electronics in the AP resulting in it being permanently out of service Such HERF high energy RF guns have been demonstra...

Page 46: ...el access to the legitimate users Under normal circumstances the only time a ACK frame should carry a large duration value is when the ACK is part of a fragmented packet sequence The only legitimate o...

Page 47: ...data frame The IEEE 802 11 standard specifies the exact times for the subsequent CTS and data frames So the duration value of RTS is respected till the following data frame is received not receive Ei...

Page 48: ...tion frame from the AP to the client station The 802 11 association state machine as specified by the IEEE standard is illustrated below to show how an associated station can be tricked out of the aut...

Page 49: ...on DoS Attack Authentication Failure Attack IEEE 802 11 defines a client state machine for tracking station authentication and association status Wireless clients and APs implement such a state machin...

Page 50: ...s codes from an associated client in State 3 to an AP Upon receiving the invalid authentication requests the AP updates the client to State 1 which disconnects its wireless service AirMagnet Mobile de...

Page 51: ...02 11 defines a client state machine for tracking the station authentication and association status Wireless clients and APs implement such a state machine illustrated below according to the IEEE stan...

Page 52: ...pically client stations would re associate and re authenticate to regain service until the attacker sends another de authentication frame AirMagnet Mobile detects this form of DoS attack by detecting...

Page 53: ...ed and associated to State 3 Figure 2 16 Attacker spoofs 802 11 de authentication frames from AP to client station to bring client to state 1 A form of DoS attack aims to send a client of an AP to the...

Page 54: ...ng to test the wireless service provided by this AP DoS Attack Disassociation Broadcast Attack tool ESSID Jack IEEE 802 11 defines a client state machine for tracking the station authentication and as...

Page 55: ...uld re associate to regain service until the attacker sends another disassociation frame An attacker would repeatedly spoof the disassociation frames to keep all clients out of service AirMagnet Mobil...

Page 56: ...tion until it is authenticated and associated to State 3 Figure 2 18 Attacker spoofs 802 11 disassociation frames from AP to client station to bring client to state 2 A form of DoS attack aims to send...

Page 57: ...authentication transaction At the end of an authenticated session when a client station wishes to log off the client station sends an 802 1x EAPOL Logoff frame to terminate the session with the AP Fig...

Page 58: ...ack Tool Detected IEEE 802 11 defines a client state machine for tracking station authentication and association status Wireless clients and APs implement such a state machine illustration below based...

Page 59: ...t in State 3 to an AP Upon reception of the invalid authentication requests the AP would update the client to State 1 which disconnects its wireless service FATA jack is one of the commonly used tools...

Page 60: ...ds Open System Shared Key etc 802 1x and EAP based authentications are monitored by other AirMagnet Mobile alarms DoS Attack Premature EAP Failure Attack The IEEE 802 1x standard defines the authentic...

Page 61: ...uthentication An attacker could keep the client interface from coming up therefore DoS by continuously spoofing pre mature EAP Failure frames from the AP to the client to disrupt the authentication st...

Page 62: ...ntication See the protocol exchange highlighted below Figure 2 23 Attacker spoofs pre mature EAP Success frames from an AP before the authentication is completed The IEEE 802 1X specification prohibit...

Page 63: ...erprise detects this form of DoS attack by tracking spoofed pre mature EAP Success frames and the 802 1x authentication states for each client station and AP Locate the device and take appropriate ste...

Page 64: ...56 Chapter 2 IDS Denial of Service Attack AirMagnet Laptop Wireless LAN Policy Reference Guide...

Page 65: ...brella by validating the best security policy implementation as well as detecting intrusion attempts If such vulnerabilities or attack attempts are detected AirMagnet Mobile generates alarms to bring...

Page 66: ...ng upon the Hotspot implementation Hotspot Controllers This box deals with user authentication gathering billing information tracking usage time filtering func tions etc This can be an independent mac...

Page 67: ...address from the rogue Airsnarf Access Point instead of the legitimate AP installed by the hotspot operator The users will be shown a webpage that requests a username and password as now the DNS quer...

Page 68: ...e vulnerable to WEP key cracking attack Refer to Weaknesses in the Key Scheduling Algorithm of RC4 I by Scott Fluhrer Itsik Mantin and Adi Shamir Figure 3 3 WEP Encipherment Block Diagram The WEP secr...

Page 69: ...ill respond with encrypted replies thus providing new and possibly weak IVs AirMagnet Mobile alerts on weak WEP implementations and recommends a device firmware upgrade if available from the device ve...

Page 70: ...ing tools to discover APs and publish their information MAC address SSID security implemented etc on the Internet with the APs geographical location information War chalkers discover WLAN APs and mark...

Page 71: ...ngo client utility and the WiNc client utility Once associated this client station can be accessed by an intruder leading to a major security breach To make matters worse the client station may even u...

Page 72: ...y the AirWISE alarm to determine which of your APs is broadcasting announcing their SSID in the beacons You may then adjust the AP properties to turn off the SSID broadcast feature Dictionary Attack o...

Page 73: ...tching user name and password based authentication methods to encrypted tunnel based authentication methods such as PEAP and EAP FAST which are supported by many vendors including Cisco EAP Attack Aga...

Page 74: ...nage to get authenticated to the network AirMagnet Mobile detects such an attempt by an intruder to gain access to the network using different 802 1x authentication types Please take appropriate steps...

Page 75: ...sends a DHCP request informing the DHCP server that it wants to be assigned the IP address offered 4 The server returns a DHCP ACK acknowledging that the NIC has sent a request for a specific IP addre...

Page 76: ...he FIND tool to locate the device Figure 3 7 The AirMagnet Mobile FIND tool locates devices by tracking down the signal level Hotspotter Tool Detected A hotspot is any location where Wi Fi network acc...

Page 77: ...of a basic Hotspot network are Hotspot Subscribers These are valid users with a wireless enabled laptop or handheld and valid login for accessing the Hotspot network WLAN Access Points These can be SO...

Page 78: ...spot network names Once a match is found the Hotspotter client will now act as an access point The clients can then authenticate and associate unknowingly to this Fake AP Once the client gets associat...

Page 79: ...have in strange manners It is a well known fact that illegal packets can cause the firmware of a few vendors wireless network cards to crash Examples of such vulnerability include NULL probe response...

Page 80: ...use the FIND tool to locate it Figure 3 10 Locating a device using AirMagnet Mobile FIND tool Man in the Middle Attack Detected Man in the Middle MITM attack is one of the most common 802 11attacks t...

Page 81: ...r de authentication frame After that the hacker station now will spoof the MAC address of the client to continue being associated with the AP At the same time the hacker will set up a spoofed AP in an...

Page 82: ...used by ex employees who may have not returned all their wireless equipment These nodes may be added to the monitor list to alert the wireless administrator the next time the AP or STA shows up in th...

Page 83: ...s hacker uses war driving tools to discover APs and publish their information MAC address SSID security implemented etc on the Internet with the APs geographical location information War chalkers disc...

Page 84: ...etected It is well publicized that WLAN devices using static WEP key for encryption are vulnerable to the WEP key cracking attack see the paper Weaknesses in the Key Scheduling Algorithm of RC4 I by S...

Page 85: ...ed libpcap files Using a dynamic database table and index to make lookups on large files very fast This reduces the worst case search time to 0015 as opposed to lookups in a flat file Writing just the...

Page 86: ...ntended boundaries can expose the network to unauthorized users The Rogue AP can put the entire corporate network at risk of outside penetration and attack Not to understate the threat of the rogue AP...

Page 87: ...AirMagnet Laptop Wireless LAN Policy Reference Guide Chapter 3 IDS Security Penetration 79 Figure 3 13 Locating a device using AirMagnet Mobile FIND tool...

Page 88: ...ireless traffic between wireless clients For most WLAN environments wireless clients communicate only with devices such as web servers on the wired network Enabling PSPF protects wireless clients from...

Page 89: ...represents two potential threats to enterprise security Firstly host based APs are typically not part of the enterprise wireless infrastructure and are likely to be rogue devices that do not conform t...

Page 90: ...devices by tracking down the signal level Spoofed MAC Address Detected Spoofing tools SMAC macchanger SirMACsAlot Gentle MAC Pro A wireless intruder wishing to disrupt the wireless network has a wide...

Page 91: ...Suspicious After Hour Traffic Detected One way to detect a wireless security penetration attempt is to analyze wireless usage during a time in which there is not supposed to be any wireless traffic su...

Page 92: ...ting AirMagnet Enterprise to accept all or a specific subset of existing APs or STAs discovered by AirMagnet SmartEdge sensors Rogue APs installed by unauthorized employees usually do not follow enter...

Page 93: ...ed automatically as soon as it is detected Use the AirMagnet Enterprise wireless trace and block Rogue feature provided by the IDS Rogue page on the AirMagnet Enterprise Console to allow the AirMagnet...

Page 94: ...86 Chapter 3 IDS Security Penetration AirMagnet Laptop Wireless LAN Policy Reference Guide Figure 3 17 AirMagnet Enterprise wired trace and block Rogue feature suspends rogue APs...

Page 95: ...ation MAC address SSID security implemented etc on the Internet with the APs geographical location information War chalkers discover WLAN APs and mark the WLAN configuration at public locations with u...

Page 96: ...adcasting their SSID their WEP capabilities and provides vendor information automatically It also creates an ethereal tcpdump compatible dumpfile and an Application savefile It also has GPS support Us...

Page 97: ...rder to protect the integrity of the wireless and the wired enterprise network AirMagnet Mobile provides the following methods to detect rogue devices One or more of these methods can be used to diffe...

Page 98: ...respond to detected rogue APs In such a case the AirMagnet Smartedge Sensor emulates a wireless client using the rogue AP s announced SSID to associate with the AP After associating the sensor perform...

Page 99: ...AP alarm will be generated Rogue APs installed by unauthorized employees may not follow enterprise standard deployment procedures and may thus compromise security on the wireless and wired network Th...

Page 100: ...P alarm whenever an AP is discovered outside of the vendor list i e a non Cisco Aironet or non Symbol Technologies AP Rogue APs installed by unauthorized employees usually do not follow enterprise sta...

Page 101: ...erated by requesting the AirMagnet Enterprise product to accept all or a specific subset of existing APs discovered by the AirMagnet SmartEdge Sensors Rogue APs installed by unauthorized employees usu...

Page 102: ...raises a rogue AP alarm when an AP operating in a different SSID is discovered Rogue APs installed by unauthorized employees usually do not follow enterprise standard deployment practices and can thus...

Page 103: ...e enterprise implements only 802 11b g APs If there is an 802 11a AP detected AirMagnet Mobile will immediately raise an alarm Rogue APs installed by unauthorized employees usually do not follow enter...

Page 104: ...oughly investigated To use this feature please ensure that the laptop running the AirMagnet software is connected to the wired network and check the Enable Trace option present in the configuration se...

Page 105: ...detection mechanisms are by MAC address vendor ID SSID radio media type and RF channels In addition any station that is associated with a rogue AP also triggers a rogue station alarm Rogue Station by...

Page 106: ...ld then include Cisco and Symbol in the authorized vendor list After the vendor list is imported AirMagnet Mobile raises a rogue station alarm whenever a station is discovered outside of the vendor li...

Page 107: ...figured address list The authorized MAC address list can be imported to AirMagnet Enterprise from a file AccessControl txt This file is common for APs Infrastructure stations and Ad hoc stations It ca...

Page 108: ...ID list For example if your enterprise deployed WLAN is configured only with MyOfficeWlan and MyVoIPWlan you would then include these two SSIDs in the SSID list AirMagnet Mobile raises a rogue station...

Page 109: ...enever a client station operating outside of the enterprise standardized radio media is discovered by AirMagnet Mobile a rogue station alarm will be generated For example consider a case in which the...

Page 110: ...Laptop Wireless LAN Policy Reference Guide Once a Rogue station is identified and reported by AirMagnet Mobile the WLAN administrator may use the FIND tool to locate the rogue device Figure 4 12 Locat...

Page 111: ...User authentication blocks out unauthorized access to your wired and wireless resources Traffic encryption goes hand in hand with user authentication during which the encryption secrets are exchanged...

Page 112: ...ms to ensure that AirMagnet Mobile monitors your network accordingly Device Unprotected by Other Encryption If your WLAN security deployment mandates the use of encryption technologies provided by Cra...

Page 113: ...re being followed in every installation worldwide In addition shared notifications among both systems will allow Cranite administrators to see external wireless threats The integration of the AirMagne...

Page 114: ...w security alert identifies users who fail to run Fortress Security System This will allow security conscious customers who have chosen Fortress to verify that their authentication encryption policies...

Page 115: ...to eavesdropping by intruders Typically for an AP that is operating without any sort of encryption mechanism there can be unauthorized clients without encryption keys that can associate with the AP a...

Page 116: ...hrer Itsik Mantin and Adi Shamir Figure 5 2 WEP Encipherment Block Diagram The WEP secret key that has been cracked by any intruder results in no encryption protection thus leading to compromised data...

Page 117: ...appears to be more secure but actually has been proven to be vulnerable to WEP key cracking by wireless intruders because the challenge text and response are both clear and unencrypted This means tha...

Page 118: ...h a passive attack by eavesdropping An attacker can use brute force to compute the challenge response off line after capturing challenge text which is in clear text Once the match is found the attacke...

Page 119: ...h is determined by the transmitting station The IV can be reused frequently in consecutive frames thus increasing the chance of the secret key being recovered by wireless intruders AirMagnet Mobile al...

Page 120: ...provide access control and most importantly Quality of Service QoS Using VPN in addition to WEP in the network also provides encryption all the way to the VPN gateway This can be very effective for tr...

Page 121: ...reless vendors support WPA and consider it to be a more secure alternative to static WEP Figure 5 5 802 1x user based authentication and encryption framework There are three major end user benefits pr...

Page 122: ...t is as weak as static WEP which is subject to key recovery attacks By continuously monitoring on WLAN 802 1x authentication and encryption transactions AirMagnet Mobile can detect an AP configured wi...

Page 123: ...a shared encryption key and re key mechanism has to be implemented It has been found that very few wireless devices implement the multicast and broadcast encryption key mechanism correctly In reality...

Page 124: ...y standard As time passed by equipment vendors increased this to 128 bit keys as so forth Some implementations even announced that they were using upto 256 bit WEP keys Since then Static WEP has been...

Page 125: ...The server based mechanism requires an authentication server such as a RADIUS server to securely and dynamically distribute session keys Pairwise Master Key or PMK When PSK is used instead of 802 1x...

Page 126: ...mporal Key Integrity Protocol TKIP and Advanced Encryption Standard Counter Mode CBC MAC Protocol WLAN traffic encrypted with TKIP and MIC defeats packet forgery and replay attack TKIP is most importa...

Page 127: ...ed after the decryption AES CCMP mode provides authentication and encryption using the AES block cipher CCMP is a combination of the Counter CTR mode encryption for data privacy and Cipher Block Chain...

Page 128: ...steps to avoid any security holes in the network and upgrade the wireless network infrastructure and devices to use the more secure IEEE 802 11i standard Device Unprotected by 802 11x If your WLAN sec...

Page 129: ...s not configured for 802 1x weaken your WLAN security by allowing non compliant users to falsely authenticate and enter your wired network Mis configured client stations without 802 1x protection also...

Page 130: ...versity in Providence Rhode Island has written a hacking tool that compromises wireless LAN networks running LEAP by using off line dictionary attacks to break LEAP passwords The tool after detecting...

Page 131: ...client and the server using a PAC Protected Access Credential to authenticate each other After the tunnel establishment process the client is then authenticated using the user name and password crede...

Page 132: ...uding Cisco have recently added support for PEAP with a firmware upgrade You can rely on this AirMagnet Mobile alarm to alert you of devices that are not using PEAP Please ensure that the PEAP authent...

Page 133: ...atic WEP as well as defeating packet forgery and replay attack Figure 5 14 TKIP and MIC encrypted frames expands the original data by 20 bytes for stronger encryption and integrity check Unlike AES ba...

Page 134: ...h no EAP exchange As there is no RADIUS server and no EAP methods such as EAP TLS or LEAP involved the PSK mode is less secure Figure 5 15 4 way handshake completes the key exchange for the pre shared...

Page 135: ...e of the PSK mode and recommends switching to the more secure 802 1x EAP based key management and authentication system If you decide to stay with PSK mode key management please make sure your choice...

Page 136: ...128 Chapter 5 Authentication and Encryption AirMagnet Laptop Wireless LAN Policy Reference Guide...

Page 137: ...ormance and efficiency by monitoring the WLAN and alerting the wireless administrator of early warning signs for trouble Performance alarms are generated and classified in the following categories in...

Page 138: ...130 Part Two Performance Intrusion AirMagnet Laptop Wireless LAN Policy Reference Guide...

Page 139: ...al in Maximizing WLAN Throughput and Minimizing Interference Not only does the radio medium have bandwidth limitations WLAN Access Points have limitations and can be overloaded by heavy traffic or a l...

Page 140: ...failed load balancing for the WLAN deployment To remedy the problem you may add additional APs to your existing infrastructure or try to remove unnecessary devices that are currently using up associat...

Page 141: ...ming traffic combined and raises an alarm when the sustained utilization exceeds the user configured threshold To further investigate AP bandwidth utilization you may use the Infrastructure screen to...

Page 142: ...n exceeds the user configured threshold To further investigate AP bandwidth utilization you may use the Infrastructure screen to identify stations associated with this AP and their individual bandwidt...

Page 143: ...r example a 1000 byte broadcast frame would take at least 8 milliseconds to transmit at 1 Mbps which is a considerable delay for a voice application AirMagnet Mobile tracks multicast and broadcast fra...

Page 144: ...136 Chapter 6 Channel or Device Overload AirMagnet Laptop Wireless LAN Policy Reference Guide...

Page 145: ...ion Figure 7 1 WLAN Deployment Involves Configuration for Access Points Wireless Bridges and Back end Distribution Service AirMagnet Mobile monitors these configuration parameters and their mutual int...

Page 146: ...eshold fragmentation threshold maximum retry count multiple SSIDs More AirMagnet Mobile monitors and tracks the usage of these configuration parameters Alarms are raised when errors are detected for e...

Page 147: ...ay have their own SSIDs and can co exist in the same RF environment However when infrastructure mode and ad hoc mode devices share the same SSID client connections may become unreliable and inconsiste...

Page 148: ...device using AirMagnet Mobile FIND tool Conflicting AP Configuration One of the ways for AirMagnet Mobile to validate a configuration policy is to check the configuration consistency from APs supporti...

Page 149: ...imization is a key factor during the WLAN site survey and deployment process It is typically impacted by signal quality and distance See the table below for all the supported speeds and what AirMagnet...

Page 150: ...s The IEEE 802 11b standard defines several optional device capabilities to improve performance levels Short preamble The preamble refers to the header information in a packet Generally a longer pream...

Page 151: ...f CSMA CA Carrier Sense Multiple Access Collision Avoidance and a random back off time following a busy medium condition In addition all directed traffic uses immediate positive acknowledgment ACK fra...

Page 152: ...atively the WLAN administrator can also use AirMagnet Mobile s active end to end test tools to further investigate the problem by emulating a client station in the action of association DHCP Ping and...

Page 153: ...t Mobile alarm linkage can be drawn between interrupted service and its root cause in such a scenario AP with Flawed Power Save Implementation The IEEE 802 11 standard defines the power save operation...

Page 154: ...obile detects APs with flawed 802 11 power save implementations similar to the two defects mentioned above This problem generally does not cause any wireless connection issues but causes severe qualit...

Page 155: ...communicate using CCK and OFDM modulation schemes respectively but 802 11g devices have to support both modulation schemes to ensure backward compatibility Figure 7 6 802 11 a b g Range and Modulatio...

Page 156: ...an environment when protection is truly needed malfunctioning or mis configured APs without advertising protection mechanisms can degrade performance significantly It has been observed that many pre 8...

Page 157: ...smission include Super G Turbo mode Packet Burst etc AirMagnet Mobile can detect the use of non standard speed settings even if your current WLAN card cannot support such speeds If you wish to enable...

Page 158: ...nisms to resolve this issue RTS CTS and CTS to self It is controlled by the 802 11g AP which advertises and triggers the use of a protection mechanism 802 11g client stations must follow the AP s adve...

Page 159: ...n overhead is re introduced to a once pure 802 11g environment AirMagnet Mobile raises an alarm for a purity sweep Device Thrashing Between 802 11g and 802 11b The IEEE 802 11g standard requires a 802...

Page 160: ...se the AirMagnet Infrastructure page and select the List by Station view option to show all historical sessions a client station has with various APs You may also monitor on the client RF mode switch...

Page 161: ...oint has the same priority as the other stations This is very critical for DCF as the number of devices increases in the BSS and so do the collisions The PCF mechanism provides data transfer via a pol...

Page 162: ...he QSTA Based on the admission control policy if the request is accepted the HC schedules TXOPs for both the QAP and the QSTA For transmissions from the QSTA the HC polls the QSTA based on the paramet...

Page 163: ...a limited number of clients When the limit is reached additional clients may find their service requests rejected or existing clients may experience degraded performance This is unacceptable in an env...

Page 164: ...ilization the VoWLAN calls may be choppy and experience degraded performance AirMagnet Mobile monitors on the AP work load by tracking its active VoWLAN clients You can configure the system to generat...

Page 165: ...in adjacent channels channel numbers less than 5 apart have their RF frequencies overlapped and will interfere with one another Ideally APs should be 5 channels apart to avoid such a problem See the s...

Page 166: ...cation and usage to detect their mutual interferenceand the alarm is generated when a channel frequency is overlapped by more than thetolerable number the user configurable alarm threshold of APs For...

Page 167: ...nce Figure 8 7 AirMagnet Jitter tool to measure jitter Channel Overloaded by Voice Traffic As per the IEEE 802 11e standard for QoS the QoS basic service set QBSS is a basic service set BSS that suppo...

Page 168: ...160 Chapter 8 IEEE 802 11e and VoWLAN Issues AirMagnet Laptop Wireless LAN Policy Reference Guide Figure 8 8 Beacon frame format as suggested by IEEE 802 11e...

Page 169: ...by IEEE 802 11e Both these frames include the QBSS Load element The QBSS Load element contains information on the current station population and traffic levels in the QBSS Figure 8 10 Load Element Fo...

Page 170: ...pany premises Though APs are getting cheaper the overall architecture deployment price is still high AirMagnet Survey part of the AirMagnet Mobile Family can help the users implement such a dense depl...

Page 171: ...Mobile roaming devices such as VoWLAN phones and bar code scanners on a WLAN frequently perform such a re association act As the phones roam from one AP to another the calls may be dropped and the pho...

Page 172: ...ower adjustment for optimized coverage and capacity All these technologies improve WLAN efficiency However vendor implementations and fine tuning are not on par with each other Immature new products m...

Page 173: ...AirMagnet Laptop Wireless LAN Policy Reference Guide Chapter 8 IEEE 802 11e and VoWLAN Issues 165 Figure 8 13 Using the Infrastructure Page station List to investigate excessive roaming problem...

Page 174: ...h another access point Figure 8 14 AirMagnet Roaming tool to measure roaming delays Also the AirMagnet Jitter tool allows the user to effectively measure RF signal jitter in both incoming and outgoing...

Page 175: ...sfers the DTIM it will transfer the buffered data Figure 8 16 Traffic Indication Map Information Element The important parameter here is the DTIM period which indicates how often the AP will transmit...

Page 176: ...ces Proprietary solutions Proprietary solutions can be implemented at the access point level Some APs allow users to specify a multicast MAC address to identify the voice frame Once recognized the AP...

Page 177: ...erformance problem and suggest countermeasures AirMagnet Mobile tracks MAC layer protocol characteristics including the following Frame CRC error Frame re transmission Frame speed 1 2 5 5 11 Mbps usag...

Page 178: ...illustrated below Figure 9 2 IEEE 802 11 Frame fields for frame fragmentation and defragmentation The increased reliability of the smaller fragmented frames comes at the cost of frame transmission ove...

Page 179: ...hen there is no acknowledgement observed the transmitter assuming that the receiver did not receive the frame successfully would re transmit the unacknowledged frame with the Retry bit in the frame se...

Page 180: ...priate steps to avoid such problems For example if the problem stems from noise or interference AirMagnet s Find tool can be used to help track down and remedy the root cause Excessive Low Speed Trans...

Page 181: ...low speed transmissions The transmit speed selection is a decision made by the transmitter that will also detect reception problems from the lack of acknowledgements The transmitter may vary the tran...

Page 182: ...nfiguration parameters Wireless clients use these beacon frames to learn of available WLAN services and their characteristics in order to make crucial decisions regarding association and roaming The b...

Page 183: ...ification defines the PLCP Physical Layer Convergence Protocol header to include a HEC Header Error Check field for error detection See illustration below The receiver performs calculations on the syn...

Page 184: ...ile detects these error frames and tracks them based on per device and per channel orientation See illustration below Figure 9 12 AirMagnet Mobile CRC frame error tracking display for a channel or a d...

Page 185: ...Communication Once an AP with better service is identified the client station will associate with the new AP and break the association with the original AP Mobile roaming devices such as VoIP phones a...

Page 186: ...ervice Stationary devices such as wireless printers and wireless desktops are not expected to have repeated re associations AirMagnet Mobile watches out for the anomaly of excessive client re associat...

Page 187: ...e basic frame types Management Control and Data frames Management frames such as beacon probe request response association request response authentication etc do not carry user data but are needed to...

Page 188: ...cation of more severe problems For example if many client stations fail to associate with AP they constantly retry associating to the AP resulting in large amount of management traffic AirMagnet Mobil...

Page 189: ...ess Device The WLAN spectrum is a shared medium with a limitation on bandwidth Be it 802 11b at 11 mbps or 802 11a g at 54 mbps bandwidth utilization should be closely monitored on a per channel and p...

Page 190: ...roblem for wired networks but can cause significant impact to the wireless networks especially VoWLAN Voice over WLAN AirMagnet Mobile tracks such wireless client stations that are constantly streamin...

Page 191: ...AirMagnet Laptop Wireless LAN Policy Reference Guide Chapter 9 Problematic Traffic Pattern 183 Figure 9 19 The AirMagnet Mobile FIND tool locates devices by tracking down the signal level...

Page 192: ...184 Chapter 9 Problematic Traffic Pattern AirMagnet Laptop Wireless LAN Policy Reference Guide...

Page 193: ...allocation problems Channel noise and non 802 11 signals WLAN RF service under coverage area Classic RF hidden node syndrome Many more In addition to complicated technical RF issues there are regulato...

Page 194: ...At the 5GHz frequency range where 802 11a operates regulatory rules have been more restrictive in favor of WLAN data communication networks The existence of noise is present but not as prevalent as t...

Page 195: ...remedy the problem If the equipment causing problems is owned by the company this can be an easy fix but if it belongs to a neighboring company remedying the situation can be more difficult This stres...

Page 196: ...gnet Mobile monitors channel allocation and usage and raises this alarm when a channel is populated by more than the pre defined maximum number of APs the configurable alarm threshold is 3 This alarm...

Page 197: ...l range but they can both communicate with the same access point Because of this situation Station A may begin sending a frame without noticing that Station B is currently transmitting or vice versa T...

Page 198: ...rning on the RTS CTS Request to send Clear to send mechanism to coordinate media access In the above example one would re configure Station A and Station B to have a very low threshold packet size to...

Page 199: ...lem Insufficient RF Coverage A WLAN installation site survey ensures sufficient RF coverage maintaining a user specified minimum RF signal strength with at least one AP to serve the intended coverage...

Page 200: ...vity issues Figure 10 10 AirMagnet Enterprise tracks RF coverage from multiple WLANs by their SSIDs AirMagnet Mobile tracks multiple WLANs by their SSIDs to make sure each SSID is covered sufficiently...

Page 201: ...cy Overlaps Wireless devices operating in adjacent channels channel numbers less than 5 apart have their RF frequencies overlapped and will interfere with one another Ideally APs should be 5 channels...

Page 202: ...tly WLAN system administrators lack sufficient awareness of the RF environment in which their APs and stations operate present day WLAN technologies are only aware of other network elements They have...

Page 203: ...the unlicensed band and so cannot identify other sources of RF activity which can cause dropped network connections and other problems Lacking full RF spectrum awareness existing WLANs cannot apply a...

Page 204: ...adcast over those channels AirMagnet Mobile integrated with AirMagnet Spectrum Analyzer measures the duration of gaps between RF pulses If the gaps are very short the network engineer can program the...

Page 205: ...requency The data in the plot is in essence direct data from the Spectrum Analysis Engine SAgE The plot can provide the average power Avg the maximum power Max and the maximum power detected at any ti...

Page 206: ...The Air Quality plot displays RF air quality as a function of time Air quality is determined based on a single spectrum measurement such as maximum RF power average RF power pulse activity duty cycle...

Page 207: ...police the operations of the 802 11 devices to ensure they are operating in the correct channel In the USA this regulating body is the Federal Communications Commission FCC The FCC assigns the non li...

Page 208: ...luded in the EMEA regulatory domain but only channels 10 through 13 can be used in France AirMagnet Mobile detects 802 11 devices operating in channels that are not authorized for use by the local geo...

Page 209: ...apter 10 RF Management 195 Once the violating AP is identified and reported by AirMagnet Mobile the WLAN administrator may use the FIND tool to locate the device Figure 10 19 The AirMagnet Mobile FIND...

Page 210: ...196 Chapter 10 RF Management AirMagnet Laptop Wireless LAN Policy Reference Guide...

Reviews:

No comments