manualshive.com logo in svg

AirMagnet PRG-Laptop 7.0, Справочное руководство, Страница: 48 / 210

Поделиться
Скачать
AirMagnet PRG-Laptop 7.0 Скачать руководство пользователя страница 48

40

Chapter 2: IDS—Denial of Service Attack

AirMagnet Laptop Wireless LAN Policy Reference Guide

DoS Attack Against Client Station

Denial-of-Service attacks against wireless client stations are typically 

carried out based upon the fact that 802.11 management frames and 

802.1x authentication protocols have no encryption mechanism and 

can therefore be spoofed. For example, wireless intruders can disrupt 

the service to a client station by continuously spoofing a 802.11 dis-

association or de-authentication frame from the AP to the client 

station. The 802.11 association state machine as specified by the IEEE 

standard is illustrated below to show how an associated station can 

be tricked out of the authenticated and associated state by various 

types of spoofed frames.

Figure 2-12: 802.11 Association and Authentication State Machine

Besides the 802.11 authentication and association state attack, there 

are similar attack scenarios for 802.1x authentication.  For example, 
802.1x EAP-Failure or EAP-logoff messages are not encrypted and 

can be spoofed to disrupt the 802.1x authenticated state, thus 

disrupting wireless service.  See the diagram below for 802.1x 

authentication and key exchange state change.

Laptop Wireless LAN Policy Reference Guide.book  Page 40  Thursday, January 25, 2007  5:36 PM

Содержание PRG-Laptop 7.0

Страница 1: ...AirMagnet Laptop Wireless LAN Policy Reference Guide...

Страница 2: ...nt without notice AIRMAGNET INC SHALL NOT BE HELD LIABLE FOR ERRORS OR OMISSIONS CONTAINED HEREIN NOR FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OF THIS CONETENT This product inclu...

Страница 3: ...tected 15 Exposed Wireless Station Detected 17 LEAP Vulnerability Detected 19 Chapter 2 IDS Denial of Service Attack 23 DoS Attack Against AP 23 DoS Attack Association Flood 24 DoS Attack Association...

Страница 4: ...57 Fast WEP Crack ARP Replay Detected 60 Device Probing for APs 61 Dictionary Attack on EAP Methods 64 EAP Attack Against 802 1x Authentication Type 65 Fake APs Detected 66 Fake DHCP Server Detected...

Страница 5: ...and Authentication Methods 104 Device Unprotected by Other Encryption 104 Device Unprotected by Fortress Encryption 105 Static WEP Encryption 106 AP with Encryption Disabled 107 Client with Encryption...

Страница 6: ...ance Options 142 Simultaneous PCF and DCF Operation 143 Unassociated Station Detected 144 Device Down or Malfunction 144 AP System or Firmware Reset 145 AP with Flawed Power Save Implementation 145 IE...

Страница 7: ...0 Excessive Frame Retries 171 Excessive Low Speed Transmission 172 Excessive Missed AP Beacons 174 Excessive Packet Errors 175 Excessive Roaming or Reassociation 177 High Management Traffic Overhead 1...

Страница 8: ...vi Table of Contents AirMagnet Laptop Wireless LAN Policy Reference Guide...

Страница 9: ...of outside penetration and attack and there are many other possible wireless security risks and intrusions such as mis configured AP unconfigured AP and Denial of Service attacks Figure 1 1 Wireless S...

Страница 10: ...irMagnet Mobile security alarms can be customized to best match your security deployment policy For example if your WLAN deployment includes Access Points made by a specific vendor the product can be...

Страница 11: ...ile generates a warning alarm when it detects an AP broadcasting its SSID The AirMagnet Mobile alarm description in this case will recommend that the wireless administrator turn off the SSID broadcast...

Страница 12: ...ons to easily identify available WLANs and the APs providing the service War drivers equipped with tools such as Netstumbler sometimes scan for the SSIDs sent by Access Points to discover potential ta...

Страница 13: ...below Figure 1 4 Disabling SSID broadcast for Cisco Aironet Access Point AP Configuration Changed Most of the current day wireless 802 11b LAN equipment use Direct Sequence Spread Spectrum DSSS techn...

Страница 14: ...Ghz UNII Unlicensed National Information Infrastructure band 802 11a devices cannot interoperate with 802 11b g devices as they operate in different frequency bands Table 1 1 Channel Assignment for 80...

Страница 15: ...ISM band with each channel occupying 22 MHz Adjacent channels overlaps with each other in RF frequency usage see illustration below Figure 1 5 802 11b g Channel Allocation and Frequency Overlaps Wirel...

Страница 16: ...uration This can cause all valid clients to get disconnected from the AP as they now are not talking on the same network Please connect to the AP whose configuration has changed and assign a stronger...

Страница 17: ...ess bridge inside the corporate network that would invariably extend the corporate network to any location outside the corporate premises Detection of such wireless bridge devices indicates that somet...

Страница 18: ...FIND tool to locate the rogue device Figure 1 8 Locating a device with AirMagnet Mobile s FIND tool AP Using Default Configuration Access Points shipped by wireless equipment vendors usually come wit...

Страница 19: ...cess is made available for the general public One often finds hotspots in airports hotels coffee shops and other places where business people tend to congregate It is probably one of the most importan...

Страница 20: ...valid users with a wireless enabled laptop or handheld and valid login for accessing the Hotspot network WLAN Access Points These can be SOHO gateways or enterprise level access points depending upon...

Страница 21: ...ndependent of the encryption mechanism used Using the attack tool the intruder can passively monitors the wireless network for probe request frames to identify the SSIDs of the networks of the Windows...

Страница 22: ...they were temporarily disconnected from the Internet due to some unknown issue will try to login again to resume their activities Innocent wireless clients that associate to the Airsnarf access point...

Страница 23: ...uary 2004 the IEEE announced that it had formed a new 802 11 Task Group TGn to develop a new amendment for the existing standard for wireless local area networks It was expected to provide transmissio...

Страница 24: ...ntage of multipath propagation This is a stark contrast to the disadvantages multipath users have complained about Multiple antennas are used to divide a single fast signal into multiple slower signal...

Страница 25: ...sed Wireless Station Detected The popularity of WLANs results in user laptops with multiple WLAN configuration profiles to be used in various environments such as an enterprise office home or a wirele...

Страница 26: ...ions that constantly search for association thus leaving thesmelves vulnerable Typically they are client stations mis configured manually or automatically by the vendor profile selector This scenario...

Страница 27: ...tool LEAP Vulnerability Detected It is well publicized that WLAN devices using static WEP key for encryption are vulnerable to the WEP key cracking attack see the paper Weaknesses in the Key Scheduli...

Страница 28: ...sers on LEAP networks forcing them to re authenticate This makes the capture of LEAP passwords very fast Only de authenticating users who have not already been seen doesn t waste time on users who are...

Страница 29: ...advantages of EAP FAST are that it is not proprietary is compliant with the IEEE 802 11i standard supports TKIP and WPA does not use certificates thus avoiding complex PKI infrastructures and support...

Страница 30: ...22 Chapter 1 Configuration Vulnerabilities AirMagnet Laptop Wireless LAN Policy Reference Guide...

Страница 31: ...loping new standards like 802 11i to tackle some of these issues AirMagnet Mobile contributes to this solution by providing an early detection system where the attack signatures are matched AirMagnet...

Страница 32: ...ack signatures against the AP Incomplete authentication and association transactions trigger the AirMagnet Mobile attack detection and statistical signature matching process Detected DoS attacks resul...

Страница 33: ...ure 2 1 Emulated client associations overflowing AP s client association table AirMagnet Mobile detects spoofed MAC addresses and tracks the follow up 802 1x actions and data communication after a suc...

Страница 34: ...ss Point under attack has maintained a state in the client association table for each emulated client Once the AP s resources and client association table are filled up with these emulated clients and...

Страница 35: ...create a client entry in state 1 in the association table If Open System authentication is used on the AP the AP would send back an authentication success frame and move the client to state 2 If Share...

Страница 36: ...less service provided by this AP DoS Attack EAPOL Start Attack The IEEE 802 1x standard defines the authentication protocol using EAP Extensible Authentication Protocol over LANs or EAPOL The 802 1x p...

Страница 37: ...if it has any data frames waiting for it After it completes a handshake with the AP it can receive the data frames The beacons from the AP include the Delivery Traffic Indication Map DTIM to inform th...

Страница 38: ...ated Association This form of denial of service attack attempts to exhaust the AP s resources particularly the client association table by flooding the AP with a large number of emulated and spoofed c...

Страница 39: ...re 2 5 Emulated client associations overflowing AP s client association table AirMagnet Mobile detects spoofed MAC addresses and tracks the follow up 802 1x actions and data communication after a succ...

Страница 40: ...the attack Different attacks are covered under this section CTS flood attack Queensland University of Technology exploit RF jamming attack Virtual carrier attack DoS Attack CTS Flood Attack tool CTS...

Страница 41: ...privilege granted to the CTS frame to reserve the RF medium for transmission By transmitting back to back CTS frames an attacker can force other wireless devices sharing the RF medium to hold back th...

Страница 42: ...Access with Collision Avoidance CSMA CA as the basic access mechanism in which the WLAN device listens to the medium before starting any transmission and backs off when it detects any existing transmi...

Страница 43: ...transmission of data for the duration of the attack When under attack the device behaves as if the channel is always busy preventing the transmission of any data over the wireless network This DoS at...

Страница 44: ...4GHz or 802 11a at the 5GHz RF spectrum they are all susceptible to RF noise impact An attacker leveraging this WLAN vulnerability can perform two types of DoS attacks Disrupt WLAN service At the 2 4G...

Страница 45: ...ntenna 30 yards away from an AP can pulse enough high energy RF power to damage electronics in the AP resulting in it being permanently out of service Such HERF high energy RF guns have been demonstra...

Страница 46: ...el access to the legitimate users Under normal circumstances the only time a ACK frame should carry a large duration value is when the ACK is part of a fragmented packet sequence The only legitimate o...

Страница 47: ...data frame The IEEE 802 11 standard specifies the exact times for the subsequent CTS and data frames So the duration value of RTS is respected till the following data frame is received not receive Ei...

Страница 48: ...tion frame from the AP to the client station The 802 11 association state machine as specified by the IEEE standard is illustrated below to show how an associated station can be tricked out of the aut...

Страница 49: ...on DoS Attack Authentication Failure Attack IEEE 802 11 defines a client state machine for tracking station authentication and association status Wireless clients and APs implement such a state machin...

Страница 50: ...s codes from an associated client in State 3 to an AP Upon receiving the invalid authentication requests the AP updates the client to State 1 which disconnects its wireless service AirMagnet Mobile de...

Страница 51: ...02 11 defines a client state machine for tracking the station authentication and association status Wireless clients and APs implement such a state machine illustrated below according to the IEEE stan...

Страница 52: ...pically client stations would re associate and re authenticate to regain service until the attacker sends another de authentication frame AirMagnet Mobile detects this form of DoS attack by detecting...

Страница 53: ...ed and associated to State 3 Figure 2 16 Attacker spoofs 802 11 de authentication frames from AP to client station to bring client to state 1 A form of DoS attack aims to send a client of an AP to the...

Страница 54: ...ng to test the wireless service provided by this AP DoS Attack Disassociation Broadcast Attack tool ESSID Jack IEEE 802 11 defines a client state machine for tracking the station authentication and as...

Страница 55: ...uld re associate to regain service until the attacker sends another disassociation frame An attacker would repeatedly spoof the disassociation frames to keep all clients out of service AirMagnet Mobil...

Страница 56: ...tion until it is authenticated and associated to State 3 Figure 2 18 Attacker spoofs 802 11 disassociation frames from AP to client station to bring client to state 2 A form of DoS attack aims to send...

Страница 57: ...authentication transaction At the end of an authenticated session when a client station wishes to log off the client station sends an 802 1x EAPOL Logoff frame to terminate the session with the AP Fig...

Страница 58: ...ack Tool Detected IEEE 802 11 defines a client state machine for tracking station authentication and association status Wireless clients and APs implement such a state machine illustration below based...

Страница 59: ...t in State 3 to an AP Upon reception of the invalid authentication requests the AP would update the client to State 1 which disconnects its wireless service FATA jack is one of the commonly used tools...

Страница 60: ...ds Open System Shared Key etc 802 1x and EAP based authentications are monitored by other AirMagnet Mobile alarms DoS Attack Premature EAP Failure Attack The IEEE 802 1x standard defines the authentic...

Страница 61: ...uthentication An attacker could keep the client interface from coming up therefore DoS by continuously spoofing pre mature EAP Failure frames from the AP to the client to disrupt the authentication st...

Страница 62: ...ntication See the protocol exchange highlighted below Figure 2 23 Attacker spoofs pre mature EAP Success frames from an AP before the authentication is completed The IEEE 802 1X specification prohibit...

Страница 63: ...erprise detects this form of DoS attack by tracking spoofed pre mature EAP Success frames and the 802 1x authentication states for each client station and AP Locate the device and take appropriate ste...

Страница 64: ...56 Chapter 2 IDS Denial of Service Attack AirMagnet Laptop Wireless LAN Policy Reference Guide...

Страница 65: ...brella by validating the best security policy implementation as well as detecting intrusion attempts If such vulnerabilities or attack attempts are detected AirMagnet Mobile generates alarms to bring...

Страница 66: ...ng upon the Hotspot implementation Hotspot Controllers This box deals with user authentication gathering billing information tracking usage time filtering func tions etc This can be an independent mac...

Страница 67: ...address from the rogue Airsnarf Access Point instead of the legitimate AP installed by the hotspot operator The users will be shown a webpage that requests a username and password as now the DNS quer...

Страница 68: ...e vulnerable to WEP key cracking attack Refer to Weaknesses in the Key Scheduling Algorithm of RC4 I by Scott Fluhrer Itsik Mantin and Adi Shamir Figure 3 3 WEP Encipherment Block Diagram The WEP secr...

Страница 69: ...ill respond with encrypted replies thus providing new and possibly weak IVs AirMagnet Mobile alerts on weak WEP implementations and recommends a device firmware upgrade if available from the device ve...

Страница 70: ...ing tools to discover APs and publish their information MAC address SSID security implemented etc on the Internet with the APs geographical location information War chalkers discover WLAN APs and mark...

Страница 71: ...ngo client utility and the WiNc client utility Once associated this client station can be accessed by an intruder leading to a major security breach To make matters worse the client station may even u...

Страница 72: ...y the AirWISE alarm to determine which of your APs is broadcasting announcing their SSID in the beacons You may then adjust the AP properties to turn off the SSID broadcast feature Dictionary Attack o...

Страница 73: ...tching user name and password based authentication methods to encrypted tunnel based authentication methods such as PEAP and EAP FAST which are supported by many vendors including Cisco EAP Attack Aga...

Страница 74: ...nage to get authenticated to the network AirMagnet Mobile detects such an attempt by an intruder to gain access to the network using different 802 1x authentication types Please take appropriate steps...

Страница 75: ...sends a DHCP request informing the DHCP server that it wants to be assigned the IP address offered 4 The server returns a DHCP ACK acknowledging that the NIC has sent a request for a specific IP addre...

Страница 76: ...he FIND tool to locate the device Figure 3 7 The AirMagnet Mobile FIND tool locates devices by tracking down the signal level Hotspotter Tool Detected A hotspot is any location where Wi Fi network acc...

Страница 77: ...of a basic Hotspot network are Hotspot Subscribers These are valid users with a wireless enabled laptop or handheld and valid login for accessing the Hotspot network WLAN Access Points These can be SO...

Страница 78: ...spot network names Once a match is found the Hotspotter client will now act as an access point The clients can then authenticate and associate unknowingly to this Fake AP Once the client gets associat...

Страница 79: ...have in strange manners It is a well known fact that illegal packets can cause the firmware of a few vendors wireless network cards to crash Examples of such vulnerability include NULL probe response...

Страница 80: ...use the FIND tool to locate it Figure 3 10 Locating a device using AirMagnet Mobile FIND tool Man in the Middle Attack Detected Man in the Middle MITM attack is one of the most common 802 11attacks t...

Страница 81: ...r de authentication frame After that the hacker station now will spoof the MAC address of the client to continue being associated with the AP At the same time the hacker will set up a spoofed AP in an...

Страница 82: ...used by ex employees who may have not returned all their wireless equipment These nodes may be added to the monitor list to alert the wireless administrator the next time the AP or STA shows up in th...

Страница 83: ...s hacker uses war driving tools to discover APs and publish their information MAC address SSID security implemented etc on the Internet with the APs geographical location information War chalkers disc...

Страница 84: ...etected It is well publicized that WLAN devices using static WEP key for encryption are vulnerable to the WEP key cracking attack see the paper Weaknesses in the Key Scheduling Algorithm of RC4 I by S...

Страница 85: ...ed libpcap files Using a dynamic database table and index to make lookups on large files very fast This reduces the worst case search time to 0015 as opposed to lookups in a flat file Writing just the...

Страница 86: ...ntended boundaries can expose the network to unauthorized users The Rogue AP can put the entire corporate network at risk of outside penetration and attack Not to understate the threat of the rogue AP...

Страница 87: ...AirMagnet Laptop Wireless LAN Policy Reference Guide Chapter 3 IDS Security Penetration 79 Figure 3 13 Locating a device using AirMagnet Mobile FIND tool...

Страница 88: ...ireless traffic between wireless clients For most WLAN environments wireless clients communicate only with devices such as web servers on the wired network Enabling PSPF protects wireless clients from...

Страница 89: ...represents two potential threats to enterprise security Firstly host based APs are typically not part of the enterprise wireless infrastructure and are likely to be rogue devices that do not conform t...

Страница 90: ...devices by tracking down the signal level Spoofed MAC Address Detected Spoofing tools SMAC macchanger SirMACsAlot Gentle MAC Pro A wireless intruder wishing to disrupt the wireless network has a wide...

Страница 91: ...Suspicious After Hour Traffic Detected One way to detect a wireless security penetration attempt is to analyze wireless usage during a time in which there is not supposed to be any wireless traffic su...

Страница 92: ...ting AirMagnet Enterprise to accept all or a specific subset of existing APs or STAs discovered by AirMagnet SmartEdge sensors Rogue APs installed by unauthorized employees usually do not follow enter...

Страница 93: ...ed automatically as soon as it is detected Use the AirMagnet Enterprise wireless trace and block Rogue feature provided by the IDS Rogue page on the AirMagnet Enterprise Console to allow the AirMagnet...

Страница 94: ...86 Chapter 3 IDS Security Penetration AirMagnet Laptop Wireless LAN Policy Reference Guide Figure 3 17 AirMagnet Enterprise wired trace and block Rogue feature suspends rogue APs...

Страница 95: ...ation MAC address SSID security implemented etc on the Internet with the APs geographical location information War chalkers discover WLAN APs and mark the WLAN configuration at public locations with u...

Страница 96: ...adcasting their SSID their WEP capabilities and provides vendor information automatically It also creates an ethereal tcpdump compatible dumpfile and an Application savefile It also has GPS support Us...

Страница 97: ...rder to protect the integrity of the wireless and the wired enterprise network AirMagnet Mobile provides the following methods to detect rogue devices One or more of these methods can be used to diffe...

Страница 98: ...respond to detected rogue APs In such a case the AirMagnet Smartedge Sensor emulates a wireless client using the rogue AP s announced SSID to associate with the AP After associating the sensor perform...

Страница 99: ...AP alarm will be generated Rogue APs installed by unauthorized employees may not follow enterprise standard deployment procedures and may thus compromise security on the wireless and wired network Th...

Страница 100: ...P alarm whenever an AP is discovered outside of the vendor list i e a non Cisco Aironet or non Symbol Technologies AP Rogue APs installed by unauthorized employees usually do not follow enterprise sta...

Страница 101: ...erated by requesting the AirMagnet Enterprise product to accept all or a specific subset of existing APs discovered by the AirMagnet SmartEdge Sensors Rogue APs installed by unauthorized employees usu...

Страница 102: ...raises a rogue AP alarm when an AP operating in a different SSID is discovered Rogue APs installed by unauthorized employees usually do not follow enterprise standard deployment practices and can thus...

Страница 103: ...e enterprise implements only 802 11b g APs If there is an 802 11a AP detected AirMagnet Mobile will immediately raise an alarm Rogue APs installed by unauthorized employees usually do not follow enter...

Страница 104: ...oughly investigated To use this feature please ensure that the laptop running the AirMagnet software is connected to the wired network and check the Enable Trace option present in the configuration se...

Страница 105: ...detection mechanisms are by MAC address vendor ID SSID radio media type and RF channels In addition any station that is associated with a rogue AP also triggers a rogue station alarm Rogue Station by...

Страница 106: ...ld then include Cisco and Symbol in the authorized vendor list After the vendor list is imported AirMagnet Mobile raises a rogue station alarm whenever a station is discovered outside of the vendor li...

Страница 107: ...figured address list The authorized MAC address list can be imported to AirMagnet Enterprise from a file AccessControl txt This file is common for APs Infrastructure stations and Ad hoc stations It ca...

Страница 108: ...ID list For example if your enterprise deployed WLAN is configured only with MyOfficeWlan and MyVoIPWlan you would then include these two SSIDs in the SSID list AirMagnet Mobile raises a rogue station...

Страница 109: ...enever a client station operating outside of the enterprise standardized radio media is discovered by AirMagnet Mobile a rogue station alarm will be generated For example consider a case in which the...

Страница 110: ...Laptop Wireless LAN Policy Reference Guide Once a Rogue station is identified and reported by AirMagnet Mobile the WLAN administrator may use the FIND tool to locate the rogue device Figure 4 12 Locat...

Страница 111: ...User authentication blocks out unauthorized access to your wired and wireless resources Traffic encryption goes hand in hand with user authentication during which the encryption secrets are exchanged...

Страница 112: ...ms to ensure that AirMagnet Mobile monitors your network accordingly Device Unprotected by Other Encryption If your WLAN security deployment mandates the use of encryption technologies provided by Cra...

Страница 113: ...re being followed in every installation worldwide In addition shared notifications among both systems will allow Cranite administrators to see external wireless threats The integration of the AirMagne...

Страница 114: ...w security alert identifies users who fail to run Fortress Security System This will allow security conscious customers who have chosen Fortress to verify that their authentication encryption policies...

Страница 115: ...to eavesdropping by intruders Typically for an AP that is operating without any sort of encryption mechanism there can be unauthorized clients without encryption keys that can associate with the AP a...

Страница 116: ...hrer Itsik Mantin and Adi Shamir Figure 5 2 WEP Encipherment Block Diagram The WEP secret key that has been cracked by any intruder results in no encryption protection thus leading to compromised data...

Страница 117: ...appears to be more secure but actually has been proven to be vulnerable to WEP key cracking by wireless intruders because the challenge text and response are both clear and unencrypted This means tha...

Страница 118: ...h a passive attack by eavesdropping An attacker can use brute force to compute the challenge response off line after capturing challenge text which is in clear text Once the match is found the attacke...

Страница 119: ...h is determined by the transmitting station The IV can be reused frequently in consecutive frames thus increasing the chance of the secret key being recovered by wireless intruders AirMagnet Mobile al...

Страница 120: ...provide access control and most importantly Quality of Service QoS Using VPN in addition to WEP in the network also provides encryption all the way to the VPN gateway This can be very effective for tr...

Страница 121: ...reless vendors support WPA and consider it to be a more secure alternative to static WEP Figure 5 5 802 1x user based authentication and encryption framework There are three major end user benefits pr...

Страница 122: ...t is as weak as static WEP which is subject to key recovery attacks By continuously monitoring on WLAN 802 1x authentication and encryption transactions AirMagnet Mobile can detect an AP configured wi...

Страница 123: ...a shared encryption key and re key mechanism has to be implemented It has been found that very few wireless devices implement the multicast and broadcast encryption key mechanism correctly In reality...

Страница 124: ...y standard As time passed by equipment vendors increased this to 128 bit keys as so forth Some implementations even announced that they were using upto 256 bit WEP keys Since then Static WEP has been...

Страница 125: ...The server based mechanism requires an authentication server such as a RADIUS server to securely and dynamically distribute session keys Pairwise Master Key or PMK When PSK is used instead of 802 1x...

Страница 126: ...mporal Key Integrity Protocol TKIP and Advanced Encryption Standard Counter Mode CBC MAC Protocol WLAN traffic encrypted with TKIP and MIC defeats packet forgery and replay attack TKIP is most importa...

Страница 127: ...ed after the decryption AES CCMP mode provides authentication and encryption using the AES block cipher CCMP is a combination of the Counter CTR mode encryption for data privacy and Cipher Block Chain...

Страница 128: ...steps to avoid any security holes in the network and upgrade the wireless network infrastructure and devices to use the more secure IEEE 802 11i standard Device Unprotected by 802 11x If your WLAN sec...

Страница 129: ...s not configured for 802 1x weaken your WLAN security by allowing non compliant users to falsely authenticate and enter your wired network Mis configured client stations without 802 1x protection also...

Страница 130: ...versity in Providence Rhode Island has written a hacking tool that compromises wireless LAN networks running LEAP by using off line dictionary attacks to break LEAP passwords The tool after detecting...

Страница 131: ...client and the server using a PAC Protected Access Credential to authenticate each other After the tunnel establishment process the client is then authenticated using the user name and password crede...

Страница 132: ...uding Cisco have recently added support for PEAP with a firmware upgrade You can rely on this AirMagnet Mobile alarm to alert you of devices that are not using PEAP Please ensure that the PEAP authent...

Страница 133: ...atic WEP as well as defeating packet forgery and replay attack Figure 5 14 TKIP and MIC encrypted frames expands the original data by 20 bytes for stronger encryption and integrity check Unlike AES ba...

Страница 134: ...h no EAP exchange As there is no RADIUS server and no EAP methods such as EAP TLS or LEAP involved the PSK mode is less secure Figure 5 15 4 way handshake completes the key exchange for the pre shared...

Страница 135: ...e of the PSK mode and recommends switching to the more secure 802 1x EAP based key management and authentication system If you decide to stay with PSK mode key management please make sure your choice...

Страница 136: ...128 Chapter 5 Authentication and Encryption AirMagnet Laptop Wireless LAN Policy Reference Guide...

Страница 137: ...ormance and efficiency by monitoring the WLAN and alerting the wireless administrator of early warning signs for trouble Performance alarms are generated and classified in the following categories in...

Страница 138: ...130 Part Two Performance Intrusion AirMagnet Laptop Wireless LAN Policy Reference Guide...

Страница 139: ...al in Maximizing WLAN Throughput and Minimizing Interference Not only does the radio medium have bandwidth limitations WLAN Access Points have limitations and can be overloaded by heavy traffic or a l...

Страница 140: ...failed load balancing for the WLAN deployment To remedy the problem you may add additional APs to your existing infrastructure or try to remove unnecessary devices that are currently using up associat...

Страница 141: ...ming traffic combined and raises an alarm when the sustained utilization exceeds the user configured threshold To further investigate AP bandwidth utilization you may use the Infrastructure screen to...

Страница 142: ...n exceeds the user configured threshold To further investigate AP bandwidth utilization you may use the Infrastructure screen to identify stations associated with this AP and their individual bandwidt...

Страница 143: ...r example a 1000 byte broadcast frame would take at least 8 milliseconds to transmit at 1 Mbps which is a considerable delay for a voice application AirMagnet Mobile tracks multicast and broadcast fra...

Страница 144: ...136 Chapter 6 Channel or Device Overload AirMagnet Laptop Wireless LAN Policy Reference Guide...

Страница 145: ...ion Figure 7 1 WLAN Deployment Involves Configuration for Access Points Wireless Bridges and Back end Distribution Service AirMagnet Mobile monitors these configuration parameters and their mutual int...

Страница 146: ...eshold fragmentation threshold maximum retry count multiple SSIDs More AirMagnet Mobile monitors and tracks the usage of these configuration parameters Alarms are raised when errors are detected for e...

Страница 147: ...ay have their own SSIDs and can co exist in the same RF environment However when infrastructure mode and ad hoc mode devices share the same SSID client connections may become unreliable and inconsiste...

Страница 148: ...device using AirMagnet Mobile FIND tool Conflicting AP Configuration One of the ways for AirMagnet Mobile to validate a configuration policy is to check the configuration consistency from APs supporti...

Страница 149: ...imization is a key factor during the WLAN site survey and deployment process It is typically impacted by signal quality and distance See the table below for all the supported speeds and what AirMagnet...

Страница 150: ...s The IEEE 802 11b standard defines several optional device capabilities to improve performance levels Short preamble The preamble refers to the header information in a packet Generally a longer pream...

Страница 151: ...f CSMA CA Carrier Sense Multiple Access Collision Avoidance and a random back off time following a busy medium condition In addition all directed traffic uses immediate positive acknowledgment ACK fra...

Страница 152: ...atively the WLAN administrator can also use AirMagnet Mobile s active end to end test tools to further investigate the problem by emulating a client station in the action of association DHCP Ping and...

Страница 153: ...t Mobile alarm linkage can be drawn between interrupted service and its root cause in such a scenario AP with Flawed Power Save Implementation The IEEE 802 11 standard defines the power save operation...

Страница 154: ...obile detects APs with flawed 802 11 power save implementations similar to the two defects mentioned above This problem generally does not cause any wireless connection issues but causes severe qualit...

Страница 155: ...communicate using CCK and OFDM modulation schemes respectively but 802 11g devices have to support both modulation schemes to ensure backward compatibility Figure 7 6 802 11 a b g Range and Modulatio...

Страница 156: ...an environment when protection is truly needed malfunctioning or mis configured APs without advertising protection mechanisms can degrade performance significantly It has been observed that many pre 8...

Страница 157: ...smission include Super G Turbo mode Packet Burst etc AirMagnet Mobile can detect the use of non standard speed settings even if your current WLAN card cannot support such speeds If you wish to enable...

Страница 158: ...nisms to resolve this issue RTS CTS and CTS to self It is controlled by the 802 11g AP which advertises and triggers the use of a protection mechanism 802 11g client stations must follow the AP s adve...

Страница 159: ...n overhead is re introduced to a once pure 802 11g environment AirMagnet Mobile raises an alarm for a purity sweep Device Thrashing Between 802 11g and 802 11b The IEEE 802 11g standard requires a 802...

Страница 160: ...se the AirMagnet Infrastructure page and select the List by Station view option to show all historical sessions a client station has with various APs You may also monitor on the client RF mode switch...

Страница 161: ...oint has the same priority as the other stations This is very critical for DCF as the number of devices increases in the BSS and so do the collisions The PCF mechanism provides data transfer via a pol...

Страница 162: ...he QSTA Based on the admission control policy if the request is accepted the HC schedules TXOPs for both the QAP and the QSTA For transmissions from the QSTA the HC polls the QSTA based on the paramet...

Страница 163: ...a limited number of clients When the limit is reached additional clients may find their service requests rejected or existing clients may experience degraded performance This is unacceptable in an env...

Страница 164: ...ilization the VoWLAN calls may be choppy and experience degraded performance AirMagnet Mobile monitors on the AP work load by tracking its active VoWLAN clients You can configure the system to generat...

Страница 165: ...in adjacent channels channel numbers less than 5 apart have their RF frequencies overlapped and will interfere with one another Ideally APs should be 5 channels apart to avoid such a problem See the s...

Страница 166: ...cation and usage to detect their mutual interferenceand the alarm is generated when a channel frequency is overlapped by more than thetolerable number the user configurable alarm threshold of APs For...

Страница 167: ...nce Figure 8 7 AirMagnet Jitter tool to measure jitter Channel Overloaded by Voice Traffic As per the IEEE 802 11e standard for QoS the QoS basic service set QBSS is a basic service set BSS that suppo...

Страница 168: ...160 Chapter 8 IEEE 802 11e and VoWLAN Issues AirMagnet Laptop Wireless LAN Policy Reference Guide Figure 8 8 Beacon frame format as suggested by IEEE 802 11e...

Страница 169: ...by IEEE 802 11e Both these frames include the QBSS Load element The QBSS Load element contains information on the current station population and traffic levels in the QBSS Figure 8 10 Load Element Fo...

Страница 170: ...pany premises Though APs are getting cheaper the overall architecture deployment price is still high AirMagnet Survey part of the AirMagnet Mobile Family can help the users implement such a dense depl...

Страница 171: ...Mobile roaming devices such as VoWLAN phones and bar code scanners on a WLAN frequently perform such a re association act As the phones roam from one AP to another the calls may be dropped and the pho...

Страница 172: ...ower adjustment for optimized coverage and capacity All these technologies improve WLAN efficiency However vendor implementations and fine tuning are not on par with each other Immature new products m...

Страница 173: ...AirMagnet Laptop Wireless LAN Policy Reference Guide Chapter 8 IEEE 802 11e and VoWLAN Issues 165 Figure 8 13 Using the Infrastructure Page station List to investigate excessive roaming problem...

Страница 174: ...h another access point Figure 8 14 AirMagnet Roaming tool to measure roaming delays Also the AirMagnet Jitter tool allows the user to effectively measure RF signal jitter in both incoming and outgoing...

Страница 175: ...sfers the DTIM it will transfer the buffered data Figure 8 16 Traffic Indication Map Information Element The important parameter here is the DTIM period which indicates how often the AP will transmit...

Страница 176: ...ces Proprietary solutions Proprietary solutions can be implemented at the access point level Some APs allow users to specify a multicast MAC address to identify the voice frame Once recognized the AP...

Страница 177: ...erformance problem and suggest countermeasures AirMagnet Mobile tracks MAC layer protocol characteristics including the following Frame CRC error Frame re transmission Frame speed 1 2 5 5 11 Mbps usag...

Страница 178: ...illustrated below Figure 9 2 IEEE 802 11 Frame fields for frame fragmentation and defragmentation The increased reliability of the smaller fragmented frames comes at the cost of frame transmission ove...

Страница 179: ...hen there is no acknowledgement observed the transmitter assuming that the receiver did not receive the frame successfully would re transmit the unacknowledged frame with the Retry bit in the frame se...

Страница 180: ...priate steps to avoid such problems For example if the problem stems from noise or interference AirMagnet s Find tool can be used to help track down and remedy the root cause Excessive Low Speed Trans...

Страница 181: ...low speed transmissions The transmit speed selection is a decision made by the transmitter that will also detect reception problems from the lack of acknowledgements The transmitter may vary the tran...

Страница 182: ...nfiguration parameters Wireless clients use these beacon frames to learn of available WLAN services and their characteristics in order to make crucial decisions regarding association and roaming The b...

Страница 183: ...ification defines the PLCP Physical Layer Convergence Protocol header to include a HEC Header Error Check field for error detection See illustration below The receiver performs calculations on the syn...

Страница 184: ...ile detects these error frames and tracks them based on per device and per channel orientation See illustration below Figure 9 12 AirMagnet Mobile CRC frame error tracking display for a channel or a d...

Страница 185: ...Communication Once an AP with better service is identified the client station will associate with the new AP and break the association with the original AP Mobile roaming devices such as VoIP phones a...

Страница 186: ...ervice Stationary devices such as wireless printers and wireless desktops are not expected to have repeated re associations AirMagnet Mobile watches out for the anomaly of excessive client re associat...

Страница 187: ...e basic frame types Management Control and Data frames Management frames such as beacon probe request response association request response authentication etc do not carry user data but are needed to...

Страница 188: ...cation of more severe problems For example if many client stations fail to associate with AP they constantly retry associating to the AP resulting in large amount of management traffic AirMagnet Mobil...

Страница 189: ...ess Device The WLAN spectrum is a shared medium with a limitation on bandwidth Be it 802 11b at 11 mbps or 802 11a g at 54 mbps bandwidth utilization should be closely monitored on a per channel and p...

Страница 190: ...roblem for wired networks but can cause significant impact to the wireless networks especially VoWLAN Voice over WLAN AirMagnet Mobile tracks such wireless client stations that are constantly streamin...

Страница 191: ...AirMagnet Laptop Wireless LAN Policy Reference Guide Chapter 9 Problematic Traffic Pattern 183 Figure 9 19 The AirMagnet Mobile FIND tool locates devices by tracking down the signal level...

Страница 192: ...184 Chapter 9 Problematic Traffic Pattern AirMagnet Laptop Wireless LAN Policy Reference Guide...

Страница 193: ...allocation problems Channel noise and non 802 11 signals WLAN RF service under coverage area Classic RF hidden node syndrome Many more In addition to complicated technical RF issues there are regulato...

Страница 194: ...At the 5GHz frequency range where 802 11a operates regulatory rules have been more restrictive in favor of WLAN data communication networks The existence of noise is present but not as prevalent as t...

Страница 195: ...remedy the problem If the equipment causing problems is owned by the company this can be an easy fix but if it belongs to a neighboring company remedying the situation can be more difficult This stres...

Страница 196: ...gnet Mobile monitors channel allocation and usage and raises this alarm when a channel is populated by more than the pre defined maximum number of APs the configurable alarm threshold is 3 This alarm...

Страница 197: ...l range but they can both communicate with the same access point Because of this situation Station A may begin sending a frame without noticing that Station B is currently transmitting or vice versa T...

Страница 198: ...rning on the RTS CTS Request to send Clear to send mechanism to coordinate media access In the above example one would re configure Station A and Station B to have a very low threshold packet size to...

Страница 199: ...lem Insufficient RF Coverage A WLAN installation site survey ensures sufficient RF coverage maintaining a user specified minimum RF signal strength with at least one AP to serve the intended coverage...

Страница 200: ...vity issues Figure 10 10 AirMagnet Enterprise tracks RF coverage from multiple WLANs by their SSIDs AirMagnet Mobile tracks multiple WLANs by their SSIDs to make sure each SSID is covered sufficiently...

Страница 201: ...cy Overlaps Wireless devices operating in adjacent channels channel numbers less than 5 apart have their RF frequencies overlapped and will interfere with one another Ideally APs should be 5 channels...

Страница 202: ...tly WLAN system administrators lack sufficient awareness of the RF environment in which their APs and stations operate present day WLAN technologies are only aware of other network elements They have...

Страница 203: ...the unlicensed band and so cannot identify other sources of RF activity which can cause dropped network connections and other problems Lacking full RF spectrum awareness existing WLANs cannot apply a...

Страница 204: ...adcast over those channels AirMagnet Mobile integrated with AirMagnet Spectrum Analyzer measures the duration of gaps between RF pulses If the gaps are very short the network engineer can program the...

Страница 205: ...requency The data in the plot is in essence direct data from the Spectrum Analysis Engine SAgE The plot can provide the average power Avg the maximum power Max and the maximum power detected at any ti...

Страница 206: ...The Air Quality plot displays RF air quality as a function of time Air quality is determined based on a single spectrum measurement such as maximum RF power average RF power pulse activity duty cycle...

Страница 207: ...police the operations of the 802 11 devices to ensure they are operating in the correct channel In the USA this regulating body is the Federal Communications Commission FCC The FCC assigns the non li...

Страница 208: ...luded in the EMEA regulatory domain but only channels 10 through 13 can be used in France AirMagnet Mobile detects 802 11 devices operating in channels that are not authorized for use by the local geo...

Страница 209: ...apter 10 RF Management 195 Once the violating AP is identified and reported by AirMagnet Mobile the WLAN administrator may use the FIND tool to locate the device Figure 10 19 The AirMagnet Mobile FIND...

Страница 210: ...196 Chapter 10 RF Management AirMagnet Laptop Wireless LAN Policy Reference Guide...

Отзывы:

Нет отзывов