Wireless by yaofenji



CIS Plan for Testing and Rollout
• Wired Equivalent Privacy (WEP)
• 40-bit (64-bit) and 128-bit keys
• Already defeatable without additional
  security measures
• Most clients use software encryption, which
  significantly decreases performance
           EAP and LEAP
• Extensible Authentication Protocol (EAP)
• Lightweight Extensible Authentication Protocol
  (LEAP)
• EAP is an extension to RADIUS –
  Remote Authentication Dial-In User Service
           Wireless Standards
• 802.11b – 11 Mbps
• 802.11g – ratified, but no products are currently
  available for it. An extension to 802.11b that will
  allow 22 Mbps rates
• 802.11a – we have only seen one vendor producing
  these, but they are supposed to be more widely
  available by year end. 6-54 Mbps, uses the 5 GHz
  band and isn’t compatible with 802.11b. Range is
  about half that of 802.11b
• Realistically it is 2-3 years away from widespread
           OIT Observations
• WLAN encryption adds overhead of about 3%
  on Cisco – and throughput already starts at less
  than 5 Mbps
• [Less than 50% effective vs 70% for 802.11]
• Should only use wireless to augment the wired
  network, not replace it.
• Membership in SONNET requires
  authentication of clients
      OIT Recommendations
• 1) use WEP for now
• 2) require application-level security where
• 3) doesn’t see any value in MAC
• 4) authentication & logging required by OSU
• 5) use OIT’s authentication script for now
         OIT Standards proposals
• 1) 802.11b compliance
• 2) client authentication
• 3) client DHCP by server, not by AP
• 4) NAT (Network Address Translation)
• 5) encryption of sensitive data - WEP
• 6) follow channel reservation scheme
    OIT Standards proposals - Cont.
• 7) Only channels 1, 6, 11 can be used,
     but only 1 is for departments, 6 is
     for OIT, 11 is campus wide
• 8) Other channels can't be used

• 11 Mbps (theoretical) per Access Point (AP) –
  limited by the 10 Mbps wired connection
• 25 clients or less per AP is recommended by Cisco
  and others
• 250 clients is the theoretical limit
• Client (theoretical) – 11 Mbps at 100 ft., 5.5 Mbps
  at 150 ft., 2 Mbps at 300 ft. indoors. Segment load,
  obstructions and overhead will reduce these rates
• Cells can’t overlap w/o interference
• Underlap creates dropouts
• 11 Mbps × 55% = 6.05 Mbps – testing of various
  APs often produces results of less than 5 Mbps
• 6.05 Mbps / 25 clients = 242 kbps approx.
• 6.05 Mbps / 250 clients = 24 kbps – phone grade
• Could not provide adequate bandwidth for lecture
  halls like 113 if everyone had wireless. Access
  to the wired network is through OIT; elevator shafts
  create obstacles to providing it from new Dreese
• Dropouts will occur in elevators, stairwells and
  similar areas
• The 2.4 GHz band is “crowded” – interference from
  portable phones and microwaves is possible,
  especially when the device is directly in the path of
• Interference from rogue APs would be detrimental
  to the entire WLAN
• Use of any channel other than 11 can potentially
  cause some interference, particularly on the edge of
  cell ranges. Even ch 11 would interfere with OIT
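The capacity arithmetic above, carried one step further as an added example (mine, not an OIT or Cisco planning tool): it derives the usable per-AP throughput, the fair share per client, the share one sustained stream takes, and how many APs an area needs before the three non-overlapping channels run out. The 55% efficiency, 10 Mbps uplink and 25-client guidance are the page's figures; `plan_area` and its tie-breaking are my assumptions.

```python
"""Cell-capacity arithmetic for an 802.11b rollout, using this page's figures.

Assumptions (taken from the page, not from any vendor tool): an 11 Mbps
air rate of which ~55% is usable, a 10 Mbps wired uplink per AP, Cisco's
guidance of 25 clients per AP (250 theoretical), and only channels 1, 6
and 11 being non-overlapping, so at most 3 APs can cover one area.
"""
import math

AIR_RATE_MBPS = 11.0
EFFICIENCY = 0.55
WIRED_UPLINK_MBPS = 10.0
RECOMMENDED_CLIENTS_PER_AP = 25
NON_OVERLAPPING_CHANNELS = (1, 6, 11)


def effective_mbps(air_rate=AIR_RATE_MBPS, efficiency=EFFICIENCY,
                   uplink=WIRED_UPLINK_MBPS):
    """Usable throughput of one AP: air rate after protocol overhead,
    capped by the wired uplink behind it (11 x 0.55 = 6.05 Mbps here)."""
    return min(air_rate * efficiency, uplink)


def per_client_kbps(clients, ap_mbps=None):
    """Fair-share bandwidth in kbps when `clients` share one AP."""
    ap_mbps = effective_mbps() if ap_mbps is None else ap_mbps
    return ap_mbps * 1000.0 / clients


def single_stream_share(stream_mbps):
    """Fraction of one AP's usable bandwidth taken by one sustained stream,
    e.g. a desktop acting as a server (the page's 1-2 Mbps case)."""
    return stream_mbps / effective_mbps()


def plan_area(clients, target_kbps):
    """APs needed so each of `clients` gets `target_kbps`, honouring the
    25-per-AP guidance, and whether the 3 non-overlapping channels suffice.
    Returns a dict so the binding constraint is visible, not just a number."""
    ap_kbps = effective_mbps() * 1000.0
    by_bandwidth = math.ceil(clients * target_kbps / ap_kbps)
    by_client_limit = math.ceil(clients / RECOMMENDED_CLIENTS_PER_AP)
    aps = max(by_bandwidth, by_client_limit, 1)
    clients_per_ap = math.ceil(clients / aps)
    return {
        "aps_needed": aps,
        "limited_by": "bandwidth" if by_bandwidth > by_client_limit else "client_count",
        "fits_channel_plan": aps <= len(NON_OVERLAPPING_CHANNELS),
        "per_client_kbps": round(per_client_kbps(clients_per_ap), 1) if clients else None,
    }
```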
         Non-Cisco PC Cards
• Cisco’s Secure client only works with Cisco cards
  at this time
• EAP is now a standard. 802.1x standard is pushing
  toward LEAP
• Cisco’s security will fall back to MAC
  authentication but it compromises security
• Doesn’t meet OIT’s proposed standards
• Owner of MAC would be implicated in
  unauthorized use of our system if their MAC is
  spoofed, or card is stolen
     WEP Vulnerabilities – addressed
           by Cisco LEAP
• Static keys allow enough packets to be captured to
  defeat encryption
• A WEP key can be derived from 100,000 to
  1,000,000 packets
• Cisco LEAP forces reauthentication
• WEP key timeout is configurable
• Rogue Access Point – a WEP client doesn’t
  authenticate the AP
• Immune to AirSnort – popular wireless
  packet sniffing software
• Worst case – change key every 8 min 20 sec
• We would probably be fine changing the key
  every 30 minutes
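An added example (not from the page or from Cisco) that turns the packet counts above into a key-rotation check: given a traffic rate, how long a static key may live before the 100,000-to-1,000,000-packet range is reached, and whether a chosen interval holds up at both ends of that range. The 200 packets/second rate used below is inferred from the page's 8 min 20 sec worst case (500 s × 200 = 100,000); the safety margin is my assumption.

```python
"""Key-rotation budget for static WEP, using this page's figures.

Assumption (the page's claim, not a measurement): a WEP key can be derived
from roughly 100,000 to 1,000,000 captured packets, so a rotated key must
expire well before that many frames have been sent under it. The page's
8 min 20 sec worst case equals 100,000 packets at 200 packets/second.
"""
PACKETS_TO_BREAK_LOW = 100_000     # pessimistic end of the page's range
PACKETS_TO_BREAK_HIGH = 1_000_000  # optimistic end


def packets_per_second(throughput_mbps, avg_frame_bytes):
    """Frames per second at a sustained throughput and average frame size."""
    return throughput_mbps * 1_000_000 / 8 / avg_frame_bytes


def max_key_lifetime_s(pps, packets_to_break=PACKETS_TO_BREAK_LOW):
    """Seconds until `packets_to_break` frames have been sent under one key;
    the rotation interval must stay below this."""
    return packets_to_break / pps


def packets_exposed(lifetime_s, pps):
    """Frames an eavesdropper can collect under one key that lives `lifetime_s`."""
    return lifetime_s * pps


def rotation_is_safe(lifetime_s, pps, packets_to_break=PACKETS_TO_BREAK_LOW,
                     margin=2.0):
    """True when the key expires with a safety factor of `margin` before
    `packets_to_break` frames could have been captured under it."""
    return packets_exposed(lifetime_s, pps) * margin <= packets_to_break


def fmt_interval(seconds):
    """Render seconds the way the page does, e.g. 500 -> '8 min 20 sec'."""
    minutes, secs = divmod(int(round(seconds)), 60)
    return f"{minutes} min {secs} sec"


def rotation_report(lifetime_s, pps):
    """Check one interval against both ends of the page's range."""
    return {
        "packets_exposed": packets_exposed(lifetime_s, pps),
        "safe_at_100k": rotation_is_safe(lifetime_s, pps, PACKETS_TO_BREAK_LOW),
        "safe_at_1M": rotation_is_safe(lifetime_s, pps, PACKETS_TO_BREAK_HIGH),
        "max_lifetime": fmt_interval(max_key_lifetime_s(pps)),
    }
```

Running `rotation_report(1800, 200)` shows that a 30-minute interval at 200 packets/second exposes 360,000 frames per key, which passes only against the 1,000,000-packet end of the range.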
          Vendor Comparison
• Cisco is the only one with a 100 mW transmitter;
  others are 30 mW
• We tried an Intel AP, which is characteristic of many
  other vendor offerings. It is underpowered
  compared to the Cisco equipment, and it only
  offers static WEP
• Cisco cards’ WEP encryption takes place in
  hardware and requires less overhead – about 3%
             Why Cisco?
• They provide the strongest commercially available
  security scheme.
• Their products will integrate better with our
  existing Cisco network.
• They are the only vendor identified whose
  products meet and exceed the proposed OIT
• Their products have strongest throughput and
  reliability results.
           Aironet 350 AP
• Adjustable transmit power – several
  increments between 1-100 mW
• 128-bit WEP
• Hot-standby AP mode for critical areas
• Rugged version – plenum rated for ceiling
  mount locations
• Indoor 130 ft. @ 11 Mbps, 350 ft. @ 1 Mbps
         Aironet 350 PC Card
• Range – indoor 130 ft. @ 11 Mbps, 350 ft. @ 1
  Mbps – outdoor 800 ft. @ 11 Mbps, 2000 ft. @ 1
• Can create profiles for home, work, Starbucks, etc.
  for easy configuration changes. Seems to require
  less rebooting
• Adjustable power 1-100 mW
• Support tools for determining connection
  strength/quality and configuring client adapter
  seem to be better and more detailed
[Chart: throughput by proximity and distance – values of
720 kbps, 628 kbps, 599 kbps and 541 kbps for the closest
and next-closest positions. Source: Network World 2/5/01.
Tested: Cisco 340 series – 30 mW version]
                  Overall Performance

Source: Network World
• Eavesdropping - authentication
• Unauthorized network access - encryption
• WEP cracked – enough packets can be captured in 12
  hours or less to break it if static keys are used.
• Can pick up a non-directional wireless signal from
  as far away as 8 miles with a parabolic dish
• Cisco secure server authenticates AP to eliminate
  Rogue AP threat
          Proposed Security
• Authentication by Cisco Secure ACS server
• Firewall – same settings as Region 1 –
  would allow printing but not SMB, NFS,
  NIS, etc.
• Would need to move files via client –
  Citrix, ssh, ftp, etc.
   Secure ACS – other benefits
• Usage Accounting
• Ability to limit User Max Sessions and
  Group Max Sessions
• Disable account after X number of failed
         Cisco Secure Clients
• Windows 95, 98, NT, 2000, XP or Me
• PDA - No current support for Palm, but
  there is for Windows CE 2.11, 3.0
• Linux kernel 2.2.xx and Macintosh OS 9.x
• 802.1x standard – Cisco hopes it will lead to
  more LEAP enabled clients
                Authentication Model

       Wired Network Support
• Power injectors come with the Access Points and
  would be mounted in switch closets – power
  would be supplied over special Cat 5
• The wired network would have one dedicated VLAN
  with a class C network – would require another NIC
  in the firewall
• We project having 10-11 APs at first – so
  approximately 240 addresses for clients should
  work out about right
 Wired Network Support - Cont.
• A second class C network would require
  one more NIC on the firewall
• Switches would require no special
Wireless Network Model
        Expected configuration
• 1 AP per floor except on 2nd floor, where there
  would probably be a 2nd AP on the Baker side. EE
  has also indicated they would eventually need an
  AP here. Might be able to use ch 1 in that area
  and ch 6 on the North side of Dreese
• 2nd AP in rooms like 280, 480 might be possible if
  antenna gain can be turned down far enough
• No servers or desktops acting as servers.
  Sustained 1-2 Mbps would use up 30% or more of
  bandwidth with one client
           Expected Support
• Cisco cards and clients will be used
• Personal laptops - will help with
  configuration issues relating to connection,
  authentication, passing of allowed protocols
                 Site Survey
• Roam around the halls of Dreese with 2 APs, 2
  ladders, 2 or 3 notebooks with wireless and collect
  data on signal strength and throughput for various
  offices, labs etc.
• Won’t be able to test all types of antennas
• Cisco recommends outsourcing this function to
  someone with proper tools and expertise to
  minimize dead spots and interference
• Maximum allowable packet loss 29%
         Secure ACS Server
• Configure and test functionality
• Make sure it performs as advertised
         Timeline – phase 1
• Secure Server testing – end of January
• Site Analysis – end of February
• Testing – should be done by start of spring
• Final Recommendation – Early April
           Timeline – phase 2

• April-June Testing available on 8th and 7th floors
  to test group
• Late June, early July – order APs, and hardware
  for secure server
• Rollout – Aug – early Sept. to all floors in Dreese
• Other buildings – some time during fall quarter or
  winter break. Unknown interference problems
  from rogue access points may complicate rollout
