DePaul University Networks and Telecom                       J. Kristoff
Request for Comments: 6                                          R&D/N&T
Category: Informational                                    October, 2002
Class: Public
Revision: 1.0

                    802.11b Wireless LANs at DePaul

Status of this Memo

   This memo provides information for the DePaul University community and does not specify a standard of any kind. Redistribution of this memo is unlimited.

Copyright Notice

   Copyright (C) DePaul University (2002). All rights reserved.

Abstract

   DePaul University has begun deploying wireless LAN technology onto its existing internetwork infrastructure. This memo details the rationale and trade-offs in the University's design and setup of its wireless LAN deployment.

Kristoff                     Informational                      [Page 1]

RFC 6                   802.11b Wireless LANs               October 2002

Table of Contents

   1. Technology Overview.....................................2
   1.1. CSMA/CA...............................................2
   1.2. Spectrum and Channel Usage............................2
   1.3. Service Set Identity (SSID)...........................2
   1.4. Bit Rates, Capacity and Performance...................2
   2. DePaul Wireless LAN Design..............................3
   2.1. Wireless VLANs and Subnets............................3
   2.2. Access Point Deployment...............................3
   2.3. End User Client Software and Configuration............3
   3. Wireless LAN Security Concerns..........................4
   3.1. Authentication........................................4
   3.2. Encryption and Wired Equivalent Privacy (WEP).........4
   3.3. Audit Trails and Incident Response....................4
   4. Networks and Telecom Support Structure..................5
   4.1. Availability Monitoring...............................5
   4.2. Authentication Monitoring.............................5
   4.3. Resource Usage........................................5
   4.4. Remote Access Point Management........................5
   4.5. Wireless Support Tools................................5
   4.5.1. Ethereal............................................5
   4.5.2. Personal Digital Assistants (PDAs)..................5
   4.5.3. SYSLOG monitoring...................................5
   4.5.4. Rogue Access Point Tracking.........................5
   5. Future Issues...........................................6
   5.1. Security..............................................6
   5.1.1. Virtual Private Networks (VPNs).....................6
   5.1.2. 802.1x..............................................6
   5.2. 802.11a/802.11g.......................................6
   Acknowledgements...........................................7
   References.................................................7
   Security Considerations....................................8
   Editor's Address...........................................8

1. Technology Overview

   The Institute of Electrical and Electronics Engineers (IEEE), the standards organization behind 802.3 (also commonly referred to as Ethernet), develops and maintains the 802.11b wireless LAN standard. 802.11b is an extension to the original 802.11 wireless LAN system, with the primary enhancement of running at theoretical speeds of up to 11 Mb/s.

   802.11b networks are typically deployed either in "ad-hoc" mode or using access points. Access points provide a centralized coordination function for all wireless devices on a single wireless network. This document is concerned only with wireless networks that are deployed using access points unless otherwise noted.

1.1. CSMA/CA

   The access method to the medium used in 802.11b is referred to as carrier sense multiple access with collision avoidance (CSMA/CA). As do 802.3 devices, 802.11 stations sense the medium (they listen) before transmitting to determine whether the channel is available or not. However, unlike 802.3 networks, 802.11 nodes use collision avoidance (CA) instead of collision detection (CD).
   Wireless nodes in an 802.11 network may be unable to reach all other nodes directly without the help of a relay device. Therefore, a request and acknowledgement scheme using Request To Send (RTS) and Clear To Send (CTS) signals helps nodes share the use of the spectrum without interference.

1.2. Spectrum and Channel Usage

   802.11b wireless LANs operate within the 2.4 GHz frequency band, which is set aside worldwide for unlicensed use. This means that FCC approved equipment can be deployed to transmit signals in this frequency band without the operator of the equipment needing to license use of this spectrum space. This type of frequency band is commonly referred to as an Industrial, Scientific and Medical (ISM) band.

   The good news is that ISM bands allow various types of services for all sorts of uses. This is also the bad news, because competing transmissions within this band may occur, causing interference for all affected systems. While there are limits to the allowable radiated power of ISM devices, it is very possible that competing ISM devices will be close enough to cause interference between each system. For example, microwave ovens and some cordless telephones operate in or around the same spectrum in the 2.4 GHz band that 802.11b uses and may interfere with wireless network connectivity.

   In the United States, 802.11b products can be configured to use one of eleven different 25 MHz direct sequence channels within the ISM band, with a starting center frequency of 2.412 GHz and ending at 2.472 GHz. Due to the width of the 25 MHz band each channel uses, 802.11b networks with overlapping spatial coverage areas must each be separated by five or more channels to prevent interference. This limits the maximum number of non-overlapping channels to three (channels 1, 6 and 11).

1.3. Service Set Identity (SSID)

   In the most basic sense, an SSID is the network name for a single 802.11b wireless LAN coverage area, or the coverage area provided by an access point (AP) on its designated channel. The SSID is used to help wireless nodes identify the proper wireless network to communicate with if there are competing wireless networks available.

   It should be noted that the SSID is not intended to be used to protect access to a wireless network from outsiders. Since the SSID is transmitted in plain text and often broadcast periodically, it offers no secrecy or protection for a wireless network operator.

1.4. Bit Rates, Capacity and Performance

   The IEEE has standardized on four bit rates for 802.11b networks: 1 Mb/s, 2 Mb/s, 5.5 Mb/s and 11 Mb/s. It is common for wireless devices to support multiple rates on a wireless network. This is useful where the trade-off of a lower rate at further distances is preferred over no connectivity at higher rates and shorter distances.

   Wireless networks by their nature are shared mediums. Therefore, unlike dedicated connections such as those found in switched wired LANs, each node must share a portion of the available capacity. In practice, overall throughput for an 802.11b wireless network is usually between 30% and 40% of its maximum theoretical capacity, or about 4 Mb/s when operating at 11 Mb/s. While there is no upper bound on how many nodes may participate in any one wireless network, it is best to limit saturation to about forty typical wireless users.

2. DePaul Wireless LAN Design

   Wireless LANs at DePaul have been designed with a small handful of guiding principles. These principles include simplicity, flexibility, manageability and security. In some instances, trade-offs have had to be made in one area.
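   Two of the rules of thumb from section 1 lend themselves to a planning check before access points are installed: access points whose coverage areas overlap must sit on channels at least five apart (section 1.2, so channels 1, 6 and 11 are the only mutually non-overlapping set), and a single 802.11b cell should not be loaded past about forty typical users sharing roughly 4 Mb/s of real throughput at the 11 Mb/s rate (section 1.4). The following is an added example written for this memo, not N&T's own tooling; the access point names, channels, overlap pairs and user counts are constructed sample data, and the greedy channel assignment is one simple strategy, not a claim about how DePaul assigns channels.

```python
"""Added example: check an access point plan against the channel
separation rule (section 1.2) and the per-cell capacity guidance
(section 1.4). All AP names and numbers below are constructed."""

MIN_CHANNEL_SEPARATION = 5      # section 1.2: five or more channels apart
MAX_USERS_PER_AP = 40           # section 1.4: about forty typical users
USABLE_THROUGHPUT_MBPS = 4.0    # section 1.4: ~4 Mb/s of an 11 Mb/s cell
NON_OVERLAPPING = (1, 6, 11)    # section 1.2: the three usable channels


def channels_conflict(a, b):
    """True when two channels are closer than the required separation."""
    return abs(a - b) < MIN_CHANNEL_SEPARATION


def find_channel_conflicts(aps, overlaps):
    """aps: {name: channel}; overlaps: (name, name) pairs whose coverage
    areas overlap. Returns the overlapping pairs whose channels conflict."""
    bad = [(a, b) for a, b in overlaps if channels_conflict(aps[a], aps[b])]
    return sorted(bad)


def find_oversaturated(users):
    """users: {name: expected user count}. Returns APs over the limit."""
    return sorted(name for name, count in users.items()
                  if count > MAX_USERS_PER_AP)


def per_user_throughput(user_count):
    """Fair-share estimate of throughput per active user, in Mb/s."""
    if user_count <= 0:
        return USABLE_THROUGHPUT_MBPS
    return USABLE_THROUGHPUT_MBPS / user_count


def suggest_channels(overlaps, names):
    """Greedy assignment from the three non-overlapping channels.
    Returns (assignment, unassignable). Three colours do not always
    suffice (four mutually overlapping APs cannot all be separated), so
    APs that cannot be placed are reported instead of forced."""
    neighbours = {n: set() for n in names}
    for a, b in overlaps:
        neighbours[a].add(b)
        neighbours[b].add(a)
    assignment, unassignable = {}, []
    # Most constrained APs first.
    for n in sorted(names, key=lambda x: -len(neighbours[x])):
        used = {assignment[m] for m in neighbours[n] if m in assignment}
        free = [c for c in NON_OVERLAPPING if c not in used]
        if free:
            assignment[n] = free[0]
        else:
            unassignable.append(n)
    return assignment, unassignable


# Constructed sample plan: three APs, two of them on the same floor.
SAMPLE_APS = {"ap-2fl-east": 1, "ap-2fl-west": 3, "ap-3fl": 6}
SAMPLE_OVERLAPS = [("ap-2fl-east", "ap-2fl-west"), ("ap-2fl-west", "ap-3fl")]
SAMPLE_USERS = {"ap-2fl-east": 25, "ap-2fl-west": 55, "ap-3fl": 10}

if __name__ == "__main__":
    print("channel conflicts:", find_channel_conflicts(SAMPLE_APS, SAMPLE_OVERLAPS))
    print("oversaturated APs:", find_oversaturated(SAMPLE_USERS))
    print("suggested channels:", suggest_channels(SAMPLE_OVERLAPS, SAMPLE_APS))
```

   On the sample plan the check flags both overlapping pairs (channels 1 and 3, 3 and 6 are each less than five apart), reports ap-2fl-west as oversaturated, and proposes channel 1 for ap-2fl-west with 6 for its two neighbours, which do not overlap each other. An oversaturated cell is a capacity problem, not a channel problem; the remedy is another access point, which then has to be fed back into the channel check.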
   Unfortunately, current 802.11 products and standards prevent us from deploying wireless networks in the ways we would often have preferred.

2.1. Wireless VLANs and Subnets

   Wireless networks are separate physical networks from their wired counterparts and hence come with their own challenges and management techniques. Therefore, we have separated wireless networks onto their own logical VLANs. This means that there are no other types of network devices on a wireless subnet/VLAN other than wireless access points or wireless end nodes (users). With this configuration, wireless networks have well known and easily identifiable IP addresses, as they each fall into their own IP subnet.

   Furthermore, each wireless network can span up to a single building. This provides enhanced mobility between floors without having to lose IP addresses when moving around. While it is possible to build VLANs or subnets that span entire campuses or more, we felt this was not optimal for a number of reasons. First, this increases the layer 3 networking broadcast domain, potentially reducing overall performance. Second, it is anticipated that users requiring wireless LAN mobility between building areas would be the exception rather than the norm. Third, if mobility between building areas is required, we would prefer to push for the use of mobility services at the network layer using technologies such as Mobile IP.

2.2. Access Point Deployment

   Currently DePaul has standardized on a Cisco-based wireless networking infrastructure. While competing products had some advantages, our existing relationship with Cisco as a vendor and familiarity with their products, support and account team carried enough weight to offset any disadvantages, which we considered relatively minor anyway.

   The physical security of access points was seen as one of the first priorities in any deployment.
   We enlisted the help of DePaul's Facilities Operations group. Facility Ops built customized access point enclosures into the walls in wireless network areas. These enclosures include a locking door to which only we have the key. In addition, the boxes are designed so that we may locate the antenna outside of the box, in the middle of a room's ceiling for example. Furthermore, connectivity for power and wired LAN uplinks is individually routed between enclosures and our intermediate distribution frame (IDF).

   Initially we had third parties perform site surveys, but found the service to be less valuable than we anticipated. Now our own staff performs site surveys for new access point installations. We now have the expertise to properly identify locations for mounting access points, antennas and cable paths for network and power connectivity.

2.3. End User Client Software and Configuration

   An overriding concern in our wireless deployment was to minimize the need for DePaul Information Services staff to install or configure an end user's wireless node. Therefore, we tried to avoid forcing the use of specific vendor software, hardware or configurations on end systems. This meant the exclusion of many popular security solutions for wireless networks, such as proprietary VPN client software and network concentrator security solutions.

3. Wireless LAN Security Concerns

   We wanted to minimize new information security threats made possible by a wireless network deployment. Wireless networks by their very nature are inherently less secure than wired networks. However, many of the risks associated with wireless LANs also exist for unsecured wired connections found throughout the University.

   One way we've managed to limit risk has been to limit the deployment of wireless LANs. However, this is not a sustainable position. We will not be able to prevent rogue wireless LANs if users feel we are moving too slowly with deployment.
   Therefore, we have been targeting select groups that have identified a justifiable need for wireless networks. We expect that over the course of the coming year wireless LANs will begin to "take off".

3.1. Authentication

   A great deal of attention has focused on a particular aspect of security in wireless LANs: the weakness of the wired equivalent privacy (WEP) protocol. WEP's goal was to provide a basic level of encryption for data transmitted over the wireless network. While we strongly believe in the use of encryption, an even bigger concern for us is ensuring that only properly authenticated users make use of DePaul's wireless networks. A DePaul wireless network should only allow a valid DePaul constituent to associate with DePaul access points, gain access to the wired network, and transmit and receive network traffic through the institution's backbone network.

   Unfortunately, we have not been able to identify a solution that can perform this authentication function while at the same time meeting our other design goals mentioned earlier. At the moment we use a home-grown authentication system that incorporates WEP, DHCP, a DePaul login id/password authentication scheme and a browser based interface. While not impenetrable to a determined attacker, our current authentication system appears to be sufficient until something better comes along, or until it is determined that we cannot keep up with attackers regularly exploiting its potential weaknesses.

3.2. Encryption and Wired Equivalent Privacy (WEP)

   As previously mentioned, WEP was designed to provide at least some minimum level of protection from casual eavesdropping on the wireless medium by attackers. WEP is essentially an attempt to provide a basic level of encryption between end nodes and access points. Unfortunately, WEP fails miserably at delivering on this promise.
   WEP can be easily broken within a matter of minutes or hours, depending on the wireless network that is being attacked. While the details of WEP are not important for this document, it should suffice to say that there are freely available and easy to use software tools that allow anyone with a standard laptop and wireless card to break the wireless LAN WEP key(s).

   It should also be noted that some vendors implement proprietary extensions that attempt to mitigate the attacks against basic WEP key cracking. However, these techniques are often not supported by all vendors, making interoperability difficult, or are still insufficient fixes to the underlying weakness of WEP.

3.3. Audit Trails and Incident Response

   The ability to quickly ascertain unauthorized use of DePaul's wireless networks is an important strategy in mitigating attacks on our wireless infrastructure. While similar risks exist on the wired side of our network, wireless networks greatly increase the accessibility of the signal to outsiders. Since wireless signals bypass physical barriers such as building floors and walls, network intruders may not be in plain sight.

   We make extensive use of monitoring, logging and reporting on the authorized use of our wireless network. So even if an attacker is able to compromise access to the network, our ability to detect those events should be top notch. While we will most likely always have ways in which we can improve this process, we believe we have laid the necessary groundwork to build on our existing support infrastructure.

4. Networks and Telecom Support Structure

   The Networks and Telecom (N&T) group currently manages a multitude of network devices. The wireless network infrastructure should be very familiar to those who already manage other network components. Many of the network management tools used for the wireless network are the same as the ones used for the wired network.
   There are some areas, however, where network staff may need to be a little more proactive in understanding the unique challenges in supporting wireless users. While N&T doesn't historically support users directly, at least initially N&T will need to become aware of the common issues in using the network without wires. Performance issues, connectivity issues and security issues are all at least slightly different from what the typical staff member may be used to. It is anticipated that after some time, however, support of a wireless network infrastructure will be as well understood as a wired network.

4.1. Availability Monitoring

   Access points as deployed in the DePaul University environment act as layer 2 bridges, passing traffic between wireless end users and the DePaul backbone devices. Access points are therefore monitored for availability just as other connectivity devices, such as LAN switches and routers, are monitored.

4.2. Authentication Monitoring

   Associations between end nodes and wireless access points are monitored. Keeping track of wireless access point associations, including MAC and IP address mappings, provides the necessary audit trail to help respond to incidents. This data also helps staff troubleshoot problems with specific end users.

4.3. Resource Usage

   Access points and wireless networks are monitored for performance data such as utilization. Monitoring performance data confirms that the wireless network is operating within acceptable bounds and indicates whether expansion or upgrades are required.

4.4. Remote Access Point Management

   Access points unfortunately do not usually have sophisticated remote management capabilities. Management can be done on-site with the use of a terminal and the console port on the physical device, but this is generally too inconvenient for support staff. Access points usually offer SNMP, TELNET and web based management.
   None of these remote management schemes is ideal. We consider SNMP the least desirable of them all, and thus it is completely disabled. Web based management is generally undesirable as well, because of the numerous problems web server software often exposes. However, in the case of the current Cisco access point products, the TELNET interface is extremely cumbersome and difficult to use. Therefore, HTTP remote access from a selected set of management workstations is currently allowed, until a better remote management scheme comes along. We expect that device management will change as Cisco improves the command line and access control interface over time.

4.5. Wireless Support Tools

   While we have not yet experienced extensive support requests for the DePaul wireless network, we do have a few tools we are preparing to make increased use of. It is not clear that we will need more than those listed below.

4.5.1. Ethereal

   A common tool in our bag for a variety of specific network issues is a general purpose packet capture package on a laptop. Many of us in the N&T group use Ethereal to capture and analyze packets. Released under the GNU Public License (GPL), Ethereal is an excellent choice not only for its licensing, but also for its capability. Ethereal provides excellent support for 802.11b decoding and analysis. The only requirement is that the machine running Ethereal have the proper kind of wireless card that can promiscuously capture 802.11b traffic.

4.5.2. Personal Digital Assistants (PDAs)

   As a way to quickly test connectivity and verify the proper operation of our authentication system, a PDA makes an excellent diagnostic tool for support staff in the field. As PDAs become more powerful, they may eventually become an adequate all-in-one wireless troubleshooting tool.

4.5.3. SYSLOG monitoring

   Access points have the ability to send their log messages to a secure, remote logging server.
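   The audit trail that section 4.2 calls for (which station was associated with which access point, and which IP address it held) can be assembled from exactly these remote log messages, joined with the DHCP server's lease messages that the authentication system of section 3.1 already depends on. The following is an added example written for this memo, not N&T's monitoring code; the syslog wording, hostnames, MAC addresses and the 192.0.2.0/24 addresses are constructed for the sample, so the two regular expressions would have to be adjusted to the real access point and DHCP server formats before use.

```python
"""Added example: build the association audit trail of sections 4.2 and
4.5.3 from access point and DHCP server syslog messages. Log formats,
hostnames, MACs and IPs below are constructed, not real DePaul data."""

import re
from datetime import datetime

# Constructed syslog sample: associations, DHCP leases, one station
# roaming between two APs, and an IP address later reused by another MAC.
SAMPLE_LOG = """\
Oct 14 09:12:03 ap-2fl-east wlan: station 00:40:96:aa:bb:01 associated
Oct 14 09:12:05 dhcp-1 dhcpd: DHCPACK on 192.0.2.23 to 00:40:96:aa:bb:01
Oct 14 09:15:40 ap-2fl-east wlan: station 00:40:96:aa:bb:02 associated
Oct 14 09:15:42 dhcp-1 dhcpd: DHCPACK on 192.0.2.24 to 00:40:96:aa:bb:02
Oct 14 09:30:11 ap-2fl-east wlan: station 00:40:96:aa:bb:01 disassociated
Oct 14 09:30:15 ap-2fl-west wlan: station 00:40:96:aa:bb:01 associated
Oct 14 10:02:00 ap-2fl-west wlan: station 00:40:96:aa:bb:03 associated
Oct 14 10:02:03 dhcp-1 dhcpd: DHCPACK on 192.0.2.23 to 00:40:96:aa:bb:03
"""

YEAR = 2002  # syslog timestamps carry no year; assumed for the sample

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
ASSOC_RE = re.compile(
    rf"^{TS} (?P<ap>\S+) wlan: station (?P<mac>{MAC}) "
    r"(?P<event>associated|disassociated)$")
DHCP_RE = re.compile(
    rf"^{TS} \S+ dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>{MAC})$")


def parse_ts(text):
    """Turn a year-less syslog timestamp into a datetime."""
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_log(text):
    """Return (associations, leases): chronological lists of
    (time, ap, mac, event) and (time, ip, mac). Unmatched lines are ignored."""
    assocs, leases = [], []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)
        if m:
            assocs.append((parse_ts(m["ts"]), m["ap"], m["mac"], m["event"]))
            continue
        m = DHCP_RE.match(line)
        if m:
            leases.append((parse_ts(m["ts"]), m["ip"], m["mac"]))
    return assocs, leases


def mac_for_ip(leases, ip, when):
    """MAC holding `ip` at `when`: the latest DHCPACK for that address at
    or before `when`, or None. Reused addresses resolve to the later MAC."""
    holder = None
    for t, lease_ip, mac in leases:
        if lease_ip == ip and t <= when:
            holder = mac
    return holder


def ap_for_mac(assocs, mac, when):
    """AP that `mac` was associated with at `when`, or None if none."""
    current = None
    for t, ap, m, event in assocs:
        if m == mac and t <= when:
            current = ap if event == "associated" else None
    return current


def locate_ip(assocs, leases, ip, when):
    """Incident-response lookup: an IP address and a time -> (mac, ap)."""
    mac = mac_for_ip(leases, ip, when)
    if mac is None:
        return None
    return mac, ap_for_mac(assocs, mac, when)


def usage_report(assocs):
    """Distinct stations seen per access point, a simple usage report."""
    seen = {}
    for _, ap, mac, event in assocs:
        if event == "associated":
            seen.setdefault(ap, set()).add(mac)
    return {ap: len(macs) for ap, macs in sorted(seen.items())}


if __name__ == "__main__":
    assocs, leases = parse_log(SAMPLE_LOG)
    print(locate_ip(assocs, leases, "192.0.2.23", parse_ts("Oct 14 09:45:00")))
    print(usage_report(assocs))
```

   The lookup answers the question an abuse report usually poses ("who had 192.0.2.23 at 09:45?") with the MAC address and the access point it was on at that moment, which is what narrows the physical search when the intruder is not in plain sight. Because the DHCP address was reused at 10:02, the same query for a later time returns a different station; keeping both the association and lease histories, rather than only the current tables, is what makes that distinction possible.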
   The logs collected from access points can be a wealth of information and form the basis of a number of monitoring applications. These log messages can be used to generate reports of usage, track problems and help respond to security incidents.

4.5.4. Rogue Access Point Tracking

   It is our policy that others outside of N&T should not be deploying wireless networks on the University's infrastructure. Any user who has access to the DePaul network infrastructure, however, could connect a wireless network. While it is our current policy not to actively monitor for rogue wireless networks, it is within our capability to locate them if necessary. It is also within our policy to disconnect rogue wireless networks if discovered. We would prefer, however, to assist the end user(s) who may have been responsible for installing rogue wireless networks by furthering our wireless deployment into their area.

5. Future Issues

   It is expected that the use and deployment of wireless networks at DePaul is going to increase, possibly faster than anticipated by our group. It is imperative that we are comfortable with the major responsibilities of wireless network deployment, management and security.

5.1. Security

   Security continues to be a major concern, primarily due to the lack of acceptable authentication mechanisms as outlined earlier. We will be constantly keeping an eye on potentially new or useful ways to do authentication. Ideally, we would like the ability to use a system that can be implemented on the wired network as well.

5.1.1. Virtual Private Networks (VPNs)

   Many organizations provide strong authentication and encryption for wireless users by implementing VPN concentrators between the wireless network and access to the wired network. This is a very effective solution to the basic authentication and encryption problem. However, it trades off increased end node support, flexibility, and simplicity in the process.
   At this time, we have avoided using VPN technology, because the trade-offs are at least as costly as the risk of not having a VPN. So far this appears to be justified, but in the future it may prove not to be. If the DePaul wireless network is frequently used by intruders who bypass our existing authentication system, we may want to revisit the use of a VPN.

   The benefit of using a VPN concentrator between the wireless and wired networks for encryption is secondary to the need for authentication, because we believe there is adequate support in end system protocols and applications for encryption (e.g. IPSEC, SSH and SSL).

5.1.2. 802.1x

   The IEEE 802 working group has defined a standard that enables port based security on wired networks. 802.1x is based on an IETF standard and attempts to provide simple, flexible authentication between a user end node and the network. A task group within IEEE 802.11 is actively working on ways to apply 802.1x to 802.11 wireless networks. While it appears that 802.1x will come with its own set of security issues, it seems unlikely that they will be as severe as the weakness of WEP.

   We anticipate that the IEEE will provide an enhanced standard for authentication that will be deployable. If it is based on 802.1x as we anticipate, the standard will most likely call for a RADIUS back end authentication service. This RADIUS service is something we will need to be prepared to deploy if 802.1x is successful.

5.2. 802.11a/802.11g

   802.11a and 802.11g are next generation wireless standards whose primary benefit is increased network speed, to a theoretical 54 Mb/s. 802.11a has been standardized and products have recently become available. 802.11a operates in the less crowded 5 GHz ISM band. It also has eight non-overlapping channels for use in a deployment.
   The disadvantage appears to be that its coverage area may be significantly less than what exists in 802.11b today.

   802.11g is a standard very similar to 802.11b, with an increased theoretical rate of 54 Mb/s. 802.11g uses the same 2.4 GHz ISM band as does 802.11b. 802.11g also has some of the same limitations, including the use of only three channels that do not overlap.

   At this point it's unclear whether upgrades to 802.11a will be necessary. It doesn't appear to be the case, and 802.11g may be the more appropriate upgrade path, but only time and users will tell.

Acknowledgements

   This memo was written based on technology and N&T wireless design decisions as known up to this point of writing. Some of the original design discussions date back to probably at least 2000 or early 2001 within the N&T group. Shortly after some of those initial discussions, the original ResNet group was being transitioned into N&T. Their involvement heavily influenced the authentication architecture.

References

   802.1x    IEEE 802.1X-2001, IEEE Standards for Local and Metropolitan Area Networks: Port-Based Access Control

   802.1aa   IEEE 802.1aa - 802.1X Maintenance

   802.11a   IEEE 802.11a-1999, Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications, High-speed Physical Layer in the 5 GHz Band

   802.11b   IEEE 802.11b-1999, Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Higher-Speed Physical Layer Extension in the 2.4 GHz Band

   802.11g   IEEE 802.11g Working Group, Higher Rate for IEEE Std 802.11b-1999

   802.3     IEEE 802.3-2002, Carrier Sense Multiple Access with Collision Detection (CSMA/CD) access method and physical layer specifications

   DPU       Wireless homepage, Networks and Telecom Group, Information Services Division, DePaul University, http://wireless.depaul.edu

   Gast      Gast, Matthew S., 802.11 Wireless Networks: The Definitive Guide, O'Reilly, 2002

Security Considerations

   Wireless networks make possible an attack vector that is by its nature inherently difficult to constrain. Many underlying vulnerabilities in internetworked environments will become more accessible as signals bypass physical barriers protecting wired infrastructures. Wireless networks therefore add not only some new vulnerabilities themselves, but also help expose vulnerabilities of other interconnected networks. Many peculiar attack scenarios are possible, but are outside the scope of this memo.

Editor's Address

   John Kristoff
   Research & Design, Networks and Telecom
   DePaul University
   1 East Jackson Boulevard
   Chicago, IL 60604
   USA

   Phone: +01 312 362-5878
   EMail: jtk@depaul.edu