Home > Articles > Cisco Network Technology > General Networking > Cisco Network Security Fundamentals: Wireless Security

Cisco Network Security Fundamentals: Wireless Security

Chapter Description

This chapter covers wireless security—what it is, how it works, how it is configured, what threatens it, and what policies can be designed to secure it.

How Wireless Works

The security in the WLAN standard, which applies to 802.11b, 802.11a, and 802.11g, has come under intense scrutiny and inspection. Both researchers and hackers have exposed several vulnerabilities in the authentication, data-privacy, and message-integrity mechanisms defined in the specification. To help you understand these vulnerabilities, the sections that follow go into more detail on how wireless networks work.

WLAN Architecture

WLAN architecture has three components:

  • Wireless end stations

  • Access points

  • Basic service sets

The wireless end station can be any device that can communicate using the 802.11 standard (laptops, workstations, and PDAs, as well as printers and scanners).

The access point (AP) is a device that can provide two functions: It acts as a network platform for connections between WLANs or to a wired LAN and as a relay between stations attached to the same AP.

Whereas the wireless station and the access point are both physical components, the basic service set (BSS) is the logical component of wireless architecture. The BSS in general is a set of wireless stations controlled by a single management function and has two configuration options. In an IBSS, the stations communicate directly to one another without the need for an access point. Please refer to Figure 14-1 to see a configuration in which there is no interconnection to the wired network. In an infrastructure BSS, there is a connection to the wired network. An extended service set (ESS) is a set of infrastructure BSSs that appear as a single BSS. This is important for connection redundancy but has some security issues that need to be addressed.

Setting Up the WLAN Connection

Knowing that a WLAN uses RF technology to transmit and receive data over the air, you can easily understand that the first step in the setup process is the scanning function. As with tuning into a radio station, the scanning function needs a wireless station to find other stations or access points. Therefore, the 802.11 standard defines two different scanning functions, namely active scanning and passive scanning. During the scanning process, the station listens for beacon frames (similar to keepalives) to locate and identify the BSS within the range. The information in the beacon frame contains service set identifiers (SSIDs), supported rates, and timestamps.

Figure 14-5 illustrates the connection setup step by step. Each and every step in the station authentication process is discussed. The 802.11 specification stipulates two mechanisms for authenticating WLAN clients: open authentication and shared key authentication. Two other mechanisms—the SSID and authentication by client MAC address—are also commonly used. The weaknesses of all these mechanisms are addressed in the wireless risk section later in the chapter. Wired equivalent privacy (WEP) keys can function as a type of access control because a client that lacks the correct WEP key cannot send data to or receive data from an access point. WEP, the encryption scheme adopted by the IEEE 802.11 committee, provides encryption with 40 bits or 128 bits of key strength.

Figure 5Figure 14-5 Wireless Station Authentication

As you can see in Figure 14-5, the 802.11 client authentication process consists of six steps:

Step 1

The station broadcasts a probe request frame on every channel, allowing the station to quickly locate either a specific station (via SSID) or any WLAN within range.

Step 2

Access points within range respond with a probe response frame. The response is from the access point in an infrastructure BSS. (For IBSSs, the last station to send a beacon responds.)

Step 3

The client decides which access point (AP) is the best for access and sends an authentication request.

Step 4

The access point sends an authentication reply. This response includes an authentication algorithm ID for open systems. (For shared key systems, WEP is used to generate a random number, and an authentication challenge text is used in the response frame. This results in another request/response encrypted frame pair that is not shown in the figure for simplicity's sake but is discussed later in the chapter.)

Step 5

Upon successful authentication, the client sends an association request frame to the access point. This is an important step to ensure that anyone who wants to send data to the wireless station knows to send data through the access point.

Step 6

The access point replies with an association response.


Figure 14-6 illustrates the station's successful authentication and association with the access point. The client is now able to pass traffic to the access point.

Figure 6Figure 14-6 Successful Wireless Station Authentication

4. Risks of Open Wireless Ports | Next Section Previous Section