Cisco Wireless LAN Security
By Krishna Sankar, Sri Sundaralingam, Andrew Balinsky, Darrin Miller
Publisher: Cisco Press
Pub Date: November 15, 2004
ISBN: 1-58705-154-0
Pages: 456

Expert guidance for securing your 802.11 networks

Learn best practices for securely managing, operating, and scaling WLANs
Comprehend the security-related technological underpinnings of WLANs
Explore new security protocols in 802.11i and WPA and learn how they prevent attacks
Review centralized deployment models for wired/wireless integration
Deepen your knowledge of defense by understanding the tools that attackers use to perform reconnaissance and to attack authentication and encryption mechanisms
Understand how to design secure WLANs to support enterprise applications with the new standards and practices detailed in this book
Reference the next generation authentication standards and protocols
Find out about mobility, hotspots, and campus wireless networks
Grasp Open Authentication, MAC-based authentication, shared key authentication, EAP authentication protocols, WEP, WPA, and 802.11i

Cisco Wireless LAN Security is an in-depth guide to wireless LAN technology and security, introducing the key aspects of 802.11 security by illustrating major wireless LAN (WLAN) standards that can protect the entire network. Because a WLAN is less effective as an isolated piece of the network, this book emphasizes how to effectively integrate WLAN devices into the wired network while maintaining maximum security.

Cisco Wireless LAN Security covers the spectrum of WLAN security, including protocols and specifications, vulnerabilities and threats, and, especially, deployment patterns and design guidelines. With a unique combination of theory and practice, this book addresses fundamental wireless concepts, such as WEP, and innovations, such as EAP, switching, and management. Each chapter includes detailed illustrations, checklists, design templates, and other resources. You will also find generic wireless deployment patterns based on real-world customer installations and functional examples of architecture, design, and best practices.

Whether you currently design, configure, implement, and maintain WLANs or simply want to explore wireless security issues, Cisco Wireless LAN Security has everything you need to understand how to create a seamlessly secure, impenetrable 802.11 network.

This book is part of the Networking Technology Series from Cisco Press, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.
Table of Contents

Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Icons Used in This Book
Introduction
    Who Should Read this Book?
    How this Book is Organized
Chapter 1. Securing WLANs Overview
    WLAN: A Perspective
    Wireless LAN Components and Terminology
    WLAN Standards
    WLAN Security
    WLAN Security Domain Conceptual Model
    Navigating this Book and Chapter Contexts
    Summary
Chapter 2. Basic Security Mechanics and Mechanisms
    Security Mechanics
    Authentication and Identity Protocols
    Summary
Chapter 3. WLAN Standards
    Standards Organizations, Position, Context, and Influence
    Hardware/Radio/Waves and Modulation
    FCC Regulations
    Brief Discussion on Relevant Standards
    Summary
Chapter 4. WLAN Fundamentals
    WLAN: Elements and Characteristics
    WLAN Basic Topology
    WLAN Building Blocks
    WLAN State Diagram
    Basic Choreography
    Summary
Chapter 5. WLAN Basic Authentication and Privacy Methods
    Authentication Mechanics
    Open Authentication
    MAC-Based Authentication
    Shared-Key Authentication
    WEP Privacy Mechanics
    Summary
Chapter 6. Wireless Vulnerabilities
    Attacker Objectives
    Reconnaissance Attacks
    DoS Attacks
    Authentication Attacks
    WEP Keystream and Plaintext Recovery
    WEP Key Recovery Attacks
    Attacks on EAP Protocols
    Rogue APs
    Ad-Hoc Mode Security
    Summary
Chapter 7. EAP Authentication Protocols for WLANs
    Access Control and Authentication Mechanisms
    EAP
    PEAP
    802.1x: Introduction and General Principles
    Cisco LEAP (EAP-Cisco Wireless)
    EAP-FAST
    Summary
Chapter 8. WLAN Encryption and Data Integrity Protocols
    IEEE 802.11i
    Encryption Protocols
    Key Management
    WPA and Cisco Protocols
    Security Problems Addressed
    Summary
Chapter 9. SWAN: End-to-End Security Deployment
    Overview of SWAN Security Features
    WLAN Deployment Modes and Security Features
    SWAN Infrastructure Authentication
    Radio Management and Wireless Intrusion Detection
    SWAN Fast Secure Roaming (CCKM)
    Local 802.1x RADIUS Authentication Service
    Summary
Chapter 10. Design Guidelines for Secure WLAN
    WLAN Design Fundamentals
    General Security Recommendations
    New WLAN Deployments
    Integration with Existing WLAN Deployments
    SWAN Central Switch Design Considerations
    Admission Control Design
    Summary
Chapter 11. Operational and Design Considerations for Secure WLANs
    Rogue AP Detection and Prevention
    WLAN Services Scaling
    Enterprise Guest Access
    Summary
Chapter 12. WLAN Security Configuration Guidelines and Examples
    Cisco Enterprise Class Wireless LAN Products
    WLAN Security Methods: Configuration Guidelines and Examples
    SWAN Nonswitching Deployment: Configuration Guidelines and Examples
    Securing Bridge-to-Bridge Links
    Secure WLAN Management Configuration Guidelines
    SWAN Central Switching Deployment: Configuration Guidelines and Examples
    Summary
Chapter 13. WLAN Deployment Examples
    Large Enterprise Deployment Examples
    Vertical Deployment Examples
    Small and Medium Businesses and SOHO WLAN Deployments
    Hotspot (Public WLAN) Deployment Examples
    Summary
Appendix A. Resources and References
    General Tools
    Defensive Tools
    Cryptography and Cryptanalysis
    Wireless Standards and Associations
Index
Copyright

Cisco Wireless LAN Security
Krishna Sankar, Sri Sundaralingam, Andrew Balinsky, Darrin Miller

Copyright © 2005 Cisco Systems, Inc.

Cisco Press logo is a trademark of Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

First Printing November 2004

Library of Congress Cataloging-in-Publication Number: 2003100133

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Airopeek is a trademark of WildPackets, Inc. Sniffer is a trademark of Network Associates Technology, Inc. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer

This book is designed to provide information about wireless LANs. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.

For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419

For sales outside the U.S., please contact: International Sales

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at
Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.
Publisher: John Wait
Editor-in-Chief: John Kane
Executive Editor: Brett Bartow
Acquisition Editor: Michelle Grandin
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Nannette M. Noble
Production Manager: Patrick Kanouse
Development Editor: Ginny Bess Munroe
Senior Copy Editor: Amy Lepore
Technical Editors: Brian Cox, David Pollino, Dr. Peter Welcher, and Nancy Cam-Winget
Editorial Assistant: Tammi Barnett
Cover Designer: Louisa Adair
Project Management: Argosy Publishing
Composition: Prospect Hill Publishing Services
Indexer: Eric T. Schroeder
Proofreader: Karen A. Gill
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)

Printed in the USA

Dedications

Krishna Sankar: To my mother and Usha's mom and dad
Sri Sundaralingam: For Amma and Appa
Andrew Balinsky: For Julia and Rufus
Darrin Miller: For Jill, Megan, Beth, and Katie
About the Authors

Krishna Sankar is currently with Cisco Systems as a distinguished engineer in the Global Government Solutions Group. He has about 20 years of experience ranging from software architecture and development to industrial engineering to author, speaker, teacher, entrepreneur, and technology evangelist. He has worked with many organizations including the U.S. Air Force, the U.S. Navy, Hewlett-Packard, Qantas Airlines, Air Canada, and Ford.

He is part of (either by observing or as a member) many web services, security, and networking standards bodies. He also has worked with security bodies in the European Union: Electronic Signature Infrastructure and Comité Européen de Normalisation (CEN).

His technology interests include network-centric operations and transformation; dynamic self-configuring and adaptive networks; multihop, sensor, and identity networks; peer-to-peer and grid networks; distributed security; and Linux kernel security. Krishna lives in Silicon Valley with his wife, Usha, and son, Kaushik.

Sri Sundaralingam is currently a technical marketing manager in the Wireless Networking Business Unit at Cisco Systems, Inc. Sri has extensive customer contact and is responsible for developing and marketing enterprise and carrier networking solutions using the Cisco Aironet series of wireless LAN products. Sri has focused in the areas of wireless LAN security and wireless/wired LAN integration in the past three years at Cisco. Prior to joining the Wireless Networking Business Unit, Sri was a network consulting engineer in the Cisco Customer Advocacy organization. In this role, he worked with service providers and Fortune 500 companies to design and deploy IP-, DSL-, and ATM-based networks. Sri has been in the data communications and networking industry for the past 10 years. Before joining Cisco, Sri was a consulting engineer at Newbridge Networks and focused on designing and deploying Core Carrier networks. Sri attended University of Waterloo in Ontario, Canada where he majored in computer engineering.

Andrew Balinsky is a birdwatcher who supports his habit with professional computer security work. His love of computers dates back to a Commodore PET and has continued through a bachelor's degree in computer science at Harvard and master's degree in computer science at the University of Maryland at College Park. His introduction to computer security was through the Air Force Information Warfare Center, where he did everything from tracking hackers to developing security software. He continued this work at WheelGroup and at Cisco. His work at Cisco includes testing for security vulnerabilities and educating others how to do so.

Darrin Miller has been in the networking industry for more than 15 years. He has been an IT security manager, a security consultant, and a consulting systems engineer. Darrin currently works as a security researcher at Cisco Systems, Inc. and has authored several white papers on the subject of network security. Darrin holds a bachelor's degree in computer science from the University of Cincinnati. When not working in the area of network security, he enjoys spending time with his wife and three daughters.
About the Technical Reviewers

Nancy Cam-Winget has more than 20 years of experience in architecture and systems design. She is currently a security architect for the Wireless Networking Business Unit at Cisco Systems. She is an active participant in both the IEEE 802.11 security standards and Wi-Fi security task groups. Prior to joining Cisco, Nancy was lead engineer in wireless security at Atheros. She has also designed and developed 3D graphics and image-processing systems at Intrinsic and Silicon Graphics.

Brian Cox is a network consulting engineer with Cisco Advanced Services Wireless at Cisco Systems. He holds his CCIE in routing and switching and received his master's degree in engineering at RMIT. Brian has 25 years of industry experience.

David Pollino has a strong background in security and networking and leads research focusing on wireless and security technologies. During his career, he has worked for an industry-leading security consulting company, a large financial services company, and a tier 1 Internet service provider. David often speaks at security events and has been frequently quoted in the press on security issues in online and printed journals. During his career as a consultant and network engineer, David has worked for clients across multiple industries, including financial services, service providers, high technology, manufacturing, and government. David has authored such books as RSA Press's Wireless Security and Osbourne's The Hacker's Challenge Books 1 and 2.

Dr. Peter J. Welcher, CCIE No. 1773, has a Ph.D. in math from MIT. He started out teaching math at the U.S. Naval Academy while simultaneously buying and maintaining UNIX systems, writing a book, and writing a major computer program in C. He saw the light in 1993 and then taught a wide variety of the Cisco courses for Mentor Technologies, formerly Chesapeake Computer Consultants, while also doing network consulting whenever possible. Pete is now doing high-level network consulting with Chesapeake Netcraftsmen, with tasks including network design, security, QoS, and IP telephony for several major enterprise customers. He has reviewed a large number of books for Cisco Press and other publishers and has authored or managed development of several courses for Cisco and others. Pete writes articles for Enterprise Networking magazine. He can also sometimes be found presenting his own seminars at East Coast Cisco offices, on topics ranging from campus design to WLAN security. The articles and seminars can be found at
Pete also holds the CCIP certification and is a certified Cisco Systems instructor.
Acknowledgments

Krishna Sankar: Of course, this book would not be in your hands without perseverance and hard work from a lot of folks. In particular, the coauthors Sri, Darrin, and Andy, from whom I learned a lot and it has been a pleasure to work with. We owe thanks to Michelle, who has been our mentor; she really kept the chapters from mushrooming (by promising us another book with infinite time and resources). The direction and gentle guidance from the reviewers, Nancy Cam-Winget, Brian Cox, David Pollino, and Peter Welcher, made this work complete and correct; the hard work by editors Ginny Bess Munroe and San Dee Phillips has made this book readable and cohesive. Tammi Barnett has been the glue that holds this well-oiled team together. I want to thank Merike Kaeo for materials in Chapter 2.

On a personal note, I am standing on the shoulders of giants. I want to thank Sue Stemel and Greg Akers for their guidance and encouragement. They have tremendous positive influence, and I hope all of you get to know, watch, learn from, and be led by gurus like Greg and Sue. In the same vein, Lt. Col. Terry Morgan USMC (Ret.), Col. Pat Ryan USAF (Ret.), Cdr. Charlie Booth USN (Ret.), Paige Atkins, Jim Massa, Rick Sanford, Brett Biddington, Bob Maskell, and Tom Frommack have been my support system. I could bounce my crazy ideas off them and always receive well-thought-out, rational encouragement and gentle prodding toward various forms of appropriateness.

Finally, the best for last, I thank my family, who give me pride and joy (and grief occasionally, when I start veering from track): Usha (my North Star, friend, philosopher, and guide), little Kaushik, and our extended family, Usha's and my parents and our respective siblings.

Sri Sundaralingam: I want to thank my family, including Amma, Appa, my sisters Nalayini and Pathanchali and their families, my friends, and my coworkers who have inspired me to achieve above and beyond. This book is a result of hard work by many, including my coauthors Krishna, Andy, and Darrin. I would like to thank Krishna for inspiring us to author this book. I also want to thank Michelle Grandin at Cisco Press for her patience and dedication for making this happen. Last but not least, I want to thank our editors, Brian, Dave, Nancy, and Peter, who gave us timely and detailed feedback on our chapters.

Andrew Balinsky: First and foremost, I give thanks to my wife, Julia, and our canine companion, Rufus, who spent many evenings urging me to finish. Thanks also to Mum, who encouraged me to accept the challenge, and Dad, who would have been proud to see another generation of Balinskys in print. I'm grateful to my coworkers on the STAT team at Cisco who endured far-too-detailed descriptions of some of these protocols. Thanks go to Krishna for asking me to participate and my fellow authors for their feedback. At Cisco Press, I thank Michelle Grandin for keeping us on task and reminding us of the realities of authorship. I thank the trees that gave their lives for this book to be printed. Finally, I'm indebted to the nesting screech owls in our backyard that kept a watchful eye on the writing process from their perches. Their dedication to their family and their work kept me on track.

Darrin Miller: I want to thank my wife, Jill, and our daughters, Megan, Beth, and Katie, for their love, patience, and support. They remind me that there are more interesting things in life than network security. Thanks also to Mom, Dad, and my brothers for their support and the important life lessons that they teach me. I'm grateful to all of my coworkers at Cisco who challenged me with new and exciting problems to solve on a daily basis. Thanks go to my coauthors for asking me to participate. Finally, I would like to thank Michelle Grandin at Cisco Press for keeping us focused on the end goal.
Icons Used in This Book

Throughout this book, you will see the following icons used for networking devices:

Introduction

The WLAN industry has all the thrills and chills of a well-written (and -directed) drama. WLAN is a disruptive technology that questions conventional wisdom in many ways. The domain is shaped by regulations and standards, vendors who sometimes try to compensate for inadequacies and idiosyncrasies of standards and regulations, an overheated technology adoption with an impatient user base for ever-increasing features, and most importantly, a security space that has some vulnerabilities, to say the very least.

This book covers the spectrum of WLAN security: the standards, the protocols, the specifications, and above all, deployment patterns and design guidelines. What makes this book unique is the combination of theory and practice, and we, as authors, hope we have the right balance. In the same vein, the authors (and editors) also hope that we have hit the sweet spot on breadth and depth in terms of details. In one corner, there are the 30,000-foot views, and on the other side, we have the intimate, minute details of algorithms, security considerations, and protocols. This book covers the protocols and formats enough to satisfy inquiring minds and includes pointers for the most detailed minds to ponder. This book also has a wealth of knowledge gleaned from the authors' experience in terms of guidelines, deployments, and configuration.

The field of WLANs is continually changing; therefore, covering all aspects, especially the emerging ones, is challenging. This book achieves the new-old balance by covering not only the older methods (such as classical WEP) but also newer concepts and architectures (such as EAP and switching).
Who Should Read this Book?

This book is planned and written for network engineers who design, configure, implement, and maintain secure WLANs. Because the topic is security, the audience also includes security practitioners in the enterprise and anybody who wants to gain a good understanding of wireless LAN security. With that in mind, this book has three aims: to articulate the various aspects of wireless LAN security, to illustrate how security is implemented in Cisco products, and finally to apply those aspects in the architecture, design, and configuration of wireless networks (of different types such as campus, hotspots, office, and so on). On the way, this book also covers the big hairy topics like 802.x standards and vulnerabilities.
How this Book is Organized

This book includes seven chapters covering all the standards and theoretical aspects of WLAN concepts and six chapters that cover the practical aspects of applying the fundamental concepts. The chapters are of varying length depending on the topic. We believe in the "brevity is the soul of wit" paradigm and have tried to be as brief as required to describe the various mechanics and mechanisms.

Note

For those who wonder what exactly is the difference between mechanics and mechanisms:

Mechanics is the technology, the working, the processes, and the details of how something works or the way something is done. For example, WEP is the mechanics for providing confidentiality in the WLAN world.

Mechanism is the machinery that implements the mechanics. For example, different vendors could have different mechanisms to implement WEP.

Chapter 1, "Securing WLANs Overview," is an introduction to the WLAN domain, and it covers the basic concepts and lexicon of WLAN.

Chapter 2, "Basic Security Mechanics and Mechanisms," deals with the basics of cryptography so that the uninitiated will not feel overwhelmed. This chapter covers the security concepts relevant to the WLAN domain.

Chapter 3, "WLAN Standards," describes the various standards one will encounter when dealing with the WLAN domain. This chapter covers in brief the IEEE 802 family of standards, hardware standards from ETSI, and authentication standards from IETF.

Chapter 4, "WLAN Fundamentals," gives a detailed introduction to all the aspects of WLAN security. This chapter covers the essential basics of the WLAN technology: services, messages, choreographies, and interaction primitives. It also talks a bit about the WLAN security model.

Chapter 5, "WLAN Basic Authentication and Privacy Methods," describes the various authentication methods, with the major one being the WEP. It covers open authentication, MAC-based authentication, shared-key authentication, and WEP. The methods are analyzed in terms of the AAA infrastructure requirements, auditing and accounting requirements, and the vulnerabilities and countermeasures.

Chapter 6, "Wireless Vulnerabilities," builds on the earlier chapters and describes the vulnerabilities of WLAN in detail. This chapter introduces wireless attacks via attack trees; describes reconnaissance, denial-of-service (DoS), authentication, encryption, and EAP protocol attacks; describes the tools that attackers use; discusses problems with rogue access points; and briefly discusses ad-hoc mode security.

Chapter 7, "EAP Authentication Protocols for WLANs," deals with the Extensible Authentication Protocol (EAP) methods: the various standards and specifications, how they interact with each other, and the protocols. This chapter covers the access control and authentication mechanics such as EAP, PEAP, 802.1x, LEAP, and EAP-FAST.

Chapter 8, "WLAN Encryption and Data Integrity Protocols," covers the security enhancements in the 802.11i and WPA standards; discusses wireless encryption and data integrity protocols, including WEP, TKIP, and CCMP; discusses security associations; describes key management processes; and analyzes which of the security vulnerabilities (introduced in Chapter 6) 802.11i addresses and which it does not.

Chapter 9, "SWAN: End-to-End Security Deployment," covers the Structured Wireless Aware Network solution. It details the fine points of the SWAN elements: WLSE, 802.1x authentication server, IOS-enabled access points, and wired elements such as routers and switches.

Chapters 10 through 13 aggregate the concepts from the previous chapters to depict WLAN architectures: best practices, design guidelines, configurations, and deployment examples.

Chapter 10, "Design Guidelines for Secure WLAN," provides WLAN design guidelines and fundamentals for various technologies including VPN overlay technologies, IPSec, authentication support, and threat mitigation.

Chapter 11, "Operational and Design Considerations for Secure WLANs," covers the security component best practices. This chapter addresses rogue AP detection and prevention, WLAN monitoring and intrusion detection, WLAN services scaling, and enterprise guest access.

Chapter 12, "WLAN Security Configuration Guidelines and Examples," covers the detailed configuration examples and guidelines for various security implementations such as guest access (open/no WEP), static WEP, MAC-address authentication, EAP/802.1x with dynamic WEP, EAP/802.1x with WPA, WPA-PSK, multiple SSIDs/VLANs, and IPSec VPN. It provides secure management configuration examples to secure management traffic to the WLAN infrastructure devices and discusses secure wired policies (for example, layer-3/layer-4 ACLs) to match wireless policies.