
Cisco Wireless LAN Security
By Krishna Sankar, Sri Sundaralingam, Andrew Balinsky, Darrin Miller

Publisher: Cisco Press
Pub Date: November 15, 2004
ISBN: 1-58705-154-0
Pages: 456


Expert guidance for securing your 802.11 networks

• Learn best practices for securely managing, operating, and scaling WLANs
• Comprehend the security-related technological underpinnings of WLANs
• Explore new security protocols in 802.11i and WPA and learn how they prevent attacks
• Review centralized deployment models for wired/wireless integration
• Deepen your knowledge of defense by understanding the tools that attackers use to perform reconnaissance and to attack authentication and encryption mechanisms
• Understand how to design secure WLANs to support enterprise applications with the new standards and practices detailed in this book




• Reference the next generation authentication standards and protocols
• Find out about mobility, hotspots, and campus wireless networks
• Grasp Open Authentication, MAC-based authentication, shared key authentication, EAP authentication protocols, WEP, WPA, and 802.11i

Cisco Wireless LAN Security is an in-depth guide to wireless LAN technology and security, introducing the key aspects of 802.11 security by illustrating major wireless LAN (WLAN) standards that can protect the entire network. Because a WLAN is less effective as an isolated piece of the network, this book emphasizes how to effectively integrate WLAN devices into the wired network while maintaining maximum security.

Cisco Wireless LAN Security covers the spectrum of WLAN security, including protocols and specifications, vulnerabilities and threats, and, especially, deployment patterns and design guidelines. With a unique combination of theory and practice, this book addresses fundamental wireless concepts, such as WEP, and innovations, such as EAP, switching, and management. Each chapter includes detailed illustrations, checklists, design templates, and other resources. You will also find generic wireless deployment patterns based on real-world customer installations and functional examples of architecture, design, and best practices.

Whether you currently design, configure, implement, and maintain WLANs or simply want to explore wireless security issues, Cisco Wireless LAN Security has everything you need to understand how to create a seamlessly secure, impenetrable 802.11 network.

This book is part of the Networking Technology Series from Cisco Press, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.




Table of Contents

Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Icons Used in This Book
Introduction
    Who Should Read this Book?
    How this Book is Organized
Chapter 1. Securing WLANs Overview
    WLAN: A Perspective
    Wireless LAN Components and Terminology
    WLAN Standards
    WLAN Security
    WLAN Security Domain Conceptual Model
    Navigating this Book and Chapter Contexts
    Summary
Chapter 2. Basic Security Mechanics and Mechanisms
    Security Mechanics
    Authentication and Identity Protocols
    Summary
Chapter 3. WLAN Standards
    Standards Organizations, Position, Context, and Influence
    Hardware/Radio/Waves and Modulation
    FCC Regulations
    Brief Discussion on Relevant Standards
    Summary
Chapter 4. WLAN Fundamentals
    WLAN: Elements and Characteristics
    WLAN Basic Topology
    WLAN Building Blocks
    WLAN State Diagram
    Basic Choreography
    Summary
Chapter 5. WLAN Basic Authentication and Privacy Methods
    Authentication Mechanics
    Open Authentication
    MAC-Based Authentication
    Shared-Key Authentication
    WEP Privacy Mechanics
    Summary
Chapter 6. Wireless Vulnerabilities
    Attacker Objectives
    Reconnaissance Attacks
    DoS Attacks
    Authentication Attacks
    WEP Keystream and Plaintext Recovery
    WEP Key Recovery Attacks
    Attacks on EAP Protocols
    Rogue APs
    Ad-Hoc Mode Security
    Summary
Chapter 7. EAP Authentication Protocols for WLANs
    Access Control and Authentication Mechanisms
    EAP
    PEAP
    802.1x: Introduction and General Principles
    Cisco LEAP (EAP-Cisco Wireless)
    EAP-FAST
    Summary
Chapter 8. WLAN Encryption and Data Integrity Protocols
    IEEE 802.11i
    Encryption Protocols
    Key Management
    WPA and Cisco Protocols
    Security Problems Addressed
    Summary
Chapter 9. SWAN: End-to-End Security Deployment
    Overview of SWAN Security Features
    WLAN Deployment Modes and Security Features
    SWAN Infrastructure Authentication
    Radio Management and Wireless Intrusion Detection
    SWAN Fast Secure Roaming (CCKM)
    Local 802.1x RADIUS Authentication Service
    Summary
Chapter 10. Design Guidelines for Secure WLAN
    WLAN Design Fundamentals
    General Security Recommendations
    New WLAN Deployments
    Integration with Existing WLAN Deployments
    SWAN Central Switch Design Considerations
    Admission Control Design
    Summary
Chapter 11. Operational and Design Considerations for Secure WLANs
    Rogue AP Detection and Prevention
    WLAN Services Scaling
    Enterprise Guest Access
    Summary
Chapter 12. WLAN Security Configuration Guidelines and Examples
    Cisco Enterprise Class Wireless LAN Products
    WLAN Security Methods: Configuration Guidelines and Examples
    SWAN Nonswitching Deployment: Configuration Guidelines and Examples
    Securing Bridge-to-Bridge Links
    Secure WLAN Management Configuration Guidelines
    SWAN Central Switching Deployment: Configuration Guidelines and Examples
    Summary
Chapter 13. WLAN Deployment Examples
    Large Enterprise Deployment Examples
    Vertical Deployment Examples
    Small and Medium Businesses and SOHO WLAN Deployments
    Hotspot (Public WLAN) Deployment Examples
    Summary
Appendix A. Resources and References
    General Tools
    Defensive Tools
    Cryptography and Cryptanalysis
    Wireless Standards and Associations
Index


Copyright
Cisco Wireless LAN Security
Krishna Sankar, Sri Sundaralingam, Andrew Balinsky, Darrin Miller
Copyright © 2005 Cisco Systems, Inc.
Cisco Press logo is a trademark of Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing November 2004
Library of Congress Cataloging-in-Publication Number: 2003100133

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Airopeek is a trademark of WildPackets, Inc. Sniffer is a trademark of Network Associates Technology, Inc. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
This book is designed to provide information about wireless LANs. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.
For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419
For sales outside the U.S., please contact: International Sales




Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at
Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Publisher: John Wait
Editor-in-Chief: John Kane
Executive Editor: Brett Bartow
Acquisition Editor: Michelle Grandin
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Nannette M. Noble
Production Manager: Patrick Kanouse
Development Editor: Ginny Bess Munroe
Senior Copy Editor: Amy Lepore
Technical Editors: Brian Cox, David Pollino, Dr. Peter Welcher, and Nancy Cam-Winget
Editorial Assistant: Tammi Barnett
Cover Designer: Louisa Adair
Project Management: Argosy Publishing
Composition: Prospect Hill Publishing Services
Indexer: Eric T. Schroeder
Proofreader: Karen A. Gill

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)
Printed in the USA

Dedications
Krishna Sankar: To my mother and Usha's mom and dad
Sri Sundaralingam: For Amma and Appa
Andrew Balinsky: For Julia and Rufus
Darrin Miller: For Jill, Megan, Beth, and Katie


About the Authors
Krishna Sankar is currently with Cisco Systems as a distinguished engineer in the Global Government Solutions Group. He has about 20 years of experience ranging from software architecture and development to industrial engineering to author, speaker, teacher, entrepreneur, and technology evangelist. He has worked with many organizations including the U.S. Air Force, the U.S. Navy, Hewlett-Packard, Qantas Airlines, Air Canada, and Ford.
He is part of (either by observing or as a member) many web services, security, and networking standards bodies. He also has worked with security bodies in the European Union: Electronic Signature Infrastructure and Comité Européen de Normalisation (CEN).
His technology interests include network-centric operations and transformation; dynamic self-configuring and adaptive networks; multihop, sensor, and identity networks; peer-to-peer and grid networks; distributed security; and Linux kernel security. Krishna lives in Silicon Valley with his wife, Usha, and son, Kaushik.
Sri Sundaralingam is currently a technical marketing manager in the Wireless Networking Business Unit at Cisco Systems, Inc. Sri has extensive customer contact and is responsible for developing and marketing enterprise and carrier networking solutions using the Cisco Aironet series of wireless LAN products. Sri has focused on the areas of wireless LAN security and wireless/wired LAN integration in the past three years at Cisco. Prior to joining the Wireless Networking Business Unit, Sri was a network consulting engineer in the Cisco Customer Advocacy organization. In this role, he worked with service providers and Fortune 500 companies to design and deploy IP-, DSL-, and ATM-based networks. Sri has been in the data communications and networking industry for the past 10 years. Before joining Cisco, Sri was a consulting engineer at Newbridge Networks and focused on designing and deploying Core Carrier networks. Sri attended the University of Waterloo in Ontario, Canada, where he majored in computer engineering.
Andrew Balinsky is a bird watcher who supports his habit with professional computer security work. His love of computers dates back to a Commodore PET and has continued through a bachelor's degree in computer science at Harvard and a master's degree in computer science at the University of Maryland at College Park. His introduction to computer security was through the Air Force Information Warfare Center, where he did everything from tracking hackers to developing security software. He continued this work at WheelGroup and at Cisco. His work at Cisco includes testing for security vulnerabilities and educating others on how to do so.
Darrin Miller has been in the networking industry for more than 15 years. He has been an IT security manager, a security consultant, and a consulting systems engineer. Darrin currently works as a security researcher at Cisco Systems, Inc. and has authored several white papers on the subject of network security. Darrin holds a bachelor's degree in computer science from the University of Cincinnati. When not working in the area of network security, he enjoys spending time with his wife and three daughters.


About the Technical Reviewers
Nancy Cam-Winget has more than 20 years of experience in architecture and systems design. She is currently a security architect for the Wireless Networking Business Unit at Cisco Systems. She is an active participant in both the IEEE 802.11 security standards and Wi-Fi security task groups. Prior to joining Cisco, Nancy was lead engineer in wireless security at Atheros. She has also designed and developed 3D graphics and image-processing systems at Intrinsic and Silicon Graphics.
Brian Cox is a network consulting engineer with Cisco Advanced Services Wireless at Cisco Systems. He holds his CCIE in routing and switching and received his master's degree in engineering at RMIT. Brian has 25 years of industry experience.
David Pollino has a strong background in security and networking and leads research focusing on wireless and security technologies. During his career, he has worked for an industry-leading security consulting company, a large financial services company, and a tier 1 Internet service provider. David often speaks at security events and has been frequently quoted in the press on security issues in online and printed journals. During his career as a consultant and network engineer, David has worked for clients across multiple industries, including financial services, service providers, high technology, manufacturing, and government. David has authored such books as RSA Press's Wireless Security and Osbourne's The Hacker's Challenge Books 1 and 2.
Dr. Peter J. Welcher, CCIE No. 1773, has a Ph.D. in math from MIT. He started out teaching math at the U.S. Naval Academy while simultaneously buying and maintaining UNIX systems, writing a book, and writing a major computer program in C. He saw the light in 1993 and then taught a wide variety of the Cisco courses for Mentor Technologies, formerly Chesapeake Computer Consultants, while also doing network consulting whenever possible. Pete is now doing high-level network consulting with Chesapeake Netcraftsmen, with tasks including network design, security, QoS, and IP telephony for several major enterprise customers. He has reviewed a large number of books for Cisco Press and other publishers and has authored or managed development of several courses for Cisco and others. Pete writes articles for Enterprise Networking magazine. He can also sometimes be found presenting his own seminars at East Coast Cisco offices, on topics ranging from campus design to WLAN security. The articles and seminars can be found at
Pete also holds the CCIP certification and is a certified Cisco Systems instructor.


Acknowledgments
Krishna Sankar: Of course, this book would not be in your hands without perseverance and hard work from a lot of folks. In particular, the coauthors Sri, Darrin, and Andy, from whom I learned a lot and it has been a pleasure to work with. We owe thanks to Michelle, who has been our mentor; she really kept the chapters from mushrooming (by promising us another book with infinite time and resources). The direction and gentle guidance from the reviewers, Nancy Cam-Winget, Brian Cox, David Pollino, and Peter Welcher, made this work complete and correct; the hard work by editors Ginny Bess Munroe and San Dee Phillips has made this book readable and cohesive. Tammi Barnett has been the glue that holds this well-oiled team together. I want to thank Merike Kaeo for materials in Chapter 2.
On a personal note, I am standing on the shoulders of giants. I want to thank Sue Stemel and Greg Akers for their guidance and encouragement. They have tremendous positive influence, and I hope all of you get to know, watch, learn from, and be led by gurus like Greg and Sue. In the same vein, Lt. Col. Terry Morgan USMC (Ret.), Col. Pat Ryan USAF (Ret.), Cdr. Charlie Booth USN (Ret.), Paige Atkins, Jim Massa, Rick Sanford, Brett Biddington, Bob Maskell, and Tom Frommack have been my support system. I could bounce my crazy ideas off them and always receive well-thought-out, rational encouragement and gentle prodding toward various forms of appropriateness. Finally, the best for last, I thank my family, who give me pride and joy (and grief occasionally, when I start veering from track): Usha (my North Star, friend, philosopher, and guide), little Kaushik, and our extended family: Usha's and my parents and our respective siblings.
Sri Sundaralingam: I want to thank my family, including Amma, Appa, my sisters Nalayini and Pathanchali and their families, my friends, and my coworkers who have inspired me to achieve above and beyond. This book is a result of hard work by many, including my coauthors Krishna, Andy, and Darrin. I would like to thank Krishna for inspiring us to author this book. I also want to thank Michelle Grandin at Cisco Press for her patience and dedication for making this happen. Last but not least, I want to thank our editors, Brian, Dave, Nancy, and Peter, who gave us timely and detailed feedback on our chapters.
Andrew Balinsky: First and foremost, I give thanks to my wife, Julia, and our canine companion, Rufus, who spent many evenings urging me to finish. Thanks also to Mum, who encouraged me to accept the challenge, and Dad, who would have been proud to see another generation of Balinskys in print. I'm grateful to my coworkers on the STAT team at Cisco who endured far-too-detailed descriptions of some of these protocols. Thanks go to Krishna for asking me to participate and my fellow authors for their feedback. At Cisco Press, I thank Michelle Grandin for keeping us on task and reminding us of the realities of authorship. I thank the trees that gave their lives for this book to be printed. Finally, I'm indebted to the nesting screech owls in our backyard that kept a watchful eye on the writing process from their perches. Their dedication to their family and their work kept me on track.
Darrin Miller: I want to thank my wife, Jill, and our daughters, Megan, Beth, and Katie, for their love, patience, and support. They remind me that there are more interesting things in life than network security. Thanks also to Mom, Dad, and my brothers for their support and the important life lessons that they teach me. I'm grateful to all of my coworkers at Cisco who challenged me with new and exciting problems to solve on a daily basis. Thanks go to my coauthors for asking me to participate. Finally, I would like to thank Michelle Grandin at Cisco Press for keeping us focused on the end goal.


Icons Used in This Book
Throughout this book, you will see the following icons used for networking devices:


Introduction
The WLAN industry has all the thrills and chills of a well-written (and -directed) drama. WLAN is a disruptive technology that questions conventional wisdom in many ways. The domain is shaped by regulations and standards, vendors who sometimes try to compensate for inadequacies and idiosyncrasies of standards and regulations, an overheated technology adoption with an impatient user base for ever-increasing features, and most importantly, a security space that has some vulnerabilities, to say the very least.
This book covers the spectrum of WLAN security: the standards, the protocols, the specifications, and above all, deployment patterns and design guidelines. What makes this book unique is the combination of theory and practice, and we, as authors, hope we have the right balance. In the same vein, the authors (and editors) also hope that we have hit the sweet spot on breadth and depth in terms of details. In one corner, there are the 30,000-foot views, and on the other side, we have the intimate, minute details of algorithms, security considerations, and protocols. This book covers the protocols and formats, enough to satisfy inquiring minds, and includes pointers for the most detailed minds to ponder. This book also has a wealth of knowledge gleaned from the authors' experience in terms of guidelines, deployments, and configuration.
The field of WLANs is continually changing; therefore, covering all aspects, especially the emerging ones, is challenging. This book achieves the new-old balance by covering not only the older methods (such as classical WEP) but also newer concepts and architectures (such as EAP and switching).


Who Should Read this Book?
This book is planned and written for network engineers who design, configure, implement, and maintain secure WLANs. Because the topic is security, the audience also includes security practitioners in the enterprise, and anybody who wants to gain a good understanding of wireless LAN security. With that in mind, this book has three aims: to articulate the various aspects of wireless LAN security, to illustrate how security is implemented in Cisco products, and finally to implement it in the architecture, design, and configuration of wireless networks (of different types such as campus, hotspots, office, and so on). On the way, this book also covers the big hairy topics like 802.x standards and vulnerabilities.


How this Book is Organized
This book includes seven chapters covering all the standards and theoretical aspects of WLAN concepts and six chapters that cover the practical aspects of applying the fundamental concepts. The chapters are of varying length depending on the topic. We believe in the "brevity is the soul of wit" paradigm and have tried to be as brief as required to describe the various mechanics and mechanisms.

Note
For those who wonder what exactly is the difference between mechanics and mechanisms:
Mechanics is the technology, the working, the processes, and the details of how something works or the way something is done. For example, WEP is the mechanics for providing confidentiality in the WLAN world.
Mechanism is the machinery that implements the mechanics. For example, different vendors could have different mechanisms to implement WEP.

Chapter 1, "Securing WLANs Overview," is an introduction to the WLAN domain, and it covers the basic concepts and lexicon of WLAN.
Chapter 2, "Basic Security Mechanics and Mechanisms," deals with the basics of cryptography so that the uninitiated will not feel overwhelmed. This chapter covers the security concepts relevant to the WLAN domain.
Chapter 3, "WLAN Standards," describes the various standards one will encounter when dealing with the WLAN domain. This chapter covers in brief the IEEE 802 family of standards, hardware standards from ETSI, and authentication standards from IETF.
Chapter 4, "WLAN Fundamentals," gives a detailed introduction to all the aspects of WLAN security. This chapter covers the essential basics of the WLAN technology: services, messages, choreographies, and interaction primitives. It also talks a bit about the WLAN security model.
Chapter 5, "WLAN Basic Authentication and Privacy Methods," describes the various authentication methods, with the major one being WEP. It covers open authentication, MAC-based authentication, shared-key authentication, and WEP. The methods are analyzed in terms of the AAA infrastructure requirements, auditing and accounting requirements, and the vulnerabilities and countermeasures.
Chapter 6, "Wireless Vulnerabilities," builds on the earlier chapters and describes the vulnerabilities of WLAN in detail. This chapter introduces wireless attacks via attack trees; describes reconnaissance, denial-of-service (DoS), authentication, encryption, and EAP protocol attacks; describes the tools that attackers use; discusses problems with rogue access points; and briefly discusses ad-hoc mode security.
Chapter 7, "EAP Authentication Protocols for WLANs," deals with the Extensible Authentication Protocol (EAP) methods: the various standards and specifications, how they interact with each other, and the protocols. This chapter covers the access control and authentication mechanics such as EAP, PEAP, 802.1x, LEAP, and EAP-FAST.
Chapter 8, "WLAN Encryption and Data Integrity Protocols," covers the security enhancements in the 802.11i and WPA standards; discusses wireless encryption and data integrity protocols, including WEP, TKIP, and CCMP; discusses security associations; describes key management processes; and analyzes which of the security vulnerabilities (introduced in Chapter 6) 802.11i addresses and which it does not.
Chapter 9, "SWAN: End-to-End Security Deployment," covers the Structured Wireless Aware Network solution. It details the fine points of the SWAN elements: WLSE, 802.1x authentication server, IOS-enabled access points, and wired elements such as routers and switches.
Chapters 10 through 13 aggregate the concepts from the previous chapters to depict WLAN architectures: best practices, design guidelines, configurations, and deployment examples.
Chapter 10, "Design Guidelines for Secure WLAN," provides WLAN design guidelines and fundamentals for various technologies including VPN overlay technologies, IPSec, authentication support, and threat mitigation.
Chapter 11, "Operational and Design Considerations for Secure WLANs," covers the security component best practices. This chapter addresses rogue AP detection and prevention, WLAN monitoring and intrusion detection, WLAN services scaling, and enterprise guest access.
Chapter 12, "WLAN Security Configuration Guidelines and Examples," covers the detailed configuration examples and guidelines for various security implementations such as guest access (open/no WEP), static WEP, MAC-address authentication, EAP/802.1x with dynamic WEP, EAP/802.1x with WPA, WPA-PSK, multiple SSIDs/VLANs, and IPSec VPN. It provides secure management configuration examples to secure management traffic to the WLAN infrastructure devices and discusses secure wired policies (for example, layer-3/layer-4 ACLs) to match wireless policies.


