ProSafe Smart Wireless Switch
WFS709TP
Section 1: Course Introduction
© .1996-2006 NETGEAR® . All rights reserved
Course Description
» This course will cover product specifications, product features,
hardware installation and software administration of the
WFS709TP ProSafe Smart Wireless Switch.
» The course is intended for L1, L2, L3 technical support engineers,
VARs and sales.
Course Prerequisites
» Students should have a basic understanding of the OSI reference model and be familiar with the 802.11 standard.
» An understanding of 802.1Q VLANs and DHCP will be very helpful.
Course Objectives
» Upon successful completion of this course, students will be able to answer questions about the hardware specifications and features of the wireless switch and the light (thin) wireless access points.
» Students will be able to physically install the hardware, initialize the wireless switch for management, provision access points to be managed by the wireless switch, use the RF planning tool to plan a WLAN deployment and configure their wireless network.
Course Agenda
» Section 1: Course Introduction
» Section 2: Product Information
» Section 3: Product Features
» Section 4: Competitive Information
» Section 5: Pre-install / Site Survey
» Section 6: Hardware Installation
» Section 7: Software Installation
» Section 8: Software Configuration
• RF Planning
• Guest Access
• Multiple Controllers and Redundancy
• IDS
» Section 9: Testing the Completed Installation
» Section 10: Troubleshooting
Section 2: Product Information
Product Description
» The WFS709TP ProSafe Smart Wireless switch is a full-featured
wireless switch that centrally manages NETGEAR light access
points.
» It provides wireless mobility, security and converged services for
both wired and wireless users.
Design and Architecture
» The WFS709TP uses "thin APs": very little functionality is included in the AP itself; the controller holds the configuration and policy.
» The WFS709TP works with the WGL102 and WAGL102, or with the WG102 and WAG102 converted with the thin-AP firmware. Once converted to thin-AP firmware, a WG102/WAG102 cannot be restored to a standalone AP.
Section 3: Product features
Features Overview
» Controls up to 16 access points
» 8 Fast Ethernet ports with PoE support: 802.3af compliant, 48 VDC, maximum aggregate power draw of 100 W
» One 10/100/1000Base-T Gigabit Ethernet uplink port
» One serial console port
» Centralized management and monitoring of the wireless infrastructure
» Built-in RF Planning tool
» Wireless intrusion detection and protection
» Advanced security features: 802.1x with EAP-PEAP, EAP-TLS and EAP-TTLS; 802.11i; MAC address authentication; captive portal
» 802.1Q VLAN
» Layer-3 routing
Wireless LAN Security and Control Features
» 802.11i security (WFA certified WPA2 and WPA)
» 802.1x user and machine authentication
» EAP-PEAP, EAP-TLS and EAP-TTLS support
» 802.11i PMK caching for fast-roaming applications
» EAP offload for AAA server scalability and survivability
» Stateful 802.1x authentication for standalone APs
» MAC address, SSID and location-based authentication
» Multi-SSID support for operation of multiple WLANs
» SSID-based RADIUS server selection
» Secure AP control and management over IPsec or GRE (GRE alone provides no encryption; use IPsec wherever the AP-to-controller path crosses an untrusted network)
» Simultaneous centralized and distributed WLAN support
Identity-Based Security Features
» Wired and wireless user authentication
» Captive portal; 802.1x and MAC address authentication
» Username, IP Address, MAC address and encryption key binding
for strong network identity creation
» Per-packet identity verification to prevent impersonation
» RADIUS and LDAP based AAA server support
» Internal user DB for AAA server failover protection
» Per-user session accounting for usage auditing
» Configurable acceptable use policies for guest access
Convergence Features
» Voice and data on a single SSID for convergence devices
» Flow-based QoS using Voice Flow Classification (VFC)
» SIP, Spectralink SVP, Cisco SCCP and Vocera ALGs
» Strict priority queuing for over-the-air QoS
» DiffServ marking and 802.1p support for network QoS
» On-hook and off-hook VoIP client detection
» VoIP call admission control (CAC) using VFC
» Call reservation thresholds for mobile VoIP calls
» Voice-aware RF management for ensuring voice quality
» Fast-roaming support for ensuring voice quality
» SIP early media and ring tone generation (RFC 3960)
» Per-user and per-role rate limits (bandwidth contracts)
IntelliFi Radio Management Features
» Automatic channel and power settings for controlled APs
» Simultaneous air monitoring and end-user services
» Self-healing coverage based on dynamic RF conditions
» Dense deployment options for capacity optimization
» AP load balancing based on number of users
» Coverage hole and RF interference detection
» 802.11h support for radar detection and avoidance
Wireless Intrusion Protection Features
» Integration with wireless infrastructure
» Simultaneous or dedicated monitoring capabilities
» Rogue AP detection and built-in location visualization
Networking Features
» L2 and L3 switching over the air and over the wire
» VLAN pooling for easy, scalable network designs
» VLAN mobility for seamless L2 roaming
» Proxy Mobile IP and proxy DHCP for L3 roaming
» Built-in DHCP server and DHCP relay
» VRRP-based N+1 controller redundancy (L2)
» AP provisioning-based N+1 controller redundancy (L3)
» 802.1d Spanning Tree Protocol
Wireless Switch Management Features
» RF planning and AP deployment toolkit
» Centralized AP provisioning and image management
» Live coverage and visualization heat maps
» Detailed statistics visualization for monitoring
» Remote packet capture for RF troubleshooting
» Interoperable with Ethereal®, AiroPeek and AirMagnet® analyzers
» Multi-controller configuration and management
» Location visualization and device tracking
» System-wide event collection and reporting
Wireless Switch Administration Features
» Web-based user interface access over HTTP and HTTPS
• Prefer HTTPS for management and leave Telnet disabled: HTTP and Telnet carry admin credentials in cleartext
» Quickstart screens for easy controller configuration
» Restricted CLI access over the serial console; CLI access over SSH and Telnet is disabled by default
» Role-based access control for restricted admin access
» Admin authentication via RADIUS, LDAP or the internal DB
» SNMPv3 and SNMPv2 for controller monitoring
» Standard MIBs and private enterprise MIBs
» Detailed message logs with syslog event notification
Section 4 Competitive Information
Section 5 Pre-Installation; Site Survey
Package Contents
» WFS709TP wireless switch
» Power adapter cord
» Four 12-24 screws for attaching the switch to an equipment rack
» RS-232 serial cable with RJ-45 male connectors, and a serial adapter to connect the serial cable to a terminal or PC with a DB-9 serial port
» Ethernet cable
» Resource CD
» Warranty and Support Card
» Quick Install Guide
Unpacking the Hardware
» Check the contents of the boxes to make sure that all items are present before beginning the installation.
• 1. Place the container on a clean, flat surface and cut all straps securing the container.
• 2. Unpack the hardware from the boxes.
• 3. Remove all packing material.
• 4. Make sure that all items are present. If any item is missing or damaged, contact your local NETGEAR reseller for a replacement.
• 5. Inspect the products and accessories for damage. Report any damage immediately.
Site Requirements
» Reliable power
• Make sure the electrical outlet is compatible with the WFS709TP:
» Power consumption: 170 W maximum
» AC input voltage: 90-132 VAC or 180-264 VAC, auto-sensing
» AC input current: 4 A at 110 VAC
» AC input frequency: 47-63 Hz
• The power cord must be rated to 10 A and must conform to the grounded electrical standard of the country in which the WFS709TP operates.
• A power line conditioner or UPS can reduce or eliminate problems caused by power service fluctuations. Make sure that the output of any power-shaping device is compatible with the WFS709TP power supply.
» Cool, non-condensing ventilation
• Operating temperature: 0 to 40 C; storage temperature: 0 to 50 C
• Humidity: 5% to 95% (non-condensing)
• Altitude: up to 10,000 feet
» Ample space
• For proper air circulation, leave at least 10 cm clearance for the vents on the left and right sides of the chassis.
» Limited electromagnetic interference
• For best operation, keep the WFS709TP and all cords and cables at least 0.7 m from fluorescent lighting fixtures and 2 m from photocopiers, radio transmitters, electric generators and other sources of strong electromagnetic interference.
Deployment Recommendations
» AP deployment
• Whatever makes sense from a cabling perspective
• AP configuration is the same in either case
• APs do not care whether they are directly or indirectly attached to the controller
» Controller deployment
• Follow the data
• Deploy controllers close to the terminus of user data
• Typically this is the data center
Section 6: Hardware Installation
Front and rear panel
1. System LED
2. Eight Fast Ethernet ports
» A. Link LED
» B. PoE LED
» C. Access point status LED
• Red (solid) – The AP on this port has failed (highest precedence)
• Red (flashing) – An air monitor on this port has detected an unsecured (rogue) AP
• Green (flashing) – An air monitor on this port has detected interference: the interfering device has been detected by your valid APs but has no wired presence on your network
• Amber (solid) – Load balancing is enabled on this port, or an AP has reached the maximum number of clients it is configured to support
• Green (solid) – All detected APs on this port are operating as expected
• Off – No AP is detected on this port
3. Gigabit Uplink port
» The gigabit interface is not user-replaceable. Do not remove the
port cover plate.
4. Serial port
» The port supports an RS-232 cable with an RJ-45 connector.
» The WFS709TP supports only limited CLI access; there is no enable-mode access to the CLI.
Mounting the chassis
» Make sure that your rack environment meets the installation
requirements.
» Position the chassis in the equipment rack and align the
brackets’ mounting holes with the corresponding holes in the
rack frame.
» Use a Phillips or cross-head screwdriver to secure the chassis to
the rack with two 12-24 screws for each mounting bracket.
Verifying the installation
» 1. Check that the Power LED lights solid green immediately upon power-up and remains solid green during and after boot.
» 2. Check the fans to verify that they are working.
» 3. Connect the appropriate network cable.
» 4. Perform the initial software setup.
Section 7: Software Installation/Update Process
Initialize the Switch for Management
» Two methods to initialize the switch for management:
• Using the Web GUI – default IP address 192.168.0.250
• Using the serial console port
Initialization – Web GUI
Default IP address – 192.168.0.250
Initialization – Serial port
Factory Default Reset
» Bring up the console in HyperTerminal and enter the following commands:
• Reboot the box and press Enter when you see "Hit any key to stop autoboot" on the console.
• At the cpboot prompt enter:
» cpboot> setenv cfgfile foo
» cpboot> saveenv
» cpboot> boot
• The system resets to factory defaults and, when it boots up, goes to the initial setup screen.
» Note that anyone with physical access to the serial console can perform this reset, which discards the entire configuration including the admin credentials; keep the switch in a locked rack and treat the console port as a privileged interface.
Provisioning Access Points
» How does an access point communicate with the wireless switch?
AP Communication with the Controller
» The AP is attached to any switch port. The AP is powered on and receives a DHCP address (or uses a statically assigned one).
» The AP finds the address of the WFS709TP (DNS or broadcast).
» The AP boots its image from the controller and creates a PAPI (UDP 8211) connection to the controller. The AP authenticates to the controller and creates a GRE tunnel between the AP and the controller.
» All client communication to the AP is encapsulated in the GRE tunnel and forwarded to the controller.
» The GRE tunnel itself adds no encryption, so run the AP-to-controller link over IPsec (listed under the security features) wherever it crosses an untrusted segment.
AP Boot Sequence
» The AP learns its location ID from the boot ROM.
» The AP sends out a DHCP request for an IP address.
» If the DHCP response includes vendor option 43 (masterip), the AP uses this as the master IP address. NETGEAR APs identify themselves with a vendor class identifier set to NetgearAP in their DHCP request.
» If no vendor option is specified, the AP sends an "ADP" packet to multicast group 224.0.82.11.
» If there is no response to the multicast ADP, the AP sends the "ADP" packet as an L2/L3 broadcast.
» If there is still no response, the AP sends a DNS query to the server given by DHCP for the hostname "netgear-master" and uses the answer as the master IP address.
» The AP sends messages to the controller with its location ID.
» If needed, the AP sends a TFTP request to the controller and downloads the OS image.
» Based on the AP's location ID, the current controller may take control of this AP or direct it to another controller.
» The AP authenticates to the controller and establishes the GRE tunnel.
» Every discovery method trusts an unauthenticated answer (a DHCP option, a multicast or broadcast reply, or a DNS record), so whoever controls DHCP, DNS or the AP's broadcast domain can point the AP at a controller of their choice; keep APs on a VLAN where only your own DHCP and DNS servers can answer.
Location ID
» Uniquely identifies APs
» The location ID indicates:
• Building
• Floor
• Specific AP
• [Building number].[Floor number].[AP number]
• [1-255].[1-255].[1-65536]
• For example, 1.1.1 (Building 1, 1st floor, AP #1)
» Zero (0) is a wildcard:
• 1.0.0 – All APs in building 1
• 1.1.0 – All APs in building 1, 1st floor
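The discovery order on the AP boot sequence slide and the location-ID wildcard on this slide, as an added worked example (not NETGEAR's own code): the functions below parse the DHCP options an AP would receive, apply the AP's precedence (option 43, ADP multicast, ADP broadcast, DNS), flag a learned master that is not a controller you own, and implement the wildcard match a controller would use to decide which APs belong to it. The option 43 encoding (master IP as ASCII text), the callable hooks for ADP and DNS, and the sample reply are assumptions made so the code runs offline.

```python
"""Added example (not NETGEAR's code): the thin-AP master-discovery order from
the boot-sequence slide, modelled so a defender can replay it against what an AP
would actually receive, plus the location-ID wildcard match a controller uses to
decide which APs it should take. Assumptions, because the slides do not state
them: option 43 is taken to carry the master IP as an ASCII dotted quad, and the
ADP and DNS steps are passed in as callables so everything runs offline."""
import ipaddress

VENDOR_CLASS = b"NetgearAP"          # vendor class identifier from the slide
MASTER_HOSTNAME = "netgear-master"   # DNS fallback name from the slide
ADP_MCAST_GROUP = "224.0.82.11"      # ADP multicast group from the slide


def build_discover_options():
    """Options an AP puts in its DHCP request: option 60 (vendor class) so the
    server can hand back an option 43 meant for this class."""
    return bytes([60, len(VENDOR_CLASS)]) + VENDOR_CLASS + bytes([255])


def parse_dhcp_options(raw):
    """Parse the TLV options area of a DHCP message (RFC 2132) into {code: value}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0:           # pad
            i += 1
            continue
        if code == 255:         # end
            break
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def master_from_option43(opts):
    """Assumed encoding: option 43 is the master IP as ASCII text. Anything that
    does not parse as an IPv4 address is ignored so discovery falls through."""
    try:
        return str(ipaddress.IPv4Address(opts[43].decode("ascii")))
    except (KeyError, ValueError):
        return None


def discover_master(reply_opts, adp_query, dns_resolve):
    """Apply the slide's precedence and report which method supplied the master."""
    ip = master_from_option43(reply_opts)
    if ip:
        return ip, "dhcp-option-43"
    ip = adp_query(ADP_MCAST_GROUP)      # ADP to the multicast group first
    if ip:
        return ip, "adp-multicast"
    ip = adp_query("broadcast")          # then ADP as an L2/L3 broadcast
    if ip:
        return ip, "adp-broadcast"
    ip = dns_resolve(MASTER_HOSTNAME)    # last resort: the DNS name
    if ip:
        return ip, "dns"
    return None, "none"


def audit_master(ip, method, trusted):
    """Every discovery method trusts an unauthenticated answer, so compare what
    was learned against the controllers you actually own."""
    if ip is None:
        return "no master found"
    if ip in trusted:
        return "ok: %s via %s" % (ip, method)
    return "ALERT: %s learned via %s is not a trusted controller" % (ip, method)


def parse_location(text):
    """'building.floor.ap' with the slide's ranges; 0 is a wildcard in any field."""
    b, f, a = (int(x) for x in text.split("."))
    if not (0 <= b <= 255 and 0 <= f <= 255 and 0 <= a <= 65536):
        raise ValueError("location ID out of range: " + text)
    return b, f, a


def location_matches(pattern, ap_location):
    """True when every non-zero field of the pattern equals the AP's field."""
    return all(p == 0 or p == v for p, v in zip(parse_location(pattern), parse_location(ap_location)))


def controller_for(ap_location, assignments):
    """assignments: list of (wildcard pattern, controller IP); first match wins,
    so put specific patterns before broad ones."""
    for pattern, ctrl in assignments:
        if location_matches(pattern, ap_location):
            return ctrl
    return None


# Constructed sample (not a capture): a DHCP reply carrying option 43 = "192.168.0.250".
SAMPLE_REPLY = bytes([43, 13]) + b"192.168.0.250" + bytes([255])
```

Run `audit_master(*discover_master(parse_dhcp_options(reply), adp, dns), {"192.168.0.250"})` with the real DHCP reply bytes from a capture on the AP VLAN; an ALERT means something other than your controller answered one of the discovery steps.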
Unprovisioned AP
Provision New Access Points
» Two methods to provision a new access point:
• Access Point Installation Wizard: Configuration->Basic->Access Point Installation Wizard
• Manual provisioning: Maintenance->WLAN->Program AP
Lab One – Initialize the Wireless Switch
Lab Two – Provision an Access Point
Section 8: Software Setup / Configuration
Software Configuration
» RF Planning
» Guest Access
» IDS – rogue AP detection and containment
» Multiple controllers and redundancy
RF Planning
RF Plan
» Use RF Plan as an initial tool to place APs
» RF Plan makes many assumptions and does not factor in building construction materials (walls, doors, furniture, etc.)
» Works well for typical office environments
» After installation, turn on ARM (Adaptive Radio Management)
» Update RF Plan with the actual AP locations
Pre-installation Activities
» You will:
• Create floor plan files to use for post-installation RF Plan use
» RF Plan will:
• Provide the number of APs and AMs (air monitors) you will need for each floor/building
• Derive recommended locations for the APs/AMs on the floor plans
Required Information for RF Plan
» Building (drawing) dimensions
» Protocols (802.11a/g)
» AP types
» Desired data rate
» Desired monitoring rate for air monitors
» Floor maps in JPEG format
• Maximum 2048x2048 pixels
Importing Floor Plans
Step 1 – Edit the floor plan in a graphics editor
Step 2 – Move the mouse to the bottom right of the image to measure the picture (not building) width and height in pixels
Step 3 – Scale pixels per foot (or meter) against a known dimension
Sizing Floor Plans
Step 4 – Save the floor image file as JPG
Step 5 – Calculate the image dimensions:
• Calculate pixels per foot (or meter) against a known dimension
• Use that value to calculate the dimensions of the JPG image width and length in feet or meters
Importing Floor Plans Best Practice
» Make sure the image is scaled. If the image is not scaled and proportional, triangulation and heat-map calculations will be flawed.
» Leave some border to help triangulate WiFi devices that are just outside the building.
» For a building with multiple floors, the rectangle must cover exactly the same dimensions on every floor. For buildings whose floors have different shapes or dimensions, it is critical that the cropped area be the same square footage for all floors and that the floors be anchored against a common feature such as the elevator shafts.
RF Plan – Create New building
Click Plan, then New Building
RF Plan – Default Overview
Click Building Dimension
RF Plan – Set building dimension
The inter floor height is used by RF Plan to allow APs on one floor to service users
on adjacent floors. If you do not wish RF Plan to factor in adjacent floors, set this
value to be very large (300).
RF Plan – AP modeling spec.
Which bands to support? Which APs will be used?
These settings are on a per-building basis. If you have a mix of AP
types, choose the most common one.
RF Plan
» Coverage
• Coverage is typically based on WLAN transmit rate
• The desired speed rate defines the estimated minimum connect speed
• The higher the rate, the smaller the coverage area and the more APs required
• Capacity-based coverage is recommended for high-capacity conference or training rooms
• Custom coverage is for deployments where the AP count is already known
» Overlap
• 100% (Low) – best for open spaces such as warehouses
• 150% (Medium) – best for office spaces
• 200% (High) – offers twice the minimum AP count, for high redundancy/performance and dense deployments
• Custom – allows a specific overlap; many office spaces work well with 120% overlap
RF Plan – AM Modeling Parameters
Decide on AM coverage rates
Coverage rates for AMs refer to the rate at which an AM can
capture packets and will tell RF Plan how close to place AMs to
one another. If you will be using AMs purely for IDS purposes, use
the lowest rate values for the a and b/g radio.
RF Plan – Building Planning
Click "Add New Floor", then "Edit Floor"
Browse to the JPEG image and click "Apply"
Edit Floor – Import Floor Plan
RF Planning – Enlarge/Reduce Floor Image
The zoom control enlarges or reduces the floor image.
RF Planning – Delete Existing APs in Plan
Delete and clear to start with a clean deployment.
AP Planning – Initialize
Clicking Initialize causes RF Plan to place APs on the map. Clicking Start causes RF Plan to optimize the placement of the APs.
If you wish to add more APs than RF Plan recommends, DO NOT click Initialize again: this resets the drawing to the recommended layout and erases any manually added APs.
AP Planning - Start
AP Planning – Assign AP Name
» Use AP names that help identify and locate the APs.
» Define channel and power settings to override the automatic settings.
» Use the notes section for comments.
AM Planning
New Area
» A "Don't care" area tells RF Plan not to deploy APs in that area, and that you do not care whether there is RF coverage in that space or not.
» A "Don't deploy" area tells RF Plan not to place APs in that area, but that you do want as much RF coverage in that area as possible.
AP Planning – New Area
Drag and drop the area to the desired location. After dropping the area into the desired location, click Initialize and Start to recalculate.
Optimize AP locations
• Drag and drop APs as needed (conference rooms, hallways, etc)
• Avoid metal and non-RF friendly obstacles
• New APs can be manually added if needed.
Save Plan Information
Review and save the RF Plan
• Verify the building information, AP and AM count and coverage rates
• Save the building info
RF Plan – Exporting Plan
» Used to back up and move RF Plan information
» Export/import between controllers, or between the offline version and a controller
» Click "include images" if any images are present
» Multiple buildings can be saved into a single RF Plan export file
RF Plan – Deployed
To see the heat map, enable ARM and let it run for a few minutes.
Lab Three – Use RF Plan to Create a Plan
RF Management
Post-installation Activities
» Review dynamic heat maps and validate coverage
» Track the location of WLAN devices such as clients, interfering APs and rogue APs
Dynamic Heat Maps
• Near real-time view of RF coverage and interference
• Information reported by APs and AMs
• Helps identify coverage holes and interference
Location Tracking
Two Web UI options to locate APs and clients:
1. Monitor
• View client/AP info and click "Locate"
2. RF Plan
• Perform a search for a specific client wireless MAC or AP BSSID
Location Tracking: Monitor
• Monitor -> Switch -> Clients/APs
• Select and click the Locate button
• At least three devices (APs or AMs) must be on the same channel to triangulate a device
Location Tracking: Monitor (continued)
• Click Locate to show either contour shapes (shown here) and/or rings
• "Keep data for" should be set to a maximum of 10 minutes for best results
• The more APs/AMs on the same channel as the device, the better the result will be
Location Tracking: MAC
• Copy the client MAC address or AP BSSID from the Web UI screen or from the CLI
• Use the MAC/BSSID to select the device
• Use "Add Device" to enter the device MAC address
• Click OK to locate
Calibration
» Active calibration allows the switch to learn which APs and AMs are in range of each other and adjust their channel and power settings for optimum performance.
» Purpose:
• To learn and implement the optimal channel plan.
• To learn and implement the optimal power level plan.
Adaptive Radio Management (ARM)
» Adaptive Radio Management is a real time dynamic calibration
mechanism.
» ARM allow each AP to figure out its own best channel and power
settings.
» ARM, if enabled, is a continuous process. It allows the system to
detect changes in the RF and to dynamically react to maintain the
most optimized RF system possible.
Enable ARM
Configuration->Advanced->WLAN->Radio
Enable ARM Scanning with Single Band
How ARM works
» APs constantly scan other channels during dead intervals
» AP analyzes BSSIDs and interference seen on current and other
channels
» AP reports back to controller when a better channel is found
» “Better” is defined as “least number of APs seen on a channel”
or “better SNR statistics”
» Controller analyzes reports from APs and make calculations
based on known WLAN topology database
» If controller finds no conflicts, it will instruct AP to move to the
new channel
» Dampening factor prevents channel “flapping”
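The controller-side decision described above, as an added worked example that is a simplified model rather than NETGEAR's own algorithm: each AP's scan report is scored (fewest foreign APs first, signal level as a tie-breaker), only regulatory-approved channels are considered, a move that collides with a neighbouring AP in the topology database is refused, and a dampening margin stops channel flapping. The scoring weights, the dampening margin, the report format and the sample topology are assumptions for illustration.

```python
"""Added example, not NETGEAR's own algorithm: a simplified model of the
controller-side channel decision described on the "How ARM works" slide.
Each AP reports, per channel, how many foreign BSSIDs it sees and the strongest
foreign signal level; the controller prefers the channel with the fewest APs
(the slide's definition of "better"), uses signal level only as a tie-breaker,
restricts itself to the regulatory channel list, refuses a move that collides
with a neighbouring AP in its topology database, and applies a dampening
margin so a marginal gain does not cause channel flapping. The scoring
weights, the dampening margin and the report format are assumptions."""

# Channels approved for North America, from the "Channel Selection" slide.
ALLOWED = {
    "b/g": (1, 6, 11),
    "a": (36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161),
}


def channel_score(report):
    """Lower is better. report = {"aps": foreign BSSIDs seen, "snr": dB of the
    strongest foreign signal}. The AP count dominates; SNR only breaks ties."""
    return report["aps"] * 100 + report["snr"]


def best_channel(scan, band):
    """(channel, score) of the best approved channel in scan {channel: report};
    channels outside the regulatory list are ignored even if they look quiet."""
    candidates = {ch: channel_score(r) for ch, r in scan.items() if ch in ALLOWED[band]}
    if not candidates:
        raise ValueError("scan has no channel approved for band " + band)
    ch = min(candidates, key=candidates.get)
    return ch, candidates[ch]


def decide_channel(ap, current, scan, band, topology, dampening=100):
    """Controller decision for one AP; returns (channel, reason) and records a
    move in topology {ap: {"channel": int, "neighbours": set of AP names}}.
    A move needs a score gain of at least `dampening` (one fewer foreign AP
    under the weights above) and must not land on a neighbour's channel."""
    if current not in ALLOWED[band]:
        raise ValueError("current channel %d not approved for band %s" % (current, band))
    best, best_score = best_channel(scan, band)
    if best == current:
        return current, "already on best channel"
    current_score = channel_score(scan[current]) if current in scan else float("inf")
    if current_score - best_score < dampening:
        return current, "gain below dampening threshold"
    in_use = {topology[n]["channel"] for n in topology[ap]["neighbours"]}
    if best in in_use:
        return current, "conflict: channel %d used by a neighbouring AP" % best
    topology[ap]["channel"] = best      # the controller records the new assignment
    return best, "moved to channel %d" % best


# Constructed sample inputs (not captured data).
TOPOLOGY = {
    "ap-1.1.1": {"channel": 1, "neighbours": {"ap-1.1.2"}},
    "ap-1.1.2": {"channel": 6, "neighbours": {"ap-1.1.1"}},
}
SCAN = {  # what ap-1.1.1 sees: channel 1 is crowded, 11 is quiet, 13 is not approved
    1: {"aps": 3, "snr": 30}, 6: {"aps": 0, "snr": 10},
    11: {"aps": 0, "snr": 5}, 13: {"aps": 0, "snr": 0},
}
```

With the sample inputs, `decide_channel("ap-1.1.1", 1, SCAN, "b/g", TOPOLOGY)` moves the AP to channel 11 rather than the equally quiet channel 6, because channel 6 is already held by its neighbour in the topology database.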
Power Level Adjustment
» Radio power levels are adjustable between 0 and 4
» 4 is the highest
» Calibration automatically sets the power level to avoid interference with other APs
» Power levels are dynamically adjusted to fill in holes if an AP fails

B/G Radio                   A Radio
Level   dBm   mW            Level   dBm   mW
0       0     1             1       0     1
1       11    13            2       9     8
2       14    25            3       12    16
3       17    50            4       15    32
4       20    100           5       18    63
(mW values are rounded from 10^(dBm/10))
Channel Selection
» APs operate most efficiently when they are the only AP on the
channel
» Calibration will automatically assign channels to each AP to
minimize interference
» Only channel approved by the appropriate country regulations
will be assigned
» For example, in North America this is
• 802.11b/g = 1, 6, 11
• 802.11a = 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161
Before Calibration
• All .11a radios on channel 36
• All .11g radios on channel 1
• All power levels at 50%
After Calibration
• The network learns the optimal channel plan to avoid interference
• It learns the optimal power levels to avoid coverage holes
ARM Assignment Options
» Disabled
• Disables ARM calibration and reverts the AP to its default channel and power settings
» Single band
• Enables the AP to change channels, within the same band, and transmit power
» Multi band
• Not supported (for future use)
» Maintain
• Causes the AP to hold its last used channel and power settings. Useful for customers concerned about APs changing channel/power during use.
ARM Options
» ARM Scanning
• Enable ARM scanning
» ARM Client Aware
• Prevent AP from changing channel if clients are associated.
» ARM Rogue AP Aware
• If no other APs are on the same channel as the rogue or no AM
are available the AP can change channel to contain a rogue. An
AP can always contain a rogue on the same channel.
» ARM VoIP Aware
• Pause ARM scanning when a VoIP call is detected (SIP, SCCP,
SVP, Vocera)
» ARM Multi Band Scan
• Allows APs to scan across bands for Rogue detection.
Air Monitor
Turn an AP into an air monitor
RF Management
» Calibration
» Optimization – Self Healing
» Optimization – Load Balancing
» Protection – DoS Protection
» Monitoring – Coverage Hole Detection
» Monitoring – Interference Detection
» Monitoring – Event Thresholds
» Monitoring – Advanced
Encryption and Authentication
Module Overview
» Authentication
• SSID
• MAC
• Captive Portal
• 802.1x
» Encryption
• Layer 2 vs. Layer 3
» Wireless security protocols
• WPA
• 802.11i/WPA2
Security Overview
Wireless security standards and protocols fall into
3 categories:
» Encryption
• Ensures privacy of data transmitted through the air
• Can be done at Layer 2 (WEP, TKIP, AES)
» Authentication
• Ensures that only authorized users with proper credentials
are allowed to use the network
• Authentication methods include EAP, captive portal.
» Access Control
• Provides a policy enforcement structure to control the traffic
of authorized users, including networks, bandwidth, time of
day, and protocols
Authentication Overview
Information security has three goals:
• Confidentiality
• Integrity
• Availability
» Authentication assists with confidentiality and integrity
» Ensures "you are who you say you are"
» Necessary for both the client and the network/server (mutual authentication)
Authentication Methods
• The WFS709TP supports a variety of authentication methods.
• Authentication methods are configured at: Configuration -> Security -> Authentication Methods
» Authentication methods are used by the WFS709TP to authenticate users before granting wireless access.
Authentication Methods
» SSID
» MAC
» Captive Portal
» 802.1x
• EAP
SSID Authentication
» A user can be authenticated simply by associating with a given SSID
» A policy is created such that anyone associating with a given SSID is granted certain permissions
» Weak encryption offerings (WEP) and high administrative overhead (creating a separate SSID for each user group) make SSID a poor choice
» No real security value: the SSID is not a secret
SSID Authentication Configuration
MAC Authentication
» A user's MAC address can be used to establish identity
» However, MAC addresses can be spoofed by an attacker who observes a valid client's address over the air, so MAC-authenticated devices should be placed in a role that restricts what they can reach
» Useful for devices that cannot run authentication software (handheld scanners, printers, etc.)
MAC Authentication (continued)
Internal Database
» Built in on the controller
» Simple authentication option
» Can be used with PEAP offload
Internal Database (continued)
Captive Portal
» Web-based authentication method (SSL)
» Enabled by default
» Typically found in public hotspots and universities
» The user associates (open or static WEP) and receives an IP address
» The user launches a web browser and is redirected to an authentication web page
» May authenticate against the internal or an external server
» Can also be used with Sygate On-Demand Agent (SODA) for client integrity checking
» After successful authentication, a role is assigned
» Only the login itself is protected by SSL: on an open SSID the user's traffic after login is unencrypted over the air, so a captive portal is an access-control mechanism, not a substitute for 802.11i encryption
Captive Portal (continued)
Captive Portal Login
© .1996-2006 NETGEAR® . All rights reserved
134
Customized Captive Portal
© .1996-2006 NETGEAR® . All rights reserved
135
802.1x
» Standard protocol for authenticating user *prior* to granting access to L2 media
» Utilizes EAP (Extensible Authentication Protocol)
• Evolved from PPP, used for wired network authentication - unencrypted
• Several types of “Wireless” EAP
» Cisco LEAP
» EAP-TLS
» PEAP
» EAP-TTLS
• These sub-types intended for use on untrusted networks such as wireless
EAP Definitions
Supplicant: client station
Authenticator: WFS709TP
Authentication Server: RADIUS Server
EAP Overview
1. Supplicant communicates with authentication server through the authenticator
2. Authenticator reformats 802.1x to RADIUS and forwards to Authentication Server
3. EAP exchange happens between supplicant and authentication server
4. On success, server delivers EAP Success via RADIUS message
5. Details often hidden from authenticator
6. The WFS709TP is EAP agnostic
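The relay behaviour in steps 1, 2, 4 and 6 above, as an added Python example (not NETGEAR code and not the WFS709TP implementation): EAP packets are framed per RFC 3748, wrapped into RADIUS EAP-Message attributes (type 79, RFC 3579) by the authenticator, and the authenticator inspects only the EAP code to decide whether to open the port. The function names and the identity value are constructed for the example.

```python
"""EAP framing and its RADIUS encapsulation at an EAP-agnostic authenticator.

Added example, not NETGEAR code. The authenticator copies EAP between the
802.1x (EAPOL) side and RADIUS EAP-Message attributes and only looks at the
EAP code to learn whether the port may be opened.
"""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # RFC 3748 codes
EAP_TYPE_IDENTITY = 1
RADIUS_ATTR_EAP_MESSAGE = 79   # RFC 3579: EAP packet carried inside RADIUS
RADIUS_ATTR_MAX_DATA = 253     # 255-byte attribute minus 2-byte type/length header


def build_eap(code, identifier, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Return (code, identifier, type_or_None, type_data); rejects bad lengths."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length field does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    return code, identifier, packet[4], packet[5:]


def eap_to_radius_attrs(eap_packet):
    """Split one EAP packet into consecutive RADIUS EAP-Message attributes."""
    attrs = []
    for off in range(0, len(eap_packet), RADIUS_ATTR_MAX_DATA):
        chunk = eap_packet[off:off + RADIUS_ATTR_MAX_DATA]
        attrs.append(bytes([RADIUS_ATTR_EAP_MESSAGE, len(chunk) + 2]) + chunk)
    return b"".join(attrs)


def radius_attrs_to_eap(attr_bytes):
    """Reassemble EAP-Message attributes (kept in order) into the EAP packet."""
    out, off = b"", 0
    while off < len(attr_bytes):
        atype, alen = attr_bytes[off], attr_bytes[off + 1]
        if alen < 2 or off + alen > len(attr_bytes):
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_ATTR_EAP_MESSAGE:
            out += attr_bytes[off + 2:off + alen]
        off += alen
    return out


def authenticator_port_action(eap_from_server):
    """Decide what the authenticator does with an EAP packet from the server.

    Only the EAP code is inspected (the method's details stay hidden);
    Request packets are relayed to the supplicant unchanged.
    """
    code = parse_eap(eap_from_server)[0]
    return {EAP_SUCCESS: "authorize-port",
            EAP_FAILURE: "keep-port-blocked"}.get(code, "relay-to-supplicant")


def identity_exchange(outer_identity=b"anonymous"):
    """Walk one Identity round trip and report what each party handled."""
    req = build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)                    # authenticator -> supplicant
    resp = build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, outer_identity)  # supplicant -> authenticator
    radius_payload = eap_to_radius_attrs(resp)                            # authenticator -> RADIUS server
    seen_by_server = parse_eap(radius_attrs_to_eap(radius_payload))
    return {"request_len": len(req),
            "server_saw_identity": seen_by_server[3],
            "radius_attr_bytes": len(radius_payload)}


if __name__ == "__main__":
    print(identity_exchange())
```

The split at 253 bytes matters in practice: a server certificate inside a PEAP or EAP-TLS exchange spans several EAP-Message attributes, and a relay that truncates or reorders them produces an EAP failure the supplicant cannot explain.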
EAP Exchange
(Figure: EAP exchange between Client, WFS709TP and Authentication Server. The client reaches the WFS709TP over an 802.11 a/b/g secured link; the WFS709TP reaches the Authentication Server across the trusted network. Controller used as pass-through doesn’t have to know EAP type.)
802.1x Process
802.1x Access Control – Sequence of events (figure; participants: Client, Authenticator, Authentication Server; messages pass between Client and Authentication Server through the Authenticator)
1. Request Identity
2. Response Identity
3. Response Identity (anonymous)
4. PEAP Start
5. Certificate
6. Cert. verification
7. Client Key exchange
8. Request credentials
9. Response credentials
10. Success
EAP Flavors
LEAP
» Cisco proprietary
» Dynamic WEP
» Has been broken. Not recommended for current deployment
EAP-FAST
» Cisco proprietary
» Uses a PSK in phase 0 to obtain a PAC file, PAC is used as credentials on network
» Subject to man in the middle attacks; poor Windows AD integration
EAP-TLS (EAP with Transport Layer Security)
» RFC 2716 - based on SSL
» Uses both client and server certificates
» Provides for mutual authentication
» Supported by Windows 2000, XP, 3rd party clients
EAP Flavors (continued)
EAP-PEAP
» Based on TLS
» Hides EAP exchange
» Requires both server and client authentication
» Developed by Microsoft, Cisco and RSA Security
EAP-MD5
» Early implementation of EAP using only MD5 hash with no encryption
» Rarely used
EAP-TTLS
» Similar to PEAP, but allows for any EAP authentication protocol
» Requires 3rd party client
» Developed by Funk Software
802.1x Configuration
PEAP-Offload
(Figure: EAP exchange with PEAP offload. The client reaches the NAS over an 802.11 a/b/g secured link; the NAS reaches the Authentication Server across the trusted network.)
PEAP Offload (continued)
802.1x termination
Encryption
WEP
» Wired Equivalent Privacy
» Based on RC4 stream cipher
» Part of 1997 802.11 specification
» WEP was defeated in 2000
» Keys made up of 24-bit Initialization Vector (IV) and either a 40-bit or 104-bit key
» Usually statically configured on both AP and client
• Makes key rotations difficult
• Can be dynamically assigned through 802.1x - LEAP
WEP (cont.)
» Static WEP vulnerabilities include:
• No privacy between users - same keys
• Weak IVs lead to linear key discovery
• No authentication mechanism
• Vulnerable to Man-in-the-Middle/replay attacks
» Dynamic WEP an improvement
• Keys generated by authentication server through 802.1x - unique to each user
• Keys rotated periodically
• Keys still able to be attacked directly, just takes longer
WPA/TKIP
» WPA (Wi-Fi Protected Access) is an industry-sponsored interim security standard
• Subset of 802.11i RSN (Robust Security Network)
• Dramatic improvement over WEP
» WPA consists of 2 parts:
• 802.1x Authentication
• TKIP encryption (Temporal Key Integrity Protocol)
» TKIP
• Provides per-packet key mixing, strong MIC (Message Integrity Check), extended IV, and a re-keying mechanism
• Based on RC4 - only requires a software upgrade for most devices
• Can use a Pre-Shared Key (PSK) like WEP or dynamic keys through 802.1x (recommended)
WPA Disadvantages
Major drawbacks of WPA include:
• Backwards-compatibility limits crypto operations
» Encryption is still ultimately based on RC4, as is WEP/TKIP
» Not FIPS-certified or approved for US government use
• WPA designed as an interim solution before 802.11i
• Not compatible with pure 802.11i/RSN environments
802.11i/Wi-Fi Protected Access 2.0
» Amendment to the original 802.11 standard
» Specifies security mechanisms for wireless networks (Wi-Fi)
Major 802.11i components include:
» 802.1X for authentication
» RSN for keeping track of associations
» AES-based CCMP encryption
» Four-way authentication handshake
xSec
xSec enjoys all of the same security benefits as 802.11i with the addition of higher levels of encryption and FIPS compliance
» xSec functionality is same as 802.11i with:
• Wired and wireless functionality
• Higher encryption levels
Major xSec components are:
• 802.1X for authentication
• RSN for keeping track of associations
• AES-CBC-256 and HMAC-SHA1
• Four-way authentication handshake
Configuring 802.1x/802.11i
Wireless Security Best Practices
• Use WPA or WPA2 wherever possible
• Migrate to full 802.11i as drivers and equipment allow
• Leverage firewall policies to protect legacy networks
• Pure Windows environments: use EAP-PEAP
• Pure Windows rollouts with existing PKI: TLS is an option for greater security
• Always validate server certificate to prevent man in the middle attacks
EAP Methods Comparison

Feature/Benefit                                    MD5      TLS      TTLS      PEAP      LEAP      FAST
Client-side authentication/certificate required    No       Yes      No        No        No        No (PAC)
Server-side authentication/certificate required    No       Yes      Yes       Yes       No        No (PAC)
Authentication method                              One-way  Mutual   Mutual    Mutual    Mutual    Mutual
Deployment complexity                              Low      High     Moderate  Moderate  Moderate  Moderate to high
Security strength                                  Low      Highest  High      High      Low       Medium to high
WFS709TP RADIUS Compatibility

RADIUS Server                MD5  TLS  TTLS  PEAP  LEAP  FAST
Cisco ACS 3.2 and higher     Yes  Yes  No    Yes   Yes   Yes
Microsoft IAS                Yes  Yes  No    Yes   No    No
Funk Steel Belted RADIUS     Yes  Yes  Yes   Yes   Yes   Yes
InfoBlox                     Yes  Yes  No    Yes   Yes   No
FreeRADIUS                   Yes  Yes  No    Yes   Yes   No
Radiator                     Yes  Yes  Yes   Yes   Yes   No
Lab four
Create SSID and test client association
Guest Access
Guest Access
» Guest access can be created from the Basic or Advanced configuration menu.
Guest Access
Configuration->Basic->WLAN
Guest Access
Configuration->Advanced
» 1. Add user to internal database for authentication
» 2. Create guest SSID
» 3. Enable Captive Portal
Add guest user to internal database
Configuration->Advanced->Security->AAA Servers
Create Guest SSID
Configuration->Advanced->WAN->Network
Enable Captive portal
Configuration->Advanced->Security->Authentication->Captive Portal
Enter guest SSID
Captive Portal Login
DNS must be operational to access the captive portal page
Captive Portal Authenticated
Authenticated guest
Lab five – Create guest login and captive portal
Multiple VLAN/ESSID support
Scenario
» Two VLANs: Corp, Guest
» DHCP provided by Layer3 switch
» Two ESSID: Corp, Guest
» Guest ESSID not allowed to access Corp, but allowed to access the Internet
(Figure: scenario topology. Internet; Router (NETGEAR FV318 Cable/DSL VPN Router); Layer3 switch (NETGEAR FS524 24-port 10/100 Mbps Fast Ethernet Switch); VLAN Trunk; WFS709TP; Access Points.)
Multiple VLAN/ESSID
» 1. Setup VLAN and trunk port on switch.
» 2. Configure DHCP pools (switch / WFS709TP / DHCP server)
» 3. Create trunk port on WFS709TP
» 4. Create VLAN on WFS709TP
» 5. Define ESSID with associated VLAN on WFS709TP.
» 6. Create ACL on switch.
» 7. Create static routes on router for internal subnets.
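Step 6 is where the scenario's requirement (Guest may reach the Internet but not Corp) is actually enforced, and a first-match ACL only enforces it if the rules are in the right order. The following is an added Python example, not NETGEAR switch configuration: it evaluates a first-match list the way a Layer 3 switch ACL does and flags rules that an earlier rule shadows. The subnets (Corp = VLAN 100 = 10.1.100.0/24, Guest = VLAN 200 = 10.1.200.0/24) and the DNS server address 10.1.0.53 are constructed.

```python
"""First-match ACL evaluation and shadow check for the two-VLAN scenario.

Added example, not NETGEAR switch configuration. Subnets and the DNS server
address are constructed for the example.
"""
import ipaddress

# Applied inbound on the Guest VLAN interface; first match wins, implicit deny at the end.
GUEST_ACL = [
    ("permit", "10.1.200.0/24", "10.1.0.53/32"),    # guests must reach DNS for the captive portal
    ("deny",   "10.1.200.0/24", "10.1.100.0/24"),   # guests may not reach Corp
    ("deny",   "10.1.200.0/24", "10.1.0.0/16"),     # nor any other internal subnet
    ("permit", "10.1.200.0/24", "0.0.0.0/0"),       # everything else (Internet) is allowed
]

# A misordered list: the catch-all permit makes the later deny unreachable.
MISORDERED_ACL = [
    ("permit", "10.1.200.0/24", "0.0.0.0/0"),
    ("deny",   "10.1.200.0/24", "10.1.100.0/24"),
]


def acl_decision(acl, src_ip, dst_ip):
    """Return the action of the first rule matching (src_ip, dst_ip), else 'deny'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return "deny"   # implicit deny at the end of every ACL


def shadowed_rules(acl):
    """Indices of rules that can never match because an earlier rule covers them.

    Rule j is shadowed by rule i < j when rule i's source and destination
    networks are supersets of rule j's; the action does not matter, since the
    packet never reaches rule j either way.
    """
    nets = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for _, s, d in acl]
    shadowed = []
    for j, (sj, dj) in enumerate(nets):
        for i in range(j):
            si, di = nets[i]
            if sj.subnet_of(si) and dj.subnet_of(di):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    for dst in ("10.1.100.7", "10.1.0.53", "10.1.0.54", "203.0.113.10"):
        print("guest ->", dst, acl_decision(GUEST_ACL, "10.1.200.25", dst))
    print("shadowed in MISORDERED_ACL:", shadowed_rules(MISORDERED_ACL))
```

The shadow check is the useful part when the ACL grows: a rule that is never hit is either dead weight or, as in MISORDERED_ACL, a deny that quietly does nothing.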
Create Trunk port on wireless controller
Enable trunk port and allow all VLAN
Create VLAN on wireless controller
Define ESSID associated with VLAN
Assign VLAN to ESSID
Lab six – Multiple BSSID with VLAN and guest access
IDS
Overview
• Threats and countermeasures
» WLAN Discovery
• Active/Passive
» DoS Attacks
» Surveillance
» Impersonation/Man-in-the-Middle
» Intrusion
• Client-Client
• Client-Network
» Rogue Detection and Containment
Probing/Network Discovery
» Probing not an “attack”, but may precede an attack
» Often, probes are people looking for free access (War Driving)
» Can be active or passive
Passive Probe Detection and Prevention
» Behavior
• Station listens for AP beacons
• Most operating systems perform this by default and present the user with a list of “available networks”
» Detection
• Impossible to detect - station is not transmitting
• Enabling hidden SSIDs will stop AP beacons but monitoring legitimate traffic will reveal SSID
• May discourage the casual War Driver
Active Probe Detection and Prevention
» Behavior
• Station transmits probe-request frame with a null ESSID (Broadcast BSSID, empty ESSID)
• APs receiving this request will send a probe response indicating their SSID and other capabilities
» Detection
• Some tools (Netstumbler, Wellenreiter) may be detected through signature analysis
• Disabling broadcast probe response will prevent APs from responding to active probes
• SSID will still be revealed through monitoring legitimate traffic
Probing Event Reports
Denial of Service Attacks
Two types of Denial of Service (DoS) attacks:
• Layer 1
• Layer 2
Layer 1 Jamming Attacks
» Involves sending sufficient RF noise to drown out any 802.11 communication
» Illegal in most countries – but difficult to enforce because the jammer can be hard to find
» YDI “DoS-in-a-box” costs $695
Layer 1 Jamming Detection
» Aruba Air Monitors and APs constantly measure signal-to-noise ratio (SNR)
» Interference Detection logs can be correlated to detect a jamming attack in progress
» If SNR drops below a certain threshold on a single channel, ARM will be able to react and move to a new channel
» If SNR drops below a certain threshold across a wider spectrum, the administrator can be automatically notified that a jamming attack is taking place
Interference Detection
Layer 2 Attacks
» DoS Attacks that work within the 802.11 protocol framework
» Examples include associate/disassociate attacks, authenticate/deauthenticate attacks, network overload attacks, and NIC firmware flaws
» An attacker may try to disconnect clients from an AP by sending deauthenticate or disassociate frames with a spoofed source address. This often signals an attempted man-in-the-middle attack
» In the US, these attacks are not prohibited by the FCC, but are covered by other information security laws (Communications Act of 1934)
L2 Client Attack
» Enable “Station DoS Prevention” (stm sta-dos-prevention)
» Generates a security event
» Quarantines the station from the network for [sta-dos-block-time] seconds.
» Prevents a man-in-the-middle attack from taking place.
L2 AP Attack
» Ignores attacks against the AP with DoS protection enabled (stm dosprevention).
» Switch will ignore all disassociate/deauthenticate frames.
» Idle stations age out according to sta-ageout-interval parameter
DoS Protection
Layer 2 Event Reporting
Other Layer 2 Attacks
» EAP Start Floods
• An attacker may try to overwhelm the authentication server in an 802.1x network by sending EAP handshake floods
» WFS709TP will detect this as a rate anomaly
» FakeAP
• An attacker may run a tool such as “FakeAP” that generates a large number of beacons with different BSSIDs
» Tool was developed for stress-testing wireless networks and to confuse War Drivers by making clients think there are a large number of APs – same tool can be used as a DoS attack
» WFS709TP will detect FakeAP and generate a security event
Other Layer 2 Attacks (continued)
» Association Floods
• An attacker may try to fill an AP’s association table using association or authentication floods
» Rate anomaly detection will sense an abnormally high number of associate/authenticate frames coming from the same physical location
» Stations that associate but send no data will be aged out after 30 seconds
» Probe Floods
• An attacker may send a high number of probe request frames to consume resources on the AP
» Rate anomaly detection will sense and report this
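The EAP Start, association/authentication and probe floods on the two slides above are all caught by the same mechanism, a per-source rate check. The following is an added Python example of that logic, not the WFS709TP's implementation: frames are counted per (source MAC, frame type) in a sliding window and one security event is raised per source and type when the count passes a threshold. The thresholds, window, MAC addresses and frame samples are constructed for the example, not the product's defaults.

```python
"""Rate-anomaly detection over a sample of 802.11/802.1x frame records.

Added example, not NETGEAR code. Thresholds and window are example values.
"""
from collections import defaultdict, deque

# Frames per window above which a source is reported (assumed values).
THRESHOLDS = {"eapol-start": 20, "assoc-req": 30, "auth-req": 30, "probe-req": 100}


def detect_rate_anomalies(frames, window_s=1.0, thresholds=THRESHOLDS):
    """frames: iterable of (timestamp_s, source_mac, frame_type).

    Returns a list of events {src, type, count, at}; a given (source, type)
    is reported once so a sustained flood does not produce an event storm.
    """
    recent = defaultdict(deque)      # (src, type) -> timestamps inside the window
    flagged, events = set(), []
    for ts, src, ftype in sorted(frames):
        if ftype not in thresholds:
            continue
        q = recent[(src, ftype)]
        q.append(ts)
        while ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > thresholds[ftype] and (src, ftype) not in flagged:
            flagged.add((src, ftype))
            events.append({"src": src, "type": ftype, "count": len(q), "at": ts})
    return events


# Constructed capture: one flooding source and one well-behaved client.
ATTACKER, LEGIT = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
SAMPLE_FRAMES = (
    [(i * 0.02, ATTACKER, "eapol-start") for i in range(25)]        # 25 EAP Starts in 0.5 s
    + [(0.10, LEGIT, "eapol-start"), (0.50, LEGIT, "assoc-req")]     # normal client activity
    + [(1.5 + i * 0.01, ATTACKER, "probe-req") for i in range(50)]   # 50 probes in 0.5 s: under threshold
)


def run_sample():
    """Run the detector over the constructed capture."""
    return detect_rate_anomalies(SAMPLE_FRAMES)


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

The 30-second age-out mentioned on the slide is the complementary control: the rate check limits how fast an attacker can fill the association table, and the age-out drains entries that never carry data.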
Surveillance
» The nature of Wi-Fi makes surveillance easy – all that is required is an 802.11 NIC and software to decode frames
» Surveillance leads to exposure of sensitive information, network topology information, addressing, client information, and in some cases, authentication information
Preventing Surveillance
» Strong encryption is the key to defeating surveillance
» Static WEP is NOT strong encryption
• WEP is sufficient to discourage the casual War Driver and cause them to go elsewhere
• WEP can be broken in as little as 4 hours on a busy network just through monitoring alone – active attacks (like “reinj.c”) can break it in 30-60 minutes
» Use WPA 1.0 with dynamic TKIP for now, and WPA 2.0/802.11i when equipment supports it.
• If this is not possible, at a minimum use dynamic WEP and a strongly encrypted L3 VPN
A Note on Cracking WEP
» WEP is broken, but is better than no encryption at all
» Deploying an Aruba network significantly reduces an attacker’s ability to crack WEP
• WEP cracking tools (Airsnort, WEPcrack) rely on packets with weak initialization vectors (IVs) in order to conduct analysis
• Aruba controllers will not generate packets with weak IVs – thus all downstream packets will be unusable for cracking purposes
• Clients will still generate weak IVs – some percentage of client traffic will contain packets with weak IVs
• A determined attacker will eventually crack the WEP key – though it may take weeks using client traffic alone
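The WEP slides earlier in this section (24-bit IV plus a 40- or 104-bit key, weak IVs leading to key discovery) and the controller policy above (never transmit a weak IV; clients still do) can be shown together. The following is an added Python example, not Aruba or NETGEAR code: it recognises the (A+3, 0xFF, X) IV class that the FMS attack relies on, builds the RC4 seed the way WEP does, drives an IV counter that skips the weak class, and computes the weak-IV share of observed client traffic so an administrator can see how much usable material a network still leaks. The sample IV list is constructed.

```python
"""WEP IV hygiene: recognise FMS weak IVs, never emit them, and measure the
weak-IV share of observed traffic.

Added example, not Aruba/NETGEAR code. The weak class modelled is the
(A+3, 0xFF, X) form; key lengths follow the WEP slide (5 or 13 key bytes).
"""

IV_BITS = 24
IV_SPACE = 1 << IV_BITS


def is_fms_weak_iv(iv, key_bytes=13):
    """True if the 3-byte IV (b0, b1, b2) has the form (A+3, 0xFF, X).

    A is the index of the key byte such an IV leaks, so A < key_bytes
    (5 for a 40-bit key, 13 for a 104-bit key).
    """
    b0, b1, _ = iv
    return b1 == 0xFF and 3 <= b0 < 3 + key_bytes


def wep_seed(iv, key):
    """RC4 seed used by WEP: the 24-bit IV prepended to the 40- or 104-bit key."""
    if len(key) not in (5, 13):
        raise ValueError("WEP keys are 5 or 13 bytes")
    return bytes(iv) + bytes(key)


class IvGenerator:
    """Sequential 24-bit IV counter that skips the weak class (transmit-side policy)."""

    def __init__(self, start=0, key_bytes=13):
        self.counter = start % IV_SPACE
        self.key_bytes = key_bytes

    def next_iv(self):
        while True:
            c = self.counter
            self.counter = (c + 1) % IV_SPACE       # wrap after 2^24 frames, as WEP does
            iv = ((c >> 16) & 0xFF, (c >> 8) & 0xFF, c & 0xFF)
            if not is_fms_weak_iv(iv, self.key_bytes):
                return iv


def weak_iv_share(observed_ivs, key_bytes=13):
    """Fraction of observed IVs in the weak class (0.0 when nothing was observed)."""
    if not observed_ivs:
        return 0.0
    weak = sum(1 for iv in observed_ivs if is_fms_weak_iv(iv, key_bytes))
    return weak / len(observed_ivs)


# Constructed sample of IVs as they might be captured from client traffic.
SAMPLE_CLIENT_IVS = [(3, 255, 17), (9, 1, 1), (5, 255, 2), (0, 0, 0), (200, 255, 9), (16, 255, 0)]


if __name__ == "__main__":
    gen = IvGenerator(start=0x03FF00)
    print("next non-weak IV after 0x03FF00:", gen.next_iv())
    print("weak share of sample:", weak_iv_share(SAMPLE_CLIENT_IVS))
    print("seed length (104-bit key):", len(wep_seed((1, 2, 3), bytes(13))))
```

Skipping the weak class only protects frames the controller sends; the share computed over client IVs is what decides how long the slide's "weeks using client traffic alone" really is, which is the argument for dynamic keying or, better, leaving WEP behind.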
Impersonation Attacks
» Pretending to be someone you are not
• Could be a client impersonating another client
• Could be a client impersonating an AP
• Could be an AP configured with your enterprise SSID
Impersonation Attacks
» In order for an impersonation attack to succeed in a useful way, the attacker must have already cracked the Layer 2 encryption key
• Moral of this story: Don’t use static WEP
• If WEP is required, use dynamic WEP with 1-minute re-keying intervals
• If you must use static WEP, supplement it with a L3 VPN technology such as IPSEC or PPTP
Client Impersonation Attacks
» Client impersonation attacks involve taking the MAC address and/or IP address of a valid wireless station
» End goal: Gain access to the network while appearing to be an authenticated and valid user
» Three types possible:
1) Use DoS attack to remove valid station from the network.
2) Leave valid client alone, and send packets to the network pretending to be that client
3) Wait for the valid client to shut down, then assume its MAC address and IP address
DoS Client Impersonation
• Use DoS to get them “out of the way” by getting them to associate to another AP (or a fake AP) on a different channel
» Aruba will quarantine wireless clients following a de-auth attack
» Air Monitors will detect a non-valid AP using the SSID of the valid network and will prevent clients from connecting to it
Share the Air Client Impersonation
» The “share the air” attack – leaving valid client on the network while impersonation takes place
• Aruba supports 802.11 sequence number analysis (ids-policy sequence-check enable) to detect this type of attack
» Possible, though difficult, to overcome sequence number analysis
• Client itself will often detect this attack, displaying “duplicate IP address” messages
• TCP cannot be used here – the valid client will receive TCP packets it does not recognize, and will send a TCP RST
MAC Address Spoofing Detection
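The sequence number analysis behind the sequence-check policy above, as an added Python example (not Aruba or NETGEAR code): every 802.11 station keeps a 12-bit sequence counter that increases by one per frame and repeats only for retransmissions, so when a second radio transmits with the same MAC address the interleaved stream jumps backwards on the ring. The backward tolerance, MAC address and frame records are constructed for the example.

```python
"""802.11 sequence-number analysis for the "share the air" impersonation.

Added example, not Aruba/NETGEAR code. The tolerance value is an assumption.
"""
SEQ_MODULO = 4096   # 12-bit sequence number field


def seq_delta(previous, current):
    """Signed distance from previous to current on the 12-bit sequence ring."""
    d = (current - previous) % SEQ_MODULO
    return d - SEQ_MODULO if d > SEQ_MODULO // 2 else d


def check_sequence_numbers(frames, backward_tolerance=3):
    """frames: iterable of (timestamp, source_mac, sequence_number).

    Returns (source_mac, previous_seq, offending_seq) for every frame whose
    sequence number went backwards by more than backward_tolerance. A delta of
    0 is a retransmission and is ignored; small negative deltas are tolerated
    because frames can be captured slightly out of order.
    """
    last = {}
    alerts = []
    for _, src, seq in sorted(frames):
        if src in last:
            d = seq_delta(last[src], seq)
            if d < -backward_tolerance:
                alerts.append((src, last[src], seq))
        last[src] = seq
    return alerts


# Constructed capture: a valid station at seq 100.. and a second radio using
# the same MAC with its own counter near 1500. Each interleave is caught.
VALID = "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    (0.00, VALID, 100), (0.10, VALID, 101), (0.20, VALID, 101),   # 101 twice: retransmission
    (0.30, VALID, 102), (0.35, VALID, 1500),                       # impersonator's frame
    (0.40, VALID, 103), (0.45, VALID, 1501), (0.50, VALID, 104),
]


if __name__ == "__main__":
    for alert in check_sequence_numbers(SAMPLE_FRAMES):
        print("sequence anomaly:", alert)
```

The check is per transmitter MAC, so the first impersonating frame itself may look like a plausible forward jump; it is the next frame from the genuine station that exposes the second counter, which is why the slide's "possible, though difficult, to overcome" holds: the attacker would have to track and mirror the victim's counter in real time.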
Off-Air Client Impersonation
» Wait for valid client to shutdown, then impersonate
• Most clients never send a disassociate message when they shut down – leaving their association ID active in the AP
• An attacker could watch for a client shutdown (NetBIOS sessions closing, DHCP release, person walking out the front door, etc.) and then assume the client’s association ID and MAC/IP addresses
• Use of strong encryption will prevent this attack
» WPA (802.1x with TKIP)
» IPSEC/PPTP VPNs
AP Impersonation Attacks
» AP Impersonation
• Any time an unauthorized device is advertising itself as an AP with a valid enterprise SSID, Aruba supports the ability to launch a de-auth attack against this AP
» Air Monitors perform the monitoring function, and also generate de-auth frames
• This prevents “honey pot” attacks – an attacker sitting outside the building advertising an enterprise SSID and attempting to lure enterprise clients to connect with it
» A honey pot attack is normally a prelude to some other type of attack, such as man-in-the-middle or client vulnerability probing
Rogue Detection and Containment
Rogue APs, Ad-Hoc Networks, and Bridges
» Rogue APs and ad-hoc networks are typically set up by employees who do not understand the security risks
» Rogue APs represent one of the single largest threats to network security
• A rogue AP in an office, with default configuration parameters, is no different than an Ethernet jack on the outside of a building
» Ad-Hoc networks can be dangerous because they may turn a PC into a wireless-wired bridge
• There is no security in an ad-hoc network – anyone can join one
• If the PC is bridging between network interfaces, an ad-hoc network is just like a rogue AP
» Wireless bridges can expose the network in the same way that rogue APs do
• Bridges are relatively rare
Ad-Hoc Network and Bridge Detection
» Air Monitors constantly scan the air looking for “deviant topologies”
• Ad-hoc networks transmit all 802.11 frames with the “ToDS” and “FromDS” bits in the header set to 0
• Wireless bridges transmit all 802.11 frames with the “ToDS” and “FromDS” bits in the header set to 1
» When an ad-hoc network or wireless bridge is detected, a security event notification is generated
Ad-Hoc Network Protection
» Configuration/WLAN Intrusion Detection/Policies/Ad hoc Network
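The "deviant topology" scan above can be written down directly from the Frame Control field. The following is an added Python example, not Aruba or NETGEAR code: it reads the two Frame Control bytes (transmitted little-endian; bits 2-3 of the first byte give the frame type, bits 0-1 of the flags byte give ToDS and FromDS), classifies data frames as ad-hoc, bridge or infrastructure, and raises one event per transmitter. It restricts the rule to data frames, since management frames such as beacons always carry ToDS = FromDS = 0 and would otherwise look like ad-hoc traffic. The MAC addresses and frames are constructed.

```python
"""Classify 802.11 data frames by their ToDS/FromDS bits to find ad-hoc
networks and wireless bridges.

Added example, not Aruba/NETGEAR code. Sample frames are constructed.
"""
TYPE_DATA = 2


def classify_frame(frame_control):
    """frame_control: the 2 Frame Control bytes as captured. Returns a label."""
    fc = int.from_bytes(bytes(frame_control), "little")
    if (fc >> 2) & 0x3 != TYPE_DATA:
        return "non-data"              # management/control frames are not classified
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if not to_ds and not from_ds:
        return "ad-hoc"                # IBSS: station to station, no AP involved
    if to_ds and from_ds:
        return "bridge"                # WDS: AP to AP, four-address frame
    return "infrastructure"            # station <-> AP through the distribution system


def scan_for_deviant_topologies(frames):
    """frames: iterable of (transmitter_mac, frame_control_bytes).

    Returns {transmitter_mac: "ad-hoc" | "bridge"}, one event per transmitter.
    """
    events = {}
    for mac, fc in frames:
        label = classify_frame(fc)
        if label in ("ad-hoc", "bridge") and mac not in events:
            events[mac] = label
    return events


# Constructed capture. First byte 0x08 = data frame, subtype 0; 0x80 = beacon.
SAMPLE_FRAMES = [
    ("02:aa:aa:aa:aa:01", b"\x08\x00"),   # data, ToDS=0 FromDS=0 -> ad-hoc
    ("00:bb:bb:bb:bb:02", b"\x08\x01"),   # data, ToDS=1           -> station to AP
    ("00:cc:cc:cc:cc:03", b"\x08\x0a"),   # data, FromDS=1 + retry -> AP to station
    ("00:dd:dd:dd:dd:04", b"\x08\x03"),   # data, ToDS=1 FromDS=1  -> bridge
    ("00:ee:ee:ee:ee:05", b"\x80\x00"),   # beacon: management, ignored
]


if __name__ == "__main__":
    for mac, label in scan_for_deviant_topologies(SAMPLE_FRAMES).items():
        print(f"security event: {label} traffic from {mac}")
```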
Rogue AP Detection and Containment
» Aruba supports automatic detection and classification of rogue APs
• APs are first detected on the wireless side as “interfering” – meaning that they appear in the radio spectrum
• Air Monitors constantly compare MAC addresses between the wireless and wired sides of the network. If a match is found, a rogue AP is present
• Rogue APs are automatically shut down through a DoS attack against them
Classification
(Figure: AP classification diagram. Labels: Corporation with WFS709TP, Mobility Controller, BACKBONE, Neighboring Company or Public Hotspot, Parking Lot; classes shown: Valid, Interfering, Known Interfering, Rogue.)
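The classification logic behind the slide above, as an added Python example (not Aruba or NETGEAR code): a BSSID heard by the Air Monitors is Valid if it belongs to one of our APs, Known Interfering if an administrator has listed it as a neighbour, Rogue if the same MAC address has been learned on the wired side of the network, and otherwise Interfering. All MAC addresses, SSIDs and tables are constructed; the optional last-byte slack for matching a BSSID against an AP's wired-side MAC is an assumption for the example, not a documented product rule.

```python
"""Rogue AP classification from wireless-side observations and wired-side MAC
tables: Valid / Interfering / Known Interfering / Rogue.

Added example, not Aruba/NETGEAR code. All addresses are constructed.
"""


def _mac_int(mac):
    return int(mac.replace(":", ""), 16)


def on_wire(bssid, wired_macs, slack=0):
    """True if the BSSID, or a MAC within `slack` of it, was learned on the wired side."""
    b = _mac_int(bssid)
    return any(abs(_mac_int(m) - b) <= slack for m in wired_macs)


def classify_aps(seen_bssids, our_bssids, known_interfering, wired_macs, slack=0):
    """seen_bssids: {bssid: ssid} reported by Air Monitors. Returns {bssid: class}."""
    result = {}
    for bssid in seen_bssids:
        if bssid in our_bssids:
            result[bssid] = "valid"
        elif bssid in known_interfering:
            result[bssid] = "known interfering"     # neighbour an admin has acknowledged
        elif on_wire(bssid, wired_macs, slack):
            result[bssid] = "rogue"                 # heard in the air and present on our wire
        else:
            result[bssid] = "interfering"           # only in the radio spectrum
    return result


def rogue_events(classification):
    """BSSIDs that should produce an IDS security event (syslog / SNMP trap)."""
    return sorted(b for b, c in classification.items() if c == "rogue")


# Constructed tables.
SEEN = {"00:0f:b5:00:00:01": "CORP", "00:0f:b5:00:00:02": "CORP",
        "00:1c:f0:aa:bb:01": "NEIGHBOR", "00:1d:7e:12:34:56": "linksys",
        "00:18:39:ab:cd:ef": "hotspot"}
OUR_APS = {"00:0f:b5:00:00:01", "00:0f:b5:00:00:02"}
KNOWN_NEIGHBORS = {"00:1c:f0:aa:bb:01"}
WIRED_MAC_TABLE = {"00:0f:b5:00:00:01", "00:1d:7e:12:34:55", "00:50:56:11:22:33"}


if __name__ == "__main__":
    for slack in (0, 1):
        print(f"slack={slack}:", classify_aps(SEEN, OUR_APS, KNOWN_NEIGHBORS, WIRED_MAC_TABLE, slack))
```

The slack parameter shows why the wired-side comparison needs care: consumer APs often use a wired MAC one or two values away from the BSSID, so an exact match misses them, while a large slack starts matching unrelated devices. Either way, classification is the detection step; containment is a separate, deliberate decision, as the IDS Best Practices slide later in this section says.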
Rogue AP Detection
» WFS709TP IDS security event generated
» Syslog message and SNMP trap sent
Rogue AP Detection
Locating Rogue APs
(Figure: a Rogue AP located by Air Monitors and/or APs.)
Rogue AP/Station Location
Rogue AP Configuration
Configuration/WLAN Intrusion Detection/Rogue AP
Configuring an Air Monitor
» To convert an AP to an AM, you must first create a location describing the specific AP you wish to convert
» From the Web UI, select:
• Configuration/WLAN/Advanced
• Click “Add” and specify the AP in x.x.x format
• Select the radio to change, click “Air Monitor”, then “Apply”
IDS Best Practices
» Always start with detection first
• Recommended start:
» Rogue AP detection (on by default)
» Ad hoc detection
» Fake AP detection
» AP impersonation
» Signature detection
» Add protection/countermeasures later
• Take time to understand what is triggering events
• Might be legitimate users/devices
» Create baseline prior to threshold setting changes
• Allows for evaluation of usefulness
Security
Firewall Settings
RF Policy
Lab Seven – Rogue AP detection and containment
Multiple Controller and Redundancy
Multi controller
» For large multi-site deployments, multiple controllers may be required.
» WFS709TP uses a Master-Local architecture
• All configuration and management is handled by master controller.
• APs boot either from the master controller or a local controller, and are assigned to a local controller for processing based on location ID.
• Only VLANs and other local port attributes configured on local controller.
Multi-Controller (continued)
(Figure: a Master controller and Local controllers in Building 1, Building 2 and Building 3; labels: AP Location 2.0.0, Local Controller IP, GRE Tunnel.)
AP Boot Sequence
» During an AP boot, the AP identifies itself to the master controller with its location ID. The master uses the location ID to determine where the AP should terminate its GRE tunnel. When using VRRP, this should be the virtual IP address of the VRRP router.
» On the master controller, tie APs to their local controller by location ID. This must be done even if APs bootstrap from their local controller.
» For the local controller, local mode is configured during initial setup.
» After that, only VLAN and IP information is configured on the local controller. All other configuration is done on the master.
Moving to a Multi-Switch Environment
» For a single WLAN configuration, the master switch is the WFS709TP that controls the RF and security settings of the WLAN.
» Additional WFS709TP units added to the same WLAN serve as local switches to the master WFS709TP.
» A local WFS709TP operates independently of the master and depends on the master only for its security and RF settings.
» The local WFS709TP needs to have connectivity to the master at all times to ensure that any changes on the master are propagated to the local WFS709TP.
Reasons to move to multi-switch environment
» Scaling to include a larger coverage area
» Setting up remote APs
» Network setups that require APs to be redistributed from a single- to a multi-switch environment.
Steps to migrate from single-switch to multi-switch environment
» 1. Configure the role of the local WFS709TP to local and specify the IP address of the master.
» 2. Configure the Layer 2/Layer 3 settings on the local WFS709TP (VLANs, IP subnets, IP routes).
» 3. Configure as trusted ports the ports the master and local WFS709TP use to communicate with each other.
» 4. For those APs that need to boot off the local WFS709TP, configure the LMS IP address to point to the new local WFS709TP.
» 5. Reboot the APs that are already on the network, so that they now connect to the local WFS709TP.
Configuring the local WFS709TP
» Set the mode of the WFS709TP to local.
» Set the master IP address to the IP address of the master WFS709TP. If master redundancy is enabled on the master, this address should be the VRRP address for the VLAN instance corresponding to the IP address of the WFS709TP.
Configure the AP for local controller
» Set LMS IP to local controller IP address.
Roaming
» Standard 802.11 mobility
• There is no standard protocol for inter-AP handoff
• There is no standard protocol for client-AP handoff
• Client finds an AP to associate with, and will hold that association for as long as possible
• When error rates climb high enough, client will drop association and look for a new AP
• In a legacy fat-AP network, client had to re-authenticate, get a new IP address, etc. when roaming. All data sessions interrupted.
» Some vendors improved on this; requires proprietary software/clients
WFS709TP mobility
» Because WFS709TP provides a central management point for wireless traffic, mobility is seamless
» APs are simply radios – when a client roams from one AP to another, it only changes radios. The wireless switch maintains state of authentication and encryption
» Ultimately, client still controls mobility
• Client will hang onto an AP as long as it can
• No way to schedule a handoff without client software
Single Controller Mobility
» When a client roams between APs all mobility processing is done internally - client retains its IP address
» Authentication, ACLs, flow classification, state information is all maintained by the controller
(Figure: one controller with ap location 1.1.0 (vlan 100), ap location 1.1.1 (vlan 100) and ap location 1.1.2 (vlan 200); the diagram marks L2 Roaming and L3 Roaming between these APs.)
Inter-controller mobility
» There are two options for inter-controller mobility
» If controllers are L2 connected, L2 (VLAN mobility) is recommended.
» If controllers are L3 connected, L3 mobility is recommended.
Layer 2 Mobility
» If 2 or more controllers are Layer 2 connected, simply trunk all user VLANs to all controllers in the same site.
» When user roams to another controller, the new controller will continue to place their traffic on the same VLAN.
Layer 2 Mobility
(Figure: two controllers with ap location 1.0.0 (vlan 100) and ap location 2.0.0 (vlan 200); VLANs 14, 100 and 200 are trunked to both controllers; the client is shown on VLAN 100 at 1.1.1 and again on VLAN 100 at 2.1.1.)
Layer3 Mobility
» L3 mobility should be enabled when controllers are separated by a Layer 3 network.
» Controllers build mobile-IP tunnels to transmit client traffic to original controller (home agent).
» When a client roams to an AP controlled by a different controller, the new controller (foreign agent) recognizes the client and tunnels the traffic back to the original controller (home agent).
Layer 3 Mobility
» L3 mobility should be enabled when controllers are separated by an L3 network
» Controllers build mobile-IP tunnels to transmit client traffic to original controller (home agent)
(Figure: two controllers separated by an L3 Network; the first carries VLANs 14 and 100 with ap location 1.0.0 (vlan 100), the second VLANs 15 and 200 with ap location 2.0.0 (vlan 200); a Mobile IP tunnel joins them, and the client is shown on VLAN 100 at 1.1.1 and at 2.1.1.)
Inter-Controller Mobility
(Figure: a Master with three Local controllers.)
1. Client roams to different controller (foreign agent)
2. FA recognizes client
3. FA builds tunnel to HA
4. Client’s traffic tunneled through HA to destination
Tunnel Objectives
» Reasons for Mobile IP tunnel:
• IP Addresses are hierarchical - the wired network will still route traffic to the HA
• Wired-side anti-spoofing rules will not be violated
• Traffic continues through existing Firewall states at HA
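The choice between the two inter-controller options (L2: keep the client's VLAN on the new controller; L3: the new controller becomes foreign agent and tunnels back to the home agent) and the four-step sequence above can be modelled in a few lines. The following is an added Python example, not NETGEAR code: each controller is described by the VLANs it carries, a client's home controller and VLAN are fixed by its first association, and every later association returns whether the traffic stays local, rides the trunked VLAN, or goes through a Mobile IP tunnel. Controller names, VLAN numbers and the client MAC are constructed.

```python
"""Home-agent / foreign-agent decision for inter-controller mobility.

Added example, not NETGEAR code. Controller names, VLANs and MACs are
constructed; the two scenarios mirror the Layer 2 and Layer 3 slides.
"""


class MobilityDomain:
    def __init__(self, controller_vlans):
        # {controller: set of VLANs that controller carries natively or on a trunk}
        self.controller_vlans = controller_vlans
        self.home = {}          # client mac -> (home controller, home vlan)
        self.tunnels = set()    # (foreign agent, home agent) pairs that have been built

    def associate(self, client_mac, controller, vlan=None):
        """Record an association and return how the client's traffic is carried."""
        if client_mac not in self.home:
            if vlan is None:
                raise ValueError("first association must carry the ESSID's VLAN")
            self.home[client_mac] = (controller, vlan)           # this controller is the HA
            return {"mode": "home", "controller": controller, "vlan": vlan, "tunnel": None}
        home_ctrl, home_vlan = self.home[client_mac]
        if controller == home_ctrl:
            return {"mode": "home", "controller": controller, "vlan": home_vlan, "tunnel": None}
        if home_vlan in self.controller_vlans[controller]:
            # L2 mobility: the user VLAN is trunked here, so keep the client on it.
            return {"mode": "l2", "controller": controller, "vlan": home_vlan, "tunnel": None}
        # L3 mobility: this controller is the FA; it recognises the client and
        # tunnels traffic to the HA, where the wired network still routes the IP.
        tunnel = (controller, home_ctrl)
        self.tunnels.add(tunnel)
        return {"mode": "l3", "controller": controller, "vlan": home_vlan, "tunnel": tunnel}


CLIENT = "00:11:22:33:44:55"


def l2_site():
    """Two controllers with VLANs 14, 100, 200 trunked to both (Layer 2 Mobility slide)."""
    d = MobilityDomain({"ctrl-A": {14, 100, 200}, "ctrl-B": {14, 100, 200}})
    first = d.associate(CLIENT, "ctrl-A", vlan=100)
    roamed = d.associate(CLIENT, "ctrl-B")
    return first, roamed, d.tunnels


def l3_site():
    """Two controllers across an L3 network with disjoint VLANs (Layer 3 Mobility slide)."""
    d = MobilityDomain({"ctrl-A": {14, 100}, "ctrl-B": {15, 200}})
    d.associate(CLIENT, "ctrl-A", vlan=100)
    roamed = d.associate(CLIENT, "ctrl-B")
    back_home = d.associate(CLIENT, "ctrl-A")
    return roamed, back_home, d.tunnels


if __name__ == "__main__":
    print("L2 site:", l2_site())
    print("L3 site:", l3_site())
```

The tunnel endpoint is always the home agent, never the foreign one, which is exactly the Tunnel Objectives point: the client keeps its address, the wired network keeps routing to the HA, and the firewall state built on first association stays valid.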
Switch Role
Enable Mobility
LMS IP
Multi-controller redundancy
» WFS709TP can be configured in a redundant configuration to provide fault tolerance in the case of failure.
» Two options:
• Local controller redundancy
• Master controller redundancy
Local Redundancy
» A pair of WFS709TP with the primary master serving all the APs.
» When the primary master fails, the backup controller take control
of the APs.
» The two WFS709TP must be in the same broadcast domain and
they should have the same firmware version.
© .1996-2006 NETGEAR® . All rights reserved
242
Configuring local controller redundancy
» Collect the VLAN ID on the two WFS709TP that is on the layer 2
network and will be used to configure the VRRP instance.
» Decide on a virtual IP.
» Go to Configuration->Switch->VRRP and create a new VRRP
instance.
» Set up the VRRP instance with the proper parameters.
» Configure the APs to terminate their tunnel using the virtual IP.
VRRP
VRRP
VRRP instance for local redundancy
N + 1 local redundancy
» The master serves as the backup for each of the local controllers.
Configure N+1 local redundancy
» Configure the master WFS709TP interface as a trunk port for the
VLANs belonging to the N local controllers.
» The master WFS709TP is set up with N VRRP instances, one for each
local controller it provides redundancy for.
» For each VRRP instance:
• Collect the VLAN ID shared between the master and the local controller.
• Decide on a virtual IP.
• Go to Configuration->Switch->VRRP and create a new VRRP
instance.
• Set up the VRRP instance with the proper parameters, plus:
• Configure the master WFS709TP priority to be 100 and the local
controller to be 110.
• Enable pre-emption.
• Configure master up time or master state tracking with an added
value of 20.
» Configure the APs to terminate their tunnel using the virtual IP.
Master controller redundancy
» WFS709TP can support master controller redundancy.
» Both WFS709TP are configured as master controllers.
» Master controllers also support redundancy using VRRP.
» Local controllers set the master controller IP to the VIP.
» All configuration is done on the primary master.
» If master discovery is through DHCP option 43 or through DNS, make
sure they assign the master’s virtual address.
» Besides supporting AP boot sequences, configuration of local
controllers, and mobility support, master controllers can also have APs
terminate traffic on them. If the primary master fails, the backup
master must take over all responsibilities of the master. Some of these
depend on database information that is stored on the master. The
backup master needs to receive periodic updates from the active master
to ensure that it has the latest copy for when it needs to take over the
master duties.
» Database synchronization is configurable in the VRRP setup. You can
also specify how often the sync should occur.
Configure master redundancy
» Collect the VLAN ID on the two WFS709TP that is on the layer 2
network and will be used to configure the VRRP instance.
» Decide on a virtual IP.
» Go to Configuration->Switch->VRRP and create a new VRRP
instance.
» Set up the VRRP instance with the same parameters as for local
redundancy, except:
• Set the initial preferred master’s priority to 110 and the backup’s to 100.
• Enable pre-emption.
• Configure master up time or master state tracking with an added
value of 20.
» Associate the master VRRP instance with the master WFS709TP
redundancy.
» Configure the APs to terminate their tunnel using the virtual IP.
» The master controller IP needs to be set on the local controller.
» The WFS709TP needs to be rebooted after the master controller IP
is changed.
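The N+1 and master redundancy procedures above both rely on the same VRRP arithmetic: a 110/100 priority split, pre-emption, and a tracking bonus of 20. The following model, an added example rather than NETGEAR's code, runs that election on a clock so the effect of each setting can be checked; the tracking condition is an assumption, modelled as "has been VRRP master for at least TRACK_AFTER seconds" (the course's "master up time"), and the threshold of 30 s and controller names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

TRACK_ADD = 20     # priority added once the tracking condition holds (course value)
TRACK_AFTER = 30   # assumed master-up-time threshold in seconds (constructed)

@dataclass
class Controller:
    name: str
    base_priority: int                   # 110 = preferred, 100 = backup (course values)
    up: bool = True
    master_since: Optional[int] = None   # sim clock when it became VRRP master

    def effective_priority(self, now: int) -> int:
        # Base priority, plus the tracking bonus once it has held master long enough.
        held = self.master_since is not None and now - self.master_since >= TRACK_AFTER
        return self.base_priority + (TRACK_ADD if held else 0)

class VrrpInstance:   # one VRRP instance (virtual IP) shared by a redundancy pair
    def __init__(self, controllers, preempt=True):
        self.controllers, self.preempt, self.master = controllers, preempt, None

    def step(self, now: int) -> Optional[str]:
        # Run one election at time `now`; return the name of the VRRP master.
        live = [c for c in self.controllers if c.up]
        if not live:
            self.master = None
            return None
        best = max(live, key=lambda c: c.effective_priority(now))
        if self.master is None or not self.master.up:
            self._promote(best, now)      # master gone: the backup takes over
        elif self.preempt and best is not self.master and \
                best.effective_priority(now) > self.master.effective_priority(now):
            self._promote(best, now)      # pre-emption by a higher effective priority
        return self.master.name

    def _promote(self, ctrl: Controller, now: int) -> None:
        if self.master is not None:
            self.master.master_since = None
        self.master, ctrl.master_since = ctrl, now

def master_redundancy_timeline(preferred_back_at: int) -> dict:
    """Preferred master (110) fails at t=10 and returns at `preferred_back_at`;
    returns the VRRP master seen at t=0, t=10, the return time and 10 s later."""
    pri, bak = Controller("preferred-master", 110), Controller("backup-master", 100)
    inst = VrrpInstance([pri, bak])
    seen = {0: inst.step(0)}
    pri.up = False
    seen[10] = inst.step(10)
    pri.up = True
    seen[preferred_back_at] = inst.step(preferred_back_at)
    seen[preferred_back_at + 10] = inst.step(preferred_back_at + 10)
    return seen
```

Run `master_redundancy_timeline(20)` and `master_redundancy_timeline(50)` to compare a quick return (the preferred master pre-empts at 110 vs 100) with a late one (the backup, now at 120 after the tracking bonus, keeps the role, so the APs are not moved a second time).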
Associate master VRRP ID with the master WFS709TP redundancy
Section 10: Troubleshooting
Maintenance
Maintenance – Reboot Switch
Maintenance – Clear config
Maintenance – Synchronize database
Maintenance – Boot Parameter
File – Copy File
File – Copy Crash Files
File – Copy Log
Lab Exercise
Known issues
» 1. Cannot manage the wireless controller using IE7 on Vista.
» 2. In some GUI pages, the table width can be wider than the
window when using a resolution lower than 1260x1048.
WFS709TP access
» http://71.140.56.164:8888
» User name: admin
» Password: Netgearwfs709tp
Q&A