                                Maximum Data Rate per  Throughput per  Number of Concurrent        Access Point Total
                                Single Client (Mbps)   Client (Mbps)   Wireless Client Channels    Capacity (Mbps)
802.11b                         11                     6               3                           18
802.11g (with 802.11b clients)  54                     8               3                           24
802.11g                         54                     22              3                           66
802.11a                         54                     25              12                          300
802.11a                         54                     25              24                          600
Figure 2-12 shows the various WLAN radio speeds, technology, and timeframes.
Figure 2-12 Wireless LAN Radio Speeds and Technology
Wireless LAN Security
As with any IT infrastructure, security must be properly planned and deployed to keep wireless traffic secure. While security might be a discretionary feature for wired LANs, it is often mandatory for wireless LANs. That is because it is much easier and covert to “sniff the air” for wireless data packets than it is to tap a specific wire within a wired LAN environment. Wireless data can often be detected and copied beyond an organization’s facilities and physical security measures. Proper security designs and a defense in-depth approach are important considerations for wireless LANs. Some of the wireless LAN security techniques include the following:
• Wired Equivalent Privacy (WEP)
• Lightweight Extensible Authentication Protocol (LEAP)
• 802.1x
• Extensible Authentication Protocol (EAP)
• Protected Extensible Authentication Protocol (PEAP)
• IP Security (IPSec)
[Figure 2-12 content: network technology plotted against year ratified, 1999 to 2003. 802.11b, 2.4 GHz DSSS, up to 11 Mbps; 802.11a, 5 GHz OFDM, up to 54 Mbps; 802.11g, 2.4 GHz OFDM/DSSS, up to 54 Mbps; proprietary radios; IEEE 802.11a/b ratified 1999.]
The 1999 IEEE 802.11 wireless LAN standards include a low-level security feature called Wired Equivalent Privacy (WEP). WEP was never intended to support a highly secure, impenetrable encryption for the wireless air link. WEP uses a 128-bit RC4 encryption algorithm, but that alone is not sufficient to ensure air link security. With WEP, the encryption algorithm could be broken with a determined intercept of a significant number of encrypted packets: the more packets an interceptor collects, the faster key-recovery software can derive the WEP key. WEP is essentially a fixed security key that is employed for all users of an access point on each and every session throughout the day. Reconfiguring the WEP key is administratively prohibitive for both the WLAN access point and all the wireless clients. Stronger encryption measures, authentication options, and manageability are required.
Cisco introduced a proprietary version of wireless encryption technology called Lightweight Extensible Authentication Protocol (LEAP). LEAP makes use of the same WEP-based, 128-bit RC4 cipher mechanism; however, LEAP enhances WEP security in a couple of different ways. First, LEAP automatically and randomly changes the WEP key per user as well as per session. As a result, it is difficult to intercept a significant number of packets containing the same encrypted key, increasing the difficulty in cracking the cipher. Even if a per-user, per-session WEP key were determined, the key would change during the next user session.
Second, LEAP adds usage of the Remote Authentication Dial-In User Service (RADIUS), requiring wireless users to authenticate via the username and password factors stored in the database. Wireless clients that fail authentication cannot complete wireless session setup and are, therefore, dropped from wireless access. In addition, a RADIUS timeout feature can be used to automatically send an in-session wireless client a new WEP key at periodic intervals, enhancing security for users who stay online wirelessly for long durations. These capabilities of LEAP help to strengthen wireless air link encryption. Both WEP and LEAP are considered Layer 2 security.
In 2001, the IEEE introduced the 802.1x standard for stronger wireless security. 802.1x added port-based access control and the use of the Extensible Authentication Protocol (EAP) for authentication between wireless users and an authentication server such as a RADIUS server. The standard also provides a method for WEP key or other key distribution and management that can include per-session keying for increased security. The 802.1x standard applies equally to wired Ethernet LANs.
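The properties described in the preceding paragraphs (the controlled port stays blocked until the authentication server accepts the user, keys are issued per user and per session, and a RADIUS timeout pushes a fresh key to a long-lived session) can be made concrete with a small model. The following Python is an added example, not code from the book or from Cisco: the class names, the HMAC-based key derivation, the user database, the client MAC addresses and the 600-second timeout are all constructed for illustration, and it does not implement the LEAP or EAP wire protocol or any RC4/WEP framing.

```python
"""Constructed model of 802.1x-style port-based access control with a
RADIUS-style server, per-user/per-session keys and timeout-driven rekey.
Added example; not the LEAP/EAP wire protocol and not the book's code."""
import hashlib
import hmac
import secrets


class RadiusServer:
    """Authentication server: holds the user database and derives keys.

    The key derivation (HMAC over username, session id and rekey epoch) is
    a constructed stand-in for the vendor-specific derivation LEAP uses.
    """

    def __init__(self, users, session_timeout):
        self.users = users                      # username -> password (constructed)
        self.session_timeout = session_timeout  # seconds before a rekey is pushed
        self.secret = secrets.token_bytes(32)   # server-only key-derivation secret

    def authenticate(self, username, password):
        """Return a session grant (Access-Accept) or None (Access-Reject)."""
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        session_id = secrets.token_hex(8)       # fresh per session, so keys differ per session
        return {
            "session_id": session_id,
            "key": self.session_key(username, session_id, epoch=0),
            "timeout": self.session_timeout,
        }

    def session_key(self, username, session_id, epoch):
        """Derive a 128-bit key bound to user, session and rekey epoch."""
        msg = f"{username}|{session_id}|{epoch}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]


class AccessPoint:
    """Authenticator: keeps the controlled port blocked until RADIUS accepts."""

    def __init__(self, radius):
        self.radius = radius
        self.sessions = {}   # client MAC -> session state for open ports

    def connect(self, mac, username, password):
        """Relay the client's credentials to RADIUS; open the port only on accept."""
        grant = self.radius.authenticate(username, password)
        if grant is None:
            self.sessions.pop(mac, None)   # failed auth: port stays (or becomes) blocked
            return False
        self.sessions[mac] = {
            "user": username,
            "session_id": grant["session_id"],
            "key": grant["key"],
            "epoch": 0,
            "elapsed": 0,
        }
        return True

    def port_open(self, mac):
        return mac in self.sessions

    def current_key(self, mac):
        return self.sessions[mac]["key"]

    def tick(self, mac, seconds):
        """Advance the session clock; each expired timeout pushes a new key."""
        s = self.sessions[mac]
        s["elapsed"] += seconds
        while s["elapsed"] >= self.radius.session_timeout:
            s["elapsed"] -= self.radius.session_timeout
            s["epoch"] += 1
            s["key"] = self.radius.session_key(s["user"], s["session_id"], s["epoch"])
        return s["key"]


def demo():
    """Walk through reject, accept, per-user keys, per-session keys and rekey."""
    radius = RadiusServer({"alice": "pw-alice", "bob": "pw-bob"}, session_timeout=600)
    ap = AccessPoint(radius)
    alice, bob = "00:11:22:33:44:55", "00:11:22:33:44:66"   # constructed client MACs
    rejected = not ap.connect(alice, "alice", "wrong-password") and not ap.port_open(alice)
    ap.connect(alice, "alice", "pw-alice")
    ap.connect(bob, "bob", "pw-bob")
    alice_key = ap.current_key(alice)
    per_user = alice_key != ap.current_key(bob)          # same AP, different users
    rekeyed = ap.tick(alice, 601) != alice_key            # RADIUS timeout pushed a new key
    ap.connect(alice, "alice", "pw-alice")                # new session for the same user
    per_session = ap.current_key(alice) != alice_key
    return {"rejected": rejected, "per_user": per_user,
            "rekeyed": rekeyed, "per_session": per_session}


if __name__ == "__main__":
    print(demo())
```

Running the module prints a dictionary in which all four properties are True. The point of the model is the contrast with static WEP: a key recovered from one client's traffic here is useless against other users, against the same user's next session, and against the same session after the timeout has elapsed.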
You might also encounter Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), defined by RFC 2716, which is often used in certificate-based security environments. EAP-TLS is an extension of the PPP authentication method used for PPP connections. Another protocol, Protected EAP (PEAP), was developed by Microsoft, RSA Security, and Cisco Systems, Inc. PEAP adds encryption and integrity protection to the initial negotiation and authentication requests of the EAP protocol. Tunneled Transport Layer Security (TTLS) is yet another wireless protocol that seeks to ease certificate management. For a defense-in-depth approach, you can add Layer 3 security to wireless clients, such as an IPSec VPN client. IPSec is a proven, highly secure encryption method for VPNs, and the use of IPSec VPNs at Layer 3 over WEP-encrypted Layer 2 wireless sessions is considered secure. Using an IPSec VPN provides security beyond the WLAN access point all the way across any wireline backhaul networks, or even the Internet, to the employee’s home organization. Designs can also include tokens, intrusion detection systems, and firewalls, which are technologies used to enhance security for nonwireless computing clients. Figure 2-13 shows an example of wireless LAN security using several of the mentioned techniques.
Figure 2-13 A Highly Secure Wireless Network
Source: Cisco Systems, Inc.
Significant gains in wireless security have occurred in recent years, including the delivery of a new industry standard encryption algorithm called the Advanced Encryption Standard (AES). AES works within IPsec. Along with IPsec and VPN technology, several effective security techniques are available to extend the privacy of corporate data and voice networks into the wireless space.
Chapter 9 contains more detail about 802.11 WLAN technology.
Public Wireless LANs
Personal computer laptops are responsible for carrying 802.11b wireless LAN technology out of the enterprise and into the public domain. Mass production of 802.11b standard chipsets improved the affordability of the technology for mass consumer acceptance, becoming an integrated standard feature in business and consumer-level laptops. Public WLANs and home-based WLANs are the result of that acceptance.
[Figure 2-13 components: MAC- and/or user-authenticated clients; access point with WEP, LEAP, and 802.1x; RADIUS server; VPN with IPSec; firewall; corporate network.]
During the rapid growth of consumer demand for Internet access, numerous service providers emerged with public WLANs (PWLANs). Known as wireless Internet service providers (ISPs), their business approach is to provide wireless Internet access at public locations by taking advantage of the unlicensed 2.4 GHz wireless spectrum of 802.11b and 802.11g wireless LANs.
PWLAN services have become very popular because they offer high-bandwidth Internet access at select locations where users gather for short-term periods. These are generally public access areas including cafés and coffee shops, hotels, airports, and convention halls, to name just a few. Extensions of PWLAN technology to in-flight airplanes and trains are also increasing. Both the industry and the media generally refer to public WLAN areas as hotspots.
The PWLAN market is still in its early stages of development. PWLAN deployment currently leads in Europe, followed by Asia Pacific and then North America, although North America has the largest density of WLAN-enabled laptops at present. Many service providers and operators are making plans for PWLAN services. They are at different stages: some are deploying wireless service, some are conducting trials, and others are still monitoring the market—waiting either for the technology to mature or for a revenue forecast to trigger deployment. Cities and municipalities are also examining and deploying PWLANs as a way to improve productivity, first for downtown-area workers and then for constituents. PWLANs are likely to be a mixture of “for free” and “for fee” access. The desire to combine a WLAN hotspot fee contract with a mobility contract is still very much in flux.
PWLANs, like WLANs, are generally classified as portability technology, distinguished from mobility technology. PWLANs tend to bridge the gap between fixed networking services, such as an Ethernet wall jack at work, and mobility networking services, such as cellular broadband data using CDMA or Global System for Mobile Communications (GSM) data features. PWLANs at 11 Mbps and 54 Mbps also fill in the speed gap between fixed networking (100 Mbps to 1 Gbps) and mobility networking (80 Kbps to 2.4 Mbps). PWLANs must also deal with concerns of user segmentation, security, user roaming between PWLAN networks, billing, and competition from many traditional public networking service offerings. PWLANs are being deployed across all segments of service providers. Some are seizing market opportunity through service differentiation, some are complementing existing wireless services for bundling opportunities and coverage expansion, and others are deploying in response to competitive positioning.
Many other technologies such as WiMAX, wireless mesh, and mobility data all have the potential to complement or corner the market for profitable PWLANs. WiMAX seeks to deliver higher bandwidth (up to 70 Mbps shared throughput) and at a greater range (up to 31 miles) than Wi-Fi 802.11 technology. Wireless mesh is a relatively new twist on WLAN technology, using additional dedicated wireless channels between access points (wireless backhaul) rather than using a wired uplink back to a nearby Ethernet switch. Mobile cellular phones are increasing their data speeds and approaching broadband rates.
According to an IDC forecast, worldwide PWLAN hotspots are reaching 136,000 installations in 2005 and are forecasted to approach 250,000 in 2008.[3] Based on such rapid growth, coverage is filling in quickly. Near the end of this decade, the ability to seamlessly roam wirelessly across WLANs will make mobility networks and PWLANs a reality in major metropolitan coverage areas.
Cisco has assembled a PWLAN solution using carrier-class platforms, and many deployments are already in service worldwide. Figure 2-14 shows a diagram of the Cisco PWLAN architecture.
Figure 2-14 Cisco PWLAN Architecture Overview
Source: Cisco Systems, Inc.
[Figure 2-14 elements: Wi-Fi zones with Cisco access points; Cisco access zone routers (AZR); backhaul network; SSG; Cisco ITP; VPN to the corporate network; Cisco CNS Access Registrar; Cisco ITP MAP gateway; Cisco SESM; Cisco Packet Gateway; 7600 + CSG; billing/prepaid partner; Internet; HLR/AuC on the SS7 network with 802.1x/EAP-SIM authentication; GPRS/CDMA; public and private WLAN services; location/provider branding; managed guest access; mobile data integration; premium services; public WLAN operator.]
The components and features of the Cisco PWLAN architecture include the following:
• Access points—The Cisco PWLAN solution uses Cisco 1100, 1200, and 1300 Series access points.
• Access Zone Router (AZR)—Originally based on the Cisco 1700 platform, with solution features now available for Cisco 2600 and Cisco 3700 platforms, the AZR provides connectivity, client address management, security services, and routing across a WAN from each access point to an operator’s point of presence (POP) or data center.
• Access control and service enablement—Access control is based on the Cisco IOS Service Selection Gateway (SSG) technology that is now available across a broad range of platforms, including the Cisco 2651XM Router, Cisco 2691 Router, Cisco 3725 Router, Cisco 3745 Router, Cisco 7200 Series, and Cisco 7301 Router. Together with the Cisco CNS Subscriber Edge Services Manager (SESM), the Cisco SSG provides subscriber authentication, service selection, service connection, and accounting capabilities to subscribers of Internet and intranet services.
• Captive portal and branding server—The Cisco CNS SESM works with the Cisco SSG to provide complete control over the subscriber experience, supporting customization and personalization based on device, client, location, service, and other criteria to offer higher value to end users and maximize service and advertising revenue.
• Access Policy Server—The Cisco CNS Access Registrar is a RADIUS-compliant access policy server used to support web and 802.1x/EAP user authentication. When used in conjunction with the Cisco IP Transfer Point (ITP) Manufacturing Automation Protocol (MAP) gateway, Cisco CNS Access Registrar performs home location register (HLR) proxy services in support of EAP-subscriber identity module (SIM) authentication for mobile operator networks. Cisco CNS Access Registrar provides carrier-class performance and scalability, as well as the extensibility required for integration with evolving service management systems.
• Mobile operator Signaling System 7 (SS7) interconnect—The Cisco ITP is a product for transporting SS7 traffic over IP (SS7oIP) networks. When deployed in a mobile operator’s PWLAN network, the Cisco ITP acts as a gateway by taking SIM authentication credentials from 802.1x/EAP-SIM and formatting them into standard SS7 MAP messages for routing to the operator’s HLR/AuC (Authentication Center).
• Network management—Cisco provides a feature-rich element management system combined with a scalable service management layer for robust fault, configuration, and performance capabilities of the PWLAN solution. This includes the CiscoWorks Wireless LAN Solution Engine (WLSE), CiscoWorks LAN Management Solution (LMS), Cisco Distributed Administration Tool (DAT), Cisco Signaling Gateway Manager (SGM), Cisco Information Center (Cisco Info Center), Cisco Networking Services Configuration Engine, and Cisco CNS Performance Engine (CNS-PE).[4]