Wireless is a pretty nice technology: set it up and go. Plus it beats wired devices hands down. A wired device has great speed and bandwidth, but there has to be an Ethernet run for each computer that needs to be connected. With new wireless standards, the speed and bandwidth are now starting to rival those of wired devices.
From a user's point of view, wireless means you're able to move around unconfined by wires. But from an administrator's point of view, wireless means another device that needs to be set up. Setting up a wireless device is a small, relatively easy process, but when you are setting up a couple thousand devices it becomes time consuming. When you have that many devices it also becomes hard to distinguish who is a legitimate user and who is not.
Enterprise Management
There are a couple of ways to make sure everyone attaching to the network is an authorized user. The easiest is MAC authentication, but it is also the most time consuming. It works by the network engineer recording the MAC address of every device in the wireless system. Only the devices that are entered into the system will be able to attach. If an authenticated user brings in another device, it will not work. This is an OK method, but if you have a lot of turnover it can be time consuming to keep it up to date.
Another method is a RADIUS server. A RADIUS server is much like the MAC address list mentioned earlier, except it contains a list of users that are allowed access. A RADIUS server is good because the list is built off another list, like LDAP or AD. LDAP and AD are a sort of database of all users that are able to log in to the network. Those user rights are just extended to the wireless devices. This keeps you from having to maintain multiple lists.
One nicety of having wireless authentication verified through AD is that all wireless profiles (setup) can be pushed out with a group policy, meaning you never have to touch a computer to set up the wireless configuration. At least with a Microsoft Windows box.
Wednesday, March 30, 2011
Sunday, March 27, 2011
Wireless Security
Wireless networks provide many benefits to network users, such as mobility, a decreased workload on the engineer from pulling cables through ceilings, and an increasing diversity of devices. But wireless networks have some serious security holes that increase the risk of deploying WiFi in your school or enterprise.
Any time you use any WiFi network you are using a family of 802.11 standard protocols that make wireless possible.
Authentication
802.11 networks use two authentication methods: open-system authentication and shared-key authentication. In both schemes, each mobile client must authenticate to the access point. Open-system authentication might better be called "no authentication", because no actual authentication takes place: the wireless client says "please authenticate me, I need access", and the AP does so and asks no questions.
The shared-key authentication method is much like open-system authentication: the wireless client requests access to the wireless network and the AP says "OK, but what is the password?" The client must then return the correct password in order to connect to the network.
Other issues arise for WiFi that create major security concerns:
1. The wireless client doesn't have any way to challenge the validity of the identity of the AP it is attaching to, so an attacker can easily set up a rogue AP that unaware clients connect to.
2. The AP has no way to tell whether the wireless client is authorized to be on the network or not. If you have the password, no matter how you got it, you can jump right into the network, whether you're supposed to be there or not.
3. A major problem that I had is the AP authenticates only the wireless client and not the user of the station. Any computer that has a legal right to be attached to the network has full access, but the user may not be very honest.
So to keep yourself a little safe, use at least WEP (Wired Equivalent Privacy); the password is passed in clear text, but it is better than nothing. It will keep novice users from accessing your network. For more robust authentication you can use WPA; the data is encrypted and a little harder to break.
Speaking of encryption....
Encryption
A wireless access point is much like a radio station and the radio in your car: no matter where you are, you are able to hear the same broadcast as everyone else. Now what if you had sensitive information that was being broadcast out and you didn't want unauthorized users to get it? The best way would be to jumble up the information so that only the correct receiver knows how to unjumble it and get the information.
Encryption in a wireless network does just what you think it would: all data is scrambled and encoded with the same key that allows you to attach to the network.
Wednesday, March 16, 2011
Wireless Network Management Devices
It can take a lot of access points to give blanket coverage for a building, because just when you think that you have all the spots covered, someone will find a spot in the building that doesn't have access. I think sometimes people just go around looking for a dead zone.
In one of my schools there are 37 access points; it would be a full-time job to configure all those access points to work correctly. Like I have stated in previous blogs, you have to survey the building for wall density, calculate for a common receiving area, and plan placement for adjacent access points.
Building Structure
When you are in the process of finding a place to put the access point, you need to look at a couple of things. 1) Remember an access point emits radio waves, and radio waves travel in a clear line of sight. 2) Don't put the access point too close to a wall; you need a good, centered wave pattern. 3) Radio waves will go through walls, but you lose speed and bandwidth throughput. Don't try to broadcast through concrete; it may go through, but you won't be happy with the results. Always spring for another access point.
AP Placement
When you are mounting your APs you need to keep a couple of things in mind. 1) You need to adjust the channels on the APs so they don't conflict with each other. When you have adjacent APs on the same channel they are going to butt heads; see my previous blog for an example. 2) If you have the APs too close together, the client workstation will jump back and forth between the APs. This toggling of wireless connectivity will cause problems for the client, so one AP's broadcast power needs to be reduced.
Now couple all that with other features that can be provided by stand-alone access points, like multiple SSIDs and RADIUS accounting and authentication, and you can see why you need a device to manage all your access points. So stay tuned for an introduction to the Wireless LAN Controller (WLC).
Wednesday, March 2, 2011
Wireless Access Points
When we first started the iLearn project, we didn't allow the iPods to connect to the wireless network in the schools. Instead, single access points were installed in the classrooms where the iPods were to be used. We did this for a couple of reasons: 1) we had not perfected the wireless security for the iPods, 2) we didn't realize how the iPods would be used, and 3) the terms of the iLearn grant stipulate that there be unlimited access for the students. The third item is what caused the most problems: the networks in the schools are protected by a content filter, and to allow access for the iPods would require that access be given to all users attached to the network. When you use a single access point you have to do a little bit of research to keep from conflicting with other APs in the area. Here are a couple of rules for installing APs:
1) Check the signal strength and channel of adjacent APs. If you are going to install a new AP you need to make sure you are an ample distance away from the other APs. If you are too close to the other APs and also happen to talk on the same channel, the signal will be diminished or there could be areas where there is no signal.
Let me elaborate on this a little: a wireless signal operates at a radio frequency, and the WiFi signal is a relatively weak signal. Its signal strength follows the same laws as all wireless devices: 1) the farther away from the source, the weaker your signal will become; 2) objects that interfere with the signal also decrease the signal strength (walls, doors, and Low-E glass will limit radio waves); 3) radio waves propagate out in a circular fashion; they don't bend around corners.
The channel of the AP: since an AP uses radio frequency to broadcast data, different APs have to be on different channels to keep from butting heads. The picture to the left shows the loss in signal if a channel conflict is created. Notice the breaks in the rings; for good signal the rings would be complete and not broken, much like the rings in a tree.
Here is an example of what it looks like when two APs are too close together and talking on the same channel.
2) Different SSIDs. The SSID is the name of the AP that gets broadcast. If the AP is going to be a continuation of an existing wireless network, which would allow roaming, then it is best to keep the same SSID name. This way, no matter where you are in the school, the same wireless network would be available. But on the other hand, if you are just going to have a hotspot, which is a dedicated wireless area that usually has one use, in this case connecting iPods to the internet.
After we figured out the wireless security of the iPod and realized that all the teachers would be using the devices in the school, we allowed the iPods to attach to the wireless network in the school, which also allowed roaming.
Tuesday, March 1, 2011
Network Segmentation
Background knowledge:
1. Ethernet is an electronic signaling method related to the physical cabling of a network. Ethernet communication allows only one device to talk at a time, so out of 253 devices only one can talk; if two try to talk at once it is considered a network collision. Ethernet can have multiple architectures; the most common is a hybrid between hub-and-spoke and star.
2. An access point (AP) is a device that allows wireless devices to connect to the network. Access points are usually connected via Ethernet to a switch. Access points broadcast on certain frequencies in the 2.4 GHz range; small variations allow for channels.
3. An IP address is much like a phone number for any network device.
In our schools the networks are divided into class C ranges. A class C network can support 253 network devices. This sounds like a lot of devices, but after you figure in everybody's laptop, desktop, smartboard computer, printer, and student workstations, these devices add up. Now, all these devices are scattered all over a school and all are just waiting to talk, which shows the reason to have a traffic-handling device with some intelligence. The traffic-handling device that connects a computer to the network is a switch. A switch has some intelligence in that it keeps a log of everyone that has talked on the network and tries to keep traffic down by linking the talker to the listener instead of pushing it out to every device on the network (a broadcast). But what if you have more than 253 devices, say 400 devices? Then you have to create another network and logically divide the school into two separate pieces. This is why you probably should create a network just for your wireless traffic, something totally separate from the network that desktop computers talk on.
If you connect to an AP with a handheld or mobile device you are competing on the same network.
Example 1:
If you have two APs, each on a different end of the school, after you have joined the network you are given an IP address. While you stay in the location of the AP you can get to the network or internet, but a mobile device is likely to move. If a student goes to the other end of the school, the mobile device won't work, because it was joined to the AP on the other network. For the device to work it will have to renew the IP address that it was previously issued. This is called "roaming". This is a reason to have a network just for wireless devices and have it the same throughout the school. If all APs are on the same network, then the student will not have to renew the IP address on the mobile device. RECOMMENDED.
Example 2:
If you have a limited number of wireless mobile devices, then there is no reason that they could not be on the same network as your desktop computers. This makes it easier to communicate with other devices since they are on the same network. But just remember this way provides little room for growth, and since all devices are on the same network they are all competing to talk and share the bandwidth.
NOT RECOMMENDED
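The sizing decision behind both examples (253 devices per class C, 400 devices needing another network, a separate network for wireless) can be worked out rather than guessed. The script below is an added example, not the blog's code; it generalises the post's class C rule to any prefix length using Python's standard ipaddress module, and the segment counts and the 10.20.0.0/16 block are constructed sample values.

```python
"""Size one subnet per network segment from its device count.

Added example, not the blog's code. The post sizes networks in class C ranges,
253 usable devices each (256 addresses less network, broadcast and gateway).
This generalises that rule: pick the smallest subnet whose usable addresses
cover a segment's device count, then carve the segments out of one private
block. Segment counts and the 10.20.0.0/16 block are constructed sample values.
"""
import ipaddress

RESERVED = 3   # network, broadcast and gateway addresses, as in the post's 253


def prefix_for_hosts(hosts, reserved=RESERVED):
    """Smallest IPv4 prefix length with at least hosts + reserved addresses."""
    needed = hosts + reserved
    host_bits = max(2, (needed - 1).bit_length())   # ceil(log2(needed)), min /30
    return 32 - host_bits


def usable_hosts(network, reserved=RESERVED):
    """Device capacity of a subnet under the post's counting rule."""
    return network.num_addresses - reserved


def carve(pool, prefix):
    """Take a /prefix subnet from the list of free chunks: split the smallest
    chunk that fits and return the unused halves to the pool."""
    pool.sort(key=lambda n: -n.prefixlen)          # smallest chunks first
    for i, chunk in enumerate(pool):
        if chunk.prefixlen <= prefix:
            del pool[i]
            while chunk.prefixlen < prefix:
                chunk, spare = chunk.subnets(prefixlen_diff=1)
                pool.append(spare)
            return chunk
    raise ValueError(f"no free chunk large enough for a /{prefix}")


def plan_segments(block, demand):
    """demand: {segment name: device count including growth}.
    Returns {segment name: IPv4Network}. Largest segments are allocated first
    so every subnet lands on its natural boundary."""
    pool = [ipaddress.ip_network(block)]
    plan = {}
    for name, count in sorted(demand.items(), key=lambda kv: -kv[1]):
        plan[name] = carve(pool, prefix_for_hosts(count))
    return plan


# Constructed demand for one school. Wireless gets its own, larger segment so
# mobile devices roam without renewing an address and do not compete with desktops.
SCHOOL_DEMAND = {"wireless": 700, "wired": 400, "printers": 30, "management": 10}

if __name__ == "__main__":
    for name, net in plan_segments("10.20.0.0/16", SCHOOL_DEMAND).items():
        print(f"{name:<11} {net}  ({usable_hosts(net)} usable)")
```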
NAT/PAT
Not related to the network topology or implementation, but important nonetheless. Many networks, like Radford City, operate on private numbers. The difference between private and public numbers is that private numbers are non-routable, which means they can't go out onto the internet, and public numbers can. So why not use public numbers? Well, public numbers cost money and private numbers are free. So we are using private numbers, but they are not routable; this is where NAT comes in. NAT (Network Address Translation) is the process of modifying IP address information in IP packets while in transit across a traffic-routing device for the purpose of mapping one IP address into another. Basically this means the translation changes the IP address from a non-routable number to a number that is routable. This way you can purchase fewer numbers and use what you have more efficiently. PAT is much the same idea as NAT, but it involves ports on the IP address. With PAT it is possible to have thousands of computers using the same IP address; each network computer is just assigned a port number.
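The PAT mapping described above, as an added example that is not part of the original post: a small translation table that rewrites outbound packets from private addresses to one public address and port, and rewrites replies back. All addresses are constructed sample values from the RFC 1918 and documentation ranges.

```python
"""Port address translation (PAT) table.

Added example, not the blog's code. It does what the post describes the NAT/PAT
device doing: an outbound packet from a private (RFC 1918) address is rewritten
to the one public address with a port taken from a pool, the mapping is
remembered, and the reply that comes back to that public port is rewritten to
the original private host and port. Two private hosts using the same source
port still get distinct public ports, which is how thousands of computers can
share one number. All addresses below are constructed sample values.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True for the non-routable 'private numbers' the post talks about."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class PatTable:
    def __init__(self, public_ip, first_port=40000, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # public port -> that same flow key

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the private network.
        Returns (new_src_ip, new_src_port, dst_ip, dst_port)."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is routable already; nothing to translate")
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.outbound:                  # first packet: allocate a port
            if self.next_port > self.last_port:
                raise RuntimeError("public port pool exhausted")
            self.outbound[flow] = self.next_port
            self.inbound[self.next_port] = flow
            self.next_port += 1
        return (self.public_ip, self.outbound[flow], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_port):
        """Rewrite a reply arriving at public_ip:dst_port back to the private host.
        Returns (src_ip, src_port, private_ip, private_port), or None to drop the
        packet when no outbound flow created the mapping or the sender is not the
        peer the private host talked to. That drop is why unsolicited traffic
        from the internet cannot reach a private host through PAT."""
        flow = self.inbound.get(dst_port)
        if flow is None:
            return None
        private_ip, private_port, peer_ip, peer_port = flow
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None
        return (src_ip, src_port, private_ip, private_port)


if __name__ == "__main__":
    pat = PatTable("203.0.113.5")                      # constructed public address
    print(pat.translate_outbound("192.168.1.10", 51000, "198.51.100.20", 80))
    print(pat.translate_outbound("192.168.1.11", 51000, "198.51.100.20", 80))
    print(pat.translate_inbound("198.51.100.20", 80, 40001))
    print(pat.translate_inbound("198.51.100.20", 80, 40002))   # no mapping: dropped
```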
Bandwidth Competition
I talked a little bit about this in Example 2. As stated before, Ethernet is a shared medium; everyone has to wait until it is their turn to talk. The time a device has to wait depends on the network bandwidth and the amount the device has to transmit. When I mention network bandwidth, I mean the amount of throughput a network has. A typical method of measuring throughput is to transfer a 'large' file and measure the time taken to do so. The throughput is then calculated by dividing the file size by the time, giving the throughput in megabits per second. The more devices you have on a network, the more the throughput is shared.