Sunday, 27 April 2014

Configuring Our Wireless Internetwork

Configuring through the SDM is definitely the easiest way to go for wireless configurations, that is, if you’re using any type of security. And of course you should be! Basically, all you need to do to bring up an access point is to just turn it on. But if you do have a wireless card in your router.

Here’s a screen shot of my R2 router showing that I can configure the wireless card I have installed in slot 3.
There really isn’t too much you can do from within SDM itself, but if I were to click on the Edit Interface/Connection tab and then click Summary, I could enable and disable the interface, as well as click the Edit button, which would allow me to add NAT, access lists, and so on to the interface.

From either the Create Connection screen shown in the first screen shot of this section, or from the screen that appears when you click the Edit button of the second screen shot, you can click Launch Wireless Application. This opens a new HTTP screen, called Express Set-up, from which your wireless device is configured.
This is the same screen you would see if you just HTTP into an access point—one like our 1242AP. The SDM will be used with wireless interfaces for monitoring, to provide statistics, and for gaining access into the wireless configuration mode on a router that has wireless interfaces. This is so we don’t have to use the CLI for the hard configurations.

Again, you can only configure some basic information from here. But from the next screen, Wireless Express Security, we can configure the wireless AP in either bridging mode or routing mode—a really cool feature!
The next screen shows the wireless interfaces and the basic settings.
The following screen shot is the second part of the Wireless Interfaces screen.
Under the Wireless Security heading is really where HTTP management shines! You can configure encryption, add SSIDs, and configure your RADIUS server settings.
Now, if we just HTTP in to the 1242AG AP, we’ll see this screen.

This looks amazingly like the APs we’ll find in our ISR routers, and we can configure the same devices and security too.

Cisco Unified Wireless Network Security

The Cisco Unified Wireless Network delivers many innovative Cisco enhancements and supports Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2), which provide per-user, per-session access control via mutual authentication, and data privacy through strong dynamic encryption. Quality of service (QoS) and mobility are integrated into this solution to enable a rich set of enterprise applications.

The Cisco Unified Wireless Network provides the following:

Secure Connectivity for WLANs Strong dynamic encryption keys that automatically change on a configurable basis to protect the privacy of transmitted data.

1. WPA-TKIP includes encryption enhancements like MIC, per-packet keys via initialization vector hashing, and broadcast key rotation.

2. WPA2-AES is the “gold standard” for data encryption.

Trust and Identity for WLANs A robust WLAN access control that helps to ensure that legitimate clients associate only with trusted access points rather than rogue or unauthorized access points. It’s provided per user, per session via mutual authentication using IEEE 802.1X, a variety of Extensible Authentication Protocol (EAP) types, Remote Authentication Dial-In User Service (RADIUS), and an Authentication, Authorization, and Accounting (AAA) server. It supports the following:

1. The broadest range of 802.1X authentication types, client devices, and client operating systems on the market

2. RADIUS accounting records for all authentication attempts

Threat Defense for WLANs Detection of unauthorized access, network attacks, and rogue access points via an Intrusion Prevention System (IPS), WLAN NAC, and advanced location services. Cisco’s IPS allows IT managers to continually scan the RF environment, detect rogue access points and unauthorized events, simultaneously track thousands of devices, and mitigate network attacks. NAC has been specifically designed to help ensure that all wired and wireless endpoint devices like PCs, laptops, servers, and PDAs that are trying to access network resources are adequately protected from security threats. NAC allows organizations to analyze and control all devices coming into the network. Okay—let’s configure some wireless devices now!

WPA or WPA 2 Pre-Shared Key

Okay, now we’re getting somewhere. Although this is another form of basic security that’s really just an add-on to the specifications, WPA or WPA2 Pre-Shared Key (PSK) is a better form of wireless security than any other basic wireless security method mentioned so far. I did say basic.

The PSK verifies users via a password or identifying code (also called a passphrase) on both the client machine and the access point. A client only gains access to the network if its password matches the access point’s password. The PSK also provides keying material that TKIP or AES uses to generate an encryption key for each packet of transmitted data. While more secure than static WEP, PSK still has a lot in common with static WEP in that the PSK is stored on the client station and can be compromised if the client station is lost or stolen even though finding this key isn’t all that easy to do. It’s a definite recommendation to use a strong PSK passphrase that includes a mixture of letters, numbers, and nonalphanumeric characters.
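Here is what that keying step looks like in code, as an added example (my code, not from the page or from Cisco): WPA/WPA2-PSK turns the passphrase and the SSID into the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes), and a small policy check applies the passphrase advice above. The 20-character minimum and the sample passphrases are my assumptions; the "password"/"IEEE" pair mentioned in the comment is the published IEEE 802.11i test vector.

```python
import hashlib
import string


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key that WPA/WPA2-PSK builds from a
    passphrase: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The AP and every client compute the same value, so the passphrase is the
    one shared secret for the whole WLAN. (Known vector: "password" with SSID
    "IEEE" gives f42c6fc5...a12e.)"""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters")
    if any(ord(c) < 32 or ord(c) > 126 for c in passphrase):
        raise ValueError("a WPA passphrase is printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


PUNCTUATION = set(string.punctuation)


def passphrase_weaknesses(passphrase: str, min_len: int = 20) -> list:
    """Policy check following the text's advice (mix letters, digits and
    non-alphanumerics). The 20-character floor is an assumed local policy,
    not a value from the page."""
    issues = []
    if len(passphrase) < min_len:
        issues.append(f"shorter than {min_len} characters")
    if not any(c.isalpha() for c in passphrase):
        issues.append("no letters")
    if not any(c.isdigit() for c in passphrase):
        issues.append("no digits")
    if not any(c in PUNCTUATION for c in passphrase):
        issues.append("no non-alphanumeric characters")
    return issues


if __name__ == "__main__":
    # Constructed sample values for a local run.
    for candidate in ("password", "Rm-42:Trellis#quartz!9"):
        print(candidate, "->", passphrase_weaknesses(candidate) or "ok")
    print(pmk_from_passphrase("Rm-42:Trellis#quartz!9", "CorpWLAN").hex())
```

Because the PMK depends only on the passphrase and the SSID, whatever is stored on a lost or stolen client is equivalent to the key for every user of that SSID, which is why the text places PSK only a step above static WEP; the practical defence is a long passphrase and rotating it when a device goes missing.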

Wi-Fi Protected Access (WPA) is a standard developed in 2003 by the Wi-Fi Alliance, formerly known as WECA. WPA provides a standard for authentication and encryption of WLANs that’s intended to solve known security problems existing up to and including the year 2003. This takes into account the well-publicized AirSnort and man-in-the-middle WLAN attacks.

WPA is a step toward the IEEE 802.11i standard and uses many of the same components, with the exception of encryption—802.11i uses AES encryption. WPA’s mechanisms are designed to be implementable by current hardware vendors, meaning that users should be able to implement WPA on their systems with only a firmware/software modification.

Note: The IEEE 802.11i standard has been sanctioned by WPA and is termed WPA version 2.

SSIDs, WEP, and MAC Address Authentication

What the original designers of 802.11 did to create basic security was include the use of Service Set Identifiers (SSIDs), open or shared-key authentication, static Wired Equivalency Protocol (WEP), and optional Media Access Control (MAC) authentication. Sounds like a lot, but none of these really offer any type of serious security solution—the most they come close to being adequate for is a common home network. But we’ll go over them anyway…

SSID is a common network name for the devices in a WLAN system that create the wireless LAN. An SSID prevents access by any client device that doesn’t have the SSID. The thing is, by default, an access point broadcasts its SSID in its beacon many times a second. And even if SSID broadcasting is turned off, a bad guy can discover the SSID by monitoring the network and just waiting for a client response to the access point. Why? Because, believe it or not, that information, as regulated in the original 802.11 specifications, must be sent in the clear—how secure!
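The following added example (my code, not Cisco's or the page's) makes that point concrete and also serves the rogue access point detection mentioned under Threat Defense above: it builds a few constructed beacon frames, parses the SSID, the privacy capability bit and the RSN information element out of them, which is all a beacon gives away in the clear, and checks each against an assumed inventory of authorized BSSIDs. The BSSIDs, SSIDs and the inventory are made-up values.

```python
import struct

# Constructed authorized-AP inventory: the corporate SSID and the BSSIDs of
# the APs that are allowed to advertise it (assumed values, not from any site).
AUTHORIZED = {"CorpWLAN": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

CAP_PRIVACY = 0x0010  # capability-info bit 4: link-layer encryption in use
TAG_SSID = 0          # SSID information element
TAG_RSN = 48          # RSN information element (WPA2)
BEACON_FC = 0x80      # frame control byte: type=management, subtype=beacon


def mac_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid, ssid, privacy=True, rsn=True):
    """Build a minimal beacon frame (constructed sample input, not a capture)."""
    header = (bytes([BEACON_FC, 0x00]) + b"\x00\x00"                 # frame control, duration
              + b"\xff" * 6 + mac_bytes(bssid) + mac_bytes(bssid)    # DA (broadcast), SA, BSSID
              + b"\x00\x00")                                         # sequence control
    cap = CAP_PRIVACY if privacy else 0
    fixed = struct.pack("<QHH", 0, 100, cap)  # timestamp, beacon interval, capabilities
    ies = bytes([TAG_SSID, len(ssid)]) + ssid.encode("utf-8")
    if rsn:
        # RSN IE: version 1, group CCMP, one pairwise CCMP, one AKM (PSK), caps 0
        body = (struct.pack("<H", 1) + b"\x00\x0f\xac\x04"
                + struct.pack("<H", 1) + b"\x00\x0f\xac\x04"
                + struct.pack("<H", 1) + b"\x00\x0f\xac\x02"
                + struct.pack("<H", 0))
        ies += bytes([TAG_RSN, len(body)]) + body
    return header + fixed + ies


def parse_beacon(frame):
    """Pull BSSID, SSID, privacy bit and RSN presence out of a beacon.
    Returns None for anything that is not a well-formed beacon."""
    if len(frame) < 36 or frame[0] != BEACON_FC:
        return None
    bssid = mac_str(frame[16:22])
    _, _, cap = struct.unpack_from("<QHH", frame, 24)
    ssid, has_rsn, pos = None, False, 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated IE: stop rather than read past the frame
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", "replace")
        elif tag == TAG_RSN:
            has_rsn = True
        pos += 2 + length
    return {"bssid": bssid, "ssid": ssid,
            "privacy": bool(cap & CAP_PRIVACY), "rsn": has_rsn}


def classify(beacon, authorized=AUTHORIZED):
    """Label a parsed beacon the way a simple rogue-AP check would."""
    if beacon["ssid"] in authorized and beacon["bssid"] not in authorized[beacon["ssid"]]:
        return "rogue"        # our SSID advertised by an AP we do not own
    if not beacon["privacy"]:
        return "open"         # no link-layer encryption at all
    if beacon["ssid"] in authorized:
        return "authorized"
    if not beacon["rsn"]:
        return "pre-wpa2"     # WEP or WPA1 only: no RSN IE
    return "unknown"


def survey(frames, authorized=AUTHORIZED):
    """Classify every parseable frame; returns [(bssid, ssid, label), ...]."""
    out = []
    for frame in frames:
        beacon = parse_beacon(frame)
        if beacon is not None:
            out.append((beacon["bssid"], beacon["ssid"], classify(beacon, authorized)))
    return out


if __name__ == "__main__":
    sample = [
        build_beacon("00:11:22:33:44:01", "CorpWLAN"),
        build_beacon("de:ad:be:ef:00:01", "CorpWLAN"),   # constructed rogue clone
        build_beacon("00:aa:bb:cc:dd:ee", "CoffeeShop", privacy=False, rsn=False),
        build_beacon("00:aa:bb:cc:dd:ef", "OldPrinter", privacy=True, rsn=False),
    ]
    for row in survey(sample):
        print(row)
```

The classifier deliberately treats an open beacon as "open" even when the SSID is an authorized one, since an AP of ours that has lost its security settings is as much a finding as a rogue; a real WLAN controller or IPS does the same job with a full channel scan instead of a list of constructed frames.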

Two types of authentication were specified by the IEEE 802.11 committee: open and shared-key authentication. Open authentication involves little more than supplying the correct SSID—but it’s the most common method in use today. With shared-key authentication, the access point sends the client device a challenge-text packet that the client must then encrypt with the correct Wired Equivalency Protocol (WEP) key and return to the access point. Without the correct key, authentication will fail and the client won’t be allowed to associate with the access point. But shared-key authentication is still not considered secure because all an intruder has to do to get around this is detect both the clear-text challenge and the same challenge encrypted with a WEP key and then decipher the WEP key. Surprise—shared key isn’t used in today’s WLANs because of clear-text challenge.

With open authentication, even if a client can complete authentication and associate with an access point, the use of WEP prevents the client from sending and receiving data from the access point unless the client has the correct WEP key. A WEP key is composed of either 40 or 128 bits and, in its basic form, is usually statically defined by the network administrator on the access point and all clients that communicate with that access point. When static WEP keys are used, a network administrator must perform the time-consuming task of entering the same keys on every device in the WLAN. Obviously, we now have fixes for this because this would be administratively impossible in today’s huge corporate wireless networks!

Last, client MAC addresses can be statically typed into each access point, and any client that shows up with a MAC address that isn’t in the filter table is denied access. Sounds good, but of course all MAC layer information must be sent in the clear—anyone equipped with a free wireless sniffer can just read the client packets sent to the access point and spoof their MAC address.

WEP can actually work if administered correctly. But basic static WEP keys are no longer a viable option in today’s corporate networks without some of the proprietary fixes that run on top of it. So let’s talk about some of these now.

Open Access

All Wi-Fi Certified wireless LAN products are shipped in “open-access” mode, with their security features turned off. While open access or no security may be appropriate and acceptable for public hot spots such as coffee shops, college campuses, and maybe airports, it’s definitely not an option for an enterprise organization, and likely not even adequate for your private home network.

Security needs to be enabled on wireless devices during their installation in enterprise environments. It may come as quite a shock, but some companies actually don’t enable any WLAN security features. Obviously, the companies that do this are exposing their networks to tremendous risk!

The reason that the products are shipped with open access is so that any person who knows absolutely nothing about computers can just buy an access point, plug it into their cable or DSL modem, and voilà—they’re up and running. It’s marketing, plain and simple, and simplicity sells.

Wireless Security

By default, wireless security is nonexistent on access points and clients. The original 802.11 committee just didn’t imagine that wireless hosts would one day outnumber bounded media hosts, but that’s truly where we’re headed. Also, and unfortunately, just like with the IPv4 routed protocol, engineers and scientists didn’t add security standards that are robust enough to work in a corporate environment.

So we’re left with proprietary solution add-ons to aid us in our quest to create a secure wireless network. And no—I’m not just sitting here bashing the standards committees because the security problems we’re experiencing were also created by the U.S. government because of export issues with its own security standards. Our world is a complicated place, so it follows that our security solutions are going to be as well.

A good place to start is by discussing the standard basic security that was added into the original 802.11 standards and why those standards are way too flimsy and incomplete to enable us to create a secure wireless network relevant to today’s challenges.

MESH and LWAPP

As more vendors migrate to a mesh hierarchical design, and as larger networks are built using lightweight access points, we really need a standardized protocol that governs how lightweight access points communicate with WLAN systems. This is exactly the role filled by one of the Internet Engineering Task Force’s (IETF’s) latest draft specification, Lightweight Access Point Protocol (LWAPP).

With LWAPP, large multi-vendor wireless networks can be deployed with maximum capabilities and increased flexibility. Well…okay, this is mostly true. No one, and I do mean no one, has actually deployed a Cisco and Motorola network within the same company and is sitting back smugly saying, “Dude, this is really cool!” They’re saying something loud for sure, but it isn’t that! Cisco is Cisco and Motorola is well, not Cisco, and even though they supposedly run the same IETF protocols, they just don’t seem to see the standards exactly the same way. Basically, they don’t play well with each other.

So, let’s say we’re using only Cisco. (Hey, we already have an unlimited budget here, so why not put in all Cisco too, I mean, this is a “Cisco” book, right?)

Okay—so Cisco’s mesh networking infrastructure is decentralized and comparably inexpensive for all the nice things it provides because each node only needs to transmit as far as the next node. Nodes act as repeaters to transmit data from nearby nodes to peers that are too far away for a manageable cabled connection, resulting in a network that can span a really large distance, especially over rough or difficult terrain. Figure 1 shows a large meshed environment using Cisco 1520 APs to “umbrella” an area with wireless connectivity:

Plus, mesh networks also happen to be extremely reliable—since each node can potentially be connected to several other nodes, if one of them drops out of the network because of hardware failure or something, its neighbors simply find another route. So you get extra capacity and fault tolerance by simply adding more nodes.

FIGURE 1  Typical Large meshed outdoor environment

Mesh is a network topology in which devices are connected with many redundant connections between nodes.

Wireless mesh connections between AP nodes are formed with a radio, providing many possible paths from a single node to other nodes. Paths through the mesh network can change in response to traffic loads, radio conditions, or traffic prioritization.

Cisco LWAPP-enabled mesh access points are configured, monitored, and operated from and through any Cisco Wireless LAN Controller deployed in the Cisco Mesh Networking Solution—and they must go through a controller, which is why having redundant controllers is an absolute necessity.

Let’s define a couple terms used in mesh networks:

Root Access Points (RAPs) This access point is connected to the wired network and serves as the “root” or “gateway” to the wired network. RAPs have a wired connection back to a Cisco Wireless LAN Controller. They use the backhaul wireless interface to communicate with neighboring Mesh APs.

Mesh Access Points (MAPs) The Mesh APs are remote APs that are typically located on rooftops or towers and can connect up to 32 MAPs over a 5GHz backhaul. During bootup, an access point will try to become a RAP if it’s connected to the wired network. Conversely, if a RAP loses its wired network connection, it will attempt to become a MAP and will search for a RAP.

A typical mesh network would include the devices shown in Figure 2.

In Figure 2, you can see that there’s one RAP connected to the infrastructure, and the MAPs connect to each other as well as to the controller through the RAP.

But we’re not quite done with this yet—I want to explain one more mesh term before we get into wireless security: AWPP.

FIGURE 2 Typical devices found in a Cisco mesh network

AWPP

Each AP runs the Adaptive Wireless Path Protocol (AWPP)—a new protocol designed from the ground up by Cisco specifically for the wireless environment. This protocol allows RAPs to communicate with each other to determine the best path back to the wired network via the RAP. Once the optimal path is established, AWPP continues to run in the background to establish alternative routes back to the RAP just in case the topology changes or conditions cause the link strength to weaken.

This protocol takes into consideration things like interference and characteristics of the specific radio so that the mesh can be self-configuring and self-healing. AWPP actually has the ability to consider all relevant elements of the wireless environment so that the mesh network’s functionality isn’t disrupted and can provide consistent coverage.

This is pretty powerful considering how truly dynamic a wireless environment is. When there’s interference or if APs are added or removed, the Adaptive Wireless Path Protocol reconfigures the path back to the rooftop AP (RAP). Again, in response to the highly dynamic wireless environment, AWPP applies a “stickiness” factor when evaluating routes, which ensures that an event such as a large truck passing through the mesh and causing a temporary disruption doesn’t cause the mesh to change unnecessarily.
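As an added illustration of the path selection described in this section and of the mesh reliability paragraph earlier (my code, not Cisco's AWPP, whose metric and internals the page does not show): a small constructed mesh of MAPs behind one RAP, Dijkstra to find each MAP's cheapest path to the RAP, a re-route when a node drops out, and a stickiness threshold so that a small, temporary cost change does not flip routes. The link costs and the 25% threshold are assumptions.

```python
import heapq

# Constructed mesh: node -> {neighbour: link cost}. Lower is better; treat it
# as a rough "ease of link" figure standing in for the radio quality and hop
# count that the text says AWPP weighs. Links are symmetric here.
MESH = {
    "RAP":  {"MAP1": 1.0, "MAP2": 1.5},
    "MAP1": {"RAP": 1.0, "MAP3": 1.0},
    "MAP2": {"RAP": 1.5, "MAP3": 1.2, "MAP4": 1.0},
    "MAP3": {"MAP1": 1.0, "MAP2": 1.2, "MAP4": 1.0},
    "MAP4": {"MAP2": 1.0, "MAP3": 1.0},
}


def shortest_paths(mesh, root="RAP"):
    """Dijkstra from the RAP. Returns {node: (cost, path from node back to root)}."""
    dist, parent = {root: 0.0}, {root: None}
    heap = [(0.0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in mesh.get(u, {}).items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v], parent[v] = nd, u
                heapq.heappush(heap, (nd, v))
    result = {}
    for node in dist:
        path, cur = [], node
        while cur is not None:
            path.append(cur)
            cur = parent[cur]
        result[node] = (dist[node], path)
    return result


def path_cost(mesh, path):
    """Cost of an explicit path, or None if any hop no longer exists."""
    total = 0.0
    for a, b in zip(path, path[1:]):
        if b not in mesh.get(a, {}):
            return None
        total += mesh[a][b]
    return total


def select_path(mesh, node, current_path=None, stickiness=0.25, root="RAP"):
    """Path a MAP should use now: re-route when the current path is broken, or
    when the best candidate beats it by more than the stickiness fraction."""
    best_cost, best_path = shortest_paths(mesh, root)[node]
    if current_path is None:
        return best_path
    cur_cost = path_cost(mesh, current_path)
    if cur_cost is None:
        return best_path  # a link or node is gone: must re-route
    if best_cost < cur_cost * (1 - stickiness):
        return best_path  # clearly better: switch
    return current_path   # marginal difference: stay put, avoid flapping


def without_node(mesh, dead):
    """Copy of the mesh with a failed node removed from every adjacency."""
    return {n: {m: c for m, c in nb.items() if m != dead}
            for n, nb in mesh.items() if n != dead}


def with_link_cost(mesh, a, b, cost):
    """Copy of the mesh with one symmetric link re-costed (e.g. temporary interference)."""
    copy = {n: dict(nb) for n, nb in mesh.items()}
    copy[a][b] = cost
    copy[b][a] = cost
    return copy


if __name__ == "__main__":
    path = select_path(MESH, "MAP4")
    print("initial:", path)
    print("truck in the way:", select_path(with_link_cost(MESH, "MAP4", "MAP2", 1.6), "MAP4", path))
    print("MAP2 failed:", select_path(without_node(MESH, "MAP2"), "MAP4", path))
```

Run the module and MAP4 keeps its route through MAP2 when that link merely degrades a little, but moves to MAP3 and MAP1 the moment MAP2 disappears; the stickiness rule is what stops the first case from flip-flopping every time the link quality wobbles.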