Networks and IoT

Blog posts on general networking and IT infrastructure topics.

The need for QoS, configuration on Extreme Aerohive

Introduction


This blog post focuses on the configuration of QoS policies in Extreme Cloud IQ (Portal), using a real scenario that led an organisation to implement QoS. Before diving in, I cannot stress enough that a QoS solution will only be successful if it is implemented end to end: the QoS marking and policing achieves nothing if it is not honoured by the subsequent hops across the access, distribution and core layers.

The Need for QoS

The issues arise when packets do not get prioritised and are either dropped or queued. Network transmission quality is determined by latency, jitter and packet loss. With Wi-Fi being a shared, half-duplex medium, it becomes all the more necessary to mark and prioritise the relevant traffic on the network. One may have a 10 Gbps internet link or more, but the APs are often the bottleneck in the network. With the adoption of VoIP, Skype, Zoom and similar RTP/SIP applications, there is a need to make sure voice/video traffic gets priority over other traffic. Moreover, wireless networks and protocols are mostly designed for data services, so it is normally not possible to "just drop" rich media on top and expect positive results.

Extreme Cloud IQ configuration

Let's start with looking at the Extreme Cloud IQ configuration.

Classifier Maps

QoS Classifier Maps - A classifier map marks traffic with Extreme Networks QoS classes based on the various QoS classification systems (802.1p/DiffServ/802.11e).

Incoming traffic - The AP prioritises and forwards incoming traffic as determined by the mapped QoS level.

Outgoing traffic - The AP uses marker maps.

To check the first option, "Classifier Maps", log in and navigate to:

Configure > Network Policies > Edit "Policy Name" > Additional Settings > QoS Options

[Screenshot: ExtremeCloud IQ > Network Policies > Additional Settings > QoS Options > Classifier Maps. The page notes that Classifier Maps are only supported by IQ Engine devices and will not take effect on other devices. A classifier map "maps anonymous incoming traffic into the Extreme Networks classification system"; classification can be performed based on Services, MAC OUIs, SSIDs or 802.1p/DiffServ/802.11e.]

Services configured in the classifier map:

Service        QoS Class   Action
LYNC           VOICE       PERMIT
LYNC AUDIO     VOICE       PERMIT
LYNC CONTROL   VOICE       PERMIT
SKYPE VOICE    VOICE       PERMIT
FACETIME       VIDEO       PERMIT

The incoming traffic is mapped based on the network/application service defined in the classifier map. In the screenshot above you can see LYNC, LYNC AUDIO and the others set to the VOICE class with the action PERMIT.

MAC OUIs and SSIDs

I haven't used this in our config, but one can choose to map traffic to classes based on either the source/destination MAC OUI in the packet or on the SSID.

[Screenshot: Add MAC OUI, with an example row: MAC OUI Apple-iPhone, QoS Class Background, Action permit, Logging Enable.]

[Screenshot: Add SSID, with an example row: SSID ssid0, QoS Class Voice.]

802.1p/DiffServ/802.11e

802.1p is a layer 2 prioritisation, often described as Class of Service, carried in the TCI field of the 802.1Q-tagged Ethernet frame. Its 3 bits give 8 different classes, as shown below. In my scenario I have used DiffServ and 802.11e (WMM) for layer 3 QoS.

[Screenshot: classifier map, 802.1p/DiffServ/802.11e tab, with 802.1p OFF, DiffServ ON and 802.11e ON.]

802.1p and 802.11e priority to QoS class:

Priority   QoS Class
7          Network Control
6          Voice
5          Video
4          Controlled Load
3          Excellent Effort
2          Best Effort 1
1          Best Effort 2
0          Background

DiffServ maps DSCP ranges to the same eight QoS classes, one range of eight code points per class: 56-63, 48-55, 40-47, 32-39, 24-31, 16-23, 08-15 and 00-07.

DiffServ is concerned with classifying packets as they enter the local network. The classification then applies to a flow of traffic, where a flow is defined by five elements: source IP address, destination IP address, source port, destination port and the transport protocol. The DSCP marking is retained end to end, which is one of the reasons it is preferred over 802.1p.

Before moving to 802.11e, let's get basics correct.

802.11 uses collision avoidance, unlike the collision detection used by Ethernet. The DCF (Distributed Coordination Function) algorithm is used for medium access. Regardless of other clients on the medium, an 802.11 WLAN device will wait for a DCF interframe space (DIFS) before it begins transmitting. Once the DIFS has counted down to 0, a random backoff timer is generated if the medium is not free.

[Figure: The DCF decision process]

  1. Wait until the medium is free, then count down the DIFS while continuing to listen to the medium to ensure it is quiet.
  2. If the medium is still free, transmit the frame.
  3. If not, generate a random backoff value between 0 and CWmin and decrement the CW value to zero. If another station begins to transmit, defer until it is done, then wait another DIFS period before continuing to count down the CW. Then transmit the frame.
  4. Was an ACK received (i.e. confirming there was no collision)? If yes, done. If not, double the previous CW, choose a new random number between zero and the new CW (up to a maximum of CWmax) and back off again.

QoS is not possible with DCF alone, hence 802.11e was ratified. EDCA (Enhanced Distributed Channel Access) introduced four queues (Background, Best Effort, Video, Voice), an AIFS per access category (AC) and a range of contention windows (CWmin and CWmax). Two further 802.11e enhancements are TXOP and Call Admission Control (CAC).

EDCA / WMM access category parameters:

Access Category   AIFS Number   CWmin   CWmax
Legacy DCF        DIFS (2)      15      1023
Voice             2             3       7
Video             2             7       15
Best Effort       3             15      1023
Background        7             15      1023
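To make the effect of those parameters concrete, here is an added Python simulation (not part of the original post, and not Extreme's code). Four saturated stations, one per access category, contend for the medium using the AIFSN/CWmin/CWmax values from the table above, and the same four stations contend again with legacy DCF parameters. The slotted model is a deliberate simplification: every station always has a frame waiting, and the backoff is redrawn every round instead of carrying over the residual count.

```python
import random

# EDCA parameters (AIFSN, CWmin, CWmax) per WMM access category, from the
# table above. "Legacy DCF" is the pre-802.11e behaviour every station used.
EDCA_PARAMS = {
    "Voice": (2, 3, 7),
    "Video": (2, 7, 15),
    "Best Effort": (3, 15, 1023),
    "Background": (7, 15, 1023),
    "Legacy DCF": (2, 15, 1023),
}


class Station:
    """One contending station (or one per-AC queue) with its own CW state."""

    def __init__(self, name, category):
        self.name = name
        self.aifsn, self.cwmin, self.cwmax = EDCA_PARAMS[category]
        self.cw = self.cwmin

    def contention_slots(self, rng):
        # Slots waited after the medium goes idle: the AIFS (AIFSN slots) plus a
        # random backoff from [0, CW]. Simplification: the backoff is redrawn each
        # round rather than carrying the residual count over from a lost round.
        return self.aifsn + rng.randint(0, self.cw)

    def on_collision(self):
        # Binary exponential backoff: CW grows to 2*CW + 1, capped at CWmax.
        self.cw = min(2 * self.cw + 1, self.cwmax)

    def on_success(self):
        # A successful transmission resets the window to CWmin.
        self.cw = self.cwmin


def simulate(stations, rounds, seed=1):
    """Run `rounds` contention rounds; return {station name: frames sent}."""
    rng = random.Random(seed)
    wins = {s.name: 0 for s in stations}
    for _ in range(rounds):
        slots = {s: s.contention_slots(rng) for s in stations}
        earliest = min(slots.values())
        ready = [s for s in stations if slots[s] == earliest]
        if len(ready) == 1:
            ready[0].on_success()
            wins[ready[0].name] += 1
        else:
            # Two or more stations reached zero in the same slot: collision,
            # nobody's frame gets through and all of them widen their CW.
            for s in ready:
                s.on_collision()
    return wins


def share_by_category(rounds=2000, seed=1):
    """Four saturated stations, one per WMM AC: Voice should win most often."""
    stations = [Station(ac, ac) for ac in ("Voice", "Video", "Best Effort", "Background")]
    return simulate(stations, rounds, seed)


def share_legacy_dcf(rounds=2000, seed=1):
    """Same four stations without 802.11e: all use DCF, so nobody is prioritised."""
    stations = [Station(f"sta{i}", "Legacy DCF") for i in range(4)]
    return simulate(stations, rounds, seed)


if __name__ == "__main__":
    print("EDCA:", share_by_category())
    print("DCF: ", share_legacy_dcf())
```

Running it shows why an AP with WMM enabled can honour the Voice marking at all: with AIFSN 2 and CWmin 3 the voice queue almost always reaches zero first, Background (AIFSN 7) hardly ever gets the medium while the other queues are busy, and under plain DCF the four stations split the airtime roughly evenly whatever the traffic is.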

[Figure: QoS Classification and Marking: Mapping External Systems to Aerohive Classes. For traffic traversing its Wi-Fi interfaces, the HiveAP maps Aerohive classes to IEEE 802.11e traffic classes (defined in the wireless frame header) or to DSCP values (defined in the layer-3 packet header). For traffic traversing its Ethernet interface, the HiveAP maps Aerohive classes to 802.1p traffic classes (defined in the layer-2 frame header) or to DSCP values (defined in the layer-3 packet header).]

Default mappings of the Aerohive class system to standard QoS classification systems:

Aerohive Class   802.11e / 802.1p Traffic Class   Inbound DSCP   Outbound DSCP
7                7                                56-63          56
6                6                                48-55          48
5                5                                40-47          40
4                4                                32-39          32
3                3                                24-31          24
2                2                                16-23          16
1                1                                8-15           8

Marker Maps

For outgoing traffic, one can define marker maps to map classes to priority numbers in standard classification systems (802.11e, 802.1p, and DiffServ). After defining classifier and marker maps, you then define classifier and marker profiles that enable one or more of the methods defined in the maps. Finally, you associate those profiles with SSIDs or interfaces to apply the mappings to traffic arriving at or exiting those interfaces.

[Screenshot: Marker-Map with DiffServ ON. The page notes: if both 802.1p and DiffServ are selected, only DiffServ will take effect.]

QoS Class              WMM Queue     DiffServ Code Point
7 - Network Control    Voice         48
6 - Voice              Voice         46
5 - Video              Video         34
4 - Controlled Load    Video         26
3 - Excellent Effort   Best Effort   18
2 - Best Effort 1      Best Effort   0
1 - Best Effort 2      Background    10
0 - Background         Background    8

Verifying if WMM QoS is working

A QoS Data frame includes the QoS Control field, which carries the frame's priority (the TID) in its Priority field.

Wireshark decode of a captured QoS Data frame (cleaned up from the screenshot):

IEEE 802.11 QoS Data, Flags: .p.....TC
    Type/Subtype: QoS Data (0x0028)
    Frame Control Field: 0x8841
        Version: 0
        Type: Data frame (2)
        Subtype: 8
        Flags: 0x41
            DS status: Frame from STA to DS via an AP (To DS: 1 From DS: 0) (0x1)
            More Fragments: This is the last fragment
            Retry: Frame is not being retransmitted
            PWR MGT: STA will stay up
            More Data: No data buffered
            Protected flag: Data is protected
            Order flag: Not strictly ordered
    Duration: 48 microseconds
    Receiver address: ExtremeN_3b:81:54
    Transmitter address: HuiZhouG_b7:2c:a3 (d4:ab:cd:b7:2c:a3)
    Destination address: WistronN_d3:3c:57 (44:e4:ee:d3:3c:57)
    Source address: HuiZhouG_b7:2c:a3 (d4:ab:cd:b7:2c:a3)
    STA address: HuiZhouG_b7:2c:a3 (d4:ab:cd:b7:2c:a3)
    Fragment number: 0
    Sequence number: 3683
    Qos Control: 0x0006
        TID: 6
        Priority: Voice (Voice)
        QoS bit 4: Bits 8-15 of QoS Control field are TXOP Duration Requested
        Ack Policy: Normal Ack (0x0)
        Payload Type: MSDU
        TXOP Duration Requested: 0 (no TXOP requested)
    CCMP parameters
        CCMP Ext. Initialization Vector: 0x00000000315F
        Key Index: 0
Data (64 bytes)
    [Length: 64]
Frame check sequence: 0x412667cb [unverified]
    [FCS Status: Unverified]
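The same check can be done programmatically. The following is an added Python example (not code from the original post or from Extreme): it walks an 802.11 QoS Data frame header to the QoS Control field, decodes the TID into its WMM access category, reads the DSCP from an IPv4 header and applies the marker map from the screenshot above to show which queue and outgoing DSCP a wired packet would get. The frame and IPv4 bytes are constructed to match the decode above (FC 0x8841, duration 48, sequence 3683, TID 6; the MAC addresses are placeholders). One assumption is labelled in the code: that each eight-code-point DSCP range of the classifier map lands in the class of the same index, as in the 802.1p table. The comparison function goes slightly beyond the capture itself: it checks whether the queue a client chose for its uplink frames matches the queue the AP's maps would give the same application's downlink packets.

```python
import struct

# 802.11e/WMM user priority (TID 0-7) -> access category (standard mapping)
UP_TO_AC = {1: "Background", 2: "Background", 0: "Best Effort", 3: "Best Effort",
            4: "Video", 5: "Video", 6: "Voice", 7: "Voice"}

# Marker map from the screenshot above: Extreme QoS class -> (WMM queue, outgoing DSCP)
MARKER_MAP = {7: ("Voice", 48), 6: ("Voice", 46), 5: ("Video", 34), 4: ("Video", 26),
              3: ("Best Effort", 18), 2: ("Best Effort", 0),
              1: ("Background", 10), 0: ("Background", 8)}


def parse_qos_control(field: bytes) -> dict:
    """Decode the little-endian 2-byte QoS Control field of a QoS Data frame."""
    val = struct.unpack("<H", field)[0]
    tid = val & 0x0F
    return {
        "tid": tid,
        "ac": UP_TO_AC.get(tid),              # TIDs 8-15 are TSIDs with no WMM queue
        "eosp": (val >> 4) & 1,
        "ack_policy": ("Normal Ack", "No Ack", "No explicit Ack", "Block Ack")[(val >> 5) & 0x3],
        "amsdu": bool((val >> 7) & 1),
        "txop": val >> 8,
    }


def parse_qos_data_frame(frame: bytes) -> dict:
    """Walk the 802.11 MAC header of a QoS Data frame as far as QoS Control."""
    fc = struct.unpack("<H", frame[0:2])[0]
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    if ftype != 2 or not subtype & 0x8:
        raise ValueError("not a QoS Data frame")
    to_ds, from_ds = flags & 0x1, (flags >> 1) & 0x1
    seq_ctrl = struct.unpack("<H", frame[22:24])[0]
    hdr_len = 24 + (6 if to_ds and from_ds else 0)   # Address 4 only in WDS frames
    info = {
        "duration_us": struct.unpack("<H", frame[2:4])[0],
        "to_ds": to_ds, "from_ds": from_ds,
        "protected": (flags >> 6) & 1,
        "fragment": seq_ctrl & 0xF, "sequence": seq_ctrl >> 4,
    }
    info.update(parse_qos_control(frame[hdr_len:hdr_len + 2]))
    return info


def dscp_from_ipv4(packet: bytes) -> int:
    """DSCP is the upper six bits of the IPv4 DS (ToS) byte at offset 1."""
    return packet[1] >> 2


def class_from_dscp(dscp: int) -> int:
    # Assumption: each eight-code-point range of the classifier map (56-63 -> class 7,
    # ..., 0-7 -> class 0) maps to the class with the same index.
    return dscp >> 3


def downlink_marking(dscp: int) -> tuple:
    """For a wired packet carrying `dscp`: the class it is classified into, and the
    WMM queue and outgoing DSCP the marker map assigns to that class."""
    cls = class_from_dscp(dscp)
    queue, out_dscp = MARKER_MAP[cls]
    return cls, queue, out_dscp


def queues_agree(uplink_frame: bytes, wired_packet: bytes) -> dict:
    """Compare the queue a client chose for its uplink frame (TID) with the queue the
    AP's maps would give the same application's downlink packet (DSCP)."""
    up = parse_qos_data_frame(uplink_frame)
    cls, queue, out_dscp = downlink_marking(dscp_from_ipv4(wired_packet))
    return {"uplink_queue": up["ac"], "downlink_class": cls,
            "downlink_queue": queue, "downlink_dscp": out_dscp,
            "agree": up["ac"] == queue}


# Constructed frame modelled on the decode above: FC 0x8841 (QoS Data, To DS,
# protected), duration 48 us, three placeholder addresses, sequence 3683, TID 6.
SAMPLE_FRAME = (
    b"\x88\x41" + b"\x30\x00"
    + bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    + bytes.fromhex("020000000003")
    + struct.pack("<H", 3683 << 4)
    + b"\x06\x00"
    + bytes(16)   # stand-in for the CCMP header and encrypted payload
)
# Constructed IPv4 headers: DS byte 0xB8 = DSCP 46 (EF), 0xC0 = DSCP 48 (CS6).
SAMPLE_IP_EF = bytes.fromhex("45b8003c00004000401100000a0000010a000002")
SAMPLE_IP_CS6 = bytes.fromhex("45c0003c00004000401100000a0000010a000002")

if __name__ == "__main__":
    print(parse_qos_data_frame(SAMPLE_FRAME))
    print(queues_agree(SAMPLE_FRAME, SAMPLE_IP_EF))
    print(queues_agree(SAMPLE_FRAME, SAMPLE_IP_CS6))
```

The two sample packets make the point worth checking in any deployment: the client above sent its voice frames with TID 6 (Voice queue), but a downlink packet marked EF (DSCP 46) falls in the 40-47 range and, under the range-to-class assumption, would be queued as Video and re-marked 34, whereas CS6 (48) lands in the Voice queue. Whether that matches your intent depends on how the classifier's DSCP ranges line up with what the voice application actually marks, so verify both directions of the flow in a capture, not just the uplink.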

Adding Custom Application for QoS Categorisation

Navigate to Configure > Application > Add Custom.

Helpful links for more reading

http://www.rhyshaden.com/qos.htm

https://techhub.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8155_ra-2620_atmg/content/ch04s04.html

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/vowlan/41dg/vowlan41dg-book/vowlan_ch2.html

https://docs.aerohive.com/330000/docs/help/english/ng/Content/gui/configuration/configuring-classifier-maps.htm

https://docs.microsoft.com/en-us/microsoftteams/qos-in-teams


CWISA - Cellular Networks #CWSA #IoT #LTE #CWNP

Planning Wireless Solutions covers 30% of the exam syllabus.

This blog focusses on Cellular Networks (Overview and Understanding) - chapter 6.

The CWISA exam does not require one to know the ins and outs of cellular wireless networking. It only aims to make one able to make the decisions required to select the appropriate cellular network when designing and maintaining wireless networks. So this chapter will focus on the same, and only on what is relevant to the CWISA exam requirements.

First Mobile Phone: Motorola DynaTAC 8000x - 1983, Huge and power intensive.

According to research in 2019, more than 5 billion people have a mobile phone and over 65% of them own a smartphone. I think the trend will only go up, and will only come down after it is replaced by the next-gen technology.

[Table: 4 Cell Phone Generations Compared]

Generation   Technologies                          Signal    SMS   Switching   Data Rates
1G           -                                     Analog    No    Circuit     -
2G           GSM, CDMA, EDGE, GPRS                 Digital   -     -           236.8 kbps
3G           UMTS, CDMA2000, HSDPA, EVDO           Digital   -     -           384 kbps
4G           LTE Advanced, IEEE 802.16 (WiMAX)     -         -     -           Gbps

As discussed earlier, the CWISA exam does not aim to help us deploy cell tower radios or configure core cellular networks. Cellular networks use a cell-based coverage plan. Communications across the network function through base station transceivers communicating with the local base station controller at the cell site. The base station controller connects back to a mobile switching centre via a wired/wireless connection.

Each cell site can service multiple carriers. It can provide a range of services, from voice, SMS and locationing (GPS-based) to data (internet access). The data service plays a crucial role in enabling cellular IoT deployments.

LTE / 4G

Long Term Evolution (LTE), also known as 4G, is the step before 5G. The original 4G was established in Release 10 from the 3GPP organisation. Between 4G and 5G sit Releases 11, 12, 13 and 14, which provide enhancements to 4G networks. Careful planning must go into selecting devices based on their compatibility with the technology: mobile devices which use LTE (4G) usually have the capability to fall back to 3G. In years to come, when 3G is phased out, that fallback option will be gone too. The same applies to 5G-enabled devices. Narrowband IoT (NB-IoT) was introduced in Release 13 of the 4G standards.

Frequency Bands - More than 50 different frequency bands (in MHz) are used in LTE/4G deployments. The exam does not require one to memorise all the bands, but one should know which bands are available in one's own regulatory domain.

Modulation Methods - OFDM is used in LTE/4G technology in general: OFDMA is used for downlink communication and single-carrier FDMA (SC-FDMA) for uplink communication. Each subcarrier in LTE uses QPSK, 16-QAM or 64-QAM.

QPSK - 2 bits per symbol, 28000 bits per second
16-QAM - 4 bits per symbol, 56000 bits per second
64-QAM - 6 bits per symbol, 84000 bits per second

Devices - The primary consideration is mobile devices, plus backup uplinks for devices like routers/firewalls. Many WBAN (Wireless Body Area Network) devices connect via Bluetooth to gain access to the cellular network. 5G evolution, which means not 5G yet but LTE-A (Advanced), offers 1 Gbps/500 Mbps uplink and download speeds respectively.

5G

5G is still based on the 4G/LTE model, with OFDM as the primary modulation scheme. Support for frequency bands above 6 GHz, ultra-low latency (under 1 ms) and higher data rates are some of the enhancements.

Frequency bands - These vary by the regulatory domain one is in (see https://www.cablefree.net/wirelesstechnology/4glte/5g-frequency-bands-lte/). Phase one of 5G rollouts focuses on the use of the existing 4G/LTE bands. Phase two will begin to explore the mmWave bands.

Modulation methods - Similar to LTE/4G, however it adds support for BPSK and 256-QAM as well.

BPSK - 1 bit per symbol
256-QAM - 8 bits per symbol

The ultimate goal of 5G is a maximum downlink of 20 Gbps and an uplink speed of 10 Gbps, with 100Mbps downlink and 50Mbps uplink at the cell edges.

Cellular - Service Provider Network - The general use case, where the service provider's network is used. Some areas tend to have better cellular coverage than others.

Cellular - Private Network - Private LTE/5G cells can latch on to a service provider network for backhaul, or connect to your own network. Private LTE uses unlicensed frequency bands (1.9GHz, 2.4GHz, 3.5GHz and 5GHz). 2.4GHz and 5GHz are well known for their use in Wi-Fi networks; the 1.9GHz and 3.5GHz bands are lesser known but may be used as well.

The CBRS Alliance is focused on promoting the use of LTE and 5G in the 3.5GHz Citizens Broadband Radio Service band. Band 48, as defined by 3GPP, is used by CBRS.


CWSP-206 Exam Feedback

I'd like to provide some tips and tricks to help one achieve the CWNP certification. The CWSP-206 exam was revised in November 2019 from CWSP-205, with added topics on OWE/WPA3 and SAE, and some older security concepts around pre-RSNA technologies like WEP removed.

The exam in itself is not as hard compared to CWAP. I'd still suggest taking the CWAP exam before CWSP and CWDP. The CWAP exam does provide a good base/foundation for the security concepts. Some concepts for 802.11 discovery/secure roaming are covered in CWAP. Some design concepts around security are covered in CWDP as well.

CWSP-206 tests the areas below, with the percentage allocation for each.

Knowledge Domain                         Percentage
Security Policy                          10%
Vulnerabilities, Threats, and Attacks    30%
WLAN Security Design and Architecture    45%
Security Lifecycle Management            15%

If one focuses on the bulk areas of WLAN Security Design and Vulnerabilities/Threats and Attacks, it will cover 75% of the exam topics and thereby easily cover the 70% passing mark required for the exam. The Security Policy and Lifecycle Management areas mostly rely on your work experience, or experience dealing with security in the real world/office environments. If one is up to date with how new security attacks like social engineering etc. are carried out, and the extensive use of smartphones/email in hacking a way into the network, it can help achieve a few easy wins in this exam.

With regards to WLAN Security Design familiarise yourself with below concepts to make sure you understand them in depth.

  • 4 Way Handshake
  • 802.11 EAP types
  • Encryption types
  • 802.11r Fast BSS Transition.
  • Guest Access/Captive Portal/MDM
  • Concepts of containerisation and segmentations.
  • CVE/NVD concepts
  • WLAN attacks

If you read my previous post, A Chunk of CWSP-206, I've focused on the areas which you should be focusing on for 45% of the exam requirements, and on some concepts in depth which can help with the exam.

When it comes to exam resources, work experience in network security will really benefit you. Apart from that, the CWNP practice exam will be of great help. I have read the CWSP-205 and Exam PW0-204 CWSP books. Both of these books are not the recent ones but still cover 80%+ of the topics of this exam. You can buy the CWSP-206 exam guide from CWNP.com for more exam-specific help. There are some video courses offered by INE; I haven't really used them, so I can't provide any feedback, but they should be helpful. All the best with your certification.


A Chunk of CWSP! (Work in Progress)

The topics covered below are not in great detail but should give the important aspects required. The content below covers 45% of the exam syllabus for CWSP-206, which means approximately 25-27 questions.

  1.  Select and implement appropriate authentication solutions

  •  WPA/WPA2-Personal (Pre-Shared Key) 

  • Introduced in 802.11-2012 after the vulnerabilities discovered in WEP.
  • WPA and WPA2 are pretty much the same, except that WPA2 uses better encryption.
  • WPA2 is the preferred authentication method as it uses CCMP/AES encryption mechanisms.
  • WPA/WPA2 use 4 unicast frames in the 4-way handshake.
  • Authentication occurs during the 4-way handshake process via the pre-shared key. If the keys on the AP and the client STA fail to match, the authentication fails.

  •  WPA/WPA2-Enterprise 

  • Three primary authentication components - RADIUS, IEEE 802.1X & EAP (Extensible Authentication Protocol).
  • A RADIUS server allows centralised authentication. Microsoft NPS and Cisco ISE are some of the typical RADIUS servers in use.
  • The IEEE 802.1X standard defines port-based access control. The components are the supplicant (client STA), the authentication server (the RADIUS server) and the authenticator (AP STA).

  •  WPA3-SAE and 192-Bit enterprise security 

  • Standardising the mesh networking of 802.11 WLANs was part of the 802.11-2012 (802.11s) standard but did not succeed for vendor-competitive reasons. Also known as HWMP (Hybrid Wireless Mesh Protocol), the mesh portals and APs can dynamically determine the best path selection for traffic flow through the meshed WLAN. Although SAE was not implemented for mesh networks, the Wi-Fi Alliance views it as a more secure replacement for PSK authentication.
  • SAE (Simultaneous Authentication of Equals) uses the Dragonfly key exchange, which provides forward secrecy. It is a patent-free technology in which the client/user has to prove knowledge of the password without having to reveal the password.
  • SAE does not send the passphrase between 802.11 stations during the key exchange. The process consists of a commitment message exchange and a confirmation message exchange.
  • The security modes supported are 128-bit SAE for WPA3 Personal and 192-bit SAE for WPA3 Enterprise.
  • WPA3 mandates the use of PMF (Protected Management Frames).

  •  802.1X/EAP 

  • EAP over LAN (EAPOL) packets are used across the medium between the client STA and the AP/controller; EAP encapsulated in RADIUS is used between the AP/WLAN controller and the RADIUS server.
  • EAP is an L2 protocol used by 802.3 and 802.11 networks.
  • Access to the network is managed via the controlled and uncontrolled ports.
  • The most secure methods of authentication use 'mutual authentication'. Most EAP protocols use a server-side certificate to complete the user authentication.

  •  EAP methods

                          EAP-TLS                   EAP-TTLS                             PEAP              EAP-FAST    EAP-SIM                EAP-GTC
Developer                 IEEE RFC 5216             Juniper (Certicom & Funk Software)   Cisco/Microsoft   Cisco       IETF RFC 4186          Cisco
Server Side Certificate   Required                  Required                             Required          Uses PACs   n/a                    Uses Tokens
Client Side Certificate   Required                  No                                   No                No          No                     No
Wi-Fi Security            Very High                 High                                 High              High        High                   High
Deployment Level          Difficult (Need of PKI)   Moderate                             Easier            Easier      Mobile networks only   Moderate

  1. Select and implement appropriate encryption solutions

  •  Encryption methods and concepts (CWSP exam no longer tests on frame overhead knowledge of WEP, TKIP and CCMP).

  •  TKIP/RC4 

  • Developed by the Wi-Fi Alliance to combat WEP dictionary attacks.
  • TKIP uses a 128-bit temporal key, plus a 48-bit TKIP sequence counter, along with the transmit address (TA).
  • Michael (MIC) is the name of the integrity algorithm used with TKIP that enhances the legacy ICV mechanism. MIC is meant to improve integrity protection while remaining backwards compatible.
  • TKIP is a deprecated encryption method and, apart from the security concerns, it can slow the network down to 54Mbps.

  •  CCMP/AES 

  • CCMP is based on the CCM mode of the AES encryption algorithm.
  • WPA2 requires the use of CCMP/AES encryption; older legacy devices will not support this and have to be upgraded.
  • CCMP starts with a 128-bit temporal key, which can be either the PTK or the GTK (used to encrypt the broadcast/multicast traffic).
  • The 48-bit packet number is much like the TKIP sequence number.

  •  SAE and 192-bit security 

  • SAE is a variant of the Dragonfly key exchange defined in RFC 7664, based on Diffie-Hellman key exchange.
  • WPA3 capabilities include WPA-3 Personal & WPA3 Enterprise.
  • WPA3 Personal leverages SAE, a secure key establishment protocol between devices, to provide stronger protections for users against password guessing attempts by third parties.
  • WPA3 Enterprise offers 192-bit cryptographic strength, providing additional protections for network transmitting sensitive data.

  •  OWE (Opportunistic Wireless Encryption)

  • An improved security feature for open wireless networks, OWE provides a way for devices to connect to open Wi-Fi networks with an encrypted session.
  • Currently only Cisco & Aruba solutions support OWE on their latest firmware.
  • OWE performs an unauthenticated Diffie-Hellman exchange at association time; it may not be fully secure, but it is still better than a shared/public hotspot PSK in a public place like a coffee shop.

  1.  Select and implement wireless monitoring solutions

  • Wireless Intrusion Prevention System (WIPS) - overlay and integrated
  • Rogue detection, classification, mitigation/containment.

  •  Laptop-based monitoring with protocol and spectrum analysers (Covered in CWAP blogs)

  1. Understand and explain 802.11 Authentication and Key Management (AKM) components and processes

  • Basic Terminology
    • RSN - Robust Security Network. An RSN can be identified by the presence of the RSN-IE element in the Beacon frames.
    • RSNA - Robust Security Network Association - used by a pair of STAs which use the 4-way handshake for authentication/association.
    • Pre-RSNA - WEP, pre-802.11i.
    • TSN - Transition Security Network - a transitioning network allows configuration of pre-RSNA and RSNA in the same environment.
    • MSK - Master Session Key - 64 octets in length, used between the EAP client and the authentication server.
    • PMK - Pairwise Master Key - the highest-order key, derived from the key generated by the EAP method, or obtained from the PSK.
    • PTK - Pairwise Transient Key = PMK + AA (authenticator address) + SPA (supplicant address) + ANonce + SNonce using a pseudo-random function (PRF). The PTK is split up into as many as 5 keys - the temporal encryption key, two temporal message integrity code (MIC) keys, the EAPOL-Key encryption key and the EAPOL-Key confirmation key.
    • GMK - Group Master Key - auxiliary key used to derive the GTK.
    • GTK - a random value, assigned by the broadcast/multicast source, which is used to protect MPDUs from that source.

  • Encryption keys and key hierarchies

  • Key Hierarchies
    • The 802.11-2012 standard specifies the RSN key hierarchy for authentication and dynamic encryption keys. This is often referred to as AKM (authentication and key management). The process works from the top down, starting with either a passphrase, PSK or MSK.
    • [Figure 5-4: 802.11 AKM Key Hierarchy. The Master Session Key (MSK) is derived from 802.1X/EAP authentication or is the equivalent of the passphrase. The Pairwise Master Key (PMK) is the highest-order 802.11 key, derived from the MSK (802.1X) or the PSK. The authenticator uses a separate derivation process to produce the Group Master Key (GMK), from which the Group Temporal Key (GTK) is derived. The Pairwise Transient Key (PTK) is derived from the PMK and is composed of encryption keys: the Key Confirmation Key (KCK), the Key Encryption Key (KEK), the Temporal Encryption Key (TEK) and the Temporal MIC keys.]
    • The PSK is 256 bits in length, or 64 characters when expressed in hex. The static key is configured on the AP/WLAN controller. Remembering and entering a 64-character PSK can be tedious at times. The way around it is to configure a short ASCII password or passphrase, an 8 to 63 character string entered into the client software utility (laptop/mobile device) and the AP. The passphrase must match at both ends.
    • The whole point of the passphrase-to-PSK mapping formula is to simplify the configuration for the average end user. Most people can remember an 8-character password as opposed to a 256-bit PSK.

  • Encryption Terminologies
    • Encryption Algorithm  - Mathematical procedures used to obscure information so it appears meaningless. AES, RC4, RC5, RC6 are some of the examples.
    • Hash Function/Algorithm - Procedure which takes an arbitrary block of data and returns a fixed size bit string.
    • Cipher Suite - Named combination of authentication, encryption and the message authentication code use to negotiate security settings for a network connection.
    • Stream cipher - Symmetric key cipher where plaintext bits are combined with a keystream, typically by an XOR operation.
      • 802.11 WLANs use the RC4 stream cipher with WEP/TKIP.
    • Block cipher - Symmetric key cipher operating on fixed-length groups of bits called blocks.
      • Block ciphers specify the size of the block to be encrypted; CCMP/AES uses a 128-bit block.
    • Symmetric Key Encryption - Class of algorithms for cryptography that use trivially related, often identical cryptographic keys for decryption and encryption.
      • Static/Dynamic key implementations
      • The actual encryption keys are never transmitted over the Wi-Fi medium. Instead anonce/snonce and other required information is transmitted and then each participating device generates the keys. This adds additional layer of security.
    • Asymmetric Encryption - Class of algorithms using separate key pairs for encryption and decryption.
      • Also known as public key cryptography
      • The public key is distributed whereas the private key is kept by one entity alone.

  • 4-way handshake
    • Final process used to generate PTK for encryption of unicast transmissions and a GTK for broadcast/multicast transmissions.
    • Uses 4 EAPOL-key frame messages between authenticator and the supplicant for 6 major purposes.
      • Confirm the existence of PMK at the peer station.
      • Ensure that the PMK is current
      • Derive new PTK from PMK
      • Install PTK on the supplicant and the authenticator
      • Transfer the GTK from the authenticator to the supplicant and install GTK on the supplicant and authenticator if necessary.
      • Confirm the selection of the cipher suites.
    • AP ~ Authenticator, Client - Supplicant
    • M1 - The AP sends an EAPOL-Key frame containing the ANonce for the PTK. The client STA will use this to generate the SNonce and derive the PTK.
    • M2 - The client sends an EAPOL-Key frame containing SNonce + RSNE + MIC. The supplicant derives the PTK. The MIC bit will be set to 1 and will be confirmed by the AP. The RSN element is visible in this message.
    • M3 - The AP sends the EAPOL-Key frame after deriving the PTK. The MIC is verified and the GTK is sent in M3.
    • M4 - The client sends the last EAPOL-Key frame to the AP. It notifies the AP that the temporal keys will be installed, and the secure bit will be set.

  • Group Key Handshake
    • 2 frame handshake used to distribute new GTK to client stations that have already obtained a PTK and GTK in a previous 4-Way Handshake exchange.
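The key hierarchy and 4-way handshake sections above can be tied together in code. What follows is an added Python example (not from the original post and not from CWNP): it derives the PSK from a passphrase and SSID with PBKDF2 as the standard specifies, expands the PMK into the PTK with the 802.11 PRF-384 over the authenticator address, supplicant address, ANonce and SNonce, splits the PTK into KCK, KEK and temporal key, and then walks the key-level view of M1/M2: the supplicant computes the M2 MIC with its KCK and the authenticator, holding only the PMK and the two nonces, verifies it. The addresses, nonces and EAPOL-Key body are constructed stand-ins; the MIC here uses HMAC-SHA1 truncated to 128 bits, which is the variant for AKM 00-0F-AC:2 (PSK with CCMP).

```python
import hashlib
import hmac
import os


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping (802.11 Annex J): PBKDF2-HMAC-SHA1 with the SSID
    as salt, 4096 iterations, 256-bit output. For WPA2-Personal this PSK is the PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) ||
    min(ANonce,SNonce) || max(ANonce,SNonce)), split into KCK, KEK and the CCMP
    temporal key (16 bytes each). Ordering by min/max makes both sides agree."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_key_frame: bytes) -> bytes:
    """Key MIC for AKM 00-0F-AC:2: HMAC-SHA1 over the EAPOL-Key frame with its MIC
    field zeroed, truncated to 128 bits."""
    return hmac.new(kck, eapol_key_frame, hashlib.sha1).digest()[:16]


def authenticator_verifies_m2(pmk, aa, spa, anonce, snonce, m2_body, m2_mic) -> bool:
    """Authenticator side of M2: derive the PTK from its own PMK and both nonces and
    check the MIC. A wrong PMK (wrong passphrase) yields a different KCK and fails here,
    which is how the handshake proves PMK possession without sending the PMK."""
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)["kck"]
    return hmac.compare_digest(eapol_mic(kck, m2_body), m2_mic)


def four_way_handshake(passphrase, ssid, aa, spa, anonce=None, snonce=None, sup_passphrase=None):
    """Key-level walk through M1 and M2. `sup_passphrase` lets the supplicant use a
    different passphrase so a PSK mismatch can be demonstrated; nonces default to
    fresh random values, as on a real station."""
    auth_pmk = derive_psk(passphrase, ssid)
    sup_pmk = derive_psk(sup_passphrase or passphrase, ssid)
    anonce = anonce or os.urandom(32)            # M1: ANonce, authenticator -> supplicant
    snonce = snonce or os.urandom(32)            # supplicant picks its SNonce for M2
    sup_ptk = derive_ptk(sup_pmk, aa, spa, anonce, snonce)
    # Constructed stand-in for the M2 EAPOL-Key body (a real frame carries the
    # descriptor header, SNonce, RSNE and a zeroed MIC field when the MIC is computed).
    m2_body = b"\x02\x03\x00" + snonce + b"RSNE" + bytes(16)
    m2_mic = eapol_mic(sup_ptk["kck"], m2_body)  # M2: SNonce + RSNE + MIC
    mic_ok = authenticator_verifies_m2(auth_pmk, aa, spa, anonce, snonce, m2_body, m2_mic)
    # M3/M4 (GTK delivery wrapped under the KEK, install confirmation) only follow a
    # verified M2; the authenticator's PTK is kept only when the MIC checked out.
    auth_ptk = derive_ptk(auth_pmk, aa, spa, anonce, snonce) if mic_ok else None
    return {"m2_mic_ok": mic_ok, "ptk": sup_ptk, "same_ptk": auth_ptk == sup_ptk}


if __name__ == "__main__":
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")   # placeholder MACs
    print(four_way_handshake("password", "IEEE", aa, spa)["m2_mic_ok"])              # True
    print(four_way_handshake("password", "IEEE", aa, spa, sup_passphrase="other")["m2_mic_ok"])  # False
```

The PSK test vector (passphrase "password", SSID "IEEE") is the one published in the 802.11 standard, so the first function can be checked against it. Note what crosses the air: only the two nonces and the MIC, which is why the PTK changes on every association even though the PMK is static, and why a passphrase mismatch shows up as an M2 MIC failure at the authenticator rather than as a decryption error later.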

3.2 Implement or recommend appropriate wired security configurations to support the WLAN

3.2.1 Physical port security in Ethernet switches 

3.2.2 Network segmentation, VLANs, and layered security solutions 

3.2.3 Tunnelling protocols and connections 

3.2.4 Access Control Lists (ACLs) 

3.2.5 Firewalls 

3.3 Implement authentication and security services

3.3.1 Role-Based Access Control (RBAC) 

3.3.2 Certificate Authorities (CAs) 

3.3.3 AAA Servers 

3.3.4 Client onboarding 

3.3.5 Network Access Control (NAC) 

3.3.6 BYOD and MDM 

3.4 Implement secure transitioning (roaming) solutions

3.4.1 802.11r Fast BSS Transition (FT) 

3.4.2 Opportunistic Key Caching (OKC) 

3.4.3 Pre-Shared Key (PSK) - standard and per-user 

3.5 Secure public access and/or open networks

3.5.1 Guest access 

3.5.2 Peer-to-peer connectivity 

3.5.3 Captive portals 

3.5.4 Hotspot 2.0/Passpoint 

3.6 Implement preventative measures required for common vulnerabilities associated with wireless infrastructure devices and avoid weak security solutions

3.6.1 Weak/default passwords 

3.6.2 Misconfiguration 

3.6.3 Firmware/software updates 

3.6.4 HTTP-based administration interface access 

3.6.5 Telnet-based administration interface access 

3.6.6 Older SNMP protocols such as SNMPv1 and SNMPv2 


Remote Frame Captures & Application Issues on Wi-Fi

After the deployment of new Extreme Aerohive Wireless solution at an Enterprise office, a number of user complaints were received for applications resetting and disconnecting while working on Wi-Fi. The users did not have this problem while working from other offices or their home.

Some of the applications like Teradata SQL Assistant & other applications which used SQL backend reset itself while executing queries. From the Wi-Fi standpoint, the client had no issues with the Signal/Noise/RSSI which was received.

Teradata SQL and other SQL applications use TCP port 125. After we engaged the TAC team, they requested remote pcaps (frame captures) for the wired/wireless interfaces of the Extreme Access Points. Below are the steps required to run the remote captures.

  1. Enable remote capture on the Extreme Aerohive AP 650/510C with the CLI command: exec capture remote-sniffer
  2. Log on to the machine with Wireshark installed and configure the remote interfaces. Enter the management IP of the Access Point (Host) and leave the port field blank.
  3. Install Wireshark on a remote machine and apply packet slicing, as the pcap/frame capture will be huge. Make sure the system capturing has enough disk space to do so.
  4. Choose all the interfaces (or the required interfaces) and start the capture.

After analysing the pcap it was found that there were some TCP retransmissions on TCP port 1025, but the root cause was not yet determined.

After a few days of captures and analysing the frames, it was discovered that the issues were primarily caused by a DoS prevention rule in place for the SSID as an optional setting. We had to disable this feature and the issue just vanished. The option below caused TCP to reset if the client IP session was idle.

Though it took a while to get to this, it was interesting to learn how to perform remote frame captures, which is still helpful for understanding and analysing what is going on at the wireless end.

As in most cases, this was not a radio/wireless issue at all, but it was still resolved from the vendor side after disabling the feature.
