Blog posts related to general networking and IT infrastructure related updates.
This blogpost will focus on the configuration of QoS policies on Extreme Cloud IQ (Portal). Aiming to provide a real scenario which led to the implementation of QoS for an organisation. Before diving into this I cannot stress on the point that QoS solution will be successful only if it is implemented end to end. The QoS marking and policing if not honoured by the subsequent hops in the access <> distribution <> core.
The Need for QoS
The issues arise when packets do not get prioritisation and are either dropped or queued. The network transmission quality is determined by latency, jitter and packet loss. It becomes even more crucial with Wi-Fi being a shared and half-duplex medium it becomes all the more necessary to mark and prioritise the relevant traffic on the network. One may have 10Gbps internet or more but AP are often the bottlenecks in the network. With the adaptation of VoIP/Skype/Zoom and similar RTP/SIP applications, there is a need to make sure voice/video traffic get priority over other traffic. Moreover, Wireless networks and protocols are mostly designed for data services... so it is normally not possible “ just to drop” Rich Media on top and expect positive results.
Extreme Cloud IQ configuration
Let's start with looking at the Extreme Cloud IQ configuration.
QoS Classifier Maps > Classifier map is used to mark traffic with Extreme Network QoS classes by various QoS classification systems (802.1p/DiffServ/802.11e).
Incoming Traffic - AP prioritises and forwards the incoming traffic as determined by the mapped QoS level.
Outgoing Traffic - AP uses marker maps.
If you login and navigate to below for checking the first option of "Classifier Maps".
Configure > Network Policies > Edit "Policy Name" > Additional Settings > QoS Options
The incoming traffic is mapped based on the network/application service defined in the classifier map. In the above screenshot you can see LYNC, LYNC AUDIO and others set as VOICE and action being PERMIT.
MAC OUIs and SSIDs
I haven't used this in our config but one can choose to map traffic to classes based on either the source/destination MAC OUI in the packet or based on SSID
802.1p is a layer 2 prioritisation often described as Class of Service can be seen in the TCI field of the Ethernet frame. The 3 bits give 8 different classes as shown below. In my scenario I have used the DiffServ and 802.11e(WMM) for layer 3 QoS.
DiffServ is concerned with classifying packets as they enter the local network. This classification then applies to Flow of traffic where a Flow is defined by 5 elements; Source IP address, Destination IP, Source port, Destination port and the transport protocol. The DSCP QoS is retained end to end and one of the reason it is preferred more than 802.1p.
Before moving to 802.11e, let's get basics correct.
802.11 use collision avoidance mechanisms unlike collision detection for Ethernet. The DCF (Distributed Coordinated Function) algorithm is used for media access. Regardless of any clients on the medium, a 802.11 WLAN device will wait for a DCF interframe space and then begin the transmission. Once the DIFS is counted down to 0, a random backoff timer is generated if the medium is not free.
QoS is not possible with DCF alone and hence 802.11e was ratified. The EDCA (Enhanced Distributed Channel Access) included 4 queues(Background, Best Effort, Video, Voice), AIFS (ACs) and a range of contention windows (CWmin and CWmax). Two additional 802.11e enhancements included TxOP and Call Admission Control (CAC)
For outgoing traffic, one can define marker maps to map classes to priority numbers in standard classification systems (802.11e, 802.1p, and DiffServ). After defining classifier and marker maps, you then define classifier and marker profiles that enable one or more of the methods defined in the maps. Finally, you associate those profiles with SSIDs or interfaces to apply the mappings to traffic arriving at or exiting those interfaces.
Verifying if WMM QoS is working
The QoS Data Frame includes the QoS Control field which provides the information in the Priority field.
Adding Custom Application for QoS Categorisation
Navigated to > Configure > Application > Add Custom
Helpful links for more readingRead more link text
Planning Wireless Solution cover 30% of the exam syllabus.
This blog focusses on Cellular Networks (Overview and Understanding) - chapter 6.
CWISA exam does not require one to know in and out of cellular wireless networking. It only aims at making one able to make decisions required to select appropriate cellular network when designing and maintaining wireless networks. So this chapter will focus on the same and relevant only to the CWISA exam requirements.
First Mobile Phone: Motorola DynaTAC 8000x - 1983, Huge and power intensive.
According to research in 2019 more than 5 billion people have mobile phone and over 65% of them own a smart phone. I think the trend will only go up and only come down after it is replaced by the next-gen technology.
As discussed earlier, CWISA exam does not aim at intending us to help us deploy cell tower radios or configuring core cellular networks. Cell-based coverage plan is used by the cellular networks. Communications across the network function through base station transceivers communicating with local base station controller at the cell site. The base station controller connect back to a mobile switching center via wired/wireless connection
Each cell site can service multiple carriers. It can provide range of services ranging from Voice, SMS, Locationing (GPS based locationing) and Data (internet access). The Data service plays a crucial role in enablement of IoT cellular deployments.
LTE / 4G
Long Term Evolution is a next step before 5G and also known as 4G. The original 4G was established in Release 10 from the 3GPP organisation. Between 4G and 5G are Release 11, 12, 13 and 14 which provide enhancement to 4G networks. Careful planning must be done in selection of devices based on their compatibility with the technology, usually mobile devices which use LTE (4G) have fallback capability to use 3G. In years to come when 3G is phased out, the fallback option will be gone too. Same is applicable in case of 5G enabled devices. Narrowband IoT (NB-IoT) is used in Release 13 for the 4G standards.
Frequency Bands - More than 50 different frequency bands (in MHz) are used in LTE/4G deployments. The exam does not require one to memorise all the bands but should know which bands are available in their regulatory domain.
Modulation Methods - ODFM is used in general LTE/4G technology. OFDMA is used in downlink communication, and single carrier FDMA (SC-FDMA) is used in uplink communication. Each subcarrier in LTE uses QPSK/16-QAM or 64-QAM.
QPSK - 2 bits per symbol, 28000 bits per/sec
16-QAM - 4 bits per symbol, 56000 bits per/sec
64-QAM - 6 bits per symbol, 84000 bits per/sec
Devices - Primary consideration for mobile devices, backup links for uplink devices like Routers/Firewall etc. Many WBAN (Wireless Body Area Network) connect via Bluetooth to gain access to the cellular network. 5G evolution which means not 5G yet but LTE-A (advanced) offer 1Gpbs/500Mbps uplink and download speeds respectively.
Still based on 4G/LTE model with OFDM as the primary modulation scheme. 5G can also support frequency bands above 6GHz, Ultra low latency at under 1 ms, Higher data rates are some of the enhancements.
Frequency bands - These vary by the regulatory domain one is in. https://www.cablefree.net/wirelesstechnology/4glte/5g-frequency-bands-lte/ - Phase one of 5G rollouts focuses on the uses of existing bands of 4G/LTE. Phase two will begin to explore the mmWave bands.
Modulation methods - Similar to LTE/4G, however it adds support for BPSK and 256-QAM as well.
BPSK - 1 bit per symbol
256-QAM - 8 bits per symbol
The ultimate goal of 5G is a max downlink of 20 Gbps and uplink speed of 10 Gbps with 100Mbps/Downlink, 50Mbps uplink at the cell edges.
Cellular - Service Provider Network - General user case scenario where service provider network used. Some areas tend to have better cellular coverage than other.
Cellular - Private Network - A private LTE/5G cells can latch on to service provider network for backhaul or connect them to your own network. Private LTE uses unlicenced frequency bands (1.9GHz, 2.4GHz, 3.5GHz and 5GHz). The 2.4GHz and 5GHz are well known for their use in Wi-Fi networks. The 1.9GHz and 3.5GHz band are lesser known bands but may be used as well.
The CBRS Alliance is focused on promoting the use of LTE and 5G in the 3.5GHz Citizens Broadband Radio Service band. Band 48 is used by CBRS as defined by 3GPPP.Read more link text
I'd like to provide some tips and tricks to help one achieve the CWNP certification. The CWSP-206 Exam was revised in November 2019 from CWSP-205 with added topics on OWE/WPA3 and SAE and removing some older security concepts around pre-RSNA technologies like WEP.
The exam in itself is not as hard compared to CWAP. I'd still suggest guys to take CWAP exam before CWSP and CWDP. CWAP exam does provide a good base/foundation for the security concepts. Some concepts for 802.11 Discovery/ Secure Roaming are covered in CWAP. Some design concepts around security are covered in CWDP as well.
CWSP-206 tests on below area with %age allocation.
|Vulnerabilities, Threats, and Attacks||30%|
|WLAN Security Design and Architecture||45%|
|Security Lifecycle Management||15%|
If one focusses on the bulk areas of WLAN Security Design and Vulnerabilities/Threats and Attacks it will be able to cover 75% of the exam topics and thereby easily covering the passing marks 70% required for the exam. The Security Policy and Lifecycle Management mostly rely on your work experience or experience dealing with security in the real world/office environments. If one is up to date with how new security attacks like social engineering etc. are carried out and extensive use of smartphone/email in hacking the way into the network it can help achieve few easy wins in this exam.
With regards to WLAN Security Design familiarise yourself with below concepts to make sure you understand them in depth.
- 4 Way Handshake
- 802.11 EAP types
- Encryption types
- 802.11r Fast BSS Transition.
- Guest Access/Captive Portal/MDM
- Concepts of containerisation and segmentations.
- CVE/NVD concepts
- WLAN attacks
If you read my previous post about Chunk of CWSP-206, I've focussed on the areas which you should be focussing on for 45% of the exam requirements and some concepts in depth which can help with the exam.
When it comes to exam resources, work experience in network security will really benefit. Apart from that CWNP practice exam will be of great help. I have real the CWSP-205 and Exam PW0-204 CWSP book. Both of these books are not the recent ones but still cover up to 80%+ topics of this exam. You can buy CWSP-206 exam guide from CWNP.com for more exam-specific help. There are some video courses offered by INE but I haven't really used them to provide any feedback but should be helpful. All the best with your certification.Read more link text
Topics covered below are not in a great deal but should get the important aspects required. The below content cover 45% of the exam syllabus for CWSP-206 which means around 25-27 questions approx.
- Select and implement appropriate authentication solutions
- WPA/WPA2-Personal (Pre-Shared Key)
- Introduced in 802.11-2012 after the vulnerabilities discovered for WEP.
- WPA/WPA2 are pretty much the same except for WPA2 using better encryption.
- WPA2 is the preferred authentication method as it uses CCMP/AES encryption mechanisms.
- WPA/WPA2 have the presence of 4 unicast frames used in 4-way handshake.
- Authentication occurs during the 4-way handshake process via the pre-shared key. If the key on AP and Client STA fail to match, the authentication fails.
- Three primary authentication components - Radius, IEEE 802.1X & EAP (Extensible Authentication Protocol).
- Radius Server allows centralised authentication. Microsoft NPS, Cisco ISE are some of the forms of typical radius servers in use.
- IEEE 802.1X standard defines port-based access control. The components are - The supplicant (Client STA), The Authentication Server (The Radius server) & Authenticator (AP STA).
- WPA3-SAE and 192-Bit enterprise security
- The intention of standardising the mesh networking of 802.11 WANs was part of 802.11-2012 (802.11s) standard but did not succeed for vendor competitive reasons. Also known as HWMP (Hybrid Wireless Mesh Protocol), the mesh portals and AP can dynamically determine best path selection for traffic flow through the meshed WLAN. Although SAE was not implemented for mesh networks, the Wi-Fi Alliance views as more secure replacement for PSK authentication.
- SAE (Simultaneous Authentication of Equals), uses Dragonfly key exchange with Forward Secrecy feature. It is a patent-free technology in which the client/user has prove the knowledge of the password without having to reveal a password.
- SAE does not send the passphrase between 802.11 stations during the key exchange. The process consists of commitment message exchange and confirmation message exchange.
- The security modes supported by WPA3 Personal is 128-bit SAE, WPA3 Enterprise is 192 bit SAE.
- WPA3 mandates the use of PMF (Protected Management Frames).
- EAP over LAN (EAPOL) packets are used across the medium between client STA & the AP controller, Encapsulated EAP over Radius is used between AP/WLAN controller and the Radius Server.
- EAP is L2 protocol used by 802.3 & 802.11 networks.
- Access to the network is managed via controlled & uncontrolled port.
- The most secure methods of authentication use 'mutual authentication'. Most EAP protocols use server-side certificate for completing the user authentication.
- EAP methods
|Developer||IEEE RFC 5216||Juniper (Certicom & Funk Software)||Cisco/Microsoft||Cisco||IETF RFC 4186||Cisco|
|Server Side Certificate||Required||Required||Required||Uses PACs||n/a||Uses Tokens|
|Client Side Certificate||Required||No||No||No||No||No|
|Wi-Fi Security||Very High||High||High||High||High||High|
|Deployment Level||Difficult (Need of PKI)||Moderate||Easier||Easier||Mobile networks only||Moderate|
- Select and implement appropriate encryption solutions
- Encryption methods and concepts (CWSP exam no longer tests on frame overhead knowledge of WEP, TKIP and CCMP).
- Developed by Wi-Fi alliance to combat WEP dictionary attacks.
- TKIP uses 128-bit temporal key, plus a 48-bit TKIP sequence counter, along with transmit address (TA).
- Michael (MIC) is the name of the integrity algorithm used with TKIP that enhances the legacy ICV mechanism. MIC is meant to improve integrity protection while remaining backwards compatible.
- TKIP is deprecated encryption method, and apart from security concerns, it can slow down the network to 54Mbps.
- CCMP is based on CCM of the AES encryption algorithm.
- WPA2 requires the use of CCMP/AES encryption, older legacy devices will not support this and have to be upgraded.
- CCMP starts with 128 bit temporal key which can either be PTK or GTK used to encrypt the broadcast/multicast traffic.
- The 48-bit packet number is much like TKIP sequence number.
- SAE and 192-bit security
- SAE is a variant of Dragonfly Key Exchange defined in RFC 7664 based on Diffie Hellman key change.
- WPA3 capabilities include WPA-3 Personal & WPA3 Enterprise.
- WPA3 Personal leverages SAE, a secure key establishment protocol between devices, to provide stronger protections for users against password guessing attempts by third parties.
- WPA3 Enterprise offers 192-bit cryptographic strength, providing additional protections for network transmitting sensitive data.
- OWE (Opportunistic Wireless Encryption)
- Improved security feature for open wireless network, OWE provides a way for devices to connect to open Wi-Fi networks with an encryption session.
- Currently only Cisco & Aruba solutions support OWE on their latest firmware.
- OWE performs and unauthenticated Diffie-Hellman at association time, it may not be fully secure but still between than shared/public hotspot/PSK in a public place like a coffee shop.
- Select and implement wireless monitoring solutions
- Wireless Intrusion Prevention System (WIPS) - overlay and integrated
- Rouge Detection, Classification, Mitigation/Containment.
- Laptop-based monitoring with protocol and spectrum analysers (Covered in CWAP blogs)
- Understand and explain 802.11 Authentication and Key Management (AKM) components and processes
- Basic Terminology
- RSN - Robust Security Network. RSN can be identified by the identification of RSN-IE element in the Beacon frames.
- RSNA - Robust Security Network Association - used by a pair of STA which use 4-way handshake for auth/association.
- Pre-RSNA - WEP, pre 802.11i
- TSN - Transition Security Network - Transitioning network allows configuration of pre-RSNA+RSNA in the same environment.
- MSK - Master Session Key - 64 Octets in length, used between EAP client and authentication server.
- PMK - Pairwise Master Key - The highest key order, derived from key generated by EAP method or may be obtained by PSK.
- PTK - Pairwise Transient Key = PMK + AA (authenticator address) + SPA (supplicant address) + Anonce + Snonce using a pseudo-random function (PRF). PTK is split up into as many as 5 keys - Temporal encryption key, two temporal message integrity code (MIC) keys, Eapol-key encryption key and Eapol-key confirmation key.
- GMK - Group Master Key - Axillary key used to derive GTK.
- GTK - Random value, assigned by the broadcast/multicast source, which is used to protect MPDUs from the source.
• Encryption keys and key hierarchies
- Key Hierarchies
- The 802.11-2012 standard specifies RSN key hierarchy for authentication and dynamic encryption keys. The is often referred to as AKM (authentication key management). The process works from top down, starting with either a paraphrase, PSK or MSK.
- PSK is 256bits in length or 64 characters when expressed in hex. The static key is configured on AP/WLAN controller. Remembering and entering a 64-bit PSK can be tedious at times. The way around it is to configure a short ASCII password or paraphrases, which is 8 to 63 character string entered into the client software utility (laptop/mobile device) and the AP. The passphrase must match at both the ends.
- The whole point of the passphrase-PSK mapping formula is to simplify the configuration for the average end-user. Most people can remember the 8-character password as opposed to 256-bit PSK
- Encryption Terminologies
- Encryption Algorithm - Mathematical procedures used to obscure information so it appears meaningless. AES, RC4, RC5, RC6 are some of the examples.
- Hash Function/Algorithm - Procedure which takes an arbitrary block of data and returns a fixed size bit string.
- Cipher Suite - Named combination of authentication, encryption and the message authentication code use to negotiate security settings for a network connection.
- Stream cipher - Symmetric key cipher where plaintext bits are combined with a keystream typically by an xor operation.
- 802.11 WAN uses RC4 stream cipher with WEP/TKIP.
- Block cipher - Symmetric key cipher operating on fixed length group of bits called blocks.
- Block cipher specify the size of the block to be encrypted and CCMP/AES uses 128-bit block.
- Symmetric Key Encryption - Class of algorithms for cryptography that use trivially related, often identical cryptographic keys for decryption and encryption.
- Static/Dynamic key implementations
- The actual encryption keys are never transmitted over the Wi-Fi medium. Instead anonce/snonce and other required information is transmitted and then each participating device generates the keys. This adds additional layer of security.
- Asymmetric Encryption - Class of algorithms using separate key pairs for encryption and decryption.
- Also known as public key cryptography
- The public key is distributed whereas the private key is kept by one entity alone.
- 4-way handshake
- Final process used to generate PTK for encryption of unicast transmissions and a GTK for broadcast/multicast transmissions.
- Uses 4 EAPOL-key frame messages between authenticator and the supplicant for 6 major purposes.
- Confirm the existence of PMK at the peer station.
- Ensure that the PMK is current
- Derive new PTK from PMK
- Install PTK on the supplicant and the authenticator
- Transfer the GTK from the authenticator to the supplicant and install GTK on the supplicant and authenticator if necessary.
- Confirm the selection of the cipher suits.
- AP ~ Authenticator, Client - Supplicant
- M1 - AP >> sends EAPOL-Key frame containing "Anonce" for PTK. Client STA will use this to generate "Snonce" and derive PTK.
- M2 - Client >> sends EAPOL-Key frame containing "Snonce + RSNE + MIC". The supplicant derives a PTK. The MIC will be set to bit 1 and will be confirmed by the AP. The RSN element will be visible in this message.
- M3 - The AP >> sends the EAPOL-Key frame and derives the PTK. The MIC is verified and GTK is sent in M3.
- M4 - The client >> sends the last EAPOL-Key frame to the AP. It notifies the AP if the temporal keys will be installed and the secure bit will be sent.
- Group Key Handshake
- 2 frame handshake used to distribute new GTK to client stations that have already obtained a PTK and GTK in a previous 4-Way Handshake exchange.
3.2 Implement or recommend appropriate wired security configurations to support the WLAN
3.2.1 Physical port security in Ethernet switches
3.2.2 Network segmentation, VLANs, and layered security solutions
3.2.3 Tunnelling protocols and connections
3.2.4 Access Control Lists (ACLs)
- Implement authentication and security services
3.3.1 Role-Based Access Control (RBAC)
3.3.2 Certificate Authorities (CAs)
3.3.3 AAA Servers
3.3.4 Client onboarding
3.3.5 Network Access Control (NAC)
3.3.6 BYOD and MDM
3.4 Implement secure transitioning (roaming) solutions
3.4.1 802.11r Fast BSS Transition (FT)
3.4.2 Opportunistic Key Caching (OKC)
3.4.3 Pre-Shared Key (PSK) - standard and per-user
3.5 Secure public access and/or open networks
3.5.1 Guest access
3.5.2 Peer-to-peer connectivity
3.5.3 Captive portals
3.5.4 Hotspot 2.0/Passpoint
3.6 Implement preventative measures required for common vulnerabilities associated with wireless infrastructure devices and avoid weak security solutions
3.6.1 Weak/default passwords
3.6.3 Firmware/software updates
3.6.4 HTTP-based administration interface access
3.6.5 Telnet-based administration interface access
3.6.6 Older SNMP protocols such as SNMPv1 and SNMPv2Read more link text
After the deployment of new Extreme Aerohive Wireless solution at an Enterprise office, a number of user complaints were received for applications resetting and disconnecting while working on Wi-Fi. The users did not have this problem while working from other offices or their home.
Some of the applications like Teradata SQL Assistant & other applications which used SQL backend reset itself while executing queries. From the Wi-Fi standpoint, the client had no issues with the Signal/Noise/RSSI which was received.
Teradata SQL and other SQL application use TCP port 125. After engaging the TAC team requested for remote pcap aka frames for wireless for wired/wireless interfaces of the Extreme Access Points. Below are the steps required to run the remote captures.
- Enable remote capture on the Extreme Aerohive AP 650/510C with the cli command - exec capture remote-sniffer
- Logon to the machine with Wireshark installed and configure the remote interfaces. Enter the management IP of the Access Point (Host), leave the port field blank.
3. Install Wireshark on a remote machine and apply packet slicing as the pcap/frame capture will be huge. Make sure the system capturing has enough disk space for doing so.
4. Choose all the interfaces/required interfaces and start the capture.
After analysing the pcap it was found that there were some TCP retransmissions being caused on TCP port 1025 but the root cause/reason was not yet determined.
After a few days of captures and analysing the frames, it was discovered that the issues were primarily caused due to DoS prevention rule in place for the SSID as an optional setting. We had to disable this feature and the issue just vanished. The below option caused TCP to reset if the client IP session was idle.
Though it took a while to come to this it was interesting to learn on how to perform remote frame captures which is still helpful to understand and analyse on what is going on the wireless end.
As in most cases, this was not a radio/wireless issue all together but still resolved from the vendor side after disabling the feature.Read more link text