Certified Wireless Network Administrator Day 1-4
These are the actual labs taught in the course:
Spectrum Analysis
This lab is designed to familiarize the student with a laptop-based spectrum analyzer.
Areas of interest include:
- Swept Spectrogram
- Real Time FFT
- FFT Duty Cycle
- Channel Utilization
- Interference with Wi-Fi Channels
- Interfering Device Discovery
In the first sections of this lab, students will install the spectrum analyzer software followed by loading the pre-recorded spectrum captures for review as a class. In the last section of this lab, the instructor may optionally do a live capture of the RF environment for classroom discussion purposes. Doing a live capture requires spectrum analysis hardware (typically a USB or CardBus radio adapter).
Wireless LAN Security
This lab is built around measuring WLAN throughput under various circumstances and is separated into three sections:
- Section A: Greenfield mode throughput (802.11b vs. g vs. a vs. n)
- Section B: Mixed mode throughput
- Section C: Adjacent and co-channel interference
Understanding the "speeds and feeds" of all Wi-Fi technologies is crucial to optimizing WLAN installations, applications, and good network design. This lab demonstrates the varying throughputs for Wi-Fi connectivity standards by using FTP to transfer large files from client devices to servers. You will see and compare actual throughputs of each different standard technology and the impact of using mixed technologies.
Using Laptop Analyzers
This lab is focused on the use of laptop analyzers for WLAN discovery and protocol analysis. Understanding security and performance related protocol analysis will aid the WLAN administrator in policy compliance, proper implementation, and troubleshooting. The following steps will be covered in this lab exercise.
- Installing and configuring a WLAN discovery tool
- Installing and configuring a laptop protocol analyzer
- Locating 2.4 GHz and 5 GHz WLANs
- Capturing and analyzing Management, Control, and Data frames
- Capturing and analyzing a WPA2-Personal authentication
A protocol analyzer is provided on the student CD.
Site Survey
Two specific classes of site survey methodology exist and are used in the WLAN market today. This exercise is separated into two sections identifying each methodology:
- Section A: Manual site surveys (sometimes called “the walkabout”)
- Section B: Predictive analysis (sometimes called “automated site surveying”)
Within each class exist two distinct categories. Manual site surveying can be categorized as active mode or passive mode; one or both modes can be used at any given time.
Predictive analysis software tools are based on a mathematical model of a facility blueprint and can be performed in two distinct ways. First, importing an AutoCAD (vector graphic) drawing allows the predictive analysis software tool to understand detailed complex layers of a facility's construction, including wall attenuation, attenuation between floors, and channel interference. Second, importing of raster graphics, such as .jpg or .bmp, allows for faster but often less accurate modeling.
Neither methodology is 100% accurate, since each has its own individual weaknesses. Used together, the surveyor can create a more complete RF snapshot of any facility.
In this exercise, students will conduct both manual and predictive analysis surveying, using software and hardware tools (determined by the instructor or specific class needs).
Basic WLAN Security
The Wi-Fi Alliance has standardized security mechanisms for SOHO and enterprise environments. Two distinct classes of security mechanisms exist:
- WPA compliant
- WPA2 compliant
Within each class are two categories: Personal and Enterprise. WPA implies a pre-802.11i snapshot that addresses only TKIP encryption. WPA2 implies 802.11i compliant CCMP (default) and/or TKIP. Enterprise implies the use of 802.1X/EAP authentication mechanisms, and Personal implies that passphrases are the authentication mechanism being used.
| Wi-Fi Alliance Security Mechanism | Authentication Mechanism | Cipher Suite | Encryption Mechanism |
|---|---|---|---|
| WPA-Personal | Passphrase | TKIP | RC4 |
| WPA-Enterprise | 802.1X/EAP | TKIP | RC4 |
| WPA2-Personal | Passphrase | CCMP (default), TKIP (optional) | AES (default), RC4 (optional) |
| WPA2-Enterprise | 802.1X/EAP | CCMP (default), TKIP (optional) | AES (default), RC4 (optional) |

Wi-Fi Alliance security mechanisms are only applicable at Layer 2 of the OSI model. Other security mechanisms for WLANs exist, such as VPNs and secure applications, but this lab exercise addresses only those security mechanisms provided by the 802.11-2007 standard.
Wireless Intrusion Prevention Systems
This lab is focused on Wireless Intrusion Prevention Systems (WIPS). WIPS are known for three specific functions: security monitoring, performance monitoring, and reporting. In this lab exercise, we will focus only on security monitoring and reporting. Areas of particular interest include:
- Installation and configuration of WIPS
- Properly classifying authorized, rogue/unauthorized, and external/interfering access points or clients
- Event monitoring and notification
- Identifying and mitigating rogue devices
Note:
Although WIPS can identify, and often act upon, hundreds of wireless attacks, we will only use one type of common attack in this lab exercise to demonstrate WIPS functionality. If time permits, the instructor may perform additional attacks that can be recognized and perhaps mitigated.
The following list contains the materials covered in the lecture portion of the course:
Introduction to 802.11 WLANs
- Discuss the standards organizations responsible for shaping the 802.11 Wireless LAN protocol
- Learn how standards compliance is enforced for 802.11 WLAN vendors
- Examine the 802.11 standard and various amendments
- Discuss additional networking standards that are commonly used to enhance 802.11 WLANs
Radio Frequency Fundamentals
- Physical aspects of RF propagation
- Types of losses and attenuation that affect RF communications
- Types of modulation and coding schemes (MCS) used for 802.11 communications
- How channels and bandwidth are related to each other in wireless networks
- Types of Spread Spectrum used in wireless networking
RF Power Output Regulations
- Understand international, regional, and local RF spectrum management organizations
- Understand RF channels in the unlicensed 2.4 GHz and 5 GHz frequency ranges
- Understand how power output limitations are enforced by the FCC for Point-to-Multipoint (PtMP) and Point-to-Point (PtP) wireless connections
Power over Ethernet
- Recognize the two types of devices used in Power over Ethernet (PoE)
- Recognize the differences between the two types of Power Sourcing Equipment (PSE)
- Understand the two ways in which power can be delivered using PoE
- Understand the importance of planning to maximize the efficiency of Power over Ethernet
- Understand the two standards currently available for PoE
- Powering 802.11n APs
Basic WLAN Analysis
- Protocol Analysis
- 802.11 Frame Types
- Data Frames
- Control Frames
- Management Frames
- Protection Mechanisms
- Legacy Power Saving operations
- Transmission Rates
Coordinating 802.11 Frame Transmissions
- Differences between CSMA/CD and CSMA/CA
- Distributed Coordination Function (DCF)
- Network Allocation Vector (NAV)
- Clear Channel Assessment (CCA)
- Interframe Spacing (IFS)
- Contention Window (CW)
- Quality of Service in 802.11 WLANs
- Point Coordination Function (PCF)
- Hybrid Coordination Function (HCF)
RF Math and System Operating Margin
- RF units of measure
- Basic RF mathematics
- RF signal measurements
- Understand link budgets
802.11 Service Sets
- Three types of service sets defined for use within 802.11 WLANs
- 802.11 authentication and association
- 802.11 network infrastructure
- Roaming within a WLAN
- Load-balancing as a method to improve congestion in WLANs
The 802.11n Amendment
- Challenges addressed by 802.11n
- 802.11n PHY/MAC layer enhancements
- MIMO and SISO systems
- 802.11n coexistence mechanisms
- 802.11n integration and deployment considerations
- 802.11n site surveying and analysis
Wireless LAN Operation
- WLAN Hardware Devices
- WLAN Software
- Architecture Types and Evolution
- Ad Hoc & Infrastructure Connectivity Operation
- AP Modes
- Bridging & Repeating
- Mesh Networking
- WLAN Controller Deployments
- WLAN Profiles
- Multichannel Architecture (MCA)
- Single Channel Architecture (SCA)
- WLAN Management Systems (WNMS)
WLAN Security
- The Importance of WLAN Security
- Security Policy
- Legacy WLAN Security Mechanisms
- Modern WLAN Security Mechanisms
- Baseline WLAN Security Practices
Site Surveying
- Defining an RF site survey
- Spectrum Analysis
- Types of RF site surveys
- Manual RF site surveys
- Predictive Modeling
- Dense AP deployments
Antennas
- Types of antennas and antenna systems commonly used in 802.11 WLANs
- Antenna Polarization and Gain
- Antenna implementation and safety
- Types of antenna cables, connectors, and other accessories

AirMagnet Trio/Reporter - Performance and Security Analysis
AirMagnet Distributed with Hardware Sensors


Ekahau Site Survey Training and Certification
easy planning, quick site surveys, state-of-the-art visual representation, and advanced analysis, optimization, and reporting features.
WildPackets
WildPackets iNetTools
AiroPeek NX - Performance and Security Analysis
AiroPeek NX - Distributed Analysis with RF Grabber
WiSPY - $99!
Wi-Fi Integration: Information such as SSID, Channel and dBm is overlaid on the 2.4 GHz data. (This does not use the Wi-Spy hardware. It uses the computer's Wi-Fi card.)
Networked Wi-Spy: Connect to a Wi-Spy through an IP address. (See Recon for Wi-Spy.)
Configuration Options: Zoom into a channel with greater resolution, for detailed troubleshooting.
Signature Identification: A “Signatures” sidebar makes it easy to match the shape appearing in your graph to the device signature (from MetaGeek's growing Signatures Library), so you can identify the interference.
Data Inspector: Shows frequency, amplitude, time, and other data of any point in any view.
Embedded Notes: Textual information can now be added to any recording by embedding user notes.
Wi-Fi Reports
SSID Overlay
Wireless Devices
Chanalyzer turns data collected from a Wi-Spy into highly interactive charts and graphs, allowing users to “visualize” their wireless landscape. Together, Wi-Spy and Chanalyzer enable both enterprise and small business users to visualize, troubleshoot, and optimize their wireless networks.
Air Defense
AirDefense BlueWatch is the industry's first Bluetooth monitoring solution
Airtight Networks
Multi Wireless Device Monitoring and prevention
Certified Wireless Security Professional Day 5-8
These are the actual labs taught in the Wireless LAN Security Course:
- Packet Analysis & Spoofing
- Rogue Hardware & Default Settings
- RF Jamming & Data Flooding
- Information Theft
- Wireless Hijacking and DoS Attacks
- Access Point VPNs
- Scalable Wireless VPN Solutions
- EAP - Cisco Wireless (LEAP)
- Layered Wireless Security
- Wireless Bridging Security
- 802.1x and EAP-TTLS
- SSH2 Tunneling & Local Port Redirection
Course Outline
WLAN Controller Security
The WLAN controller is currently the centerpiece of 802.11 security. All other pieces of the WLAN security puzzle orbit around the WLAN controller. For this reason, gaining an in-depth understanding of how to secure access to the controller and how to use the controller to secure the WLAN is essential.
This lab is focused on WLAN controller security, and primarily covers the following areas:
- Secure access to the WLAN controller using secure management protocols
- Configuring multiple WLAN profiles, each with its own authentication and cipher suites including WPA/WPA2 Personal and Enterprise
- Configuring the WLAN controller for RADIUS connectivity and authentication
- Client station connectivity to the controller - including DHCP and browsing
- Integrated rogue device discovery
Wireless Intrusion Prevention Systems (WIPS)
This lab is focused on Wireless Intrusion Prevention Systems (WIPS). WIPS are known for three overriding functions: security monitoring, performance monitoring, and reporting. In this lab exercise, we will focus only on security monitoring and reporting. Areas of particular interest include:
- WIPS installation, licensing, adding/configuring sensors, and secure console connectivity
- Configuration according to organizational policy
- Properly classifying authorized, unauthorized, and external/interfering access points
- Identifying and mitigating rogue devices
- Identifying specific attacks against the authorized WLAN infrastructure or client stations
Using Laptop Analyzers
This lab is focused on the use of laptop analyzers for spectrum analysis, protocol analysis, and WLAN discovery. Understanding driver issues, security-related protocol analysis (authentication and encryption), and spectrum analysis will aid the wireless security professional in policy compliance, proper implementation, and troubleshooting. The following steps will be covered in this lab exercise.
- Installing and configuring a WLAN discovery tool
- Installing, licensing, and configuring a laptop protocol analyzer
- Installing, licensing, and configuring a laptop spectrum analyzer
- Locating and analyzing 2.4 GHz and 5 GHz WLANs with a WLAN discovery tool
- Locating and analyzing 2.4 GHz and 5 GHz WLANs with a WLAN protocol analyzer
- Capturing and analyzing a WPA2-Personal authentication in a WLAN protocol analyzer
- Capturing and analyzing a WPA2-Enterprise authentication in a WLAN protocol analyzer
- Capturing and analyzing Hotspot authentication and data traffic in a WLAN protocol analyzer
- Capturing and analyzing Beacons, Probe Requests, Probe Responses, and Association Requests with a WLAN protocol analyzer
- Viewing a normal RF environment, a busy RF environment, and an RF attack on the WLAN in a spectrum analyzer
Fast BSS Transitions (FT)
This lab is focused on fast BSS transition (FT) within an Extended Service Set. Moving quickly and securely between access points attached to a single controller or multiple controllers is a requirement of real-time mobility devices such as wVoIP phones and mobile video devices. An in-depth understanding of the standards-based and proprietary processes by which a WLAN infrastructure system delivers FT services means the difference between a successful deployment and a complete failure. The following steps will be covered in this lab exercise.
- Configure a WLAN infrastructure with two controllers and two APs per controller. Configure APs for specific power and channel settings
- Install and configure a RADIUS server for PEAP
- Configure both controllers and an authorized client device for PEAP authentication using the CCMP cipher suite
- Configure an 802.11 protocol analyzer to capture on a specific channel
- Using an 802.11 frame generator function, deauthenticate the authorized client station to force intra- and inter-controller roaming
- Perform a slow BSS transition within a controller as a baseline
- Enable FT mechanisms within controllers and the client station
- Perform a fast BSS transition within a controller as a comparison
- Perform a slow BSS transition between controllers as a baseline
- Perform a fast BSS transition (if vendor FT mechanisms permit) between controllers as a comparison
The following list contains the materials covered in the lecture portion of the course:
Introduction to WLAN Security Technology
- Security policy
- Security concerns
- Security auditing practices
- Application layer vulnerabilities and analysis
- Data Link layer vulnerabilities and analysis
- Physical layer vulnerabilities and analysis
- 802.11 security mechanisms
- Wi-Fi Alliance security certifications
Small Office / Home Office WLAN Security Technology and Solutions
- WLAN discovery equipment and utilities
- Legacy WLAN security methods, mechanisms, and exploits
- Appropriate SOHO security
WLAN Mobile Endpoint Security Solutions
- Personal-class mobile endpoint security
- Enterprise-class mobile endpoint security
- User-accessible and restricted endpoint policies
- VPN technology overview
Branch Office / Remote Office WLAN Security Technology and Solutions
- General vulnerabilities
- Preshared Key security with RSN cipher suites
- Passphrase vulnerabilities
- Passphrase entropy and hacking tools
- WPA/WPA2 Personal - how it works
- WPA/WPA2 Personal - configuration
- Wi-Fi Protected Setup (WPS)
- Installation and configuration of WIPS, WNMS, and WLAN controllers to extend enterprise security policy to remote and branch offices
Enterprise WLAN Management and Monitoring
- Device identification and tracking
- Rogue device mitigation
- WLAN forensics
- Enterprise WIPS installation and configuration
- Distributed protocol analysis
- WNMS security features
- WLAN controller security feature sets
Enterprise WLAN Security Technology and Solutions
- Robust Security Networks (RSN)
- WPA/WPA2 Enterprise - how it works
- WPA/WPA2 Enterprise - configuration
- IEEE 802.11 Authentication and Key Management (AKM)
- 802.11 cipher suites
- Use of authentication services (RADIUS, LDAP) in WLANs
- User profile management (RBAC)
- Public Key Infrastructures (PKI) used with WLANs
- Certificate Authorities and X.509 digital certificates
- RADIUS installation and configuration
- 802.1X/EAP authentication mechanisms
- 802.1X/EAP types and differences
- 802.11 handshakes
- Fast BSS Transition (FT) technologies