WLAN Security | The Best Practices

Security in a wireless network is essential; while designing a WLAN you have to consider the following important aspects of security.

IEEE 802.11i/WPA2:

In a WLAN there are several security protocols to choose from. One of the best known is WEP (Wired Equivalent Privacy), which arrived with the 802.11b standard, but it is flawed and vulnerable to several attacks. WPA2 is a better option than WEP and gives you considerably more security. WPA2 incorporates 802.1X, which works on top of 802.3 and 802.11 and authenticates individual users and devices using EAP together with an authentication server such as RADIUS. WPA2 also includes RSN (Robust Security Network), which keeps track of the association to each access point. For confidentiality and integrity it uses AES (Advanced Encryption Standard), which provides strong encryption with 128-bit or 256-bit keys or more.

Unauthorized Access:

Another design issue is unauthorized access. Remember that a WLAN has no physical network boundary, so an attacker can reach your network from outside your physical security perimeter using a mobile device or a Wi-Fi-equipped laptop. MAC address filtering lets you grant access only to authorized users and devices, but nowadays there is plenty of software that can spoof a MAC address towards your access point (AP). MAC filtering also does not scale; it is difficult to manage and control with a large number of users. Use 802.1X instead to limit unauthorized access.

802.1X provides port-based security; it is the best way to handle unauthorized access and a good alternative to MAC address filtering. 802.1X authenticates the user before granting access to the network.

Authentication Choices for WLAN:

In a WLAN the authentication process is shown in the following figure:

Figure: wireless authentication process

In 802.1X you have a supplicant, the end device such as a computer or laptop, and an authenticator, which can be a switch or an access point. You also have an authentication server, which may be a RADIUS server. The authenticator has a controlled port, through which it relays the supplicant's (laptop's) authentication to the RADIUS server, and an uncontrolled port, over which the supplicant authenticates using one of several security protocols. These security protocols matter when choosing the final security protocol for your wireless design; they are:

  • EAP-TLS
  • PEAP
  • EAP-TTLS
  • LEAP
  • EAP-FAST

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security):

EAP-TLS is the most commonly used EAP method in wireless networks and the most secure method available; you need certificates at both the supplicant and the authentication server. You need a key pair for each certificate, signed by some certificate authority; the CA server can be co-located with the authentication server or placed in the server farm. EAP-TLS uses an SSL-like exchange, which gives you a secure tunnel for sending the user certificates. Although EAP-TLS is the most secure method, it is more complex and expensive to deploy than the other security protocols. EAP-TLS is the complete security solution for a large organization.

PEAP (Protected Extensible Authentication Protocol):

PEAP is a wireless security protocol. Compared with EAP-TLS, PEAP only needs server-side certificates; these are used to create the tunnel, and the real authentication takes place inside that tunnel. PEAP is used mostly by Cisco and Microsoft; on Microsoft Windows, PEAP uses CHAP and MS-CHAP to authenticate users inside the tunnel.

EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security):

EAP-TTLS is one of the older security protocols used for wireless security; it is only used where you have older authentication devices or a Windows NT environment. It is like PEAP and uses a TLS tunnel for protection. EAP-TTLS mostly uses CHAP, MS-CHAP and EAP-MD5. Although EAP-TTLS was introduced earlier, Microsoft and Cisco mostly use PEAP.

LEAP (Lightweight Extensible Authentication Protocol):

LEAP is a Cisco proprietary security protocol for wireless networks that works with the 802.1X standard. It is supported by Cisco Aironet products and other wireless devices, and by most Microsoft and Linux operating systems. LEAP has known vulnerabilities and can be cracked with different tools, but it is still used by organizations that have Cisco devices.


EAP-FAST (Flexible Authentication via Secure Tunneling):

EAP-FAST is a security protocol used for wireless networks. It provides flexible authentication via secure tunneling and was developed to overcome the weaknesses and vulnerabilities of LEAP. With EAP-FAST, server certificates are optional, which makes it a lower-cost solution than PEAP and EAP-TLS. EAP-FAST uses a PAC (Protected Access Credential) to establish the TLS tunnel that protects the credentials in transit. A PAC is basically a strong shared secret key, unique to every single client. EAP-FAST is the best option for small to medium wireless networks.
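To put the recommendations of this WLAN security section into a form that can be run against an inventory of SSID profiles, here is an added example in Python; it is not code from the original article. The WlanProfile fields and the finding texts are assumptions made for the example, and a real controller exports the same settings under its own names. It encodes the points made above: WEP is rejected, a pre-shared key identifies no individual user, MAC filtering is flagged as spoofable and unscalable, and each EAP method is checked for the certificates it needs, with LEAP flagged for its known weaknesses.

```python
from dataclasses import dataclass
from typing import List, Optional

# Field names are assumptions made for this example; controllers expose the
# same settings under their own names.
@dataclass
class WlanProfile:
    ssid: str
    security: str                     # "open", "wep", "wpa-psk", "wpa2-psk", "wpa2-enterprise"
    cipher: Optional[str] = None      # "tkip" or "aes" (AES-CCMP is the 802.11i cipher)
    eap_method: Optional[str] = None  # "eap-tls", "peap", "eap-ttls", "leap", "eap-fast"
    server_cert: bool = False         # certificate installed on the RADIUS/authentication server
    client_cert: bool = False         # certificates issued to the supplicants
    mac_filter: bool = False          # MAC address filtering enabled on the AP

SEVERITY = {"CRITICAL": 0, "ERROR": 1, "WARN": 2, "INFO": 3}


def check_eap(profile: WlanProfile) -> List[str]:
    """Certificate requirements and known weaknesses of each EAP method described above."""
    method = (profile.eap_method or "").lower()
    out: List[str] = []
    if method == "eap-tls":
        if not (profile.server_cert and profile.client_cert):
            out.append("ERROR: EAP-TLS needs certificates on both the supplicant and the authentication server")
    elif method in ("peap", "eap-ttls"):
        if not profile.server_cert:
            out.append(f"ERROR: {method.upper()} needs a server certificate to build its TLS tunnel")
    elif method == "leap":
        out.append("WARN: LEAP has known weaknesses and can be cracked; EAP-FAST was designed to replace it")
    elif method == "eap-fast":
        if not profile.server_cert:
            out.append("INFO: EAP-FAST runs without a server certificate; its security then rests on PAC provisioning")
    else:
        out.append("ERROR: 802.1X is enabled but no supported EAP method is configured")
    return out


def audit(profile: WlanProfile) -> List[str]:
    """Check one profile against the WLAN guidance above; returns findings, most severe first."""
    findings: List[str] = []
    sec = profile.security.lower()

    if sec == "open":
        findings.append("CRITICAL: no authentication or encryption at all")
    elif sec == "wep":
        findings.append("CRITICAL: WEP is broken; move to WPA2 (802.11i) with AES")
    elif sec in ("wpa-psk", "wpa2-psk"):
        findings.append("INFO: a shared key identifies no individual user; use 802.1X/EAP with RADIUS where users must be identified")
    elif sec == "wpa2-enterprise":
        findings.extend(check_eap(profile))
    else:
        findings.append(f"ERROR: unknown security mode '{profile.security}'")

    # 802.11i confidentiality and integrity come from AES; TKIP is a WPA-era fallback.
    if sec.startswith("wpa") and (profile.cipher or "").lower() != "aes":
        findings.append("WARN: cipher is not AES; use AES-CCMP for confidentiality and integrity")

    # MAC filtering is described above as neither a real access control nor scalable.
    if profile.mac_filter:
        findings.append("WARN: MAC filtering is not an access control (addresses can be spoofed) and does not scale; rely on 802.1X")

    return sorted(findings, key=lambda f: SEVERITY[f.split(":", 1)[0]])


if __name__ == "__main__":
    for p in (WlanProfile("corp", "wpa2-enterprise", "aes", "eap-tls", server_cert=True, client_cert=True),
              WlanProfile("guest", "wep", mac_filter=True),
              WlanProfile("legacy", "wpa2-enterprise", "tkip", "leap")):
        print(p.ssid, audit(p) or ["OK"])
```

Running the script prints an empty finding list for the EAP-TLS profile with both certificates, a CRITICAL and a WARN for the WEP profile with MAC filtering, and two WARNs for the LEAP-with-TKIP profile.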

Wireless LAN Standards | 802.11a vs 802.11b vs 802.11g

The main standard for wireless LANs is 802.11. WLAN applications include in-building access, LAN extension, outdoor building-to-building communication, public access, and small office/home office communication. Some of the well-known standards used in wireless communication are:

802.11 Wireless Standard:

802.11 is the wireless local area network standard; the original 802.11 standard was introduced by the IEEE in 1997.

  • It uses two different RF technologies: FHSS (frequency-hopping spread spectrum) and DSSS (direct-sequence spread spectrum).
  • FHSS and DSSS operate at 1 Mbps or 2 Mbps, and 802.11 operates in the 2.5 GHz frequency range.
  • The 802.11 family uses half-duplex modulation.
  • 802.11b and 802.11g are the most widely used standards in wireless communication.


802.11b Wireless Standard:

The 802.11b standard was introduced by the IEEE in 1999.

  • It uses DSSS (direct-sequence spread spectrum) in the 2.4 GHz frequency range.
  • 802.11b uses the Barker-11 and CCK encoding schemes; the modulation types used in 802.11b are DBPSK and DQPSK.
  • 802.11b has data rates from 1 Mbps to 11 Mbps; each data rate (1, 2, 5.5, 11 Mbps) uses a different modulation technique.
  • In 802.11b you have three non-overlapping channels: 1, 6 and 11.

802.11g Wireless Standard:

802.11g was introduced in 2003 and is backward compatible with 802.11b.

  • The RF modulation technologies used by 802.11g are DSSS and OFDM.
  • 802.11g operates in the 2.4 GHz spectrum.
  • In 802.11g you have three non-overlapping channels: 1, 6 and 11.


802.11a Wireless Standard:

This standard came out in 1999.

  • 802.11a uses OFDM.
  • 802.11a provides a maximum data rate of 54 Mbps.
  • 802.11a operates in the 5.0 GHz band.
  • 802.11a is incompatible with 802.11b and 802.11g.
  • 802.11a is less widely used than 802.11b and 802.11g.
  • 802.11a supports data rates from 6 to 54 Mbps.
  • The data rate drops to 48, 36, 24, 18, 12, 9 and then 6 Mbit/s as required. 802.11a originally had 12/13 non-overlapping channels.

802.11n Wireless Standard:

  • The IEEE 802.11n standard was ratified in 2009.
  • It added multiple-input multiple-output (MIMO) antennas, with an expected maximum data rate of up to 600 Mbps using four spatial streams, each 40 MHz wide.
  • In addition to DSSS, it uses orthogonal frequency-division multiplexing (OFDM) as its digital carrier modulation method. IEEE 802.11n uses both the 2.4 GHz and 5 GHz bands.

Network management Design and Solution | CCDA

Once your network is designed and deployed, it must be managed by the operations team. Network management tools are used to gather operating statistics and to manage devices. Statistics are gathered on WAN bandwidth utilization, router CPU and memory utilization, and interface counters. In a large network you need proper network management to control the flow of traffic. There are many tools that help you accomplish network management tasks. In this article we discuss solid techniques for managing your network properly.

Designing Network Management Steps:

  • Network management essentials, or the key things for network management
  • FCAPS network management model:
      • Network Fault Management
      • Network Configuration Management
      • Network Accounting Management
      • Network Performance Management
      • Network Security Management
  • SLA resources

Key things for network management:

Some important protocols and tools are necessary for network management; they include SNMP, Cisco NetFlow, RMON, RMON 2, CDP, etc.

Network management systems are based on SNMP (Simple Network Management Protocol), which runs over IP using UDP. SNMP is used to share management information between network devices, and it also helps in controlling, troubleshooting and planning a network. SNMPv3 is the latest version of SNMP, and as a network engineer you need to make sure that SNMPv3, which is more secure, is the version running in your network. Keep in mind that the older SNMP versions are still widely deployed, so if you stay with an older version you must address its security weaknesses. CiscoWorks (Network Manager) is a network management tool you can use for management. RMON 2 is another tool for network management; it helps in monitoring LAN traffic and tracks the number and size of packets, broadcasts, utilization, errors and statistics. RMON agents run on various network devices.

Cisco NetFlow is another useful protocol for network management; it allows the tracking of IP flows as they pass through routers and multilayer switches. An IP flow is a set of IP packets within a specific time slot that share a number of properties, such as the same source address, destination address, type of service, and protocol number. NetFlow information is forwarded to a network data analyzer, network planning tools, RMON applications, or accounting and billing applications. NetFlow enables network planning, traffic engineering, billing, accounting, and application monitoring.
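As an added illustration of the flow definition NetFlow works with (this is example code, not from the article or from Cisco), the following Python groups constructed packet records into flows keyed by the shared properties listed above, closes a flow after an inactive gap, and produces the per-source byte totals a network data analyzer would report. The packet records, the 15-second inactive timer and the function names are constructed for the example; a real exporter also keys on the input interface and uses configurable timers.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float     # arrival time in seconds
    src: str
    dst: str
    proto: int    # IP protocol number (6 = TCP, 17 = UDP)
    tos: int      # type of service byte
    sport: int
    dport: int
    size: int     # bytes on the wire


@dataclass
class Flow:
    first: float
    last: float
    packets: int
    bytes: int


FlowKey = Tuple[str, str, int, int, int, int]


def build_flows(packets: List[Packet], inactive_timeout: float = 15.0) -> List[Tuple[FlowKey, Flow]]:
    """Group packets into flows by (src, dst, proto, tos, sport, dport).

    A flow is expired when the gap since its last packet exceeds inactive_timeout
    (the exporter's inactive timer); a later packet with the same key starts a new flow.
    """
    active: Dict[FlowKey, Flow] = {}
    expired: List[Tuple[FlowKey, Flow]] = []
    for p in sorted(packets, key=lambda x: x.ts):
        key: FlowKey = (p.src, p.dst, p.proto, p.tos, p.sport, p.dport)
        flow = active.get(key)
        if flow is not None and p.ts - flow.last > inactive_timeout:
            expired.append((key, active.pop(key)))
            flow = None
        if flow is None:
            active[key] = Flow(first=p.ts, last=p.ts, packets=1, bytes=p.size)
        else:
            flow.last = p.ts
            flow.packets += 1
            flow.bytes += p.size
    return expired + list(active.items())


def top_talkers(flows: List[Tuple[FlowKey, Flow]], n: int = 3) -> List[Tuple[str, int]]:
    """Bytes per source address: the summary an analyzer shows for planning or billing."""
    totals: Dict[str, int] = {}
    for key, flow in flows:
        totals[key[0]] = totals.get(key[0], 0) + flow.bytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed packet records for the example (not captured traffic).
SAMPLE_PACKETS = [
    Packet(0.0, "10.1.1.5", "192.0.2.10", 6, 0, 51000, 443, 1500),
    Packet(0.2, "10.1.1.5", "192.0.2.10", 6, 0, 51000, 443, 1500),
    Packet(0.5, "192.0.2.10", "10.1.1.5", 6, 0, 443, 51000, 60),
    Packet(1.0, "10.1.1.7", "192.0.2.53", 17, 0, 40000, 53, 80),
    Packet(30.0, "10.1.1.5", "192.0.2.10", 6, 0, 51000, 443, 1500),  # same key after a 30 s gap: new flow
]

if __name__ == "__main__":
    flows = build_flows(SAMPLE_PACKETS)
    for key, flow in flows:
        print(key, flow)
    print(top_talkers(flows))
```

With the constructed records the five packets become four flows, because the last packet arrives after the inactive timer has expired the first flow; with a 60-second timer it would join that flow instead.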

Cisco Discovery Protocol (CDP) is also a useful protocol for gathering data-link layer information from Cisco devices.

FCAPS Network Management Model:

FCAPS is the ISO network management model; it focuses on the following areas.

Network Fault Management:

Fault management handles abnormal network operation, faults and issues. You accomplish it by:

  • Detecting the problem
  • Identifying the issue
  • Bypass and recovery
  • Resolving the situation
  • Tracking and managing the problem

For fault management you can check the events or logs of the different network devices, such as routers and switches. The devices that generate the logs are termed event generators, and you view the events on an event collector, such as a device running CiscoWorks or another network management tool. Events are activities that happen on the network, such as state events or performance events; a link going down is an example of a state event.
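The detect, identify and track steps above can be illustrated with a small event collector that replays state events. The Python below is an added example, not code from the article: it parses constructed syslog lines in the Cisco %FACILITY-SEVERITY-MNEMONIC format, follows each interface's link state, and reports interfaces that are currently down or have flapped. The sample lines, host names, function names and the flap threshold are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Cisco-style message: "<timestamp> <host> %FACILITY-SEVERITY-MNEMONIC: text"
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
LINK_RE = re.compile(r"Interface (\S+), changed state to (up|down)")

IfKey = Tuple[str, str]  # (host, interface)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into its fields; None if it is not a %FAC-SEV-MNEMONIC message."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def link_states(events: List[str]) -> Tuple[Dict[IfKey, str], Dict[IfKey, int]]:
    """Replay state events in order: current state per interface and how often each went down."""
    state: Dict[IfKey, str] = {}
    downs: Dict[IfKey, int] = {}
    for line in events:
        ev = parse_event(line)
        if ev is None or ev["mnemonic"] != "UPDOWN":
            continue  # not a link state event (e.g. a configuration change)
        lm = LINK_RE.search(ev["text"])
        if lm is None:
            continue
        key = (ev["host"], lm.group(1))
        state[key] = lm.group(2)
        if lm.group(2) == "down":
            downs[key] = downs.get(key, 0) + 1
    return state, downs


def open_faults(events: List[str], flap_threshold: int = 2) -> List[Tuple[str, IfKey]]:
    """Faults for the operator: interfaces still down, plus interfaces that went down
    flap_threshold times or more even if they are up again now."""
    state, downs = link_states(events)
    faults = [("down", key) for key, st in state.items() if st == "down"]
    faults += [("flapping", key) for key, n in downs.items() if n >= flap_threshold]
    return faults


# Constructed syslog lines (not captured from a real device).
SAMPLE_EVENTS = [
    "Mar  1 10:00:01 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "Mar  1 10:00:05 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up",
    "Mar  1 10:00:09 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "Mar  1 10:00:12 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up",
    "Mar  1 10:02:00 edge-rtr1 %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down",
    "Mar  1 10:02:30 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    for fault in open_faults(SAMPLE_EVENTS):
        print(fault)
```

The flapping interface is reported even though its final state is up, which is the kind of condition a raw "current state" view hides and a tracked event history reveals.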

Network Configuration Management:

Configuration management is the process of collecting information to drive consistency, track changes in the network, and keep documentation according to international standards. It controls settings in the network, such as IOS upgrades and other updates. Network configuration management also ensures that the configuration follows the standard and the network design, and it includes the IP addressing scheme and the DNS and DHCP settings.

Network Accounting Management:

Network accounting management is about authentication and other security checks. With an AAA server you can make sure that people are who they claim to be, and when they try to access some object and perform an action, you can authorize which objects they may access. Network accounting management techniques make network resources available only to authorized people and keep records and event logs of network activity.

Network Performance Management:

The goals of performance management are to:

  • Keep the network uncongested and accessible
  • Reduce overhead and downtime
  • Provide service level management (SLA)
  • Identify trends, for example through bandwidth monitoring
  • Exception management
  • QoS management
  • Fix performance issues

Network Security Management:

Security management is about defining the measures that improve network security and implementing access control and other checks, such as restricting Telnet while allowing SSH and HTTPS, implementing AAA, etc.
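To show what "restricting Telnet while allowing SSH and HTTPS, implementing AAA" and the earlier advice to run SNMPv3 look like as an automated check, here is an added Python example (not code from the article) that lints an IOS-style configuration fragment. The two configuration fragments and the finding texts are constructed for the example; the commands it looks for (aaa new-model, snmp-server community, snmp-server group ... v3 priv, ip http secure-server, transport input ssh) are standard IOS commands.

```python
import re
from typing import List, Tuple

Block = Tuple[str, List[str]]  # (top-level command, indented sub-commands)


def parse_blocks(config: str) -> List[Block]:
    """Group an IOS-style config into top-level commands with their indented sub-commands."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_config(config: str) -> List[str]:
    """Findings against the management-plane points above: AAA, SNMPv3, HTTPS, SSH-only vty lines."""
    blocks = parse_blocks(config)
    top = [cmd for cmd, _ in blocks]
    findings: List[str] = []

    if "aaa new-model" not in top:
        findings.append("AAA is not enabled ('aaa new-model' missing): logins are not centrally authenticated or accounted")

    for cmd in top:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", cmd)
        if m:
            access = m.group(2) or "RO"
            findings.append(f"SNMPv1/v2c community '{m.group(1)}' ({access}) configured; the string travels in clear text, migrate to SNMPv3")
    if not any(re.match(r"snmp-server group \S+ v3 priv", c) for c in top):
        findings.append("no SNMPv3 group with privacy ('snmp-server group <name> v3 priv') is defined")

    if "ip http server" in top and "ip http secure-server" not in top:
        findings.append("plain HTTP management enabled without HTTPS ('ip http server' without 'ip http secure-server')")

    for cmd, subs in blocks:
        if not cmd.startswith("line vty"):
            continue
        transports = [s for s in subs if s.startswith("transport input")]
        if not transports:
            findings.append(f"{cmd}: no 'transport input' set; restrict it to ssh")
        for t in transports:
            if "telnet" in t.split()[2:] or "all" in t.split()[2:]:
                findings.append(f"{cmd}: '{t}' allows telnet; use 'transport input ssh'")
    return findings


# Constructed IOS-style fragments for the example (not from any real device).
WEAK_CONFIG = """\
hostname edge-rtr-1
no aaa new-model
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
aaa new-model
snmp-server group NMS-GROUP v3 priv
ip http secure-server
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_config(cfg) or ["no findings"])
```

The weak fragment yields six findings (missing AAA, two clear-text communities, no SNMPv3 group, HTTP without HTTPS, and Telnet on the first vty range); the hardened fragment yields none.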

SLA Resources

An SLA (service level agreement) is an agreement with another organization covering the services it provides or consumes.

Designing an IPv6 Network

As a CCDA candidate you need a high-level understanding of IPv6, its specification and IPv6 design issues. You must also understand how an IPv6 address is represented and the different types of IPv6 addresses.

Why do we need IPv6?

IPv6 was put together to overcome the limitations of the IPv4 standard. The shortcoming of IPv4 is that its addresses are 32 bits long, giving a maximum of 4.2 billion IP addresses, and a large part of that space is taken by private addresses, multicast addresses and a portion reserved for experiments, so we are running out of IPv4 addresses. With the explosion of IP devices and the growth of the Internet all over the world, especially in Asian countries such as China, India, Russia and Japan, it was predicted that one day all the IPv4 addresses would be exhausted. So we have IPv6 for the future; in the USA different organizations and agencies have started using IPv6. Google and Facebook are also accessible on the IPv6 Internet. Some countries, such as Japan, mandated IPv6 compatibility back in 2005. Other countries, such as China, France, and Korea, have been implementing IPv6. The 2008 Summer Olympics was accessible from the IPv6 Internet. The U.S. federal government mandated all agencies to support IPv6 by mid-2008. Operating systems such as Windows 7, Vista, Linux, Mac OS, and others all support IPv6.

Designing IPv6 Network:

While designing an IPv6 network you should be aware of certain things: the different types of IPv6 addresses, the rules for representing IPv6 addresses, and the different IPv4-to-IPv6 transition strategies. Go through all of these, then decide on the correct IPv6 scheme/range and the best transition technique for your network. As mentioned above, you also need to consider other aspects related to IPv6, such as DNS, DHCP, routing protocols and other protocols, which we discuss at the end of this article.

The IPv6 header is also important to understand, because it carries a number of QoS options that can be adjusted to suit your network.

IPv6 header:

The IPv6 address space is 128 bits, four times the width of IPv4's, so we have a huge number of IP addresses in IPv6: the maximum number of IPv6 addresses is 3.4 × 10^38. IPv6 has the following header, which includes the fields version, traffic class, flow label, payload length, next header, hop limit, source IPv6 address and destination IPv6 address.


Figure: IPv6 header (image reference: http://upload.wikimedia.org/wikipedia/commons/6/6b/IPv6_header_rv1.png)

Version: this 4-bit field indicates the IP version.

Traffic class: this 8-bit field is like the IPv4 TOS (type of service) field. It tags packets with a traffic class that is used by differentiated services.

Flow label: you can use this field for quality of service. It is a new field in IPv6; the flow label is 20 bits and tags a flow of IP packets, which multilayer switching techniques can use to give the fastest packet switching performance.

Payload length: this field corresponds to the total length field of IPv4.

Next header: this is an important IPv6 header field; its value determines the type of information that follows the basic IPv6 header, for example a transport layer segment (TCP or UDP). The next header field is the equivalent of the IPv4 protocol field.

Hop limit: this limits the maximum number of hops an IP packet can traverse; each router decrements the field by one. It is similar to the TTL (time to live) field in IPv4.

Source address: the IPv6 address of the sender. It is 128 bits long, written as 8 groups of 16 bits.

Destination address: the IPv6 address of the final destination or receiver.
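As an added example (not code from the article) of the header fields just described, the Python below packs and parses the fixed 40-byte IPv6 header using only the standard library, and shows a router's hop-limit handling. The addresses, payload and field values are constructed for the example, and the function names are this example's own.

```python
import ipaddress
import struct
from dataclasses import dataclass

IPV6_HEADER_LEN = 40  # fixed, unlike the variable-length IPv4 header
NEXT_HEADER_NAMES = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


@dataclass
class IPv6Header:
    version: int
    traffic_class: int
    flow_label: int
    payload_length: int
    next_header: int
    hop_limit: int
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address

    def next_header_name(self) -> str:
        return NEXT_HEADER_NAMES.get(self.next_header, f"protocol {self.next_header}")


def parse_ipv6_header(data: bytes) -> IPv6Header:
    """Decode the fixed header: 4-bit version, 8-bit traffic class, 20-bit flow label,
    16-bit payload length, 8-bit next header, 8-bit hop limit, two 128-bit addresses."""
    if len(data) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", data[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    return IPv6Header(
        version=version,
        traffic_class=(first_word >> 20) & 0xFF,
        flow_label=first_word & 0xFFFFF,
        payload_length=payload_length,
        next_header=next_header,
        hop_limit=hop_limit,
        src=ipaddress.IPv6Address(data[8:24]),
        dst=ipaddress.IPv6Address(data[24:40]),
    )


def build_ipv6_packet(src: str, dst: str, payload: bytes, next_header: int,
                      hop_limit: int = 64, traffic_class: int = 0, flow_label: int = 0) -> bytes:
    """Pack a header in front of payload; payload length counts only what follows the header."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    header = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def forward(packet: bytes) -> bytes:
    """What each router does with the hop limit: decrement it, or drop the packet when it
    would reach zero (a real router then sends an ICMPv6 time exceeded message)."""
    hdr = parse_ipv6_header(packet)
    if hdr.hop_limit <= 1:
        raise ValueError("hop limit exhausted, packet dropped")
    return packet[:7] + bytes([hdr.hop_limit - 1]) + packet[8:]


# Constructed packet: UDP (next header 17), traffic class 0xB8 (DSCP EF), 8 zero bytes of payload.
SAMPLE_PACKET = build_ipv6_packet("2001:db8::1", "2001:db8::2", b"\x00" * 8, next_header=17,
                                  hop_limit=3, traffic_class=0xB8, flow_label=0x12345)

if __name__ == "__main__":
    print(parse_ipv6_header(SAMPLE_PACKET))
    print(parse_ipv6_header(forward(SAMPLE_PACKET)).hop_limit)
```

The first 32-bit word holds version, traffic class and flow label together, which is why the parser masks and shifts it rather than reading three separate fields; the hop limit sits at byte offset 7, so a router only has to rewrite that one byte.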

IPv6 Mechanisms:

There are different services and protocols that support IPv6 mechanisms:

ICMPv6:

We have ICMP in IP version 4; for IPv6 there is a modified version, ICMPv6, which performs the same functions as in IPv4 and uses next-header value 58. It carries messages such as echo request, echo reply, and error messages like destination unreachable and packet too big, and it is used for determining neighbor availability, path MTU, and destination addresses.

IPv6 ND (Neighbor Discovery Protocol):

IPv6 ND is the neighbor discovery protocol for IPv6. IPv6 does not use ARP; it uses IPv6 ND to discover the other nodes on the same link, check for duplicate addresses and find routers on the link. IPv6 ND has some extra features compared with ARP: it performs autoconfiguration, so a device can obtain its IPv6 address without a DHCP server, and it discovers prefixes and parameters such as the link's MTU and hop count. It does address resolution like ARP in IPv4 and also handles redirects.

Name Resolution:

Where IPv4 name resolution uses the A record in DNS, RFC 3596 defines a new record for IPv6 DNS called the AAAA record (quad-A). Quad-A is used to resolve a system name into an IPv6 address.

PATH MTU Discovery:

IPv6 does not allow packet fragmentation within the network; only the sending host may fragment, and routers do not fragment packets. The MTU of every link in an IPv6 implementation must be greater than 1230.


DHCPv6:

DHCPv6 is the protocol used for automatic assignment of IPv6 addresses to hosts. It is like DHCP in an IPv4 environment but gives more control.

IPv6 Security:

IPv6 has some built-in security methods. IPv6 natively supports IPsec, an open security framework, and also supports AH and ESP, the main protocols for encryption and security.

IPv6 Routing Protocols:

Some routing protocols have been redesigned to support IPv6; these include:

  • RIPng (RIP next generation)
  • IS-IS
  • EIGRP for IPv6
  • OSPF v3
  • BGP, which also has new mechanisms for supporting IPv6

You can also learn more about selecting a routing protocol.

IPv6 Deployment Models:

Deployment of IPv6 can be done in one of the following models:

  • Dual-stack model (IPv4 and IPv6 coexist on hosts and the network)
  • Hybrid model (combination of ISATAP or manually configured tunnels and dual-stack mechanisms)
  • Service block model (combination of ISATAP and manually configured tunnels and dual-stack mechanisms)


IPv4 to IPv6 Transition Strategies and Deployments

As a CCDA candidate you must be familiar with the IPv4-to-IPv6 transition methods; using them you can design your IPv6 network or run both IPv4 and IPv6 in your network. The following models are used for the IPv4-to-IPv6 transition. Each model has advantages and disadvantages; the dual-stack model is recommended because it requires no tunneling and is easier to manage.

IPv6 using a Dual-Stack Backbone:

In this method the ISP carries both IPv4 and IPv6 packets in the backbone. In this model you can route both IPv4 and IPv6 packets. This is a good model for an organization with a mixed environment of IPv4 and IPv6 applications. The disadvantages of this model are that you need routers with dual addresses, which consume additional memory and MTU, and that an IPv4-only host and an IPv6-only host cannot communicate directly. When using dual stacks, a host also uses DNS to determine which stack to use to reach a destination. If DNS returns an IPv6 address (AAAA record) to the host, the host uses the IPv6 stack. If DNS returns an IPv4 address (A record), the host uses the IPv4 stack.

IPv6 over Dedicated WAN Links:

This model is used for deploying a new IPv6 network; in such a design dedicated IPv6 links connect the remote office sites, and all nodes and devices are assigned IPv6 addresses.

IPv6 over IPv4 Tunnels:

In this type of network we have IPv6-only networks connected by IPv4 tunnels. With tunneling you encapsulate the IPv6 packets inside IPv4. You can transmit your data to a remote office without dedicated physical circuits: no separate circuits are needed to connect the IPv6 networks, because the IPv6 traffic is encapsulated within IPv4 packets and sent over the IPv4 WAN. This method increases protocol overhead, since the IPv6 headers are encapsulated, and the tunnels can be created manually or automatically.

For static configuration of tunnels, the tunnels are configured with IPv4 and IPv6 addresses for the tunnel source and destination. Tunnels can be built between end devices or between routers and hosts. In semi-automatically configured tunnels a tunnel broker is used: a server on the IPv4 network that receives requests from dual-stack clients, builds a tunnel on the tunnel router and associates it with the client.

The automatic tunnel mechanisms are:

  • IPv4 compatible tunnels
  • 6to4 tunnels
  • 6over4 tunnels
  • ISATAP tunnels

IPv4-compatible tunnels:

These tunnels use IPv4-compatible IPv6 addresses. This mechanism does not scale, and IPv4-compatible addresses have been deprecated, so it is appropriate only for testing.

6to4 tunnels:

The 6to4 tunnel method supports transition by assigning an interim unique IPv6 prefix. 2002::/16 is the range assigned for 6to4. Each 6to4 site uses a /48 prefix formed by concatenating 2002 with the site's IPv4 address. The border router extracts the IPv4 address embedded in the IPv6 address and forwards the packet to the IPv6 destination.

6over4 tunnels:

6over4 is another tunnel method; it requires an IPv4 multicast-enabled network. IPv6 multicast packets are encapsulated in IPv4 multicast packets to communicate with other 6over4 hosts. 6over4 is of limited practical use.

ISATAP tunnels:

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is another method to tunnel IPv6 over IPv4. With ISATAP, a tunnel is created between dual-stack hosts or routers to transmit IPv6 packets over an IPv4 network. Unlike the 6over4 mechanism, ISATAP does not require the IPv4 network to be multicast enabled. With ISATAP the link-local address is generated by concatenating FE80:0000:0000:0000:0000:5EFE: with the IPv4 address expressed in hexadecimal. For example, for the IPv4 address 192.168.10.10 (C0A8:0A0A in hexadecimal) the link-local address is

FE80:0000:0000:0000:0000:5EFE:C0A8:0A0A.
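The 6to4 and ISATAP address constructions described above, as an added Python example that is not part of the original article. It derives the 6to4 /48 and the ISATAP link-local address from an IPv4 address and performs the reverse extraction a border router does. The function names are this example's own, and 192.168.10.10 is the address whose hexadecimal form (C0A8:0A0A) appears in the ISATAP example above.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # the range assigned to 6to4
ISATAP_IID = b"\x00\x00\x5e\xfe"                    # 0000:5EFE, the form shown in the text


def ipv4_hex_groups(v4: str) -> str:
    """192.168.10.10 -> 'c0a8:0a0a': the IPv4 address as two 16-bit hexadecimal groups."""
    b = ipaddress.IPv4Address(v4).packed
    return f"{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}"


def six_to_four_prefix(v4: str) -> ipaddress.IPv6Network:
    """A 6to4 site's /48 is 2002: followed by its IPv4 address (a public one in practice)."""
    return ipaddress.IPv6Network(f"2002:{ipv4_hex_groups(v4)}::/48")


def six_to_four_ipv4(v6: str) -> ipaddress.IPv4Address:
    """The border router's step: pull the IPv4 tunnel endpoint back out of a 2002::/16 address."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIX_TO_FOUR:
        raise ValueError(f"{addr} is not a 6to4 address")
    return ipaddress.IPv4Address(addr.packed[2:6])


def isatap_link_local(v4: str) -> ipaddress.IPv6Address:
    """FE80::5EFE: concatenated with the IPv4 address in hexadecimal, as in the text.
    (RFC 5214 sets the u bit, giving 0200:5EFE, when the embedded IPv4 address is globally unique.)"""
    return ipaddress.IPv6Address(f"fe80::5efe:{ipv4_hex_groups(v4)}")


def isatap_ipv4(v6: str) -> ipaddress.IPv4Address:
    """Reverse step: recover the IPv4 address that an ISATAP link-local address embeds."""
    packed = ipaddress.IPv6Address(v6).packed
    if packed[:2] != b"\xfe\x80" or packed[8:12] != ISATAP_IID:
        raise ValueError(f"{v6} is not an ISATAP link-local address")
    return ipaddress.IPv4Address(packed[12:16])


if __name__ == "__main__":
    print(six_to_four_prefix("192.168.10.10"))           # 2002:c0a8:a0a::/48
    print(isatap_link_local("192.168.10.10").exploded)   # fe80:0000:0000:0000:0000:5efe:c0a8:0a0a
    print(six_to_four_ipv4("2002:c0a8:a0a::1"))          # 192.168.10.10
```

Both mechanisms embed the IPv4 endpoint in the IPv6 address itself, which is why neither needs per-tunnel configuration; it also means the IPv4 address is visible to anyone who sees the IPv6 address, a point worth remembering when deciding where such addresses may appear.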

Protocol Translation (NAT-PT):

Protocol translation is also known as NAT-PT. NAT-PT provides translation between IPv4 and IPv6.

Some techniques are:

Application layer gateways (ALG): these use dual stacks and allow a host in the IPv4 domain to communicate with a host in the IPv6 domain.

Application programming interfaces (API): an API module intercepts IP traffic through an API and converts it for the IPv6 counterpart.