Study Guide
Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or used to
make any derivative such as translation, transformation, or adaptation without permission from Fortinet,
Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents
Wireless Concepts ........ 4
Challenges to Wireless Networking ........ 5
  The Dynamics of Noise and Wireless Networks ........ 5
    Noise ........ 5
    Congestion ........ 6
    Distance ........ 7
  Summary: The Dynamics of Noise and Wireless Networks ........ 8
Wireless Concepts
Wireless networks such as Wi-Fi and cellular/4G are
similar to wired networks in their fundamental purpose.
The main difference is that wireless networks use radio
signals instead of cables to carry signals between
devices.
Unplugging from the constraints of a fully wired
network provides for the mobility needs of modern
business and consumer trends in mobile computing
(Figure 1). Many people now have a mobile phone as
their primary phone, instead of a land line.
Noise
Noise disrupts communication, whether near the speaker, the listener, or both. Many times we find
ourselves in a situation where we can't clearly hear what another person is saying. This could be due to a
number of varying factors, such as a loud aircraft flying overhead, loud music from a passing car, a
blender on your kitchen counter, or other noise in the environment.
With sound, there are multiple techniques that can be used to ensure
that a listener can hear the message despite noise. You can wait until
the noise stops, reduce it to a manageable level by turning down the
volume on surrounding devices such as music players, move closer to the other person with whom you
are talking, or move to a quieter location.
With radio frequency (RF) noise that disrupts communications for wireless devices, some similar
techniques can be used. Unfortunately, unlike sound noise that affects talking, RF noise is very difficult to
detect unless you have tools designed to measure RF noise levels. Finding the origin of the noise may be
a complicated and time-consuming task.
Congestion
When only two (or a few) people talk, they usually take turns talking and listening. This makes it easier
to hear and understand the other person speaking, because it provides time for listeners to focus on the
other person's message. If something is not understood, the speaker can repeat it to ensure the listener
understands the message.
Another option besides repeating the message for better understanding is to change other characteristics
such as how fast you speak, how loudly, or how high or low the pitch of your voice is. For example,
slowing the speed at which you speak can make it less difficult for the listener to hear and understand the
message so that you don't need to repeat yourself, but the tradeoff is that speaking slower takes longer
to convey the message. Volume that is too loud may result in distortion or the listener attempting to tune
out the message.
When many people try to talk and listen at the same time, receiving a clear message becomes very
difficult. We have the ability to effectively conduct duplex conversations: we speak and then we listen, but
not both simultaneously. We do not have the ability to multiplex in conversation effectively; that is, we
cannot listen to multiple messages or transmit while receiving effectively. As multiple people try to be
heard, the aggregated volume increases to the level where no conversation can effectively take place in
the environment.
Similar to people, wireless device radios operate in half-duplex mode, as they are only able to either
transmit or receive data at any point in time. They cannot transmit and receive at the same time. When
there are few wireless devices communicating on a network, they can easily take turns transmitting and
receiving, enhancing the chances of clear communication (Figure 4). However, even in an environment
with few devices communicating, these devices cannot operate in full duplex: each one may only
transmit or receive, but not both simultaneously.
Distance
Distance is an important factor in communications. When people
are close to each other, they may communicate easily with
reasonable volumes, as well as being able to more clearly see
when one person has stopped talking so the other person may
start to talk.
As the distance between people increases, the intensity of sound diminishes. This is because the sound
waves are spread over an increasing area the further they are from the source. As sound travels farther
from the transmitter, its intensity falls off rapidly (following the inverse-square law) across the distance
between transmitter and receiver, eventually being reduced to a level below that discernible to the human
ear.
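As an added worked example (not part of the study guide), the inverse-square law mentioned above written out, assuming an isotropic source of power P_t whose energy spreads over a sphere of radius d (the symbols P_t, I and I_min are assumptions, not the guide's notation):

\[
I(d) = \frac{P_t}{4\pi d^2}
\]

\[
\frac{I(2d)}{I(d)} = \frac{d^2}{(2d)^2} = \frac{1}{4}, \qquad
10\log_{10}\frac{I(2d)}{I(d)} = 10\log_{10}\frac{1}{4} \approx -6\ \text{dB}
\]

\[
I(d_{\max}) = I_{\min} \;\Longrightarrow\; d_{\max} = \sqrt{\frac{P_t}{4\pi I_{\min}}}
\]

Doubling the distance quarters the received intensity (a 6 dB drop), and d_max is the range at which the signal falls to the smallest intensity I_min the receiver can still discern.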
[Figure: received power versus distance]
[Figure: deployment scale, from a wireless router supporting tens of wireless devices to a cloud-based
wireless controller with cloud-controlled, Power over Ethernet (PoE) APs supporting thousands of wireless
devices; ongoing management covers configuration, policies, user authentication, and audit trails]
Roaming
Connectivity dynamics change with the type of device, and as the scope of the network grows from a
small wireless network to a larger, more distributed network. The first and simplest case is that of a
stationary device, such as the desktop system pictured in Figure 11. This device is likely to wirelessly
connect (or associate, as we say in the wireless industry) to the closest AP and stay associated with it.
This is because a desktop system typically does not move.
[Figure 11: a WLAN controller managing a series of access points, 1) through 4), starting from the first
access point]
Application Priorities
Unlike copper or fiber-optic wires that are only usable by the two devices they connect, air is a shared
medium. Traffic from all devices in the area must share airtime (Figure 13). Congestion can result when
too many devices try to transmit RF signals (talk) at the same time.
Performance can also decrease when too many
applications must equally share limited network or
Internet bandwidth.
[Figure: Client #1 and Client #2 sharing airtime on the wireless medium]
Shared Medium
We generally don't want people to eavesdrop on our private conversations. Think about what mischief
could happen if we were telling someone our credit card number and an identity thief overheard it. Or
what could happen if someone watched you use an ATM and you were not careful about ensuring others
could not see your PIN or card information? In either case, this allows potential compromise of your
personal, confidential information and subsequent theft.
Wireless networks are no different. Like an ordinary conversation, wireless signals can be overheard by
anyone within range. In order to stop unauthorized people from using the data within those signals,
valuable data should be encrypted. This makes sure that potential attackers cannot understand what
we're communicating.
It is also important to make sure we are actually speaking to the right person! Authentication verifies that
someone is actually who they say they are. Authentication may be accomplished through a variety of
means, from simple methods involving a user name and password or PIN to more complex ways with
two-factor authentication or authentication tokens. This is the network equivalent of checking a person's
driver's license or other identification card along with their name and password.
Rogue Networks
Some security factors are unique to wireless networks. Because multiple wireless networks may be
nearby, but we can't physically see which AP we are connecting to, we need to make sure clients can
only connect to the right wireless network. It can be difficult for users to be sure. Often, the only
identification a wireless device uses when connecting to the network is what's known as the Service Set
Identifier (SSID), also called its network name. For example, in the illustration below (Figure 17) the
SSID is named CorpNet.
Unfortunately, an AP that doesn't belong to us can also broadcast our SSID. This is called a rogue AP.
More precisely, it's an access point that can be seen by our network but is not authorized for operation
on our network. We can tell that it doesn't belong to us because our APs can detect its radio
transmissions and our WLAN controller will recognize that the rogue is not under our management
control.
Rogue access points are a concern because, without investigation, we cannot tell whether they are
benign (perhaps an access point that belongs to a neighbor's wireless network) or whether they belong
to an attacker. For example, an access point could pretend to be from our network. Wireless signals are
often not directional, so an unsuspecting wireless device could see the correct SSID (broadcast by the
rogue AP) and attempt to connect to it. Attackers associated with the same rogue AP can potentially
gather sensitive information like usernames and passwords, and use them later to penetrate our network.
[Figure 17: an AP under our WLAN controller broadcasting CorpNet, alongside a rogue AP also
broadcasting CorpNet]
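As an added example (not code from the study guide or from Fortinet), the rule described above expressed in Python: an AP that our network can see but that is not in our WLAN controller's managed inventory is a rogue, and a rogue broadcasting our own SSID is the case to investigate first. It goes slightly beyond the text by also flagging look-alike names that differ only in letter case. All BSSIDs, SSIDs and signal readings are constructed.

```python
# Added example: triage of access points detected by our managed APs.
# The inventory, scan results and signal values below are constructed.
from dataclasses import dataclass

OUR_SSID = "CorpNet"                      # our network name, as in Figure 17

# Constructed inventory of AP radios under our WLAN controller's management.
MANAGED_BSSIDS = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}


@dataclass(frozen=True)
class DetectedAP:
    bssid: str          # radio MAC address observed by our APs
    ssid: str           # network name the radio is broadcasting
    channel: int
    rssi_dbm: int       # received signal strength at the detecting AP


# Constructed scan results, as a WLAN controller would collect them.
SCAN_RESULTS = [
    DetectedAP("00:11:22:aa:00:01", "CorpNet", 36, -41),
    DetectedAP("00:11:22:aa:00:02", "CorpNet", 44, -55),
    DetectedAP("66:77:88:bb:00:09", "CorpNet", 6, -48),     # not ours, our SSID
    DetectedAP("de:ad:be:ef:00:10", "CoffeeShop", 11, -80),  # neighbor network
    DetectedAP("de:ad:be:ef:00:11", "corpnet", 1, -62),      # look-alike name
]


def classify(ap: DetectedAP, managed=MANAGED_BSSIDS, our_ssid=OUR_SSID) -> str:
    """Return 'managed', 'rogue-impersonating', 'rogue-lookalike' or 'rogue-neighbor'."""
    if ap.bssid.lower() in {m.lower() for m in managed}:
        return "managed"                # under our management control
    if ap.ssid == our_ssid:
        return "rogue-impersonating"    # broadcasts our SSID: clients may connect
    if ap.ssid.casefold() == our_ssid.casefold():
        return "rogue-lookalike"        # same name apart from letter case
    return "rogue-neighbor"             # unmanaged, but not pretending to be us


def triage(results, managed=MANAGED_BSSIDS, our_ssid=OUR_SSID):
    """Group detected BSSIDs by class, strongest signal first within each group."""
    groups = {}
    for ap in sorted(results, key=lambda a: a.rssi_dbm, reverse=True):
        groups.setdefault(classify(ap, managed, our_ssid), []).append(ap.bssid)
    return groups


if __name__ == "__main__":
    for kind, bssids in triage(SCAN_RESULTS).items():
        print(f"{kind:20} {', '.join(bssids)}")
```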
Key Acronyms
AAA - Authentication, Authorization, Accounting
AD - Active Directory
ADC
ADN
AM - Antimalware
AP - Access Point
API
APT
ASIC
ASP
ATP
AV - Antivirus
AV/AM - Antivirus/Antimalware
CPU
DLP
DNS
DoS - Denial of Service
DPI
DSL
FTP
FW - Firewall
GB - Gigabyte
GbE - Gigabit Ethernet
Gbps
GUI
IaaS - Infrastructure as a Service
ICMP
ICSA
ID - Identification
IDC
IDS
IM - Instant Messaging
IMAP
IoT - Internet of Things
IP - Internet Protocol
IPS
IPTV
IT - Information Technology
J2EE
LAN
LLB
LOIC
MSP
NSS - NSS Labs
OSI
OTS
PaaS - Platform as a Service
PC - Personal Computer
PHP
PoE
QoS - Quality of Service
RDP
SaaS - Software as a Service
SDN - Software-Defined Network
SEG
SFP
SFTP
SIEM
SLA
SM - Security Management
SMB
SMS
SQL
SSL
SWG
SYN
TCP
TLS
UDP
URL
USB
UTM
VM - Virtual Machine
VoIP
VPN
WAF
XSS - Cross-site Scripting
Glossary
802.11. Refers to the IEEE standard for wireless local area network (WLAN) communication.
Access Point (AP). An access point is a networking hardware device that allows wireless devices to
connect to a wired network using Wi-Fi or related standards.
Amplitude. A measure of the power transmitted by a wave over a single period. Amplitude is similar to
the concept of volume in sound.
Audit Trail. An audit trail is a series of records of computer events, about an operating system, an
application, or user activities. A computer system may have several audit trails, each devoted to a
particular type of activity. Auditing is a review and analysis of management, operational, and technical
controls.
ATM. Automatic Teller Machine. Electronic way to deposit or withdraw money, transfer funds, and check
account balances.
Authentication. The process of determining whether someone or something is actually who or what they
claim to be. In computer networks, the purpose of authentication is to make sure that attackers cannot
mimic authorized people.
Authentication Token. Authentication tokens (sometimes called a hardware token, security token, USB
token, cryptographic token, software token, virtual token, or key fob) are used to prove a person's identity
electronically. The token is used in addition to or in place of a password for stronger authentication, to
prove that the person is who they claim to be.
Captive Portal. A captive portal is a special web page that is shown before a user is allowed to use the
Internet. The portal is often used to present a login page.
DSL. DSL (Digital Subscriber Line) is a technology for bringing high-bandwidth information to homes and
small businesses over ordinary copper telephone lines.
Encryption. The process of encoding messages or information in such a way that only the intended
recipient can read it. The purpose of encryption is to ensure data privacy.
Ethernet. The most widely installed local area network (LAN) technology. Ethernet is a link layer protocol
in the network stack, describing how networked devices can format data for transmission to other network
devices on the same network segment.
Interference. See RF interference.
Multiplex. Multiplexing consists of combining two or more signals into a single transmission pathway or
channel.
Network Name. See Service Set Identifier (SSID).
PIN. A personal identification number (PIN) is a numeric password used to authenticate. The term "PIN"
is also now used to refer to any short numeric password in other contexts, such as door access or
unlocking a smartphone screen.
Policy. Conditions, constraints, and settings that determine who or what is authorized to connect to the
network, when, and to where.
Power over Ethernet (PoE). Any of several standardized or ad-hoc systems that pass electrical power
along with data on Ethernet cabling. This allows a single cable to provide both data connection and
electrical power to devices such as wireless access points. PoE allows long cable lengths and power may
be carried on the same conductors as the data, or it may be carried on dedicated conductors in the same
cable.
Rate-limiting. Rate limiting is used to control the rate of traffic sent or received by a network interface
controller. It can be induced by the network protocol stack of the sender due to a received ECN-marked
packet and also by the network scheduler of any router along the way.
RF Interference. Radio frequency interference (RFI) is the radiation or conduction of radio frequency
energy (or electronic noise) produced by electrical and electronic devices at levels that interfere with the
operation of adjacent equipment.
RF Noise. See RF interference.
Rogue AP. A rogue access point (Rogue AP) is a wireless access point that has been installed on a
secure network without explicit authorization from a local network administrator, whether added by a
well-meaning employee or by a malicious attacker.
Role Derivation. Role derivation allows administrators to derive one or more roles from a single master
role. The master role serves as the template for the authorizations and attributes. Organizational levels
differentiate the derived roles from the master role and each other.
Router. A router is a networking device that forwards data packets between computer networks.
Routers perform the "traffic directing" functions on the Internet. A data packet is typically forwarded from
one router to another through the networks that constitute the internetwork until it reaches its destination
node.
Service Set Identifier (SSID). An SSID is a unique identifier attached to the header of packets sent over a
wireless local-area network (WLAN) that acts as a password when a mobile device tries to connect to the
basic service set (BSS), a component of the IEEE 802.11 WLAN architecture. The SSID differentiates
one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN
must use the same SSID to enable effective roaming.
Spoofing. To successfully mimic another person or program by falsifying identity data, thereby gaining
unauthorized access. This attack is possible when an identifying characteristic, such as an IP address, is
not authenticated.
Switch. A network switch is a computer networking device that connects devices together on a computer
network, by using packet switching to receive, process and forward data to specific destination devices.
Unlike less advanced network hubs, switches forward data only to the one or more devices that need to
receive it, rather than broadcasting the same data out of each of their ports.
Thick Access Point. Also called a fat AP. In wireless local area networks (WLANs), an AP with
sufficient program logic and processing power to allow it to provide routing, and often enforce policies
relating to access and usage, rather than working under the supervision of a centralized wireless
controller. In a mobile application, users moving between AP zones of coverage realize faster handoffs
with fat APs.
Traffic Profile. A traffic profile is a sequence of measures over a specific period of time. It can be
the traffic profile of a flow or a link count.
Traffic Shaping. Delay and prioritization of some network traffic to optimize use of limited bandwidth,
preventing other applications from impacting time-sensitive or important traffic.
Two-step Authentication. Two-factor authentication (also known as 2FA or 2-Step Verification) is a
technology patented in 1984 that provides identification of users by means of the combination of
two different components.
Unified Threat Management (UTM). UTM is the evolution of the traditional firewall into an all-inclusive
security device able to perform multiple security functions within one system: network firewalling, network
intrusion prevention, gateway antivirus, gateway anti-spam, VPN, content filtering, load balancing, data
loss prevention and on-appliance reporting.
Wireless Access Point (WAP). See Access Point (AP).
Wireless Controller. Also called a wireless LAN (WLAN) controller, network administrators use this to
configure and manage many thin APs.
Wireless Router. A device that performs the functions of a router and also includes the functions of
a wireless access point. It is used to provide access to the Internet or a private computer network. It can
function in a wired LAN (local area network), in a wireless-only LAN (WLAN), or in a mixed wired/wireless
network.
WLAN Controller. See Wireless Controller.