Securing Wireless LANs

Transcription

1 Securing Wireless LANs Oct 30th, 2002 Louis Senecal 4515_03_2002_c1 2002, Cisco Systems, Inc. All rights reserved. 1

2 Agenda WLAN Overview Intro to WLAN Security Attack Scenarios Mitigation Stategies 2

3 Benefits of Wireless Mobility within building or campus Lots of Notebooks / Handhelds Convenience (no cables) Flexibility (anytime, anywhere access) Challenging Work Environments Easier to set-up temporary spaces Cost Effective No cable infrastructure / trenching Moves / Adds / Changes Reduce / Eliminate Recurring Network Costs Investment Protection Pick it up and move it out Productivity gains Rapid Deployment 3

4 Wireless Office Quickly emerging market New solutions being developed Ad hoc network may be the answer May want site survey for future growth All Cisco Offices Use WLANs as infrastructure overlay Wireless Technology becoming Pervasive Public Hotspots 4

5 NOP Study Wireless LANs Increase Productivity Based on a survey of 300+ U.S.- based organizations with more than 100 employees: End users stayed connected an average of 1¾ hours more per day to their corporate network Average daily time savings: 70 minutes Productivity: +22% Source: NOP World-Technology, Sept

6 Wireless LAN Technologies b a g Frequency Band 2.4 GHz 5 GHz 2.4 GHz Availability Worldwide US/AP Worldwide Maximum Data Rate 11 Mbps 54 Mbps 54 Mbps 6

7 Frequency Bands Audio Short Wave Radio AM Broadcast FM Broadcast Television Cellular (840MHz) NPCS (1.9GHz) Infrared wireless LAN Extremely Low Very Low Low Medium High Very Ultra High High Super High Infrared Visible Light Ultraviolet X-Rays 900 MHz 26 MHz 11.b 11.g 11.a 2.4GHZ 83.5 MHz 5 GHz Older Devices 11 FC (3 non-overlapping) Industrial, Scientific & Medical (ISM) band (8 non-overlapping) Unlicensed National Information Infrastructure (U-NII) band7

8 IEEE Standard Activities a 54 Mbps, 5 GHz, ratified in 1999, b 11Mbps, 2.4 GHz, ratified in d World Wide Roaming e Quality of Service f Inter-Access Point Protocol (IAPP) To be ratified soon g Higher Data rate (54 Mbps) 2.4 GHz h Dynamic Frequency Selection and Transmit Power Control mechanisms i Authentication and Security 8

9 Local Area Network (LAN) Wireless LAN (WLAN) as an extension to wired LAN Cisco Switch Cisco Switch Cisco Access Point Server Cisco Switch Rogue Access Point?? Internet Work Group Bridge 9

10 Typical Multicell Configuration Channel 1 Channel 6 LAN Backbone Wireless Cell Access Point Wireless Cell Wireless Clients 10

11 Association Process -- Passive Scanning Access Point A Access Point B Steps to Association: Client sends probe. AP sends probe response. Client evaluates AP response, selects best AP. Client sends authentication request to selected AP (A). AP A confirms authentication and registers client. Client sends association request to selected AP (A). Initial connection to an Access Point AP A confirms association and registers client. 11

12 Aironet b: Power and Range 11 Mbps DSSS feet 30mW feet radius@ 100mW 5.5 Mbps DSSS feet radius@ 30mW feet radius@ 100mW 2 Mbps DSSS feet radius@30mw feet radius@100mw 12

13 Channel Setup Site Survey Channel Example Channel 1 Channel 11 Channel 6 Channel 11 Channel 6 Channel 6 Channel 1 Channel 11 Channel 1 Channel 11 13

14 Multi-rate Implementation Site Survey Bandwidth Example 2 Mbps 2 Mbps 2 Mbps 2 Mbps 2 Mbps 5.5 Mbps 5.5 Mbps 5.5 Mbps 5.5 Mbps 5.5 Mbps 11 Mbps 11 Mbps 11 Mbps 11 Mbps 11 Mbps 11 Mbps 11 Mbps 11 Mbps 11 Mbps 11 Mbps 5.5 Mbps 5.5 Mbps 5.5 Mbps 5.5 Mbps 5.5 Mbps 2 Mbps 2 Mbps 2 Mbps 2 Mbps 2 Mbps 14

15 Things to Consider for Site Survey Floor Plan Bandwidth required Dense or sparse user population Know your users: Protocols Types of applications mainly being used Possibility to connect AP to wired network 15

16 Aironet Ethernet In-Line Power Ethernet In-line Power Source: Catalyst 3524 Power Switch Catalyst 6000 Power Blade Catalyst 4000 Power Blade 48 Port Power Patch Panel Power Ethernet In-line Power Source: Aironet Power Injector No Power Power Aironet 350 uses Ethernet in-line power ONLY Eliminates need for local power and AC infrastructure cost Draws in-line power from edge devices (-48 Volts) Catalyst power switches support device discovery mode 16

17 Mixed Antenna Example Maximum Coverage Autorate Negotiation Channel 11 Wireless for Students DiPole Indoor, Patch Outdoor Channel 1 Channel 6 Class 1 Class 2 Class 3 Class Hallway Class 8 Class 9 Class 10 Class 11 Channel 6 Building 1000 Channel 11 Channel 1 Courtyard

18 Cisco Aironet 350 Series Wireless LAN Solution The Cisco Aironet 350 Series of b compliant high speed wireless solutions offers the best performance, manageability, scalability and security for both in-building and building to building wireless applications PC Card/PCI Client Adapters Access Points Line-of-Sight Bridge Products Antennas & Accessories 18

19 Cisco Aironet 350/340 Series Client Adapters Client access for both notebook and desktop systems Broad Operating Systems Support: Windows 95, 98, Windows NT 4.0 Windows 2000 Windows Millennium Windows CE Linux MacOS Easy, simple installation Lifetime limited warranty 19

20 New AP1200 Dual-Band Access Point The Cisco Aironet 1200 Series Access Point delivers on enterprise requirements 20

21 AP1200 Access Point GHz antenna connectors 2. DC input 3. Ethernet 4. Console Port 5. Reserved 6. LEDs (Ethernet, Status, Radio) 7. Mounting plate 5GHz PC-Cardbus Module 2.4GHz mini-pci radio 21

22 Investment Protection and Future Proofing Modular platform for single or dual band operation Field upgradeable radios Eight megabytes of storage and support for Cisco management tools 22

23 Cisco Aironet 1100 Series Scalable Fully functional access point ideal for all enterprise deployments without expensive controllers Affordable Lowest priced upgradable Cisco Aironet access point protects customer investment Enterprise-class features End-to-end intelligent networking extended to WLAN Secure Enterprise-class interoperable security for WLAN Easy-to-use Intuitive installation and set up for rapid deployment FCS Friday Oct 18, 2002 GA Approx mid-nov 23

24 Wireless Antennas Access Points Rubber DiPole Pillar Mount Ground Plane Patch Wall Ceiling Mount Type Omni Directional Omni Directional Omni Ceiling Mount High Gain Omni Gain 2.15 dbi 5.2 dbi 5.2 dbi 8.5 dbi 2.2 dbi 5.2 dbi Beam Width 360 H 75 V 360 H 75 V 360 H 75 V 60 H 55 V 360 H 75 V 360 H 75 V ~ Indoor Range at 1 Mbps ~ Indoor Range at 11 Mbps Cable Length N/A

25 Agenda WLAN Overview Intro to WLAN Security Attack Scenarios Migigation Strategies 25

26 Toronto Insecure?? (Pearson to Downtown Cab ride yesterday) 50 AP out of 102 with WEP 26

27 HAS Your Building Been Chalked? War Driver s Results 27

28 (Some) WLAN Security Issues Default setups: WEP: AP Technology: Rogue APs: RF Propagation: New Attacks: Safeguards: Policy: Newness: Work well, but are not secure Broken at any key length Many flawed implementations Impact security of wired network Extends network environment beyond the walls Radio protocol attacks are nasty (ECM) Poorly architected/implemented Monitoring, updating and enforcement Confusion, lots of attacks and variants 28

29 Intruder/Safeguard Cycle Hackers Continually Optimize Attacks Automated Scanning Tools Widespread Use We are Here Today Vulnerability Discovery Crude Tools Appear 1999 Basic Safeguards Inherent in Technology Hackers Exploit Crude Tools Survey Scripts RSA 01 Kismet Wellenreiter Netstumbler WEP Crack Air Jack Jul 01 Better Safeguards Appear Intruders move to newer, more interesting exploits Time Safeguards Mature, Attackers move on Legacy Systems Still Vulnerable! 29

30 Typical Security Environment Border guards SSL Employees Suppliers Customers Web Servers App Servers Directory/ Database 30

31 Wireless Breaches The Perimeter Border guards SSL Employees Suppliers Customers Web Servers App Servers Directory/ Database Attacker Wireless Sniffer 31

32 Dispelling Misinformation Security With Antennas? Textbook radiation patterns of the AP isotropic monopole antenna 32

33 Engineering Theory Some Experts say you can place the antenna to get better security and control the perimeter 33

34 Reality Access Point Elevator or Utility Shaft WLAN Station Indoor Propagation in a Typical Crowded Office Building: Reflections Re-Radiation Attenuation Un-intentional wave guide structures Not a perfect environment 34

35 Reality in Practice There are limits to what you can achieve with directional antennas, site surveys are needed if local physical environment requires it 35

36 Add Some Antenna Gain Typical 2.4 GHz WLAN AP has mono-pole antennas with 0dBi gain. A Low Profile patch antenna can provide 8 dbi gain at 2.4 GHz and costs about $65 US 36

37 Hacking with a Pringle Tube ~12 db gain, +/ calorie Yagi antenna $

38 Now Available SAFE: Wireless LAN Security in Depth Now available as of 12/31/01 Shows what changes when WLAN is introduced into the SAFE Enterprise and SMB designs 38

39 SAFE Blueprint for Secure E-Business 39

40 Agenda WLAN Overview Intro to WLAN Security Attack Scenarios Mitigation Strategies 40

41 The Network Layers 41

42 The Bottom Layers Manipulating the bottom 2 layers of the OSI Data Link (Layer 2) Media Access Control (MAC) Access to medium Logical Link Control (LLC) Frame sync, flow control Physical (Layer 1) Radio bit stream Divided into channels 42

43 The Bottom Layers 43

44 Management Frames Management frames can control link characteristics and physical medium properties b management frames are NOT authenticated Why is this bad? Maybe DOS 44

45 WLAN-Jack Denial of Service De-authentication Use MAC address of Access Point Send deauthenticate frames Send continuously Send to broadcast address or specific MAC Users are unable to reassociate with AP Air-Jack + WLAN-Jack 45

46 WLAN-Jack 46

47 Attack Scenarios WLAN-Jack 47

48 Attack Scenarios WLAN-Jack Decode of Deauthentication Frame 48

49 Attack Scenarios WLAN-Jack This is your connection 49

50 Attack Scenarios WLAN-Jack This is your connection on WLAN-Jack. 50

51 Past Security Methods SSID (Service Set Identifier) Commonly used feature in Wireless LANs which provides a rudimentary level of security Serves to logically segment the users and Access Points that form part of a Wireless subsystem May be advertised or manually pre-configured at the station 51

52 Network Stumbler or MiniStumbler FREE Free! 52

53 Or Kismet (Also Free) 53

54 SSID no Broadcast 54

55 ESSID-Jack Is the ESSID a shared secret? If I mask the ESSID from the AP beacons then unauthorized users will not be able to associate with my AP? Discover Masked ESSID Send a deauthenticate frame to the broadcast address. Obtain ESSID contained in client probe request or AP probe response. 55

56 ESSID-Jack 56

57 ESSID-Jack 57

58 Rogue Access-Point Men in the Middle Attack 58

59 Monkey-Jack MITM Attack Taking over connections at layer 1 and 2 Insert attack machine between victim and access point Management frames Deauthenticate victim from real AP Send deauthenticate frames to the victim using the access point s MAC address as the source 59

60 Monkey-Jack Victim s card scans channels to search for new AP Victim s card associates with fake AP on the attack machine Fake AP is on a different channel than the real one Attack machine s fake AP is duplicating MAC address and ESSID of real AP 60

61 Monkey-Jack Attack machine associates with real AP Attack machine duplicates MAC address of the victim s machine. Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols 61

62 Monkey-Jack Before Monkey-Jack 62

63 Monkey-Jack After Monkey-Jack 63

64 Monkey-Jack 64

65 Open Authentication With Client AP Open Authentication Authentication request Authentication response Open or Shared needs to be setup identically on both the Access Point and Client 65

66 Shared Key - WEP/RC4 in

67 Shared-key Authentication With Client AP Shared-Key Authentication Authentication request Challenge text packet Encrypted challenge text packet Authentication response Open or Shared needs to be setup identically on both the Access Point and Client 67

68 Security Issues Authentication is one-way No way to dynamically generate keys No integration with existing network authentication methods on LAN Authentication is device-based No method for account auditing Keys are static 68

69 Improved Attacks on RC4 (WEP) In order to carry out the attack, the cryptanalyst needs the first output word of a large number RC4 streams along with the IV that was used to generate each one of them. Since in WEP, the IVs are transmitted in the clear, and the first message word in most packets is a known constant these requirements are satisfied. Optimizations of the attack have lead to deduction of a 128 bit RC4 key in 15 minutes from an actual network. RSA Laboratories Volume 5, No. 2, Summer / Fall

70 AirSnort, WEPCrack and the others 70

71 UC Berkeley Study Bit flipping Bits are flipped in WEP encrypted frames, and ICV CRC32 is recalculated Replay Bit flipped frames with known IVs resent AP accepts frame since CRC32 is correct Layer 3 device will reject, and send predictable response Response database built and used to derive key 71

72 UC Berkeley Study PlainText Cisco Stream Cipher 1234 WEP CipherText XXYYZZ PlainText Data Is XORed with the WEP Stream Cipher to Produce the Encrypted CipherText Predicted PlainText Cisco CipherText Stream Cipher XXYYZZ WEP 1234 If CipherText Is XORed with Guessed PlainText, the Stream Cipher Can Be Derived 72

73 UC Berkeley Study Bit Flipped Frame Sent Frame Passes ICV Forwarded to Dest MAC Attacker Anticipates Response from Upper Layer Device and Attempts to Derive Key AP WEP Encrypts Response and Forwards to Source MAC Upper Layer Protocol Fails CRC Sends Predictable Error Message to Source MAC 73

74 Agenda WLAN Overview Intro to WLAN Security Attack Scenarios Mitigation Stategies 74

75 WEP Mitigation: Temporal Key Integrity Protocol (TKIP) Base key and IV hashed Transmit WEP Key changes as IV changes Key hashing is still pre-standards, awaiting i ratification 75

76 WEP and TKIP Implementations WEP today uses an IV and base key; this includes weak IVs which can be compromised TKIP uses the IV and base key to hash a new key thus a new key every packet; weak keys are mitigated WEP Encryption Today TKIP IV Base Key Plaintext Data IV Base Key Plaintext Data RC4 XOR CipherText Data Hash XOR CipherText Data IV Packet Key Stream Cipher RC4 Stream Cipher 76

77 WECA (Wireless Ethernet Compatibility Alliance) Security Improvements Will develop a new test plan that will require TKIP as part of certification This will include 128 bit encryption Products certified prior to new plan will not need to be re-tested (and do not need to include TKIP) 77

78 UC Berkeley Study Mitigation Message Integrity Check (MIC) The MIC will protect WEP frames from being tampered with The MIC is based on seed value, destination MAC, source MAC, and payload Any change to these will change MIC value The MIC is included in the WEP encrypted payload 78

79 Message Integrity Check MIC uses a hashing algorithm to stamp frame The MIC is still pre-standards, awaiting i ratification WEP Frame No MIC DA SA IV Data ICV WEP Encrypted WEP Frame MIC DA SA IV Data SEQ MIC ICV WEP Encrypted 79

80 WEP & Rogue Access Point Cisco LEAP Overview Provides centralized, scalable, user-based authentication Algorithm requires mutual authentication Network authenticates client, client authenticates network Uses 802.1X for authentication messaging APs will support WinXP s EAP-TLS also Dynamic WEP key support with WEP key session timeouts 80

81 802.1X 81

82 Solution: 802.1X over Wireless 802.1X is IEEE draft standard for port-based network access control Leverages existing standards Extensible Authentication Protocol (EAP) RADIUS 802.1X for overcomes limitations of security Mutual authentication Dynamic, session-based encryption keys Centralized user administration Extensible authentication support 1 2 client EAP AP RADIUS RADIUS server 3 4 user database 82

83 802.1X for Authentication Types Authentication type Operates over 802.1X for (EAP and RADIUS) Enables client and authentication server to: Do mutual authentication Derive session-based encryption key Available authentication types EAP-Cisco Wireless (LEAP): Uses password as shared secret EAP-TLS: Uses certificates 83

84 Availability Cisco Aironet access points support 802.1X and EAP AP can act as 802.1X middleman when wireless client and authentication (RADIUS) server support authentication type Cisco introduced LEAP in December 2000 Is supported by Cisco Aironet client adapters on wide range of client operating systems (Windows, CE, Mac OS, Linux) Is supported by Cisco Secure ACS RADIUS server Will be supported by other RADIUS servers in 2001 Microsoft supports EAP-TLS authentication type in Windows XP and Windows CE 4.0 Cisco is first to fully support EAP-TLS with its client adapters and APs 84

85 LEAP Authentication Process Client AP RADIUS Server Start Request Identity Identity AP Blocks All Requests Until Authentication Completes Identity RADIUS Server Authenticates Client Derive Key Client Authenticates RADIUS Server Broadcast Key Key Length Derive Key AP Sends Client Broadcast Key, Encrypted with Session Key 85

86 How LEAP Challenges and Responses Work challenge Create challenge password from database challenge one-way hash response A LEAP algorithm password hash Using password from database, generate response to own challenge 86

87 How LEAP Challenges and Responses Work challenge usersupplied password response B response A one-way hash password hash challenge LEAP algorithm response B If response A = response B, then authenticate user Why? Using user-supplied password, generate response to challenge 87

88 Comparing Responses usersupplied password password from database one-way hash challenge challenge one-way hash password hash LEAP algorithm response B response A LEAP algorithm password hash If response A = response B, then user-supplied password = password from database 88

89 Deriving the Session Key hash (hash (password)) RADIUS response to client client response to RADIUS client challenge to RADIUS RADIUS challenge to client MD5 128-bit key 89

90 WEP Keys WEP key is calculated by the Radius server, only after the authentication is completed The key is passed to Access Point for THAT single authenticated client. This is a session key Client calculates the same WEP key Key is never transmitted over RF 90

91 Advantages of 802.1X for Open, extensible and standards based. Enables interoperable user identification, centralized authentication, key management. Leverages existing standards: EAP (extensible authentication protocol), RADIUS. Compatible with existing roaming technologies, enabling use in hotels and public places. User-based identification. Dynamic key management. Centralized user administration. Support for RADIUS (RFC 2138, 2139) enables centralized authentication, authorization and accounting. RADIUS/EAP (draft-ietf-radius-ext-07.txt) enables encapsulation of EAP packets within RADIUS. 91

92 Deploying LEAP Clients Cisco Aironet adapters Turn on LEAP in ACU Windows: Use Windows Networking logon to supply username/password Others: Use ACU window to supply username/password Others: No support for LEAP Use static WEP On Windows XP, use EAP-TLS One AP can support LEAP, EAP-TLS, and static WEP RADIUS servers Cisco Secure ACS Supports LEAP Needs access to an NTformatted database or ODBC connection to NT Domain Controller or Active Directory With LEAP proxy in V3.0, can interact with database manager that supports MS-CHAP* Others: Cisco is working with: Funk Software Interlink Networks Open Systems Consultants * LDAP and NDS do not support MS-CHAP 92

93 Managing Your Secure Network Static WEP keys not only are insecure, but difficult to manage and scale Cisco EAP (Leap) utilizes RADIUS servers, and a single database to manage users credentials Cisco APs support management via SNMP, WEB (with secure User Manager settings), CiscoWorks 2000, and Wavelink 93

94 Wireless Access VPN 3000 Concentrator Series Presentation_ID 1999, Cisco Systems, Inc. 94

95 Wireless Access VPNs VPN 3000 Internet Corporate Network Cisco Aironet using WEP/128 bit Certicom Palm OS IPSec VPN Client - movianvpn (AVVID Partner) Cisco 3000 VPN Client with Aironet b PCMCIA card SOHO 95

96 Attack Mitigation Roles for Standard VPN WLAN Design Two-Factor Authentication RFC2827 Filtering Inter-Subnet Filtering Authenticate Remote VPN Gateway Terminate IPSec Personal Firewall for Local Attack Mitigation Wireless Computer with VPN Client DHCP/RADIUS/OTP Servers Access Point VPN Concentrator Authenticate Remote Users Terminate IPsec Protocol Filter to Discard none IPSEC traffic 96

97 AP Radio Protocol Filter (Inbound/Outbound) Protocol Type Protocol Value Disposition Ethertype ARP 0x0800 Forward Ethertype IP 0x0806 Forward IP Protocol UDP 17 Forward IP Protocol ESP 50 Forward IP Port BootPC 68 Forward IP Port DNS 53 Forward IP Port IKE 500 Forward 97

98 Cisco AP Allows for Filtering 98

99 Cisco Advantages GoC Environment Cisco VPN Client/Gateway technology is Best in Class for WLAN Applications John Pavelich, Senior Consultant Entrust Strong encryption, True IPSec VPN Auto-initiate VPN tunnel for WLAN connections Force Disable Split Tunneling Stateful Inspection Firewall Client Strong, certificate based authentication Security Hardware and Software from a Mature vendor 99

100 Cisco VPN Gateway Forces a Client Policy 100

101 Auto Initiation of VPN in a Wireless Environment (New VPN 3.6) The Cisco VPN Client can be configured to automatically initiate a VPN based on the network that the user's machine is connected to (that is, based on a user s assigned address). This feature is called Auto Initiation for on-site Wireless LANs (WLANs). The auto initiation feature was designed to make the user experience more like a traditional wired network in those environments in which VPNs are being used to secure WLANs. These environments are also known as on-site WLANs. 101

102 Adopted Safe Wireless Architecture Addison Texas Office, HQ Kanata Access Point 350 and 1200 Concentrator 3060 VPN Using Digital Certificates Client PC used the Integrated Zone Alarm PF Filtering Protocol on the AP 102

103 LEAP / IPSec & Static WEP Differentiation LEAP IPSec Static WEP Key Length (bits) Encryption Algorithm RC4 3 DES RC4 Packet Integrity CRC32/MIC MD5-HMAC/SHA-HMAC CRC32/MIC Device Authentication None Pre-shared secret or Certificates None User Authentication Username/Password Username/Password or OTP None User Differentiation * No Yes No Transparent user experience Yes No Yes ACL requirements None Substantial N/A Additional Hardware Authentication Server Authentication Server and VPN Gateway No Per user keying Yes Yes No Protocol Support Any IP Unicast Any Client Support PCs and high end PDAs. Wide range of OSs supported from Cisco PCs and high end PDAs. Wide range of OSs supported from Cisco and 3 rd Party Vendors. Open Standard No Yes Yes Time based key rotation Configurable Configurable No All clients supported Client hardware Encryption Yes Available, software is most common method Additional Software No IPSec client No Per-flow QoS Policy Management At access switch After VPN gateway At access switch Yes 103

104 Cisco VPN 3000 Concentrator Series Includes a standards based VPN Client and management GUI Allows mobile workers and telecommuters broadband connectivity over Cable and DSL Uses RADIUS for Authentication (Softoken) Split tunneling corporate and Internet Implement behind the Internet access router and parallel to the PIX Firewall 104

105 Cisco VPN 3000 Concentrator Series Simultaneous Users ,000 Performance (Mbps) Encryption Cards Memory (Mb) Upgradable No Yes Yes Yes n/a Dual Power Supply No Optional Optional Optional Yes Redundancy No Yes Yes Yes Yes Site-to-Site Tunnels

106 Platform Highlights Models 3015, 3030, 3060, 3080 Modular Expandable Redundant Hardware Encryption Extensive Instrumentation 2U Form Factor 106

107 Cisco Remote Access VPN Cisco VPN 3000 Concentrator Series Cisco 3000 VPN Client HTML-Based Management 107

108 VPN Device Manager (VDM) HTML Based NETWORK COMPUTING 11/15/99..has a great overall management architecture with configuration options laid out in a logical tree structure, a hierarchical profile management and excellent troubleshooting tools. 108

109 Wireless Best Practices Enable WEP Key rotation when equipment supports it Change default SSID Disable broadcast of ESSID Change default password AP Block null ESSID connection Restrict access by MAC address Use VPN technology or Dynamic WEP Use strong mutual authentication Monitor wireless network medium (air space) for suspicious activity 109

110 For more information... Home Page Technical documents (white papers, app notes, etc.) Product Catalog Product Support 110

111 Questions?? 111

112 4515_03_2002_c1 2002, Cisco Systems, Inc. All rights reserved. 112