Developing a Secure Wireless Infrastructure - Pt. 1


Wireless Security Best Practice

Wi-Fi networking is ubiquitous; it is in use everywhere around us. Among the more familiar forms are wireless Internet access and the cell phones we use. Convergence and DLNA are bringing the workplace, entertainment, telephony, and data to our homes, vehicles, and mobile devices. Wireless connectivity gives mobility and flexibility; however, it is not as robust or secure as a wired connection. Wireless connectivity also usually entails shared access, so everyone at your place of business, school or hotspot competes for the same resource, with a corresponding decrease in bandwidth. Whether it is because wireless must connect to a wired LAN backbone to access the Internet, or because of throughput and security issues, eventually the two components combine.

Thus, no matter how much we rely on the usefulness and convenience of wireless networking, the wireless and wired networks will ultimately interconnect and co-exist. Therefore, when planning the integration of our wireless network with the wired components, we must consider the security not only of the WLAN itself, but also how it may affect the security of other networks. The “Guidelines for Securing Wireless Local Area Networks” from NIST state, “A WLAN is usually connected to an organization’s wired networks, and WLANs may also be connected to each other. This means that the WLANs and WLAN devices are not only subject to WLAN-specific attacks, but also nearly all the attacks that wired networks and devices on those networks face”.

Therefore, best practice dictates that for WLANs that need wired network access, their client devices should access only the necessary hosts on the wired network using the minimum required protocols. In addition, an organization should have separate WLANs if there is more than one security profile for WLAN usage; for example, an organization should have logically separated WLANs for external use, such as for guests, and for its internal end-users. Additionally, devices on one WLAN should not be able to connect to devices on a logically separated WLAN.

Organizations should have policies that clearly outline which forms of dual connections they permit for their WLAN client devices. These policies should be enforced by disabling all network interfaces that are not authorized for use with WLAN client devices. Further, configure these devices to prevent end-users from enabling them or otherwise circumventing the restrictions. The devices should also be configured to disable bridging, which will prevent passing traffic between the networks. This is a precaution in the event an unauthorized dual connection occurs.

However, there are instances when WLAN clients are authorized for dual connections; on those occasions we should ensure that these connections occur only when necessary, and that any other non-essential connections are not allowed. Once again, we should configure the devices to prevent bridging.

As control mechanisms, we can configure the device’s BIOS so that WLAN connections terminate automatically when wired connections are detected; this type of configuration is known as LAN/WLAN switching. We may also implement software-based controls that permit either WLAN or wired network access, but not both simultaneously. These controls typically favor wired connections over WLAN because of their relative reliability, performance, and security.

An additional control mechanism is the use of host-based IDS/IPS applications to prevent multiple network interfaces from being active at the same time. Through OS/domain controls, third-party policy-based software, et cetera, we may designate and enforce authorized and/or unauthorized network profiles.
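The software-based LAN/WLAN switching and anti-bridging controls described above, as an added example that is not part of the original article: a NetworkManager dispatcher script (NetworkManager runs scripts in /etc/NetworkManager/dispatcher.d/ as `<script> <interface> <action>`) that turns the Wi-Fi radio off while a wired link is up and logs a warning if IP forwarding is enabled on the host. The interface-name patterns and the use of nmcli, sysctl and logger are assumptions about the client host.

```shell
#!/bin/sh
# Added example (not from the original article): enforce "wired or WLAN,
# not both" from a NetworkManager dispatcher script. NetworkManager calls
# this as "<script> <interface> <action>" on link events. Assumptions:
# wired NICs are named eth* or en*, Wi-Fi NICs wl*, nmcli is available.

# Classify an interface name as wired, wifi or other.
iface_kind() {
    case "$1" in
        eth*|en*) echo wired ;;
        wl*)      echo wifi ;;
        *)        echo other ;;
    esac
}

# Decide what to do with the Wi-Fi radio for one dispatcher event.
# Prints "off", "on" or "none". Pure function, so it is testable offline.
decide_wifi_state() {
    iface="$1"; action="$2"
    [ "$(iface_kind "$iface")" = wired ] || { echo none; return; }
    case "$action" in
        up)   echo off ;;   # wired link came up: drop WLAN (favour the wire)
        down) echo on ;;    # wired link gone: allow WLAN again
        *)    echo none ;;  # pre-up, vpn-up, connectivity-change, ...
    esac
}

# Bridging guard: succeed only when the host is not forwarding IP traffic
# between its interfaces. The value is passed in so the check is testable.
forwarding_disabled() {
    [ "$1" = 0 ]
}

apply_policy() {
    iface="$1"; action="$2"
    case "$(decide_wifi_state "$iface" "$action")" in
        off) nmcli radio wifi off; logger -t lanwlan "wired $iface up: Wi-Fi off" ;;
        on)  nmcli radio wifi on;  logger -t lanwlan "wired $iface down: Wi-Fi on" ;;
    esac
    fwd=$(sysctl -n net.ipv4.ip_forward 2>/dev/null || echo unknown)
    forwarding_disabled "$fwd" || \
        logger -t lanwlan "WARNING: net.ipv4.ip_forward=$fwd, host could bridge networks"
}

# Act only when invoked by NetworkManager with its two arguments.
if [ "$#" -eq 2 ]; then
    apply_policy "$1" "$2"
fi
```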

Wired Broadband Delivery Systems

As previously stated, the wireless and wired elements of our network are interwoven; we cannot discuss one without considering the other. Therefore, we shall begin our discussion with an overview of the features and vulnerabilities of a few common wired broadband delivery systems.

Cable networks. For cable networks, the Data Over Cable Service Interface Specification (DOCSIS) is the telecommunications standard that permits the addition of high-speed data transfer to an existing cable TV (CATV) system. It allows many cable television operators to provide Internet access over their existing hybrid fiber-coaxial (HFC) infrastructure.

Cable networks are shared-media networks. All users within the same hybrid fiber-coax (HFC) segment share a common cable line running between their cable modems (CM) and the cable modem termination system (CMTS) servicing that segment. The traffic to and from any user is visible to all other users on the same network segment, and an eavesdropper can view this traffic using a packet-sniffing tool (A Guide to Securing Broadband Cable Networks: DOCSIS 2001). Figure 1(a) illustrates a typical setup of a cable access network.

Cable security. To counter this problem, cable operators employ a system known as Baseline Privacy Plus (BPI+). This encrypts all your data to ensure that no one can intercept your transmissions. BPI+ also stops the illegal use of someone else's connection to gain free access ("DOCSIS, Insecure by Design", 2008).

The encryption used must travel with the information wherever it goes. The US has laws as to the level of encryption that is permitted to be exported; as such, the maximum encryption level is 128 bit. Before data can be exchanged there is first a key exchange. The key exchange uses triple DES as its encryption. This is quite a strong encryption level and provides satisfactory protection for the key exchange; the algorithm used is a public key exchange. Cable modems do not require a username and password in the same way that dial-up connections do.

The authentication is hard-coded into the cable modems when they are built. This authentication is an X.509 digital certificate, comprising a serial number, public key, MAC address, and manufacturer identification. The X.509 certificate is verified by the head end, also known as the distribution hub. Once this has been verified, subsequent data sent by that user is encrypted using their public key (Lee 2005).

Digital subscriber line. DSL access networks use existing telephone wiring to connect home users to the Internet. Unlike cable customers, DSL customers do not share their access link. Each customer’s DSL modem uses a dedicated point-to-point connection to exchange data with a Digital Subscriber Line Access Multiplexer (DSLAM). The connection carries both data and telephone signals, which are encoded in different frequencies (Dischinger et al. 2007). On the customer side, a splitter separates the two signals and forwards the data signal to the DSL modem. Figure 1(b) illustrates a typical setup of a DSL access network.
There are two important differences between DSL networks and other access networks. First, like cable networks, DSL networks often have asymmetric bandwidth, with downstream bandwidth higher than upstream; this is commonly known as ADSL. Second, the maximum data transmission rate falls with increasing distance from the DSLAM. To boost the data rates, DSL relies on advanced signal processing and error correction algorithms, which can lead to high packet propagation delays.

DSL security. Best practice dictates that the end-user connect through an external device, such as a router, which hides the connected device from an attacker’s view. Use firewall, IDS and antivirus software. Businesses running sites on broadband links should consider a commercial-grade product that will support e-mail and Web servers. In addition, it is advised to turn off all unnecessary network-related services other than basic TCP/IP.

Another major issue reported in “DSL Security Threat” is that many DSL ISPs provide their customers with dynamic IP addresses over Point-to-Point Protocol over Ethernet (PPPoE), an authentication protocol that sets up Ethernet sessions as needed. Customers sold dynamic IP addresses, as opposed to static IP addresses, experience difficulty connecting to VPNs and hosted servers.

Dynamic IP addresses, which some ISPs now use, are less secure than static IP addresses for two reasons. One, they cannot be permanently assigned to a firewall, making it harder for enterprises to control access to their networks. Two, PPPoE makes it easier for attackers to gain unauthorized access by seizing or guessing dynamic addresses. PCs connected to the Internet via cable or DSL service tend to be "always on." They may use the same IP address for days or weeks at a time, which makes them an easy target for attackers.

Another inherent DSL problem stems from the ability of a user to establish an authenticated link to a computer network or location while using a second channel on the line to access the Web. An attacker could get into your PC from your Internet connection and then use the second link to reach headquarters. Solutions include setting up DSL modem passwords and installing firewall software on the user's PC or requiring remote users to access the Net through a firewall at company headquarters.

Fiber to the home (FTTH). The main drivers for fiber are that the telecoms use it to regain revenue lost to cable companies, and consumer demand for IPTV, VoIP and data services. Fiber to the home (FTTH) is the delivery of a communications signal over optical fiber from the operator’s switching equipment all the way to a home or business, thereby replacing existing copper infrastructure such as telephone wires and coaxial cable.

“Advantages of Fiber to the Home” asserts, “Wireless alternatives such as Wi-Fi and WiMAX cannot deliver HDTV – and in fact have trouble delivering standard-definition television. Variants of DSL, and even the latest cable and satellite links, can deliver HDTV only with difficulty, low reliability, and high operating costs”. They further contend, one bundle of fiber cable not much thicker than a pencil can carry “ALL” of the world’s current communications traffic.

Security concerns. A primary concern is the protection of hardware, software, and systems from power and data loss, viruses, spam, denial-of-service attacks, and the like. Doing this across the last mile is literally a matter of bandwidth, and fiber has the excess capacity to accommodate the sophisticated security and filtering tools available.

With phones, Internet, broadcast TV, alarms, and especially services (such as medical monitoring) all riding the same pipe, a disruption of service for any length of time would be disastrous. These security and business continuity hurdles must be overcome for FTTH to succeed.

Broadband over power lines. On Friday, 15 October 2004, the FCC cleared the way for power companies to roll out broadband over power line service. In order to comply with FCC Part 15 regulations, the utility companies must shield their systems from producing interference with other licensed signals. Some BPL products use an Orthogonal Frequency Division Multiplexing (OFDM) modulation technique, which allows the products to transmit at a very low energy level over a few selected MHz of the 1.7 to 30 MHz spectrum. This low energy level allows products to meet all FCC Part 15 regulations.

The communication speed of BPL is comparable with DSL or cable, with some BPL service providers claiming up to 3 Mbps. The only equipment an end user needs is a special modem plugged into an electrical receptacle. Technically, combining power and data in the same wire is nothing new. Phone companies have been powering telephones for decades from the central office switch over the same wires that carry voice. The IEEE 802.3af PoE (Power over Ethernet) standard has made it possible to provide power across LAN wiring to VoIP phones and WAPs (Qiu 2007).

Security concern. In the wake of the September 11 terrorist attacks, government officials and security experts have identified the need for the United States to possess communications network redundancy. By providing a third broadband technology, the nation would gain some of that needed redundancy (“Broadband Over Power Lines: A White Paper”). Additionally, under the Mission Essential Voluntary Assets (MEVA) guidelines, utilities are responsible for ensuring secure infrastructure power for federal facilities, including military bases, and state, city and local government. BPL will also enhance security and enable other security applications such as video surveillance consistent with the MEVA guidelines.

BPL will most likely always be a rural niche solution; by 2011 it will have no more than 2.5 million subscribers. BPL alone cannot support these low-density areas because the equipment to carry the service there costs too much. It can, however, extend the reach of DSL, back-haul WiMAX base stations, and expand broadband to rural areas. In areas already served by other broadband providers, BPL will increase competition, which in turn will bring better service and lower prices for consumers, as indicated by this chart (“Broadband Over Power Lines: A White Paper”).


Developing a Secure Wireless Infrastructure - Pt. 2

Wireless Broadband Delivery Systems

Municipal Wi-Fi. A number of cities (Boston, Chicago, St. Louis, San Francisco, et al.) have attempted to implement municipal Wi-Fi using 802.11g/n WAPs. However, due to cost and logistics, most have not been able to implement it citywide. For instance, in the city of New York, city-sponsored Wi-Fi is limited to areas around a few public libraries, parks, and areas that tourists are apt to frequent.

[Figure: a municipal wireless antenna]
At the onset of setting up muni wireless, some cities had the well-intentioned goal of closing the digital divide. Until fairly recently, a significant percentage of inner-city citizens did not have computers, or adequate training in their use. Now, with the price of computers going down and the convergence of information technology devices, this gap has narrowed. However, there is still a divide, as many people cannot afford Internet access and so are unable to seek information, send out resumes, et cetera.

It is apparent that the way to connect the citizens of a city is via wireless, as wiring every house with city revenue would be cost-prohibitive. However, here again we have a digital divide between the “bandwidth haves and the bandwidth have-nots”. This is because current wireless throughput is not at the same speed as wired throughput; thus, citizens who rely on city-sponsored Internet will most likely not be able to avail themselves of bandwidth-intensive content.

This begs the question, “What is the most effective wireless technology to deploy to ensure city-wide coverage?” The city of Boston has deployed 802.11n WAPs with repeaters; however, there are many dead zones. Given that Wi-Fi networks require 24 to 40 access points per square mile in urban areas, this may not be the most cost-efficient way to proceed.

WiMAX. The 802.16 protocol, WiMAX, is an option that has been deployed by a number of cities to turn an entire city into a Wireless Access Zone (WAZ). Its spectrum range runs from 2 GHz through 66 GHz, though the WiMAX Forum has published three licensed spectrum profiles: 2.3 GHz, 2.5 GHz and 3.5 GHz. WiMAX networks require an access point roughly every two square miles in urban areas, and one every six square miles in rural areas. The maximum theoretical throughput is 75 Mbps per channel, though real-world performance will be considerably lower, at 45 Mbps, and the average end-user rate lower still. WiMAX uses orthogonal frequency-division multiplexing (OFDM) as a method of encoding digital data on multiple carrier frequencies. OFDM is also used by 802.11a/g/n, ADSL, BPL, 4G and LTE cellular technology, and digital television and audio broadcasting.

Why has WiMAX not seen widespread deployment? One reason is that computer hardware with embedded WiMAX capabilities largely has not yet reached the market. By comparison, virtually all laptops and other mobile devices feature Wi-Fi capability. Another, which I have seen with clients of mine who are early adopters, is that there are also significant pockets of dead zones with WiMAX in some areas.

WiMAX security issues. There are also security concerns in the form of rogue base stations, DoS attacks, man-in-the-middle attacks, and network manipulation with spoofed management frames. A key principle in 802.16 networks is that each subscriber station (SS) must have an X.509 certificate that uniquely identifies the subscriber. The use of X.509 certificates makes it difficult for an attacker to spoof the identity of legitimate subscribers, providing ample protection against theft of service.

WiMAX implements a unidirectional authentication mechanism using X.509 certificates from subscriber to base station, but there is no provision for base station to subscriber authentication in return. This opens a potential vulnerability for rogue base stations to attempt the impersonation of legitimate devices. Attackers can intercept subscriber initiation requests and spoof responses, authorizing them to use the rogue access point (Hasan 2010). The 802.16e amendment added support for the Extensible Authentication Protocol (EAP) to WiMAX networks, though its implementation is optional for service providers.

Another concern is that management frames are not encrypted, allowing an attacker to collect information about subscribers in the area and then execute a replay attack to flood a network with rogue management frames, effectively creating a denial of service. Similarly, an attacker could jam the entire WiMAX spectrum for all planned deployments. In addition to physical-layer denial of service attacks, an attacker can use legacy management frames to disconnect legitimate stations.

High Speed Downlink Packet Access (HSPA). A report states that mobile broadband has been a runaway success, with subscriber numbers increasing from zero to more than 500 million in just a few years, driven by consumers armed with smartphones and connected laptops ("Capacity? HSPA Has Plenty").

Security concerns. Is there authentication protection for HSDPA? One source says, “Yes. For UMTS/HSDPA connections, AT&T uses UMTS Encryption Algorithm 1 (UEA1), which is based on a mode of operation of a block cipher called Kasumi, and employs a 128-bit key. Authentication is similar to the authentication used in GSM/GPRS/EDGE, and is based on the credentials in the SIM card” (Are there any security enhancements for UMTS/HSDPA).

However, Schoonemann (2009) states that HSDPA “Does not provide any additional security next to SIM authentication. The data encoding done by the CDMA standard is quite safe, it works better than any cryptographic algorithm, but not in the case that an intruder is in a base station or somehow gets the channel codes”. Moreover, the author goes on to state, “WiMax does support additional security techniques, such as cryptographic algorithms, which comes as an additional security besides the encoding”.

Satellite. Satellite broadband service is useful in rural areas where wired service would be difficult to install. Satellite service is generally more expensive than other means, and does experience problems with latency, which can affect speed. Weather conditions can also affect the delivery of service and connection speeds. However, speeds are often much higher than those with dial-up access, and satellite is sometimes the only way to deliver broadband to extremely remote areas.

Wireless and the 802.11 Protocol

IEEE 802.11 is a wireless LAN industry standard, and its objective is to make sure that different manufacturers' wireless LAN devices can communicate with each other. The original 802.11 provides 1 or 2 Mbps transmission in the 2.4 GHz ISM band using either FHSS or DSSS.

802.11a uses OFDM, is able to obtain speeds of up to 54 Mbps, and runs on the 5 GHz band. Higher data rates are possible by combining channels. Due to the higher frequency, range is less than that of lower-frequency systems (i.e., 802.11b and 802.11g), which can increase the cost of a deployment, because a greater number of access points may be required. In addition, 802.11a is not directly compatible with 802.11b or 802.11g networks.

802.11b, known as Wi-Fi or High Rate 802.11, uses DSSS and applies to wireless LANs. It is common in home use; it provides an 11 Mbps transmission rate in the 2.4 GHz ISM band and has fallback rates of 5.5, 2 and 1 Mbps. The IEEE 802.11b standard has a nominal speed of 11 megabits per second (Mbps).

802.11g provides a 20+ Mbps transmission rate, with a 54 Mbps maximum data rate. It utilizes the 2.4 GHz radio spectrum and OFDM modulation. 802.11g is an extension of 802.11b, and allows communication with 802.11b devices, albeit at the lower rate of 11 Mbps.

The IEEE 802.11n wireless network standard increases transmission speeds to 300 Mbps and beyond. Because 802.11n works in both the 2.4 GHz and 5 GHz frequency bands, it is compatible with legacy 11a and 11b/g deployments.

Modes. 802.11 wireless networks operate in two basic modes: infrastructure and ad-hoc. Infrastructure mode is the most common mode of operation for wireless networks. In this mode, each wireless client connects directly to a central device called an Access Point; there is no direct connection between wireless clients.

An Access Point acts as a wireless hub that connects the wired LAN backbone with the wireless clients and handles the connections between them. This device is also primarily responsible for handling the clients’ authentication, authorization and link-level data security, such as access control and enabling data traffic encryption.

In ad-hoc mode, wireless networks consist of a number of stations without access points or a connection to a wired network. The ad-hoc mode is less common, although it is often used in the deployment of WPANs. In this mode, each wireless client connects directly with the others. There is no central device managing the connections, and each node must maintain its own authentication list.

Beacon signal. A beacon is a small broadcast data packet that reports the qualities of the wireless network: supported data rates, encryption state, Access Point MAC address, SSID, et cetera. The SSID (Service Set Identifier) identifies a particular wireless network.

A client that wants to join a wireless network must set the same SSID as the one in that particular Access Point. In infrastructure mode, the Access Point generates this signal; in ad-hoc mode, one random station assumes the responsibility.

In addition, hiding the SSID is not a guaranteed security measure, as wireless network analyzer tools such as inSSIDer or Kismet can passively sniff the hidden SSID.


Developing a Secure Wireless Infrastructure - Pt. 3

Wireless Network Exploits

Common Tactics

War-driving. This exploit entails driving around in a vehicle with a laptop and a high-gain antenna attached to an 802.11 wireless network interface card (NIC). War-drivers set the NIC in promiscuous mode, which allows the NIC to receive packets regardless of protocol type or destination, and is used in conjunction with packet sniffing.

Packets, also known as frames, segments, blocks or cells, are the means by which data such as a web page, email, or other types of data is sent from one machine to another. Packets are broken into three parts: header, payload, and trailer. The header has information about the length, the source and destination of the packet, the protocol type, and synchronization information. The payload is the body of the packet, i.e. the data being sent to the destination. The trailer, also known as the footer in contrast to the header, signifies to the receiving device that this is the end of the message, and in some instances carries a mechanism for error checking.

Active scanning. An active scanner sends out probe request packets on a periodic basis. These probes could be targeted, as in “Network X, are you available?”, or they can be of a broadcast nature and ask “are any networks available?” Every tenth of a second, packets are sent from access points, and these packets carry information such as the name, address, and other details about the wireless network. Active scanners can detect the afore-mentioned probe requests and beacons, but they do not see other network traffic that would be useful.

Passive scanning is a far more efficient way of gathering information about packets on a network. Moreover, unlike active scanners, passive scanners do not send out packets but rather they analyze the on-going traffic.

Rogue AP. This attack is unique in that rather than attempting to break into the network, an attacker sets up a rogue AP with the same SSID that the client usually logs into, captures their information, and is then able to access the legitimate network. Thus, when I am travelling and become intrigued by the many unsecured networks with an SSID of “Linksys” or “Netgear”, I stay away.

FakeAP. This program from Black Alchemy is a unique application for the Linux platform. It will create thousands of fake APs, which could confuse a war driver, or create a “honeypot.” A honeypot is a server or AP that lures people in and can be used as a security management tool to see who is attempting entry to your network, or to obtain information about the device that is attempting entry, such as its credentials.

Deauthentication flood attacks. Deauthentication attacks inject packets that force a legitimate user off the network, which in turn causes them to transmit re-association request packets to the AP. From those packets, information can be gleaned that will aid an unauthorized user in gaining access. Aireplay for Linux, KisMAC for OS X, and CommView for Windows are programs that will aid in this.

Conversely, in an authentication flood attack, an attacker uses spoofed source MAC addresses to attempt to authenticate and associate with a target access point. The attacker repeatedly makes authentication/association requests, eventually exhausting the memory and processing capacity of the access point and leaving clients with little or no connection to the wireless network.
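Detection logic for the two floods just described (deauthentication frames forged from the AP's address, and authentication/association requests from many spoofed station addresses), as an added example that is not part of the original article. It works on (timestamp, subtype, source, destination) tuples such as a monitor-mode capture would yield; the sample frames are constructed, and the window and thresholds are assumed tuning values.

```python
from collections import defaultdict, deque

# Added example: sliding-window detection of deauth and auth floods.
# 802.11 management frame subtypes (from the standard).
SUB_ASSOC_REQ, SUB_DISASSOC, SUB_AUTH, SUB_DEAUTH = 0, 10, 11, 12


class FloodDetector:
    """Frames are (timestamp_seconds, subtype, src_mac, dst_mac).
    window/limits are assumed tuning values, not figures from the article."""

    def __init__(self, window=1.0, deauth_limit=10, auth_src_limit=20):
        self.window = window
        self.deauth_limit = deauth_limit
        self.auth_src_limit = auth_src_limit
        self.deauth = defaultdict(deque)   # claimed AP src -> [t, ...]
        self.auth = defaultdict(deque)     # target AP dst -> [(t, src), ...]
        self.last_alert = {}               # (kind, key) -> time of last alert
        self.alerts = []                   # (t, kind, key)

    def _expire(self, dq, now, key=lambda e: e):
        """Drop entries older than the window."""
        while dq and now - key(dq[0]) > self.window:
            dq.popleft()

    def _alert(self, t, kind, key):
        """At most one alert per (kind, key) per window."""
        last = self.last_alert.get((kind, key))
        if last is None or t - last > self.window:
            self.last_alert[(kind, key)] = t
            self.alerts.append((t, kind, key))

    def observe(self, t, subtype, src, dst):
        if subtype in (SUB_DEAUTH, SUB_DISASSOC):
            # A deauth flood forges the AP's address as source, so key on src.
            dq = self.deauth[src]
            dq.append(t)
            self._expire(dq, t)
            if len(dq) >= self.deauth_limit:
                self._alert(t, "deauth_flood", src)
        elif subtype in (SUB_AUTH, SUB_ASSOC_REQ):
            # An auth flood is many *distinct* spoofed stations hitting one AP.
            dq = self.auth[dst]
            dq.append((t, src))
            self._expire(dq, t, key=lambda e: e[0])
            if len({s for _, s in dq}) >= self.auth_src_limit:
                self._alert(t, "auth_flood", dst)


def analyze(frames, **kw):
    """Run the detector over a frame list and return its alerts."""
    det = FloodDetector(**kw)
    for frame in frames:
        det.observe(*frame)
    return det.alerts


def sample_capture():
    """Constructed frames (not real traffic): benign activity, then two floods."""
    ap, client = "02:00:00:00:00:aa", "02:00:00:00:00:01"
    frames = [(0.0, SUB_AUTH, client, ap), (0.1, SUB_ASSOC_REQ, client, ap),
              (5.0, SUB_DEAUTH, ap, client)]           # one legitimate deauth
    frames += [(10.0 + i * 0.01, SUB_DEAUTH, ap, "ff:ff:ff:ff:ff:ff")
               for i in range(30)]                     # broadcast deauth flood
    frames += [(20.0 + i * 0.02, SUB_AUTH, f"02:00:00:00:01:{i:02x}", ap)
               for i in range(25)]                     # 25 spoofed stations
    return frames
```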

Exploit Mitigation

Active scanning mitigation. To protect against active scanning, the access points of corporate networks should be configured to ignore probe requests directed to the broadcast SSID that do not contain the valid SSID. Requests with the correct SSID would typically be from legitimate clients attempting to connect to the access point, and are allowed. Alternatively, the network may cloak the access point, so that it does not respond to probe requests.

Passive scanning mitigation. To defend against passive scanning there are a number of techniques the enterprise can employ, such as disabling “mixed mode” transmission on the access point and transmitting at 802.11g or 802.11n, not 802.11b. Also, do not broadcast the SSID (Service Set Identifier), which is the name of the wireless network that you wish to join. Even though the passive scanner will know that a network is operational, it will not know the SSID. The SSID can be ascertained by other methods, but this adds another layer to the network’s security.

Mitigation by antenna placement. Network and InfoSec administrators should give considerable thought to their antenna placement and think through which would be more efficacious, an omni-directional or a uni-directional antenna. An AP with high-grade antennas that produce strong yet tight signals will allow focused connectivity for your users; moreover, the narrow focus is less likely to spill out into the street, where a war driver can capture and exploit it.

Additionally, consider whether a decrease in the transmission strength could be advantageous. Also consider switching to the 802.11a band, which operates at 5 GHz instead of the 2.4 GHz of the other bands, as most war-drivers, piggy-backers, and whackers will usually only attempt to access a 2.4 GHz network.

Mitigation by authentication. In terms of protecting the network’s wireless communication from eavesdropping, best practice dictates that we do not use Wired Equivalent Privacy (WEP). WEP is a security mechanism defined within the 802.11 standard and designed to make the security of the wireless medium equivalent to that of a wired connection.

WEP allows the administrator to define a set of "keys" for each wireless network user based on a "key string" passed through the WEP encryption algorithm, with access denied to anyone without an assigned key. WEP has flaws in its key generation, which can be defeated by brute force, dictionary, or known-algorithm attacks. Brute force attacks try all possible key combinations, and these and other methods can defeat WEP's 40/64-bit and 128-bit encryption key lengths relatively quickly.

An effective defense against a dictionary attack is to not use common dictionary words; rather, it is far more advisable to use alphanumeric passphrases interspersed with characters such as “@ % $ * ) # =”. Related to this, security administrators should not use the default SSIDs that come with devices, such as “Linksys, Netgear, Belkin”; it is imperative to use a unique SSID.

WPA networks are not impervious to penetration; one technique to attack a WPA-PSK protected network is a dictionary attack. Utilities useful for this are “Cowpatty” on the Linux platform and airdecap, which is part of the aircrack suite, for the Windows platform.

Wi-Fi Protected Access (WPA) is a security enhancement for current-generation WLAN hardware. WPA products can interoperate with older WEP products. WPA uses dynamic key encryption, which means the key is constantly changing, making breaking into a wireless network more difficult than with WEP.

Newer devices offer WPA2 security, which is backwards compatible with WPA but provides a higher level of security. Within the WPA standards there are two versions that utilize different processes for authentication; one is the Temporal Key Integrity Protocol (TKIP), which utilizes dynamic key encryption and mutual authentication. The main difference between the original WPA and WPA2 is that WPA2 requires the Advanced Encryption Standard (AES) for encryption of data, while WPA uses TKIP.

Developing a Secure Wireless Infrastructure - Pt. 4

Extensible Authentication Protocol

EAP. This protocol is used for message exchange during the authentication process. It utilizes 802.1X server technology to authenticate users via a RADIUS (Remote Authentication Dial-In User Service) server. Enterprise authentication via EAP Transport Layer Security (EAP-TLS), Lightweight EAP (LEAP), Protected EAP (PEAP), or EAP Tunneled TLS (EAP-TTLS) is advised. EAP is a standard authentication framework with about 40 different methods, such as those just mentioned. EAP supplies common functions and a negotiation mechanism, but not a specific authentication method. It works at the link layer without requiring IP, and therefore includes its own support for delivery and retransmission.

  • Cisco's Lightweight EAP (LEAP) uses mutual password authentication between the station and the server, but its challenge/response is not protected by any tunnel, so anyone who captures an exchange can run an offline dictionary attack against it.
  • EAP-TLS requires mutual certificate authentication between stations and servers. The TLS handshake itself is the authentication, so no password ever crosses the air.
  • EAP-TTLS and Protected EAP (PEAP) authenticate servers by certificate and stations by password, the password being protected by tunneling it over TLS. This is only safe if the client actually validates the server certificate (a trusted CA and the expected server name); a client configured to accept any certificate will hand its credentials to a rogue access point running its own RADIUS server.
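An added example (not from the article) of the 802.1X framing described above: it builds and parses EAPOL frames carrying an EAP Request/Identity, a Response/Identity and a PEAP Start, and shows the practical caveat for PEAP and EAP-TTLS, namely that the EAP identity exchange happens before the TLS tunnel exists and is readable by anyone within radio range. The identities and the exchange are constructed for the example.

```python
"""EAP over 802.1X (EAPOL): what is visible on the air before the TLS tunnel is up (added example)."""
import struct
from typing import Optional

EAPOL_EAP_PACKET = 0                      # EAPOL packet type 0 = EAP-Packet
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def eapol_eap(code: int, ident: int, eap_type=None, data: bytes = b"") -> bytes:
    """Build an EAPOL frame (802.1X version 2) wrapping one EAP packet (RFC 3748 header)."""
    type_field = b"" if eap_type is None else bytes([eap_type]) + data   # Success/Failure carry no type
    eap = struct.pack(">BBH", code, ident, 4 + len(type_field)) + type_field
    return struct.pack(">BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap


def parse_eapol_eap(frame: bytes) -> dict:
    """Parse an EAPOL frame and the EAP packet it carries; raise on inconsistent lengths."""
    version, ptype, plen = struct.unpack(">BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET or len(frame) < 4 + plen:
        raise ValueError("not a complete EAPOL EAP-Packet frame")
    eap = frame[4:4 + plen]
    code, ident, length = struct.unpack(">BBH", eap[:4])
    if length > len(eap) or length < 4:
        raise ValueError("EAP length field inconsistent with frame")
    parsed = {"code": EAP_CODE.get(code, code), "id": ident}
    if code in (1, 2) and length > 4:                 # only Request/Response carry a type byte
        parsed["type"] = EAP_TYPE.get(eap[4], eap[4])
        parsed["data"] = eap[5:length]
    return parsed


def outer_identity(frames) -> Optional[str]:
    """The identity a passive listener learns: the EAP-Response/Identity is sent in the clear."""
    for frame in frames:
        p = parse_eapol_eap(frame)
        if p["code"] == "Response" and p.get("type") == "Identity":
            return p["data"].decode("utf-8", "replace")
    return None


def identity_is_anonymous(identity: str) -> bool:
    """PEAP/EAP-TTLS clients should send only a realm (or 'anonymous@realm') as the outer identity."""
    user = identity.split("@", 1)[0] if "@" in identity else identity
    return user.lower() in ("", "anonymous")


# Constructed exchange between a supplicant and an access point relaying to RADIUS (hypothetical identities).
LEAKY_EXCHANGE = [
    eapol_eap(1, 1, 1),                                   # AP -> STA: EAP-Request/Identity
    eapol_eap(2, 1, 1, b"jdoe@corp.example"),             # STA -> AP: EAP-Response/Identity, in cleartext
    eapol_eap(1, 2, 25, b"\x20"),                         # AP -> STA: PEAP Start; the TLS tunnel follows
]
SAFE_EXCHANGE = [
    eapol_eap(1, 1, 1),
    eapol_eap(2, 1, 1, b"anonymous@corp.example"),        # real username is sent only inside the tunnel
    eapol_eap(1, 2, 25, b"\x20"),
]

if __name__ == "__main__":
    for name, frames in (("leaky", LEAKY_EXCHANGE), ("safe", SAFE_EXCHANGE)):
        ident = outer_identity(frames)
        verdict = "anonymous outer identity" if identity_is_anonymous(ident) else "USERNAME EXPOSED"
        print(name, ident, verdict)
```

The realm in the outer identity is still needed so the access point's RADIUS proxy can route the request; only the user part should be withheld until the tunnel is up, and the client must be configured to validate the server certificate or the tunnel protects nothing.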


Enable MAC filtering. The Media Access Control (MAC) address is the identifier assigned to each network interface. Enabling MAC filtering in your AP restricts association to interfaces whose MAC addresses are on an allow list, and can likewise block specific addresses. Treat it as a housekeeping control rather than a security control, for the reason given below.

To obtain the MAC address of the Windows machine you are sitting at, execute "getmac" at the command line. To see the MAC addresses of other computers on your network that this machine has recently talked to, execute "arp -a", which prints the local ARP cache.

Be mindful, however, that an attacker can do the same, and on a WLAN does not even need ARP: the source and destination MAC addresses are in the header of every 802.11 frame, unencrypted even on a WPA2 network, so a capture in monitor mode reveals exactly which addresses the filter allows. Once they have an allowed address they can assume it with a third-party utility such as SMAC, SpoofMac, XArp, QuickSpoof, Mac Makeup or MacIP Change. Additionally, many NICs allow you to change the physical address in the advanced properties of the driver, or in the Registry.

To change your MAC address in Linux takes two easily scripted commands (run as root; the interface must be down while the address is changed):

    ifconfig eth0 down hw ether 00:00:00:00:00:01

    ifconfig eth0 up

These two commands set the eth0 interface to use the MAC 00:00:00:00:00:01. Substitute the NIC you want to set and the MAC address you want to use, and you are done. The change is not persistent; it is lost at reboot unless scripted into the interface configuration.

To change a MAC address on a Cisco IOS device (from privileged EXEC mode, then interface configuration mode; the interface name below is an example):

show mac-address-table - display the learned MAC table (show mac address-table on newer IOS releases)

configure terminal, then interface FastEthernet0/0 - enter configuration mode for the interface to change

mac-address xxxx.xxxx.xxxx - override the interface's burned-in address, on interfaces that support it

Wireless Usage

Remote Access

There are a number of methods for the mobile worker to communicate with the home office: hosted applications such as LogMeIn and TeamViewer, products from Citrix, and the Remote Desktop (RDP) client built into Windows.

Mobile workers using guest WLANs and hotspots should use a VPN to protect themselves, no matter what local measures the visited network employs. A VPN tunnel controls access to the visitor's own network; 802.1X or a captive portal controls access to the guest WLAN. A tunnel prevents eavesdropping from end to end; WPA/WPA2 encryption prevents eavesdropping on the air link only, and on a hotspot with a shared passphrase every other patron holds the same key and can decrypt a session whose handshake they captured.

Enterprises are also using the cloud for mobile workers. The concern here is that when the cloud is not owned and directly controlled by the business, its data may be lost, corrupted or intercepted, so the organization's encryption and access controls must extend to whatever is stored there.

Wireless personal area network (WPAN). WPANs are very useful to the mobile worker, and their use is increasingly common. A WPAN interconnects the devices in an individual person's workspace over wireless links, typically with a range from a few inches to about 10 meters (33 feet). Common WPAN technologies are Bluetooth and ZigBee; Wi-Fi is also used for short-range device-to-device links. All of these operate in the unlicensed 2.4 GHz band, known as the industrial, scientific and medical (ISM) band.

WPAN issues. While wireless networks are exposed to many of the same risks as wired networks, they are vulnerable to additional risks as well. Wireless networks transmit data through radio frequencies, and are open to intruders unless protected. Intruders have exploited this openness to access systems, destroy or steal data, and launch attacks that tie up network bandwidth and deny service to authorized users. Another risk is the theft of the small and portable devices themselves.

An additional concern is that MAC addresses are sent in plaintext over the air. A wireless access point such as a router is given a unique MAC address, as are Wi-Fi equipped laptops, mobile phones and even printers. An important and necessary feature of the MAC address, for the proper functioning of a wireless network, is that it is visible in transmitted data frames whether or not the wireless network is encrypted ("Wi-Fi Positioning Systems: Beware of Unintended Consequences", 2011).

Via Wi-Fi positioning systems (WPS; not to be confused with Wi-Fi Protected Setup, which uses the same initials), the MAC address of a Wi-Fi access point becomes an index for a geolocation reference point. Companies known as location aggregators build and maintain databases of the MAC addresses of these access points for commercial purposes, and provide access to third parties interested in location-based applications and advertising. Since the MAC address was designed to be persistent and unique over the lifetime of a Wi-Fi device, in a WPS it identifies devices that are closely associated with individuals: not only stationary routers, but also personal laptops and mobile phones, which can therefore be tracked from place to place.

Because of all of the above, policies should clearly state which forms of dual connection are prohibited for WLAN client devices, and those policies should be enforced through appropriate security controls. If an attacker gains unauthorized wireless access to a dual-connected client device, the attacker could then use it to access or attack resources on the wired network. Organizations should consider the risks posed not only by the traditional form of dual connection (wired plus wireless), but also by other forms involving multiple wireless networks. It is common today for client devices to connect to multiple wireless networks simultaneously, such as cellular, WiMAX, Bluetooth and WLAN networks ("Guidelines for Securing Wireless Local Area Networks", 2012).

Armed Forces

As regards the military, enemy forces could eavesdrop on or jam communication by scanning the frequency spectrum and monitoring for "spikes" that indicate a carrier signal. Once a carrier is found, they can tune a receiver to the same frequency to listen in, intercept, or pretend to be part of friendly forces.

Mitigation. One technique to mitigate this is frequency-hopping spread spectrum (FHSS): transmitting by rapidly switching the carrier among many frequency channels in a pseudo-random sequence known to both transmitter and receiver.

These radios constantly switch from one frequency to another during a transmission, and they synchronize automatically. Someone who monitors any single frequency during the conversation, as a scanner would, hears only a brief blip of noise each time a hop lands there. Spread-spectrum signals are also highly resistant to deliberate jamming unless the adversary knows the sequencing algorithm and the key that seeds it. This is reminiscent of the Enigma machines and key material captured from the Germans, which helped the Allies read Axis communications.
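An added illustration, not the generator used by any fielded military radio, of how a pseudo-random hop sequence shared by transmitter and receiver defeats a single-channel listener. The hop schedule is derived from a secret key with HMAC-SHA256 (chosen for this example); the channel count is the 79 one-MHz channels classic Bluetooth hops across in the 2.4 GHz band, and the keys are constructed.

```python
"""Key-driven frequency-hopping sequence (added example; not the HAVE QUICK or SINCGARS generator)."""
import hashlib
import hmac

N_CHANNELS = 79          # the 79 one-MHz channels classic Bluetooth hops across in the 2.4 GHz band


def hop_sequence(key: bytes, n_slots: int, n_channels: int = N_CHANNELS) -> list:
    """Channel to use in each time slot, derived from the shared secret via HMAC-SHA256.

    Two radios holding the same key compute the same sequence and so stay synchronised;
    without the key the next hop is unpredictable even though this function is public
    (the secret is the key, not the algorithm).
    """
    seq = []
    for slot in range(n_slots):
        digest = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
        seq.append(int.from_bytes(digest[:4], "big") % n_channels)   # tiny modulo bias, fine for an illustration
    return seq


def fraction_heard_fixed(seq, channel: int) -> float:
    """Share of slots a scanner parked on one channel would catch."""
    return seq.count(channel) / len(seq)


def fraction_heard_following(seq, follower) -> float:
    """Share of slots heard by a receiver hopping with its own (possibly wrong) sequence."""
    return sum(a == b for a, b in zip(seq, follower)) / len(seq)


if __name__ == "__main__":
    shared = b"net-key-2013-03-01"       # hypothetical key loaded into both friendly radios
    wrong = b"adversary-guess"
    tx = hop_sequence(shared, 1000)
    print("friendly receiver:", fraction_heard_following(tx, hop_sequence(shared, 1000)))
    print("scanner on channel 37:", fraction_heard_fixed(tx, 37))
    print("adversary with wrong key:", fraction_heard_following(tx, hop_sequence(wrong, 1000)))
```

With 79 channels a fixed-frequency listener or a wrong-keyed follower catches roughly one slot in 79, which is the "blip of noise" described above; a jammer faces the same arithmetic unless it can raise the noise floor across the whole band. Note that hopping hides which channel carries the traffic but does not encrypt the traffic itself, which is why the sequence generator is paired with encryption in practice.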

While FHSS is very useful, its traffic is not itself encrypted, and there are methods to determine the sequencing in use. Thus, in conjunction with FHSS and for added security, the military has used NSA-supplied sequence generators and encryption with HAVE QUICK and SINCGARS (Skinner). Other encryption devices that the NSA has deployed for the US government are the KY-57 VINSON family (Vinson, n.d.) and, in 2012, "Fishbowl", a secure VoIP phone architecture (Best, n.d.).


Hand-held transceivers and vehicle-mounted computer-based communication systems allow law enforcement officers to communicate with each other and with any necessary databases, and aid them in making life-or-death decisions in an instant. One such example is a system offered by Cisco ("Mobile communication brings the office to the patrol car").

The basis for the mobile communication system is a local IP network in the patrol vehicle with a mobile IP router as its core. The terminal and peripheral devices are linked via Ethernet. In addition to pre-installed car PCs or laptops, devices may include IP video cameras, scanners, printers or VoIP phones. Communication with the police central servers is via HSDPA, which offers an average of 500 kbit/s downstream and 250 to 350 kbit/s upstream. If the vehicle leaves HSDPA coverage, transmissions automatically fall back to EDGE on GSM. Such a vehicle network is a small wired LAN bridged to the outside over a wireless link, so the cellular connection should be treated as the untrusted boundary and carried inside an encrypted tunnel back to the central servers.

Fire and Emergency Personnel

The communication needs of fire and emergency personnel are unique. Firefighters face a wide variety of environmental challenges: temperature extremes, wet and humid atmospheres, operation above or below ground, and loud noise from apparatus, warning devices, tools and the fire itself. Some of the newer features that increase firefighter safety are:

· Voice channel announcement — This feature uses prerecorded voice prompts to tell the firefighter which channel the radio is on as the channel select knob is moved.

· Emergency indications — Radios on the fire-ground receive an indication of emergency activations on the assigned channel.

· Personnel accountability — In new systems there are more radio ID numbers available. This makes it possible for each radio to have an individual ID code enabling identification of the unit and specific position of the unit on an emergency activation. If tied to roster information in a computer-aided dispatch (CAD) system, identification of the individual firefighter is possible.

· Tones — Many radios use tones as an indication of trunked system access, out of range, repeater access, encrypted channel, and others. Use of tones may provide added awareness to the firefighter and, thus, increase safety. (“Voice Radio Communications Guide for the Fire Service”)

Radio Frequency Identification

Passports. RFID tags are on many everyday items: on goods we purchase, where they assist inventory control and loss prevention, and on our drivers' licenses and passports. The Department of Homeland Security (DHS) announced in January 2006 the PASS System (People Access Security Service), which uses vicinity radio frequency identification (RFID) at land border ports of entry. The credit-card-sized passport card contains a vicinity RFID tag that carries only a number; that number links to secure databases, allowing Customs and Border Protection (CBP) officers to determine a traveler's citizenship and identity at U.S. land and sea ports of entry.

However, researcher Chris Paget built a device, at a cost of about $250, that was able to sniff and then clone the RFID tags of passport cards. He says he has read the tags at 217 feet, and believes the same apparatus, set up under better conditions, could read them at 1,000 feet.

Paget's device consisted of a Symbol XR400 RFID reader manufactured by Motorola, a Motorola AN400 patch antenna mounted on the side of his car, and a Dell 710m laptop connected to the reader by Ethernet cable. The laptop ran a Windows application Paget developed that continuously prompted the reader to look for tags and logged each serial number it detected. He bought most of the gear through auctions on eBay.

Passive RFID chips are powered by the radio waves sent to them, and use that power to respond with a signal picked up by a receiver paired with the transmitter. "The tag needs a burst of power to turn on, then drops down in power," he says.

The chips used in the Black Hat demo responded by modulating how much of the incoming radio wave they reflect, absorbing part of it to power the chip, which then decides how much of the signal to reflect back to the transmitter. The chips operate in the 900 MHz ISM band; in RFID applications the maximum power used to transmit to the chips is 1 watt (Koscher, 2008). Since the demo showed a tag answering any reader that powers it, whatever protection exists comes from what the tag does not carry (only a pointer into a database, no personal data) and from the shielding sleeve the card is issued with, not from the radio link.


Whatever the protocol, encryption or delivery method, consideration must be given to the key tenets of confidentiality, integrity and availability. Where there are potentially millions of users on a network, as in a municipal system, the attendant risks grow with scale: if malware were introduced into the network and disseminated to millions of end-users, the results could be catastrophic. Great care must therefore be taken to ensure that all data on the network remain confidential. Access control lists (ACLs) together with file and volume encryption are one way to implement this.

The same proviso holds for the integrity of the data. The key to this component of the CIA triad is protecting data from modification or deletion by unauthorized parties, and ensuring that when authorized people make changes, those changes can be reversed. To protect the integrity of the data, municipal systems may find themselves backing up citizens' data, much as a web hosting company does. Here again, ACLs and file and volume encryption can be applied. These measures influence network performance and availability to other end-users, and raise technical and legal questions that must be addressed.




Frequency-hopping-spread-spectrum (FHSS)


While direct-sequence spread spectrum (DSSS) can provide higher capacity than frequency-hopping spread spectrum (FHSS), it is more easily degraded by environmental factors, particularly multipath reflections. It is therefore better suited to short point-to-multipoint deployments; when deployed over long distances it should be used in point-to-point topologies.

FHSS, by contrast, is less affected by interfering RF signals and other environmental factors, and an operator can deploy a greater number of simultaneously active systems in the same geographic area (co-located systems) than with DSSS.


In a military setting (see Part 4 above), FHSS on its own is not enough: its traffic is not itself encrypted, and there are methods to determine the sequencing in use. Thus, for added security and encryption in conjunction with FHSS, the military has used NSA-supplied sequence generators with HAVE QUICK and SINCGARS (Skinner).

The NSA was established in 1952 as a highly compartmented secret code-breaking effort undertaken by a handful of military officers and civilians, but has gradually become an acknowledged government agency responsible for signals intelligence (SIGINT) (Best). Other encryption devices the NSA has deployed for the US government are the KY-57 VINSON family and, in 2012, "Fishbowl", a secure VoIP phone architecture.

Finally, there have been many iterations of spread spectrum, from the German military in WW1 to CDMA in recent years. However, as a cinephile staff member pointed out, it was actress Hedy Lamarr and composer George Antheil who received a patent in 1942 for their "Secret Communication System". This early version of frequency hopping used a piano roll to switch among 88 frequencies, and was intended to make radio-guided torpedoes harder for an enemy to detect or jam.


Best, R., The National Security Agency: Issues for Congress. Retrieved from

Schwartz, S., Frequency Hopping Spread Spectrum (FHSS) vs. Direct Sequence Spread Spectrum (DSSS) in Broadband Wireless Access (BWA) and Wireless LAN (WLAN). Retrieved from

Skinner, J., An Introduction to Frequency-Hopping Spread-Spectrum (FHSS) Data Communication Techniques. Retrieved from




Municipal Wireless - State of the Industry

There is definitely a huge demand for wireless data access; however, the models we have seen succeed are business improvement districts (BIDs) and free Wi-Fi in restaurants, malls and the like.

We at the Global Tech Consultants' Group perceive the impetus for municipal Wi-Fi to be bridging the digital divide and providing access for people doing casual surfing while going about their daily activities. A smaller subset of that demographic may be college students wanting to get out of their dorm rooms, the kind we see frequenting Starbucks and other coffee shops. Then there may be tourists visiting a city who need a temporary ISP. For the most part we get the sense that it would be an amenity, an extra that a venue might provide, geared to the casual user.

With a goal of bridging the digital divide, municipal Wi-Fi can pursue federal and grant funding, but both of those revenue streams are drying up. Broadband providers, telcos and others are also drastically cutting prices to compete as the ISP of choice. In addition, people increasingly carry their own connectivity: personal hotspots over WiMAX or cellular, phones rooted so they can be tethered as a modem for a laptop or netbook, and unlimited data plans for smartphones and other devices.

Thus, unless municipal Wi-Fi can develop a business model that funds itself and can provide throughput comparable to a paid ISP, it may not be a viable endeavor, and people will continue to pay for an ISP.



TCP Three Way Handshake

To establish a connection, TCP uses a three-way handshake. Before a client attempts to connect with a server, the server must first bind to and listen at a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish a connection, the three-way (or 3-step) handshake occurs:

  1. SYN: The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A.
  2. SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B.
  3. ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A+1, and the acknowledgement number is set to one more than the received sequence number i.e. B+1.


At this point, both the client and the server have received an acknowledgment of the connection. Steps 1 and 2 establish and acknowledge the connection parameter (the initial sequence number) for one direction; steps 2 and 3 do the same for the other direction. With these, full-duplex communication is established. Because the server only treats step 3 as valid when it acknowledges B+1, an attacker who cannot see the SYN-ACK must guess B; this is why initial sequence numbers must be unpredictable rather than merely "random" in name.
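The three steps above, run as an added example (not from the article) in which each side keeps TCP's SYN-SENT / SYN-RECEIVED / ESTABLISHED state and validates the other side's numbers; the initial sequence numbers come from the OS random source, which is what stops an off-path attacker from forging the third step. The Segment and Endpoint classes are constructed for the example and do not touch a real socket.

```python
"""TCP three-way handshake as an explicit state machine with random ISNs (added example)."""
from dataclasses import dataclass
from typing import Optional
import secrets

MOD = 2 ** 32   # sequence numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack_num: Optional[int] = None
    syn: bool = False
    ack: bool = False


class Endpoint:
    def __init__(self, name: str):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt: Optional[int] = None   # next sequence number we will send
        self.rcv_nxt: Optional[int] = None   # next sequence number we expect from the peer

    def listen(self) -> None:
        """Passive open: bind and wait for a SYN."""
        self.state = "LISTEN"

    def connect(self, peer: str) -> Segment:
        """Active open: choose a random ISN A and send SYN (step 1)."""
        self.snd_nxt = secrets.randbelow(MOD)    # unpredictable ISN: a spoofer cannot guess the ACK we expect
        self.state = "SYN-SENT"
        return Segment(self.name, peer, seq=self.snd_nxt, syn=True)

    def on_syn(self, seg: Segment) -> Segment:
        """Step 2: record A+1, choose ISN B, reply SYN-ACK."""
        if self.state != "LISTEN" or not seg.syn or seg.ack:
            raise ValueError(f"{self.name}: unexpected segment in state {self.state}")
        self.rcv_nxt = (seg.seq + 1) % MOD
        self.snd_nxt = secrets.randbelow(MOD)
        self.state = "SYN-RECEIVED"
        return Segment(self.name, seg.src, seq=self.snd_nxt, ack_num=self.rcv_nxt, syn=True, ack=True)

    def on_syn_ack(self, seg: Segment) -> Segment:
        """Step 3, client side: verify the server acknowledged A+1, record B+1, send ACK."""
        if self.state != "SYN-SENT" or not (seg.syn and seg.ack):
            raise ValueError(f"{self.name}: unexpected segment in state {self.state}")
        if seg.ack_num != (self.snd_nxt + 1) % MOD:
            raise ValueError(f"{self.name}: SYN-ACK acknowledges the wrong sequence number (forged or stale)")
        self.snd_nxt = (self.snd_nxt + 1) % MOD
        self.rcv_nxt = (seg.seq + 1) % MOD
        self.state = "ESTABLISHED"
        return Segment(self.name, seg.src, seq=self.snd_nxt, ack_num=self.rcv_nxt, ack=True)

    def on_ack(self, seg: Segment) -> None:
        """Step 3, server side: the ACK must carry A+1 and acknowledge B+1."""
        if self.state != "SYN-RECEIVED" or not seg.ack or seg.syn:
            raise ValueError(f"{self.name}: unexpected segment in state {self.state}")
        if seg.ack_num != (self.snd_nxt + 1) % MOD or seg.seq != self.rcv_nxt:
            raise ValueError(f"{self.name}: ACK does not match our SYN-ACK")
        self.snd_nxt = (self.snd_nxt + 1) % MOD
        self.state = "ESTABLISHED"


def handshake():
    """Run the exchange and return (client, server, [SYN, SYN-ACK, ACK])."""
    client, server = Endpoint("client"), Endpoint("server")
    server.listen()
    syn = client.connect("server")
    syn_ack = server.on_syn(syn)
    ack = client.on_syn_ack(syn_ack)
    server.on_ack(ack)
    return client, server, [syn, syn_ack, ack]


if __name__ == "__main__":
    c, s, segs = handshake()
    for seg in segs:
        print(seg)
    print(c.state, s.state)
```

The two ValueError checks are the whole security story of the handshake: a SYN-ACK or ACK carrying the wrong acknowledgment number is dropped, so an attacker who cannot observe the exchange must guess a 32-bit value drawn from a cryptographic source. A real stack also has to cope with SYN floods that leave many connections parked in SYN-RECEIVED, which this model does not address.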