Developing a Secure Wireless Infrastructure - Pt. 2

Wireless Broadband Delivery Systems

Municipal Wi-Fi.  A number of cities (Boston, Chicago, St. Louis, San Francisco, et al.) have attempted to implement municipal Wi-Fi using 802.11g/n WAPs. However, due to cost and logistics, most have not been able to implement it citywide. For instance, in New York City, city-sponsored Wi-Fi is limited to areas around a few public libraries, parks, and areas that tourists are apt to frequent.

Shown below is a municipal wireless antenna:

At the onset of setting up muni wireless, some cities had the well-intentioned goal of closing the digital divide. Until fairly recently, a significant percentage of inner-city citizens did not have computers, or adequate training in their usage. Now, with the price of computers going down and the convergence of information technology devices, this gap has narrowed. However, there is still a divide, as many people cannot afford Internet access and are unable to seek information, send out resumes, et cetera.

It is apparent that the way to connect the citizens of a city is via wireless, as wiring every house on city revenue would be cost prohibitive. However, here again we have a digital divide, between the “bandwidth haves and the bandwidth have-nots”. This is because wireless throughput currently does not match wired throughput, so citizens who rely on city-sponsored Internet will most likely not be able to avail themselves of bandwidth-intensive content.

This raises the question, “What is the most effective wireless technology to deploy to ensure city-wide coverage?” In the city of Boston, the city has deployed 802.11n WAPs with repeaters; however, there are many dead zones. Given that Wi-Fi networks require 24 to 40 access points per square mile in urban areas, this may not be the most cost-efficient way to proceed.

WiMAX. The 802.16 protocol, WiMAX, is an option that has been deployed by a number of cities to turn an entire city into a Wireless Access Zone (WAZ). Its spectrum spans the 2 GHz through 66 GHz range, though the WiMAX Forum has published three licensed spectrum profiles: 2.3 GHz, 2.5 GHz and 3.5 GHz. WiMAX networks require access points roughly every two square miles in urban areas, and one every six square miles in rural areas. The maximum theoretical throughput is 75 Mbps per channel, though real-world performance is considerably lower, at 45 Mbps, and average end-user throughput lower still. WiMAX uses orthogonal frequency-division multiplexing (OFDM) as a method of encoding digital data on multiple carrier frequencies.  OFDM is also used by 802.11a/g/n, ADSL, BPL, 4G and LTE cellular technology, and by digital television and audio broadcasting.

Why has WiMAX not seen widespread deployment? One reason is that computer hardware with embedded WiMAX capabilities largely has not yet reached the market. By comparison, virtually all laptops and other mobile devices feature Wi-Fi capability. Another, which I have seen with clients of mine who are early adopters, is that there are also significant pockets of dead zones with WiMAX in some areas.

WiMAX security issues. There are also security concerns in the form of rogue base stations, DoS attacks, man-in-the-middle attacks, and network manipulation with spoofed management frames. A key principle in 802.16 networks is that each subscriber station (SS) must have an X.509 certificate that uniquely identifies the subscriber. The use of X.509 certificates makes it difficult for an attacker to spoof the identity of legitimate subscribers, providing ample protection against theft of service.

WiMAX implements a unidirectional authentication mechanism using X.509 certificates, from subscriber to base station, but there is no provision for the base station to authenticate itself to the subscriber in return. This opens a potential vulnerability: rogue base stations can attempt to impersonate legitimate devices. Attackers can intercept subscriber initiation requests and spoof the responses, so that subscribers end up authorized against the rogue access point (Hasan 2010). The 802.16e amendment added support for the Extensible Authentication Protocol (EAP) to WiMAX networks, though its implementation is optional for service providers.

Another concern is that management frames are not encrypted, allowing an attacker to collect information about subscribers in the area and then execute a replay attack that floods the network with rogue management frames, effectively creating a denial of service. Similarly, an attacker could jam the entire WiMAX spectrum used by planned deployments. In addition to physical-layer denial of service attacks, an attacker can use legacy management frames to disconnect legitimate stations.

High Speed Downlink Packet Access (HSPA).  A report states that mobile broadband has been a runaway success, with subscriber numbers increasing from zero to more than 500 million in just a few years, driven by consumers armed with smartphones and connected laptops ("Capacity? HSPA Has Plenty").

Security concerns. Is there authentication protection for HSDPA? One source says “Yes. For UMTS/HSDPA connections, AT&T uses UMTS Encryption Algorithm 1 (UEA1), which is based on a mode of operation of a block cipher called Kasumi, and employs a 128-bit key. Authentication is similar to the authentication used in GSM/GPRS/EDGE, and is based on the credentials in the SIM card” (Are there any security enhancements for UMTS/HSDPA).

However, Schoonemann (2009) states that HSDPA “Does not provide any additional security next to SIM authentication. The data encoding done by the CDMA standard is quite safe, it works better than any cryptographic algorithm, but not in the case that an intruder is in a base station or somehow gets the channel codes”.  Moreover, the same source goes on to state “WiMax does support additional security techniques, such as cryptographic algorithms, which comes as an additional security besides the encoding”.

Satellite. Satellite broadband service is useful in rural areas where wired service would be difficult to install. Satellite service is generally more expensive than other means, and it experiences latency problems, which can affect speed. Weather conditions can also affect the delivery of service and connection speeds. However, speeds are often much higher than those of dial-up access, and satellite is sometimes the only way to deliver broadband to extremely remote areas.

Wireless and the 802.11 Protocol

IEEE 802.11 is a wireless LAN industry standard, and its objective is to make sure that different manufacturers' wireless LAN devices can communicate with each other. The original 802.11 provides 1 or 2 Mbps transmission in the 2.4 GHz ISM band using either FHSS or DSSS.

802.11a uses OFDM, is able to obtain speeds of up to 54 Mbps, and runs on the 5 GHz band. Higher data rates are possible by combining channels. Because of its higher frequency, its range is shorter than that of lower-frequency systems (i.e., 802.11b and 802.11g), which can increase the cost of a deployment because a greater number of access points may be required. In addition, 802.11a is not directly compatible with 802.11b or 802.11g networks.

802.11b, known as Wi-Fi or High Rate 802.11, uses DSSS and applies to wireless LANs. It is common in home use; it provides an 11 Mbps transmission rate in the 2.4 GHz ISM band and has fallback rates of 5.5, 2 and 1 Mbps. The IEEE 802.11b standard has a nominal speed of 11 megabits per second (Mbps).

802.11g provides a 20+ Mbps transmission rate, with a 54 Mbps maximum data rate. It utilizes the 2.4 GHz radio spectrum and OFDM modulation. 802.11g is an extension of 802.11b and allows communication with 802.11b devices, albeit at the lower rate of 11 Mbps.

The IEEE 802.11n wireless network standard increases transmission speeds to 300 Mbps and beyond. Because 802.11n works in both the 2.4 GHz and 5 GHz frequency bands, it is compatible with legacy 11a and 11b/g deployments.

Modes. 802.11 wireless networks operate in two basic modes: infrastructure and ad-hoc. Infrastructure mode is the mode in which most wireless networks are found. In this mode, each wireless client connects directly to a central device called an Access Point; there is no direct connection between wireless clients.

An Access Point acts as a wireless hub that connects the wired LAN backbone with the wireless clients and handles the connections between them. This device is also primarily responsible for handling the clients’ authentication, authorization and link-level data security, such as access control and data traffic encryption.

In ad-hoc mode, wireless networks consist of a number of stations without access points or any connection to a wired network. The ad-hoc mode is less common, although it is often used in the deployment of WPANs.  In this mode, each wireless client connects directly to the others. There is no central device managing the connections, and each node must maintain its own authentication list.

Beacon signal. A beacon is a small broadcast data packet that advertises the characteristics of the wireless network: supported data rates, encryption state, Access Point MAC address, SSID, et cetera. The SSID (Service Set Identification) identifies a particular wireless network.

A client that wants to join a wireless network must set the same SSID as the one in that particular Access Point. In infrastructure mode, the Access Point generates this signal; in ad-hoc mode, one station, chosen at random, assumes the responsibility.

In addition, hiding the SSID is not a guaranteed security measure, as wireless network analyzer tools such as inSSIDer or Kismet can passively sniff the hidden SSID.
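As an added illustration of why SSID hiding is not a security control (this code is not from the original article or from any tool it names), the following Python parses constructed 802.11 beacon and probe-response frames the way a passive analyzer does and correlates them by BSSID: an AP that blanks its SSID in beacons still names it in the probe responses it sends. The BSSIDs, SSIDs and frames are made-up sample values; the audit output is the kind of report a defender would use to find networks relying on SSID hiding.

```python
import struct
MGMT_BEACON = 0x80       # frame-control byte 0: type=management (0), subtype=8 (beacon)
MGMT_PROBE_RESP = 0x50   # type=management, subtype=5 (probe response)
TAG_SSID = 0             # tagged-parameter element ID of the SSID
CAP_PRIVACY = 0x0010     # capability-info bit advertising that encryption is enabled

def build_mgmt_frame(fc_byte0, bssid, ssid, privacy=True):
    # Constructed sample frame: 24-byte MAC header, 12 bytes of fixed fields, one SSID tag.
    header = bytes([fc_byte0, 0x00]) + b"\x00\x00"        # frame control, duration
    header += b"\xff" * 6 + bssid + bssid + b"\x00\x00"    # DA (broadcast), SA, BSSID, seq ctrl
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)  # ESS bit, optional privacy bit
    fixed = struct.pack("<QHH", 0, 100, capability)        # timestamp, beacon interval, capability
    return header + fixed + bytes([TAG_SSID, len(ssid)]) + ssid

def parse_mgmt_frame(frame):
    # Returns (is_beacon, bssid, ssid_bytes, privacy) for a beacon/probe response, else None.
    if len(frame) < 36 or frame[0] not in (MGMT_BEACON, MGMT_PROBE_RESP):
        return None
    bssid = frame[16:22]                                   # Addr3 carries the BSSID
    _, _, capability = struct.unpack_from("<QHH", frame, 24)
    ssid, pos = None, 36                                   # tagged parameters start at offset 36
    while pos + 2 <= len(frame):                           # walk the ID/length/value elements
        tag_id, tag_len = frame[pos], frame[pos + 1]
        if tag_id == TAG_SSID:
            ssid = frame[pos + 2:pos + 2 + tag_len]
        pos += 2 + tag_len
    return frame[0] == MGMT_BEACON, bssid, ssid, bool(capability & CAP_PRIVACY)

def is_hidden(ssid):
    # "Hidden" SSID: element missing, zero-length, or NUL-padded (a common vendor variant).
    return not ssid or all(b == 0 for b in ssid)

def audit(frames):
    # Correlate frames by BSSID: flag beacons that hide the SSID and record what other frames reveal.
    report = {}
    for parsed in filter(None, map(parse_mgmt_frame, frames)):
        is_beacon, bssid, ssid, privacy = parsed
        entry = report.setdefault(bssid.hex(":"), {"hidden_beacon": False, "ssid": None, "privacy": privacy})
        if is_beacon and is_hidden(ssid):
            entry["hidden_beacon"] = True                  # the network relies on SSID hiding
        elif not is_hidden(ssid):
            entry["ssid"] = ssid.decode("utf-8", "replace")  # recovered from probe response or open beacon
    return report

AP_A, AP_B = bytes.fromhex("00aabbcc0001"), bytes.fromhex("00aabbcc0002")  # constructed BSSIDs
SAMPLE_FRAMES = [                                          # constructed capture, not real traffic
    build_mgmt_frame(MGMT_BEACON, AP_A, b"\x00" * 8),               # AP A hides its SSID in beacons...
    build_mgmt_frame(MGMT_PROBE_RESP, AP_A, b"CityHall-Guest"),     # ...but reveals it in a probe response
    build_mgmt_frame(MGMT_BEACON, AP_B, b"Library-WiFi", privacy=False)]
```

Running `audit(SAMPLE_FRAMES)` reports AP A as hidden_beacon=True with its SSID nonetheless recovered, which is exactly what a passive analyzer sees; the privacy flag in the report is the better indicator of whether a network is actually protected.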