Physical Layer Wireless Security Features
There are a number of physical layer wireless security features as well as many higher-layer
security features. The following sections describe the main physical layer security features.
Antenna Pattern/Signal Strength
Although not immediately obvious, antenna directivity provides a certain measure of
security. Unauthorized wireless users must physically position themselves in an area where
a usable signal exists. This is another reason to carefully consider where you radiate your
signal. Rather than broadcasting it everywhere, use directional antennas to radiate only into
the areas where your end users are located.
Modulation Type
Like antenna directivity, modulation type is a not-so-obvious security feature. If a wireless
network uses DSSS, a hacker must use the same DSSS modulation type. Likewise, if a
network uses FHSS, a hacker must use FHSS. If a network uses another proprietary
modulation type, an unauthorized user must use the same proprietary modulation type.
Therefore, proprietary modulation types provide a higher level of physical layer security
than 802.11b, for example.
Network ID (SSID, ESSID)
Several different logical networks can exist in the same physical space. Wireless packets
contain a service set identifier (SSID), extended service set identifier (ESSID), or network
ID to specify the logical network that a wireless station belongs to. The ESSID is a basic
network security feature. If a wireless station does not possess the correct ESSID (or
network ID), it cannot connect to a wireless network.
Miscellaneous Wireless Features
This section describes miscellaneous transmit and receive features. Although these features
cannot be neatly classified into a specific section, their presence or absence can play a
significant role in the performance of your wireless network operation; evaluate them
carefully.
Miscellaneous Transmit Features
The following miscellaneous transmitter features can affect the design and performance of
your wireless WAN:
Transmitter output power Most license-free wireless equipment is limited by
Federal Communications Commission (FCC) regulations to one watt (+30 dBm) of
transmitter output power. Available transmitter output power levels typically vary
from 1 watt (1 W) down to 200 mW, 100 mW, 50 mW, and 30 mW.
TIP: The role of transmitter power in the successful operation of a wireless network is often
misunderstood. Many people believe that more power is always better; however, this is not
true in many cases. Your best approach is to transmit with only the amount of power that
you need to cover your desired service area. Transmitting with too much power results in a
transmitting range that is larger than your receiving range. This causes unnecessary
interference to other networks. The owner of the other networks might then feel the need to
retaliate with excessive transmitter power, which can lead to a cycle of escalation in which
everyone loses.
Configurable transmitter power control A few models of wireless equipment
allow you to configure the transmitter output power; however, for most wireless
equipment, the power output is not configurable. Only one or two equipment models
exist where the AP automatically configures the transmitter power of the end user
nodes. The purpose of automatic power control is to use only the power needed for a
reliable link. Avoiding the use of excessive power minimizes interference between the
end user nodes.
Miscellaneous Receive Features
The following receive features affect the performance of your wireless WAN in many ways:
Receiver threshold A receiver starts working (receiving and decoding an incoming
signal) when the signal reaches the receiver threshold level. Signals below the threshold
are either not received or are received with numerous errors. Signals above the
threshold are received with a low error rate. The low error rate allows the wireless link
to deliver maximum throughput. If you are comparing two different receiver thresholds,
the receiver with the lower threshold receives over a longer distance. For example, a
receiver with a –85 dBm threshold is better than a receiver with a –80 dBm threshold.
NOTE: When comparing receiver thresholds, compare the threshold values at the same data rate. Comparisons at different data rates are invalid because as the data rate goes up, a receiver’s threshold goes up. Stated another way, as the data rate goes up, the receiver becomes less sensitive.
Noise figure Receivers create noise in their circuitry. Noise figure refers to internal
noise or the relative lack of internal noise created by the receiver. The lower the
internal noise, the better a weak signal is received. A 3-dB noise figure is better than
a 6-dB noise figure, for example.
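The three items above (transmitter output power, receiver threshold, and noise figure) are all link-budget quantities, and the relationships are easiest to see in arithmetic. The following is an added example, not part of this chapter, that converts between watts and dBm, derives a receiver threshold from a noise figure, and computes per-direction link margins. It assumes the standard free-space path loss (Friis) formula and the thermal noise floor of -174 dBm/Hz; the antenna gains, frequency, distance, and 22 MHz channel bandwidth are constructed sample values.

```python
import math

def dbm_to_mw(dbm: float) -> float:
    """Convert a power level in dBm to milliwatts (+30 dBm -> 1000 mW)."""
    return 10 ** (dbm / 10)

def mw_to_dbm(mw: float) -> float:
    """Convert milliwatts to dBm (1000 mW -> +30 dBm)."""
    return 10 * math.log10(mw)

def fspl_db(distance_km: float, freq_mhz: float) -> float:
    """Free-space path loss (Friis), a standard textbook formula, not from this chapter."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44

def receiver_threshold_dbm(bandwidth_hz: float, noise_figure_db: float, required_snr_db: float) -> float:
    """Threshold implied by a receiver's noise figure: the thermal noise floor
    (-174 dBm/Hz at room temperature, a physical constant) integrated over the
    channel bandwidth, plus the noise figure, plus the SNR the modem needs.
    A 3 dB lower noise figure gives a 3 dB lower (better) threshold."""
    return -174 + 10 * math.log10(bandwidth_hz) + noise_figure_db + required_snr_db

def received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_km, freq_mhz, cable_loss_db=0.0):
    """Signal level arriving at the receiver for one direction of a link."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - cable_loss_db - fspl_db(distance_km, freq_mhz)

def max_range_km(tx_dbm, tx_gain_dbi, rx_gain_dbi, threshold_dbm, freq_mhz, cable_loss_db=0.0):
    """Distance at which the received level falls exactly to the receiver threshold.
    Every 6 dB of extra budget (power, gain, or sensitivity) doubles the range."""
    allowed_loss = tx_dbm + tx_gain_dbi + rx_gain_dbi - cable_loss_db - threshold_dbm
    return 10 ** ((allowed_loss - 32.44 - 20 * math.log10(freq_mhz)) / 20)

def link_margins(ap_tx_dbm, cpe_tx_dbm, ap_gain_dbi, cpe_gain_dbi,
                 ap_threshold_dbm, cpe_threshold_dbm, distance_km, freq_mhz):
    """Margin above threshold in each direction. A large downstream/upstream gap
    means the AP's transmit range exceeds its receive range: the AP is heard (and
    interferes) far beyond the area in which it can hear its own end users."""
    downstream = received_dbm(ap_tx_dbm, ap_gain_dbi, cpe_gain_dbi, distance_km, freq_mhz) - cpe_threshold_dbm
    upstream = received_dbm(cpe_tx_dbm, cpe_gain_dbi, ap_gain_dbi, distance_km, freq_mhz) - ap_threshold_dbm
    return {"downstream_margin_db": downstream, "upstream_margin_db": upstream}

if __name__ == "__main__":
    # Constructed sample: 1 W AP, 100 mW CPE, 12 dBi antennas at both ends, 2437 MHz, 5 km.
    print(link_margins(mw_to_dbm(1000), mw_to_dbm(100), 12, 12, -85, -85, 5.0, 2437))
    # Range gained by a -85 dBm threshold over a -80 dBm one (same power and antennas).
    print(max_range_km(30, 12, 12, -85, 2437) / max_range_km(30, 12, 12, -80, 2437))
    # Threshold implied by a 3 dB versus a 6 dB noise figure over a 22 MHz channel, 10 dB required SNR.
    print(receiver_threshold_dbm(22e6, 3, 10), receiver_threshold_dbm(22e6, 6, 10))
```

The asymmetric sample (1 W AP, 100 mW CPE) shows the TIP's point numerically: the downstream margin is 10 dB larger than the upstream margin, so the AP radiates usable (and interfering) signal well past the distance at which it can still decode its own end users.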
Miscellaneous Transmit/Receive Features
The following features, when present, apply on both transmit and receive:
AP and bridge Some wireless APs can be used either as an AP (connecting to many
end users) or as a bridge. An AP with bridging capability provides you with more
network flexibility than an AP without the capability to work as a bridge.
AP and repeater Most APs can serve both as an AP and as a repeater at the same time.
Number of wireless ports Most wireless equipment has one wireless port. Some
equipment has more than one wireless port. Multiport equipment can operate
simultaneously on more than one frequency or more than one band. One example is
an AP that has one 2.4-GHz and one 5-GHz wireless port.
External antenna connector Wireless WAN equipment must always be connected
to an antenna that has LOS paths to the end users. Except in the case of CPE that has
the radio integrated with the antenna, this means that the wireless equipment must
have a connector for an external antenna. Equipment that is designed to be used
indoors often lacks a connector for an external antenna.
Split (indoor/outdoor) hardware architecture Indoor/outdoor architecture splits
the wireless hardware. The microwave part of the equipment is placed outdoors, near
the antenna. The low-frequency part of the equipment is placed indoors. The two
halves of the radio are connected with either coax or fiber. With a split architecture,
coax cable losses between the microwave section and the antenna are almost
eliminated, consequently improving the wireless performance.
Integrated antenna/radio Increasingly, wireless equipment (especially 802.11b
equipment) is becoming available with the radio physically
located inside the antenna. Integrated equipment has the same advantage as split-architecture
equipment: eliminating transmission line losses improves wireless
performance. The connection from the antenna/radio to the end user network is made
with Ethernet cable. Power-over-Ethernet (PoE) to the antenna and radio is provided
using the nondata conductors in the Ethernet cable.
Multifrequency management commonality A few equipment vendors now offer
a wireless equipment family that operates on different frequency bands but can be
managed from a common management platform. This equipment provides management
economies for those wireless ISPs that need to deploy wireless systems on different
bands.
Antenna alignment aids Some equipment, especially split architecture or integrated
antenna and radio equipment, provides visual or aural antenna alignment aids. These
aids, typically a series of LEDs or an audible tone, help the installer align the antenna
for the highest signal level without leaving the antenna location.
Availability of FCC-certified antenna systems Most equipment vendors provide
at least one antenna system that is FCC-certified for use with the equipment. Some
vendors provide a number of certified antenna systems. The more vendor-certified
antenna systems are available, the more flexibility you have to use an antenna system
that provides the service-area coverage that you need.
DATA LINK LAYER FEATURES
The sections that follow describe features that operate at the data link layer.
Bridging Features
Bridging takes place at the data link layer and is based on the MAC addresses of the end
user equipment. The typical wireless bridge contains a table of MAC addresses and bridge
ports. Packets are forwarded to the correct bridge port based on the MAC address table
information. Your data link layer feature evaluation includes the following features.
MAC Address Table Size
The MAC address table of a wireless bridge is finite in size. The table might be large
enough to contain one or two thousand MAC addresses or small enough to contain only
one. In most cases, the MAC address table size is larger than the number of simultaneous
end user connections.
Number of Simultaneous Connections
Each wireless AP or bridge is designed to connect to only a specific number of end users at
the same time. In general, the more simultaneous users it supports, the higher the cost of
the wireless bridge or AP.
TIP: Sometimes, an equipment vendor’s advertising confuses the MAC address table size with
the number of simultaneous end user connections. For example, an advertisement might
state that one AP can support up to 1000 users. The ad might fail to mention that only 128
of the users can be connected at the same time. This type of error can be caused by an error
on the part of the person preparing the advertisement. This person might be unclear about
MAC address table size versus the number of simultaneous connections. If you see claims
like this that appear to be excessive or too good to be true, ask the vendor to confirm that
the advertised information is correct.
A wireless bridge is designed to support many wireless users, typically from 50 to several
hundred. One special type of wireless bridge is called an Ethernet converter. Originally, an
Ethernet converter was designed to bridge between one Ethernet port (on one computer)
and a wireless WAN. Currently, Ethernet converters are available that support bridging
between up to eight computers and the wireless WAN. This expanded Ethernet converter is
called a super Ethernet converter (SEC).
Spanning Tree Protocol
Most wireless point-to-point bridges implement the 802.3 Spanning Tree Protocol. In
bridged networks, it is important to avoid routing loops (more than one simultaneous path).
The 802.3 Spanning Tree Protocol senses the presence of routing loops and disables one
route to avoid looping.
Switching
Wireless APs occasionally contain a built-in switch. The switch allows Ethernet connectivity
from the AP to a number of Ethernet devices without needing to purchase an external
switch.
Support for VLAN Tagging
Virtual LAN (VLAN) tagging allows the definition of a VLAN, as opposed to a geographically
located LAN. Support for VLAN tagging allows the wireless device to support the
operation of a VLAN.
MAC Sublayer Features
The MAC layer is a sublayer of the data link layer (Layer 2) in the OSI reference model.
MAC features can be either standards-based or proprietary. In all cases, the primary
purpose of the MAC sublayer is to provide reliable data delivery over the inherently noisy
and collision-prone wireless medium. The MAC sublayer performs the following general
functions:
Error control The MAC sublayer implements a frame-exchange protocol with an
acknowledgment procedure. This procedure maximizes the chance that every packet
is delivered error free across the wireless link.
Congestion management The MAC sublayer works to minimize congestion on the
wireless medium. The MAC sublayer utilizes several methods to determine which
station is allowed to gain access to the wireless medium. The 802.11b MAC
specifications contain both a CSMA/CA contention-based access scheme and a
polling-based access scheme. Most 802.11b equipment does not implement the
polling feature.
Packet aggregation The MAC sublayer can maximize throughput by aggregating
several small packets together into one larger packet. This reduces the number of
times the wireless equipment must switch back and forth between receive and
transmit (the switching time is also called the turnaround time), thereby making more
time available to pass data traffic.
Data protection Encryption (in general) can take place at several different layers;
however, WEP encryption takes place at the MAC level. 64-bit and 128-bit WEP
encryption schemes are in common use.
Data Link Layer Security Features
The following sections analyze data link layer security features that might be offered by the
equipment that you are evaluating.
MAC Address Access Control Lists
When providing wireless Internet access, it is desirable to deny access to any end user
whose account is not current or who is not authorized to use your network. Most APs allow
you to configure an access control list (ACL). Unless the ACL contains the specific MAC
address of an end user, that end user will not be allowed to connect to the AP.
Protocol Filtering
Protocol filtering permits you to deny bridging based on the Layer 2 packet protocol.
Protocols such as IPX, NetBEUI, DECNet, or AppleTalk can be denied.
MAC Address Pair Filtering
In bridged networks, it is occasionally desirable to provide filtering for specific address
pairs. The filtering can either allow a connection between two specific MAC addresses, or
it can deny a connection between two specific MAC addresses.
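The bridging behavior described under "Bridging Features" (a finite MAC address table that drives forwarding) and the three Layer 2 filters above (MAC ACL, protocol filtering, MAC address pair filtering) can be shown together in one small model. The following is an added example, not code from this chapter or from any vendor's equipment: it parses the Ethernet II header of constructed sample frames, applies the filters in order, and then learns and forwards like a bridge with a deliberately tiny two-entry table so the effect of table size is visible. The EtherType values are the standard ones for IPv4, ARP, IPX, AppleTalk, and DECnet; NetBEUI has no EtherType of its own (it rides on 802.2 LLC frames) and is omitted. Treating the MAC ACL as a per-frame check on the wireless port is a simplification of the association-time check the chapter describes.

```python
import struct
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Standard EtherType values for the Layer 2 protocols named in the chapter.
ETHERTYPE = {"IPv4": 0x0800, "ARP": 0x0806, "IPX": 0x8137, "AppleTalk": 0x809B, "DECnet": 0x6003}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Assemble an Ethernet II header plus payload (used for the constructed sample frames)."""
    to_raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return to_raw(dst) + to_raw(src) + struct.pack("!H", ethertype) + payload

def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype) from the 14-byte Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype

class WirelessBridge:
    """Learning bridge with a bounded MAC table and the three Layer 2 filters."""

    def __init__(self, table_size, acl=None, denied_ethertypes=(), denied_pairs=()):
        self.table_size = table_size
        self.table = OrderedDict()                          # MAC -> port, least recently seen first
        self.acl = set(acl) if acl is not None else None    # None means the ACL is disabled
        self.denied_ethertypes = set(denied_ethertypes)
        self.denied_pairs = {frozenset(p) for p in denied_pairs}

    def _learn(self, mac, port):
        if mac in self.table:
            self.table.move_to_end(mac)
        elif len(self.table) >= self.table_size:
            self.table.popitem(last=False)                  # table full: forget the stalest entry
        self.table[mac] = port

    def handle(self, frame: bytes, in_port: str):
        """Apply filters, learn the source, then forward, flood, or drop."""
        dst, src, ethertype = parse_ethernet(frame)
        # MAC ACL: only listed end users may enter from the wireless side.
        if self.acl is not None and in_port == "wireless" and src not in self.acl:
            return ("drop", "acl")
        # Protocol filter: deny bridging of the listed EtherTypes.
        if ethertype in self.denied_ethertypes:
            return ("drop", "protocol")
        # MAC address pair filter: deny traffic between two specific stations.
        if frozenset((src, dst)) in self.denied_pairs:
            return ("drop", "pair")
        self._learn(src, in_port)
        out_port = self.table.get(dst)
        if dst == BROADCAST or out_port is None:
            return ("flood", None)                          # unknown destination: all other ports
        if out_port == in_port:
            return ("drop", "same-port")
        return ("forward", out_port)

def run_scenario():
    """Constructed traffic against a bridge with a two-entry MAC table."""
    sta1, sta2, sta3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    server = "02:00:00:00:00:aa"
    bridge = WirelessBridge(table_size=2, acl={sta1, sta2},
                            denied_ethertypes={ETHERTYPE["IPX"]},
                            denied_pairs={(sta1, sta2)})
    frames = [
        (build_frame(server, sta1, ETHERTYPE["IPv4"]), "wireless"),  # unknown dst -> flood
        (build_frame(sta1, server, ETHERTYPE["IPv4"]), "wired"),     # sta1 learned -> forward
        (build_frame(server, sta3, ETHERTYPE["IPv4"]), "wireless"),  # sta3 not in the ACL
        (build_frame(server, sta1, ETHERTYPE["IPX"]), "wireless"),   # IPX denied by protocol filter
        (build_frame(sta2, sta1, ETHERTYPE["IPv4"]), "wireless"),    # sta1<->sta2 pair denied
        (build_frame(server, sta2, ETHERTYPE["IPv4"]), "wireless"),  # table full: sta1 evicted
        (build_frame(sta1, server, ETHERTYPE["IPv4"]), "wired"),     # sta1 forgotten -> flood again
    ]
    return [bridge.handle(frame, port) for frame, port in frames]

if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The last two frames are the point of the TIP about table size: once the table is full, a newly seen station evicts an older entry, and traffic to the evicted station is flooded out every port again, so a table smaller than the active user population costs airtime even though the users are still "connected".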
Authentication
Authentication is the process that a network uses to determine if an end user is allowed to
connect to the network. Authentication schemes require an exchange of management
frames between the authenticator (the network) and the end user who is requesting network
access. Simple authentication schemes provide minimal security, whereas more complex
schemes provide higher levels of security.
Several network layers are typically involved in the authentication process; however,
because Layer 2 plays a prominent role, authentication is outlined here.
Open-system authentication is the least secure; it simply requires a station to identify itself
to an AP and request that it be granted authentication.
A more secure authentication system is shared-key authentication using WEP. The shared
key is distributed to all stations that are authorized to use the network. The stations use the
shared key to respond to challenge text sent to them by the AP. If a station responds to the
challenge text correctly, the AP grants network access.
A more secure authentication system is based on one of the 802.1x authentication types
defined in the Extensible Authentication Protocol (EAP). EAP is defined in RFC 2284 and
includes a number of different authentication methods. 802.1x requires using three entities:
A supplicant (the station requesting authentication)
The authenticator (typically the AP)
The authentication server (such as a Remote Authentication Dial-In User Service
[RADIUS] server)
EAP implementations typically allocate a new encryption key each time a wireless user
begins a new session. A number of wireless vendors provide proprietary authentication
features that are based on EAP and 802.1x. In the future, 802.11i wireless standards will
likely evolve out of the current 802.1x standards.
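The three-entity 802.1x exchange above is easier to follow as a message flow in which the authenticator (AP) only relays EAP between the supplicant and the authentication server, keeps its controlled port closed until the server returns an Access-Accept, and installs a fresh per-session key only then. The following is an added example, not code from this chapter or from any vendor's product. Its message names loosely follow EAPOL and RADIUS, but no frame encodings are modeled, and the challenge-response method (HMAC-SHA256 over a random challenge, with the session key derived from the same challenge) is a stand-in of this example's own, not one of the EAP methods defined in RFC 2284. The user names and secrets are constructed.

```python
import hashlib
import hmac
import secrets

def derive_session_key(secret: bytes, challenge: bytes) -> bytes:
    """Per-session key bound to this session's challenge (constructed derivation)."""
    return hmac.new(secret, b"session-key" + challenge, hashlib.sha256).digest()

class AuthenticationServer:
    """RADIUS-style server: the only party that holds the users' secrets."""
    def __init__(self, users):
        self.users = dict(users)                   # identity -> shared secret

    def challenge_for(self, identity: str):
        if identity not in self.users:
            return None                            # unknown user: Access-Reject
        return secrets.token_bytes(16)

    def verify(self, identity: str, challenge: bytes, response: bytes):
        expected = hmac.new(self.users[identity], challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None                            # bad credential: Access-Reject
        return derive_session_key(self.users[identity], challenge)

class Supplicant:
    """The station requesting access; it sends a response, never the secret itself."""
    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret, self.session_key = identity, secret, None

    def respond(self, challenge: bytes) -> bytes:
        self.session_key = derive_session_key(self.secret, challenge)
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

class Authenticator:
    """The AP: relays EAP between supplicant and server, opens the port on Accept."""
    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.port_state = {}                       # identity -> "unauthorized" | "authorized"
        self.session_keys = {}                     # identity -> key installed on Access-Accept

    def authenticate(self, supplicant: Supplicant):
        ident = supplicant.identity
        self.port_state[ident] = "unauthorized"    # controlled port stays closed until success
        self.session_keys.pop(ident, None)         # any earlier session's key is discarded
        log = ["supplicant -> authenticator: EAPOL-Start",
               "authenticator -> supplicant: EAP-Request/Identity",
               f"supplicant -> authenticator: EAP-Response/Identity ({ident})",
               "authenticator -> server: Access-Request (EAP-Response/Identity)"]
        challenge = self.server.challenge_for(ident)
        if challenge is None:
            log += ["server -> authenticator: Access-Reject",
                    "authenticator -> supplicant: EAP-Failure"]
            return log, "unauthorized"
        log += ["server -> authenticator: Access-Challenge (EAP-Request, challenge)",
                "authenticator -> supplicant: EAP-Request (challenge)"]
        response = supplicant.respond(challenge)
        log += ["supplicant -> authenticator: EAP-Response (challenge response)",
                "authenticator -> server: Access-Request (EAP-Response)"]
        key = self.server.verify(ident, challenge, response)
        if key is None:
            log += ["server -> authenticator: Access-Reject",
                    "authenticator -> supplicant: EAP-Failure"]
            return log, "unauthorized"
        self.session_keys[ident] = key             # fresh key for this session only
        self.port_state[ident] = "authorized"
        log += ["server -> authenticator: Access-Accept (session key)",
                "authenticator -> supplicant: EAP-Success"]
        return log, "authorized"

if __name__ == "__main__":
    server = AuthenticationServer({"alice": b"constructed-secret"})    # constructed credential
    ap = Authenticator(server)
    transcript, state = ap.authenticate(Supplicant("alice", b"constructed-secret"))
    print("\n".join(transcript), "\nport:", state)
```

Two properties worth checking in any real deployment are visible in the model: the AP never holds the user's secret (it only relays), and running the exchange twice yields two different session keys, which is the "new encryption key each time a wireless user begins a new session" behavior the chapter describes.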
Encryption
Sending an unencrypted packet over the air increases the chances that an unauthorized
person could intercept and decode the packet. A variety of encryption schemes make it
harder for this to occur. In addition to WEP encryption (already described), other available
encryption schemes include the following:
Data Encryption Standard (DES) A 64-bit encryption standard with a user-selected
encryption key.
Triple DES (3DES) Uses three 64-bit keys. The first key encrypts the data, the
second key decrypts the data, and the third key re-encrypts the data.
Advanced Encryption Standard (AES) The most current U.S. Government-approved
encryption standard. It uses the Rijndael (pronounced "rain-doll") algorithm
with either a 128-bit, 192-bit, or 256-bit encryption key. AES requires a math
coprocessor; therefore, it might not be compatible with existing 802.11b hardware.
The upcoming 802.11i standard includes AES.
Data Link Layer Proprietary Security Features
Some currently available wireless products contain a combination of proprietary Layer 2
security features and industry-standard security. It is beyond the scope of this chapter to list
these product combinations here; however, they include combinations of encryption, per-session
key exchange, and frame authentication to provide high levels of security.
NETWORK LAYER FEATURES
Routing takes place at the network layer. All wireless equipment currently available
performs bridging; however, some models of wireless equipment also perform routing. Just
as there is a wide range of routing features available with conventional (wired) routers,
there is also a wide range of features available with wireless routers.
NOTE: Later in this chapter, there is an additional discussion of the advantages and disadvantages
of selecting wireless equipment that includes routing.
Routing Features
The following sections contain descriptions of some of the routing protocols and features
that are often available in wireless routers.
Static IP Routing
Every wireless router includes static IP routing. Static routing enables you to configure
permanent IP routes.
Dynamic IP Routing
Some wireless routers include dynamic IP routing. These routers support one or more
dynamic routing protocols. The most common of these supported protocols include the
following:
Routing Information Protocol (RIP) v1 and v2 RIP is an interior routing
protocol. It is a distance-vector metric protocol that routes packets based on the
number of routing hops needed to reach the destination. RIP is relatively easy to
implement, but it does not take into account the bandwidth of each hop.
Open Shortest Path First (OSPF) OSPF is also an interior routing protocol. It is a
link-state metric protocol. OSPF routes packets based on the shortest distance, the
least delay, and the most bandwidth available to reach the destination.
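The difference between RIP's hop-count metric and OSPF's link-state computation is clearest on a topology where the two disagree. The following is an added example, not code from this chapter: it runs a distance-vector convergence (hop count only, 16 hops meaning unreachable) and a Dijkstra link-state computation over the same constructed five-router topology. The OSPF cost is taken as reference bandwidth divided by link bandwidth, the common bandwidth-derived cost; the reference bandwidth of 100 Mbps and the link speeds are assumptions of this example.

```python
import heapq
from collections import defaultdict

# Constructed topology: (router, router, link bandwidth in kbps).
# A-B-D is shorter in hops but runs over 10 Mbps links;
# A-C-E-D is one hop longer but every link is 100 Mbps.
LINKS = [
    ("A", "B", 10_000), ("B", "D", 10_000),
    ("A", "C", 100_000), ("C", "E", 100_000), ("E", "D", 100_000),
]
REFERENCE_BW_KBPS = 100_000   # assumed OSPF reference bandwidth: cost = reference / link bandwidth

def rip_tables(links, max_hops=15):
    """Distance-vector convergence: every router repeatedly adopts any neighbor's
    route that is one hop closer, until no table changes. The metric is hop count
    only; link bandwidth is never consulted. max_hops + 1 means unreachable."""
    nodes = sorted({n for a, b, _ in links for n in (a, b)})
    neighbors = defaultdict(list)
    for a, b, _ in links:
        neighbors[a].append(b)
        neighbors[b].append(a)
    unreachable = max_hops + 1
    tables = {r: {d: (0 if d == r else unreachable, None) for d in nodes} for r in nodes}
    changed = True
    while changed:
        changed = False
        for router in nodes:
            for nb in neighbors[router]:              # "receive" this neighbor's vector
                for dest, (hops, _) in tables[nb].items():
                    candidate = hops + 1
                    if candidate <= max_hops and candidate < tables[router][dest][0]:
                        tables[router][dest] = (candidate, nb)
                        changed = True
    return tables

def rip_path(tables, src, dst):
    """Follow next hops from src to dst through the converged RIP tables."""
    path, current = [src], src
    while current != dst:
        hops, next_hop = tables[current][dst]
        if next_hop is None:
            return None
        path.append(next_hop)
        current = next_hop
    return path

def ospf_path(links, src, dst, reference_bw=REFERENCE_BW_KBPS):
    """Link-state: every router knows the whole topology and runs Dijkstra over
    bandwidth-derived link costs, so a longer but faster path can win."""
    adjacency = defaultdict(list)
    for a, b, bw in links:
        cost = max(1, reference_bw // bw)             # integer cost, never below 1
        adjacency[a].append((b, cost))
        adjacency[b].append((a, cost))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in adjacency[u]:
            if d + cost < dist.get(v, float("inf")):
                dist[v], prev[v] = d + cost, u
                heapq.heappush(heap, (d + cost, v))
    if dst not in dist:
        return None, None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]

if __name__ == "__main__":
    print("RIP :", rip_path(rip_tables(LINKS), "A", "D"))
    print("OSPF:", ospf_path(LINKS, "A", "D"))
```

RIP sends A's traffic for D over the two-hop 10 Mbps path; OSPF, weighting each 10 Mbps link at cost 10 and each 100 Mbps link at cost 1, chooses the three-hop path at total cost 3.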
Dynamic Host Configuration Protocol Server
A Dynamic Host Configuration Protocol (DHCP) server allows the allocation and reuse of
IP addresses as end users need them. The DHCP server allocates an address when a DHCP
client logs on. When the client logs off, the IP address is returned to the address pool, ready
to be reused when another client logs on.
Network Address Translation
Like DHCP, Network Address Translation (NAT) expands the pool of usable IP addresses.
NAT allows the use of a pool of private nonroutable IP addresses within a network. When
IP traffic needs to be routed over the Internet, NAT translates the nonroutable addresses to
an Internet-routable address.
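The translation described above is a table lookup in each direction, and the table is also what keeps unsolicited Internet traffic out of the private address space. The following is an added example, not code from this chapter: a port-based NAT that maps many RFC 1918 private addresses onto one public address, rewrites outbound packets, and rewrites inbound packets only when an inside host has already opened the mapping. The public and private addresses are constructed sample values from the documentation ranges, and the starting public port number is an assumption.

```python
import ipaddress

# RFC 1918 private (not Internet-routable) address ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

class Napt:
    """Port-based NAT: many private addresses share one Internet-routable address."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port                 # assumed start of the public port pool
        self.outbound_map = {}   # (private_ip, private_port, proto) -> public_port
        self.inbound_map = {}    # (public_port, proto) -> (private_ip, private_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Rewrite the source of a packet leaving the private network."""
        if not is_private(src_ip):
            return (src_ip, src_port, dst_ip, dst_port)   # already routable: pass through
        key = (src_ip, src_port, proto)
        if key not in self.outbound_map:            # first packet of a flow: allocate a port
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[(public_port, proto)] = (src_ip, src_port)
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Rewrite the destination of a packet arriving from the Internet, or return
        None when no inside host ever opened that mapping (the packet is dropped)."""
        if dst_ip != self.public_ip:
            return None
        inside = self.inbound_map.get((dst_port, proto))
        if inside is None:
            return None                             # unsolicited: no translation exists
        return (src_ip, src_port, inside[0], inside[1])

if __name__ == "__main__":
    nat = Napt("203.0.113.5")                       # constructed public address
    print(nat.translate_outbound("192.168.1.10", 51000, "198.51.100.7", 80))
    print(nat.translate_outbound("192.168.1.11", 51000, "198.51.100.7", 80))
    print(nat.translate_inbound("198.51.100.7", 80, "203.0.113.5", 40000))
    print(nat.translate_inbound("198.51.100.7", 80, "203.0.113.5", 40999))
```

Two inside hosts using the same source port receive distinct public ports, so replies are demultiplexed correctly, and a packet to a public port with no mapping is dropped rather than delivered to any inside host.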
Point-to-Point Protocol over Ethernet
Point-to-Point Protocol over Ethernet (PPPoE) allows an ISP to authenticate end users.
Some wireless routers support PPPoE by passing PPPoE packets to the PPPoE server.
Bandwidth Management
Wireless equipment occasionally includes bandwidth management features. This allows
the bandwidth available to and from each MAC or IP address to be throttled or limited to a
specified level. This feature allows you to manage your total available bandwidth, to offer
different service levels to different groups of end users, and to serve more end users. Some
equipment allows end user bandwidth to be throttled at different speeds in different
(downstream and upstream) directions.
NOTE: Some wireless routers allow you to allocate bandwidth based on either the IP address of the
end user or the MAC address of the end user.
Quality of Service (QoS)
Quality of service functionality is not one, but a set of features that work together to prioritize
different service levels for different users. One use, for example, is to prioritize the
handling and thereby reduce the latency for voice over IP (VoIP) packets.
Roaming
Roaming is the ability of an end user to move from AP to AP within the same subnet while
maintaining a network connection. 802.11b APs usually include roaming capabilities. The
vast majority of wireless WANs provide service to fixed end user locations; therefore,
roaming is not used. If you need to design or deploy a wireless WAN that includes roaming,
you should evaluate the following:
Reassociation speed The length of time it takes for an end user to be switched from
one AP to another.
Tunable parameters Any other AP parameters that are designed specifically to
enable smooth roaming.
Compatibility issues AP-to-AP communication standards are not specified in
802.11b. If you anticipate building a network that supports roaming, you should plan
to buy all of your APs from the same vendor.