BEFORE we get
into this one, it’s worth recapping the sorts of wireless networks integrators
and security managers are going to find themselves involved with. The most
common RF designations include:

* 802.11: Applies
to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band
using either frequency hopping spread spectrum (FHSS) or direct sequence spread
spectrum (DSSS).

* 802.11a: An
extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in
the 5GHz band. 802.11a uses an orthogonal frequency division multiplexing
encoding scheme called COFDM, rather than FHSS or DSSS.

* 802.11b (also referred to as 802.11 High Rate or Wi-Fi): An extension to 802.11 that applies to wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band. 802.11b uses only DSSS. 802.11b was a 1999 ratification to the original 802.11 standard, allowing wireless functionality comparable to Ethernet.

* 802.11g: Applies to wireless LANs and provides 54 Mbps in the 2.4 GHz band.

It’s worth noting that you’ll often read about 802.11b/g in relation to a product. Essentially the two are similar, with b offering 11 Mbps and g giving 54 Mbps while remaining backwards compatible with legacy Wi-Fi installations. Importantly, 802.11g systems also benefit from the COFDM encoding scheme, which makes their resistance to interference significantly better.

Security managers and installers should think about 802.11a LANs when they’re thinking about networking CCTV solutions. Of all the options, 802.11a networks give the best performance and the best resistance to interference. For performance-heavy applications, 802.11b won’t be able to keep up unless you’re only supporting a camera or two, or it’s an access link you’re building.

Very important to
take into account is that in most applications – especially in urban
environments – there’s significant RF interference present in the 2.4 GHz band.
Use of 2.4 GHz wireless phones and Bluetooth devices will fill the radio
spectrum within your building and it can significantly decrease the performance
of 802.11b wireless LANs. The use of 802.11a operating in the 5 GHz band will
avoid this interference.

Along with
802.11a take-up, multi-band solutions that are able to support 802.11a/b/g at
the same time are also something to seriously consider. Multi-band is popular
because its flexibility justifies the added cost of hardware and installation
but this extra cost can be as much as 30 per cent.

Lastly, wireless
LANs are going to depend on encryption for optimizing secure comms. We all know
what encryption does to a signal stream. The need for encryption means that
installers and security managers who think wireless is the way to go need to
think performance, performance, performance.

Security issues

Now we’ve brushed
up on the fundamentals of wireless LANs, security people should have no doubt
that commercial-grade wireless LANs are inherently insecure. This judgement
covers both reliability and the ability to guarantee secure comms in shared air
space. It’s this lack of security that underscores the 802.11a/b/g wireless
LAN’s unsuitability for security communications of any sort.

It would be silly
to suggest that Cat-5 LANs have vastly more security than wireless links but
there’s an important difference with air-based comms – it relates to signal
spill. Indoors, 802.11b is generally a point-to-multipoint set-up with a couple
of omni-directional aerials.

You’d expect about 11 Mbps at 30m and about 1 Mbps at 90m, both in a field of 360 degrees. With the other technologies you get similar range (802.11g) or less range (802.11a), along with 54 Mbps of bandwidth.

If the site is
larger or more challenging in terms of interference, systems people might wick
up performance with high gain antennas. Using high gain gear, point-to-point and
outdoors it’s possible to get 8km out of plain old 802.11b systems. In some
line-of-sight applications 802.11b can support links of 120km.

The point of mentioning
this is that your RF signal does not stop at the dividing walls of your office,
nor at your perimeter fence. Cat-5 cables spill EMI in small amounts locally
but clever software tools can pin down attempts to passively tap copper cable.
With RF LANs, all you need is a wireless NIC and there’s no way to confirm an
unauthorized station is not listening to LAN traffic.

Over the past
couple of years there have been attempts to secure wireless LANs, some more successful
than others. Early on, the Wired Equivalent Privacy standard was developed.
Despite the hopeful title, WEP was always flawed. How? Because the unique
identifiers the wireless LAN stations were exchanging were available for any
station to receive and retransmit.

The idea was that
WEP would authenticate any wireless station (NIC) looking to climb aboard the
LAN using RC4 encryption. Access points on wireless LANs and remote stations –
wireless NICs in workstations, DVRs/video servers, or access control machines –
would exchange a series of management frames that allowed them to identify with
each other.

The way it works is that every so often, access points fire out a beacon frame incorporating a BSS identifier. A NIC will either pick up this beacon frame or send out a probe frame of its own – probes are designed to find access points. When a probe finds an access point it requests a link and suggests a method of authentication.

Making matters tough for WEP is that Open System Authentication can’t really be described as authentication at all, because when a station requests connection to the BSS, it’s always given connection. The shared-key alternative goes like this. A wireless station – a local NIC or a hacker’s NIC in the next building – asks for association with the BSS. The access point comes up with a standard 128-bit challenge and the remote NIC is then required to come back with that challenge encrypted with a shared key that has been programmed into both the NIC and the access point during setup.

Once all this is
done, the access point uses a basic cyclic redundancy check, a hash function
used to produce a checksum in order to verify the integrity of a NIC’s
response. The original challenge and the response are compared and if they
match up then bingo, you’re in. This simple authentication process works both
ways, depending on who is talking to whom.

As clever techs
will have seen, the crushing disadvantage here is that anyone who receives the
signals from this exchange will pick up the plaintext, ciphertext and initialization
vector that will be used to convert the plaintext into ciphertext. Once you
have all this it’s possible to calculate the RC4 keystream and then generate
the necessary ciphertext to trick the access point into giving your NIC access
to the LAN.
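To see why the exchange just described falls over, here is a small Python model of it. This is an added example, not code from the article or from any vendor: it assumes a textbook RC4 implementation, a constructed key and IV, a 128-byte challenge (the size 802.11 actually used; the integrity check value is left out), and for contrast a keyed-hash responder of the kind later handshakes use, which does not hand its keystream to anyone who captures the frames.

```python
# Added example (not from the article): why WEP shared-key authentication leaks its keystream.
# Toy model of the exchange: the access point sends a plaintext challenge and the station
# returns challenge XOR RC4(IV || key). Anyone capturing both frames can XOR them to recover
# the keystream for that IV, and because WEP reuses IVs, that keystream is valid for any other
# 128-byte challenge. The HMAC responder at the end is the contrast: its response is bound to
# the key and the challenge and cannot be re-derived from observed traffic.
import hashlib
import hmac
import os

CHALLENGE_LEN = 128  # 802.11 shared-key authentication used a 128-byte challenge text


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), enough to model WEP's per-frame keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_response(shared_key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """What a legitimate station returns: challenge XOR RC4(IV || key). ICV omitted."""
    return xor(challenge, rc4_keystream(iv + shared_key, len(challenge)))


def ap_accepts(shared_key: bytes, iv: bytes, challenge: bytes, response: bytes) -> bool:
    """Access point side: decrypt the response and compare with the challenge it sent."""
    return xor(response, rc4_keystream(iv + shared_key, len(response))) == challenge


def keystream_from_capture(challenge: bytes, response: bytes) -> bytes:
    """The flaw: plaintext XOR ciphertext is the keystream for that IV, no key required."""
    return xor(challenge, response)


def hmac_response(shared_key: bytes, challenge: bytes) -> bytes:
    """Contrast: a keyed-hash responder (the shape WPA/WPA2 handshakes use) leaks no keystream."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()


def demo() -> dict:
    shared_key = b"\x13" * 13               # constructed 104-bit WEP key, never sent on air
    iv = b"\x01\x02\x03"                    # 24-bit IV, sent in the clear and reused often
    challenge1 = os.urandom(CHALLENGE_LEN)  # first challenge, observed in the clear
    response1 = wep_response(shared_key, iv, challenge1)

    # An observer without the key recovers the keystream from the two frames it saw...
    ks = keystream_from_capture(challenge1, response1)
    # ...and that keystream produces a valid answer to a fresh challenge under the same IV.
    challenge2 = os.urandom(CHALLENGE_LEN)
    forged = xor(challenge2, ks)

    # With an HMAC responder, each answer depends on the key; nothing reusable is exposed.
    h1 = hmac_response(shared_key, challenge1)
    h2 = hmac_response(shared_key, challenge2)
    return {
        "keystream_recovered": ks == rc4_keystream(iv + shared_key, CHALLENGE_LEN),
        "wep_forgery_accepted": ap_accepts(shared_key, iv, challenge2, forged),
        "hmac_unrelated": h1 != h2 and len(h1) == 32,
    }


if __name__ == "__main__":
    print(demo())
```

The lesson for anyone specifying equipment is in the last two dictionary entries: the WEP check accepts a response built purely from captured traffic, while the keyed-hash check cannot be answered without the key. The same weakness is why the article's later advice is WPA2 rather than a better WEP.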

802.11 wireless
LANs can use the MAC standards to increase security levels. MAC, which stands
for Media Access Control, relates to a sublayer of the OSI data link layer.
Don’t be scared off by the jargon – this is simply the interface between a
node’s logical link control and the physical layer of a network – copper or
wireless.

Among other things, the MAC detects transmission errors and controls access to physical transmission media. MAC addresses can also be used to control which remote NICs are able to use the LAN and which are unauthorized and must be denied. This sounds great but it doesn’t really work, because MAC addresses are sent in plaintext and a half-competent hacker can trick an access point into providing enough info to break them.

Another attempt
to secure WLANs was implementation of SSIDs. Essentially, SSIDs are simply case
sensitive text strings – alphanumeric characters (letters or numbers) with a
maximum length of 32 characters. The idea with these is that a particular SSID
is associated with a LAN and all stations on the LAN must use this SSID to
communicate.

Network
administrators can set SSIDs manually or automatically – to do this the SSID is
just left blank. The latter is not a great idea and newer WLANs disable the
auto SSID feature to improve security levels. Why? You guessed it. SSIDs are
sent in plaintext on 802.11b and we all now know how easy it is for a slightly
skilled hacker to exploit plaintext.
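The point about MAC addresses and SSIDs travelling in plaintext can be turned to a defender's advantage, because whatever a hacker's NIC can see, a monitoring station can see too. The following Python is an added example, not code from the article: it assembles a few beacon frames by hand from the 802.11 management-frame layout (the frames, the constructed BSSIDs and the authorized-AP table are all assumptions), parses them back the way any receiver would, and flags an access point advertising our SSID from a BSSID we do not own. It also shows that switching off SSID broadcast only empties the SSID field; the BSSID still goes out in every beacon.

```python
# Added example (not from the article): what a passive receiver sees in an 802.11 beacon,
# and how a defender can use that same visibility to spot rogue or spoofed access points.
# Frame layout follows the 802.11 management frame format; sample frames and the
# authorized-AP inventory are constructed placeholders.

BEACON_SUBTYPE = 8
TAG_SSID = 0
TAG_RSN = 48          # RSN (WPA2) information element
CAP_PRIVACY = 0x0010  # capability bit: encryption required to associate


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool, rsn: bool) -> bytes:
    """Assemble a minimal beacon: 24-byte MAC header, 12 bytes of fixed fields, then tagged IEs."""
    header = (
        bytes([BEACON_SUBTYPE << 4, 0x00])  # frame control: type 0 (management), subtype 8
        + b"\x00\x00"                       # duration
        + b"\xff" * 6                       # addr1: broadcast
        + bssid                             # addr2: transmitter address
        + bssid                             # addr3: BSSID
        + b"\x00\x00"                       # sequence control
    )
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)  # ESS bit, plus privacy bit when encrypted
    fixed = (0).to_bytes(8, "little") + (100).to_bytes(2, "little") + cap.to_bytes(2, "little")
    ies = bytes([TAG_SSID, len(ssid)]) + ssid
    if rsn:
        ies += bytes([TAG_RSN, 2]) + b"\x01\x00"  # RSN IE truncated to its version field
    return header + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Pull BSSID, SSID and security hints out of a beacon; all of it is sent in the clear."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or (fc0 >> 4) & 0xF != BEACON_SUBTYPE:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]
    capability = int.from_bytes(frame[34:36], "little")
    ies = {}
    pos = 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        ies[tag] = frame[pos + 2 : pos + 2 + length]
        pos += 2 + length
    return {
        "bssid": mac_str(bssid),
        "ssid": ies.get(TAG_SSID, b"").decode("utf-8", "replace"),  # empty when broadcast is off
        "privacy": bool(capability & CAP_PRIVACY),
        "rsn": TAG_RSN in ies,
    }


# Constructed inventory of the access points that are supposed to exist on site.
AUTHORIZED_APS = {"00:11:22:33:44:55": "SITE-CCTV"}


def classify(beacon: dict) -> str:
    """Rogue-AP triage from the two identifiers the article says are always visible."""
    expected = AUTHORIZED_APS.get(beacon["bssid"])
    if expected is not None and beacon["ssid"] in (expected, ""):
        return "authorized"
    if beacon["ssid"] in AUTHORIZED_APS.values():
        return "evil-twin"  # our SSID advertised from a BSSID we do not own
    return "unknown"


def sample_frames() -> list:
    """Constructed captures: the real AP, an impostor using our SSID, and a hidden-SSID AP."""
    return [
        build_beacon(bytes.fromhex("001122334455"), b"SITE-CCTV", privacy=True, rsn=True),
        build_beacon(bytes.fromhex("66778899aabb"), b"SITE-CCTV", privacy=False, rsn=False),
        build_beacon(bytes.fromhex("ccddeeff0011"), b"", privacy=True, rsn=True),
    ]


def audit(frames: list) -> list:
    """One row per beacon: (bssid, ssid, has RSN/WPA2 element, verdict)."""
    return [(b["bssid"], b["ssid"], b["rsn"], classify(b)) for b in map(parse_beacon, frames)]


if __name__ == "__main__":
    for row in audit(sample_frames()):
        print(row)
```

In a real deployment the frames would come from a wireless NIC in monitor mode rather than from `sample_frames()`, but the parsing and the triage are the same; the second row is the case a security manager cares about, an unencrypted access point using the site's SSID.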

A better idea all
round is a combination of local station authentication and user level authentication.
What this means is that the user is logging into the wireless network using a
password or a biometric that an access point can check against a RADIUS server.
Hitching station network access to a biometric is a nice idea, especially if
you’re lucky enough to have a strong network access authentication technology
in place.

Is secure RF possible?

IF you’re
thinking there’s no reason to ever use basic wireless networking technology to
support physical security transmissions, you’re mostly right. But if you need
to use a wireless link and you have no choice but to go with an 802.11
technology then there are a number of things you can do to ensure maximum
possible network security.

First up you need
to change the access point’s default administrator password and secondly,
switch off SSID broadcasting. The system will also benefit from MAC filtering
and employ some form of wireless encryption. Yes, it will fatten up your signal
stream and reduce performance but it will be worth it. Don’t go for WEP – think
WPA.
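The checklist above can be turned into something an installer can run against an access point's configuration before it goes live. The Python below is an added example, not code from the article or from any vendor: it assumes the access point is driven by hostapd and uses hostapd's configuration keys (the article names no particular product), and both configurations are constructed. The default administrator password has no hostapd setting and still has to be checked on the device itself. The checker also picks up the article's later recommendations: user-level authentication against a RADIUS server, and 5 GHz (802.11a) operation.

```python
# Added example (not from the article): grade a hostapd configuration against the article's
# checklist (no WEP, WPA2 rather than WPA version 1, SSID broadcast off, MAC filtering on,
# user-level authentication via RADIUS, 5 GHz operation). hostapd and its keys are an
# assumption of this example. WEAK_CONF and HARDENED_CONF are constructed.

WEAK_CONF = """
interface=wlan0
ssid=SITE-CCTV
hw_mode=g
channel=6
ignore_broadcast_ssid=0
wep_default_key=0
wep_key0=1234567890
"""

HARDENED_CONF = """
interface=wlan0
ssid=SITE-CCTV
hw_mode=a
channel=36
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_STRONG_SECRET
"""


def parse_conf(text: str) -> dict:
    """hostapd.conf is one key=value per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text: str) -> list:
    """Return a list of findings; an empty list means every checklist item is satisfied."""
    conf = parse_conf(text)
    findings = []
    uses_wep = any(k.startswith("wep_") for k in conf)
    if uses_wep:
        findings.append("WEP keys configured: remove them and move to WPA2")
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0 and not uses_wep:
        findings.append("no encryption configured (wpa=0)")
    elif wpa == 1:
        findings.append("WPA version 1 only (wpa=1): use wpa=2")
    elif wpa == 3:
        findings.append("mixed WPA/WPA2 mode (wpa=3): clients can fall back to WPA version 1")
    ciphers = conf.get("rsn_pairwise", conf.get("wpa_pairwise", ""))
    if wpa and "TKIP" in ciphers:
        findings.append("TKIP allowed: restrict rsn_pairwise to CCMP (AES)")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast enabled: set ignore_broadcast_ssid=1")
    if conf.get("macaddr_acl", "0") != "1":
        findings.append("MAC filtering off: set macaddr_acl=1 with an accept_mac_file")
    if not (conf.get("ieee8021x") == "1"
            and "WPA-EAP" in conf.get("wpa_key_mgmt", "")
            and conf.get("auth_server_addr")):
        findings.append("no user-level authentication: enable 802.1X with a RADIUS auth_server_addr")
    if conf.get("hw_mode") != "a":
        findings.append("2.4 GHz mode: consider hw_mode=a (5 GHz) for interference and spill")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd(text) or ["no findings"])
```

The weak configuration trips five findings, the hardened one none. Switching `wpa=2` to `wpa=3` in the hardened file shows the mixed-mode trap: the access point still advertises WPA2, but a client can negotiate the version 1 handshake the article warns against.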

Unveiled a few years ago, WPA is a security standard developed by the Institute of Electrical and Electronics Engineers (IEEE) based on the 802.11i wireless security standard. WPA was intended to replace Wired Equivalent Privacy (WEP).

However, we wouldn’t recommend version 1 of the WPA wireless encryption standard, either. When it was released, papers written by security experts condemned the then-new WPA security standard as a worse security option than WEP – which is no compliment.

In his paper
“Weakness in Passphrase Choice in WPA Interface,” Robert Moskowitz,
who was a senior technical director at ICSA Labs, described problems with the
WPA standard that included the fact it allowed attackers to “sniff”
critical information from wireless traffic and to discover the value of a
wireless network’s security key.

Instead you
should look at WPA2 (Wi-Fi Protected Access 2), which was released mid-2004 and
is reputed to be a major improvement on all that came before. WPA2 incorporates
Advanced Encryption Standard, which supports 128-bit, 192-bit and 256-bit keys.
AES cryptography is based on the Rijndael (pronounced rain-dahl) algorithm,
created by Belgian cryptographers, Joan Daemen and Vincent Rijmen. It’s solid
stuff.

“WPA2 is
ideally suited for enterprises in both the public and private sectors,”
says Frank Hanzlik, Wi-Fi Alliance managing director. “Products that are
certified for WPA2 give IT managers the assurance that the technology meets
interoperability standards and in turn helps them manage support and deployment
costs.”

All components of WPA2 are included in the 802.11i standard, which was developed by the Institute of Electrical and Electronics Engineers (IEEE). Importantly, a Wi-Fi Alliance spokesperson recently said WPA2 would be “the core from which other security measures emanate” in the future. That’s nice confidence for integrators and security managers looking to future-proof their wireless security networks.

Along with
encryption, make sure any wireless network carrying security traffic is
supported by a user access control policy. Probably the best way to do this is
to build a wireless DMZ and keep it isolated from the copper LAN using a
firewall. The system is configured so that only traffic that passes through the
firewall is allowed access to the system.

Traversing the
firewall requires that users are authenticated by a remote access server and/or
a VPN. Going for a simpler option, you can just set the system up so the
wireless access point is disconnected when the system is not being used. Sounds
basic but it’s a very nice and low cost idea. This solution means that if a
remote manager or gatehouse only wants occasional access to a wireless
connected location, the attacker has to guess when that location might be
accessed in order to undertake a sniffing operation.

Another good option is the use of highly directional antennas. They might be more expensive but they’ll ensure your signals do not spill into areas you don’t want them to go. You can also use an 802.11a LAN and devices instead of b/g. You’ll get shorter range, but because the majority of systems are longer-range b/g, most attacks are perpetrated on that frequency, not on 5 GHz. Another strong security feature of 5 GHz signals is that they’re highly attenuated by walls and buildings. Where security is concerned, this is a very nice quality indeed, even if the short range drives installation teams nuts.