Empire of the Air

Imagine a datacenter without wires. The first of this three-part series lays the groundwork toward a wireless infrastructure.

Some technologies get deployed only after a lot of design debates, roundtable meetings, signature cycles and budget discussions—Active Directory and Exchange are examples. But some technologies sneak in, get established, then grow and grow until you can’t possibly ignore them. That’s the way wireless networks get introduced into many organizations. After all, the benefits of a wireless infrastructure are inviting in a world of highly mobile workers. With wireless networking, roaming users with a wide variety of hardware can access the corporate network no matter where they go.

This benefit statement is also the major problem for wireless networks. Giving highly flexible mobile access to your data raises significant concerns about data integrity and perimeter security. Imagine your CEO at a wireless laptop e-mailing next quarter’s financials to the board chairman while a 16-year-old kid named “Bomberz” sits in the company parking lot with a wireless handheld that records every frame.

Designing a secure wireless infrastructure can become complex fairly quickly. After all, you’re sending Ethernet transmissions over what amounts to miniature walkie-talkies. You can only protect the transmission by using the latest in certificate-based authentication and streaming encryption. Not exactly a recipe for simplicity.

In a three-part series, I’ll discuss how to deploy and secure a wireless infrastructure using Windows servers and desktops. The first installment takes a look at the underlying wireless standards and their operation. Next month’s column covers Wired Equivalent Privacy (WEP) and takes a detailed look at how Transport Layer Security (TLS) is used to protect wireless authentication and key transfers. The final installment examines how to use Windows servers to support the advanced wireless protection schemes currently emerging as standards.

Ethernet and Radios
A computer equipped with a wireless network card is called a station. Stations can transmit to each other (ad hoc mode) or can transmit to one or more access points (infrastructure mode).

Standard Ethernet uses Carrier Sense-Multiple Access/Collision Detect (CSMA/CD) to manage traffic. CSMA/CD works like a blind cat crossing a busy street: A network adapter listens for traffic, quickly streaks out a message when it gets the opportunity, then checks itself at the curb afterward to make sure nothing got run over.

Collision Detection is unsuitable for wireless communication because two wireless stations may not be able to hear each other’s transmissions and could therefore transmit to the same access point at the same time, seriously degrading performance. 802.11 solves this hidden node problem using a mechanism called Collision Avoidance (yielding a full acronym of CSMA/CA).

In CSMA/CA, a wireless station first transmits a Ready To Send (RTS) message that contains the amount of data in the frame and the transmission speed. The access point replies with a Clear To Send (CTS), and the station sends an ACK and begins transmitting. All other stations in the broadcast range of the access point refrain from transmitting long enough for the station to send the specified frame at the specified speed.
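The reservation described above, as an added toy model that is not part of the column: two stations that both reach the access point but cannot hear each other (the hidden-node case), and the effect of the RTS/CTS reservation on them. Station names, the "hears" relation and the frame size and rate are constructed for the illustration.

```python
# Added example (not from the column): a toy model of the RTS/CTS reservation
# on a hidden-node layout. Station names, the "hears" relation and the frame
# sizes are constructed for the illustration.
class Station:
    def __init__(self, name, hears):
        self.name = name
        self.hears = set(hears)   # transmitters whose signal reaches this station
        self.quiet_until = 0.0    # microseconds; the station defers until then


def airtime_us(frame_bytes, rate_mbps):
    """Time the announced frame will occupy the air: bits / (bits per microsecond)."""
    return frame_bytes * 8 / rate_mbps


def hidden_from(sender, others):
    """Stations that cannot hear the sender and so, with carrier sense alone,
    would not know the medium is busy."""
    return sorted(st.name for st in others if sender.name not in st.hears)


def rts_cts(sender, ap_name, others, frame_bytes, rate_mbps, now=0.0):
    """RTS from the sender carries the frame size and rate; the AP's CTS repeats
    the reservation. Every station that hears either message stays quiet for
    the announced airtime. Returns the names of the deferring stations."""
    reservation = now + airtime_us(frame_bytes, rate_mbps)
    deferring = []
    for st in others:
        heard_rts = sender.name in st.hears
        heard_cts = ap_name in st.hears
        if heard_rts or heard_cts:
            st.quiet_until = max(st.quiet_until, reservation)
            deferring.append(st.name)
    return sorted(deferring)


if __name__ == "__main__":
    # Constructed layout: A and C both reach the AP but are out of each other's range.
    a = Station("A", hears={"AP"})
    b = Station("B", hears={"AP", "A"})
    c = Station("C", hears={"AP"})
    print("hidden from A:", hidden_from(a, [b, c]))                    # ['C']
    print("defer after RTS/CTS:", rts_cts(a, "AP", [b, c], 1500, 11))  # ['B', 'C']
    print("C quiet until (us):", c.quiet_until)                        # about 1090.9
```

Station C never hears A's RTS, but it does hear the access point's CTS, which is what carries the reservation to the hidden node; without that second message C would have no reason to defer.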

Spectrum Utilization
The special physical and media access requirements of wireless networking equipment are addressed in IEEE 802.11. Several daughter standards expand the base standard, the most common of which is 802.11b, which defines spread-spectrum radio operation in the 2.4GHz band between 2.400GHz and 2.483GHz, the so-called Industrial, Scientific and Medical (ISM) band. The 802.11g extension to the 802.11 standard also uses the ISM band.

In the U.S., the ISM band is divided into 11 channels of 5MHz apiece. An 802.11 wireless network adapter utilizes 22MHz of bandwidth due to signal spreading, so a station operating at one channel will overlap onto adjacent channels. If you’ve ever tried listening to a small alternative radio station that sits on the dial close to a huge adult contemporary advertising machine, you’ll appreciate how channel overlap can cause unacceptable signal distortion. To avoid overlap, use only channels 1, 6 and 11.

The new 802.11a standard defines operation at two ranges in the 5GHz band: 5.15GHz to 5.35GHz and 5.725GHz to 5.825GHz. These ranges contain a total of eight channels of 20MHz apiece, wide enough so they don’t overlap. Also, there isn’t as much competition from other devices in the 5GHz range. The bad news is that 5GHz signals don’t have the penetration power of 2.4GHz, especially at higher data transmission rates, so you’ll need more access points to cover the same area.

When you lay out your access points, you can encounter another form of distortion if two transmitters on the same channel get too close to each other. It’s something like tuning in a station at night and getting crop reports from Ohio, country music from Texas and a sermon from Alabama. You can avoid this Co-Channel Interference (CCI) by laying out your access points so that adjacent access points use different channels. Use distance and antenna shaping to keep access points on the same channel away from each other’s signals. A single access point can transmit as far as 1,000 feet, but anything containing water (including trees), sources of electrical noise such as microwave ovens, and architectural features such as ductwork can disrupt or modify the antenna pattern.
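The channel-overlap rule and the co-channel layout advice from the two paragraphs above, as an added example that is not part of the column. The 22MHz signal width and the 11 U.S. channels at 5MHz spacing come from the column; the centre frequency of channel 1 (2412MHz) is a standard value assumed here, and the floor plan and access point names are constructed.

```python
# Added example (not from the column): 2.4GHz channel overlap and a layout
# check for neighbouring access points. Channel 1 centred at 2412MHz with
# 5MHz spacing is a standard value assumed here; the 22MHz signal width and
# the 11 U.S. channels come from the column.
FIRST_CENTER_MHZ = 2412
CHANNEL_SPACING_MHZ = 5
SIGNAL_WIDTH_MHZ = 22
US_CHANNELS = range(1, 12)


def center_mhz(channel):
    return FIRST_CENTER_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def band(channel):
    """Lower and upper edge of the spread signal on this channel."""
    c = center_mhz(channel)
    return c - SIGNAL_WIDTH_MHZ / 2, c + SIGNAL_WIDTH_MHZ / 2


def overlaps(ch_a, ch_b):
    lo_a, hi_a = band(ch_a)
    lo_b, hi_b = band(ch_b)
    return lo_a < hi_b and lo_b < hi_a


def non_overlapping_channels(channels=US_CHANNELS):
    """Greedy walk: keep a channel only if it clears every channel kept so far."""
    kept = []
    for ch in channels:
        if not any(overlaps(ch, k) for k in kept):
            kept.append(ch)
    return kept


def layout_problems(layout, neighbours):
    """layout: {ap_name: channel}; neighbours: set of (ap, ap) pairs whose
    coverage areas touch. Returns neighbouring pairs whose signals overlap,
    i.e. adjacent-channel overlap or co-channel interference."""
    problems = []
    for a, b in sorted(neighbours):
        if overlaps(layout[a], layout[b]):
            problems.append((a, b, layout[a], layout[b]))
    return problems


if __name__ == "__main__":
    print("non-overlapping:", non_overlapping_channels())   # [1, 6, 11]
    # Constructed floor plan: four APs in a row, each touching only its neighbour.
    neighbours = {("AP1", "AP2"), ("AP2", "AP3"), ("AP3", "AP4")}
    bad = {"AP1": 1, "AP2": 3, "AP3": 6, "AP4": 6}
    good = {"AP1": 1, "AP2": 6, "AP3": 11, "AP4": 1}
    print("bad layout:", layout_problems(bad, neighbours))
    print("good layout:", layout_problems(good, neighbours))  # []
```

In the "good" layout AP4 reuses channel 1, which is acceptable only because it does not neighbour AP1; that is the distance rule from the paragraph above expressed as a check.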

Data Encoding
In a standard radio broadcast, the relatively low-frequency tones of an Eminem ditty are used to modulate a much higher frequency carrier signal. The modulated carrier is then transmitted to a receiver where the carrier is removed, leaving the original sounds. The commercial audio region of the radio spectrum uses two modulation techniques: Amplitude Modulation (AM) and Frequency Modulation (FM). Digital transmissions from 802.11b devices use a technique called Phase Shift Keying (PSK). In PSK, each bit in the digital signal produces a phase shift in the carrier. The original 802.11 standard used a 180-degree shift to represent a bit for low-speed (1Mbps) operation and four rotational phase shifts for high-speed (2 Mbps) operation. 802.11a and 802.11g devices use PSK for bit rates of 18Mbps and below and Quadrature Amplitude Modulation (QAM) for higher bit rates.

If a modulated carrier signal gets distorted, the original frequencies may be lost or damaged. In analog radio, this could make Eminem sound like Madonna. In digital transmissions, even slight distortion can turn a file into a mangled, useless mess. For this reason, data bits are encoded prior to using them to modulate a carrier so that distortion can be identified and corrected, if possible.

A binary data stream consists of uneven sequences of high and low voltages. The 802.11b standard uses Direct Sequence Spread Spectrum (DSSS) as the encoding technique. Spread Spectrum is a way of dividing a digital signal across little slices of the available carrier channel to decrease the statistical likelihood that two signals of the same frequency would occupy the same broadcast airspace at the same instant. Signal spreading is why 802.11b signals require 22MHz even though the bit rate is much lower.

DSSS converts each bit in the digital stream into a sequence of bits more suitable for error detection. The original 802.11 standard (1Mbps and 2Mbps) uses a Barker sequence of 11 bits (10110111000) to represent a digital 1 and its inverse (01001000111) to represent a digital 0. Each encoded bit is called a chip. The chips are applied to the carrier using PSK.
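The Barker spreading described above, as an added example that is not part of the column: data bits are turned into 11-chip sequences, some chips are deliberately inverted to stand in for distortion, and the receiver recovers the bits by correlating each block against the code. Real receivers correlate analog samples; this hard-decision model is a simplification, and the sample data and flip positions are constructed.

```python
# Added example (not from the column): Barker-code spreading and despreading
# as a hard-decision model. Real receivers correlate analog samples; this is
# a simplified illustration of why the 11-chip code tolerates chip errors.
BARKER_11 = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0]      # the sequence given in the column
CHIPS_PER_BIT = len(BARKER_11)


def spread(bits):
    """Each data bit becomes 11 chips: the Barker code for 1, its inverse for 0."""
    chips = []
    for bit in bits:
        chips.extend(BARKER_11 if bit == 1 else [1 - c for c in BARKER_11])
    return chips


def correlate(block):
    """Chips agreeing with the Barker code minus chips disagreeing:
    +11 for a clean 1, -11 for a clean 0, in between when chips were damaged."""
    return sum(1 if c == b else -1 for c, b in zip(block, BARKER_11))


def despread(chips):
    bits = []
    for i in range(0, len(chips), CHIPS_PER_BIT):
        bits.append(1 if correlate(chips[i:i + CHIPS_PER_BIT]) > 0 else 0)
    return bits


def flip_chips(chips, positions):
    """Constructed channel distortion: invert the chips at the given indexes."""
    damaged = list(chips)
    for p in positions:
        damaged[p] ^= 1
    return damaged


def chip_rate_mchips(bit_rate_mbps):
    """1Mbps of data becomes 11Mchips/s on the air, which is why the signal is
    far wider than the bit rate alone would suggest."""
    return bit_rate_mbps * CHIPS_PER_BIT


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    tx = spread(data)
    # Five of the eleven chips of the first bit inverted: still decodes.
    print(despread(flip_chips(tx, [0, 1, 2, 3, 4])) == data)      # True
    # Six inverted chips in one bit outvote the code and the bit is lost.
    print(despread(flip_chips(tx, [0, 1, 2, 3, 4, 5])) == data)   # False
    print(chip_rate_mchips(1))                                     # 11
```

Because the code is 11 chips long, any bit survives up to five damaged chips; the sixth flip is where the majority turns and the bit is misread.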

To increase the bit rate even further, 802.11b uses a second type of encoding mechanism called Complementary Code Keying (CCK), consisting of a series of 64-bit sequences that can encode multiple bits from the original data stream into a single chip, thus increasing the overall throughput.

802.11b also defines a second encoding method called Packet Binary Convolutional Code (PBCC) that significantly improves a signal’s resistance to multipath distortion, an effect that occurs when echoes of the same transmission arrive at slightly different times. (This is what causes ghost images in a broadcast television signal.) Last year, Texas Instruments introduced a PBCC-based chip and took advantage of the superior resistance to multipath distortion by doubling the standard bit rate, up to 22Mbps. The faster bit rates are not part of 802.11b, but this hasn’t deterred vendors from offering access points and NICs based on the new chip. These devices often carry the moniker 802.11b+ or 802.11b(PBCC).

802.11a devices achieve higher speeds by using Orthogonal Frequency Division Multiplexing (OFDM), a technique that supports bit rates up to 54Mbps. In addition to its higher bit rates, 802.11a is also attractive because of the eight non-overlapping channels available in the 5GHz band. You can deploy 802.11a in parallel with 802.11b by purchasing dual-head access points.

802.11g devices (the specification is currently near final approval) use the same 2.4GHz band as 802.11b while incorporating OFDM for fast bit rates. An 802.11g device will fall back to 802.11b modulation for backward compatibility. (802.11g includes 22Mbps PBCC in a nod to Texas Instruments.) Because 802.11g uses the same transmitters as 802.11b, some vendors may provide simple firmware upgrades. The disadvantages of 802.11g include limited effective high-speed range and contention with Bluetooth and 2.4GHz phones. Also, because 802.11g uses the ISM band, it has only three available channels, making deployment much more difficult, especially considering that high-speed operation is only available with clear, strong signals.

802.11 Architecture
A group of wireless devices that communicate with each other is called a Service Set. There are three types of service sets: Independent Basic, Basic and Extended.

Wireless stations communicating directly with each other using ad hoc networking form an Independent Basic Service Set (IBSS). An IBSS is suitable only for very small offices due to congestion and the low power of the adapters. It also represents a security vulnerability because each station becomes a potential path onto the network.

Wireless configurations that use an access point to aggregate transmissions from stations come in two flavors:

• A single WAP and a group of stations is called a Basic Service Set (BSS).

• A combination of more than one BSS is called an Extended Service Set (ESS).

Figure 1 shows examples.

Basic Service Set and Extended Service Set
Figure 1. A Basic Service Set includes a single access point and its wireless stations. An Extended Service Set connects multiple Basic Service Sets that share a common Extended Service Set ID (ESSID).

Service sets act as management and data transmission boundaries. A Basic Service Set is defined by the presence of a single access point, so the MAC address of the access point is used as a Basic Service Set Identifier (BSSID). The header of each transmission to and from an access point includes its BSSID.

Members of an extended service set identify themselves with an Extended Service Set Identifier (ESSID). The ESSID is often simply called the SSID or, sometimes, the Preferred Network. The ESSID is case sensitive and can be no longer than 32 characters. It isn’t encrypted or otherwise obscured and isn’t intended for use as a security mechanism.

Always change the default ESSID on any access point. These ESSIDs are well known, as are the default access point admin credentials. Change them as well. By default, an access point broadcasts its ESSID to aid clients in finding the service set. You can turn off ESSID broadcasts, but this can sometimes interfere with client operation. Be sure you have station adapters that support it.

Access Point Operation
An access point periodically transmits a management frame called a beacon, which announces its BSSID, its ESSID and its capabilities, including whether the access point is pollable, WEP-enabled, uses a short transmission preamble, supports PBCC, or supports Channel Agility (frequency hop scheduling to avoid congested side channels). The beacon interval is controlled by the access point configuration and is generally sent every 0.1 second.

When a wireless station first comes up, it transmits a probe request on each channel unless it’s been configured to use a specific channel. The probe request includes the station’s ESSID and the supported data rates. If the station hasn’t been configured with a specific ESSID, it looks for beacons and displays any ESSIDs it finds.

When an access point receives a probe request that matches its ESSID, it replies with a probe response that contains synchronization information and access point loading. As seen in Figure 2, if a station receives multiple probe responses, it selects the access point with the strongest signal strength and lowest loading.

A newly started wireless station
Figure 2. A newly started wireless station broadcasts a probe request and listens for responses from access points that share its ESSID. It selects a probe response from the closest AP (based on signal strength) that isn't heavily loaded (based on information included in the probe response).

The station then transmits an Authentication Request. The default configuration of most access points is open authentication, meaning that there’s no restriction on which stations can connect. This is obviously a poor security selection. The 802.11 standard includes a second authentication mechanism that uses a shared key and a challenge-response transaction as follows:

1. The station sends an authentication request.

2. The access point returns a random number (challenge).

3. The station encrypts the challenge using the shared key and returns the result to the access point.

4. The access point encrypts the challenge using the same shared key and compares the result to the challenge response. If they match, the access point permits the station to associate.
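The four-step shared-key exchange above, as an added example that is not part of the column: the access point and the station are written as two small state machines, and a wrong key or a replayed answer is refused. The cipher is a placeholder keystream built from HMAC-SHA256, an assumption made for this illustration and not the WEP cipher the series covers next month; the MAC addresses and keys are constructed.

```python
# Added example (not from the column): the four-step shared-key exchange as a
# pair of state machines. The cipher is a placeholder keystream built from
# HMAC-SHA256 (an assumption for this illustration, not the WEP cipher the
# series covers next month); MAC addresses and keys are constructed.
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 128   # 802.11 shared-key challenge text is 128 octets


def keystream(shared_key, nonce, length):
    """Placeholder keystream: HMAC-SHA256 over nonce || counter, concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(shared_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(shared_key, nonce, data):
    """Stream-cipher style: XOR the data with a key- and nonce-derived keystream."""
    return bytes(x ^ k for x, k in zip(data, keystream(shared_key, nonce, len(data))))


class AccessPoint:
    def __init__(self, shared_key):
        self.shared_key = shared_key
        self.pending = {}         # station MAC -> outstanding challenge

    def auth_request(self, station_mac):
        """Steps 1 and 2: on a request, hand out a fresh random challenge."""
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        self.pending[station_mac] = challenge
        return challenge

    def auth_response(self, station_mac, nonce, response):
        """Step 4: encrypt the same challenge with the same key and compare.
        A challenge is good for exactly one answer, so a replay is refused."""
        challenge = self.pending.pop(station_mac, None)
        if challenge is None:
            return False
        expected = encrypt(self.shared_key, nonce, challenge)
        return hmac.compare_digest(expected, response)


class Station:
    def __init__(self, mac, shared_key):
        self.mac = mac
        self.shared_key = shared_key

    def answer(self, challenge):
        """Step 3: encrypt the challenge under the shared key."""
        nonce = secrets.token_bytes(3)   # stands in for a per-frame IV
        return nonce, encrypt(self.shared_key, nonce, challenge)


def authenticate(ap, station):
    challenge = ap.auth_request(station.mac)
    nonce, response = station.answer(challenge)
    return ap.auth_response(station.mac, nonce, response)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    ap = AccessPoint(key)
    print(authenticate(ap, Station("00:11:22:33:44:55", key)))          # True
    print(authenticate(ap, Station("00:11:22:33:44:66", b"wrong-key")))  # False
```

Note what the model makes visible: the access point holds no per-station secret, only the one key every station carries, which is exactly why the loss of a single laptop exposes every access point configured with that key.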

The shared key used in this transaction is the same as that used for WEP, covered in next month’s installment of this series.

Using a shared key for authentication has several serious deficiencies, not the least of which is the danger of key compromise. If a laptop should fall into the wrong hands, the thief now knows the secret keys to every access point. This information can be sold to interested parties or used by the thief to mount an attack.

Many vendors include an additional authentication mechanism, not specified in 802.11, that limits access by MAC address. An administrator must manually enter MAC addresses into every access point in an ESS. Beware, though: MAC address authentication isn’t perfect. It’s relatively trivial to obtain a wireless NIC that permits the administrator to enter a different MAC address. Also, a laptop thief can still gain access.

Once the station’s been authenticated, it transmits an Association Request that asks the access point to create a port for the station to use. Once the station has been associated, any traffic from it is bridged by the access point onto the distribution system (Ethernet).

If a roaming mobile station comes across an access point beacon that indicates the new access point is closer (stronger signal) or not as heavily loaded, the station can send a Reassociation Request to the new access point, as shown in Figure 3. The new access point contacts the old access point to obtain association information, including frames currently buffered at the old access point. This permits a user to move seamlessly through an ESS. Note that reassociation doesn’t involve re-authentication.

Mobile wireless station moving from one BSS to another
Figure 3. When a mobile wireless station moves from one BSS to another, it reassociates to a new access point as soon as the AP's signal strength indicates that it's closer to the station. The new AP obtains the station's status information from the old AP so the user sees a seamless transition.

That takes care of the basics of 802.11 wireless operation. Next month, I’ll discuss how WEP operates and how to incorporate Transport Layer Security (TLS) to improve security.
