8.1 Wireless WAN Security Issues


Securing wireless WANs poses problems that are unique in some ways, but essentially the same as those network administrators face when trying to secure landline connections. The security issues that surround wireless WANs are:

  • Transmission

  • Equipment

These are the same issues that have been faced throughout the book; the only difference is the medium. Because wireless transmissions are broadcast over the airwaves, anyone within range can monitor them without physical access to any part of your network. This is an important distinction. Up until this point, for an attacker to read your data in transit, he or she had to have physical access to either a machine on your network or a machine on the backbone of your ISP. That barrier no longer exists. An attacker with a compatible receiver, an antenna, and some rudimentary knowledge of how the wireless system is deployed may be able to monitor all traffic that crosses the air link.

Before delving into fixed wireless Internet access, it is important to understand how the technology works. Most forms of fixed wireless Internet access use the radio frequency (RF) spectrum to communicate. The RF spectrum is a broad range of frequencies, from roughly 500 kHz to 300 GHz; only the upper part of that range is microwave. Some common devices that use the RF spectrum are cellular phones, cordless phones, televisions, AM and FM radios, and microwave ovens.

Use of the RF spectrum is licensed by the Federal Communications Commission (FCC) in the United States; elsewhere it is licensed by national regulators within the allocations coordinated by the International Telecommunication Union (ITU). The resulting differences often lead to devices in the United States operating at different frequencies than the same devices in the rest of the world.

Not all frequencies within the RF spectrum require licensing. Some have been set aside as license free, the most common of which are the Industrial, Scientific, and Medical (ISM) bands. The ISM frequencies (Table 8.1) are the ones most commonly used by fixed wireless Internet access equipment.

The two most common forms of fixed wireless Internet access are Multichannel Multipoint Distribution Service (MMDS) and Local Multipoint Distribution Service (LMDS). Both are licensed services, operating in the FCC-assigned bands described in the sections that follow; much of the equipment sold for fixed wireless access, however, is built for the unlicensed ISM bands, and many providers operate there.

Table 8.1. ISM Frequency Bands

  ISM Start Frequency    ISM End Frequency
  902 MHz                928 MHz
  2.4 GHz                2.4835 GHz
  5.725 GHz              5.85 GHz

MMDS and LMDS fixed wireless Internet connections generally operate in the same way. An antenna is placed on the roof of an office, or on a pole outside it, and pointed at a tower or the roof of a tall building where the ISP has installed a wireless modem termination system (WMTS), the wireless counterpart of a cable head end's modem termination system. That WMTS forwards data to another WMTS on the roof of the ISP's building, which is connected to a router that forwards traffic out to the Internet (Figure 8.1).

Figure 8.1. A typical fixed wireless network

graphics/08fig01.gif

8.1.1 MMDS Technology

MMDS was originally developed in the 1980s as a way to serve wireless cable television customers. The first use of MMDS technology was in 1984, in Bessemer, Michigan. Wireless cable distribution never really took off in the United States; the total number of MMDS cable subscribers never surpassed much more than 250,000. MMDS television delivery has had more success in other countries.

The television roots of MMDS are important for understanding how the technology evolved into Internet-access use. When MMDS was initially developed, the FCC allocated eight channels, distributed in blocks of four, which meant that a wireless cable company was only able to deliver four channels of programming to its subscribers. Because more is better in the cable TV industry, MMDS-based cable companies petitioned the FCC for a larger allocation, leading to the current frequency distribution, which can support up to 31 channels.

MMDS television was most popular in rural areas not served by cable television companies, which helps to explain why MMDS Internet access has its roots in rural areas. In 1996, when the Telecommunications Act passed, many companies began acquiring MMDS licenses to offer phone and data services in these rural areas. While MMDS still has not caught on as a phone service, it is becoming a predominant force in the fixed wireless industry with support from both WorldCom and Sprint.

MMDS operates in the 2.5-2.7 GHz band. The receivers are generally omni-directional, allowing connections from all sides, and because MMDS operates at a relatively low frequency it is fairly resistant to atmospheric conditions, so a single antenna can serve a large area, up to a 35-mile radius.

The big drawback to MMDS technology is the bandwidth. MMDS is generally limited to 1.5 Mbps downstream, about the speed of a T1. MMDS is also asymmetrical, which means that upload speeds are slower than download speeds. While a company may get 1.5 Mbps of download throughput, upload throughput is often capped at 128 kbps, the equivalent of a bonded ISDN line.

Companies support MMDS for a wireless system because it is relatively cheap to deploy. A single antenna, placed high enough, can serve a large area, minimizing the initial cost of deployment. MMDS antennas can also be linked. An ISP can route a connection through multiple antennas before sending it out on the Internet. This allows the ISP to save on bandwidth costs, by having a single backbone connection support several antennas. It also allows an ISP to set up redundant connectivity for its customers. A ring of wireless antennas can be created to serve an area, providing fault tolerance for the data transmission, and even multiple points of connectivity for the ISP's customers. Figure 8.2 demonstrates this ring.

Figure 8.2. Using multiple MMDS antennas to provide network redundancy

graphics/08fig02.gif

8.1.2 LMDS Technology

Like MMDS, LMDS is a fixed wireless solution: the two communicating devices (the antennas) are stationary, as opposed to a mobile wireless solution. Although it is a fixed wireless solution, the technology behind LMDS is similar to cellular technology, though it too was originally designed for wireless cable television.

LMDS operates in the 28-31 GHz band and was originally licensed by the FCC in 1998 to companies that planned to use the spectrum to provide two-way communications, such as telephone, television, and Internet access.

LMDS has a smaller range than MMDS, offering only a five-mile radius of communication, and only about 2.5 miles of full bandwidth capabilities. It is also much more susceptible to weather and other disruptions than MMDS.

The advantages of LMDS over MMDS are a lower deployment cost per access antenna and, because of the higher frequencies, more bandwidth per user. LMDS providers can offer 10 Mbps of download and 2 Mbps of upload throughput.

Because of the limited reach of LMDS and its strict line-of-sight requirements, LMDS tends to be deployed in urban or business districts, where there is a high concentration of potential customers.

8.1.3 Wireless Encryption

By default, the only protection a fixed wireless transmission has is the spread spectrum technology (SST) it is modulated with. Spread spectrum, discussed in detail in the next section, has one serious limitation as a security measure: it does not encrypt the data. The spreading sequence is a property of the equipment, not a secret, so any receiver built for the same system recovers the signal as easily as the intended one. Of course, the majority of Internet traffic is not encrypted over wire line connections either.

The difference is that data over a wire line connection is transmitted over a closed connection. Assuming that your ISP has taken reasonable security steps, [1] data should be secure while it transits the ISP's backbone. At the very least, it is relatively difficult for an attacker to gain access to an ISP's backbone and sniff traffic.

[1] If it has not, you should find a different ISP.

A wireless connection, on the other hand, can be sniffed by anyone with an antenna. Because wireless connections are transmitted across a range of frequencies, just like FM signals, it is possible for an attacker with an antenna and a receiver compatible with the provider's equipment to "tune in" to a site and sniff transmissions between a device and the WMTS.

The best way to enhance transmission security between a corporate site and the WMTS is to encrypt it. Fortunately, wireless manufacturers have developed a system based on the cable modem standard Data Over Cable Service Interface Specification (DOCSIS), whose Baseline Privacy Interface defines encryption between the modem and the head end. The wireless variant is called DOCSIS+ or wireless DOCSIS.

Using DOCSIS+, an ISP can require encrypted traffic between the WMTS and the user's modem. DOCSIS+ supports several authentication and key management mechanisms, including X.509 digital certificates to identify modems, RSA public-key encryption to deliver keys to a modem, and 3-DES encryption. The WMTS sets the encryption policy; the end-user modems are forced to comply, or the WMTS will not accept their data. This serves two purposes: (1) it prevents attackers from being able to view data in transit, and (2) because a modem that cannot present a certificate the WMTS trusts is never issued keys, it prevents unauthorized users from using the WMTS to gain access to the ISP's backbone.
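The exchange just described, worked through in code as an added example. It is not the book's material and not any vendor's DOCSIS+ implementation; it is a stand-alone Go program that generates its own stand-in manufacturer CA, modem certificate and keys, and the names issue, authorize, encryptFrame, decryptFrame, "Manufacturer CA", "modem-0001" and the constructed request text are the example's own. The head end (authorize) verifies that the modem's X.509 certificate chains to a CA it trusts and only then generates a 3DES traffic key, which it returns encrypted under the modem's RSA public key; the modem recovers the key with its private key, after which frames are protected with 3DES. Two deliberate simplifications are marked in the code: the RSA-delivered key is used directly as the traffic key (the DOCSIS privacy layer separates an authorization key from 3DES-wrapped traffic keys), and frames use 3DES in CTR mode rather than CBC.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes an RSA key pair and X.509 certificate for cn: self-signed when isCA (standing in for a modem manufacturer's CA), else signed by parent.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// authorize is the WMTS side of a modem's authorization request. A certificate that does not chain to a
// trusted root gets no key, and so no path onto the backbone; otherwise a fresh 24-byte 3DES key is returned in
// the clear (kept by the WMTS) and encrypted under the modem's RSA public key (sent to the modem). Using that
// key directly for traffic is this example's simplification; the spec wraps separate traffic keys with 3DES.
func authorize(roots *x509.CertPool, modemCert []byte) (tek, encKey []byte, err error) {
	cert, err := x509.ParseCertificate(modemCert)
	if err != nil {
		return nil, nil, err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	pub, _ := cert.PublicKey.(*rsa.PublicKey) // nil unless the certified key is RSA
	if err != nil || pub == nil {
		return nil, nil, fmt.Errorf("authorization rejected (need an RSA certificate from a trusted CA): %v", err)
	}
	tek = make([]byte, 24)
	_, err = rand.Read(tek)
	must(err)
	encKey, err = rsa.EncryptPKCS1v15(rand.Reader, pub, tek)
	return tek, encKey, err
}

// encryptFrame: random 8-byte IV, then 3DES-CTR ciphertext (CTR is this example's simplification; DOCSIS itself uses CBC).
func encryptFrame(tek, plaintext []byte) []byte {
	block, err := des.NewTripleDESCipher(tek)
	must(err)
	frame := make([]byte, 8+len(plaintext))
	_, err = rand.Read(frame[:8])
	must(err)
	cipher.NewCTR(block, frame[:8]).XORKeyStream(frame[8:], plaintext)
	return frame
}

// decryptFrame reverses encryptFrame, rejecting a bad key or a frame too short to hold an IV instead of panicking.
func decryptFrame(tek, frame []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(tek)
	if err != nil || len(frame) < 8 {
		return nil, fmt.Errorf("bad key or truncated frame")
	}
	out := make([]byte, len(frame)-8)
	cipher.NewCTR(block, frame[:8]).XORKeyStream(out, frame[8:])
	return out, nil
}

// demo runs the exchange for a certified modem and then for a self-signed rogue; returns the recovered frame text and the rogue's error.
func demo() (recovered string, rogueErr error) {
	caKey, ca := issue("Manufacturer CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	modemKey, modem := issue("modem-0001", false, ca, caKey)
	tek, encKey, err := authorize(roots, modem.Raw) // WMTS side
	must(err)
	modemTEK, err := rsa.DecryptPKCS1v15(nil, modemKey, encKey) // modem side: only this private key opens encKey
	must(err)
	plain, err := decryptFrame(modemTEK, encryptFrame(tek, []byte("GET / HTTP/1.0"))) // constructed sample frame
	must(err)
	_, rogue := issue("rogue-modem", true, nil, nil) // self-signed: chains to nothing in roots
	_, _, rogueErr = authorize(roots, rogue.Raw)
	return string(plain), rogueErr
}

func main() { fmt.Println(demo()) }
```

Run with go run; it prints the request text the certified modem recovered, followed by the error returned for the self-signed rogue modem (Go reports a certificate signed by an unknown authority). The point to notice is where purpose (2) is enforced: if authorize skipped certificate verification and simply encrypted a key to whatever public key the modem presented, any attacker with a self-signed certificate would be admitted, and the encryption would protect the attacker's session as faithfully as a customer's.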

The limitation of the DOCSIS+ protocol is that it is not currently interoperable between vendors' equipment. An Alvarion access point may not be able to send DOCSIS+ encrypted data to a Cisco WMTS. As the DOCSIS+ protocol matures, interoperability should improve.


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska