802.11 and 802.11b

In 1997, the Institute of Electrical and Electronics Engineers (IEEE) published 802.11, the first internationally recognized standard for wireless LANs. About two years later, the IEEE published 802.11b, also known as 802.11 High Rate, which specifies wireless systems operating at data rates of up to 11Mbps. The intention of the standard is to give wireless networks robustness comparable to that of wired Ethernet. One declared benefit of 802.11b is backward compatibility: administrators who design wireless systems to the 802.11 specifications, so that they fit seamlessly with existing wired standards, can be assured that 802.11b equipment will interoperate with them.

The basic features of 802.11b are defined by the existing 802.11 standard for architecture and services; the design paradigms are the same, and each 802.11b component has a parallel in the wired world. The 802.11 standards cover the lower two layers of the Open System Interconnection (OSI) network reference model: the physical layer and the data link layer, whose lower half is the media access control (MAC) sublayer (see Figure 3.1). Any current application, network operating system, or protocol that runs over an 802-compliant wired LAN should therefore run unchanged over 802.11, because those components reside in the layers above the physical and MAC layers and are not affected by differences below them. To understand 802.11b, you must first understand the building blocks of 802.11.

Figure 3.1. The OSI model

graphics/03fig01.gif

802.11 System Components

The 802.11 standard defines two categories of equipment: the station and the access point (see Figures 3.2, 3.3, and 3.4). A wireless station is any standard PC fitted with a Network Interface Card (NIC) that supports wireless communication; it has access to the wireless medium and radio contact with an access point. The access point is the equipment that lets the wireless system interact with a wired one; in other words, it performs the important function of bridging. A typical access point comprises a radio, a wired network interface, and bridging software conforming to the IEEE 802.1D bridging standard. The access point can be pictured as the base station of the wireless system: traffic from many wireless stations is funneled through it and directed onto the wired network.

Figure 3.2. The BSS infrastructure mode

graphics/03fig02.gif

Figure 3.3. The ESS infrastructure mode

graphics/03fig03.gif

Figure 3.4. The BSS ad hoc mode

graphics/03fig04.gif

802.11 Architecture Modes

The specifications define two modes in which wireless stations and access points can be configured: infrastructure mode and ad hoc mode. In infrastructure mode, every station in the system communicates through an access point, never directly with another station. In ad hoc mode, the stations communicate with one another directly, without an access point.

Infrastructure mode comprises an access point and the stations within its radio coverage, which together form a basic service set (BSS), illustrated in Figure 3.2. Several BSSs connected through a distribution system form one larger network with an extended coverage area, called an extended service set (ESS), illustrated in Figure 3.3. The 802.11 specification does not detail the architecture of the distribution system; the implementation is left to system architects, whose decisions about how to interconnect BSSs are driven by design requirements, the types of stations or devices, and business considerations. If interconnection with wired systems is a requirement, infrastructure mode provides the direction for a viable system. Stations can hand off between BSSs to extend network coverage, and the access points of several BSSs can be connected to a wired LAN, extending it further.

An ad hoc architecture is a set of stations that communicate without an access point (see Figure 3.4). This on-the-fly mode requires no connection to a wired network and is easily assembled and disassembled: each node communicates directly with the others. The possibilities for interconnecting an ad hoc network with other wired or wireless networks are limited, however, because there is no master/slave relationship and each station remains independent. As in infrastructure mode, the interconnected stations form a BSS, in this case called an independent BSS (IBSS). 802.11 does not specify routing, data forwarding, or the exchange of topology information among BSSs.

802.11b Physical Layer

One of the most valuable additions of 802.11b is standardized physical-layer support for two new speeds, 5.5Mbps and 11Mbps. The original 802.11 standard specifies two signaling methods, frequency-hopping spread spectrum (FHSS) and direct-sequence spread spectrum (DSSS), each offering data rates of 1Mbps and 2Mbps in the 2.4 to 2.4835GHz band. The two are not interoperable. In FHSS, the band is divided into many subchannels, and sender and receiver agree on a hopping pattern chosen to minimize the chance that two senders use the same subchannel at the same time. FCC regulations limit each subchannel to 1MHz of bandwidth, which caps the usable data rate and imposes a high hopping overhead. On the other hand, 802.11b is less susceptible to multipath propagation interference than the original 802.11.

DSSS, by contrast, divides the band into channels that are allowed to overlap partly, and data is sent on one channel without hopping. Instead, a technique called chipping is used: each bit of user data is expanded into a redundant bit pattern called a chip sequence, or chips. (Unlike file compression, which removes redundancy, chipping adds it.) The redundancy and the spreading of the chips across the whole channel let the receiver detect and correct errors, so retransmission is rarely necessary even if part of the signal is damaged.

In the 802.11b specification, DSSS is the sole signaling method; FHSS is dropped because it cannot support the higher speeds without violating FCC regulations. 802.11b DSSS is intended to interoperate with existing 1Mbps and 2Mbps 802.11 DSSS systems, but not with 802.11 FHSS systems.

To reach the higher data rates, 802.11b uses a more advanced coding technique. In the original standard, every data bit is spread with an 11-chip Barker sequence; each sequence is converted to a waveform, called a symbol, and transmitted at 1MSps (a million symbols per second). A 1Mbps DSSS system carries one bit per symbol (DBPSK); the 2Mbps system keeps the same symbol rate and carries two bits per symbol (DQPSK). In 802.11b, the Barker sequence is replaced above 2Mbps by Complementary Code Keying (CCK), which raises the symbol rate to 1.375MSps and carries 4 or 8 bits per symbol, giving 5.5Mbps and 11Mbps.
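The chipping described in the two paragraphs above is easy to see in code. The following is an added example, not code from the book: it spreads data bits with the 802.11 Barker sequence, corrupts some chips to stand in for interference (the sample bits and the damaged positions are constructed here), and despreads by correlation to show why a block with up to five of its eleven chips damaged still decodes without retransmission, while six damaged chips do not.

```python
# Added example (not from the book): DSSS chipping with the 11-chip Barker sequence,
# showing why a partly damaged signal still decodes without retransmission.
BARKER_11 = (+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1)   # 802.11 Barker code
CHIPS_PER_BIT = len(BARKER_11)


def spread(bits):
    """Spread each data bit into 11 chips: 1 -> Barker code, 0 -> inverted code.
    A 1Mbps bit stream therefore becomes an 11Mchip/s chip stream."""
    chips = []
    for b in bits:
        sign = 1 if b else -1
        chips.extend(sign * c for c in BARKER_11)
    return chips


def despread(chips):
    """Correlate each 11-chip block against the Barker code. The correlation
    peaks at +11 (bit 1) or -11 (bit 0); the sign decides the bit, so up to
    5 of the 11 chips may be inverted and the bit is still recovered."""
    bits = []
    for k in range(0, len(chips), CHIPS_PER_BIT):
        block = chips[k:k + CHIPS_PER_BIT]
        correlation = sum(x * c for x, c in zip(block, BARKER_11))
        bits.append(1 if correlation > 0 else 0)
    return bits


def corrupt(chips, positions):
    """Constructed interference: invert the chips at the given indices."""
    damaged = list(chips)
    for p in positions:
        damaged[p] = -damaged[p]
    return damaged


def demo():
    data = [1, 0, 1, 1, 0, 0, 1, 0]                       # constructed sample bits
    tx = spread(data)
    hit = corrupt(tx, [0, 1, 2, 3, 4])                    # 5 chips of the first bit flipped
    lost = corrupt(tx, [11, 12, 13, 14, 15, 16])          # 6 chips of the second bit flipped
    return {
        "chip_rate_factor": len(tx) // len(data),         # 11 chips per bit
        "clean_ok": despread(tx) == data,
        "five_flips_ok": despread(hit) == data,
        "six_flips_ok": despread(lost) == data,           # False: majority of block inverted
    }


if __name__ == "__main__":
    print(demo())
```

The same arithmetic gives the 802.11b rates: CCK keeps the 11Mchip/s rate but uses 8-chip symbols at 1.375MSps, so 4 bits per symbol yields 5.5Mbps and 8 bits per symbol yields 11Mbps.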

802.11b uses dynamic rate shifting to obtain the highest usable data rate, even in cluttered environments. Data rates are adjusted automatically to make the best use of the 11Mbps rate: when interference is high, or a wireless device moves outside the range at which 11Mbps works, the rate is shifted down to 5.5Mbps, 2Mbps, or 1Mbps, and it is bumped back up when the device returns to 11Mbps range or the interference subsides.

802.11 Media Access Control Layer

The 802.11 Media Access Control (MAC) layer is designed to support multiple users on a shared medium by having the sender sense the medium and gather information about it before accessing it. The 802.3 Ethernet (wired) LAN specification also supports multiple users on a shared medium and specifies how a sender senses the medium, but its protocol, Carrier Sense Multiple Access with Collision Detection (CSMA/CD), also detects collisions in progress and handles them by aborting and retransmitting. In 802.11, collision detection is not possible because a station cannot listen and transmit at the same time: its own radio transmission prevents it from sensing a collision. The protocol specified is therefore slightly different, Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), which adds explicit acknowledgment: the receiver sends an extra frame, the ACK, to confirm receipt of each transmitted frame.

In a CSMA/CA transmission, the sender senses the medium; if it is free, the sender waits a randomly chosen period (the backoff) and, if the medium is still free, transmits to the intended recipient. When the recipient has received the entire transmission, it returns an ACK frame, and the exchange is complete when the sender receives that ACK. If the ACK is not received, either because the original transmission did not arrive intact or because the ACK itself was lost, the sender assumes a collision and retransmits the frame after another randomly chosen backoff, drawn from a larger window on each retry.

CSMA/CA handles the transmission and collision problems inherent in radio communication, but it does nothing to minimize overhead: the backoff periods and ACK frames make 802.11 slower than 802.3 by design. Simply put, wireless communication is slower than wired communication.
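The CSMA/CA procedure above, as an added example that is not from the book. The channel is a constructed model that answers "busy" from a script and decides from a second script whether each transmission's ACK comes back; the sender follows the 802.11 distributed coordination rules in simplified form (sense, wait DIFS, random backoff, transmit, wait for ACK, double the contention window and retry on a missing ACK). The slot, DIFS and contention-window constants are the 802.11 DSSS values; the retry limit, the `Medium` class and the scripted behaviour are assumptions of the example.

```python
# Added example (not from the book): a simplified model of 802.11 CSMA/CA with
# explicit ACKs and binary exponential backoff.
import random

SLOT_US = 20                  # 802.11 DSSS slot time (microseconds)
DIFS_US = 50                  # 802.11 DSSS DIFS
CW_MIN, CW_MAX = 31, 1023     # 802.11 DSSS contention-window bounds (slots)
RETRY_LIMIT = 7               # assumed retry limit for this example


class Medium:
    """Constructed channel: 'busy_script' answers successive carrier-sense checks,
    'ack_script' says whether each transmission is acknowledged. Both default to
    'idle' / 'acknowledged' once exhausted."""

    def __init__(self, busy_script=(), ack_script=()):
        self.busy_script = list(busy_script)
        self.ack_script = list(ack_script)
        self.log = []                                   # (frame, acked) per attempt

    def is_busy(self):
        return self.busy_script.pop(0) if self.busy_script else False

    def transmit(self, frame):
        acked = self.ack_script.pop(0) if self.ack_script else True
        self.log.append((frame, acked))
        return acked                                    # True: ACK frame received in time


def csma_ca_send(medium, frame, seed=0):
    """Send one frame: defer while the carrier is sensed, wait DIFS, back off a random
    number of slots, transmit, and wait for the ACK. No ACK is treated as a collision:
    the contention window doubles (up to CW_MAX) and the frame is retransmitted.
    Simplification: the backoff counter is not frozen when the medium becomes busy."""
    rng = random.Random(seed)
    cw = CW_MIN
    elapsed_us = 0
    for attempt in range(1, RETRY_LIMIT + 1):
        while medium.is_busy():                         # carrier sense: defer
            elapsed_us += SLOT_US
        elapsed_us += DIFS_US
        elapsed_us += rng.randint(0, cw) * SLOT_US      # collision avoidance: random backoff
        if medium.transmit(frame):                      # ACK received: success
            return {"ok": True, "attempts": attempt, "cw": cw, "elapsed_us": elapsed_us}
        cw = min(2 * cw + 1, CW_MAX)                    # assume collision, widen the window
    return {"ok": False, "attempts": RETRY_LIMIT, "cw": cw, "elapsed_us": elapsed_us}


if __name__ == "__main__":
    m = Medium(busy_script=[True, True, False], ack_script=[False, True])
    print(csma_ca_send(m, b"data-frame"))    # succeeds on the second attempt with cw == 63
```

The `elapsed_us` figure makes the overhead argument concrete: even with an idle medium, every frame pays a DIFS plus a random backoff before it is sent, and a lost ACK costs a whole retransmission with a wider backoff window.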

Another protocol defined at the MAC layer is the optional Request to Send/Clear to Send (RTS/CTS) exchange, in which a station reserves the medium before transmitting a large frame; the CTS reply from the access point also tells stations that cannot hear the sender (hidden nodes) to stay silent for the duration of the transfer.

Unfortunately, accompanying each benefit is a caution. 802.11b was developed to be seamlessly compatible with the existing IEEE wired standards, and it has been criticized for being too compatible: because its security requirements were written to accommodate a wide range of devices, networks, and other technologies, the standard in its basic form leaves systems wide open.

The standards dictate that the application and network protocol layers should not be affected by differences at the data link or physical layer, but seamless operation does not mean operation without risk.

802.11b Security and Wired Equivalent Privacy (WEP)

The goal of securing wireless network traffic is to approach as closely as possible the security offered by wired networks. The 802.11b standard affords this possibility by way of the Wired Equivalent Privacy (WEP) protocol. WEP offers encryption of communications and authentication of devices while balancing users' need for privacy with ease of use. WEP is available in 64-bit and 128-bit strengths; in each case 24 bits are a cleartext per-packet initialization vector (IV), so the secret key is actually 40 or 104 bits. In wired LANs, stealing network traffic is considered difficult because an attacker needs to be in close physical proximity to the network: close enough to a network cable to intercept, with listening equipment, the emissions given off as data flows through it. In wireless networks, however, the same attacker does not need to be anywhere near a cable and can simply sit in a parking lot adjacent to the building where the wireless LAN is installed.

The WEP protocol algorithm is designed on five premises:

1.       Reasonably strong. Takes a reasonably long time to break by brute force.

2.       Self-synchronizing. Each packet carries what the receiver needs to decrypt it, so devices resynchronize on their own when communication is inadvertently interrupted.

3.       Computationally efficient. Is not too taxing on battery power.

4.       Exportable. Can be exported under U.S. cryptographic export regulations.

5.       Optional. Can be turned on and off at a user's discretion.

The protection WEP provides is all some mobile users require. It synchronizes itself automatically between the station and the access point, which is helpful because wireless stations frequently drop communication or drift in and out of service, depending on their distance from an access point and the signal strength. The algorithm is efficient and can be implemented in either software or hardware. It can be exported under current U.S. government regulations, and it is optional in an 802.11 system.

The process is as follows (see Figure 3.5):

Figure 3.5. The WEP authentication sequence

graphics/03fig05.gif

1.       A requesting station sends an Authentication frame to the access point (AP).

2.       When the AP receives the initial Authentication frame, it replies with an Authentication frame containing 128 bytes of random challenge text generated by the WEP pseudo-random number generator.

3.       The requesting station copies the challenge text into an Authentication frame, encrypts it under the shared key with a fresh IV, and sends the frame to the responding AP.

4.       The AP decrypts the challenge text using the same shared key and compares it with the challenge text it sent. If they match, the AP replies with an Authentication frame indicating success; if not, it sends a negative authentication.
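The handshake above, together with the per-packet key construction discussed later in this section, as an added example that is not from the book. It implements RC4, WEP encryption (24-bit IV prepended to the shared secret, CRC-32 integrity check value appended to the plaintext) and both sides of shared-key authentication; it then shows the passive attack on this exchange: because the challenge is sent in the clear and the response is the challenge XORed with the RC4 keystream for one IV, an eavesdropper recovers that keystream from a single observed handshake and can answer any later challenge under the same IV without ever learning the key. The `AccessPoint` class, the function names and the 40-bit sample key are assumptions of the example; the WEP framing itself (IV, key concatenation, CRC-32 ICV, 128-byte challenge) follows the standard.

```python
# Added example (not from the book): WEP encryption, the shared-key authentication
# handshake, and the keystream-reuse attack against it.
import os
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (key scheduling + keystream generation) XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):                                  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key = 24-bit IV || shared secret (40 or 104 bits): the keys
    of different packets differ only in the three IV bytes."""
    assert len(iv) == 3 and len(secret) in (5, 13)
    return rc4(iv + secret, plaintext + icv(plaintext))


def wep_decrypt(secret: bytes, iv: bytes, ciphertext: bytes):
    """Returns the plaintext, or None if the ICV does not verify."""
    body = rc4(iv + secret, ciphertext)
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AccessPoint:
    """Responder side of shared-key authentication (steps 2 and 4 above)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = b""

    def challenge(self) -> bytes:
        self.pending = os.urandom(128)                    # 128 bytes of challenge text
        return self.pending

    def verify(self, iv: bytes, ciphertext: bytes) -> bool:
        return wep_decrypt(self.secret, iv, ciphertext) == self.pending


def station_response(secret: bytes, challenge: bytes):
    """Step 3: the station encrypts the challenge under the shared key with a fresh IV."""
    iv = os.urandom(3)
    return iv, wep_encrypt(secret, iv, challenge)


def recover_keystream(challenge: bytes, ciphertext: bytes) -> bytes:
    """Passive attacker: ciphertext XOR (challenge || ICV) is the RC4 keystream for
    the observed IV; 132 bytes, enough to answer any later challenge."""
    return xor(ciphertext, challenge + icv(challenge))


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes):
    """Attacker answers a new challenge by reusing the captured IV and keystream."""
    return iv, xor(new_challenge + icv(new_challenge), keystream)


def run_handshake(secret: bytes = b"\x01\x02\x03\x04\x05") -> dict:
    """A legitimate station authenticates; an eavesdropper then does so without the key."""
    ap = AccessPoint(secret)
    c1 = ap.challenge()
    iv, resp = station_response(secret, c1)               # both frames are broadcast in the clear
    legit_ok = ap.verify(iv, resp)

    ks = recover_keystream(c1, resp)                      # attacker uses only what it overheard
    c2 = ap.challenge()                                   # attacker's own authentication attempt
    forged_ok = ap.verify(*forge_response(iv, ks, c2))
    return {"legitimate_ok": legit_ok, "forged_ok": forged_ok}


if __name__ == "__main__":
    print(run_handshake())       # {'legitimate_ok': True, 'forged_ok': True}
```

Nothing in the exchange prevents IV reuse, and the ICV is a linear CRC rather than a keyed integrity check, so the same recovered keystream also lets the attacker inject arbitrary 132-byte data frames under that IV. Shared-key authentication therefore hands a passive listener more than open-system authentication would, which is one reason the rest of this section argues against relying on WEP alone.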

Most businesses that choose to use 802.11b wireless LANs, however, should not rely on WEP alone. In spring 2001, researchers at the University of California, Berkeley and at the University of Maryland showed WEP encryption to be breakable. Their papers outlined weaknesses inherent in the way the keys used by the encryption algorithm are created and used for traffic traversing the wireless network. Throughout the rest of the year, other groups implemented attacks against collections of captured WEP data, and some released tools that automate the break.

The encryption algorithm itself, RC4, is not the problem. The vulnerability lies in the keys fed to it: each packet's RC4 key is simply the 24-bit IV prepended to the shared secret, so the per-packet keys are too closely related to one another, and certain IVs leak information about the secret. With enough wireless packets captured, you can determine the key and decrypt the traffic; at that point all data passed on the wireless network is readable, and the network has been pried wide open.

Often, the wireless access point installed in an office is placed inside the corporate firewall, opening the entire network to attack. A wireless attack is very difficult to detect because the attacker needs only to listen: merely by capturing packets as they fly through the air, the attacker can carry out the break without ever transmitting. Two applications, AirSnort and WEPCrack, implement the weak-key attack that grew out of the research published in 2001. Once enough traffic has been collected, these applications can resolve a network's WEP key within seconds. With their introduction, any high school student with a laptop and a wireless network card, regardless of her knowledge of the technical details, can break into wireless systems.

The weakness of the WEP encryption implementation is not the only problem with 802.11b. There is another concern, which deserves more attention than it gets: most wireless access points and networks are deployed without even the limited defense of WEP being enabled.

Wireless networks configured merely by plopping an access point into an existing secure wired network should be deemed insecure. Wireless access points should be used only with the knowledge that, by their nature, they introduce gaping holes into a system, and only after certain precautions are taken. In December 2001, an IEEE committee approved an interim patch for WEP that thwarts applications like AirSnort and WEPCrack and the homegrown varieties of WEP crackers. It is more prudent, however, to consider WEP a weak protection against attack. Access points should be treated with the same caution as Internet traffic: they should be placed outside the firewall and their traffic routed through a Virtual Private Network (VPN) solution in all cases. Basically, networks should not rely on the security provisions that come with 802.11b out of the box. Firewalls and VPN solutions mitigate the problems described here just as they do for wired systems.

In late 2001, RSA released a fix for the WEP weakness, the Fast Packet Keying solution, which rapidly derives a unique key for each wireless data packet so that the per-packet keys are no longer closely related. The IEEE committee approved this fix in early 2002. Although it quells the war-driving experiments of many, it does not solve wireless LAN security problems for good. The claim that it closes the key-related weakness of WEP is valid, but many wireless security proponents now believe that a more advanced encryption mechanism and key-generation scheme should be used.

Until subsequent versions of 802.11 and WEP are secure, external security measures are absolutely critical, because almost no security is offered at the data link layer. It is safe to assume that if any wireless access point is placed inside a firewall on a corporate network, anyone within radio range of that network can act as a legitimate user on it. Although 802.11 is the most popular wireless technology, there are other competing and complementary technologies, such as Bluetooth.

 



Wireless Security and Privacy: Best Practices and Design Techniques
ISBN: 0201760347
Year: 2002
Pages: 73
