Empire of the Air
Imagine a datacenter without wires. The first of this three-part series lays the groundwork toward a wireless infrastructure.
Some technologies get deployed only after a lot of design debates, roundtable
meetings, signature cycles and budget discussions—Active Directory and
Exchange are examples. But some technologies sneak in, get established,
then grow and grow until you can’t possibly ignore them. That’s the way
wireless networks get introduced into many organizations. After all, the
benefits of a wireless infrastructure are inviting in a world of highly
mobile workers. With wireless networking, roaming users with a wide variety
of hardware can access the corporate network no matter where they go.
This benefit statement is also the major problem for wireless networks.
Giving highly flexible mobile access to your data raises significant concerns
about data integrity and perimeter security. Imagine your CEO at a wireless
laptop e-mailing next quarter’s financials to the board chairman while
a 16-year-old kid named “Bomberz” sits in the company parking lot with
a wireless handheld that records every frame.
Designing a secure wireless infrastructure can become complex fairly
quickly. After all, you’re sending Ethernet transmissions over what amounts
to miniature walkie-talkies. You can only protect the transmission by
using the latest in certificate-based authentication and streaming encryption.
Not exactly a recipe for simplicity.
In a three-part series, I’ll discuss how to deploy and secure a wireless
infrastructure using Windows servers and desktops. The first installment
takes a look at the underlying wireless standards and their operation.
Next month’s column covers Wired Equivalent Privacy (WEP) and takes a
detailed look at how Transport Layer Security (TLS) is used to protect
wireless authentication and key transfers. The final installment examines
how to use Windows servers to support the advanced wireless protection
schemes currently emerging as standards.
Ethernet and Radios
A computer equipped with a wireless network card is called a station.
Stations can transmit to each other (ad hoc mode) or can transmit to one
or more access points (infrastructure mode).
Standard Ethernet uses Carrier Sense-Multiple Access/Collision Detect
(CSMA/CD) to manage traffic. CSMA/CD works like a blind cat crossing a
busy street: A network adapter listens for traffic, quickly streaks out
a message when it gets the opportunity, then checks itself at the curb
afterward to make sure nothing got run over.
Collision Detection is unsuitable for wireless communication because
two wireless stations may not be able to hear each other’s transmissions
and could therefore transmit to the same access point at the same time,
seriously degrading performance. 802.11 solves this hidden node problem
using a mechanism called Collision Avoidance (yielding a full acronym
In CSMA/CA, a wireless station first transmits a Ready To Send (RTS)
message that contains the amount of data in the frame and the transmission
speed. The access point replies with a Clear To Send (CTS), and the station
sends an ACK and begins transmitting. All other stations in the broadcast
range of the access point refrain from transmitting long enough for the
station to send the specified frame at the specified speed.
The special physical and media access requirements of wireless networking
equipment are addressed in IEEE 802.11. Several daughter standards expand
the base standard, the most common of which is 802.11b, which defines
spread-spectrum radio operation in the 2.4GHz band between 2.400GHz and
2.483GHz —the so-called Industry, Science and Medical (ISM) band. The
802.11g extension to the 802.11 standard also uses the ISM band.
In the U.S., the ISM band is divided into 11 channels of 5MHz apiece.
An 802.11 wireless network adapter utilizes 22MHz of bandwidth due to
signal spreading, so a station operating at one channel will overlap onto
adjacent channels. If you’ve ever tried listening to a small alternative
radio station that sits on the dial close to a huge adult contemporary
advertising machine, you’ll appreciate how channel overlap can cause unacceptable
signal distortion. To avoid overlap, use only channels 1, 6 and 11.
The new 802.11a standard defines operation at two ranges in the 5GHz
band: 5.15GHz to 5.35GHz and 5.725GHz to 5.825GHz. These ranges contain
a total of eight channels of 20MHz apiece, wide enough so they don’t overlap.
Also, there isn’t as much competition from other devices in the 5GHz range.
The bad news is that 5GHz signals don’t have the penetration power of
2.4GHz, especially at higher data transmission rates, so you’ll need more
access points to cover the same area.
When you lay out your access points, you can encounter another form of
distortion if two transmitters on the same channel get too close to each
other. It’s something like tuning in a station at night and getting crop
reports from Ohio, country music from Texas and a sermon from Alabama.
You can avoid this Co-Channel Interference (CCI) by laying out your access
points so that adjacent access points use different channels. Use distance
and antenna shaping to keep access points on the same channel away from
each other’s signals. A single access point can transmit as far as 1,000
feet, but anything containing water (including trees), sources of electrical
noise such as microwave ovens, and architectural features such as ductwork
can disrupt or modify the antenna pattern.
In a standard radio broadcast, the relatively low-frequency tones of an
Eminem ditty are used to modulate a much higher frequency carrier signal.
The modulated carrier is then transmitted to a receiver where the carrier
is removed, leaving the original sounds. The commercial audio region of
the radio spectrum uses two modulation techniques: Amplitude Modulation
(AM) and Frequency Modulation (FM). Digital transmissions from 802.11b
devices use a technique called Phase Shift Keying (PSK). In PSK, each
bit in the digital signal produces a phase shift in the carrier. The original
802.11 standard used a 180-degree shift to represent a bit for low-speed
(1Mbps) operation and four rotational phase shifts for high-speed (2 Mbps)
operation. 802.11a and 802.11g devices use PSK for bit rates of 18Mbps
and below and Quadrature Amplitude Modulation (QAM) for higher bit rates.
If a modulated carrier signal gets distorted, the original frequencies
may be lost or damaged. In analog radio, this could make Eminem sound
like Madonna. In digital transmissions, even slight distortion can turn
a file into a mangled, useless mess. For this reason, data bits are encoded
prior to using them to modulate a carrier so that distortion can be identified
and corrected, if possible.
A binary data stream consists of uneven sequences of high and low voltages.
The 802.11b standard uses Digital Sequence Spread Spectrum (DSSS) as the
encoding technique. Spread Spectrum is a way of dividing a digital signal
across little slices of the available carrier channel to decrease the
statistical likelihood that two signals of the same frequency would occupy
the same broadcast airspace at the same instant. Signal spreading is why
802.11b signals require 22MHz even though the bit rate is much lower.
DSSS converts each bit in the digital stream into a sequence of bits
more suitable for error detection. The original 802.11 standard (1Mbps
and 2Mbps) uses a Barker sequence of 11 bits (10110111000) to represent
a digital 1 and its inverse (01001000111) to represent a digital 0. Each
encoded bit is called a chip. The chips are applied to the carrier using
To increase the bit rate even further, 802.11b uses a second type of
encoding mechanism called Complementary Code Keying (CCK), consisting
of a series of 64-bit sequences that can encode multiple bits from the
original data stream into a single chip, thus increasing the overall throughput.
802.11b also defines a second encoding method called Packet Binary Convolutional
Code (PBCC) that significantly improves a signal’s resistance to multipath
distortion, an effect that occurs when echoes of the same transmission
arrive at slightly different times. (This is what causes ghost images
in a broadcast television signal.) Last year, Texas Instruments introduced
a PBCC-based chip and took advantage of the superior resistance to multipath
distortion by doubling the standard bit rate, up to 22Mbps. The faster
bit rates are not part of 802.11b, but this hasn’t deterred vendors from
offering access points and NICs based on the new chip. These devices often
carry the moniker 802.11b+ or 802.11b(PBCC).
802.11a devices achieve higher speeds by using Orthogonal Frequency Division
Multiplexing (OFDM), a technique that supports bit rates up to 54Mbps.
In addition to its higher bit rates, 802.11a is also attractive because
of the eight non-overlapping channels available in the 5GHz band. You
can deploy 802.11a in parallel with 802.11b by purchasing dual-head access
802.11g devices (the specification is currently near final approval)
use the same 2.4GHz band as 802.11b while incorporating OFDM for fast
bit rates. An 802.11g device will fall back to 802.11b modulation for
backward compatibility. (802.11g includes 22Mbps PBCC in a nod to Texas
Instruments.) Because 802.11g uses the same transmitters as 802.11b, some
vendors may provide simple firmware upgrades. The disadvantages of 802.11g
include limited effective high-speed range and contention with Bluetooth
and 2.4GHz phones. Also, because 802.11g uses the ISM band, it has only
three available channels, making deployment much more difficult, especially
considering that high-speed operation is only available with clear, strong
A group of wireless devices that communicate with each other is called
a Service Set. There are three types of service sets: Independent Basic,
Basic and Extended.
Wireless stations communicating directly with each other using ad hoc
networking form an Independent Basic Service Set (IBSS). An IBSS is suitable
only for very small offices due to congestion and the low power of the
adapters. It also represents a security vulnerability because each station
becomes a potential path onto the network.
Wireless configurations that use an access point to aggregate transmissions
from stations come in two flavors:
A single WAP and a group of stations is called a Basic Service Set (BSS).
A combination of more than one BSS is called an Extended Service Set (ESS).
Figure 1 shows examples.
|Figure 1. A Basic Service Set includes a single
access point and its wireless stations. An Extended Service Set connects
multiple Basic Service Sets that share a common Extended Service Set
Service sets act as management and data transmission boundaries. A Basic
Service Set is defined by the presence of a single access point, so the
MAC address of the access point is used as a Basic Service Set Identifier
(BSSID). The header of each transmission to and from an access point includes
Members of an extended service set identify themselves with an Extended
Service Set Identifier (ESSID). The ESSID is often simply called the SSID
or, sometimes, the Preferred Network. The ESSID is case sensitive and
can be no longer than 32 characters. It isn’t encrypted or otherwise obscured
and isn’t intended for use as a security mechanism.
Always change the default ESSID on any access point. These ESSIDs are
well known, as are the default access points admin credentials. Change
them as well. By default, an access point broadcasts its ESSID to aid
clients in finding the service set. You can turn off ESSID broadcasts,
but this can sometimes interfere with client operation. Be sure you have
station adapters that support it.
Access Point Operation
An access point periodically transmits a management frame called a beacon,
which announces its BSSID, its ESSID and its capabilities, including whether
the access point is pollable, WEP-enabled, uses a short transmission preamble,
supports PBCC, or supports Channel Agility (frequency hop scheduling to
avoid congested side channels). The beacon interval is controlled by the
access point configuration and is sent generally every 0.1 second.
When a wireless station first comes up, it transmits a probe request
on each channel unless it’s been configured to use a specific channel.
The probe request includes the station’s ESSID and the supported data
rates. If the station hasn’t been configured with a specific ESSID, it
looks for beacons and displays any ESSIDs it finds.
When an access point receives a probe request that matches its ESSID,
it replies with a probe response that contains synchronization information
and access point loading. As seen in Figure 2, if a station receives multiple
probe responses, it selects the access point with the strongest signal
strength and lowest loading.
|Figure 2. A newly started wireless station broadcasts
a probe request and listens for responses from access points that
share its ESSID. It selects a probe response from the closest AP (based
on signal strength) that isn't heavily loaded (based on information
included in the probe response).
The station then transmits an Authentication Request. The default configuration
of most access points is open authentication, meaning that there’s no
restriction on which stations can connect. This is obviously a poor security
selection. The 802.11 standard includes a second authentication mechanism
that uses a shared key and a challenge-response transaction as follows:
The station sends an authentication request.
The access point returns a random number (challenge).
The station encrypts the challenge using the shared key and returns the
result to the access point.
The access point encrypts the challenge using the same shared key and
compares the result to the challenge response. If they match, the access
point permits the station to associate.
The shared key used in this transaction is the same as that used for
WEP, covered in the last installment of this series.
Using a shared key for authentication has several serious deficiencies,
not the least of which is the danger of key compromise. If a laptop should
fall into the wrong hands, the thief now knows the secret keys to every
access point. This information can be sold to interested parties or used
by the thief to mount an attack.
Many vendors include an additional authentication mechanism, not specified
in 802.11, that limits access by MAC address. An administrator must manually
enter MAC addresses into every access point in an ESS. Beware, though:
MAC address authentication isn’t perfect. It’s relatively trivial to obtain
a wireless NIC that permits the administrator to enter a different MAC
address. Also, a laptop thief can still gain access.
Once the station’s been authenticated, it transmits an Association Request
that asks the access point to create a port for the station to use. Once
the station has been associated, any traffic from it is bridged by the
access points onto the distribution system (Ethernet).
If a roaming mobile station comes across an access point beacon that
indicates the new access point is closer (stronger signal) or not as heavily
loaded, the station can send a Reassociation Request to the new access
point, as shown in Figure 3. The new access point contacts the old access
point to obtain association information, including frames currently buffered
at the old access point. This permits a user to move seamlessly through
an ESS. Note that reassociation doesn’t involve re-authentication.
|Figure 3. When a mobile wireless station moves
from one BSS to another, it reassociates to a new access point as
soon as the AP's signal strength indicates that it's closer to the
station. The new AP obtains the station's status information from
the old AP so the user sees a seamless transition.
That takes care of the basics of 802.11 wireless operation. Next month,
I’ll discuss how WEP operates and how to incorporate Transport Layer Security
(TLS) to improve security.