Securing Wireless Mesh Networks -- Key Recommendations

by Kirby Russell, Director of Product Marketing, Strix Systems

2/14/2007

The wireless mesh network is a new breed of Wi-Fi network with enhanced functionalities and capabilities that expand Wi-Fi well beyond the borders of home and office networks. In the third quarter of 2006, vendors shipped 34,000 outdoor wireless mesh access nodes, and this number is expected to grow annually by 130 percent. However, this popular new Wi-Fi architecture brings new security challenges. 

An outdoor wireless mesh network has two components: the access network and the inter-node network. Security for the access network is similar to that for the well-known office Wi-Fi network, although the larger number of users accessing the wireless mesh network creates unique challenges. 

However, having to provide security for an inter-node network composed of multiple Mesh Access Points (MAPs) connected via wireless links is new to the wireless industry. Third-generation MAPs with multiple radios per MAP can create a mesh network composed of 20 or more MAPs per hard-wired connection. Not only must the subscriber's data be kept private across these multiple wireless links, but also the security and privacy of management and control-plane traffic must be ensured.

The inter-node network also presents other security challenges not seen in the usual office network with a single Access Point (AP). MAPs are typically installed in public areas where physical security is low, so the opportunities for rogue APs and intruders to access the network are far greater than in a closed, private office space. Authentication and monitoring of Wi-Fi APs are required to ensure any network's security, but the need is especially acute for MAPs placed in public areas. Standards bodies are also working on inter-node security (the IEEE 802.11s task group), but their recommendations are still a few years away.

Governments feel strongly enough about wireless security (encryption) that the State of California passed a law, AB 2415, requiring wireless devices sold after October 2007 to include literature instructing the user on how to set up a secure wireless connection. Another well-known government security requirement applies to the health care industry: the Health Insurance Portability and Accountability Act (HIPAA). The tools described in this paper can help IT managers create HIPAA-compliant security policies and meet the requirements of AB 2415.

Given the importance of security in the wireless mesh network, what can an IT manager do today? Are there any security tools or features available now?

Access Network Security

Which encryption algorithm to use

In 2004, the IEEE 802.11i task group responsible for Wi-Fi security in the WLAN published a set of fixes for the known problems with Wired Equivalent Privacy (WEP). Its recommended cipher is the Advanced Encryption Standard in Counter Mode with CBC-MAC Protocol (AES-CCMP), usually shortened to AES.

AES is not the end of the story, because the industry had a problem when it moved from WEP to AES: what could be done about legacy devices whose hardware could not support the upgrade to AES? For them the IEEE 802.11i task group recommended the Temporal Key Integrity Protocol (TKIP). TKIP is a patch: it keeps the RC4 cipher that WEP uses (so it runs on WEP hardware) but adds per-packet key mixing, a sequence counter against replay, and the Michael message integrity check. It is not as secure as AES-CCMP, but it defeats the known attacks on WEP.

The urgent need to fix WEP led the Wi-Fi Alliance to publish its own interim certification, Wi-Fi Protected Access (WPA), before the IEEE finalized 802.11i. WPA was drawn from an early draft of the 802.11i standard and mandates TKIP, so it differs in several respects from the final standard. What WPA and TKIP have in common is that both are patches layered on the WEP cipher, and neither is as secure as AES.

The Wi-Fi Alliance later released a second certification, WPA2, to bring WPA into line with the ratified IEEE 802.11i standard. One improvement in WPA2 is that AES-CCMP encryption is mandatory rather than optional. WPA2 has thus become shorthand for AES.

The table below summarizes the encryption options available for WLAN privacy.

WLAN Encryption Options

  Rating            Option                        Status
  ----------------  ----------------------------  ---------------------------------------------
  Most secure       AES-CCMP (WPA2)               Resistant to all known cryptanalysis
  Believed secure   TKIP (WPA), a patch to WEP    Defends against currently known attacks
  Weak security     WEP                           Cracked by analyzing enough captured traffic
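As an added illustration of the "Weak security" row (example code written for this edit, not part of the original article or of any vendor's product), the following Python shows one of the reasons WEP falls to passive traffic analysis: the 24-bit IV, sent in the clear, repeats quickly, and two frames encrypted under the same IV share an RC4 keystream, so one known plaintext reveals the other frame. The WEP key, IV and frame contents are constructed sample data, and the RC4 and frame-format code is a minimal re-implementation for the demonstration, not a driver's.

```python
# Added example (not from the article): why WEP is "weak security".
# WEP encrypts every frame with RC4 keyed by IV || shared key.  The IV is only
# 24 bits and travels in the clear, so a busy network repeats IVs quickly, and
# two frames with the same IV share a keystream: C1 XOR C2 = P1 XOR P2.
# The key, IV and frame contents below are constructed sample data.
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation (the cipher WEP uses)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: clear 3-byte IV || RC4(IV||key, plaintext || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + rc4(iv + shared_key, plaintext + icv)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Receiver side: strip the IV, decrypt, and check the (linear, unkeyed) ICV."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + shared_key, body)
    data, icv = clear[:-4], clear[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return data


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, known_a: bytes) -> bytes:
    """Attacker side, no key needed: frames with a colliding IV share a keystream.
    C_a XOR P_a gives the keystream; XOR it into C_b to read P_b."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames do not share an IV")
    keystream = xor_bytes(frame_a[3:], known_a)
    return xor_bytes(frame_b[3:], keystream)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least two of `frames` random IVs repeat."""
    space = 2 ** iv_bits
    p_distinct = 1.0
    for k in range(frames):
        p_distinct *= (space - k) / space
    return 1.0 - p_distinct


def iv_exhaustion_seconds(frames_per_second: float, iv_bits: int = 24) -> float:
    """Time for a sequential IV counter to wrap at a given frame rate."""
    return (2 ** iv_bits) / frames_per_second


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")            # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                         # both frames reuse this IV
    p_a = b"GET /index.html HTTP/1.0"            # predictable header, known to the attacker
    p_b = b"user=alice;pass=hunter2!"            # victim data of the same length
    f_a, f_b = wep_encrypt(key, iv, p_a), wep_encrypt(key, iv, p_b)
    print(recover_with_known_plaintext(f_a, f_b, p_a))
    print(f"P(IV collision) after 5000 frames: {iv_collision_probability(5000):.2f}")
    print(f"sequential IV wrap at 500 frames/s: {iv_exhaustion_seconds(500) / 3600:.1f} h")
```

With random IVs the birthday bound puts the chance of a repeat above one half after only about 5,000 frames, and a sequential IV counter at 500 frames per second wraps in roughly nine hours; the full key-recovery attacks on WEP need more traffic than this, but the point of the table row is that capture alone, with no interaction, is enough.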

Using the IEEE 802.11i standard gives a robust, secure solution for the access part of a wireless mesh network. But to interoperate with legacy 802.11b clients and with WPA and TKIP devices, MAPs must have the flexibility to run several security standards side by side rather than forcing every client onto the strongest one.

Because every MAP security mechanism adds per-frame overhead and processing load, IT managers need to ensure that the MAPs they deploy use hardware encryption accelerators, so that the security policy does not degrade service performance.

Authentication options

Encryption is only part of the security solution; authentication is required to complete the access-network security plan. The 2004 802.11i specification uses the IEEE 802.1X framework for user authentication, with the Extensible Authentication Protocol (EAP) carrying the credentials. The two most widely deployed EAP methods are EAP-TLS and Protected EAP (PEAP).

EAP-TLS and PEAP both require a RADIUS server or a Network Access Controller (NAC). EAP-TLS requires digital certificates on both the client and the RADIUS server, while PEAP requires a certificate only on the RADIUS or NAC server. A PEAP client first authenticates the server by its certificate; a TLS tunnel is then set up through which the server authenticates the client, typically with a username and password carried inside the tunnel. That client-side check of the server certificate is what stops a rogue AP with its own RADIUS server from harvesting credentials, so clients must be configured to validate the certificate against a trusted issuer rather than to accept whatever is presented.

When a RADIUS or NAC server is not available, WPA specifies a Pre-Shared Key (WPA-PSK) mode. To use WPA-PSK, the IT manager enters the same pass phrase into the MAPs and the clients. A client proves knowledge of the key in the 4-way handshake, after which it receives its own pairwise session key, and the group key is refreshed at regular intervals. The pass phrase is the only secret in this mode: anyone who knows it and captures a client's handshake can derive that client's session key, and anyone who captures a handshake can test pass-phrase guesses offline, so the phrase must be long and random. IT managers need to develop a secure process, individualized to fit the organization's procedures, for entering the pass phrase into clients and keeping it private.
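The following Python, written for this edit and not taken from the article or from any vendor, shows why the pass phrase carries the whole security of WPA-PSK. It derives the Pairwise Master Key and the Pairwise Transient Key exactly as 802.11i specifies, then runs the offline guessing attack that a captured 4-way handshake permits. The MAC addresses, nonces and EAPOL-Key frame are constructed sample data (the frame is a stand-in of the right shape, not a real capture); the PMK test vector for "password"/"IEEE" is the one published in the 802.11i standard.

```python
# Added example (not from the article): what the WPA-PSK pass phrase protects.
# 802.11i derives the Pairwise Master Key as PBKDF2-HMAC-SHA1(passphrase, SSID,
# 4096 iterations, 256 bits) and the Pairwise Transient Key from the PMK plus
# the two MAC addresses and the two nonces exchanged in the clear during the
# 4-way handshake.  The handshake's MIC is keyed by the first 16 bytes of the
# PTK, so a captured handshake lets anyone test pass-phrase guesses offline.
# The MACs, nonces and EAPOL frame below are constructed sample data.
import hashlib
import hmac
from typing import Iterable, Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK per 802.11i: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (CCMP): HMAC-SHA1 over the EAPOL-Key frame, truncated to 128 bits."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def build_handshake(passphrase: str, ssid: str) -> dict:
    """What a passive sniffer records: both MACs, both nonces, message 2 and its MIC.
    Constructed here from a known pass phrase so the example runs offline."""
    ap_mac = bytes.fromhex("001122334455")                       # constructed
    sta_mac = bytes.fromhex("66778899aabb")                      # constructed
    anonce = hashlib.sha256(b"constructed-anonce").digest()
    snonce = hashlib.sha256(b"constructed-snonce").digest()
    # Stand-in for the EAPOL-Key body of message 2 with its 16-byte MIC field zeroed.
    eapol2 = bytes.fromhex("0103007502010a00") + snonce + b"\x00" * 64
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol2": eapol2, "mic": eapol_mic(ptk[:16], eapol2)}


def crack_psk(handshake: dict, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: no further contact with the network is needed."""
    for guess in candidates:
        pmk = derive_pmk(guess, handshake["ssid"])
        ptk = derive_ptk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                         handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake["eapol2"]), handshake["mic"]):
            return guess
    return None


if __name__ == "__main__":
    hs = build_handshake("springfield", "CityMesh")      # weak, dictionary-style pass phrase
    wordlist = ["password", "12345678", "springfield", "correct horse battery staple"]
    print("recovered:", crack_psk(hs, wordlist))
```

The 4096-round PBKDF2 slows each guess but does not stop the attack; only a pass phrase that is not in any wordlist does. Because the PMK depends on the SSID, renaming the network also invalidates precomputed tables for common SSIDs.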

To keep compatibility with WEP-only clients and still boost security, IT managers can use 802.1X remote authentication together with WEP encryption, with the RADIUS server handing each client its own per-session WEP key. This mode of operation is used by many Wi-Fi voice devices that employ Unlicensed Mobile Access (UMA) technology. It still relies on the WEP cipher, so it is a transition measure rather than a destination.

Security for the Public Safety Access Network

Public safety organizations such as police and fire departments are important users of wireless mesh networks. AES encryption and 802.1X authentication are recommended for these users, but another security tool is also available: the 4.9 GHz frequency band.

Operating at 4.9 GHz raises the bar for an intruder because the band is licensed and a client must be equipped to operate in it. However, the band provides no cryptographic protection and does not guarantee security. The IT manager of a public safety network thus needs a complete security checklist that covers encryption algorithms and authentication as well as 4.9 GHz and inter-node security.

Multiple Security Policies on the Same Network - VLANs

Because multiple classes of users typically access the services of a wireless mesh network, the IT manager will need to create multiple security policies. Using 802.1Q VLANs to segregate traffic gives the best flexibility and ease of use. In a wireless mesh network each VLAN can be mapped to its own Service Set Identifier (SSID), and each VLAN/SSID pair can carry its own security policy for a restricted set of clients. For a closed user group, for example, the IT manager can suppress the SSID broadcast in beacons to reduce casual snooping; note that this only inconveniences an intruder, since the SSID still appears in probe and association frames, and it is no substitute for encryption and authentication. A service meant for the general public would broadcast its SSID. Merging Ethernet VLAN security policies with wireless security policies lets the IT manager manage wired and wireless security as one entity, which strengthens the security of the whole network.

Another security tool is the Access Control List (ACL). An ACL can be created to allow only specified Media Access Control (MAC) addresses onto an SSID/VLAN, or conversely, the IT manager can create a blocking list that prevents known offenders from associating with a given SSID/VLAN. MAC spoofing is a well-known and trivial technique, so 802.1X authentication remains the real line of defense. ACLs still have value, as they are easy to use to create a barrier for the casual intruder.

Inter-node Security

Privacy and integrity of the wireless inter-node data 

Wireless mesh networks differ from traditional Wi-Fi setups because they have an inter-node network composed of as many as 20 wireless MAPs per hard-wired connection. Securing the mesh involves ensuring the integrity of the MAPs themselves and the privacy of the data traversing the wireless links between them. Not only must the subscriber's data be kept secure and private across these multiple wireless links, but management and control-plane traffic must be protected as well. AES encryption of every inter-node link is the appropriate control. If the link keys are installed at time of manufacture, they should be unique per device and replaceable in the field: a single key shared by every unit means that one MAP opened in the street (see the monitoring section below) exposes every link in the network.


Authentication of the MAP

To ease the use of a large wireless mesh network, self-discovery and fast protection switching are essential features. But with these features come security dangers. How does one MAP know that it is sending data to another trusted MAP? 

Authentication of network elements must be under the IT manager's strict control and must be continually audited. Maintaining this requires a well-designed Network Management System (NMS). If node authentication and authorization are part of the provisioning process, only nodes the administrator has enrolled become part of the network. Secure inventory and provisioning by an administrator ensures that rogue APs cannot join a wireless mesh network, yet allows the advanced features of self-discovery and fast protection switching to operate.
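One way to implement the "provisioned inventory" check described above, as an added example written for this edit and not Strix's mechanism or any product's code: each MAP is provisioned with its own device secret and registered in the NMS inventory under its hardware ID, and a MAP already in the mesh admits a newcomer only after a challenge-response that binds both identities and a fresh nonce. Hardware IDs and secrets are constructed sample values; the message format and the audit log are assumptions of this example.

```python
# Added example (not Strix's mechanism): admitting a MAP to the mesh only if it is
# in the administrator's provisioned inventory.  Each MAP is provisioned with its
# own 256-bit device secret, recorded in the NMS inventory under its hardware ID.
# A MAP already in the mesh challenges a newcomer with a fresh nonce; the newcomer
# answers with an HMAC over both IDs and both nonces.  A node with no inventory
# entry, the wrong secret, a revoked entry, or a replayed answer is refused, while
# self-discovery still works for legitimately provisioned nodes.  IDs and secrets
# below are constructed sample data.
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple


class Inventory:
    """Administrator-controlled list of authorized MAPs (held in the NMS)."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}
        self.audit_log: List[str] = []

    def provision(self, hw_id: str, secret: bytes) -> None:
        self._secrets[hw_id] = secret
        self.audit_log.append(f"provisioned {hw_id}")

    def revoke(self, hw_id: str) -> None:
        """Used when a chassis-intrusion alarm fires or a unit is decommissioned."""
        self._secrets.pop(hw_id, None)
        self.audit_log.append(f"revoked {hw_id}")

    def secret_for(self, hw_id: str) -> Optional[bytes]:
        return self._secrets.get(hw_id)


def auth_response(secret: bytes, challenger_id: str, responder_id: str,
                  challenge: bytes, responder_nonce: bytes) -> bytes:
    """Tag binding both identities and both nonces, so it cannot be replayed or reflected."""
    msg = b"|".join([b"MAP-AUTH-v1", challenger_id.encode(), responder_id.encode(),
                     challenge, responder_nonce])
    return hmac.new(secret, msg, hashlib.sha256).digest()


class JoiningMap:
    """The newcomer: knows only its own ID and secret."""

    def __init__(self, hw_id: str, secret: bytes) -> None:
        self.hw_id, self._secret = hw_id, secret

    def answer(self, challenger_id: str, challenge: bytes) -> Tuple[bytes, bytes]:
        nonce = os.urandom(16)
        return nonce, auth_response(self._secret, challenger_id, self.hw_id, challenge, nonce)


class MeshMember:
    """A MAP already in the mesh; consults the inventory before accepting a peer."""

    def __init__(self, hw_id: str, inventory: Inventory) -> None:
        self.hw_id, self._inventory = hw_id, inventory
        self._outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, peer_id: str, challenge: bytes, peer_nonce: bytes, tag: bytes) -> bool:
        if challenge not in self._outstanding:
            self._inventory.audit_log.append(f"rejected {peer_id}: unknown or reused challenge")
            return False
        self._outstanding.discard(challenge)              # single use, whatever the outcome
        secret = self._inventory.secret_for(peer_id)
        if secret is None:
            self._inventory.audit_log.append(f"rejected {peer_id}: not in inventory")
            return False
        expected = auth_response(secret, self.hw_id, peer_id, challenge, peer_nonce)
        ok = hmac.compare_digest(expected, tag)
        self._inventory.audit_log.append(f"{'accepted' if ok else 'rejected'} {peer_id}")
        return ok


def admit(member: MeshMember, newcomer: JoiningMap) -> bool:
    """One direction of the exchange; the newcomer runs the same check back toward `member`."""
    c = member.challenge()
    nonce, tag = newcomer.answer(member.hw_id, c)
    return member.verify(newcomer.hw_id, c, nonce, tag)


if __name__ == "__main__":
    inventory = Inventory()
    secret_0001 = os.urandom(32)
    inventory.provision("MAP-0001", secret_0001)
    gateway = MeshMember("MAP-GW", inventory)
    print("provisioned node:", admit(gateway, JoiningMap("MAP-0001", secret_0001)))
    print("rogue AP:", admit(gateway, JoiningMap("ROGUE-AP", os.urandom(32))))
    print("\n".join(inventory.audit_log))
```

The check runs in both directions so that a newcomer also refuses to attach to a MAP it cannot verify, and the audit log is the record the IT manager reviews. A node whose chassis has been opened must be revoked, because an attacker who extracts its secret and clones its hardware ID would otherwise pass this check.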

Restricting user data

If a user sends data to another user on the same wireless mesh, it is most efficient to keep that traffic on the mesh. But this efficiency creates a security risk. A potential intruder could subscribe to the wireless network as an ordinary user. If this person then sends (or intercepts) traffic that never leaves the wireless network, that traffic bypasses the firewalls and other security elements in the wired network. To eliminate this risk, the IT manager must be able to set a policy that forces a user's data to exit the wireless network, through the wired security elements, before it is delivered to another client on the wireless network.

Network monitoring and security auditing

Once all of the security policies for a wireless mesh network are in place, the IT manager must turn to auditing them. Rogue APs and intruders are a fact of a wireless network's life, and the IT manager needs tools to detect and react to them. The high probability of physical attacks on MAPs in public areas means they must be monitored, and specific monitoring attributes are required. For example, the MAP must be able to alert the IT manager whenever its chassis is opened or its environmental status changes. An unauthorized intrusion into the MAP chassis can compromise the whole network's security, because the encryption keys and other security attributes stored in it are now exposed; the response should be to treat that node's keys as compromised and revoke its network credentials. Monitoring of all potential threats is key to securing the network.

The wireless mesh network faces a number of unique security threats, but they can be mitigated with the right security policies and tools capable of supporting those policies.

About the Author

Kirby Russell has over 20 years of experience in the networking business. At Strix Systems, Russell's role as Director of Product Marketing enables him to engage in all aspects of product development, marketing and sales, working with Strix's highly skilled team to introduce new, high-performance, resilient architectures to the market and to assist in successful deployments of municipal, metro, state and country-wide wireless mesh networks. Prior to his time at Strix, Russell worked for Lucent, Ascend Communications, Cisco Systems and Advanced Computer Communications.

 

About Strix Systems

Strix Systems was founded in 2000 by an industry-leading team of managers and engineers. Strix Systems entered the wireless network industry committed to designing and manufacturing the industry's most technically capable, resilient and future-proof carrier- and enterprise-class architectures supporting 100% reachability and 100% mobility.

The Strix Access/One family of products, protected by 10 U.S. and international patents, delivers the highest-performance wireless mesh network products on the market. Having garnered industry-respected installations and accolades, the Strix Outdoor Wireless System (OWS) provides the industry's only in-field modular and future-proof architecture supporting multi-radio, multi-channel and multi-RF mesh networking technologies. Strix OWS provides a significant advantage against the challenges of the outdoor environment, including obstructions, interference, distance and climate. It has been implemented across a broad range of applications, outdoor and indoor, for the metro, public safety, government, energy, transportation, hospitality, education, enterprise, residential and carrier access markets, providing total coverage for countries, cities, large rural areas, hot-zones and enterprise environments.
Copyright © 2010 Converge! Media Ventures, Inc.  All rights reserved.