Technology

Radio LANs or Wireless LANs (WLANs), based on the IEEE 802.11 standard defined by the Institute of Electrical and Electronics Engineers (IEEE), make it possible to build wireless local networks with little effort or to extend existing wired networks.

Because they are easy to install, wireless LANs are also used for temporary networks (at exhibitions, for example). Furthermore, companies can offer network access points, so-called hot spots, in public places like airports or train stations, giving mobile users a connection to the internet or to their home offices. However, security holes in this standard have been known since mid-2001, and they can lead to serious security problems. Careful planning and protection of the WLAN is therefore extremely important from the outset: it should be determined in which areas the WLAN can be received and who is able to "listen in".

The majority of the wireless LAN systems available at present are based on 802.11b, the enhancement of the 802.11 standard defined by the IEEE in 1999. The manufacturers' association WiFi Alliance (formerly WECA) documents compatibility with the 802.11b standard by awarding its WiFi certificate. Since 2003, frequencies in the 5 GHz range have been released, so systems of the 802.11a and 802.11h standards are being deployed as well. The IEEE 802.11g standard has also been adopted; it allows connections with higher bandwidth in the 2.4 GHz range.

Wireless LANs can be operated in two different architectures:

In ad-hoc mode, two or more mobile terminals equipped with a wireless LAN card (clients) communicate with each other directly.

In most cases, however, a WLAN is operated in infrastructure mode. Here the communication between clients passes through a central wireless bridge, the so-called access point. The connection to wired LAN segments is also made via the access point (see illustration below).

The infrastructure mode allows various application alternatives:

  • Using several access points, overlapping (radio) cells can be set up. This keeps the wireless connection alive when a client moves from one cell to the next ("roaming"), so area-wide coverage is possible. The range of a single cell depends heavily on the environmental conditions and lies between about 10 and 150 meters.
  • Two access points can be deployed as a bridge between two wired LANs. An access point can also be used as a relay station (repeater) to extend the coverage range.
  • With appropriate components (directional antennas) attached to the access point, a wireless LAN can also be used to connect separate sites.

According to manufacturers' specifications, ranges of several kilometers can be reached as well (with appropriate directional antennas). Access points can be deployed as repeaters or as bridges. The standard uses the term Independent Basic Service Set (IBSS) for wireless networks in ad-hoc mode and Basic Service Set (BSS) for infrastructure-mode configurations with a single access point. Several coupled BSSs are called an Extended Service Set (ESS); the coupling network is called the Distribution System (DS).

Wireless LAN systems following 802.11 and 802.11b are permitted in almost all European countries. Use of the ISM frequency band (Industrial, Scientific, Medical) between 2.4 and 2.48 GHz is free of charge and requires no further authorization. The transmitting power is restricted to a maximum of 100 mW EIRP (Effective Isotropic Radiated Power). Systems of the 802.11 standard transmit data at a rate of 1 or 2 Mbit/s using spread spectrum, either Frequency Hopping (FHSS) or Direct Sequence (DSSS). For the sake of completeness it should be mentioned that 802.11 also defines infrared transmission, which has remained largely insignificant so far.

In the 2.4 GHz range, 13 frequency channels with a spacing of 5 MHz are available for wireless transmission following the 802.11 standard. But with a signal bandwidth of about 22 MHz, at most 3 channels can be used at the same time without overlapping each other (e.g. channels 2, 7 and 12).

Apart from 802.11b systems, 802.11a and 802.11g systems are now available as well, and further standards (such as 802.11h) are near completion. All three standards define physical transmission techniques different from 802.11b in order to achieve higher transmission rates of up to 54 Mbit/s.

802.11g systems work in the same frequency range as 802.11b and provide 13 nominal channels. With a radio signal bandwidth of 20 or 22 MHz, at most 4 channels can be operated at the same time without disturbing or overlapping each other.

802.11a and future 802.11h systems work in the 5 GHz range. In the frequency ranges from 5.15 to 5.35 GHz and from 5.47 to 5.725 GHz, a total of 19 channels with a spacing of 20 MHz are usable. With a channel bandwidth of 20 MHz, even directly neighboring channels do not disturb each other.

The security mechanisms of all 802.11-compliant systems are defined in the 802.11 base standard. The enhancements a, b, g and h do not add security mechanisms; enhancement 802.11i is the first to define new ones. The security mechanisms defined in the 802.11 standard only protect the transmission path (radio link) between the clients and the access point. The standard does, however, leave room for proprietary enhancements.

All the security mechanisms of the 802.11 standard introduced below can be defeated and do not offer reliable protection for sensitive information:

  • Network Name (SSID)

    The standard offers the possibility of assigning a network name, the ESSID or SSID ([Extended] Service Set Identity). Two operating modes exist: if the user specifies the identifier "any", the wireless LAN component accepts any SSID; otherwise the entered name is checked and only stations with the same SSID can participate in the network. Where two neighboring (radio) cells overlap, the SSID helps to find the nearest access point. The SSID is sent over the air as plain text, so a potential attacker can easily find it out. Some access points offer the option of suppressing the SSID in their broadcasts, but this blanking of the SSID is not standard-compliant. Networks with a blanked SSID are often called "closed networks". avalaris urgently suggests that you use this option if it is available for the planned network.

  • MAC-address

    Every network interface card has a unique hardware address, the so-called MAC address (Media Access Control address). In principle, the MAC addresses allowed to communicate with an access point in a wireless LAN can be defined. The address lists, however, have to be maintained manually, which of course causes considerable additional effort; in many application scenarios this is not feasible. MAC address filtering is not part of the standard, but it is nevertheless standard-compliant because it does not affect the compatibility of the clients.

    Using a RADIUS server may bring relief. Many access points already support RADIUS servers, which administer the MAC addresses centrally.

  • User Authentication

    The RADIUS server can also administer the user data for authentication. Every user gets access to the wireless LAN, but only to the web page on which the user finally has to authenticate. Combined with the registration of MAC addresses, this variant guarantees the best protection against unauthorized access to the WLAN. One standard for this solution is 802.1X, which has been adopted by the WiFi Alliance. This anticipates the coming security standard for wireless LANs, 802.11i.

  • WEP-encryption, integrity protection and authentication

    Confidentiality, integrity and authenticity in wireless LANs are meant to be secured by the "Wired Equivalent Privacy" protocol (WEP). WEP is based on the stream cipher RC4. With RC4, plaintext is converted into ciphertext packet by packet, depending on a key and an initialization vector (IV). The key is a string of either 40 or 104 bits and has to be available in advance to the clients as well as to the access point; one common key is used for the whole wireless LAN. The IV is chosen by the sender and should be different for every transmitted data packet. It is prepended, unencrypted, to the encrypted data packet and transmitted over the wireless LAN. WEP is meant to secure the confidentiality and integrity of the transmitted data; in addition it has to authenticate the terminal (not the user!). This is realized as follows:

    • Confidentiality
      A pseudo-random bit stream is generated from the key and the IV. The ciphertext results from XOR-ing (exclusive or) the plaintext with this bit stream. The recipient recovers the plaintext by XOR-ing the ciphertext with the same bit stream.

    • Integrity
      For every transmitted data packet, a 32-bit CRC checksum is calculated. The data packet is then encrypted together with the appended checksum.

    • Authentication
      For WEP, one can choose between two authentication modes: "open" (without any authentication) and "shared key". In shared key mode a so-called challenge-response procedure is carried out: the access point generates 128 random bytes and sends them unencrypted in a data packet to the client (challenge). The client encrypts the data packet and sends it back to the access point (response). The client has authenticated itself successfully if the access point can decrypt the response and recover the challenge. The authentication is one-sided only; the access point does not have to authenticate itself to the clients. The same key is used for encrypting the user data as for the authentication.

  • WEP encryption has meanwhile been cracked several times and no longer offers (much) security. Still, activating WEP is highly recommended: every door can be cracked, but locking it is still a good security measure. With a key length of 152 bits, as is offered nowadays, and a regular change of the WEP key (at least once a week), considerable effort is necessary to break through "the door", and a regularly changed key requires that effort anew every week.
