Entire site and all contents except otherwise noted © Copyright 2001-2010 by Glenn Fleishman. Some images ©2006 Jupiterimages Corporation. All rights reserved. Please contact us for reprint rights. Linking is, of course, free and encouraged.

March 20, 2007

Metro-Scale Networks Seem to Have Security Act Together

The largest metro-scale Wi-Fi service providers are engaged in safe behavior: Over the last three years, I have heard the bugbear of metro-scale network security raised a number of times. People used to broadband or dial-up connections would fail to take the proper precautions--or be totally unaware of them--and shoot their personal data hither and yon, allowing sniffers and crackers to take advantage of their poor protection. (Update: This article was updated April 11 with new information provided by Kite Networks.)

Of special concern were the link from a user to a nearby Wi-Fi node, and among Wi-Fi nodes that might aggregate hundreds of users' data.

That's a generalized set of fears, and AirDefense, a firm that specializes in providing Wi-Fi monitoring and protection against rogues, crackers, and careless employees, provided me with a more specific list. Richard Rushing, the firm's chief security officer, said that he was concerned that the headlong rush into metro-scale networks without specific security requirements baked into the requests for proposals (RFPs) issued by cities, counties, and other entities might lead to security holes that could be readily exploited.

Rushing said that the edge of the network, the individual Wi-Fi node to which users connect, could be particularly vulnerable to a host of well-known attacks, including DNS (domain name system) poisoning, DHCP poisoning, evil twins, cross-VLAN sniffing, and denial of service (DoS). (Those attacks are, respectively, pushing out bad DNS information to redirect users to malicious sites, pushing out bad addresses to take control of some parts of IP networking, putting up fake access points named the same as the legitimate network, breaking the virtual LAN information segregation to see data that was intended to be private, and flooding or otherwise damaging radio frequency or network space to prevent legitimate use of a network.)

I should emphasize that Rushing wasn't engaged in fear-mongering. He's not engaged in a campaign to bad mouth metro-scale networks, nor does AirDefense (yet) have a specific product that would target the service operators in that field. In fact, most of the hardware vendors have various tools already built into their management systems that provide some monitoring of various kinds--nothing as extensive as AirDefense or its competitors, of course, and we'll see an increasing number of partnerships as large-scale networks are built. (AirDefense has partnerships with Motorola and Nortel, for instance.)

These are all reasonable concerns, and I asked the three most extensively deployed domestic metro-scale service providers for information on their architecture and how they cope and plan to cope with these problems. EarthLink and MetroFi agreed to talk; Kite Networks (the current name for NeoReach's municipal efforts in Arizona and elsewhere) didn't respond to a request, but later provided details of their network operations. (This article was updated to include that information from Kite.)

Rushing said, "You can't guarantee security unless you backhaul it all the way back," meaning that if the edge of a network has any ability to communicate among devices at the edge, then there's risk. It turns out that EarthLink and MetroFi agree with this philosophy: there's little risk at the edge in their view because the edge barely exists.

There are a few different issues involved, and let me walk through each of them in turn.


The Local Link

The local link is the connection that runs from a computer or other device to a network hub. With Wi-Fi, that's a link between the Wi-Fi radio in a computer or handheld or phone, and the Wi-Fi access point to which the device associates and exchanges data.

The local link can be secured with some form of baked-in Wi-Fi encryption. These days, that means WPA/WPA2 Enterprise, which lets users log into a network and lets the system assign a uniquely generated encryption key to each user's device. With WPA/WPA2 Enterprise, the wireless layer isn't exposed to hacking because there's no good way for a cracker to sniff traffic in the air. (This flavor is a subset of 802.1X, a method of port-based authentication that restricts network access until approval is given by an authentication server on the private side of the access point or Ethernet switch.)

EarthLink is using this standard to secure its network for all users (with some exceptions I'll note). MetroFi will offer it for premium users, those paying for service, but doesn't plan to include it in their free, ad-supported version at the moment. Kite plans to offer 802.1X as an add-on in the future.

In EarthLink's case, customers can use existing client software--what's called a supplicant--using any of the several popular flavors and combinations of WPA/WPA2 Enterprise. Jeb Linton, EarthLink Municipal Networks' chief architect, said that the company offers "a supplicant available for download for anyone." They pay a licensing fee to distribute what's known as an EAP-TTLS client. They support the more popular PEAP client built into Windows XP and other Windows platforms. Mac OS X offers both (and other) flavors since version 10.3. Linton said that EarthLink's downloadable software would be simpler to configure than either operating system's built-in support, however.

Walk-up customers to EarthLink's networks can use a standard gateway page that doesn't encrypt the local link, but they can also opt to install the supplicant.

The next step for EarthLink is ensuring that bridges and non-computing devices can authenticate easily, too. The company has spoken with many device makers about this. "We've had conversations about making it a smooth, easy user setup experience," Linton said. All the bridges (CPEs, or customer premises equipment) that EarthLink resells include a supplicant. The PepLink bridge they offer uses a simple configuration wizard in which your network user name and password are entered, and the bridge handles the rest.

He expects more devices within a period of months to a year "that can connect in the secure mode without requiring the user to really jump through a lot of hoops." MetroFi's CEO Chuck Haas said, "It's a lot easier today than it was three years ago. Mere mortals can get it working, and have gotten it working." Kite has chosen to preconfigure its CPEs with a WPA2 Personal encryption key that requires no configuration by the user.

Haas said that MetroFi doesn't emphasize this layer of security because the company deployed it quite early in 2003 and 2004 in Santa Clara and Cupertino, their two early networks. "The feedback we got from customers was that it was too hard to access. And they wanted an open network that was easy to access," Haas said. For MetroFi's free users, too, the company wants the technical support calls to be few to keep the cost structure working.

MetroFi recommends people keep virus software up-to-date, run at least the Windows firewall, and make sure to only use SSL/TLS-protected Web sites when passing personal or financial information, which is sound advice on any network. I'd add that people could consider a personal VPN (virtual private network) connection offered on a subscription basis by several firms, including JiWire and WiTopia. (Disclosure: I have an exceedingly small stake in JiWire.)

So far, EarthLink, MetroFi, and Kite have no plans to offer a personal VPN. "Users that have more secure applications or are more security sensitive, we help them and guide them through that process," said Haas. Linton said that its retail ISP partners that resell access might offer VPN services for niche audiences. Bobby Lloyd, Kite's vice president in charge of operations, wrote via email that "we try to offer differing levels of security so that each subscriber can weigh their needs against complexity and price."

Linton noted that he would like to see open networks disappear entirely, but that doesn't mean he wants all networks to require a fee or be hard to access. Rather, he'd like to take advantage of a subtle part of WPA/WPA2 Enterprise. Every user of an open network could connect with the same credentials or login information--leaving the network "open"--while still providing each user with a unique encryption key. It's a neat idea, but it requires the supplicant configuration process to become simpler in operating systems, perhaps with some measure of automatic configuration.
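The mechanism behind the "same login, unique key" idea above, as an added example (not code from the article or from any of the providers it quotes): the IEEE 802.11i key derivation that turns a PMK plus the AP and station MAC addresses and the two handshake nonces into a per-station pairwise key. The PMK, MAC addresses and nonces below are constructed values, and the function names are this example's own.

```python
import hashlib
import hmac


def prf_80211i(key: bytes, label: bytes, data: bytes, bits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until `bits` bits are available, then truncate."""
    out = b""
    i = 0
    while len(out) * 8 < bits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key for CCMP (384 bits) from the 4-way handshake inputs:
    the PMK, the AP (AA) and station (SPA) MAC addresses and both nonces.
    The min/max ordering makes the result independent of which side is listed first."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_80211i(pmk, b"Pairwise key expansion", data, 384)


def split_ptk(ptk: bytes) -> dict:
    """KCK (handshake MIC key), KEK (key-wrap key) and TK (the CCMP data key)."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def demo() -> dict:
    # One access point and two stations that all share the SAME PMK. This is the
    # worst case: WPA2 Personal with a common passphrase, or everyone logging in
    # with identical credentials. Even then each station ends up with its own TK,
    # because its MAC address and its nonce enter the derivation.
    pmk = hashlib.sha256(b"constructed shared PMK").digest()   # constructed, 32 bytes
    ap = bytes.fromhex("02aa000000a1")                          # constructed AP MAC
    sta1 = bytes.fromhex("02bb000000b1")                        # constructed station MACs
    sta2 = bytes.fromhex("02bb000000b2")
    anonce = hashlib.sha256(b"constructed anonce").digest()     # constructed 32-byte nonces
    sn1 = hashlib.sha256(b"constructed snonce 1").digest()
    sn2 = hashlib.sha256(b"constructed snonce 2").digest()

    tk1 = split_ptk(derive_ptk(pmk, ap, sta1, anonce, sn1))["TK"]
    tk2 = split_ptk(derive_ptk(pmk, ap, sta2, anonce, sn2))["TK"]
    return {"tk1": tk1.hex(), "tk2": tk2.hex(), "unique": tk1 != tk2}
```

The caveat this makes visible: with a shared PMK, anyone who holds the passphrase and captures a station's handshake can recompute that station's key, so per-station keys alone do not isolate users; under WPA/WPA2 Enterprise the PMK itself comes out of each user's EAP session, which is what closes that gap.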

The Edge Node

All three service providers avoid the trap of local attacks by not allowing any broadcast traffic among Wi-Fi devices attached to the edge nodes. They also disable any peer-to-peer connections. EarthLink says that they use intrusion-detection monitoring to watch for denial of service and other edge problems. Data goes from the edge to the network operation center where it heads back out to the Internet or another part of the metro network.

They also monitor edge behavior. "Once we characterize things, we have a set of people that sort of watch the traffic and see how it gets characterized by the DPI [deep packet inspection] system so they can determine whether people are abusing the network," EarthLink's Linton said. "Frankly, to date, there's been virtually nothing that alarms us."

MetroFi's Haas said, "We have Cisco gear that detects viruses and other standard core Cisco networking security--denial of service attacks, those kind of security problems that are coming from the Internet." They can also detect if a machine has "a virus and is spewing port scans, or whatever--we can detect that on a MAC address [unique adapter identifier] basis and turn that user off, and send them a notification that they have a problem." Like EarthLink, Haas said, "It hasn't been a big problem for us." Kite filters edge traffic by routing it back to their network core to omit "malicious behavior" before routing it back out to the network edge.

Unauthorized jumping among VLANs isn't possible in EarthLink's system, Linton said, because they deploy different credentials, authentication servers, and IP ranges for each virtual network. Users can't simply change an IP address, because the addresses are associated with the VLAN and rejected unless the user has authenticated to the correct network. MetroFi's VLAN separation employs similar methods to ensure that data is encrypted on each municipal VLAN and segregated.

One problem with eliminating local traffic on an edge node is that bandwidth is restricted to half the greatest available throughput on that edge for traffic among peers: two people sitting side by side wanting to exchange a file over the municipal network might see as little as 512 Kbps on a network that could achieve 1 Mbps on that edge node, half coming and half going. (In some cases, each would see 1 Mbps if throttling were in place on a per client basis instead of a limitation in real network throughput at that edge node.) Even Bluetooth 2.0 would be faster!

In that "edge" case, users might be advised to create a Wi-Fi ad hoc network to exchange the file, or use a Wi-Fi bridge to create a local WLAN among themselves that backhauls Internet traffic to the edge node. A separate Wi-Fi card coupled with built-in Wi-Fi in a laptop can provide that option, too.

This edge restriction also prevents the full wireless LAN speed from being employed for media servers or other devices that could be tied in for large downloads or streaming services. However, MetroFi's Haas thinks it's unlikely that WLAN servers would be in demand compared to edge-to-Internet streaming. "With this bandwidth and the move to richer content, the direction I see is more of streaming real-time video content using this bandwidth rather than trying to guess what content people are going to want and store at the edge," he said. "To me, multicast and following some of the proof points that exist today--which is radio and TV--on these high-bandwidth local networks seems to me to be a logical direction to take."

Linton noted that some edge WLAN traffic could be possible if policies could be pushed to the edge, something that's common in enterprises in which information technology managers can control the entire set of devices and users.

Node-to-Node

MetroFi, Kite, and EarthLink all stated succinctly that intra-node traffic is secured using strong encryption. Node-to-node encryption is a standard part of all metro-scale hardware. MetroFi's SkyPilot gear uses AES-128 among nodes. "That part of the data path is totally secure," Haas said. Likewise, the Tropos gear used by EarthLink does the same on the mesh Wi-Fi part of the network. Kite's Strix routers encrypt node to node but also authenticate themselves to other nodes and to the backbone network. (EarthLink backhauls mesh clusters via broadband wireless equipment from Motorola that's got its own set of protocols and security.)

The Conclusion: Surprisingly Safe

Given that EarthLink plans no free access of its own--Google will purchase EarthLink bandwidth to give away in San Francisco--both EarthLink and MetroFi are pursuing a similar course for paid customers. Because all three firms have municipal customers, they all have to employ strong VLAN protection and distinct separate virtual Wi-Fi networks with separate and strong encryption.

In the short run, I don't see any smoking guns of security, but it's always reassuring to know that the first networks that are being rolled out in bigger cities have an architecture designed to support the most robust forms of Wi-Fi encryption, and the option or requirement to deploy them.

EarthLink is perfectly happy that the issue of security is being raised, perhaps because they have the strongest baseline measures in place of any company I'm aware of. "I'm really glad that this is getting the attention that it deserves," said EarthLink's Linton.

2 Comments

According to this story, the local link for MetroFi is unencrypted for free (ad-supported) users and there is no plan to change. I would imagine most of these users will not be using personal VPN software, so much of their Internet activity will be available for sniffing, enabling another local person to be reading their email, etc. I understand there are ways for the user to prevent this, but again most people will either not know about them or will not bother figuring out the details. I guess this is considered a privacy issue and not a security issue?

[Editor's note: MetroFi is offering some education, and when you use SSL/TLS-protected sites, like a bank or ecommerce site, you don't need additional encryption, typically. (There are lots of provisos to that statement.)

I would hope that more ISPs would offer SSL/TLS email connections, as almost all email software can now use SSL/TLS for an encrypted connection when the user checks a box and optionally has to fill in a port number. Securing email would secure most of the potential privacy and security risk. -gf]

Brian,
Maybe the most misleading aspect of this wireless "security" is that the people should address it as "privacy" instead. In fact, WPA stands for "Wi-Fi Protected Access", which can be interpreted as something that can protect your privacy or to protect you from security threats... misleading indeed.
An average Joe does not care about the security. He believes security is something related to banks and credit cards. But ask him if he cares about privacy and he will tell you that he wants it.
That's the idea IMO that has to be advertised.