The largest metro-scale Wi-Fi service providers are engaged in safe behavior: Over the last three years, I have heard the bugbear of metro-scale network security raised a number of times. People used to broadband or dial-up connections would fail to take the proper precautions--or be totally unaware of them--and shoot their personal data hither and yon, allowing sniffers and crackers to take advantage of their poor protection. (Update: This article was updated April 11 with new information provided by Kite Networks.)
Of special concern were the link from a user to a nearby Wi-Fi node, and among Wi-Fi nodes that might aggregate hundreds of users' data.
That's a generalized set of fears, and AirDefense, a firm that specializes in providing Wi-Fi monitoring and protection against rogues, crackers, and careless employees, provided me with a more specific list. Richard Rushing, the firm's chief security officer, said that he was concerned that the headlong rush into metro-scale networks without specific security requirements baked into the requests for proposals (RFPs) issued by cities, counties, and other entities might lead to security holes that could be readily exploited.
Rushing said that the edge of the network, the individual Wi-Fi node to which users connect, could be particularly vulnerable to a host of well-known attacks, including DNS (domain name system) poisoning, DHCP poisoning, evil twins, cross-VLAN sniffing, and denial of service (DoS). (Those attacks are, respectively, pushing out bad DNS information to redirect users to malicious sites, pushing out bad addresses to take control of some parts of IP networking, putting up fake access points named the same as the legitimate network, breaking the virtual LAN information segregation to see data that was intended to be private, and flooding or otherwise damaging radio frequency or network space to prevent legitimate use of a network.)
I should emphasize that Rushing wasn't engaged in fear-mongering. He's not engaged in a campaign to bad mouth metro-scale networks, nor does AirDefense (yet) have a specific product that would target the service operators in that field. In fact, most of the hardware vendors have various tools already built into their management systems that provide some monitoring of various kinds--nothing as extensive as AirDefense or its competitors, of course, and we'll see an increasing number of partnerships as large-scale networks are built. (AirDefense has partnerships with Motorola and Nortel, for instance.)
These are all reasonable concerns, and I asked the three most extensively deployed domestic metro-scale service providers for information on their architecture and how they cope and plan to cope with these problems. EarthLink and MetroFi agreed to talk; Kite Networks (the current name for NeoReach's municipal efforts in Arizona and elsewhere) didn't respond to a request, but later provided details of their network operations. (This article was updated to include that information from Kite.)
Rushing said, "You can't guarantee security unless you backhaul it all the way back," meaning that if the edge of a network has any ability for communicate among devices at the edge, then there's risk. It turns out that EarthLink and MetroFi agree with this philosophy: there's little risk at the edge in their view because the edge barely exists.
There are a few different issues involved, and let me walk through each of them in turn.
More after the jump...
The Local Link
The local link is the connection that runs from a computer or other device to a network hub. With Wi-Fi, that's a link between the Wi-Fi radio in a computer or handheld or phone, and the Wi-Fi access point to which the device associates and exchanges data.
The local link can be secured with some form of baked-in Wi-Fi encryption. These days, that means WPA/WPA2 Enterprise, which allow users to log into a network, and which allows the system to assign a uniquely generated encryption key for the user's device. With WPA/WPA2 Enterprise, the wireless layer isn't exposed to hacking because there's no good way for a cracker to sniff traffic in the air. (This flavor is a subset of 802.1X, a method of port-based authentication that restricts network access until approval is given by an authentication server on the private side of the access point or Ethernet switch.)
EarthLink is using this standard to secure its network for all users (with some exceptions I'll note). MetroFi will offer it for premium users, those paying for service, but doesn't plan to include it in their free, ad-supported version at the moment. Kite plans to offer 802.1X as an add-on in the future.
In EarthLink's case, customers can use existing client software--what's called a supplicant--using any of the several popular flavors and combinations of WPA/WPA2 Enterprise. Jeb Linton, EarthLink Municipal Networks's chief architect said that the company offers "a supplicant available for download for anyone." They pay a licensing fee to distribute what's known as an EAP-TTLS client. They support the more popular PEAP client built into Windows XP and other Windows platforms. Mac OS X offers both (and other) flavors since version 10.3. Linton said that EarthLink's downloadable software would be simpler to configure than either operating systems' built-in support, however.
Walk-up customers to EarthLink's networks can use a standard gateway page that doesn't encrypt the local link, but they can also opt to install the supplicant.
The next step for EarthLink is ensuring that bridges and non-computing devices can authenticate easily, too. The company has spoken with many device makers about this. "We've had conversations about making it a smooth, easy user setup experience," Linton said. All the bridges (CPEs or customer premises equipment) that EarthLink resells includes a supplicant. The PepLink bridge they offer uses a simple configuration wizard in which your network user name and password are entered, and the bridge handles the rest.
He expects more devices within a period of months to a year "that can connect in the secure mode without requiring the user to really jump through a lot of hoops." MetroFi's CEO Chuck Haas said, "It's a lot easier today than it was three years ago. Mere mortals can get it working, and have gotten it working." Kite has chosen to preconfigure its CPEs with a WPA2 Personal encryption key that requires no configuration by the user.
Haas said that MetroFi doesn't emphasize this layer of security because the company deployed it quite early in 2003 and 2004 in Santa Clara and Cupertino, their two early networks. "The feedback we got from customers was that it was too hard to access. And they wanted an open network that was easy to access," Haas said. For MetroFi's free users, too, the company wants the technical support calls to be few to keep the cost structure working.
MetroFi recommends people keep virus software up-to-date, run at least Windows firewall, and make sure to only use SSL/TLS protected Web sites when passing personal or financial information, which is sound advice on any network. I'd add to that that people could consider a personal VPN (virtual private network) connection offered on a subscription basis by several firms, including JiWire and WiTopia. (Disclosure: I have an exceedingly small stake in JiWire.)
So far, EarthLink, MetroFi, and Kite have no plans to offer a personal VPN. "Users that have more secure applications or are more security sensitivity, we help them and guide them through that process," said Haas. Linton said that its retail ISP partners that resell access might offer VPN services for niche audiences. Bobby Lloyd, Kite's vice president in charge of operations wrote via email that "we try to offer differing levels of security so that each subscriber can weigh their needs against complexity and price."
Linton noted that he would like to see open networks disappear entirely, but that doesn't mean he wants all networks to require a fee or be hard to access. Rather, he'd like to take advantage of a subtle part of WPA/WPA2 Enterprise. Every user of an open network could connect with the same credentials or login information--leaving the network "open"--while still providing each user with a unique encryption key. It's a neat idea, but it requires the supplicant configuration process to become simpler in operating systems, perhaps with some measure of automatic configuration.
The Edge Node
All three service providers avoid the trap of local attacks by not allowing any broadcast traffic among Wi-Fi devices attached to the edge nodes. They also disable any peer-to-peer connections. EarthLink says that they use intrusion-detection monitoring to watch for denial of service and other edge problems. Data goes from the edge to the network operation center where it heads back out to the Internet or another part of the metro network.
They also monitor edge behavior. "Once we characterize things, we have a set of people that sort of watch the traffic and see how it gets characterized by the DPI [deep packet inspection] system so they can determine whether people are abusing the network," EarthLink's Linton said. "Frankly, to date, there's been virtually nothing that alarms us."
MetroFi's Haas said, "We have Cisco gear that detects viruses and other standard core Cisco networking security--denial of service attacks, those kind of security problems that are coming from the Internet." They can also detect if a machine has "a virus and is spewing port scans, or whatever--we can detect that on a MAC address [unique adapter identifier] basis and turn that user off, and send them a notification that they have a problem." Like EarthLink, Haas said, "It hasn't been a big problem for us." Kite filters edge traffic by routing it back to their network core to omit "malicious behavior" before routing it back out to the network edge.
Unauthorized jumping among VLANs isn't possible in EarthLink system, Linton said, because they deploy different credentials, authentication servers, and IP ranges for each virtual network. Users can't simply change an IP address, because the addresses are associated with the VLAN and rejected unless the user has authenticated to the correct network. MetroFi's VLAN separation employs similar methods to ensure that data is encrypted on each municipal VLAN and segregated.
One problem with eliminating local traffic on an edge node is that bandwidth is restricted to half the greatest available throughput on that edge for traffic among peers: two people sitting side by side wanting to exchange a file over the municipal network might see as little as 512 Kbps on a network that could achieve 1 Mbps on that edge node, half coming and half going. (In some cases, each would see 1 Mbps if throttling were in place on a per client basis instead of a limitation in real network throughput at that edge node.) Even Bluetooth 2.0 would be faster!
In that "edge" case, users might be advised to create a Wi-Fi ad hoc network to exchange the file, or use a Wi-Fi bridge to create a local WLAN among themselves that backhauls Internet traffic to the edge node. A separate Wi-Fi card coupled with built-in Wi-Fi in a laptop can provide that option, too.
This edge restriction also prevents the full wireless LAN speed from being employed for media servers or other devices that could be tied in for large downloads or streaming services. However, MetroFi's Haas thinks it's unlikely that WLAN servers would be in demand compared to edge-to-Internet streaming. "With this bandwidth and the move to richer content, the direction I see is more of streaming real-time video content using this bandwidth rather than trying to guess what content people are going to want and store at the edge," he said. "To me, multicast and following some of the proof points that exist today--which is radio and TV--on these high-bandwidth local networks seems to me to be a logical direction to take."
Linton noted that some edge WLAN traffic could be possible if policies could be pushed to the edge, something that's common in enterprises in which information technology managers can control the entire set of devices and users.
MetroFi, Kite, and EarthLink all stated succinctly that intra-node traffic is secured using strong encryption. Node-to-node encryption is a standard part of all metro-scale hardware. MetroFi's SkyPilot gear uses AES-128 among nodes. "That part of the data path is totally secure," Haas said. Likewise, the Tropos gear used by EarthLink does the same on the mesh Wi-Fi part of the network. Kite's Strix routers encrypt node to node but also authenticate themselves to other nodes and to the backbone network. (EarthLink backhauls mesh clusters via broadband wireless equipment from Motorola that's got its own set of protocols and security.)
The Conclusion: Surprisingly Safe
Given that EarthLink plans no free access of its own--Google will purchase EarthLink bandwidth to give away in San Francisco--both EarthLink and MetroFi are pursuing a similar course for paid customers. Because all three firms have municipal customers, they all have to employ strong VLAN protection and distinct separate virtual Wi-Fi networks with separate and strong encryption.
In the short run, I don't see any smoking guns of security, but it's always reassuring to know that the first networks that are being rolled out in bigger cities have an architecture designed to support the most robust forms of Wi-Fi encryption, and the option or requirement to deploy them.
EarthLink is perfectly happy that the issue of security is being raised, perhaps because they have the strongest baseline measures in place of any company I'm aware of. "I'm really glad that this is getting the attention that it deserves," said EarthLink's Linton.