Wireless networking has been working its way into the mainstream corporate environment for several years. A variety of technologies have been tried out by the market, with several being kicked to the curb. (Does anybody remember HomeRF?) To date, the three technologies still in production are 802.11a, 802.11b, and 802.11g.
While 802.11a is slowly fading into obsolescence, there are a lot of similarities between 802.11g and 802.11b, which should not be a surprise since they're intended to be compatible. However, each technology has vastly different security implementations, which should make security-conscious network administrators take notice. This article will point out some of the similarities of each technology and then describe how insecure the older 802.11b can be.
Table A shows you the broadcast specifications of 802.11b and 802.11g.
As you can see, they're nearly identical. I highlighted channels 1, 6, and 11 because using them is the only way to get three access points in the same vicinity without having signal overlap, which is why they are considered "the" non-overlapping channels. Now let's move on to the differences as shown in Table B.
802.11b uses direct-sequence spread spectrum (DSSS) transmissions that send data out redundantly over a wider frequency band than necessary, along with a chipping code that is used to reconstruct any data that gets lost in translation. It basically spreads data out over a wider signal to provide redundancy in a kind of reverse compression. The 802.11b signals are modulated using complementary code keying (CCK) to compress data using a series of compression keys broadcast during the preamble portion of each transmission. (For convenience, CCK will be used from here out to refer to the combination of DSSS and CCK.)
Orthogonal frequency division modulation (OFDM) breaks data into multiple sections and sends it simultaneously down a series of subcarrier frequencies. It is also known as discrete multi-tone modulation (DMT) because it uses multiple discrete tones, each modulated to carry information. OFDM is used on ADSL and 802.11a, so it's already a mature technology.
OFDM has a distinct advantage over CCK because it adapts to interference in specific frequency ranges by disabling or reducing the data rate of the subcarriers affected. The amount of bandwidth allocated to send or receive can be varied by reallocating the subcarriers according to the current need, making it more flexible. The OFDM system also includes features to help minimize the effect of signal reflection.
Furthermore, CCK requires more network overhead than OFDM to provide the decompression keys. Enabling 802.11b on an 802.11g network will cause a general performance drop. For purposes of backwards compatibility, all initial 802.11g network transmissions are sent using CCK. Additional bits of information are used to let the 802.11g devices know if they can switch to OFDM.
Wireless security concerns
802.11b is secured through the wireless equivalent privacy (WEP) on the transmission level, failing to broadcast the service set identifier (or SSID) beacon. It also limited access to clients with only known unique media access control (MAC) addresses on the access points.
MAC address filtering was at best a half-measure of security. The most it could do was prevent attackers from invading your network, since it had no impact on their ability to listen in. MAC filtering quickly becomes ineffective because a multitude of products had the capability to change MAC addresses with software dynamically. Known as MAC address cloning, it's a feature on many products sold today because the majority of broadband service providers use MAC address filtering, and it's easier to clone the old MAC than to get the service provider to update its system.
The "security through obscurity" approach of disabling the SSID broadcast proved to be no more than a speed bump to the casual sniffer. While many of the original drivers would only identify a network by the SSID beacons, it was a simple matter to identify nearby networks because the unencrypted portion of all data packets transmitted includes the destination SSID. There are many tools available that will pull the SSIDs from any transmissions nearby so only a completely inactive network will remain hidden, and what's the point of a wireless network that isn't being used?
Finally we come to the primary defense, WEP. The 802.11b spec allowed for two tiers of WEP encryption, and many early products only had the lower one. This "standard security" WEP had 40-bit keys using RC4 encryption, which was at the time considered weak. Then products advertising 64-bit WEP showed up; however, this was marketing-speak for 40 bits of encrypted data plus 24 bits of unencrypted data, which is still only 40-bit encryption. The high security 128-bit WEP encryption that is widely in use today is only 104 bits of encrypted data and still 16 million times easier to break than a real 128-bit encryption. Thus, anyone with a reasonably powerful computer can crack the keys in a few hours with brute force.
But that is all moot because defeating WEP doesn't require computation power, just an inexpensive hard drive. WEP reused pads, or the numbers used in the encryption sequence. By gathering enough data, about 15 GB worth, one will possess every pad in use and can decrypt any and all transmissions at will. Depending on network activity, this could take as little as an hour to get your pad dictionary assembled.
Here's a little bedtime reading on the security of WEP. However, if your network relies solely on WEP, you might not get a good night's sleep after you read these:
Future security now
802.11g was supposed to incorporate the 802.1i wireless security protocol, but 802.1i has been, is being, and will be debated for months to come. The 802.11g specification requires future upgrades to include 802.1i when it finally appears. Several interim security tools have been incorporated into 802.11g and, through the magic of revised standards, 802.11b. The IEEE has extended the 802.11b standard to incorporate these present and future security tools wherever possible.
802.11g includes WEP for backwards compatibility with older 802.11b networks, but recommends Wi-Fi Protected Access (WPA). WPA is based on the 802.1X network authentication protocols, supports the advanced encryption standard (AES), has a message integrity code (MIC, or Michael to some) to verify packets, and a new temporal key integrity protocol (TKIP) to manage WEP keys.
802.1X provides the extensible authentication protocol (EAP) to manage client access to networks. EAP is not a security system itself, but is a framework of authentication schemas using remote authentication dial-in user services (RADIUS) protocols to authenticate clients and distribute keys. Some variants of EAP are:
- LEAP – Username/password-based authentication developed by Cisco.
- TLS – Authentication via an X.509 certificate.
- TTLS – A variant of TLS using a server certificate and a client username/password.
- PEAP – Protected EAP secures the user authentication phrases but requires server certificates.
- SPEKE – This also protects user identity but does not require server certificates.
- PSK – Small networks without a RADIUS server can use pre-shared keys, analogous to standard WEP configurations.
The most common implementations of EAP are LEAP and PSK. PSK is the typical home network solution, with LEAP for the enterprise. A variant of LEAP is available on some access points that have the ability to store users and passwords, which is an excellent solution for smaller offices that cannot justify the expense of a RADIUS server, but want more flexibility and security than pre-shared keys.
TKIP rotates the security pads with each packet to prevent an attacker from building a dictionary of the encryption keys, but it requires more processing power from the client. Additionally, the pad used to create the initial key was increased from 24-bits to 48-bits, increasing the number of keys by a factor of more than 16 million.
AES is a much more secure encryption algorithm than RC4. Unfortunately, adding support for AES is not possible through a firmware upgrade, so it cannot be added to older 802.11b devices. To enable it, you'll need all your devices to support it, which will alienate older hardware.
Michael is a simple checksum that verifies the data received is the data transmitted by making sure a certain portion of data in each packet matches a certain mathematical formula. It is an old but effective technique useful in an unreliable network.
Potential 802.11b/g wireless problems
There are problems in wireless land despite the designed compatibility between 802.11b and 802.11g. Some problems are temporary, but some are configuration issues you should be prepared to encounter.
A potential source of irritation is that the 802.11 specification allows for a long 128-bit preamble and a short 56-bit preamble. While the 802.11g spec requires all devices to support both, the 802.11b makes support for the short preamble optional. If an 802.11g base station uses short preambles to cut down network overhead and increase bandwidth, but still lets a non-compliant 802.11b client associate, you end up with a case of the 802.11b client unable to communicate and jamming the network for the 802.11g users.
Another backwards compatibility snag is security. 802.11b clients more than a few months old are not likely to have WPA. Some 802.11b clients support WPA with a firmware upgrade, but not all manufacturers or models have the upgrades available.
802.11b WPA firmware driver upgrades:
Then there are the problems caused by the devices that hit the market six months before the 802.11g specification was ratified. There are differences in the network control messages (a.k.a. RTS, CTS, ACK, etc.) and signal timings between the draft specifications and the final specification—meaning that draft devices on a final network can create interference, reducing the overall network performance if they work at all.
Some of the 802.11g transfer rates are optional. This wouldn't be a problem except that depending on the draft revision, the mechanism used by clients to set the speed changed. This means that some of the draft devices may not operate at all speeds. While it has little impact on other devices, it means the draft device may operate slower than it could.
Additionally, there are some access points that do not always broadcast their RTS and CTS signals using CCK and instead use the much faster OFDM once an 802.11g client appears. This ends up being a double whammy because it not only disconnects the 802.11b client from the network, but as the 802.11b client keeps trying to connect, it creates interference for the 802.11g clients.
The short answer is that you should make sure every 802.11g device you purchase supports the final, ratified June 2003 version of the 802.11g specification; your access points are in proper compatibility mode with long preambles if you intend to have 802.11b clients; and you upgrade or replace 802.11b clients that do not support WPA.
Wireless networks fill a distinct void in the networking world, and that is mobility. Network speed is really a secondary concern compared to the convenience and flexibility that comes in breaking the Ethernet cable. Optimize your network as best you can, but I recommend erring on the side of convenience. Squeezing out an extra megabit of bandwidth isn't worth creating a barrier to access. The goal is to have connection in hard-to-reach places, not making a wireless connection hard to reach. Now go forth and network.