Wireless networking has been working its way into the
mainstream corporate environment for several years. A variety of technologies
have been tried out by the market, with several being kicked to the curb. (Does
anybody remember HomeRF?) To date, the three technologies still in production
are 802.11a, 802.11b, and 802.11g.

While 802.11a is slowly fading into obsolescence, there are
a lot of similarities between 802.11g and 802.11b, which should not be a
surprise since they’re intended to be compatible. However, each technology has
vastly different security implementations, which should make security-conscious
network administrators take notice. This article will point out some of the
similarities of each technology and then describe how insecure the older 802.11b
can be.

Broadcast specifications

Table A shows you
the broadcast specifications of 802.11b and 802.11g.

Table A

Channel
Number
Notes
Frequency
(MHz)

Maximum
Power
Level with Antenna
Gain of:

Lower
Upper
0-13.5
dBi
21
dBi
1 indoor 2401 2423 100 20
2 indoor 2406 2428 100 20
3 indoor 2411 2433 100 20
4 indoor 2416 2438 100 20
5 indoor 2424 2443 100 20
6 indoor 2426 2448 100 20
7 indoor 2431 2453 100 20
8 indoor 2436 2458 100 20
9 indoor 2441 2463 100 20
10 indoor 2446 2468 100 20
11 indoor 2451 2473 100 20
N/A   2456 2478    
N/A   2461 2483    
N/A   2473 2495    
     N/A:
Not used in the US
Green Highlight: Non-overlapping channels

As you can see, they’re nearly identical. I highlighted
channels 1, 6, and 11 because using them is the only way to get three access
points in the same vicinity without having signal overlap, which is why they
are considered “the” non-overlapping channels. Now let’s move on to
the differences as shown in Table B.

Table B

  Transmission/
Modulation
Speeds
Supported
Security
802.11b DSSS/CCK 1, 2,
5.5, 11
WEP,
MAC filtering,
SSID hiding
802.11g DSSS/CCK, DSSS/OFDM 1, 2,
5.5, 11,
6, 9, 12, 18, 24, 36, 48, 54
WPA,
WEP, MAC
filtering, EAP

802.11b uses direct-sequence spread spectrum (DSSS) transmissions
that send data out redundantly over a wider frequency band than necessary, along
with a chipping code that is used to reconstruct any data that gets lost in
translation. It basically spreads data out over a wider signal to provide
redundancy in a kind of reverse compression. The 802.11b signals are modulated
using complementary code keying (CCK) to compress data using a series of
compression keys broadcast during the preamble portion of each transmission.
(For convenience, CCK will be used from here out to refer to the combination of
DSSS and CCK.)

Orthogonal frequency division modulation (OFDM) breaks data
into multiple sections and sends it simultaneously down a series of subcarrier
frequencies. It is also known as discrete multi-tone modulation (DMT) because
it uses multiple discrete tones, each modulated to carry information. OFDM is
used on ADSL and 802.11a, so it’s already a mature technology.

OFDM has a distinct advantage over CCK because it adapts to
interference in specific frequency ranges by disabling or reducing the data
rate of the subcarriers affected. The amount of bandwidth allocated to send or
receive can be varied by reallocating the subcarriers according to the
current need, making it more flexible. The OFDM system also includes features to
help minimize the effect of signal reflection.

Furthermore, CCK requires more network overhead than OFDM to
provide the decompression keys. Enabling 802.11b on an 802.11g network will
cause a general performance drop. For purposes of backwards compatibility, all
initial 802.11g network transmissions are sent using CCK. Additional bits of
information are used to let the 802.11g devices know if they can switch to
OFDM.

Wireless security concerns

802.11b is secured through the wireless equivalent privacy
(WEP) on the transmission level, failing to broadcast the service set
identifier (or SSID) beacon. It also limited access to clients with only known
unique media access control (MAC) addresses on the access points.

MAC address filtering was at best a half-measure of
security. The most it could do was prevent attackers from invading your network,
since it had no impact on their ability to listen in. MAC filtering quickly
becomes ineffective because a multitude of products had the capability to change
MAC addresses with software dynamically. Known as MAC address cloning, it’s a
feature on many products sold today because the majority of broadband service
providers use MAC address filtering, and it’s easier to clone the old MAC than
to get the service provider to update its system.

The “security through obscurity” approach of
disabling the SSID broadcast proved to be no more than a speed bump to the
casual sniffer. While many of the original drivers would only identify a
network by the SSID beacons, it was a simple matter to identify nearby networks
because the unencrypted portion of all data packets transmitted includes the
destination SSID. There are many tools available that will pull the SSIDs from
any transmissions nearby so only a completely inactive network will remain
hidden, and what’s the point of a wireless network that isn’t being used?

Finally we come to the primary defense, WEP. The 802.11b
spec allowed for two tiers of WEP encryption, and many early products only had
the lower one. This “standard security” WEP had 40-bit keys using RC4
encryption, which was at the time considered weak. Then products advertising
64-bit WEP showed up; however, this was marketing-speak for 40 bits of
encrypted data plus 24 bits of unencrypted data, which is still only 40-bit
encryption. The high security 128-bit WEP encryption that is widely in use
today is only 104 bits of encrypted data and still 16 million times easier to
break than a real 128-bit encryption. Thus, anyone with a reasonably powerful computer
can crack the keys in a few hours with brute force.

But that is all moot because defeating WEP doesn’t require
computation power, just an inexpensive hard drive. WEP reused pads, or the
numbers used in the encryption sequence. By gathering enough data, about 15 GB
worth, one will possess every pad in use and can decrypt any and all
transmissions at will. Depending on network activity, this could take as little
as an hour to get your pad dictionary assembled.


WEP revealed

Here’s a little bedtime reading on the security of WEP.
However, if your network relies solely on WEP, you might not get a good night’s
sleep after you read these:


Future security now

802.11g was supposed to incorporate the 802.1i wireless
security protocol, but 802.1i has been, is being, and will be debated for
months to come. The 802.11g specification requires future upgrades to include
802.1i when it finally appears. Several interim security tools have been
incorporated into 802.11g and, through the magic of revised standards, 802.11b.
The IEEE has extended the 802.11b standard to incorporate these present and
future security tools wherever possible.

802.11g includes WEP for backwards compatibility with older
802.11b networks, but recommends Wi-Fi Protected Access (WPA). WPA is based on
the 802.1X network authentication protocols, supports the advanced encryption
standard (AES), has a message integrity code (MIC, or Michael to some) to
verify packets, and a new temporal key integrity protocol (TKIP) to manage WEP keys.

802.1X provides the extensible authentication protocol (EAP)
to manage client access to networks. EAP is not a security system itself, but
is a framework of authentication schemas using remote authentication dial-in
user services (RADIUS) protocols to authenticate clients and distribute keys.
Some variants of EAP are:

  • LEAP
    – Username/password-based authentication developed by Cisco.
  • TLS –
    Authentication via an X.509 certificate.
  • TTLS
    – A variant of TLS using a server certificate and a client username/password.
  • PEAP
    – Protected EAP secures the user authentication phrases but requires
    server certificates.
  • SPEKE
    – This also protects user identity but does not require server
    certificates.
  • PSK –
    Small networks without a RADIUS server can use pre-shared keys, analogous
    to standard WEP configurations.

The most common implementations of EAP are LEAP and PSK. PSK
is the typical home network solution, with LEAP for the enterprise. A variant
of LEAP is available on some access points that have the ability to store users
and passwords, which is an excellent solution for smaller offices that cannot
justify the expense of a RADIUS server, but want more flexibility and security
than pre-shared keys.

TKIP rotates the security pads with each packet to prevent
an attacker from building a dictionary of the encryption keys, but it requires
more processing power from the client. Additionally, the pad used to create the
initial key was increased from 24-bits to 48-bits, increasing the number of
keys by a factor of more than 16 million.

AES is a much more secure encryption algorithm than RC4.
Unfortunately, adding support for AES is not possible through a firmware
upgrade, so it cannot be added to older 802.11b devices. To enable it, you’ll need all your devices to support it, which will alienate older hardware.

Michael is a simple checksum that verifies the data received
is the data transmitted by making sure a certain portion of data in each packet
matches a certain mathematical formula. It is an old but effective technique
useful in an unreliable network.

Potential 802.11b/g wireless problems

There are problems in wireless land despite the designed
compatibility between 802.11b and 802.11g. Some problems are temporary, but
some are configuration issues you should be prepared to encounter.

A potential source of irritation is that the 802.11
specification allows for a long 128-bit preamble and a short 56-bit preamble.
While the 802.11g spec requires all devices to support both, the 802.11b makes
support for the short preamble optional. If an 802.11g base station uses short
preambles to cut down network overhead and increase bandwidth, but still lets a
non-compliant 802.11b client associate, you end up with a case of the 802.11b
client unable to communicate and jamming the network for the 802.11g users.

Another backwards compatibility snag is security. 802.11b
clients more than a few months old are not likely to have WPA. Some 802.11b
clients support WPA with a firmware upgrade, but not all manufacturers or
models have the upgrades available.


802.11b WPA firmware driver upgrades:


Then there are the problems caused by the devices that hit
the market six months before the 802.11g specification was ratified. There are
differences in the network control messages (a.k.a. RTS, CTS, ACK, etc.) and
signal timings between the draft specifications and the final specification—meaning
that draft devices on a final network can create interference, reducing the
overall network performance if they work at all.

Some of the 802.11g transfer rates are optional. This
wouldn’t be a problem except that depending on the draft revision, the mechanism
used by clients to set the speed changed. This means that some of the draft
devices may not operate at all speeds. While it has little impact on other
devices, it means the draft device may operate slower than it could.

Additionally, there are some access points that do not
always broadcast their RTS and CTS signals using CCK and instead use the much
faster OFDM once an 802.11g client appears. This ends up being a double whammy
because it not only disconnects the 802.11b client from the network, but as the
802.11b client keeps trying to connect, it creates interference for the 802.11g
clients.

The short answer is that you should make sure every 802.11g
device you purchase supports the final, ratified June 2003 version of the
802.11g specification; your access points are in proper compatibility mode with
long preambles if you intend to have 802.11b clients; and you upgrade or
replace 802.11b clients that do not support WPA.

Last words

Wireless networks fill a distinct void in the networking
world, and that is mobility. Network speed is really a secondary concern compared
to the convenience and flexibility that comes in breaking the Ethernet cable.
Optimize your network as best you can, but I recommend erring on the side of
convenience. Squeezing out an extra megabit of bandwidth isn’t worth creating a
barrier to access. The goal is to have connection in hard-to-reach places, not
making a wireless connection hard to reach. Now go forth and network.