Beyond Security – Integrity
NOON -- Another interesting discussion I had at the recent municipal wireless symposium in Massachusetts dealt with what was originally mentioned as WiFi network security.
To me, anyway, security has two core components: encryption to thwart eavesdroppers, and authentication to keep the unauthorized off the network. In a public access setting, I've always recommended multiple tiers of service, with appropriate levels of security on each. Basic public access isn't secure at all, just like on the Internet. Municipal services would be secured via a VPN and 802.1x, with these optionally being available in a distinct service tier requiring pre-registration before use.
But what a number of municipal officials meant by security was really integrity, or making sure that the network continues to operate given a wide variety of potential threats, from traditional network-layer hackers to physical damage. WiFi meshes have a high degree of integrity already, because they can continue to operate via automatic reconfiguration in the event one or more nodes are damaged or otherwise become inoperative.
Traditional upper-layer threats to integrity can be addressed via the usual means, whether virus and anti-spam protection or the latest patches from Microsoft. But PHY-layer attacks on the radio environment, such as broadband jammers, involve a more radio-specific solution. Believe it or not, it's easy to build a pocket-sized jammer that can effectively disable one or more Wi-Fi channels within a fairly large radius. The defense against this is a separate network of APs, which act as sensors, and some application logic that fingerprints and localizes the threat. This technique is already used in enterprise deployments using both centralized WLAN systems and specialized products built just for this purpose. Unfortunately, there's no automatic way to deal with this kind of mischief. But the localization function can be used to narrow the location of the interferer, allowing someone in authority to step in deal with the miscreant and his toy.
— Craig Mathias is Principal Analyst at the Farpoint Group , an advisory firm specializing in wireless communications and mobile computing. Special to Unstrung
To me, anyway, security has two core components: encryption to thwart eavesdroppers, and authentication to keep the unauthorized off the network. In a public access setting, I've always recommended multiple tiers of service, with appropriate levels of security on each. Basic public access isn't secure at all, just like on the Internet. Municipal services would be secured via a VPN and 802.1x, with these optionally being available in a distinct service tier requiring pre-registration before use.
But what a number of municipal officials meant by security was really integrity, or making sure that the network continues to operate given a wide variety of potential threats, from traditional network-layer hackers to physical damage. WiFi meshes have a high degree of integrity already, because they can continue to operate via automatic reconfiguration in the event one or more nodes are damaged or otherwise become inoperative.
Traditional upper-layer threats to integrity can be addressed via the usual means, whether virus and anti-spam protection or the latest patches from Microsoft. But PHY-layer attacks on the radio environment, such as broadband jammers, involve a more radio-specific solution. Believe it or not, it's easy to build a pocket-sized jammer that can effectively disable one or more Wi-Fi channels within a fairly large radius. The defense against this is a separate network of APs, which act as sensors, and some application logic that fingerprints and localizes the threat. This technique is already used in enterprise deployments using both centralized WLAN systems and specialized products built just for this purpose. Unfortunately, there's no automatic way to deal with this kind of mischief. But the localization function can be used to narrow the location of the interferer, allowing someone in authority to step in deal with the miscreant and his toy.
— Craig Mathias is Principal Analyst at the Farpoint Group , an advisory firm specializing in wireless communications and mobile computing. Special to Unstrung
