
Accessible, Accountable, Affordable, and Scalable Wireless Network
by Peter Chen and Hanz Makmur
Laboratory for Computer Science Research
Division of Computer and Information Sciences - Rutgers The State University of New Jersey
Copyright 2001: Rutgers University, Laboratory for Computer Science Research

Nov 1 2001

Last Modified March 1, 2002

I. Abstract

AAAS WiN (pronounced "ace win") stands for "Accessible, Accountable, Affordable, and Scalable Wireless Network." It's a design to provide ubiquitous wireless network access. The first such implementation is LAWN (Local Area Wireless Network), which has been in service at Rutgers University since August 2001. This document explains AAAS WiN's objectives, conception, and architecture. It also includes a brief description of its first implementation.

II. Introduction

The advent of 802.11b-based wireless network technology has raised the definition of accessibility to a new plane. Since Apple introduced the iBook, the first notebook with built-in wireless networking, in 1999, various vendors have released competing products, bringing lower prices and more choices to consumers. 802.11b now seems poised to bring ubiquitous access to the masses.

Unfortunately, large-scale, widespread deployments are hampered by the limitations of these consumer-oriented devices, in particular the access points. An access point is the interface between wireless devices and the wired network. One of the first consumer access points was Apple's AirPort Base Station, introduced along with the iBook. Targeted at homes and small offices, such access points carry an affordable price tag of $100-$300. However, this also means that they have limited features and many deficiencies for large-scale deployment.

For example, to account for each wireless client, individual hardware addresses must be registered with each access point, and the access points lack facilities for centralized authentication. The alternative is more function-rich but also much pricier access points.

These limitations seemed to doom their widespread use in more budget-conscious organizations ... until now.

At LCSR, a research arm of the Division of Computer and Information Sciences at Rutgers, a group of developers stepped up to meet this challenge with an innovative design, AAAS WiN (Accessible, Accountable, Affordable, and Scalable Wireless Network). LAWN (Local Area Wireless Network) is its first implementation. LAWN was assembled in spring 2001, put into beta test that summer, and released to the public in August. The system has been operating flawlessly since.

The purpose of this document is to elaborate on the objectives, conception, and architecture of AAAS WiN. Its first implementation, LAWN, is detailed in a separate document. It is the authors' hope that AAAS WiN will be widely adopted and bring ubiquitous wireless network access to the masses.

III. Objectives

The primary objectives of AAAS WiN are accessibility, accountability, affordability, and scalability.

III.A. Accessibility

Accessibility means ease of use. To achieve ubiquity, AAAS must be easy to use. For example, the authentication process that grants users access should be straightforward and error-proof. It should also support mobility: when a user moves from one access point to the next, he should not be required to log in again.

III.B. Accountability

Accountability means that every access to the network is traceable to a user account. The ability to identify unauthorized accesses and possible security breaches is paramount for the security of any organization.

III.C. Affordability

AAAS must be cost effective, in other words, "cheap." AAAS will be widely adopted only if it is affordable. This requires that the hardware and software be low cost and readily available. Preferably, off-the-shelf, non-vendor-specific components can be used, so that individual organizations may bargain shop for the best prices.

III.D. Scalability

AAAS must be easily expandable, meaning that the incremental cost of supporting more users is relatively low. Ideally, AAAS should exhibit an economy of scale: as the user base grows, the per-user operating cost should decrease. For example, enabling access in an additional building should not require a drastic upgrade of the current infrastructure. On that note, AAAS needs to accommodate expansion into geographically diverse areas. As AAAS users roam from one access point to the next, they may in fact physically move across states or even continents.

IV. Design

At the top level, AAAS is a star configuration with workgroups connecting to a central authentication server. The authentication server is located on the public network, while each workgroup contains its own private network. The link from a workgroup to the public network is controlled. Wireless clients connect to access points within a workgroup and must first log in. The central authentication server examines the credentials (for example, a username and password) presented by a client in a workgroup and tells the workgroup whether the client is to be granted access.

This is a deliberate separation between the access control mechanism and the authentication authority. In order to satisfy the accessibility requirement, AAAS needs to appear as one system: once a user is authenticated and granted access at one access point, he should retain that access as he roams to another. The appearance of one system usually entails some degree of centralization.

On the other hand, for affordability, AAAS needs to be as light as possible in the center. If the centralized elements are overly resource intensive, the startup cost of a minimal implementation will be too high.

To satisfy these constraints, we distilled the centralized elements down to the bare essential: access control. We further recognized that access control actually consists of two components, the access control mechanism and the authentication server, which we call the gatekeeper and the keymaster. The gatekeeper guards the door to the public network and opens it when a correct "key" is given. The keymaster holds all the keys. When a wireless client encounters a gatekeeper, it announces itself to the keymaster and asks for a key. The keymaster examines the client's credentials and grants a key if they are valid. In this scenario it is clear that the gatekeepers do not need to be centralized, as long as the keys come from the same keymaster. In other words, only the authentication server needs to be centralized.

IV.A. Authentication Server

The authentication server is the centerpiece of AAAS. As previously described, it is the one and only centralized component. Its function is to verify a client's credentials and inform the workgroup whether the client is to be granted access.

While AAAS does not mandate the authentication mechanism (e.g., PAM, Kerberos, SMB, IMAP, POP3, RADIUS, etc.) or the communication protocol between the authentication server and a workgroup, we recommend that implementations be secure. If authentication is not done locally on the authentication server but delegated to an external source, the transmission of credentials from the authentication server to that source should be protected, for example by protocols that run over SSL or SSH, such as HTTPS, SFTP, or IMAP over SSL. Similarly, the communication between the keymaster (authentication server) and the gatekeepers should be secure, so that it is not vulnerable to man-in-the-middle attacks: a gatekeeper must be able to tell that a "granted" verdict really came from the keymaster and answers the request it just sent, and the keymaster must be able to tell that a request really came from one of its gatekeepers.
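
The following is an added example of what that requirement means at the message level; it is not LAWN's protocol or code. It assumes one shared secret per workgroup (as a RADIUS client has with its server), HMAC-SHA256 tags over a canonical JSON encoding, a nonce chosen by the gatekeeper and echoed in the verdict, and salted PBKDF2 password hashes on the keymaster. The workgroup name, secret, and user entry are constructed for the example. Confidentiality of the password in transit is not provided here and still needs an encrypted channel such as TLS.

```python
"""Authenticated request/verdict exchange between gatekeeper and keymaster
(added example, not LAWN's protocol or code). Each workgroup shares a secret
with the keymaster, every message carries an HMAC-SHA256 tag over its canonical
form, and the verdict echoes the gatekeeper's fresh nonce, so a man in the
middle can neither forge a "granted" verdict nor replay an old one. Passwords
are stored as salted PBKDF2 hashes. Confidentiality of the password in transit
still needs an encrypted channel (e.g. TLS); names and data are constructed."""
import hashlib
import hmac
import json
import secrets


def canonical(msg):
    """Deterministic encoding so both ends MAC exactly the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def seal(msg, secret):
    """Copy of msg with a 'tag' field: HMAC-SHA256 over all other fields."""
    sealed = dict(msg)
    sealed["tag"] = hmac.new(secret, canonical(msg), hashlib.sha256).hexdigest()
    return sealed


def verify(msg, secret):
    """True if the tag matches; compare_digest avoids a timing side channel."""
    body = dict(msg)
    tag = body.pop("tag", "")
    expected = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(str(tag), expected)


def make_user(password, salt=None):
    """Keymaster stores only (salt, PBKDF2-HMAC-SHA256 hash), never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Keymaster:
    """Central authentication server: user hashes plus one secret per workgroup."""

    def __init__(self, workgroup_secrets, users):
        self.secrets = workgroup_secrets   # workgroup name -> shared secret (bytes)
        self.users = users                 # username -> (salt, hash)

    def handle(self, request):
        """Check the gatekeeper's tag, then the password; always answer with a sealed verdict."""
        try:
            msg = json.loads(request)
        except (ValueError, TypeError):
            msg = {}
        if not isinstance(msg, dict):
            msg = {}
        secret = self.secrets.get(msg.get("workgroup"), b"")
        granted = False
        if secret and verify(msg, secret) and msg.get("user") in self.users:
            salt, stored = self.users[msg["user"]]
            granted = hmac.compare_digest(make_user(str(msg.get("password", "")), salt)[1], stored)
        reply = {"nonce": msg.get("nonce"), "user": msg.get("user"), "granted": granted}
        return json.dumps(seal(reply, secret)).encode()


class Gatekeeper:
    """Workgroup firewall host: asks the keymaster whether to open the gate."""

    def __init__(self, workgroup, secret):
        self.workgroup, self.secret = workgroup, secret

    def login(self, user, password, send):
        """send(bytes) -> bytes is the transport. True only for a correctly
        tagged, fresh (nonce matches) and positive verdict."""
        nonce = secrets.token_hex(16)
        request = seal({"workgroup": self.workgroup, "nonce": nonce,
                        "user": user, "password": password}, self.secret)
        try:
            reply = json.loads(send(json.dumps(request).encode()))
        except (ValueError, TypeError):
            return False
        if not isinstance(reply, dict) or not verify(reply, self.secret):
            return False                      # forged or tampered verdict
        if reply.get("nonce") != nonce:
            return False                      # replay of an earlier verdict
        return reply.get("granted") is True


def forging_mitm(send):
    """Transport wrapper: an attacker on the path rewrites every verdict to granted."""
    def tampered(request):
        reply = json.loads(send(request))
        reply["granted"] = True
        return json.dumps(reply).encode()
    return tampered


def replaying_mitm(send):
    """Transport wrapper: an attacker records the first verdict and replays it."""
    saved = []
    def replayed(request):
        if not saved:
            saved.append(send(request))
        return saved[0]
    return replayed


# Constructed demo data (fixed salt so the hash is reproducible).
SECRET = b"hill-center-shared-secret"
KEYMASTER = Keymaster({"hill-center": SECRET}, {"pchen": make_user("correct horse", b"\x00" * 16)})
GATE = Gatekeeper("hill-center", SECRET)
```

With `GATE.login("pchen", "correct horse", KEYMASTER.handle)` the verdict is accepted; routed through `forging_mitm` a wrong password still yields a denial because the rewritten verdict no longer matches its tag, and through `replaying_mitm` the second login fails because the replayed verdict carries the previous nonce. A gatekeeper that does not hold the workgroup's secret gets nothing but denials.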

IV.B. A Workgroup

A workgroup is a self-contained private network. This is where the action takes place. At its center is a switch or a hub to which all the access points, wall outlets, the firewall, and the IDS (Intrusion Detection System) are connected. One may think of a workgroup as a village, and the switch as the town square. The access points and wall outlets are roads leading to the town square. The firewall is the wall surrounding the village. The IDS is the big brother that watches the traffic.

IV.B.1. Firewall

The firewall shields the private network from the public network. This is where the magic occurs: network access is controlled here. In order for a client to connect to the public network, it needs to log in, that is, present its credentials (usually a username and password) to the firewall and have them verified. At that point the firewall opens access for that particular client.

This is a critical step in terms of both accessibility and accountability. If the login process is overly cumbersome, it inhibits accessibility. On the flip side, access must be restricted to those who are authorized, and an audit trail must be logged. It is possible to accomplish both goals seamlessly. Even though this is a design document, we outline a possible implementation to illustrate the point.

The action begins when a wireless client comes into range of a wireless access point. First, the wireless client must be configured to use DHCP on its wireless network interface. The DHCP request is relayed through the wireless access point to the DHCP server, which runs on the firewall host. The DHCP server responds with an IP address, netmask, gateway address, and DNS settings. The IP address is a private network address from one of the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). The gateway and the DNS server are the firewall host. The wireless client configures its wireless network interface accordingly and becomes part of the private network.

At this point, even though the wireless client has become part of the private network, it still has not gained access to the public network. That requires a login. Since the gateway is the firewall host, all network traffic is routed there. The firewall rules are set up so that all traffic leaving the workgroup is denied by default unless explicitly granted. The firewall rules also redirect all HTTP (port 80) traffic to the firewall host's Apache HTTP server, which presents the login page.

The user then submits his or her credentials to be verified. The firewall host relays these credentials securely to the authentication server on the public network. Upon a positive response, the firewall host adds a firewall rule allowing this wireless client to access the public network, matched on its IP address or its MAC address. Since either address can be forged by another station on the same wireless segment, the rule should match on both, and it should be removed when the session ends, so that a grant does not outlive the DHCP lease it was issued for. The firewall also performs network address translation (NAT), so all wireless clients' private IP addresses are translated into the firewall host's public IP address.
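
As an added example of the gatekeeper side of the login flow just described (this is illustrative code, not LAWN's), the functions below build the iptables command lines a Linux firewall host would use: the boot-time base set (default-deny forwarding, DHCP/DNS/HTTP reachable on the host, port-80 redirect to the local Apache, masquerading), and the per-client rules added on a positive verdict and deleted at session end. The interface names eth1 (private side) and eth0 (public side), the 10.0.0.0/8 DHCP pool, and the idea that the login page learns the client's MAC from the host's ARP table are assumptions of the example; `apply_rules()` takes an injectable runner so the rules can be reviewed before anything is executed.

```python
"""Gatekeeper rule management for the login flow above (added example, not LAWN code).
Assumes a Linux firewall host with iptables, eth1 on the private workgroup side,
eth0 on the public side, DHCP/DNS/Apache on the host itself, and 10.0.0.0/8 as
the DHCP pool. Functions return the command lines; apply_rules() runs them."""
import ipaddress
import re
import shlex
import subprocess

LAN_IF = "eth1"                                   # assumed: access points and wall outlets
WAN_IF = "eth0"                                   # assumed: link to the public network
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed: RFC 1918 range served by DHCP
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def base_rules(lan=LAN_IF, wan=WAN_IF):
    """Rules installed once at boot: forwarding is denied by default, an
    unauthenticated client can reach only the host's own DHCP, DNS and HTTP
    servers, every TCP/80 request is redirected to the local Apache (the login
    page), and MASQUERADE hides the private addresses of whatever the
    per-client rules later let through."""
    return [
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -i {wan} -o {lan} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A INPUT -i {lan} -p udp --dport 67 -j ACCEPT",
        f"iptables -A INPUT -i {lan} -p udp --dport 53 -j ACCEPT",
        f"iptables -A INPUT -i {lan} -p tcp --dport 80 -j ACCEPT",
        f"iptables -t nat -A PREROUTING -i {lan} -p tcp --dport 80 -j REDIRECT --to-port 80",
        f"iptables -t nat -A POSTROUTING -o {wan} -j MASQUERADE",
    ]


def validate_client(ip, mac):
    """Normalise and sanity-check the address pair the login page learned
    about the client (IP from the HTTP connection, MAC from the ARP table)."""
    addr = ipaddress.ip_address(ip)
    if addr not in PRIVATE_NET:
        raise ValueError(f"{ip} is outside the workgroup's private range")
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address {mac!r}")
    return str(addr), mac


def client_rules(ip, mac, grant=True, lan=LAN_IF):
    """Open (grant=True) or close (grant=False) the gate for one client.
    The match binds the grant to both the IP and the MAC seen at login, since
    either alone is easily spoofed on a shared wireless segment. The nat rule
    is inserted ahead of the REDIRECT so the client's web traffic is no longer
    captured. Because -I inserts at the top, ACCEPT goes in before LOG so that
    LOG ends up above it and records each new outbound connection with the
    client's private source address for later accountability."""
    ip, mac = validate_client(ip, mac)
    act = "-I" if grant else "-D"
    match = f"-i {lan} -s {ip} -m mac --mac-source {mac}"
    return [
        f"iptables -t nat {act} PREROUTING {match} -p tcp --dport 80 -j ACCEPT",
        f"iptables {act} FORWARD {match} -j ACCEPT",
        f'iptables {act} FORWARD {match} -m state --state NEW -j LOG --log-prefix "AAAS "',
    ]


def apply_rules(rules, run=subprocess.run):
    """Execute the rules in order; `run` is injectable so the set can be dry-run."""
    for rule in rules:
        run(shlex.split(rule), check=True)
    return len(rules)


if __name__ == "__main__":
    for line in base_rules() + client_rules("10.0.5.7", "00:03:93:AB:CD:EF"):
        print(line)
```

Running the module prints the full rule set for a client at 10.0.5.7; passing `grant=False` to `client_rules()` produces the matching `-D` commands for logout or lease expiry, and `validate_client()` refuses a public address or a malformed MAC before any rule is built.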

This may not sound exciting, but it is quite impressive in action. Prior to login, as soon as a wireless user attempts to access any web site, he is immediately presented with the login page. The user does not need to remember any special URL. It is so intuitive that it requires almost no training of the user.

IV.B.2 Hub/Switch

The switch or hub is the centerpiece of a workgroup, tying all other pieces together. On a tight budget, a hub will certainly suffice. For security, however, a switch is preferred, since traffic on one port is not visible from another. This reduces the potential for malicious clients to sniff network traffic. (The wireless segment itself remains a shared medium, so a switch protects traffic only once it reaches the wire.)

To support an IDS, one needs to raise the bar further: the switch must be configurable so that one port sees all traffic from the other ports. This most likely entails a higher-end switch. We detail this further in the IDS section.

IV.B.3. Access points

"Wireless Access points" are well named. Think of them as wireless equivalents of wall outlets. Wireless access points are the interface between wireless clients and the central switch.

Together, wireless access points and wall outlets are where clients plug into the network, and "all roads lead to Roam": they are all connected to the central switch. Unlike their wired counterparts, access points have the additional ability to handle multiple wireless clients simultaneously.

IV.B.4. IDS

An IDS (Intrusion Detection System) monitors for suspicious network traffic, such as break-in attempts or attacks.

In order for the IDS to function, it must be connected to a port that sees all network traffic in the workgroup. A central hub would suffice, but it is not the best choice, since it also lets clients in the workgroup see each other's traffic. The better option is a switch that can be configured on a port-by-port basis, so that one port (often called a mirror or span port) can be set to see the traffic of the others.

V. Validation

Before we reach a conclusion and begin to pat ourselves on the back, let's make sure that AAAS WiN has met all our requirements.

V.A. Accessibility

Is AAAS easy to access? Yes, it can be.

This is, of course, implementation dependent. AAAS itself does not specify how each client becomes part of a workgroup; this is determined by the individual workgroup. It is relatively easy to set up workgroups to be user friendly.

For example, as previously described, the firewall host can also run DHCP, so the wireless client is automatically configured with the appropriate IP address, DNS server, and gateway address. The gateway is the firewall host, which accepts all incoming traffic from within the workgroup (but forwards nothing outside it). This gives a wireless client connectivity to the firewall host. As soon as any HTTP request is sent, the firewall redirects it to the firewall host's Apache server, and the login takes place.

The entire login process is intuitive and foolproof. Most users instinctively open their web browsers as soon as they are connected to the workgroup.

V.B. Accountability

Accountability is provided by the firewall host. Once the client is authenticated and public access through the firewall is granted, the firewall can log the network traffic. The log contains the client's IP address on the private network. Combining the private IP address with the authentication log, we can trace every network access back to its user account. Since DHCP hands the same private address to different clients over time, the correlation must also use the login and logout times, so that each connection is matched to the account that held the address at that moment. The level of detail of the logging can be tuned by the administrator as necessary.
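
The following is an added example of that correlation (illustrative code, not LAWN's). It joins two constructed logs: an authentication log written by the login page (LOGIN/LOGOUT events with user, private IP, and MAC, a format assumed for the example) and kernel `iptables ... -j LOG` lines, whose `MAC=` field is laid out as destination MAC, source MAC, and ethertype. The join is on source IP and time window, and the source MAC on the wire is cross-checked against the one recorded at login; connections that match no session, or whose MAC does not match, are exactly what an administrator or the IDS should look at.

```python
"""Joining the firewall's traffic log to the authentication log (added example,
not LAWN code). Both formats are constructed: an auth log written by the login
page (LOGIN/LOGOUT with user, private IP and MAC) and iptables LOG lines from the
kernel, whose MAC= field is dst-mac:src-mac:ethertype. A DHCP address is reused
after a lease ends, so the join is on IP *and* time window, and the source MAC on
the wire is cross-checked against the MAC recorded at login."""
import re
from datetime import datetime

AUTH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) ip=(?P<ip>\S+) mac=(?P<mac>\S+)")
FW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kernel: AAAS .*?MAC=(?P<mac>[0-9a-f:]+) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def sessions(auth_lines):
    """Turn LOGIN/LOGOUT events into sessions: {ip, mac, user, start, end};
    end is None while the session is still open."""
    open_by_ip, out = {}, []
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if m["event"] == "LOGIN":
            prev = open_by_ip.get(m["ip"])
            if prev:                    # a new login on the same address supersedes the old grant
                prev["end"] = ts
            s = {"ip": m["ip"], "mac": m["mac"].lower(), "user": m["user"], "start": ts, "end": None}
            open_by_ip[m["ip"]] = s
            out.append(s)
        else:
            s = open_by_ip.pop(m["ip"], None)
            if s and s["user"] == m["user"]:
                s["end"] = ts
    return out


def src_mac(mac_field):
    """Source MAC from the kernel's 14-octet MAC= field (octets 7-12)."""
    parts = mac_field.split(":")
    return ":".join(parts[6:12]) if len(parts) == 14 else ""


def attribute(auth_lines, fw_lines):
    """For each logged connection, find the account that held its source
    address at that instant. 'unattributed' connections and MAC mismatches are
    exactly the events an administrator (or the IDS) should look at."""
    sess = sessions(auth_lines)
    records = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        rec = {"time": m["ts"], "src": m["src"], "dst": m["dst"], "proto": m["proto"],
               "dpt": m["dpt"], "user": None, "status": "unattributed"}
        for s in sess:
            if s["ip"] == m["src"] and s["start"] <= ts and (s["end"] is None or ts < s["end"]):
                rec["user"] = s["user"]
                rec["status"] = "ok" if src_mac(m["mac"]) == s["mac"] else "mac-mismatch"
                break
        records.append(rec)
    return records


# Constructed sample logs: pchen holds 10.0.5.7 from 10:02 to 11:30, hmakmur gets the
# same address at 12:00; the third kernel line carries pchen's MAC inside hmakmur's session.
AUTH_LOG = [
    "2001-11-01 10:02:11 LOGIN user=pchen ip=10.0.5.7 mac=00:03:93:ab:cd:ef",
    "2001-11-01 11:30:00 LOGOUT user=pchen ip=10.0.5.7 mac=00:03:93:ab:cd:ef",
    "2001-11-01 12:00:05 LOGIN user=hmakmur ip=10.0.5.7 mac=00:02:2d:11:22:33",
]
_GW = "00:50:ba:01:02:03"   # the firewall host's LAN interface MAC (destination on the wire)
FW_LOG = [
    f"2001-11-01 10:05:42 kernel: AAAS IN=eth1 OUT=eth0 MAC={_GW}:00:03:93:ab:cd:ef:08:00 SRC=10.0.5.7 DST=128.6.4.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=1030 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    f"2001-11-01 11:45:00 kernel: AAAS IN=eth1 OUT=eth0 MAC={_GW}:00:03:93:ab:cd:ef:08:00 SRC=10.0.5.7 DST=128.6.4.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=1031 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    f"2001-11-01 12:10:00 kernel: AAAS IN=eth1 OUT=eth0 MAC={_GW}:00:03:93:ab:cd:ef:08:00 SRC=10.0.5.7 DST=128.6.4.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=1032 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0",
    f"2001-11-01 12:11:00 kernel: AAAS IN=eth1 OUT=eth0 MAC={_GW}:00:02:2d:11:22:33:08:00 SRC=10.0.5.7 DST=128.6.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=UDP SPT=1024 DPT=53 LEN=36",
]
```

On the sample data, `attribute(AUTH_LOG, FW_LOG)` attributes the 10:05 connection to pchen, leaves the 11:45 one unattributed (nobody held 10.0.5.7 then, so the grant should already have been removed), flags the 12:10 one as a MAC mismatch inside hmakmur's session, and attributes the 12:11 DNS query to hmakmur.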

V.C. Affordability

Is AAAS cheap? Yes; generally speaking, the total cost of ownership is very low.

AAAS places minimal requirements on the hardware and requires relatively little administration. None of the access points, switches, firewalls, IDSes, or authentication servers are vendor specific; they can be bought off the shelf from a wide range of vendors. Since all network facilities such as access control, dynamic host configuration, and name service are handled by the firewall host, the access points need very few features. The only concerns are their reliability and cost.

The firewall host and the authentication server can be built from low-cost hardware and software. A PC with a 300 MHz Pentium II, 256 MB of memory, and a 10 GB hard disk, running Linux (free), is more than enough. Such a PC could cost as little as $200 as of November 2001.

The administration required is concentrated on the firewall host in each workgroup and on the central authentication server.

V.D. Scalability

AAAS has no inherent limits to its scalability. Each workgroup can have a large number of access points. In the simplest configuration with all access points directly connecting to a central switch, the limit is the number of ports available on the switch. One can easily extend this by cascading switches.

The authentication server can handle a large number of requests. If the workgroups are spread out geographically and latency is an issue, one may even set up local authentication servers with trust relationships between them.

Both workgroups on the edge and authentication servers in the center may be scaled up rapidly.

VI. Conclusion

As shown above, AAAS WiN is easy to use and cheap to build. All network access can be logged and audited, and the system can grow rapidly with no intrinsic limit. It satisfies our requirements for accessibility, accountability, affordability, and scalability.

VII. Future Improvements

Expanding AAAS to other authentication methods is one part of the project that will always be ongoing. Additional authentication modules can always be added to the system in anticipation of newer technology.

Quality of Service (QoS) is one feature that will be added, to throttle speed. QoS can be applied to specific users or groups to make sure that no user monopolizes the bandwidth, and it can also be used to prioritize bandwidth for specific users.

VIII. Acknowledgements

The concept of AAAS WiN was born after discussions among Dr. Badrinath, Dr. Donald Smith, Charles McGrew, Kenneth Harris Jr., Hanz Makmur, and Peter Chen in October 2000. The result of these discussions was the implementation of DCIS/LCSR LAWN in May 2001.