A Low Cost Solution for Scalable Authenticated Wireless Network
Written by Hanz Makmur {makmur@cs.rutgers.edu}
Edited by Charles McGrew {mcgrew@cs.rutgers.edu}
Laboratory for Computer Science Research - Department of Computer Science,
Rutgers, The State University of New Jersey
Copyright 2001: Rutgers University, Laboratory for Computer Science Research

September 2001

Last Modified: Feb 28, 2002

Introduction

The arrival of 802.11b (a.k.a. Wi-Fi) based wireless networking technology introduces conveniences that you will eventually find hard to live without. When Apple started shipping the first notebook computer with built-in wireless networking - the iBook - it also shipped the first affordable wireless access point, the Airport Base Station. At $299, the Airport Base Station sold fast not only because of its price, but because it was the first access point that worked for Macintosh notebooks, PC laptops and other Wi-Fi compatible devices alike.

Unfortunately the low cost access point, which is targeted at small office and home use, also has many limitations. It lacks central authentication and is not very scalable. The Airport and similar access points in the $100-$300 price range have limited features. Implementing a wireless network with even a handful of these access points requires a lot of system administration. For example, for secure access, each wireless card's hardware address must be added to each access point before that card can access the network. If a user has 3 wireless cards, each card must be registered on each access point. A reboot is also required after each change. The lack of scalability and authentication features made the low cost access points not very attractive for organizations or educational institutions with a limited budget - until now.

At LCSR, the Laboratory for Computer Science Research, part of the Department of Computer Science at Rutgers, The State University of New Jersey, a solution for a low cost and scalable authenticated wireless network has been found. The wireless network here was first assembled in November 2000. The LAWN (Local Area Wireless Network) system was conceived in Spring 2001; the final system was put to the test in Summer 2001 and publicly announced in August 2001. The total hardware cost of the system, which consists of 12 access points placed strategically in the Hill Center (first, second and third floors) and the CoRE Building (first, second and third floors), was less than $5000. This initial placement was to provide wireless coverage for the entire Department. Further, LAWN allows anyone with a Rutgers computer account - and located within the Department's wireless coverage area - to access the local network and the Internet wirelessly. Once authenticated, users can move between floors and buildings without re-authenticating. This scalable, zero-intervention administration system was easy to deploy and is expandable to other trusted organizations or institutions.

Objectives

As with every system, ease of use, scalability and cost are among the first considerations. With LAWN, every one of these issues is met.

The design of LAWN is driven by the lack of central authentication and the need for scalability. With over 50,000 faculty, staff and students at Rutgers University, it would be impossible to manage all of the hardware addresses of wireless client machines on the hundreds of access points that would need to be installed for university-wide coverage. The geographic layout of Rutgers University, which consists of 7 campuses spread over 4 townships, with students that move from campus to campus, makes scalability an important issue to address. The requirement that every network access be traceable to a person (for security auditing) makes a wireless network even harder to implement.

1-Ease of Use

LAWN is designed with ease of use in mind. For anyone to access the wireless network, a Rutgers computer account is required. At Rutgers, every student, faculty or staff member has, or can obtain, a computer account on one of the central computer services. LAWN uses this account to authenticate the user to the wireless network. Because the LAWN system is designed to authenticate a user instead of the hardware, any time a user changes hardware, there is nothing new the user has to do.

The authentication process is very easy and simple. A user with a wireless device simply has to run a web browser and try to load any web page. If the user is not authenticated, the browser is automatically forwarded to a login screen where the user is asked to authenticate as a valid Rutgers user. Once authenticated, access to the wireless network is granted (see Figure 1) until the user manually logs out or auto-logout is imposed, which happens when no answer is heard from the user's device for a defined amount of time (our test system uses 30 minutes).

2-Scalability

LAWN was designed as a top-down infrastructure, which makes it very easy to deploy securely. To be part of the LAWN system, a department simply needs to implement the firewall part of LAWN (see below, "Firewall Components"). Since authentication is handled centrally, departments can simply use that rather than having to "roll their own" authentication scheme.

To deploy the LAWN system, a dual Ethernet interface Linux system is required for the firewall. The firewall software is available from DCIS/LCSR as an RPM file. One Ethernet interface on the firewall should be connected to the outside world and the other to a hub and/or switch which is in turn connected to the wireless access points. See Figure 3 below for infrastructure details.

In the event that a full LAWN system installation is needed, including "in-house" authentication, a trust relationship can be implemented between the multiple authenticators. In the trust system, the LAWN system will behave as if it were one system: one authenticator will consult the other trusted peer authenticators to see if a user has already been authenticated.

3-Low cost

Because all networking related issues such as access restrictions, dynamic configuration and name services are handled in the firewall, there is no need to purchase wireless access points with lots of features. The only considerations for wireless access points are reliability and cost.

The firewall machine is also built from low cost hardware and software. A PC with a Pentium II 300MHz, 256MB memory and a 10GB hard disk, running the free Linux operating system, is more than satisfactory. Such PCs should cost less than $200 each as of Nov 1, 2001.

4-Secure

Security is a very important part of the LAWN system. (If authenticated access to the Internet were not an issue, there would be no need for the LAWN system: just hook up and go, and good luck convincing your network administrators that it's a good idea.) With LAWN, every access to the network is traceable to a person who can be identified to answer for unauthorized usage.

There are two security issues that are part of LAWN. The first issue is access to the wireless network itself. Anyone who needs access to LAWN will need to be authenticated. The user's username and password are verified against one of the central password servers, or another trusted authenticator, before access to LAWN is granted. The authentication is done on an authentication server via a web browser using the HTTPS protocol, which ensures that username and password data are not transmitted in the clear.

The second issue is the security of data transmitted over the airwaves. This is the harder part to solve. The 802.11b protocol (Wi-Fi), the basis of current wireless networking technology, has a built-in data encryption technology called Wired Equivalent Privacy (WEP). WEP is designed to address data transmission security. However, in recent months, WEP encryption has proven to be weak and can be cracked in a matter of minutes. (See: Overview of 802.11b WEP Weaknesses http://www.mesongroup.com/users/mhamrick/80211over.html)

An alternative to WEP technology is LEAP (Lightweight Extensible Authentication Protocol). LEAP is a Cisco proprietary technology. Currently LEAP is supported only by the Cisco 802.11b wireless card, the Apple Airport card (version 2.x firmware) and Cisco access points. This means that if you purchase other brands of 802.11b cards or non-Cisco access points, you cannot take advantage of LEAP.

In light of the weaknesses of WEP, LAWN was designed without it. This was intentional, to make sure that users are aware of the security issues and aren't blinded by a false sense of security. To address the security of data transmitted over the air, the LAWN system includes an optional Virtual Private Network (VPN) server as part of the design.

A VPN gives users a secure private network between the user's computer and the VPN server. By encrypting all data transmitted, no matter what the medium is, users can be sure that no one will be able to eavesdrop on any data they send. Unlike LEAP, which only works with expensive Cisco access points and Cisco brand 802.11b cards, users with or without an 802.11b wireless card - or even at home - can take advantage of the VPN connection using any low cost access point and be secure.

(See VPN Frequently Asked Questions for more information: http://www.internetweek.com/VPN/faq.htm)

To use VPN and LAWN, users will have to log in twice. First, the user must log in to gain access to LAWN as described above. Second, the user must log in to the VPN server using a specific VPN client to use the VPN encryption service.

What to do?

By leaving the VPN option as a choice, we suspect that many users won't be using VPN at all (for cost or perceived 'ease of use' reasons, for instance). As a result, users' data will be left open and can be eavesdropped on the wireless network. One alternative is to use already existing encrypted services to encrypt all network traffic. For example, a user may use Secure Shell (SSH) rather than Telnet, IMAP with Secure Sockets Layer (SSL) or POP with SSL rather than plain IMAP or POP for reading email, and SMTP with SSL for sending email. These tools are freely available on the Internet for every computing platform.

In the meantime, all wireless users anywhere should be aware that the security of WEP is very weak and should not be relied upon. The best solution is to use secure services and aim for using a VPN as the ultimate security.

5-Other LAWN Usage

The LAWN system was designed for a wireless network. However, the design is applicable to a wired network as well (see Figure 3 for infrastructure details). By applying the LAWN concept to wired networks in public labs or on public computers, wired users will be required to authenticate to the firewall before they can access the network (the wired network would be connected to the firewall just as the wireless base stations are). Such an implementation makes it possible to know who uses what computer at any time. No special authentication program is required and no changes are needed in the user's machine's operating system.

Implementation

The LAWN system is designed like a workgroup. Each workgroup consists of a Linux-based dynamic firewall computer, a network hub and/or switch, and wireless access points. One firewall interface is connected to the outside world and the other is connected to the wireless world. The firewall decides who can access the outside world by adding a specific hardware address to its access list, based on authentication. If a wireless client has been authenticated, it is added to the access list. If not, or if an authenticated machine has been logged out, it is not in the access list.

Discovery Process

When a user's computer is in range of a wireless access point, the user's computer is automatically sent all the necessary network configuration (IP address, nameserver, gateway) via the Dynamic Host Configuration Protocol (DHCP) server running on the firewall machine. As soon as the user runs any software that requires access to the network, the firewall discovers the hardware address of the user's computer. This address is then checked with the authentication server. If the user has not authenticated, network access is not granted. If the application that is executed is a web browser, the browser is redirected to the authentication server and a login screen is presented (see Figure 1). Once the user is authenticated, the authentication server directs the firewall to grant access for the hardware address of the user's computer. The firewall continues to monitor the user's network activity level. If the user's computer does not answer network requests for a predetermined amount of time, or the user manually logs out, network access for this hardware address is removed from the firewall's routing tables.

Figure 1.

Roaming Process

When a user's machine leaves the LAWN or has not answered the firewall's "heartbeat signals" after a predefined amount of time, the firewall removes network access for the computer and reports to the authentication server that the user's machine is missing. Upon receiving this notice, the authentication server marks the user's machine as a "roaming computer" and keeps it in this state for a predetermined length of time. When the user is discovered again by a firewall, the discovery process described above is restarted. If the user is still roaming, the firewall will be authorized by the authentication server to re-open network access for this wireless device without the user having to re-authenticate. This is done as a convenience to the wireless users.

Authentication Process

The authentication server can be set up to use multiple methods to authenticate users. Such methods can include Kerberos, LDAP, SSL IMAP, Microsoft Active Directory etc. The front end for the authentication server is a Java Server Page (JSP) with a Java servlet backend (see Figure 2).

Figure 2.

During authentication, the servlet receives an encrypted username and password via the SSL protocol. It looks at a list of authentication methods, selects the appropriate one, and verifies the username and password against the password server. Once the user's credentials are verified, the servlet sets session cookies on the user's computer; the servlet then contacts the firewall daemon and tells it to allow network access for the IP address of the user's computer. The firewall daemon converts the IP address to a hardware address and requests the user's information from the authentication server daemon. Once this command is verified, the firewall opens access to the hardware address of the wireless device.

Figure 3.

There are 3 main components of the LAWN system. Two of the components, the firewall and the authentication component, are tied together to allow and disallow access to LAWN. The third is an optional component, a network security monitor. This last component is an important part of LAWN even if it is optional. Without it, it would be more difficult to audit network traffic to find out about possible network attacks and users' abuse of the network.

A. Firewall Components

The firewall is run on a dual Ethernet computer. The firewall consists of an IPTable-based firewall, a DHCP Server, a Domain Name Server (DNS) forwarder, a pinger and a firewall daemon. All of these components are built into the RedHat Linux OS except for the pinger and the firewall daemon. These last 2 programs were created at LCSR.

1. IPTable - part of RedHat 7.1 LinuxOS.

The IPTable program is used to control access dynamically by the pinger and the firewall daemon. It is also used as the Network Address Translation (NAT) server. IPTable is the core component that blocks and unblocks access to the outside network. IPTable is also configured as a masquerading server via NAT. NAT allows us to grow the number of hosts on the wireless side of the firewall without worrying about reserving a block of valuable IP addresses. With NAT, only a single "real" IP address is needed for all wireless devices connected behind the firewall. Because the authentication server is placed beyond the firewall, the IPTable default setting (for unauthenticated users) is to allow access only to the http and https ports of the authentication server.
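The default policy and per-client grant just described, rendered as iptables command lines, together with the IP-to-hardware address lookup the firewall daemon performs. This is an added example and not the LCSR firewall software: the interface names, addresses, chain name and the nat DNAT used to bounce an unauthenticated browser to the login page are assumptions, and the /proc/net/arp snapshot is constructed.

```python
"""Added example, not the LCSR firewall daemon or its RPM: the IPTable policy
described above rendered as iptables command lines, plus the IP-to-hardware
address step the daemon performs. Interface names, addresses, the chain name
and the nat DNAT that bounces browsers to the login page are our assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

@dataclass(frozen=True)
class Fw:
    inside: str = "eth1"             # wireless side: hub/switch and access points
    outside: str = "eth0"            # outside world
    auth_server: str = "192.0.2.10"  # authentication server, beyond the firewall

def base_rules(fw: Fw) -> List[str]:
    """Default state for an unauthenticated client: only http/https to the
    authentication server pass, DHCP and DNS are answered by the firewall itself,
    all other forwarding is dropped, and allowed traffic is masqueraded."""
    i, o, a = fw.inside, fw.outside, fw.auth_server
    return [
        "iptables -P FORWARD DROP",
        "iptables -N LAWN_AUTH",  # per-hardware-address ACCEPT rules live here
        f"iptables -A FORWARD -i {i} -o {o} -j LAWN_AUTH",
        f"iptables -A FORWARD -i {i} -o {o} -d {a} -p tcp --dport 80 -j ACCEPT",
        f"iptables -A FORWARD -i {i} -o {o} -d {a} -p tcp --dport 443 -j ACCEPT",
        f"iptables -A FORWARD -i {o} -o {i} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A INPUT -i {i} -p udp --dport 67 -j ACCEPT",  # DHCP server
        f"iptables -A INPUT -i {i} -p udp --dport 53 -j ACCEPT",  # DNS forwarder
        f"iptables -t nat -A POSTROUTING -o {o} -j MASQUERADE",   # one real address
        # Assumed redirect mechanism: an unauthenticated browser's port-80 request
        # to anywhere else lands on the login page instead.
        f"iptables -t nat -A PREROUTING -i {i} -p tcp --dport 80 ! -d {a} "
        f"-j DNAT --to-destination {a}:80",
    ]

def grant_rules(fw: Fw, mac: str) -> List[str]:
    """Open the outside world for one hardware address after authentication."""
    mac = mac.lower()
    if not MAC_RE.match(mac):  # the daemon verifies instructions before acting
        raise ValueError(f"refusing malformed hardware address {mac!r}")
    return [
        # ACCEPT in nat PREROUTING exempts this client from the DNAT above.
        f"iptables -t nat -I PREROUTING -i {fw.inside} -m mac --mac-source {mac} -j ACCEPT",
        f"iptables -I LAWN_AUTH -m mac --mac-source {mac} -j ACCEPT",
    ]

def revoke_rules(fw: Fw, mac: str) -> List[str]:
    """Undo grant_rules on logout or when the pinger gets no answer."""
    return [r.replace(" -I ", " -D ", 1) for r in grant_rules(fw, mac)]

def ip_to_hardware_address(ip: str, arp_table: str, dev: str) -> Optional[str]:
    """The servlet names the client by IP address; the firewall filters by hardware
    address, so resolve it from the kernel ARP table (/proc/net/arp format).
    Only complete entries (flags != 0x0) seen on the wireless interface count."""
    for line in arp_table.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) >= 6 and f[0] == ip and f[5] == dev and f[2] != "0x0":
            return f[3].lower()
    return None

# Constructed /proc/net/arp snapshot for the demonstration.
SAMPLE_ARP = """IP address       HW type     Flags       HW address            Mask     Device
10.10.0.23       0x1         0x2         00:30:65:1A:2B:3C     *        eth1
10.10.0.24       0x1         0x0         00:00:00:00:00:00     *        eth1
192.0.2.1        0x1         0x2         00:50:56:00:00:01     *        eth0
"""
```

An incomplete ARP entry or one learned on the outside interface resolves to nothing, so the daemon never grants on an address it has not actually seen on the wireless side.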

2. DHCP server - part of RedHat 7.1 LinuxOS.

The DHCP server is used to provide dynamic configuration of the user's TCP/IP settings. This service sets TCP/IP settings automatically as a user comes into range of the wireless access point. The settings provided are an Internet Protocol (IP) Number, a Subnet Mask, a Gateway address, and a Domain Name Service (DNS) server address. Without this information, a user's computer will not be able to access the network. Because all of these settings are provided automatically, a user does not have to do anything to get the correct computer network settings. These settings renew themselves after a predetermined amount of time. All current microcomputer operating systems support DHCP for this purpose, so no change in the user's computer setup is needed to use DHCP in this environment.

3. DNS Forwarder - part of RedHat 7.1 LinuxOS.

Because all the wireless devices will be connected behind a firewall, no Domain Name Service (DNS) access will be granted past the firewall. DNS is needed to translate a computer's name into its IP address. To overcome this problem, a DNS forwarder is needed on the firewall machine. By installing a DNS forwarder on the firewall, all DNS requests from the wireless side get forwarded to an outside DNS server via the outside Ethernet interface of the firewall.

4. Pinger - by Hanz Makmur, Laboratory for Computer Science Research, Rutgers University

This program was created to clean up user access as well as to provide access to authorized roaming users. The pinger program will "ping" all currently authorized users' computers periodically. If no response is received after a predetermined time, access to the network for this computer is removed by the firewall. Pinger is also used to check the authorization list for roaming users, to see if the user has logged in before allowing access.

5. Firewall daemon - by Hanz Makmur, Laboratory for Computer Science Research, Rutgers University

This daemon listens for instructions from the authentication server. When a user is authenticated, the authentication server contacts the firewall daemon and instructs it to open access for the hardware address of the user's computer. The daemon verifies all instructions before allowing access to the hardware address of the wireless device.

B. Security Components (optional)

An optional second computer can be used as a security monitor and as a log server. The second computer is used as an Intrusion Detection System (IDS) which monitors network traffic for network attacks and logs all open connections. The log is used to keep track of who is accessing what network resources. This part of the system is not needed to get the LAWN system to work. However, the intrusion detection function of this component can alert the systems administrator to any malicious network attack attempts and unwanted network activities. The logging function logs all open connections on the wireless end of the firewall. These logs can later be used to trace activities when the need arises, or monitored in real time to alert network administrators to intrusions or misuse. Because the wireless devices are connected behind the firewall, all access to outside services appears to the outside world to come from the firewall machine. This is all the more reason for implementing this component.

1. Snort - Open Source Intrusion Detection System - http://www.snort.org/

Snort is the main program used for intrusion detection. It functions as a listener that analyzes and logs suspected network activity based on predefined rules.

2. AccessLogScript - by Rob Tuck, Laboratory for Computer Science Research, Rutgers University

This is a simple script that uses the tcpdump software (part of LinuxOS) to log all open connections. The log is archived so that it can be consulted when a network attack needs to be investigated.

3. IPAudit - Open Source Intrusion Detection System - http://ipaudit.sourceforge.net/ipaudit-web/

IPAudit is the main program used for usage collection. It functions as a data collector for all network connections on the wireless side.

C. Authentication Server Components

An important part of the LAWN system is the authentication server. This server resides on the 'far side' of the firewall from the wireless machines. It is contacted via the World Wide Web (WWW) protocols known as Hyper Text Transfer Protocol (http) and Hyper Text Transfer Protocol Secure (https) when a user is trying to authenticate. All firewalls from multiple workgroups contact this authentication server to authenticate wireless users. One server can handle hundreds of workgroups, and only one server is needed for one large organization. In the event that multiple authentication servers are wanted for redundancy or logistical reasons, multiple authentication servers can be run and set up to trust each other. In the trust relationship, the current server will contact the other, trusted, servers to verify whether a user is already authenticated.

The main components of the authentication server are a web server, a Servlet+JSP engine (Tomcat), an authentication servlet, and a daemon. Both the web server and the Servlet+JSP engine are open source software projects which are freely available. The servlet and the daemon were written by the Laboratory for Computer Science Research, Rutgers University.

1. Apache Web Server - http://httpd.apache.org/

Apache Web Server is a very popular web server in the Unix world. It is a reliable, secure and fast web server engine.

2. Tomcat - http://jakarta.apache.org/

Tomcat is a servlet+JSP engine and a subproject of the Jakarta Project from Apache.org. Tomcat is used to execute the authentication servlet and the JSP page for user authentication. Tomcat integrates nicely with the Apache web server.

3. AuthServlet - by George Armhold, Laboratory for Computer Science Research, Rutgers University

This authentication servlet was created to centrally authenticate the users. With central authentication, users can roam between workgroups and still continue to have access. This servlet is designed to be flexible enough to allow authentication with multiple authentication methods such as Kerberos, RADIUS, LDAP, Windows Active Directory, SSL IMAP etc.

4. AuthenticationDaemon - by Hanz Makmur, Laboratory for Computer Science Research, Rutgers University

This authentication daemon's main purpose is to verify a request made by the firewall. During verification, this daemon checks to see if a specific hardware address is recorded as authenticated. In the event that such an entry does not exist, it also tries to query trusted authenticators to see if this is "roaming" hardware. If it isn't authenticated locally, or by an external trusted authenticator, the authentication daemon tells the firewall to deny the wireless client access to the network.
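The Discovery, Roaming and Authentication processes described under Implementation, together with the pinger and this authentication daemon, as one small session model. This is an added example and not LCSR's daemons: the roaming grace period, the trusted-peer interface, the in-memory tables and the sample hardware addresses are assumptions; the 30 minute heartbeat timeout is the page's own figure.

```python
"""Added example, not LCSR's pinger or authentication daemon: the discovery, roaming
and authentication processes as one session table, with the firewall's rule changes
recorded rather than applied. Grace period, peer interface and addresses are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

HEARTBEAT_TIMEOUT = 30 * 60  # page: the test system logs out after 30 silent minutes
ROAMING_GRACE = 10 * 60      # assumed: how long a missing machine stays "roaming"

@dataclass
class Session:
    user: str
    missing_since: Optional[float] = None  # set once a firewall reports it missing

@dataclass
class Authenticator:  # central authentication server: who holds which hardware address
    sessions: Dict[str, Session] = field(default_factory=dict)
    peers: List["Authenticator"] = field(default_factory=list)  # trusted authenticators

    def login(self, user: str, mac: str) -> None:
        self.sessions[mac] = Session(user)

    def report_missing(self, mac: str, now: float) -> None:
        if mac in self.sessions:
            self.sessions[mac].missing_since = now

    def lookup(self, mac: str, now: float) -> Optional[str]:
        """Who is behind mac? Trusted peers are consulted too; None means deny."""
        for auth in [self] + self.peers:
            s = auth.sessions.get(mac)
            if s is None:
                continue
            if s.missing_since is None or now - s.missing_since <= ROAMING_GRACE:
                s.missing_since = None  # still roaming: reopened without a new login
                return s.user
            del auth.sessions[mac]      # grace expired: the user must log in again
        return None

@dataclass
class Firewall:  # one workgroup firewall, as the pinger and firewall daemon see it
    auth: Authenticator
    granted: Dict[str, float] = field(default_factory=dict)  # mac -> last answer time
    log: List[str] = field(default_factory=list)             # rule changes, in order

    def discover(self, mac: str, now: float) -> bool:
        """Traffic from a hardware address: open it if the authenticator vouches, else redirect."""
        if mac in self.granted:  # already in the access list; the kernel passes it
            return True
        user = self.auth.lookup(mac, now)
        if user is None:
            self.log.append(f"redirect {mac} to login page")
            return False
        self.granted[mac] = now
        self.log.append(f"open {mac} for {user}")
        return True

    def close(self, mac: str, reason: str) -> None:  # manual logout or silence
        if self.granted.pop(mac, None) is not None:
            self.log.append(f"close {mac} ({reason})")

    def pinger(self, now: float, answered: Callable[[str], bool]) -> List[str]:
        """Periodic sweep: close anyone silent longer than HEARTBEAT_TIMEOUT."""
        removed = []
        for mac, last in list(self.granted.items()):
            if answered(mac):
                self.granted[mac] = now
            elif now - last > HEARTBEAT_TIMEOUT:
                self.close(mac, "no heartbeat")
                self.auth.report_missing(mac, now)  # the server marks it "roaming"
                removed.append(mac)
        return removed
```

Two Firewall objects sharing one Authenticator stand for two workgroups: a machine that times out at one and reappears at the other within the grace period is reopened without a new login, while one that reappears later is sent back to the login page.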

Design/Concept by:

Hanz Makmur, Charles McGrew, Kenneth Harris Jr.
{Laboratory for Computer Science Research Computing Facility}
Dr. Badrinath and Dr. Donald Smith
{Department of Computer Science}

Programmed by:
Hanz Makmur and George Armhold
{Laboratory for Computer Science Research Computing Facility}

Network Infrastructure by:

Charles McGrew, Douglass Motto, Rick Crispin, Robert Tuck, Kenneth Harris Jr
{Laboratory for Computer Science Research Computing Facility}

Beta Test by:

Rob Toth, Don Watrous
{Laboratory for Computer Science Research Computing Facility}
Faculty and Students
{Department of Computer Science-Rutgers University}