Skip to content Skip to navigation

Whitepaper: A Low Cost Solution for Scalable Authenticated Wireless Network

Written by
Charles McGrew
Laboratory for Computer Science Research - Division of Computer and Information Sciences,
Rutgers, The State University of New Jersey


Copyrights2001: Rutgers University, Laboratory for Computer Science Research

  Aug 14, 2001

Introduction

Dr. Stanley Moon, AI researcher from Berkeley is on his way to Rutgers to do collaborative work. His carry-on bag contains his wireless-capable laptop. He dreads the bureaucratic gobbligook he will have to go through to get networking at Rutgers; MAC addresses, routing, see this sysadmin for this permission, that network admin to get that permission, 'round and 'round for days. "But what else can you do?" he thinks to himself. He's looks again at the brief instructions he's been given. Yeah, right, he thinks - that's the way it works if it already works; it's never really this easy.

Ensconced in his office the next day, Dr. Moon stares at his sure-to-be useless laptop. Worse, he's just realized his latest version of his research notes are on his Berkeley machine. What a mess, he thinks. He opens his web browser, and tries to get to his Berkeley home page. Total failure. "Just as I thought," he thinks, "time to find the 15 admins I have to find." Before he calls his faculty sponsor to see what sysadmin to try first, he decides to try those instructions he was given, just so he can wave them at all those admins when he goes on his long trek to get his laptop networked. He points his browser at "wireless.rutgers.edu/login". Much to his surprise, he gets a login window. He types in "moon@berkeley.edu" and his Berkeley kerberos password as instructed. Suddenly, everything works! He can browse anywhere, and is able to FTP his latest lecture notes, send mail, the works. He takes the laptop to a lecture in another building, and wonder of wonders, it still works. Dr. Moon blissfully continues his stay at Rutgers, completely unaware of the fascinating people he hasn't met on the systems and networking staff.

Archipelago Wireless

Part 1 - Purpose

The "Archipelago Wireless" project is a prototype environment that provides secure, easy-to-use roaming wireless access to existing network resources from wireless-capable computers. Using low-cost wireless base stations, and firewalls; existing routing and authentication techniques, and industry-standard encryption, we are able to provide high-speed wireless access while maintaining strong user authentication and secure communication channels. The environment allows administrators to customize service characteristics of the environement and to maintain and update services with a minimum intervention.

Each "Archipelago Wireless" installation consists of one or more wireless base stations, a firewall, a mechanism to assign valid network addresses to authenticated machines, and a mechanism to authenticate machines (by the user of the machine -- we presume a one-user per wireless device model.) Multiple "Archipelago Wireless" can exist; for instance in various buildings on a campus, or any other geographic location (an airport, a baseball stadium, a New Jersey Turnpike rest stop, etc.). "Archipelago Wireless" can be affiliated (see "external authentication", below), or independent from each other.

Part 2 - Mechanisms

The "Archipelago Wireless's" basic service device is the wireless base station, which handles radio communications between wireless devices and the network. The base station device may or may not encrypt the radio communications (see "Security" below) directly, but it is the device wireless transceivers that users' wireless devices talk to.

The one or more base stations are all on the same subnet, which ideally should be exclusively for this purpose. To connect the "wireless subnet" to the rest of the network, a firewall device is used. This device ensures that 'rogue' wireless devices that 'bind' to a base station device cannot access the rest of the network, or indeed any other wireless devices also bound to it. (This 'piggybacking' of rogue wireless users is a common problem with wireless networking, which many wireless networking installations deal with by ignoring it. We felt it was irresponsible to allow potentially malicious network users access to the wider network world.)

The firewall device, which can (as it is, in our case) be something as simple as a linux machine with two ethernet interfaces and "iptables" enabled, or any firewall device that can dynamically alter its allowed/not-allowed network traffic behavior (to allow authenticated machines to access the net, an non-authenticated to be blocked) is there to police access. It keeps track of what machines are authenticated, 'ages out' old authentication, and generally regulates who can get 'out' (or 'in', in very restricted ways, see below.) The firewall has to have a trusted authenticator (which could be local, or - as in our case - remote).

The key to access is the authenticator. Newly "arrived" (onto the wireless network) hosts can only access the authentication site - via a web browser (using secure socket encryption). If they successfully authenticate (we use the "Kerberos" protocol that is in general use at Rutgers for user authentication -- username and password) then they are assigned an IP address (via DHCP, a generally-used protocol by every known wireless device to obtain IP addresses), and the firewall is notified to allow traffic from this newly-authenticated machine to pass through to the wider network.

One very handy 'fall out' of this scheme is that so long as an authenticated mobile wireless device stays within range of any of the wireless base stations of a given "Island", it will maintain its IP address, and network connectivity (e.g. "telnet") even if it 'binds' to a different base station as it moves. (In wireless communications, bandwidth is related to signal strength; mobile wireless devices try to talk to the best base station -- as one moves, the 'best base station' may change.) This means that it is now possible to provide location, or path-based services, since the mobile device can remain in constant connectivity -- so long as it doesn't get out of range of the entire "Island". Another "fall out" is that rather than having to enforce connectivity restrictions on each wireless base station (which may require individual updates, or worse reboots, to make changes), the restrictions are centrally handled, and so much more likely to be up-to-date and working.

Part 3 - Security

There are three basic issues of security in our scheme: wireless (radio) traffic security, LAN security (on either side of the firewall) and incoming traffic security.

Using wireless devices invites use of radio scanners to listen in on traffic; exactly like a "network sniffer" - but of the radio signals. There are two mechanisms that can be used to better secure the radio signal: hardware encryption and Virtual Private Networks.

Hardware encryption is typically done in the wireless transmission card on the user's wireless machine and the wireless base station. This makes it harder for interloping 'listeners' to easily read the radio traffic directly. The drawback to this is twofold - encryption keys may not be as secure as might be hoped (or worse, for the individual user, forgotten), and that most generally-available wireless hardware loses significant bandwidth (up to 40%, in some tests) when encrypting traffic in hardware.

Virtual Private Networks perform the encryption in software and with greater actual security without compromising network bandwidth. Using a well-supported, high-confidence VPN solution also frees the "Archipelago Wireless" service providers from becoming locked in to one wireless technology -- especially in the fast-changing wireless digital communications field. Using VPNs also enhances general connection security once packets leave the wireless subnet and travel whereever they are going.

Finally, the firewall used to keep the bad guys out of your wireless network from the wireless side, also keeps them out from the network side. If the firewall is easily 'tweakable', authenticated wireless machines may even become servers -- using port-forwarding (where a specific port connecting to the firewall is forwarded to the same (or another) port on a authenticated wireless machine). This sort of thing would require negotiation between the intending wireless-machine service provider and the wireless network provider administrator, of course. In the near future, we can't see a lot of need for 'incoming' wireless services, but the capability is certainly there (indeed, in our own network, we allow this to some of our wireless researchers.)

Part 3 - Extensibility of Authentication - "trusted external authentication"

Part of the current research effort for "Archipelago Wireless" is to expand the range of authentication sources that can be allowed to add a machine to the authenticated wireless network. If two entities 'trust' one another - that is, if one entity believes that an authentication from the other entity is as good as its own - it should be possible to query that other entity's authenticator (whatever it is) and add a machine so 'blessed' to the local authenticated wireless network. Research being done within Rutgers DCIS is bent on creating and implimenting the protocols necessary to allow this. For example, we beleive it will be possible for a researcher at UC Berkeley to add his wireless machine to our authenticated wireless network as easily as a Rutgers researcher could, and with equal confidence in the validity of the user. This will not require any specific intervention by network administrators to add such a Berkeley-based machine; once the Berkeley authenticator is declared 'trusted', it will just happen; conversely, a Rutgers researcher at Berkeley would have similar ease of connection.

Part 4 - Expandibility of Service - Scalability

Expanding beyond one "Archipelago Wireless" for a service provider is pretty easy. One or more authenticators are already present; a dhcp-based address assignment protocol is already present; VPN creation is already enabled; a firewall and associated base stations is all that is required. (Presumably the firewall software can be reused.) An advantage of this distributed provision scheme is that the selection of authenticators can vary per firewall-base-station group; individual wireless service providers can select some or all of the authenticators available, or create their own for their own user base. However, if a wireless service provider wishes to have the same authenticators and/or IP-address allocators for all its "islands" (for instance to provide wireless service across an entire campus), the same authenticator/IP-address allocator can be used for all the "islands. Further, the size of an individual "island" (in terms of wireless coverage) is flexible -- install as few or many wireless base stations as you need; you only need the one firewall machine.

Note: It is possible to have an "Island" in widely separate geographic locations; so long as all the base stations are all one the same subnet, connected to one firewall -- that's an "Island". At first look, however, it would appear that the costs of networking things that way would be higher than a close-geography set of base stations with an associated firewall.

Part 5 - Expandibility to other venues - k12, business

Since "Islands" are simple, self-contained, based on well-known and widely available hardware and software, and flexible in authentication, their use in other venues would seem promising. In a K-12 setting, for instance, the firewall could be enhanced to do URL, web page, or connection filtering based on well-known schemes to keep the wider network from being accessed intentionally or unintentionally in ways not desired -- since the firewall is already there, there's no reason not to tailor the firewalling scheme to the user populaton.

In business venues, "Islands" offer significant security in wireless communications, along with the ability to add new or replacement devices with only an authentication to perform; the firewall also protects the wireless devices from outside attack.


GLOSSARY

Terms: unauthenticated wireless device - a newly 'bound' wireless device before authentication (or if authentication fails) These devices cannot talk to any other network service than then authentication web page.

authenticated wireless device - the user of the machine has successfully authenticated by a trusted authenticator. These devices can access the network as if they were directly connected to it (it is assigned an IP address, given routing information, etc.)

trusted authenticator - any authentication technique (and source) that is believed to be 'true' by the firewall and IP-address allocator.


 

Design/Concept by:

Hanz Makmur, Charles McGrew, Kenneth Harris Jr.
{Laboratory for Computer Science Research Computing Facility}
Dr. Badrinath
{Division of Computer and Information Sciences}

Programmed by:
Hanz Makmur and George Armhold
{Laboratory for Computer Science Research Computing Facility}

Network Infrastructure by:

Charles McGrew, Douglass Motto, Rick Crispin, Robert Tuck, Kenneth Harris Jr
{Laboratory for Computer Science Research Computing Facility}

Beta Test by:

Rob Toth, Don Watrous
{Laboratory for Computer Science Research Computing Facility}
Faculty and Students
{Division of Computer and Information Sciences - Rutgers University}