White Paper: How To Make Ethernet Devices Wireless
Table of Contents
Introduction
Current State of the Art
Security
Making a Wired Ethernet Device Wireless
Site Survey
Choosing Hardware
Making it Work
Scenario 1: Standard Access Point
Scenario 2: Bridging two Networks
Real World Application Example
Other Resources
Glossary
Until the advent of Wireless Ethernet, reaching certain locations with wired network connections could be difficult and expensive. Today, Wireless Ethernet can usually link the most hostile installations and locations with ease. This paper will discuss the methods, theories, and pitfalls of converting a standard Ethernet device to a wireless one.
To date, 802.11b is the most popular WiFi® technology in use. It is cheap, widespread, and supported. It provides a large coverage footprint and good bandwidth.
The 802.11g standard is expected to overtake 802.11b in popularity within five years. Prices are falling rapidly, it runs almost five times faster, and it provides almost the same coverage footprint as 802.11b. The most compelling argument for upgrading an infrastructure from 802.11b to 802.11g is the fact that 802.11g is backwards compatible with 802.11b and can still provide the high speed 802.11g service.
802.11a, while not nearly as popular as 802.11b/g and unfortunately adopted a little late to catch the market tide, presently has one excellent feature over 802.11b/g: 5.8GHz. The UNII (5.8GHz) band, at the time of this writing, is not nearly as cluttered with cordless telephones, BlueTooth® devices, the limited channel set of 802.11b/g systems, and other ISM devices. Also, given that it operates on the UNII band, the devices, in theory, can “burst” up to 108Mbits of bandwidth. Since 802.11a operates at 5.8GHz, the coverage footprint is roughly half that of ISM devices at the same power output and dBi level.
802.11 is the original standard and is no longer being manufactured from a mass market perspective. Therefore, it is not recommended for new installation.
Currently, wireless Ethernet implementations are weak in comparison to wired solutions with respect to security. Most access points (APs) do not feature any form of security enabled by default and are an immense security risk for any company or individual installing a wireless network. Since radio wave propagation can often times be unpredictable and may extend further than an integrator is expecting, an attacker could be positioned far enough away to prevent suspicion. This puts the security measures available in most retail APs that include WEP and MAC filtering/access control, into the category of inadequate since both WEP and MAC filtering can be beaten with a little patience.
If an attacker had enough time to capture enough data encrypted using a specific WEP key, he could determine the encryption key and the network would be compromised. The number of packets that need to be captured is variable and depends largely on what type of network traffic exists on the wireless network. The amount of data that needs to be captured is typically between 400 million and 2 billion bytes. The only way to mitigate this type of attack is to change the WEP key often, but this is usually not practical since it requires frequently changing multiple APs as well as numerous clients. There are vendor specific methods for rolling the WEP keys but they force users to use only their hardware.
MAC filtering is another method of security and is nothing more than denying access to MAC addresses that have not been approved by a network administrator. This is typically done directly on the AP, or via a RADIUS server. Unfortunately, this method can also be bypassed by the capability of many client radios that allow reprogramming of the MAC address. This method, while detectable with good countermeasures, is still a significant factor when designing a wireless network.
802.1x is a new authentication system that provides capabilities for rolling WEP keys that are kept in-band with existing WiFi® traffic and would appear to be the solution to the insecurities of WEP. 802.1x is just now rolling out into the mainstream markets, so be sure to choose hardware carefully when searching for a solution if 802.1x is a requirement. A RADIUS server or the Microsoft® Windows Server operating systems “Internet Authentication Service” is typically used for authenticating the clients when using 802.1x. Most newer server operating systems have at least limited support for 802.1x client authentication through APs that support 802.1x.
Placing the AP in front of a firewall is an excellent method of mitigating attack and many integrators have taken to implementing a firewall and forcing clients to connect to a VPN server to attach to the main network. While this is a strong security method, there are drawbacks. Many network attached devices do not have VPN protocols or other strong encryption protocols available, and forcing users to establish a second connection manually can cause a multitude of help desk problems.
Making a Wired Ethernet Device Wireless
The first step in deciding on a wireless implementation is a site survey. Most APs and client radios only have about 1200ft coverage footprint without obstruction. Indoors with the potential of RF noise, this number falls rapidly. As noise and distance increases, the radios will downshift their bandwidth to compensate and maintain a connection before outright dropping the connection. The only real way to definitively ascertain noise levels and signal propagation is the use of a spectrum analyzer and other prohibitively expensive hardware. A cheaper alternative is to spend $100 USD on a home WiFI® starter kit and just walk around with a laptop until limits can be determined. Keep in mind what the client density will be for a given area around an AP and if that number exceeds 30 clients, more powerful APs and/or increasing the number of APs servicing an area may be needed. If multiple APs will be used, there are a couple of different methods for handling their interaction. Certain vendors have implemented a “hand-off” protocol that can very efficiently pass a client between access points while the client is moving around. There are open standard “hand-off” protocols on the drawing board, but nothing solid yet. Be careful about choosing the channel that multiple APs use. Only channels 1, 6, and 11 do not overlap each other and by having two APs on the same or near the same channel, APs fighting each other for a client may or signal degradation may occur in the absence of higher-level “hand-off” protocols.
After considering the above 802.11[x] protocols, features and failings, security vulnerabilities, methods of protecting networks, assessing general risk, and performing a site survey, a minimum of two purchases will need to be made.
First, an Access Point will need to be purchased or built. An off-the-shelf unit may be all that is needed for many installations. It is recommended to purchase one with, at a minimum, 128-bit WEP encryption. If a standard retail AP will not cover your security needs, a more expensive enterprise grade AP may be more appropriate, but be forewarned, these units and overall “solutions” can get very expensive, very quickly and you may depart from open standards. If you plan on building your own AP, there are a number of proprietary operating systems available that are designed for running on embedded PCs with wireless cards for producing very powerful APs. Linux also has a number of utilities for creating very versatile and equally, if not more powerful APs for the cost of hardware and time. Enterprise grade, and do-it-yourself APs typically have a wider range of features, security, antennas, and power output options that make them much more suited for campus and wide area networks.
Second, a Wireless Ethernet bridge will need to be purchased or built. These units can vary in price greatly and typically start at less than $100.00 USD. If using an AP that has 128-bit WEP then likewise purchase a wireless Ethernet bridge that also has 128-bit encryption. Building a wireless Ethernet bridge for a single device to be attached to it would be almost identical to building an AP, and is more-than-likely more expensive and time consuming than its worth, but the option still remains.
This section will give two examples of wireless networks and how a wired Ethernet device could fit into a wireless network. In doing so, we will make a few assumptions:
- DHCP (Dynamic Host Configuration Protocol) is not used. The reason for this assumption is because a typical network device that is not at the versatility level of a PC cannot easily indicate what its IP address is, and since network devices typically are the target of communication and not the initiator, having prior knowledge of its IP address makes life much easier. Even if DHCP is used, the AP must not use DHCP; it must have a static IP address. The clients may, but the AP must not.
- 128-bit WEP encryption is enabled. Having a minimal amount of security is at least marginally better than none. It will at least keep out the armchair attacker.
Scenario 1: Standard Access Point
In this scenario we assume a single pre-existing wired network that the integrator wishes to convert an attached wired device to wireless. These steps are required:
- Configure the AP to have an IP address that falls within the scope of the existing wired network.
- Configure a SSID. This is typically a word or combination of letters and numbers identifying the network. Ordinarily, using a companys name, or other personally identifying information is not advised unless you want everyone to know who this network belongs to.
- Configure a WEP encryption key. Depending on the type of AP, this may take 16 hexadecimal characters, or 13 alphanumeric characters to create (since its 128-bit security). Most APs give you a choice of which to use. It is strongly advised that these codes be protected from prying eyes since they are the keys to the network. These codes will be needed later for configuring the client(s) so write them down and put them somewhere secure. At this point, the wireless network is active and configured. Bear in mind that minimal security is in effect.
- Configure the wireless Ethernet bridge to have an IP address that falls within the scope of the wired network.
- Configure the wireless Ethernet bridge to use the same WEP encryption key as the AP.
- Commit the changes on the Ethernet bridge, and connect your existing wired Ethernet device to the Ethernet bridge.
- Restart both the Ethernet bridge and the wired Ethernet device.
The now wirelessly connected device can be access the network using the same methods as when wired.
Scenario 2: Bridging Two Networks
In this scenario it is desired to wirelessly link two pre-existing wired networks. In this case, higher end hardware or do-it-yourself hardware can be used in place of other security mitigation techniques since the only wireless devices communicating with each other would be the two APs. Vendor specific or self-designed security measures may be more cost effective to implement. It is also beneficial to use higher end hardware that has IP routing capabilities instead of layer 2 Ethernet bridging capabilities in order to reduce the amount of wasted traffic over the wireless link. Please note that when APs are selected for this example, APs that support Point-to-Point and/or Point-to-Multipoint connections are needed. This feature is necessary for bridging entire networks. This example will assume Ethernet bridging with no more than 20 hosts between the two networks.
- Configure AP 1 with an IP address falling within the scope of network A.
- Configure AP 1 with a SSID. This is typically a word or combination of letters and numbers identifying the network. Ordinarily, using a companys name, or other personally identifying information is not advised unless you want everyone to know who this network belongs to.
- Configure a WEP encryption key for AP 1. Depending on the type of AP, this may take 16 hexadecimal characters, or 13 alphanumeric characters to create (since its 128-bit security). Most APs give you a choice of which to use. It is strongly advised that these codes be protected from prying eyes since they are the keys to the network. These codes will be needed later for configuring the client(s) so write them down and put them somewhere secure. At this point, the wireless network is active and configured. Bear in mind that minimal security is in effect.
- Configure AP 2 with an IP address falling within the scope of network A.
- Configure AP 2 with the same SSID as AP 1.
- Configure AP 2 with the same WEP encryption key as AP 1.
- Configure the devices within network B to fall within the scope of network As IP address range.
Real World Application Example
Sealevel Systems family of SeaI/O devices offer control and monitoring of optically isolated inputs, Reed and Form C relay outputs, and TTL interface to industry standard solid-state relay racks. SeaI/O devices are available with several options for connecting to the host device, including Ethernet 10/100BaseT.
Using the steps listed in scenario 1 above, SeaI/O devices have been successfully connected to wireless networks through standard APs. The below figure shows a SeaI/O device configured to operate with a Netgear ProSafe 802.11b Wireless Access Point on the child network and an Orinoco/Proxim AP600 802.11b Access Point on the parent network.
Authors Note: If you run into problems getting things up and running with MAC filtering, Ive noticed that on a few canned EthernetWireless bridges, when they initialize, the MAC Address will shift from the Ethernet to Wireless bridges MAC address to the wired Ethernet devices MAC address. In doing so, the ARP entries will get corrupted and consequently MAC filtering/RADIUS servers will reject the connection while the changeover is occurring and the device will not be able to connect.
This document is meant as a beginners tutorial. If you are interested in designing advanced wireless networks, there are plenty of good resources available::
OReilly®
http://www.oreilly.com publishing has numerous excellent books on wireless technologies, security, advanced implementation, and hacks. Ask around.
Mikrotik
http://www.mikrotik.com and StarOS http://www.star-os.com are two embedded operating systems dedicated to building wireless routers and APs. There are plenty more out there.
Linux
http://www.linux.org Its configurable in ways people havent even thought of yet. You can build an extraordinarily powerful wireless system from Linux, but be prepared to spend a lot of time getting things “just right”.
- 802.11: Standardized in 1997 and provided 1-2 Mbps of bandwidth. Uses DSSS (2.4GHz ISM), FHSS (2.4GHz ISM), or infrared encoding. Most 802.11 radios are interoperable with 802.11b and 802.11g systems that also use DSSS. This is a standard that is no longer used.
- 802.11a: Standardized in 1999 and provides up to 54Mbps of bandwidth. Uses OFDM (5.8GHz UNII) encoding.
- 802.11b: Standardized in 1999 and provides up to 11Mbps of bandwidth. Uses DSSS (2.4GHz ISM) encoding.
- 802.11g: Standardized in 2003 and provides up to 54Mbps of bandwidth. Uses OFDM (2.4GHz ISM) encoding for high speed and is backwards compatible with
802.11b when using DSSS (2.4GHz ISM). - Ad-Hoc: Radio mode where the radio does not associate with an AP and is in a peer-to-peer type mode.
- DSSS (Direct Sequence Spread Spectrum): Physical layer encoding method.
- FHSS (Frequency Hopping Spread Spectrum): Physical layer encoding method (obsolete).
- ISM (Industrial Scientific Medical): FCC Approved spectra for unlicensed use: 902MHz-926MHz, 2.4GHz 2.5GHz, and 5.725GHz 5.875GHz
- MAC (Media Access Control): Typically referred to as MAC Address. 6 Byte unique hardware identifier on network devices.
- OFDM (Open Frequency Division Multiplexing): Physical layer encoding method.
- RADIUS (Remote Authentication Dial-In User Service): A user authentication method typically used for incoming users to dial into a corporate network via standard phone lines or a VPN (Virtual Private Network). This service has been is a useful method for authenticating client radio MAC addresses when connecting to an AP.
- SSID (Service Set Identifier): The SSID identifies unique wireless networks. This ID is set by the network administrator and is used to differentiate between multiple separate networks or identify one large network comprising of multiple APs.
- UNII (Unlicensed National Information Infrastructure): FCC Approved spectra for unlicensed use: 5.15GHz 5.35GHz and 5.725GHz – 5.825GHz.
- (W)AP/(Wireless) Access Point: Typically provides between one and eight standard 10/100BaseT Ethernet ports (hub or switched) and a WiFi® endpoint.
Also: Mode of operation on a radio where the radio is defined as being a point of entry to a wired network (many clients to one AP also called Infrastructure mode), bridged wireless network (many clients to one AP that bridges to another AP), or a wireless bridge (wired AP to another wired AP effectively bridging two wired networks). - WECA (Wireless Ethernet Compatibility Alliance): Non-profit standards body ensuring compatibility with the IEEE 802.11x standards.
- WEP (Wired Equivalency Privacy): Basic 56bit, 128bit, or 256bit packet encryption used for marginal security on wireless networks.
- WiFi® (Wireless Fidelity): Friendly term for any of the Wireless Ethernet