Lan Security
Local Area Networking has grown to the point where it is no longer
a novelty but a necessity. LANs are used to provide ready access to information
on which our businesses, research centers, hospitals, and military make
important decisions. The LAN extends from the company's financial departments
to shipping to receiving, from the factory floor to the designer’s desk.
All require the constant unimpeded flow of data in and out. It has in essence
become the blood veins of the company. A small glitch in the communications
can cause tremendous stress. A clogged artery can bring the company to
its knees.
The protection of this information is of great concern, not just to the military but now to the corporate community where the protection of company classified information is viewed as a necessity. With the advent of wireless LAN communications the security question is obvious. This document twill attempt to answer these questions with respect to the Direct Network Services Wireless Ethernet LAN System.
The Wire Myth - How Secure is Your Network?
The common misconception is that if one has a wired LAN, the bits stay
on the wire. However if one is using a wireless LAN, the bits are flying
all over the place. Get your A.M. radio out, tune it to 802.3 and listen
to the top 10 megabits.
The reality of the situation is that wire, particularly unshielded twisted pair (UTP), is an unintentionally designed radio LAN. UTP acts as an antenna array which radiates baseband signals. This radiation is easy to detect and decode with relatively simple technology.
Spread Spectrum
Brief Background
Spread Spectrum Technology (SST) has been used for more than 40 years,
mostly for covert military communications. The earliest patent construed
by the U.S. patent office as being spread spectrum was filed in 1924 by
Alfred N.Goldsmith. Robert Scholt who wrote "The Origins of Spread Spectrum
Communications" states that one of the earliest applications of spread
spectrum was the communications link between Roosevelt and Churchill during
W.W.II. (at the time, the technique was not known as spread spectrum)1.
The actress Hedy Lamarr also has a patent for a spread spectrum radio system
used to guide torpedoes so that the radio guidance signal could not be
detected or jammed by the target ship.
The U.S. Army began using spread spectrum in the 1950’s for Electronic Counter Countermeasures (ECCM). Its characteristics of Low Probability of Interference (LPI), Low Probability of Detection (LPD), and Antijam (AJ) capability proved immensely valuable in electronic warfare (EW).
"Spread Spectrum signals are designed to provide negligible interference to the communication of other existing users and indeed, it is difficult to determine if a spread spectrum signal is actually present. We call characteristics of this type Low Probability of Intercept (LPI) and Low Probability of Detection (LPD); they are requirements for successful military communications. It is these LPI and LPD features of spread spectrum that will allow transmission between users of a spread spectrum network without the existing users experiencing significant interference." Shilling, Milstein, Pickholtz, Kullback and Miller; Spread Spectrum For Commercial Communications, IEEE Communications, April 1991.
The implementation of spread spectrum was not without its difficult times. Synchronization and multipath problems were laboriously solved with extremely complex engineering designs, and for this reason was almost exclusively used in military applications until the early 1980’s.
In the past ten years or so, it has been utilized in a few, special non-military applications. The NASA space shuttle S-Band communications links implemented spread spectrum for interference avoidance. The tracking and Data Relay Satellite System (TDRSS) program was used for multiple access purposes in which several users simultaneously share the same satellite repeater power and bandwidth.3
The cost of the technology required have kept spread spectrum communications development from entering the commercial markets until just recently.
Spread Spectrum Basics
For those readers who are interested in learning the technical details
on spread spectrum, the reference list at the end of this article is a
good starting point. For the rest of you what follows is the Reader’s Digest
version.
The basic idea of SST is to widen the bandwidth of a given signal prior to transmission by a multiple that is many times its original bandwidth as shown in figure 1.
The purpose of spectrum spreading varies with the application but is usually connected with security in someway.
Low Power = Less Detectable
The two main spread spectrum techniques are direct-sequence spectrum
spreading and frequency hopping. Both techniques spread the transmitted
power over a wide frequency band so that the power per unit bandwidth (watts
per hertz) is very small; then at the receiver the signal is compressed
into its original narrow band. For example, a 1-watt, 100 - Kilohertz-
bandwidth signal might be spread over a band that measures 100 megahertz
at the transmitter. The signal’s effective interfering power would then
be one-thousandth its original power, or 1 milliwatt to a conventional
(non spread spectrum) receiver occupying a 100kHz band.
"The decreased power per unit bandwidth makes the signal less detectable. With a sufficiently high spreading factor, the presence of the SST signal may be completely undetectable by any receiver except one possessing the proper knowledge (code) to despread the signal". Zenko, Breakthrough in Radio Technology Offers New Application Options, IEEE Communications 1989.
Pseudorandom Encoder
Before the signal is spread is must be passed through a pseudorandom
encoder. The modulated signal’s amplitude changes continually between two
states, high and low or+1 and -1 respectively. A logic chip alternates
the amplitude so that the signals seem to be random. Over a long enough
period, the numbers or +1’s and -1’s are about equal. The encoding is required
to prevent consecutive 1’s or 0’s from interrupting signal tracking.
"Cryptographic capabilities result when the data modulation cannot be distinguished from the carrier modulation, and the carrier modulation is effectively random to an unwanted observer. In this case the SS carrier modulation takes on the role of a key in a cipher system. A system using indistinguishable data and SS carrier modulations is a form of privacy system" R. Schmaltz, The Origins of Spread Spectrum Communications, IEEE Transactions On Communications, Vol.COM-30, NO. 5, May 1982.
Signal Modulation
After the signal spreads, it can then be modulated. There are many
ways to modulate a spread spectrum signal. In short, the modulation technique
converts the raw data bits into symbols representing two or more data bits.
Binary Phase Shift Keying (BPSK) is a standard method. Direct Network Services
uses a much more complicated 16 PSK trellis encoding method, exchanging
4 bits of data for one phase shifted symbol. This further reduces the odds
of decoding the signal while increasing the throughput and reliability.
The Bottom Line
In conclusion, the bottom line on the security of spread spectrum radio
systems is that they provide a formidable barrier to the interception and
disruption of data transmission.
"An expert in the field who went to the trouble and expense of building a spread spectrum receiver and finally determined the spectrum spreading pattern could pick up a spread spectrum signal - but it would not be easy. Certainly, a casual listener would not be able to intercept messages." Schilling, Pickholtz and Milstein, Spread Spectrum Goes Commercial, IEEE Spectrum, August 1990.
The Direct Network Services Wireless Ethernet LAN System employs features in addition to SST that further enhance both the reliability and security of the system. Each Wireless Transceiver must be manually registered with the Direct Network Services Wireless LAN Hub before it can receive and transmit data over the wireless network. The identification of these Wireless Transceivers are based on the unique serial number set at the time of manufacture. To add new Wireless Transceivers to the network would require physical access to the Wireless Hub or SNMP management which has an additional level of password protection.
The system operates in full duplex at two different frequencies: 2.4 GHz and 5.8 GHz using one for transmit and one for receive. With the established low probability of detection of a spread spectrum signal, the data would have to be decoded on separate frequencies. This further reduces the chance that an intruder may acquire data.
The System is designed around a hub architecture. The Wireless Transceivers cannot communicate directly with other Wireless Transceivers, they may only communicate through the Wireless Hub. This eliminates the possibility of an intruder tapping the network and acquiring radio protocol management of the network, a must if the intruder wants to enter the network.
Full SNMP management capability (MIBI and MIBII) as well as a proprietary radio MIB provides a Centralized Network Management System that can constantly monitor the network. Any changes in the Network can be seen immediately as well as reviewed from a log file.
LAN Security Standards
It is very important to realize that network security is not an issue
for just one media type. The network manager first needs to determine the
appropriate level of security needed for the data being sent on the network.
The next step is to insure this security level is maintained from point
of origin of the data to its final destination. This security must be provided
as the data moves over coaxial cable, twisted pair cable and wireless systems.
To address the global LAN security issue the IEEE Computer Society has formed the 802.10 LAN Security Working Group. The charter of this group is to develop a standard of Interoperable LAN Security.
The IEEE’s security panel, known as 802.10B, is working to produce a secure data exchange protocol for all LAN devices. When final, this protocol will specify the frame format and processing requirements necessary to encrypt and decrypt data within and 802 data frame at the logical link control (LLC) sublayer of the data link layer (layer 2 of the OSI basic reference model). The standard will also address the management of cryptographic keys at the application layer (layer 7). The 802.10B LAN Security Working Group’s proposed protocol is fully compatible with the Direct Network Services Wireless Ethernet LAN System. In fact any encryption system that supports 802.3 Ethernet connections will work transparently over Direct Network Services Wireless LAN’s.
The standard being developed by 802.10B LAN Security Working Group "will be independent of the particular encryption standards themselves," says Brian Schanning, a strategic product planner at UB and a member of the 802.10B committee. "It will be up to the user to decide what particular security algorithm to implement," he adds. "There are a lot of reasons why different companies use different security products, and the IEEE wants to leave that to the marketplace."
Is Direct Network Services Wireless LAN’s Secure?
The Direct Network Services Wireless Ethernet LAN System is clearly
more secure than conventional wired LAN technology because of Spread Spectrum
and the use of additional security features described in this paper. The
likelihood that someone would even attempt to design a receiver to de-spread,
de-code, de-modulate and de-cipher Direct Network Services Wireless LAN
transmissions is highly remote when the "air is alive with the sound of
baseband". After all, even corporate spies have their budgets.
Conventional wired LAN technology as it is today can be compromised with less difficulty than most data security persons would like to admit. The purpose of this paper is not to set off undue alarm regarding your wired LAN’s. Most corporate LAN security standards are reasonable enough to keep the average spy from exploiting electronic media via RF. The cost for such tactics are extremely high. However, the only truly secure network is one that encrypts data end-to-end and employs TEMPEST security standards.
1 R. Scholtz, "The Origins of Spread Spectrum Communications, IEEE Transactions On Communications, Vol. Com-30, No. 5, May 1982.
2 P.Sass, "Why Is The Army Interested In Spread Spectrum?", IEEE Communications Magazine, July 1983, pp 23-25
3 W. Zenko, "Breakthrough In Radio Technology Offers New Application Options", IEEE Communications 1989, CH2789-6/89/0000-0384
R. Dixon, "Spread Spectrum Systems", Second Edition, John Wiley and Sons, 1984
Home
