
Network World

Craig Mathias

Shields Up: Meru Redefines WLAN Security

By Craig Mathias on Mon, 07/28/08 - 9:31am.

One of the most interesting (and perhaps even possible) elements of the Star Trek franchise was the shield. A hostile ship appears, the captain barks "shields up!", and voilà, an energy barrier impervious to most everything appears. This is electromagnetic physical security at its best.

So wouldn't it be nice if such were possible in the wireless LAN world? We most certainly have excellent Layer-2-and-above security today, with a combination of WPA2 plus a VPN plus strong (ideally, two-factor) authentication plus IDS/IPS the basic gold standard. But, as I've noted before, when it comes to security, you're never done. The biggest threat to the security of a wired network is at Layer-1; someone gets access to the wire and all bets are off unless upper-layer security along the lines of what I outlined above is employed, and that's not all that common on wire.

Until today, Layer-1 security of WLANs was a good idea that no one had brought to market. I've worked on two such projects over the years; it's, um, difficult at best. But the idea of a shields-up approach to WLAN security - making a WLAN inside a building invisible outside the building - has now been realized by Meru Networks with their RF Barrier "AirFirewall" product, just announced today.

Meru didn't tell me exactly how their implementation works; there are patents in the works. But the basic idea is to install an outdoor antenna on each side of the building to be protected, and the remaining logic in the system (which is integrated with Meru's management console) jams "indoor" traffic when it tries to go outdoors. Someone outside the building would thus see nothing - no frames to sniff, no network to hack. Quite literally, this is a shield (or "cloak") that there's no getting around. Note this solution requires some installation, but it's basically hands-off in operation apart from checking the logs every now and then. It is, however, Meru-specific, at least at present, although it could conceivably be adapted to other architectures and implementations. But best of all, it's incredibly inexpensive - I would even call it cheap for what it does, with a starter kit running around US$4,000.

Meru has rapidly become one of the most visible and innovative WLAN suppliers. They got started, of course, with the idea of the "horizontal" allocation of WLAN channels, as opposed to the "vertical" cellular model used by all but one of their competitors. While the WLAN architecture wars will continue for some time, Meru has won a number of big deals. But what's really interesting about their strategy is the announcement of add-ons, like their "virtual reality" coverage analysis tool, and now the AirFirewall. This is smart marketing - as the WLAN market commoditizes (and such is inevitable as all suppliers have .11n and the rest of the basics, no matter as to specific channel allocations and such), differentiation will come from higher-level software, adjunct products that enhance the value of the basic required functionality, and having the right channels to move and support the gear. A little outside-the-box thinking and technological innovation can go a long way, and Meru can now claim the most comprehensive security solution available from any vendor.

I can't wait to take this product out for a spin. In the meantime, I'm impressed - very impressed, and I don't say that often.

Legal


Details on this product are sketchy but I would have doubts about the legality of it in the UK at least. In the wrong hands such a product could create mayhem. I would be very interested to see what Ofcom have to say about this!

I don't think it "jams"


Hi Craig

The Meru release isn't very clear, but from emails with them, I don't think it "jams" the RF signal so it's not visible outside the building. It's more what you elsewhere call a "cloak".

My contact at explains that the system broadcasts a lot of extra 802.11 frames whenever there is real Wi-Fi traffic, using directional antenna to make sure they stay outside the building.

So outsiders don't see "no" Wi-Fi frames, they see too many to make any sense of them. It's sort of Wi-Fi chaff.

I think it only shoots out the spurious signals on the same channel and at the same time as the genuine traffic, so it won't disrupt signals in the neighbouring Starbucks.

This is a very interesting technology though. My query is whether they can be absolutely sure none of the spurious signals will bounce back into the building and spoil the real WLAN.

Peter Judge, Techworld
(my news story isn't live yet, but will be at Techworld

The Details are Missing


You could be right. I'm not sure how this specific product works, but I have, as I noted, looked into a number of techniques applicable here. As for the product in operation, like I said, I can't wait to try it!

Thanks for the note.

Craig.

FCC proposal could prevent such techniques


FCC proposal entitled "Etiquette Rules and Procedures for Unlicensed Bands" would require, if adopted, a "Listen Before Talk with Channel Wait Time (LBT-CWT)" protocol. In this case, the "cloaking" technique of broadcasting overlapping frames on a channel concurrent with legitimate traffic would be in violation.

Nice gimmick, but hard to see any real value (anyone still using open networks)?

I don't think that applies here...


If you are referring to Docket 07-117, it appears that this only applies to the 902-928 MHz. band. Regardless, a spectrum etiquette technique was put in place for the unlicensed PCS bands, which are now largely ignored for just that reason. And how are you going to go back and retrofit equipment, still in use, that was manufactured a decade or more ago? I don't think there is much to worry about here.

And this concept has little to do with open or secured networks. Many potential customers will undoubtedly conclude that simply disabling SSID broadcast and turning on WPA or WPA2 with some form of upper-layer security is sufficient. This is, perhaps, a suspenders-and-a-belt approach, but one which many operators of critical services will no doubt appreciate.

Thank you for the note.

Craig.

Etiquette rules ...


I'm referring to

http://research.microsoft.com/users/bahl/Papers/Pdf/FCC_proposal_v12.pdf

which covers all unlicensed bands, but only new channels. It's true that legacy bands would not be covered, but why implement a solution that could leave some channels exposed?

"And this concept has little to do with open or secured networks."

I disagree. The only reason to cloak a transmission is to prevent it from being read by an unintended party. Secure transmissions can't be read, so why cloak them? Unless you believe WPA and WPA2 aren't secure.

Mostly just a marketing gimmick, in my opinion.

Well, if Microsoft Says So...


...then you must be correct! But I don't think so. Any solution only has to cover the channels in use. The rules won't change here. No worries. Sure, the regulations could change, but a wholesale change like this won't fly. IMHO.

And this is a suspenders-and-a-belt approach, as I noted. No security technique is 100% secure. Two less-than-100% solutions working together are, however, better than one. Whether this is a good idea in any given case is up to the organization involved, but this is not a gimmick.

Thx. Craig.

Why Cloak?


Why Cloak?

Simply because wireless data can be captured whether it is encrypted or not.

The security assumptions in WPA and WPA2 are (1) better credentialling of users before network access and (2) stronger encryption (where most faith in wireless data privacy is placed). Unfortunately, (1) is vulnerable to human error and mischief, not to say operationally expensive to effectively achieve, given the diversity of wireless devices; and, (2) is pretty much betting only against real-time decryption of captured data and ignores off-line processing. Thus if you can prevent the data itself from being captured you have solved the problem at its very root.

Root canal


"(2) is pretty much betting only against real-time decryption of captured data and ignores off-line processing."

Yes, given a large amount of time and computing power, strong cyphers can be broken in a short enough time that it still matters.

I think this is far less likely than such a sophisticated hacker just unplugging the cloaking AP (it's outdoors, right?).

(to save you the post, yes, I know you can enclose the AP in a titanium case, wrap the antennas with barbed-wire, etc. etc.)

Open Wireless


There are a bunch of reasons to use open networks, this would have a huge application in a Hotel Network, they have fully open networks because no one wants to tell granny that she needs to enter in the 12 letter case sensitive password.

Also combine the fact that Hotels are usually found next door to each other and you have a real value behind this product. I for one am looking forward to this wireless cloak, I think it will be fun to see how good it works.

About Nearpoints

Mathias is a principal at Farpoint Group, a wireless advisory firm in Ashland, Mass.