Not your fathers WiFi

Month

November 2011

4 posts

WPA2-PPSK; very undersold security feature

WiFi is the most secure and the least secure network technology there is. Or is it that WiFi is the easiest to implement and the hardest to implement? Or perhaps that WiFi is the most user-friendly and the least user-friendly network technology?

In my opinion, all of the statements above are true. If implemented correctly, WiFi is the most secure network technology there is (well, let us compare it to common WWAN networks such as cellular, WiMAX, etc., and to 802.3 wired networks). A discussion on this topic could fill up a book, so we will just take it for granted ☺.

However, there is a price to pay for security. The most secure option, 802.11 WPA2-Enterprise (802.1X port-based security), offers the highest level of security. To work, though, it requires management of, and easy access to, both the infrastructure and the end client devices. It requires appropriate network infrastructure. And it requires time and qualified personnel for implementation and maintenance.

On the other hand, there is the option of an open (in the full sense of the word) WiFi network. An end user just clicks on the available open network and gets connected. Even “better”, most operating systems will kindly offer the option to remember the network, so when the end user connects again (turns the PC back on) he will be connected to the network automagically.

There is also the option of using WPA2-PSK (I will not cover the WEP and WPA security protocols in this blog entry) with TKIP and AES encryption. While AES encryption is preferable and “more” secure, 128 bit TKIP (RC4 based) has not yet been broken. From the encryption standpoint, WPA2-PSK can only be broken by dictionary attacks (short, simple passphrases). When using a strong passphrase, WPA2-PSK is unbreakable to date. The problem with WPA2-PSK is that anybody who wants to connect to the network has to have the passphrase. This is okay for SOHO networks, but presents a big challenge to enterprise networks (the passphrase has to be changed regularly, it is difficult to prevent it from leaking, etc.). Once potential attackers get hold of the passphrase, all they have to do is capture the 4-way handshake and they can begin decrypting data in real time.

If we apply this to the verticals, we can see that WPA2-PSK is good for SOHO verticals, WPA2-Enterprise is good for big government and enterprise networks, and open and unprotected access is good for nothing (this author's humble opinion). Do not mistake a captive portal in combination with open access for a security feature, because it is not. Note that with 802.1X another problem occurs: the ability to maintain connectivity when roaming gets compromised, especially for real-time applications such as VoIP. While with normal WPA2-PSK a client roams within 50ms, roaming with 802.1X takes much longer.

So what about schools, hotels (the whole hospitality sector), smaller hot-spot operators, restaurants, bars, and even small to middle sized businesses? Implementing 802.1X in these verticals is both pricey and impractical. Providing WPA2-PSK is not enough. What about secure fast roaming?

Enter the WPA2-PPSK.

PPSK stands for Personal Pre-Shared Key or Private Pre-Shared Key. This technology is implemented by two vendors, Ruckus Wireless (as Dynamic-PSK™) and Aerohive Networks (Private Pre-Shared Key™).

What it does is combine the security of 802.1X (not quite, but close enough) with the simplicity and performance of WPA2-PSK. Where a WPA2-PSK passphrase has to be shared among everybody in the network, creating a single point of attack, PPSK allows a unique passphrase for every end client (device and/or user) in the network. Therefore, if a passphrase is compromised, attackers have to locate the end user/client (first difficulty) and capture the correct 4-way handshake to be able to decrypt the data payload. And even then they can do so only for this one client.
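The difference in exposure between one shared passphrase and per-client passphrases can be shown with the standard WPA2-Personal key derivation (PBKDF2 for the PMK, the 802.11i PRF for the PTK). This is an added example, not code from the original post or from either vendor: the SSID, MAC addresses, nonces and passphrases are constructed, and the per-client key table is a hypothetical simplification of the proprietary PPSK implementations.

```python
import hashlib
import hmac

SSID = "example-cafe"                      # constructed network name
AP_MAC = bytes.fromhex("020000000001")     # constructed AP address

# Constructed handshakes: client MAC, ANonce, SNonce. All three travel in
# cleartext during the 4-way handshake, so any listener in range sees them.
HANDSHAKES = {
    "laptop": (bytes.fromhex("020000000a01"), b"\x11" * 32, b"\x21" * 32),
    "phone":  (bytes.fromhex("020000000a02"), b"\x12" * 32, b"\x22" * 32),
}

# Hypothetical key tables: one passphrase for everyone vs. one per client.
SHARED = {"laptop": "one passphrase for everybody",
          "phone":  "one passphrase for everybody"}
PPSK = {"laptop": "laptop-only-key-7f3c9a",
        "phone":  "phone-only-key-b81e42"}


def pmk(passphrase, ssid=SSID):
    """Pairwise Master Key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk(master, ap_mac, sta_mac, anonce, snonce):
    """Pairwise Transient Key for CCMP (48 bytes: KCK, KEK, TK)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(master, b"Pairwise key expansion", data, 48)


def exposed_clients(leaked_passphrase, key_table):
    """Names of clients whose session key follows from one leaked passphrase."""
    leaked_pmk = pmk(leaked_passphrase)
    exposed = []
    for name, (sta_mac, anonce, snonce) in HANDSHAKES.items():
        real = ptk(pmk(key_table[name]), AP_MAC, sta_mac, anonce, snonce)
        derived = ptk(leaked_pmk, AP_MAC, sta_mac, anonce, snonce)
        if hmac.compare_digest(real, derived):
            exposed.append(name)
    return sorted(exposed)


if __name__ == "__main__":
    print("shared PSK:", exposed_clients(SHARED["laptop"], SHARED))
    print("PPSK:      ", exposed_clients(PPSK["laptop"], PPSK))
```

With the shared table every client's session key follows from the one passphrase; with the per-client table a leaked key exposes only its owner, which is the scoping the paragraph above describes.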

PPSK, while based on the standard, is a proprietary (different) implementation by each of two companies, Aerohive Networks and Ruckus Wireless, and the two have some similarities and differences. A little birdy told me that, because PPSK (as a generic term) has been patented, there could be a legal battle between the two concerning PPSK. If that turns out to be true, it would be a shame.

www.ruckuswireless.com

Ruckus Wireless implements its Dynamic PSK in combination with their Zero IT technology. First-time users connect to a wired port and authenticate via a captive portal with their unique login credentials. The credentials are checked against the ZoneDirector (controller) or an AAA server. Once authenticated, the user downloads a temporary applet to their PC, Mac, iPhone, etc. Dynamic PSK creates a 63 byte encryption key (unique for each user) while the Zero IT application configures the client device for the WLAN network. Once finished, the end client device is tied to this unique key and the ZoneDirector (Dynamic PSK authenticates the user's machine and not the user. If user authentication is mandatory, there is a second step available, the Web Authentication). The beauty of the ZeroIT method is that the end user is unaware of the passphrase and cannot compromise it by conventional methods.

If the end device is not supported by ZeroIT (Linux, terminal devices, etc.), the dynamic keys can be created in batches and stored in a spreadsheet for manual configuration. Dynamic keys have a configurable lifetime. When they expire, the whole process must be repeated.

In my experience, ZeroIT is more suitable for enterprise and education, as initial configuration still has to be performed. With batch key creation, the key can be given to the end customer on a receipt (bars, restaurants…) or on a coupon (hospitality sector).

www.aerohive.com

Aerohive's implementation of PPSK is similar. While they do not have automatic provisioning available, they do have a few features unavailable with Ruckus Wireless: manual setting of the expiration of an individual PSK, automatic mailing of generated keys to a single user or to users in bulk, and role-based PSK (dynamic VLAN, firewall, tunneling and QoS policies).

Which is better? I do not know. Each has its advantages, but both are unique in the WLAN world and are a great option for authentication when 802.1X and WPA2-PSK just don’t cut it. Here is the comparison chart of WPA2-PPSK for convenience:

source: http://www.theruckusroom.net/2009/06/the-greatest-form-of-flattery.html

Nov 29, 2011
It is the same EIRP, so why does antenna gain matter?

I had an interesting discussion yesterday with a potential client. He was curious why I had not used any omni antennas in the proposed design, but rather opted for sector antennas with higher gain.

“The power level (EIRP) is the same. You have to set it up on 200 mW (U-NII-1 power limit in my country). I understand noise considerations for using sector antennas in 2,4 GHz but this is a 5 GHz channel. You will get no noise on 5GHz! Omni antennas are much cheaper and will surely be enough here.”

Let me rephrase the dilemma. Is using 100 mW power on a radio with 3 dBi antenna the same as using 20 mW power on a radio with 10 dBi antenna? In both cases you have the same EIRP – 200 mW (I have disregarded the loss from the cables and connectors for the sake of better understanding. I am also using arbitrary numbers.)

Short answer? NO!

So let’s do a little math here, shall we?

Let us set up two nodes (AP) 200m apart in an outdoor environment. There is a clear RF line of sight available. In the first scenario we use 3 dBi antennas with 100mW power on both radios, and in the second scenario we use 10 dBi antennas with 20 mW power on both radios. In both cases, the EIRP is 200 mW.

If we calculate the free space loss (at 5150 MHz), the expected signal strength at the receiving antenna would be close to -70dBm. In both cases.

I said the antennas make a difference, didn’t I? Here is where the “secret” ingredient comes in. Antenna gain works both ways! Yes, it increases the magnitude of the output power, but, more importantly, it also increases the signal presented to the receiving radio. Therefore, the receiving radio will get a stronger signal if a higher gain antenna is used.

Let’s look at our calculations again. We have calculated that the signal strength at 100m will be around -70 dBm. Now let’s see how the 3dBi and 10dBi antennas affect this value and what gets presented to the radio.

With a 3dBi antenna at 200m, we present a received signal strength of -66.8 dBm to the radio, while a 10 dBi antenna gives us a received signal strength of -59.8 dBm.

Let me go even further. If I wanted to get the same Rcv signal strength using the 3dBi antennas, I would have to place the two nodes closer than 100m. Or, if the -66.8 dBm strength was my goal using 10 dBi antennas, then I could separate the nodes by more than 500m.

So there is the difference! If you can, spend more money on higher gain antennas. It is always better, especially in outdoor deployments, as you get a greater link budget.

There are also negative issues with using higher gain antennas, though. The radio will be presented with the stronger signal, but noise will also be stronger. Here is where the proper design is very important. But that is a topic for another blog post.

Nov 29, 2011
Best effort design

There was a discussion on Twitter last week amongst WLAN professionals about different kinds of antennas. It all started with an exchange of opinions about the Ruckus Wireless patented beam-forming antenna system, and later merged with a discussion about antenna polarization and the impact of MRC when penetrating walls and different obstacles.

Devin Akin argued that the polarization losses are negligible in indoor deployments and “if SNR is low at AP, then client is too far away from AP or there are RF obstacles. Bad design?”

I mostly agree with this. While not always easy or simple, a good design for an indoor network can be achieved even when using APs with simple rubber duck omni antennas, for whatever design goal is needed (I would still rather use Ruckus beam forming, though).

What about outdoor WLAN networks?

In my opinion, there are no good designs in outdoor networks, especially if we are talking about a WMAN or WWAN network supporting multiple applications (like VoIP/RFID applications). There are only best effort designs (my attempt at WLAN g33k humor).

The biggest difference between planning/designing an indoor and an outdoor network is the locations available for mounting wireless nodes. The most common places used are public lighting poles. In this post, I will not go into detail about all the troubles connected with lighting poles, but 24/7 electricity, mounting consoles and wire to the core also limit the number of appropriate locations available.

So how do we make a bad design a better design? I do it by using multi-radio nodes and directional antennas with circular and/or 45 degree cross polarization. As for power output, I always make compromises. The goal is to bring down the power as much as possible and try to equate it to the weakest client device. With laptops or smartphones that is around 30 mW. At the same time, I have to have coverage (Keith, coverage is not easy ☺). So I tune power up accordingly.

Hopefully, by now you understand what I mean by best effort design.

So how do I make the design better? I use “better” antennas. The antennas I use the most (80% of my deployments) are Luxul wireless antennas.

Luxul wireless antennas use circular polarization for better (optimal) RF performance. For those interested in learning more about the physics behind circular polarization, Wikipedia has a really good article about it: http://en.wikipedia.org/wiki/Circular_polarization

Source: www.wikipedia.org

Luxul has a wide range of antenna products available, but I almost exclusively use flat panel sector antennas for backhaul and X-WAV Hemispherical omni antennas for client access. Obviously, I use different gain and different patterns depending on the need and location.

Indoors, the distance (or rather the lack of it) does not really lead to any significant difference in performance when comparing horizontal, vertical, circular or slant polarization. Outdoors, when close to the AP, the performance is similar. However, an increase in distance from the AP results in a significant decrease in performance when using a vertically polarized antenna (in comparison to a circular one).

Below is a real world example: I have tested a Pacific Wireless omni antenna vs. a Luxul Wireless circular antenna. In both cases EIRP was set to 400 mW (I did the test on 100 mW EIRP also, but I can’t find results ☺. The performance difference was similar, though).

As you can see, even though the signal strength was better when using Pacific Wireless vertical omni antenna, the Iperf tests show much better performance using circular polarized antennas at greater distances.

Moreover, it is not just the distance. When doing wireless mesh, I must be careful about the backhaul connection as well. While most of the time I am able to achieve a clear line of sight (or rather RF line of sight), there are often obstacles like trees or buildings. Circular polarization makes my job much easier.

I also have a couple of hotels covered by the “outside in” method. Mind you, this is not conventional, but if the performance meets the demand, you will cover the hotel rooms much more easily (and much more cost effectively) that way. By using circular polarization I get enough signal penetration, so I can provide a good service for hotel guests (internet access, 95% DL). The number of APs used in this case is much smaller in comparison to an installation of indoor APs.


I have had little experience with MIMO outdoor antennas, but hopefully by next week I will receive the new 2x2 MIMO antennas from Luxul for testing. What they did is that they combined two flat panel antennas, one with left hand circular polarization and the other with right hand circular polarization.

I must also add that the installation of Luxul wireless antennas is very easy and that they are quite forgiving if you sometimes take a shortcut and install them not strictly by the book.

There are many “short cuts” made in this installation. But it works well nonetheless.

What antennas are you using for the outdoor deployments? If you have any good results or maybe even comparison between different vendors, please do share.

Nov 29, 2011
Right tool for the job

Everyone has a tool case of some sort at home. Every once in a while I need to tighten up a screw, cut something in half or just smash something. And I do not use one tool to do all of the tasks. I would not choose a hammer to cut something in half, for example. While some might use a knife to cut a paper I would probably choose scissors for the job, right?

Choosing the Wi-Fi equipment is similar.

As an independent WLAN professional, I have the opportunity to choose the best Wi-Fi equipment for the job at hand. I have hands-on experience with a limited range of professional Wi-Fi equipment; therefore, please feel free to comment. So here is my “tool box” (in no particular order):

Ruckus wireless:

Ruckus has made great steps in terms of making deployments easy and fuss-free. Their biggest advantage over other vendors is utilizing beam forming on the antenna side. They implement a number of vertically and horizontally polarized antennas in an AP casing (the number of antennas and thus antenna patterns varies in different models). Once the client is connected to AP, the AP chooses the best possible pattern by activating three antennas and directing the RF to the client. The rest of the antennas form the RF shield by blocking RF noise in the opposite direction of the client.

Together with the optimized RF, Ruckus uses a great multicast to unicast translation method, so you can stream up to two full HD streams through wireless in a somewhat polluted RF environment. Very easy and efficient for IPTV via wireless!

I mostly choose Ruckus for hotel environments, libraries, public hotspots and similar because they are really easy to set up and manage at an affordable price.

Ruckus is the OLFA blade in my tool case. Affordable, precise tool. Easy to work with and easy to manage.

Xirrus:

Xirrus products integrate up to 16 APs (twelve a/n radios and four a/b/g/n) into one single enclosure. To a layman this sounds like nothing special, but to more RF literate professionals this is amazing. Stacking more Wi-Fi chipsets close to each other is an accident waiting to happen. Xirrus manages to bypass the laws of physics by utilizing a combination of great material, great design and, not least, a proprietary SW that controls all of the integrated APs. This way, Xirrus nodes can provide access to a great number of clients in a small space. Integrated directional antennas also provide an extended reach.

I have very little experience with Xirrus nodes, but this will be my tool of choice for seminars, large gatherings, fairs and similar.

Xirrus is the sledgehammer in my tool case. It brings a punch when I need it.

Cisco systems:

Now, there is a name that every network professional is familiar with. Cisco uses good HW components, familiar management and (important!) the best documentation in the business. They are also making progress in development. One of my favorite new features is their utilization of the RF analyzer. Along with the Wi-Fi chipset of choice they use a dedicated HW for constant monitoring of the RF range the AP is operating in. If the budget allows for it, Cisco is (almost) always a good choice.

I use Cisco in enterprise environments, especially if there is VoIP or RFID involved.

With Cisco, the person wielding the tool is as important as the tool itself. Once it gets tough, it is extremely easy to get support from experienced Cisco wireless professionals. 

Strix Systems:

Definitely one of my favorite wireless vendors. Strix Systems is the only product for big outdoor mesh (proper, layer 2, low latency) deployments I currently know of. They do not use WDS, but a proprietary L2 protocol for mesh connections, while using up to 6 radios to keep the throughput high and latency low through multiple hops (10 hops is no problem for a Strix Systems network). They also have a product that allows fast roaming (up to 120 km/h in city environments and more than 300 km/h with trains) while maintaining the performance. There are only a handful of other vendors that successfully use multiple radios for mesh, but Strix is by far the most robust, easy to manage and even easier to scale solution.

Strix Systems is the scaffold in my tool box (yes, I carry a big tool box). Robust, scalable and up in no time. 

Mikrotik:

Now, here is an interesting product. Mikrotik produces its own RouterOS installed on a series of RouterBoards. RouterOS is a full blown router with some additional features like a captive portal and accounting, while RouterBoards are a series of HW products preloaded with RouterOS. You can build yourself a router, wireless router or an AP to suit your exact need. And the best thing is they are dirt cheap. If the project is not too big (demanding) but you still need a full range of functionality, Mikrotik is a good choice.

Mikrotik is also a good choice for the hospitality sector, especially small to medium sized businesses with a limited budget. The integrated captive portal and accounting features help, too.

Mikrotik is a Leatherman tool in my toolbox. I can do practically anything with it, but I would not count on it for heavy lifting.

So what is in your tool box? Please share, comment.

Nov 29, 2011