April 2002 Column




802.11b Considered Harmless?

Wireless is a curious word; it went out of fashion in the 1950's with the advent of the transistor radio. But it seems to be back in fashion again these days, with the advent of the ISO 802.11 standards family which sets a specification for ethernet-without-wires.

Linux has had a long association with radio data communications. Back in the early 1990's some of the first people to start hacking Linux for their own purposes were the radio amateur community. The AX.25 protocol which you might have noticed in your kernel is a throwback to that time; AX.25 is similar to the old OSI X.25 packet-switched networking protocol, and is used for carrying TCP/IP (and other) packets across the air, typically via packet radio.

802.11 networking (aka "Wi-Fi", according to Microsoft) has nothing to do with AX.25. Packet radio services run on frequencies allocated to radio amateurs. In contrast, WiFi uses a frequency band (2.4GHz) that was allocated originally for non-communicating devices such as microwave ovens. AX.25 packet radio systems are long range, typically up to several hundred miles. WiFi transceivers in contrast are very short range -- you need a booster station to carry the signal for more than about a hundred feet. AX.25 is a peculiar protocol that you tunnel TCP/IP packets over, but WiFi transceivers look very similar to regular ethernet cards to your computer. And AX.25 applications are typically low baud rate (2400 baud is not unusual) while 802.11 ... well, they wouldn't call it wireless ethernet if it wasn't measured in megabits per second, would they?

The ideal of 802.11 networking is this: suppose you work in an 802.11-savvy office. All the computers in this office have a wireless ethernet card. The cards are very compact spread-spectrum radio transceivers, and although they're short-range, the bandwidth available is large -- 802.11b, the current standard, provides 11Mbps (comparable with 10BaseT ethernet) while forthcoming developments may drive this up to around 1Gbps (in the same league as gigabit ethernet). Every couple of rooms contains an access point -- basically a base station that's wired into the ethernet backbone and, by way of a router, to the public internet. Where you work is irrelevant because there's a cloud of ethernet service all around you; you can pick up your laptop and walk from the zone covered by one access point to another and you won't notice any problems any more than you'll notice that you're moving between cells as you roam around yakking on your mobile phone.

Wireless ethernet is great, in theory: you need very few wires, and they're only used to connect routers and access points. (If you've ever had to help wire up an office with even ten PCs in it, _anything_ that reduces wiring complexity is worth selling your soul to Satan.) But there are a few drawbacks, and we need to know what these are before we start looking at how you use WiFi with Linux.

The first limitation on wireless ethernet is line of sight; there needs to be a clear path between wireless cards, or between your wireless card and the access point's aerial. The signal drops off very rapidly round corners and through thin wooden doors; stone walls block it almost completely unless you're using a (probably illegal) amplifier.

The second limitation is hardware compatibility. A number of different vendors produced early systems that are only semi-compatible with the final ISO standard, so you need to ensure that all your PCMCIA cards, and access points, are compatible -- ideally by using the same vendor. (One particular chipset designed by Lucent Technologies and originally marketed as WaveLan 1 and WaveLan II, then renamed Orinoco -- see www.orinoco.net -- is particularly widely used; this chipset is at the heart of Apple AirPort cards as well as many cheap 802.11b cards such as the NetGear MA401, and it's mostly well-supported under Linux.) Watch out for -- and preferably avoid -- 1800MHz or 6.4GHz cards such as the Siemens Radio Modem or RadioLan kit; these aren't compatible and (in the case of RadioLan) aren't supported under Linux. There's a HOWTO containing a fairly up-to-date list of supported vendors.

These limitations should be fairly obvious (use compatible equipment, make sure it's connected up or within radio range), but there's a third issue to consider, which is 802.11 itself. The ISO standard defines several different network types (that is, ways for wireless ethernet systems to inform each other of their presence and transfer packets), and there are issues surrounding routing, and authentication and privacy. When you plug a 10BaseT cable into a hub, and thence to another computer, your ethernet card is able to send and receive ethernet packets to other computers sharing the LAN. Send a TCP/IP packet out to a host identified by IP address or name, and your system first uses ARP (another IP protocol, Address Resolution Protocol) to broadcast a request -- wrapped up in ethernet packets -- for the host with the specified IP address to report its ethernet address, so that the high-level packets (TCP/IP) can be packaged up using the lower-level protocol (ethernet) and sent to the right machine. Wireless, however, has to deal with the possibility that you are working on a laptop and might move from a cell served by one access point to another (if you're walking around).

When setting up a Wireless LAN (WLAN), you've got a choice of channel -- you can select a radio channel for your network to run on: different channels run on different frequency offsets from the main 2.4GHz channel allocated to 802.11. Multiple WLANs on different channels can coexist without mutually interfering -- use channels where you might use a netmask on a TCP/IP network. You've also got a choice of network type -- AdHoc mode or Infrastructure mode. An AdHoc mode network is one where all the wireless-equipped computers act as peers; each card has a BSS (Basic Service Set) identifier, and there's no central access point.

Infrastructure mode is more common; it's intended for situations where an existing wired LAN has an access point plugged into it to provide connectivity for mobile users. This allows the mobile systems to attach to the LAN via the access point, which acts as a bridge, and also to send and receive packets to destinations on the wider internet (by way of a router or gateway on the LAN, and a leased line or modem or similar connection). At its simplest, you plug your access point into the wired LAN (via its ethernet port -- all access points have one, by definition), set a BSS on it, and set the same BSS on the mobile clients. If you want to link a whole gang of WLANs with different BSSs into a big network you can do so by setting an ESS (Extended Service Set) identifier on each access point.

Wireless is, well, wireless. As with all radio broadcasts, your ethernet packets can be intercepted. Wired ethernet networks are vulnerable if a stranger can plug a computer in, set its ethernet card into promiscuous mode (so that it looks at all passing ethernet packets, not just ones destined for itself), and run a program such as ngrep or snort to monitor the traffic. By the same token, wireless networks are vulnerable to passers-by with portable computers, wireless cards, and tools that allow the cards to sniff for radio traffic; the main tool for doing this is airsnort. AirSnort is a wireless LAN tool which recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. There's also wepcrack, which does what its name implies. The basic problem is, unless you live and work inside a Faraday cage you are much more vulnerable to wireless sniffing than you are to strangers plugging laptops into your wired LAN. There's even a gadget called the Locust that combines an 802.11b sniffer with a GPS receiver and a CF card slot -- so you can wander around surreptitiously building a map of local WLANs. It's really targeted at network engineers, but it has cracking uses as well.

Security is important. There's a fad in San Francisco for "drive by hacking", where hackers with laptops drive along a road with lots of offices, looking for unsecured WLANs that have active DHCP servers running on them; the DHCP server will happily give them an IP address and they're actively on the office's LAN. If the office has a leased line, this is a boon to spammers or denial-of-service attackers -- they can launch an attack using stolen bandwidth and be over the hills and far away without leaving any physical evidence. What happens in the tech world in San Francisco tends to happen here eighteen months later, so don't say I didn't warn you.

There's a flipside to security. Some coffee shops in the bay area have taken to providing free access points and unmetered net bandwidth: executives who stop by with a laptop and can work tend to buy more coffee. And as WLAN coverage can be boosted up to 60 km by line of sight with suitable amplifiers and antennae, a cottage industry has sprung up using WLAN technology to provide broadband internet access in isolated areas -- it's much easier to broadcast a radio signal than it is to dig a trench along 20 km of rural roads and lay a cable.

Access points (and 802.11b cards in general) support weak encryption using the WEP protocol. WEP provides 64-bit RC4 encryption -- but in practice, the first 24 bits of the key are fixed vendor-assigned numbers, weakening this to 40-bit encryption, which is crackable in real time using the right software. There's a hideously technical paper on Weaknesses in the Key Scheduling Algorithm of RC4 that explains what this means if you need the gory details. Newer cards are becoming available with 128-bit keys, but these are not widespread yet. Moreover, almost all WLAN cards and access points are sold with WEP disabled, as they come out of the box -- setting up WEP is another hurdle to overcome when establishing a WLAN. In fact, if you are wiring up an access point to a company's internal network, you would be strongly advised to treat the WLAN as being part of the public internet -- keep it outside your firewall because it is far easier to attack than your company's internal workstations.
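To make the structural problem concrete, here is an added example (not code from the column or from any WEP implementation) that models WEP's framing: a 24-bit IV is sent in the clear and concatenated with the fixed 40-bit key to form the per-packet RC4 key, so whenever an IV repeats, two frames share a keystream and the XOR of their ciphertexts equals the XOR of their plaintexts. The key, IV and payloads are constructed sample values; the RC4 routine is written inline so the script runs offline.

```python
import math
import zlib

IV_BITS = 24  # WEP's per-packet IV is only 24 bits, sent in the clear


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) then keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key40: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV (clear) || RC4(IV||key) XOR (payload || CRC-32 ICV)."""
    assert len(key40) == 5 and len(iv) == 3
    icv = zlib.crc32(payload).to_bytes(4, "little")  # integrity value is plain CRC-32
    ks = rc4(iv + key40, len(payload) + 4)  # per-packet RC4 key is just IV||key
    return iv + bytes(a ^ b for a, b in zip(payload + icv, ks))


def wep_decrypt(key40: bytes, frame: bytes):
    """Returns (payload, icv_ok): the receiver recomputes the CRC and compares."""
    iv, body = frame[:3], frame[3:]
    plain = bytes(a ^ b for a, b in zip(body, rc4(iv + key40, len(body))))
    payload, icv = plain[:-4], plain[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "little") == icv


def keystream_reuse(key40: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Same key and same IV: c1 XOR c2 == p1 XOR p2 over the common prefix."""
    c1, c2 = wep_encrypt(key40, iv, p1)[3:], wep_encrypt(key40, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n])) == bytes(a ^ b for a, b in zip(p1, p2))


def expected_frames_to_iv_collision(iv_bits: int = IV_BITS) -> int:
    """Birthday bound: about sqrt(pi/2 * 2^n) frames before some IV repeats."""
    return int(math.sqrt(math.pi / 2 * 2 ** iv_bits))
```

On a busy access point a few thousand frames is seconds of traffic, which is why a fixed key plus a 24-bit IV cannot stop passive monitoring.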

Two strategies to consider are: multiple firewalls, and a virtual private network. In a multiple firewall scenario, you have a leased line or broadband connection coming in to your LAN; this has a firewall between it and your core systems. When you add an access point, put a second firewall in series with the first one -- that goes to your broadband connection -- and put the access point between the two firewalls, effectively on a network spur. This ensures that external attacks (coming in from the internet via broadband) can be filtered before they reach your wireless clients, but it also (importantly) ensures that drive-by wireless attackers are kept out of your core systems.

The VPN strategy is harder to set up but makes better use of equipment (no extra firewall machines, for starters). Basically, you rely on WEP-encrypted WLAN for transporting packets -- but you establish a virtual private network using an encrypted tunnel (ssh for small stuff, IPsec if you're really serious about it) between your wireless devices and the insides of your network. The firewall can be set to block all non-secured connection attempts coming from the access point into your network. With this sort of defense in place you can be reasonably sure that only legitimate wireless users have access to your systems -- and that your wireless machines are defended, too.

I confess: I don't practice what I preach. My excuse is that I have a small home/office network in a building with foot-thick stone walls. I have an existing 10BaseT lan. Onto this, I added a NetGear ME102 access point, to provide connectivity for two WLAN-equipped laptops -- an Apple iBook with an AirPort card, and a Toshiba Portege with a NetGear MA401 PCMCIA card. This exercise in ad-hockery wasn't entirely satisfactory -- so what went wrong?

The first law of wireless networking seems to be "don't do things on the cheap". A NetGear MA401 is eminently cheap at GBP 65 +VAT, and it's a fine looking PCMCIA card with a little stubby aerial that sticks out the side of your laptop -- but it runs hot enough to fry an egg and it gobbles power: while there are various power saving settings to dink with using the iwconfig utility (in the Linux wireless ethernet utilities), nothing seems to cut consumption enough that it doesn't reduce my laptop's battery life by about 25-33%. (The Apple card, in contrast, is a gem -- no protruding bits, and no effect on battery life. Alas, it's not a true PCMCIA card and you can't install it in anything except an iBook. This is, however, good news for people who run Linux on an iBook, as I intend to do next month.)

The NetGear card and access point are commodity systems based on the Orinoco chipset, and provide true 802.11b compatibility. And the access point was a snip at GBP 110 +VAT. But again, I'd have been better off spending an extra GBP 80 on an Apple AirPort. While Apple ship a configuration utility for MacOS with the AirPort, a third-party Java application that runs under Linux is available for it -- and configuring your access point correctly is essential, because you've got to assign a BSS to it, tell it to run in Infrastructure mode, set its channel, kick it into using WEP encryption, and so on and so forth. The ME102 access point comes with a Windows application only. There are two ways of talking to it: via ethernet (you can set a TCP/IP address for it, and it will obey commands issued via SNMP, Simple Network Management Protocol), or via USB and a Windows application. In practice, attempts to talk to it via SNMP failed -- it just sat on the LAN and sulked. In the end I had to borrow a Windows box in order to brainwash it into submission.

It's also worth noting that the NetGear access point has some hideous security loopholes if you set it up as shipped. The ME102 is a rebadged Atmel VNET-B hub. Atmel's SNMP implementation (up to firmware version 1.3) was insecure: the MIB (management information block) includes sensitive information like the ESSID, WEP key, and MAC address for the Access Point itself. An attacker can in principle use this vulnerability for a Denial of Service attack (due to the fact that it will accept any community string to write to the MIB), or to gain control of the access point. As with so many other bits of hardware, you get what you pay for -- buy cheap and accept the risks, or pay a bit more and hopefully get something more useful.

So: Wireless networking -- is it worth it? If you use a laptop a lot, the answer is an unequivocal "yes". It'll cost you about seventy pounds more than an unequipped laptop, and give you complete freedom to work anywhere within range of a base station. It's an incredibly liberating feeling, especially if you need to move around your office and/or talk to other people, and hate having wires trailing everywhere. On a larger scale, it's an incredible time-saver for small to medium offices where the cabling problem is reduced to running 10BaseT out to each access point, one per office, instead of running 10BaseT out to every single desk. When the costs of cabling are taken into account -- having people climb around under false floors or install structured cabling runs in ceiling space -- wireless comes out much, much cheaper than the traditional alternative.

Situations where you don't want to use wireless are: extreme commercial confidentiality, exposure to neighbouring offices and passers-by, and when everyone has a permanent office and a permanent desk with a desktop PC on it. Desktop PCs don't really benefit from wireless networking (other than to save a single cable connection).

If you want to get started with 802.11b on Linux, the first place to look is in your documentation tree -- get the HOWTO. The second place to look is at Absolute Value Systems, an Australian company that is behind the linux-wlan package. Linux-wlan is a set of free WLAN drivers for Linux; here's the project FAQ.

Another vital resource if you're getting started is Jean Tourrilhes' website. He set up this site as an authoritative digest of all things wireless on Linux, with a special emphasis on 802.11, plus sections on Bluetooth and IrDA (which is wireless, if you stop to think about it). Highly recommended -- read this site before you spend money on an access point or a card! In particular, note that the HOWTO he maintains is not the same as the Wireless-HOWTO at tiscalinet.it; also note that he maintains links to the web pages of all the people who developed drivers for different cards, as well as notes on the drivers and their capabilities. Unfortunately nobody has yet collected all the information from all the HOWTOs in one place, and nobody's written (or completed) a Nutshell guide yet -- so you're doomed to do a round-robin of the web sites, collecting information and learning what system is best for you, before you buy.
