Five Essential Elements of WiMAX Security

Security was a key failing of older broadband wireless systems. The reason is easy to comprehend---any network that transmits its data over wireless signals rather than wires is inherently more exposed to interference, intrusion or assault. This doesn't mean solid broadband wireless security is impossible, just much more difficult.

Happily, as broadband wireless networks have matured, security features have improved. Even the tried-and-true Wi-Fi and proprietary networks already widely deployed have improved their security protocols.

With the advent of WiMAX, the security toolsets available to broadband wireless service providers have reached all-time highs of functionality. Today's WiMAX networks can be secured more effectively than ever before. However, as important as securing the WiMAX network is, there are additional considerations that carriers should evaluate as part of a thorough security implementation. In fact, there are five primary aspects of WiMAX security that should be considered when designing a security plan for your WiMAX network. These range from mitigation techniques at the physical layer, to improved wireless authentication and encryption, to intrusion protection and data transport security.

At each level, choices in implementation and security levels can be made, although in the case of the physical layer the options are limited. Let's start by looking at some of the attacks that can be mounted, along with some of the enhanced tools that WiMAX, particularly 802.16e WiMAX, offers.

Physical Layer Security

There are two basic types of attacks that can affect the physical layer of WiMAX. One is jamming and the other is packet scrambling. The first is relatively straightforward, and is sometimes the result of interference rather than a deliberate attack. Jamming consists of a signal stronger than the WiMAX network's overwhelming the network's data feeds, either in intermittent bursts or with sustained carrier waves.

Since most WiMAX network services are delivered over licensed bands (currently 3.5 GHz internationally and 2.5 GHz both internationally and in the US), the spectrum is relatively quiet from accidental interference. Accidental interference in licensed spectrum cannot be completely discounted, however, because of what are called second and third harmonics: much lower frequency signals whose harmonics fall near the WiMAX band can, if their transmitters sit in close physical proximity to the WiMAX antenna systems, locally overload the WiMAX signal. Harmonics are integer multiples of the fundamental frequency. This means that a signal at 850 MHz, for example, has a second (and much weaker) harmonic at two times this frequency, or 1700 MHz (which could affect some AWS spectrum in this example), and a third harmonic (weaker still) at 2550 MHz. In practice this is fairly rare.

Leaks from other carriers' equipment also occasionally occur within equipment rooms at the tower. These can usually be detected in planning sweeps with a spectrum analyzer before installation, and notch filters or band-pass filters on the specific equipment can usually clear these issues up promptly. Constant jamming, whether malicious or otherwise, can usually be found pretty quickly using a spectrum analyzer and directional antennas to triangulate the signal. Intermittent jamming or interference is more maddening to locate, but is also less intrusive to the network, resulting in some packet retransmission and slowdowns but less often in blanket outages. A good spectrum analysis conducted prior to deployment and intermittently thereafter (to detect newly installed gear) can go a long way toward defeating this problem. At some point most WiMAX service providers will face some type of interference or jamming problem.

Packet scrambling is an attack in which control packets in the respective downlink and uplink subframes are sniffed, then scrambled and returned to the network. This attack is much harder to mount than a jamming attack.

"Since most WiMAX networks today use time division duplexing (TDD), wherein signals are sliced via time slots, an attacker can parse this timing sequence and capture control data, the preamble and map, scramble them and send them back with correct timing to interrupt legitimate signal, resulting in slowdowns and effectively lowered bandwidth," said Andrew Useckas, chief technology officer for NetSieben Technologies.

Intercepted and scrambled packets are possible with frequency division duplexing (FDD) as well, which transmits the uplink and downlink simultaneously, but the attack is even harder to exploit than on TDD systems.

While it may seem the physical layer is inherently the most vulnerable, since the security elements of WiMAX are located at higher layers, the fact is that hackers can often find lower-hanging fruit higher in the stack. Because WiMAX lets service providers choose among several authentication options, the choices made can sometimes leave the door open for them.

Authenticating Wireless Transmissions

At the media access control (MAC) layer of WiMAX, the control or MAC header portion of transmissions is not encrypted. This is deliberate, in order to facilitate the working of the MAC layer. Not to fear: this does not mean WiMAX is insecure. But it does present some choices for the carrier.

Traditionally, the first level of security authentication for older broadband wireless technologies has been MAC authentication, and WiMAX supports this, although hopefully providers don't settle for this method. This technique lets service providers log permitted MAC device addresses and allow only those addresses to access the network. Hackers long ago figured out how to spoof these. A second, newer and much better choice is the built-in support for X.509 device certificates. Lastly, the extensible authentication protocol---transport layer security (EAP-TLS) method, added with the 802.16e standard, adds an additional layer of authentication security to the mix. So what does this mean in real-world terms? It is helpful to look at some of the potential exploits at this level to illustrate the value of better authentication systems.

"If a base station is not set up with adequate authentication measures, an attacker can capture control packets and pose as a legitimate subscriber even with older MAC device authentication enabled," added Useckas.

However, the X.509 certificate makes it very hard for an intruder to impersonate a subscriber. The X.509 certificate is embedded in WiMAX subscriber units and provides public key authentication. This means that a WiMAX base station can identify legitimate subscriber stations quickly and easily. Unfortunately, this is a one-way protocol.

"The X.509 protocol is very good," said Useckas. "However there is no way to verify if a base station is authentic with subscriber side X.509."

Useckas added that if an interloper ratchets up the power on a rogue base station, captures control packets from a legitimate base station transmission and then spoofs the timing sequence of the TDD signal that the subscriber unit expects to receive, it is very possible to hijack subscriber traffic.

Enter the EAP-TLS authentication method. This technique, added with the 802.16e standard, allows the subscriber and the base station to authenticate each other, using X.509 certificates on both sides. We noted earlier that MAC control headers are never encrypted in WiMAX; with EAP, however, carriers can choose to authenticate them (though they don't have to). This approach is called hashed message authentication code (HMAC) and uses a keyed hash built on a secret key shared by the two sides.

"The hash appends at the end of the message itself," said Useckas. "When messages are received the base station generates its own hash to compare to the one received from the subscriber using its private key to compare them."

This adds an additional layer of authentication confirmation. The downside, Useckas adds, is that all of this requires processor cycles. So a clever hacker could send thousands of messages with HMACs attached, forcing the base station to burn processor cycles comparing them---effectively resulting in a denial of service attack.
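The keyed-hash check just described, as an added example that is not from the article or from any WiMAX implementation: the sender appends an HMAC to a management message, the base station recomputes and compares it, and a cheap per-subscriber token bucket runs ahead of the hash so that a flood of bogus messages is dropped before it consumes hash computations. HMAC-SHA1, the shared key, the message contents and the rate limit are all constructed assumptions here.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed values (not from the article): a shared key as would be
# established during the subscriber's key exchange, and the SHA-1 digest size.
HMAC_KEY = b"constructed-shared-secret"
DIGEST_LEN = 20


def append_hmac(msg: bytes, key: bytes = HMAC_KEY) -> bytes:
    """Subscriber side: append the keyed hash to the management message."""
    return msg + hmac.new(key, msg, hashlib.sha1).digest()


def verify_hmac(frame: bytes, key: bytes = HMAC_KEY) -> bool:
    """Base station side: recompute the hash and compare in constant time."""
    if len(frame) <= DIGEST_LEN:
        return False
    msg, tag = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    expected = hmac.new(key, msg, hashlib.sha1).digest()
    return hmac.compare_digest(expected, tag)


class ManagementMsgFilter:
    """Token bucket per subscriber id: a cheap check placed ahead of the HMAC
    verification so that floods cost the base station almost no hashing."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate, self.burst = rate_per_s, burst
        self.tokens = defaultdict(lambda: float(burst))  # full bucket on first sight
        self.last = {}                                   # last refill time per id

    def accept(self, sub_id: str, frame: bytes, now: float) -> str:
        # Refill the bucket in proportion to elapsed time, capped at the burst size.
        elapsed = now - self.last.get(sub_id, now)
        self.last[sub_id] = now
        self.tokens[sub_id] = min(self.burst, self.tokens[sub_id] + elapsed * self.rate)
        if self.tokens[sub_id] < 1:
            return "rate-limited"        # dropped before any hash is computed
        self.tokens[sub_id] -= 1
        return "ok" if verify_hmac(frame) else "bad-hmac"
```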

This points up a conundrum for WiMAX broadband wireless carriers: even positive security choices can carry consequences. So while WiMAX has better tools than ever and supports MAC management header authentication onboard the radio, carriers may elect to shift some of the processor burden for authentication and data encryption to central office (CO) servers. We will discuss this more in the next section.

Encryption

Clearly, the first layer of defense for WiMAX operators is to authenticate a legitimate user on the network. Beyond that, WiMAX, with its 802.16e ratification, offers top-line tools for encryption of data. Older wireless iterations used the Data Encryption Standard (DES), which relied on a 56-bit key; this is now largely considered obsolete. WiMAX 802.16e still supports DES (and 3DES), but it also adds support for the Advanced Encryption Standard (AES), which supports 128-bit, 192-bit or 256-bit encryption keys. AES also meets the Federal Information Processing Standard (FIPS) 140-2 specification required by numerous governmental branches. This technology, which requires dedicated processors on board base stations, is robust and highly effective. But once again, the question is whether carriers should depend largely on onboard processing or shift to server-based third party solutions (some of which offer additional EAP authentication methods that are widely used in the enterprise---making interfacing easier) that provide more options in encryption. The former is almost certainly cheaper; the latter could offer additional advantages.

For his part, Useckas is firmly in the third party camp.

"I think it is better to push encryption to either a firewall server on the base station or central office side or to an operating system than to rely on the radio systems exclusively," asserted Useckas.

It behooves WiMAX carriers to look at various scenarios for their security needs and put a migration plan in place, if such appears needed, before deployment begins.

"In the past for example many cellular carriers focused on authentication and mostly ignored encryption," said Useckas. "Whether that will change as mobile service providers ramp up more broadband applications is an open question."

Up to this point we have looked at the physical layer of WiMAX security, the authentication options at the MAC layer, and the additional top-line AES data encryption that WiMAX now supports. Let's briefly examine the last two elements of a well-considered WiMAX security solution.

Third Party Intrusion Protection

In many ways examining WiMAX security options is like peeling an onion. It almost seems as if a new layer is revealed or required each time you delve deeper into it.

We have looked at techniques to mitigate physical layer issues such as jamming and scrambled packets. We examined WiMAX authentication schemes, which are a major component of a secure network. And we also spoke of data encryption (which we will examine more in the last segment). WiMAX possesses solid tools already built in.

But there are considerations beyond just good security that can drive a migration to third party intrusion detection and protection tools---namely, business case elements. Intrusion protection is not, however, data protection. These are two different classes of solution. Certainly good third party intrusion protection can monitor and secure a network's authentication. However, many solutions also offer worm protection, Trojan horse protection, and defenses against viruses, backdoor exploits and denial of service attacks, to name a few. Some of these elements are almost a business necessity for a wireless service provider and may justify the cost of an additional security suite from the outset. For other companies, a migration strategy toward enhanced tools makes the most cost-effective sense.

A good place to start is examining market and service scenarios. If your customer base is highly sensitive to data integrity (financial sector or hospital customers, for example), third party intrusion prevention systems can help segment customers from each other better as well as secure them from outside attack.

Or, in another example, a mobile network that offers just internet access and voice may wish to abrogate responsibility for data encryption and rely on session initiation protocol (SIP) signaling for its VoIP and on WiMAX native authentication tools.

These are just a couple of scenarios with limited data encryption needs. But what if your business model demands more?

Third Party Data Transport Security

Clearly, an AES-based data encryption system gives WiMAX excellent security in this regard. However, additional solutions that meet customer needs, such as virtual private networks, require different approaches. And Useckas, for his part, believes data transport security and authentication with third party tools can be a lot easier than most realize and confer a lot of advantages.

"If you force everybody to install a small piece of client software you can enforce EAP based authentication across your entire network for example," explained Useckas. "This also allows for an IPSec AES-based data encryption solution that supports tunneling and encapsulation of data."

Useckas added that these techniques are likely to become increasingly important to enterprise customers whose employees travel with laptops that need to access highly sensitive databases via VPN products.

Conclusions

For WiMAX service providers, the decision on how much native authentication (intrusion prevention) or encryption to utilize on the radio side probably turns on several elements. One is certainly the cost of third party intrusion protection or data transport security. Others are the type and level of service carriers wish to offer. For new deployments, carriers might for example choose to use onboard WiMAX systems initially and then shift security loads off the radio as the network scales in size, complexity and revenue. For other carriers, onboard WiMAX security elements may be more than sufficient for years to come.

What ultimately works best for your organization deserves a solid thought process that results in clear plans for migrating network security settings to meet evolving needs and maximize carrier resources.


Tim Sanders is President of TheFinalMile, Inc., a broadband wireless consulting group. His experience came from running a multistate Wireless ISP. He can be reached at 828-505-0702.