Wednesday, October 31, 2007
Alcatel-Lucent shows off WiMAX handoff in Dominican Republic
Alcatel-Lucent and Dominican Republic-based operator Onemax announced that they’ve completed the world’s first mobile handoffs on a commercial WiMAX 802.16e-2005 network in the 3.5 gigahertz spectrum band just one day after the companies officially launched the network.
Onemax executives, customers, local celebrities and government dignitaries were all on hand to view video telephony, high-definition streaming video, mobile broadband Internet access and Voice over Internet Protocol services in Santo Domingo, the nation’s capital. The services, which were supported with an IP Multimedia Subsystem (IMS) core, were delivered over the Onemax network to users traveling in a van.
“This achievement highlights the readiness of our network today, to offer a whole new range of compelling broadband services to residents of the Dominican Republic as well as visitors,” said Raoul Fontanez, Onemax’s CEO. “This collaboration with Alcatel-Lucent also is enabling us to give our customers and other distinguished guests a taste of some of the more advanced multimedia services that we will be able to introduce in the future.”
Onemax is the first service provider in the country to offer full nationwide wireless high-speed broadband Internet, multimedia and VoIP services, the company added. Alcatel-Lucent’s WiMAX Rev-e solution provides wireless broadband access in fixed, nomadic and mobile environments, the companies said.
“These achievements show that WiMAX is here today and poised to play an increasingly critical role in the delivery of mobile broadband services worldwide,” said Oliver Picard, president of Alcatel-Lucent’s activities in Europe and South America.
Infrastructure awards wrap-up: Colubris, Nokia Siemens Networks, BelAir Networks and more
The following list details this week's infrastructure awards for the cellular, Wi-Fi, and WiMAX industries. The contracts are broken down by transmission technology, country and vendor. The value of the contract is included when available.
Wi-Fi
--France: Colubris Networks said it has been chosen by Alcatel-Lucent and French operator SFR to provide Wi-Fi equipment for a municipal Wi-Fi network in Paris.
Miscellaneous
--China: Nokia Siemens Networks said it won a convergent charging deal with Guangdong Telecom to provide its charge@once convergent online charging solution for prepaid and postpaid online charging for future mobile and data subscribers. Nokia Siemens Networks also announced a deal calling for it to enhance railway communications for the Hefei-Nanjing line with GSM-R technology.
--Europe: Deutsche Telekom awarded a contract to Nokia Siemens Networks for managed services and next-generation network modernization.
--United States: BelAir Networks said it has been selected by RedMoon Inc. to provide its wireless broadband mesh equipment to cover the town of Addison, Texas. Also in the United States, Cellular South awarded a contract to Alcatel-Lucent to upgrade the carrier’s network in Memphis and Jackson, Miss. The deal is valued at up to $55 million.
Tuesday, October 23, 2007
Designing Cableless Devices with the Bluetooth Specification
By Burkhard Gehring and Stelios Koutroubinas
Bluetooth is an open global standard intended to replace all kinds of cables using short-range radio technology. Originally conceived by Ericsson, IBM, Intel, Nokia, and Toshiba to develop an open specification for short-range wireless connectivity between laptop computers and cellular telephones, the Bluetooth Special Interest Group (SIG) has expanded to over 1,000 members. Since the market for Bluetooth devices is estimated to be as large as $3 billion by 2005, many designers will be incorporating Bluetooth connectivity into their designs. 1
Bluetooth devices will replace RS-232, parallel, Universal Serial Bus (USB), and other types of cables with a single, standard wireless connection. Thus, any Bluetooth-certified device will be able to communicate with any other Bluetooth-certified device. For example, a Bluetooth-certified personal digital assistant (PDA) or cellular phone will work with any personal computer equipped with a Bluetooth-certified card.
The earliest applications are expected to include cable replacement for laptops, PDAs, mobile phones, and digital cameras, to name a few. Bluetooth supports voice as well as data transmission, so headsets used in the office or home could also become wireless.
Because Bluetooth is a global standard that uses a universally-available unlicensed portion of the radio frequency spectrum, Bluetooth-certified devices will interact in the same way in any part of the world.
How does it work?
--------------------------------------------------------------------------------
Any Bluetooth system has four basic parts: a radio (RF section) that receives and transmits data and voice; a baseband or link control unit that processes the transmitted or received data; link management software that manages the transmission; and supporting application software.
Bluetooth radio. The Bluetooth radio is a short-distance, low-power radio that operates in the unlicensed spectrum of 2.4 GHz, using a nominal antenna power of 0 dBm. At 0 dBm, the range is 10 meters, meaning equipment must be within 10 meters of each other (about 33 feet) to communicate using the Bluetooth standard. Optionally, a range of 100 meters (about 328 feet) may be achieved by using an antenna power of 20 dBm. Data is transmitted at a maximum gross rate of up to 1 Mbps. Communication protocol overhead limits the practical data rate to a little over 721 kbps. Interference or being out of range may increase the bit error rate (BER) and require packets to be re-sent, further decreasing the achievable data rate.
The 2.4-GHz frequency is shared by other types of equipment: microwave ovens; LANs; and industrial, security, and medical applications. As a result, interference with Bluetooth devices seems inevitable. The Bluetooth specification addresses this issue by employing frequency-hopping spread-spectrum techniques. Bluetooth uses seventy-nine hop frequencies spaced 1 MHz apart in the frequency range of 2.402 to 2.480 GHz. The hop rate is 1,600 hops per second (625-µs dwell time at each frequency). If the transmission encounters interference, it waits for the next frequency hop and re-transmits on a new frequency.
Baseband. In wireless communications, the baseband is the hardware that turns received radio signals into a digital form, which can be processed by the host application. It also converts digital or voice data into a form that can be transmitted using a radio signal.
Each packet contains information about where it is coming from, what frequency it is using, and where it is going. Packets also contain information on how the data was compressed, the order in which the packets were transmitted, and information used to verify the effectiveness of the transmission. When the data is received it is checked for accuracy, extracted from the packet, reassembled, decompressed, and possibly filtered.
The baseband processor handles all the tasks just described. It takes care of converting data from one form to another (such as from voice to digital data), compressing it, putting it into packets, taking it out of packets, assigning identifiers and error correction information, and then reversing the entire process for data that is received. In Bluetooth, the baseband function is called the link controller.
Links. The Bluetooth link is the method of data transmission to be used. The Bluetooth standard supports two link types – synchronous connection-oriented (SCO) links, used primarily for voice communications, and asynchronous connectionless (ACL) links for packet data. Each link type supports sixteen different packet types that are used, depending on the application. Any two devices in a Bluetooth system may use either link type and may change link types during a transmission.
Link management. The link manager software runs on a microprocessor and manages the communication between Bluetooth devices. Each Bluetooth device has its own link manager, which discovers other remote link managers and communicates with them to handle link setup, feature negotiation, authentication, QoS, encryption, and dynamic adjustment of the data rate on the link.
Link controller. The link controller is a supervisory function that handles all of the Bluetooth baseband functions and supports the link manager. It sends and receives data, identifies the sending device, performs authentication and ciphering functions, determines what type of frame to use on a slot-by-slot basis, directs how devices will listen for transmissions from other devices, or puts devices into various power-save modes according to Bluetooth-specified procedures. Each packet uses a single 625-µs timeslot, but can be extended to cover up to five slots. Bluetooth supports an asynchronous data channel, three synchronous voice channels at 64 kbps, or simultaneous asynchronous data and synchronous voice channels. The asynchronous channel can support an asymmetric link of 721 kbps in either direction and 57.6 kbps in the return direction, or a 432.6-kbps symmetric link.
Application software. The application software is embedded in the device that operates an application over the Bluetooth protocol stack. This software allows the PDA, mobile phone, or keyboard to do its job. All Bluetooth devices must have compatible sections in their Bluetooth stack, so that all Bluetooth devices will be able to interoperate with each other.
All Bluetooth-certified devices must have the components described above, to be in accordance with the Bluetooth standard. The standard and certification procedures guarantee global interoperability between devices.
Designing Bluetooth applications
--------------------------------------------------------------------------------
All Bluetooth designs require a transceiver and a baseband controller that meet the Bluetooth specification. An antenna and a microcontroller (MCU) to run the link control, link manager, and host controller interface (HCI) and/or logical link control and adaptation protocol (L2CAP) firmware are also needed. Alternatively, developers can choose to implement protocols up to, and including, HCI on the microcontroller, and to implement a counterpart of HCI (the HCI driver) and L2CAP on a machine that hosts the Bluetooth chip-set (such as a PC or a second microcontroller on the same or attached printed circuit board).
Quite a few choices for the Bluetooth hardware are available. Several vendors plan to offer Bluetooth baseband ICs, transceiver ICs, or both. Others are offering integrated solutions that include the baseband, radio, microcontroller, and memory. The Bluetooth SIG has a target for a fully-integrated Bluetooth solution priced at $5 or less by the year 2001. In this type of solution, developing the firmware and meeting timing constraints will be a major challenge.
Processor selection
--------------------------------------------------------------------------------
The Bluetooth baseband has rigorous timing requirements, so the chosen processor must be able to deliver sufficient throughput, consume minimal power, and be cost effective. One of the key design issues is whether to use dedicated hardware for the link controller or to implement link control in the chipset's microcontroller. The Bluetooth spec follows little endian convention, so the microcontroller should also support little endian operation. Since the microcontroller should be able to handle multibyte vectors, a 32-bit device is preferable. This is particularly true if security features are to be implemented. The MCU compiler will have to provide dense and highly-optimized object code because program space and/or timing requirements are critical.
Baseband timing constraints
--------------------------------------------------------------------------------
The granularity of the processing in the baseband layer will need to be one-half of a Bluetooth slot (312.5 µs) because some access procedures produce two packets per slot and because FHSS inquiry response packets may start at a half-slot boundary.
The transceiver is heavily restricted by Tvco and Tpower_up. Although there are procedures that the firmware can execute during Tvco and Tpower_up, it is vital that the firmware has decided what should be done with the next slot in the time duration 321.5 µs minus all the previously-described time periods (Tvco + Tpower_up + Tuncertainty_window + Taccess_code). Thus, the link control functionality should be implemented as a finite-state machine that runs in interrupt mode, and the execution of the link control code should be synchronized with the slot boundaries.
Hardware/software partitioning
--------------------------------------------------------------------------------
Due to the rigid timing constraints on the Bluetooth baseband, designers should consider replacing some of the Bluetooth firmware blocks with dedicated hardware. This is particularly true for time-consuming and/or time-critical procedures built on LFSRs (header error correction, forward error correction [FEC], cyclic redundancy check, data whitening, and testing the bit sequence). Each packet type and each packet field requires different bit transformations (such as FEC or data whitening). By implementing these functions in the hardware, the packet type and current field can be traced during receive/transmit to quickly decide which transformations should be enabled or disabled.
Additional baseband functions which can be implemented in the hardware include low-level security functions such as cipher stream generation and the authentication (SAFER) algorithms. Implementing these tasks in the hardware relieves the MCU of having to perform them, thereby speeding up firmware execution. It also reduces the required amount of system SRAM and Flash memory. Using an off-the-shelf RTOS that supports the multithreading and scheduling requirements of the Bluetooth specification is another option. The RTOS should be able to implement context switching and service interrupts quickly, in order to meet the Tfirmware constraints, and should also have an acceptable memory footprint – especially for a fully-integrated Bluetooth solution.
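As an added illustration of the LFSR-style procedures listed above (this is not code from the article or its authors), the following Python implements the Bluetooth 2/3-rate FEC, a (15,10) shortened Hamming code with generator g(D) = (D + 1)(D^4 + D + 1) = D^5 + D^4 + D^2 + 1, as a polynomial-remainder computation: ten data bits get five parity bits, a single flipped bit is located and corrected, and a double flip is flagged as uncorrectable. Bit positions are the integer's own (an assumption that simplifies the specification's LSB-first air order), and the sample payload is constructed.

```python
# Added example: Bluetooth 2/3-rate FEC as a polynomial (division-LFSR) computation.
# The baseband's 2/3 FEC is a (15,10) shortened Hamming code with generator
# g(D) = (D + 1)(D^4 + D + 1) = D^5 + D^4 + D^2 + 1. Ten data bits are followed
# by five parity bits; the decoder corrects any single bit error and detects any
# double error. Integer bit i stands for D^i (assumption: the spec's LSB-first
# air ordering is not modelled here).

G = 0b110101   # D^5 + D^4 + D^2 + 1
N, K = 15, 10  # codeword length, data bits
R = N - K      # parity bits


def poly_mod(value: int, poly: int = G) -> int:
    """Remainder of value(D) divided by poly(D) over GF(2): the state a
    division LFSR holds after every bit of value has been shifted through."""
    deg = poly.bit_length() - 1
    for bit in range(value.bit_length() - 1, deg - 1, -1):
        if value >> bit & 1:
            value ^= poly << (bit - deg)
    return value


def fec_encode(data: int) -> int:
    """Systematic encode: 10 data bits -> 15-bit codeword (data << 5 | parity)."""
    if not 0 <= data < (1 << K):
        raise ValueError("data must be a 10-bit value")
    shifted = data << R
    return shifted | poly_mod(shifted)


# Every single-bit error pattern D^i (i < 15) leaves a distinct, non-zero
# remainder because D has order 15 modulo D^4 + D + 1; the (D + 1) factor gives
# every single-error syndrome odd weight, so double errors (even weight) never
# collide with the table and are reported instead of mis-corrected.
SYNDROMES = {poly_mod(1 << i): i for i in range(N)}


def fec_decode(word: int):
    """Return (data, status): status is None for a clean word, the index of the
    corrected bit for a single error, or -1 when the word is uncorrectable."""
    syndrome = poly_mod(word)
    if syndrome == 0:
        return word >> R, None
    pos = SYNDROMES.get(syndrome)
    if pos is None:
        return None, -1
    return (word ^ (1 << pos)) >> R, pos


if __name__ == "__main__":
    payload = 0b1011001110                 # constructed 10-bit sample
    cw = fec_encode(payload)
    print(f"codeword      {cw:015b}")
    data, status = fec_decode(cw ^ (1 << 7))   # one flipped bit
    print(f"1-bit error -> data {data:010b}, corrected bit {status}")
    data, status = fec_decode(cw ^ 0b11)       # two flipped bits
    print(f"2-bit error -> data {data}, status {status}")
```
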
Bluetooth Radio
--------------------------------------------------------------------------------
Several members of the Bluetooth SIG are developing single-chip Bluetooth radios. The Bluetooth standard requires a receive sensitivity of -70 dBm, so any Bluetooth certified radio will have been tested to meet this standard. However, increasing the receive sensitivity gives the designer the freedom to implement designs that have a longer range than the 10 meters in the Bluetooth specification. At -80 dBm, the Bluetooth application could have a range of 100 meters, an advantage that could be extremely useful in some applications. Since the BER is largely dependent on the maximum distance between the two Bluetooth devices, a transceiver IC with a higher rating will also have a smaller BER, which allows the Bluetooth device to achieve a higher data rate.
GSM phones have a maximum output power in the range of 1 to 3 W, and receive and transmit frequencies ranging from 890 to 1,990 MHz, while Bluetooth transceivers are designed to work with signals as low as 10 pW. Noise from the phone's transmitter may interfere with the Bluetooth signal. A trap can be placed at the output of the transmitter to attenuate any energy radiated in the 2.4 GHz band.
In most RF systems the transmit data modulates the VCO by switching the charge pump into tri-state while the phase-locked loop (PLL) is in open-loop mode. This causes frequency drift that can result in transmission errors. Frequency drift can be controlled by using I&Q modulation, in which I&Q signals are passed from the baseband to the RF section at the mixer stage to stabilize the frequency. This requires additional firmware in the baseband, as well as off-chip passive filters. Another approach is to use a modulation compensation circuit (MCC) that keeps the VCO frequency stable while the PLL is in closed-loop mode. This latter approach to modulation eliminates the need for any external filters. It also allows the collocation of several time slots, increasing the effective data rate. Since closed-loop modulation is insensitive to tolerances and noise influences, it results in better performance.
All superheterodyne radios tend to receive two frequencies – the signal frequency and the image frequency. An unwanted signal at the image frequency must be suppressed to avoid interference with the desired signal. One means of doing this is to use an off-chip passive filter. The external filter will increase system size and add cost, which are drawbacks in portable applications. Another approach is to include the image rejection as part of the mixer on the transceiver. The image rejection mixer converts the frequency down to 111 MHz, a frequency that conserves power and for which many low-cost filters are available.
Power consumption
--------------------------------------------------------------------------------
Virtually all Bluetooth applications will be battery operated, making power consumption a significant consideration. Implementing some of the baseband functions in hardware allows the MCU clock to be slowed, reducing power drain. Gating the clock to the MCU and the other hardware blocks also helps to minimize power consumption. Processing power varies with time, so it is preferable to drive the MCU with a relatively high-speed clock and to gate the MCU clock when the Bluetooth subsystem is in sleep mode. Using the image rejection mixer to convert the frequency down to 111 MHz, as previously described, also conserves power.
Firmware considerations – HCI
--------------------------------------------------------------------------------
The HCI protocol structure is described quite clearly in the Bluetooth specification. However, from an implementation point of view, the boundaries between HCI, link manager (LM), and link controller (LC) are not clear from the beginning. So, these layers should be designed carefully and, if possible, developed in parallel in order to integrate the system data structures as much as possible and to avoid data and code redundancy.
The HCI packet structures (Command, Event, ACL, and SCO packets) must be wrapped with additional information relating to the transport layer above HCI that runs on top of the physical link between the Bluetooth device and its host. The dataflow infrastructure must be carefully developed because individual HCI commands do not require the same amount of processing, nor do they remain in the system memory for the same duration. For example, processing the command Read_Local_Version_Information is straightforward when compared to processing the command Create_Connection.
Firmware considerations – L2CAP
--------------------------------------------------------------------------------
L2CAP is used for protocol multiplexing above the basic Bluetooth layers, for packet segmentation and reassembly, and to convey QoS information. The system designer must first decide whether to embed L2CAP with the rest of the layers or have it running as part of the host OS. Making this decision depends on the usage model and the device that will contain the Bluetooth design. A mobile phone will have to maintain L2CAP in an embedded nonvolatile memory, while a laptop computer will not.
If L2CAP is to be embedded, the designer must take into account the amount of information the Bluetooth subsystem can hold in its receive buffers on the host side before it can fragment them into smaller chunks according to Bluetooth packet sizes. The maximum packet size that L2CAP accepts from a protocol running on top of it is 64 kbytes.
Although the Bluetooth standard specifies which transport layers a Bluetooth device can use to communicate with the host to exchange HCI packets over various physical links (UART, USB), it does not specify any of them for an embedded L2CAP over the same links. Designers will have to consider how this interface is to be realized. If L2CAP is built on the host side, there is always a problem of integrating this layer into the host's OS in a way that ensures protocol multiplexing can take place above it with minimal alterations to the host's driver stack. A host-side L2CAP also poses the problem of interfacing the lower part of the L2CAP with a host-side HCI driver or with another proprietary driver. In the first case, the stack may run slower. In the second case, more programming effort will be needed to achieve interoperability requirements.
---------------------------------------------------------------------------
Stelios Koutroubinas is managing director, vice president, and CEO of the board of directors of Atmel Hellas S.A. He holds an engineering degree and a PhD in electrical engineering from the University of Patras, Patras, Greece. He can be reached at steliosk@atmel.gr .
Burkhard Gehring is the technical project leader for Temic Semiconductor's Bluetooth radio IC group. He received the Diplom Ingenieur degree from the Technical University of Dresden, Germany. He can be reached at burkhard.gehring@temic_semi.com
802.11 vs. 3G
In theory, 3G wireless networks are capable of throughput up to 384Kbps, which still puts them at the bottom end of 802.11b's range. In practice, though, 3G isn't available in the United States at all except in experimental deployments.
Instead, we have telecoms using the "3G" name for what's actually, at best, 2.5G. This is a middle step between what we currently have, 2G, basic digital service, and the science fiction speeds of 3G. With 2.5G networks, you can transfer data at rates of up to 114Kbps, generally using General Packet Radio Service (GPRS).
So how good is GPRS, really? David Ferris, CEO and analyst for Ferris Research, has "been testing out GPRS connections with mobile phones in major metropolitan areas in the UK and US. These are now being brought on-stream by a wide variety of mobile carriers. In a nutshell, GPRS provides an always-on connection to the Internet. To be precise, GPRS enables per-handset data rates of 9.05-107.2 Kbit/sec depending upon the coding scheme employed and time slots (from 1-8) allocated to a data packet. In practice, we're finding that transfer speeds of 400 to 1000 bytes/sec are the norm."
Translated, what this means is that 2.5G is in no way competition for 802.11 for moving data. As Ferris explains, performance like this "means that communications need to be kept short, and that, in turn, means most of them will be text-based. E-mails with attachments will usually take much too long to transfer."
Still, he thinks that "applications like instant messaging, or distributing appointment information, can be run successfully." However, instant messaging or Web browsing on 2.5G or 3G phones isn't what 802.11-enabled laptop users think of as IM or the Web.
On digital phones you must use Short Messaging Service (SMS) or Multimedia Messaging Service (MMS). Without a special gateway between the SMS/MMS servers and consumer IM clients like AOL Instant Messenger (AIM), or business-class IM clients such as Lotus Sametime or NetLert, you can't send messages from IM to someone using MMS or SMS on a digital phone.
On the Web side, for a Web page to be viewed effectively on a digital phone, the signal must be sent in Wireless Application Protocol (WAP) and the page should be written, not in the usual HyperText Markup Language (HTML) used for most Web pages, but in Wireless Markup Language (WML). In short, viewing Web pages on 2.5G and 3G is inherently more problematic.
3G is also much more troublesome for telecom carriers to install. To deploy it you must overhaul your wireless infrastructure and replace it. Of course, you must do the same thing with 802.11 hotspots, but while hotspots have far less range, a business class hotspot with advanced antennas also can be deployed for about $1500, while all but the smallest (pico range) 3G base stations start around six figures and move up from there. Anyone can set up a hotspot; only a telephone carrier or corporation can afford a 3G base station.
Expert Opinion
What do the analysts think? It depends. Everyone acknowledges that there was a 22% decline in wireless and mobile network infrastructure spending in 2002. Research house IDC, for one, in its Worldwide Wireless and Mobile Network Infrastructure Forecast and Analysis, 2002-2007 study, says that the demand for 2.5 and 3G remains strong. Indeed, IDC expects annual spending on 2.5 and 3G network infrastructure to grow from $38.3 billion in 2002 to nearly $49 billion in 2007. Wireless phone infrastructure providers like Ericsson, Nokia, and Nortel no doubt hope that IDC is right.
"The essential rationale for deployment of 3G networks -- gaining spectrum efficiencies, easing network capacity constraints, lowering operating costs, and expanding revenue opportunities through provisioning of data services -- remains intact," says Dr. Shiv K. Bakhshi, research manager for the IDC's Wireless and Mobile Network Infrastructure program. He believes that the rising popularity of MMS and picture messaging will "legitimize the culture of data consumption in a mobile environment and spur deployment of network infrastructure." But, he notes, it's not just 3G driving these developments; "public WLANs and hotspots" will also help in this development.
"The WLAN industry will continue to experience stellar growth as deployments in several key markets take place," predicts Allied Business Intelligence (ABI) senior analyst John W. Chang, and some of that growth will come at 3G's expense.
ABI reports in its Worldwide Deployments, Drivers, Players and Forecasts for 802.11x, that "Some of the leading wireless carriers worldwide, including T-Mobile, AT&T, and Verizon, have made announcements of deploying WLAN services as their 3G plans are delayed. WLAN is easier to install and costs far less than setting up a 3G network. In addition, 3G's data rate of 144 kbps, a portable data rate of 384 kbps, and an in-building fixed rate of 2 Mbps are slow, compared to that of WLAN. As WLAN moves toward 54 Mbps, it is apparent that 3G cannot compete with the data rate of WLAN. Though 3G will be deployed worldwide due to its voice capacity benefits, telecom carriers are seeing WLAN hotspots as the immediate revenue generator for data services."
This view is not just that of an analyst looking at plans. On January 29, British Telecomm (BT) announced that it would be deploying 802.11b--and 802.11a soon--hotspots with three business partners. BT plans to have 4,000 hotspots in place by the summer of 2005.
According to David Hughes, BT director of mobility, its BT Openzone hotspot customers will pay 10% of the price to download 1MB of data compared to a 3G user at four times the speed. In short, he declares, "At the moment, it looks like Wi-Fi is one-tenth of the price of 3G, and four times as fast." Even with 3G's much better range, which would you rather have?
Some analysts, like ABI's director of automotive electronics Frank Viquez, think that, "802.11 promises to have the most potential, given its minimum raw bandwidth of 10 Mbps and dramatic growth outside the vehicle industry," even when a wireless data user is traveling at speed.
Can the two technologies get along? Some experts think they can, but given the stalled economy and 802.11's lower price, deployment costs alone may cause 3G to flounder. Who knows? Instead of 3G laptops in 2007, perhaps we'll have 802.11 mobile phones.
Friday, October 19, 2007
3G Wireless Technology Quick Guide
A comprehensive and clear architecture map of mobile wireless network of both UMTS and CDMA2000.
A portable tool for you to carry, insert into a folder or put on your desk.
Laminated and folded in size 8.5 x 11 in.
A comprehensive 3G wireless technology guide for network and telecom professionals.
An easy to use training reference for telecom and wireless technology students to get an overall picture of 3G Mobile technologies.
UMTS and CDMA2000 network architectures
Detailed CDMA2000 and UMTS communication interfaces between systems and protocol stacks.
Graphic illustration of the evolution path and roadmaps of mobile wireless standards for both GSM/GPRS/WCDMA and cdmaOne/CDMA2000 networks.
Radio Access Network (RAN) features and characters for both UMTS and CDMA2000.
Clear channel mapping charts for both WCDMA and CDMA2000 systems.
Up-to-date illustration of the 3GPP IMS and 3GPP2 MMD.
Designed by experts with decades of experience in wireless, data and tele- communication industries.
Designed for mobile wireless technology engineers and network admins, wireless communication technology educators and students, this 3G mobile wireless technology quick guide covers all major 3G wireless technologies: UMTS and CDMA2000 architectures, Wireless Radio Access Network (RAN) technologies, WCDMA and CDMA2000 channels, CDMA and UMTS interfaces and protocols, 3GPP IP Multimedia Subsystem (IMS) and 3GPP2 Multimedia Domain (MMD), and the evolution path and roadmap for both the GSM/GPRS/UMTS and CDMA/CDMA2000 networks.
Wireless hardware, software and service vendors may purchase it as a marketing or sales tool in trade shows, seminars and web/email leads generation programs. Networking and telecom IT training organizations can use it as a supplementary educational tool or a motivational gift for students and trainees. We have special product customization
Wireless Digital Camera Guide
Beginner's Guide to Wireless Auditing
Introduction
Since our talks at Black Hat Vegas and DEFCON, Jon Ellch and I have been peppered with questions regarding how to find vulnerabilities in wireless device drivers and the specific techniques that were employed. Rather than answer these questions one at a time, an article seemed a better course of action. In this first article, we will discuss how to build an auditing environment, how to construct fuzzing tools and, finally, how to interpret the results.
Although our previous talks have focused primarily on 802.11-based protocols, these same auditing methods can be applied to almost any type of device, including Bluetooth and infrared, with successful results. This article is designed as a beginner's guide to fuzzing wireless device drivers. To get the most out of it you should already be familiar with exploit development and debugging, as the article does not cover either of those topics in depth.
Figure 1. Like poker, but with a different kind of chips!
Building an environment for Wifi auditing
Our Black Hat presentation [ref 1] was entitled "Device Drivers: Don't Build a House on a Shaky Foundation." This concept is true for more than just device drivers; it is true for wireless auditing platforms as well. The most important part of auditing is in first building a good, robust platform to launch attacks from. The underlying operating system is up to you, but I chose to use Fedora Core 3 (while FC5 is out now, I really don't need to do more than wifi auditing). I installed a stock FC3 image. The only additional packages that were installed were done using yum. These involved upgrading the kernel to the latest version and installing a package called sharutils. This was achieved by issuing the following commands.
[root:~]$ yum upgrade kernel
[root:~]$ yum install sharutils
Although this was done on a Dell Latitude D610, the internal wireless card of the machine was not used. In order to do the raw WiFi packet injection needed for fuzzing, a combination of third-party code and hardware was used. The main component of this is a library called LORCON (Loss Of Radio CONnectivity).
LORCON [ref 2] is a library that gives a programmer the ability to craft a WiFi packet from scratch. LORCON is built by patching the third-party madwifi driver [ref 3] for cards based on the Atheros chipset. In order to have the best results, you should pick a card that is well supported by madwifi. For the purpose of this article, I chose the Netgear WPN511. It's a good card that supports almost every feature needed and is well supported by madwifi. It's also not hard to find.
Figure 2. Netgear WPN511 card used for this article.
Once you have a good environment with all the necessary packages, patch madwifi with LORCON and install it. After the patch process, it should be as simple as issuing the "make" command for most systems. If there is a problem here, refer to the madwifi documentation available on the project site [ref 3]. After the build is complete you need to install the drivers with the "make install" command. You can verify the components are installed by looking in the /lib/modules/ directory for the existence of the wlan and ath kernel modules, as shown below in Figure 3.
Figure 3. Verifying required components are installed.
Now that you have the drivers, place the card in the PCMCIA slot and you should get a message similar to the one below in Figure 4:
Figure 4. Verifying patched driver is working.
The first step is to bring the card up to a working state. You do this with 'ifconfig ath0 up'. That the interface came up can be verified by running the ifconfig command again. The card can be tested by issuing a few commands like 'iwlist ath0 scan' and so on.
Figure 5. Using ifconfig and iwlist to test the card.
I wrote a shellscript to automate this task. It's useful for not having to repeat the same command over and over again. Mine looks like this:
#!/bin/bash
# bring up the LORCON-patched Atheros interface and put it in master mode on channel 1
ifconfig ath0 up
ifconfig ath0 192.168.1.1
iwconfig ath0 essid "wifiaudit"
iwconfig ath0 mode Master
iwpriv ath0 mode 2
iwconfig ath0 channel 1
Now that the environment is set up, it's time to actually build packets to inject - which means you have to write code. All the fuzzers I have developed are written in C and use the LORCON API to develop and the inject packets. If you don't know C or you don't want to spend a lot of time hand developing packet structures, I strongly suggest taking a look at an excellent tool called scapy [ref 4].
Scapy is a packet creation tool written in Python by a programmer named Philippe Biondi. The combination of Python with the way the tool is designed means that, with very little knowledge of networking, you can write a pretty powerful fuzzer quickly. Fortunately, scapy is WiFi aware. Download a copy of it and run it. Don't worry about seeing any errors, as they won't affect the basic sending and receiving of packets. Run scapy and do a ls(). This will show you all the different layers available to you.
Figure 6. Loading scapy for packet manipulation.
The types of packets that will be most interesting with WiFi fuzzing will be the Dot11 series for packet construction. It is pretty easy to create a simple Python script that will inject anything you want. A test script to get started could be something as simple as what is shown below. All this little script will do is generate a simple frame and inject it. The script is as follows:
#!/bin/env python
import sys
from scapy import *

victim = sys.argv[1]      # MAC address of the card under test
attacker = sys.argv[2]    # MAC address used as source and BSSID
conf.iface = "ath0raw"    # LORCON raw injection interface
# type 0, subtype 1: management frame, association response
frame = Dot11(subtype=1, type=0, addr1=victim, addr2=attacker, addr3=attacker)
sendp(frame)
If you run Wireshark (formerly known as Ethereal) on the box and sniff ath0raw you will see the packets injected. The subtype of 1 sets the packet to be an association response. The command line used while running the test script is very simple:
./wifi.py 11:22:33:44:55:66 66:55:44:33:22:11
The result of several runs of the script can be seen in Wireshark. Wireshark is useful in constructing and debugging a fuzzer, as it helps when fine tuning exactly which fields you want to exercise.
Figure 7. Using Wireshark after several iterations of our test script.
Looking at the other fields that scapy supports, it is now as easy as stacking them together. If you are unsure of what arguments are passed to a field, you can just do an ls() for it. For instance doing a ls(Dot11) will yield the following result:
>>> ls(Dot11)
subtype : BitField = (0)
type : BitEnumField = (0)
proto : BitField = (0)
FCfield : FlagsField = (0)
ID : ShortField = (0)
addr1 : MACField = ('00:00:00:00:00:00')
addr2 : Dot11Addr2MACField = ('00:00:00:00:00:00')
addr3 : Dot11Addr3MACField = ('00:00:00:00:00:00')
SC : Dot11SCField = (0)
addr4 : Dot11Addr4MACField = ('00:00:00:00:00:00')
>>>
In order to stack the fields, they are separated by a slash. You will create a general control frame followed by a field of a certain subtype. This would look as follows:
frame=Dot11()/Dot11AssoResp()
One of the nicest features about scapy is its fuzz function. You can wrap any of these elements in fuzz() and in a loop it will generate values for anything you didn't supply. You can see the results of this with a simple modification to the test script used earlier:
#!/bin/env python
import sys
from scapy import *

victim = sys.argv[1]
attacker = sys.argv[2]
conf.iface = "ath0raw"
# fuzz() fills every field we did not set with a fresh random value on each send
frame = fuzz(Dot11(addr1=victim, addr2=attacker, addr3=attacker))
sendp(frame, loop=1)
A run with the same command line options as previously used will produce a different packet for each injection. The only thing that will stay static across the packets is addr1, addr2, and addr3. This is a quick and simple way to generate fuzzing packets. There are a couple of different ways to go about fuzzing for best results.
Figure 8. Using Wireshark to look at fuzzing packets.
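The ls(Dot11) listing above is scapy's view of the 24-byte 802.11 MAC header. The following is an added example, not code from the article or from scapy: a small encoder/decoder for that header using only the Python standard library, so that the bytes a fuzzer emits (or the bytes Wireshark shows) can be checked against the field values you intended. The subtype names and the sample frame are constructed for the example; the bit layout follows the 802.11 frame-control definition.

```python
"""Encode and decode the three-address IEEE 802.11 MAC header that scapy's
Dot11 layer models (subtype, type, proto, FCfield, ID, addr1-3, SC).
Added example, not part of the original article; standard library only."""
import struct
from dataclasses import dataclass

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
# Management subtypes relevant to the article's examples (names mirror scapy's layers).
MGMT_SUBTYPES = {0: "AssoReq", 1: "AssoResp", 4: "ProbeReq", 5: "ProbeResp",
                 8: "Beacon", 10: "Disas", 11: "Auth", 12: "Deauth"}
# Frame-control flag bits, least significant first.
FC_FLAGS = ["to-DS", "from-DS", "MF", "retry", "pw-mgt", "MD", "protected", "order"]


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class Dot11Header:
    subtype: int = 0
    type: int = 0
    proto: int = 0
    FCfield: int = 0       # the eight frame-control flag bits
    ID: int = 0            # duration / ID field
    addr1: str = "00:00:00:00:00:00"
    addr2: str = "00:00:00:00:00:00"
    addr3: str = "00:00:00:00:00:00"
    SC: int = 0            # sequence control: sequence number << 4 | fragment number

    def build(self) -> bytes:
        # Frame-control octet 0: bits 0-1 protocol version, 2-3 type, 4-7 subtype.
        fc0 = (self.proto & 0x3) | ((self.type & 0x3) << 2) | ((self.subtype & 0xF) << 4)
        return (struct.pack("<BBH", fc0, self.FCfield & 0xFF, self.ID & 0xFFFF)
                + mac_to_bytes(self.addr1) + mac_to_bytes(self.addr2)
                + mac_to_bytes(self.addr3) + struct.pack("<H", self.SC & 0xFFFF))

    @property
    def seq(self) -> int:
        return self.SC >> 4

    @property
    def frag(self) -> int:
        return self.SC & 0xF

    def flags(self) -> list:
        return [name for i, name in enumerate(FC_FLAGS) if self.FCfield & (1 << i)]

    def describe(self) -> str:
        if self.type == TYPE_MGMT:
            kind = MGMT_SUBTYPES.get(self.subtype, f"subtype {self.subtype}")
        else:
            kind = f"type {self.type}/subtype {self.subtype}"
        return f"{kind} DA={self.addr1} SA={self.addr2} BSSID={self.addr3} seq={self.seq}"


def parse_dot11(raw: bytes) -> Dot11Header:
    """Decode a frame that starts with a full three-address header.
    Control frames use shorter headers, so they are rejected here."""
    if len(raw) < 24:
        raise ValueError("frame too short for a three-address 802.11 header")
    fc0, fcfield, duration = struct.unpack_from("<BBH", raw, 0)
    hdr = Dot11Header(
        proto=fc0 & 0x3, type=(fc0 >> 2) & 0x3, subtype=(fc0 >> 4) & 0xF,
        FCfield=fcfield, ID=duration,
        addr1=bytes_to_mac(raw[4:10]), addr2=bytes_to_mac(raw[10:16]),
        addr3=bytes_to_mac(raw[16:22]),
        SC=struct.unpack_from("<H", raw, 22)[0])
    if hdr.type == TYPE_CTRL:
        raise ValueError("control frames do not carry a three-address header")
    return hdr


if __name__ == "__main__":
    # The same frame the article's first test script injects: type 0, subtype 1.
    victim, attacker = "11:22:33:44:55:66", "66:55:44:33:22:11"
    f = Dot11Header(subtype=1, type=0, addr1=victim, addr2=attacker, addr3=attacker, SC=7 << 4)
    raw = f.build()
    print(raw.hex())
    print(parse_dot11(raw).describe())
```

Running it prints the 24 header bytes (the first byte is 0x10, which is what Wireshark decodes as "Association Response") followed by the decoded summary; feeding a capture from ath0raw into parse_dot11 is a quick way to confirm which fields fuzz() actually varied.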
A beginner's guide to effective fuzzing
Now that your environment is set up and working, the first step is to fuzz the target cards in different states. The state can be Associated, Unassociated, Ad-Hoc, scanning, and so on. The different states are important because many of the code paths you want to exercise can only be reached in certain states. Most drivers are intelligent enough to reject packets for a state they are not currently in. An example of this would be a laptop in an associated state with an access point and the fuzzer generating ad-hoc packets. In most drivers these packets will just be silently ignored.
The second thing to increase your chances of a successful fuzzing run is to use a kernel debugger. When a machine becomes unresponsive, you should be able to save the recent packets sent. Tracking down a vulnerability can be hard, especially since the crash can occur in a variety of different places. A minor overwrite in memory can lead to a mild memory corruption that may not be evident until a different driver attempts to access the same corrupted memory. Tracking down the exact cause of the vulnerability can be a difficult task.
On Windows, tools like Softice [ref 5] or Windbg [ref 6] can be used to set breakpoints on certain calls that would be beneficial in tracking down the corruption. On Apple's OS X it's a little more difficult to do this as kernel debugging requires two machines.
If Windows is your target, the Windows DDK [ref 7] will be most helpful, as its Driver Verifier tool can help you quickly track down memory corruption. Either way, it is important to become familiar with Windbg for its analysis of crash dumps. After a crash dump is loaded, the command '!analyze -v' generates a detailed analysis. The stack backtrace may not be reliable, as there is a good chance you have overwritten parts of it.
For best success, you should automate the process of status checking on the victim. For instance, on OS X there is an airport command which can be used to manipulate most of the wireless options without the need for going through the GUI. As malformed traffic is generated and spewed at the target, the machine may disassociate from the network and search for a better network. You can script the airport command to check the current state so that if it's not what is desired, it can be changed automatically. The -I argument passed to airport will give the current status. You can disassociate from a network, join a network or even force the airport to do any action repeatedly with the -r option. The same type of action can be done in Linux and in Windows with their respective tools. A fuzzer run may take a long time to complete, and it is a horrible feeling to discover that your target was in an incorrect state for the majority of that time.
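The three points above (fuzz in a known state, keep the recent packets for crash triage, and automate the state check) fit together as a run-control loop around the injector. Here is an added example of such a loop, not code from the article: the injection, state-query and state-restore functions are passed in as callables because the real ones (scapy's sendp, the airport -I command, a Windows script) need hardware, so the demonstration at the bottom uses constructed stand-ins. When the target stops answering, the last frames sent are written out as a libpcap file that Wireshark can open, which is the "save the recent packets" step the article recommends.

```python
"""Run-control for a driver-fuzzing session: verify the target is in the wanted
state before each burst, keep a ring buffer of the frames actually injected, and
dump them as a pcap file when the target goes silent. Added example; the
callables and the demo data below are constructed stand-ins, not project code."""
import struct
import time
from collections import deque
from typing import Callable, Iterable, Optional

LINKTYPE_IEEE802_11 = 105   # libpcap link-layer type for raw 802.11 frames


def pcap_file(frames: Iterable[bytes], ts: float = 0.0) -> bytes:
    """Serialise frames as a classic little-endian pcap capture (magic 0xa1b2c3d4)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)]
    for i, frame in enumerate(frames):
        sec = int(ts) + i          # one second apart is enough for ordering in Wireshark
        out.append(struct.pack("<IIII", sec, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


class FuzzSession:
    def __init__(self, send: Callable[[bytes], None],
                 target_state: Callable[[], Optional[str]],
                 restore_state: Callable[[], None],
                 wanted_state: str, keep_last: int = 64):
        self.send = send
        self.target_state = target_state      # returns e.g. "associated", or None if unreachable
        self.restore_state = restore_state    # e.g. script 'airport' to rejoin the test network
        self.wanted_state = wanted_state
        self.recent = deque(maxlen=keep_last) # ring buffer of frames actually injected
        self.sent = 0
        self.restores = 0

    def run(self, frames: Iterable[bytes], check_every: int = 8) -> Optional[bytes]:
        """Inject frames; return a pcap of the most recent ones if the target goes silent."""
        for n, frame in enumerate(frames):
            if n % check_every == 0:
                state = self.target_state()
                if state is None:                 # unresponsive: probable crash, stop and save
                    return pcap_file(self.recent, time.time())
                if state != self.wanted_state:    # wrong code paths would be exercised
                    self.restore_state()
                    self.restores += 1
            self.send(frame)
            self.recent.append(frame)
            self.sent += 1
        return None


# --- constructed stand-ins so the harness can be exercised without hardware ---
def make_demo_session(crash_after: int) -> FuzzSession:
    injected = []
    status = {"joined": True}

    def fake_send(frame: bytes) -> None:
        injected.append(frame)
        if len(injected) == 8:          # pretend the 8th frame knocked the target off the network
            status["joined"] = False

    def fake_state() -> Optional[str]:
        if len(injected) >= crash_after:  # pretend the target died after this many frames
            return None
        return "associated" if status["joined"] else "scanning"

    def fake_restore() -> None:
        status["joined"] = True

    return FuzzSession(fake_send, fake_state, fake_restore, wanted_state="associated", keep_last=16)


def demo_frames(count: int) -> list:
    # Constructed association-response headers whose duration/ID field varies per frame.
    return [bytes([0x10, 0x00]) + struct.pack("<H", (i * 37) & 0xFFFF) + bytes(20)
            for i in range(count)]


if __name__ == "__main__":
    session = make_demo_session(crash_after=40)
    pcap = session.run(demo_frames(100))
    print("frames sent:", session.sent, "state restores:", session.restores)
    if pcap:
        with open("last-frames.pcap", "wb") as fh:
            fh.write(pcap)
```

With a real injector, replacing fake_send with a function that calls scapy's sendp on ath0raw and fake_state with a wrapper around the platform's status command is all that changes; the ring buffer size should cover at least one full check interval so the frame that triggered the crash is always in the dump.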
Fuzzer runs are generally much more useful if they are directed toward areas a researcher thinks may be weak. This is best done through reverse engineering. Drivers generally aren't very large and will not take long to disassemble. The interesting thing about drivers is that you will find constructs that have largely disappeared from other parts of the operating system but are still abundant in drivers. This includes unchecked memcpy, string operations and loops that write to arrays without good terminating conditions. Looking through the disassembled code, you can generally tell what a code segment is responsible for by the debug messages it generates. If you find heavy use of memcpy, sprintf or strcpy, concentrate your fuzzer on those areas.
Going forward and next steps
Although this article was designed as a beginner's guide to auditing WiFi, these same types of techniques can be ported to other wireless protocols like Bluetooth. Although the fuzzers we used for our Black Hat presentation were written in C, it's hard to ignore how useful something like the Python based scapy is for quick and relatively easy fuzzing. In addition to the Dot11 packets it can generate, scapy can also generate L2 packets for Bluetooth use as well. The fuzz() function applies to these just like the Dot11 interface.
Bluetooth is a target-rich environment, even more so than WiFi. The range of Bluetooth is much less, but it's designed to be more open. Bluetooth supports features like SAR (Segmentation and Reassembly) and different kinds of encryption and compression, which are often ripe for auditors to pick apart. Simple things like oversized packets and requesting services, even though a device isn't paired, will cause certain Bluetooth stacks and mobile devices to crash.
The purpose of our recent talks and this introductory article was to show how easy building a wireless auditing platform is - and how these types of techniques can be incorporated into a QA testing plan. Fuzzers are useful for finding vulnerabilities, mostly the low-hanging fruit, but there is no replacement for time spent reverse engineering binaries. Taking the reverse engineering route, much more subtle bugs can be found that would take a fuzzer a very long time to discover. A future article will look at fuzzing WiFi drivers in more detail.
References
[ref 1] "Device Drivers: Don't Build a House on a Shaky Foundation" by David Maynor and Jon Ellch. Black Hat 2006, Las Vegas. http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Cache.pdf
[ref 2] LORCON (Loss Of Radio CONnectivity) library. http://802.11ninja.net/code/lorcon-current.tgz
[ref 3] Madwifi multiband Atheros driver for Wifi. http://madwifi.org/
[ref 4] Scapy packet manipulation program. http://www.secdev.org/projects/scapy/
[ref 5] Softice application debugger, acquired by CompuWare. download from Softpedia.com
[ref 6] Microsoft Windbg application debugger. http://www.microsoft.com/whdc/devtools/debugging/default.mspx
[ref 7] Windows DDK (Driver Development Kit). http://www.microsoft.com/whdc/devtools/ddk/default.mspx
About the author
David Maynor is a Senior Researcher with SecureWorks. His previous roles include reverse engineering and researching new evasion techniques with the ISS Xforce R&D team, application development at the Georgia Institute of Technology, as well as security consulting, penetration testing and contracting with a wide range of organizations.
Thursday, October 18, 2007
Wireless LAN best practices
By John Cox
A study of corporate wireless LAN deployments reveals that the most successful ones are based on a set of practices that can dramatically improve employee flexibility and collaboration.
The survey compares practices and results of companies represented by 315 IT respondents. Best-in-class companies reported consistently higher results in performance measures compared with “industry average” companies and “laggards” in the study, by Aberdeen Group.
The results detailed in “Measuring the Real Value of Wireless LAN Deployments,” released in June, show that the best-in-class companies on average reported:
• A 27% increase in “flexibility of the workforce” (the ability to move anywhere in a building or campus and still access corporate data), which these companies attributed to the WLAN. This was 50% higher than all other respondents, Aberdeen says.
• A 26% increase in “collaboration of the workforce” (being able to work together anywhere, anytime) due to the wireless network, over two times as high as the industry average.
• A 29% increase in the “quality of meetings,” again attributable to having wireless access for laptops and other collaboration technologies. This is nearly three times the increase reported by the other respondents, according to Aberdeen.
The middle group of industry average companies and the bottom 30% of respondents (the “laggards”) also reported increases in all three categories because of their WLAN deployments. But these increases were all less, sometimes far less, than those of the top 20% of the respondents.
The top performers all were far more likely (67%) to have and enforce policies for centralized WLAN management, twice as likely to assign trained IT professionals to specifically manage the wireless network, and 25% more likely to allow guest WLAN access for customers and business partners, according to Philippe Winthrop, Aberdeen’s director of research for wireless and mobility, and the report’s author.
WLAN details pay off
In general, the best-in-class deployments reflected thoroughness in following through on network details, an approach dictated by a firm commitment to make employees more productive in a highly competitive business environment.
For example, 88% of best-in-class companies had policies for centralized WLAN management, compared to 58% of the average companies and 52% of the laggards. Having IT staff that know WLAN technology was the practice of 53% of the top scorers, but just 30% of the average scorers, and only 17% of the low scorers. Nearly all of the best-in-class performers had manual procedures in place for RF site surveys, compared with 65% of middle scorers and 58% of low scorers.
In addition, 44% of the top performers monitor the overall wireless network at least monthly, compared with 33% of the average performers and 25% of the lowest performers.
This attention to detail had some startling results, according to Winthrop.
“One thing that really shocked me was the average cost of $93 to add a person to their wireless net by the best-in-class organizations, and that is less than one-quarter of the cost of adding someone to a wired Ethernet,” he says. It is also less than half the cost of wireless adds compared to the rest of the companies in the study.
A related statistic is that best-in-class organizations say it takes them 11% less time adding a person to their wireless network compared with their wired LAN, and reported 60% fewer WLAN-related help desk calls per user per month, compared with all other organizations in the study.
Upfront planning, communicating is key
Winthrop says one other critical factor seems to be the inclusion of line of business managers and staff in the planning process with the IT and network professionals. “You can create the greatest thing [in WLANs] since the toaster oven, but if no one needs it or wants it, what’s the point?” Winthrop says. “The best implementations can be spearheaded by the IT department, but they absolutely include feedback from the lines of business [staff].”
The best implementations seem more able, and willing, to leverage their WLAN investments. Fifty-five percent are using or testing VoIP on their WLAN, compared with 32% of the middle scorers and 25% of low scorers. Thirty-five percent of the top tier are using or testing smartphones that have a Wi-Fi adapter, compared with 19% of both the other two groups.
The top companies have a tighter grip on their wireless networks than the lower scoring companies: 33% have adopted a wireless intrusion-prevention system, 46% have centralized WLAN management software, and 83% have policies on WLAN security.
“These organizations are looking for ways to extend the value of their WLANs and thus increasing the flexibility and ultimate productivity of their workforce,” Winthrop writes in the report.
Using PEAP for wireless authentication
Disable unused EAP types on the RADIUS server. If your organization is using PEAP as the sole authentication mechanism, ensure that PEAP is the only permitted EAP type.
Use a trusted certificate for authentication. The RADIUS server must be configured with a digital certificate that is signed by a trusted certificate authority (CA), using a private or a public CA.
Validate the server certificate on all clients. All PEAP clients must validate the server certificate for authentication. Failure to validate the server certificate compromises the integrity of the PEAP exchange.
Identify the issuing certificate authority on clients. By default, the Windows XP client trusts all the root certificate authorities in the certificate store. Workstations should be configured to select only the certificate authority that issued the server certificate.
Identify the authentication server hostname on clients. By default, the Windows XP PEAP supplicant will accept any trusted digital certificate for authentication, allowing an attacker to impersonate the legitimate RADIUS server if the signing authority is also trusted. To mitigate this vulnerability, configure the PEAP supplicant to identify the authorized RADIUS servers by selecting the "Connect to these servers" options. Supply the name of the RADIUS server that matches the hostname identified on the server certificate.
After successfully configuring these settings on the XP supplicant, the PEAP properties should appear as shown below.
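The five settings above interact: a supplicant that validates the certificate but trusts every root in the store and accepts any server name will still accept an impostor holding a valid certificate from some other trusted public CA. The following is an added example, not Windows or Microsoft code: a small model of the supplicant's decision with the three checks (validate, trusted CA, "Connect to these servers") as policy switches, evaluated against constructed certificate records that carry only the fields the checks look at. The CA names, hostnames and the "rogue" and "misissued" certificates are constructed for the example.

```python
"""Model of the PEAP supplicant checks this section describes, evaluated against
constructed server certificates. Added example; not Windows code, and the
ServerCert records are simplified stand-ins, not real X.509 certificates."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ServerCert:
    subject_cn: str      # hostname the certificate names
    issuer: str          # CA that signed it
    chain_valid: bool    # signature chain verifies and the certificate is unexpired


@dataclass
class PeapPolicy:
    validate_server_cert: bool = True
    # empty list = trust every root in the certificate store (the Windows XP default)
    trusted_cas: List[str] = field(default_factory=list)
    # empty list = accept any server name (the Windows XP default)
    connect_to_servers: List[str] = field(default_factory=list)


def peap_accepts(policy: PeapPolicy, cert: ServerCert, store_roots: List[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a certificate presented by a RADIUS server."""
    if not policy.validate_server_cert:
        return True, "server certificate not validated at all"
    if cert.issuer not in store_roots or not cert.chain_valid:
        return False, "chain does not verify to a root in the certificate store"
    if policy.trusted_cas and cert.issuer not in policy.trusted_cas:
        return False, f"issuer {cert.issuer} is not the CA selected for this profile"
    allowed = [name.lower() for name in policy.connect_to_servers]
    if allowed and cert.subject_cn.lower() not in allowed:
        return False, f"server name {cert.subject_cn} is not in the 'Connect to these servers' list"
    return True, "chain, issuer and server name all match"


# Constructed scenario: the store holds the corporate root and a public root.
STORE = ["Corp Root CA", "Other Public CA"]
REAL = ServerCert("radius.corp.example", "Corp Root CA", True)
# valid certificate for some other name, bought from a public CA the store also trusts
IMPOSTOR = ServerCert("rogue-radius.example", "Other Public CA", True)
# genuine corporate certificate, but issued to a different host than the RADIUS server
MISISSUED = ServerCert("guest-portal.corp.example", "Corp Root CA", True)


def compare_policies() -> Dict[str, bool]:
    weak = PeapPolicy()   # XP defaults: every store root trusted, any server name accepted
    hardened = PeapPolicy(trusted_cas=["Corp Root CA"],
                          connect_to_servers=["radius.corp.example"])
    return {f"{pname}/{cname}": peap_accepts(policy, cert, STORE)[0]
            for pname, policy in (("weak", weak), ("hardened", hardened))
            for cname, cert in (("real", REAL), ("impostor", IMPOSTOR), ("misissued", MISISSUED))}


if __name__ == "__main__":
    for case, accepted in compare_policies().items():
        print(f"{case:20s} accepted={accepted}")
```

The weak (default) policy accepts all three certificates; the hardened policy accepts only the real server, rejecting the public-CA certificate on the issuer check and the other corporate host on the server-name check, which is why both client-side settings are needed rather than either one alone.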
Researchers crafting intelligent, scaleable WLAN defense
Protecting enterprise wireless networks from increasingly sophisticated attacks is the focus of a research project from the Dept. of Homeland Security Advanced Research Projects Agency (HSARPA), a pilot of which is just wrapping up at Dartmouth College.
Researchers from Dartmouth and Aruba Networks are developing a battery of algorithms and a software architecture running over radio frequency sensors to measure and analyze traffic and then react to wireless LAN (WLAN) attacks, especially to the spoofing and evasion that are ever more common today.
There are commercial wireless intrusion-detection systems (IDS) today from AirDefense, AirTight Networks, Network Chemistry, and Aruba itself. But Project MAP -- the acronym stands for measure, analyze and protect -- has two ambitious, distinguishing goals. First, it is an IDS that's far more intelligent in what and how it measures and analyzes wireless traffic. Second, it is an IDS that can handle not only the traffic from thousands of access points and clients, but also the flood of measurement data that its own RF sensors, or sniffers, will create.
Smarter is better
Smarter software is needed because attacks are becoming smarter and sneakier.
"The IDS [today] may not see certain frames, or the attacker may be doing radio frequency jamming, causing the attack to be invisible," says Josh Wright, senior security researcher with Aruba. "Attackers are using evasion techniques, and these are not being addressed by today's [IDS] products."
Scalability is essential to the project's design because the RF sensors will continuously track, collect, and combine a lot of real-time data about a site's entire radio environment.
Launched in summer of 2005, Project MAP is funded by the Department of Homeland Security through DARPA. The researchers are starting to analyze the results of a test MAP deployment at one building on the Dartmouth campus. Those results will guide changes, tweaks, and refinements to the software through the first half of 2007. By the end of 2007, researchers plan to have deployed a full-production MAP system over a major part of Dartmouth's sprawling wireless network.
The pilot consists of off-the-shelf Aruba RF sniffers, which basically are 802.11a/b/g access points that listen only for radio signals. The MAP software listens to the traffic on all channels, measuring a range of statistics, aggregates that information to create an accurate picture of what's happening in the air, and then scans for evidence of attacks, says David Kotz, a Dartmouth professor of computer science and one of the lead MAP researchers.
Lots of RF sniffers
Instead of trying to minimize the number of sniffers, MAP will do the opposite, deploying lots of them to provide effective coverage of all the access points, authorized clients, and attacking clients. "All three devices are involved in an attack," Kotz says. "An attacker may present itself as an access point and tell an authorized client to disassociate [from a legitimate access point]. You may need more than one sniffer to collect the needed data from all three of these parties, which may be separated by some considerable distance."
"We're trying to get as high a resolution 'snapshot' of the net as we can with lots of sniffers and data aggregation," Kotz says.
MAP is intended to be resilient enough to work successfully in the face of the numerous variables and glitches that exist in WLANs. "Sniffers might not be able to collect all the needed packets because of things like packet collisions, RF reflections, or misaligned antennas," says Tristan Henderson, assistant professor of computer science and a MAP researcher. "So we're building algorithms on the assumption that we won't be able to collect everything."
Higher-level stats, and accuracy
Some commercial IDS systems require that every single frame be checked to see if it matches known attack signatures, Henderson says. By contrast, MAP analyzes higher-level statistics. "We can look at statistics about the proportion of control traffic to data traffic in various types of attacks," he says, revealing a pattern that may signal malicious activity. "We can be more certain about an attack than other techniques that rely on capturing every frame."
MAP will also monitor aggressively all 802.11 channels for activity. "Most other products configure their sniffers to listen to only one channel all the time, or to rotate through all the channels, spending the same amount of time listening to each one," Kotz says. MAP adds intelligence; it cycles through all the channels, but spends more time on the busiest ones. In addition, the MAP sensors can be refocused quickly on a channel with suspicious activity. "The software says 'this client appears to be under attack' and it tells the MAP measurement system to get more information," Kotz says. "The measurement system [software] refocuses and spends more time listening to that client."
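Two of the ideas in this section, statistics over a window instead of per-frame signatures and dwell time weighted toward busy or suspicious channels, can be shown in a few dozen lines. The following is an added example, not Project MAP or Aruba code: it flags windows where deauthentication and disassociation frames are out of proportion to data frames, and it splits a sniffer's time across channels by observed activity with extra weight for channels under alert. The frame summaries, thresholds and window size are constructed for the example.

```python
"""Window-level 802.11 statistics in the spirit of this section: ratio-based
deauth/disassoc alerting and activity-weighted channel dwell. Added example,
not Project MAP code; the SAMPLE frame summaries are constructed."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

Frame = Tuple[int, int, str]   # (timestamp seconds, channel, frame kind)

# Constructed capture summary for one minute; kinds follow the article's scapy layer names.
SAMPLE: List[Frame] = (
    [(t, 6, "data") for t in range(0, 60)] * 3          # healthy data traffic on channel 6
    + [(t, 6, "beacon") for t in range(0, 60, 5)]
    + [(t, 6, "deauth") for t in range(0, 30, 10)]      # a few legitimate deauths early on
    + [(t, 6, "deauth") for t in range(30, 60)] * 4     # deauth burst in the second half
    + [(t, 1, "data") for t in range(0, 60, 2)]         # quiet channel 1
    + [(t, 11, "beacon") for t in range(0, 60, 10)]     # near-idle channel 11
)


def window_stats(frames: Iterable[Frame], window: int = 10) -> Dict[Tuple[int, int], Counter]:
    """Count frame kinds per (channel, window index)."""
    stats: Dict[Tuple[int, int], Counter] = defaultdict(Counter)
    for ts, channel, kind in frames:
        stats[(channel, ts // window)][kind] += 1
    return stats


def deauth_alerts(frames: Iterable[Frame], window: int = 10,
                  ratio_limit: float = 0.5, min_frames: int = 5) -> List[dict]:
    """Windows where (deauth + disassoc) / data exceeds ratio_limit.
    min_frames keeps a handful of normal deauths from raising an alert."""
    alerts = []
    for (channel, w), counts in sorted(window_stats(frames, window).items()):
        disruptive = counts["deauth"] + counts["disas"]
        data = counts["data"]
        if disruptive < min_frames:
            continue
        ratio = disruptive / data if data else float("inf")   # deauths with no data at all is worst
        if ratio > ratio_limit:
            alerts.append({"channel": channel, "window": w, "ratio": ratio,
                           "disruptive": disruptive, "data": data})
    return alerts


def dwell_plan(frames: Iterable[Frame], channels: List[int], total_ms: int = 1000,
               floor_ms: int = 50, focus: Iterable[int] = ()) -> Dict[int, int]:
    """Split total_ms of sniffer time across channels: every channel gets floor_ms so
    nothing goes unwatched, the remainder is proportional to frames seen, and channels
    in 'focus' (e.g. those with an alert) count double so the sensor refocuses on them."""
    weight = Counter(ch for _, ch, _ in frames)
    for ch in focus:
        weight[ch] *= 2
    remainder = total_ms - floor_ms * len(channels)
    total_weight = sum(weight[ch] for ch in channels) or 1
    plan = {ch: floor_ms + remainder * weight[ch] // total_weight for ch in channels}
    # integer division leaves a few ms over; give them to the heaviest channel
    plan[max(channels, key=lambda ch: weight[ch])] += total_ms - sum(plan.values())
    return plan


if __name__ == "__main__":
    alerts = deauth_alerts(SAMPLE)
    for a in alerts:
        print(f"channel {a['channel']} window {a['window']}: "
              f"{a['disruptive']} deauth/disassoc vs {a['data']} data (ratio {a['ratio']:.2f})")
    print("dwell plan:", dwell_plan(SAMPLE, [1, 6, 11]))
    print("refocused:", dwell_plan(SAMPLE, [1, 6, 11], focus={a["channel"] for a in alerts}))
```

On the constructed sample the first three windows on channel 6 stay quiet (three deauths against thirty data frames), while the last three windows, with forty deauths each, are flagged; the dwell plan already favours channel 6 on activity alone and shifts further toward it once it is under alert, without ever dropping channel 11 below its floor.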
MAP is intended to be effective against denial-of-service attacks, as well as against a new category of attacks called "reduction of quality (RoQ)." An RoQ attack doesn't deny service completely. Instead, it degrades the quality of the connection or the available bandwidth, either to disrupt communications for others or to get better service for the attacker. A wireless VoIP call, for example, might stay connected but be so plagued with dropped packets or other problems as to be useless.
"It's hard to detect who's doing it, or even whether it's being done at all," Henderson says. "You need much more sophisticated techniques to detect these attacks."
Countering evasive tactics
A higher level of sophistication also is needed to counter the evasive techniques that attackers are starting to exploit, Aruba's Wright says. For example, an access point legitimately can direct a client to deauthenticate in certain cases, so deauthentication traffic is normal on a WLAN. The problem, Wright says, is that an attacker also can use deauthentication traffic to enable, and mask, a denial-of-service attack. More recently, he says, it's being used to trigger software flaws in WLAN driver code.
As part of developing this greater sophistication, MAP researchers are working to improve the accuracy of attack identification, thereby eliminating false alarms (false positives) as well as false negatives -- real attacks that the IDS doesn't recognize.
If successful, MAP could create the foundation of a dynamic WLAN security system that can monitor continuously for, and adapt to, constantly changing attacks.
Aruba Networks Named Rising Star In Deloitte’s Technology Fast 50 Program for Silicon Valley
Aruba Networks, Inc. a global leader in user-centric networks and secure mobility solutions, today announced that it has been named a “Rising Star” in Deloitte & Touche USA LLP’s Technology Fast 50 program for Silicon Valley. The Rising Star award is a special designation for fast-growth companies that have been in business at least three years, but less than five, and is part of the Silicon Valley Technology Fast 50 program, which ranks the 50 fastest growing technology, media, telecommunications, and life sciences companies headquartered in Silicon Valley. Rankings are based on percentage revenue growth between 2004 and 2006. This year’s Silicon Valley Technology Fast 50 program is co-sponsored by Deloitte & Touche USA LLP and Silicon Valley Bank, Cooley Godward Kronish LLP, Korn/Ferry International, and Woodruff-Sawyer & Co.
“The Deloitte Silicon Valley Technology Fast 50 Rising Star companies have shown the strength, vision and tenacity to succeed despite a very challenging technology environment,” said Mark Jensen, partner and national director, Venture Capital Services, Deloitte & Touche LLP. “We applaud the successes of Aruba Networks and acknowledge its place as one of the few to accomplish such a fast growth rate over the past three years.”
To qualify for the Technology Fast 50 Rising Star program, companies must be incorporated a minimum of three years, have operating revenues of at least $50,000 in 2004 and $5,000,000 in 2006, be headquartered within the San Francisco Bay Area (subsidiaries or divisions are typically not eligible), and either devote a significant proportion of revenues to the research and development of technology or own proprietary intellectual property that contributes to a significant portion of the company's operating revenues. The use of another company’s technology or intellectual property in a unique way does not qualify for consideration.
"We are honored to be recognized by Deloitte for our strong growth, which is driven by our innovative, high performance wireless LAN products and unique user-centric architecture,” said Dominic Orr, president and chief executive officer of Aruba Networks. “Our ability to securely deliver enterprise networks to users wherever they work or roam is both a technological innovation and a clear competitive differentiator in a fast growing market. To capitalize on the demand for our products and services, we continue to invest in our industry-leading wireless LANs and network security technology, strengthen our strategic partnerships, and expand the sales and distribution channels for our products.”
Rising Star companies are automatically entered in Deloitte’s Technology Fast 500 Rising Star category. Deloitte’s Technology Fast 500 program ranks North America’s top 500 fastest growing technology, media, telecommunications, and life sciences companies based on percentage revenue growth from 2002 to 2006. Its Rising Star ranking is based on percentage revenue growth over the period from 2004 to 2006.
Wednesday, October 17, 2007
Do Not Auto-Connect to Open Wi-Fi Networks
Ensure system settings prevent automatic connections to unsecured access points
Connecting to an open Wi-Fi network such as a free wireless hotspot exposes your computer to security risks. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying you (the user). This setting should not be enabled except in temporary situations with your (the user's) awareness.
To verify whether automatic connections to open Wi-Fi networks are allowed, check the computer's wireless configuration settings. For example, on Windows XP computers having Wi-Fi connections managed by the operating system, the setting is called "Automatically connect to non-preferred networks." To check this setting, follow these steps:
1. From the Start Menu, open Windows Control Panel
2. Inside Control Panel, click the "Network Connections" option if it exists, otherwise first click "Network and Internet Connections" and then click "Network Connections."
3. Right-click "Wireless Network Connection" and choose "Properties."
4. Click the "Wireless Networks" tab on the Properties page
5. Click the "Advanced" button in this tab
6. Find the "Automatically connect to non-preferred networks" setting. If checked, this setting is enabled, otherwise it is disabled.
While Windows XP does not enable automatic non-preferred connections by default, some users enable it in an attempt to simplify connecting to their own home network. Users should instead configure these as Windows XP Preferred networks, which allows automatic connection to the home equipment yet still prevents auto-connection to other networks.
10 Tips for Wireless Home Network Security
Many folks setting up wireless home networks rush through the job to get their Internet connectivity working as quickly as possible. That's totally understandable. It's also quite risky as numerous security problems can result. Today's Wi-Fi networking products don't always help the situation as configuring their security features can be time-consuming and non-intuitive. The recommendations below summarize the steps you should take to improve the security of your home wireless network.
1. Change Default Administrator Passwords (and Usernames)
At the core of most Wi-Fi home networks is an access point or router. To set up these pieces of equipment, manufacturers provide Web pages that allow owners to enter their network address and account information. These Web tools are protected with a login screen (username and password) so that only the rightful owner can do this. However, for any given piece of equipment, the logins provided are simple and very well-known to hackers on the Internet. Change these settings immediately.
2. Turn on (Compatible) WPA / WEP Encryption
All Wi-Fi equipment supports some form of encryption. Encryption technology scrambles messages sent over wireless networks so that they cannot be easily read by humans. Several encryption technologies exist for Wi-Fi today. Naturally you will want to pick the strongest form of encryption that works with your wireless network. However, the way these technologies work, all Wi-Fi devices on your network must share the identical encryption settings. Therefore you may need to find a "lowest common denominator" setting.
3. Change the Default SSID
Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally "linksys." True, knowing the SSID does not by itself allow your neighbors to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. Change the default SSID immediately when configuring wireless security on your network.
4. Enable MAC Address Filtering
Each piece of Wi-Fi gear possesses a unique identifier called the physical address or MAC address. Access points and routers keep track of the MAC addresses of all devices that connect to them. Many such products offer the owner an option to key in the MAC addresses of their home equipment, restricting the network to connections from those devices only. Do this if you like, but know that the feature is much weaker than it looks. MAC addresses travel unencrypted in the header of every Wi-Fi frame, even on an encrypted network, so anyone with a wireless sniffer can read the permitted addresses off the air and set their own card to one of them; the software to do so is freely available and the change takes seconds. Treat MAC filtering as housekeeping, not as a substitute for strong encryption.
5. Disable SSID Broadcast
In Wi-Fi networking, the wireless access point or router typically broadcasts the network name (SSID) over the air at regular intervals in beacon frames. This feature was designed for businesses and mobile hotspots where Wi-Fi clients may roam in and out of range. In the home, this roaming feature is unnecessary, and advertising the name increases the likelihood that a casual passer-by will try to log in to your home network. Most Wi-Fi access points allow the SSID broadcast feature to be disabled by the network administrator. Understand its limits, though: the name is still sent in the clear whenever a client connects, and laptops configured for a hidden network will call out that name wherever they go looking for it, so a determined attacker learns it anyway. Disabling the broadcast deters only the curious; it is not a security control in itself.
6. Do Not Auto-Connect to Open Wi-Fi Networks
Connecting to an open Wi-Fi network such as a free wireless hotspot or your neighbor's router exposes your computer to security risks: everything you send can be read by anyone in range, and an attacker can set up a rogue access point that impersonates a legitimate one. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying you. This setting should not be enabled except in temporary situations.
7. Assign Static IP Addresses to Devices
Most home networkers gravitate toward using dynamic IP addresses. DHCP technology is indeed easy to set up, and it hands a valid address to anyone who joins the network, intruders included. You can turn off DHCP on the router or access point, choose a fixed address range instead, and configure each connected device to match. Be realistic about what this buys you: an attacker who has already gotten onto the wireless network can watch a few packets from your own computers and pick a free address in seconds, so static addressing is a minor speed bump rather than a barrier, and it has to be weighed against hand-configuring every device. Separately, use a private address range (such as 10.0.0.x or 192.168.x.x) on the inside of the router; those addresses are not routable on the Internet, and the router's address translation is what keeps your computers from being reached directly from outside.
8. Enable Firewalls On Each Computer and the Router
Modern network routers contain built-in firewall capability, but the option also exists to disable them. Ensure that your router's firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router.
9. Position the Router or Access Point Safely
Wi-Fi signals normally reach to the exterior of a home. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. Wi-Fi signals often reach through neighboring homes and into streets, for example. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage.
10. Turn Off the Network During Extended Periods of Non-Use
The ultimate in wireless security measures, shutting down the network will most certainly prevent outside hackers from breaking in! While impractical to turn off and on the devices frequently, at least consider doing so during travel or extended periods offline. Computer disk drives have been known to suffer from power cycle wear-and-tear, but this is a secondary concern for broadband modems and routers.
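Steps 2 and 3 above interact in a way the checklist does not spell out: under WPA and WPA2 in pre-shared-key mode, the network name is the salt for the key derived from the passphrase. The following Python script is an added illustration of that derivation and is not code from the original page. The list of default network names and the 16-character "short passphrase" threshold are assumptions chosen for the example; the "password"/"IEEE" pair is the published IEEE 802.11i test vector.

```python
"""WPA/WPA2-PSK key derivation: why the SSID and passphrase length both matter.
Added example, not code from the original page."""
import hashlib

# Factory-default network names, constructed for this example only.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "belkin54g"}

PBKDF2_ITERATIONS = 4096   # fixed by 802.11i for the passphrase-to-PMK mapping
PMK_LENGTH = 32            # the Pairwise Master Key is 256 bits
SHORT_PASSPHRASE = 16      # assumption for this example, not a standard threshold


def validate_passphrase(passphrase: str) -> None:
    """802.11i passphrases are 8 to 63 printable ASCII characters (0x20..0x7E)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    if not all(0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK as specified by 802.11i: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds)."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def uses_default_ssid(ssid: str) -> bool:
    """True if the name is one an attacker is likely to hold precomputed tables for."""
    return ssid.lower() in DEFAULT_SSIDS


def review_network(ssid: str, passphrase: str) -> list:
    """Return findings for an SSID/passphrase pair; an empty list means nothing to report."""
    findings = []
    if uses_default_ssid(ssid):
        findings.append("default SSID: precomputed cracking tables for this name exist")
    try:
        validate_passphrase(passphrase)
    except ValueError as exc:
        findings.append(str(exc))
    else:
        if len(passphrase) < SHORT_PASSPHRASE:
            findings.append("short passphrase: cheap to guess offline from one captured handshake")
    return findings


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: a completely different PMK, so a table
    # precomputed for "linksys" cannot be reused against a renamed network.
    print(derive_pmk("password", "linksys") == derive_pmk("password", "MyHouse"))
    print(review_network("linksys", "password"))
```

Run it as a script to print the PMK for the test vector and the findings for a "linksys"/"password" network. The 4096 HMAC rounds make each guess slow, but they only limit how fast an attacker can try candidates against a captured handshake; the number of candidates, which is set by passphrase length and randomness, still decides the outcome.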
Maximize home network performance
Sometimes it is better to replace the router's built-in antenna with a different one. An omnidirectional antenna can have difficulty reaching a long distance because it radiates its power in all directions at once.
To address this problem, some router manufacturers sell external omnidirectional antennas with significantly higher gain than the router's built-in antenna. Installing a stronger omnidirectional antenna obviously allows far-away locations to be better reached. Because WiFi connections are distance-sensitive, a stronger signal also often leads to increased network performance.
A wireless antenna that is too strong, however, raises security concerns. Omnidirectional WiFi signals are more likely to bleed outside the house into neighboring areas where the signals can be snooped. Greater WiFi range can also be achieved with a high gain directional antenna that sends a strong signal in a particular direction. By focusing the signal, a high gain antenna allows the signal to be better controlled, literally aimed toward the area of the home where wireless devices are located.
In summary, consider replacing the wireless antenna on a router to improve wireless network reach and performance if possible. Many routers support an external antenna jack that allows connecting the new antenna. Consult the router product documentation for details.
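To put numbers on the trade-off described above, the following Python functions compute a free-space link budget and show how antenna gain translates into reach and into the area over which the signal can be overheard. This is an added example, not code from the page; the transmit power, gains and receiver sensitivity used are assumed values for illustration. Free-space loss is the best case: walls and floors add loss on top of it, so real ranges are shorter, but the ratios hold.

```python
"""Free-space link budget for a 2.4 GHz Wi-Fi link. Added example, not from the page."""
import math

WIFI_CH6_MHZ = 2437.0   # channel 6 centre frequency in the 2.4 GHz band


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss in dB: 20*log10(d_m) + 20*log10(f_MHz) - 27.55."""
    if distance_m <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def received_power_dbm(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                       distance_m: float, freq_mhz: float = WIFI_CH6_MHZ) -> float:
    """Signal level at the receiver for a given distance (free space only)."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_mhz)


def max_range_m(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                rx_sensitivity_dbm: float, freq_mhz: float = WIFI_CH6_MHZ) -> float:
    """Largest distance at which the received signal still meets the receiver's sensitivity."""
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    # Invert the FSPL formula: 20*log10(d) = budget - 20*log10(f) + 27.55
    return 10 ** ((budget_db - 20 * math.log10(freq_mhz) + 27.55) / 20)


def range_multiplier(extra_gain_db: float) -> float:
    """Each extra 6 dB of antenna gain roughly doubles free-space reach."""
    return 10 ** (extra_gain_db / 20)


def area_multiplier(extra_gain_db: float) -> float:
    """Ground area the signal covers grows with the square of the range: +6 dB is about 4x."""
    return range_multiplier(extra_gain_db) ** 2


if __name__ == "__main__":
    # Assumed values: 15 dBm radio, 2 dBi stock antenna, 0 dBi client, -80 dBm sensitivity.
    stock = max_range_m(15, 2, 0, -80)
    upgraded = max_range_m(15, 8, 0, -80)   # swap in an assumed 8 dBi omni
    print(f"stock antenna reach: {stock:.0f} m, 8 dBi antenna reach: {upgraded:.0f} m")
    print(f"area that can overhear the network grows by {area_multiplier(6):.1f}x")
```

The last line is the security point: a 6 dB stronger omnidirectional antenna not only doubles the distance from which your network can be reached, it roughly quadruples the area outside your walls where the signal can be captured. A directional antenna spends the same gain in one direction, which is why it is the better choice when the far-away client sits in a known place.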
Top 7 Tips for Improving a Wireless Home Network
1. Upgrade and Add the Right Equipment
Many homeowners have heard of basic Wi-Fi equipment like routers and wireless adapter cards. Many such products are available to choose from. The "best" choices are often unclear. Old equipment may need to be replaced with faster, more reliable or more compatible products. Folks also often fail to consider cool wireless gear like print servers, game adapters and video cameras. Before settling for a second-rate home network setup, do your research and acquire the right stuff at a good price.
2. Install the Wireless Router / Access Point Strategically
Some people quickly assemble their wireless home network only to find that it won't function in certain areas of the residence. Others enjoy a network functional at first but suffer quick disappointment later when it crashes as a microwave oven or cordless phone is turned on. Still others suffer from poor network performance but fear attempting to fix it. One easy way to address these common Wi-Fi networking problems is to move the wireless router (access point).
3. Change the Wi-Fi Channel Number
In the USA and most other countries, Wi-Fi equipment can transmit on any of several different "channels," much as television stations do. Most wireless routers ship with the same default channel number, and most homeowners never think about changing it. However, if a person experiences radio interference from a neighbor's router or some other piece of electronic equipment, changing the Wi-Fi channel just might be the best way to avoid it. In the 2.4 GHz band, adjacent channel numbers overlap, so move several channels away from the neighbor's; channels 1, 6 and 11 are the usual non-overlapping choices.
4. Upgrade Wireless Router (Access Point) Firmware
Wireless routers contain built-in programmable logic called firmware. A version of this firmware is installed on the router by the manufacturer, and this normally works well when first installing the device. However, many routers also offer a firmware upgrade capability that allows homeowners to install newer versions. Updated firmware can provide performance improvements, security fixes or better reliability. The security fixes deserve prompt attention, since the router is the one device on a home network that faces the Internet directly. As your router gets older, check the manufacturer's site for new firmware periodically and install it.
5. Improve Signal Strength and Range of the Wi-Fi Router (Access Point)
No matter where in a residence a Wi-Fi router is installed, sometimes the wireless signal will simply not be strong enough. The likelihood of this problem increases with longer distances and with severe obstructions such as brick walls between the router and a Wi-Fi client. One way to solve this problem is to upgrade the Wi-Fi antenna installed on the router. Some routers do not support this option, but many do. The alternative involves installing an additional device called a wireless repeater.
6. Improve Signal Strength and Range of Wi-Fi clients
As with wireless routers, the signal strength of wireless clients can also be improved. Consider this option when faced with a Wi-Fi client that suffers from a very short range compared to the rest of the devices. This same technique can improve the ability of laptop computers to connect to Wi-Fi hotspots.
7. Improve Wireless Network Security
Many homeowners consider their wireless network a success when basic file and Internet connection sharing are functional. However, if proper security features are not in place, the work of network setup remains unfinished. Follow this checklist of essential steps for establishing and maintaining good Wi-Fi security on a home network.
Sunday, October 14, 2007
RFID security tool
Here is the list of tools and papers that can be used to test the security of RFID technology.
RFID tools - tools relating to RFID technology.
| Tool | Mirror | Version |
| RFDump | Local mirror | v1.3 |
| Rfidtool | Local mirror | v0.01 |
RFID security and related links - this section contains links to the projects/papers relating to security and hacking of RFID devices.
| Resource | Description |
| Analysis of TI DTS RFID | Information on cracking RFID devices; very interesting and educational |
| RFID Factfile | IEEE published paper on RFID technology |
| RFID Papers | A collection of papers relating to RFID; some of the papers contain commercial and business perspectives |
| RFID Security | A paper on RFID security issues, published by Prof Heiko Knospe and Prof Hartmut Pohl |
| RFID Centre | An independent European RFID centre; contains a lot of information on RFID technology |
| RSA RFID links | A collection of security-related links from RSA |
Bluetooth security tools
Here is the list of tools commonly used in security auditing of Bluetooth devices and networks. As to the code, everything on our list is Open Source and is distributed under GPL, BSD or similar licenses. Closed Source tools are not included on purpose, even though they may be mentioned in the book where appropriate. This work is not commercial, does not favour particular vendors, and has only become possible due to the work and collaboration within the Open Source community. We are profoundly grateful to the authors of the listed tools for the feats of wonder they performed to make "theoretical" wireless security practical.
Bluetooth Network Discovery and related tools - the "classical" tools for discovering Bluetooth networks and devices.
| Tool | Mirror | Version |
| Blooover | Local mirror | v Unknown |
| BlueAlert | Not mirrored | v Unknown |
| BlueJacker | Local mirror | |
| BluePrint | Local mirror | v0.1-3 |
| BlueSnarfer | Local mirror | v0.1 |
| BlueSpam | Local mirror | v Unknown |
| Bluetest | Local mirror | v Unknown |
| BTclass | Local mirror | v0.1 beta |
| BT Device Viewer | Local mirror | v0.19a |
| BT Device Viewer | Not mirrored | |
| BTfs | Local mirror | v0.0.3 |
| BT (JABWT) Browser | Local mirror | v Unknown |
| BT Location Tracker | Not mirrored | v015 |
| BT Phone book dumper | Local mirror | v0.3 |
| Btscanner | Local mirror | v2.1 |
| BT_Audit | Local mirror | v0.1.1 |
| CarWhisperer | Local mirror | v0.2 |
| Gnome Bluetooth Subsystem | Not mirrored | v0.4.1 |
| GreenPlague | Local mirror | v2.2 |
| Mobiluck | Not mirrored | |
| Navizon | Not mirrored | |
| PSM_Scan | Local mirror | v0.3 |
| RedFang | Local mirror | v2.5 |
| T-bear | Local mirror | v1.5 |
Bluetooth drivers and stack - this section includes drivers for various Bluetooth cards and Bluetooth stacks.
| Component | Mirror |
| BlueZ | Not mirrored |
| Affix | Not mirrored |
| Broadcom Bluetooth driver | Not mirrored |
| OpenOBEX | Not mirrored |