RF Design Magazine

Security Considerations for WiMAX-based Converged Network
Aug 1, 2005 12:00 PM  By Ramana Mylavarapu

With WiMAX promising to solve the bandwidth bottleneck, many carriers are looking to networking OEMs to provide robust security solutions - particularly VPNs and firewalls - in their edge devices, allowing them to securely deliver feature-rich services to subscribers, while protecting their own networks. Software original design manufacturers are now entering the fray to ensure that device vendors can provide carriers with these next-generation converged platforms, while adhering to the strict certification processes and rigid standards of quality in shorter development cycles.

Networking equipment makers have touted 2005 as the year for initial WiMAX deployments and 2007 for the standard to come to fruition. As Intel takes charge with its technology platform in the form of its PRO/Wireless 5116 broadband interface, it has generated a great deal of momentum for networking OEMs to develop a series of concept and reference products based on its standard. Several influential OEMs have in turn tossed their hats into the WiMAX ring, publicly committing themselves to providing solutions more robust than their WiFi solutions, but in a relatively shorter timeframe.

The be-all end-all to wireless?

Slated as the next phase in the evolution of wireless communications, WiMAX promises to address the shortcomings of WiFi's incongruous standards, providing a truly standardized protocol to deliver higher transfer speeds at exponentially longer distances. While an 802.11g access point (AP) could in theory transmit radio signals throughout a radius of 300 feet, a single WiMAX base station could broadcast signals throughout a radius upward of 30 miles, providing enough of a coverage spread to deliver subscription-based content at broadband speeds to entire cities (Figure 3).

As the first ratified WiMAX standard, or 802.16a, begins to transition into a market-stage technology, networking and communications OEMs are beginning to develop equipment that is compliant with the new broadband wireless standard. This year will mark the introduction of a handful of municipal WiMAX deployments using the 802.16a standard. Several companies have already ventured into strategic partnerships to prepare for the upcoming 802.16e mobile WiMAX standard, aimed at providing access to hand-helds and mobiles.

Additionally, learning from the exploits and flaws found in the 802.11 protocol, the WiMAX standard was drafted with security in mind, offering more robust protection in the form of certificate-based encryption. But regardless of the inherently stronger and more robust authentication measures in the 802.16a protocol, OEMs still face a battery of implications in developing networking devices with this new access technology; each is as multifaceted as the next, but none is too unfamiliar to the seasoned developer.

To fully understand the specifics involved, one must first gain a technical understanding of the standard and how it relates to WiFi at the data link and application layers.

Data link layer considerations

In a typical WiFi installation, a digital subscriber line (DSL) feeds a “packetized” bitstream into a modem/AP (e.g., a router or gateway situated at the network edge), which in turn broadcasts a radio signal — often encrypted — to WiFi-enabled clients that unpack this data. In a WiMAX installation, a fixed wireless base station, similar in concept to a cell phone tower, serves an “always-on” radio signal directly accessible by WiMAX-enabled clients, with no need for leased lines or an intermediate AP.

Similar to 802.11, the 802.16 media access control (MAC) protocol, a sub-layer of the data link layer, governs the client's access to the physical layer. However, the scheduling algorithm within the 802.16 MAC protocol prioritizes this traffic on a first-in first-out (FIFO) basis: clients seeking access to the base station are assigned bandwidth at the time of initial access, instead of being queued in random order by MAC address (as in 802.11). Furthermore, the 802.16 MAC protocol ensures better quality of service (QoS) than its WiFi predecessor, allocating bandwidth effectively by balancing clients' needs instead of providing “best-effort service” — that is, equal distribution of whatever remains after allocation to other clients.

Additionally, rather than encrypt the radio signal using WEP, WPA/PSK, or any other existing Layer 2 WLAN security protocol, 802.16a's baseline authentication architecture, by default, employs X.509-based PKI (public key infrastructure) certificate authorization, in which the base station validates the client's digital certificate before permitting access to the physical layer.

Application layer considerations

But given the expanded coverage spread and the resulting potential for an increased number of hackers to reside within the same network, OEMs must integrate multiple levels of additional security to protect the transmission link between base station and client, irrespective of WiMAX's underlying PKI-based security architecture. Software-based threat management and secure access solutions will be as integral as ever, with a typical security infrastructure comprising components such as firewalls, virtual private networking (VPN), Internet key exchange (IKE) tunneling, and intrusion prevention systems (IPS), each of which resides at the application layer (Figure 2).

For example, in an 802.16 mesh network deployment where routers or gateways act as intermediaries, or “hot spots,” between client and base station, there is an increased potential for security vulnerabilities, as the intermediary routers that reside between base station and client are exposed and susceptible to attack. Popular application-level services, such as voice over Internet protocol (VoIP), could be exploited by hackers who initiate the download of remote configuration settings and resynchronize clients' CPE settings to their own specifications. Hackers may also replicate, or “spoof,” the address of the intermediary router or server and deceive other clients into believing their connection is secure, thus opening them up to malicious attack. These routers and gateways will require robust security measures to ensure that unprotected clients remain protected behind the intermediary AP.

Most commercially available routers will possess firewall components that provide application layer gateway (ALG) functionality for the signaling protocols that set up and maintain multiple sessions. Any imperfections in the ALG functionality could result in diminished QoS for low-latency applications, such as VoIP and videoconferencing. OEMs must develop devices with ALGs that permit inbound call requests only from the server and endpoints with which the device is registered, while dynamically allowing inbound media packets only on call setup. These media sessions are to be closed on termination of the call.
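As an added illustration of the ALG behaviour just described (not Intoto's or any vendor's code), the Python below models a SIP-aware gateway that accepts inbound INVITEs only from the server the device is registered with, opens an RTP pinhole from the exchanged SDP only once the call is answered, and closes it on BYE; the addresses, Call-IDs and SIP messages are constructed samples.

```python
import re

class SipAlg:
    def __init__(self, registrar_ip):
        self.registrar_ip = registrar_ip   # only server allowed to send inbound INVITEs
        self.registered = set()            # inside devices that have sent REGISTER
        self.remote_media = {}             # Call-ID -> remote (ip, port) offered in SDP
        self.calls = {}                    # Call-ID -> open RTP pinhole (ip, port)

    @staticmethod
    def _media(msg):                       # (ip, port) of the audio stream in the SDP body
        c = re.search(r'^c=IN IP4 (\S+)', msg, re.M)
        m = re.search(r'^m=audio (\d+)', msg, re.M)
        return (c.group(1), int(m.group(1))) if c and m else None

    def handle(self, src_ip, msg):
        """Return 'allow' or 'drop' for one SIP message and update pinhole state."""
        start = msg.split('\r\n', 1)[0]
        call_id = re.search(r'^Call-ID:\s*(\S+)', msg, re.M | re.I).group(1)  # no Call-ID: malformed
        from_outside = src_ip not in self.registered
        if start.startswith('REGISTER'):
            self.registered.add(src_ip)
        elif start.startswith('INVITE') and from_outside and src_ip != self.registrar_ip:
            return 'drop'                  # unsolicited INVITE: not our server, not our device
        elif start.startswith(('INVITE', 'SIP/2.0 200')):
            ep = self._media(msg)
            if ep and from_outside:
                self.remote_media[call_id] = ep
            if start.startswith('SIP/2.0 200') and call_id in self.remote_media:
                self.calls[call_id] = self.remote_media.pop(call_id)  # pinhole opens on setup
        elif start.startswith('BYE'):
            self.calls.pop(call_id, None)  # pinhole closes on termination
        return 'allow'

    def allow_rtp(self, src_ip, src_port):
        """Rogue RTP check: media accepted only from the endpoint of an established call."""
        return (src_ip, src_port) in self.calls.values()

def _sip(start_line, call_id, sdp=''):     # constructed sample SIP message with optional SDP
    return '%s\r\nCall-ID: %s\r\nContent-Length: %d\r\n\r\n%s' % (start_line, call_id, len(sdp), sdp)

def demo():                                # one registration, one rogue INVITE, one real call
    alg, phone, server, rogue = SipAlg('203.0.113.5'), '192.168.1.20', '203.0.113.5', '198.51.100.7'
    sdp_remote = 'v=0\r\nc=IN IP4 203.0.113.9\r\nm=audio 49170 RTP/AVP 0\r\n'
    sdp_local = 'v=0\r\nc=IN IP4 192.168.1.20\r\nm=audio 5004 RTP/AVP 0\r\n'
    d = [alg.handle(phone, _sip('REGISTER sip:example.net SIP/2.0', 'c1')),
         alg.handle(rogue, _sip('INVITE sip:alice@192.168.1.20 SIP/2.0', 'c2')),
         alg.handle(server, _sip('INVITE sip:alice@192.168.1.20 SIP/2.0', 'c3', sdp_remote))]
    rtp = [alg.allow_rtp('203.0.113.9', 49170)]            # still closed: call not answered yet
    d.append(alg.handle(phone, _sip('SIP/2.0 200 OK', 'c3', sdp_local)))
    rtp += [alg.allow_rtp('203.0.113.9', 49170), alg.allow_rtp(rogue, 49170)]
    d.append(alg.handle(phone, _sip('BYE sip:bob@example.net SIP/2.0', 'c3')))
    rtp.append(alg.allow_rtp('203.0.113.9', 49170))       # closed again after BYE
    return d, rtp
```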

Vulnerabilities

VoIP is increasingly gaining traction among both consumers and enterprise users, offering an alternate, cost-effective means of communications against the traditional public switched telephone network (PSTN). Considering how WiMAX's enhanced MAC protocol offers higher QoS for low latency applications such as VoIP, it is expected that this service will comprise the bulk of bandwidth within the first few months of deployment.

However, just as within a WiFi environment, there remain several vulnerabilities with VoIP in a WiMAX ecosystem. A VoIP system uses protocols like H.323, MGCP, Megaco and the session initiation protocol (SIP) for signaling, and RTP/RTCP for media transport and control. Servers like media gateways, call agents, media gateway controllers, gatekeepers and proxies enable calling between the VoIP clients. SIP signaling is exceptionally popular for its ease of implementation, interpretation and stateful analysis, but when left unprotected it is equally notorious for its vulnerability. Security risks remain within the signaling servers themselves, with hackers employing one of several methods to obtain unauthorized access. OEMs must address each of these methods individually, and as a whole, when developing an effective security infrastructure that can thwart hackers.

  • Client impersonation: The SIP protocol can enable registration of multiple contacts for an individual user, with the “to” and “from” header fields unique per contact. By impersonating the client, a hacker can register his own contacts and have incoming calls and voice mail notifications delivered to the redirected contact addresses.

  • Server impersonation: After a client registers with a credentialed server, hackers can intercept session initiation requests from the client and reply with a spoofed response that directs the request to a new server. The calls from the client will either fail or connect to the hacker's defined endpoints, either way exposing the client. Similarly, hackers can intercept session requests in the registration process itself, redirecting the register requests to a fake server and exposing the server's credentials.

  • Message tampering: Considered as trusted intermediaries, proxy servers are often employed by clients to exchange session initiation requests and stream media. Hackers may implement spoofed proxy servers and unbeknownst to the clients, intercept their media session encryption methods and associated keys. With this vital information, they may redirect the media streams to their device and decrypt the information, or prevent the media stream from reaching its actual destination, allowing for wiretapping and eavesdropping.

  • Session tampering/hijacking: After a call is established, messages are exchanged between the base station and CPE for session renewals and codec negotiation requests. However, during the call, it is possible for a hacker to tap into the stream and forge messages. When a client expects a session renewal message periodically, the session description protocol (SDP) information is tampered with to divert the media stream, resulting in eavesdropped conversations.

  • Signaling requests resulting in DoS attacks: Proxy servers process registration and session initiation requests over a standard port number, through which hackers can instigate a flood of similar requests by spoofing multiple source IP addresses. Simultaneously barraging the server with multiple session initiation requests will result in server overload and denial of service.

To protect against any of the aforementioned vulnerabilities, the various 802.16-enabled devices within the WiMAX network, e.g. terminal adapters (TAs), integrated access devices (IADs), gateways, billing systems, voice mail servers and unified messaging systems, must be equipped with software that can detect and prevent external infrastructure attacks before they come to fruition. The complexity of this software varies with the type of device, its usage, application and importance within the network.

Security infrastructure

In addition to encrypting network traffic beyond the default PKI authentication, OEMs must implement several additional features within networking equipment to guard against sniffing of the data packets originating from the signaling servers, which direct traffic to its destination. Several complementary features are highlighted here in the context of VoIP, each of which should be addressed by OEMs in developing a converged network platform (Figure 1).

  • Firewall and NAT traversal, topology hiding: The firewall provides access to authorized devices for registering and making calls through VoIP servers, dynamically opening and closing multiple ports for signaling, while handling unsolicited incoming sessions. NAT traversal enables both signaling and media streaming from devices with cloaked IP addresses.

  • DoS and flood attack detection: The session border controller (SBC) shall detect the DoS attacks discussed above, as well as UDP, ICMP and TCP flood attacks.

  • Signaling and media security, theft of service prevention: Signaling security is based on MD5 authentication and TLS/IPsec. Media security is based on secure RTP/IPsec. The type of security is negotiable through SIP signaling or through a provisioning process.

  • Granular access control: A stateful firewall with granular access control policies gives the administrator a facility to create application-specific policies.

  • Session admission control, rogue RTP detection, policing and shaping: The SBC shall allow media traffic only through valid sessions, apply traffic management rules and police the traffic to avoid excess load. Similarly, the SBC shall provide the desired QoS by shaping the traffic on egress.

  • Firewalls specially designed for application-specific gateways: These firewalls have higher capabilities than conventional firewalls because they are part of the VoIP gateways/IP PBX systems. The firewall can provide security to these elements and detect fraud in real time across distributed networks, which is not possible in legacy PSTN systems that adopt centralized fraud management systems.

  • Intrusion detection and prevention systems: An intrusion detection system is vital in detecting signature-based attacks and intrusion. This system must not introduce delay or jitter in the VoIP signaling and voice traffic flowing through the network.
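The signaling flood described under Vulnerabilities and the flood detection the SBC is expected to perform are illustrated by the added Python below (not code from the article or from any vendor): a sliding-window rate check over SIP REGISTER/INVITE requests that also reports how many distinct sources drove the burst, since a burst spread across many never-seen addresses is the signature of spoofed source IPs. The log format, thresholds and traffic are constructed assumptions.

```python
from collections import deque

class SipFloodDetector:
    """Sliding-window rate check on SIP signaling requests reaching port 5060."""
    def __init__(self, window_s=1.0, max_requests=50, spoof_ratio=0.8):
        self.window_s, self.max_requests, self.spoof_ratio = window_s, max_requests, spoof_ratio
        self.recent = deque()          # (timestamp, src_ip) seen within the last window
        self.alerted_until = -1.0      # suppress duplicate alerts inside one window

    def observe(self, ts, src_ip, method):
        """Feed one request; return an alert dict when the window overflows, else None."""
        if method not in ('REGISTER', 'INVITE'):
            return None                # only the request types the proxy must process
        self.recent.append((ts, src_ip))
        while self.recent and ts - self.recent[0][0] > self.window_s:
            self.recent.popleft()
        n = len(self.recent)
        if n <= self.max_requests or ts < self.alerted_until:
            return None
        distinct = len({ip for _, ip in self.recent})
        self.alerted_until = ts + self.window_s
        return {'at': ts, 'requests': n, 'distinct_sources': distinct,
                # many requests from many never-seen sources suggests spoofed source IPs
                'spoofed_sources_suspected': distinct / n >= self.spoof_ratio}

def parse_log_line(line):
    """Parse a constructed SBC log line: '<secs> <method> src=<ip>:<port>'."""
    ts, method, src = line.split()
    return float(ts), src.split('=', 1)[1].rsplit(':', 1)[0], method

def build_sample_log():
    """Constructed traffic: a busy but legitimate burst, then a spoofed-source INVITE flood."""
    lines = ['%.3f %s src=10.0.0.%d:5060' % (t * 0.03, 'REGISTER' if t % 2 else 'INVITE', 11 + t % 3)
             for t in range(30)]                          # 30 requests from 3 phones in ~0.9 s
    lines += ['%.3f INVITE src=203.0.113.%d:5060' % (5.0 + i * 0.008, i + 1) for i in range(60)]
    return lines

def run(lines):
    det = SipFloodDetector()
    alerts = [a for a in (det.observe(*parse_log_line(l)) for l in lines) if a]
    return alerts
```

The legitimate burst stays under the 50-requests-per-second limit and raises nothing; the 60-source flood trips a single alert on its 51st request with a distinct-source ratio of 1.0.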

To accelerate their product deployment cycles and maintain a competitive edge in terms of product innovation, OEMs will turn to third-party software original design manufacturers (ODMs) to incorporate comprehensive converged software platforms comprising support for the aforementioned security features. These platforms are:

  • comprehensive enough to accommodate the demanding enterprise's convergence needs;

  • thoroughly tested and approved by industry consortiums and security groups, enabling OEMs to bypass often rigorous certification standards; and

  • fully interoperable with legacy (i.e. 802.11) and future (e.g. 802.16e) standards, assuring products remain future-proof.

Additionally, these software platforms are mature enough for turnkey integration into any WiMAX CPE device, enabling OEMs to design and deploy their solutions to market at a cost-benefit to the end-user or enterprise.

Conclusion

A handful of “pre-WiMAX” solutions using the Intel PRO/Wireless 5116 chipset exist, each showing promise. But the success of each is contingent on how well they fare in terms of reliability, features and protection. As with other disruptive technologies, expediency to market is key if OEMs wish to survive, let alone thrive, in the WiMAX space. But given the streamlined and standards-based nature of 802.16, networking and communications OEMs benefit greatly in terms of developing common platform WiMAX-enabled devices — at least relative to accommodating the almost innumerable standards of WiFi. OEMs will find themselves competing for first-to-market position not so much on the strength and impenetrability of their devices' security infrastructure, but on how well they integrate with innovative converged platforms providing support for enterprise applications like VoIP, video and management.

The battle for first-to-market will be met with anticipation from service providers, end-users, and, perhaps most important, enterprises, which stand to gain the most from what WiMAX has to offer. The recent spate of converged WLAN security appliances has created many innovative all-in-one solutions for collaboration and productivity, but they operate at the bottlenecked speed of the 802.11 standard. To realize the full potential of these products and what they promise for VoIP, VoD, and other low-latency applications, WiMAX-enabled equipment must be fully tested and certified by OEMs and standards bodies alike.

Yet with the rush to deploy converged systems for the WiMAX ecosystem, OEMs risk releasing products with beta, or premature, security components derived from WiFi specifications, leaving the protection of the network uncertain — especially given the absence of lessons learned from trial deployments. What many consider to be the future-proof standard for wireless enterprise communication could be fatally flawed if OEMs don't exercise due diligence in developing a robust software security infrastructure.

ABOUT THE AUTHOR

Ramana Mylavarapu is chief architect (VoIP/convergence products) at Intoto Inc., responsible for product development of network-centric secure VoIP gateways for consumer and business class applications. He comes with 22 years of experience in network planning and deployment of telecom equipment in large service provider networks. He can be reached at mrm@intoto.com.
