Wireless networking in security

September 2012 IT infrastructure

Wireless transmission of data is becoming more of a norm in all areas of public, business and consumer life. Even the limited bandwidth available in cellular connectivity is growing rapidly. It is no surprise then that wireless networking is finding its way into the security market.

When most people think of wireless networking, they automatically think of WiFi connectivity we use in our homes, small businesses or coffee shops. Naturally, this idea leaves most people nervous when it comes to trusting wireless solutions to mission critical business technology as well as the demands of video surveillance.

When faced with the option of using wireless connectivity to transport video feeds from surveillance cameras, caution is the natural response. The fact is that WiFi (802.11) is useful for running a surveillance camera or three, but not much more. It offers no quality of service guarantees and very little ability to manage the transmissions unless you buy additional products on top of the basics most people purchase – which pushes the cost up. WiFi also has short transmission distances, which automatically limits it to home or small business installations.

When it comes to wireless networking that needs to function efficiently all the time and transmit images over large distances, with guaranteed quality and performance, vanilla WiFi can be, but seldom is, the solution.

To say that wireless networking is a complex topic that is only starting to be seriously considered in the security market is an understatement. To try to unravel the complexity, Hi-Tech Security Solutions asked a few wireless experts for their views on the applicability of wireless technology for the security industry, as well as areas in which it may be the preferred technology.

Hi-Tech Security Solutions: Is wireless networking a realistic option for security projects, such as surveillance, building management, access control etc?

Peter Turvey, Radwin SA: The short answer is yes. In some cases it is the only alternative available due to lack of wire line solutions. However, it depends on the underlying core wireless technology. Some wireless technologies have difficulty guaranteeing the delivery of data; these are typically the low end/cheaper wireless products, which are mostly, if not all, WiFi based. Contrary to this, there are other wireless technologies that have been used as a primary backhaul and access technology in the cellular industry since the inception of this vertical in the late ‘80s, early ‘90s. The telco industry stipulates 99,999% uptime in a given year (which equates to about 4 minutes of downtime) for wireless connectivity, which allowed vendors to market their products as ‘Telco Grade’ technologies.


So, if one is using ‘Telco Grade’ wireless with a proven track record, then it is quite easy to state that it is realistic to use wireless as an option for security projects.

Quentin Daffarn, UC-Wireless: The short answer is that if the wireless infrastructure deployed has the right fundamental capability on a technical level, then it is up to the job, but do not try these applications with what most average people consider to be WiFi. Your off the shelf, standalone access point (AP) is not going to cut it. Additionally, even some of the enterprise solutions do not include some of the key underlying engineering design that makes them robust and reliable.

Some important features to look for include:

* Beam forming (the ability of the AP to dynamically adapt its antenna gain pattern in real-time to increase by 6 to 9 dBi toward an active network client – such as a phone or laptop, scanner, IP camera, even one that may be moving on a vehicle etc.). This is equivalent to the signal strength you get by being two to three times closer to a normal AP, but with beam forming the range is increased.

* Interference rejection. Probably one of the most salient results from the independent Tom's Hardware tests is that of performance under severe wireless spectrum congestion caused by the presence of many hundreds of wireless networks and other sources of non-networking interference. The capability of modifying the antenna patterns in an AP is also used to great effect to reject interference by up to -15 dBi; thus in environments where almost all other WiFi technologies fail, there is still at least one that is robust enough to handle these and still deliver a fast, reliable connection to the clients on the network.

* Automated Quality of Service (QoS). Products such as Ruckus have in-built ability to manage QoS over WiFi and this means that one can reliably run multiple applications over the same infrastructure and still get the best performance for each. Smart Mesh is a technology that deploys wireless 5 GHz mesh networking between APs allowing them to link to one another and have the mesh managed by the controller and self-heal as situations change. (If an object such as a truck blocks the link between two APs, Smart Mesh can automatically reconnect by modifying the mesh to restore connectivity.)

Dr Stephen Michelson, UC-Wireless: The trade-off is ‘cost-per-metre’ and TCO (total cost of ownership) to deploy a wired solution (fibre or Ethernet) versus the cost to deploy, support and maintain a wireless network. If one considers inter-building and inter-site distances (say 500 metres and more) between locations needing connectivity, it is clear that wireless has distinct advantages. For wireless, the criteria for consideration include: knowing which applications will run over the wireless links, their aggregate bandwidth and the individual application QoS requirements.

* For example, access control and building management services (BMS) will use far less bandwidth than high definition video surveillance feeds. Wireless networking (in the last mile) is already being used internationally and within Africa for all of the aforementioned applications.

Warren Phillips, Miro Distribution: Most certainly yes, it can be successfully deployed when necessary. Wireless networking is the only option in a number of situations. The majority of wireless applications, however, are outdoor: interconnecting buildings or key areas where cable/fibre trenching is not practical financially or physically. Wireless networking should be embraced, not avoided, as most modern security systems require TCP/IP networking in some form. The flexibility that wireless networks offer you creates greater opportunities. Additionally, a wireless installation is typically faster to deploy than a trenched/cabled one.


Aadil Hassim, Cisco South Africa: It is advised that, in the case of business critical infrastructure, risk must be assessed in making the determination to integrate access control and building systems, specifically, onto a wireless network. If a robust wireless infrastructure is deployed as a backhaul system, most of these risks can be mitigated.


Andy Robb, Duxbury Networking: Absolutely. Wireless networking is the ideal option for these projects because of its fast time to deploy and ease of use.

HSS: When using wireless networking effectively, should companies look at WiFi (802.11) or what other protocols are there to consider?

Turvey: WiFi type technology falls into the category of last mile access for WiFi enabled devices, such as smartphones, PCs, Macs, etc. While some WiFi vendors have brought point-to-point (PTP) solutions that support longer distances, their underlying technology is still limited to CSMA/CA Media Access Control (MAC) mechanisms and therefore when compared with Telco Grade vendors utilising other MAC mechanisms, they are well and truly outperformed.

However, 802.11 type technologies were not designed for time deterministic type applications, eg, VOIP, video surveillance, etc, where dedicated bandwidth must be available at all times to ensure a good quality of delivery. One should rather look at wireless technologies that ensure QoS and stable capacity rather than the best effort performance which is offered by 802.11. These technologies support sophisticated MAC protocols rather than 802.11 type CSMA/CA. In addition, there are companies who use a patented air interface that allows for continuous transfer of time-sensitive traffic.

The main difference between the protocols and technologies previously mentioned is that one can ensure delivery and a very high level of QoS, which is a requirement for time-deterministic applications like video surveillance.

Phillips: The WiFi standard has come a long way since its humble beginnings in the late ‘90s. The original 802.11 standard offered just 1 to 2 Mbps transfer rates. These days you can buy gigabit 802.11ac radios that offer airspeeds of up to 1300 Mbps. While there is nothing wrong with the standard, WiFi radios have inherent limitations due to the standard itself and the interoperability they aim to achieve.

A number of brands offer radios that still work in the ISM bands (licence free), but use proprietary technologies for improved performance. Understandably this restricts you to using one brand within the wireless network, which is not always ideal. These proprietary technologies can be disabled for backwards compatibility.

Standard Wi-Fi radios use CSMA (Carrier Sense Multiple Access), which does not perform well in a residential or estate situation. A CSMA node (a radio wanting to send video data from an IP camera) tries to detect the presence of data/wireless traffic before transmitting its own. The CSMA protocol can be summarised as ‘sense before transmit’ or ‘listen before talk’. One limitation with CSMA is that your network will suffer from what is known as the hidden node effect. This occurs when two nodes (radios waiting to send video data) that are part of the same wireless network cannot ‘see/hear’ each other and both transmit at the same time. Of course a collision occurs: none of the data is successfully transmitted to the sector/access point and it has to be sent again. This is similar to an Ethernet network using an old hub.

These collisions occur over and over again, which decreases throughput and increases latency. This inefficiency has a direct impact on the quality of the video data streaming to the servers; it results in lost frames and jittery playback. Another limitation of the CSMA protocol is that its ability to send data works on a contention basis, where one radio can hog the sector/access point at the expense of the others. He who shouts loudest gets the most attention; it is an unstructured environment within this wireless network. This is why WiFi does not work well in busy environments.

Radios (ISM and licensed) that use the TDMA protocol do not suffer from these issues of collisions and high latency. Time Division Multiple Access (TDMA) creates a structured environment within that sector/access point whereby each node (a radio with data to transmit) is given a timeslot(s) to send and receive data. Each radio knows when it should transmit and thus collisions do not occur, improving throughput. Additionally, each radio works within its dynamically allocated timeslots and thus it cannot monopolise the time of the sector/access point. This reduces the overall latency throughout the wireless network.

To use an analogy imagine CSMA as parliament without a speaker-of-the-house/chairperson and TDMA with. Chaos vs. order.
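The hidden-node effect and the TDMA contrast described above, as a slot-by-slot toy simulation. This is an added illustration, not code from the article or from any radio vendor; the two-radio topology, the per-slot attempt probability (standing in for CSMA random backoff) and the assumption that each radio always has a frame to send (a continuously streaming camera) are constructed assumptions.

```python
"""Toy model of CSMA 'listen before talk' with hidden nodes versus TDMA slots.
Added illustration, not vendor code. Topology and probabilities are constructed."""
import random


def simulate_csma(hears, p_attempt, n_slots, seed=0):
    """hears: dict node -> set of nodes whose carrier it can detect.
    Each slot, every node attempts to send with probability p_attempt (this
    stands in for random backoff). Nodes are polled in random order; a node
    defers when a node it can hear is already on air in this slot. Hidden nodes
    (which cannot hear each other) never defer, so both send and the access
    point sees a collision. Returns (frames delivered, slots lost to collisions)."""
    rng = random.Random(seed)
    nodes = list(hears)
    delivered = collisions = 0
    for _ in range(n_slots):
        order = nodes[:]
        rng.shuffle(order)
        on_air = []
        for node in order:
            if rng.random() >= p_attempt:
                continue  # backed off this slot
            if any(other in hears[node] for other in on_air):
                continue  # carrier sensed: listen before talk
            on_air.append(node)
        if len(on_air) == 1:
            delivered += 1
        elif len(on_air) > 1:
            collisions += 1  # overlapping frames; all of them must be resent
    return delivered, collisions


def simulate_tdma(nodes, n_slots):
    """Each slot is owned by exactly one node in round-robin order, so two radios
    never transmit at once whether or not they can hear each other. With every
    radio always holding a frame, every slot carries one frame."""
    delivered = 0
    for slot in range(n_slots):
        owner = nodes[slot % len(nodes)]
        if owner is not None:  # the slot owner transmits; nobody else may
            delivered += 1
    return delivered, 0


# Constructed topologies: two camera radios A and B talking to one access point.
HIDDEN = {"A": set(), "B": set()}        # A and B cannot hear each other
COORDINATED = {"A": {"B"}, "B": {"A"}}   # A and B hear each other


def compare(p_attempt=0.5, n_slots=2000):
    """Returns {scenario: (delivered, collisions)} for the three cases."""
    return {
        "csma_hidden": simulate_csma(HIDDEN, p_attempt, n_slots),
        "csma_coordinated": simulate_csma(COORDINATED, p_attempt, n_slots),
        "tdma": simulate_tdma(list(HIDDEN), n_slots),
    }


if __name__ == "__main__":
    for name, (ok, lost) in compare().items():
        print(f"{name:18s} delivered={ok:5d} collision_slots={lost:5d}")
```

With the attempt probability set to 1.0 (both radios always try), the hidden pair collides in every slot and delivers nothing, while the pair that can hear each other delivers one frame per slot; TDMA delivers one frame per slot in both topologies because the schedule, not carrier sensing, keeps the radios apart.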

Daffarn: WiFi is the wireless protocol of choice for compatibility with the widest range of devices. Any other protocols, such as WiMAX, are more carrier oriented. This is true when it comes to data and other applications over IP, like voice and video. When it comes to communications, there are more standards to consider, some of which are open standard but none are suited for data.

Michelson: The products using the IEEE 802.11 standard have the lowest costs based on IC production volumes. Prices of products using 802.11 based chipsets have dropped dramatically over the last decade. Chipset manufacturers are continually providing higher levels of integration and improved features that get incorporated into the IEEE802.11 specification over time. The IEEE802.11 set of standards is evolving, leading toward more efficient use of wireless spectrum, better management of quality and higher data throughput speeds.

An insight concerning radio modulation and radio transmission concepts helps to understand how to maximise data throughput and have the best possible data transfer quality: the higher the received power level, relative to other received radio signal levels (‘spurious interferers’), the higher the sustained data throughput speed, since the most efficient modulation schemes can then be used.

What is modulation and why use higher order modulation schemes? Instead of just sending individual bits of data in a serial manner, the bit stream to be sent is divided and a number of bits are combined into what are called ‘symbols’; these symbols, representing many data bits, are then sent over the link. So for the same symbol rate, the more bits per symbol, the higher the overall data throughput speed of a radio link. Higher order modulation methods send more bits per symbol. If the received power is consistently higher than other interferers using the same frequency spectrum, there will be a better quality of data transfer because higher order modulation methods can be used.

To maximise the received power level, the power sent from the transmitter can be maximised by using larger antennas at a transmitter and/or receiver. The larger the antenna, the narrower the beam (hence more focused) in the direction where you wish to send the radio’s energy (the benefit is that interference from outside the antenna beam’s capture area is reduced, thereby improving what is called the ‘Carrier-to-Interference’ ratio at the receiver). For a point-to-multipoint (PtMP) environment, the antenna beam at the AP can be electronically steered towards the CPE (customer premises equipment); the result is that power is maximised at the receiver of both AP and CPE, and interference arising from other radio sources is reduced.
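The chain of reasoning in the two preceding paragraphs (antenna gain raises received power, a better carrier-to-interference ratio permits a higher-order modulation, and bits per symbol times symbol rate gives throughput) carried through as a link-budget estimate. This is an added example, not code from the article or any vendor: the modulation table with its C/I thresholds, the 1 km 5.8 GHz link and the interferer level are constructed, round-number assumptions, and the free-space loss formula ignores cable loss and fading.

```python
"""Link budget and modulation-order estimate for a fixed wireless link.
Added illustration, not vendor code; thresholds and link parameters are constructed."""
import math

C = 299_792_458.0  # speed of light, m/s

# Constructed table: (modulation, bits per symbol, minimum C/I in dB to use it).
# Higher entries carry more bits per symbol but need a cleaner signal.
MODULATIONS = [("BPSK", 1, 6.0), ("QPSK", 2, 9.0), ("16-QAM", 4, 16.0), ("64-QAM", 6, 22.0)]


def free_space_path_loss_db(distance_m, freq_hz):
    """Friis free-space loss: 20 log10(d) + 20 log10(f) + 20 log10(4*pi/c)."""
    return (20 * math.log10(distance_m) + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C))


def received_power_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_hz):
    """Best-case received power: transmitter power plus both antenna gains minus path loss."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - free_space_path_loss_db(distance_m, freq_hz)


def select_modulation(c_to_i_db):
    """Highest-order modulation whose C/I threshold is met, or None if even BPSK fails."""
    chosen = None
    for name, bits, min_ci in MODULATIONS:
        if c_to_i_db >= min_ci:
            chosen = (name, bits)
    return chosen


def link_estimate(distance_m, freq_hz, tx_dbm, tx_gain_dbi, rx_gain_dbi,
                  interferer_dbm, symbol_rate_msps):
    """Received power, C/I against a co-channel interferer at the receiver, the
    modulation the link can sustain and the raw throughput in Mbit/s (0 if none)."""
    prx = received_power_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_hz)
    c_to_i = prx - interferer_dbm
    mod = select_modulation(c_to_i)
    bits = mod[1] if mod else 0
    return {"rx_dbm": round(prx, 1), "c_to_i_db": round(c_to_i, 1),
            "modulation": mod[0] if mod else None,
            "throughput_mbps": symbol_rate_msps * bits}


if __name__ == "__main__":
    # Constructed 1 km, 5.8 GHz link: 20 dBm transmitter, a -80 dBm co-channel
    # interferer at the receiver, 20 Msymbol/s. Compare 8 dBi omnidirectional
    # antennas with 23 dBi directional dishes at both ends.
    for label, gain in (("8 dBi omni", 8), ("23 dBi dish", 23)):
        print(label, link_estimate(1000, 5.8e9, 20, gain, gain, -80, 20))
```

Swapping the omni antennas for dishes adds 30 dB to the received power and therefore to the C/I, which moves the link from BPSK (1 bit per symbol) to 64-QAM (6 bits per symbol) and multiplies the raw throughput by six at the same symbol rate; the 6 to 9 dB that beam forming was credited with earlier in the article can be modelled the same way by adding it to one antenna's gain.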

Robert Krumm, Ruckus Wireless: 802.11 is the most widely supported standard, with industry bodies such as the Wi-Fi Alliance ensuring interoperability between WiFi equipment vendors and client devices. Choosing a specific vendor to supply your WiFi networking equipment comes down to which feature sets of each vendor are the most applicable to your needs as a business.

Hassim: Companies should consider a combination of wireless technologies dependent on the usage case. WiFi (802.11) functions in the unlicensed band, whereas other frequencies can be considered depending on the deployment scenario (distance and bandwidth considerations) and price sensitivity.

* 802.11 WiFi should be considered for general user and device access. These networks are typically unlicensed and are used on private networks.

* Microwave radio technology and licensed spectrum radio are most commonly used for long distance wireless backhaul, and usually require licensing by the national authority, the Independent Communications Authority of South Africa (ICASA).

* 3G/4G Long Term Evolution (LTE) networks are wireless networks that are most commonly used on mobile handsets for seamless data roaming when using a handheld device.

Regardless of the wireless protocols determined to be best for the environment as transport, all protocols can effectively encapsulate Ethernet, which is the underlying requirement.

Robb: It is a case of ‘horses for courses’. Companies should deploy the protocols most appropriate for the application. There are a number of wireless vendors’ own proprietary implementations within the 2,4 and 5 GHz ranges from which to choose. For example, some are better at interference mitigation (of the radio signal), others are better at integrating surveillance cameras into the network (coping with high bandwidth requirements), while some make the link to existing wireless infrastructures easier. In an outdoor application, some protocols, meshed WiFi, for example, are more suited to coping with the distances involved in point-to-point and multipoint architectures. The WORP protocol from Proxim is a good example.

Decisions should be based on camera type/model, their resolution, the number of cameras and whether real time upstream and downstream transmissions are required.

HSS: What about security? Are wireless networks more/less/as secure as cabled networks?

Turvey: All security mechanisms/features available to wired/cabled networks can be implemented in wireless environments; however, wireless networks can be made to be more secure than wired networks. To connect to a wireless network one would typically need a radio or CPE from that specific vendor (unless the application is a hotspot type environment where the intention is that WiFi CPEs are connected over a short range to a WiFi access point).

Secondly, the radio or CPE would need to be configured to communicate with either a base station in PtMP radio environments or another radio in a PtP configuration. Also one should choose a vendor that supports AES encryption mechanisms over wireless. Lastly, there are some vendors that offer technologies like link lock, whereby the MAC addresses of each of the two radios are locked down so that they can only speak to a specific radio and none other.

Phillips: If the radios are installed/configured appropriately then they are as secure as a wired network. In terms of physical security, it is difficult to ensure the safety of trenched copper/fibre. The problem is that most thieves do not know the difference between fibre optic cables and copper ones until it is too late and the cable is cut. Obviously with wireless there are no cables to cut/steal/recycle.

I feel that a multi-layered approach is best to ensure that your network is secure. Use the latest encryption methods that are available on the hardware. For example:

* WEP (Wired Equivalency Protocol) is very easy to crack, rather use WPA2 (AES) for the encryption.

* Use alphanumeric passwords, use different passwords throughout the network.

* Change the passwords when a technician leaves the organisation.

* Hide the SSIDs (name of the wireless network).

* Use MAC address filtering to only allow the radios you want to connect.

* Disable DHCP (automatic IP address provisioning) on the wireless network.

* In the case of PtP wireless networks, use 30-bit subnets; this allows only two usable IP addresses on the wireless network. Should someone manage to connect to your network then there are no usable/open IP addresses to use in order to have a meaningful connection.

* Route through the wireless network, do not have a transparent bridge connection where it is on the same MAC layer as your LAN.

* Additionally, you can run the traffic through a VPN (a secure tunnel) inside the wireless link.

* Make use of proprietary technologies; should someone manage to connect to this network, they would have to have the same brand with the same configuration. Examples of the proprietary wireless network technologies: Radwin Link Lock, MikroTik Nstreme/NV2, Ubiquiti Airmax.

* Lastly, you can still implement a firewall on both sides of the link.

After all that, should they manage to connect to your network via the wireless link, then they deserve to do so.
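The checklist above, turned into an audit that a defender can run over a link's exported settings before it goes live. This is an added example, not code from the article, Miro Distribution or any radio vendor: the configuration keys are a constructed, vendor-neutral representation of the settings the list names, not any product's real configuration format, and the severities are the editor's weighting.

```python
"""Checklist audit of a point-to-point (PtP) wireless link configuration.
Added illustration, not vendor code; configuration keys are constructed."""
import ipaddress


def usable_hosts(cidr):
    """Usable host addresses in a subnet (network and broadcast excluded)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return max(net.num_addresses - 2, 0)


def audit_link(cfg):
    """Return (severity, message) findings; an empty list means every check passed."""
    findings = []
    enc = cfg.get("encryption", "none").upper()
    if enc != "WPA2-AES":
        findings.append(("high", f"encryption is {enc}; use WPA2 with AES (CCMP)"))
    pw = cfg.get("passphrase", "")
    if len(pw) < 12 or pw.isalpha() or pw.isdigit():
        findings.append(("high", "passphrase is short or not mixed alphanumeric"))
    if cfg.get("mode") == "bridge":
        findings.append(("high", "link is bridged to the LAN at layer 2; route across it instead"))
    if cfg.get("dhcp_server", False):
        findings.append(("medium", "DHCP server enabled on the wireless segment; disable it"))
    if cfg.get("topology") == "ptp":
        hosts = usable_hosts(cfg["subnet"])
        if hosts > 2:  # a /30 leaves exactly two usable addresses, one per radio
            findings.append(("medium", f"{cfg['subnet']} leaves {hosts} usable addresses; use a /30"))
    if not cfg.get("vpn", False):
        findings.append(("medium", "traffic crosses the link untunnelled; run a VPN over it"))
    if not cfg.get("firewall_both_ends", False):
        findings.append(("medium", "no firewall on one or both ends of the link"))
    if cfg.get("ssid_broadcast", True):
        findings.append(("low", "SSID is broadcast"))
    if not cfg.get("mac_filter", False):
        findings.append(("low", "no MAC address allow-list on the radio"))
    return findings


# Constructed example configurations (illustrative values, not real devices).
WEAK_LINK = {
    "topology": "ptp", "encryption": "WEP", "passphrase": "camera1",
    "mode": "bridge", "dhcp_server": True, "subnet": "192.0.2.0/24",
    "vpn": False, "firewall_both_ends": False, "ssid_broadcast": True, "mac_filter": False,
}
HARDENED_LINK = {
    "topology": "ptp", "encryption": "wpa2-aes", "passphrase": "n7Qe4vP2kL9sXw1a",
    "mode": "routed", "dhcp_server": False, "subnet": "192.0.2.0/30",
    "vpn": True, "firewall_both_ends": True, "ssid_broadcast": False, "mac_filter": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_LINK), ("hardened", HARDENED_LINK)):
        print(name, audit_link(cfg) or "no findings")
```

SSID hiding and MAC filtering are rated low on purpose: they reduce casual noise but do not protect the traffic, since the SSID still appears in probe and association frames and radio MAC addresses are sent in the clear in every frame. The encryption, routing, tunnelling and firewall checks are the ones that actually bound what a connected party can reach.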

Krumm: WEP was the standard for wireless encryption until 2004. It was very easily broken and caused many people to dismiss Wi-Fi as an untrusted access technology. The 802.11i amendment (July 2004) superseded WEP and uses the 802.1X framework or preshared keys for network authentication as well as CCMP/AES encryption to create ‘Robust Security Network Associations’ (RSNA). The only recommended standard for security is now WPA2 with AES encryption. All other forms of authentication and encryption are included for the sake of backward compatibility with legacy devices.

Hassim: Enterprise wireless technology enforces the use of authentication and encryption, which in many cases could be more secure than cabled networks.

By providing consistent security policies, distributed access control and data confidentiality and integrity protection, enterprise customers can take full advantage of an identity-aware wireless network infrastructure, which will ensure the required security.

Robb: Security in wireless networks has improved in leaps and bounds over the past few years, particularly since the days of the WAP protocol (known for its many security holes). Today wireless networks are as secure as cabled environments. Security is no longer a valid argument against wireless, and there are enough successful implementations out there to support this.

HSS: What products are available for wireless networking (specifically for security projects)?

Phillips: We stock backhaul radios and in-building/campus radios. The prices range from R300 to R30 000. With certain brands it is difficult to categorise the radios as they can perform multiple functions/modes depending on how you choose to configure them. While most of our radios work in the licence free bands some radios work above and below these bands (you need a licence to do so).

We do offer radios that work in the licensed bands specifically. For in-building/campus applications we offer the following:

* EnGenius 2,4 GHz desktop/ceiling access points for internal coverage.

* EnGenius ENH210EXT & Wavion beam forming radios for outdoor Wi-Fi coverage.

For outdoor point-to-point links we have the following options:

* Low to mid-level: MikroTik, Ubiquiti Airmax 5 GHz radios.

* High-end: Radwin 2000 series and Ubiquiti Airfibre.

For outdoor point-to-multipoint links, we offer the following:

* Low to mid-level: MikroTik, Ubiquiti Airmax 5 GHz radios.

* High-end: Radwin 5000 series.

Turvey: The entire Radwin 2000 family of PtP radios, also the Radwin 5000 Family of PtMP products. In addition we have the Radwin 5000 supporting fixed and mobile security applications and also the Radwin 5800 Mobility Series supporting broadband connectivity in mobile vehicles and mobile security applications up to 200 km/h. This is very useful for vehicles that need video surveillance conveyed back to a central control centre, eg, trains or to security vehicles for border patrol, etc.

Daffarn: Certain products are suited to longer/shorter distances and the bandwidth required is also a factor. PtP backhaul links can be used cost effectively with devices such as our Sagittar MN range, which has a TDM based mode (providing committed throughput vs CSMA Carrier Sense, which randomly accesses the network and detects collisions). MN radios can be used on-site and up to 15 km.

Hassim: Cisco offers a complete unified wireless infrastructure solution which includes Wireless LAN controllers, Aironet access points (unlicensed band), network management (Cisco Prime Infrastructure), authentication and policy management (Cisco Identity Services Engine) and mobility services (Mobility Services Engine).

The Unified Wireless Network solution developed by Cisco can be configured for various functions which include backhaul/backbone, access or mesh, and can be deployed in-building, on campus, as well as for outdoor environments. Resiliency can be designed into a solution using wireless mesh networks.

Robb: BridgeWave outdoor Gigabit wireless connectivity solutions are ideally suited to the network backhaul from aggregation points in large security projects – where a number of cameras connect to one point (eg, point-to-multipoint configuration). Proxim and Alvarion both offer a range of wireless solutions designed for surveillance applications.
