Layer 1 Wireless Security Basics

written by: Hazrul Aaron; article published: year 2007, month 05;


In: Categories » Electronics and communication » Network security » Layer 1 Wireless Security Basics

Let's build on the more technical aspects of the discussed policy considerations. We'll start from physical layer security. The physical layer security of wireless networks encompasses avoiding a signal leaking beyond the defined network boundaries and eliminating all intentional and unintentional sources of interference. Here we concentrate on coverage zone spread containment. Limiting the wireless network spread is a rare example of security through obscurity that works (to some extent).

There are two ways of preventing the signal spread beyond the area you want to be accessible for the legitimate users. The first way is limiting the signal strength. In the UNIX world, less is more. The same principle applies to physical layer wireless security. The EIRP should be sufficient to provide a decent quality link to users in the planned coverage zone and not a Decibel more. Pushing the EIRP up to the legal FCC limit is often unnecessary and makes your WLAN a beacon for all war-drivers in the area and a discussion topic for a local 2600 group meeting. There are several points at which you can regulate the emission power:

  • Access point (all higher-end APs should support regulated power output)

  • Variable output amplifier

  • Appropriate antenna gain selection

In extreme cases you might have to deploy an attenuator device.

The second way is shaping the coverage zone via appropriate antenna selection and positioning. There are several tips we can provide:

  • Employ omnidirectional antennas only when absolutely necessary. In many cases sectored or panel antennas with the same gain can be used instead to limit the signal spread.

  • If no outdoor wireless access is needed, position your indoor omnis in the center of the networked building.

  • If deploying a wireless network inside a tall building, use ground plane omnis to make your LAN less detectable from the lower floors and surrounding streets.

  • If omnidirectional coverage is not required, but irreplaceable omnidirectional antennas are all you can have, deploy parabolic reflectors to control signal spread. The reflectors reshape your wireless system's irradiation pattern, effectively turning your omnidirectional antenna coverage zone into an area resembling the irradiation pattern zone of semidirectionals. Of course, this will also increase the signal gain. A typical case when you should consider using reflectors is setting up an access point without an external antenna connector or a possibility to replace the standard "rubber duck" access point omnis with more appropriate antennas. All that a reflector should have is a properly sized, flat metal surface. You can thus make your very own reflector out of nearly anything ranging from wire screens to tin roofing material. A detailed article describing building custom reflectors is available at http://www.freeantennas.com/projects/template/index.html. We also suggest consulting Rob Flickenger's Wireless Hacks (O'Reilly, 2003, ISBN: 0596005598) hack number 70.

  • If deploying a wireless link down a long corridor connecting multiple offices, use two patch or panel antennas on the opposite ends rather than a whole array of omnis along the corridor. Alternatively, you can experiment with a string of unshielded wire plugged into the AP antenna connector and stretched all the way along the corridor length. If properly constructed, such an improvised "no-gain omni" can provide the connectivity in the corridor and in a close space around it without leaking the signal to hostile streets.

  • If your client devices have horizontal antenna polarization, use a horizontal polarization antenna at the access point. The wardrivers' all-time favorite, the magnetic mount omnidirectional is always positioned vertically using the car as a ground plane. If all your antennas have horizontal polarization, the possibility of wardrivers picking up your signal with the magnetic mount omni is dramatically decreased.

Sidebar The RF Foundations. Antenna Polarization

A radio wave consists of two fields: electric and magnetic. These two fields are spread via perpendicular planes. The actual electromagnetic field is a sum of the electrical and magnetic fields between which the emitted energy oscillates. The electric plane parallel to the antenna element is referred to as the E-plane, and the perpendicular magnetic plane is designated as the H-plane. The position of the E-plane referenced to the Earth's surface determines the antenna polarization (horizontal when the E-plane is parallel and vertical when it is perpendicular to the ground). The majority of access points come with vertically polarized antennas, whereas laptop PCMCIA card built-in antennas are mostly horizontally polarized. On the contrary, built-in CF cards' antennas are polarized vertically. Use your favorite signal or link quality tool to see how aligning the antenna polarization influences the link properties. You will find that when antennas are polarized in an opposite way, the link quality is dramatically decreased. The usual way of sorting out the incorrect polarization problem is by changing the access point antenna direction, but there are vertically positioned omnidirectionals that are, nevertheless, horizontally polarized. These antennas are rare and tend to be expensive.


Do not expect that positioning your antennas correctly will bring a perfect, desirable network coverage zone shape. First of all, there is always a small backward coverage area created by the majority of semidirectional and even directional antennas. Yagis have side and back lobes that can stretch quite far when the EIRP is significant. Thus, a wardriver can discover the network by accidentally passing behind the emitting antenna, and a cracker does not have to position himself or herself right in front of the antenna where the security personnel would expect a cracker to be.

Besides, short of building a proper TEMPEST (well, EMSEC) bunker, radio emission containment is a hard task. Due to the signal reflection, refraction, and scattering, the wireless network can be detected by chance from positions one would never imagine it reaching. This underlines the importance of removing all interesting data from the beacon frames. If a wardriver catches a single beacon showing enabled WEP and closed ESSID, he or she is likely to give such a network a miss when there are so many unprotected networks around. Whereas, if the beacon shows the absence of WEP and the ESSID is "Microsoft_Headquarters_ WLAN," the reaction could be entirely different.

legal disclaimer

1) Our website is not responsible for the information contained by this article as well for any and all copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article for any copyright infringements, please read the Terms of service and contact us to investigate the problem.
2) The E-articles directory team is not responsible for inaccuracies, falsehoods, or any other types of misinformation this tutorial may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here. Please read the Terms of service

Useful tools and features

Translate this article to...    Send this article to you or to a friend

Link to this article from your page   
If you like this article (tutorial), please link to it from your web page using the information above. Linking to this page, this is the only way to help us improve our service, the same time providing your visitors with a way to improve their online experience.

related articles

1. PDAs Versus Laptops
The first question that beginners ask before assembling their kit is whether a laptop or a PDA should be used for wireless penetration testing of any kind. Our answer is to use both if you can. The main advantage of PDAs (apart from size) is decreased power consumption, letting you cover a significant territory while surveying the site. The main disadvantage is the limited resources, primarily nonvolatile memory. The CPU horsepower is not that important here as we are not cracking AES. Other disadvantages are the limited amount...

2. Cryptographic Hash Functions
Can symmetric cryptography meet the requirements of the Biba model, based on the data integrity checks and proper authentication? The answer is "yes," but in a very inefficient way. Recall the practical authentication example with the UNIX (well, Linux in our case) password encryption flaw when DES in ECB is used. Of course, any of the feedback modes or 128-bit block ciphers can be used instead of DES, with the obvious performance penalties. However, in our example, MD5 scales very well. A cryptographic hash function i...

3. 802.11i Wireless Security Standard and WPA
Thus, the main hope of the international 802.11 community and network administrators lies with the 802.11i standard development. Sometimes 802.11i is referred to as the Robust Security Network (RSN) as compared to traditional security network (TSN). The "i" IEEE task group was supposed to produce a new wireless security standard that should have completely replaced legacy WEP by the end of 2003. In the meantime, some bits and pieces of the incoming 802.11i standard have been implemented by wireless equipment and software vendor...

4. Proprietary Improvements to WEP and WEP Usage
The article devoted to the proprietary and standards-based improvements for currently vulnerable 802.11 safeguards. The most publicized 802.11 vulnerability is the insecurity of WEP. We have already reviewed the cryptographic weaknesses of WEP linked to the key IV space reuse and insecure key-from-string generation algorithm. There are also well-known WEP key management issues: All symmetric cipher implementations suffer secure key distribution problems. WEP is no exception. In the original design,...

5. Penetration Testing as Your First Line of Defense
It is hard to overemphasize the importance of penetration testing in the overall information security structure and the value of viewing your network through the cracker's eyes prior to further hardening procedures. There are a variety of issues specific to penetration testing on wireless networks. First of all, the penetration tester should be very familiar with RF theory and specific RF security problems (i.e., signal leak and detectability, legal regulations pertaining to the transmitter power output, and characteris...

6. Asymmetric Cryptography
Message authentication using HMACs works just fine, but how do we distribute symmetric cipher keys among the users? We can pass them around on floppies or fancy USB pen-drives with encrypted partitions on them, but what if many users live all over the world? What if the physical key distribution method takes time and the keys must be frequently changed? This is the case with the traditional WEP, which should be rotated every few minutes. Key-encrypting keys (KEKs) were offered as symmetric cipher keys used only to encrypt...

7. Examples and Analysis of Common Wireless Attack Signatures
The best way of knowing these signatures is trying out the tools in question and sniffing out their output: "Attack through defending, defend through attacking" (Dr. Mudge). The best source on wireless network intrusion tool detection and attack signatures we are aware of is Joshua Wright's "Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection" and "Detecting Wireless LAN MAC Address Spoofing" papers. A large part of this tutorial is inspired by these brilliant articles and our experience of analyzing WLAN tr...

8. Deploying a Wireless IDS Solution for Your WLAN
How many IDS solutions that implement the recommendations and follow the guidelines we have already discussed are present on the modern wireless market? The answer is none. There are many wireless IDS solutions that look for illicit MAC addresses and ESSIDs on the monitored WLAN. Some of these solutions are even implemented as specialized hardware devices. Although something is better than nothing, in our opinion such "solutions" are a waste of both money and time. They might also give you a false sense of security. Let's...