
A Wi-Fi Primer: Mobile Computing

Written by Tim Dees

You have probably seen a poster or other ad indicating the availability of a “Wi-Fi Hotspot” in an airport, or even a McDonald’s or Starbucks, but it didn’t mean a lot to you. Wi-Fi technology has been around for a couple of years, but it has only recently become so commonplace that it has attracted the notice of people who don’t eat, live and breathe computers. This technology can not only change the way that law enforcement and other public administrations wire their offices, but can also be deployed as a vehicle for a wireless mobile network that does not involve recurring costs.

Wi-Fi, also known as 802.11x (pronounced “eight-oh-two-dot-eleven” with an “a,” “b” or “g” on the end) is a networking protocol that allows computers and other devices (printers, handheld PDAs, monitors, etc.) to communicate with one another. In its simplest and most common form, a hardwired connection to the Internet, via a telephone dial-up connection, cable modem or DSL line, is wired to a Wi-Fi access point (AP).

The access point is a transmitter-receiver that broadcasts a signal in the 2.4 or 5 GHz band to computers equipped with a wireless local area network (WLAN) card. This WLAN card is itself a tiny transceiver, capable of sending and receiving signals from the access point. The result is that the AP and WLAN cards replace the need to string Category 5 (CAT5) networking cables between computers in order to allow them to network.

802.11a is not especially common, but is the fastest wireless LAN presently available; 802.11b is by far the most common; and 802.11g is the in-between model in terms of speed and appearance on the market. 802.11g gear is backward-compatible with 802.11b, because they both use the 2.4 GHz band. 802.11a uses the 5 GHz band. Each of these funny-sounding numbers represents a standard developed by the Institute of Electrical and Electronics Engineers (IEEE).

Why is networking valuable? Networking allows devices on the network to share resources. Resources include the connection to the Internet, files that reside on one machine but not others, printers, and servers that handle tasks such as routing and delivery of email. Most computer networks are hardwired with CAT5 or fiber-optic cabling, and the person using the network is only as mobile as the tether of the cable allows him to be.

These networks are usually based on the Ethernet protocol, a group of standards that allow different manufacturers’ products to work with one another. An even simpler “network” called “sneakernet” involves copying files to a floppy disk, then running down the hall with them to a coworker’s computer. Without a network, every user who needs e-mail has to have his own direct Internet connection, and everyone who needs to print files needs their own printer, or is forced to use the sneakernet protocol.

Wireless networking involves the purchase of specialized hardware, but it is often cheaper than the cost of buying cabling and stringing it through the crawlspaces and ventilation ducts of a building. Older buildings may have asbestos or heavy wall construction that precludes this, anyway. There is also the advantage of not having to rewire the office when people change desks or the arrangement of the room is otherwise revised.

Further, when workers have notebook computers as their primary work machine, they can bring their computers to meetings and still have the full capabilities of the network resources, so long as they remain in range of the signal from the access point. If one access point is not sufficient to serve an entire building, additional devices can be installed, and the WLAN cards in each notebook will lock onto the strongest signal with no intervention from the user.

The typical office-grade access point has only 100 milliwatts of transmitter power, as it is not designed to have a range of more than a few hundred feet. But because the 2.4GHz band is unlicensed, it is possible to boost the power of these transmitters to as much as one watt, which expands the range of the APs from hundreds of feet to tens of miles. (Wi-Fi signals have been transmitted over distances of more than 60 miles under ideal conditions and using special directional antennas.)

When the APs are placed strategically, they can cover an entire community with few or no dead spots. This allows users in the field to have the same access to network resources that they would have if they were sitting in front of a computer in the police station. Small communities that are beyond the reach of commercial mobile data networks or previously regarded themselves as too tiny to have mobile data can get into the big leagues with a Wi-Fi network for their cars and individual officers.

This is what has been done in Hermiston, OR, a town of 13,000 served by a 25-officer department (see sidebar). Hermiston is adjacent to the Umatilla Chemical Weapons Depot, an Army facility that stockpiles tons of nerve and mustard gas agents that are earmarked for destruction. The Chemical Stockpile Emergency Preparedness Program (CSEPP) recognized the need for public safety agencies to be able to communicate with one another and with the Army authorities in the event of a release of a chemical agent. After exploring several methodologies, Wi-Fi was selected as the optimal technology that offered the best balance of capability and cost.

 

Equipment

 

To set up a Wi-Fi network, you need at least one AP for the network, and a WLAN card for each computer that is to be connected. The APs are widely available at electronics stores, and usually cost less than $125. The AP is connected to the Internet source (a T-1, cable, DSL or dial-up line) by a standard CAT5 networking cable, and usually also has a hardwired connection to a server computer. Many APs also include a standard two- or four-port network router for this purpose, so another piece of equipment is unnecessary.

The client computers on the network need a WLAN card. About 60% of the new notebook computers presently for sale have this as a standard feature or an option, and there are advantages to having the WLAN electronics installed internally. Most add-on WLAN cards are a little larger than a credit card, and are installed in the computer’s PCMCIA slot. The card is fairly well protected there, but the antenna for the card usually sticks out in the form of some external nub or stub that can be damaged if the notebook is handled roughly or placed into a case that hasn’t been configured to allow for the antenna.

The WLAN cards that are installed internally often use an antenna wired into the display, so there are no stubs or nubs to catch on anything, and will also have an on-off switch somewhere on the computer. If you can buy your computers pre-wired with the WLAN cards, it is by far the preferable option.

Desktop machines usually communicate with the wireless network by the use of a PC card that plugs into the innards of the computer, much like a video or sound card, and will have an external antenna poking out the back. There are also USB (Universal Serial Bus) attachments that plug into a USB port on the computer, and work from a unit the size of a pack of cards that sits on the physical desktop.

Whichever mix of APs and WLAN devices you use, it is a good idea to try to procure them from a single manufacturer. In theory, and usually in practice, one company’s wireless gear will work with another’s. However, setting up the network is often a tedious and challenging job, and if you need to call the technical support line for assistance, the support folks may refuse to help if there is another manufacturer’s product in the mix. Technical support people like to assume that it’s the other guy’s stuff, rather than theirs, that isn’t working, and will just tell you to straighten out the problem with Brand X’s gear before you call them back.

Will you need assistance in setting up the network? Maybe yes, maybe no. Windows XP Professional includes a “Zero Configuration Wizard” that, ideally, will configure every machine on the network for you and get them all to talk to each other. My personal experience with the Zero Configuration Wizard is that I had to disable it and set all of the options in Windows XP manually for each machine on the network.

If you are not comfortable with messing with internal Windows settings, this will confound you. Computer publications have rated Microsoft’s wireless hardware as being much easier to configure than APs and WLAN cards from other manufacturers such as Belkin, Linksys and D-Link. A major computer magazine recently rated Linksys as having “good” technical support service, with Belkin and D-Link not doing so well.

 

Wide-Area Networks

 

Networks deployed over a large area are called Wide-Area Networks, or WANs, as opposed to Local Area Networks, or LANs. The best reason for using Wi-Fi to create a wide-area mobile data network is cost. The hardware is much cheaper than the typical radio modem options, and there are no recurring costs, as there will be if you go with a commercial wireless provider like Sprint or AT&T.

If your intention is to use Wi-Fi to establish a wireless mobile data network, the setup process is more or less the same as the WLAN process, but your client computers will probably be using the Internet to communicate with the databases and other network resources that you connect with directly in the station. In a few cases, you might be able to engineer a direct connection between the AP in the field and the server in the station, but this often requires the use of costly leased telephone data lines that eat up the savings the WAN was supposed to create in the first place.

The remote access point can be placed anywhere that it is going to command a line-of-sight connection with units in the field. Most cities have water towers, utility poles, or other structures that can be used to establish the “high ground” foundation for the access point, or a private building owner may agree to allow the installation.

Wireless access points typically broadcast in an omnidirectional mode, which may not be desirable. If the access point is on the perimeter of the service area, some of the signal output of the access point will be wasted. A directional antenna, sometimes called a yagi antenna, can not only boost the signal, but confine it to the area where it will be of greatest use. There are certainly commercial antennas available for purchase, but a person who is handy with radio hardware may be able to rig one for little or no cost. One directional antenna used for “war driving” (more about this later) expeditions is constructed on the foundation of a Pringles potato chip can and aluminum foil.

A typical wide-area wireless network might be set up this way: the connection to internal and criminal justice databases is made via a hardwired connection at the police station. The server that handles the database connection has a wireless access point connected to it, so users within range of the access point in the station can use the databases and other network resources without having to be tethered to an Ethernet CAT5 cable, while others use a conventional hardwired connection.

In the field, officers with WLAN cards in their car-mounted computers or handheld computers link up with the network via a wireless access point mounted on a high building. The AP has a hardwired connection to the Internet via a cable modem or DSL line. Communication between the field units and the server at headquarters is via the Internet, encrypted and protected from intrusion and/or interception by a firewall that will allow messages from the field units, but reject others.

It might be necessary to create multiple access points around the operational area, depending on the size and the geography of the area. While the signals between the access points and client computers aren’t stopped completely by obstacles, they don’t penetrate them as readily as lower-frequency signals (such as those in conventional police radio) do.

Higher radio frequencies tend to be absorbed by geographical features like dirt and rocks, and the frequencies used in Wi-Fi are in the 2.4 GHz and 5 GHz bands, three to six times the frequency of the 800 MHz bands that are usually the highest used in public safety communications. Each access point will need its own connection to the Internet, so it’s important to take these costs into consideration in your planning.

 

Security

 

Security is a factor in any police communications system, but it’s even more important with wireless networks. With a conventional hardwired network, you can physically inspect the cabling and other connections between the client and server computers and see if there have been any unauthorized taps into the wiring. With wireless systems, you are broadcasting your data into the ether that is beyond your control, and if it is not properly protected, it can be intercepted, or a hacker may be able to access your system and explore it for his own purposes.

There are several methods of protecting a wireless network from intrusion, and in a public safety system, they should all be used. A favorite pastime of hackers is a technique called “war driving,” where potential invaders drive around office buildings and other areas where wireless nets are likely to be installed, “sniffing” the 2.4 GHz band for signals. This can be done with any laptop equipped with a WLAN card, as Windows XP will cause a pop-up message to appear when the card detects an active wireless network.

There is also now available a small device, about the size of a vehicle remote control, that will light up in the presence of a wireless network signal. It sells for less than $40. Many businesses and home users set up wireless networks without changing the default security settings, when there are any security features enabled at all. These are easy pickings for the hacker, who can then use the free Internet service for his own purpose, or start exploring the computers on the network to see what might be there.

Most of these intrusions are motivated by no more than the prospect of getting a broadband Internet connection to use for free, or simple curiosity in wandering around on someone else’s computer. However, the free broadband connection can be used to upload or otherwise traffic in illegal software, pornography, or other forbidden fruits, and if the source of these is traced back, someone on the victim’s network will appear to be the originator.

There are two basic methods for securing a wireless network. The older and more vulnerable of these techniques is called Wired Equivalent Privacy, or WEP. WEP requires the use of a passkey that can be up to 26 characters long, and must be installed on every computer on the network. The problem with WEP is that an intruder can monitor the traffic on the network, and once enough has been intercepted, the access key can be divined using software in wide use by hackers.

A successor to WEP, and one that provides considerably better security, is WPA, or Wi-Fi Protected Access. Most newer Wi-Fi equipment comes with WPA built in, and older models can often be updated by downloading a new version of firmware from the manufacturer’s Web site (firmware is a type of software that resides in a device’s non-volatile memory).

Most computers have BIOS or Basic Input/Output System firmware loaded into a chip on the device’s motherboard. WPA uses improved data encryption through the temporal key integrity protocol, where the encryption keys themselves are scrambled using a hashing algorithm and an integrity-checking routine that ensures that the keys haven’t been tampered with.

WPA also uses the MAC addresses of each device on the wireless network to ensure that the device is authorized to access the network. MAC (the acronym stands for Media Access Control) addresses are unique and assigned to each network device at the factory. By allowing only devices with registered and approved MAC addresses to access the network, “strangers” can be denied access. WPA encrypts the MAC address itself using Extensible Authentication Protocol (EAP), for a belt-and-suspenders approach to wireless network security.

Even if your wireless network is using WEP instead of WPA security, there are other methods of improving security on a wireless network. By default, wireless networks broadcast their presence to any receiver within range. Each network has a Service Set Identifier (SSID) that shows in a list of available networks. The default SSID of a network is often the name of the manufacturer that made the AP, e.g. “LINKSYS” or “BELKIN.” If one of these default names shows up in a list of networks available to an intruder, it is a near-dead giveaway that the network has been set up carelessly and does not have the various security protocols enabled.

There are two ways to close off this avenue of intrusion. One is to change the SSID to something other than the default, and even better, to something that doesn’t indicate the owner. Thus, rather than call your wireless network “ANYTOWNPD,” call it “X5000,” or “GREENBEANS” or something that doesn’t give a clue as to who owns it. Then, turn off broadcasting of the SSID entirely. A determined hacker with a signal detector will be able to tell that there is an active AP in the area, but won’t be able to ferret out the SSID (which is necessary to connect) without some more extensive effort. Authorized users who know the SSID and who have the proper network key will be able to connect easily.

The last method for securing your wireless network is the simplest, and yet the most-often ignored: enforce strong password usage. People generally choose passwords which are easy to guess and won’t survive a brute force attack with a dictionary trying every possible combination of known words. They also tend to write them down at obvious locations near or on their computers.

Strong passwords have at least eight characters, are a mix of uppercase, lowercase, numbers and punctuation, and are either random or form nonsense words that may or may not have meaning to the user. “7y&F#ag!@” is a strong password, “NUMBERONECOP” isn’t. By substituting some look-alike characters for letters in an easily remembered phrase, one can come up with a strong password that is also meaningful. For instance, “LAWANDORDER” can be transformed into “2aW&0rd3R” with a little imagination.
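The password rules above can be turned into a check that a department runs when passwords are set. The following Python sketch is an added example, not part of the original article; the word list is a small constructed sample standing in for a real dictionary file, and the function names are hypothetical.

```python
import string

# Constructed mini word list; a real check would load a full dictionary file.
WORDS = {"law", "and", "order", "number", "one", "cop", "police", "badge"}


def is_word_chain(password, words=WORDS):
    """True if the password is nothing but dictionary words run together."""
    s = password.lower()
    # reachable[i] is True when s[:i] can be split entirely into dictionary words
    reachable = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        reachable[i] = any(reachable[j] and s[j:i] in words for j in range(i))
    return bool(s) and reachable[-1]


def weaknesses(password):
    """Return the article's strong-password rules that this password breaks."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "uppercase": string.ascii_uppercase,
        "lowercase": string.ascii_lowercase,
        "number": string.digits,
        "punctuation": string.punctuation,
    }
    for label, chars in classes.items():
        if not any(c in chars for c in password):
            problems.append(f"no {label}")
    if is_word_chain(password):
        problems.append("built only from dictionary words")
    return problems


if __name__ == "__main__":
    # The four passwords discussed in the article.
    for pw in ("7y&F#ag!@", "NUMBERONECOP", "2aW&0rd3R", "LAWANDORDER"):
        print(pw, "->", weaknesses(pw) or "meets the rules")
```

An empty result means the password meets every rule in the paragraph above; the word-chain test is what catches “NUMBERONECOP” and “LAWANDORDER” even though both are longer than eight characters.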

Your 26-character network key is a form of password, and is usually generated from a shorter passphrase. Make the passphrase a likewise meaningless string of characters, and change it once a month. Every user will need to change his network key at the same time to match the one at the access point, but that takes less time than auditing your network to see what damage an intruder may have done when he gained unauthorized access.
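The access point settings covered in this section (default or owner-revealing SSID, SSID broadcast, WEP versus WPA, monthly key change) lend themselves to a periodic audit of the department's own equipment list. The Python sketch below is an added example, not part of the original article; the inventory, the owner-hint strings, the record fields and the finding labels are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

DEFAULT_SSIDS = {"LINKSYS", "BELKIN"}   # vendor defaults named in the article
OWNER_HINTS = ("ANYTOWN", "POLICE")     # constructed: strings that name the owner
KEY_MAX_AGE_DAYS = 31                   # "change it once a month"


@dataclass
class AccessPoint:
    label: str            # inventory name, not the SSID
    ssid: str
    broadcast_ssid: bool
    security: str         # "NONE", "WEP" or "WPA"
    key_changed: date     # date of the last network-key change


def audit(ap, today):
    """Return the article's checklist items that this access point fails."""
    findings = []
    ssid = ap.ssid.upper()
    if ssid in DEFAULT_SSIDS:
        findings.append("default-ssid")
    if any(hint in ssid for hint in OWNER_HINTS):
        findings.append("ssid-names-owner")
    if ap.broadcast_ssid:
        findings.append("ssid-broadcast-on")
    if ap.security == "NONE":
        findings.append("no-encryption")
    else:
        if ap.security == "WEP":
            findings.append("wep-instead-of-wpa")
        if (today - ap.key_changed).days > KEY_MAX_AGE_DAYS:
            findings.append("key-overdue")
    return findings


# Constructed inventory for a hypothetical department.
TODAY = date(2004, 6, 1)
INVENTORY = [
    AccessPoint("tower-north", "LINKSYS", True, "NONE", date(2004, 1, 1)),
    AccessPoint("station", "ANYTOWNPD", True, "WEP", date(2004, 3, 1)),
    AccessPoint("water-tower", "GREENBEANS", False, "WPA", date(2004, 5, 20)),
]


def audit_all(inventory=INVENTORY, today=TODAY):
    """Audit every access point and return {label: [findings]}."""
    return {ap.label: audit(ap, today) for ap in inventory}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(f"{label}: {', '.join(findings) or 'ok'}")
```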

 

 

 

Tim Dees is a former officer who writes and consults about applications of technology in law enforcement. He can be reached at (509) 585-6704 or by e-mail at tim@timdees.com.


Published in Law and Order, Jun 2004
