ISPadmin
June, 2002
Public Internet Access
Introduction
In this edition of ISPadmin, methods of providing public Internet access
are covered. The first area examined is the wired access one might see at
hotels, Internet cafes and similar venues. Next, 802.11b fixed public access
wireless points are covered. Finally, miscellaneous topics such as access
point manufacturers, community networks and software will be considered.
What exactly is public Internet access? As the name implies, it is
allowing Internet access in public or quasi-public locations. Some examples
of this would be building lobbies (hotels, airports), hotel rooms, Internet
cafes, libraries and similar locations. It can take the form of wired access
(usually indoor locations, such as Internet cafes and hotel rooms) or wireless
access (any indoor or outdoor area). The most common form of this type of
wireless access is based upon the IEEE 802.11b specification, though other
methods/protocols exist.
Public Access (Wired)
Figure one contains a diagram which illustrates how a provider could deploy
a wired public access net in a hotel, for example. The boxes to the left
represent subscriber client machines, which could be located in hotel rooms
or Internet cafes. These machines would connect to switches (or other aggregation
equipment), marked "Switch" via 10 or 100 Mb ethernet links. These switches
would in turn be connected via ethernet to a firewall. This firewall would
house the appropriate authentication and billing interface to enable access
to the Internet, after the subscriber has provided the "go ahead" and/or
entered credit card billing information.
Figure one
802.11x Background
802.11b is a wireless access standard adopted by the IEEE in 1999. It utilizes
the 2.4 GHz spread spectrum (unlicensed) to offer 11 megabits per second
(Mb/s) of bandwidth between two end points. The wireless access point
(WAP) will have at least one upstream "wired" port (usually 100 Mb/s ethernet)
so data not destined for a machine on the WAP network can be delivered. As
usual for any evolving technology, WAPs are being integrated into similar
products, and their prices are dropping. For example, one can purchase
a WAP with an integrated firewall and 4-port switch from Linksys (among other
vendors) for around $150.
There seems to be a lot of confusion between 802.11b and another wireless
LAN standard called Bluetooth. Figure two illustrates the differences between
the two similar technologies. The basic difference between the two is that 802.11b
is designed for high speed Internet access with higher radio power and longer
distances. Bluetooth, on the other hand, is designed for communication between
small devices (cell phones, etc.) with low radio power and shorter distances.
The References contain several URLs for additional information on Bluetooth.
                     802.11b     Bluetooth
Power Consumption    high        low
Effective Range      high        low
Cost                 high        low
Highest ISO layer    2           5
Figure 2
ISO layer 2 means the protocol requires higher level s/w (for example, a TCP/IP stack);
ISO layer 5 means most functions are implemented in the protocol.
802.11b wireless access can be used anywhere, indoors or outdoors. However,
public access points have been largely deployed up to now in high population
density areas (i.e., cities). It is costly to deploy a wireless technology
such as 802.11b in remote areas, until such time as usage/demand increases
to cover deployment costs. As deployment costs decline, it will become more
cost effective for providers to enable more thorough coverage.
It is used for point to point as well as point to multipoint networks.
(In this article, WAP will always refer to point to multipoint.) The big
advantage (and, at the same time, problem) with deploying 802.11b versus other
licensed spectrum products is the fact that 802.11b uses unlicensed spectrum.
Of course, the use of unlicensed spectrum may also cause interference problems
(microwave ovens, Bluetooth devices and wireless phones, among others) that
have to be corrected.
There are other wireless standards and products arriving. One is 802.11a,
which supports data rates up to 54 Mb/s in the 5 GHz range. An issue with
802.11a is the fact that it uses the 5 GHz band rather than the 2.4 GHz band
that 802.11b utilizes. Of course, this means much less interference, as
the 5 GHz spectrum doesn't have nearly the uses the 2.4 GHz band does. 802.11a
equipment started hitting the market about January, 2002.
Another standard is 802.11g, which is currently a draft standard and has
been the subject of much heated debate. It is 54 Mb/s (like 802.11a) but
is backwards compatible with 802.11b (utilizes the 2.4 GHz spectrum) while
having 30% greater range than 802.11a. Time will tell which standard "wins",
but for now, 802.11b is way ahead of the others simply because it has been
around longer and therefore has a much larger installed base. 802.11g chipsets
are in the process of being developed, with large scale shipments scheduled
for the third quarter, 2002 (according to an 80211-planet.com announcement)
by Intersil, a wireless chipset manufacturer.
802.11b Technical Details
The range of 802.11b WAP varies greatly depending upon a number of factors.
These factors include: transmitter power, antenna type and what is between
the WAP and client station. Of the listed attributes above, the most important
is transmitter power: the higher the power, the greater the range. The greatest
range at full power and clear line of sight with an omnidirectional antenna (point
to multipoint links) is in the neighborhood of 300 meters. Directional
antennas (point to point links) at full power can exceed 32 km (20 miles).
There are several parameters that can be changed on most WAP models. One
is the service set identifier (SSID), which associates a client with a WAP;
if it is set incorrectly, the WAP will ignore the client's packets. Setting
this parameter on most client adapters is a manual process, although several
aggregators are designing client software to make this transparent to the
wireless roamer. The channel (frequency), transmit power and encryption
(among others) can also be adjusted to suit the needs of the WAP owner.
Types of 802.11b Networks
The lines between 802.11b network operators are rapidly blurring. For the
purposes of this article, wireless networks can be broken down into three
types of operators:
· Public
· Private
· Co-operative/community
Public networks are those installed by service providers for the express
intent of reselling/providing access to the public (or quasi-public) user.
Private networks are those run by operators for a private entity whose
primary intent is not to provide public access. Finally, the co-operative
networks are those operators who build networks in a non-profit mode (for
example, Seattle Wireless and NYC Wireless).
==>Public Access Wireless Network
A public access network could be designed like Figure three. Attributes of
public wireless 802.11b networks usually take the form of the following:
· Firewall
· RADIUS (Remote Authentication Dial In User Service) back end authentication
· No encryption
As one might notice, this diagram is very similar to Figure one. The only
two differences are that the wired aggregation points (switches) are replaced
with wireless access points and that the billing system is replaced with a RADIUS
server. Other than that, the functions of the other pieces remain the same.
Figure 3
==>Private Wireless Networks
It is difficult to generalize private 802.11b networks. These networks reflect
the needs of the owner/operators. They may or may not utilize firewalls and
access control methods. They may or may not participate in a co-operative
(such as Sputnik or Joltage). They may or may not utilize encryption. They
might use back end authentication (such as Mysql or RADIUS) and they might
use MAC address restrictions. Then again, they might not.
Discovering open wireless networks seems to be the hobby of choice lately
(check out Netstumbler and bitshift.org to name two starting points for this
activity). To this day, many "private" wireless network owners protect their
networks with authentication of some sort (for example, allowing access from
certain MAC addresses or authenticating via a database) or with encryption.
Also, many opportunities exist for the casual 802.11b network owner to barter/resell
access. Two examples of this type of activity are Joltage and Sputnik.
==>Co-operative Wireless Networks
As with private networks, co-operative (co-op) or community wireless networks
are very difficult to simplify. There are many co-op wireless networks in
operation. Two of the larger and better known ones are Seattle Wireless and
NY Wireless. They focus primarily on point to point, but have some point
to multipoint (public) access as well.
In fact, the NoCatNet co-op group based in Sonoma County, CA has written
one of the few (if not the only) open source wireless authentication packages available.
This code has been modified by Sputnik for use in their hybrid service. More
on the topic of software in the section titled "Software".
802.11b Wireless Access Point Vendors
There are a number of 802.11b wireless access point manufacturers at this
point in time. The Network Computing Buyers Guide (dated November 12, 2001)
in the References section lists no less than 32 WAP models! They range in
price from the mid $100 range for a Linksys to several thousand dollars for
models with integrated management and firewall, among other features. An
ISP will likely purchase a less expensive model and attempt to add firewall
and management features in a separate firewall box rather than paying for
such functionality in a multi function access point.
One option is to build your own access point. NoCat has a package called
WRP (Wireless Router Project, based upon the Linux Router Project). According
to the NoCat page, it is "a linux distribution-on-a-floppy that provides
wireless support". It appears to be an easy way to reuse old, slow, Pentium
based hardware as a combined wireless access point and chokepoint firewall.
Firewalls
Almost any configurable firewall can be utilized as a public access chokepoint
for providers. Most firewalls do not ship with authentication software built
in, so this must be developed or perhaps modified if something like NoCatAuth
is utilized. If the site requires multiple WAPs or hard wired networks,
all traffic is brought back to a single chokepoint firewall to reduce cost
and operational headache. A relatively small box (Pentium 133 class machine)
can easily handle the traffic from several active access points. Of course,
for very large deployments the traffic would need to be partitioned but this
would not normally be required for a typical rollout involving up to about
250 subscribers.
There are too many firewall vendors to list here, both open source and commercial.
An open source firewall can also be used, and is what most service providers
would use to reduce cost and give the ability to customize functionality.
802.11b Authentication/Authorization Methods and Software
As mentioned previously, NoCatAuth is a software package that allows wireless
operators to control who accesses their network(s). It is meant for community/co-operative
type networks, but can be adapted for use in a service provider environment.
Its backend authentication mechanism (as written) can be either a text file
or a Mysql database. Most service providers require RADIUS authentication
for the back end, as that is how existing retail customers usually authenticate.
In order for a provider to use NoCatAuth with their existing RADIUS server(s),
NoCatAuth must be modified to allow RADIUS authentication. Leveraging existing infrastructure
is extremely important these days, with service providers going out of business
every week it seems!
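For a provider adding a RADIUS back end to a package like NoCatAuth, the part that has to be written is the client side of the RFC 2865 exchange: an Access-Request whose User-Password is hidden with the shared secret, and a check of the server's Response Authenticator before an Accept is trusted. The following is an added example, not NoCatAuth's code and not from the page; it implements both sides of that exchange from RFC 2865 so it can be run offline. The user name, password, NAS address, client MAC and shared secret are constructed values.

```python
import hashlib
import os
import struct

# Packet codes and attribute types are RFC 2865's; the rest of this block is
# an added illustration, not NoCatAuth's or any RADIUS server's own code.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 octets, then XOR each 16-octet
    chunk with MD5(secret + previous chunk); the 'previous chunk' for the
    first block is the Request Authenticator.  This hides the password from
    a passive observer but is only as strong as the shared secret."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same stream: recover the password and strip the
    zero padding before checking it against the user database."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(chunk, key)), chunk
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet), Length (1 octet, counts the 2-octet header), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, client_mac,
                         request_auth=None):
    """Client (NAS/chokepoint) side.  Returns (packet, request_auth); the
    caller keeps request_auth to validate the reply.  The authenticator must
    be fresh and unpredictable for every request, hence os.urandom."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(CALLING_STATION_ID, client_mac.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Server side.  RFC 2865 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check before acting on an Accept: a reply whose Response
    Authenticator does not verify was not built with the shared secret (or
    was altered in transit) and must be discarded."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return expected == reply[4:20]


def parse_attributes(packet: bytes):
    """Walk a packet's attribute list into [(type, value), ...]."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed value
    pkt, auth = build_access_request(7, "alice@ispa.example", "s3cret pw", secret,
                                     "10.0.0.1", "00-02-2D-AA-BB-CC")
    reply = build_reply(ACCESS_ACCEPT, 7, auth, secret)
    print(len(pkt), "octet request; reply authentic:", reply_is_authentic(reply, auth, secret))
```

The two checks that matter operationally are both visible here: the request authenticator is random per request (reusing one lets an observer correlate hidden passwords), and the reply is only acted on after its authenticator verifies against the secret, so a forged Accept from something other than the provider's RADIUS server is dropped.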
NoCatAuth works in conjunction with a firewall to block outside access (by
allowing or blocking individual client MAC addresses) until the user authenticates.
Prior to authentication, "walled garden" access may be granted which would
give the wireless user access to a certain limited set of services. For example,
a hotel might allow access to their web site prior to authentication, but
all other access is disallowed.
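The chokepoint policy just described, default deny, a walled garden reachable before login, and a per-MAC accept rule added after authentication, is small enough to write out. The following is an added example, not NoCatAuth's rule scripts and not from the page: a hypothetical helper that generates iptables commands for a Linux chokepoint box and mirrors the same decision in a `permits()` method so the policy can be checked without touching a firewall. Interface names, chain names, and the walled-garden address are assumptions.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


class Chokepoint:
    """Rule generator for one chokepoint firewall between the access points
    (wireless_if) and the uplink (uplink_if).  Hypothetical helper: it emits
    iptables commands instead of running them, so the policy can be reviewed
    and unit tested before it reaches a box."""

    def __init__(self, wireless_if, uplink_if, walled_garden):
        self.wireless_if = wireless_if
        self.uplink_if = uplink_if
        # Destinations reachable before login, e.g. the hotel's own web site.
        self.walled_garden = [ipaddress.ip_network(n) for n in walled_garden]
        self.authenticated = {}  # client MAC -> user name

    def base_rules(self):
        """Default-deny forwarding.  Two user chains keep the dynamic part
        (per-MAC accepts) apart from the static walled-garden part."""
        w, u = self.wireless_if, self.uplink_if
        rules = [
            "iptables -P FORWARD DROP",
            "iptables -F FORWARD",
            # -N fails harmlessly if the chain exists; -F then empties it.
            "iptables -N nocat_authed", "iptables -F nocat_authed",
            "iptables -N nocat_garden", "iptables -F nocat_garden",
            # Subscriber -> Internet: authenticated MACs first, then the garden.
            f"iptables -A FORWARD -i {w} -o {u} -j nocat_authed",
            f"iptables -A FORWARD -i {w} -o {u} -j nocat_garden",
            # Only replies to permitted sessions come back in.
            f"iptables -A FORWARD -i {u} -o {w} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        ]
        for net in self.walled_garden:
            rules.append(f"iptables -A nocat_garden -d {net} -p tcp "
                         "-m multiport --dports 80,443 -j ACCEPT")
        return rules

    @staticmethod
    def _norm(mac):
        """Accept 00-02-2D-AA-BB-CC or 00:02:2d:aa:bb:cc; reject anything else
        before it is interpolated into a command line."""
        mac = mac.lower().replace("-", ":")
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC address: {mac!r}")
        return mac

    def login(self, mac, user):
        """Called after back end auth (RADIUS, Mysql, text file) succeeds.
        Idempotent: a second login for the same MAC must not stack a second
        ACCEPT rule, or logout would leave one behind."""
        mac = self._norm(mac)
        if mac in self.authenticated:
            return []
        self.authenticated[mac] = user
        return [f"iptables -A nocat_authed -m mac --mac-source {mac} -j ACCEPT"]

    def logout(self, mac):
        """Remove the accept rule; a no-op for a MAC that never logged in."""
        mac = self._norm(mac)
        if self.authenticated.pop(mac, None) is None:
            return []
        return [f"iptables -D nocat_authed -m mac --mac-source {mac} -j ACCEPT"]

    def permits(self, mac, dst_ip, dst_port=80, proto="tcp"):
        """The decision the rule set encodes: authenticated MACs reach
        anything, everyone else only the garden over HTTP/HTTPS."""
        if self._norm(mac) in self.authenticated:
            return True
        dst = ipaddress.ip_address(dst_ip)
        return proto == "tcp" and dst_port in (80, 443) and any(dst in n for n in self.walled_garden)


if __name__ == "__main__":
    # Constructed values: wlan0 faces the access points, eth0 is the uplink,
    # 192.0.2.10 stands in for the hotel's web server.
    cp = Chokepoint("wlan0", "eth0", ["192.0.2.10/32"])
    print("\n".join(cp.base_rules()))
    print("\n".join(cp.login("00-02-2D-AA-BB-CC", "alice")))
```

Note that an accept keyed on MAC address identifies the client's adapter, not the user, and that nothing here governs traffic between two subscribers on the same access point or hub: as the Security Considerations section below points out, that traffic never reaches the chokepoint.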
A version of the NoCatAuth software has been deployed by Sputnik for access
to their wireless hot spots (network). See the Sputnik site for more information.
This author is not aware of any commercial off the shelf software for deploying
WAP authentication mechanisms. However, some WAP manufacturers include authentication/firewall
functionality in firmware as an integral part of their access point. This
does increase the cost and complexity of the access points, in addition to
potentially causing interoperability problems with a provider's infrastructure.
Billing
For wired public access, the customer will usually pay up front or be redirected
to a web page which authorizes charges to a hotel room, credit card or other
similar entity. This functionality can be implemented with most firewalls
and an interface (albeit, expensive) to a hotel or credit card billing system.
For 802.11b public access, if RADIUS is utilized as the back end authentication
mechanism, all of the data required for billing should be contained in the
RADIUS accounting data. The provider's existing billing system should easily
be able to handle these records, once appropriate record filters and billing
plans are created. If RADIUS is not utilized, then the process is more difficult
and a customized process may be required.
802.11b Aggregators
The state of 802.11b wireless access is very similar to wholesale dial up
at the start of its large scale deployment a few years ago. Wireless only
aggregators (such as Boingo and hereUare) are joining existing dial aggregators
(such as GRiC and IPASS) in this arena. (In fact, the founder of Earthlink,
one of the first aggregators of dial-up, is also a founder of Boingo.) Two
other aggregators, Sputnik and Joltage, don't seem to fit easily into either
category.
Traditional ISP aggregators utilize a settlement process where ISPA tallies
up the amount of usage on ISPA's network by ISPB, and ISPB adds up usage
on ISPB's network by ISPA. The appropriate rate(s) are applied to usage,
and whoever ends up owing the other money sends a check. GRiC and IPASS
are essentially commercial, third party implementations of that process.
Wireless settlement works in the same manner.
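Both the billing paragraph above (RADIUS accounting records feeding the provider's own billing run, once record filters are in place) and the settlement process just described work from the same RFC 2866 accounting data, so one worked example covers both. The following is an added example, not from the page and not any aggregator's code. The accounting log is constructed; its layout is modelled on a RADIUS server's per-record detail file (a timestamp line followed by indented attribute lines), with a realm in each User-Name so the visited network can tell whose customer roamed in. Operator names, NAS identifiers, rates and the round-up-to-the-minute plan are assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample accounting log (detail-file style, RFC 2866 attribute
# names).  Session 0001 appears twice: a retransmitted Stop record.
SAMPLE_DETAIL = """\
Tue Jun  4 10:15:02 2002
    Acct-Status-Type = Stop
    User-Name = "alice@ispa.example"
    NAS-Identifier = "ispb-hotspot-1"
    Acct-Session-Id = "0001"
    Acct-Session-Time = 1500
    Acct-Input-Octets = 120000
    Acct-Output-Octets = 2400000

Tue Jun  4 10:15:09 2002
    Acct-Status-Type = Stop
    User-Name = "alice@ispa.example"
    NAS-Identifier = "ispb-hotspot-1"
    Acct-Session-Id = "0001"
    Acct-Session-Time = 1500
    Acct-Input-Octets = 120000
    Acct-Output-Octets = 2400000

Tue Jun  4 11:02:45 2002
    Acct-Status-Type = Stop
    User-Name = "bob@ispb.example"
    NAS-Identifier = "ispa-hotspot-1"
    Acct-Session-Id = "0003"
    Acct-Session-Time = 3661
    Acct-Input-Octets = 50000
    Acct-Output-Octets = 900000

Tue Jun  4 12:30:00 2002
    Acct-Status-Type = Stop
    User-Name = "carol@ispa.example"
    NAS-Identifier = "ispa-hotspot-1"
    Acct-Session-Id = "0004"
    Acct-Session-Time = 600
    Acct-Input-Octets = 10000
    Acct-Output-Octets = 80000
"""

# Assumed mappings: which operator owns each realm and each NAS.
REALM_OWNER = {"ispa.example": "ISPA", "ispb.example": "ISPB"}
NAS_OWNER = {"ispa-hotspot-1": "ISPA", "ispb-hotspot-1": "ISPB"}
RATE_PER_MINUTE = Decimal("0.10")  # assumed settlement rate


def parse_detail(text):
    """Split a detail log into records; numeric values become ints and quoted
    strings lose their quotes.  The NAS timestamp line is skipped."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines()[1:]:
            name, _, value = line.strip().partition(" = ")
            rec[name] = int(value) if value.isdigit() else value.strip('"')
        records.append(rec)
    return records


def stop_records(records):
    """Record filter: keep Stop records only and drop retransmissions.  A NAS
    resends an accounting packet until it gets an Accounting-Response, so a
    session can be logged twice; (Acct-Session-Id, NAS-Identifier) names the
    session and must be billed once."""
    seen, out = set(), []
    for r in records:
        key = (r.get("Acct-Session-Id"), r.get("NAS-Identifier"))
        if r.get("Acct-Status-Type") == "Stop" and key not in seen:
            seen.add(key)
            out.append(r)
    return out


def billable_minutes(seconds):
    """Assumed billing plan: any started minute is charged in full."""
    return -(-seconds // 60)


def usage_by_user(records):
    """Per-subscriber totals for the provider's own billing run."""
    usage = defaultdict(lambda: {"seconds": 0, "octets": 0})
    for r in records:
        u = usage[r["User-Name"]]
        u["seconds"] += r["Acct-Session-Time"]
        u["octets"] += r["Acct-Input-Octets"] + r["Acct-Output-Octets"]
    return dict(usage)


def settlement(records, realm_owner, nas_owner, rate_per_minute):
    """Settlement tally: for each roaming session the home operator (from the
    User-Name realm) owes the visited operator (from NAS-Identifier).
    Returns {(debtor, creditor): amount}; home-network sessions are excluded."""
    owed = defaultdict(lambda: Decimal("0"))
    for r in records:
        home = realm_owner[r["User-Name"].rpartition("@")[2]]
        visited = nas_owner[r["NAS-Identifier"]]
        if home != visited:
            owed[(home, visited)] += billable_minutes(r["Acct-Session-Time"]) * rate_per_minute
    return dict(owed)


def net_balance(owed, a, b):
    """Positive: a sends b a check for this amount; negative: the reverse."""
    return owed.get((a, b), Decimal("0")) - owed.get((b, a), Decimal("0"))


if __name__ == "__main__":
    stops = stop_records(parse_detail(SAMPLE_DETAIL))
    print(usage_by_user(stops))
    owed = settlement(stops, REALM_OWNER, NAS_OWNER, RATE_PER_MINUTE)
    print(owed, "net ISPB owes ISPA:", net_balance(owed, "ISPB", "ISPA"))
```

The duplicate-session filter is the "record filter" the billing paragraph refers to: without it the retransmitted Stop for session 0001 would be billed to alice twice and counted twice in ISPA's settlement with ISPB. Money is kept in Decimal so the per-minute rate is applied exactly rather than in binary floating point.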
Many of the commercial aggregators develop their own client wireless access
software. (In fact, GRiC's software can manage wireless as well as wired
and dial connections!) This software manages many of the attributes of the
card (SSID being the most relevant) transparently so the subscriber doesn't
have to deal with changing them. As additional features are standardized
and added to wireless provider networks, this software can be easily upgraded
by the subscriber.
Security Considerations
For the end subscriber, security should be of the utmost concern. The fact
that critical information (such as credit card data) is traversing open,
public access networks and/or radio waves should make one stop and think.
If a hard wired public access provider is utilizing hubs (and certain [misconfigured]
switches as well) then all ports receive all data destined for one port.
Needless to say, this could be hazardous to one's financial well being.
In a similar way, 802.11b access can be "sniffed" out of the air by rogue
wireless clients. The encryption standard associated with 802.11b has been
proven to be insecure (see extremetech.com reference for a full discussion
of security problems and possible solutions). Also, if appropriate access
controls aren't in place on each subscriber's machine, one subscriber can
hack any other subscriber's machine on the wireless network. This is identical
to a subscriber connected to a hard wired hub accessing other subscribers'
machines on the same hub, without ever going through the firewall.
Hopefully, future versions of wireless standards and implementations will
contain better security. Until then, tread carefully!
Closing
Next time anti-spam mechanisms from a server perspective will be examined
in detail. Until then, please send your questions and comments to me!
References
Rob Flickenger, _Building_Wireless_Community_Networks_, O'Reilly, 2001, ISBN
0-596-00204-1
802.11b Networking News: http://80211b.weblogger.com/
internet.com's 802.11 Planet: http://www.80211-planet.com/
O'Reilly's wireless starting point: http://www.oreillynet.com/wireless/
Bluetooth Weblog: http://bluetooth.weblogs.com/
Bluetooth Special Interest Group: http://www.bluetooth.com/
IEEE 802.11b standard: http://standards.ieee.org/reading/ieee/std/lanman/802.11b-1999.pdf
Linksys multi function WAP: http://www.linksys.com/Products/product.asp?grid=23&prid=173
802.11b vs Bluetooth comparison: http://www.imparttech.com/802.11-bluetooth.htm
Wireless Ethernet Compatibility Alliance: http://www.wirelessethernet.org/
Network Computing article on 802.11a: http://www.networkcomputing.com/1201/1201ws1.html
Intersil 802.11g chipset announcement: http://www.80211-planet.com/news/article/0,,1481_963341,00.html
Intersil: http://www.intersil.com/cda/home/
Webopedia page for 802.11: http://www.webopedia.com/TERM/8/802_11.html
Joltage: http://www.joltage.com/jsp/home/home.jsp
Seattle Wireless: http://www.seattlewireless.net
NYC Wireless: http://www.nycwireless.net/
Wireless Anarchy: http://wirelessanarchy.com/
NoCatAuth: http://nocat.net/
NoCat WRP: http://nocat.net/ezwrp.html
Netstumbler: http://www.netstumbler.com/
bitshift.org: http://www.bitshift.org/wardriving.shtml
Portland, OR co-op personaltelco.net: http://www.personaltelco.net/
Boingo: http://www.boingo.com/
hereUare: http://www.hereuare.com/
Sputnik: http://www.sputnik.com/
GRiC: http://www.gric.com/
IPASS: http://www.ipass.com/
Earthlink: http://www.earthlink.net/
Mysql: http://www.mysql.org/
Network Computing WAP Buyers Guide: http://www.networkcomputing.com/1223/1223buyers2.html
Network Computing WAP Buyers Guide chart: http://www.networkcomputing.com/ibg/Chart?guide_id=3484
RADIUS authentication/authorization standard: RFC2865
RADIUS accounting standard: RFC2866
Exploiting and Protecting 802.11b Wireless Networks: http://www.extremetech.com/article/0,3396,s%253D1024%2526a%253D13880,00.asp