Documente Academic
Documente Profesional
Documente Cultură
40
as a function of distance (the AP is located indoors
30 wall
outside building at x = −10). The curve uses two path loss models;
20
a higher α = 3 value is used indoors (x ∈ [−10, 0])
10
5 while lower attenuation is assumed outside the build-
-10 0 10 20 30 40 50 60 70 80
ing (α = 2 or 2.5). We use 10 dB of attenuation to
attacker distance (m)
model the external wall, with agrees with published
measurements [6]. Notice that clients within the in-
Figure 3: SNR outside the building. tended range (indoors) achieve SNR≥30 dB, a conse-
quence of the power control mechanism. However, even
free-space, signal strength decays as a function of the assuming free-space propagation outside the building
square of the distance; translating from Watts to a loga- (α = 2), the SNR drops below 5 dB 40 meters from the
rithmic scale (e.g. dBm) yields the so-called log-distance external wall. In this case, an attacker would need at
model [6]: least 20-25 dBi of gain to have a chance to complete the
handshake (25 dBi would give him SNR= 30 dB).
P r(d) = P t − L0 − 10αlog(d) (1) Most antennas in the market provide gain below
where P r is the received power (in dBm), d is the dis- 15 dBi. Antennas with higher gains are usually not
tance in meters, P t is the transmission power (dBm), L0 portable, precluding a “stealth” approach to the SA.
is the total signal attenuation 1 meter from the trans- A fast online product search performed by the au-
mitter (dB), and α is known as the path loss exponent. thors yielded a grid antenna with 23.5 dBi (weight=9lb,
Free-space propagation is equivalent to using equation size=32”), a yagi antenna with 18 dBi (w=8lb, sz=40”),
1 with α = 2. and a parabolic antenna providing 24 dBi (sz=35”). To
This model has been successfully used to model prop- make attacks even more complicated, these antennas
agation within buildings [6, 5], with α values being only provide such high gain over narrow angles (5-10◦),
strongly environment dependent and usually found em- meaning an external receiver needs to point its antenna
pirically. In a KIWI installation, the high number of exactly to the transmitting AP.
APs allows the system to autonomously find the best
fit for α. 2.4 Robust localization
Authentication in close range. As a consequence Objective. The input to the localization system is a
of the transmission power control, clients within the in- set of signal strength values for a given client, as esti-
tended range enjoy high SNR levels (≥ 30 dB) and low mated by the APs in the environment. The system has
probability of failing authentication. Let perr denote two main objectives. First, as it can be used in access
the probability of receiving an error frame; at 30 dB of control decisions, it aims at verifying whether or not
SNR, figure 2 yields perr = 0.0142. If the WA sends the client in question is geographically located inside
40 KB of random data divided into 20 frames, and if the intended service area. Second, clients inside the
we assume uniformly distributed frame losses, a client SA should be located accurately, enabling the infras-
completes the handshake successfully with probability tructure to react to high rates of invalid authentication
higher than 0.75 when provided with SNR=30 dB. Sim- requests, other forms of DoS attacks, or remove rogue
ilarly, the probability of two consecutive failures lies access points.
below 0.07. Formally, the input to the system is a set of tuples of
the form (xi , yi , P ri ), where (xi , yi ) is the location of the
Demands on attackers. In order to cope with the
ith access point and P ri is the signal strength detected
weaker signal strength perceived outside the building,
for the client being located. The objective is to estimate
attackers have to increase their gain towards the access
the location and transmission power level used by the
point broadcasting nonce messages. The lack of CRCs
client (transmitter): (xT , yT , P t). The search occurs
provides no information on whether the frames have
over a tridimensional space S: the location (xT , yT ) is
been received correctly, so the attacker (as any other
limited to the service area and Pt is limited to a range of
receiver) relies on the detected SNR values to decide
transmission power representative of off-the-shelf wire-
whether to complete the handshake. The most cost-
less cards (e.g. 15-20 dBm).
effective way for a receiver to increase SNR is to use an
antenna with gain Gr > 0. For example, if provided Preconditions. Before a location is estimated, the
with a SNR of 20 dB an attacker could use an antenna system performs a set of sanity checks on the input
with 10 dBi of gain to achieve SNR=30 dB and properly vector. If any of these checks fails, the input is re-
receive nonce messages. jected and an unknown location is attributed to the
client (which could be denied access to the network). AUTH KIWI
Our current system employs two checks that take ad- CAPEX
vantage of the higher density of access points provided Access points 400.00 3,200.00
by KIWI. First, the algorithm checks whether the input RADIUS server/WA 5,000.00 8,000.00
vector contains a minimum number of entries, Q (min- OPEX
imum quorum). Given that most available off-the-shelf AP installation 1,200.00 4,800.00
wireless cards are provisioned with omni-directional an- AP config. 280.00 -
tennas, intended clients located within the SA should Site survey 4,000.00 -
not have problems satisfying this condition. As of at- Yearly maitenance 3,640.00 -
tackers, this precondition eliminates the cases in which
TCO $14,520.00 $16,000.00
the system would estimate an incorrect location as a
consequence of the use of few access points. Table 1: Estimated TCO for both architectures.
The second condition makes sure that the client is de-
tected by at least one access point above a pre-defined distance model fitted to the environment [6]. Our error
signal strength threshold T ; i.e., the algorithm contin- function is the sum of the squares of such differences,
ues only if ∃i|P ri ≥ T . A positive answer to this test which explains the use of the chi-square distribution.
is taken by the system as an indication of the client’s
proximity to the network. The exact value of T is cal- Accuracy and false negatives. The high number
culated based on the power levels used by off-the-shelf of APs enables autonomous calibration (determination
cards, the path loss model calculated for the environ- of the path loss model) while allowing our system to
ment, and the number and location of access points. achieve accuracy comparable to previously published
With more access points, the smaller the average range systems [7, 4]. For instance, when using a log-distance
to the closest AP, and the higher the network can set model with deviations following a normal distribution
the threshold T . with standard deviation of 7 dB, the simulation of an
office building with one AP every 10 meters yielded an
Location estimation. If all preconditions are satis- average error of 2.55m (75th percentile of 4.15m). The
fied, the system estimates the location for the trans- rate of false negatives (system unable to locate clients
0 0 0 0
P solution s0 =2 (xT , yT , P t ), its
mitter. For a tentative inside the SA) was found to be low; for the same simula-
error is defined as i (P ri − P r(di )) . This formula is tion scenario and discarding solutions with error above
simply the square of the difference between the value re- E90 , false negatives occurred with probability inferior
ported by each AP (P ri ) and the value predicted by the to 0.05.
path loss model fitted to the environment(P r), which
is a function of the Euclidean distance between s0 and False positives. Even when facing attackers with un-
each AP (d0i ). This phase thus is reduced to finding the bounded transmission power, the false-positives rate
best solution s ∈ S s.t. error(s) ≤ error(s0 ), ∀s0 ∈ S, was found to be low. An attacker needs to increase
and various minimization methods can be used. transmission power in order to satisfy the threshold pre-
condition, which enables the system to more easily dif-
Confidence test. A confidence test is used by the ferentiate his signal pattern from the one expected from
system to reject improbable signal patterns and the clients within the SA. With one AP every 10 meters,
corresponding solutions yielded by the location estima- attackers more than 40 meters from the external walls
tion step. The mechanism just described always finds were blocked with probability higher than 0.95, even
a “best” solution s ∈ S, but provides no confidence with unbounded power. Clients with bounded power
regarding the value found. For example, s could have (e.g. with regular cards) are rapidly rejected by the
too high an error, which could yield a false positive (an system, mostly due to failing the threshold precondi-
external transmitter is wrongly considered to be inside tion.
the SA).
We test the confidence on an estimated location by
modeling the distribution of the error function and per- 3. COST ANALYSIS
forming an statistical test. Let E denote the cumulative Despite the increased number of APs, we show that
distribution of our error function and Ep denote its pth the costs associated with a KIWI installation are com-
percentile. For instance, we say a solution s can be parable to standard networks. We derive back-of-the-
rejected with 95% confidence if error(s) > E95 . We envelope total cost of ownership (TCO) estimates to
model E with a chi-square distribution, which arises as provision our test scenario following two architectures:
the sum of the squares of independent standard nor- KIWI and a standard installation using fewer access
mal variables. Other researchers have successfully used points and a back-end server for authentication (termed
normal variables to model the difference between ex- AUTH). In the AUTH installation, we provision the
perimental values and the mean predicted by the log- network with 8 access points and a RADIUS server used
for authentication. In the KIWI installation, we use 64 showed that our architecture is viable; for instance, we
access points (one every 10 meters, forming a grid) con- found similar total cost of ownership estimates for a
trolled by a wireless appliance. We focus on capital standard installation with 8 access points and a KIWI
expenses (CAPEX) and simplified operational expenses installation with 64 lightweight APs.
(OPEX), a summary of which is shown in table 1. We have also shown that KIWI provides enterprise en-
vironments with sufficient security. For instance, clients
CAPEX. Given the falling prices of IEEE 802.11 ac-
provided with off-the-shelf hardware within a service
cess points, we assume a cost of $50 per AP (there
area with one AP every 10 meters are located accu-
are SOHO APs already being sold at this price range).
rately (average error below 3 meters) and authenticate
For the wireless appliance we assume a cost of $8,000
successfully (probability of two consecutive failures be-
(so-called “wireless switches” have prices in the $5,000-
low 0.07).
12,000 range). While not dependent on a wireless ap-
We also showed that attackers located outside the in-
pliance per see, the AUTH configuration needs at least
tended coverage area need impractical amounts of an-
an authentication server to control the access to the
tenna gain. In the same scenario, an attacker needs
network. We attribute a cost of $5,000 for the authen-
at least 20 dBi of antenna gain when located farther
tication server, which includes both hardware and com-
than 40 meters from the external walls. Consequently,
mercial RADIUS software.
such attempts require sophisticated wireless reception
OPEX. The first component affects both architectures: equipment, making the costs of compromising wireless
the cost of physically installing the access points. We security comparable to other forms of attack, including
assume a cost of $150 per drop, with two access points those on the wired infrastructure.
sharing each connection to the wired infrastructure in In general, KIWI follows a direction of past success
the KIWI scenario. Other two factors affect instal- in computing, namely “throwing more resources” at the
lation costs in the AUTH architecture. First, access problem, access points in this case. In contrast, key
points need to be individually configured by the ad- management-based approaches introduce a whole level
ministrator; we assume this task to take approximately of complexity and operator involvement that did not
1 hour per AP, assuming labor of $35 per hour. The exist before, bringing in additional failures and com-
second term accounts for a site survey, for which we promises. Given that social engineering is recognized
assign a $4,000 cost. This estimate includes a 1-day as the most effective form of attack on corporate net-
visit of a specialized technician that manually “sam- works, the KIWI approach may not only reduce costs
ples” the wireless environment looking for interference by reducing operator overhead and costs of key man-
sources and the best AP locations. For simplicity, we agement systems, but also significantly increase actual
assume an equal amount of time to configure both the security by eliminating operator participation.
WAS and the authentication server; these terms were
left out of our analysis. 5. REFERENCES
Finally, assume that a network administrator needs
[1] LAN MAN Standards Committee of the IEEE Computer
on average 2 hour/week to manage the authentication Society. Wireless LAN Medium Access Control (MAC) and
infrastructure and perform tasks such as certificate dis- Physical Layer (PHY) Specifications. Technical Report 1999
tribution and revocation and AP management (channel Edition, IEEE Standard 802.11, 1999.
assignment, transmission power control, and other gen- [2] LAN MAN Standards Committee of the IEEE Computer
Society. Standard for Port based Network Access Control.
eral configurations). Assuming an hourly rate of $35, Technical Report Draft P802.1X/D11, IEEE Computer
these management tasks account for $3,640 just during Society, Mar. 2001.
the first year. [3] P. Calhoun, B. O’Hara, S. Kelly, R. Suri, D. Funato, and
M. Vakulenko. Light Weight Access Point Protocol
The estimated costs associated with both configura- (LWAPP). IETF Internet Draft, June 2003.
tions are comparable, with the KIWI scenario being [4] A. M. Ladd, K. E. Bekris, A. Rudys, G. Marceau, L. E.
approximately 10% more expensive than in the AUTH Kavraki, and D. S. Wallach. Robotics-Based Location
Sensing using Wireless Ethernet. In Proc. of the 8th Annual
case. Due to lower management costs, the KIWI sce- International Conference on Mobile Computing and
nario should be cheaper in the long run, while still pro- Networking (Mobicom’02), Atlanta, GA, USA, Sept. 2002.
viding higher capacity and robustness. Though raw, [5] D. Molkdar. Review on Radio Propagation Into and Within
these numbers show that a KIWI deployment is com- Buildings. IEE Proceedings-H, 138(1):61-73, Feb. 1991.
[6] T. S. Rappaport. Wireless Communications - Principles and
petitive in terms of costs while providing much higher Practice. Prentice Hall PTR, 1996.
capacity and robustness. [7] T. Roos, P. Myllymäki, H. Tirri, P. Misikangas, and
J. Sievänen. A Probabilistic Approach to WLAN User
4. CONCLUSION Location Estimation. International Journal of Wireless
Information Networks, 9(3):155-164, July 2002.
In this paper we have presented KIWI, an architec-
ture that takes advantage of overprovisioned WLANs
in order to geographically limit wireless coverage. We