Although data theft is far easier and more common on a wired network, mention to anyone that you transmit your data on a wireless network and you conjure up images of an amateur radio enthusiast in his basement with a scanner, stealing your sensitive information. As an operator of a Broadband Wireless network you must be clear on the risks, myths, and solutions to security issues concerning transmission of your customers' data in the wireless domain.
This paper will cover the technologies and medium involved once your data is ready to leave the wired network. We will assume that you have addressed security on the wired network in preparation for deploying wireless. We will also assume that data on the wireless network is either destined for or offloaded from the wireless network. As we will see later, properly securing your provisioning data and your pools of operating equipment destined for line use or spares pools can reasonably assure that your wireless network is as secure as your wired network and, in some cases, maybe more so.
Modems, radios and antennas are the essential elements responsible for preparing, packaging and delivering data over the air. The antenna has no bearing on data security in a broadband wireless network, so the focus here will be on the contributions of the modems and radios. It should be noted, however, that attention to the physical security of your antenna elements reduces the risk of another security attack: denial of service through equipment damage or deliberate sabotage.
Let's start with a look at the completely non-secure transmission/modulation scheme of a typical AM radio station. Mixing the unaltered audio of the source content with a carrier signal produces a third signal that is transmitted at high power (50+ kW) in a broadcast, or omni-directional pattern. This signal radiates outward in all directions gradually losing strength until it is indiscernible from the ambient noise in the air around us. If you are inside the coverage area your antenna couples the radiated energy to a demodulator that simply strips away the carrier signal and passes on the audio content for your listening pleasure. The content, which could be talk or music, can be considered the "data" in the AM radio network. The signal in the AM radio network contains clear non-encrypted audio used to modulate the carrier by very simple means and is intended for reception by everyone in possession of the equally simple demodulator, or tuner (your AM radio).
This is basically similar in function to the radios in the broadband wireless network. There are major differences in how the signals are presented to the radios in these two networks. In the broadband wireless network the signal can be compressed, encrypted and fragmented, and can carry a mixture of the data intended for many users. The modulation schemes are infinitely more complex and the radios transmit at under 10 Watts, requiring sensitive receivers and more sophisticated demodulators.
The frequencies used in the AM network are published, even advertised on billboards making it easy for anyone to tune in and receive the data. The frequencies in the broadband wireless network are a matter of public record as well, but require a little more effort and research to find them. In the broadband wireless network the radios are more sophisticated and more sensitive but this doesn't add up to increased security. So how do we address data security with broadband wireless? Everything revolves around the modems and provisioning of the connections joining the wired networks to the wireless networks. With that, let's identify the risks and address each one in turn.
There are three areas of risk concerning theft of data in the broadband wireless network. They are: 1) Outright snooping of the airwaves and sophisticated decoding of the signal to extract the data. 2) Stolen broadband wireless transmission equipment used to snoop natively. 3) Inter-nodal snooping with registered broadband wireless network nodes.
The Outright Snoop
With a spectrum analyzer you can observe the signals of almost any transmitting
radio. There is plenty of information there that can tell you the frequency
and bandwidth characteristics of the signal being transmitted. This doesn't
give you the ability to steal the signal but it does give you a place to start
looking for it in an attempt to capture it. The tools needed to capture it and
demodulate it and then decode it are very complicated and make it an almost
impossible task. Almost impossible does not make everyone comfortable so we
will assume that you have stolen the signal and managed to demodulate it and
decode it. If you are listening to the headend transmitted signal you are getting
traffic destined for many users. It is also just a stream of binary coded bits.
You have to figure out where the RF domain packet boundaries are and then fragment
and reassemble the bit streams back into wired network packets, and figure out
which packets are destined for the data stream you are intending to steal. The
downstream signal is the traffic destined for many users and you are looking
to steal one of them. Oh yes, it's probably encrypted as well.
In the return path your
task would not be any simpler just because you know the traffic is destined
for the headend. It is actually destined for another network, and chances are
good that the upstream signal is made up of traffic for many destinations as
well. Theft of the signal is possible, theft of the data in the signal is nearly
impossible with off the shelf snooping tools. The bottom line is this: You would
need to have at your disposal a CIA-style room full of snooping equipment, a
means of re-assembling the signal into network packets, and the ability to emulate
the processing that the network protocol stack and the applications perform
on the bit stream. It is far easier to break into the wired side of the network
and snoop there.
Stolen Equipment Used to Snoop
This requires a brief explanation of the broadband wireless equipment involved.
The role of the headend modems in most well designed systems is to be traffic
cop, determining which subscriber modems get to talk, when, and for how long
on the shared medium (the airwaves). Subscriber modems are provisioned and registered
by communicating with the headend modems. Each and every modem carries a globally
unique address that is registered by the operator in a database located at the
headend facilities. This database is kept under lock and key in a secure room.
Access to the database is limited to those with a need for it.
No subscriber modem can
function unless first being registered and acknowledged by the headend modem
and the management server operating the provisioning software and subscriber
configuration database. It must be provisioned in the database prior to startup.
On startup the subscriber modem gets its configuration file once registered
at the headend network. Upstream time slices are reserved specifically to each
subscriber modem. Without this coordinated assignment of transmit times modems
would interfere with each other and the signal would be useless. A stolen modem
without its configuration file and granted upstream transmission slots does
not know how or where to receive the downstream signal. For this tactic to be
successfully executed in an effort to steal broadband wireless data there would
have to be someone on the inside provisioning the stolen equipment.
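The registration gate and the insider risk described above, as an added example that is not part of the original paper: a headend-side check admits only pre-provisioned addresses, and a reconciliation of the provisioning database against the tracked equipment pool flags records that should not exist. All addresses, field names and status values are constructed for illustration and do not reflect any vendor's provisioning software.

```python
# Constructed sample records (assumed layout): provisioning entries keyed by
# the modem's globally unique address, and the operator's tracked equipment pool.
PROVISIONING_DB = {
    "00:11:22:aa:00:01": {"subscriber": "acct-1001", "slots": 4},
    "00:11:22:aa:00:02": {"subscriber": "acct-1002", "slots": 2},
    "00:11:22:aa:00:07": {"subscriber": "acct-1009", "slots": 4},
    "00:11:22:aa:00:09": {"subscriber": "acct-1010", "slots": 1},
}
ASSET_INVENTORY = {
    "00:11:22:aa:00:01": "deployed",
    "00:11:22:aa:00:02": "deployed",
    "00:11:22:aa:00:03": "spare",
    "00:11:22:aa:00:07": "reported_stolen",
}


def register(address, db):
    """Headend gate: only a pre-provisioned address receives a configuration
    and upstream transmit slots; any other modem gets nothing."""
    entry = db.get(address.lower())
    if entry is None:
        return None
    return {"config_for": entry["subscriber"], "upstream_slots": entry["slots"]}


def audit(db, inventory):
    """Reconcile provisioning records with the equipment pool. The gate above
    cannot tell a legitimate record from one added by an insider, so this
    comparison is where a provisioned stolen or untracked modem shows up."""
    findings = []
    for address in sorted(db):
        status = inventory.get(address)
        if status is None:
            findings.append((address, "provisioned but not in inventory"))
        elif status != "deployed":
            findings.append((address, "provisioned while inventory status is " + status))
    for address in sorted(inventory):
        if inventory[address] == "deployed" and address not in db:
            findings.append((address, "deployed but not provisioned"))
    return findings


if __name__ == "__main__":
    print(register("00:11:22:AA:00:03", PROVISIONING_DB))  # spare, never provisioned
    for finding in audit(PROVISIONING_DB, ASSET_INVENTORY):
        print(finding)
```

The stolen unit at the address ending in 07 still passes the registration gate because a record exists for it; only the audit reports it.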
Inter-nodal snooping
Let's assume you are a registered user on the broadband wireless network or you
have stolen the necessary equipment and have a mole on the inside provisioning
you for access. Can you now steal data? We will take a look at the two major
subcomponents of the modem to understand the risk.
Each modem is a device made up of two distinct halves or subsections. The first one is the RF modem. The word modem means literally MODulate/DEModulate. It modulates a carrier signal for transmission and demodulates received signals. The modem converts the data streams received from the other half of the device, the network interface, to RF packets as a sort of translator. The network data packets are sliced and diced and placed in RF envelopes that can be larger or smaller than the data packets, which are either concatenated together or broken into smaller pieces for delivery over the air. This half of the device gains permission to transmit over the air from the headend modem and will not transmit upstream without this permission. It also receives all traffic in the downstream and passes it to the network interface half of the device.
The network interface half
is similar to the network interface card (NIC) in your workstation in that it
will only process for delivery those packets specifically labeled for its
globally unique address. The rest are filtered out and dropped. Data packets
properly addressed are either processed as messages between network elements,
such as maintenance traffic, or passed on to the subscriber network or node.
To steal data intended for other users, traffic that is heard by the RF half
of the device, one would have to reverse engineer the circuitry (usually high
density chipsets) and force the network interface into promiscuous mode. In
promiscuous mode the network interface would just repeat all traffic heard on
the RF interface onto the subscriber node. This type of traffic would immediately
bring down a subscriber's internal network so this would have to be done from
a single attached node with a capture device enabled.
Summary
There are dozens of devices with which to sniff a wired network without detection.
The devices range from simple inductive pickups to advanced hardware and software
specialty products designed specifically as security analysis tools. There is,
as of yet, no off the shelf commercially available device or easily effected
method of stealing data in a properly designed broadband wireless domain. When
you consider all of the barriers to broadband wireless data theft, you can see
that as long as the provisioning database (which resides on your wired network) and
operating equipment pools are located in a managed area and tracked, broadband
wireless networks are at least as secure as your wired network and probably
more.
We have discussed the characteristic security of the broadband wireless technology as a whole. Each vendor layers on additional standard and proprietary software and hardware to enhance the security of their offerings. This entire dialog expressing security concerns in the broadband wireless network is healthy. Because it is a relatively new technology it has aroused critical curiosity from network planners and potential customers. The feedback from users and the industry in general has led to early development of designs and practices that make this perhaps one of the safer data network technologies available today.
As an operator of a BWLL managed network, with proper planning you can offer and deliver secure services to your customers today. Many broadband wireless networks are deployed as strictly an Internet play. But there are many more that are deployed as banking and government data networks. Banks are understandably concerned and are second only to government agencies with regard to the emphasis placed on data security. If broadband wireless networks have passed muster with these two entities it is reasonable to think that your requirements will be met as well.
It is important to close this paper with a sort of disclaimer. Just like any other network technology, regardless of the security measures employed in your system, no network is absolutely secure. Security is a day-to-day management task. You should always encourage your customers to take their own precautions with regard to protecting their data. No amount of security is enough, but with each notch you ratchet up security you also ratchet up the overhead involved with facilitating it.
About the authors
Michel Bouchard is Chief Technology Officer (michael.bouchard@third-rail.net),
Michael Catizone (michael.catizone@third-rail.net) is Director of Systems Integration
and Robert Cifelli (bob.cifelli@third-rail.net) is Senior Solutions Architect
with Third Rail Americas, Inc.