Friday, August 12, 2011

Turn down that NOISE!!!

Here is a fun experiment if you have a 2 laptops (or 1 laptop and some other WiFi enabled device), a WLAN analyzer like AirMagnet WiFi Analyzer (or something similar such as wireshark) and a microwave oven.

We all know that microwave ovens function in the 2.4Ghz range but how much "noise" is it generating.

Go to your kitchen. Get the device without an analyzer on it and start a really long file transfer via WiFi. Make sure your AP is already on either channel 11. Now Fire up your analyzer and measure the signal, noise and the signal to noise ratio (SnR is signal minus noise) on channel 11. Get an average reading and write it down. Do it several times so you are sure you have a good sample set. Now, restart your file transfer, put a pyrex (or other microwave safe) measuring cup full of water in your microwave and set it for a few minutes on high. Re-measure your signal, noise and SnR. What did you get? Try a few different WiFi adapters with the analyzer. any difference?

Here is what I saw when I did it with the AirMagnet WiFi Analyzer. First is the image of the channel screen on channel 11 with no microwave turned on. Notice the stats.

Signal:      -51dBm
Throughput:  ~34Mb/s
Utilization: 68%
Noise:       -88dBm
SnR:         37 (-51) - (-88) = 37

Here is the important part. Notice that the noise level is completely flat at -88dBm.

Now lets turn the microwave on and do it again, here is what I saw.

Signal:      -47dBm
Throughput:  ~16Mb/s
Utilization: 39%
Noise:       -88dBm
SnR:         41 (-47) - (-88) = 41

Notice anything? Well first off throughput went down and I checked the capture later and packet loss went up. Seems appropriate with a 1200watt device slamming my connection from 2 feet away. Secondly, the signal strength and the SnR INCREASED? Why is that? Well after looking deeper into the frames and looking at the AP configuration, it looks like 802.11N beamforming in action! The AP senses packet loss and pushes harder (no-tech speak for adjusts the phase shift of the signal to focus the waves on top of the client so it gets the benefit of wave addition). Next thing you notice is the increase in SnR from 37 to 41. This is due to two issues. The first we just mentioned. Increased signal strength. The second is the trouble spot. The noise level stayed the same.


You heard right, the noise level did not change. I can hear you yelling at me through the intertubes from here. But I thought microwave oven caused noise? Well. they do and they do not. Here I am about to get pretty picky.

You see we at AirMagnet call noise one thing and interference another and WiFi interference a third. Confusing but true. And with good reason. You see, noise readings are fiction. They are falsehood, fabrication, fib. It is a lie. There. I said it. Noise readings (except from a very small number of cards - namely only one kind that I know of) are made up on the spot by each WiFi adapter. They cannot give you a noise reading, they can only give you bits (e.i. 1s and 0s) about things they see and WiFi adpaters only see WiFi modulation. Period. Almost all wifi adapters throw away all other non-WiFi signal long before it ever gets to the the driver. Non-wifi modulation, such as the modulation you get from cordless phone, wireless headsets, video camers etc are thrown away by the radio long before they can be converted to bits. The radios are only tuned for the type of modulation and coding they understand. So a normal 802.11a adapter will only ever pass OFDM modulation. Never QPSK, or FHSS or any other signal that is not OFDM. Thus how can the driver tell us about a microwave oven, or a cordless phone, wireless camera etc? They can't. So we call interference from other modulation types in the same frequency band by a different name, we call it non-802.11 interference.

Then there is WLAN interference, which Tom's Hardware calls "congestion", but could also be thought of as WLAN contention and is sometimes referred to as co-channel interference or even adjacent channel interference. Tom's has a very good article on it here. It is where too many WLAN devices are all trying to use the same medium simutaneously. In 802.11 terms, only one device can talk in an area at one time. Too many devices means collisions and contention in a collision avoidance network that wishes to remain contention free.

So that still leaves us with noise. What is going here? When I open a WLAN analyzer I see a noise reading. You showed me one right there (see images above). Where does that come from?

To understand what the adapter manufacturers are doing requires that we first understand what noise is. Noise can be thought of as the level at which all radio signal become indistinguishable from one another. Wikipedia describes the noise floor as, "the measure of the signal created from the sum of all the noise sources and unwanted signals within a measurement system." You can create an analogy of this as follows: Imagine five people in a room, each yelling in a different language. You could probably figure out what each language was even if you couldn't have a conversation in there, you might even be able to work out what they are talking about. That example would be considered interference to you if you were trying to yell in English. Now imagine a room with 500 people in it all talking at the same time. in that instance you proabaly could not tell what any of the languages were or what anyone was talking about at all. That is noise. Again, the Tom's Hardware article is a great reference for this, especially slide 9.

 Adapter manufacturers were asked many times for a noise reading so the person conducting the WLAN site survey could determine the signal to noise ratio, or SnR. This helps determine if there is enough signal to be heard above the RF noise floor. So under this presure they created algorythims that can fake the noise reading. I have no idea what the algorythims are but I can assume from tests we have done at AirMagnet that they include measurements of retry rates, CRC errors, channel utilization, average throughput and, mostimportantly, number of devices active in range (as determined by RSSI). The reason I can know this is because at AIrMagnet we have an RF isolation chamber - or Faraday Cage. If I take a noise reading in that chamber with one AP and no STAs (WLAN client adapters) I get a zero reading with many adapters. But if I add STAs the noise floor rises. even if the STAs are mostly dormant.

Here is another catch, aside from the fact that different manufactureres create this value differently, some adapters only give noise readings on a channel by channel basis, others frame by frame and still others give no reading at all. Symbol devices fit this last group and when asked about why they gave no noise reading they replied, "that would be lying". Does that mean that you cannot use that value to create the much sought after SnR? No, I would still use it, but I would be wary if tehre were very few STAs nearby. Or many for that matter.

I hope this helps understand what noise is, what interference is and what co-channel interference or WLAN contention is.

Wednesday, August 10, 2011

BlackHat 2011 and Defcon 19

The scene in Las Vegas last week on the wireless security front was quiet and reserved. There was a veritable dearth of WLAN issues to report on at either BlackHat or Defcon. Sure there was the Wi-Fi hacking UAV and Vivek Ramachandran's normal Wi-Fi security and hacking class, also the wireless water meter 900mhz hack and 1 or 2 new WEP attacks (like WEP needs any more attacks against it, isn't complete penetration in under 5 minutes fast enough?) but nothing really new and interesting. Most of the talks were about making your PSKs long and secure to shield you from, "Sniff now, Crack Later" (using Rainbow Tables found here and here) and talks reminding everyone to monitor their WPA2-EAP implementations against Honeypot Radius WPE (the WPE is not a typo, it stands for, "Wireless Pwnage Edition" and info may be found here and here). This last one is an old vulnerability but many people still have not been keeping an eye on it especially if your organization uses server certificates only in their EAP implementation.

So what does this absence of new WLAN vulnerabilities mean? Are the hackers bored with the ability to enter a company’s WLAN from 125 miles away? Do not bet on it. Has the IEEE, Wi-Fi alliance and FCC finally secured Wi-Fi so that no new vulnerabilities will be forthcoming? I sincerely doubt it. So what is the deal?

My opinion is that people are sitting on some of the latest vulnerabilities and making use of them. Wikipedia states that, “Zero-day attacks occur during the vulnerability window that exists in the time between when a vulnerability is first exploited and when software developers start to develop a counter to that threat.”  Meaning that a hacker can only execute the exploit before it becomes common knowledge. Once the vendor and security community find out about it, then everyone races to plug the hole. In the past, plugging the hole took several months for most major WIPS and WLAN vendors and then several more months before most customers implemented the new release (this was due to the fact that it required a system-wide upgrade). But the world is much more agile now and the ability to dynamically plug a security hole quickly just got a big boost when we at Fluke Networks released our AirMagnet Enterprise version 9.0. The version 9.0 solution has the ability to dynamically update the WLAN Intrusion Prevention System against threats as they become known. We  also broke out the alarm code and implemented a much easier, non-programmatic method for creating the signature and anomaly alarms that make up the system.  This means that from the time a zero-day is known to the time it is implemented can be as little as a day or two. This is a huge benefit for customers but a real drag for hackers. They will now have even more reason to hang on new vulnerabilities. It is also a clarion call to WLAN security researchers to step up their game and look for more fuzzed approaches to WLAN threats and try more anomaly-based alarms. I know our team is so ready here at Fluke Networks so bring it on!

Tuesday, August 2, 2011

Happy 802.11 day!

Today is 802.11 day, August 8th 2001 or 8/02/11. As a friend of mine noted in Google+, Hallmark probably does not make a card for that. In honor of this auspicious day I think now is a great time to reflect on this amazing technology that we use every day and almost take for granted.

This all started when, in 1985, the FCC decided to release several radio bands for unlicensed use. This meant that just about anyone could use these frequencies however they felt like provided they adhered to certain rules such as low power, spread spectrum, and ensuring that the devices were not intentionally jamming or eavesdropping. I refer to this in classes I teach as the FCC sandbox. Then, round about 1997 the IEEE decided to standardize the protocols and RF effects into the 802.11 standard and rapidly followed by the creation of the Wi-Fi alliance creating one the quickest adoption cycles in history. Suddenly our computers were free to communicate without wires. When I read about this I was stunned and had to try it myself. I remember demonstrating this amazing effect using a Lucent WaveLAN Silver card and the initial Apple Airport to several of my decidedly non-technical friends in 1999. They didn’t appear to get it. I was loading webpages on my PowerBook G3 and there was nary a wire in sight and these friends of mine were commenting that this was just another geeky gadgety gimmick of mine that had no practical application for people in the real world.

Later on in my career and while working at AirMagnet I recall presenting the benefits of WLAN technology (802.11g at the time) to a high level executive venture capitalist. I was mentioning how health care organizations, amongst other verticals, were adopting the technology a break neck speed. To this he replied that he hoped he would never have to stay at a hospital where this was true, for how could he trust his life to a technology that worked as badly as it did at his home.

This type of thinking is one of the sad realities of a bottom up adoption process. And the embracing of WLAN technology and 802.11 was decidedly that. Most companies started to implement WLAN technology not as a way to cut costs and deliver an amazing amount of increased mobility to their users but as a way to appease executives who were bringing in Linksys routers from home and plugging them in under their desks. Executives were stating, "well if I can set one of these up at home, how hard can it be?"

This disparity between the attitude of "how hard can it be?" and "I can’t trust your network because mine at home in unreliable" is huge. These arguments leave out a great deal. They ignore the value of WLAN professional planners, surveyors, architects, engineers and integrators. They dismiss the years of research and development companies like Cisco, Aruba, Motorola, Meru, Aerohive, Ruckus and others have invested. They discount the impact of hackers and all the other various security needs. Lastly, they oversimplify issues that, to them, appear trivial and unimportant. This oversimplification is a serious issue today as it lowers the value of the technology and the people that research, build and implement it. WLAN vendors are not helping in this area either by suggesting that prospective customers do not need to know anything about wireless. That the WLAN system will heal itself and defend itself without the customer having to worry about a thing. Since when have networks not needed any protocol expertise in the people who properly design and run them? Does your router fix itself when something goes wrong? This is an issue that we, as an industry need to get past before we can expect to see realistic views of WLAN technology and appreciation of our talent by lay people.

Wireless networks today are invaluable. Without them we would be lost. For example, WLANs are the absolute key to the supply chain. They are the enabling technology for just-in-time delivery and short term warehousing. Additionally. they promote collaboration in the Enterprise and reduce costs through the reduction in cable pulls and per port costs on networking equipment. WLANs allow hospitals to reliably move equipment in and out of operating theatres, patient rooms and clinics. They enable Voice over IP anywhere. WLAN technology is in every smart mobile device made today from Smartphones to refrigerators to automobiles. We’ve come a long way baby, but still have a long way to go.

With the recent release of the 802.11n standard we finally have a technology that supplies the range and speeds that enterprises can use and depend on. And this is just the beginning, 802.11ac, 802.11ad and 802.11ah are coming to go beyond the gigabit realm into mutigigabit speeds. But with these advances in speed and range comes complexity. When these technologies break who will be there to fix it? How will they do so? And who will supply them with the tools they need to get the job done? I think you know who I am thinking of…