CWNP
RF Barrier
Written by Devin Akin   
Monday, 15 September 2008

You may have already read in various online high-tech rags about Meru Networks' new offering: RF Barrier. If not, here's a good one by Lisa Phifer: http://www.wi-fiplanet.com/news/article.php/3761666

What's missing from these articles are the technical details, which are nothing short of COOL! For example, the RF Barrier APs listen on their "internal" antenna, read in the MAC header (analyzing the source and destination MAC addresses), and then make a decision on whether or not this traffic is part of the internal (authorized) network. If it is, the AP immediately begins transmitting on its directional, externally-facing antenna to "talk over" the frame. The AP typically transmits a data frame (that's essentially just saying, "hello") to corrupt the original transmission on the exterior side of the building. By transmitting at the same time as the original transmission, additional airtime is not used. That makes RF Barrier a very good neighbor.

 

In order to pull this off, the RF Barrier AP has to act quickly.  It reads in the MAC addresses, makes a decision, and WHAM - starts transmitting on the exterior AP for the length of time designated in the PHY header.  Meru's Senior Director of Technology, Joe Epstein, mentioned in Lisa's article that, "If RF Barrier is working properly, those outside Wi-Fi clients will not receive enough beaconed information to even list the WLAN as an available network."  Of course that means that all beacons must be corrupted by RF Barrier.  I asked Joe about this, and his answer was simple, "Beacons in properly implemented networks don't take up a considerable amount of time on the RF medium, and RF Barrier takes up only the same amount of time that is used by the beacons.  We are only transmitting directly over the top of the beacons to corrupt them."  Brilliant!
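The timing budget implied by that description can be worked out from 802.11a/g OFDM framing. The following is an added example, not Meru's code or part of the original post; `turnaround_us` and the sample frame sizes are assumptions made for illustration.

```python
import math

# Data bits per OFDM symbol (N_DBPS) for each 802.11a/g rate in Mbit/s.
N_DBPS = {6: 24, 9: 36, 12: 48, 18: 72, 24: 96, 36: 144, 48: 192, 54: 216}
PREAMBLE_US, SIGNAL_US, SYMBOL_US = 16, 4, 4   # SIGNAL carries RATE and LENGTH
SERVICE_BITS, TAIL_BITS = 16, 6                # wrap the MAC frame in the DATA field
ADDRS_END = 16   # Frame Control (2) + Duration (2) + Address 1 (6) + Address 2 (6)


def _airtime_us(rate, bits):
    return PREAMBLE_US + SIGNAL_US + math.ceil(bits / N_DBPS[rate]) * SYMBOL_US


def frame_duration_us(rate, psdu_len):
    """Airtime of the whole frame, known as soon as SIGNAL has been decoded."""
    return _airtime_us(rate, SERVICE_BITS + 8 * psdu_len + TAIL_BITS)


def time_to_octet_us(rate, n_octets):
    """Time from frame start until the symbol holding MAC octet n_octets has ended."""
    return _airtime_us(rate, SERVICE_BITS + 8 * n_octets)


def overlap_budget(rate, psdu_len, turnaround_us):
    """Return (frame airtime, earliest overlap start, fraction of airtime overlapped).

    turnaround_us is an assumed figure for the address lookup plus
    receive-to-transmit switching; the page gives no value for it.
    """
    total = frame_duration_us(rate, psdu_len)
    start = time_to_octet_us(rate, ADDRS_END) + turnaround_us
    return total, start, max(0, total - start) / total


def beacon_airtime_fraction(rate, beacon_len, interval_tu=100):
    """Share of the medium occupied by beacons (1 TU = 1024 microseconds)."""
    return frame_duration_us(rate, beacon_len) / (interval_tu * 1024)


if __name__ == "__main__":
    # Constructed cases: (rate in Mbit/s, frame length in octets including FCS).
    for rate, length in [(54, 1500), (6, 250), (54, 28)]:
        total, start, frac = overlap_budget(rate, length, turnaround_us=10)
        print(f"{rate:>2} Mbit/s {length:>4} B: {total} us on air, "
              f"overlap from {start} us, {frac:.0%} covered")
    print(f"250 B beacon at 6 Mbit/s: {beacon_airtime_fraction(6, 250):.2%} of airtime")
```

With these assumed figures, a 250-octet beacon at 6 Mbit/s occupies well under 1% of the medium, which matches the point quoted above that overlapping beacons costs little airtime.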

Since RF Barrier APs are not an active part of the WLAN infrastructure, placing them around the perimeter of your building doesn't affect how you survey and place APs.  Joe said that testing has proven that when implemented properly, RF Barrier can hang a 3-foot thick "RF curtain" around a building in such a manner that when you walk through a door on a VoWiFi call, it will hang up immediately upon stepping outside the door.  Now to me, that's simply amazing.  I'm very much looking forward to seeing this solution in action.  

From the articles, we can see that 802.11n beacons can be blocked, but 802.11n data transmissions cannot, due to the use of 802.11a/g APs in RF Barrier kits. I don't think that's such a big deal at this point because a client can't get or stay connected to a BSS without regularly and consistently receiving beacons from its AP.

To be honest, I can't imagine why anyone larger than a small office wouldn't want this kind of solution.  When added to properly-implemented strong authentication/encryption and WIPS, this solution type may be one of the last legs of making Wi-Fi networks virtually impenetrable.
Comments (14)
...
written by Slipshod, September 30, 2008
Honestly, I can't figure out how this is going to work without impacting your own internal traffic. Antenna directionality is not perfect - there's all kinds of funky lobes in the radiation pattern. On top of that, the difference in gain front-to-back on a 180 degree antenna is just a few dB.
...
written by Skeptical, September 30, 2008
In addition to the problem of directional antenna patterns, one must also consider that a single RF barrier AP can't handle multiple channels concurrently. It could time slice between channels but then it wouldn't exactly block every packet now would it?

This product is essentially a source of interference.
...
written by S.Jackman, CWNE #54, September 30, 2008
I second both comments above and add that this feature will probably cause more harm than good. While I commend Meru in their innovation and thinking outside the box, you have to be VERY careful about placing this AP and shielding it. More customers are going to fail in their implementation of this than ones that don't.

I'm not concerned about running enterprise protocols like WPA/WPA2 with 802.1X-PEAP-MS-CHAPv2. You would really have to be protecting something seriously top secret to not trust a properly implemented WPA2 Enterprise system. Then, if you were, perhaps a L3 encryption mechanism is indeed in order because you want the wire protected once it hits the DS, too.
...
written by GTHill, October 01, 2008
Cool factor = 9. Implementation factor = 0.

I had an entire rant ready in my head but I'll keep it simple for now. What security vulnerabilities do Wi-Fi networks have that this will prevent?

DoS? No.

Connecting to a properly implemented EAP network without proper credentials? No.

Cracking AES (not that we have to worry about that)? No.

The first thing that came to mind was... well I'll just have to get a rogue AP/capture device in the building now. Trust me, this system (along with every WIDS on the planet) won't prevent that.

Ok, I did rant. :)

GTHill

...
written by Devin Akin, October 02, 2008
Because 2 of the 4 comments are from CWNEs (whom I know), I have asked Joe Epstein (Sr. Dir. of Technology at Meru) to post some additional technical information here that might be helpful in understanding this solution better. He said that he would be able to get to this within a couple of days. Cool!
...
written by Slipshod, October 02, 2008
Skeptical - True, though I wonder if they even try to timeslice. They push single-channel architecture heavily and may have skipped implementing that since it wouldn't be required with SCA.... Until you run out of bandwidth and have to add more channel layers.

Devin - I hope you didn't intend it that way, but your comment seems to imply that anything contributed to the conversation by somebody who is not a CWNE (whom you know) is not worth taking seriously.
...
written by Devin Akin, October 02, 2008
Of course not! If it sounded that way, please accept my apology. I only meant to imply that since these CWNEs have invested years of their time and effort into the technology and into our program, it's the very least I can do to run down this rabbit on their behalf. I often do the same for others who are not CWNEs, but I feel that this is the very least I can do for those industry professionals who have invested so much into our program. Hopefully that clarifies a bit. We appreciate ALL participation in the blogs, forums, certifications, training, and other programs we have. Thanks!
...
written by Joe, October 02, 2008
Hello all,

Thanks for your questions and comments. I'll take them one at a time.

1) RF Barrier works well with Meru's architecture precisely because of the ability to run on the minimum number of channels. If a deployment has a single channel, then RF Barrier needs to be deployed only on that one channel. Microcell architectures do not lend themselves as well to RF Barrier because of this.

2) RF Barrier uses a special directional antenna designed specifically to not leak back the signal into the building. We removed the funky lobes (it actually is possible to do so). Customers have deployed it very successfully, with no leakage.

3) There is no reason to think that AES is vulnerable. However, that is not the end of the story. Many devices--especially those used in retail and medicine--can only do preshared keys, or are incredibly difficult to set up with EAP. Preshared key leakage is a major concern in that case, because once the key is leaked, then every WPA2 connection ever made or ever will be made with that preshared key is instantly decryptable.

Furthermore, although the algorithms used are often very strong, they are designed by people, and thus are not always as strong as we'd like. LEAP is an excellent example, where many enterprises were told that a strong EAP method would prevent any problems with security, but then LEAP was broken. Even if the algorithms used are not attacked, the implementations may still be attacked for vulnerabilities in the software. RF Barrier provides zero-day protection by preventing the traffic from leaving the building and reaching the attacker in the first place.

4) EAP TLS, which uses certificates and is the foundation of FIPS (government) networks, transmits those certificates, necessarily, in the clear. This won't cause the keys to be leaked, but it will cause the identities or whatever other information that the certificate authority chose to add into the certificate to be leaked. Preventing identity leakage, which can be later used in blended or social engineering attacks, is therefore important.

Network administrators have the tough chore of maximizing security with the devices they have, while at the same time often passing tough regulatory requirements that want strong, multiple-layer security to prevent holes in any one from causing a leak. RF Barrier provides the perimeter defense that can secure the network when the other techniques reach their limitations.
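The preshared-key point in item 3 of the comment above follows from the WPA2-Personal key hierarchy: the session key depends only on the passphrase and on values exchanged unencrypted. This is an added example, not part of the original comment; the MAC addresses, nonces and passphrase are constructed sample values.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    out, counter = b"", 0
    while len(out) < n_bytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def pairwise_keys(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK for CCMP (48 bytes), split into KCK, KEK and the temporal key TK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


# Constructed sample values. Everything below except the passphrase is sent
# unencrypted: the SSID in beacons, MACs and nonces in the 4-way handshake.
SSID = "IEEE"
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SESSIONS = [(bytes([1]) * 32, bytes([2]) * 32), (bytes([3]) * 32, bytes([4]) * 32)]


def temporal_keys(passphrase):
    """TK of every sample session, as computed by anyone who holds the passphrase."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    return [pairwise_keys(pmk, AP, STA, an, sn)[2] for an, sn in SESSIONS]


if __name__ == "__main__":
    for tk in temporal_keys("password"):
        print(tk.hex())
```

Each session gets a different temporal key, but none of them contains a secret beyond the shared passphrase, which is why one leaked key covers both recorded and future sessions.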

...
written by Slipshod, October 02, 2008
Joe - thanks for dropping by so quickly and giving us more detail on the product. Can you give us some more information on the antennas themselves? Specifically the degree of directionality as well as any radiation patterns you can point us at? Also, have you seen any issues with signal reflections, like from cars parked close to the building?

Out of all the scenarios you outline retail seems to be the most interesting, though it's kind of a "security through obscurity" play. You're still running an insecure network, you're just hiding that outside of the building.

I'm not sure I buy into the EAP-TLS argument. It's hardly ever used, you can control the CA used to generate the certs (and thus the data exposed), and there are easier/cheaper ways of securing the data on the public cert (TTLS or PEAP wrapping w/ anonymous outer identities for example).
...
written by GTHill, October 02, 2008
Joe, thanks a lot for taking the time to help us with the technology.

I noticed that you said it wouldn't work on microcell technology because it uses multiple channels. What about Meru's own multichannel system? How well does it work on that?

This reminds me a bit of Air Defense's Anti WEP technology (not sure the official name) where it would transmit bad WEP frames to mess up some decryption programs. I commend the idea and effort, but in my never humble opinion, features / products like these are excellent for sales calls and brochures, but I just can't see any widespread implementation.

Yes, PEAP may get cracked, but I wouldn't really feel all that much better with this product in hand. First, this isn't worth much at all in any location where the public can walk in (i.e. Hospitals, retail, etc.). So, that limits it to locations that already have somewhat of a physical security presence.

If the location has strong physical security, is running WPA-PSK for authentication, and is using a single channel architecture, then, dare I say it, maybe it is worth it?

I have re-read the original post, and I saw this quote: Beacons in properly implemented networks don't take up a considerable amount of time on the RF medium, and RF Barrier takes up only the same amount of time that is used by the beacons. We are only transmitting directly over the top of the beacons to corrupt them.

You are corrupting all of the traffic right? Of course, beacons only is a waste and won't prevent the PSK cracking discussed earlier. For that matter, I think it would be possible to write a simple program to defeat this. I would write it so a client would connect if it received a proper Probe Response, then it would just continue with the authentication and association process.

I look forward to your responses!

GTHill

P.S. I really like Meru's technology and gear. :)
...
written by Joe, October 05, 2008
Thanks for the questions.

1) The antennas are 180-degree antennas.

2) Security through obscurity is attempting to hide the presence of something that can still be accessed if you know it is there. Beacons that do not transmit their SSIDs are an example of that. RF Barrier, on the other hand, prevents access whether the attacker knows it is there or not. In fact, RF Barrier is designed to protect environments where WLAN is expected to be present. A better analogy would be to a firewall, which prevents traffic of its choosing from passing. The attacker is welcome to expect that the firewall is present, because the firewall's efficacy is not related to knowing whether it exists. The same applies for RF Barrier.

3) It is not reasonable to expect that every--or even many--deployments that need strong physical wireless security can dictate the EAP type used. Sadly, most of the devices that are used in installations with the highest requirement for securing identities--such as healthcare, retail, and financial, with the heaviest regulatory requirements--support some of the narrowest array of security options. Again, many mobile devices are limited to PSK.

4) RF Barrier can be intelligently placed to cover the lobby as well. The customer has flexibility here.

5) RF Barrier does block the beacons, because it blocks every frame. The attacker will not see beacons, probe responses, authentication frames, association frames, data frames, etc.

6) There are many reasons to want to block every frame, even if the installation uses the best security methods known. One could argue that there is no need to secure management frames, for example, because they carry no data; however, we and others have worked on 802.11w to provide just such a protection. There's never really enough security, because we can never really guess what is useful. The advantage of RF Barrier is that, by using physical-layer security means, it blocks all traffic from the network. Sure, with TTLS and 802.11w and such, installations can get close to this level of protection, but that is still only an approximation at higher layers. Going directly to the physical layer to solve the problem is more effective.

One thing to keep in mind is that there are a surprising number of installations where they want this sort of physical wireless security, but have been told that all they need to do is turn down the power level or use directional antennas indoors to point away from the parking lot. Of course, neither of those actually provides any security, but this is a common enough myth that it shows the need for an effective physical-layer wireless security solution.
...
written by Slipshod, October 11, 2008
1) Got any radiation patterns? I'm most interested in how effectively you reduced back and side lobes.

2) I disagree... You have not actually secured the wireless network, all you've done is make it harder to access. If you know they are using the RF-Barrier then you just need to change your physical location to overcome it, and/or use a directional antenna. I figure a concave building would be the most vulnerable since you'd have to be careful to avoid self-interference. Barring that, physical penetration is still a problem (lobby, restrooms, cafeteria, demo area, roof, neighbor in same building, etc...).

3) If you are in Healthcare or Retail, then this is DEFINITELY security through obscurity since you can't control physical access to the building and continue operating your business. See #2 above. For financial institutions, I'd bet they would forgo a mobile device before allowing PSK on the premises, RF-Barrier or not...


It's an interesting idea (kind of like noise-canceling headphones for digital signals), but I'm very doubtful of its effectiveness and longevity. PSK and WEP devices are going to be phasing out in the next few years (especially in healthcare and retail) if for no other reason than lawsuits. If you don't have that perceived hole to fill, the product ends up fighting against the most compelling reason to have wireless in the first place: mobility.
...
written by Charles Preston, October 20, 2008
I noticed a comment that 128 bit AES cracking needs no concern. There is new commercial software available that uses the GPU on NVIDIA cards to get a factor of 100 speed increase on WPA cracking, compared with using a CPU. They didn't give any actual figures, but this looks like a change to the dollar/bit cracking ratio.
...
written by Charles Preston, October 20, 2008
On antenna patterns - it's pretty common for people to use RF absorbing material to clean up sidelobes. If you put it too close to the antenna it messes up the SWR, but it isn't hard to get about 20 dB attenuation in certain directions.
