Table of contents

Introduction

The information technology evolution has changed the human life in all spheres, making information one of the most valuable resources. Same as other resources, information is valuable for its owner and can cause disputes and conflicts. That's why, the information security should be taken seriously into account. The information systems development and the large amounts of data accumulation require an integrated approach in ensuring the security of the technical systems.

This document describes the information security methods used in networks comprised of Infinet Wireless devices. Each wireless device family has its own capabilities of application security tools, so at the end of a document's section you will find links to the technical documentation of each described tool.

Terminology

Information Characteristics

Information security measures should be applied in accordance with the company's IS policy. The IS policy should take into account the following information characteristics:

An information security policy should include measures to ensure each of the basic information characteristics. If the described information characteristics aren't respected, it may lead to financial, reputation and other loses. Remember that the IS policy implementation is an endless process that requires periodic review of the measures and of their implementation.

The IS organization should be multilevel and not only realized with technical solutions. In addition to technical measures, legislative, administrative and procedural measures should be provided.

Scenarios for Infinet equipment 

The measures to ensure the IS are determined not only by the Infinet device family, but also by the scenario of their use (Figure 1a-d). Let's look at several scenarios in which wireless devices connect network segments belonging to different responsibility areas, each area being characterized by a certain set of threats:

The security measures should correspond to existing risks, the IS architecture should not be redundant. For example, filtering of external connections should be performed at the interface on border with a third-party telecom operator, not on all the intermediate nodes of the network.

The requirements for physical safety and security in the radio link are the same for all the scenarios below and are described in detail in the relevant sections. In order to configure the devices, let's specify the following general requirements for information security:

Joining of the internal network segments

The simplest scenario is joining two network segments located in the same responsibility zone (Figure 1a). The devices are used as a bridge using a simple connector in the LAN structure, therefore, the main information security tools are located at the boundaries of the left and right segments.

Figure 1a - Radio link joining two internal network segments

Connection of internal and external network segments

In the scenario of connecting two networks located in different responsibility areas, the information security measures are implemented on a radio device located at the border of the two segments. A special example of the external network segment is the client’s network, which is provided with a data transmission service. In such scenarios, both inbound and outbound traffic should be filtered.

Figure 1b - Radio link connecting internal and external network segments

Figure 1c - Radio link connecting internal and external network segments

Internal network segments connected with the Internet

The scenario where a wireless device is located at the border of the internal segment and the Internet is a special case of the previous scenario's external network. The difference is in a low security on the device from the side of the Internet connection, that causes a large number of risks.

Figure 1d - Radio link connecting internal network segments and the Internet

Information security measures in various scenarios

The IS realization is achieved by the implementation of the measures described in the sections and in the subsections of the IS:

IS sectionIS subsectionApplication
Physical securityAll

Radio SecurityAll




Device management

Authentication

Access method

Management interface

Firewall

Access recovery


Data transmission

General recommendations

Data transmission settings

Network protocol settings


Infrastructure

Monitoring

History storage

Technical Accounting

Physical security

The physical layer is the foundation of information security, so the devices physical security has a priority over company technical policy. Physical security should be comprehensive and include several components:

The communication node (including wireless devices) consists of three main elements (Figure 2):

Figure 2 - Communication node block diagram

Site selection for equipment installation

The site for the equipment placement must meet the requirements of the company technical policy and make possible the future communication node development. Following aspects should be taken into account while choosing a site:

Organization of auxiliary facility infrastructure

An important factor of a site choosing is the ability to install auxiliary infrastructure elements, which will increase the availability of the communication system. Video surveillance and alarm systems are examples of auxiliary infrastructure. An alarm allows quickly detect an unauthorized access to the object, and a video surveillance system will be useful in investigating incidents.

Equipment installation

Installation work on the site should be guided by the general requirements and company technical policy. Improperly executed installation can cause a violation of the entire network facility availability, the restoration of which may require large time and financial resources.

In order to ensure physical security, make the following settings for the wireless device:

Facility operation

Installation work quality control is carried out at the stage of object acceptance into service. The acceptance procedure should be performed in accordance with the company technical policy.

Ensuring information security is a continuous process that requires monitoring and response to identified and emerging threats, therefore, it is necessary to carry out preventive maintenance of communication facilities. Depending on the requirements established in the company and the specifics of the network node, the list of preventive measures may vary. A common set of regular jobs includes:

Physical security measures

Event / InterfaceInfiLINK 2x2 and InfiMAN 2x2InfiLINK XG and InfiLINK XG 1000Quanta 5
WebCLIWebCLIWeb
Mounting devicesInfiNet Wireless R5000 installationInstallation ProcedureInstallation
LED indication management
-General Commands-General Commands-
Interface Status managementNetwork SettingsIfconfig commandSwitchIfconfig commandSwitch Settings
PoE-out managementNetwork SettingsIfconfig command---
Heater control-Other commands---

Security in radio

Wireless data transmission is performed in a shared environment, which brings a lot of possibilities for attackers. The security measures described below should be applied in a comprehensive manner, since measures protecting from one threat may not be effective against another.

Frequency configuration

The frequency resource is limited, so the frequencies distributing process between wireless systems should be taken comprehensively. Third-party wireless systems operating at the same or adjacent frequencies can affect the link (Figure 3). Usually, such an influence is not malicious, but it should be considered as a threat, since it leads to the link operation failure. Our task is to search and select a frequency channel free of interference. Keep in mind that interference may not be present at the installation stage, but may appear during the wireless system operation.

Following actions can reduce the risks associated with this threat:

Figure 3 - An example of a threat in the frequency channel

Even if a frequency channels distribution is coordinated, the problem of mutual interference may persist. That happens due to an out-of-band radiation: a radiation spectrum is not an ideal rectangle. It has side bands that affect adjacent frequency channels. Below are the spectra of communication systems (Figure 4 a-b) which using adjacent frequency channels: in the first case (Figure 4a) the radiation power of the systems is equal and the threat source influence is lower than the communication system sensitivity, in the second case (Figure 4b) the radiation power of the threat source is higher than communication system and the out-of-band level is higher than sensitivity, it will affect the communication system in the interference form.

The automatic transmit power control (ATPC) function can help to reduce the influence of a third-party communication system on the used frequency channels. In case of interference, devices with active ATPC will increase the radiation power and keep the link performance.

The link budget depends also on the used modulation-coding scheme: higher MCS require higher link parameters, therefore, they are impossible to use with a low signal level and a high level of interference. Thus, the modulation-code scheme selection is a compromise between the link performance and reliability. The automatic modulation control (AMC) function allows to select a modulation-coding scheme in accordance with the current parameters of the radio and change it in accordance with the situation. This allows to increase the reliability and availability of information, by keeping the link operability even in strong interference conditions.

For more information about signals frequency characteristics proceed to the online course "Wireless Networking Fundamentals".

Figure 4a - An example of an adjacent frequency channel influence on a communication system

Figure 4b - An example of an adjacent frequency channel influence on a communication system

Authentication Settings

Popular scenarios of the information confidentiality and integrity violation in a radio channel are attacks of the Man-In-The-Middle type (MITM). Let's look at the examples of such attack:

Figure 5a - Data interception

Figure 5b - Data relay

Figure 5c - Data spoofing

Also scenarios of obtaining unauthorized access to resources through a connection to a radio network are possible. Let's look at the examples of such attack:


Figure 6 - Connection to an enterprise network


Figure 7a - Connection of the CPE station to the enterprise base station sector

Figure 7b - Connection of the CPE station to the attacker base station sector

Infinet devices use their own radio frame format, it makes impossible to organize a communication between devices operating according to the 802.11 family standards and Infinet devices. This complicates the attacker's plans, as he will be forced to use Infinet devices.

To counter such attacks, the following options should be used:

Radio link safety measures

MeasuresInfiLINK 2x2 and InfiMAN 2x2InfiLINK XG and InfiLINK XG 1000Quanta 5
WebCLIWebCLIWeb
Spectrum analysisSpectrum AnalyzerMuffer commandSpectrum Analyzer⁣Command for spectrum scanningSpectrum Analyzer⁣
Radio ScannerDevice statusMuffer command---
DFS technology supportLink Settingsdfs (Dynamic Frequency Selection)Radio settingsCommands for modem configurationRadio settings
Instant DFS technology supportLink Settings

mint command in MINT version

mint command in TDMA version
Radio settingsCommands for modem configuration-
DFS/Instant DFS work resultsDFS menu-Instant DFSCommands for modem configuration-
Automatic transmission power controlLink Settings

rfconfig command in MINT version

rfconfig command in TDMA version
Radio settingsCommands for modem configurationRadio settings
Automatic MCS controlLink Settings

rfconfig command in MINT version
rfconfig command in TDMA version

Radio settingsCommands for modem configurationRadio settings
Link IDLink Settings

rfconfig command in MINT version
rfconfig command in TDMA version

Radio settingsCommands for modem configurationGeneral settings
Link security keyLink Settings

mint command in MINT version
mint command in TDMA version

Radio settingsCommands for modem configurationSecurity settings
Authentication mode configurationLink Settings

mint command in MINT version
mint command in TDMA version

---
Lists for static authentication modeStatic Links

mint command in MINT version
mint command in TDMA version

---
Lists for remote authentication mode-

mint command in MINT version
mint command in TDMA version

---
Maximum number of subscriber stationsLink Settings

mint command in MINT version
mint command in TDMA version

---
Scrambling technologyLink Settings

mint command in MINT version
mint command in TDMA version

---
Frequency grid configurationLink Settings

rfconfig command in MINT version
rfconfig command in TDMA version

Radio settingsCommands for modem configurationRadio settings
Central frequency configuration (for Master device)Link Settings

mint command in MINT version
mint command in TDMA version

rfconfig command in MINT version
rfconfig command in TDMA version

Radio settingsCommands for modem configurationRadio settings
Central frequency configuration (for Slave device)Link Settings

mint command in MINT version
mint command in TDMA version

rfconfig command in MINT version
rfconfig command in TDMA version

Radio settingsCommands for modem configurationRadio settings
Regulatory domain----General settings
Global function-

mint command in MINT version
mint command in TDMA version

---

Device management

Unauthorized access to the device management interface is a serious threat that can lead to a violation of all the basic data properties, measures to ensure information security and reduce potential risks should be elaborated carefully.

Authentication and Authorization

By default, one user is added to the configuration with administrative rights and the following login values:

  • login: any nonempty string;
  • password: any nonempty string.

Since the default authentication settings allows a high probability of unauthorized access, change the username and password during initial setup.

A company can have several lines of technical support: in such scheme, some problems that do not require wireless devices reconfiguration can be solved by the first line of technical support. Thus trivial tasks can be solved without qualified employees of the second and third lines of technical support. To implement this scenario, a guest account can be added to the device configuration. A user which has access to the management interface using a guest account can use the utilities and view interface statistics, but he is not allowed to make configuration changes.

It is recommended to use centralized account storage for networks with a large number of devices. This allows to avoid errors when blocking accounts, provide a single password policy and have a single interface for accounts management. Infinet devices support the RADIUS protocol, which is intended for centralized authentication, authorization and account management in networks. Depending on the capabilities and scale of the network, the database for RADIUS operation can be deployed on a separate device, or combined with other network elements.

The algorithm for a RADIUS server usage is following (Figure 8):

  1. Request to access the device management interface: the user tries to access the device management interface using one of the protocols (see below), by forming a request with username and password.
  2. Forming a request to RADIUS server: the device receives a request from the user and generates a request to the server in accordance with the RADIUS protocol.
  3. RADIUS server reply: the RADIUS server receives the request and checks for the presence and rights allocated to the user whose credentials are passed in the request. The server can answer in two ways:
    1. Access is allowed: the account is present in the database and it is allowed access to the Slave device management interface (Figure 8a).
    2. Access is denied: the account is absent in the database, or access to the Slave management interface is denied for this user (Figure 8b).
  4. Device decision making: the device receives a response from the RADIUS server and makes a decisions about the user authorization. In case of successful authorization, the user will go further to the device management interface (Figure 8a), otherwise, the user connection is reset and an information message is displayed.

Figure 8a - An example of successful RADIUS authentication

Figure 8b - An example of unsuccessful RADIUS authentication

Access methods

Infinet devices can be configured using the Web GUI or the command line interface (CLI). Some parameters can only be configured via CLI. Access to different interfaces is carried out using various network protocols. It is recommended to disable unused protocols, to reduce the possibility of unauthorized access to the device management interface.

The management protocols supported by Infinet devices correspond to the management interfaces in a following way:

Network management interface

The network management interface (mgmt), which used to access the device is organized differently in different device families:

In addition to selecting the the management interface, it is also  possible to control the connectivity between the management interface and other network interfaces. This mechanism allows to restrict access to the device via wired or wireless interfaces, depending on the scenario.

Figure 1 demonstrates the scenarios for Infinet devices usage. Let's look at the device management configuration for each scenario. To do this, we have added the PCs connected to different network segments to perform the devices management (Figure 9a-c):

Figure 9a - Radio link joining internal network segments

Figure 9b - Radio link connecting internal and external network segments

Figure 9c - Radio link connecting internal network segment with Internet

We recommend to use the following principles of management configuration:

Access limitation

InfiLINK 2x2, InfiMAN 2x2 and Quanta 5 family devices allows to create white access lists. In this case only network nodes which IP addresses mentioned in the list will be permitted to access the management interface.

Access recovery

ERConsole utility is used to restore an access to all Infinet devices (see the  "ERConsole" screencast). The utility can be used for the following purposes:

Security measures for device management

MeasuresInfiLINK 2x2 and InfiMAN 2x2InfiLINK XG and InfiLINK XG 1000Quanta 5
WebCLIWebCLIWeb
Change account settingsSystem SettingsGeneral Purpose Command SetGeneral settingsGeneral Purpose Command SetSecurity settings
Create a guest account-General Purpose Command SetGeneral settingsGeneral Purpose Command Set-
Authentication via RADIUS Server-

General Purpose Command Set

RADIUS authentication for admin users

-General Purpose Command SetSecurity settings
Management protocol configurationMaintenance menu

td command (Telnet daemon)

General Purpose Command Set

General settings

td command (Telnet daemon)

General Purpose Command Set

Security settings
Adding management IPNetwork SettingsIfconfig command (interfaces configuration)Network AccessIfconfig command (interfaces configuration)Network settings⁣
Device access limitationIP Firewall

General Purpose Command Set

ipfw command (IP Firewall)

--Security settings
Device access recovery
Emergency Repair Console

General Purpose Command SetEmergency Repair Console

Troubleshooting⁣⁣⁣

Data transmission

Data transmission is the main function of any network equipment. In addition to user data, devices exchange service messages of auxiliary protocols such as SNMP, LLDP, etc. The described functions implementation contains potential threats that an attacker can use, and requires accurate configuration of all wireless devices subsystems.

General recommendations

Wireless systems are hardware and software systems. Therefore, one of the most important requirements is the timely software updating. It is recommended to use stable software versions and monitor the release of updates. Used software version can be checked directly on the device.

When making changes to the devices configuration, keep in mind that the mechanism for applying the settings depends on management interface used:

In some cases, errors made during the device configuration process can lead to access loss to the device and the device may need to be reset to factory settings (see "Access recovery"). To reduce the risk of this scenario, it is recommended to use a delayed device reboot. In this case, after applying the new configuration, a device availability check will be performed. If the device is unavailable, the previous version of the configuration will be restored.

Service traffic

By default, switching on the device is configured to pass data between the wired and wireless interfaces without filtration. Such scheme is vulnerable to a large amount of spurious traffic, which can take up all the available throughput and the link will actually become inaccessible for the transmission of useful traffic. An example of spurious traffic is a broadcast storm, which can cause errors in devices switching. Measures to protect the network infrastructure from such attacks are:

Network Protocol Configuration

In addition to user data, devices exchange service messages of auxiliary protocols. The security should take into account that any available service is a potential attacker's target.

DHCP

Infinet devices can be configured as a DHCP client, DHCP server and DHCP relay. Keep in mind that the DHCP protocol supports not only the IP address allocation, but also the network settings transmission.

Let's look at the example of the attack using the DHCP (Figure 10): there is link between the Master and Slave, a DHCP client is activated on the Slave device radio interface and the DHCP server is installed on the corporate network. In this example the attacker managed to connect the network device on which the DHCP server is configured to the corporate network. After the Master-Slave link has been established, the Slave device sends a broadcast request to the network to receive network settings from the DHCP server. DHCP servers located on the network respond to a request from Slave. If the response from the attacker server is received first, the Slave device will assign to the network interface the proposed address and network settings that are transmitted in this request. Thus, an attacker can set his device as the default router and gain access to the traffic transmitted by the Slave device.

Figure 10 - An example of the attack using the DHCP

An attacker’s device can also act as a DHCP client (Figure 11): the functions of network DHCP server are implemented on Infinet device,  an attacker’s device is connected to the network. In a situation where the DHCP server configuration protocol does not provide security measures, the attacker will generate a request and the server will provide the device with network details. Thus, an attacker will gain access to data transmitted over the network.

Figure 11 - An example of the attack using the DHCP

In order to increase the security of using DHCP in the corporate network, it is recommended to implement the following measures:

ARP

Ethernet and IP protocols belong to different levels of the network interaction model, to bind the addresses of devices used in each of the protocols a special tool is needed. ARP protocol and the address mapping table that it fills are used for this purpose. The table contains entries where the MAC address of the interface is mapped to the IP address, that is used when transmitting IP packets encapsulated in Ethernet frames.

Let's look at the example of an attack with IP address spoofing: two clients (Client 1 and Client 2) have an access to the Internet via the Master-Slave radio link. An IP address assigned to the client is an identifier for the appointment of a tariff plan. The client with the IP address 192.168.0.1 is provided with a throughput of 10 Mbit/s, the client with the address 192.168.0.2 - with 2 Mbit/s (Figure 12a). At some point Client 1 turns off the PC and does not use the provider services, at the same time Client 2 replaces its IP address with the 192.168.0.1 address assigned to Client 1 (Figure 12b). In this case Client 2 will gain access to the Internet with greater throughput, and Client 1 after switching on, will have problems with access to the network.

Figure 12a - An example of the attack using IP spoofing

Figure 12b - An example of the attack using IP spoofing

This type of attacks with IP address spoofing can be prevented by adding a static record to the ARP protocol address mapping table. In this case Client 2 data will not be transmitted after changing the IP address, because the address 192.168.0.1 will be assigned the MAC address of Client 1.

LLDP

The LLDP protocol is designed to exchange service information about a device with directly connected devices. The service information is the VLAN ID, MAC address, device name, IP address of the management interface, etc. If an attacker will gain physical access to the device, then by launching the LLDP service on his PC, he will be able to get service information about the device by exchanging service messages (Figure 13). This information can help to get unauthorized access to the device.

To prevent this type of attack, follow the guidelines:

Figure 13 - An example of the attack using LLDP

SNMP

SNMP was created as a unified protocol for managing network devices and collecting data on their state. The protocol provides for two types of requests: a request to GET some parameter value and a request to SET the parameter specified value. Thus, devices that support SNMP can operate in read mode (only GET requests) and write mode (SET and GET requests). SNMP server activation is necessary for centralized device management by a monitoring system. But an attacker could take his chance if the SNMP server is not configured properly. In this case, he can not only get information about the network structure, but also change the configuration of the device (Figure 14).

To prevent unauthorized access follow the guidelines:

Figure 14 - An example of the attack using SNMP

MINT

MINT is the proprietary Infinet protocol, whose operation can be organized in the wired and wireless segments. An attacker, gaining access to the MINT domain, can compromise all network devices related to this domain, therefore, pay special attention while configure the MINT protocol.

Let's look at the example of an attack using the MINT protocol: two wireless links Master 1 - Slave 1 and Master 2 - Slave 2 are joined into the MINT area using PRF interfaces (Figure 15a). The attacker get physical access to the enterprise network using the InfiMUX switch, on which the PRF interface is created (Figure 15b). PRF interfaces will establish communication channels between each other and all devices will be combined into a MINT area, so an attacker will receive information about devices in this area and will be able to execute remote commands on them using MINT tools.

Protection against such attacks:

Figure 15a - Joining links in the MINT area

Figure 15b - An example of the attack using MINT protocol


Security measures implementation for data transfer 

MeasuresInfiLINK 2x2 and InfiMAN 2x2InfiLINK XG and InfiLINK XG 1000Quanta 5
WebCLIWebCLIWeb
Software UpdateMaintenanceGeneral Purpose Command SetMaintenanceGeneral Purpose Command SetMaintenance⁣
Delayed restartApply, Try and Preview buttons for the configurationGeneral Purpose Command SetApply and Try buttonsCommands for modem configuration-
Traffic filtration

IP Firewall

MAC Switch

IP Firewall

PCAP-filters

Switch command

Switch

VLAN Switching

Commands for switch configurationSwitch Settings
STP configurationMAC SwitchSwitch command---
Router mode enabling-

Static routes

arip command

OSPF command

ARDA (Aqua Router DAemon)

---
DHCP client configurationNetwork SettingsDHCP ClientNetwork AccessDHCP ClientNetwork settings⁣
DHCP server configuration-DHCP Server---
DHCP relay configuration-DHCP relay---
ARP configuration-

ARP protocol

Addresses mapping

-ARP protocol-
LLDP configuration-lldp command-lldp command-
SNMP configurationSNMP menuSNMP daemonSNMP sectionSNMP daemonSNMP settings
MINT configurationLink Settings

mint command (MINT version)

mint command (TDMA version)

---

Infrastructure

Infrastructure security is the important section of information security, which needs a special attention. Infrastructure character depends on the technical policy of the enterprise. The network should contain logging, monitoring and technical record-keeping.

Monitoring

A monitoring system is required for centralized device management and network operation monitoring. Also, the monitoring system sends notifications to engineers if the parameter values are outside the allowed range. Such notifications reduce the service personnel response time, thereby minimize the consequences of failures and possible attacks.

Monitoring systems can be integrated with alarm systems and video surveillance.

Infinet company provides its own system for monitoring Infinet wireless devices - InfiMONITOR. The monitoring system collects data in the following ways (Figure 16):

Figure 16 - Data exchange between devices and a monitoring system

Syslog storage

A detailed incident investigation requires an analysis of the system logs stored on the device. Infinet devices support logging, but the system log will be lost after a device reboot. In large networks it is useful to have a centralized repository of log files, such repository has an interface which allows to display all network devices logs used in incident investigation.

A Syslog server is allocated on the network for these purposes. All log entries are sent to the Syslog server simultaneously with writing to the system log (Figure 17). This allows to store the all network devices message history centrally without risk to lose all syslog data in case of device reboot or unauthorized access.

Figure 17 - Data exchange with the Syslog server

Technical record-keeping

Operational problems solving, to gain access to the facility, restore the configuration, add it to the monitoring system, etc requires a comprehensive information about devices. Such information includes both technical and administrative aspects. Special technical record-keeping systems can be used on the network to store the data and have access to it. Technical record-keeping systems contain the following information:

Infrastructure security measures

MeasuresInfiLINK 2x2 and InfiMAN 2x2InfiLINK XG and InfiLINK XG 1000Quanta 5
WebCLIWebCLIWeb
InfiMONITOR monitoring systemInfiMONITOR - Technical User Manual
SNMP configurationSNMP menuSNMP daemonSNMP sectionSNMP daemonSNMP settings
Traps configurationSNMP menuSNMP trapsSNMP sectionSNMP traps-
Syslog displayDevice Status menuGeneral Purpose Command SetMaintenanceGeneral Purpose Command SetMaintenance⁣
Incident history sending to a syslog server-General Purpose Command Set-General Purpose Command Set-
Text configuration managementMaintenance menuGeneral Purpose Command SetMaintenanceGeneral Purpose Command SetMaintenance⁣

Additional materials

Online courses

  1. InfiLINK 2x2 / InfiMAN 2x2: Initial Link Configuration and Installation.
  2. InfiLINK XG Family Product.
  3. Quanta 5: Installation and Configuration.
  4. Wireless Networking Fundamentals.
  5. InfiLINK 2x2 and InfiMAN 2x2: Switching.

White papers

  1. Link aggregation, balancing and redundancy.
  2. Connectivity with mobile objects.

  3. Dynamic Frequency Selection.

Webinars

  1. InfiNet Wireless equipment installation, grounding and lightning protection.
  2. Switching configuration using InfiNet Wireless devices - typical scenarios.
  3. Link diagnostics for the InfiLINK 2x2 and InfiMAN 2x2 product families.
  4. InfiNet Wireless solutions for mobile projects.

Screencast

  1. InfiNet Wireless Equipment - From Planning to Commissioning.
  2. ERConsole.

Other

  1. Acessories section on the infinetwireless.com
  2. FTP Infinet Wireless
  3. InfiMONITOR section on the infinetwireless.com