Certified WiMax-4G Professional Security


Security is the degree of protection against danger, damage, loss and crime afforded to a nation, a union of nations, or a person. Security as a form of protection consists of the structures and processes that provide or improve security as a condition.

Network security consists of the provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification or denial of a computer network and its network-accessible resources. It involves authorizing access to data in the network, under the control of the network administrator: users choose or are assigned an ID and password (or other authenticating information) that grants them access to the information and programs within their authority. Network security covers computer networks both public and private, used every day to conduct transactions and communications among businesses, government agencies and individuals; some networks are private, such as those within a company, and others are open to public access. It applies to organizations, enterprises and other institutions, and does what its name says: it secures the network and protects and oversees the operations carried out on it. The most common and simplest way of protecting a network resource is to assign it a unique name and a corresponding password.

Types of Attacks

Networks are subject to attacks from malicious sources. Attacks can be from two categories: "Passive" when a network intruder intercepts data traveling through the network, and "Active" in which an intruder initiates commands to disrupt the network's normal operation.

Types of attacks include:

WiMAX security issues


A fundamental principle of 802.16 networks is that each subscriber station (SS) must hold an X.509 certificate that uniquely identifies the subscriber. X.509 certificates make it difficult for an attacker to spoof the identity of a legitimate subscriber, providing strong protection against theft of service. A fundamental flaw in the authentication mechanism of the original privacy and key management (PKM) protocol, however, is the lack of base station (BS) or service provider authentication: the SS proves itself to the BS, but nothing proves the BS to the SS. This leaves WiMAX networks open to rogue base stations and man-in-the-middle attacks, exposing subscribers to a range of confidentiality and availability attacks. The 802.16e amendment added support for the Extensible Authentication Protocol (EAP), which allows mutual authentication, but support for EAP methods remains optional for service providers.


With the 802.16e amendment, support for the AES cipher (in CCM mode) is available, providing strong confidentiality for data traffic. As in 802.11, management frames are not encrypted, so an attacker can passively collect information about subscribers in the area and other potentially sensitive network characteristics.


WiMAX deployments use licensed RF spectrum, which gives them some protection from unintentional interference. It is reasonably simple, however, for an attacker with readily available tools to jam the spectrum of any planned WiMAX deployment. Beyond physical-layer denial of service, an attacker can use unauthenticated legacy management frames to forcibly disconnect legitimate stations, much like the deauthentication flood attacks used against 802.11 networks.

WiMAX Threats

Despite good intentions for WiMAX security, there are several potential attacks open to adversaries, including:

Rogue Base Stations

DoS Attacks

Man-in-the-Middle Attacks

Network manipulation with spoofed management frames

The real test of WiMAX security will come when providers begin wide-scale network deployments, and researchers and attackers have access to commodity CPE equipment. Other attacks including WiMAX protocol fuzzing may enable attackers to further manipulate BSs or SSs. Until then, the security of WiMAX is limited to speculation.


Essential Elements of WiMAX Security

With the advent of WiMAX, the security toolsets available to broadband wireless service providers have reached all-time highs of functionality, and today's WiMAX networks can be secured more effectively than ever before. As important as securing the radio network is, though, there are further considerations that carriers should evaluate as part of a thorough security implementation. There are five primary aspects of WiMAX security to consider when designing a security plan for a WiMAX network, ranging from mitigation techniques at the physical layer, through improved wireless authentication and encryption, to intrusion protection and data transport security.

At each level, choices in implementation and security levels can be made; although in the case of the physical layer options are limited. Let's start by looking at some of the attacks that can be delivered along with some of the enhanced tools that WiMAX, particularly 802.16e WiMAX, offers.

Physical Layer Security

Two basic types of attack affect the physical layer of WiMAX: jamming and packet scrambling. The first is relatively straightforward, and is sometimes the result of interference rather than an attack. Jamming consists of a signal stronger than the WiMAX carrier overwhelming the data channel, either in intermittent bursts or as a sustained carrier wave.

Since most WiMAX services are delivered over licensed bands (currently 3.5 GHz internationally and 2.5 GHz both internationally and in the US), the spectrum is relatively quiet from accidental interference. Such interference cannot be completely discounted, however: second and third harmonics of much lower-frequency signals can reach the WiMAX band if their transmitters are close enough to the WiMAX antenna system to locally overload its signal. Harmonics fall at integer multiples of the fundamental frequency, so a signal at 850 MHz, for example, has a second (and much weaker) harmonic at 1700 MHz (which could potentially impact AWS spectrum) and a third (weaker still) at 2550 MHz. In practice this is fairly rare.

Leaks from other carriers' equipment also occasionally occur within equipment rooms at the tower. These can usually be detected in planning sweeps with a spectrum analyzer before installation, and notch or band-pass filters on the specific equipment usually clear them up promptly. Constant jamming, malicious or otherwise, can usually be located quickly using a spectrum analyzer and directional antennas to triangulate the signal. Intermittent jamming or interference is more maddening to locate, but is also less intrusive to the network, causing some packet retransmission and slowdowns rather than blanket outages. A good spectrum analysis conducted prior to deployment and periodically thereafter (to detect newly installed gear) goes a long way toward defeating this problem. At some point most WiMAX service providers will face some type of interference or jamming.

Packet scrambling is an attack that occurs when control packets in the respective downlink and uplink subframes are sniffed then scrambled and returned to the network. This attack is much harder to mount than a jamming attack.

"Since most WiMAX networks today use time division duplexing (TDD), wherein signals are sliced via time slots an attacker can parse this timing sequence and capture control data, the preamble and map, scramble them and send them back with correct timing to interrupt legitimate signal, resulting in slowdowns and effectively lowered bandwidth," said Andrew Useckas, chief technology officer for NetSieben Technologies.

Intercepted and scrambled packets are possible with frequency division duplexing (FDD) as well, which transmits uplink and downlink simultaneously on separate frequencies, but the attack is even harder to mount against FDD than against TDD systems.

It may seem that the physical layer is inherently the most vulnerable, since the security mechanisms of WiMAX sit at higher layers. In practice, attackers often find lower-hanging fruit higher in the stack: WiMAX lets service providers choose among several authentication options, and the choices made can leave the door open.

Authenticating Wireless Transmissions

At the media access control (MAC) layer of WiMAX, the control (MAC header) portion of transmissions is not encrypted. This is deliberate, to keep the MAC layer working. It does not by itself make WiMAX insecure, but it does present some choices for the carrier.

Traditionally the first level of authentication for older broadband wireless technologies has been MAC address authentication, and WiMAX supports it, though providers should not settle for this method. The technique logs permitted MAC addresses and admits only those devices; attackers long ago learned to spoof them. A second, newer and much better option is the built-in support for X.509 device certificates. Lastly, the extensible authentication protocol with transport layer security (EAP-TLS), added with the 802.16e standard, adds a further layer of authentication. What does this mean in practice? Some of the potential exploits at this level illustrate the value of stronger authentication.

"If a base station is not set up with adequate authentication measures, an attacker can capture control packets and pose as a legitimate subscriber even with older MAC device authentication enabled," added Useckas.

The X.509 certificate, by contrast, makes it very hard for an intruder to impersonate a subscriber. The certificate is embedded in the subscriber unit and carries the device's public key, bound to its MAC address, so a base station can authenticate legitimate subscriber stations quickly and reliably. Unfortunately, in the original PKM this is a one-way protocol.

"The X.509 protocol is very good," said Useckas. "However there is no way to verify if a base station is authentic with subscriber side X.509."

Useckas added that if an interloper ratchets up the power on a rogue base station, captures control packets from a legitimate base station transmission and then spoofs the timing sequence of the TDD signal that the subscriber unit expects, it is very possible to hijack subscriber traffic.

Enter the EAP-TLS authentication method. This technique, added with the 802.16e standard, lets subscriber and base station authenticate each other, each side presenting an X.509 certificate. We noted above that MAC control headers are never encrypted in WiMAX; with 802.16e, however, carriers can choose to authenticate management messages (they are not obliged to). This is done with a hashed message authentication code (HMAC): a keyed hash computed with a secret key that the BS and SS derive from the authorization key they share after authentication, not with an encrypted private key.
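As an added example (not from the original page, and not vendor or standards code), the Go program below models the two halves of this trust relationship with the X.509 tools in the Go standard library. A constructed device CA issues a subscriber certificate whose common name carries the subscriber MAC address; a constructed operator CA issues the base station certificate; a rogue CA under the attacker's control issues an impostor base station certificate and a device certificate that reuses the victim's MAC. The CA names, serial numbers, the base station name and the MAC-in-CN convention are assumptions of this example. BSVerifiesSS is the check every PKM version performs; SSVerifiesBS shows the difference between one-way authentication (no operator trust anchor, so any BS is accepted) and mutual authentication (a BS certificate must chain to the operator CA).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// victimMAC is the constructed subscriber identity the device certificate is bound to.
const victimMAC = "00:11:22:33:44:55"

// certTemplate builds a minimal certificate. For device certificates the CN carries the
// subscriber MAC address (an assumption of this example about how the binding is encoded).
func certTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and signs the certificate with signer under
// parent. A nil parent yields a self-signed CA root signed with its own key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Fixture is one constructed deployment: a device CA (the CPE manufacturer's role),
// an operator CA for base stations, and a rogue CA under the attacker's control.
type Fixture struct {
	DeviceRoots, OperatorRoots *x509.CertPool
	SS, BS, RogueBS, SpoofedSS *x509.Certificate
}

func NewFixture() *Fixture {
	deviceCA, deviceKey := issue(certTemplate("Example Device CA", 1, true), nil, nil)
	opCA, opKey := issue(certTemplate("Example Operator CA", 2, true), nil, nil)
	rogueCA, rogueKey := issue(certTemplate("Rogue CA", 3, true), nil, nil)
	ss, _ := issue(certTemplate(victimMAC, 10, false), deviceCA, deviceKey)
	bs, _ := issue(certTemplate("bs-001.example.net", 11, false), opCA, opKey)
	rogueBS, _ := issue(certTemplate("bs-001.example.net", 12, false), rogueCA, rogueKey)
	spoofed, _ := issue(certTemplate(victimMAC, 13, false), rogueCA, rogueKey) // attacker reuses the victim's MAC
	f := &Fixture{DeviceRoots: x509.NewCertPool(), OperatorRoots: x509.NewCertPool(),
		SS: ss, BS: bs, RogueBS: rogueBS, SpoofedSS: spoofed}
	f.DeviceRoots.AddCert(deviceCA)
	f.OperatorRoots.AddCert(opCA)
	return f
}

// BSVerifiesSS is the check every PKM version performs: the device certificate must
// chain to a trusted device CA and must be bound to the MAC address the SS claims.
func BSVerifiesSS(cert *x509.Certificate, claimedMAC string, deviceRoots *x509.CertPool) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: deviceRoots}); err != nil {
		return err
	}
	if cert.Subject.CommonName != claimedMAC {
		return fmt.Errorf("certificate is bound to %s but SS claims %s", cert.Subject.CommonName, claimedMAC)
	}
	return nil
}

// SSVerifiesBS is the half the original PKM lacks. With no operator trust anchor the SS
// accepts any BS certificate; with one (mutual EAP-TLS) a BS must chain to the operator CA.
func SSVerifiesBS(cert *x509.Certificate, operatorRoots *x509.CertPool) error {
	if operatorRoots == nil {
		return nil // one-way PKM behaviour: the base station is never authenticated
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: operatorRoots})
	return err
}

func main() {
	f := NewFixture()
	fmt.Println("BS accepts legitimate SS:   ", BSVerifiesSS(f.SS, victimMAC, f.DeviceRoots) == nil)
	fmt.Println("BS accepts spoofed SS:      ", BSVerifiesSS(f.SpoofedSS, victimMAC, f.DeviceRoots) == nil)
	fmt.Println("one-way SS accepts rogue BS:", SSVerifiesBS(f.RogueBS, nil) == nil)
	fmt.Println("mutual SS accepts rogue BS: ", SSVerifiesBS(f.RogueBS, f.OperatorRoots) == nil)
	fmt.Println("mutual SS accepts real BS:  ", SSVerifiesBS(f.BS, f.OperatorRoots) == nil)
}
```

The spoofed device certificate fails not because of its MAC (it matches) but because it does not chain to the device CA, which is exactly why MAC filtering alone is worthless and certificates are not. The rogue base station passes every check a one-way subscriber can make, and only the operator trust anchor on the subscriber side rejects it.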

"The hash appends at the end of the message itself," said Useckas. "When messages are received the base station generates its own hash to compare to the one received from the subscriber using its private key to compare them."

This adds a further layer of authentication. The downside, Useckas adds, is that all of this costs processor cycles: a clever attacker could send thousands of messages with HMACs attached, forcing the base station to burn cycles verifying them, effectively a denial of service.

This points up a conundrum for WiMAX broadband wireless carriers: even positive security choices carry consequences. So while WiMAX has better tools than ever and supports MAC management message authentication on board the radio, carriers may elect to shift some of the processor burden for authentication and data encryption to central office (CO) servers. We discuss this further in the next section.


Clearly the first line of defense for WiMAX operators is to authenticate legitimate users on the network. With its 802.16e ratification, WiMAX also offers first-rate tools for encrypting data. Older wireless iterations used the data encryption standard (DES), which relies on a 56-bit key and is now largely considered obsolete. 802.16e still supports DES and 3DES, but it also adds the Advanced Encryption Standard (AES) with 128-, 192- or 256-bit keys. AES is an approved algorithm under the Federal Information Processing Standard (FIPS) 140-2, a requirement for numerous government branches. This technology, which needs dedicated processing on board base stations, is robust and highly effective. But once again the question is whether carriers should depend largely on onboard processing or shift to server-based third-party solutions (some of which offer additional EAP methods widely used in the enterprise, easing integration) that provide more options in encryption. The former is almost certainly cheaper; the latter may offer additional advantages.

For his part, Useckas is firmly in the third party camp.

"I think it is better to push encryption to either a firewall server on the base station or central office side or to an operating system than to rely on the radio systems exclusively," asserted Useckas.

It behooves WiMAX carriers to look at various scenarios for their security needs and put a migration plan in place, if such appears needed, before deployment begins.

"In the past for example many cellular carriers focused on authentication and mostly ignored encryption," said Useckas. "Whether that will change as mobile service providers ramp up more broadband applications is an open question."

Through this point we have looked at the physical layer of WiMAX security as well as the authentication options at the MAC layer and the additional top line AES data encryption that WiMAX now supports. Let's briefly examine the last two elements of a well-considered WiMAX security solution.

Third Party Intrusion Protection

In many ways examining WiMAX security options is like peeling an onion. It almost seems as if a new layer is revealed or required each time you delve deeper into it.

We have looked at techniques to mitigate physical layer issues such as jamming and corrupted packets. We examined WiMAX authentication schemes, which are a major component of a secure network. And we also spoke of data encryption (which we will examine more in the last segment). WiMAX possesses solid tools already built in.

But considerations beyond security alone, namely business-case elements, can drive a migration to third-party intrusion detection and prevention tools. Intrusion protection is not, however, data protection; these are two different classes of solution. Good third-party intrusion protection can certainly monitor and secure a network's authentication, and many solutions also offer protection against worms, Trojan horses, viruses, backdoor exploits and denial-of-service attacks, to name a few. Some of these are almost a business necessity for a wireless service provider and may justify the cost of an additional security suite from the start; for other companies, a migration strategy toward enhanced tools makes the most cost-effective sense.

A good place to start is examining market and service scenarios. If your customer base is highly sensitive to data integrity (financial sector or hospital customers) third party intrusion prevention systems can help segment customers from each other better as well as secure them from outside attack.

Or, in another example, a mobile network that offers only internet access and voice may choose to forgo responsibility for data encryption and rely on session initiation protocol (SIP) signaling for its VoIP together with WiMAX's native authentication tools.

These are just a couple of scenarios with limited data encryption needs. But what if your business model demands more?

Third Party Data Transport Security

Clearly an AES-based data encryption system gives WiMAX excellent security in this regard. However, additional solutions that meet customer needs, such as virtual private networks, require different approaches. Useckas, for his part, believes data transport security and authentication with third-party tools can be far easier than most realize and bring many advantages.

"If you force everybody to install a small piece of client software you can enforce EAP based authentication across your entire network for example," explained Useckas. "This also allows for an IPSec AES-based data encryption solution that supports tunneling and encapsulation of data."

Useckas added that these techniques are likely to become increasingly important to enterprise customers whose employees travel with laptops that need to access highly sensitive databases via VPN products.


WiMAX - Security Functions

Security is handled by a privacy sublayer within the WiMAX MAC. The key aspects of WiMAX security are as follows:

Support for privacy:

User data is encrypted using cryptographic schemes of proven robustness to provide privacy. Both AES (Advanced Encryption Standard) and 3DES (Triple Data Encryption Standard) are supported.

The 128-bit or 256-bit traffic encryption key is generated during the authentication phase and is periodically refreshed for additional protection.

Device/user authentication:

WiMAX provides a flexible means for authenticating subscriber stations and users to prevent unauthorized use. The authentication framework is based on the Internet Engineering Task Force (IETF) EAP, which supports a variety of credentials, such as username/password, digital certificates, and smart cards.

WiMAX terminal devices come with built-in X.509 digital certificates that contain their public key and MAC address. WiMAX operators can use the certificates for device authentication and use a username/password or smart card authentication on top of it for user authentication.

Flexible key-management protocol:

The Privacy and Key Management Protocol Version 2 (PKMv2) is used for securely transferring keying material from the base station to the mobile station, periodically reauthorizing and refreshing the keys.

Protection of control messages:

The integrity of over-the-air control messages is protected by message authentication codes: AES-based CMAC or SHA-1-based HMAC, keyed from the authorization key.

Support for fast handover:

To support fast handovers, WiMAX allows the MS to use preauthentication with a particular target BS to facilitate accelerated reentry.

A three-way handshake is supported to optimize reauthentication for fast handovers while guarding against man-in-the-middle attacks.
