15.5. Framework for Wireless Network Survivability and Security

In light of the limitations indicated by the current literature, we have developed a framework for the comprehensive treatment of the problems of IA in hybrid wireless access networks. To facilitate the work, a hybrid wireless access network survivability/security framework [5] is developed similar to the approaches of Zolfaghari and Kaudel [33] for wired backbone networks. The wireless access network is viewed as having radio, sensor, access, and intelligent layers, as shown in Figure 15.1, with survivability/security strategies possible at each layer as detailed in Shin et al. [26], Krishnamurthy et al. [5], and Tipper et al. [4]. The components and functions supported at each layer are listed in Table 15.1. The radio network subsystem (RNS) includes the APs, BSs, BSC/RNC, and radio resource management schemes. The sensor subsystem (SenS) consists of a sensor network of sensor nodes with a base station connected to the Internet. The access network subsystem (ANS) supports packet switching, connection management, call management, and mobility management functions using the wired interconnection of APs, BSs, BSC, and MSC. The MSC, HLR, and VLR at the transport layer use the signaling network and services provided by service data management functions, implemented at the intelligent layer, to support connection and mobility management. The intelligent network subsystem (INS) supports security, location, service data and mobility management functions.

Table 15.1. Wireless network subsystems for survivability and security.
| Subsystem | Components | Communication Links | Function |
|---|---|---|---|
| RNS | MS, BS, ad hoc clusters, WLAN AP, and BSC | Digital radio channels with TDMA, FDMA, or CDMA, wireline links, and/or terrestrial microwave | Define physical interface for radio communication, BS cluster management, radio channel management, and MAC signaling |
| ANS | BS, BSC, MSC, WAP, SGSN, GGSN, and signaling network | Wireline links and/or terrestrial microwave | Connection management and mobility management |
| INS | MSC, HLR, VLR, EIR, AuC, mobile IP signaling, and RADIUS | Wireline links and/or terrestrial microwave | Service management, security, location services and mobility management |
| SenS | Sensor nodes and BS | Wireless multihop links on the uplink and broadcast wireless downlink | Deliver sensed data to BS and broadcast control messages for network operation to sensor nodes |

Given the framework above to conduct a survivability analysis, performance-oriented survivability metrics along with techniques for evaluating the metrics over various modes of operation are identified. The modes of operation include normal, single-failure, and multiple-failure/attack/disaster modes. Table 15.2 lists examples of possible survivability metrics and failure conditions at each layer in the framework, as well as some of the potential impacts of a failure in terms of the area affected and network service disruption. The survivability of a particular network is based on the ability of the network to meet performance goals stated in terms of service thresholds for each survivability metric, over each operational mode. For example, a performance goal with respect to packet delivery may be 1% packet loss for all cells during normal operation and 2% steady-state packet loss for cells adjacent to or near a failed cell with a maximum transient peak of 10% packet loss. While many of the survivability metrics listed in Table 15.2 have target mean and 0.95 percentile values recommended by ITU [34] for voice, no corresponding values exist for data.
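
The packet-delivery goal quoted above can be checked mechanically per cell and per operational mode. The following is an added example, not code from the book; the function name, the 30-second settle window separating the transient from the steady state, the use of a mean for the normal and steady-state goals, and the sample data are all assumptions.

```python
from statistics import mean

# Goals quoted in the text, as loss fractions.
GOALS = {"normal": 0.01, "steady_state": 0.02, "transient_peak": 0.10}

def evaluate_cell(samples, failure_time=None, settle=30):
    """Check one cell's packet-loss samples against the goals.

    samples: list of (t_seconds, loss_fraction).
    failure_time: time a neighbouring cell failed, or None for normal mode.
    settle: assumed length in seconds of the transient period after a failure.
    """
    if failure_time is None:
        avg = mean(loss for _, loss in samples)
        return {"mode": "normal", "ok": avg <= GOALS["normal"], "mean": avg}
    # Transient period: judged on its worst sample, not its average.
    transient = [l for t, l in samples if failure_time <= t < failure_time + settle]
    # Steady state after the network has settled: judged on its average.
    steady = [l for t, l in samples if t >= failure_time + settle]
    peak = max(transient, default=0.0)
    steady_mean = mean(steady) if steady else 0.0
    ok = peak <= GOALS["transient_peak"] and steady_mean <= GOALS["steady_state"]
    return {"mode": "single-failure", "ok": ok,
            "peak": peak, "steady_mean": steady_mean}

# Constructed samples for a cell adjacent to a BS that fails at t = 20 s.
ADJACENT_CELL = [(0, 0.004), (10, 0.006), (20, 0.08), (30, 0.05), (40, 0.03),
                 (50, 0.018), (60, 0.016), (70, 0.020)]

if __name__ == "__main__":
    print(evaluate_cell(ADJACENT_CELL[:2]))               # before the failure
    print(evaluate_cell(ADJACENT_CELL, failure_time=20))  # single-failure mode
```

Judging the transient window on its peak matters: a short burst above 10% can hide inside an average that still looks acceptable.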

Table 15.2. Typical failure scenarios and survivability metrics at each layer.
| Subsystem | Failure Scenario | Potential Impact | Possible Metrics |
|---|---|---|---|
| RNS | Loss of AP or BS/Node B | Partial/full-service loss in cell and increased traffic in cells adjacent to failure. Increased signaling | Packet loss rate, TCP session timeout, connection blocking probability, forced connection termination probability, throughput, and handover request rate |
| ANS | Loss of BSC-MSC or AP link | Partial/full-service loss in a cell or cluster of cells and increased traffic in cells adjacent to failure. Increased signaling | Packet loss rate, TCP session timeout, connection blocking probability, forced connection termination probability, connection setup/release delay, and paging/location update/registration delays |
| INS | Loss of VLR | Loss of roaming service in a coverage area or network/subnetwork | Lost user load (Erlangs or packets), database access delay, and information accuracy probability |
| SenS | Failure of sensor nodes or links | Partitioning of network leading to more energy consumption for data delivery, or congestion | Network lifetime, throughput, delay, packet delivery ratio, and energy efficiency |

For a network to be fault tolerant, alternate routes must exist between the network components or spare components must be provisioned (e.g., spare link between the BS-BSC with automatic protection switching at the end points). At the ANS and INS levels, traditional survivability strategies such as a mesh-type architecture (at least two connected) are feasible. For example, all of the base stations in a cluster together with their associated BSC could be connected with a self-healing ring.

Table 15.3 lists examples of the types of survivable network design strategies that can be implemented. In addition, specific network controls (e.g., routing) are required to support the restoration of service to connections disrupted by a failure/attack, while maintaining network performance goals. This should enable a network to provide service continuity if possible, while minimizing network congestion. Table 15.3 also lists examples of the type of restoration technique for a given redundancy approach at a particular layer.

As an example, a self-healing ring (SHR) at the ANS layer is shown in Figure 15.2. The SHR can provide full restoration capability against a single cable cut and equipment failure. Each node in the SHR uses one add/drop multiplexer (ADM) to access either the primary (outer) ring or the secondary (inner) ring. In normal operation, the system uses the primary ring for both transmitting and receiving data, and the secondary ring serves as a protection system. In the ANS, the SHR could be used to connect a BS and a BSC, a BSC and an MSC, or multiple MSCs in a ring topology. Figure 15.2 illustrates an example of employing an SHR between an MSC and multiple BSCs in a mobile cellular network. The SHR is simple, fast, and provides full-capacity restoration. However, it protects a system only from failures that occur in its physical rings and ADMs. Also, it is expensive to implement.
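
The single-failure guarantee of the SHR, and where it stops, can be seen by modelling the ring as a graph. This is an added example, not code from the book; the node names, the choice of three BSCs, and the modelling assumption stated in the docstring are assumptions, and the double-cut case goes beyond the single-failure case the text describes.

```python
from collections import deque

def ring_spans(nodes):
    """Cable spans of a ring: each node to the next, the last back to the first."""
    return {frozenset((nodes[i], nodes[(i + 1) % len(nodes)]))
            for i in range(len(nodes))}

def served_nodes(hub, nodes, cut_spans=(), failed_adms=()):
    """Return the nodes that can still exchange traffic with the hub.

    Assumption: a cable cut severs both rings in that span, and the ADMs on
    either side loop traffic onto the secondary ring, so a node stays served
    as long as some chain of intact spans and working ADMs joins it to the hub.
    """
    down = set(failed_adms)
    if hub in down:
        return set()
    cut = {frozenset(s) for s in cut_spans}
    live = [s for s in ring_spans(nodes) if s not in cut and not (s & down)]
    seen, queue = {hub}, deque([hub])
    while queue:                      # breadth-first search over intact spans
        here = queue.popleft()
        for span in live:
            if here in span:
                (there,) = span - {here}
                if there not in seen:
                    seen.add(there)
                    queue.append(there)
    return seen - {hub}

# Constructed topology: one MSC and three BSCs on the ring.
RING = ["MSC", "BSC1", "BSC2", "BSC3"]

if __name__ == "__main__":
    print(served_nodes("MSC", RING, cut_spans=[("BSC1", "BSC2")]))
    print(served_nodes("MSC", RING, cut_spans=[("MSC", "BSC1"), ("BSC2", "BSC3")]))
    print(served_nodes("MSC", RING, failed_adms=["BSC2"]))
```

Any single cut leaves every BSC served, while the two simultaneous cuts in the second call isolate BSC1 and BSC2, which is the multiple-failure mode the ring alone does not cover.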

Table 15.3. Typical survivability strategies.
| Subsystem | Robustness and Redundancy | Traffic Restoration |
|---|---|---|
| RNS | Spare RF components, NICs, overlapping/scaleable cells, corner excited overlapping cells, ad hoc relays, spare BS-BSC links, dual-homing APs, multihoming BS to BSCs, and ring topology for BS-BSC interconnect | Load-sharing protocols, dynamic channel allocation, adaptive channel quality protocols, MANET routing protocols, automatic protection switching, dynamic rerouting protocols, and self-healing rings |
| ANS | Spare BSC-MSC link, ring topology for BSC-MSC interconnect, multihoming BSC to MSCs, and dual-homing APs | Automatic protection switching, self-healing rings, dynamic rerouting, call gapping/selective packet dropping |
| INS | Physical diversity in signal networking links and physical database diversity | Dynamic routing and checkpoint protocols |
| SenS | Spare sensor nodes with alternating sleep and waking schedules and multipath routing | Creating new routes upon failure and control messaging from BS for restoring routes and time synchronization |

Figure 15.2. Ring architecture for ANS diversity.


Thus far we have considered failure conditions; in Table 15.4 we look at the layers of Table 15.1 from a security standpoint. At each layer, the messages and protocols that have security implications are identified, along with the types of security attacks that are possible. Currently in WLANs, the only repository of the shared key is the AP (or Authentication Server) and the MS. In cellular networks, different entities have possession of different secrets. The subscriber identity is kept in the HLR, MS, and SGSN. For random nonces used in session key generation, the challenge messages are known to the HLR, SGSN, BSC, MS, and BS. Only the MS and AuC know the master key. The AuC maintains a different master key for each MS that belongs to its network. This master key is utilized for securely generating session keys for encrypting voice calls.

Table 15.5 shows examples of security breaches at each level and the impact on a network. In a hybrid wireless access network, several security features will have to be in place to prevent or quickly detect security attacks such as those listed in Table 15.5. Table 15.6 provides some typical security features and mechanisms (and network entities that need to share secret information) that can prevent or detect the attacks in Table 15.5.

Table 15.4. Wireless network layers and security implications.
| Subsystem | Network Components | Secret Information | Messages | Information to be Secured |
|---|---|---|---|---|
| RNS | MS, BS, ad hoc clusters, WLAN AP, and BSC | Subscriber identity, shared secret master key, session key(s), random nonces | Signaling messages (RRM, MM), challenge, response, voice/data traffic | Beacon needs to be checked for integrity; challenge, response, nonces to be authenticated; and voice/data traffic confidentiality |
| ANS | BS, BSC, MSC, WAP, SGSN, GGSN, and signaling network | Shared keys between entities for each session, and random nonces | Signaling messages, voice/data traffic | All traffic needs authentication, especially nonces and RRM and MM messages |
| INS | MSC, HLR, VLR, EIR, AuC, mobile IP signaling, and RADIUS | Certificates, shared secret master key, subscriber ID, session keys, and nonces | Challenge, response, session key, and nonces | Session key to be confidential; challenge, response, and nonces need to be tested for integrity and authentication |
| SenS | Sensor nodes and BS | Predistributed secret keys and public keys | Sensed/fused/data, routing control data, and broadcast control messages | Authenticity and confidentiality of different types of information (control and data) |

Table 15.5. Typical security breaches and potential impacts.
| Subsystem | Attack Scenario | Potential Impact |
|---|---|---|
| RNS | Modify beacon or BCCH to falsify information | Loss of access, changed sleep times, and false signal strength measurements |
| ANS | Replay nonce | Creation of wrong session key, exposure of session key, and failure to detect replayed data |
| INS | Man-in-the-middle attack for session key generation | Interception of traffic on-air link and modification of traffic on-air link |
| SenS | Eavesdropping and jamming, fabricated messages | Loss of confidential information, partition of network, lifetime reduction, delivered data are unreliable, data delivery impacted, and network operations fail |

Table 15.6. Typical security features and mechanisms that need to be in place.
| Subsystem | Attack Scenario | Entities Involved | Security Feature/Mechanism | Required Shared Secret |
|---|---|---|---|---|
| RNS | Modify beacon or BCCH to falsify information | MS and BS | Message authentication code, encryption algorithm/hash, and digital signature | Shared secret key > 80 bits, known algorithm like AES and nonce, and authenticated public key of BS/network through certificate |
| ANS | Replay nonce | BSC and BS | Message authentication code and encryption algorithm/hash | Shared secret key > 80 bits |
| INS | Man-in-the-middle attack | AuC, BSC/BS, AuC, and AP | Authenticated and secure key establishment | Public key certificates at both ends (not secret) |
| SenS | Eavesdropping or jamming fabrication | Sensor nodes and BS | Encryption, obfuscation, broadcast and unicast authentication | Secret keys between sensor node pairs and sensor nodes-BS pairs |
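
The RNS and ANS rows of Tables 15.5 and 15.6 pair a modified beacon and a replayed nonce with a message authentication code under a shared secret longer than 80 bits. The receiver-side check below is an added example, not code from the book; HMAC-SHA256 as the MAC, the JSON beacon encoding, the field names, the in-memory nonce cache, and all sample values are assumptions.

```python
import hashlib
import hmac
import json

def beacon_tag(key, nonce, payload):
    # Length-prefix the nonce so the nonce/payload boundary cannot be shifted.
    msg = len(nonce).to_bytes(2, "big") + nonce + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_beacon(key, nonce, fields):
    """Sender side (BS): canonical encoding of the fields plus a MAC."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return {"nonce": nonce, "payload": payload,
            "tag": beacon_tag(key, nonce, payload)}

class BeaconVerifier:
    """Receiver side (MS): rejects modified beacons and replayed nonces."""

    def __init__(self, key):
        if len(key) * 8 <= 80:   # Table 15.6: shared secret key > 80 bits
            raise ValueError("shared secret must be longer than 80 bits")
        self._key = key
        self._seen = set()       # assumption: unbounded cache; bound it in practice

    def verify(self, beacon):
        expected = beacon_tag(self._key, beacon["nonce"], beacon["payload"])
        # Constant-time comparison; check the MAC before touching the cache
        # so forged messages cannot fill it.
        if not hmac.compare_digest(expected, beacon["tag"]):
            return "bad-mac"
        if beacon["nonce"] in self._seen:
            return "replay"
        self._seen.add(beacon["nonce"])
        return "ok"

# Constructed sample values, for illustration only.
SAMPLE_KEY = bytes(range(16))    # 128-bit shared secret
SAMPLE_FIELDS = {"cell_id": 17, "sleep_interval_ms": 100, "tx_power_dbm": 20}

if __name__ == "__main__":
    ms = BeaconVerifier(SAMPLE_KEY)
    b = make_beacon(SAMPLE_KEY, b"\x00" * 7 + b"\x01", SAMPLE_FIELDS)
    print(ms.verify(b), ms.verify(b))             # ok replay
    forged = dict(b, nonce=b"\x00" * 7 + b"\x02",
                  payload=b.get("payload").replace(b"100", b"60000"))
    print(ms.verify(forged))                      # bad-mac
```

The sleep interval and signal-strength fields are exactly what Table 15.5 lists as the impact of a falsified beacon, so they belong inside the authenticated payload.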
