Wireless Mobility Guide
for the support of
The Apple Gate Fire Staging Area
Author:
Dave Sweigert, CISA, CISSP, EMT-B, HCISPP, PMP, SEC+
Wireless Security, CNT 67
2,525 words
dsweigert@itrdc.net
DISCLAIMERS
This work is a copyright protected product and not an open source freeware
work. Credit must be given to the author if any portion of this document is
referenced by a third party. This document does not constitute an
endorsement (implied and/or expressed) by the institutions and/or
organizations described herein; Las Positas College and/or Information
Technology Disaster Resource Center, etc. This work is part of a non-profit
scholarly research and education project and all opinions expressed herein
are those of the author (unless otherwise cited). No warranty or liability is
provided with this document. Persons relying on the information contained
herein do so at their own risk. All places, persons, scenarios described are
fictional and provided for the sole purpose of scholarly research.
ABBREVIATIONS USED IN THIS DOCUMENT
802.11         Wireless networking standard
Access Point   An entry point into a wireless LAN
BYOD           Bring Your Own Device
CalFIRE        California Department of Forestry & Fire Protection
CalOES         California Office of Emergency Services
COML           Communications Unit Leader
CST            Civil Support Team
DHCP           Dynamic Host Configuration Protocol
EOC            Emergency Operations Center
Ghz            Gigahertz
Gbps           Giga bits per second
IEEE           Institute of Electronic and Electrical Engineers
IP             Internet Protocol
ITRDC          Information Technology Disaster Resource Center
LAN            Local Area Network
MAC            Media Access Controller
Mbps           Mega bits per second
Mhz            Megahertz
OSI            Open Systems Interconnect (Reference Model)
POP3           Post Office Protocol (version 3)
PDA            Personal Digital Assistant
RF             Radio Frequency
SSID           Service Set identification
WEP            Wired Equivalent Privacy
INTRODUCTION:
This paper serves two purposes: (1) to fulfill the requirements for the Las
Positas College Wireless Security technology course (CNT 67) and (2) to
leverage the subject matter into a document that may be used for discussion
purposes by the Information Technology Disaster Resource Center (ITDRC)
(which has not participated in the development of this document).
This document will follow the best industry practices proposed by
government response agencies and the technology sector for the timely,
efficient, secure and robust deployment of temporary core Information
Technology (I.T.) infrastructure to support a Type 3, multi-jurisdiction,
multi-agency composite All Hazards Incident Management Team (AHIMT).
Current State Assessment
A 10,000 acre wildland fire (the Apple Gate Fire) has engulfed parts of Los
Angeles County, Kern County, the Angeles National Forest, the cities of
Palmdale, Lancaster and is threatening Wildwood, California. Dozens of fire
apparatus are arriving hourly at a staging area located near the Agua Dulce
executive airport (see Annex; Exh. 1). A preliminary base camp has been
established at the airport that will need to accommodate 300 – 500 incident
personnel overnight. Local resources have been exceeded and an
emergency call has gone out to the Region IX ITRDC to provide
supplemental wireless capability (WiFi). The present AHIMT
Communications Unit Leader (COML) has informed ITRDC that they should
have their capability operational within six (6) hours to accommodate shift
changes occurring at approximately 1800 hours (6 pm) that evening. The
COML has made the request under the newly created Emergency Support
Function (ESF 18) – Cyber Security.
Essential requirements:
• Shall not interfere with aviation services or communications
• Shall provide morale, health and welfare text messages and e-mail
• Shall not allow uploading of imagery, videos, graphics files, etc.
• Shall provide connection limit of ten (10) minutes before disconnection
• Shall accommodate e-mail (POP3) Bring Your Own Devices (BYOD)
The area requiring wireless connectivity is seen in the figure below (see red
perimeter marked “Staging”).
An Incident Radio Communications Plan (Incident Command System (ICS)
form 205) has been provided to the team. 116 – 125 Mhz, 140 -150 Mhz,
220 – 225 Mhz and 3.5 to 3.7 Mhz are primary radio channels in use.
The California National Guard Civil Support Team will have a Unified
Command Suite available to accommodate a telephone grade (14.4 Kbps)
satellite uplink for the morale, health and welfare WiFi segment (see Annex;
Exh. 2 & 3). The air side of the downlink will be routed to the U.S. Army
satellite ground earth station that will establish a Virtual Private Network
(VPN) with the State Emergency Operations Center at Mather, California,
operated by the Governor’s Office for Emergency Services (CalOES).
Site Survey
Physical Security: Entrance to the staging area is controlled by law
enforcement at the outer perimeter.
RF Sweep: RF sweep of the vacant area where coverage is needed
revealed:
Frequency         Signal strength
118 – 125 Mhz     -30 to -45 db
140 – 150 Mhz     -40 to -55 db
220 – 230 Mhz     -20 to -35 db
3.5 to 3.9 Mhz    -45 to -60 db
NOTE: 123.975 is Air Attack frequency (see Annex; Exh. 6)
No other wireless local area networks (LANs) were seen in the Institute of
Electronic and Electrical Engineers (IEEE) 802.11 spectrum. The airport
does not maintain Ground Approach Control (GCA) RADAR.
Electrical power: Steady 110 VAC will be provided at 60 AMPs to the ITRDC
mobile communications van (see Annex; Exh. 4). The communications van
has a self-contained 50 AMP generator back-up.
Vehicle congestion: The staging area (Annex; Exh. 5) will most likely
accommodate nearly 100 public safety vehicles. Many of the fire apparatus
vehicles extend 10 – 12 feet in height, are made of metal and have
communications equipment. BYOD WiFi should accommodate this
environment.
Planned System Requirements
Requirement                                            Higher Limit             Lower Limit
Simultaneous users                                     250                      50
Hourly throughput                                      10 Gbps                  100 Mbps
Text message length                                    10 Kbytes                100 bytes
Client fingerprinting                                  iPad, iPhone, Android    Laptop WiFi
Video / voice                                          Blocked                  Blocked
802.11 dual band with band steering (Annex, Exh. 8)    a/b/g/n                  N (2.4 Ghz)
System Plan
As time is of the essence, a brief market survey was conducted concerning
commercial off the shelf (COTS) exterior (outdoor) access points.
Drone Access Points (AP): There shall be one (1) core access point to
Internet connectivity at a centralized location near the communications
command van. The core of this AP will be the Meraki MR58 described below
operating at 802.11 n/g. Two (2) “drone repeater” APs (with no Internet
access at drone site (Annex, Exh. 9)) will receive 2.4 Ghz 802.11/g WiFi
(Channel 6 and Channel 11 respectively) signals and rebroadcast them
(cross-band) on 5 Ghz to the core AP (Meraki MR58). The drone APs will
rely on two (2) NETGEAR Wireless Router - N600 Dual Band Gigabit
(WNDR3700) (with two (2) spares as back-up). These routers will be configured
with the DD-WRT software to facilitate routing (DD-WRT, 2014) (Annex, Exh. 10).
Back Channel: It is anticipated that a through-put of 150 Mbps can be
achieved between the two (2) drone repeaters (converting 2.4 Ghz to 5 Ghz
for back channel relay) and the AP (Meraki MR58) that has connectivity to
the Internet core infrastructure.
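The link rates quoted so far can be checked against the planned user counts, message sizes and the ten-minute connection limit. The following is an added example, not part of the original plan; it assumes the uplink is shared equally, ignores protocol overhead, and takes 1 Kbyte as 1,024 bytes.

```python
# Link rates are the figures quoted in this plan. Ignoring protocol overhead
# is an assumption that makes the result optimistic.
PATH_BPS = {
    "BYOD client to drone repeater (2.4 Ghz, N600 maximum)": 130_000_000,
    "drone repeater to MR58 back channel (5 Ghz, anticipated)": 150_000_000,
    "MR58 to Mather EOC (telephone-grade satellite uplink)": 14_400,
}
SESSION_SECONDS = 10 * 60                             # ten-minute connection limit
USERS = {"lower": 50, "higher": 250}                  # planned simultaneous users
MESSAGE_BYTES = {"lower": 100, "higher": 10 * 1024}   # planned text message length


def bottleneck(path=PATH_BPS):
    """Return (hop name, bits per second) of the slowest hop on the path."""
    hop = min(path, key=path.get)
    return hop, path[hop]


def uplink_bytes_per_hour(path=PATH_BPS):
    """Bytes the slowest hop can carry in one hour when fully used."""
    _, bps = bottleneck(path)
    return bps * 3600 // 8


def bytes_per_session(users, path=PATH_BPS, seconds=SESSION_SECONDS):
    """Bytes one user can move in one session when `users` simultaneous
    users share the slowest hop equally."""
    _, bps = bottleneck(path)
    return bps * seconds // (8 * users)


def session_budget():
    """For each planned user count, the per-session byte budget and the
    number of whole messages of each planned size that fit into it."""
    table = {}
    for label, users in USERS.items():
        budget = bytes_per_session(users)
        table[label] = {
            "users": users,
            "bytes": budget,
            "messages": {m: budget // size for m, size in MESSAGE_BYTES.items()},
        }
    return table


if __name__ == "__main__":
    hop, bps = bottleneck()
    print(f"slowest hop: {hop} at {bps} bps")
    print(f"capacity per hour: {uplink_bytes_per_hour()} bytes")
    for label, row in session_budget().items():
        print(f"{label} limit, {row['users']} users: {row['bytes']} bytes per "
              f"session, whole messages {row['messages']}")
```

With 250 simultaneous users the per-session budget is smaller than one 10 Kbyte message, so the satellite uplink, not the WiFi segment, sets the practical message size and user count.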
Root Node AP: The Meraki MR58 (Annex, Exh. 7) has two paddle-shaped 5
Ghz antennas that can be paired to act as a collection point back-bone for two
remote access points (AP) operating at 2.4 Ghz (see figure below) (Cisco,
2009).
NOTE: There are three radios in the MR58. One (R3) always operates in a
2.4 Ghz (802.11 a/b/g/n) channel (pictured in blue circle). The other two
(R1 and R2) always operate in different 5 Ghz (802.11 n) channels (pictured
in green cones). (Cisco, 2010)
Restated, each individual N600 “drone” is operating as two APs (2.4 Ghz / 5
Ghz) to form a MAC repeater link. Thus, two drones create four APs (two
MAC repeater links). The two drones are “[d]ual radio devices that do an access
point on 2.4GHz and backhaul that traffic via 5.8GHz to a wired root node” (SNB
Forum, 2011).
The two “paddle” antennas (shown as green above) will create a cone RF
coverage area (5 Ghz) in line extending Southwest to Northeast.
As seen above the drone repeaters (2.4 Ghz conversion to 5 Ghz relay) are
within the directional green cone of radio frequency (RF) coverage.
Operational parameters of N600 (WNDR3700):
• Up to 130 Mbps at 2.4 Ghz and 300 Mbps at 5 Ghz
• Default I.P. address: http://192.168.1.1
• Default SSID: NETGEAR < change
• DHCP should be turned off (for drone repeaters)
NOTE: For the drone option the N600 routers should have “Access Point”
disabled; quoting NETGEAR:
“There is a new feature on new routers that lets you easily configure the
router as a wireless access point. Once a router becomes an AP or an access
point, it will lose all of its router functions such as port forwarding, DHCP
server and many more. It will act as a simple wireless gateway and its sole
purpose is to provide wireless connection.” (NETGEAR, 2013)
See “Enable Bridge Mode (use as MAC repeater)” (NETGEAR, 2012).
NOTE: “Important Trick: I temporarily plugged the new Netgear's yellow
"external network" directly into the FIOs ActionTec so the Netgear could
update its firmware the first time and get the initial setup wizard would stop
nagging me. The router expects to be hooked up in this way at least initially,
so you need to satisfy its setup” [emphasis added] (Hanselman, 2011)
In essence, a large area network relaying Open Systems Interconnect (OSI)
layer two (2) (Logical Data Link Layer (DLL)) has been created by the
foregoing network descriptions. This means that higher level functions
(Networking layer – Layer three (3)) will be the responsibility of the wired
root node (center of network, with wired Internet access).
NOTE: The IEEE P802.11 Task Group has been working on standards to
specify how such a “mesh” type of MAC repeater wireless network should
operate. But, standards are not yet available from the “mesh networking”
task group. (IEEE, 2014)
Security
Security. The drone repeaters configured with the Netgear N600 will be
limited to 128-bit Wired Equivalent Privacy (WEP) encryption due to
limitations in the DD-WRT router software. Due to the remoteness of the
staging area and the difficulty in “cracking” the WEP encryption, it was
deemed an appropriate risk to rely on WEP as opposed to more advanced
encryption. A complex password will be used in conjunction with the WEP
WiFi:
PASSWORD EXAMPLE: f1r3_$T@G1NG
To reduce the need for password resets, the password is based on a phrase
(“FIRE STAGING”) in which characters are replaced by alphanumeric
characters and symbols of similar shape.
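A pre-deployment check of the key material described above, as an added example that is not part of the original plan: it tests whether a password can be typed directly as a 128-bit WEP key, estimates how many frames pass before the 24-bit WEP IV is likely to repeat, and counts the spellings reachable from a known base phrase. The substitution table and the handling of the space character are assumptions made for the example.

```python
import math
import string

# Fixed by the WEP design: a 24-bit IV is prepended to the secret, so
# "128-bit" WEP carries a 104-bit (13-byte) secret and "64-bit" WEP a 40-bit one.
WEP_IV_BITS = 24
WEP_SECRET_BYTES = {64: 5, 128: 13}

# Look-alike substitutions of the kind used in the plan's example password.
# Assumption made for this example, not a standard table.
LOOKALIKES = {"a": "@4", "e": "3", "g": "9", "i": "1!", "o": "0", "s": "$5", "t": "7+"}
SPACE_OPTIONS = 4  # assumed: " ", "_", "-", or dropped


def classify_wep_key(text, wep_bits=128):
    """Say how `text` could be entered as a WEP key of the given size."""
    n = WEP_SECRET_BYTES[wep_bits]
    if len(text) == 2 * n and all(c in string.hexdigits for c in text):
        return "hex"
    if len(text) == n and text.isascii():
        return "ascii"
    # Any other length needs a passphrase-to-key generator, which 802.11
    # does not define, so every device on the link must use the same one.
    return "needs-derivation"


def iv_reuse_frames(probability=0.5, iv_bits=WEP_IV_BITS):
    """Frames sent under one key before two of them share an IV with the
    given probability, assuming randomly chosen IVs (birthday bound)."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


def substitution_variants(phrase):
    """Count spellings of `phrase` reachable by case changes and look-alike
    substitutions: the search space that remains once the phrase is known."""
    total = 1
    for ch in phrase:
        if ch.isalpha():
            # lower case, upper case, plus any look-alike characters
            total *= 2 + len(LOOKALIKES.get(ch.lower(), ""))
        elif ch == " ":
            total *= SPACE_OPTIONS
    return total


def audit(password, base_phrase, wep_bits=128):
    """Summarise the checks for one password and its base phrase."""
    variants = substitution_variants(base_phrase)
    return {
        "key_entry": classify_wep_key(password, wep_bits),
        "secret_bits": 8 * WEP_SECRET_BYTES[wep_bits],
        "phrase_variant_bits": round(math.log2(variants), 1),
        "frames_to_likely_iv_reuse": iv_reuse_frames(),
    }


if __name__ == "__main__":
    # Password and base phrase are the ones quoted in the plan.
    for item, value in audit("f1r3_$T@G1NG", "FIRE STAGING").items():
        print(f"{item}: {value}")
```

The example password is 12 characters long, so it cannot be typed as a 13-character ASCII key and would depend on a firmware key generator that both drone repeaters and every client must share.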
SSID Broadcast. Although some believe that an SSID broadcast is a security
risk (advertising the presence of a WiFi capability), this risk has been
mitigated due to the remoteness of the staging area. Therefore, SSID will
be turned on:
SSID: STAGING-MHW (Morale, Health & Welfare)
The drone router (N600) is shipped with a default username and password
(admin/password) which shall be changed prior to operation (ANNEX, Exh.
11).
Simultaneous Connections: Industry sources report that the N600 can
accommodate up to 600 simultaneous connections. Optimal for this
application is considered 50-75; however, if possible a 100 connection limit will
be configured (NetGear Forum, 2010). The 100 connection limit is not
considered mandatory.
Caveat: The link for the DD-WRT image that can be “flashed” to the N600
can be found in the Reference portion of this document (FLASH,
2014)(ANNEX, Exh. 12). The operational manual link is also in the
references (NETGEAR, 2010).
WiFi Router Positioning: The drone WiFi routers will be positioned atop a 25
foot fiberglass emergency public safety tower (ANNEX, Exh. 13).
Solar Panels and Battery Back-up: Considered and deemed not necessary.
There will be 120 VAC 30 AMP power provided to the location of the portable
tower.
Wired Root Node: The “wired root node” (Meraki MR58) will have firewall
operations based upon the pfSense application (see photo below) (pfSENSE,
2014).
pfSense will provide the following:
• Web filtering and blocking of certain downloads (streaming videos)
• Blocking countries and certain I.P. ranges
• Acting as DHCP server to assign addresses to end-points (BYOD)
Caveat: Civil Support Team communications van uplink will distribute data to
the State Emergency Operations Center at Mather, California. Therefore,
this will be considered a point-to-point link (staging area to EOC/Mather).
Emergency Support Function 18 Wireless Plan (802.11 capabilities)
Management
Responsibility matrix
Job Function: General Duties
COML: The Communications Unit Leader is the “buck stops here” point of
contact for the escalation of important matters. Oversees entire incident
communications and electronics.
COMT: Communications Technician is the chief technical advisor to the COML
on issues of telephones, fax machines, data gateways, etc.
Ass’t COMT: It is highly likely that the task leader for the establishment of
this function (described in this booklet) may be appointed as a deputy COMT
or Ass’t COMT. (Annex, Exh. 14)
Installer: Installer shall take direction from any of the above individuals to
locate appropriate resources and to install the physical components of this
system; to include wires, masts, computer stations, Ethernet cables, modems,
etc.
Network Engineer: Network Engineer shall configure the technical details of
the equipment described in this booklet. To include the DD-WRT WiFi enabled
modems, other ancillary 802.11 equipment, pfSense firewall, management
desktop workstation, etc.
SAFETY NOTE: The incident Safety Officer, or Assistant Safety Officer, can
terminate the operations of this system for any reason at their discretion.
Observations of unsafe behavior, unsafe practices, horseplay, sloppy cabling,
etc. can lead to complete termination of this capability. Individuals called
out by the safety officer can be asked to leave the incident site and have a
follow-up communication with their home unit concerning observable areas
of behavior.
All personnel supporting this installation must receive a safety briefing
concerning electrical hazards, trip hazards, night time operations, inclement
weather, etc. Guy wires shall have flagging tape placed on them. Electrical
cables shall be placed as to not form a trip hazard.
COMMUNICATIONS NOTE: Team communications shall take place on a non-
command channel radio frequency to be assigned by the COML.
Network – Documentation
Installation Plan
Major activities
Activity (Duration): Description
Preliminary site survey (2 hours): Identification of location of drone repeater
antenna masts. Prepare management laptop console physical placement (and
wired root access point).
Cabling (2 hours): Lay electrical cables, power cables, Internet cables
(remember safety).
Configuration (2 hours): Most equipment will be pre-configured per this
booklet. Change admin passwords and defaults, establish connectivity with
Mather EOC.
End-to-end comm testing (4 hours): Check ability to (a) obtain BYOD signal,
(b) draft email message, (c) connect with remote POP3 mail server, (d) transmit
email to self, (e) receive e-mail.
Testing
On-going testing will be executed during the planned operational period by
roving field personnel that will conduct Quality of Service (QoS) checks with
their individual BYODs.
Re-assessment
Following the deployment of this capability an After Action Review (AAR) and
Improvement Plan (IP) (AAR/IP) will be conducted. A “lessons learned”
collection document will catalogue feedback from end-point subscribers,
command staff, technical staff and other relevant third parties that have
input.
Update Plan
This plan has been developed for a one-time event. It can be reviewed and
updated for future events.
ANNEX
References:
(Cisco, 2009) https://meraki.cisco.com/blog/2009/09/the-myriad-uses-of-the-mr58-multi-radio-ruggedized-802-11n-access-point/
(Cisco, 2010) https://meraki.cisco.com/blog/tag/802-11n/
(DD-WRT, 2014) http://www.dd-wrt.com/site/index
(FLASH, 2014) ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2012/06-08-12-r19342/netgear-wndr3700v2/wndr3700v2-factory.img
(Hanselman, 2011) http://www.hanselman.com/blog/AddingANetgearN600WirelessDualBandGigabitRouterWNDR3700ToAnExistingFIOSWirelessAPForImprovedWirelessCoverage.aspx
(IEEE, 2014) http://grouper.ieee.org/groups/802/11/Reports/tgs_update.htm
Information Technology Disaster Resource Center http://www.itdrc.org/about.html
(NETGEAR, 2010) http://www.downloads.netgear.com/files/GDC/WNDR3700V1/WNDR3700_SM_04JUN2010.pdf
(NetGear Forum, 2010) http://forum1.netgear.com/showthread.php?t=46997
(NETGEAR, 2012) http://forum1.netgear.com/showthread.php?t=77468
(NETGEAR, 2013) http://kb.netgear.com/app/answers/detail/a_id/20927/~/how-to-manually-set-a-wireless-router-to-access-point-(ap)-mode
(pfSENSE, 2014) https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox
(SNB Forum, 2011) http://www.snbforums.com/threads/dual-band-repeaters.5465/
Unified Command Suite http://jacks.jpeocbd.army.mil/Public/FactSheetProvider.ashx?productId=322
Exhibit 1
Exhibit 2
Exhibit 3
Information Technology Disaster Resource Center (ITDRC) van
Exhibit 4
Exhibit 5
Staging area
Exhibit 6
Exhibit 7
REF: https://meraki.cisco.com/blog/tag/802-11n/
Exhibit 8
Exhibit 9
REF: http://www.tomshardware.com/forum/43940-43-install-netgear-n600-wireless-repeater
Exhibit 10
Exhibit 11
Exhibit 12
Exhibit 13
Exhibit 14
 Emergency Support Function 18 Wireless Plan (802.11 capabilities)

More Related Content

PDF
Thesis of-rajesh-gps
PPT
Ch11 Hacking Wireless Networks it-slideshares.blogspot.com
PDF
Low Power Wireless Sensor Network Technologies and Standards for the Internet...
PDF
SCALABILITY CONCERNS OF CHIRP SPREAD SPECTRUM FOR LPWAN APPLICATIONS
PDF
Wi play audio streaming over wi-fi
PPTX
Final report firewall reconciliation
PDF
Analytical Model on Secure Transmission for SIP-Video Call Setup for WiMax He...
PDF
Outdor Wireless
Thesis of-rajesh-gps
Ch11 Hacking Wireless Networks it-slideshares.blogspot.com
Low Power Wireless Sensor Network Technologies and Standards for the Internet...
SCALABILITY CONCERNS OF CHIRP SPREAD SPECTRUM FOR LPWAN APPLICATIONS
Wi play audio streaming over wi-fi
Final report firewall reconciliation
Analytical Model on Secure Transmission for SIP-Video Call Setup for WiMax He...
Outdor Wireless

What's hot (18)

PDF
Low Power Wireless Technologies and Standards for the Internet of Things
PDF
DeepALM: Holistic optical network monitoring based on machine learning
PDF
Enhancing Data Transmission and Protection in Wireless Sensor Node- A Review
PDF
ADVA launches new aPNT+™ platform to protect critical network infrastructure
PDF
Wrapped rsa cryptography check on window
PPT
4 wireless pan, lan and man
PDF
Mobile wireless-networks
PDF
PLNOG 7: Piotr Szolkowski - Ethernet Mobile Backhaul Solution
PDF
Getting the Most Out of Bluetooth 5
DOCX
Seminar report-gi-fi - copy
PDF
Cisco Industrial Wireless
PDF
IRJET- Implementation of Private GSM Network for Disaster Management and ...
PDF
Gigabit wi fi 802.11ac in depth onno harms
PPTX
6TiSCH @Telecom Bretagne 2015
PPT
GARUDA
DOCX
Gi fi seminar Report
PPTX
Wsn using smartphone
PDF
LoRaWAN and 3GPP technologies cover all Industrial IoT use cases
Low Power Wireless Technologies and Standards for the Internet of Things
DeepALM: Holistic optical network monitoring based on machine learning
Enhancing Data Transmission and Protection in Wireless Sensor Node- A Review
ADVA launches new aPNT+™ platform to protect critical network infrastructure
Wrapped rsa cryptography check on window
4 wireless pan, lan and man
Mobile wireless-networks
PLNOG 7: Piotr Szolkowski - Ethernet Mobile Backhaul Solution
Getting the Most Out of Bluetooth 5
Seminar report-gi-fi - copy
Cisco Industrial Wireless
IRJET- Implementation of Private GSM Network for Disaster Management and ...
Gigabit wi fi 802.11ac in depth onno harms
6TiSCH @Telecom Bretagne 2015
GARUDA
Gi fi seminar Report
Wsn using smartphone
LoRaWAN and 3GPP technologies cover all Industrial IoT use cases
Ad

Similar to Emergency Support Function 18 Wireless Plan (802.11 capabilities) (20)

PDF
cisco-air-cap3702i-d-k9-datasheet.pdf
PDF
cisco-air-cap3702i-c-k9-datasheet.pdf
PDF
cisco-air-cap3702i-i-k9-datasheet.pdf
PDF
cisco-air-cap3702i-n-k9-datasheet.pdf
PDF
cisco-air-cap3702i-r-k9-datasheet.pdf
PDF
cisco-air-cap3702i-h-k9-datasheet.pdf
PDF
cisco-air-cap3702e-d-k9-datasheet.pdf
PDF
cisco-air-cap3602e-c-k9-datasheet.pdf
PDF
cisco-air-cap3602e-i-k9-datasheet.pdf
PDF
cisco-air-cap3702i-e-k9-datasheet.pdf
PDF
cisco-air-cap3702e-e-k9-datasheet.pdf
PDF
Comparative study of various voip applications in 802.11 a wireless network s...
PDF
cisco-air-cap3702i-s-k9-datasheet.pdf
PPTX
Cdma Security
PDF
cisco-air-cap3702e-r-k9-datasheet.pdf
PDF
cisco-air-cap3702e-h-k9-datasheet.pdf
PDF
cisco-air-cap3702i-a-k9-datasheet.pdf
PDF
cisco-air-cap3702e-n-k9-datasheet.pdf
PDF
cisco-air-cap3702e-a-k9-datasheet.pdf
PDF
cisco-air-cap3702i-q-k9-datasheet.pdf
cisco-air-cap3702i-d-k9-datasheet.pdf
cisco-air-cap3702i-c-k9-datasheet.pdf
cisco-air-cap3702i-i-k9-datasheet.pdf
cisco-air-cap3702i-n-k9-datasheet.pdf
cisco-air-cap3702i-r-k9-datasheet.pdf
cisco-air-cap3702i-h-k9-datasheet.pdf
cisco-air-cap3702e-d-k9-datasheet.pdf
cisco-air-cap3602e-c-k9-datasheet.pdf
cisco-air-cap3602e-i-k9-datasheet.pdf
cisco-air-cap3702i-e-k9-datasheet.pdf
cisco-air-cap3702e-e-k9-datasheet.pdf
Comparative study of various voip applications in 802.11 a wireless network s...
cisco-air-cap3702i-s-k9-datasheet.pdf
Cdma Security
cisco-air-cap3702e-r-k9-datasheet.pdf
cisco-air-cap3702e-h-k9-datasheet.pdf
cisco-air-cap3702i-a-k9-datasheet.pdf
cisco-air-cap3702e-n-k9-datasheet.pdf
cisco-air-cap3702e-a-k9-datasheet.pdf
cisco-air-cap3702i-q-k9-datasheet.pdf
Ad

More from David Sweigert (20)

PDF
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
PDF
Law Enforcement Cyber Incident Reporting
PDF
Sample Network Analysis Report based on Wireshark Analysis
PDF
National Cyber Security Awareness Month poster
PDF
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
PDF
National Cyber Security Awareness Month - October 2017
PDF
California Attorney General Notification Penal Code 646.9
PDF
Congressional support of Ethical Hacking and Cyber Security
PDF
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
PDF
Application of Racketeering Law to Suppress CrowdStalking Threats
PDF
Canada Communications Security Establishment - Threat Vector Chart
DOCX
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
PDF
Cyber Incident Response Team NIMS Public Comment
PDF
Cyber Incident Response Team - NIMS - Public Comment
PDF
National Incident Management System (NIMS) NQS DRAFT
PDF
National Incident Management System - NQS Public Feedback
DOCX
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
PDF
National Preparedness Goals 2015 2nd edition
PDF
Healthcare Sector-wide Disaster Prepardness Plan
PDF
Cyber Risk Assessment for the Emergency Services Sector - DHS
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
Law Enforcement Cyber Incident Reporting
Sample Network Analysis Report based on Wireshark Analysis
National Cyber Security Awareness Month poster
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
National Cyber Security Awareness Month - October 2017
California Attorney General Notification Penal Code 646.9
Congressional support of Ethical Hacking and Cyber Security
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
Application of Racketeering Law to Suppress CrowdStalking Threats
Canada Communications Security Establishment - Threat Vector Chart
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team - NIMS - Public Comment
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System - NQS Public Feedback
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
National Preparedness Goals 2015 2nd edition
Healthcare Sector-wide Disaster Prepardness Plan
Cyber Risk Assessment for the Emergency Services Sector - DHS

Recently uploaded (20)

PPTX
SUKANYA SAMRIDDHI YOJANA RESEARCH REPORT AIMS OBJECTIVES ITS PROVISION AND IM...
PPTX
Workshop-Session-1-LGU-WFP-Formulation.pptx
PPTX
DFARS Part 252 - Clauses - Defense Regulations
PPTX
20231018_SRP Tanzania_IRC2023 FAO side event.pptx
PPTX
Part II LGU Accreditation of CSOs and Selection of Reps to LSBs ver2.pptx
PDF
CXPA Finland Webinar: Rated 5 Stars - Delivering Service That Customers Truly...
PPTX
Robotics_Presentation.pptxdhdrhdrrhdrhdrhdrrh
PPTX
Developing_An_Advocacy_Agenda_by_Kevin_Karuga.pptx
PDF
eVerify Overview and Detailed Instructions to Set up an account
PPTX
Core Humanitarian Standard Presentation by Abraham Lebeza
PPTX
Part I CSO Conference and AVP Overview.pptx
PPTX
DFARS Part 253 - Forms - Defense Contracting Regulations
PDF
2024-Need-Assessment-Report-March-2025.pdf
PPT
Republic Act 9729 Climate Change Adaptation
PDF
PPT Item # 10 -- Proposed 2025 Tax Rate
PDF
Abhay Bhutada Foundation’s ESG Compliant Initiatives
PDF
PPT Item # 9 - FY 2025-26 Proposed Budget.pdf
PPTX
LUNG CANCER PREDICTION MODELING USING ARTIFICIAL NEURAL NETWORK.pptx
PPT
The Central Civil Services (Leave Travel Concession) Rules, 1988, govern the ...
PPTX
The DFARS - Part 251 - Use of Government Sources By Contractors
SUKANYA SAMRIDDHI YOJANA RESEARCH REPORT AIMS OBJECTIVES ITS PROVISION AND IM...
Workshop-Session-1-LGU-WFP-Formulation.pptx
DFARS Part 252 - Clauses - Defense Regulations
20231018_SRP Tanzania_IRC2023 FAO side event.pptx
Part II LGU Accreditation of CSOs and Selection of Reps to LSBs ver2.pptx
CXPA Finland Webinar: Rated 5 Stars - Delivering Service That Customers Truly...
Robotics_Presentation.pptxdhdrhdrrhdrhdrhdrrh
Developing_An_Advocacy_Agenda_by_Kevin_Karuga.pptx
eVerify Overview and Detailed Instructions to Set up an account
Core Humanitarian Standard Presentation by Abraham Lebeza
Part I CSO Conference and AVP Overview.pptx
DFARS Part 253 - Forms - Defense Contracting Regulations
2024-Need-Assessment-Report-March-2025.pdf
Republic Act 9729 Climate Change Adaptation
PPT Item # 10 -- Proposed 2025 Tax Rate
Abhay Bhutada Foundation’s ESG Compliant Initiatives
PPT Item # 9 - FY 2025-26 Proposed Budget.pdf
LUNG CANCER PREDICTION MODELING USING ARTIFICIAL NEURAL NETWORK.pptx
The Central Civil Services (Leave Travel Concession) Rules, 1988, govern the ...
The DFARS - Part 251 - Use of Government Sources By Contractors

Emergency Support Function 18 Wireless Plan (802.11 capabilities)

  • 1. Wireless Mobility Guide for the support of The Apple Gate Fire Staging Area Author: Dave Sweigert, CISA, CISSP, EMT-B, HCISPP, PMP, SEC+ Wireless Security, CNT 67 2,525 words dsweigert@itrdc.net
  • 2. DISCLAIMERS This work is a copyright protected product and not an open source freeware work. Credit must be given to the author if any portion of this document is referenced by a third party. This document does not constitute an endorsement (implied and/or expressed) by the institutions and/or organizations described herein; Las Positas College and/or Information Technology Disaster Resource Center, etc. This work is part of a non-profit scholarly research and education project and all opinions expressed herein are those of the author (unless otherwise cited). No warranty or liability is provided with this document. Persons relying on the information contained herein do so at their own risk. All places, persons, scenarios described are fictional and provided for the sole purpose of scholarly research.
  • 3. ABBREVIATIONS USED IN THIS DOCUMENT 802.11 Wireless networking standard Access Point An entry point into a wireless LAN BYOD Bring Your Own Device CalFIRE California Department of Forestry & Fire Protection CalOES California Office of Emergency Services COML Communications Unit Leader CST Civil Support Team DHCP Dynamic Host Configuration Protocol EOC Emergency Operations Center Ghz Gigahertz Gbps Giga bits per second IEEE Institute of Electronic and Electrical Engineers IP Internet Protocol ITRDC Information Technology Disaster Resource Center LAN Local Area Network MAC Media Access Controller Mbps Mega bits per second Mhz Megahertz OSI Open Systems Interconnect (Reference Model) POP3 Post Office Protocol (version 3) PDA Personal Digital Assistant
  • 4. RF Radio Frequency SSID Service Set identification WEP Wired Equivalent Privacy
  • 5. INTRODUCTION: This paper serves two purposes: (1) to fulfill the requirements for the Las Positas College Wireless Security technology course (CNT 67) and (2) to leverage the subject matter into a document that may be used for discussion purposes by the Information Technology Disaster Resource Center (ITDRC) (who has no participated in the development of this document). This document will follow the best industry practices proposed by government response agencies and the technology sector for the timely, efficient, secure and robust deployment of temporary core Information Technology (I.T.) infrastructure to support a Type 3, multi-jurisdiction, multi-agency composite All Hazards Incident Management Team (AHIMT).
  • 6. Current State Assessment A 10,000 acre wildland fire (the Apple Gate Fire) has engulfed parts of Los Angeles County, Kern County, the Angeles National Forest, the cities of Palmdale, Lancaster and is threatening Wildwood, California. Dozens of fire apparatus are arriving hourly at a staging area located near the Agua Dulce executive airport (see Annex; Exh. 1). A preliminary base camp has been established at the airport that will need to accommodate 300 – 500 incident personnel overnight. Local resources have been exceeded and an emergency call has gone out to the Region IX ITRDC to provide supplemental wireless capability (WiFi) The present AHIMT Communications Unit Leader (COML) has informed ITRDC that they should have their capability operational within six (6) hours to accommodate shift changes occurring at approximately 1800 hours (6 pm) that evening. The COML has made the request under the newly created Emergency Support Function (ESF 18) – Cyber Security. Essential requirements:  Shall not interference with aviation services or communications  Shall provide morale, health and welfare text messages and e-mail  Shall not allow uploading of imagery, videos, graphics files, etc.  Shall provide connection limit of ten (10) minutes before disconnection  Shall accommodate e-mail (POP3) Bring Your Own Devices (BYOD)
  • 7. The area requiring wireless connectivity is seen in the figure below (see red perimeter marked “Staging”). An Incident Radio Communications Plan (Incident Command System (ICS) form 205) has been provided to the team. 116 – 125 Mhz, 140 -150 Mhz, 220 – 225 Mhz and 3.5 to 3.7 Mhz are primary radio channels in use.
  • 8. The California National Guard Civil Support Team will have a Unified Command Suite available to accommodate a telephone grade (14.4 Kbps) satellite uplink for the morale, health and welfare WiFi segment (see Annex; Exh. 2 & 3). The air side of the downlink will be routed to the U.S. Army satellite ground earth station that will establish a Virtual private Network (VPN) with the State Emergency Operations Center at Mather, California, operated by the Governor’s Office for Emergency Services (CalOES). Site Survey Physical Security: Entrance to the staging area is controlled by law enforcement at the outer perimeter. RF Sweep: RF sweep of the vacant area where coverage is needed revealed: Frequency Signal strength 118 – 125 Mhz -30 to -45 db 140 – 150 Mhz -40 to -55 db 220 – 230 Mhz -20 to – 35 db 3.5 to 3.9 Mhz - 45 to – 60 db NOTE: 123.975 is Air Attack frequency (see Annex; Exh. 6)
  • 9. No other wireless local area networks (LANs) were seen in the Institute of Electronic and Electrical Engineers (IEEE) 802.11 spectrum. The airport does not maintain Ground Approach Control (GCA) RADAR.

Electrical power: Steady 110 VAC will be provided at 60 AMPs to the ITRDC mobile communications van (see Annex; Exh. 4). The communications van has a self-contained 50 AMP generator back-up.

Vehicle congestion: The staging area (Annex; Exh. 5) will most likely accommodate nearly 100 public safety vehicles. Many of the fire apparatus vehicles extend 10 – 12 feet in height, are made of metal and have communications equipment. BYOD WiFi should accommodate this environment.

Planned System Requirements

Requirement | Higher Limit | Lower Limit
Simultaneous users | 250 | 50
Hourly throughput | 10 Gbps | 100 Mbps
Text message length | 10 Kbytes | 100 bytes
Client fingerprinting | iPad, iPhone, Android | Laptop WiFi
Video / voice | Blocked | Blocked
802.11 dual band with band steering (Annex, Exh. 8) | a/b/g/n | N (2.4 Ghz)
  • 10. System Plan

As time is of the essence, a brief market survey was conducted concerning commercial off the shelf (COTS) exterior (outdoor) access points.

Drone Access Points (AP): There shall be one (1) core access point to Internet connectivity at a centralized location near the communications command van. The core of this AP will be the Meraki MR58 described below operating at 802.11 n/g. Two (2) “drone repeater” APs (with no Internet access at drone site (Annex, Exh. 9)) will receive 2.4 Ghz 802.11/g WiFi (Channel 6 and Channel 11 respectively) signals and rebroadcast them (cross-band) on 5 Ghz to the core AP (Meraki MR58). The drone APs will rely on two (2) NETGEAR Wireless Router - N600 Dual Band Gigabit (WNDR3700) (with two (2) spares as back-up). These routers will be configured with the DD-WRT software to facilitate routing (DD-WRT, 2014) (Annex, Exh. 10).

Back Channel: It is anticipated that a through-put of 150 Mbps can be achieved between the two (2) drone repeaters (converting 2.4 Ghz to 5 Ghz for back channel relay) and the AP (Meraki MR58) that has connectivity to the Internet core infrastructure.

Root Node AP: The Meraki MR58 (Annex, Exh. 7) has two paddle-shaped 5 Ghz antennas that can be paired to act as a collection point back-bone for two remote access points (AP) operating at 2.4 Ghz (see figure below) (Cisco, 2009).
  • 11. NOTE: There are three radios in the MR58. One (R3) always operates in a 2.4 Ghz (802.11 a/b/g/n) channel (pictured in blue circle). The other two (R1 and R2) always operate in different 5 Ghz (802.11 n) channels (pictured in green cones). (Cisco, 2010)

Restated, each individual N600 “drone” is operating as two APs (2.4 Ghz / 5 Ghz) to form a MAC repeater link. Thus, two drones create four APs (two MAC repeater links). The two “D[d]ual radio devices that do an access point
  • 12. on 2.4GHz and backhaul that traffic via 5.8GHz to a wired root node” (SNB Forum, 2011).

The two “paddle” antennas (shown as green above) will create a cone RF coverage area (5 Ghz) in line extending Southwest to Northeast. As seen above the drone repeaters (2.4 Ghz conversion to 5 Ghz relay) are within the directional green cone of radio frequency (RF) coverage.

Operational parameters of N600 (WNDR3700):
- Up to 130 Mbps at 2.4 Ghz and 300 Mbps at 5 Ghz
- Default I.P. address: http://192.168.1.1
- Default SSID: NETGEAR <-- change
- DHCP should be turned off (for drone repeaters)

NOTE: For the drone option the N600 routers should have “Access Point” disabled; quoting NETGEAR:

“There is a new feature on new routers that lets you easily configure the router as a wireless access point. Once a router becomes an AP or an access point, it will lose all of its router functions such as port forwarding, DHCP server and many more. It will act as a simple wireless gateway and its sole purpose is to provide wireless connection.” (NETGEAR, 2013)

See “Enable Bridge Mode (use as MAC repeater)” (NETGEAR, 2012).
  • 13. NOTE: “Important Trick: I temporarily plugged the new Netgear's yellow "external network" directly into the FIOs ActionTec so the Netgear could update its firmware the first time and get the initial setup wizard would stop nagging me. The router expects to be hooked up in this way at least initially, so you need to satisfy its setup” [emphasis added] (Hanselman, 2011)

In essence, a large area network relaying Open Systems Interconnect (OSI) layer two (2) (Logical Data Link Layer (DLL)) has been created by the foregoing network descriptions. This means that higher level functions (Networking layer – Layer three (3)) will be the responsibility of the wired root node (center of network, with wired Internet access).

NOTE: The IEEE P802.11 Task Group has been working on standards to specify how such a “mesh” type of MAC repeater wireless network should operate. But, standards are not yet available from the “mesh networking” task group. (IEEE, 2014)

Security

Security. The drone repeaters configured with the Netgear N600 will be limited to 128-bit Wired Equivalent Privacy (WEP) encryption due to limitations in the DD-WRT router software. Due to the remoteness of the staging area and the difficulty in “cracking” the WEP encryption, it was deemed an appropriate risk to rely on WEP as opposed to more advanced
  • 14. encryption. A complex password will be used in conjunction with the WEP WiFi:

PASSWORD EXAMPLE: f1r3_$T@G1NG

To reduce the need for password resets, a phrase is relied upon “FIRE STAGING” with substitution characters for similar alphanumeric shape patterns.

SSID Broadcast. Although some believe that an SSID broadcast is a security risk (advertising the presence of a WiFi capability), this risk has been mitigated due to the remoteness of the staging area. Therefore, SSID will be turned on:

SSID: STAGING-MHW (Morale, Health & Welfare)

The drone router (N600) is shipped with a default username and password (admin/password) which shall be changed prior to operation (ANNEX, Exh. 11).

Simultaneous Connections: Industry sources report that the N600 can accommodate up to 600 simultaneous connections. Optimal for this application is considered to be 50-75; however, if possible a 100 connection limit will be configured (NetGear Forum, 2010). The 100 connection limit is not considered mandatory.
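A pre-deployment check of the drone repeater settings this plan lists (changed SSID, changed admin login, DHCP off, connection limit, 128-bit WEP key), as an added example that is not part of the original document or of the NETGEAR or DD-WRT software. The configuration field names and the sample configurations are hypothetical and constructed; the key is treated as raw key material, which is how the check shows that the 12-character example password above is one character short of a 13-character 128-bit ASCII key.

```python
import string

# Factory defaults and limits as stated in this plan for the N600 drones.
FACTORY_SSID = "NETGEAR"
FACTORY_LOGIN = ("admin", "password")
PREFERRED_MAX_CLIENTS = 100

# Raw WEP key sizes: "128-bit" WEP is a 104-bit secret (13 bytes) plus a 24-bit IV.
ASCII_FORMS = {5: "64-bit", 13: "128-bit"}
HEX_FORMS = {10: "64-bit", 26: "128-bit"}


def wep_key_strength(key):
    """Return '64-bit', '128-bit', or None if the string is not a valid raw WEP key."""
    if len(key) in HEX_FORMS and all(c in string.hexdigits for c in key):
        return HEX_FORMS[len(key)]
    return ASCII_FORMS.get(len(key))


def audit_drone(cfg):
    """Return findings for one drone repeater; cfg keys are hypothetical names."""
    findings = []
    if cfg["ssid"] == FACTORY_SSID:
        findings.append("SSID still factory default")
    if (cfg["admin_user"], cfg["admin_pass"]) == FACTORY_LOGIN:
        findings.append("admin login still factory default")
    if cfg["dhcp_server"]:
        findings.append("DHCP server on; only the root node should assign addresses")
    if cfg["max_clients"] > PREFERRED_MAX_CLIENTS:
        findings.append("client limit above the preferred 100")
    if wep_key_strength(cfg["wep_key"]) != "128-bit":
        findings.append(
            f"WEP key has {len(cfg['wep_key'])} characters; "
            "a raw 128-bit key is 13 ASCII characters or 26 hex digits"
        )
    return findings


# Constructed sample configs (not from a real device).
UNBOXED = {"ssid": "NETGEAR", "admin_user": "admin", "admin_pass": "password",
           "dhcp_server": True, "max_clients": 600, "wep_key": "f1r3_$T@G1NG"}
PLANNED = {"ssid": "STAGING-MHW", "admin_user": "admin", "admin_pass": "constructed-Admin-pw",
           "dhcp_server": False, "max_clients": 100, "wep_key": "f1r3_$T@G1NG!"}

if __name__ == "__main__":
    for name, cfg in (("unboxed", UNBOXED), ("planned", PLANNED)):
        print(name, audit_drone(cfg) or "OK")
```

If the router derives the key from a passphrase instead of accepting it as raw key material, run the check on the generated hex key. The audit confirms that the plan's chosen settings are applied consistently; WEP itself was deprecated by the IEEE in 2004.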
  • 15. Caveat: The link for the DD-WRT image that can be “flashed” to the N600 can be found in the Reference portion of this document (FLASH, 2014) (ANNEX, Exh. 12). The operational manual link is also in the references (NETGEAR, 2010).

WiFi Router Positioning: The drone WiFi routers will be positioned atop a 25 foot fiberglass emergency public safety tower (ANNEX, Exh. 13).

Solar Panels and Battery Back-up: Considered and deemed not necessary. There will be 120 VAC 30 AMP power provided to the location of the portable tower.

Wired Root Node: The “wired root node” (Meraki MR58) will have firewall operations based upon the pfSense application (see photo below) (pfSENSE, 2014). pfSense will provide the following:
- Web filtering and blocking of certain downloads (streaming videos)
- Blocking countries and certain I.P. ranges
- Act as DHCP server to assign addresses to end-points (BYOD)

Caveat: Civil Support Team communications van uplink will distribute data to the State Emergency Operations Center at Mather, California. Therefore, this will be considered a point-to-point link (staging area to EOC/Mather).
  • 17. Management

Responsibility matrix

Job Function | General Duties
COML | The Communications Unit Leader is the “buck stops here” point of contact for the escalation of important matters. Oversees entire incident communications and electronics.
COMT | Communications Technician is the chief technical advisor to the COML on issues of telephones, fax machines, data gateways, etc.
Ass’t COMT | It is highly likely that the task leader for the establishment of this function (described in this booklet) may be appointed as a deputy COMT or Ass’t COMT. (Annex, Exh. 14)
Installer | Installer shall take direction from any of the above individuals to locate appropriate resources and to install the physical components of this system; to include wires, masts, computer stations, Ethernet cables, modems, etc.
Network Engineer | Network Engineer shall configure the technical details of the equipment described in this booklet. To include the DD-WRT WiFi enabled modems, other ancillary 802.11 equipment, pfSense firewall, management desktop workstation, etc.

SAFETY NOTE: The incident Safety Officer, or Assistant Safety Officer, can terminate the operations of this system for any reason at their discretion. Observations of unsafe behavior, unsafe practices, horseplay, sloppy cabling, etc. can lead to complete termination of this capability. Individuals called out by the safety officer can be asked to leave the incident site and have a
  • 18. follow-up communication with their home unit concerning observable areas of behavior. All personnel supporting this installation must receive a safety briefing concerning electrical hazards, trip hazards, night time operations, inclement weather, etc. Guy wires shall have flagging tape placed on them. Electrical cables shall be placed as to not form a trip hazard.

COMMUNICATIONS NOTE: Team communications shall take place on a non-command channel radio frequency to be assigned by the COML.

Network – Documentation

Installation Plan

Major activities

Activity | Description | Duration
Preliminary site survey | Identification of location of drone repeater antenna masts. Prepare management laptop console physical placement (and wired root access point) | 2 hours
Cabling | Lay electrical cables, power cables, Internet cables (remember safety) | 2 hours
Configuration | Most equipment will be pre-configured per this booklet. Change admin passwords and defaults, establish connectivity with Mather EOC | 2 hours
End-to-end comm testing | Check ability to (a) obtain BYOD signal, (b) draft email message, (c) connect with remote POP3 mail server, (d) transmit email to self, (e) receive e-mail | 4 hours
  • 19. Testing

On-going testing will be executed during the planned operational period by roving field personnel that will conduct Quality of Service (QoS) checks with their individual BYODs.

Re-assessment

Following the deployment of this capability an After Action Review (AAR) and Improvement Plan (IP) (AAR/IP) will be conducted. A “lessons learned” collection document will catalogue feedback from end-point subscribers, command staff, technical staff and other relevant third parties that have input.

Update Plan

This plan has been developed for a one-time event. It can be reviewed and updated for future events.
  • 20. ANNEX
  • 21. References:

(Cisco, 2009) https://meraki.cisco.com/blog/2009/09/the-myriad-uses-of-the-mr58-multi-radio-ruggedized-802-11n-access-point/
(Cisco, 2010) https://meraki.cisco.com/blog/tag/802-11n/
(DD-WRT, 2014) http://www.dd-wrt.com/site/index
(FLASH, 2014) ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2012/06-08-12-r19342/netgear-wndr3700v2/wndr3700v2-factory.img
(Hanselman, 2011) http://www.hanselman.com/blog/AddingANetgearN600WirelessDualBandGigabitRouterWNDR3700ToAnExistingFIOSWirelessAPForImprovedWirelessCoverage.aspx
(IEEE, 2014) http://grouper.ieee.org/groups/802/11/Reports/tgs_update.htm
Information Technology Disaster Resource Center http://www.itdrc.org/about.html
(NETGEAR, 2010) http://www.downloads.netgear.com/files/GDC/WNDR3700V1/WNDR3700_SM_04JUN2010.pdf
  • 22. (NetGear Forum, 2010) http://forum1.netgear.com/showthread.php?t=46997
(NETGEAR, 2012) http://forum1.netgear.com/showthread.php?t=77468
(NETGEAR, 2013) http://kb.netgear.com/app/answers/detail/a_id/20927/~/how-to-manually-set-a-wireless-router-to-access-point-(ap)-mode
(pfSENSE, 2014) https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox
(SNB Forum, 2011) http://www.snbforums.com/threads/dual-band-repeaters.5465/
Unified Command Suite http://jacks.jpeocbd.army.mil/Public/FactSheetProvider.ashx?productId=322
  • 25. Exhibit 3: Information Technology Disaster Resource Center (ITDRC) van
Exhibit 4