The first step in every security assessment and hardening process is always to conduct an environmental survey specifically tailored towards promoting a comprehensive scenario specific awareness and understanding of the prevailing functional operating climate/environment.

One all too often overlooked aspect here is physical security. One should never forget that all security starts with the physical and only then progresses to the logical if appropriate. Without further ado here are the issues and potential solutions that merit consideration with regards to all wireless networking environments and implementation scenarios.

Fixing and Camouflage

So make sure that all of your Wireless Access Points (WAPs) are physically secured. Tie downs and camouflage are great ways to do this. Both camouflaged and secreted devices (located in suspended ceilings etc) have the added security benefit of being hidden from general view.

The old adage “out of sight out of mind” immediately springs to mind. What cannot be seen is often out of mind and therefore less likely to go walk-about. WAPs can be secreted in suspended ceilings, wiring closets or fixtures such as ornaments and planter pots. This makes for an all round far more aesthetically pleasing approach.

Signal Degradation

With respect to wireless networking physical security also entails taking such factors as environmental interference from other wireless devices and cell phones etc., electromagnetic interference (EMI) from other electronic and electrical devices such as TVs, radios and public address systems, signal attenuation, degradation and for the network's wired components such as those connecting your WAPs and wireless bridges/routers to your wired network (LAN) noise and cross-talk need to be taken into consideration.

Functional Reliability

Do not overlook the need for equipment reliability and robustness along with adequate emergency situation operating functionality. It is imperative that in the event of an emergency or catastrophe that your wireless network remains fully functional unless circumstances dictate otherwise. Communication is usually the most valuable resource in times of doubt and uncertainty. Just ask the military.

Naming, Labeling and Documentation

An appropriate secure customized naming convention complete with a fully complementary secure labeling system is a must. This is generally of higher importance for a business wireless networking environment where there may be considerable numbers of roaming network member devices than is usually the case for the home wireless network.

On top of this, wireless network physical security requires the appropriate planning to ensure ready location and identification of network devices in the event of malfunctions, failures or hacking (successful or not) especially when physical access of the equipment in question becomes necessary. Of course this will include the proper documentation detailing all physical aspects of the wireless network including device location and identification markers.

Wireless Traffic Control

Another crucial principal element of physical security for all wireless networks that rates special mention here is that of traffic control. Just as one regulates the physical ebb and flow of people on any given site through orchestrated control of transport facilities and mechanisms, the same holds true for the regulation of traffic flow and control for wireless networks.

Consider this to be very much akin to a perimeter-based site/facility security strategy that deploys multiple layers of defenses for physical site access. In networking applications firewalls can do an admirable job of regulating authenticated access; very much as a fence and guard-house does for facility perimeter security. So install one and ensure that it is correctly configured.

Physical Traffic Control Mechanisms

With regards to physical traffic control for wireless networks the majority of options will be partially implemented in hardware and partially logically. The exact mix will be situation specific. Planning and due care with device placement, the selection of transmission frequency bands and power ratings will all have a role to play.

Consider that some frequencies have better physical penetration attributes than others, while more powerful signals (higher wattage) will be propagated further and will also penetrate fixtures better. There have been documented instances of wireless network signals being detectable and of service level quality at up to 125 miles from the transmission source (the official world record distance as recorded by http://www.wifi-shootout.com).

For these reasons in a high security zone one might need to deploy more specialized WAPs set to a lower transmission power rating than usual in combination with unidirectional antennae rather than omnidirectional antennae. The additional costs of these types of units are readily justifiable in terms of the additional security levels attained.

From a fiscal standpoint it is worthy of note that this small additional cost is a onetime up front encumbrance and the financial department will love the fact that these devises are far more sturdy, reliable and in general have a longer expected mean operating life thereby reducing running costs and failure induced troubleshooting and replacement rates.

Logical Traffic Control Mechanisms

Having implemented perimeter-based access verification and validation security initiatives we may well need to implement additional logical controls and network subdivisions such as Demilitarized Zones (DMZs). DMZs for instance allow for additional network traffic control, regulation, isolation and compartmentalization.

Limiting wireless devices to specific areas/zones of a network also delivers additional benefits such as greater economy and efficiency of bandwidth usage patterns and superior levels of granular administrative capabilities and ease of use.

Wireless-Free Zones

There are also many instances where wireless networking devices along with mobile communications or entertainment devices functionality are undesirable or unwelcome. The most sensitive of these areas will be related to sensitive electronic equipment such as that found in hospital trauma, intensive care, surgical units, coronary care units and life support systems. Areas where flammable materials are handled, stored or used also qualify as wireless-free zones.

In these cases and others like them we need to monitor to ensure that within a specific perimeter wireless devices are not functional and that signal leakage from wireless enabled sectors does not leak in. Perimeter threshold detection is generally considered to be the most effective solution here.

By this I mean that metaphorically speaking a line is drawn beyond which none of the above devices will pass while still turned on. Hospitals generally paint a red line on the floor, walls and ceiling to clearly mark this threshold.

Collateral Damage

When designing and planning a wireless network remember to incorporate provisions that address physical security from the health perspective by ensuring that no possible harm, collateral damage or interference can be caused by the network, its devices and its signals. Cables for example, should be secured and out of harm's way as should WAPs.

We don't, for instance want a WAP falling onto somebody from a humane perspective as well as from a litigation avoidance perspective. Nor do we want our wireless network to cause the cardiac pacemaker of a passer-by to malfunction. Here is a case where clear, readily noticeable and unambiguous notifications (signage) are our main preventative and compliance option. I guess this is more or less a disclaimer approach really.

Not only do we need to protect and guard humans from harm caused directly or indirectly by our wireless network and its components but we need to protect our wireless network from physical harm caused by humans and/or the environment as well. It is up to us to provide for our networks physical well-being as it cannot do this for itself.

Regulatory Compliance

Regulatory compliance issues also need to be addressed at all levels and all stages of a wireless network's life cycle. Local and regional standards and regulations need to be researched and fully compliant measures implemented. Policies also need to be developed, made appropriately available to those concerned and of course implemented.

Pass-Through Point Security

Just as a physical site's physical access controls may see the implementation and installation of fences and stationing of security guards at primary access points the same can often be done with wireless networks. For example there may be the opportunity to implement search mechanisms such as the pass-through points seen at airports etc. This is one way of ensuring that unknown devices do not enter within the coverage area of your wireless network.

Unfortunately, for most businesses it is often impractical to implement this type of measure as the cost and negative customer reactions may preclude it as being overly draconian. Larger chain retailers do however, employ pass-through scanning devices but they are more attuned to the detection of theft of merchandise rather than the prevention of unauthorized wireless access.

Note however, that for areas not publicly accessible and/or where sensitive materials are stored pass-through inspection security is a viable option. Espionage is a reality that must be addressed. If not the stealing of properties then the sabotage aspect may be of appropriate weight to implement pass-through surveillance mechanisms.

Much damage has been done in the past by persons posing as service or utility personal that many facilities, especially an organization's research and development and marketing divisions as well as their datacenter have seen fit to implement the pass-through security approach.

Wireless Network Presence Detection

Although a wireless network uses an invisible to the human eye medium with the right tools it becomes very observable. Tools such as Kismet for example, have very little difficulty in detecting the presence of a wireless network. Furthermore, there is very little you can do to prevent this type of detection. After all, wireless signals are transmitted over the public domain. Fortunately however, there is a lot you can do to prevent exploitation of a wireless network after detection.

The implementation of full conversation encryption including that of authentication mechanisms and connection establishment is, as far as most would-be intruders/hackers are concerned, just too much hard work considering that there are untold numbers of easier targets to be had.

Quality of Service (QoS) Geographical Access Parameters

One should always consider geographical access and connectivity requirements and parameters in conjunction with the desired timely delivery of Quality of Service (QoS) metrics. The wireless network's ideal is to provide adequate connectivity and accessibility throughout the entire area of intended coverage (no drop-out zones) and with a specified level of Quality of Service (QoS) for said area but no more.

The Quality of Service (QoS) factor may be defined by either meeting or failing to meet specific performance metrics such as transfer rates or strength of encryption.

The geographical network confinement parameters are generally characterized and measured by the degree of signal leakage beyond a specified intended perimeter of coverage. The distance, signal strength, signal quality and degree of availability both within and beyond the designated network perimeter are the parameters that define and delineate that point at which signal leakage becomes unacceptable.

Network Monitoring and Site Surveys

In monitoring the attributes of a wireless network, tools such as Airsnort, WireShark (formerly Ethereal), NetStumbler and Kismet are your friends. Use them to conduct regular site surveys to assess signal leakage. If need be take the appropriate remedial measures to ensure compliance at all times and locations.

Some organizations even go to the extent of using signal jamming technologies to ensure that any leakage is rendered useless and piggy-backing cannot take place.

Line of Sight

Line of sight requirements need to be assessed carefully from the perspectives of both the current scenario and extrapolated into making predictions of the most likely conditions that will be prevalent at various predefined times in the future. Trees for example have a habit of growing.

So where a clear line of sight exists today the possibility that this will not be so in the future must be evaluated. In the case of trees one solution might entail lopping every other year in order to preserve said clear line of sight. No matter the terms or conditions, the establishment and implementation of a documented schedule or regime that addresses these types of issues needs to be set forth.

Conclusions

Wind, vibration, the environment in general and other factors including human interference of one form or another will all conspire to throw the most carefully designed and implemented wireless network out of alignment. Persistent cognizant vigilance must be your motto and creed.

Messiah offers real-time playback speed, which is a blessing to any animator. Without having to waste time on previews, animators can work quickly and efficiently to produce a higher quality of work in a shorter time.

Messiah supplies a no-nonsense user interface that is easy to navigate and customize, allowing the user to feel more comfortable within the 3D environment. A pleasant surprise is how many settings the user is allowed to change to suit their personal workflow.

Messiah 3.0 does not have it's own modeling tools, but allows you to import a model from a variety of 3D modeling programs, including Lightwave 5.x or 6.x objects (.lwo), Wavefront objects (.obj), 3DS (.3ds), BioVision Mocap Data (.bvh), DXF objects (.dxf), Messiah Motion (.fxm), Messiah Scene (.fxs), Motion Analysis Hierarchical Translation Rotation (.htr).

Once the model is imported the user can create an animation rig. You point and click to create the bone, and Messiah uses its own initiative and skins the bone for you. Creating an armature for a character can often be a frustrating, time-consuming affair, but with Messiah, the process is easy. Copying an armature from one character to another is easy, and requires only a small amount of time to adjust the rig to fit the new character.

Animating with a fully rigged character in Messiah is as easy as spreading butter on bread. Nothing holds you back and you can truly lose yourself in the joy of breathing life and personality into the character. Changing between the timeline and the dope sheet is a simple click away, and for someone like me who uses a pose to pose method to create the initial animation, easy access to the dope sheet is a must.

Editing and deleting keys is a quick, easy process, and Messiah offers a variety of on-screen tools and sliders that are great for facial deformations and phonemes.

The compose tab allows the user to create clips for the character, which are easy to insert anywhere on the timeline. This is especially useful and time-saving for adding walk sequences into a shot.

To render, one must bake out the character motion and then load the character in the software that they wish to render in. The Messiah plug-in then deforms the vertices of the character frame-by-frame. This process is a bit frustrating at first, but again, Messiah does all the hard work, which allows you to concentrate on other aspects of the production.

On the whole, PMG's Messiah 3.0 is a powerful piece of software, focusing specifically on the needs of character animators and rigging artists. It is affordable, straight-forward and offers plenty of long awaited animation tools. PMG's innovations with this software have caused a lot of excitement in the animation industry and I look forward to enjoying future upgrades of this software.

Bandwidth hogs and bandwidth thieves are two different animals. Firstly, let us deal with the bandwidth hog. The bandwidth hog is a legitimate user of a service; free or paid, that consumes a disproportionate amount of the available bandwidth to the detriment of other legitimate users.

The important criteria are that the bandwidth hog is a legitimate user and that they consume a disproportionate amount of the bandwidth that is available as a shared and finite resource for a given set of users.

The result is that other users cannot pursue their normal or expected activities without bearing encumbrance as a direct result of the activities and habits of the bandwidth hog. This can manifest itself in customers complaining about not being able to “get through”. It is not hard to see how this activity can adversely affect a company's profits.

Web sites have long had issues with this type of user when bulk “site-scavenging” is involved. Downloading an entire site consumes server side resources intended for other purposes. Many websites will automatically disconnect users who do this. Website owners claim it is effectively a Denial of Service (DoS) attack especially when a number or users are concurrently doing it.

Bandwidth theft on the other hand is the illegitimate or unauthorised use of bandwidth. The bandwidth thief connects to networks and uses their bandwidth for whatever purpose they desire without due consent or other permissions.

This is an illegal activity and the law does provide for punitive measures. For example, the perpetrator is liable to prosecution for theft, damages and even for malicious endeavor. The later instance is a form of Denial of Service attack (DoS).

Simply by consuming quantities of bandwidth resources to which you are not entitled resulting in legitimate users being unable to perform their normal activities is certainly denying them a service or in this case access to resources they are fully entitled and expect to be available on call.

Quality of Service (QoS)

The quality of service that one has come to expect is of great qualitative effect in the defined assessment of those services. A file that normally only takes a minute or two to download now takes “forever” is a major issue that rapidly results in calls to the help desk. The biggest problem of all fro support staff is when the caller is the GM.

Paying attention and doing something about what ever the GM is complaining is good for your long-term employment prospects. The GM's perception of quality of service is something that needs readdressing immediately. Having a plan that you can put into action instantaneously is a big plus for your employment prospects.

Always be prepared. “Yes I will check that out now.” This is what the GM likes to hear. Better still is “we are already on it”. Here at least you are indicating that you have already considered the GM. Anticipation of what the GM wants is the very reason that you are already on it. This is more “brownie points” for you and your team.

If you are “looping” at this point, you had better get your plan up and running immediately. GMs have a habit of calling back to check on progress with any issue that directly affect them.

The plan we will discuss shortly.

Research Indications

Well let us have a quick look at the findings of some prominent researchers in this area. Here you will be able to use the same data that the “big boys” i.e. the big Telco and ISPs have at their disposal.

According to data recently published by Internet Traffic Management Company Ellacoya a very small segment of Internet users, generate almost half of all Internet traffic.

During the period from August to December of 2006 Ellacoya monitored and analyzed the data from about two million users across a number of different networks. The findings were rather surprising.

• About 43.5% of the entire Internet traffic originated from just 5% of all users
• In contrast, over 40% of the users monitored contributed only 3.8% of the total traffic
• The remaining 55% of users generated the other 50% of traffic
• Of the “heavy usage” group 41.9% are using a Voice over Internet Protocol (VoIP)
• Internet Gaming - 81% to 95% of users in all categories partook in some form of Internet Gaming which made it the most widely adopted of all bandwidth consumption technologies

Cable Modems

Cable service provider Time Warner has just announced that it will soon be releasing the details of a new pricing structure. They have already said that the bandwidth hog will be paying more.

The exact details of Time Warner's new pricing structure are not yet available. Although is thought to be a system where users are allocated a monthly “quota”. Beyond this limit, they will have to start paying more.

The reasons behind this decision lie in part with the simple fact that bandwidth hogs cost cable companies money. It is simply a matter of economics and the implementation structure of the cable modem systems.

Cable Modem Infrastructure and Implementation

Most cable networks use a shared structure in which a number of homes and businesses share a common transmission media (access pipe). This is very similar to the infrastructure implementation that exists in Ethernet Local Area Networks (LAN).

The “pipe” has a finite amount of bandwidth for distribution among those sharing each common pipe. For example:

• If the pipe can manage 10MB/sec and there are 10 users sharing it
• In theory, at least each user should be able to access the media with a minimum of 1MB/sec being available to each user
• Whenever one user is using the “shared” transmission media to transfer large numbers of and/or large files the bandwidth needed can be “borrowed” from the unused bandwidth quota of other users
• If the bandwidth hog continues to consume these resources over an extended period of time all other authorised users will have less than their allocated bandwidth available for their use

Segmentation

In order to provide better Quality of Service (QoS) providers will subdivide that portion of their network. The result is considerable improvements in network performance. This is one of many benefits delivered by way of network segment subdivision.

Fewer users per segment equates to a greater share of the available transmission media's bandwidth.

On the downside however is the fact that in order to implement this additional network segment subdivision the cable service provider will need to install new equipment. This will translate to the length of time it takes before the installation commences.

Excessive Bandwidth Usage

Above “normal” network bandwidth, usage is deliberate or malicious. Hence, excessive bandwidth consumption does not always point to a bandwidth hog or Denial of Service (DoS) attack.

It is important to check the situation out thoroughly before pulling the plug. One additional point that I should introduce here is that bandwidth hogging is relative rather than absolute.

Email is yet another area of vulnerability used to execute a Denial of service (DoS) attack merely by sending a large number of large files.

File Size

Sending large files (30+ MB) via email is a sure-fire way of severely retarding any finely tuned network. Limiting the size and the amount of data users are able to send at one time is a tactic used by many companies to stop this type of bandwidth hogging.

Any system not designed to handle these large file transfers is easy to take down using these tactics. Email accounts do not support large files. Websites are easily to adversely affect them and many other network resources to boot.

Motives

Yet another motive for bandwidth hogging is not to interfere with other users but to make maximum use of the bandwidth for your own purposes legitimate or otherwise. The prospect of getting something free works for every topic on the Internet.

Combating Bandwidth Hogs

There are many tools at our disposal for me to detail them here. I will be addressing a number of counter measure tools, utilities, tactics and strategies in future issues. Here are a few:

• PacketShaper is a device built by Packeteer that is very useful in bandwidth consumption management

Simply install PacketShaper between your firewall and the remainder of your network.

You then configure a traffic class that prevents the bandwidth hog from doing so. You may want to go with the built-in default traffic class.

Packeteer provides technical support for this product.

• Quality of Service (QoS) - Many infrastructure devices include a Quality of Service (QoS) feature. The capability of these devices will vary from one unit to another as well as from one manufacturer to another.
• Network Traffic Shaping
• Packet Sniffers - Wireshark, Ethereal, Kismet
• Multi-Purpose Tools - Nessus, SolarWinds, Snort, Airsnort
• Bandwidth Usage Monitoring, Logging and Reporting
• Resource, User and Quota Allocation Management
• Slow Down or Terminating Features
• Monitoring, Listing, Auditing, Accounting and Logging Features
• Interface - Command Line and Graphical User Input (GUI)
• Router Management Software - Many ADSL Routers such as the D-Link 504 range come with a configurable router management interface

Here is where you can adjust the router's functionality. This includes a QoS feature that is easy to configure via a GUI. This feature focuses upon throttling back the bandwidth hogs such that they do not interfere with other users.

• Internet Service Provider (ISP) - It pays to ask your ISP for directions. They will no doubt have already encountered that majority of issues that you may face.

Bandwidth Hogging and Scam Baiting

One positive use of bandwidth hogging currently employed by scam baiters, who use the technique to shut down fake websites that are used for fraudulent activity, so that people being targeted by scammers cannot see the site.

Bandwidth Hogs Today

In most home and/or educational institution instances the primary role of a shared Internet connection is to surf the web, small file download, gaming and research. Downloading music and movies is also right up there.

Consider the following scenario: One user in particular persistantly downloads large quantities of large file sizes (music and movies). In this instance it is quite common and easy to associate this individual with their bandwidth hogging activities.

Install a packet sniffer and monitor your network. Now have a look at the traffic that you have just captured. It is quite easy now to check user identifiers by IP Address, MAC Address, device name etc. By the way most packet sniffers include filters that will assist you in monitoring and detecting bandwidth hogs.

It is not uncommon to find that some individuals are consuming in excess of 100 times that of the “ordinary” user. Once the perpetrator has been identified there are a number of steps that you can take to reduce the impact of the bandwidth hog.