
B2B Wireless Broadband Provider - enabling Business AI · 2019-03-06


www.airfibre.ie

Security Note

Introduction - Mesh network configuration versus direct connectivity to ISP Core

Wireless Internet Service Providers (WISPs) have installed meshed wireless networks to facilitate connectivity by introducing more points of presence. Whilst meshed networks offer alternate paths for communications and improve resilience in the face of individual radio failure, there is an issue that individual customers’ data is being exposed to other customers that are part of the mesh.

High site points of presence (PoP) are an essential component of a WISP’s Wide Area Network and require a substantial investment in acquisition (rental, Health & Safety Compliance, Insurances, Legal fees, etc.). Meshed networks afford ISPs an opportunity to use an end user customer’s premises (unknown to the customer) as a PoP site; so in contrast to receiving revenue for occupancy, customers are actually paying the ISP and giving free of charge access to their rooftops.

This likely presents a General Data Protection Regulation (GDPR) threat to the host site and subscribers within the meshed network.

The scope for fines for GDPR breaches is up to €20 million or 4% of turnover.

Whether you knowingly or inadvertently participate in a meshed network you may be in breach of GDPR.

Identifying whether or not you are at risk

There are myriad meshed wireless network solutions. This note focuses upon WAN solutions from Ubiquiti and Cambium Networks as these systems are known to be prevalent in Irish WISP networks. Other radio solutions may well present the same risks when deployed in meshed networks.

To the author’s knowledge, there is nothing illegal or improper about the solutions manufactured by Ubiquiti or Cambium Networks. The question that is posed in this report is the appropriateness of these systems in meshed implementations in a public ISP context and the associated potential exposure in light of contemporary data protection legislation.

Meshed wireless networks are useful but must be implemented safely as discussed later in this report.

The intention here is to warn against inappropriate use of the meshed technologies by WISPs and the knock-on risks to customers of those networks.

This paper explains how meshed networks are designed and operated and provides photographic illustration of what the rogue high-sites look like.


Meshed network configuration

Figure 1 illustrates the concept whereby each radio in the network has the ability to select from two or more paths through the WAN en route to the ISP’s core network. The radios self-select the most efficient route from time to time, thereby improving resilience and arguably optimising available bandwidth utilisation by balancing traffic across multiple links.

Note that traffic from the same data stream can pass through different routes (with different latencies) through the network and that this is likely to result in packets being delivered to the remote end of the connection in a different sequence to that received.

Whilst this presents a negligible problem for generic data transmission (error correcting protocols will re-establish the correct order), it is destructive to VOIP traffic (a latency sensitive application) that does not support error correction: packets delivered out of sequence are assembled out of sequence and therefore result in unintelligible and poor quality audio reproduction.

This paper focuses on security, where the lack of an integral LAN switch in the radios being deployed by some WISPs means that traffic traversing the mesh is visible to third parties within the mesh.

Figure 2 demonstrates that without a switch all traffic passing through the radio will be passed to the Ethernet port that is presented to the customer. Any encryption and password protection operate only on the wireless physical layer between the two radios; the data is decrypted before it is presented at the radio’s Ethernet port, where third parties receive it as ordinary network input.

Unless data is subject to AES end-to-end encryption there is an exposure, but end-to-end encryption is impractical: businesses primarily use the Internet to exchange data with third parties that will not be party to a common AES encryption implementation. Email, for example, is sent in plain text (along with Personal Information) so that it can be received and read by the recipient.

Figure 1: meshed network in which each radio has two or more paths to the ISP Core (figure not reproduced; label: ISP Core)

Figure 2: radio without an integral switch passing all traffic to the customer’s Ethernet port (figure not reproduced; label: ISP Core)


Even if the WISP were to add a separate switch or router (CPE) that had the ability to forward only appropriate data, the CPE is easily bypassed and third party data read or hacked. Regardless of what you do, access to the radio’s Ethernet port presents a security breach whereby you have access to someone else’s data or someone else can see your data.

A Firewall (Figure 3), whilst guarding the LAN from potential malicious breach, cannot prevent the mesh from being tapped: it merely requires the Firewall to be bypassed or a tap to be placed between the Firewall and the ISP radio termination.

Customers should question whether their organisation’s Internet service operates through a mesh, for if it does there may be no means of guaranteeing that data is not visible to another party within the mesh. Even if your radio is at a tail end with a single radio path to the ISP’s WAN, you still need to know if you are joining a mesh, as your data will be visible along the path.

Technical testing to see if you can see third party data may in itself be a GDPR breach as questions may be raised with regards to you becoming a Data Processor with the associated GDPR responsibilities.

Direct connectivity of Customers to ISP Network Core (recommended)

Some WISPs employ military grade radio equipment to deliver Internet Leased Line circuits. These radios typically cost 5 to 7 times the equivalent prices charged for Ubiquiti and Cambium equivalents.

There are many reasons for this price premium, including processing power (to accommodate latency sensitive applications) and interference mitigation properties.

Research for this paper was triggered by a third party report of a meshed network connection where it was possible to see third party IP addresses. This shows that direct connectivity has a further benefit in protecting customers’ data, in contrast to low cost mesh radio designs that introduce third party exposure.

Airfibre’s radio networks are delivered in a Point to Multi-Point topology with each element having an integral switch that only transmits data to a customer that is intended for that customer. As illustrated in Figure 4, each customer’s data stream is separated.

A further advantage of Airfibre’s approach is the presentation of the service to individual customers using a Cisco router and a RIPE registered public IP address.

Figure 3: firewall guarding the LAN between the customer and the ISP radio termination (figure not reproduced; label: ISP Core)

Figure 4: Airfibre Point to Multi-Point topology with an integral switch separating each customer’s data stream (figure not reproduced; label: Airfibre Core)


Thus, only data that is intended for a specific customer will cross that individual radio path. Any attempt to bypass the router and connect to the radio’s Ethernet port will be pointless, as removal of the router eliminates User data from traversing the link. Attempting to hack into third party data by tapping the line between the router and the radio is equally pointless, as you will only see data that is legitimately intended for you.
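The forwarding difference at the heart of this note, a radio with no integral switch (Figure 2) against one that forwards through an integral switch (Figure 4), modelled as an added example. This is a constructed illustration, not code from Airfibre or from any radio vendor; the port names, MAC addresses and sample frames are invented, and the switch is modelled as a standard learning switch.

```python
"""Constructed model of what reaches each customer's Ethernet port when a
radio repeats every frame (no switch) versus forwards via a learning switch."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC
    payload: str  # constructed, illustrative content


# Constructed port layout: one uplink towards the ISP core, two customers.
UPLINK_MAC = "02:00:00:00:00:01"
PORT_MAC = {"cust_a": "02:00:00:00:00:0a", "cust_b": "02:00:00:00:00:0b"}
PORTS = ["uplink", *PORT_MAC]

# Constructed sample traffic as (ingress port, frame); A's e-mail is plain text.
TRAFFIC = [
    ("cust_a", Frame(PORT_MAC["cust_a"], UPLINK_MAC, "A: MAIL FROM:<a@example.test>")),
    ("uplink", Frame(UPLINK_MAC, PORT_MAC["cust_a"], "A: 250 OK")),
    ("cust_b", Frame(PORT_MAC["cust_b"], UPLINK_MAC, "B: GET /payroll HTTP/1.1")),
    ("uplink", Frame(UPLINK_MAC, PORT_MAC["cust_b"], "B: HTTP/1.1 200 OK")),
]


def hub_forward(traffic):
    """No integral switch: every frame is repeated to every other port, so
    each customer's Ethernet port carries the other customers' traffic."""
    seen = defaultdict(list)
    for ingress, frame in traffic:
        for port in PORTS:
            if port != ingress:
                seen[port].append(frame)
    return dict(seen)


def switch_forward(traffic):
    """Integral learning switch: source MACs are learned per port and a known
    destination is forwarded to its own port only. A destination not yet
    learned is flooded, the one moment a neighbour can still see the frame."""
    mac_table, seen = {}, defaultdict(list)
    for ingress, frame in traffic:
        mac_table[frame.src] = ingress
        egress = mac_table.get(frame.dst)
        for port in [egress] if egress else [p for p in PORTS if p != ingress]:
            seen[port].append(frame)
    return dict(seen)


def third_party_frames(delivered, port):
    """Frames at a customer port neither sent by nor addressed to that customer."""
    own = PORT_MAC[port]
    return [f for f in delivered.get(port, []) if own not in (f.src, f.dst)]
```

With the hub model both customers see every frame of the other's session, while the switch leaks only the single frame flooded before the uplink MAC was learned: the separation depends on the switch's forwarding table being populated, not merely on a switch being present.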

What does it look like?

Here we examine four examples of what physical installations look like.

The first is the simplest and most common, whereby two low cost radios have been installed at a customer site – almost certainly in the guise of offering diverse backup connectivity.

In the second, both radios could be operating within the mesh; however with both facing in the same direction it is likely that one is providing backhaul connectivity to the core and the second is operating as a base station for multiple additional unsuspecting customers.

The third comprises two radios: the first is a microwave providing backhaul and the second is a base station servicing multiple customers or participating within a mesh.

The fourth is very cheeky!

The arrow points to a backhaul microwave radio that is servicing the building’s occupier and any number of additional unwitting customers (the Landlord too is almost certainly blind to what is going on in respect to security breaches).

The radio mounted to the left of the stack is providing connectivity for any number of subscribers and the radio to the right is delivering point-to-point connectivity for a next-door neighbour.

In all cases the supplementary radios are employed to provide coverage for customers that would otherwise be blind to the operator’s network.

Setting aside the security exposure, the going rate for installing radios of this nature is upwards of €750 per annum.

Can meshed networks be secure?

Yes they can and where they are built securely they can improve resilience and realise reduced costs for the WISP, savings that can be passed on to customers.

The key to safe implementation is that the radios deployed must have an integral switch. This is a key attribute of the higher quality radio solutions.

Summary

Meshed networks are not in themselves bad. Where you are the Data Processor for the whole mesh you can do much to maintain GDPR compliance by not allowing unknown third party access to your infrastructure. In the same way as you would not allow unauthorised access to your LAN switches in order to install a tap, you have to protect your mesh infrastructure.

If you are operating in a shared mesh infrastructure that is not under your control you would be wise to question the security of the data on this network in light of best practice, data security and GDPR compliance.