
Chapter 5-7

- The first common principle of cellular networks is the use of lower power transmitters housed in base stations that have narrower coverage areas instead of a single, powerful transmitter with wide coverage.
- Coverage areas are divided into cells, each served by its own antenna (transmitter). Cells are arranged in a hexagonal pattern to maximize coverage with fewer base stations.
- Frequency reuse allows the same radio frequencies to be used on base stations separated by sufficient distance to minimize interference. This principle allows for more efficient use of the limited number of allocated frequencies.

Uploaded by

Temesgen

Chapter 5: Cellular Networks

5.1. Principles of Cellular Networks


A cellular network is a radio network distributed over land through cells where each cell includes a fixed location
transceiver known as a base station. These cells together provide radio coverage over larger geographical areas.
The user equipment (UE), such as mobile phones, is therefore able to communicate even if the equipment is
moving through cells during transmission. Cellular networks give subscribers advanced features over alternative
solutions, including increased capacity, small battery power usage, a larger geographical coverage area and
reduced interference from other signals. Popular cellular technologies include the Global System for Mobile
Communication (GSM), general packet radio service (GPRS) and code division multiple access (CDMA).

Radio fundamentals for cellular networks: Cellular networks enable devices such as smartphones and Internet
of things (IoT) devices to communicate wirelessly. Cellular technologies have advanced from first-generation
(1G) analog technologies to advanced high-performance fourth-generation (4G) and fifth-generation (5G)
systems in just about four decades.

Throughout the development of each wireless generation, these cellular networks have shared a number of
common core attributes. Many of the protocol-based communications exchanges between the device and the base
station follow a similar philosophy of identifying a potential cell, registering and authenticating with the core
network and support for mobility through handover signaling. These principles are highly likely to be
incorporated into 6G systems, whatever that standard turns out to be in the future. Certainly, the implementation
of these underlying principles will vary from one standard to another and sometimes even within revisions of a
given standard.

The Basics

Though the exact network architecture differs from one generation to another, a typical cellular network consists
of a radio access network (RAN), a core network (CN) and a services network. The RAN contains base stations
(BS) that communicate with the wireless devices using radio frequency (RF) signals; the RAN is thus the interface
between the base stations and the devices. The RAN allocates radio resources to the devices to make wireless
communications a reality. The CN performs functions such as user authentication, service authorization, security
activation, IP address allocation and setup of suitable links to facilitate the transfer of user traffic such as voice
and video. The services network includes operator-specific servers and IP multimedia subsystem (IMS) to offer
a variety of services to the wireless subscriber, including voice calls, text messages (SMS) and video calls.

Transmitters

• The first common principle of cellular networks is the use of much lower power (100 W or less), smaller
transmitters with narrower coverage areas instead of a single, powerful transmitter with a wider coverage
area. These transmitters are housed on base stations, better known as cellular towers. Base stations also
house receivers and additional control units.
Cells
• Coverage areas are divided into cells, each served by its own antenna (transmitter). A frequency band is
allocated to the transmitter/receiver depending on the network carrier. Cells are arranged so that antennas
in a coverage area are in a hexagonal pattern. This is because it requires fewer cells to represent a hexagon
compared to a triangle or square – meaning network carriers can cover a wider area with fewer base
stations. Another advantage of a hexagonal cellular system is that frequency reuse is possible using this
shape.

Frequency Reuse
• The second common core design principle of cellular networks is frequency reuse. Frequency reuse is the
process of using the same radio frequencies on base stations and other radio transmitter sites within a
geographic area. These sites are separated by a sufficient distance to cause minimal interference with each
other. By using geographically small, low-power cells, frequencies can be reused by non-adjacent cells.
The reason for frequency reuse is the limited number of frequencies allocated to carriers by the regulatory
bodies.

Cell Splitting
• Cell splitting is the process of subdividing a congested cell into smaller cells such that each smaller cell
has its own base station. These smaller cells feature antennas with reduced height and transmitter power.
The two smaller cells increase the capacity of a cellular network since the number of times channels are
reused increases. In a popular cellular network configuration, one base station controls three geographic
regions called sectors (or cells), where each sector covers 120° region. Three sectors together provide 3
× 120° = 360° coverage around the base station.

Cellular Handover
• As a mobile device moves around in a given area, it crosses cell boundaries. Handover is a process where
the dedicated radio connection between the device and the radio access network is switched from one cell
to another. Cellular handover ensures that the device has a dedicated radio connection with the best
possible communications link. In addition, handover may be used to balance the load among serving base
stations and among carrier frequencies available in a cell or sector.
• The handover takes place when the system perceives the current cell's signal strength to be weaker
than that of a cell the user is approaching. Different cellular generation architectures use different terminology
for the device which detects the signal strength and provides the handoff capability. Cell handover is
under the central control of a mobile telephone switching office (MTSO), which is also known as a mobile
switching office (MSO) or the mobile switching center (MSC). When the call is handed off to the second
cell, the user should not be aware of the handoff and hear nothing.

5.2. First Generation (1G) Cellular and Paging Networks


• 1G refers to the first generation of wireless telephone technology, mobile telecommunications. These are
the analog telecommunications standards that were introduced in the 1980s and continued until being
replaced by 2G digital telecommunications. The main difference between two succeeding mobile
telephone systems, 1G and 2G, is that the radio signals that 1G networks use are analog, while 2G
networks are digital. Although both systems use digital signaling to connect the radio towers (which listen
to the handsets) to the rest of the telephone system, the voice itself during a call is encoded to digital
signals in 2G whereas 1G is only modulated to a higher frequency, typically 150 MHz and up.

• Mobile radio telephones were used for military communications in the early 20th century. Car-based
telephones were first introduced in the mid-1940s. In fact, the first car-based telephone system was tested
in Saint Louis in 1946. This system used a single large transmitter on top of a tall building. A single
channel was used for sending and receiving. To talk, the user pushed a button that enabled transmission
and disabled reception. Due to this, these became known as “push-to-talk” systems in the 1950s. Although
these systems are quite old, taxis and police cars use this technology. To allow users to talk and listen at
the same time, IMTS (Improved Mobile Telephone System) was introduced in the 1960s. It used two
channels (one for sending, one for receiving – thus there was no need for push-to-talk). IMTS used 23
channels from 150 MHz to 450 MHz.
• First-generation cellular networks were introduced in the 1980s. This started with the Advanced Mobile
Phone Service (AMPS) which was invented at Bell Labs and first installed in 1982. AMPS has also been
used in England (called TACS) and Japan (called MCS-L1). The key idea of 1G cellular networks is that
the geographical area is divided into cells (typically 10-25km), each served by a “base station.” Cells are
small so that frequency reuse can be exploited in nearby (but not adjacent) cells. This allows many more
users to be supported in a given area. For example, as compared to IMTS, AMPS can support 5 to 10
times more users in the same 100-mile area by dividing the area into 20 smaller cells that reuse the same
frequency ranges. In addition, smaller cells also require less powerful and cheaper, smaller devices to
transmit and receive information.

• Actually, the first-generation wireless mobile communication system is not digital technology, but an
analog cellular telephone system that was used for voice service only during the early 1980s. This
Advanced Mobile Phone System (AMPS) was a frequency-modulated analog mobile radio system using
Frequency Division Multiple Access (FDMA) with 30kHz channels occupying the 824MHz − 894MHz
frequency band. It was the first commercial cellular system and was deployed until the early 1990s.

• The first commercially automated cellular network (the 1G generation) was launched in Japan by NTT
(Nippon Telegraph and Telephone) in 1979, initially in the metropolitan area of Tokyo. Within five years,
the NTT network had been expanded to cover the whole population of Japan and became the first
nationwide 1G network.

• In 1981, this was followed by the simultaneous launch of the Nordic Mobile Telephone (NMT) system in
Denmark, Finland, Norway and Sweden. NMT was the first mobile phone network featuring international
roaming. The first 1G network launched in the USA was Chicago based Ameritech in 1983 using the
Motorola DynaTAC mobile phone. Several countries then followed in the early-to-mid 1980s including
the UK, Mexico and Canada.

• 1G cellular networks are based primarily on analog communications. In North America, two 25 MHz
bands are allocated to AMPS – one for transmission from base to mobile unit and one for transmission
from mobile unit to base. Each phone has a 32-bit serial number and 10-digit phone number in its PROM
(Programmable Read-only Memory). When a phone is turned on, it scans for control signals from base
stations. It sends this information to the BS with the strongest control signal and the BS passes this
information to MTS (Master Switching Station) as a packet. The subscriber initiates a call by keying in a
phone number and pressing the send key. The MTS verifies the number and authorizes the user. MTS
issues a message to the user’s cell phone indicating send and receive traffic channels. MTS sends a ringing
signal to the called party. Party answers; MTS establishes the circuit and initiates billing information.
Either party hangs up; MTS releases the circuit, frees the channels, and completes billing.

5.2.1 Security issues with 1G:


Analog cellular phones are insecure. Anyone with an all-band radio receiver can listen in to the
conversation. Many scandals have been reported in this area. There are also thefts of airtime. Basically, a thief
uses an all-band radio receiver that is connected to a computer. This computer can record the 32-bit serial numbers
and phone numbers of subscribers when calling (recall that this information is sent as a packet). The thieves can
collect a large database by driving around and can then go into business by reprogramming stolen phones and
reselling them.
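An operator-side check for the cloning described above, as an added example that is not part of the original chapter: it flags a serial-number/phone-number pair that registers in two cells too far apart for the elapsed time, and a phone number that appears with a second serial number. The site coordinates, speed ceiling, log records and function names are constructed assumptions.

```python
import math
from typing import NamedTuple

class Registration(NamedTuple):
    t: float    # seconds since the start of the log
    esn: str    # 32-bit serial number, written as hex
    min_: str   # 10-digit phone number
    cell: str   # cell site that received the registration packet

# Constructed site coordinates in km on a flat grid (not real sites).
CELL_SITES = {"A": (0.0, 0.0), "B": (12.0, 5.0), "C": (180.0, 40.0)}
CELL_RADIUS_KM = 25.0   # upper end of the 10-25 km cell size the chapter gives
MAX_SPEED_KMH = 150.0   # assumed ceiling for a legitimate subscriber's travel

def min_distance_km(cell_a, cell_b):
    """Shortest possible distance between two phones heard in these cells."""
    (xa, ya), (xb, yb) = CELL_SITES[cell_a], CELL_SITES[cell_b]
    # A phone may sit anywhere inside its cell, so allow one radius at each end.
    return max(0.0, math.hypot(xa - xb, ya - yb) - 2 * CELL_RADIUS_KM)

def find_clone_suspects(events):
    """Return (rule, phone_number, cell, time) alerts in time order."""
    last_seen = {}     # (esn, min) -> most recent registration
    esn_for_min = {}   # phone number -> first serial number seen with it
    alerts = []
    for ev in sorted(events, key=lambda e: e.t):
        # Rule 1: one phone number presented with two different serial numbers.
        if esn_for_min.setdefault(ev.min_, ev.esn) != ev.esn:
            alerts.append(("esn_mismatch", ev.min_, ev.cell, ev.t))
        # Rule 2: the same identity in two places faster than anyone can travel.
        prev = last_seen.get((ev.esn, ev.min_))
        if prev is not None and prev.cell != ev.cell:
            dist = min_distance_km(prev.cell, ev.cell)
            hours = (ev.t - prev.t) / 3600.0
            if dist > 0 and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                alerts.append(("impossible_travel", ev.min_, ev.cell, ev.t))
        last_seen[(ev.esn, ev.min_)] = ev
    return alerts

# Constructed registration log.
SAMPLE_LOG = [
    Registration(0,    "8A01F3C2", "3145550101", "A"),
    Registration(100,  "1B22D4E5", "3145550102", "A"),
    Registration(600,  "8A01F3C2", "3145550101", "B"),  # neighbouring cell: normal
    Registration(900,  "8A01F3C2", "3145550101", "C"),  # over 120 km away, 5 min later
    Registration(1200, "8A01F3C2", "3145550101", "B"),  # original handset again
    Registration(7300, "1B22D4E5", "3145550102", "C"),  # two hours later: plausible drive
    Registration(8000, "FFFF0000", "3145550102", "C"),  # same number, other serial
]

if __name__ == "__main__":
    for alert in find_clone_suspects(SAMPLE_LOG):
        print(alert)
```

Because a cloned phone presents exactly the same serial number and phone number as the original, the network can only tell them apart by behaviour such as this, not by the identifiers themselves.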

5.2.2 Paging Networks:


Paging networks are one of the oldest wireless technologies. They support one-way and two-way
alphanumeric messages between callers and pagers (beepers). The callers typically call a beeper company and
leave a phone number and possibly a short message. Paging networks are being integrated with PDAs (personal
digital assistants) like Palm Pilots. An example of paging networks is the BellSouth Clamshell Pager with
keyboard.
5.2.3 Characteristics of Paging Networks:
➢ Common applications are personal numeric messaging for call-back, alphanumeric messaging
(dispatching and service), and two-way messaging (call dispatching with confirmation).
➢ Capacity and speed include 1200 bps for older and 6400 bps for newer systems. The paging networks are
slower but have different design criteria for delivering the message within specific time periods.
➢ Frequency bands used include 800 MHz for older paging networks and 901-941 MHz, with gaps, for
newer networks.
➢ Components of a paging network are a personal paging device, a paging computer/server at the paging
operator’s site, and a paging transmitter. These networks may also use satellites for national coverage.
➢ Coverage is 95% of the US, thanks to many local, regional and national paging network providers.
➢ Communications protocols supported include FLEX and ReFLEX developed by Motorola for two-way
paging.
➢ Security is low and has not been considered a high priority.
The advantages of paging networks are:
➢ Very inexpensive
➢ Easy to operate for sender (from any telephone) and receiver
➢ Many options for users (numeric, alphanumeric, two-way, message storage)
➢ Wide coverage at local, regional, national, and international levels
➢ Good building penetration
The limitations of paging networks are as follows:
➢ Slow data transfer rate (1200 bps)
➢ No acknowledgment (two-way paging costs extra)
➢ Some of the available paging networks are overloaded, causing delays.

5.3. Second Generation (2G) Cellular Networks


Second Generation (2G) cellular networks, introduced in the late 1980s, are based on digital transmission.
Digital transmissions offer several benefits over analog. Different approaches to 2G have been developed in the
US and Europe. In the US, divergence happened because only one player (AMPS) existed in 1G. Because of this,
several players emerged to compete in 2G. Although many players emerged, the following two have survived in
the US:
➢ IS-54 and IS-135: backward-compatible with AMPS frequency allocation (dual mode–analog and digital)
➢ IS-95: uses spread spectrum

In Europe, exactly the reverse happened – there was a convergence because there were many (more than
5) incompatible 1G systems with no clear winner. This caused a major problem for the users (you could not use
your telephones while traveling from England to France). European PTT (Post, Telephone and Telegraphic)
sponsored the development of the now very popular GSM that uses new frequency ranges and complete digital
communication.

2G is short for second-generation wireless telephone technology. Second generation 2G cellular telecom
networks were commercially launched on the GSM standard in Finland by Radiolinja (now part of Elisa Oyj) in
1991. Three primary benefits of 2G networks over their predecessors were that phone conversations were
digitally encrypted; 2G systems were significantly more efficient on the spectrum allowing for far greater mobile
phone penetration levels; and 2G introduced data services for mobile, starting with SMS text messages.

After 2G was launched, the previous mobile telephone systems were retrospectively dubbed 1G. While
radio signals on 1G networks are analog, radio signals on 2G networks are digital. Both systems use digital
signaling to connect the radio towers (which listen to the handsets) to the rest of the telephone system. 2G has
been superseded by newer technologies such as 2.5G, 2.75G, 3G and 4G; however, 2G networks are still used in
many parts of the world.
The primary differences between first and second-generation cellular networks are:
➢ Digital traffic channels: first-generation systems are almost purely analog; second-generation systems are
digital.
➢ Encryption: all second-generation systems provide encryption to prevent eavesdropping.
➢ Error detection and correction: second-generation digital traffic allows for detection and correction, giving
clear voice reception.
➢ Channel access: second-generation systems allow channels to be dynamically shared by a number of
users.
5.3.1 Advantages and Disadvantages of 2G
Advantages:
➢ The lower power emissions helped address health concerns.
➢ Going all-digital allowed for the introduction of digital data services, such as SMS and email.
➢ Greatly reduced fraud: With analog systems, it was possible to have two or more "cloned" handsets
that had the same phone number.
➢ Enhanced privacy: A key digital advantage not often mentioned is that digital cellular calls are much
harder to eavesdrop on by the use of radio scanners. While the security algorithms used have proved not
to be as secure as initially advertised, 2G phones are immensely more private than 1G phones, which have
no protection against eavesdropping.
Disadvantages:
➢ In less populous areas, the weaker digital signal may not be sufficient to reach a cell tower. This tends to
be a particular problem on 2G systems deployed on higher frequencies, but is mostly not a problem on
2G systems deployed on lower frequencies. National regulations differ greatly among countries which
dictate where 2G can be deployed.
➢ Analog has a smooth decay curve, digital a jagged steppy one. This can be both an advantage and a
disadvantage. Under good conditions, digital will sound better. Under slightly worse conditions, analog
will experience static, while digital has occasional dropouts. As conditions worsen, though, digital will
start to completely fail, by dropping calls or being unintelligible, while analog slowly gets worse,
generally holding a call longer and allowing at least a few words to get through.
➢ While digital calls tend to be free of static and background noise, the lossy compression used by the
codecs takes a toll; the range of sound that they convey is reduced. You will hear less of the tonality of
someone's voice talking on a digital cell phone, but you will hear it more clearly.

5.3.2 GSM (Global System for Mobile Communications)–The Popular 2G System:


Although there are many competing technologies in the 2G cellular network landscape, GSM by far
dominates the world today, with over 200 million users in over a hundred countries. GSM is very popular in
Europe and is now gaining popularity in the US also. These networks operate at 9.6 Kbps and are based on
international standards defined by the European Telecommunications Standards Institute (ETSI). Due to the
popularity of GSM, let us look at GSM somewhat closely.
GSM is completely designed from scratch (there is no backward compatibility with 1G systems such as
AMPS). It can deliver data rate up to 9.6 Kbps by using 124 channels per cell; each channel can support 8 users
through TDMA (maximum 992 users per cell, in practice about 500). Some GSM channels are used for control
signals for mobile units to locate the nearest base stations.
In addition to voice, GSM phones provide data services for wireless users; i.e., you connect your GSM
phone to your PC and it acts as a modem for email, fax, Internet browsing, etc. GSM also permits roaming
between North American countries and European countries. To make it work, because of the frequency
differences, you have to remove the user-specific SIM card from inside the American network’s phone and place
it into a European network’s phone, or vice-versa.
GSM’s air interface is based on narrowband TDMA technology, where available frequency bands are
divided into time slots, with each user having access to one time slot at regular intervals. Narrowband TDMA
allows eight simultaneous communications on a single radio multiplexer and is designed to support 16 half-rate
channels.
5.3.3 2G CDMA:
GSM uses TDMA, but who uses CDMA in 2G? While some systems have appeared, IS-95 is the best-
known example of 2G with CDMA. Recall that in the case of CDMA, each user is assigned a unique code that
differentiates one user from others. This is in contrast to TDMA where each user is assigned a time slot. Why use
CDMA for cellular? Although the debate between CDMA versus TDMA has been raging for a while (see Section
8.5.5), there are several advantages of CDMA for cellular networks. The main advantage of CDMA is that many
more users (up to 10 times more) can be supported as compared to TDMA. Although this leads to some
complications, the advantage of supporting more users far outweighs the disadvantage of added complexity.
The IS-95 cellular system has different structures for its forward (base station to mobile station) and
backward links. The forward link consists of up to 64 logical CDMA channels, each occupying the same 1228
kHz bandwidth. The forward channel supports different types of channels:
➢ Traffic channels (channels 8 to 31 and 33 to 63) – these 55 channels are used to carry the user traffic
(originally at 9.6 Kbps, revised at 14.4 Kbps).
➢ Pilot (Channel 0) – used for signal strength comparison, among other things, to determine handoffs
➢ Synchronization (Channel 32) – a 1200 bps channel used to identify the cellular system (system time,
protocol revision, etc.).
➢ Paging (channels 1 to 7) – messages for mobile stations
All these channels use the same frequency band – the chipping code (a 64-bit code) is used to distinguish
between users. Thus 64 users can theoretically use the same band by using different codes. This is in contrast to
TDMA where the band has to be divided into slots – one slot per user. The voice and data traffic is encoded,
assigned a chipping code, modulated and sent to its destination. The data in the reverse travels on the IS-95
reverse links. The reverse links consist of up to 94 logical CDMA channels, each occupying the 1228 kHz
bandwidth. The reverse link supports up to 32 access channels and up to 62 traffic channels. The reverse links
support many mobile unit-specific features to initiate calls, and to update location during handoffs.
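How code-based channel separation works on the forward link, as an added example that is not part of the original chapter: several channels are spread with different 64-chip codes, summed onto one band, and recovered by correlation. It assumes the 64-chip codes are Walsh-Hadamard codes and simplifies to noise-free, synchronized ±1 chips; the function names and sample bits are constructed.

```python
CODE_LEN = 64  # chips per data bit, matching the 64 logical forward channels

def walsh_matrix(n):
    """Build n mutually orthogonal +/-1 codes (Sylvester construction)."""
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of two")
    h = [[1]]
    while len(h) < n:
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h

WALSH = walsh_matrix(CODE_LEN)

def spread(bits, channel):
    """Replace each data bit by +code (bit 1) or -code (bit 0)."""
    code = WALSH[channel]
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * c for c in code)
    return chips

def combine(signals):
    """All channels occupy the same band, so their chips simply add."""
    return [sum(column) for column in zip(*signals)]

def correlate(composite, channel):
    """Correlate each 64-chip block of the composite with one channel's code."""
    code = WALSH[channel]
    return [
        sum(x * c for x, c in zip(composite[i:i + CODE_LEN], code))
        for i in range(0, len(composite), CODE_LEN)
    ]

def despread(composite, channel):
    """Recover one channel's bits; other channels correlate to zero."""
    return [1 if value > 0 else 0 for value in correlate(composite, channel)]

# Constructed traffic on three of the traffic channels listed above.
TRAFFIC = {8: [1, 0, 1, 1], 9: [0, 0, 1, 0], 63: [1, 1, 0, 0]}

def demo():
    composite = combine([spread(bits, ch) for ch, bits in TRAFFIC.items()])
    recovered = {ch: despread(composite, ch) for ch in TRAFFIC}
    idle = correlate(composite, 10)  # channel 10 carries nothing here
    return composite, recovered, idle

if __name__ == "__main__":
    composite, recovered, idle = demo()
    print(recovered, idle)
    # The code set is fixed and public: any receiver that knows the channel
    # index can despread it, so this separates users but does not encrypt them.
```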

5.4 Third Generation Network (3G) – Internet System:


3G or 3rd generation mobile telecommunications is a generation of standards for mobile phones
and mobile telecommunication services fulfilling the International Mobile Telecommunications-2000 (IMT-
2000) specifications by the International Telecommunication Union. Application services include wide-area
wireless voice telephone, mobile Internet access, video calls and mobile TV, all in a mobile environment.
The third-generation (3G) vision is to create a unified global set of standards requirements that could lead
to the commercial deployment of advanced multimedia wireless communications. The goal of 3G systems is to
enable wireless service providers to offer services found on today’s wireline networks.
3G is not one standard; it is a family of standards which can all work together. This is the main reason
why there are too many terms and standards in the 3G space. The International Telecommunications Union (ITU)
is coordinating this international harmonization of 3G standards under the overall umbrella of International
Mobile Telecommunication 2000 (IMT 2000). See the sidebar “ITU’s View of 3G” for the requirements that are
driving 3G developments.
The goal of 3G wireless systems was to provide wireless data service with data rates of 144kbps to
384kbps in wide coverage areas, and 2Mbps in local coverage areas. Possible applications included wireless web-
based access, E-mail, as well as video teleconferencing and multimedia services consisting of mixed voice and
data streams. After ten years of development, IMT-2000 (International Mobile Telecommunications-2000) has
accepted a new 3G standard from China, i.e., TD-SCDMA. Thus, there are now three 3G cellular network
standards. They are CDMA2000 from America, WCDMA from Europe and TD-SCDMA from China.
The best known example of 3G is the UMTS (Universal Mobile Telecommunications System) – an
acronym used to describe a 3G system that originated in Europe and is being used elsewhere. In fact, several
analysts claim that UMTS = 3G. The overall idea is that UMTS users will be able to use 3G technology all over
the world under different banners. This roaming ability to use devices on different networks will be made possible
by satellite and land-based networks. UMTS provides a consistent service environment even when roaming via
“Virtual Home Environment” (VHE). A person roaming from his network to other UMTS operators experiences
a consistent set of services, independent of the location or access mode (satellite or terrestrial).
Whatever the name, 3G is designed to raise the data rate to 2 megabits per second (2 Mbps) – a much
higher rate than 2G and 2.5G. Specifically, 3G systems offer between 144 Kbps to 384 Kbps for high-mobility
and high coverage, and 2 Mbps for low-mobility and low coverage applications. In other words, 3G systems
mandate data rates of 144 Kbps at driving speeds, 384 Kbps for outside stationary use or walking speeds, and 2
Mbps indoors. However, the indoor rate of 2 Mbps from 3G competes with high-speed 802.11 wireless LANs
that offer data rates of 11 to 54 Mbps. The main attraction of 3G is the 384 Kbps data rate for outdoor use as an
IP-based packet-switching service over wide areas. This service can support wireless Internet access over very
wide geographical areas.

3G systems are based on packet switching instead of the older circuit-switching systems used in 2G. What
does this mean? In 2G cellular networks, most data communication, apart from the Short Message Service (SMS),
requires a circuit-switched connection in which a user must connect to a server to check email, for example. The
main limitation of this approach is that the users have to be online even when they are not sending data, so they
pay higher costs and network capacity is wasted.

3G networks use a connectionless (packet-switched) communications mechanism. Data are split into
packets to which an address uniquely identifying the destination is appended. This mode of transmission, in which
communication is broken into packets, allows the same data path to be shared among many users in the network.
By breaking data into smaller packets that travel in parallel on different channels, the data rate can be increased
significantly.

For example, splitting a message into 6 packets can theoretically increase data rate six times (e.g. from
9.6 Kbps to 56 Kbps, roughly). In addition, users can stay online throughout and yet not be charged for the time
spent online. Rather, they only pay for the amount of data that they retrieve. This is in contrast to a circuit-
switched network like the regular voice telephone network where the communication path is dedicated to the
callers, thus blocking that path to other users for that period of time. This means that although a 3G handset is, in
effect, permanently connected to the network, it only uses bandwidth when needed.

3G has evolved from 2G and is built on the success of GSM (GSM, GSM1800 and GSM1900). Dual-
mode terminals ease migration from 2G to 3G. Although many options for 3G exist, the radio technology in 3G
will likely be Wideband CDMA (Collision detect multiple access). This is similar to local area network
technologies such as Ethernet. In the US, CDMA2000 will be used (this is similar to Wideband CDMA but
backward compatible with IS-95).

Advantages of 3G:

• Overcrowding is relieved in existing systems with radio spectrum
• Bandwidth, security and reliability are greater
• Provides interoperability among service providers
• Availability of fixed and variable rates
• Support to devices with backward compatibility with existing networks
• Always online devices – 3G uses IP connectivity which is packet based
• Rich multimedia services are available
Disadvantages of 3G:

• The cost of cellular infrastructure, and upgrading base stations is very high.
• Needs different handsets.
• Roaming and data/voice working together have not yet been implemented.
• Power consumption is high.
• Requires closer base stations, which are expensive.
• Spectrum-license costs, network deployment costs and handset subsidies for subscribers are
tremendous.
5.5. Fourth Generation (4G) Cellular Networks: Integration System:

In telecommunications, 4G is the fourth generation of cellular wireless standards. It is a successor to
the 3G and 2G families of standards. In 2009, the ITU-R organization specified the IMT-Advanced
(International Mobile Telecommunications Advanced) requirements for 4G standards, setting peak speed
requirements for 4G service at 100 Mbit/sec for high mobility communication (such as from trains and cars) and
1 Gbit/sec for low mobility communication (such as pedestrians and stationary users).
The world's first publicly available LTE service was opened in the two Scandinavian capitals Stockholm
(Ericsson and Nokia Siemens Networks systems) and Oslo (a Huawei system) on 14 December 2009. One of the
key technologies for 4G and beyond is called Open Wireless Architecture (OWA), supporting multiple wireless
air interfaces in an open architecture platform.
A 4G system is expected to provide a comprehensive and secure all-IP based mobile broadband solution
to laptop, computer wireless modems, smartphones, and other mobile devices. Facilities such as ultra-
broadband Internet access, IP telephony, gaming services, and streamed multimedia may be provided to users.
In the mid-1990s, the ITU-R organization specified the IMT-2000 specifications for which standards
should be considered 3G systems. However, the cell phone market brands only some of the IMT-2000 standards
as 3G (e.g. WCDMA and CDMA2000), not all (3GPP EDGE, DECT and mobile-WiMAX all fulfil the IMT-
2000 requirements and are formally accepted as 3G standards, but are typically not branded as 3G). In 2008, ITU-
R specified the IMT-Advanced (International Mobile Telecommunications Advanced) requirements for 4G
systems.
IMT-Advanced compliant versions of LTE and WiMAX are under development and called "LTE
Advanced" and "WirelessMAN-Advanced" respectively. ITU has decided that LTE Advanced and
WirelessMAN-Advanced should be accorded the official designation of IMT-Advanced. On December 6, 2010,
ITU recognized that current versions of LTE, WiMax and other evolved 3G technologies that do not fulfill "IMT-
Advanced" requirements could nevertheless be considered "4G", provided they represent forerunners to IMT-
Advanced and "a substantial level of improvement in performance and capabilities with respect to the initial third
generation systems now deployed."
The 4G mobile system is an all-IP-based network system. The features of 4G may be summarized with
one word: integration. 4G technology should integrate different existing and future wireless network
technologies (e.g. OFDM, MC-CDMA, LAS-CDMA and Network-LMDS) to ensure freedom of movement and
seamless roaming from one technology to another. These will provide multimedia applications to mobile users
by accessing different technologies over a continuous, always-best connection.

4G networks can integrate several radio access networks with fixed internet networks as the backbone. A
core interface sits in between core network and radio access networks, and a collection of radio interfaces is used
for communication between the radio access networks and mobile users. This kind of integration combines
multiple radio access interfaces into a single network to provide seamless roaming/handoff and the best connected
services.

The wireless telecommunications industry as a whole adopted the term 4G early on as a shorthand way
to describe those advanced cellular technologies that, among other things, are based on or employ wide channel
OFDMA and SC-FDE technologies, MIMO transmission and an all-IP based architecture. Mobile-WiMAX, first
release LTE, IEEE 802.20 as well as Flash-OFDM meet these early assumptions and have been considered as
4G candidate systems, but do not yet meet the more recent ITU-R IMT-Advanced requirements.
Advantages of a 4G network:
• Better spectral efficiency.
• High speed, capacity and bandwidth.
• Tight network security.
• High usability: anytime, anywhere and with any technology.
• Support for multimedia services at low transmission cost.
• Low cost per bit.
• Global access, service portability, and a variety of quality of services provided.
• A seamless network of multiple protocols and air interfaces.
• Affordable communication system.
• Easier access to services and applications.
• Increases the level of use of synchronization.
• Machine to machine communication provided.

Disadvantages of a 4G network:
• Battery usage is higher.
• Hard to implement.
• Need complicated hardware.
• It needed to avail services of 4G technology.
• The equipment required for a next-generation network is still very expensive.
• The network has more security issues.
• Not many areas have 4G services yet.
• Network protocol and standardization have yet to be defined.
• High data price for consumers.
• Need different handsets.
• Power consumption is high.
• Roaming and data or voice working together has not yet been implemented.
• Requires closer base stations, which are expensive.

5.6. Overview of Fifth Generation (5G) Cellular Networks- Real Wireless World System:

5G (5th generation mobile networks or 5th generation wireless systems) is a name used in some
research papers and projects to denote the next major phase of mobile telecommunications standards beyond
the 4G/IMT-Advanced standards effective since 2011. At present, 5G is not a term officially used for any
particular specification or in any official document yet made public by telecommunication companies or
standardization bodies such as 3GPP, WiMAX Forum, or ITU-R. New standard releases beyond 4G are in
progress by standardization bodies, but are at this time not considered as new mobile generations but under the
4G umbrella.
The problem is that 5G is designed to deliver the World Wide Wireless Web (WWWW) to mobile users based on
network access management, whereas IPv6 assigns any IP address to any mobile node based on location management.
This wastes 5G wireless network resources and makes it difficult for IPv6 to work on the World Wide Wireless
Web (WWWW). In order to solve this problem, we have proposed the bandwidth optimization control protocol
and the mix-bandwidth data path for the future 5G real wireless world. The bandwidth optimization control protocol
(BOCP) is implemented between the MAC layer and the TCP/IP layer, and is used to establish the mix-bandwidth.

Were a 5G family of standards to be implemented, it would likely be around the year 2020, according to
some sources. A new mobile generation has appeared every 10th year since the first 1G system (NMT) was
introduced in 1981, including the 2G (GSM) system that started to roll out in 1992, 3G (W-CDMA/FOMA),
which appeared in 2001, and "real" 4G standards fulfilling the IMT-Advanced requirements, that were ratified in
2011, with products expected in 2012-2013. Predecessor technologies have appeared on the market a few years
before each new mobile generation, for example the pre-3G system CdmaOne/IS95 in 1995, and the pre-4G
systems Mobile WiMAX and LTE in 2005 and 2009 respectively.
Advantages of 5G technology

• Higher Download Speed: The 5G network will have the capacity to increase download speeds by up to
20 times (from 200 Mbps (4G) to 10 Gbps (5G)) and to decrease latency (response time between
devices). These speeds will maximize the browsing experience by facilitating processes that, although
possible today, still present difficulties.
• Hyperconnectivity: The 5G network promises the possibility of having a hyper-interconnected
environment to reach the point of having the much desired “smart cities”. The correct performance of
these new dynamics will depend on the bandwidth of 5G and the Internet of Things (IoT).
• Process optimization: It is also expected to revolutionize areas such as medicine (remote operations, for
example), and traffic management and autonomous vehicles, as well as its implementation in the
construction sector to optimize resources and reduce risks.
Disadvantages of 5G technology

• Immediate Obsolescence: The transition to the 5G network will require devices that can support it;
current 4G devices do not have this capability and will become immediately obsolete.
• Technological exclusion: The implementation of the 5G network also implies a lack of immediate
accessibility for average pockets, combined with a delay in its implementation due to a lack of means for
its use.
• Insufficient Infrastructure: For the 5G network to function properly, it will require an
ambitious investment in infrastructure to increase bandwidth and expand coverage, and this is not
cheap. This situation will necessarily lead to delays in its implementation due to the high costs that
governments will have to cover for 5G to function properly.
• Risks in security and proper data handling: All of this requires optimal data management, and this is
where the most conflictive part of the advantages versus disadvantages lies. And the fact is that, in the
management of all this information, both from companies and individuals and even governments, not only
issues such as Big Data techniques are involved in its study.

| Generation (1G, 2G, 3G, 4G, 5G) | Definition | Throughput/Speed | Technology | Time period | Features |
|---|---|---|---|---|---|
| 1G | Analog | 14.4 Kbps (peak) | AMPS, NMT, TACS | 1970-1980 | During 1G, wireless phones are used for voice only. |
| 2G | Digital narrow band circuit data | 9.6/14.4 Kbps | TDMA, CDMA | 1990-2000 | 2G capabilities are achieved by allowing multiple users on a single channel via multiplexing. During 2G, cellular phones are used for data also along with voice. |
| 2.5G | Packet data | 171.2 Kbps (peak); 20-40 Kbps | GPRS | 2001-2004 | In 2.5G the internet becomes popular and data becomes more relevant. 2.5G multimedia services and streaming start to show growth. Phones start supporting web browsing, though limited, and very few phones have that. |
| 3G | Digital broadband packet data | 3.1 Mbps (peak); 500-700 Kbps | CDMA 2000 (1xRTT, EVDO), UMTS, EDGE | 2004-2005 | 3G has multimedia services support, and streaming is more popular. In 3G, universal access and portability across different device types are made possible (telephones, PDAs, etc.). |
| 3.5G | Packet data | 14.4 Mbps (peak); 1-3 Mbps | HSPA | 2006-2010 | 3.5G supports higher throughput and speeds to support higher data needs of the consumers. |
| 4G | Digital broadband packet, all IP, very high throughput | 100-300 Mbps (peak); 3-5 Mbps; 100 Mbps (Wi-Fi) | WiMax, LTE, Wi-Fi | Now (transitioning to 4G) | Speeds for 4G are further increased to keep up with data access demand used by various services. High-definition streaming is now supported in 4G. New phones with HD capabilities surface. It gets pretty cool. In 4G, portability is increased further. World-wide roaming is not a distant dream. |
| 5G | Not yet | Probably gigabits | Not yet | Soon (probably 2020) | Currently there is no 5G technology deployed. When this becomes available it will provide very high speeds to the consumers. It would also provide efficient use of available bandwidth, as has been seen through development of each new technology. |

Figure: A Journey From 1G to 5G.

****************
Chapter 6: Mobile Network Layer (4hr)
6.1. Introduction to Mobile IP

Mobile IP is an IETF (Internet Engineering Task Force) standard communications protocol designed to allow
users of mobile devices (such as laptops, PDAs, mobile phones, etc.) to move from one network to another while
maintaining their permanent IP (Internet Protocol) address.

Defined in RFC (Request for Comments) 2002, mobile IP is an enhancement of the internet protocol (IP) that
adds mechanisms for forwarding internet traffic to mobile devices (known as mobile nodes) when they are
connected through a network other than their home network.

The following case shows how a datagram moves from one point to another within the Mobile IP framework.

• First of all, the internet host sends a datagram to the mobile node using the mobile node's home address
(normal IP routing process).
• If the mobile node (MN) is on its home network, the datagram is delivered through the normal IP (Internet
Protocol) process to the mobile node. Otherwise, the home agent picks up the datagram.
• If the mobile node (MN) is on foreign network, the home agent (HA) forwards the datagram to the foreign
agent.
• The foreign agent (FA) delivers the datagram to the mobile node.
• Datagrams from the MN to the Internet host are sent using normal IP routing procedures. If the mobile
node is on a foreign network, the packets are delivered to the foreign agent. The FA forwards the datagram
to the Internet host.

In the case of wireless communications, the above illustrations depict the use of wireless transceivers to transmit
the datagrams to the mobile node. Also, all datagrams between the Internet host and the MN use the mobile node's
home address regardless of whether the mobile node is on a home or foreign network. The care-of address (COA)
is used only for communication with mobility agents and is never seen by the Internet host.

6.1.1. Components of Mobile IP (Mobile IP entities and Terminologies)

Mobile IP has the following seven components:

1. Mobile Node (MN)

The mobile node is an end system or device such as a cell phone, PDA (Personal Digital Assistant), or laptop
whose software enables network roaming capabilities.
2. Home Agent (HA)

The home agent provides several services for the mobile node and is located in the home network. The tunnel for
packets towards the mobile node starts at home agent. The home agent maintains a location registry, i.e. it is
informed of the mobile node's location by the current COA (care of address). Following alternatives for the
implementation of an HA exist.

• Home agent can be implemented on a router that is responsible for the home network. This is obviously
the best position, because without optimization to mobile IP, all packets for the MN have to go through
the router anyway.
• If changing the router's software is not possible, the home agent could also be implemented on
an arbitrary node in the subnet. The biggest disadvantage of this solution is the double-crossing of the
router by the packet if the MN is in a foreign network. A packet for the mobile node comes in via the
router; the HA sends it through the tunnel, which again crosses the router.

3. Foreign Agent (FA)

The foreign agent can provide several services to the mobile node during its visit to the foreign network. The FA
can have the COA (care-of address), acting as a tunnel endpoint and forwarding packets to the MN. The foreign
agent can be the default router for the MN.

The foreign agent can also provide security services because it belongs to the foreign network, as opposed to
the MN, which is only visiting.

In short, FA is a router that may function as the point of attachment for the mobile node when it roams to a foreign
network and delivers packets from the home agent to the mobile node.

4. Care of Address (COA)

The care-of address defines the current location of the mobile node from an IP point of view. All IP packets
sent to the MN are delivered to the COA, not directly to the IP address of the MN. Packet delivery toward the
mobile node is done using a tunnel. To be more precise, the COA marks the endpoint of the tunnel, i.e. the address
where packets exit the tunnel.

There are two different possibilities for the location of the care of address:

1. Foreign Agent COA: The COA could be located at the foreign agent, i.e. the COA is an IP address of
the foreign agent. The foreign agent is the tunnel endpoint and forwards packets to the MN. Many MN
using the FA can share this COA as common COA.
2. Co-located COA: The COA is co-located if the MN temporarily acquired an additional IP address which
acts as a COA. This address is now topologically correct, and the tunnel endpoint is at the mobile node.
A co-located address can be acquired using services such as DHCP. One problem associated with this
approach is the need for additional addresses if MNs request a COA. This is not always a good idea
considering the scarcity of IPv4 addresses.

5. Correspondent Node (CN)

At least one partner is needed for communication. The correspondent node represents this partner for the MN.
The correspondent node can be a fixed or mobile node.
6. Home Network (HN)

The home network is the subnet the MN belongs to with respect to its IP address. No mobile IP support is needed
within this network.

7. Foreign Network (FN)

The foreign network is the current subnet the MN visits and which is not the home network.

6.1.2. Mobile IP packet delivery


The mobile movement of MN from one location to another has to be hidden as per the requirement of mobile IP.
CN may not know the exact location of MN.

STEP 1: CN sends the packet as usual to the IP address of MN. With Source address as CN and Destination
address as MN. The internet, which does not have any information of the current location of MN, routes the
packet to the router responsible for the home network of MN. This is done using the standard routing mechanisms
of the internet.
STEP 2: The HA now diverts the packet, knowing that MN is currently not in its home network. The packet is
not forwarded into the subnet as usual, but encapsulated and tunnelled to the COA. A new header is put in front
of the old IP header showing the COA as the new destination and HA as the source of the encapsulated packet.
STEP 3: The foreign agent (FA) now decapsulates the packet, i.e., removes the additional header (newly added
as COA as destination and HA as source), and forwards the original packet with CN as the source and MN as a
destination to the MN. Again, for the MN mobility is not visible. Finally, the MN receives the packet with the
Source address as CN and Destination address as MN.
STEP 4: The MN sends the packet with MN as Source Address and CN as Destination Address. The router with the
FA acts as a default router and forwards the packet in the same way as it would do for any other node in the
foreign network. This simple mechanism works if the CN is fixed at a location; if the CN is itself mobile, then
Steps 1 to 3 above are followed to deliver the packet from MN to CN.

6.1.3. Process or Phases of Mobile IP

The mobile IP process has the following three main phases:

1. Agent Discovery

During the agent discovery phase the HA and FA advertise their services on the network by using the ICMP
router discovery protocol (IRDP).
Mobile IP defines two methods, agent advertisement and agent solicitation, which are in fact router discovery
methods plus extensions.

• Agent advertisement: For the first method, the FA and HA advertise their presence periodically using
special agent advertisement messages. These advertisement messages can be seen as a beacon broadcast
into the subnet. For this advertisement, Internet Control Message Protocol (ICMP) messages according to
RFC 1256 are used with some mobility extensions.
• Agent solicitation: If no agent advertisements are present or the inter-arrival time is too high, and an MN
has not received a COA, the mobile node must send agent solicitations. These solicitations are again based
on RFC 1256 for router solicitations.

2. Registration

The main purpose of the registration is to inform the home agent of the current location for the correct forwarding
of packets.

Registration can be done in two ways depending on the location of the COA.

• If the COA is at the FA, the MN sends its registration request containing the COA to the FA, which
forwards the request to the HA. The HA now sets up a mobility binding containing the mobile node's
home IP address and the current COA.

Additionally, the mobility binding contains the lifetime of the registration, which is negotiated during the
registration process. Registration expires automatically after the lifetime and is deleted, so a mobile node should
re-register before expiration. After setting up the mobility binding, the HA sends a reply message back to the FA,
which forwards it to the MN.

• If the COA is co-located, registration can be simpler. The mobile node may send the request directly
to the HA and vice versa. This, by the way, is also the registration procedure for MNs returning to their
home network.

3. Tunnelling

A tunnel is used to establish a virtual pipe for the packets available between a tunnel entry and an endpoint. It is
the process of sending a packet via a tunnel and it is achieved by a mechanism called encapsulation. It takes place
to forward an IP datagram from the home agent to the care-of-address.
Tunneling is often used in virtual private networks (VPNs). It can also set up efficient and secure connections
between networks, enable the usage of unsupported network protocols, and in some cases allow users to bypass
firewalls.

Tunneling, also known as "port forwarding", is the transmission of data intended for use only within a private,
usually corporate, network through a public network.

4. Encapsulation
Encapsulation is the mechanism of taking a packet consisting of packet header and data and putting it into the
data part of a new packet. The reverse operation, taking a packet out of the data part of another packet, is called
decapsulation. Encapsulation and decapsulation are the operations typically performed when a packet is
transferred from a higher protocol layer to a lower layer or from a lower to a higher layer respectively. The HA
takes the original packet with the MN as a destination, puts it into the data part of a new packet, and sets the new
IP header so that the packet is routed to the COA. The new header is called the outer header.
Types of Encapsulations
Three types of encapsulation protocols are specified for Mobile IP:

1. IP-in-IP encapsulation: required to be supported. Full IP header added to the original IP packet. The
new header contains the HA address as the source and Care-of Address as the destination.
2. Minimal encapsulation: optional. Requires less overhead but requires changes to the original header.
The destination address is changed to Care-of Address and the source IP address is maintained as it is.
3. Generic Routing Encapsulation (GRE): optional. Allows packets of a different protocol suite to be
encapsulated by another protocol suite.
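
The delivery steps 1 to 3 and the IP-in-IP encapsulation described above, as an added example that is not part of the original notes. The class names, the FA's map of visitors to their home agents, and all addresses (taken from the documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IPv4-in-IPv4 encapsulation


def checksum(header: bytes) -> int:
    """Internet checksum: one's-complement sum of the header's 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) followed by the payload."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate an IPv4 header and return its fields; ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("bad header length or total length")
    if checksum(packet[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "proto": packet[9], "payload": packet[ihl:total_len]}


class HomeAgent:
    def __init__(self, address: str):
        self.address = address
        self.bindings = {}  # mobility binding: home address -> (COA, expiry time)

    def register(self, home_addr: str, coa: str, lifetime: int, now: int) -> None:
        self.bindings[home_addr] = (coa, now + lifetime)

    def forward(self, packet: bytes, now: int):
        """STEP 2: tunnel the packet to the COA, or return None without a live binding."""
        inner = parse_ipv4(packet)
        binding = self.bindings.get(inner["dst"])
        if binding is None or binding[1] <= now:
            self.bindings.pop(inner["dst"], None)  # expired registrations are deleted
            return None
        # Outer header: HA as source, COA as destination; the original packet is the payload.
        return ipv4_packet(self.address, binding[0], IPPROTO_IPIP, packet)


class ForeignAgent:
    def __init__(self, coa: str, home_agents: dict):
        self.coa = coa
        # Assumed: learned while relaying registrations (visitor home address -> HA address).
        self.home_agents = home_agents

    def decapsulate(self, packet: bytes) -> bytes:
        """STEP 3: strip the outer header and return the original CN -> MN packet."""
        outer = parse_ipv4(packet)
        if outer["proto"] != IPPROTO_IPIP or outer["dst"] != self.coa:
            raise ValueError("not a tunnel packet for this care-of address")
        inner = parse_ipv4(outer["payload"])
        # Filters stray tunnels only; a source address is not proof of who sent the packet.
        if self.home_agents.get(inner["dst"]) != outer["src"]:
            raise ValueError("tunnel source is not the home agent of this visitor")
        return outer["payload"]


def demo():
    """Constructed scenario: CN 203.0.113.7 sends to MN home address 192.0.2.10."""
    ha = HomeAgent("192.0.2.1")
    fa = ForeignAgent("198.51.100.1", {"192.0.2.10": "192.0.2.1"})
    ha.register("192.0.2.10", "198.51.100.1", lifetime=300, now=0)
    original = ipv4_packet("203.0.113.7", "192.0.2.10", 17, b"hello MN")  # STEP 1
    tunnelled = ha.forward(original, now=10)
    delivered = fa.decapsulate(tunnelled)
    return original, tunnelled, delivered
```

The packet the MN receives is byte-for-byte the one the CN sent, which is why the CN never sees the care-of address; the tunnel adds exactly one 20-byte outer header.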

6.1.4. Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) is a network management protocol used to dynamically assign an
IP address to any device, or node, on a network so they can communicate using IP (Internet Protocol). DHCP
automates and centrally manages these configurations. There is no need to manually assign IP addresses to new
devices. Therefore, there is no requirement for any user configuration to connect to a DHCP based network.

DHCP can be implemented on local networks as well as large enterprise networks. DHCP is the default protocol
used by most routers and networking equipment. DHCP is defined in RFC (Request for Comments) 2131.
DHCP does the following:

• DHCP manages the provision of all the nodes or devices added or dropped from the network.
• DHCP maintains the unique IP address of the host using a DHCP server.
• It sends a request to the DHCP server whenever a client/node/device, which is configured to work with
DHCP, connects to a network. The server acknowledges by providing an IP address to the
client/node/device.

DHCP is also used to configure the proper subnet mask, default gateway and DNS server information on the node
or device. Many versions of DHCP are available for use in IPv4 (Internet Protocol Version 4) and IPv6
(Internet Protocol Version 6).

How DHCP works

DHCP runs at the application layer of the TCP/IP protocol stack to dynamically assign IP addresses to DHCP
clients/nodes and to allocate TCP/IP configuration information to the DHCP clients. Information includes subnet
mask information, default gateway, IP addresses and domain name system addresses. DHCP is based on client-
server protocol in which servers manage a pool of unique IP addresses, as well as information about client
configuration parameters, and assign addresses out of those address pools.
The DHCP lease process works as follows:

• First of all, a client (network device) must be connected to the internet.
• DHCP clients request an IP address. Typically, the client broadcasts a query for this information.
• The DHCP server responds to the client request by providing IP server address and other configuration
information. This configuration information also includes a time period, called a lease, for which the
allocation is valid.
• When refreshing an assignment, a DHCP client requests the same parameters, but the DHCP server may
assign a new IP address. This is based on the policies set by the administrator.
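
What the server's reply in the lease process looks like on the wire, as an added example that is not part of the original notes: it builds a constructed DHCPACK in the RFC 2131 message layout and parses it back into the lease, subnet mask, gateway and DNS values. The function names and all sample addresses are assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the options field
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # message types a server sends


def ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_reply(msg_type, xid, client_mac, yiaddr, server, mask, router, dns, lease) -> bytes:
    """Build a server reply: 236-byte fixed part, magic cookie, then options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, xid, 0, 0,            # op=BOOTREPLY, Ethernet, MAC length 6
                        ip("0.0.0.0"), ip(yiaddr), ip(server), ip("0.0.0.0"),
                        client_mac, b"", b"")             # chaddr, sname, file (zero padded)
    options = b"".join(bytes([code, len(val)]) + val for code, val in [
        (OPT_MSG_TYPE, bytes([msg_type])),
        (OPT_SERVER_ID, ip(server)),
        (OPT_LEASE_TIME, struct.pack("!I", lease)),
        (OPT_SUBNET_MASK, ip(mask)),
        (OPT_ROUTER, ip(router)),
        (OPT_DNS, b"".join(ip(d) for d in dns)),
    ])
    return fixed + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(data: bytes) -> dict:
    """Walk the code/length/value options; reject anything that overruns the buffer."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"option {code} runs past the end of the message")
        opts[code] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    raise ValueError("options field has no END marker")  # strict: END is required


def parse_lease_reply(msg: bytes) -> dict:
    """Parse an OFFER/ACK into the configuration values a client would apply."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("too short or missing DHCP magic cookie")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", msg[:8])
    if op != 2 or hlen > 16:
        raise ValueError("not a server reply")
    opts = parse_options(msg[240:])

    def fixed(code: int, size: int) -> bytes:
        val = opts.get(code)
        if val is None or len(val) != size:
            raise ValueError(f"option {code} missing or wrong length")
        return val

    def addrs(code: int) -> list:
        val = opts.get(code, b"")
        if len(val) % 4:
            raise ValueError(f"option {code} is not a list of IPv4 addresses")
        return [str(ipaddress.IPv4Address(val[i:i + 4])) for i in range(0, len(val), 4)]

    return {
        "type": MSG_TYPES.get(fixed(OPT_MSG_TYPE, 1)[0], "UNKNOWN"),
        "xid": xid,
        "client_mac": msg[28:28 + hlen].hex(":"),
        "your_ip": str(ipaddress.IPv4Address(msg[16:20])),
        "server_id": str(ipaddress.IPv4Address(fixed(OPT_SERVER_ID, 4))),
        "lease_seconds": struct.unpack("!I", fixed(OPT_LEASE_TIME, 4))[0],
        "subnet_mask": str(ipaddress.IPv4Address(fixed(OPT_SUBNET_MASK, 4))),
        "routers": addrs(OPT_ROUTER),
        "dns": addrs(OPT_DNS),
    }


def sample_ack() -> bytes:
    """Constructed DHCPACK; every value here is sample data."""
    return build_reply(5, 0x3903F326, bytes.fromhex("020000aabbcc"), "192.0.2.50",
                       "192.0.2.1", "255.255.255.0", "192.0.2.1",
                       ["192.0.2.53", "198.51.100.53"], 86400)
```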

Components of DHCP

When working with DHCP, it is important to understand all of the components. The components are listed
below:

• DHCP Server: DHCP server is a networked device running the DHCP service that holds IP addresses
and related configuration information. This is typically a server or a router but could be anything that acts
as a host, such as an SD-WAN appliance.
• DHCP client: DHCP client is the endpoint that receives configuration information from a DHCP server.
This can be any device like computer, laptop, IoT endpoint or anything else that requires connectivity to
the network. Most of the devices are configured to receive DHCP information by default.
• IP address pool: IP address pool is the range of addresses that are available to DHCP clients. IP addresses
are typically handed out sequentially from lowest to the highest.
• Subnet: Subnet is the partitioned segments of the IP networks. Subnet is used to keep networks
manageable.
• Lease: Lease is the length of time for which a DHCP client holds the IP address information. When a
lease expires, the client has to renew it.
• DHCP relay: A host or router that listens for client messages being broadcast on that network and then
forwards them to a configured server. The server then sends responses back to the relay agent that passes
them along to the client. DHCP relay can be used to centralize DHCP servers instead of having a server
on each subnet.

Benefits of DHCP

There are following benefits of DHCP:

Centralized administration of IP configuration: DHCP IP configuration information can be stored in a single
location, which enables the administrator to centrally manage all IP address configuration information.

Dynamic host configuration: DHCP automates the host configuration process and eliminates the need to
manually configure individual hosts when TCP/IP (Transmission Control Protocol/Internet Protocol) is first
deployed or when IP infrastructure changes are required.

Seamless IP host configuration: The use of DHCP ensures that DHCP clients get accurate and timely IP
configuration parameters such as IP address, subnet mask, default gateway, IP address of DNS
server and so on without user intervention.

Flexibility and scalability: Using DHCP gives the administrator increased flexibility, allowing the administrator
to move easily and change IP configuration when the infrastructure changes.

6.2 Mobile Ad-hoc Network (MANET)

• A MANET consists of a number of mobile devices that come together to form a network as needed,
without any support from any existing internet infrastructure or any other kind of fixed stations.
• A MANET can be defined as an autonomous system of nodes or MSs(also serving as routers) connected
by wireless links, the union of which forms a communication network modeled in the form of an arbitrary
communication graph.
• This is in contrast to the well-known single-hop cellular network model, in which wireless
communication between two mobile nodes relies on the wired backbone and fixed base stations.
• In a MANET, no such infrastructure exists and the network topology may change dynamically in an
unpredictable manner, since nodes are free to move and each node has limited transmitting power,
restricting access to the node only in the neighboring range.
• MANETs are basically peer-to-peer, multi-hop wireless networks in which information packets are
transmitted in a store and forward manner from a source to an arbitrary destination, via intermediate nodes
as given in the figure:

• As nodes move, the connectivity may change based on relative locations of other nodes. The resulting
change in the network topology known at the local level must be passed on to other nodes so that old
topology information can be updated.
• For example, as MS2 in the figure changes its point of attachment from MS3 to MS4, other nodes that are
part of the network should use this new route to forward packets to MS2. In the figure, we assume that it
is not possible to have all nodes within each other's radio range. In case all nodes are close by within
each other's radio range, there are no routing issues to be addressed.
• The figure raises another issue, that of symmetric (bidirectional) and asymmetric
(unidirectional) links. Consider symmetric links with associative radio range; for example, if MS1 is
within the radio range of MS3, then MS3 is also within the radio range of MS1. The communication links
are symmetric. This assumption is not always valid because of differences in transmitting power levels
and the terrain. Routing in asymmetric networks is a relatively hard task. In certain cases, it is possible to
find routes that exclude asymmetric links, since it is cumbersome to find the return path. The issue of
efficiency is one of the several challenges encountered in a MANET.
• The other issue is the varying mobility patterns of different nodes. Some nodes are highly mobile,
while others are primarily stationary. It is difficult to predict a node's movement and direction of
movement and numerous studies have been performed to evaluate their performance using different
simulators.
6.2.1. Characteristics of MANET

Some characteristics of an ad-hoc network are as follows:

• Dynamic topologies: Nodes are free to move arbitrarily; thus the network topology may be changed
randomly and unpredictably and primarily consists of bidirectional links. In some cases where the
transmission power of two nodes is different, a unidirectional link may exist.
• Bandwidth-constrained and variable capacity links: wireless links continue to have significantly lower
capacity than infrastructure networks.
• Energy-constrained operation: some or all of the MSs in a MANET may rely on batteries or other
exhaustible means for their energy. For these nodes or devices, the most important system design
optimization criteria may be energy conservation.
• Limited physical security: MANETs are generally more prone to physical security threats than wireline
networks. The increased possibility of eavesdropping, spoofing, and denial of services (DoS) attacks
should be considered carefully. To reduce security threats, many existing link security techniques are
often applied within wireless networks.

6.2.2. Applications of MANET

Some specific applications of ad hoc networks include industrial and commercial applications involving
cooperative mobile data exchange. There are many existing and future military networking requirements for
robust, IP-compliant data services within mobile wireless communication networks, with many of these networks
consisting of highly-dynamic autonomous topology segments. Advanced features of mobile ad hoc networks,
including data rates compatible with multimedia applications, global roaming capability, and coordination with
other network structures, are enabling new applications.

• Defense applications: Many defense applications require on the fly communications set-up, and ad
hoc/sensor networks are excellent candidates for use in battlefield management.
• Crisis management applications: These arise, for example, as a result of natural disasters in which the
entire communication infrastructure is in disarray. Restoring communications quickly is essential.
• Telemedicine: The paramedic assisting the victim of a traffic accident in a remote location must access
medical records (e.g. X-rays) and may need video conference assistance from a surgeon for an emergency
intervention. In fact, the paramedic may need to instantaneously relay back to the hospital the victim's X-
rays and other diagnostic tests from the site of the accident.
• Tele-geoprocessing application: The combination of GPS, GIS (Geographical Information Systems),
and high-capacity wireless mobile systems enables a new type of application referred to as tele-
geoprocessing.
• Virtual Navigation: A remote database contains the graphical representation of the building, streets, and
physical characteristics of a large metropolis. They may also "virtually" see the internal layout of
buildings, including an emergency rescue plan, or find possible points of interest.
• Education via the Internet: Educational opportunities are available on the internet or in remote areas
because of the economic infeasibility of providing expensive last-mile wireline internet access in these
areas to all subscribers.
• Vehicular Area Network (VAN): This is a growing and very useful application of ad-hoc networks in
providing emergency services and other information. This is equally effective in both urban and rural
setups. The basic exchange of necessary data that is beneficial in a given situation.

***************
Chapter 7: Wireless network security (4hr)
7.1. Introduction to wireless security

7.1.1 Definition and need for wireless security

Wireless network security is the process of designing, implementing and ensuring security on a wireless
computer network. It is a subset of network security that adds protection to a wireless computer network.

Wireless network security is also known as wireless security.

Wireless network security primarily protects a wireless network from unauthorized and malicious access
attempts. Typically, wireless network security is delivered through wireless devices (usually a wireless
router/switch) that encrypt and secure all wireless communication by default. Even if the wireless network
security is compromised, the hacker is not able to view the content of the traffic/packet in transit. Moreover,
wireless intrusion detection and prevention systems also enable the protection of a wireless network by alerting
the wireless network administrator in case of a security breach.

Some of the common algorithms and standards to ensure wireless network security are Wired Equivalent Privacy
(WEP) and Wi-Fi Protected Access (WPA).

7.1.2. Types of Protocols used in wireless security


There are four wireless security protocols currently available:
Wired Equivalent Privacy (WEP): Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE Wireless
Fidelity (Wi-Fi) standard, 802.11b. That standard is designed to provide a wireless local area network (WLAN) with a level
of security and privacy comparable to what is usually expected of a wired LAN.

How WEP Works

WEP uses a data encryption scheme that is based on a combination of user- and system-generated key values.
The original implementations of WEP supported encryption keys of 40 bits plus 24 additional bits of system-
generated data, leading to keys of 64 bits in total length. To increase protection, these encryption methods
were later extended to support longer keys, including 104-bit (128 bits of total data), 128-bit (152 bits total),
and 232-bit (256 bits total) variations.

When deployed over a Wi-Fi connection, WEP encrypts the data stream using these keys so that it is no
longer human-readable but can be processed by receiving devices. The keys are not sent over the network but
are stored on the wireless network adapter or in the Windows registry.
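
The key arithmetic above, worked through as an added example (not code from the original notes). It relies on facts about WEP that the notes do not spell out: the 24 system-generated bits are the per-frame initialization vector (IV), which is prepended to the secret key to seed the RC4 stream cipher, and a CRC-32 integrity check value (ICV) is appended to the payload. The key and payload bytes are constructed sample values.

```python
import struct
import zlib

IV_BITS = 24                               # the "system-generated" bits
SECRET_KEY_BITS = (40, 104, 128, 232)      # secret key sizes listed above


def total_key_bits(secret_bits: int) -> int:
    """Advertised WEP key length: secret key plus the 24-bit IV."""
    if secret_bits not in SECRET_KEY_BITS:
        raise ValueError("not a WEP key size")
    return secret_bits + IV_BITS


def rc4(seed: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: XOR data with the keystream generated from seed."""
    s = list(range(256))
    j = 0
    for i in range(256):                   # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                      # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """Integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    total_key_bits(len(secret) * 8)        # validates the key size
    if len(iv) * 8 != IV_BITS:
        raise ValueError("IV must be 24 bits")
    # The IV is sent in the clear, followed by a key-ID byte (key 0 here).
    return iv + b"\x00" + rc4(iv + secret, payload + icv(payload))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[4:]
    clear = rc4(iv + secret, body)
    payload, received_icv = clear[:-4], clear[-4:]
    if icv(payload) != received_icv:
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return payload


def keystream(secret: bytes, iv: bytes, length: int = 16) -> bytes:
    """Keystream a station would use for one frame with this key and IV."""
    return rc4(iv + secret, bytes(length))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")      # constructed 40-bit secret key
    frame = wep_encrypt(key, b"\x00\x00\x01", b"constructed payload")
    print(frame.hex(), wep_decrypt(key, frame))
    # With a static key, the IV alone separates one frame's keystream from
    # the next; once an IV repeats, so does the keystream.
    print(keystream(key, b"\x00\x00\x01") == keystream(key, b"\x00\x00\x01"))
```

Because the secret key never changes between frames, only the 24-bit IV varies the cipher seed, which is why longer secret keys alone did not make WEP adequate.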

Wi-Fi Protected Access (WPA): Wi-Fi Protected Access (WPA) is a security standard for computing devices
equipped with wireless internet connections. WPA was developed by the Wi-Fi Alliance to provide more
sophisticated data encryption and better user authentication than Wired Equivalent Privacy (WEP), the original
Wi-Fi security standard.
WPA was initially released in 2003. The Wi-Fi Alliance defined WPA as a response to serious weaknesses found
in the WEP protocol. A more secure version, WPA2, was released in 2004. In 2018, the Wi-Fi Alliance announced
the release of WPA's third and current version, WPA3.
WPA works using discrete modes for enterprise and personal use. The most recent enterprise mode, WPA-EAP,
uses a stringent 802.1x authentication. The latest personal mode, WPA-PSK, uses Simultaneous Authentication
of Equals (SAE) to create a secure handshake.
The enterprise mode requires an authentication server, with which clients communicate before sending login
credentials.
Wi-Fi Protected Access 2 (WPA 2): WPA2 superseded WPA in 2004. WPA2 uses the Counter Mode Cipher
Block Chaining Message Authentication Code Protocol (CCMP). The CCMP protocol is based on the Advanced
Encryption Standard (AES) algorithm, which provides message authenticity and integrity verification. CCMP is
stronger and more reliable than WPA's original Temporal Key Integrity Protocol (TKIP).
WPA2 still has vulnerabilities, however. Primary among those vulnerabilities is the potential for unauthorized
access to the enterprise wireless network. This can happen when an attacker exploits an attack vector on certain
Wi-Fi Protected Setup (WPS) access points. It is recommended that WPS be disabled on each such access point
in WPA2 to discourage these threats. Other vulnerabilities exist in WPA2 as well, such as in Transport Layer
Security, which threat actors can target using downgrade attacks.
Though these threats have traditionally been directed at enterprise wireless systems, home wireless systems with
simple passwords or default passwords can be threatened as well. Privileged accounts, such as administrator
accounts, should always be supported by stronger, longer passwords, and all passwords should be changed
frequently.
Wi-Fi Protected Access 3 (WPA 3): Wi-Fi Protected Access 3, or WPA3, superseded WPA2 in 2018. WPA3 is
the latest, updated implementation of WPA. The Wi-Fi Alliance began to certify WPA3-approved products in
2018. WPA3 support is not automatically added to every device. Users who wish to use WPA3-approved devices,
such as wireless routers, must either buy new routers that support WPA3 or have the device updated by the
manufacturer.
New updates and features of WPA3 include:
• 256-bit Galois/Counter Mode Protocol encryption (GCMP-256)
• 384-bit Hashed Message Authentication Mode (HMAC)
• 256-bit Broadcast/Multicast Integrity Protocol (BIP-GMAC-256)
• an equivalent 192-bit cryptographic strength (in WPA3-EAP enterprise mode)
• SAE exchange and
• Wi-Fi Device Provisioning Protocol (DPP)

7.2. Understanding WLAN security models


Wireless networking enables computing devices with wireless capabilities to use computing resources
without being physically connected to a network. The devices simply need to be within a certain distance (known
as the range) of the wireless network infrastructure. Wireless local area networks (WLANs) are groups of wireless
networking devices within a limited geographic area, such as an office building, that are capable of exchanging
data through radio communications. WLANs are usually implemented as extensions to existing wired local area
networks (LANs) to provide enhanced user mobility and network access. WLAN technologies are based on the
IEEE 802.11 standard and its amendments. The WLAN security model has the following phases.
1. Configuration Design: Organizations should have standardized security configurations for their common
WLAN components, such as client devices and APs. A standardized configuration provides a base level of
security, reducing vulnerabilities and lessening the impact of successful attacks.

• Needs Gathering: Before designing a WLAN security architecture or WLAN component security
configurations, an organization should gather information on needs, particularly operational and security-
related ones. This should include identifying relevant WLAN security requirements from applicable laws,
policies, regulations, etc.
• WLAN Architecture: When planning WLAN security, configuration designers should consider the
security not only of the WLAN itself but also how it may affect other networks that are accessible through
it, such as internal wired networks reachable from the WLAN. An important principle of WLAN security
is to separate WLANs with different security profiles.

2. Configuration Implementation, Evaluation, and Maintenance: After designing a WLAN security
configuration, an organization should determine how the configuration will be implemented, evaluate the
effectiveness of the implementation, deploy the implementation to the appropriate devices, and maintain the
configuration and its implementation throughout the devices’ lifecycles. Organizations should ensure that their
WLAN client devices and APs have configurations at all times that are compliant with the organization’s WLAN
policies.

Organizations should standardize, automate, and centralize as much of their WLAN security configuration
implementation and maintenance as practical, particularly for their WLAN client devices and access points. This
allows organizations to implement consistent WLAN security throughout the enterprise, to detect and correct
unauthorized changes to configurations, and to react quickly when newly identified vulnerabilities or recent
incidents indicate a need to change the WLAN’s security configuration.

Organizations should evaluate all standardized WLAN security configuration implementations carefully
before deploying them throughout production environments. Even if the organization is confident that the
configuration is sound, it should still be evaluated carefully to ensure that its implementation meets the
organization’s particular security and operational requirements. Every operating environment has unique
characteristics that should be taken into account. It is particularly important to evaluate the strength of the
configuration and its potential impacts on performance and functionality.

3. WLAN Security Monitoring: This section discusses two types of security monitoring: assessments and
continuous monitoring. A security assessment is “the process of determining how effectively an entity being
assessed meets specific security objectives.” Security assessments are typically performed periodically, such as
annually or quarterly, and are often called periodic assessments. Continuous monitoring is defined as
“maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational
risk management decisions.”

3.1 Attack Monitoring: Organizations should continuously monitor their WLANs for both WLAN-specific
and general (wired network) attacks. The latter involves the same security controls as would be used for any
network-connected system in an organization. WLAN-specific attacks can typically be divided into two types:
passive and active. These attack classes, which are significant for monitoring purposes, are described below.

• Passive attack: an attack in which an unauthorized party only monitors WLAN communications; the attacker
does not generate, alter, or disrupt WLAN communications. There are two types of passive attacks:

1. Eavesdropping: The attacker monitors WLAN data transmissions for message content.

2. Traffic analysis (also known as traffic flow analysis): The attacker gains intelligence by monitoring the
transmissions for patterns of communication. A considerable amount of information is contained in the flow of
messages between communicating parties.

• Active attack: an attack in which an unauthorized party generates, alters, or disrupts WLAN communications.
Active attacks may take the form of one of the following types:

1. Masquerading: The attacker impersonates an authorized user to gain access to certain unauthorized privileges.

2. Replay: The attacker monitors transmissions (passive attack) and retransmits messages posing as the legitimate
user.

3. Message modification: The attacker alters a legitimate message by deleting, adding to, changing, or reordering
the message.

4. Denial of service (DoS): A DoS can occur inadvertently, such as other electronic devices causing interference,
or it can occur intentionally, such as an attacker sending large numbers of messages at a high rate to flood the
WLAN.

5. Misappropriation: The attacker steals or makes other unauthorized use of WLAN services.

A form of active attack that is particularly noteworthy is the deployment of rogue WLAN devices. For example,
an attacker deploys an AP that has been configured to appear as part of an organization’s WLAN infrastructure.
This can provide a backdoor into the wired network, bypassing perimeter security mechanisms, such as firewalls.
In addition, if client devices inadvertently connect to the rogue AP, the attacker can view and manipulate the
client devices’ communications (e.g., man-in-the-middle attacks), as well as potentially gaining access to the
client devices themselves.

3.2 Monitoring Tools: One of the primary tools for WLAN security monitoring is a wireless intrusion detection
and prevention system (WIDPS). A WIDPS has sensors placed at designated locations within an organization’s
facilities; these sensors monitor WLAN bands and channels to sample traffic, allowing them to identify WLAN
attacks and some WLAN vulnerabilities. WIDPS sensors are available in several forms:

• Dedicated: A dedicated sensor performs WIDPS functions but does not pass network traffic from source to
destination. Dedicated sensors are often completely passive, simply sniffing WLAN traffic. Some dedicated
sensors analyze the traffic they monitor, while other sensors forward the traffic to a management server for
analysis. The sensor is typically connected to a wired network. Dedicated sensors are usually designed for one of
two deployment types:

o Fixed: the sensor is deployed to a particular location. Fixed sensors usually depend on the organization’s
infrastructure for power, wired network access, and other resources.
o Mobile: the sensor is designed to be portable so it can be used from multiple locations or while in motion.
For example, a security administrator could use a mobile sensor while walking through an organization’s
buildings to find rogue APs.

• Bundled: Many APs and wireless switches offer some WIDPS capabilities as a secondary function.

3.3 Continuous Monitoring Recommendations: Organizations with WLANs should implement continuous
monitoring solutions for their WLANs that provide all of the following detection capabilities:

• Unauthorized WLAN devices, including rogue APs and unauthorized client devices

• WLAN devices that are misconfigured or using weak WLAN protocols and protocol implementations

• Unusual WLAN usage patterns, such as extremely high numbers of client devices using a particular AP,
abnormally high volumes of WLAN traffic involving a particular client device, or many failed attempts to join
the WLAN in a short period of time

• The use of active WLAN scanners (e.g., war driving tools) that generate WLAN traffic. The use of passive
sensors cannot be detected through monitoring controls.

• DoS attacks and conditions (e.g., network interference). Many denial-of-service attacks are detected by
counting events during periods of time and alerting when threshold values are exceeded. For example, a large
number of events involving the termination of WLAN sessions can indicate a DoS attack.

• Impersonation and man-in-the-middle attacks. For example, some sensors can detect when a device is
attempting to spoof the identity of another device.

Organizations with WLANs should also have the capability to identify the physical location of a detected WLAN
threat by using triangulation: estimating the threat’s approximate distance from multiple sensors by the strength
of the threat’s signal received by each sensor, then calculating the physical location at which the threat would
be the estimated distance from each sensor. This allows an organization to send appropriate personnel, such as
physical security staff, to the location to address the threat.
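
The triangulation step described above, as an added example (not part of the original notes). It assumes a log-distance path-loss model with a reference signal of -40 dBm at 1 m and a path-loss exponent of 3.0; both values, the sensor coordinates and the readings are constructed, and a real deployment would calibrate them per site.

```python
import math

# Assumed radio model (not from the notes): log-distance path loss.
RSSI_AT_1M_DBM = -40.0        # assumed signal strength 1 m from the device
PATH_LOSS_EXPONENT = 3.0      # assumed indoor attenuation

# Constructed sensor positions in metres on a floor plan.
SENSORS = [(0.0, 0.0), (30.0, 0.0), (0.0, 40.0), (30.0, 40.0)]


def rssi_to_distance(rssi_dbm: float) -> float:
    """Estimate distance (m) from the signal strength a sensor received."""
    return 10 ** ((RSSI_AT_1M_DBM - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))


def distance_to_rssi(distance_m: float) -> float:
    """Inverse model, used only to build the sample readings."""
    return RSSI_AT_1M_DBM - 10 * PATH_LOSS_EXPONENT * math.log10(distance_m)


def locate(readings):
    """Least-squares position from [(sensor_x, sensor_y, rssi_dbm), ...].

    Each reading defines a circle around its sensor. Subtracting the first
    circle's equation from the others leaves linear equations in (x, y),
    which are solved through the 2x2 normal equations.
    """
    if len(readings) < 3:
        raise ValueError("need readings from at least three sensors")
    x0, y0, r0 = readings[0]
    d0 = rssi_to_distance(r0)
    rows = []
    for xi, yi, ri in readings[1:]:
        di = rssi_to_distance(ri)
        a, b = 2 * (xi - x0), 2 * (yi - y0)
        c = d0**2 - di**2 + xi**2 - x0**2 + yi**2 - y0**2
        rows.append((a, b, c))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is ambiguous")
    return (sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det


def sample_readings(true_xy, noise_db=(0, 0, 0, 0)):
    """Constructed readings for a device at true_xy, with optional dB error."""
    tx, ty = true_xy
    return [(sx, sy, distance_to_rssi(math.hypot(tx - sx, ty - sy)) + n)
            for (sx, sy), n in zip(SENSORS, noise_db)]


if __name__ == "__main__":
    print(locate(sample_readings((10.0, 15.0))))                 # exact model
    print(locate(sample_readings((10.0, 15.0), (1, -1, 1, -1))))  # +/-1 dB error
```

With only 1 dB of measurement error per sensor the estimate moves by about three metres, so the result narrows a search area rather than pinpointing a device.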
3.4 Periodic Assessment Recommendations: Organizations with WLANs should conduct regular periodic
technical WLAN security assessments. These assessments should be performed at least annually to evaluate the
overall security of the WLAN. In addition, organizations should perform periodic assessments at least quarterly
unless continuous monitoring of WLAN security is already collecting all of the information about WLAN attacks
and vulnerabilities needed for assessment purposes. For example, an organization that does not have
comprehensive WIDPS coverage of its facilities should use mobile WIDPS sensors, WLAN scanners, or other
tools with similar capabilities to search for rogue WLANs in areas outside the WIDPS’s range.

The following are additional factors that organizations should consider when planning the frequency and breadth
of periodic assessments:

• The location of the facility being scanned, because the physical proximity of a building to a public area (e.g.,
streets and public common areas) or its location in a busy metropolitan area may increase the risk of WLAN
threats

• The security level of the data to be transmitted on the WLAN

• How often WLAN client devices connect to and disconnect from the environment, and the typical traffic levels
for these devices (e.g., occasional activity or fairly constant activity)—this is because only active WLAN client
devices are discoverable during a WLAN scan

• Physical changes to the facilities, such as construction projects that could affect the strength and propagation
of WLAN signals

7.3 Wireless security policies

a wireless network security policy for an enterprise. Consider the following recommendations:

Activate 802.11 encryption to make data unintelligible to unauthorized users. WEP has weaknesses, making
it inadequate for protecting networks containing information extremely valuable to others. There are some good
hackers out there who can crack into a WEP-protected network using freely-available tools. The problem is that
802.11 doesn’t support the dynamic exchange of WEP keys, leaving the same key in use for weeks, months, and
years. For encryption on enterprise networks, aim higher and choose WPA, which is now part of the 802.11i
standard. Just keep in mind that WPA (and WEP) only encrypts data traversing the wireless link between the
client device and the access point. That may be good enough if your wired network is physically secured from
hackers. If not, such as when users are accessing important information from Wi-Fi hotspots, you’ll need more
protection.

Utilize IPSec-based Virtual Private Network (VPN) technology for end-to-end security. If users need access
to sensitive applications from Wi-Fi hotspots, definitely utilize a VPN system to provide sufficient end-to-end
encryption and access control. Some companies require VPNs for all wireless client devices, even when they’re
connecting from inside the secured walls of the enterprise. A “full-throttle” VPN solution such as this offers good
security, but it becomes costly and difficult to manage when there are hundreds of wireless users (mainly due to
the need for VPN servers). As a result, consider implementing 802.11 encryption when users are operating inside
the enterprise and VPNs for the likely fewer users who need access from hotspots.

Utilize 802.1x-based authentication to control access to your network. There are several flavors of 802.1x
port-based authentication systems. Choose one that meets the security requirements for your company. For
example, EAP-TLS may be a wise choice if you have Microsoft servers.

Establish the wireless network on a separate VLAN. A firewall can then help keep hackers located on the
VLAN associated with the wireless network from having easy access to corporate servers located on different,
more secured VLANs (i.e., not accessible from the wireless network). In this manner, the wireless network is
similar to a public network, except you can apply encryption and authentication mechanisms to the wireless
users.

Ensure firmware is up-to-date in client cards and access points. Vendors often implement patches to firmware
that fix security issues. On an ongoing basis, make it a habit to check that all wireless devices have the most
recent firmware releases.

Ensure only authorized people can reset the access points. Some access points will revert back to factory
default settings (i.e., no security at all) when someone pushes the reset button on the access point. We’ve done
this when performing penetration testing during security assessments to prove that this makes the access point a
fragile entry point for a hacker to extend their reach into the network. As a result, provide adequate physical
security for the access point hardware. For example, don’t place an access point within easy reach. Instead, mount
the access points out of view above ceiling tiles. Some access points don’t have reset buttons and allow you to
reset the access point via an RS-232 cable through a console connection. To minimize risks of someone resetting
the access point in this manner, be sure to disable the console port when initially configuring the access point.

Disable access points during non-usage periods. If possible, shut down the access points when users don’t need
them. This limits the window of opportunity for a hacker to use an access point to their advantage as a weak
interface to the rest of the network. To accomplish this, you can simply pull the power plug on each access point;
however, you can also deploy power-over-Ethernet (PoE) equipment that provides this feature in a more practical
manner via centralized operational support tools.

Assign “strong” passwords to access points. Don’t use default passwords for access points because they are
also well known, making it easy for someone to change configuration parameters on the access point to their
advantage. Be sure to alter these passwords periodically. Ensure passwords are encrypted before being sent over
the network.

Don’t broadcast SSIDs. If this feature is available, you can avoid having user devices automatically sniff the
SSID in use by the access point. Most current computer operating systems and monitoring tools will automatically
sniff the 802.11 beacon frames to obtain the SSID. With SSID broadcasting turned off, the access point will not
include the SSID in the beacon frame, making most SSID sniffing tools useless. This isn’t a foolproof method
of hiding the SSID, however, because someone can still monitor 802.11 association frames (which always carry
the SSID, even if SSID broadcasting is turned off) with a packet tracer. At least shutting off the broadcast
mechanism will limit access.

Reduce propagation of radio waves outside the facility. Through the use of directional antennas and RF
shielding, you can direct the propagation of radio waves inside the facility and reduce the “spillage” outside the
perimeter. This not only optimizes coverage, it also minimizes the ability for a hacker located outside the
controlled portion of the company to eavesdrop on user signal transmissions and interface with the corporate
network through an access point. This also reduces the ability for someone to jam the wireless LAN - a form of
denial-of-service attack - from outside the perimeter of the facility. In addition, consider setting access points
near the edge of the building to lower transmit power to reduce range outside the facility. This testing should be
part of the wireless site survey.

Implement personal firewalls: If a hacker is able to associate with an access point, which is extremely probable
if there is no encryption or authentication configured, the hacker can easily access (via the Windows operating
system) files on other users’ devices that are associated with an access point on the same wireless network. As a
result, it’s crucial that all users disable file sharing for all folders and utilize personal firewalls. These firewalls
are part of various operating systems, such as Windows XP and Vista, and 3rd party applications as well.

Control the deployment of wireless LANs: Ensure that all employees and organizations within the company
coordinate the installation of wireless LANs with the appropriate information systems group. Forbid the use of
unauthorized access points. Mandate the use of approved vendor products whose security safeguards you’ve had a
chance to verify. Maintain a list of authorized radio NIC and access point MAC addresses that
you can use as the basis for identifying rogue access points.
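
One way to put the authorized MAC list to work, together with the event-count thresholds from the continuous monitoring recommendations in 7.2, as an added example (not part of the original notes). The log line format, MAC addresses, SSID and threshold values are all constructed assumptions; a real WIDPS exports its own format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy data: the authorized AP list and the SSID they serve.
AUTHORIZED_APS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
CORPORATE_SSID = "corp-wlan"
WINDOW = timedelta(seconds=60)
THRESHOLDS = {"deauth": 5, "auth_fail": 5}   # events per AP per window

# Constructed sensor log, one "time event bssid ssid-or-client" per line.
SAMPLE_LOG = "\n".join(
    ["2024-05-01T09:00:00 beacon 00:11:22:33:44:01 corp-wlan",
     "2024-05-01T09:00:01 beacon 66:77:88:99:aa:bb corp-wlan",
     "2024-05-01T09:00:02 beacon 02:00:00:00:00:10 cafe-guest"]
    # six session terminations against one AP within 30 seconds
    + [f"2024-05-01T09:01:{s:02d} deauth 00:11:22:33:44:02 aa:aa:aa:00:00:{s:02d}"
       for s in range(0, 30, 5)]
    # six failed joins, but spread one per minute
    + [f"2024-05-01T09:{m:02d}:00 auth_fail 00:11:22:33:44:01 bb:bb:bb:00:00:01"
       for m in range(10, 16)]
)


def detect(log_text):
    """Return [(alert, bssid, first_seen)] for rogue APs and event floods."""
    alerts, seen = [], set()
    recent = defaultdict(deque)          # (event, bssid) -> times in window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, event, bssid, detail = line.split()
        ts = datetime.fromisoformat(ts_str)
        bssid = bssid.lower()
        if event == "beacon":
            # An unlisted AP advertising the organization's SSID is posing
            # as part of its WLAN; other SSIDs are neighbouring networks.
            if detail != CORPORATE_SSID or bssid in AUTHORIZED_APS:
                continue
            key = ("rogue_ap", bssid)
        elif event in THRESHOLDS:
            times = recent[(event, bssid)]
            times.append(ts)
            while ts - times[0] > WINDOW:    # drop events outside the window
                times.popleft()
            if len(times) <= THRESHOLDS[event]:
                continue
            key = (event + "_flood", bssid)
        else:
            continue
        if key not in seen:                  # report each condition once
            seen.add(key)
            alerts.append(key + (ts_str,))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The failed joins in the sample never raise an alert because they are spread over six minutes, which shows why the threshold is counted per time window rather than in total.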

***********
