امنیت شبکه توری بی سیم: رویکرد مدیریت مهندسی ترافیک

The wireless mesh network (WMN) is an emerging multihop, heterogeneous, easily scalable and low cost network. The architecture of the WMN is a connectionless-oriented, mobile and dynamic traffic of routed packets. The mesh infrastructure environment easily forms multiple chains of wireless LANs (WLAN) coupled with the simultaneous multihop transmission of data packets from peripherals via mobile gateways to the wireless cloud. WMN operates as an access network to other communication technologies. This exposes the WMN to numerous security challenges not only in the mesh transmission operation security but also in the overall security against foreign attacks. We surveyed and identified the security vulnerabilities in Internet Protocol (IP) broadband networks, the security challenges in the routing layer of the WMN and explored new concepts to solving security challenges in WMN using traffic engineering (TE) security resolution mechanisms. We analyzed the advantages, comparative strengths and weakness in the use of traffic engineering based on simulation results and evaluations.

The WMN (Akyildiz et al., 2005, Jun and Sichitiu, 2008, Bruno et al., 2005 and Chen et al., 2008) as shown in Fig. 1 comprises the mesh routers, mesh clients and the mesh backbone infrastructure. The mesh clients are mobile and dynamic while the mesh router has static or minimal mobility. These mesh routers form the backbone infrastructure of the WMN, while the mesh clients form two level of nodes operation: at the peripherals and on the access points (AP).The WMN is similar in operation to the Mobile ad hoc network (MANET) and it employs a multihop routing mechanism from source node to destination node. However, unlike the MANET, WMN uses multiple interfaces and multiple radio frequencies. Furthermore, it uses high speed back-haul network and gateways to optimize network performance and integration with other wireless networks. The mesh routers can also be gateway nodes to the exterior internet cloud or to other networking technologies. These mesh routers operate as bridging points in inter-network and integration with other wireless devices. The AP is a node interface for hosting and retransmission; it provides integration between the mesh client and the mesh backbone infrastructure in WMN. The WMN is self-configuring, self-organizing and self-healing. These qualities make the WMN an excellent wireless access technology for multimedia and community broadband (IEEE 802.16) (Johnston and Walker, 2004). WMN is an IEEE 802.11s standard (Hiertz et al., 2007) with extensive work being done by workgroups on achieving a standard for its different challenges and protocols. The modifications and adaptations of the ad hoc networks are mostly on the security and routing protocol of WMN. This has led to the adoption of wireless local access network (WLAN, IEEE 802.11i) security and WI-FI protected access (WPA) (Malekzadeh et al., 2005) for WMN. However, improvements by the standardization forums have seen enhancement in the authentication, encryption and integrity of WMN security. Moreover, as most wireless networks are now mostly seen as access-networks to internet or internet service providers (ISP), the Internet Protocol (IP) are easily configurable in achieving a better comprehensive security in the WMN architecture. The WMN unlike the ad hoc networks has commercial qualities, such as it is easily scalable, mobile and dynamic; but these characteristics also create security lapses in the WMN routing operations and MAC layer of the WMN protocol. In 2004, IEEE 802.11i formed a task group (TG) (IEEE Standards, 2004) to prepare and improve the standardization of the WMN. TG was to ratify and prepare the standard amendment to meet the targeted requirement for WMN (IEEE 802.11s). The use of WMN as gateway access to community broadband internet has created an increasing requirement for secure wireless communication operations. In response to the high commercial demand for multimedia and broadband network operation, due to its low cost and easy operation, highly sensitive application created a necessity for an effective and comprehensive security mechanism in WMN. WMN operates as access underlying network for broadband. The broadband are dependable and appropriate for many important communication operation and application like voice, data and multimedia services. WMN access for broadband communication networks is both interoperable and easily complementary. Many wireless network applications utilize the broadband network for connection to the internet. WMN, similar to other network applications, makes use of IP addressing and configuration. Most of the transceiver-IP nodes in the WMN are mesh clients and routers with gateway functions operating as access to the internet. Furthermore, the mesh routers act as backbone network, while the mesh clients use medium access control (MAC) addresses for frame transmission among neighborhood network nodes. The IP addresses are enabled by configuration and are either dynamically or statically assigned in the network routing protocol layer. Other layers of the WMN like the transport and session layer protocols transmit routed packets after encapsulation of the data traffics in IP datagram—user datagram protocol (UDP) or transmission control protocol (TCP). WMN provides a good potential commercial access for community broadband and multimedia networks. The broadband networks are increasingly popular due to the upsurge in internet applications and electronic commerce (e-commerce). WMN is easily scalable over increasing network sizes and provides a low cost and low battery consumption network. It also has an added ease of integration with other wireless and wired networks. The architecture and operation show a hierarchal transmission of traffic and network notification packets through the peripheral (client) nodes through the AP nodes to the backbone wireless mesh router nodes via router gateways to the wireless clouds (internet). The routing operation of these data traffic over wireless mesh architecture network creates a vulnerable security system caused by the multihop traffic transmission and loose node-to-node data exchange during inter-node authentication mechanism, while routing neighborhood nodes information and exchanging new nodes updates. In addition, the multihop behavioral characteristics of the WMN create challenges on the security of the traffic operations while in transmission through the gateway to the wireless cloud. The dynamic topology updates further expose the whole network security to persistent and corruptible attacks. The reliability and authentication (Khan and Akbar, 2006) of data traffic in WMN during neighborhood nodes exchanges through link state and in routing operations are loose and very insecure. The ease in WMN integration with other wireless nodes and communication networks, like in broadband and multimedia, has also established the necessity for an unyielding privacy protection and security mechanism (Zheng et al., 2005, Salem and Hubaux, 2006 and Milanovic et al., 2004). The distributed-sequenced mechanism in the network’s MAC channel frames also creates susceptibility t o attacks while the mobile mesh client nodes and its consequent dynamic topology in the wireless mesh infrastructure also establish the need for more effective, resilient and comprehensive security system in WMN. The constraint in WMN security creates the challenge of possible attacks by invasive worms and viruses, when on attack through simple dynamism of mesh become distributed in the architecture. These attacks compromise the confidentiality and integrity and violate the privacy of the network users. Furthermore, the nodes can also be compromised by the operation of traffic transmission, unverified router information exchange traffic and network notification infiltration. Finally, there are other attacks on the WMN, from physical vandalism to external physical destruction of the hardware. All these consist of possible constraint on the security of the WMN. There is still a requirement for a comprehensive security mechanism to prevent attacks and counter-attacks in all the different protocol layers and usage of WMN. The WLAN, which is a subset of WMN security mechanisms, employ the Wi-Fi protected access (WPA2/IEEE 802.11i) (Kuhlman et al., 2007) to provide standard authentication, access control and encryption between wireless nodes and AP in the WMN. There are several WMN architectures and their security varies with the variation in infrastructure. In addition, these existing security mechanisms may work perfectly in ad hoc networks, but however in Mobile Ad hoc Networks (MANET) and WMN, which use mobile node clients and either mobile or static mesh routers, there is a requirement to develop a mesh-managed security mechanism to adapt the WMN transmission traffic operations and dynamic architecture. The Wi-Fi Protected Access (WPA) was supposed to be the solution to several weaknesses noticed in the previous wireless networks with wired equivalent privacy (WEP) (Lashkari et al., 2009). WPA implements most of the IEEE 802.11i standard and was a transitional measure in place of WEP while the standard was being prepared. WPA works with all wireless network interface cards; however, it is not compatible with first generation wireless access points. WPA2 implements the full standard and offers better security. WPA uses a less secure “pre-shared key” (PSK) (Bulbul et al.) mode mechanism on IEEE 802.1X authentication servers, which distributes different keys to each user in the network. The routing protocol of the WMN carries out most of the routing and transmission of data. The mechanisms of routing are diverse and depend on the dynamic topology and traffic existing in the network. The IP enabled nodes and mesh routers in the WMN architecture are mostly internet gateway nodes. These IP nodes Mesh clients (IP nodes) connect to the wireless cloud through IP enabled addressing, configuration and logical TE through secured interface routing. In TE, the Multi-Protocol LAN Switching (MPLS) (Sen, 2009) uses the label switching mechanism technique to forward traffic data through the network from source to the destination using segregated best paths. It provides packet encapsulation, which creates secure paths for data traffic transmission too. This mechanism also offers a secured and reliable alternate path for routed packets in the network. The TE (Suri et al., 2003) mechanism is a concept using data traffic management rules (configuration and access-list) to address internet and gateway protocols data transmission and routing best path determination. This technique also addresses the security, route selection, best path and the consequent effect of bandwidth optimization through these processes. In the remaining parts of this paper, Section 2 will discuss the different security challenges and threats in the WMN while the existing security solution mechanism will be evaluated with a bias to traffic engineering security resolutions in WMN. The different Multi-protocol TE techniques to resolve the different security challenges in WMN will be discussed in Section 3. In Section 4, technical design, metric formulation and security scenario testing, evaluation and analysis using TE management technique model in WMN security will be discussed. Section 5 will be the summary.

In the paper we explored the security threats in WMN over a broadband network. Determination and investigation of the security solution using traffic engineering mechanism were explored. We tested the influence of security mechanisms over increased traffic loads and hop-count. For multi-layer comparative analysis with the traditional 802.11i we conducted a test for the observation of the influence of node mobility in a multihop scenario. Further evaluation was done on the network load influence, end-to-end traffic delays and delivery ratio in attack simulated scenarios. Observations of the technical advantages using a derived and adapted technique in traffic engineering were carried out. The proposed VPN-IPsec solution applied to the WMN security challenges and weakness showed enhanced overall performance. Severe security threats such as DDoS also showed comparatively more effective security resolution in WMN. The proposed management model security technique demonstrated that a distributed security failure caused by traffic flooding, greyhole and blackhole DDoS in WMN security can be prevented and resolved using VPN-IPsec. The security model showed efficient performance in intrusion detection and prevention mechanism too. Analysis of our investigation showed high performance in the different metrics used. In our analysis, we noticed that it will be very hard to provide an effective security for multi-hopped wireless mesh network because of its inherent architectural weakness. However, we propose a mutual combination and use of cooperative IP communication security mechanisms in the prevention and defense of security threats and attacks in the WMN as shown by the IPsec and MPLS-VPN technique. The VPN-IPsec through authentication, encryption, cryptography and tunneling and IP security configuration and operational mechanisms of the MPLS-TE lowers the overhead and processing of the WMN. The improved VPN-IPsec integrates most the security measures needed to comprehensively secure both the data traffic and the infrastructure wireless mesh network.