Emergency Support Function 18 Wireless Plan (802.11 capabilities)
Wireless Mobility Guide
for the support of
The Apple Gate Fire Staging Area
Author:
Dave Sweigert, CISA, CISSP, EMT-B, HCISPP, PMP, SEC+
Wireless Security, CNT 67
2,525 words
dsweigert@itrdc.net
DISCLAIMERS
This work is a copyright protected product and not an open source freeware
work. Credit must be given to the author if any portion of this document is
referenced by a third party. This document does not constitute an
endorsement (implied and/or expressed) by the institutions and/or
organizations described herein; Las Positas College and/or Information
Technology Disaster Resource Center, etc. This work is part of a non-profit
scholarly research and education project and all opinions expressed herein
are those of the author (unless otherwise cited). No warranty or liability is
provided with this document. Persons relying on the information contained
herein do so at their own risk. All places, persons, scenarios described are
fictional and provided for the sole purpose of scholarly research.
ABBREVIATIONS USED IN THIS DOCUMENT
802.11 Wireless networking standard
Access Point An entry point into a wireless LAN
BYOD Bring Your Own Device
CalFIRE California Department of Forestry & Fire Protection
CalOES California Office of Emergency Services
COML Communications Unit Leader
CST Civil Support Team
DHCP Dynamic Host Configuration Protocol
EOC Emergency Operations Center
GHz Gigahertz
Gbps Gigabits per second
IEEE Institute of Electrical and Electronics Engineers
IP Internet Protocol
ITRDC Information Technology Disaster Resource Center
LAN Local Area Network
MAC Media Access Control
Mbps Megabits per second
MHz Megahertz
OSI Open Systems Interconnection (Reference Model)
POP3 Post Office Protocol (version 3)
PDA Personal Digital Assistant
INTRODUCTION
This paper serves two purposes: (1) to fulfill the requirements for the Las
Positas College Wireless Security technology course (CNT 67) and (2) to
leverage the subject matter into a document that may be used for discussion
purposes by the Information Technology Disaster Resource Center (ITRDC),
which has not participated in the development of this document.
This document will follow the best industry practices proposed by
government response agencies and the technology sector for the timely,
efficient, secure and robust deployment of temporary core Information
Technology (I.T.) infrastructure to support a Type 3, multi-jurisdiction,
multi-agency composite All Hazards Incident Management Team (AHIMT).
Current State Assessment
A 10,000 acre wildland fire (the Apple Gate Fire) has engulfed parts of Los
Angeles County, Kern County, the Angeles National Forest, and the cities of
Palmdale and Lancaster, and is threatening Wildwood, California. Dozens of
fire apparatus are arriving hourly at a staging area located near the Agua
Dulce executive airport (see Annex; Exh. 1). A preliminary base camp has been
established at the airport that will need to accommodate 300 – 500 incident
personnel overnight. Local resources have been exceeded and an emergency
call has gone out to the Region IX ITRDC to provide supplemental wireless
capability (WiFi). The present AHIMT Communications Unit Leader (COML) has
informed ITRDC that they should have their capability operational within six
(6) hours to accommodate shift changes occurring at approximately 1800 hours
(6 pm) that evening. The COML has made the request under the newly created
Emergency Support Function (ESF 18) – Cyber Security.
Essential requirements:
Shall not interfere with aviation services or communications
Shall provide morale, health and welfare text messages and e-mail
Shall not allow uploading of imagery, videos, graphics files, etc.
Shall provide a connection limit of ten (10) minutes before disconnection
Shall accommodate e-mail (POP3) on Bring Your Own Devices (BYOD)
The area requiring wireless connectivity is seen in the figure below (see red
perimeter marked “Staging”).
An Incident Radio Communications Plan (Incident Command System (ICS)
form 205) has been provided to the team. 116 – 125 MHz, 140 – 150 MHz,
220 – 225 MHz and 3.5 to 3.7 MHz are the primary radio channels in use.
The California National Guard Civil Support Team will have a Unified
Command Suite available to accommodate a telephone grade (14.4 kbps)
satellite uplink for the morale, health and welfare WiFi segment (see Annex;
Exh. 2 & 3). The air side of the downlink will be routed to the U.S. Army
satellite ground earth station, which will establish a Virtual Private Network
(VPN) with the State Emergency Operations Center at Mather, California,
operated by the Governor’s Office of Emergency Services (CalOES).
Site Survey
Physical Security: Entrance to the staging area is controlled by law
enforcement at the outer perimeter.
RF Sweep: An RF sweep of the vacant area where coverage is needed
revealed:
Frequency         Signal strength
118 – 125 MHz     -30 to -45 dB
140 – 150 MHz     -40 to -55 dB
220 – 230 MHz     -20 to -35 dB
3.5 – 3.9 MHz     -45 to -60 dB
NOTE: 123.975 MHz is the Air Attack frequency (see Annex; Exh. 6)
No other wireless local area networks (LANs) were seen in the Institute of
Electrical and Electronics Engineers (IEEE) 802.11 spectrum. The airport
does not maintain Ground Controlled Approach (GCA) RADAR.
Electrical power: Steady 110 VAC will be provided at 60 AMPs to the ITRDC
mobile communications van (see Annex; Exh. 4). The communications van
has a self-contained 50 AMP generator back-up.
Vehicle congestion: The staging area (Annex; Exh. 5) will most likely
accommodate nearly 100 public safety vehicles. Many of the fire apparatus
vehicles extend 10 – 12 feet in height, are made of metal and have
communications equipment. BYOD WiFi should accommodate this
environment.
Planned System Requirements
Requirement                          Higher Limit             Lower Limit
Simultaneous users                   250                      50
Hourly throughput                    10 Gbps                  100 Mbps
Text message length                  10 Kbytes                100 bytes
Client fingerprinting                iPad, iPhone, Android    Laptop WiFi
Video / voice                        Blocked                  Blocked
802.11 dual band with band steering  a/b/g/n                  N (2.4 GHz)
(Annex, Exh. 8)
System Plan
As time is of the essence, a brief market survey was conducted concerning
commercial off-the-shelf (COTS) exterior (outdoor) access points.
Drone Access Points (AP): There shall be one (1) core access point to
Internet connectivity at a centralized location near the communications
command van. The core of this AP will be the Meraki MR58 described below,
operating at 802.11n/g. Two (2) “drone repeater” APs (with no Internet
access at the drone site (Annex, Exh. 9)) will receive 2.4 GHz 802.11g WiFi
signals (Channel 6 and Channel 11 respectively) and rebroadcast them
(cross-band) on 5 GHz to the core AP (Meraki MR58). The drone APs will
rely on two (2) NETGEAR Wireless Router N600 Dual Band Gigabit (WNDR3700)
units (with two (2) spares as back-up). These routers will be configured
with the DD-WRT software to facilitate routing (DD-WRT, 2014) (Annex, Exh. 10).
Back Channel: It is anticipated that a throughput of 150 Mbps can be
achieved between the two (2) drone repeaters (converting 2.4 GHz to 5 GHz
for back channel relay) and the AP (Meraki MR58) that has connectivity to
the Internet core infrastructure.
Root Node AP: The Meraki MR58 (Annex, Exh. 7) has two paddle-shaped 5 GHz
antennas that can be paired to act as a collection point backbone for two
remote access points (AP) operating at 2.4 GHz (see figure below) (Cisco,
2009).
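As an added example (not part of the plan), the frequency deconfliction check an installer would run on this layout: it confirms that the two 2.4 GHz client channels (6 and 11) do not overlap each other and that no planned 802.11 channel falls inside the incident radio bands listed on the ICS-205 and in the RF sweep. The 5 GHz backhaul channels 36 and 44 used in the demonstration are assumed values, not from the plan.

```python
from typing import List, Tuple

Band = Tuple[float, float]  # (low_mhz, high_mhz)

# Incident radio bands in MHz, taken from the plan's ICS-205 summary and RF
# sweep, plus the 123.975 MHz Air Attack frequency as a 25 kHz wide channel.
INCIDENT_BANDS: List[Band] = [
    (116.0, 125.0), (140.0, 150.0), (220.0, 230.0), (3.5, 3.9),
    (123.975 - 0.0125, 123.975 + 0.0125),
]

def channel_center_mhz(channel: int) -> float:
    """Center frequency of an 802.11 channel (2.4 GHz: 1-13, 5 GHz: 36-165)."""
    if 1 <= channel <= 13:
        return 2407.0 + 5 * channel
    if 36 <= channel <= 165:
        return 5000.0 + 5 * channel
    raise ValueError(f"unsupported 802.11 channel {channel}")

def channel_band(channel: int, width_mhz: int = 20) -> Band:
    """Band (low, high) occupied by a channel of the given width."""
    center = channel_center_mhz(channel)
    return (center - width_mhz / 2, center + width_mhz / 2)

def overlaps(a: Band, b: Band) -> bool:
    return a[0] < b[1] and b[0] < a[1]

def deconflict(channels: List[int], width_mhz: int = 20) -> List[str]:
    """List conflicts among the planned channels and against the incident
    bands; an empty list means the layout is clear."""
    bands = {ch: channel_band(ch, width_mhz) for ch in channels}
    ordered = sorted(bands)
    problems = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if overlaps(bands[a], bands[b]):
                problems.append(f"channels {a} and {b} overlap")
        for low, high in INCIDENT_BANDS:
            if overlaps(bands[a], (low, high)):
                problems.append(f"channel {a} overlaps incident band {low}-{high} MHz")
    return problems

if __name__ == "__main__":
    # Planned layout: drone clients on 2.4 GHz channels 6 and 11; the 5 GHz
    # backhaul channels 36 and 44 are assumed values, not from the plan.
    print(deconflict([6, 11, 36, 44]) or "no conflicts")
    # Counter-example: channels 6 and 8 are only 10 MHz apart and collide.
    print(deconflict([6, 8]))
```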
NOTE: There are three radios in the MR58. One (R3) always operates in a
2.4 GHz (802.11 a/b/g/n) channel (pictured in blue circle). The other two
(R1 and R2) always operate in different 5 GHz (802.11n) channels (pictured
in green cones). (Cisco, 2010)
Restated, each individual N600 “drone” operates as two APs (2.4 GHz / 5
GHz) to form a MAC repeater link. Thus, two drones create four APs (two
MAC repeater links). The two drones are “[d]ual radio devices that do an
access point on 2.4GHz and backhaul that traffic via 5.8GHz to a wired root
node” (SNB Forum, 2011).
The two “paddle” antennas (shown as green above) will create a cone of RF
coverage (5 GHz) in a line extending southwest to northeast.
As seen above, the drone repeaters (2.4 GHz conversion to 5 GHz relay) are
within the directional green cone of radio frequency (RF) coverage.
Operational parameters of the N600 (WNDR3700):
Up to 130 Mbps at 2.4 GHz and 300 Mbps at 5 GHz
Default I.P. address: http://192.168.1.1
Default SSID: NETGEAR (to be changed)
DHCP should be turned off (for drone repeaters)
NOTE: For the drone option the N600 routers should have “Access Point”
disabled; quoting NETGEAR:
“There is a new feature on new routers that lets you easily configure the
router as a wireless access point. Once a router becomes an AP or an access
point, it will lose all of its router functions such as port forwarding, DHCP
server and many more. It will act as a simple wireless gateway and its sole
purpose is to provide wireless connection.” (NETGEAR, 2013)
See “Enable Bridge Mode (use as MAC repeater)” (NETGEAR, 2012).
NOTE: “Important Trick: I temporarily plugged the new Netgear's yellow
"external network" directly into the FIOs ActionTec so the Netgear could
update its firmware the first time and get the initial setup wizard would stop
nagging me. The router expects to be hooked up in this way at least initially,
so you need to satisfy its setup” [emphasis added] (Hanselman, 2011)
In essence, the foregoing network descriptions create a large area network
relaying at Open Systems Interconnection (OSI) layer two (2) (the Data Link
Layer). This means that higher level functions (Network layer, layer three
(3)) will be the responsibility of the wired root node (center of network,
with wired Internet access).
NOTE: The IEEE P802.11 Task Group has been working on standards to
specify how such a “mesh” type of MAC repeater wireless network should
operate. However, standards are not yet available from the “mesh networking”
task group. (IEEE, 2014)
Security
The drone repeaters configured with the NETGEAR N600 will be limited to
128-bit Wired Equivalent Privacy (WEP) encryption due to limitations in the
DD-WRT router software. Due to the remoteness of the staging area and the
difficulty in “cracking” the WEP encryption, it was deemed an appropriate
risk to rely on WEP as opposed to more advanced encryption. A complex
password will be used in conjunction with the WEP WiFi:
PASSWORD EXAMPLE: f1r3_$T@G1NG
To reduce the need for password resets, the phrase “FIRE STAGING” is relied
upon, with substitution characters for alphanumerics of similar shape.
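An added check (not part of the plan) for the key-format constraint that applies here: WEP-104 (“128-bit”) keys are fixed at exactly 13 ASCII characters or 26 hex digits, so a proposed key should be validated before it is entered on the N600 drones, and the plan's example key is classified along with a constructed 13-character variant; the underlying_phrase helper is an illustration of why shape substitutions add little guess resistance.

```python
import re

# Key lengths fixed by the WEP standard: WEP-40 keys are 5 ASCII characters or
# 10 hex digits; WEP-104 ("128-bit") keys are 13 ASCII characters or 26 hex digits.
ASCII_LENGTHS = {5: "WEP-40", 13: "WEP-104"}
HEX_LENGTHS = {10: "WEP-40", 26: "WEP-104"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")

# Shape substitutions like those in the plan's example are standard mangling rules
# in password-guessing tools, so a key built this way is only as strong as the
# phrase underneath it.
LEET = str.maketrans({"1": "i", "3": "e", "@": "a", "$": "s", "0": "o", "4": "a",
                      "5": "s", "7": "t"})

def classify_wep_key(key: str) -> dict:
    """Describe a proposed WEP key: its type, hex form and any length problem."""
    info = {"key": key, "type": None, "hex": None, "problem": None}
    if HEX_RE.fullmatch(key) and len(key) in HEX_LENGTHS:
        info["type"], info["hex"] = HEX_LENGTHS[len(key)], key.lower()
    elif key.isascii() and key.isprintable() and len(key) in ASCII_LENGTHS:
        info["type"], info["hex"] = ASCII_LENGTHS[len(key)], key.encode().hex()
    else:
        info["problem"] = (f"{len(key)} characters: WEP-104 needs exactly 13 ASCII "
                           "characters or 26 hex digits (WEP-40: 5 or 10)")
    return info

def is_valid_wep104(key: str) -> bool:
    return classify_wep_key(key)["type"] == "WEP-104"

def underlying_phrase(key: str) -> str:
    """Undo the shape substitutions to show what a guessing tool tries first."""
    return key.translate(LEET).lower()

if __name__ == "__main__":
    # The plan's example key, a constructed 13-character variant, and a hex key.
    for candidate in ("f1r3_$T@G1NG", "f1r3_$T@G1NG!", "0123456789abcdef0123456789"):
        print(classify_wep_key(candidate))
    print(underlying_phrase("f1r3_$T@G1NG"))  # fire_staging
```

The plan's example key is 12 characters, one short of a valid WEP-104 ASCII key, which the check reports as a problem.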
SSID Broadcast. Although some believe that an SSID broadcast is a security
risk (advertising the presence of a WiFi capability), this risk has been
mitigated due to the remoteness of the staging area. Therefore, SSID
broadcast will be turned on:
SSID: STAGING-MHW (Morale, Health & Welfare)
The drone router (N600) is shipped with a default username and password
(admin/password), which shall be changed prior to operation (ANNEX, Exh.
11).
Simultaneous Connections: Industry sources report that the N600 can
accommodate up to 600 simultaneous connections. Optimal for this
application is considered 50-75; however, if possible a 100 connection limit
will be configured (NETGEAR Forum, 2010). The 100 connection limit is not
considered mandatory.
Caveat: The link for the DD-WRT image that can be “flashed” to the N600
can be found in the Reference portion of this document (FLASH,
2014)(ANNEX, Exh. 12). The operational manual link is also in the
references (NETGEAR, 2010).
WiFi Router Positioning: The drone WiFi routers will be positioned atop a 25
foot fiberglass emergency public safety tower (ANNEX, Exh. 13).
Solar Panels and Battery Back-up: Considered and deemed not necessary.
There will be 120 VAC 30 AMP power provided to the location of the portable
tower.
Wired Root Node: The “wired root node” (Meraki MR58) will have firewall
operations based upon the pfSense application (see photo below) (pfSENSE,
2014).
pfSense will provide the following:
Web filtering and block certain downloads (streaming videos)
Blocking countries and certain I.P. ranges
Act as DHCP server to assign addresses to end-points (BYOD)
Caveat: Civil Support Team communications van uplink will distribute data to
the State Emergency Operations Center at Mather, California. Therefore,
this will be considered a point-to-point link (staging area to EOC/Mather).
Management
Responsibility matrix (Job Function: General Duties)
COML: The Communications Unit Leader is the “buck stops here” point of
contact for the escalation of important matters. Oversees the entire
incident communications and electronics.
COMT: The Communications Technician is the chief technical advisor to the
COML on issues of telephones, fax machines, data gateways, etc.
Ass’t COMT: It is highly likely that the task leader for the establishment
of this function (described in this booklet) may be appointed as a deputy
COMT or Ass’t COMT. (Annex, Exh. 14)
Installer: The Installer shall take direction from any of the above
individuals to locate appropriate resources and to install the physical
components of this system, to include wires, masts, computer stations,
Ethernet cables, modems, etc.
Network Engineer: The Network Engineer shall configure the technical
details of the equipment described in this booklet, to include the DD-WRT
WiFi enabled modems, other ancillary 802.11 equipment, pfSense firewall,
management desktop workstation, etc.
SAFETY NOTE: The incident Safety Officer, or Assistant Safety Officer, can
terminate the operations of this system for any reason at their discretion.
Observations of unsafe behavior, unsafe practices, horseplay, sloppy cabling,
etc. can lead to complete termination of this capability. Individuals called
out by the safety officer can be asked to leave the incident site and have a
follow-up communication with their home unit concerning observable areas
of behavior.
All personnel supporting this installation must receive a safety briefing
concerning electrical hazards, trip hazards, night time operations, inclement
weather, etc. Guy wires shall have flagging tape placed on them. Electrical
cables shall be placed as to not form a trip hazard.
COMMUNICATIONS NOTE: Team communications shall take place on a non-
command channel radio frequency to be assigned by the COML.
Network – Documentation
Installation Plan
Major activities (Activity: Description. Duration)
Preliminary site survey: Identification of the location of drone repeater
antenna masts. Prepare management laptop console physical placement (and
wired root access point). Duration: 2 hours
Cabling: Lay electrical cables, power cables, Internet cables (remember
safety). Duration: 2 hours
Configuration: Most equipment will be pre-configured per this booklet.
Change admin passwords and defaults, establish connectivity with Mather
EOC. Duration: 2 hours
End-to-end comm testing: Check ability to (a) obtain BYOD signal, (b) draft
e-mail message, (c) connect with remote POP3 mail server, (d) transmit
e-mail to self, (e) receive e-mail. Duration: 4 hours
Testing
On-going testing will be executed during the planned operational period by
roving field personnel that will conduct Quality of Service (QoS) checks with
their individual BYODs.
Re-assessment
Following the deployment of this capability an After Action Review (AAR) and
Improvement Plan (IP) (AAR/IP) will be conducted. A “lessons learned”
collection document will catalogue feedback from end-point subscribers,
command staff, technical staff and other relevant third parties that have
input.
Update Plan
This plan has been developed for a one-time event. It can be reviewed and
updated for future events.