Networking Forums

Isolating subscriber's nets?

 
 
RZ
Guest
Posts: n/a

 
      04-06-2004, 01:31 AM
Can someone explain how multiple subscribers on one access point are
isolated? I.E. preventing them from seeing each other's network.

I am thinking of using Trango or Motorola Canopy.

Thanks,
-
Robert



 
gary
Guest
Posts: n/a

 
      04-06-2004, 02:27 AM
They are not isolated. Wifi is completely analogous to old-fashioned
Ethernet, with multiple subscribers tapped into a single coax cable, or
connected by twisted pair to a shared-bandwidth hub. The shared radio
channel is the analog of the coax cable or the hub's backplane. Everyone can
intercept everyone else's traffic (without being detected), and any attempt
to transmit might result in a collision that could cause everyone to back
off. The main protocol difference is that 802.11 is collision-avoidance
rather than simply collision detect - there is an attempt to share timing
information to reduce the likelihood of transmit collisions. There is also
an optional protocol to reserve bandwidth (RTS/CTS).

If WEP or WPA are used to encrypt user data between clients and AP, then (in
principle) everyone's data is isolated because (in principle) different
users can use different keys. In practice, WEP limits the system to 4 active
keys, so if you have more than 4 users, some pair of users are encrypting
with the same key. WPA solves that problem. At a typical public hotspot, no
form of encryption is used, and you should assume that everyone at the
hotspot could read everything you send or receive, if they have the right
kind of software.

There are also bridging routers that support VLAN-style network segmenting,
but this isn't so much for security as for performance. If you want to
ensure that your data is private, you need to use VPN, SSH, or some other
endpoint-endpoint security method.

RZ
Guest
Posts: n/a

 
      04-06-2004, 06:15 AM
Aren't professional access points like Trango layer two devices?
According to Trango's user's manual, pg 56, each subscriber can
be assigned a SU to SU group ID. Only those users in the same
group can ping or access each other.
http://www.trangobroadband.com/pdfs/...UserManual.pdf
 
gary
Guest
Posts: n/a

 
      04-06-2004, 07:48 AM
I obviously didn't read the last sentence of your original post. Trango and
Canopy are not 802.11 systems, so what I said doesn't apply. As soon as I
saw the phrase "access point", I assumed you were referring to 802.11, since
that is the topic of this newsgroup.

Both of these systems are proprietary (not 802.11-compliant) radio designs.
I think they both use some form of TDM (time-division multiplexing) to
guarantee collision-free full duplex and QOS (quality of service) for things
like voice over IP. The Trango manual says:

Authentication of SUs is performed using a secure, proprietary method at the
MAC level, and thus all forms of Ethernet traffic and unlimited IP addresses
will pass seamlessly over the system.

so good luck getting information about the details. I imagine per-user
encryption of some kind is at least an option, and even if it isn't, using
TDM makes it easy to keep the users separate. Each user unit gets its own
set of timeslots for transmit and receive, which are probably assigned by
the AP during network association. There's probably no obvious way for a
user to program his unit to snoop someone else's slots, and no cheap
equipment a hacker could get hold of to receive and decode in promiscuous
mode.

That's just my guess, could be completely off base.


James Knott
Guest
Posts: n/a

 
      04-06-2004, 10:39 AM
gary wrote:

> If WEP or WPA are used to encrypt user data between clients and AP, then
> (in principle) everyone's data is isolated because (in principle)
> different users can use different keys. In practice, WEP limits the system
> to 4 active keys, so if you have more than 4 users, some pair of users are
> encrypting with the same key.


If they're all on the same access point or network, using different keys
will not make any difference. The WEP keys protect only the radio part of
the connection.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 
RZ
Guest
Posts: n/a

 
      04-06-2004, 02:13 PM
Gary,

Thanks for the great clarification! I selected this newsgroup because
I Googled newsgroups for Canopy and Trango, got many hits for
alt.internet.wireless.
Wonder if there's a more apropos group?

Regards,
-
Robert

gary
Guest
Posts: n/a

 
      04-06-2004, 03:22 PM
This is NOT 802.11 equipment. I seriously doubt they use WEP or WPA.
Although all SUs transmit on the same frequency (for Trango, at least, the
same 5 Mhz UNI bands used by 802.11a), and in theory all stations can snoop
the band, in practice you would need a very expensive piece of equipment
designed to receive and decode a proprietary signal with a proprietary frame
structure, using a synchronized timing scheme assigned by the AP. None of
the SUs would have the ability to snoop all time slots. It would not be as
simple as putting together a Linux hack, because you would need a special
client adapter card and a driver written to a proprietary, black-box
interface not available to the general public.

"James Knott" <(E-Mail Removed)> wrote in message
news:MNvcc.987$(E-Mail Removed) ogers.com...
> gary wrote:
>
> > If WEP or WPA are used to encrypt user data between clients and AP, then
> > (in principle) everyone's data is isolated because (in principle)
> > different users can use different keys. In practice, WEP limits the system
> > to 4 active keys, so if you have more than 4 users, some pair of users are
> > encrypting with the same key.
>
> If they're all on the same access point or network, using different keys
> will not make any difference. The WEP keys protect only the radio part of
> the connection.



 
gary
Guest
Posts: n/a

 
      04-06-2004, 07:44 PM
I'm not sure I understand the comment about only the radio portion of the
connection being protected. I think the original question was mainly about
the radio part. Obviously anyone who has physical access to wired
connections, hubs, or switches with mirror ports might be able to read the
data.

802.11 doesn't encrypt any of that, although obviously if you're using VPN,
SSH, etc. etc. your end-to-end datastreams are protected outside of the wifi
environment. For all I know, Trango and Canopy may internally encrypt the
data all the way to the ISP backhaul. I imagine these expensive systems come
with industrial strength firewalls and full VPN support.

"James Knott" <(E-Mail Removed)> wrote in message
news:MNvcc.987$(E-Mail Removed) ogers.com...
> gary wrote:
>
> > If WEP or WPA are used to encrypt user data between clients and AP, then
> > (in principle) everyone's data is isolated because (in principle)
> > different users can use different keys. In practice, WEP limits the system
> > to 4 active keys, so if you have more than 4 users, some pair of users are
> > encrypting with the same key.
>
> If they're all on the same access point or network, using different keys
> will not make any difference. The WEP keys protect only the radio part of
> the connection.



 
James Knott
Guest
Posts: n/a

 
      04-07-2004, 01:07 AM
gary wrote:

> I'm not sure I understand the comment about only the radio portion of the
> connection being protected.


It means that WEP & WPA only protect the radio part of the connection from
snoopers. If there are two users, using different keys on the wireless
connection, they can't read each other's data directly from the wireless,
but may be able to, via the switch they pass through.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 
Jeremy Parr
Guest
Posts: n/a

 
      04-07-2004, 01:47 AM
"RZ" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Can someone explain how multiple subscribers on one access point are
> isolated? I.E. preventing them from seeing each other's network.
>
> I am thinking of using Trango or Motorola Canopy.


Every customer should have at least a SOHO router, Linksys, DLink, etc., and
not have your CPE plugged directly into their network.

That being said, Trango has a feature that can be turned on and blocks
broadcast (except ARPs) and NetBIOS traffic. This would do the trick to
prevent them from "seeing" each other's networks.
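
A model of the filter policy described in the post above (drop broadcast except ARP, drop NetBIOS), added here as an example; it is not Trango's implementation and not code from the thread. Treating NetBIOS as TCP/UDP ports 137-139 and dropping it on unicast as well are assumptions, and the sample frames, MAC addresses and IP addresses are constructed.

```python
import struct

BROADCAST = b"\xff" * 6
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
TCP, UDP = 6, 17
NETBIOS_PORTS = {137, 138, 139}  # name, datagram and session services

def decide(frame: bytes) -> str:
    """Return 'forward' or 'drop' for one untagged Ethernet II frame."""
    if len(frame) < 14:
        return "drop"  # too short to carry an Ethernet header
    dst = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_ARP:
        return "forward"  # ARP is the exception named in the post
    if dst == BROADCAST:
        return "drop"  # any other broadcast frame
    if ethertype == ETH_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        proto = frame[23]
        (frag,) = struct.unpack("!H", frame[20:22])
        l4 = 14 + ihl
        first_fragment = (frag & 0x1FFF) == 0  # ports exist only in fragment 0
        if proto in (TCP, UDP) and ihl >= 20 and first_fragment and len(frame) >= l4 + 4:
            sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
            if sport in NETBIOS_PORTS or dport in NETBIOS_PORTS:
                return "drop"  # NetBIOS over TCP/IP, unicast included (assumption)
    return "forward"

# --- constructed sample frames (not captured traffic) ---
SRC = bytes.fromhex("020000000001")   # locally administered MAC, made up
PEER = bytes.fromhex("020000000002")  # a second subscriber, made up

def eth(dst: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + SRC + struct.pack("!H", ethertype) + payload

def ipv4(proto: int, sport: int, dport: int, dst_ip: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), dst_ip)
    return hdr + struct.pack("!HH", sport, dport) + b"\x00" * 4

SAMPLES = {
    "arp_request": eth(BROADCAST, ETH_ARP, b"\x00" * 28),
    "udp_broadcast": eth(BROADCAST, ETH_IPV4, ipv4(UDP, 40000, 9999, bytes([10, 0, 0, 255]))),
    "netbios_session": eth(PEER, ETH_IPV4, ipv4(TCP, 40001, 139, bytes([10, 0, 0, 2]))),
    "http_to_peer": eth(PEER, ETH_IPV4, ipv4(TCP, 40002, 80, bytes([10, 0, 0, 2]))),
}

def verdicts() -> dict:
    return {name: decide(frame) for name, frame in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:16} {verdict}")
```

In this model the unicast HTTP frame to the second subscriber is forwarded: the filter hides neighbours from broadcast discovery, while unicast separation still depends on the SU to SU group ID or the per-customer router mentioned in the thread.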


 