Enhanced coding, encryption and authorization features make Pixelgate much tougher against breaches than standard wireless security. SkyRiver's multi-tiered SkySecureSM solution is driven by a "software-designed" radio. When coupled with physical security at our sites, encryption of key data, and routing at the edge of the network, SkySecure puts a virtual padlock on your business information. Additional SkySecure features enable us to support VPNs, remote access and firewalls.
I. SPREAD SPECTRUM TECHNOLOGY
SkySecureSM utilizes a form of Spread Spectrum radio transmission scrambling called Direct Sequencing Spread Spectrum (DSSS). Spread spectrum technology was first introduced about 50 years ago by the military with the objective of improving both message integrity and security. Spread-spectrum systems are designed to be resistant to noise, interference, jamming, and unauthorized intrusion. A typical radio signal contains both the data itself (which is the useful content) and a carrier frequency, which is modulated or blended with the data signal in order to "carry" the transmission across the operating range of the channel. Therefore, the first tier of security protecting our customers is the transmission frequency itself: an unauthorized user would need to know which channel(s) a specific customer is utilizing.
II. PSEUDO-NOISE CODE SEQUENCING
In SkyRiver’s DSSS transmissions, another element is introduced called a Pseudo-Noise (P/N) Code Sequence. This is a binary (and therefore digital) coding. When modulated with the carrier frequency and original content, the P/N Code causes the signal to spread across a broader range of spectrum. By dissipating the signal intensity, the shrouded signal becomes indistinguishable from random white noise. In a process known as "correlation," a similar P/N Code Sequence, matching the one used by the transmitter, is generated to "decode" the transmission on the receiver end. Without knowledge of this code and decode sequence, the signal is useless to any intruder. P/N Code Sequencing is a security-enhancing feature of DSSS transmissions employed by SkySecureSM. Since DSSS transmissions are more difficult to detect, there is a lower probability of interception. Since SkySecureSM employs binary code sequencing to "encrypt" the transmitted data, it makes it difficult for unauthorized parties to "listen in", or to spoof or imitate network members.
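The spreading and correlation steps described above, as an added example that is not SkyRiver's code: each data bit is multiplied by a P/N sequence, bounded noise is added, and the receiver correlates with the matching sequence and with a non-matching one. The 11-chip Barker sequence is the one published for IEEE 802.11 DSSS and is only a stand-in, since the page does not say which sequence SkySecure uses; the second sequence, the payload and the noise model are constructed for the demonstration.

```python
import random

# 11-chip Barker sequence published for IEEE 802.11 DSSS; a stand-in here,
# since the page does not say which P/N sequence SkySecure uses.
BARKER_11 = [1, 1, 1, -1, -1, -1, 1, -1, -1, 1, -1]
# Constructed non-matching sequence of the same length (assumption for the demo).
OTHER_CODE = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]


def spread(bits, code):
    """Map each bit to +/-1 and multiply it by every chip of the code."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * c for c in code)
    return chips


def add_noise(chips, amplitude, seed=1):
    """Add bounded uniform noise per chip (constructed channel model)."""
    rng = random.Random(seed)
    return [c + rng.uniform(-amplitude, amplitude) for c in chips]


def correlate(chips, code):
    """Correlate each code-length block of received chips against the code."""
    n = len(code)
    return [sum(x * c for x, c in zip(chips[i:i + n], code))
            for i in range(0, len(chips) - n + 1, n)]


def despread(chips, code):
    """Decide each bit from the sign of its correlation value."""
    return [1 if value > 0 else 0 for value in correlate(chips, code)]


def demo():
    bits = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed payload
    clean = spread(bits, BARKER_11)
    noisy = add_noise(clean, amplitude=0.9)  # noise nearly as strong as a chip
    return {
        "bits": bits,
        "matched": despread(noisy, BARKER_11),
        "matched_peak": [abs(v) for v in correlate(clean, BARKER_11)],
        "other_peak": [abs(v) for v in correlate(clean, OTHER_CODE)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The matching sequence yields a correlation peak of 11 per bit and recovers the payload through the noise, while the non-matching sequence yields a peak of 1, which the same noise level would swamp.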
III. NETWORK PASS CODE
The SkySecureSM Network Pass Code is a network identifier that provides similar functionality to the IEEE 802.11 Extended Service Set Identifier (ESSID). This is a security mechanism for establishing connections between the Customer Premise Equipment (CPE) and the SkyRiver Base Station. The SkySecureSM Pass Code is a string of characters used to authenticate all SkyRiver customer connections. When establishing a connection, the Pass Code is always encrypted in a one-way transmission to prevent eavesdropping on the wireless link. The SkySecureSM Pass Code prevents unwanted connections at both the SkyRiver Base Station and customer locations. Both the Base Station and CPE will refuse connections from unauthorized stations that do not have the correct system access coding. For an unauthorized user to compromise a SkyRiver client connection, they would now need to know the Network Pass Code, the correct P/N Code Sequencing, and which channels are being used within the DSSS transmission.
IV. MAC ADDRESS AUTHENTICATION
In a wireless networking card, the Media Access Control (MAC) is a radio controller protocol. Within a wireless network, a MAC Address is an individual subscriber radio's unique hardware number. It is similar to an Ethernet address on an Ethernet LAN. When a node is connected to the Internet, a corresponding table correlates that station’s IP Address to a specific MAC Address on the wireless network. Each SkyRiver CPE has a unique MAC Address built into it. In addition, unique sector-specific MAC Address control lists are stored in every sector of every SkyRiver Base Station. At radio connection time, the SkyRiver Base Station and customer CPE determine whether to accept connections to each other using the SkySecureSM Pass Code: the SkyRiver Base Station queries the CPE’s unique hardware MAC Address to see if the station should be allowed a connection. The SkyRiver Base Station forms a reply based on the MAC address and other configuration information stored in its database. The SkyRiver Base Station either accepts or kills the connection depending on the reply.
V. STATION AUTHENTICATION
Through an authentication management function, SkySecureSM has the ability to specifically authorize or exclude individual wireless stations. Therefore, an individual wireless user can be included in a network, or (at any time) locked out. Wireless station authentication by MAC Addressing can be used in conjunction with other authentication mechanisms, including user authentication with username and password. This advanced feature of SkySecureSM technology provides RADIUS server authentication at the SkyRiver Base Station that extends beyond the MAC Address Authentication security. This feature of SkySecureSM allows for a greater degree of security and can support future value-added services such as virtual private networking, remote access, and firewall features.
VI. INTELLIGENT POLLING
SkySecureSM centralizes control of the wireless network at the SkyRiver Base Station. SkySecureSM utilizes a highly optimized polling technique to tell remote wireless stations when they can transmit. Each station's polling interval is determined by a number of independent factors, including the remote station's recent usage history. The total number of currently connected systems (among other variables) is used to determine maximum and minimum polling intervals. As customers transmit less frequently (i.e. they do not have a packet to transmit when a SkyRiver Base Station polls them), they then get polled less frequently. For example: a customer link that remains dormant for several minutes may not be polled for a longer period of time. Stations that have data ready to transmit when polled become polled more often. This enables SkySecureSM to make optimum use of the SkyRiver network, while still maintaining a high level of "fairness" between wireless clients. To avoid problems associated with pure polling schemes, SkySecureSM also employs a "free for all" period to enable stations that have data available but are low in the polling queue to transmit without much delay. The "free for all" period allows a station that may not have transmitted for an extended period of time to begin transmitting once again and move to a higher priority in the polling scheme. The determination of Intelligent Polling intervals is based on a complex combination of calculated factors. Intelligent Polling and the associated "free for all" period, combined with super-packet aggregation, allow the “running” customer networks to perform at the highest bandwidth rate possible.
VII. IP ADDRESSING
An IP Address is a 32-bit number that identifies each sender or receiver of information that is sent across the Internet. An IP Address has two essential parts: the identifier of a particular network on the Internet and an identifier of the particular device (which can be a server or a workstation) within that network. SkyRiver’s network is an entirely routed IP network (specifically, IP over Ethernet). As with most private networks, an unauthorized user would be required to know the sub-network addressing scheme in order to compromise or “back door” a network. The SkyRiver network is comparable to any other carrier-grade network between the customer Network Access Point (NAP) and the Internet.
VIII. PHYSICAL & NETWORK SECURITY
SkyRiver’s network elements are in secure locations with environmental controls (including but not limited to remotely monitored intrusion alarms). These equipment rooms require specific authorization for access. Moreover, since the access points used in a wireless network function as routers, individual SkyRiver wireless subscribers are isolated from the majority of network traffic. Network subscribers are unable to gain IP access to any network elements, again limiting the possibility of network penetration or access to raw network packets.