atic dhs wifi security project - ieee · atic dhs wifi security project ... atic dhs wifi security...

WIFI SECURITY for First Responders –Border area Grant U.S. Department of Homeland Security Award #2004-GR-T4-K002

ATIC DHS WiFi Security Project

ITEP Final Report

June 28, 2006

Submitted by: Arizona Telecommunications and Information Council (ATIC) PO Box 1119 Tempe, AZ 85280-1119 Voice & Fax 602.254.5887 Email [email protected]

mailto:[email protected]�

ATIC DHS WiFi Security Project ITEP Final Report

June 28, 2006 of 40

Table of Contents

Table of Contents........................................................................................................................ 2

Introduction ................................................................................................................................. 3

1. Barriers Addressed by the Project .......................................................................................... 3

2. Project Approach..................................................................................................................... 5

3. Project Outcomes.................................................................................................................. 12

4. Outcome Evaluation Metrics...............................................................................................25

5. Project Innovation. ................................................................................................................ 27

6. Actual Costs and Schedule. ..................................................................................................32

7. Project Stakeholder Involvement. ......................................................................................... 33

8. Replication of Project Outcomes........................................................................................... 34

9. Next Steps. ......................................................................................................................... 36

10. National Strategy Benefits................................................................................................... 38

11. Key Project Participants. ..................................................................................................... 38

Selected List of Project Document References......................................................................... 40


June 28, 2006 of 40

Introduction

In May and June of 2004 members of the Arizona Telecommunications and Information Council (ATIC) responded to a Grant request issued by the Information Technology and Evaluation Program (ITEP) within the United States Department of Homeland Security (DHS). On June 23, 2004, the ATIC submitted the “WIFI SECURITY for First Responders – Border area Grant” application to the ITEP program. The award was made on September 17, 2004. The Grantee was the Arizona Division of Emergency Management and the designated implementer was the ATIC.

This report provides an overview of the WiFi Security Project by addressing the 11 topics requested by DHS to be included in the final report. These topics are:

1. Barriers Addressed by the Project: Barriers to technology-to-technology integration and insertion and to information sharing and integration addressed by the project.

2. Project Approach: The approach to overcome these barriers. 3. Project Outcomes: Accomplishments, Lessons Learned, and Benefits. 4. Outcome Evaluation Metrics: Metrics used to measure project accomplishments. 5. Project Innovation: Innovative uses of existing “state-of-the-market” information

technology. 6. Actual Costs and Schedule: Actual costs of the project and a schedule showing planned

milestones versus the actual results achieved. 7. Project Stakeholder Involvement: The involvement of public safety communities,

governmental jurisdictions and the private sector in the project. 8. Replication of Project Outcomes: Steps and procedures required for other organizations

to replicate the project’s accomplishments. 9. Next Steps for the WiFi Security Project: Recommendations for transitioning the project to

an ongoing program. 10. National Strategy Benefits: Description of the value and benefits of the project to the

National Strategy for Homeland Security. 11. Key Project Participants: Key participants in the project, along with their contact

information. Once this report has been reviewed and accepted by the Department of Homeland Security, it will be posted to the ATIC website for public viewing for a minimum period of 12 months.

1. Barriers Addressed by the Project The CANAMEX Corridor, envisioned to be the primary means of connecting the western states with Mexico and Canada, is a road system that passes through many rural areas of Arizona, Nevada, Utah, Idaho and Montana, interacting minimally with those rural areas. The Arizona portion of the CANAMEX Corridor stretches from Nogales, Arizona, in the south to Hoover Dam at Arizona’s border with Nevada.

Inadequate Broadband Connectivity

For many miles along the corridor in Arizona, emergency and first responders lack broadband connectivity and the security applications enabled by broadband. Even worse, for long stretches of the corridor, no landline or cellular service is available. This barrier is primarily due to geography and economics because the corridor passes through very sparsely populated rural areas that provide little or no cost-effective incentive for the provision of broadband services. The current


June 28, 2006 of 40

situation negatively impacts the abilities of Arizona’s first responders to adequately perform their assigned tasks, either along the border with Mexico or within other areas along the corridor.

Perceptions of Inadequate Security

Though wireless connectivity is an obvious solution to some of the geographic barriers, as well as some of the economic issues, the most prevalent implementations of wireless, WiFi or WIMAX infrastructure, carried with them perceptions of poor security, which also had to be dispelled, or answered satisfactorily if first responders were to adopt the technology.

Inadequate Communication across Agencies

The various first responder agencies are severely limited in the degree of inter-communication capabilities among different agencies. This is a result of units operating under different jurisdictions (e.g., municipal, county, state, federal, private, etc.) as well as the use of incompatible technologies among the separate first responder agencies (e.g., differing radio frequencies, satellite technology, etc.). This barrier results from a combination of organizational policies and the use of technologies that are incompatible with one another. This negatively impacts the transmission of critical information as well as response times in the event of a hazardous situation requiring multi-agency response.

Criminal Justice Information System (CJIS) Certification

Criminal Justice Information System (CJIS) certification for wireless networks to be used by first responders is a formidable barrier due to the overall complexity of the process with federal, state and local coordination and the newness of WiFi communications. In Arizona, a certification process is required before individual law enforcement officers are allowed connection. It takes significant time to familiarize local participants with the requirements and get the cooperation of the certifying agency in Arizona, the Department of Public Safety (DPS).

Vertical Access Required for Placement of Wireless Nodes

As the implementing vendor WI-VOD performed their detailed engineering surveys and assessments along the target corridor, it became clear that the region’s geography and curving highway path would require the placement of more wireless nodes than originally anticipated. A large number of existing vertical assets and their ownership were identified, such as communications towers, building rooftops, billboards, highway signage, light and utility poles, etc. However, when engaging the relevant vertical asset owners, the vendor experienced significant delays and difficulties in clarifying owners’ interest in leasing vertical asset access, understanding requisite internal processes and submittal requirements, discerning the various legal restrictions and obligations, and getting organizational commitments to proceed in good faith and in a timely manner.

Telecom Provider Sustainability

There was a need for the managing organization to directly and vigorously engage not only the first responder agencies but also a broad range of community stakeholders, along with the selected telecom provider to help ensure establishment of common interests and the self-sustainability and viability of the project for the post-grant period. Economic justification of the project by a vendor would be difficult if the only target and customer was a set of first responders.


June 28, 2006 of 40

ATIC as a long standing statewide non-profit and perceived “do-gooder” had the credibility and connections at the regional and state level to bring stakeholders and resources to the table as well as establish specific needed lines of communications and act as an intermediary or follow up on stakeholder commitments and issues as needed.

Competitive Resistance

This barrier manifested itself in a number of ways. Because one of the end-goals of the project was a commercial acceptance by the local marketplace of the additional network and vendor, existing providers resisted the competition and tried to raise doubts regarding the project, using the issues of unlicensed spectrum security and the viability of a new “outsider” vendor as arguments.

These concerns cascaded into related concerns by the target first responder community about investing time and effort in the project if, at the expiration of the grant period, they would become the sole users of an economically unsustainable network.

2. Project Approach. This Proof of Concept project initiated Phase I of securing Broadband Wireless Fidelity (WiFi) along a short 30 mile segment of Arizona’s 487 mile CANAMEX Corridor. It would utilize existing and new “state of the market” 802.11 public spectrum access points, strategically placed for rural users, including law enforcement, first responders and civilians, to obtain broadband connectivity within this segment of the corridor.

A unique aspect of this approach was that, unlike other 802.11 users, these corridor users could have access while mobile. Such connectivity requires a high level of power and focused dispersion and collection of the 802.11 signal, as well as a sound security envelope around the connection. If successful in the pilot, these project characteristics would eventually benefit the entire U. S. Corridor, from Mexico to Canada.

A stretch of the CANAMEX Corridor near Mexico would be “secured” as a first responder WiFi “hot spot.” A sufficient number of access points would be deployed to enable in-vehicle “WiFi ready” devices moving into and through the area to have mobile access to the Internet or Internet based Virtual Private Networks (VPNs). Such a transport layer should allow for various applications at broadband speeds, defined here to mean 1 Megabit per second (Mbps) or higher. The use of this unlicensed spectrum would facilitate intercommunication among the various and disparate government agencies participating in the pilot.

Numerous first responder communities should be equipped to take advantage of this mobile “hot spot.” Participating agencies include the Arizona Department of Public Safety (DPS); the Arizona Department of Transportation (ADOT); the Arizona Office of Homeland Security (OHS); the Arizona Government Information Technology Agency (GITA); the Santa Cruz County Sheriff’s Office (SCCSO); U.S. Customs and Border Protection (CBP); the Tubac, Rio Rico and Green Valley fire districts; the University of Arizona Telemedicine Project and other first responders.

Public and private enterprises and especially schools should also have access to this “hot spot.”

Combining access for public and private interests would allow post-Grant “sustainability” of the project as well as replication of processes by others. Optimizing network coverage and redundancy maximizes the ability of a single system to support public and private initiatives speedily and with minimal impact on the community of users, both public and private. As shown in the following graphic, the network is configured to provide cost competitive services to the following entities:


June 28, 2006 of 40

• Private Business • Residents • Government Agencies at Various Levels • Educational Institutions and School Boards • Private Public Safety and Security Organizations • Community Organizations and Agencies • Other Organizations of Economic Development

Strategic deployment and utilization of network nodes provides for a focused dispersion of the signal as well as a sound security envelope around the connection for mission critical end-users. The diagram above shows how end-users can be grouped, prioritized and serviced while sharing a common wireless support system. This facilitates the introduction of cost-effective broadband services for the larger rural community along the corridor.

Non-Residents (Mobile

Professionals, Tourists, other

visitors)

Local Residents & Community Initiatives/

Organizations

Local

Business & Economic

Development

Non-Governmental Public Safety Agencies &

Organizations

Boards of Education

& Other School

Agencies

Government

Administration & Agencies

(Federal, State, Local)

Mobile First

Responders (Police, Fire, EMS, Border

Patrol)

Common Wireless

Infrastructure (Voice &

Data)


June 28, 2006 of 40

Security Considerations for the Network

The project leadership was aware of a number of 802.11 based networks already being used in the State of Arizona and elsewhere across the country. Project leadership was also very sensitive to perceptions extant about WiFi networks being highly susceptible to malevolent invasion or access by unauthorized persons. Such perceptions needed a realistic adjustment; especially since the network resource (bandwidth and connection to the Internet) was to be shared by first responders and the public at large. Various types of users would require various levels of connection security, with law enforcement requiring the highest security. Project leadership consulted with Arizona’s Government Information Technology Agency (GITA) regarding some of the security issues inherent in dealing with first responders. GITA maintains the standards and best practices to which state agencies are required to adhere. From that discussion, an extensive checklist was developed for the project participants to aid their efforts in integrating security levels into their connections. Because it was anticipated that first responders would utilize a specific Mobile Access Point or MAP (in this case a combination antenna and “smart” bridge device) provided to them as part of the Grant, and at no cost, the security checklist was included as part of the “User Guide” distributed with each MAP. In addition, the “User Guide” contained instructions regarding installing, configuring, activating, and utilizing the project’s broadband mobile wireless capabilities in their vehicles. Below is a matrix, included in the “User Guide,” devoted to security considerations. Note that it provides a scalable approach so that users themselves can decide their security requirements.

Checklist Wireless Security Recommendations Highly

Recommended Practices

Should

Consider

Actual Status

Management Recommendations 1 Develop an agency security policy that

addresses the use of wireless technology, including 802.11.

Yes

2 Ensure that users on the network are fully trained in computer security awareness and the risks associated with wireless technology.

Yes

3 Perform a risk assessment to understand the value of the assets in the agency that need protection.

Yes

4 Ensure that your client PC network Interface Cards (NICs) support firmware upgrade so that security patches may be deployed as they become available.

Yes

5 Perform comprehensive security assessments at regular and random intervals to fully understand the wireless network security posture.

Yes


June 28, 2006 of 40



Should

Consider

Actual Status

6 Take a complete inventory of all 802.11 wireless devices. Yes

7 Ensure that wireless networks are not used until they comply with the agency’s security policy. Yes

Technical Recommendations 8 Disable the broadcast SSID feature so that the

client SSID will match that of the AP. Yes

9 Validate that the SSID character string does not reflect the agency’s name (division, department, street, etc.) or products.

Yes

10 Understand and make sure that all default parameters are changed. Yes

11 Enable all security features of the WLAN product, including the cryptographic authentication and WEP privacy feature.

Yes

12 Ensure that encryption key sizes are at least 128-bits or as large as possible. Yes

13 Make sure that default shared keys are periodically replaced by more secure unique keys.

Yes

14 Install a properly configured firewall between the wired infrastructure and the wireless network (This is likely to be via the Internet firewall).

Yes

15 Install antivirus software on all wireless clients. Yes 16 Install personal firewall software on all wireless

clients. Yes

17 Disable file sharing on wireless clients (especially in untrusted environments). Yes

18 Deploy MAC access control lists. Yes 19 Deploy IPsec-based Virtual Private Network

(VPN) technology for wireless communications. Yes

20 Ensure that encryption being used is sufficient given the sensitivity of the data on the network and the processor speeds of the computers.

Yes

21 Fully test and deploy software patches and upgrades on a regular basis. Yes

22 Ensure that all passwords are being changed regularly. Yes

23 Deploy user authentication such as biometrics, Yes


June 28, 2006 of 40



Should

Consider

Actual Status

smart cards, two-factor authentication, or PKI. 24 Ensure that the “ad hoc mode” for 802.11 has

been disabled unless the environment is such that the risk is tolerable.

Yes

25 Use static IP addressing on the network. Yes 26 Disable DHCP for the wireless clients. Yes Operational Recommendations 27 Consider other forms of authentication for the

wireless network such as RADIUS and Kerberos.

Yes Yes

28 Deploy intrusion detection agents on the wireless part of the network to detect suspicious behavior or unauthorized access and activity.

Yes

29 Deploy auditing technology to analyze the records produced by RADIUS for suspicious activity.

Yes Yes

30 Deploy an 802.11 security product that offers other security features such as enhanced cryptographic protection or user authorization features.

Yes

31 Enable utilization of key-mapping keys (802.1X) rather than default keys so that sessions use distinct WEP keys.

Yes

32 Fully understand the impacts of deploying any security feature or product prior to deployment. Yes

33 Designate an individual to track the progress of 802.11 security products and standards (IETF, IEEE, etc.) and the threats and vulnerabilities with the technology.

Yes

34 WPA, WiFi Protected Access Yes 35 WPA2, WiFi Protected Access 2, based on the

final IEEE 802.11i amendment to the 802.11 standard (eligible for FIPS 140-2 compliance)

Yes

Participants were instructed that, besides the “User Guide” they could receive installation, configuration, and operational support by calling the support line of the vendor WI-VOD at 866-802-6060 x3302, visiting their web site (http://www.wi-vod.com/) or via e-mail at [email protected] as needed.

http://www.wi-vod.com/�


June 28, 2006 of 40

Additional support was available through the Arizona Telecommunications and Information Council (ATIC - http://atic.researchedge.com/) by contacting Oris Friesen, ATIC Vice Chair & Project Coordinator at phone: 602-992-4504, mobile: 602-689-1084 or e-mail: [email protected] if needed. ATIC maintains a DHS WiFi Project for first responders web presence and links to related resources at http://atic.researchedge.com/wireless/ for project stakeholders and the public. An end-user survey form is currently available online at http://atic.researchedge.com/wireless/survey.php and all end-users are encouraged to submit test data and feedback frequently.

Criminal Justice Information System (CJIS) Certification

A nationwide law enforcement database is maintained by the Federal Bureau of Investigation (FBI). Connection to this database is highly secure. In Arizona, a certification process is required before individual law enforcement officers are allowed connection. Because it was desirable for officers to have remote access to the database while in the field (away from their desks with wired connections), inquiry was made to the certifying agency in Arizona, the Department of Public Safety (DPS). Consequently an analysis was provided by the Santa Cruz County Information Technology (IT) department that included a description of the requisite configuration and components for extending access to the CJIS database maintained by DPS. The analysis covered such requirements as 3DES encryption, authentication methods, etc From the project perspective, in accordance with requirements defined by the stakeholders, layered and scaled security and advanced applications were added to the wireless environments. Vertical Access Required for Placement of Wireless Nodes

Regional first responder agencies were the most cooperative in granting access to existing vertical assets such as communication towers or working with the vendor to install and make available new towers to be leased directly or offered for use under in-kind arrangements. Private sector property owners near the highway such as restaurants, stores, and billboards had the simplest procedural processes and were often the easiest and fastest means to acquiring vertical asset rights where applicable. There was a general lack of written procedures regarding the utility company’s conformance requirements for antenna co-location on utility poles as well as the supplemental permitting process that applicants needed to complete as a result of modifying previously permitted locations leading to delays and significant engineering efforts and costs in eventually gaining access to a series of critical utility vertical assets.

Telecom Provider Sustainability

With first responder agencies identified as an anchor tenant, the selected telecom vendor was able to make the substantial required investments in engineering a complex wireless network, licensing vertical assets, purchasing and installing wireless nodes, leasing broadband backhaul capacity, and partnering with local support and service companies.

Because the anticipated revenue solely from a first responder community was insufficient to fully support such a commercial operation, economic realities forced an expansion of the customer base to include commercial broadband services to other government agencies at various levels, educational institutions and school boards, community organizations and agencies, private

http://atic.researchedge.com/�

http://atic.researchedge.com/wireless/�

http://atic.researchedge.com/wireless/survey.php�


June 28, 2006 of 40

business, and residents. Even with delays of full network deployment and activation of the first responder stakeholders, THE VENDOR was able to selectively market their services where available to other end users and gain a significant revenue stream from government, business, and residential users, fulfilling the sustainability requirement.

ATIC developed extensive contact lists to clearly identify relevant participants, their organizational roles, and contact vectors to aid in team and stakeholder communications.

Competitive Resistance

Through some aggressive communication by key stakeholders and by project leadership, doubts raised by the existing local provider community (including the security of unlicensed spectrum and the viability of a new “outsider” vendor) were put to rest. They were overcome through an acknowledgement that the prospective benefits of additional broadband in the area far outweighed any other concern. Proponents also noted that spectrum security would either be shown to be adequate or not via testing throughout the project. The vendor also publicized to first responders the burgeoning commercial and end-user acceptance of the spectrum, diminishing fears of non-sustainability.

A side benefit coming from the “project” was that previously promised but delayed upgrades to existing wired infrastructure by local providers also began to take place, substantially increasing overall broadband availability to deficit areas along the corridor. The very threat of a “new” competitor taking market share moved existing providers to redefine their own priorities and take action.

Project Coverage

The following graphic shows the approximately 30 mile segment of Interstate 19 (I-19) covered by this Project. The blue circles designate extended antenna coverage from particular nodes, while the orange circles represent more focused antenna coverage.


June 28, 2006 of 40

3. Project Outcomes. Accomplishments: The total scope of the project was completed. This included the following accomplishments:

• The appropriate end-user IT personnel were engaged to allow for use of encryption, whitelisting,1 creation of Virtual Private Networks (VPNs) and to provide for interagency communication.

• 20 antenna nodes were placed along the corridor and are operational covering approximately 30 miles. (Two additional nodes were placed near the Rio Rico fire halls for special applications.)

• More than 70 Mobile Access Points (MAPs) were distributed to 9 different agencies for installation in vehicles and some stationary sites.

• 5 cameras are operational and in use by the University of Arizona Telemedicine Program, Santa Cruz County Hazardous Materials (Hazmat) teams and Fire Departments. An additional 4 cameras are being planned for use by U.S. Customs and Border Protection (CBP) and by the Santa Cruz County license plate recognition program.

• Mobile units are getting up to 6 Mbps transfer speeds. As more traffic is added to the network transfer speeds are leveling out at 2-4 Mbps.

• The network is operational and fully supports stationary coverage throughout the corridor. Mobile or roaming coverage in certain areas along the corridor is currently conditioned by

1 "A list of Media Access Control (MAC) addresses that have been pre-approved to be configured as part of the network."


June 28, 2006 of 40

the inability of specific nodes to sustain adequate signal to noise ratio to all end-user devices. Those areas of the network are in the process of being reconfigured with alternate antenna arrays to limit the impact of extraneous radio noise.

• The Spillman Computer Aided Dispatch (CAD) System has been deployed by the Santa Cruz County Sheriff’s Office and is being used in test data mode in conjunction with the WiFi Network.

During the project implementation, conceptual designs were developed for providing wireless “hot spot” availability at designated locations between Green Valley and Rio Rico in southern Arizona with mobile access for first responders. This task included initial activities related to siting and making operational the antennas necessary to provide a wireless corridor targeted to be up to one mile wide.

ATIC helped to verify the design, assign participants, establish evaluation metrics and implement reporting and management processes with various stakeholders (e.g., state agencies, first responders and others). ATIC also engaged community stakeholders to help ensure self-sustainability and viability of the project for the post-grant period.

WiFi connections from the roadside fixed access points, providing Internet access to the vehicular Mobile Access Points (MAPs) were implemented. Included were activities required to identify, make operational and deploy the vehicles to be used as mobile access points.

Specific accomplishments defined by the applications that this WiFi network has enabled include the following:

University of Arizona Telemedicine Program

• The challenge for the Arizona Telemedicine program is to provide healthcare to locations in rural Arizona that previously had no practical access to economical, high quality, specialized patient care. This was accomplished by provisioning a high speed and simultaneous transmission of voice, video and vital statistics from a temporary telemedicine facility in Amado, Arizona, to the University of Arizona Medical Center in Tucson, Arizona.

A number of concerns were addressed in the implementation process. Besides the basic concerns of positioning the antenna, providing internal connection inside the trailer and connecting to the University of Arizona Medical Center Wide Area network (WAN), other concerns were also addressed. These included compliance with HIPAA regulations2 (handled by telemedicine staff), throttling the connection to optimize for voice, video streaming and data transmission, and applying Static IP (Internet Protocol) addressing policies to both the corridor network and the specific requirements of the telemedicine network. With a successful install, the telemedicine specialists simply show up, deploy their radio and the external antenna, and then establish their VPN connection to the Tucson offices. Once the VPN has been connected over the wireless broadband connection, they hold videoconferences between the medical staff attending to patients in the trailer and the supporting doctors back at the University's offices in Tucson.

2 Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA).


June 28, 2006 of 40

The result is better healthcare for Arizona’s citizens in and around Amado, at lower costs. This project has provided the underlying wireless broadband communication technology that enables telemedicine program applications to deliver high quality health care to one of the state’s more remote locations. The telemedicine program specialists are better able to carry out their mission of health care delivery to medically underserved populations using telemedicine technologies. In particular, they are enabled to increase access to medical specialty services while decreasing health care costs. An additional connection has been activated at the nearby elementary school, which acts as a central location to provide both adult and children infectious disease monitoring (measles, chicken pox, etc.). The school will utilize this Internet access link for their daily needs, in addition to the weekly Telenutrition Diabetes Education class. With high-speed connection in place, the telemedicine program can save considerable time in their diagnosis and intervention with this rural population. The extension of this program to Amado is an excellent example of how technology can be utilized to improve public health in rural communities.

Arizona Department of Public Safety (DPS)

• The challenge was to provide a secondary method of communication among different state and local agencies, including highway patrol officers and other DPS employees.

After the network took shape, new ideas were identified for its use. Specifically, two applications are being evaluated. The first is to enhance the speed of connection for DPS officers charged with managing commercial transportation (trucking) violations in Arizona. Eight DPS officers are assigned to this task in the southern Arizona area. Five are deployed at or near the border. The others cover about 100 miles of highway from the border to near Casa Grande. The database of transportation violations is maintained and updated by many states via the Internet. Currently, access to this Internet database in Arizona is limited to cellular data and satellite connections. Connectivity via these methods is much slower than the proposed WiFi connectivity along the I-19/I-10 Corridor. A current impediment to fully utilizing the high-speed connection is its relatively short (30 mile) footprint, forcing the continued use of multiple methods of connectivity. The second application concerns auto-theft interdiction. DPS is investigating the utilization of cameras along with Advanced License Plate Recognition (ALPR) software along the 1-10 or I-19 Corridor. This high-speed conversion of pictures of license plate numbers into an Optical Character Recognition (OCR) text field (and capturing pictures of the cars to which they are attached), enables a quick indexing of that license plate number against the Stolen Car database maintained by DPS. The key to the program’s success is a high-speed connection to the database and then an alert sent out to law enforcement agencies in time to interdict the vehicle before it reaches the international border with Mexico. Placement of the high speed cameras across south-bound traffic lanes at the north end of the WiFi Grant area provides about 40 minutes of lead time for a stolen car to be intercepted prior to its reaching the international border. Currently, the only comprehensive interdiction opportunity is at the border, which is risky, and interferes with normal border operations.


June 28, 2006 of 40

Santa Cruz County, using a separate source for the cameras and ALPR Software, anticipates deploying both stationary (lane based) cameras and mobile cameras. Both methods require high-speed connectivity to the Stolen Car database repository of stolen cars. Motorola is in discussion with Santa Cruz County and with the Project Management team (ATIC, GITA, and Wi-VOD) to use the WiFi transport and nodes that are in proximity to the chosen interdiction site for this access as it works with Santa Cruz County. It is hoped that this project can be initiated before Arizona’s fiscal year end (June 2006).

Santa Cruz County and Santa Cruz County Sheriff’s Office (SCCSO)

• The challenges in Santa Cruz County are manifold. Seventy-five percent of the county population resides within the area enclosed within this grant corridor, providing a testbed for project activities. The county seat is Nogales, which sits adjacent to the border with Mexico. Because of the issues implicit with its locale, uses and applications germane to Homeland Security quickly became evident as part of the Grant activities.

The challenge to SCCSO was to provide for improved dispatching facilities within the department and better enable communication between dispatch and sheriff deputies. Motivated by Santa Cruz County’s first responders’ involvement in this project, the county sought and qualified for other grants, including grants to acquire computers and additional licenses to the Spillman3 Computer Aided Dispatch (CAD) system. Substantial efforts were made to coordinate the Spillman CAD system with the communication capabilities provided by the WiFi Project.

Spillman mobile solutions empower users to access and share information anytime, anywhere. Initially the SCCSO will utilize the Spillman CAD for communications that do not require Criminal Justice Information System (CJIS) certification. Fully integrated communications with SCCSO’s CAD systems will be allowed after the CJIS certification of the wireless network. Until CJIS certification is granted the wireless transport network provides for email, instant messaging, and transfer of large graphical files such as maps and pictures. This level of functionality provides faster response and reduced radio traffic and enables mobile patrol vehicles to maintain safe and silent contact with base operations. Applications such as instant messaging prevent criminals and hobby enthusiasts from monitoring law enforcement activities with a radio scanner (this is also the case in Graham County, Arizona, with its four year old, mature private wireless network). Using today's wireless technology, voiceless dispatch also frees up the radio channels for emergencies and ensures the element of surprise, or inhibits curious bystanders from arriving at an emergency scene. After CJIS certification for wireless connectivity, SCCSO personnel can leverage the Spillman system for the following additional benefits:

“Instead of competing with other units for radio time to perform routine license plate checks, SCCSO officers will perform their own checks and quickly get results. Additionally, with Spillman’s integrated system and Involvements™ feature, they will

3 Spillman Technologies, Salt Lake City, UT


June 28, 2006 of 40

automatically be notified if a pulled over vehicle is associated with any outstanding warrants, history of violence with law enforcement, or other dangers so they can proceed with the proper amount of caution. Whether making a traffic stop or conducting an interview, queries can be sent to the SCCSO’s Spillman database, as well as to state and national databases, directly from a patrol unit. This convenient option frees radio airtime and enables officers to receive information about people, vehicles, and wanted persons without requiring dispatch assistance.” 4

Other benefits also accrue after CJIS certification, including the following: • Voiceless dispatch ensures officer safety by sending silent updates. • Field reporting saves time by allowing data entry and transmission directly from a

mobile computer. • Mobile messaging enhances officer communication with the ability to send and receive

instant message and e-mail from anyone using the Spillman system. • Access to local, state, and national databases provides thorough information on

names, vehicles, property, and wanted persons. • System alerts improve officer safety and promote faster response times.

Border Patrol (also referred to as Customs and Border Protection)

• The challenge was to provide a secondary method of communication among Border Patrol sites, especially in the dissemination of graphical information along with connectivity between outposts and home base. Communications with local first responders was also needed. Border Patrol representatives have attended most of the coordination meetings held in conjunction with implementation and uses of the WiFi Network.

One objective is to demonstrate to the United States Customs and Border Protection (CBP) that a successful IP video surveillance system can be installed, maintained and operated over the public Internet with Wi-VOD technology and received through a B wireless card in the CBP administration offices at the Mariposa Ranch Road site. The success of this achievement will be the attainment of monitoring capability of the selected video surveillance sites. One of the video surveillance test sites is the WI-VOD antenna node location known as “Hilltop House” on I-19 approximately 2km north of Ruby Road. A second location is to be determined.

A potential plan also includes a communication node at the Border Patrol’s office in Rio Rico and access point equipment provided at the mobile highway inspection sites set up by Border Patrol along I-19.

Fire Districts and Stations

• The challenge was to provide another method of communication between E911, sheriff personnel and other first responders in the area. Fire Departments are responsible for most public safety incidents not directly under the jurisdiction of law enforcement (Hazmat, fires, emergency medical, etc). Faster communication, especially data and graphical, as well as voice and video communications enhance the ability to effectively respond to such incidents. Initial alerts of such incidents typically come through a county- or city-based E911 dispatch

4 Based on Spillman System marketing materials (see www.spillman.com).


June 28, 2006 of 40

system. The desired outcome for the Wireless project is to provide fire departments earlier alerts of such 911 emergency incidents through a faster communications means.

Emergency Medical Transportation

• The challenge was to provide a comprehensive method of communication between emergency medical transportation and emergency room or hospital personnel during the first “Golden Hour” window of medical intervention, which is so important for saving lives and preventing long-term damage because of trauma. Here the solution is to implement voice, video, and data wireless transport in a mobile environment all along the I-19 corridor.

Cameras and their Usage

• The challenge was to provide WiFi access to camera-based applications via Internet Protocol (IP) connections that would allow for still picture or video transmission. To this end a number of cameras were installed and several more are in the process of being deployed. The cameras support and improve surveillance and communication capabilities of the Santa Cruz County Sheriff’s Office, the Border Patrol, the University of Arizona Telemedicine facility, various fire districts and emergency medical transportation units. Cameras that have been deployed, which are remotely controllable and accessible by authorized personnel via the Internet, include:

1. A University of Arizona Telemedicine Sony non-NEMA (National Electrical Manufacturers Association) enclosed IP camera, which is not publicly viewable due to the sensitive nature of the transmission. Camera transmission is protected by a secure VPN.

2. Three Santa Cruz County Hazardous Materials (Hazmat) truck cameras - one Sony NEMA enclosed IP camera on telescopic pole and 2 non-NEMA enclosed IP cameras.

3. Santa Cruz County Landfill - 6 NEMA enclosed IP cameras accessible via an IP switch. This counts as only one camera position since only one is viewable via the IP switch at any given time.

Cameras that are planned to be deployed in the near-term include:

1. The installation at the Agua Linda overpass of I-19 will have a total of 6 cameras. Two infra-red cameras and a "color" camera will be required for each of the two lanes for the Santa Cruz County ALPR system.

2. Three outdoor NEMA enclosed IP cameras, which are not publicly viewable due to the sensitive nature of the transmission, will be installed for the Border Patrol. The camera transmission is protected with a secure VPN.

Sustainability

• Historically a major barrier to broadband implementation has been finding an initial anchor tenant to justify the build out of middle-mile telecommunication resources. The WiFi Security for First Responders Project potentially alleviates this problem by creating a new type of anchor tenant, a traveler through a highway based “hot spot” connecting end-users while they are mobile. Revenue from such travelers lowers the threshold normally identified as the point where a broadband project is economical. The potential customer base also becomes much larger, giving competitors a larger pie for which to compete. Adding wireless customers also changes the ratio of revenue to infrastructure costs (wiring, trenching, brick and mortar) in the area, making it easier to expand the coverage area and lower end-user


June 28, 2006 of 40

costs. Such a “hot spot” has the dual potential to enhance public acceptance of broadband applications through usage and familiarity and to create a seminal network from which one or more anchor tenants can build out horizontally along the corridor. Providers of such a build-out can focus on providing economical broadband services to customers other than first responders. These include private citizens, local businesses, real estate developers, government agencies other than first responders, schools and libraries. A viable business model is easily developed for each around such services. Such broadband development also spawns new public-private partnerships that invigorate economic development. Partnerships, evolving through their separate use of broadband infrastructure, and involving various combinations of colleges, private sector firms, and local, state, and federal governments, have the potential to increase the value of each of the partners' portfolios, and to systemically mobilize innovative solutions. For example, private sector firms gain access to new knowledge and a workforce that can capitalize on it; educational institutions gain financial support, an expanded student base, the ability to capitalize on intellectual property, and access to real-world problems for field training; and local and state governments gain sustainable regional and local economic development activities. Broadband services developed as a result of this grant will generate the entrance of other telecom companies in the area. Demand creates supply, which creates more demand as users become educated about telecommunications and demand more services – increasing the number of users and the amount of services provided. This leads to more people entering the marketplace to satisfy the expanded demand. Such activities contribute to a sustainability model that leverages the possibilities of expanding broadband capabilities in Santa Cruz County and making them self sufficient.

Lessons Learned

• Arizona Telecommunications and Information Council (ATIC) Lessons Learned ATIC held a special strategic planning session in December 2005 for its Board and stakeholders. Part of the meeting focused on ATIC’s participation in this project, what lessons were learned, and what interest ATIC had in future Arizona telecommunication network projects. The ATIC DHS WiFi Security Project for First Responders was universally viewed as a successful project and model. With the overview and deliverables available on the ATIC site (http://atic.researchedge.com/wireless/), attendees felt we should market and promote ATIC and other project opportunities based on its success. There was strong interest in ATIC owning, managing and/or enabling additional telecommunication projects going forward, with ATIC acting as a change agent and catalyst, not an operational agency. Thus ATIC should prove technology and methods, advance policy agenda, and move on, limiting its primary activities to a pilot stage and allow full implementation to follow, driven and supported by other entities. There was concern that as a volunteer-driven non-profit with organizational bandwidth limitations, there might be a lack of sufficient volunteer resources, along with a possible loss of focus. Project funding should likely yield a modest share to ATIC for overhead and some organizational support in most cases. A proposed Broadband Development Authority (BDA) could serve to create a pool of



June 28, 2006 of 40

funds for telecom projects and should continue to be pursued under ATIC’s policy agenda. It was felt that ATIC could potentially play a consultative role with multiple communities and stakeholders and should partner with a few specific communities, not every community. We should seek out communities that are set up for success and have supportive local organizations and champions. ATIC should always drive recognition and planning for continuity and sustainability while ensuring that useful metrics and good accountability/governance are in place. The Strategic Planning group recommended that ATIC should put additional projects and funding opportunities in the grant pipeline and seek out government and community stakeholders to partner on additional selected Arizona telecom projects.

Some other lessons learned relative to the barriers described earlier are listed below:

• Success of the Overall Approach

Probably the most important lesson learned was that it is possible to use a grant such as this, which focuses on a select user community such as first responders, to jump-start a commercially sustainable project that relies on future returns on investment and the acceptance of a new provider.

• Culture of Resistance to Innovation

The degree and level of socialization required to gain local acceptance was conditioned by the understanding possessed by local community members regarding the impact of this project. Concerns focused on the potential impact of network equipment in changing the aesthetics of the local environment and the general lack of knowledge concerning the technology, its security and its access.

The stakeholders need to be solicited and made to see the value of their role in the project at the very earliest stages. One way to accomplish this is to have a “champion” for the project who is capable of “selling” the project to all the stakeholders.

• Complexity of Right-of-Way Permitting Process

The complexity surrounding the permitting process, in general, is one of inconsistency and partial solutions. Counties have varying requirements that are determined by local authorities, making a template configuration for a statewide deployment of network equipment problematic. Furthermore, the number of agencies required for approval or that might impact the ability for deploying network equipment can also vary dramatically based on the location of the equipment. When moving from county to county this can prove to be a very confusing process when multiple agencies are required to approve a single deployment. In cases where existing, permitted infrastructure is being used, new permits may still have to be granted even though no major structural change or encroachment results from the network equipment being deployed. It is difficult to define an effective solution to the above problem other than initially factoring in and planning for what would seem to be an inordinate amount of lead-time. An important element of any solution is to identify all potential Right-of-Way holders at the very earliest stages of the project. After they have been identified, engagement on the part of all players is vital.

• Vertical Access Required for Placement of Wireless Nodes


June 28, 2006 of 40

There was considerable delay due to the various vertical asset owners. For example, there was a general lack of written procedures regarding the utility company’s conformance requirements for antenna co-location on utility poles as well as the supplemental permitting process that applicants needed to complete as a result of modifying previously permitted locations.

The process of acquiring access to such a mix of vertical assets proved quite frustrating, time consuming, and expensive to both ATIC as project manager and WI-VOD, the telecom vendor. While it delayed full coverage along the target corridor and the launch of service availability to first responders in this project, it yielded a better understanding of the role various vertical assets owners can and should play, what processes and costs should be anticipated, and what are best practices for stakeholder selection and engagement, as well as optimum models for use in similar future projects.

Although it may seem obvious, it is important to secure written agreements for all conformance requirements. This can be difficult to achieve when the company assumes everyone is familiar with the process.

• Perceptions of WiFi and security

The perception that WiFi lacks security was more profound than expected.

The lesson learned here is that this needs to be mitigated with a robust “education” program by providing a high level of IT support and education and by effective “selling” of the project to the stakeholders.

• Criminal Justice Information System (CJIS) Certification The process to secure CJIS certification was more complex and time consuming than anticipated. The process should be begun earlier in future projects and initiatives. CJIS certification experts should be brought in to educate stakeholders, and the project leaders need to monitor and facilitate more closely inter-agency communication and resources to assure timely and more readily achieved CJIS certification for regional first responder agencies and applications.

• Telecom Provider Sustainability Sustainability issues need to be addressed aggressively at the initiation of the project. It has become clear that the provision of wireless broadband services to the targeted first responder stakeholders should proceed fully in parallel with offering broadband services commercially, yielding the telecom provider a more diverse and substantial cash flow, better assurance of continued viability, synergistic network deployment and support, as well as more community visibility and presence. We have begun to see that broadband services developed and deployed as a result of this grant has led to sustainable revenue supporting WI-VOD’s business case. As anticipated, the availability of new broadband options has helped generate an expansion of broadband service provision from incumbent providers, as well as the entrance of other telecom companies into the area.

• Technical Implementation Issues


June 28, 2006 of 40

The extreme fluctuations in temperatures, as experienced in certain seasons in a desert environment, can cause radio frequencies to experience bandwidth variations unexpectedly. Similar to the “sun-spotting” effects on satellite transmissions, radio frequencies traveling over long distances can actually have waves changing shape. Consequently, bandwidth can be constricted by a wave format that is modified by extreme temperature fluctuations over a very short period of time.

Technical issues such as these need to be solved as they are discovered. The key is to have technologically competent people on the project team,

• Technology and standards

Because mobile WiFi is a relatively new entry in the 802.11 public spectrum marketplace, there are few predefined standards for hardware implementation.

This means that considerable attention needs to be given to identifying and pre-qualifying different implementation techniques as early as possible.

Benefits

The more tangible benefits of this project include

• The University of Arizona Telemedicine Program uses the WiFi network to conveniently transmit voice, video and vital statistics between a mobile trailer at Amado, in Pima County, and the University Medical Center in Tucson, Arizona.

• The Santa Cruz County Sheriff’s Office uses the network to communicate with other officers and with the Computer Aided Dispatch System.

• The Various Fire Districts (Rio Rico and Tubac in Santa Cruz County and Green Valley Fire District in Pima County) use the network to communicate text and voice information between each other.

• The Santa Cruz County Hazmat teams use the network to transmit live video data via the Hazmat cameras.

The next set of graphics divide the corridor into six segments traveling north to south along I-19, identifying the nodes and coverage areas within each segment. In each of the following map graphics the blue circles designate the area of extended antenna coverage from particular nodes, while the orange circles represent more focused antenna coverage. The labeled rectangular balloons point to a location at which connectivity to the network was measured. The name of the dominant connecting node is identified in the rectangle.


June 28, 2006 of 40

From Pima County into Santa Cruz County

North and South of Agua Linda Road


June 28, 2006 of 40

Area near Tubac

South of Tubac


June 28, 2006 of 40

Peck Canyon Area

South to Ruby Road


June 28, 2006 of 40

4. Outcome Evaluation Metrics. The completed system includes the following elements:

• Twenty antenna nodes placed along the I-19 corridor. • The geographical coverage area along the corridor varies from 1 to 3 kilometers on either

side of the corridor. • More than fifty first-responder vehicles have been equipped with Mobile Access Points. • Five cameras have been deployed as part of the network, and four more are being planned. • A security umbrella is provided with a combination of MAC whitelisting and VPNs. • The cost savings compared with wireless deployment versus traditional wireline or fiber is

approximately 50% compared to the cost of T1 lines. • Data and video transmission rates vary from 500 kbps for uploads to 3 Mbps for downloads. • There is connectivity to the Internet from stationary points along the corridor, enabling

applications such as VoIP, streaming audio and streaming video. • Mobile or roaming coverage in certain areas along the corridor is currently conditioned by

the inability of specific nodes to sustain adequate signal to noise ratio to all end-user devices. Those areas of the network are in the process of being reconfigured with alternate antenna arrays to limit the impact of extraneous radio noise.

Report Submitted By: Test Data

Date Start Time: : End Time: :

Throughput: What was your average connection speed today? Select Speed... Fast Average Slow

Devices: What devices did you use today to access the network? PDA Laptop Other (indicate device below)

Network area availability: From where did you access the network today? Roadway corridor areas Stationary campus areas Frontage Road -- specify Nearest Kilometer Post #

Network Connectivity within Designated Corridor What is your level of access to the network? 100% - always accessible 76% - 99% 51% - 75% 26% - 50% 0% - 25%

Starting Kilometer Post #: Ending Kilometer Post #:

Transparent radio "hand-offs" How many times did you have to re-connect to the network? Enter number of reconnections. Specify approximate kilometer post #s below (separate multiple entries by commas).

Applications Used What applications have you used? Check as many as appropriate: Spillman Dispatch System Voice over IP (VoIP) Instant Messaging (IM) Email Cameras - location Other (please specify below)

Intercommunication: Whom did you communicate with today? Check as many as appropriate: SCC Deputies SCC Dispatcher DHS Rio Rico FD Tubac FD Green valley FD Other (please specify below)

Other Comments Add any additional comments.

Sample User Evaluation Questionnaire


June 28, 2006 of 40

Evaluation Methodology

The evaluation methodology incorporated formative techniques, such as user satisfaction questionnaires (see sample above), and summative assessments, such as an analysis performed by a team from the University of Advancing Technology (UAT) in Tempe, Arizona. Due to the delays in implementation, we are in the early stages of gathering the questionnaire data, and the final assessment remains qualitative. Since we will continue to monitor the usage and effectiveness for at least three additional months, we plan to develop a more quantitative assessment report later.

Traffic Monitoring by Users

The vendor has the ability in their back office equipment and Operations Support System (OSS) software to track network usage by the Media Access Control (MAC) address for authorized devices and generate usage reports by participating first responder agency and user. Delays in project deployment and some OSS issues have delayed the generation of such statistics and usage reports, but it is expected that THE VENDOR will start producing them for participating first responder agencies as they enter the sustainability phase after June 30, 2006. ATIC will collect and review this data as it is made available and continue to work with the provider and first responder participants to optimize usage and manage performance. First responder end users were provided a hard copy and alternative web survey form (http://atic.researchedge.com/wireless/) to help gather performance data and their operational experience. Due to the delays in implementation, we are in the early stages of gathering the questionnaire data, and the final assessment remains qualitative. Since we will continue to monitor the usage and effectiveness for three additional months until the end of June, we plan to develop a more quantitative assessment report at that time. An onsite performance analysis by a team of faculty and students from the University of Advancing Technology (UAT) confirmed the telecom vendor’s self evaluation of initial shortcomings and has contributed to better characterizing and optimizing the wireless network. A second onsite performance analysis by the UAT team is planned for the near future.

Target Metrics

An important target metric was to gain participation by a significant number of first responder vehicles. The goal was to have more than fifty participating vehicles at the completion of the project. This goal was achieved and the numbers are growing.

An important target metric was to gauge the level of insertion of WiFi facilities into the community at large. An important measure was related to the number of accounts converted from use of free WiFi services to paid WiFi services at the end of the project. This target still remains to be evaluated, since the vendor has extended the free service period to allow for testing delayed by the CJIS certification process. The details are still undergoing negotiation.

A comprehensive test and security assessment plan was prepared by the ATIC project team that detailed network testing processes and metrics for coverage, bandwidth, latency, traffic capacity, resiliency, security, first responder prioritization, etc. However, it was decided that substantial additional resources would be needed to execute the plan and should be provided in a later project phase with additional support funding as needed.



June 28, 2006 of 40

5. Project Innovation. WI-VOD, and its partners, RoamAD (Auckland, New Zealand) and ABLE, Inc (Chandler, Arizona) have provided a network to service First Responders (police, fire, ambulance, border patrol, etc.), various community agencies, schools, business and local residents as the deployment expands beyond its targeted coverage areas. The WiFi network is capable of providing multi-story, blanket, near ubiquitous, WiFi coverage and connectivity both indoors and outdoors in rural settings, campuses and other dense commercial/residential environments. Anywhere inside the coverage area end-users can enjoy a mobile broadband connection. Our configuration also enables similar functionality to mobile end-users and is one of very few solutions to support mobile VoIP due to the very low latency, built-in redundancy, high signal availability, and seamless handoff. The solution is also suitable as a transport mechanism for WiFi compatible closed circuit television (CCTV) cameras placed in the network area, thereby avoiding the need to cable each individual CCTV camera. This WiFi solution is a cost-effective and efficient delivery alternative for Telco-grade broadband service. The CANAMEX Corridor network configuration provides a middle and last mile connectivity to serve static or mobile WiFi customers as well as broadband customers who are looking for an alternative to DSL or cable. The CANAMEX Corridor configuration also includes wireless backhaul directly from the Internet, wireless backhauls between individual nodes to primary aggregation points, seamless roaming, fast hand-off, support for mobile VoIP, and the ability to easily expand network size and capacity. The initial design of the network followed the general characteristics outlined in the figure to the right:

Figure 1: Solution Architecture


June 28, 2006 of 40

Node Characteristics and Specifications The challenge was to solve the problem of providing continuous high quality coverage along the highway corridor from within vehicles traveling at speeds up to 75 miles per hour. Node locations were selected and engineered to provide optimum coverage along I-19. This introduced a number of novel factors that contributed to the complexity of the engineering solution. Allowances had to be made for the interference to line-of-sight communication caused by increased foliage in the spring and summer along the highway median. Since this is a rural area, power supplies for the nodes were limited. The solution was to provide low weight nodes with a wide range of line-of-sight access. The nodes including the encasement and internal cabling have a combined weight of 20 lbs 11oz (excluding supplemental power resources where required). Hardware consists of a small form factor embedded device with four integrated IEEE 802.11 radios in a robust all-weather cabinet with cables leading to antennas that propagate the signal to the surrounding area. Nodes were placed on appropriate existing facilities such as:

Electrical poles servicing buildings and street lighting

Water towers and/or other municipal tower construction (RF towers, traffic monitoring camera poles, weather sensor poles, etc)

Municipal buildings (of a height equal or greater than neighboring buildings)

Tall Traffic or community notification signs (with existing power feeds).

Utility Pole Deployment on I-19

Existing Tower Deployment on I-19

Commercial Building

Deployment on I-19

Low Impact Solar Powered

Deployment on I-19

This solution design provides low latency, high levels of redundancy, and multiple paths for routing of data traffic. It has been devised as a solution to the complex problems associated with traditional mesh routing topologies. The distribution of end-user traffic or management data is optimized by using network based radio links over the span of the network coverage area. These wireless links form the entry and egress points of traffic, as well as the transport mechanism for materials destined for devices in other areas of the network.


June 28, 2006 of 40

This design provides flexibility in the size of the network coverage area, the number of users within the coverage area, and future network expansion plans. Benefits of this network architecture include:

• A very low hop count, with a typical maximum of 6 (or fewer) hops between any two points on the network.

• A very low latency across the network, with a one-way average maximum latency of approximately 24ms between any two points.

• Provision of a very controlled and manageable communication service to end-users, and high compatibility with most end-user latency sensitive applications such as Voice over WLAN (VoWLAN).

The layout of the actual nodes along the I-19 corridor is as follows:

Another challenge was to provide for an extensible and cost-effective network that would allow for expansion along other segments of the CANAMEX Corridor as well as provide for self-sustainability in the post-grant period.

The solution was to provide a properly dimensioned network that would adjust its routing capabilities as new areas and users are added to the network.

A-Bridge

I-19 Highway

Orthogon Link

B Bridge

Elephant Head

KM48

KM34E

KM22

KM19

KM14

KM13

KM25

Rio Rico

KM34W

KM37

KM32

KM42

KM49

KM46

KM45

KM40

KM26

Rex Ranch

Rio Rico Tower KM17

KM29

KM16

KM52


June 28, 2006 of 40

In a correctly dimensioned network, the failure of a single Intelligent Network Node (INN) has no overall effect on traffic handling, or the number of hops to any destination on the network. The grid creates, by way of its design and the unique routing policies, a tightly controlled network environment. The network routing scheme used on the network has been developed to take advantage of some of the best features of common L3 routing protocols such as Open Shortest Path First (OSPF), and to get around some of the common issues with L2 routing topologies such as with Spanning Tree Protocol. The routing policies are enforced at the INN and the Intelligent Network Server (INS). The Star Grid network architecture and routing policies mean that the solution is able to support both connection oriented (i.e. TCP) and connectionless (i.e. UDP) network protocols.

In addition, the routing policy is able to guarantee the delivery of packets in the correct sequence to every destination device on the network, due to:

• A low network hop count between any two points

• A low latency across the network or between any two points on the network

• Design and control of authentication-processing delays on network devices.

Network dimensioning takes into account: the number of end-users; the likely location of end-users; the required bandwidth during peak times vis-à-vis coverage and backhaul links; as well as the applications being utilized (i.e. data and VoIP traffic requirements). As end-user demand grows in an area, or as service deliverables such as individual end-user bandwidth increases over time, additional Intelligent Network Node (INN) devices can be added to the high demand areas to provide additional coverage. These new INNs are auto-configuring, meaning that very little resource (or cost) is involved in increasing existing network coverage capacity. As with the coverage corridor established for this project, WI-VOD’s methodology maximizes the capabilities for interoperability with future grids and supports end-user roaming into other WI-VOD


June 28, 2006 of 40

networks. This provides almost unlimited horizontal expansion to the CANAMEX network as it grows across the entire span of the corridor, potentially into other jurisdictions and states.

Figure 2: Project Architecture

With this network WI-VOD and its partners have built upon critical advantages:

• Development of flexible flat-fee, hourly, daily and monthly subscription services • Simultaneous data and voice over IP offerings • Integration of this deployment of WiFi with enabled locations throughout the United

States and Canada which will ensure the WI-VOD solution as a truly universally accessible service offering to the CANAMEX Corridor participants

• Integrating applications and other service offerings of our local participants to enable further benefit with the inclusion of other value-added elements

• Offering “private labeled” development and integration services to location participants (e.g., GPS tracking, etc.)

• Leveraging WI-VOD’s expertise in industry related applications and development • Creating cooperative relationships with other technology providers in order to keep

applications as flexible and cost-competitive as possible • Implementing an aggressive marketing plan with potential partners to provide a

network for local education and awareness.

INS - Tucson Data Center Elephant Head

Hub

Peck Canyon North

Peck Canyon South

KM45

Tubac Fire Hall SE

A-Bridge

Ethernet

KM14

KM13

KM19

KM25

KM13 Hub

KM52

Orthogon Link

Orthogon 4

Orthogon 3

Orthogon 2 Orthogon 1

Ovis Link 4

Ovis Link 5

Orthogon 5

Orthogon 6

Ovis Link

Ovis Link

Ovis Link 1

Ovis Link 2 Ovis Link 3

B Bridge

Tubac Fire Hall N

KM46

KM42

KM49

KM48

KM32

KM34

KM37

IP Mapping Table (see below)

KM40

KM16

WaveMax 7

KM17 Ovis Link 6

KM17 KM26

KM29

WaveMax 1

WaveMax 2 WaveMax 3

WaveMax 4

WaveMax 5

WaveMax 6

Rex Ranch


June 28, 2006 of 40

WI-VOD has deployed redundant backhaul connections to ensure the network is served by more than one mechanism to the primary Internet.

6. Actual Costs and Schedule.

Planned Versus Actual Costs:

Cost Item Planned Cost Summary Actual Cost Summary

Consultants Fees and Expenses $81,355 $81,325Contracts $384,466 $384,466Equipment $34,000 $34,000

TOTAL PROJECT COSTS $499,821 $499,791

The tasks for the project are listed below:

Task 1– Develop and Refine Conceptual Designs Task 2 – Verify Design, Assign Participants and Establish Evaluation Metrics Task 3 – Connect the Middle Mile to Vehicle Access Points Task 4 – Add Layered and Scaled Security Task 5 – Progress and Final Reports Against Project Goals and Requirements Task 6 – Establish Final Governance, Oversight Roles and Responsibilities Task 7 -- Finish final Operational Roles and Responsibilities Task 8 -- Operate and Maintain the Corridor Task 9 -- On-Going Governance, Oversight and Reporting Activities.

ATIC DHS WiFi Security Project

Task# Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar1-Plan 1-Actual 2-Plan 2-Actual 3-Plan 3-Actual 4-Plan 4-Actual 5-Plan 5-Actual 6-Plan 6-Actual 7-Plan 7-Actual 8-Plan 8-Actual 9-Plan 9-Actual


June 28, 2006 of 40

7. Project Stakeholder Involvement. From the start of the project, it was felt that involving Arizona government leaders at the highest levels would optimize acceptance of the project at the county, municipal and community levels. Impetus for high level involvement was provided by associating the project with the CANAMEX Corridor. Arizona’s Governor, Janet Napolitano, had defined economic development along the CANAMEX Corridor as a high priority for her administration. Because of the proximity to the international border with Mexico at Nogales, Arizona, a common nexus of priorities quickly became evident between CANAMEX and this project. As a result, directors of agencies involved with CANAMEX initiatives were naturally invited to be part of the project. They became part of an oversight advisory board. Key agency directors were selected from Arizona’s Department of Transportation (ADOT), Department of Commerce (DOC), Department of Public Safety (DPS), Office of Homeland Security (OHS), and GITA. These directors met regularly with project leaders, receiving progress reports, and providing assistance and direction to lower echelons of their agencies as coordinating actions were required. Such high level involvement proved to be invaluable many times.

The Office of Homeland Security assisted in setting up the initial meetings that identified and invited the local area first responders who would become involved. Later, as it became apparent that Santa Cruz County had deficits of mobile hardware and software necessary to connect to the WiFi Project, OHS helped coordinate other funding sources to acquire such assets.

Arizona’s Commerce Department validated the project to local business leaders in and around Rio Rico. The project received consistent affirmation as an important CANAMEX Corridor asset, helping local leaders to envision a number of value-added applications enabled by the increase of broadband assets that came with the project.

In one instance, Commerce facilitated a number of meetings regarding the need for increased security for the vegetable produce crossing from Mexico to warehouses just inside the United States. It was determined that a successful WiFi project would enable a consortia of growers to utilize more sophisticated technology to protect against chemical and biological threats to the food supply housed in their warehouses. About forty percent of the U.S. supply of winter produce travels through the project area.

The Arizona Department of Transportation’s leadership, likewise helped expedite some of the processes at their regional offices, as wireless node sites were determined. Their influence and advice was also helpful as contact was made with utility companies and other private sector entities.

The involvement in and affirmation of the project by state agency directors increased the likelihood of political subdivisions such as counties, cities, towns and school districts to support and participate in the project. This acceptance was important, because only with local help and support would the project succeed.

However, such high level influence did not make success automatic. For example, local government prerogatives had to be respected in their use of permits and rights-of-way as a source of revenue. Indeed, such constraints, along with similar issues from the private sector, led to major project delays and to the constant need to re-engineer the network. Until near the end of the project, key antenna node sites were being changed or eliminated because right-of-way or permitting issues either prohibitively increased costs or pushed time limits beyond viability.


June 28, 2006 of 40

Entities participating in the project include the following:

Public Organizations:

• Arizona Government Information Technology Agency (GITA) • Arizona Office of Homeland Security (OHS) • Arizona Department of Public Safety (DPS) • Arizona Department of Transportation (ADOT) • Arizona Department of Commerce (ADOC) • Arizona Department of Emergency & Military Affairs (DEMA) • CANAMEX Corridor Project • Santa Cruz County (SCC) • Santa Cruz County Sheriff’s Office (SCCSO) • University of Arizona Telemedicine Program • University of Advancing Technology (UAT)

Public Safety Communities:

• University of Arizona Telemedicine Program • Rio Rico Fire District • Tubac Fire District • Green Valley Fire District, in Pima County • U.S. Customs and Border Protection.

Non-Profit Organizations:

• The Arizona Telecommunications and Information Council (ATIC) is the project manager.

Private Organizations:

• WI-VOD, Corp., provided the connectivity • ABLE, Inc has provided installation and maintenance support.

The roles played by the above entities included:

• Oversight and project guidance by GITA and DEMA • Advisement by a Steering Committee consisting of the Directors of GITA, OHS, DPS, ADOT

and ADOC • Implementation management by ATIC • Deployment by WI-VOD and ABLE • First-responder roles by DPS, SCCSO and the three Fire Districts at Rio Rico, Tubac and

Green Valley. • Emergency management roles played by the three Fire Districts at Rio Rico, Tubac and

Green Valley and the University of Arizona Telemedicine Program. • Testing support provided by UAT.

8. Replication of Project Outcomes. The ATIC DHS WiFi Security Project yielded various lessons learned that should be considered, as well as a series of steps and procedures that ought to be undertaken by other organizations interested in replicating the project’s process and outcomes.


June 28, 2006 of 40

• For similar projects where first responders are considering adding WiFi to their mobile communications capabilities, some will have the opportunity to participate in the initial development and deployment of such systems as was the case on this project, while others will be looking to integrate existing community WiFi capabilities developed for broader purposes into their communications resources. The majority of the lessons learned and procedures followed by this project are applicable to both groups.

• The project utilizes standard WiFi technology, now broadly deployed in homes, businesses, and government facilities for local area networks (LANs), and increasingly found in wireless access metropolitan area network (MAN) infrastructure deployed or planned for many larger municipalities and selected other locales. WiFi capabilities are embedded in most laptops as well as some mobile phones and personal digital assistants (PDAs), thus such devices may be easily activated and integrated to WiFi networks. Such WiFi networks built with commoditized equipment yield a cost effective, high performance wireless infrastructure that ensures an interoperable pathway between various first responder agencies and personnel.

• When utilizing commercial WiFi deployments or partners, public safety agencies should participate in investigation, dialogue, and negotiations regarding their anticipated special needs and considerations for network priority use in times of emergency, adding of VPN and other security protocols, minimum performance requirements and Quality of Service (QoS) appropriate to their applications, etc. This project’s deployment utilizes a sophisticated mesh network topology with low latency, seamless handoff for mobile users, and coordinating control over the various network elements that was deemed necessary for the participating first responders’ needs and may or may not be found in other existing or planned WiFi metropolitan area networks (MANs).

• Use available specifications, well-defined security policies, audit trails, and specialized data security tools to minimize risk of inappropriate access to data or compromise to the network and attached devices.

• Where significant commercial WiFi deployments are already in place or planned, public safety agencies should consider subscribing to commercial or municipal offerings, rather than building and managing their own. The use of such open systems reduces costs and assures availability of a wide variety of hardware and software products.

• ATIC had a strong desire to provide for self-sustainability after the expiration of the grant so public safety services and wireless broadband will continue to remain available to the broader community. Representatives were engaged from all stakeholder groups and significant awareness and cooperation were engendered through a concerted outreach program. This mobile WiFi network built along a critical transportation corridor has the dual potential to enhance public acceptance of broadband applications by various stakeholders through usage and familiarity and to create a seminal network with one or more anchor tenants that can continue to build out. Providers of such WiFi “build outs” then can focus on providing secure economical broadband services to customers other than first-responders, including residents, local businesses, real estate developers, and other government agencies including schools and libraries. A viable business model around such services has already been clearly demonstrated in this project, which would facilitate replication at other locations.

• The individual public agencies and their regional government (city and/or county) may have


June 28, 2006 of 40

vertical assets such as existing communications towers, building rooftops, signage, light and utility poles, etc. that may be leased directly or offered for use under in-kind arrangements with telecom providers to offset the ongoing cost of public safety wireless services. In our project, several agencies, especially fire departments, are providing access to towers and other facilities in exchange for cost offsets or in one case received a new, installed tower in exchange for collocation privileges. A study of this nationwide trend in public-private partnering yields numerous examples of best practices and models for use in similar projects.

• Federal and state homeland security funds and grants may be available to acquire laptop computers and other mobile information appliances, to support information technology applications and infrastructure as well as to pay for ongoing telecom service fees. Projects that leverage existing systems, involve multiple stakeholders, and incorporating public-private partnership elements could receive favorable consideration when competing with other types of projects that may be more expensive, involve a narrower range of participants, and deliver fewer results. Some local matching funds or use of in-kind contributions may be necessary.

9. Next Steps. Potential extensions and contributions that could be provided in a second phase include:

• Expansion of the network coverage along the I-19 corridor • Addition of more first responder agencies and participants • Extension of current users’ subsidized service • Network testing for coverage, bandwidth, latency, traffic capacity, resiliency, security, first

responder prioritization, etc. • Deployment and testing of advanced applications

Targeted advanced applications might include first responder real-time vehicle tracking & dispatch, EMT mobile data transmission and remote diagnostics/assistance, vehicle & mobile video camera transmission, monitoring & logging, image recognition cameras (license plates, person or vehicle presence/movement in target locations), mobile command center support, border security, trucking & product (produce) logistics support, biohazard detection, VPN & encrypted data transmission, etc.

Another example of one of those advanced applications would be to investigate probe data techniques within the I-19 WiFi corridor as has been discussed with Tim Wolfe of ADOT and involving Bishop Consulting. Details of a preliminary investigation are sketched out below: Arizona I-19 WiFi Corridor: Assessment of Opportunities for Probe Data Operations

• The challenge is for the Arizona Department of Transportation (ADOT) to utilize probe data

collection techniques for monitoring traffic and road condition parameters.

As a result of this WiFi Project, ADOT commissioned a short study of Opportunities for Probe Date Operations by the Bishop Consulting group. This study identified several vehicle probe data techniques that would map to the I-19 WiFi Corridor provided by this effort. The report begins with an overview of probe data techniques and R&D and deployment relating to probe systems generally. The specifics of the WiFi corridor are then described, and


June 28, 2006 of 40

several methods for probe data collection using the corridor WiFi equipment are explored. An approach to proof-of-concept testing is provided, and a Field Operational Testing approach for the most promising implementation is offered. This work is intended to provide a foundation for ADOT to pursue further work in the areas of probe data collection techniques for monitoring traffic and road condition parameters. The consultant’s report for ADOT titled “Arizona I-19 WiFi Corridor: Assessment of Opportunities for Probe Data Operations” from 10/05 is available on the ADOT site at: http://www.azdot.gov/TPD/ATRC/publications/QuickStudies/TRQS-02.pdf. The following methods of generating and using probe data were provided in this report: Method One: Vehicles traveling the corridor which are not MAP-equipped5 using registered laptops. If vehicle does not have the advantage of a Mobile Access Point (MAP) to access the WiFi network (MAP equipment amplify the WiFi signal), gaps in coverage will exist along the corridor. Such gaps would be at consistent locations along the roadway allowing a “gap map” to be created. A software routine running on the on-board laptop could note the time of signal loss and signal re-acquisition and correlate this to the gap map to estimate link travel times. Method Two: Assess location of MAP-equipped vehicles based on received signal strength. This technique would rely on the initial creation of a lookup table of the received signal strength based on location. Then, as vehicles travel the corridor, the on-board laptop could continuously log signal strength and correlate that to location; comparison of successive log entries would provide an estimate of the vehicle speed for that section of the corridor. Method Three: Get location of vehicles via GPS-equipped laptops on-board. Laptops on-board vehicles that are equipped with GPS could create time/location logs and send this data to the traffic management center via the WiFi network. Link travel times could then be calculated. This data transmission would be seamless with MAP-equipped vehicles and intermittent for normal vehicles. Most likely, though, information would only need to be transmitted on a periodic basis, say every 5 minutes, so that the WiFi connectivity would be adequate for either type of vehicle. Method Four: Track the antenna handoff times as a MAP-equipped vehicle passes a roadside radio tower. The WiFi system switches the connection between these successive antenna/radio pairs as a vehicle approaches, passes, and departs the immediate location of the tower. WiFi system designers note that this handoff zone is on the order of 100 meters. Therefore, data could be gleaned from the switching system at the roadside tower showing an in-vehicle laptop (uniquely identified by its registration number) passing by the tower. For a southbound vehicle, the laptop would initially be communicating through the narrowbeam north-pointing antenna, then be switched to the broadbeam antenna near the radio tower, then be switched to the south-pointing antenna shortly thereafter. The process would repeat

5 The original research report used the term MAD, for Mobile Access Device. For the sake of consistency with other sections of this Final Report, we use the term MAP, for Mobile Access Point.

http://www.azdot.gov/TPD/ATRC/publications/QuickStudies/TRQS-02.pdf�


June 28, 2006 of 40

itself as the vehicle neared the next radio tower, further south. Therefore, the time of the vehicle passing each radio tower along the corridor would be precisely known. Method Five: Equip on-board MAP devices with GPS positioning. Here, the MAP equipment would be upgraded with a GPS receiver so that each MAP-equipped vehicle would know its position at all times. The communications management data stream within the WiFi system could be modified to include a location/time log, which could then be transmitted to the Traffic Management Center to generate link travel times, as in Method Three.

10. National Strategy Benefits. The WiFi Security Project facilitates communication and information sharing in support of Homeland Security missions in several areas:

• It provides a means for inter-agency communications during an emergency event. Those directly impacted are agencies in charge of border and transportation security, agencies protecting critical infrastructure and agencies responsible for emergency preparedness.

• Critical infrastructure is protected through redundancy provided by the WiFi Project services. • Emergency response is enhanced with the mobility, speed, and the security of the

bandwidth made available through this grant. • The addition of capacity for high speed data transmission while mobile, adds a new

dimension to the traditional paradigm of voice only mobile communication. Adding the ability to communicate visually (live streaming video, high resolution graphics, ad-hoc panning and zooming of observation cameras) revolutionizes communication expectations. A picture is indeed worth a thousand words.

• Besides visual communication, WiFi technology provides an inexpensive and commonly available method of transport for exchanging information between disparate groups of first responders. Once the data hits the Internet, it can virtually be transported anywhere. The project shows that security for data (voice and video included) is a manageable issue.

• In the last two years over 400 communities nationwide that have either deployed or begun to deploy, WIFI umbrellas or canopies, over themselves, allowing for near ubiquitous wireless connectivity at broadband speeds. Experts predict hundreds more communities in the U.S. will join this trend every year.

• This grant shows that such communication resources can also be installed successfully in rural settings, thereby connecting cities and communities into one large grid, instead of islands of separate connectivity. If such connectivity between cities is fostered, the impact could be as far-reaching as was the impact of a national highway system on the United States in the 1950’s and 1960’s.

11. Key Project Participants. Oris Friesen, Project Coordinator ATIC Vice Chair and IT Consultant

5136 E. Le Marche Ave. Scottsdale, AZ 85254-1667 Phone: 602-992-4504 Mobile: 602-689-1084 Fax: 305-723-6239 E-Mail: [email protected]

Mike Keeling, Project Consultant ATIC Chair and IT Consultant

Data Site Consortium, Inc. One E. Camelback Road Suite 660 Phoenix, AZ 85012 Phone: 602-265-9003



June 28, 2006 of 40

Mobile: 602-332-0341 E-Mail: [email protected] URL: http://www.data-site.com/

Mark Goldstein, Project Consultant ATIC Secretary and IT Consultant,

International Research Center PO Box 825, Tempe, AZ 85280-0825 Phone & Fax: 602-470-0389 Mobile: 602-670-6407 Skype: mark.goldstein E-Mail: [email protected] URL: http://www.researchedge.com/

Galen Updike, Project Oversight Telecommunications Development Manager, Government Information Technology Agency (GITA)

100 N. 15th Ave., Ste. 440 Phoenix, AZ 85007 Phone: 602-364-4794 Mobile: 602-614-3831 E-Mail: [email protected] URL: http://www.azgita.gov/

Mark Howard, Project Director Homeland Security Grants Administrator, Division of Emergency Management (DEM), Arizona Department of Emergency & Military Affairs (DEMA)

5636 E. McDowell Road, #101 Phoenix, AZ 85008-3495 Phone: 602-231-6212 Mobile: 602-910-6005 Fax: 602-231-6212 E-Mail: [email protected] URL: http://www.dem.state.az.us/ & http://www.azdema.gov/

Allan Meiusi, Wireless Design and Services Provider Chief Solutions Architect, WI-VOD Corporation

HQ : PO Box 1541, Ashland, VA 23005, Main: 866-802-6060 Phone: 905-754-3112 x3302 Toll-Free : 866-802-6060 x3302 Mobile: 208-412-8412 Fax: 905-752-3117 Skype: alcabit E-Mail: [email protected] URL: http://www.wi-vod.com/

Advisory Steering Committee:

• Chris Cummiskey (Chair), Arizona CIO and Director of GITA, [email protected] • Frank Navarrete, Director, Arizona Office of Homeland Security (OHS), [email protected] • Victor Mendez, Director, Arizona Department of Transportation (ADOT),

[email protected] • Gilbert (Gil) Jimenez, Director, Arizona Department of Commerce (DOC),

[email protected] • David Felix, Deputy Director, Arizona Department of Public Safety (DPS), [email protected]

Other state and local government and private sector entities participating in the project include:

• CANAMEX Corridor Project, Marisa Walker, Executive Director, [email protected]

• Santa Cruz County Office of Emergency Management, Louis Chaboya, [email protected]

• Santa Cruz County, Mike Lindsey, Telecommunications Specialist, [email protected]


http://www.data-site.com/�


http://www.researchedge.com/�


http://www.azgita.gov/�


http://www.dem.state.az.us/�

http://www.azdema.gov/�


http://www.wi-vod.com/�











June 28, 2006 of 40

cruz.az.us • Santa Cruz County, Raul Mavis, Information Technology Director, [email protected]

cruz.az.us • Santa Cruz County Sheriff’s Office, Ramon Romo, Major, [email protected] • University of Arizona Telemedicine Program, Richard (Rick) McNeely, Co-Director,

[email protected] • Rio Rico Fire District, Michael Foster, Fire Chief, [email protected] • Tubac Fire District, Kevin Keeley, Fire Chief, [email protected] • Green Valley Fire District, Ken Shultz, Captain, Operational Support, [email protected] • U.S. Customs and Border Protection, OIT/FSO/Arizona/Nogales, John Grijalva, Field

Technology Supervisor, [email protected] • Able, Inc., David Whitt, Technology Specialist, [email protected] • University of Advancing Technology (UAT), Raymond “Todd” Blackwood, IT Manager of

Development, [email protected]

Selected List of Project Document References

1. ATIC. “ATIC DHS WiFi Project for First Responders Users Guide.” Version V01C. March 6,

2006.

2. ATIC. “ATIC DHS WiFi Security Project Contact List." Version V01R. September 24, 2005.

3. ATIC. “ATIC DHS WiFi Security Project for First Responders.” January 8, 2006.

4. ATIC. “End-user Mobile Equipment & Mobile Service Account Recipient Agreement.”

5. ATIC. “First Responder Participant Vehicles Using Mobile Access Points (MAPs).” June 20,

2005.

6. ATIC. “Grant Application: WIFI SECURITY for First Responders –Border area Grant.” June 23,

2004.

7. ATIC. “Project Plan for DHS Wireless CANAMEX: WIFI SECURITY for First Responders –

Border area Grant.” Rev 1A. January 9, 2005.

8. ATIC. “Test Report – WiFi Test matrix.” July 11, 2005.

9. ATIC. “Wireless Network Security Assessment Plan.” Version 2. July 10, 2005.

10. Bishop, Richard. “Arizona I-19 Wi-Fi Corridor: Assessment of Opportunities for Probe Data

Operations.” Report TRQS-02. October 2005.

11. Friesen, Oris and Galen Updike. "Post-Grant Sustainability Model for WiFi Broadband

Development. "December 13, 2005.












atic dhs wifi security project - ieee · atic dhs wifi security project ... atic dhs wifi security...

Documents