Slashdot Mirror
Can 802.11 Networking Be Made Safe?
plumpy asks: "I am a developer at a small (~100 people) company that develops web and wireless (Palm, WAP) applications. Recently a few developers began a campaign to get a wireless access point for the company so that we could carry our laptops to meetings and work more flexibly. Two people had been bringing in their own personal access points from home while we waited for someone to actually purchase one for the company. Everything was going okay, and it sounded like the purchase request was going to go through. Then our IT manager read a few of the recent articles about the lack of security in 802.11 networks and killed the idea." Wireless Networks, like their wired counterparts are only as secure as the procedures behind the people that maintain them. A wireless AP can be secured against casual attacks and WEP, properly implemented, should take care of the rest, shouldn't it?
"From what I've read, it sounds like 802.11 is not as secure as it COULD be, but is plenty secure for most networks. My IT manager LIKES wireless (he has an 802.11 network at home) but doesn't think it's secure enough for the workplace. Does anyone have any links to articles that could convince him otherwise? Or does anyone have any articles that can convince me he's right? Also, does anyone have any stories about where wireless networking has been helpful for developers. There is some additional resitance because management thinks it's just a toy for us with no real useful applications."
Seriously, if you're doing work that is too sensitive for 128-bit WEP (need both AP and client cards to be 128, obviously), well, yeah, wireless is inappropriate. (If your work is this sensitive, as the CTO how secure your LAN cable is against emission snooping or unauthorized taping.)
Further, are you in a crowded office building? Are your 2-6 side-sharing neighbors competitors? How absorbant are the walls (I mean of RF radiation)?
Plus, let's not forget that 128-bit gear isn't cheap. Not uber-expensive, but definitely not cheap either (especially if you have a large number of potential clients which means you will need several access points in addition to many client pcmcia cards; you might need several access points to begin with if you office has lots of structural walls and whatnot in it).
--
"Overrated" is "overfuckingused".
News for Geeks in Austin, TX
The only time wireless'd be any good is if you have a laptop, aren't concerned with security, and take your laptop with you to the loo. :)
For God's sake, if you are concerned about security, don't broadcast your messages over the air! If you're f'n paranoid, use fibre, as it has no magnetic field around it to be intercepted.
If you really want to be secure, turn off your computer, use a removable drive, take it out, lock it in a safe, and take the network cable out of the machine when you leave. That way, there is no physical nor electronic access to your data. Simple.
Thus sprach DrQu+xum.
DrQu+xum: Proof that the lameness filter doesn't work.
Yeah, there's a big hole in WEP, but in order to crack it the person would have to have a lot of equipment that isn't readily available, not to mention cryptoanalysis expertise. It would probably be a lot easier for them to break into your building and put a device on the network somewhere and capture packets.
It's not as if you can wander within range of a WEP protected network and just start sniffing. First off the NIC has to associate and authenticate with the AP to even get the packets past the MAC layer. You can turn access control on with most APs so you only allow certain MAC addresses. Even if they got past that layer they're going to not be able to sniff anything because the MAC chip in the card will discard anything it can't decrypt, even in promiscuous mode.
The only way they could sniff you out with 802.11 and WEP would be to have some custom hardware and software to bypass the MAC layer(or be able to rewrite the firmware for an existing card). Anyone who goes to these lengths are going to be able to get past your pysical security anyway.
The solution was to configure the network in such a way that access to the corporate LAN was impossible, unless
- You authenticated with a VPN server, and tunneled your LAN connection over that -- in addition to the security already provided by the hardware
- You used SSH to tunnel (again to a gatekeeper/firewall machine), and then again to tunnel your X session over.
I know it's a lot, and it's not the easiest thing to just set up. Hardware is something you can plug in and have running 5 minutes later -- this takes a lot more work.OR
Remember that it's worth it -- you're already doing this, it needs to have the level of security the company is comfortable with. If you drive the project underground, you won't know what's going on, what hardware is being used -- or even by who.
Don't let your PHB be scared away by the fact that the hardware is not as secure as he'd like. You have options to make it more secure, and these options have already been enough to placate other PHBs.
You can do this. Yes, you can make a wireless connection secure enough -- unless you're doing something to piss off the NSA. If you're up against an adversary like that, my money's on them.
Just trying to keep things in perspective.
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
The beauty of IP is that being software & readily available, it has been able to spread over all sorts of networks, providing connectivity, and consequent demand for features (such as security) that provide functionality irrespective of what functionality the lower layers of network hardware etc provide.
I'd trust 128-bit WEP more than an ethernet line. Heck, I'd trust 40-bit WEP more than a regular lane. It's trivial to tap into an ethernet line. That's not theorestical. I've never heard of a real system for tapping into an 802.11b link. But the point is that you shouldn't trust any communication link. You should learn more about SSH or a VPN.
IPsec
CIPE
SSH
Basically, if you treat the wireless LAN as untrusted, and think about it that way, there are natural solutions that will present themselves.
From a Linux angle, FreeS/WAN works on just about everything, even adaptive load balanced NIC teams. It provides decent packet level encryption, and is interoperable with other IPSEC implementations such as Intel Packet Protect. Both FreeS/WAN and Packet Protect are free. Packet Protect requires an Intel NIC though, but with offloading, it is worth it. Both should offer sufficient security for all applications where networking outside of a vault is okay.
Treat wireless the same way you would remote access via Internet; firewall it off, layer a VPN over the wireless LAN and you're good.
Probably.
The specific failings of WEP are documented here. If your boss is concerned about WEP security, he/she should read this document, and make an assessment as to whether adding WEP to your network significantly increases the security risk.
Assuming you use 128-bit WEP, you have a reasonable chance of blocking attackers. While you could be compromised, it's important to compare the risk vs. the risk of your wired LAN being compromised. For example, do you allow visitors to plug in their computers into your LAN? If so, 802.11b is not going to increase your security risk.
Even if 802.11b would increase the security risk, you need to asses if it's a good trade-off in return for your benefits. Finally, if you can't accept the risk, then just run IPSec (or the poor-man's IPSec: SSH ;-) for communications over 802.11b. Indeed, you could have an IPSec gateway on whatever is plugged in to your 802.11b access point. Sure, it's a bit more work to setup, but the benefits would be substancial.
sigs are a waste of space
You asked for a link - http://www.nwc.com/1203/1203ws1.html
One sentence summary of link: 802.11b not yet ready for the bleeding-edge averse enterprise IT manager (anyone know a CIO/CTO who digs deploying bleeding-edge stuff?), but there are ways to make it work for smaller organizations.