Responsible Wireless Access For Your Access Point

bgood writes: "O'Reilly Network has an interesting article on authentication for wireless networks. The author discusses both the technical aspects, specifically NoCatAuth, and the overall context of why someone would choose (or not choose) to monitor or track the use of their wireless network. While geared towards network neighborhoods, the article definitely has applicability in more formal settings."

What would be nice

[Space+Coyote]

... would be if you could easily set aside a certain percentage of your bandwidth (say 10-15%) for use by other people, and more if its available. That way you aren't taking a backseat to freeloaders on your own network, but you also aren't curring people off whenever you start a big, bandwidth-heavy transfer.

Re:What would be nice

[rockwood]

That would be nice!

Specifically allowing businesses and residents to allocate percentages of their bandwidth to opposing buildings/households and reducing their own costs. Possibly even allowing passing motorists with roaming uplinks to their own central servers.

I haven't crunched actual numbers, but I can only guess that that would allow for everyone to have wireless access for an extremely nominal fee and provide the ability for additional redundancy.

Though I don't beleive I'd ever totally do away with a hard line (whether it be phone or cable)

Re:What would be nice

[vanguard]

That's pretty much what I do. It more or less happens naturally. I've made a decision to secure my network from the Internet but not from my neighbors. If I ever get burned by that (unlikely in my little suburban cul-de-sac) I'll change the policy.

As for giving them only 10% of my network, just be being 100 feet or so (~30 meters) from the access point they can only get about 1 Mbs from the next house over.

I can see that nobody has ever logged on but in my dreams most of the neighborhood starts providing wireless access and the entire subdivision is wireless and broadband. I'll bring a laptop to the pool and they'll bring a laptop to the basketball hoop down the street. (Ok, it's a weak dream but it seems neat to me)

Re:What would be nice

[GC]

Exactly - my (Wireless) network is open, but it's users are protected from the Internet. All my terrestial hosts on the same network are tied down with ssh and passwords except for the services that can be accessed from the Internet anyway.

I actually like it - I'm not making any bandwidth limitations as yet, simply because I haven't noticed any problems.

The Internet access is DSL 512kbps down/256kbps up.

I wonder how many other people are giving this service? Is there anyway to advertise it? I'm relying on word-of-mouth, it's probably better that way :-)

If bandwidth or security become a problem I'll get a third interface on the firewall and throttle them down whilst locking them out of my wires network.

Re:What would be nice

[_ph1ux_]

as far as advertising it, why not try it on craigslist.org - maybe we can talk to craig and get a NAN category or something - then you can look up all the NANs in your area...

and since NANs and CL are community based "grassroots" types of connecting... it would seem appropriate.

unless /. wants to put up a NAN arena for people to have an ongoing open discussion about the NANs they run - or know about... and have info for people on how to secure/share/setup.

like that article that ran some time ago about the guy who turned his primestar dish and a coffee can into a long range wireless antenae.

Re:What would be nice

[asland]

You can do that with 2.4s traffic shaping, or one of the user-space shaping daemons.

Re:What would be nice

[mike_the_kid]

Just make a strong recommendation to them that they buy a repeater. If it gets big enough, you can make a push to have them get you a fiber-optic line. Sounds good to me.

Re:What would be nice

[Explo]

Especially the 2.4 QoS features are nice way to provide shaping (I guess that's what you meant). I've toyed with them and it's pretty easy to create some classes, assing the bandwidth to them and control whether it will be shared to other classes if not needed or whether a class will accept extra bandwidth or not.

A registered SSL certificate?

[imrdkl]

The article claims that neighbors only need trust the "auth system". Seems to me that a group of neighbors would only need to agree on the authority of an self-issued root certificate, and let trust grow from there.

Otoh, any marketing folks from Verisign reading here? Could be a whole new niche...

NeighborCert (tm)

auth?

The major problem with access points are the ACL rules, and no the auth process. Even 128bit keys can be sniffed and cracked, the only mildly effective method for security of the AP is IPSEC on IP, and MAC address based firewall rules.

Re:auth?

[Falsch+Freiheit]

No, MAC address based firewall rules won't solve the security problem, either. They'll raise the barrier slightly, but it's fairly easy with most 802.11b cards (and with regular Ethernet cards, for that matter) to use a different MAC address than the one assigned to your device. Under Linux it's "ifconfig eth0 hw ether [new MAC address here]". Not nearly difficult enough.

Re:auth?

[ConsumedByTV]

And with most cards in windows such as the lucent cards, the software it comes with allows you to change the MAC address as part of the standard process of admining your network.
So run etherreal for about ten minutes and you can use all the mac addresses you just dumped.

Nblug power :)

Re:auth?

[markov_chain]

Actually, for Lucent cards, both the 2.4 and latest pcmcia-cs drivers seem to have dropped support for changing the MAC addresses. You may think you've changed the hardware address at interface level, but the change won't get written to the card. And if the card doesn't know about it, it won't send any frames.

Great for Laptops, but...

[Quizme2000]

I live near Sonoma County and heard about the community networks, problem is that using a anything other than a regular computer with a wireless 802.11b device can't get access. I had my Ipaq with linux installed, and with a good signal. Maybe it just needs tweaking.

Re:Great for Laptops, but...

[ConsumedByTV]

What do you mean? If you can connect to the 802.11 network, you can ssh, ftp, http and all the other thing you would want to do. This can be done with an Ipaq or any other device that can get a dhcp lease with an 802.11 network.
Try to find a network (mine if you want) in your area that is just a simple configuration of dhcp with NAT setup and try to get it to work. Or you can go downtown in santa rosa and use Sonic.nets Wireless Downtown Network but you need a sonic account. Good luck.

Re:What would also be nice

[morcheeba]

I would gladly open up my wireless network, but the firewall/switch/access point puts the wireless network on my side of the firewall. That kindof defeats the whole purpose of the firewall - Sure it's secure from 99.999% of the internet, but people can get in via wireless. Ideally, I'd like to manage the rules between the wireless part and my wired desktop computer, but I guess that would require the purchase of a real firewall. It's a shame; it would just take a little more software!!

A combination of crypto and validation techniques

[imrdkl]

The basic protocol:

• All clients get immediete dhcp lease with minimal bandwidth from local gateway
• client optionally posts credentials via SSL to auth service (using server SSL, no client cert required, although this could save steps)
• auth service sends PGP-encrypted credentials in a message to local gateway
• local gateway decrypts and validates data from master and matches to client credentials
• client is upgraded with more bandwidth, or other goodies (if he's neighborly :-)

All in all, sounds like a cool perl script to me!

Welcome neighbor!

[Saeger]

Welcome to my Cable[2Mbps] WAP kind neighbor!

1) Login as Anonymous Terrorist.
2) Login as Registered Patriot (same as above, only more inconvenient)
3) Login as Port80 Leech-Only.
4) Login as Power-Tripping Network Admin.
5) Exit and try down the street.

Why?

[vanguard]

I see a lot of this on /. . Can you explain why? Isn't it boring to write dumb stuff on the web that nobody reads? You'll be modded down and it will disappear. Why do this?

Re:Why?

[ConsumedByTV]

That person might be modded down, but alot of us read at a pretty fair threshold (I moderate) and we all get to see it.

Re:What would also be nice

[Teribaen]

What model router/switch/accesspoint are you using?

My Santa Rosa Freenet

[ConsumedByTV]

I plan on using NoCatAuth in the future but currently I have my 802.11 network setup free and clear (minus a simple wep key that is only on for a joke reason (ask me what the key is :)).

I don't really have to worry much about the bandwidth because no one that would use a wireless freenet comes into my area of town. Most of them have their own dsl, thats the irony of setting it up so far. If your in Santa Rosa near railroad square and you want free access (while traveling etc) send me an email.

Re:My Santa Rosa Freenet

[ConsumedByTV]

In fact if anyone is interested in seeing how little of my bandwidth is being used on a rainy day you can go here : Bandwidth Monitor

This is based on a semi hacked up version of bandwidth bar (that is available from kernel.org. Once I finish it I will post the source to the newer version.

Re:What would also be nice

[morcheeba]

The Linksys BEFW11P1 - router+firewall+wirelessAP+printserver

Also, the version without the printserver but with more local wired outputs (3 vs. 1) looks similar, but is totally different! Mine has a crummy PCMCIA antenna, the other has 2 nice external antennas. (Same price for either)

Requires HTTP and a human

[Animats]

Something that requires the use of HTTP and human intervention just to get IP-level access is no good. Your laptop can't connect itself up and poll for mail without manual intervention. Back to the drawing board.

Re:Requires HTTP and a human

We don't need to go 'back to the drawing board.' First, the auth system _allows_ ip access without http access, and without human intervention. This access can be limited or prohibited by the owner of the node.

Second, and more importantly, the auth system exists _right now_ and it works very very well. If node owners want to require logins, then that is more than their right! To bitch and whine about it shows that you have not considered the issue.

Perhaps you could write some code before you whine.

Re:Requires HTTP and a human

[Webmonger]

What's wrong with http? If you're going to use a protocol, it doesn't hurt to use one that's widely implemented and understood.

And it doesn't require human intervention, either. It's not like they're doing a Turing test.
You could probably whip up a PERL client in an afternoon. Because one of the places http is implemented is in a PERL library.

Re:Requires HTTP and a human

[crucini]

In a perfect world, the authentication would be automated. But remember, this system is not just a way to admit registered, known users. It's also a way to catch strangers wandering into the network and let them know that a)Someone owns this network and there are rules, and b) If they help support the network financially they could get more bandwidth and more access.

So it's kind of a combined advertising/security warning/authentication system. Which is a great idea. Because if they had implemented an automated client-server authenticator that was invisible to the user, then strangers would just be blocked from the network and would never learn about it or the benefits of (financially) joining it.

There could be interesting possibilities in such a protocol if it were widely used (read, part of Windows) - computers could autodiscover networks and compare their bandwidth, reliability, coverage, prices and policies, producing a nice comparison chart after your walk around town. But given that we cannot affect the client side immediately, NoCatAuth is a pretty good solution.

Oh good...

[tunah]

While geared towards network neighborhoods, the article definitely has applicability in more formal settings.

Good. I was going to scream if this was another article whose only set of instructions began 'right click on Network Neighborhood'.

Hacking wireless networks

[Kiro]

Hello. I might be considered an "insider" in this field. I work at a semi-large ISP where we provide wireless connectivity using BreezeCom network equiptment. Employing large (from 9-24 inch) antennas, and uni-and omni-directional antennas mounted on prominent structures, we are able to send up to 3Mb/s to hosts.
The security here is terrible. We use no authentication via radius or any other method. Anyone with a 802.11 network card, and a sufficient antenna could steal connectivity, and we could not currently tell.
There exists ways to detect this, by monitering the MAC addresses connecting to the APs on the towers, but this is not employed. Neither is each radio catalogued, and IPs, for the most part, are assigned by the DHCP server with no logging.
I do not know if this is typical of most wireless companies, but if it is, then things should be ripe for the taking. I'm posting anonymously, because my company has a history of firing and suing for less

.

Re:Hacking wireless networks

[brer_rabbit]

I'm posting anonymously, because my company has a history of firing and suing for less

Unless the "Anonymous Coward" was replaced by "Kiro" in the new Slashcode, you better hope they don't sue or fire.

I wouldn't worry about it. Really.

Re:Hacking wireless networks

testing testing 1 2 3 ;)

Re:Hacking wireless networks

I know a company like this in wee little Herrin Illinois. Is this you?

Re:What would also be nice

[mike_the_kid]

Sounds like you need to create another side to your network.
If you have one machine running a firewall with the public internet connection (that is, it has a real IP address), you can have one set of rules for computers that you trust, one for wireless access. The wireless network has different rules for Owner, Co-Op, and Public, and does not have to use the same firewall rules as your wired network. You can still block the wireless access (different blocking for each group, ie owner might have access to the wired network, Co-Op and Public do not).
Stateful firewalls do not have to filter only one direction, and you could not run No-Cat without a stateful firewall.

802.1x

NoCatAuth is unnecessary...

802.1x is the standard to follow

Of course, 802.1x needs to have the ability to pass authentication of to a third, external party (like Verisign) added to the spec., but that's a simple matter of sematic and coding (which, of course, is trivial).

You know... I expected more from the IEEE, but, hey, from what I understand they're handing out EE degrees these days like lollypops to children.

Re:802.1x

[funky+womble]

Captive portals like NoCatAuth are necessary, since 802.1x isn't widely supported yet.

Liability

[Cato]

The biggest issue for freenets, IMO, is liability - if someone wanders past your access point and sends a huge amount of spam, or starts a DoS attack on remote sites, you may well find your ISP cuts off your access. In the worst case, you might be legally liable under various anti-spam or other laws.

Just as ISPs have contracts with their customers, and authenticate them, it may end up being necessary to have contracts with your freenet users and to authenticate them. Of course, if they are friends it may be enough to just authenticate them... IANAL but something that indemnifies you against lawsuits etc would be very useful.

This goes against the freenet ideal but unfortunately providing Internet access can be a legal minefield.

What about limitations by the ISP?

[pvera]

The AUP on my @home account explicitly forbids sharing the service with "third parties." I can either pay for up to 5 distinct IP addresses ($6.95 extra) or I can use a Linksys router and then there is no limit in how many computers I connect as long as they are all within my household.

My linksys is currently sitting in a box waiting for me to put in on eBay. It is a great piece of work, but my company installed a checkpoint firewall and the router won't work with our VPN even if I put the machine in the DMZ.

I am planning on switching my assigned PC at work for a laptop, and What I would like to have is a wireless access point that works as a hub or switch, not as a router. And I want something that won't allow access to the access point unless there is some real encryption. This way I can have wireless access for my household and I don't have to worry about @home killing my account for violating AUP. I cannot afford to lose my broadband since we don't have DSL around here yet :-(

Any suggestions?

Re:What about limitations by the ISP?

[PMan88]

try looking up the MAC address of the original computer you set up your broadband with and put that in the MAC address spoofer on the linksys setup page

Re:What about limitations by the ISP?

[pvera]

@home allows me to use the Linksys router (caveat: they will not provide me with technical support for network configuration issues).

What I cannot do is allow people outside of my household to connect to my network. This is why I cannot just plug-in a wireless gateway until I am sure that I can lock people out of it.

Re:What about limitations by the ISP?

[funky+womble]

A WAP11 will do fine (runs as a bridge). Setting up WEP will raise the bar significantly on someone getting free access, anything needing stronger crypto can probably go through your VPN. There are internet-drafts about VPNing through NAT gateways, but it doesn't seem to be mentioned on the websites of the big VPN manufacturers, so it's probably not in shipping code yet. But it is supported by Checkpoint and Nortel so should be there sometime... (google 'VPN NAT' should get you started for info on that one).

Potential Liability?

[spacefrog]

The thing that I have to wonder about in all of this is potentially nasty liability that having an open access point may open you up to.

We have all read the stories of the FBI busting people's doors down and confiscating equipment because they were suspected of a heinous act, be it hacking, kiddie-porn, etc.

Hell, just inviting a few thousand of your closest friends to join your pyramid scheme is usually enough to get your ISP to cut your connection with no warning. Do you really want to risk becoming spam central?

The last thing I want is my door being busted down because of what an anonymous freak with an 802.11 card did from behind MY IP address!

Although I applaud the generosity of the people who provide the so-called "community networks", I would have to think they are just opening themselves up to a world of hurt.

Assumptions. (and questions).

[crucini]

To keep the connection open, a small window is opened on the client side (via JavaScript) that refreshes the login page every few minutes. Once the user moves out of range or quits their browser, the connection is reset and requires another manual login.

And then later:

The wireless client requirements again are minimal (only an SSL-enabled browser is required).

No, it also requires Javascript. I'm sure I could script a workaround, but it's one more damn thing to go wrong. And if ubiquitous 802.11 existed, I'd want to use it primarily for ssh, not web. Reading between the lines, 'the public' would not be allowed to ssh. This scheme is oriented towards the idea that internet==web, and of course everyone has javascript.

On the whole, however, I'm impressed by this system. The idealistic idea of free open wireless was threatened by the possibility of anonymous abuse and bandwidth hogging. Nocat appears to make it viable, even in the face of real-world threats. This could have far-reaching effects in undermining the emerging broadband monopolies. The ability to charge for unrestricted access could lead to financially healthy networks with lots of upstream bandwidth. And the ability to use before buying means that you would already know a network's reliability and coverage.

Lastly, I'm a little concerned by the centralization of power implied in the article. If I read it correctly, there is a single trusted authentication service at nocat.net. If the nocat scheme takes off, this center will be a natural target for foes of the internet such as MPAA/RIAA/etc. I hope that if the system takes off, multiple authentication sites will emerge.

Re:Assumptions. (and questions).

it's all GPL'd so you could start your own authentication server. There's nothing stopping you. It's also set up so that groups could roam from group to group. Say you're from Seattle and you're in NYC. You should be able to get co-op status.

Re:What would also be nice

[funky+womble]

And both of those are totally different to the WAP11, which has wireless and one wired output. (The WAP11 supports wireless network bridging to similar units, both point-point and point-multipoint).