Slashdot Mirror

← Back to Stories (view on slashdot.org)

Responsible Wireless Access For Your Access Point

Posted by ryuzaki0 on from the accessability-and-sanity dept.

bgood writes: "O'Reilly Network has an interesting article on authentication for wireless networks. The author discusses both the technical aspects, specifically NoCatAuth, and the overall context of why someone would choose (or not choose) to monitor or track the use of their wireless network. While geared towards network neighborhoods, the article definitely has applicability in more formal settings."

23 of 64 comments (clear)

  1. What would be nice by Space+Coyote · · Score: 5, Interesting

    ... would be if you could easily set aside a certain percentage of your bandwidth (say 10-15%) for use by other people, and more if its available. That way you aren't taking a backseat to freeloaders on your own network, but you also aren't curring people off whenever you start a big, bandwidth-heavy transfer.

    --
    ___
    Cogito cogito, ergo cogito sum.
    1. Re:What would be nice by rockwood · · Score: 2, Interesting

      That would be nice!

      Specifically allowing businesses and residents to allocate percentages of their bandwidth to opposing buildings/households and reducing their own costs. Possibly even allowing passing motorists with roaming uplinks to their own central servers.

      I haven't crunched actual numbers, but I can only guess that that would allow for everyone to have wireless access for an extremely nominal fee and provide the ability for additional redundancy.

      Though I don't beleive I'd ever totally do away with a hard line (whether it be phone or cable)

      --
      Never try to beat a professional at his own game!
    2. Re:What would be nice by vanguard · · Score: 3, Interesting

      That's pretty much what I do. It more or less happens naturally. I've made a decision to secure my network from the Internet but not from my neighbors. If I ever get burned by that (unlikely in my little suburban cul-de-sac) I'll change the policy.

      As for giving them only 10% of my network, just be being 100 feet or so (~30 meters) from the access point they can only get about 1 Mbs from the next house over.

      I can see that nobody has ever logged on but in my dreams most of the neighborhood starts providing wireless access and the entire subdivision is wireless and broadband. I'll bring a laptop to the pool and they'll bring a laptop to the basketball hoop down the street. (Ok, it's a weak dream but it seems neat to me)

      --
      That which does not kill me only makes me whinier
    3. Re:What would be nice by GC · · Score: 4, Interesting

      Exactly - my (Wireless) network is open, but it's users are protected from the Internet. All my terrestial hosts on the same network are tied down with ssh and passwords except for the services that can be accessed from the Internet anyway.

      I actually like it - I'm not making any bandwidth limitations as yet, simply because I haven't noticed any problems.

      The Internet access is DSL 512kbps down/256kbps up.

      I wonder how many other people are giving this service? Is there anyway to advertise it? I'm relying on word-of-mouth, it's probably better that way :-)

      If bandwidth or security become a problem I'll get a third interface on the firewall and throttle them down whilst locking them out of my wires network.

    4. Re:What would be nice by mike_the_kid · · Score: 2

      Just make a strong recommendation to them that they buy a repeater. If it gets big enough, you can make a push to have them get you a fiber-optic line. Sounds good to me.

      --
      Troll Like a Champion Today
  2. A registered SSL certificate? by imrdkl · · Score: 4, Interesting
    The article claims that neighbors only need trust the "auth system". Seems to me that a group of neighbors would only need to agree on the authority of an self-issued root certificate, and let trust grow from there.

    Otoh, any marketing folks from Verisign reading here? Could be a whole new niche...

    NeighborCert (tm)

  3. Great for Laptops, but... by Quizme2000 · · Score: 2

    I live near Sonoma County and heard about the community networks, problem is that using a anything other than a regular computer with a wireless 802.11b device can't get access. I had my Ipaq with linux installed, and with a good signal. Maybe it just needs tweaking.

    --
    "Get them before they get....
    1. Re:Great for Laptops, but... by ConsumedByTV · · Score: 2

      What do you mean? If you can connect to the 802.11 network, you can ssh, ftp, http and all the other thing you would want to do. This can be done with an Ipaq or any other device that can get a dhcp lease with an 802.11 network.
      Try to find a network (mine if you want) in your area that is just a simple configuration of dhcp with NAT setup and try to get it to work. Or you can go downtown in santa rosa and use Sonic.nets Wireless Downtown Network but you need a sonic account. Good luck.

      --


      "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
  4. Re:What would also be nice by morcheeba · · Score: 3, Insightful

    I would gladly open up my wireless network, but the firewall/switch/access point puts the wireless network on my side of the firewall. That kindof defeats the whole purpose of the firewall - Sure it's secure from 99.999% of the internet, but people can get in via wireless. Ideally, I'd like to manage the rules between the wireless part and my wired desktop computer, but I guess that would require the purchase of a real firewall. It's a shame; it would just take a little more software!!

    --
    HIV Crosses Species Barrier... into Muppets
  5. A combination of crypto and validation techniques by imrdkl · · Score: 4, Interesting
    The basic protocol:
    • All clients get immediete dhcp lease with minimal bandwidth from local gateway
    • client optionally posts credentials via SSL to auth service (using server SSL, no client cert required, although this could save steps)
    • auth service sends PGP-encrypted credentials in a message to local gateway
    • local gateway decrypts and validates data from master and matches to client credentials
    • client is upgraded with more bandwidth, or other goodies (if he's neighborly :-)
    All in all, sounds like a cool perl script to me!
  6. Re:auth? by Falsch+Freiheit · · Score: 4, Informative

    No, MAC address based firewall rules won't solve the security problem, either. They'll raise the barrier slightly, but it's fairly easy with most 802.11b cards (and with regular Ethernet cards, for that matter) to use a different MAC address than the one assigned to your device. Under Linux it's "ifconfig eth0 hw ether [new MAC address here]". Not nearly difficult enough.

  7. Re:auth? by ConsumedByTV · · Score: 2

    And with most cards in windows such as the lucent cards, the software it comes with allows you to change the MAC address as part of the standard process of admining your network.
    So run etherreal for about ten minutes and you can use all the mac addresses you just dumped.

    Nblug power :)

    --


    "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
  8. My Santa Rosa Freenet by ConsumedByTV · · Score: 2

    I plan on using NoCatAuth in the future but currently I have my 802.11 network setup free and clear (minus a simple wep key that is only on for a joke reason (ask me what the key is :)).

    I don't really have to worry much about the bandwidth because no one that would use a wireless freenet comes into my area of town. Most of them have their own dsl, thats the irony of setting it up so far. If your in Santa Rosa near railroad square and you want free access (while traveling etc) send me an email.

    --


    "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
    1. Re:My Santa Rosa Freenet by ConsumedByTV · · Score: 2

      In fact if anyone is interested in seeing how little of my bandwidth is being used on a rainy day you can go here : Bandwidth Monitor

      This is based on a semi hacked up version of bandwidth bar (that is available from kernel.org. Once I finish it I will post the source to the newer version.

      --


      "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
  9. Requires HTTP and a human by Animats · · Score: 3, Insightful

    Something that requires the use of HTTP and human intervention just to get IP-level access is no good. Your laptop can't connect itself up and poll for mail without manual intervention. Back to the drawing board.

    1. Re:Requires HTTP and a human by Webmonger · · Score: 2

      What's wrong with http? If you're going to use a protocol, it doesn't hurt to use one that's widely implemented and understood.

      And it doesn't require human intervention, either. It's not like they're doing a Turing test.
      You could probably whip up a PERL client in an afternoon. Because one of the places http is implemented is in a PERL library.

    2. Re:Requires HTTP and a human by crucini · · Score: 2

      In a perfect world, the authentication would be automated. But remember, this system is not just a way to admit registered, known users. It's also a way to catch strangers wandering into the network and let them know that a)Someone owns this network and there are rules, and b) If they help support the network financially they could get more bandwidth and more access.

      So it's kind of a combined advertising/security warning/authentication system. Which is a great idea. Because if they had implemented an automated client-server authenticator that was invisible to the user, then strangers would just be blocked from the network and would never learn about it or the benefits of (financially) joining it.

      There could be interesting possibilities in such a protocol if it were widely used (read, part of Windows) - computers could autodiscover networks and compare their bandwidth, reliability, coverage, prices and policies, producing a nice comparison chart after your walk around town. But given that we cannot affect the client side immediately, NoCatAuth is a pretty good solution.

  10. Oh good... by tunah · · Score: 2, Funny
    While geared towards network neighborhoods, the article definitely has applicability in more formal settings.

    Good. I was going to scream if this was another article whose only set of instructions began 'right click on Network Neighborhood'.

    --
    Free Java games for your phone: Tontie, Sokoban
  11. Hacking wireless networks by Kiro · · Score: 5, Interesting

    Hello. I might be considered an "insider" in this field. I work at a semi-large ISP where we provide wireless connectivity using BreezeCom network equiptment. Employing large (from 9-24 inch) antennas, and uni-and omni-directional antennas mounted on prominent structures, we are able to send up to 3Mb/s to hosts.
    The security here is terrible. We use no authentication via radius or any other method. Anyone with a 802.11 network card, and a sufficient antenna could steal connectivity, and we could not currently tell.
    There exists ways to detect this, by monitering the MAC addresses connecting to the APs on the towers, but this is not employed. Neither is each radio catalogued, and IPs, for the most part, are assigned by the DHCP server with no logging.
    I do not know if this is typical of most wireless companies, but if it is, then things should be ripe for the taking. I'm posting anonymously, because my company has a history of firing and suing for less

    .

    1. Re:Hacking wireless networks by brer_rabbit · · Score: 2
      I'm posting anonymously, because my company has a history of firing and suing for less

      Unless the "Anonymous Coward" was replaced by "Kiro" in the new Slashcode, you better hope they don't sue or fire.

      I wouldn't worry about it. Really.

  12. Re:What would also be nice by mike_the_kid · · Score: 2

    Sounds like you need to create another side to your network.
    If you have one machine running a firewall with the public internet connection (that is, it has a real IP address), you can have one set of rules for computers that you trust, one for wireless access. The wireless network has different rules for Owner, Co-Op, and Public, and does not have to use the same firewall rules as your wired network. You can still block the wireless access (different blocking for each group, ie owner might have access to the wired network, Co-Op and Public do not).
    Stateful firewalls do not have to filter only one direction, and you could not run No-Cat without a stateful firewall.

    --
    Troll Like a Champion Today
  13. Liability by Cato · · Score: 3, Insightful

    The biggest issue for freenets, IMO, is liability - if someone wanders past your access point and sends a huge amount of spam, or starts a DoS attack on remote sites, you may well find your ISP cuts off your access. In the worst case, you might be legally liable under various anti-spam or other laws.

    Just as ISPs have contracts with their customers, and authenticate them, it may end up being necessary to have contracts with your freenet users and to authenticate them. Of course, if they are friends it may be enough to just authenticate them... IANAL but something that indemnifies you against lawsuits etc would be very useful.

    This goes against the freenet ideal but unfortunately providing Internet access can be a legal minefield.

  14. Assumptions. (and questions). by crucini · · Score: 2
    To keep the connection open, a small window is opened on the client side (via JavaScript) that refreshes the login page every few minutes. Once the user moves out of range or quits their browser, the connection is reset and requires another manual login.

    And then later:
    The wireless client requirements again are minimal (only an SSL-enabled browser is required).

    No, it also requires Javascript. I'm sure I could script a workaround, but it's one more damn thing to go wrong. And if ubiquitous 802.11 existed, I'd want to use it primarily for ssh, not web. Reading between the lines, 'the public' would not be allowed to ssh. This scheme is oriented towards the idea that internet==web, and of course everyone has javascript.

    On the whole, however, I'm impressed by this system. The idealistic idea of free open wireless was threatened by the possibility of anonymous abuse and bandwidth hogging. Nocat appears to make it viable, even in the face of real-world threats. This could have far-reaching effects in undermining the emerging broadband monopolies. The ability to charge for unrestricted access could lead to financially healthy networks with lots of upstream bandwidth. And the ability to use before buying means that you would already know a network's reliability and coverage.

    Lastly, I'm a little concerned by the centralization of power implied in the article. If I read it correctly, there is a single trusted authentication service at nocat.net. If the nocat scheme takes off, this center will be a natural target for foes of the internet such as MPAA/RIAA/etc. I hope that if the system takes off, multiple authentication sites will emerge.