Responsible Wireless Access For Your Access Point

bgood writes: "O'Reilly Network has an interesting article on authentication for wireless networks. The author discusses both the technical aspects, specifically NoCatAuth, and the overall context of why someone would choose (or not choose) to monitor or track the use of their wireless network. While geared towards network neighborhoods, the article definitely has applicability in more formal settings."

What would be nice

[Space+Coyote]

... would be if you could easily set aside a certain percentage of your bandwidth (say 10-15%) for use by other people, and more if its available. That way you aren't taking a backseat to freeloaders on your own network, but you also aren't curring people off whenever you start a big, bandwidth-heavy transfer.

Re:What would be nice

[GC]

Exactly - my (Wireless) network is open, but it's users are protected from the Internet. All my terrestial hosts on the same network are tied down with ssh and passwords except for the services that can be accessed from the Internet anyway.

I actually like it - I'm not making any bandwidth limitations as yet, simply because I haven't noticed any problems.

The Internet access is DSL 512kbps down/256kbps up.

I wonder how many other people are giving this service? Is there anyway to advertise it? I'm relying on word-of-mouth, it's probably better that way :-)

If bandwidth or security become a problem I'll get a third interface on the firewall and throttle them down whilst locking them out of my wires network.

A registered SSL certificate?

[imrdkl]

The article claims that neighbors only need trust the "auth system". Seems to me that a group of neighbors would only need to agree on the authority of an self-issued root certificate, and let trust grow from there.

Otoh, any marketing folks from Verisign reading here? Could be a whole new niche...

NeighborCert (tm)

A combination of crypto and validation techniques

[imrdkl]

The basic protocol:

• All clients get immediete dhcp lease with minimal bandwidth from local gateway
• client optionally posts credentials via SSL to auth service (using server SSL, no client cert required, although this could save steps)
• auth service sends PGP-encrypted credentials in a message to local gateway
• local gateway decrypts and validates data from master and matches to client credentials
• client is upgraded with more bandwidth, or other goodies (if he's neighborly :-)

All in all, sounds like a cool perl script to me!

Re:auth?

[Falsch+Freiheit]

No, MAC address based firewall rules won't solve the security problem, either. They'll raise the barrier slightly, but it's fairly easy with most 802.11b cards (and with regular Ethernet cards, for that matter) to use a different MAC address than the one assigned to your device. Under Linux it's "ifconfig eth0 hw ether [new MAC address here]". Not nearly difficult enough.

Hacking wireless networks

[Kiro]

Hello. I might be considered an "insider" in this field. I work at a semi-large ISP where we provide wireless connectivity using BreezeCom network equiptment. Employing large (from 9-24 inch) antennas, and uni-and omni-directional antennas mounted on prominent structures, we are able to send up to 3Mb/s to hosts.
The security here is terrible. We use no authentication via radius or any other method. Anyone with a 802.11 network card, and a sufficient antenna could steal connectivity, and we could not currently tell.
There exists ways to detect this, by monitering the MAC addresses connecting to the APs on the towers, but this is not employed. Neither is each radio catalogued, and IPs, for the most part, are assigned by the DHCP server with no logging.
I do not know if this is typical of most wireless companies, but if it is, then things should be ripe for the taking. I'm posting anonymously, because my company has a history of firing and suing for less

.