Securing 802.11 Transmissions, Part 1

dW writes "Write down your most private information, and then throw it out the window. That's what wireless data transfers are doing when they're not secured. The deployment of various wireless LANs and Wi-Fi networks or configurations are under consideration by many organizations, and network security is a major concern. This article discusses problems, tips, and best bets for 802.11x's elusive security."

Will it really help?

Will it really help?

Simple 3 Step Security

[slackergod]

1.Isolate the access point (AP) only it's own
local network, so that all a surfer can see
is the internal firewall.

1a. have a good firewall setup too :)

2. Allow only know MACS at AP, deny all others.

3. Use SSH, SFTP, tunnel EVERYTHING else through SSL or the like.

OR
1. Use WEP, leave it wide open.

OR
1. Dont use wireless


-slackergod

Re:Simple 3 Step Security

[Havokmon]

OR. 1. Get a life. Please XP is a PITA enough just trying to remember the key itself. You REALLY think I'm going to go through all that garbage so someone can't spy on my slashdot profile?

Get a life. It's 802.11. If anyone tries that at my house, they're on my property, and will get a pummeling.

I need a sign, "Forget the dog, beware of owner (802.11)".

protect and serve

[cornjones]

hey all,
i am just getting a wireless setup. I wanted something like the following:
1. Any traffic from/to a short list of machines is encrypted and has the highest priority
2. Anybody that wants to can piggy back on my connection w/ a low priority. (ie my traffic always comes first

One complication is that i have an "always on" vpn to my corp network. I would like to have my laptop able to access that network wirelessly but obviously, I can't let anybody else use it. I have been thinking I would want to give all of my machines IP's from a certain range and deny anybody outside of that range at the vpn firewall (my side). Is this going to be possible w/ the linksys 802.11g gear? Does anybody have any tips for me when I get all my stuff next weekend?

thanx

Re:protect and serve

[Piquan]

No AP is going to do that for you securely. You can use MAC filtering, perhaps, but that can be subverted.

Use some random AP. Hook it up to a firewall. Use IPSec. From your "secure" IP range, only allow IPSec. Only allow packets to the VPN from the secure IP range.

MOD UP

Very insightful.

OT: Anyone know of multiprotocol 802.11x routers?

or APs that bridge all protocols coming to them?

Yawn..

[whois]

So I read this article thinking "Hey, someone wrote a guide on securing 802.11" completely forgetting that I'd seen one of those before.

The problem with these guides is that they all look the same, they all recommend the same course of action, but they provide no details as to how you run security.

For my wireless network I run mac address filtering, have the SSID set to not broadcast (and not accept ANY) and run these behind a firewall that only sends DHCP and only accepts encrypted PPTP traffic. (Not because PPTP is good, but because it's easy to setup in Linux and clients are free for windows). You can debate about DHCP being a good idea or not, but I like being able to take my laptop to other networks and not have to reconfigure.

So obviously I've given some thought to securing the LAN, but I don't think my answer is the best one and it's sure not the only one. What I want out of a "guide to securing 802.11" is some comments from the front line. I want to know what works and what doesn't. If checkpoint secureremote is what everyone uses, then I'd like to hear about it. If everyones using ipsec tunnels in freeswan, or Nortel Contivity stuff then great. Let us know what works and what doesn't.

Re:Yawn..

[etcshadow]

Well, ok... here is what I do/what my home network looks like... admittedly its very similar to what you describe:

cable modem
|
|
linux router ---- wireless LAN
|
|
wired LAN

(that is a linux router sitting between three different networks (three NICs in the router))

On the WAP I'm running max WEP encryption (128 bits). I don't bother to do MAC filtering because MAC could be spoofed *far* more easily than cracking the WEP key. I know that WEP is not a great security protocol, but it is not completely ineffective, either. At the very least, it will slow down an attacker. (Also, there's the fact that there are at least 3 wide-open WLANs in the imediate vicinity: "If you and a friend are being chased by a bear... you don't have to be faster than the bear, just faster than your friend".)

The linux router runs dhcp for both the wired and wireless LANs. It runs FreeS/WAN (free linux IPSec gateway). I use iptables to perform NAT (I only have one real IP address, so the two internal subnets use imaginary IPs) to the cable modem.

I also use iptables on the linux router to enforce simple firewall rules. Inbound new (and not "related") connections from the cable modem are blocked except to allowed services (http and ssh). Apart from dhcp, only ipsec traffic is forwarded from the wireless LAN.

From my laptop (about the only user of the wireless LAN), I use win2k's ipsec (stupid pain in the ass to configure).

And that's about it.

Could somebody give a little info on MAC filtering

[heldlikesound]

How easy is it to set-up and how easy is it to spoof?

I could look it up on the web, but I find short, to the point blasts of information from fellow geeks to be infinetly more useful.

Re:Could somebody give a little info on MAC filter

[NerdsMatter]

How Do They Spoof You Ask?

They must crash your compuer, regenerate your MAC

address using a program & change to match your IP.

You may decide to use WEP Encryption afterall.
I heard you groan, WEP Encryption but that slows me
down! It is a question of How important is your
security to you V.S. Speed?

If the hacker dosen't know what that all important WEP
password. Keep the ball in your court and over secure your network.
It's a good idea if you dont know alot about security to
not put anything on a computer you wouldn't want me,
next door neighboor, anybody to hack your ass.