Slashdot Mirror


Securing 802.11 Transmissions, Part 1

dW writes "Write down your most private information, and then throw it out the window. That's what wireless data transfers are doing when they're not secured. The deployment of various wireless LANs and Wi-Fi networks or configurations is under consideration by many organizations, and network security is a major concern. This article discusses problems, tips, and best bets for 802.11x's elusive security."

15 comments

  1. fuck fuck fuckity by Anonymous Coward · · Score: -1, Offtopic

    blah fuck fuck crap shit

  2. Will it really help? by Anonymous Coward · · Score: 0

    Will it really help?

  3. In Prison (aka webchat.org) by Anonymous Coward · · Score: -1, Offtopic

    If you dont have a secure 802.11 transmission, kc and ScottK will take over your channel and forcefeed you cock.

  4. WHAT? by Anonymous Coward · · Score: -1, Troll
    please don't secure the transmissions! Transmissions want to be FREE!


    Also, they're not transmissions, they're GNU/Transmissions in honor of their FREEdom!

  5. Simple 3 Step Security by slackergod · · Score: 1, Informative

    1. Isolate the access point (AP) on its own
    local network, so that all a surfer can see
    is the internal firewall.

    1a. have a good firewall setup too :)

    2. Allow only known MACs at AP, deny all others.

    3. Use SSH, SFTP, tunnel EVERYTHING else through SSL or the like.

    OR
    1. Use WEP, leave it wide open.

    OR
    1. Don't use wireless


    -slackergod

    1. Re:Simple 3 Step Security by Havokmon · · Score: 1
      OR. 1. Get a life. Please XP is a PITA enough just trying to remember the key itself. You REALLY think I'm going to go through all that garbage so someone can't spy on my slashdot profile?

      Get a life. It's 802.11. If anyone tries that at my house, they're on my property, and will get a pummeling.

      I need a sign, "Forget the dog, beware of owner (802.11)".

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  6. protect and serve by cornjones · · Score: 1

    hey all,
    I am just getting a wireless setup. I wanted something like the following:
    1. Any traffic from/to a short list of machines is encrypted and has the highest priority
    2. Anybody that wants to can piggy back on my connection w/ a low priority. (ie my traffic always comes first)

    One complication is that I have an "always on" vpn to my corp network. I would like to have my laptop able to access that network wirelessly but obviously, I can't let anybody else use it. I have been thinking I would want to give all of my machines IPs from a certain range and deny anybody outside of that range at the vpn firewall (my side). Is this going to be possible w/ the linksys 802.11g gear? Does anybody have any tips for me when I get all my stuff next weekend?

    thanx

    1. Re:protect and serve by Piquan · · Score: 2, Insightful

      No AP is going to do that for you securely. You can use MAC filtering, perhaps, but that can be subverted.

      Use some random AP. Hook it up to a firewall. Use IPSec. From your "secure" IP range, only allow IPSec. Only allow packets to the VPN from the secure IP range.

  7. MOD UP by Anonymous Coward · · Score: 0

    Very insightful.

  8. OT: Anyone know of multiprotocol 802.11x routers? by Anonymous Coward · · Score: 0

    or APs that bridge all protocols coming to them?

  9. *BSD is dying by Anonymous Coward · · Score: -1, Offtopic
    It is official; Netcraft now confirms: *BSD is dying

    One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.

    You don't need to be a Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.

    FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.

    Let's keep to the facts and look at the numbers.

    OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

    Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

    All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

    Fact: *BSD is dying

  10. Yawn.. by whois · · Score: 4, Insightful

    So I read this article thinking "Hey, someone wrote a guide on securing 802.11" completely forgetting that I'd seen one of those before.

    The problem with these guides is that they all look the same, they all recommend the same course of action, but they provide no details as to how you run security.

    For my wireless network I run MAC address filtering, have the SSID set to not broadcast (and not accept ANY) and run these behind a firewall that only sends DHCP and only accepts encrypted PPTP traffic. (Not because PPTP is good, but because it's easy to set up in Linux and clients are free for Windows). You can debate about DHCP being a good idea or not, but I like being able to take my laptop to other networks and not have to reconfigure.

    So obviously I've given some thought to securing the LAN, but I don't think my answer is the best one and it's sure not the only one. What I want out of a "guide to securing 802.11" is some comments from the front line. I want to know what works and what doesn't. If Check Point SecureRemote is what everyone uses, then I'd like to hear about it. If everyone's using ipsec tunnels in freeswan, or Nortel Contivity stuff then great. Let us know what works and what doesn't.

    1. Re:Yawn.. by etcshadow · · Score: 1

      Well, ok... here is what I do/what my home network looks like... admittedly it's very similar to what you describe:

      cable modem
      |
      |
      linux router ---- wireless LAN
      |
      |
      wired LAN

      (that is a linux router sitting between three different networks (three NICs in the router))

      On the WAP I'm running max WEP encryption (128 bits). I don't bother to do MAC filtering because MAC could be spoofed *far* more easily than cracking the WEP key. I know that WEP is not a great security protocol, but it is not completely ineffective, either. At the very least, it will slow down an attacker. (Also, there's the fact that there are at least 3 wide-open WLANs in the immediate vicinity: "If you and a friend are being chased by a bear... you don't have to be faster than the bear, just faster than your friend".)

      The linux router runs dhcp for both the wired and wireless LANs. It runs FreeS/WAN (free linux IPSec gateway). I use iptables to perform NAT (I only have one real IP address, so the two internal subnets use imaginary IPs) to the cable modem.

      I also use iptables on the linux router to enforce simple firewall rules. Inbound new (and not "related") connections from the cable modem are blocked except to allowed services (http and ssh). Apart from dhcp, only ipsec traffic is forwarded from the wireless LAN.

      From my laptop (about the only user of the wireless LAN), I use win2k's ipsec (stupid pain in the ass to configure).

      And that's about it.

      --
      :Wq
      Not an editor command: Wq
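
Added example, not part of the thread or any poster's configuration: the policy etcshadow describes above (and Piquan's "from the secure range, only allow IPSec" advice under comment 6) written as a generator for an `iptables-restore` ruleset. The interface names, the `conntrack` and `policy` match modules, and treating IPsec as IKE on UDP 500 plus ESP are assumptions; a FreeS/WAN KLIPS setup of that era would match decrypted traffic on its `ipsec0` interface instead of using `-m policy`.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a three-NIC router
# (WAN, wired LAN, wireless LAN). Nothing is applied; the output is text.
# Assumed arguments: WAN interface, wired LAN interface, wireless interface.
wlan_fw_rules() {
    wan_if=$1; lan_if=$2; wlan_if=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# One public address: hide both internal subnets behind it
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -j ACCEPT
# WAN side: new connections only to the allowed services (ssh, http)
-A INPUT -i $wan_if -p tcp -m multiport --dports 22,80 -m conntrack --ctstate NEW -j ACCEPT
# Wireless side: DHCP requests, IKE and ESP reach the router; nothing else
-A INPUT -i $wlan_if -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $wlan_if -p udp --dport 500 -j ACCEPT
-A INPUT -i $wlan_if -p esp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -j ACCEPT
# Wireless packets are forwarded only if they arrived inside an IPsec tunnel;
# cleartext from the air falls through to the DROP policy
-A FORWARD -i $wlan_if -m policy --dir in --pol ipsec -j ACCEPT
COMMIT
EOF
}

# Print the ruleset when called with three interface names
if [ "$#" -eq 3 ]; then
    wlan_fw_rules "$@"
fi
```

Review the printed rules before loading them, for example by piping the output to `iptables-restore --test` as root.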
  11. Could somebody give a little info on MAC filtering by heldlikesound · · Score: 1

    How easy is it to set-up and how easy is it to spoof?

    I could look it up on the web, but I find short, to the point blasts of information from fellow geeks to be infinitely more useful.

    --


    Cloud City Digital: DVD Production at its cheapest/finest
  12. Re:Could somebody give a little info on MAC filter by NerdsMatter · · Score: 1

    How Do They Spoof You Ask?

    They must crash your computer, regenerate your MAC address using a program & change to match your IP.

    You may decide to use WEP Encryption after all. I heard you groan, WEP Encryption but that slows me down! It is a question of How important is your security to you V.S. Speed?

    If the hacker doesn't know what that all important WEP password. Keep the ball in your court and over secure your network. It's a good idea if you don't know a lot about security to not put anything on a computer you wouldn't want me, next door neighbor, anybody to hack your ass.