Slashdot Mirror


802.11 Security

JadeSky writes "Having played around with wireless networking at home a little bit, and then being faced with implementing a wireless network at the office for the purposes of in-house customer training in a cosmetically clean room (wires are ugly), I had been thinking for some time about the best way to implement a secure wireless networking solution. Amusingly enough, shortly after the idea of a wireless network at the office came up, I managed to win 802.11 Security in a raffle at the Kernel Panic Linux Users' Group monthly meeting. The book was thoughtfully donated (with a few others) by O'Reilly on the condition that the recipients contribute reviews. Since I've found the book genuinely helpful, I thought I'd let others know, and hence, my first Slashdot book review. Hooray!" This book emphasizes a multi-layer approach to wireless security; read on for more of JadeSky's review.

802.11 Security
author: Bruce Potter and Bob Fleck
pages: 192
publisher: O'Reilly
rating: very good
reviewer: Gregory Ruiz-Ade (JadeSky)
ISBN: 0596002904
summary: Securing wireless networks

With the amazing proliferation of wireless networks these days, there seems to be constant churning about how best to secure them, while at the very same time, barely anybody is actually doing anything about it. Potter and Fleck have offered up this little book, 802.11 Security, as a no-nonsense guide to understanding the problem of wireless networking security (or, as the case may be, the complete lack thereof) as well as demonstrating how to implement viable solutions.

Straight from the horse's mouth, "This book is aimed at network engineers, security engineers, systems administrators or general hobbyists interested in deploying secure 802.11b-based systems." The greatest attention is given to Linux and FreeBSD systems, though OpenBSD, Mac OS X and Windows are covered as client systems, too. The authors split the book into four parts: "802.11 Security Basics (Part I)," "Station Security (Part II)," "Access Point Security (Part III)," and "Gateway Security (Part IV)."

Part I, "Security Basics," gives a very good introduction to the concepts of wireless communications. Chapter 1 explains how radio transmissions work (and how antenna shapes affect them), and why radio transmissions are inherently insecure (i.e., anyone with an antenna in range can listen in). 802.11 is explained, as well as WEP, and WEP's problems. Chapter 2 describes in detail the risks involved with wireless networking, and gives examples of types of attacks which can be performed against wireless networks.

Part II, "Station Security," outlines in great detail what you need to do to make sure your wireless network clients are as secure as possible. We're given two goals for client station security: prevent any access to the client systems, and make sure that the clients speak secure protocols for any network services they access. To the paranoid, both these goals are rather obvious, but they're important enough that the authors spent time explaining them. They follow with a couple of paragraphs on logging and security updates on the client systems, and the rest of Part II (Chapters 4 through 8) gives specific information on how to best secure client systems of various OSes.

Part III (Chapter 9, really), "Setting Up an Access Point," delves into the intricacies of setting up and securing a wireless access point, from generic advice on how to configure access point appliances to more specific instructions on configuring host-based access points running Linux, FreeBSD and OpenBSD. Comparatively little time is spent on host-based access points in the book, probably because most people generally don't do things this way, since access point appliances are so cheap and simple to configure and install.

The remainder of the book is spent on Part IV, "Gateway Security" (Chapters 10 through 15), which describes the infrastructure end of how most wireless networks will likely end up being integrated to wired networks. Basic suggestions for structuring the combined networks are given, and follow what I'd consider to be really good advice: wireless networks should be on their own interface of the gateway (or firewall), physically separated from both internal networks and the Internet. The authors strongly recommend against simply attaching the access points to the internal network, as that introduces too many security risks (an example involving ARP poisoning is given to illustrate why and how). The next three chapters detail the configuration of Linux, FreeBSD and OpenBSD as a secure gateway.

Chapter 14, "Authentication and Encryption", introduces the idea of using strong authentication and encryption mechanisms outside of WEP, using NoCat (which will run on Linux, FreeBSD and OpenBSD) and WiCap (for OpenBSD only) for authentication and IPSec for strong encryption. The idea the authors present here is that for the most secure setup, in addition to enabling strong WEP (as detailed in the rest of the book), your wireless network is set up to not allow clients access to anything until they are authenticated. Then, and only then, the gateway will allow wireless clients to access other network segments (i.e., the internal LAN, and/or the Internet), but only if all the communications over the wireless segment are done through secure tunnels. Sadly, the authors neglected to mention OpenBSD's, Windows 2000's or XP's ability to do IPSec, and their treatment of IPSec for FreeBSD and Linux certainly isn't very detailed, though pointers are given to the appropriate web sites for more information. 802.1x authentication (physical port authentication) is also explained in some detail, though it is of little use, since very little equipment deployed today has support for it. It is an interesting concept, though.
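
An added example, not taken from the book or the review: a small first-match filter model that audits two constructed gateway rulesets against the design described above, where the wireless segment sits on its own gateway interface and only secure-tunnel traffic is passed. The interface name `wlan0`, the addresses, the rule format and the probe names are assumptions made for the illustration; IKE on UDP port 500 and ESP are the usual IPsec traffic types.

```python
from dataclasses import dataclass
from typing import Optional

GATEWAY = "192.0.2.1"  # constructed: gateway address on the wireless segment

@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrived on
    proto: str                   # "tcp", "udp" or "esp"
    dst: str
    dport: Optional[int] = None  # ESP has no ports

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: str
    proto: str = "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface and self.proto in ("any", p.proto)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))

def verdict(rules, pkt):
    """First matching rule wins; a packet no rule matches is blocked."""
    return next((r.action for r in rules if r.matches(pkt)), "block")

# Constructed rulesets for a gateway whose wireless side is wlan0.
FLAT = [Rule("pass", "wlan0")]                          # AP treated like the LAN
LAYERED = [Rule("pass", "wlan0", "udp", GATEWAY, 500),  # IKE key exchange
           Rule("pass", "wlan0", "esp", GATEWAY),       # IPsec ESP tunnel
           Rule("block", "wlan0")]                      # everything else

# Constructed probes: (packet, is it tunnel traffic to the gateway?)
PROBES = {
    "ike-to-gateway":    (Packet("wlan0", "udp", GATEWAY, 500), True),
    "esp-to-gateway":    (Packet("wlan0", "esp", GATEWAY), True),
    "ssh-to-gateway":    (Packet("wlan0", "tcp", GATEWAY, 22), False),
    "smb-to-fileserver": (Packet("wlan0", "tcp", "10.0.0.5", 445), False),
    "http-to-internet":  (Packet("wlan0", "tcp", "198.51.100.7", 80), False),
}

def audit(rules):
    """Return (cleartext probes that pass, tunnel probes that are blocked)."""
    leaks = sorted(n for n, (p, tun) in PROBES.items()
                   if not tun and verdict(rules, p) == "pass")
    broken = sorted(n for n, (p, tun) in PROBES.items()
                    if tun and verdict(rules, p) == "block")
    return leaks, broken

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("layered", LAYERED)):
        print(name, audit(rules))
```

A ruleset is acceptable only when both lists come back empty: nothing in cleartext crosses the wireless interface, and the tunnel itself still works.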

Closing out the book, Chapter 15 is appropriately titled "Putting It All Together." Here we get a final overview of all the pieces as well as how they fit together, and how certain aspects of the system as a whole affect both the administrators and the users of the system.

Overall, I'd have to say that this is exactly the type of "security in depth" book I've been needing to help me figure out how best to implement wireless networking at the office with minimal risk to the rest of the network. The authors write in a very approachable style and do a very good job of giving the necessary background before launching into any detailed discussions. I would highly recommend this book to anyone considering installing wireless networking without wanting to simultaneously install a simple back door to their network. Honestly, I haven't found much to complain about.

I'm of the opinion that, after reading this book, and using it as a guide to setting up a secure wireless network, I'll be able to sleep at night. Even though people can still war drive (or even war fly) and find your access points, even if they managed to crack the WEP keys and associate to the AP, the network will still be secure because of the multiple layers that have been put in place.


11 of 179 comments

  1. I don't understand. by Sheetrock · · Score: 1, Insightful
    What is so fundamentally different about 802.11 from other forms of networking that is making it so hard to secure? Is there an inherent vulnerability in wireless communication that I'm not spotting (besides not having to splice a wire or find an unused network drop to get in) or is this about people who don't follow good security practices and decide they want to compound their difficulties by broadcasting network access?

    Maybe the problem isn't 802.11 security, but computer security in general.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




    1. Re:I don't understand. by Migrant+Programmer · · Score: 2, Insightful

      Replying to myself to add another point:

      Wireless networks are broadcast-based, obviously; they work like a hub, not a switch. That means someone with an antenna can listen to everyone's packets, whereas with a switched network a "wire-splice" attacker only gets the packets belonging to a single client.

    2. Re:I don't understand. by sporty · · Score: 4, Insightful

      Yes, 802.11 is a little more insecure due to one facet.

      Take 2 computers, link them by ethernet cable, lock it up pretty well, and poof you have a mostly secure network.

      Only thing stopping you from getting on my home network right now, is the fact you don't have a cable plugged into my switch at home. I also have a good firewall on my dsl line.

      Now, if I were to put the switch on the sidewalk, anyone could just walk up, and jack in. They'd have access behind my firewall and to my dsl line. That is what wireless is like: putting an invisible switch wherever you happen to be, within certain distance of an access point. So it's harder to secure by the fact that you don't need a wire to connect, but just be in proximity... and unless you have shielding around your AP and computers that use the AP's, you are more open.

      --

      -
      ping -f 255.255.255.255 # if only

    3. Re:I don't understand. by The_K4 · · Score: 2, Insightful

      Or they just don't read the info that came with the wireless router on HOW to. There are a great many home users who buy these things, plug them into the wall and their DSL/Cable modem, add a wireless card to their PC or laptop and start surfing. They have no idea WHAT an SSID is, let alone why they should change it!

  2. 802.11 by sickboy_macosX · · Score: 1, Insightful

    I have a hard time that 802.11 will ever be super secure. Just because all you need is a laptop, an antenna and some good skills to break into a WaveLan, Hewlett-Packard still keeps their Wireless Network open, and I know of several others. So, until a large-scale hack on these systems happens, then MAYBE will people get the idea that 802.11 could be secured better. That and a lot of people have not moved to WLAN yet, just because of the cost of the equipment, and the maintenance and configuration is not really the easiest thing in the book. So even though I do use it at home, I still refuse to use it on a widescale level.

    --
    --- /* In Soviet Russia, the Mac OS X kernel panics you! */
  3. We reward WiFi makers for a job badly done by Neil+Watson · · Score: 2, Insightful

    It really bothers me that we reward the makers of such a flawed system by buying their products. How can we expect WiFi to improve if we buy it no matter how bad it is?

  4. Wireless security is relatively easy... by ites · · Score: 3, Insightful

    You just have to treat any wireless network segment as insecure and pass any traffic from it through your firewall as you would for internet traffic.

    --
    Sig for sale or rent. One previous user. Inquire within.
  5. Re:Personally... by dinivin · · Score: 3, Insightful


    What if one of your neighbours decides to leech child porn off the net using your wireless network? Should they think of themselves as your guest?

    Dinivin

  6. Re:Here's a few basics. by Jerk+City+Troll · · Score: 2, Insightful

    MAC Authentication is virtually useless, though, in a large organization. Imagine Fred in marketing gets a new laptop, or new PCMCIA card, and has to spend 3 weeks twiddling his thumbs while some giant confused IT department circlejerks around adding the MAC to the list.

    Security is usually inconvenient, but it doesn't have to be too inconvenient. A wireless AP on a DMZ, with only the ability to VPN into the real network is a good solution.


    Well, I can say two things here. If they aren't going to concern themselves with security, then they will not get security. It's just that simple. Security does not just happen. You don't get it in a box. It's not one or two mouse clicks. It's thinking about architecture, the pieces involved, and then actually implementing it. This is very obvious at the company where I work -- everyone except me expected security to happen and it hasn't at all. We just couldn't be troubled with it. Sad. As for a confused IT department... if they have that much trouble adding a MAC address to an authentication list, they need removed and replaced. You don't let unauthorized machines on your network.

  7. Securing 802.11 is trivial by RhettLivingston · · Score: 4, Insightful

    I don't understand why everyone has trouble with it. Stand up a VPN node accepting nothing but your favorite secure VPN protocol (IPSec is fine) on one card and putting your company network on the other. You then put your 802.11 routers on the VPN card and configure your 802.11 routers to allow the VPN protocol. You're now secure. Perhaps a DOS attack could make your 802.11 useless (plug an unshielded magnetron into an outlet in the building for example), but your data can't be compromised through it.

  8. That's why you have to put the AP before the FW! by leeet · · Score: 2, Insightful

    If you put the AP inside your network, you're an idiot looking for trouble. If you put it outside, it's basically like anyone on the net. You have to treat an AP as insecure! You still need a firewall to allow traffic from the internet or the AP to flow in. Just like you don't want people to "direct connect" to your servers, you have to use an encrypted VPN over your AP (as WEP is crackable if you want and MAC access can be spoofed). If you have problems with security, you can hire me :)

    --
    -- Leeeter than leet