802.11 Security
With the amazing proliferation of wireless networks these days, there seems to be constant churning about how best to secure them, while at the very same time, barely anybody is actually doing anything about it. Potter and Fleck have offered up this little book, 802.11 Security, as a no-nonsense guide to understanding the problem of wireless networking security (or, as the case may be, the complete lack thereof) as well as demonstrating how to implement viable solutions.
Straight from the horse's mouth, "This book is aimed at network engineers, security engineers, systems administrators or general hobbyists interested in deploying secure 802.11b-based systems." The greatest attention is given to Linux and FreeBSD systems, though OpenBSD, Mac OS X and Windows are covered as client systems, too. The authors split the book into four parts: "802.11 Security Basics (Part I)," "Station Security (Part II)," "Access Point Security (Part III)," and "Gateway Security (Part IV)."
Part I, "Security Basics," gives a very good introduction to the concepts of wireless communications. Chapter 1 explains how radio transmissions work (and how antenna shapes affect them), and why radio transmissions are inherently insecure (i.e., anyone with an antenna in range can listen in). 802.11 is explained, as well as WEP, and WEP's problems. Chapter 2 describes in detail the risks involved with wireless networking, and gives examples of types of attacks which can be performed against wireless networks.
Part II, "Station Security," outlines in great detail what you need to do to make sure your wireless network clients are as secure as possible. We're given two goals for client station security: prevent any access to the client systems, and make sure that the clients speak secure protocols for any network services they access. To the paranoid, both these goals are rather obvious, but they're important enough that the authors spent time explaining them. They follow with a couple paragraphs on logging and security updates on the client systems, and the rest of Part II (Chapters 4 through 8) give specific information on how to best secure client systems of various OSes.
Part III (Chapter 9, really), "Setting Up an Access Point," delves into the intricacies of setting up and securing a wireless access point, from generic advice on how to configure access point appliances to more specific instructions on configuring host-based access points running Linux, FreeBSD and OpenBSD. Comparatively little time is spent on host-based access points in the book, probably because most people generally don't do things this way, since access point appliances are so cheap and simple to configure and install.
The remainder of the book is spent on Part IV, "Gateway Security" (Chapters 10 through 15), which describes the infrastructure end of how most wireless networks will likely end up being integrated to wired networks. Basic suggestions for structuring the combined networks are given, and follow what I'd consider to be really good advice: wireless networks should be on their own interface of the gateway (or firewall), physically separated from both internal networks and the Internet. The authors strongly recommend against simply attaching the access points to the internal network, as that introduces too many security risks (an example involving ARP poisoning is given to illustrate why and how). The next three chapters detail the configuration of Linux, FreeBSD and OpenBSD as a secure gateway.
Chapter 14, "Authentication and Encryption", introduces the idea of using strong authentication and encryption mechanisms outside of WEP, using NoCat (which will run on Linux, FreeBSD and OpenBSD) and WiCap (for OpenBSD only) for authentication and IPSec for strong encryption. The idea the authors present here is that for the most secure setup, in addition to enabling strong WEP (as detailed in the rest of the book), your wireless network is set up to not allow clients access to anything until they are authenticated. Then, and only then, the gateway will allow wireless clients to access other network segments (i.e., the internal LAN, and/or the Internet), but only if all the communications over the wireless segment are done through secure tunnels. Sadly, the authors neglected to mention OpenBSD's, Windows 2000's or XP's ability to do IPSec, and their treatment of IPSec for FreeBSD and Linux certainly isn't very detailed, though pointers are given to the appropriate web sites for more information. 802.1x authentication (physical port authentication) is also explained in some detail, though it is of little use, since very little equipment deployed today has support for it. It is an interesting concept, though.
Closing out the book, Chapter 15 is appropriately titled "Putting It All Together." Here we get a final overview of all the pieces as well as how they fit together, and how certain aspects of the system as a whole affect both the administrators and the users of the system.
Overall, I'd have to say that this is exactly the type of "security in depth" book I've been needing to help me figure out how best to implement wireless networking at the office with minimal risk to the rest of the network. The authors write in a very approachable style and do a very good job of giving the necessary background before launching into any detailed discussions. I would highly recommend this book to anyone considering installing wireless networking without wanting to simultaneously install a simple back door to their network. Honestly, I haven't found much to complain about.
I'm of the opinion that, after reading this book, and using it as a guide to setting up a secure wireless network, I'll be able to sleep at night. Even though people can still war drive (or even war fly) and find your access points, even if they managed to crack the WEP keys and associate to the AP, the network will still be secure because of the multiple layers that have been put in place.
You can purchase 802.11 Security from bn.com.
Quick take: ehh. It's good for small, Unix savvy sites, but windows shops or large installations should probably look elsewhere.
Check out my eclectic infosec blog at InfoSecPotpou
What is so fundamentally different about 802.11 from other forms of networking that is making it so hard to secure?
I think you hit it on the head here. You don't have to have physical access to a wire. You could be 50 meters away from the AP and be able to access the network.
Another problem was with the first implementation of WEP. The 40/64 bit encryption is terribly easy to break, as is well documented. The 104/128-bit WEP is more secure, enough for casual use, but with enough packets sniffed, can be broken as well.
A lot of the vendors are coming out with proprietary security systems which greatly increase the difficulty level of unauthorized access. Cisco, 3Com, Linksys, etc.
But I agree with you. I do tech support for 802.11b products, and the vast majority of our users just don't use encryption and leave everything in default mode. They don't change the SSID, they broadcast said SSID and set access levels to ANY, simply because they won't take the 5 minutes to set up MAC Access Control and 128-bit WEP.
"Bold as Love"
We haven't done any 802.11 here for a garden variety of reasons, but security coupled with usability is one of them. Everything I've read seems to emphasize putting your 802.11 infrastructure on a DMZ-type segment and requiring some kind of VPN connection to gain access to the Internet and internal network.
...which always leads me to the separate VPN infrastructure for 802.11 solution, which is more expensive and complicated to set up and maintain.
The simple implementation of this just puts the 802.11 network on the outside of the firewall, using whatever existing VPN infrastructure you have to gain internal access. The downside to this is the set of people with "anywhere" VPN access is a minimally overlapping subset of the people who should have 802.11 VPN access.
And then I'm left with the usability/training issue, explaining to people (lusers, help desk, etc) why the VPN connection is necessary and other sundry details of usage.
And then there's equipment. It makes no sense to equip all ~100 laptops that don't have 802.11 with 802.11 cards for the few conference rooms that would get it.
It looks fun, but there's so much baggage associated with it I can't see it happening in these economic times..
I don't think that most people would be surprised that there is a lot of corporate espionage being done by going down to CompUSA and paying $100 cash for your untraceable security hole.
This is something that doesn't seem to get a lot of attention. Even if you're using a rather low powered device, it is still fairly difficult to be sure of exactly where your signal is ending up or who is able to pick it up (which leads in to a discussion about directional antennas, I suppose).
Another point is that it's very difficult to tell who is using a wireless network. With the conventional network it ultimately involves someone being reasonably obvious about having plugged a cable in to a drop. With wireless it could be the guy outside in the park with his laptop or a sniffer sitting in a car in the parking lot. Or someone in an office building blocks away using the right kind of antenna (as pointed out previously). Sniffing / attacking a wireless network involves considerably less risk than a conventional wired network.
ESSID and MAC limiting would be helpful. Disable DHCP serving on the router, and provide it at a server, with the network not participating in the internal network, except to a security server that requires an SSH session to route traffic elsewhere in the network, then only out the gateway to the Internet.
That's just a start. You can require rsa key ssh tunnels into the security server for the WiFi attached device, which implements a VPN to provide access to your own network for authorized users.
Obviously there are more options, but if you want to provide a secure solution for your client, this would be a good start. Adding a security and DHCP server would also provide for better income potential.
-Rusty
You never know...
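The gateway layout the review describes in Part IV (wireless on its own interface of the gateway, physically separated from both the internal LAN and the Internet) and the outline in the post above (DHCP from a server rather than the access point, and nothing reachable from the wireless segment except an SSH security server that then provides the tunnel) can be expressed as a Linux netfilter ruleset. The script below is an added example, not from the book or from any poster; the interface names, the addresses, and the choice to run dhcpd on the gateway itself are assumptions. By default it only prints the `iptables` commands so it can be reviewed before being applied with `IPT=iptables`.

```sh
#!/bin/sh
# Added example (not from the book or the post above): a Linux gateway ruleset
# that keeps the wireless segment on its own interface and forwards nothing
# from it except SSH to a security server, which then provides the tunnel/VPN.
# Interface names and addresses are assumed placeholders.
# By default the commands are only printed; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

WIFI_IF="wlan0"           # wireless segment (assumed)
SEC_IF="eth2"             # dedicated segment for the security server (assumed)
LAN_IF="eth1"             # internal LAN (assumed)
WAN_IF="eth0"             # Internet uplink (assumed)
SEC_SERVER="10.99.0.2"    # SSH/VPN security server on SEC_IF (assumed)

wifi_gateway_rules() {
    # Default-deny for everything the gateway forwards and receives.
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP

    # Loopback and management from the internal LAN stay reachable.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -j ACCEPT

    # Replies to flows that were already allowed.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The gateway itself runs dhcpd for the wireless segment (assumed choice,
    # so the access point's own DHCP server can stay disabled).
    $IPT -A INPUT -i "$WIFI_IF" -p udp --sport 68 --dport 67 -j ACCEPT

    # The only thing a wireless client may reach through the gateway: SSH to
    # the security server. Access beyond it comes from the tunnel it builds.
    $IPT -A FORWARD -i "$WIFI_IF" -o "$SEC_IF" -d "$SEC_SERVER" \
         -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Log and drop direct wireless-to-LAN and wireless-to-Internet attempts so
    # misconfigured or hostile clients show up in the logs.
    $IPT -A FORWARD -i "$WIFI_IF" -o "$LAN_IF" -j LOG --log-prefix "WIFI-LAN DENIED: "
    $IPT -A FORWARD -i "$WIFI_IF" -o "$LAN_IF" -j DROP
    $IPT -A FORWARD -i "$WIFI_IF" -o "$WAN_IF" -j LOG --log-prefix "WIFI-WAN DENIED: "
    $IPT -A FORWARD -i "$WIFI_IF" -o "$WAN_IF" -j DROP
}

wifi_gateway_rules
```

With this in place a client that associates to the AP (even one that has recovered the WEP key) gets an address and a single TCP port to talk to; the LAN, the Internet and the other wireless clients' traffic through the gateway are only reachable once the security server has authenticated it and the tunnel is up. The LOG rules are there so those denied attempts can be watched, which is the part of the design most setups forget.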
It's all about convenience. The barrier to entry in any security system always affects how many individuals actually try to break in. For instance, a moderately reinforced steel door is dramatically more secure than a plate glass window, even though both can be trivially defeated by anyone with the knowledge. This is because there is so much lower a barrier to entry with the window that a much larger proportion of the populace will be tempted.
In a similar manner, open wireless networks can usually be used to grant free internet access without doing anything but hanging near the building. Special antennae can be even used to grant one near perfect anonymity and immunity to prosecution. Wired network break-ins require physical access to key wiring somewhere, and the commission of a much more obvious and deliberate crime. (by contrast, most 802.1 war-drivers probably think of it more as walking into a building uninvited when they find the door left cracked open)
Sneaking around a building with a toolkit looking for network cable seems incredibly stupid and dangerous, an almost certain way to end up in jail eventually. It would only be worth even considering if the rewards were immense. By contrast, if one sits at a cafe/van with a laptop one can just power it up and run a few programs and sometimes break into a nearby network with little to no effort but a few clicks. And if one can snoop into a few internal network files, maybe read some mail, so much the better.
That's why Cisco's LEAP uses per-user WEP keys that are rotated at a user-defined interval (the default is every couple of hours, I believe). Add to that TKIP, which ensures that playback attacks can't be used (it hashes the packet with the time and attaches the hash), and Cisco's implementation is pretty darn secure. For the most paranoid of customers they still recommend VPN concentrators between the wireless and wired LANs, but I personally don't see much use for 'em in 90+% of installations.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Yeah, but how many organizations are using WLANS for ssh? Most of them are running Win9x LANs with file and printer sharing (and usually without password protection). These are about as secure as.... ummm... never mind, they aren't secure at all. And yes, it is theoretically possible to sniff data through cables, but it's several orders of magnitude more difficult and expensive and requires physical access to the facility (or at least being near a wall with a cable going through it).
:)
802.11 sniffing and cracking WEP codes (for the less than 5% of sites that even bother turning on WEP) is trivial skr1pt-k1dd13 stuff, can be accomplished for less than $200, and from several miles away.
So, in short, for a savvy *nix (or even Windoze) admin / user, wireless can be used in a reasonably secure manner. But you have to keep in mind that this represents less than 0.001% of the wireless users out there. Therefore, wireless security is a massive timebomb of a problem.
Remember: your average small- to medium-sized businesses and home users usually have inexperienced people administering their networks. I hate when people assume that just because experts can get it to work it means that a product or service is "fine."
Help save the critically endangered Blue Iguana
I believe you're overlooking the case of network abuse.
We had our DSL turned off with no warning, and apparently it was due to somebody trying to spam/attack the MSN Gaming Zone boards.
When tracked back, it appears to have been a laptop with a wireless card, that was reconfigured to bridging - turning it into an open WAP.
At no time did the intruder do anything to any of our systems... but it still caused us major grief for a day!
Actually, now that WPA is starting to be rolled out, security will likely get much better. WPA has 128-bit keys, mutual authentication between client and access point, as well as per-session and per-packet keys. Best of all, vendors of current products can implement it as a firmware upgrade.
WPA is a subset of 802.11i.
Two separate security issues. Firstly there is the security of the Internet connection. This is why the default values of the router should be changed (ESSID, password, enabling WEP, MAC filters). The second issue is the security of your internal network, where a further level of encryption and authentication should take place. It's one thing to give someone free Internet, but you don't want them accessing your private information.