Slashdot Mirror
802.11 Security
With the amazing proliferation of wireless networks these days, there seems to be constant churning about how best to secure them, while at the very same time, barely anybody is actually doing anything about it. Potter and Fleck have offered up this little book, 802.11 Security, as a no-nonsense guide to understanding the problem of wireless networking security (or, as the case may be, the complete lack thereof) as well as demonstrating how to implement viable solutions.
Straight from the horse's mouth, "This book is aimed at network engineers, security engineers, systems administrators or general hobbyists interested in deploying secure 802.11b-based systems." The greatest attention is given to Linux and FreeBSD systems, though OpenBSD, Mac OS X and Windows are covered as client systems, too. The authors split the book into four parts: "802.11 Security Basics (Part I)," "Station Security (Part II)," "Access Point Security (Part III)," and "Gateway Security (Part IV)."
Part I, "Security Basics," gives a very good introduction to the concepts of wireless communications. Chapter 1 explains how radio transmissions work (and how antenna shapes affect them), and why radio transmissions are inherently insecure (i.e., anyone with an antenna in range can listen in). 802.11 is explained, as well as WEP, and WEP's problems. Chapter 2 describes in detail the risks involved with wireless networking, and gives examples of types of attacks which can be performed against wireless networks.
Part II, "Station Security," outlines in great detail what you need to do to make sure your wireless network clients are as secure as possible. We're given two goals for client station security: prevent any access to the client systems, and make sure that the clients speak secure protocols for any network services they access. To the paranoid, both these goals are rather obvious, but they're important enough that the authors spent time explaining them. They follow with a couple paragraphs on logging and security updates on the client systems, and the rest of Part II (Chapters 4 through 8) give specific information on how to best secure client systems of various OSes.
Part III (Chapter 9, really), "Setting Up an Access Point," delves into the intricacies of setting up and securing a wireless access point, from generic advice on how to configure access point appliances to more specific instructions on configuring host-based access points running Linux, FreeBSD and OpenBSD. Comparatively little time is spent on host-based access points in the book, probably because most people generally don't do things things way since access point appliances are so cheap and simple to configure/install.
The remainder of the book is spent on Part IV, "Gateway Security" (Chapters 10 through 15), which describes the infrastructure end of how most wireless networks will likely end up being integrated to wired networks. Basic suggestions for structuring the combined networks are given, and follow what I'd consider to be really good advice: wireless networks should be on their own interface of the gateway (or firewall), physically separated from both internal networks and the Internet. The authors strongly recommend against simply attaching the access points to the internal network, as that introduces too many security risks (an example involving ARP poisoning is given to illustrate why and how). The next three chapters detail the configuration of Linux, FreeBSD and OpenBSD as a secure gateway.
Chapter 14, "Authentication and Encryption", introduces the idea of using strong authentication and encryption mechanisms outside of WEP, using NoCat (which will run on Linux, FreeBSD and OpenBSD) and WiCap (for OpenBSD only) for authentication and IPSec for strong encryption. The idea the authors present here is that for the most secure setup, in addition to enabling strong WEP (as detailed in the rest of the book), your wireless network is set up to not allow clients access to anything until they are authenticated. Then, and only then, the gateway will allow wireless clients to access other network segments (i.e., the internal LAN, and/or the Internet), but only if all the communications over the wireless segment are done through secure tunnels. Sadly, the authors neglected to mention OpenBSD's, Windows 2000's or XP's ability to do IPSec, and their treatment of IPSec for FreeBSD and Linux certainly isn't very detailed, though pointers are given to the appropriate web sites for more information. 802.1x authentication (physical port authentication) is also explained in some detail, though it is of little use, since very little equipment deployed today has support for it. It is an interesting concept, though.
Closing out the book, Chapter 15 is appropriately titled "Putting It All Together." Here we get a final overview of all the pieces as well as how they fit together, and how certain aspects of the system as a whole affects both the administrators and the users of the system.
Overall, I'd have to say that this is exactly the type of "security in depth" book I've been needing to help me figure out how best to implement wireless networking at the office with minimal risk to the rest of the network. The authors write in a very approachable style and do a very good job of giving the necessary background before launching into any detailed discussions. I would highly recommend this book to anyone considering installing wireless networking without wanting to simultaneously install a simple back door to their network. Honestly, I haven't found much to complain about.
I'm of the opinion that, after reading this book, and using it as a guide to setting up a secure wireless network, I'll be able to sleep at night. Even though people can still war drive (or even war fly) and find your access points, even if they managed to crack the WEP keys and associate to the AP, the network will still be secure because of the multiple layers that have been put in place.
You can purchase 802.11 Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
"Wireless security"?
Is that anything like "military intelligence"?
-/-
Mikey-San
"I may be superficial, but you're fat."
Mikey-San
Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
I recently was paid to get a wireless network working (as well as fix some shared Internet connectivity problems in general) for a client.
When I arrived, I found out the client had everything running through a Belkin firewall/router device with built in 802.1g wi-fi. (It was attached to an external DSL modem via ethernet cable.)
It struck me that unless I'm missing something, these combo wi-fi bases/routers are inherently limiting in how much security they can offer the user. (EG. You can't really place the wireless clients behind some sort of a VPN tunnel with authentication if the other end of the wi-fi connection is managed by integrated firmware in the router itself, right?)
I ended up enabling 128-bit WEP for the guy, as well as disabling "broadcasting" of the existance of the router/w-fi base, but couldn't see much else to do beyond those measures.
besides not having to splice a wire or find an unused network drop to get in
That is the inherent vulnerability. Someone can have "wired equivalent" access to your network from possibly miles away using a good antenna, so physical security is irrelevant. Compounding this problem is the fact that wireless networks are expected to have clients connecting and disconnecting all the time, from different places, whereas in most wired networks the client base is fairly stable (and easily policed).
Bitchslapped. Neat.
You just have to treat any wireless network segment as insecure and pass any traffic from it through your firewall as you would for internet traffic.
Sig for sale or rent. One previous user. Inquire within.
What if one of your neighbours decides to leach child porn off the net using your wireless network? Should they think of themselves as your guest?
Dinivin
Quick take: ehh. It's good for small, Unix savvy sites, but windows shops or large installations should probably look elsewhere.
Check out my eclectic infosec blog at InfoSecPotpou
I hate it when people say wireless is so incredibly insecure. It's true that the wireless signals can easily be picked up by anyone. It's also true that one can pick up radiation from cables to sniff packets on your "secure wired network."
The solution is to not rely on the hardware encryption of your card and hub. Instead, use encrypted streams for all communications from your laptop. Use SSH, never use telnet (that should be common sense). If you just do that, then you don't have to worry about someone sniffing your packets because they are encrypted (and if they're also hardware encrypted you have some nice double-encryption). Also, you could easily set up an ssh tunnel to your router for the http protocol or whatever else you need. That way you have the security through the air. Anything after that is subject to wires on the internet, which like I said before, give off measurable radiation.
In short, just remember to always use software encryption and not rely on the hardware encryption of your wireless devices. Simples as that.
We used 802.11 to make a secure office home network, and like any insecure medium for IP, you can secure it against sniffing by layering a secure tunnelling protocol on top of it. This probably wasn't necessary since most sensitive information goes over ssh or SSL connections anyhow, but the way to do it is to use a encrypted network device tunnelling driver thingy.
:)
... )
I'm used to CIPE and like it because it has a Windows NT/2K/XP implementation as well as a Linux module. VTUN does much the same job, is slightly easier to set up, although instead of a Windows driver, runs on Solaris and various BSDs. We used the latter to make a link between mine & my partner's house and managed to use the Linux bridging features to bridge his home wireless network to the office ethernet-- the bridge is over a vtun interface which sits on top of the 802.11 link between our office and his house. Complicated but it seems to work
Anyone else have a similar setup? I'd be interested to know how to grow this kind of setup manageable (not that we have a need for it, but
Matthew @ Bytemark Hosting
Yes, 802.11 is a little more insecure due to one facet.
Take 2 computers, link them by ethernet cable, lock it up pretty well, and poof you have a mostly secure network.
Only thing stopping you from getting on my home network right now, is the fact you don't have a cable plugged into my switch at home. I also have a good firewall on my dsl line.
Now, if i were to put the switch on the sidewalk, anyone could just walk up, and jack in. They'd have access behind my firewall and to my dsl line. That is what wireless is like: putting an invisible switch whever you happen to be, within certain distance of an access point. So it's harder to secure by the fact that you don't need a wire to connect, but just be in proximity.. and unless you have shielding around your AP and computers that use the AP's, you are more open.
-
ping -f 255.255.255.255 # if only
We haven't done any 802.11 here for a garden variety of reasons, but security coupled with usability is one of them. Everything I've read seems to emphasize putting your 802.11 infrastructure on a DMZ-type segment and requiring some kind of VPN connection to gain access to the Internet and internal network.
..which always leads me to the seperate VPN infrastructure for 802.11 solution, which is more expensive and complicated to setup and maintain.
The simple implementation of this just puts the 802.11 network on the outside of the firewall, using whatever existing VPN infrastructure you have to gain internal access. The downside to this is the set of people with "anywhere" VPN access is a minimally overlapping subset of the people who should have 802.11 VPN access.
And then I'm left with the usability/training issue, explaining to people (lusers, help desk, etc) why the VPN connection is necessary and other sundry details of usage.
And then there's equipment. It makes no sense to equip all ~100 laptops that don't have 802.11 with 802.11 cards for the few conference rooms that would get it.
It looks fun, but there's so much baggage associated with it I can't see it happening in these economic times..
Even though people can still war drive (or even war fly) and find your access points, even if they managed to crack the WEP keys and associate to the AP, the network will still be secure because of the multiple layers that have been put in place.
...
Actually, layer2 is completely unauthenticated, so anyone can associate with your access point using no key or the wrong key. IP and above will get dropped however.
The lack of an authentication mechanism in the 802.11b MAC leaves a number of nasty weaknesses that can be exploited by malicious persons.
Denial of service (forged disassociation) and active man-in-the-middle attacks (using higher signal and forged BSSID/SSID) continue to remain possible in even the latest security extensions to 802.11.
I'm surprised no mention was made of IDS systems that can detect and respond in real time to 802.11 layer 2 attacks (and other higher level IDS checks on the IP traffic), although even these are of limited utility
This is something that doesn't seem to get a lot of attention. Even if you're using a rather low powered device, it is still fairly difficult to be sure of exactly where your signal is ending up or who is able to pick it up (which leads in to a discussion about directional antennas, I suppose).
Another point is that its very difficult to tell who is using a wireless network. With the conventional network it ultimately involves someone being reasonably obvious about having plugged a cable in to a drop. With wireless it could be the guy outside in the park with his laptop or a sniffer sitting in a car in the parkinglot. Or someone in an office building blocks away using the right kind of antenna (as pointed out previously). Sniffing / attacking a wireless network involves considerably less risk than a conventional wired network.
Its all about convenience. The barrier to entry in any security system always affects how many individuals actually try to break in. For instance, a moderately reinforced steel door is dramatically more secure than a plate glass window, even though both can be trivially defeated by anyone with the knowledge. This is because there is so much lower a barrier to entry with the window that a much larger proportion of the populance will be tempted.
In a similar manner, open wireless networks can usually be used to grant free internet access without doing anything but hanging near the building. Special antennae can be even used to grant one near perfect anonymity and immunity to prosecution. Wired network break-ins require physical access to key wiring somewhere, and the commission of a much more obvious and deliberate crime. (by contrast, most 802.1 war-drivers probably think of it more as walking into a building uninvited when they find the door left cracked open)
Sneaking around a building with a toolkit looking for network cable seems incredibly stupid and dangerous, an almost certain way to end up in jail eventually. It would only be worth even considering if the rewards were immense. By contrast, if one sits at a cafe/van with a laptop one can just power it up and run a few programs and sometimes break into a nearby network with little to no effort but a few clicks. And if one can snoop into a few internal network files, maybe read some mail, so much the better.
1604.22 is twice as secure as 802.11
Best Windows Freeware
I ended up tacking a ethernet cable along the ceiling down to the kitchen. I told the wife that it is just temporary until I drill a hole in the ceiling to run a hidden cable. (I even meant it at the time.)
Of course, I never got around to that, but it seems she's gotten used to the cable. Another problem solved by procrastination.
Most wireless hardware is a lot harder to crack than it used to be. Vendors got a lot smarter when implementing their IV selection algorithms. Go try and AirSnort a Cisco AP these days. I tried against my .b/.a Linksys AP running the latest firmware (that's the important part) and only got 19 weak IVs after two weeks and GBs, and GBs, and GBs of traffic going across it. I flooded the network so I could see lots and lots of packets.
That's fine for home use. I'm not so worried about my simple 128bit WEP now. For the office you can go pricey, but good, with something like Cisco LEAP...or you can buy any old AP and do VPN/SSH/Tunnel.
That's why Cisco's LEAP uses per user WEP keys that are rotated at a user defined interval (the default is every couple hours I believe). Add to that TKIP which ensure that playback attacks can't be used (it hashes the packet with the time and attaches the hash) and Cisco's implementation is pretty darn secure. For the most paranoid of customers they still recomend vpn concentrators between the wireless and wired lans but I personally don't see much use for em in 90+% of installations.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I don't understand why everyone has trouble with it. Stand up a VPN node accepting nothing but your favorite secure VPN protocol (IPSec is fine) on one card and putting your company network on the other. You then connect put your 802.11 routers on the VPN card and configure your 802.11 routers to allow the VPN protocol. You're now secure. Perhaps a DOS attack could make your 802.11 useless (plug an unshielded magnetron into an outlet in the building for example), but your data can't be compromised through it.
Okay, so you won't find 802.1x support in your standard el cheapo LinkSys or NetGear AP. In fact, you won't find 802.1x support in any cheap access point. On the other hand, if one does pay for the higher-end access points, pretty much every major vendor supports 802.1x authentication. It is considered a requirement for an access point to be considered an "enterprise" AP. Furthermore, WECA's requirements for WiFi certification this year are adding "WPA", which is a stripped down version of 802.11i, which happens to depend heavily on 802.1x. Any new products after this requirement is added will have to have 802.1x support in order to be "WiFi Certified."
Believe me, the wireless industry is moving heavily towards 802.1x (I've written two different implementations of 802.1x for two different access point products myself), so it should not be so casually dismissed.
For those who scoff at wireless security: sure, it probably won't be as secure as locked away wired networks; but 802.11i does at least make it non-trivial to break the security of wireless networks (pairwise session keys on a per-client basis, larger size keys, larger IV space, message integrity checks, etc).