The Year 2003 in Wireless Network Security
OenMarK writes "I ran into an article that is basically an overview of events, software releases, and happenings related to wireless security. There's also a Q&A with some wireless security experts, one of which is from IBM.
What's your take on wireless security? Are we there yet?" This is the same site that also hosts the look back at Linux security we posted earlier. They complement each other well.
...gives the Microsoft security staff something to look down on.
A study of honeypot projects that showed most wi-fi abuse was "bandwidth stealing" doesn't exactly fill me with a sense of dread. More useful would have been a list of attempts by hackers sitting outside of unsecured businesses trying to get at the corporate data.
Or are they trying to lull potential customers into a false sense of security?
John
What's this? Wireless and security in the same sentence?
Wireless and security seem to be two words that are mutually exclusive these days, it would seem: between cocky administrators not securing their wireless networks, that few networks seem to be using WEP and huge bugs in phones' implementations of Bluetooth...
Know anyone who trusts WiFi? I don't. Even my university doesn't (and it isn't well known for good security practice). Useful, but slightly untrustworthy.
Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
Just have your wireless devices set to a DMZ that opens to one page, a VPN portal. Then you have a wireless connection, with VPN providing your security. Voila...a little bit more cumbersome, but isn't your network integrity worth it?
Despite the advances made in 802.11i - WAP/TKIP (TLS/TTLS/EAP/PEAP) - the best solution is "on-the-wire". 3DES IPSEC and now SSL Tunneling are two examples we are using to avoid new exploits as hacks become available for the wireless standards. The above are tried and true methods of encrypting data. If the end user simply runs a client (3DES IPSEC) or uses the well known SSL standard (no client needed) between themselves and your NOC/Colo/Facilities - you can guarantee a measure of security for their data.
Wireless has no such limits. This is even skript kiddie level stuff.
This is my report on it.
On Linksys' site they have 7 things people should do to keep their wireless network safe:
1. Change the default SSID.
2. Disable SSID Broadcasts.
3. Change the default password for the Administrator account.
4. Enable MAC Address Filtering.
5. Change the SSID periodically.
6. Enable WEP 128-bit Encryption. Please note that this will reduce your network performance.
7. Change the WEP encryption keys periodically.
Now you're telling me the average joe (or administrator) is going to perform all these tasks, and remember to regularly change the WEP encryption keys. This is a problem, and until security setup and maintenance is automated and/or easy enough for the everyday folk, there is going to be a continual growth of attacks on these types of networks.
------------
Are we there yet? Let's see...
1) 802.11i is still not yet approved as a standard
2) WPA (the impetuously released TKIP variant) is not widely available and like 802.11i relies on 802.1X.
3) 802.1X has been withdrawn by the IEEE pending a re-write. It's broken for wireless. Don't expect to see the revision any time soon.
4) No semblance of a seamless, inter operator, inter hotspot, non web-pagey user authentication scheme for mobile devices is widely deployed for 802.11.
5) Other wireless networks that are deployed are insecure (e.g. GSM)
I think maybe there's a way to go yet.
Evil people are out to get you.
Up here in central Canada, early 2003 showed a nice, gradual uptake in wireless equipment by the business sector, and a few tech-heads putting it in their houses. Now that xmas is over, and stores were selling APs for as little as $15 (cdn) after rebates, I'm seeing almost a 10-fold increase in the number of hotspots compared to June of this year.
:)
I see a couple of trends on the horizon:
1. Just as you can no longer buy a 10mbit hub, because a 10/100 switch costs pennies more to make, soon all home cable/DSL routers will come with 802.11b at the very least. The "premium" models will include g for $5-10 more, to keep some price differentiation happening.
2. Back when it was us geeks and businesses, the WEP/non-WEP ratio seemed to hover around 50-75%, depending on area. Driving around last night, it's below 10%. This could be an indication of new xmas presents that the owner hasn't had time to configure, but really: how many people actually change from the default settings? (On that note, thank you SMC for having a blank default password and an SSID of "SMC".)
Just the changes in the past 12 months have convinced me that 2004 will be the year wireless really takes off everywhere up here, and as long as it's still being shipped unsecured to the consumer, we're soon going to have a LOT more opportunity for this sort of thing.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
You forgot about the token stored on a smart card, your biometric information via finger print reader, along with a plain old username and password (which only corresponds to that particular set of biometrics) that are needed to log in to the VPN. A tad bit more cumbersome, yes, but voila! Complete wireless security.
No more worries about wireless security alerts, finicky configurations, key management, weird drivers, setting up VPNs within my own house, strange network freezeups or having to read articles to keep on top of it all.
To me, keeping my mind uncluttered and free from all that minutia is worth the ugliness of a few network cables.
Do you install heaters in them or how do they survive the freezing temperatures and snow?
My company (Newbury Networks, Inc.) makes a product that provides physical perimeter security on 802.11. It uses our location-tracking technology to identify the location of all 802.11 traffic and can then both report and classify traffic as well as deny access to devices outside your physical perimeter. While some security problems remain, this largely mitigates the "attacker in the parking lot" scenarios.
Most people assume that wireless security cannot be coupled to physical security. If you can keep people outside your building off your network, it's a whole different ball game. This essentially eliminates spoofing problems because it doesn't matter if you're spoofing if you're outside. Obviously, internal threats are still an issue and any security system should be multi-factor. Location is simply a key element that it's hard to provide for wireless.
(I hope this isn't taken as inappropriate product pushing, but I believe it is a useful and relevant solution to many wireless security problems)
My WiFi access point sits by its lonely self on the high speed modem, with its own IP address, next to my firewall. I use plain text when surfing the internet and ssh to my own servers.
If a neighbour wants to use the network at 1Mbps or whatever lousy data rate he would get from over yonder - be my guest - won't bother me...
How secure are wifi lans at starbucks etc??? Are all email passwords etc at risk?
sci-fi/horror fanfiction
stereoscopic multimedia pioneer view3d.tv
WEP works just fine for certain things. For example, keeping people from abusing my internet connection, downloading child pornography, etc. In order to crack a 128-bit WEP key, last I checked, you need something like 5-10 GIGABYTES of traffic to analyze. I don't use that much bandwidth in a year over wireless - it's just to be able to surf from the living room, etc.
:)
I've checked out the range on my AP using some nice high-gain antennas, and seeing as it's in the basement, someone would have to be within 3 or 4 houses of me. That's a pretty limited range, so I can narrow it down to say 100 of my neighbours. And one of them would have to sit and passively sniff my traffic for an ENTIRE YEAR. Answer: change my WEP key every few months, and unless I'm not up to date with the latest security issues, I'm virtually immune. Sure, they can sniff my SSID. Big whoop if they can't get on it.
Disclaimer: I haven't played with Kismet in over 6 months, so if there's some new "grab 10 packets and crack the WEP key" setting that I haven't heard about, please correct me
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Probably the most important news is that China will disallow standard 802.11 WEP security and mandate its own standard - WAPI for all Wi-Fi in the country. This could have wide ranging implications, from splitting the market to leading to a possibly improved system (on first glance, WAPI beats WEP hands down, except for privacy implications - big surprise) for the world.
In any case, it is a dramatic development.
The only good weather is bad weather.
Working at a .edu we don't particularly trust our wired networks either, so pretty much all of our services (HTTP, IMAP, LDAP, etc.) require encryption (SSL or SSH). So the only thing special about wireless is that someone doesn't have to walk into the building to get on the network.
The most common solution to this for now seems to be to do some magic with DHCP, iptables, etc. to force the user to a web page where they authenticate themselves before giving them normal network access. I'd prefer we could negotiate an IPSec tunnel, but all the attempts I've seen so far were a bit of a hack. Most Linux distros don't even come with FreeS/WAN, and configuring the Windows IPSec client to talk to a non-Windows IPSec server is a nightmare.
Personally I like the way my garage door opener works. The only way to add a remote to the system is to open the box and push a few buttons to tell the system to get ready for a new remote. Then you push the button on the remote and verify that the new remote was added.
Networking devices should create and change their own WEP keys automatically. I know my mother certainly isn't going to change it frequently if at all, and if so it will be her kids' names or something.
The device would have MAC Address filtering on by default and would only be able to add devices by pushing a certain button on the device and putting it into "Add Network Device" mode. Then your new WiFi card would work on the system.
I think adding some physical requirement to the mix is the only way to have real security that's relatively easy to use.
As with most software or hardware, making it secure by default raises the bar required to use it. The company ends up fielding thousands of support calls from people who don't RTFM. Security out of the box is expensive to handle for general users. So everyone else ends up paying for it instead of the creators.
That's why Windows has viruses, WiFi is insecure and Linux is "hard to use".
http://www.colubris.net/en/products/enterprise/CN1 050/
I've been looking at these guys for a project. It's an integrated vpn/wap. Has anyone had any experience with this vendor they could share?
FYI: the slashdot gayness filter has added the customary erroneous space into the url.
Are we even at the "wireless" step yet? I've had nothing but trouble with wireless networks...even ones where everything I bought was from the same vendor. Eventually one of my cards broke - I'm not trying wireless again until it becomes more reliable, less expensive, and there is more support for cards in Linux.
I belong to the ______ generation.
First time I have seen a Vulcan modded as flamebait!
roflmao, my 2nd favorite troll :)
So yes I have WEP and MAC filters turned on my Home Wireless but the Access Point (infrastructure mode) is on its own DMZ LAN and plugged into a Linux box. This Linux box has 3 Ethernets - the ADSL router and trusted LAN connections plus the Wireless LAN. The firewalling is all done via iptables configured using FWBuilder on a different Linux machine - I really recommend FWBuilder once you get into it.
The firewalling ONLY allows PPTP tunnels to be set up from WiFi clients. The Linux PPTP server is PoPToP on Linux side and standard PPTP client with WinXP on Laptop side. The laptop thus gets allocated a new IP address for the tunnel from within my trusted address space (so as to thus get through iptable filters OK) on the PPTP link and the laptop also uses this as its default gateway. BTW: Counterpane found flaws in how MS implemented PPTP not PPTP itself so I'm happy with PPTP for the moment and I use a separate (non-easy) password for the PPTP tunnel.
Workflow is thus...power up Laptop. Double-click Connect To Homelan (password is cached in dialog box on WinXP). Wait for handshaking and authentication and tunnel setup. Surf.
My next move has to be IPSec with FreeS/WAN but ideally certificate based. So for me WiFi security is just not relevant anymore because it'll always be more flexible to place the crypto burden inside software as opposed to using hardware devices.
Needs More Testicles
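The filtering described in the comment above (the wireless segment may reach only the PPTP server) sketched as an added example; it is not the poster's FWBuilder output, and the interface name `eth2`, the gateway address `192.168.50.1` and the function names are assumptions. PPTP needs TCP port 1723 for control and GRE (IP protocol 47) for the tunnelled data; the second function audits a rule listing for any other ACCEPT on the wireless interface.

```shell
#!/bin/sh
# Added example, not from the thread. Interface name and address are assumptions.
WLAN_IF="${WLAN_IF:-eth2}"        # assumed: NIC cabled to the access point (wireless DMZ)
GW_IP="${GW_IP:-192.168.50.1}"    # assumed: the Linux gateway's address on that DMZ
IPT="${IPT:-iptables}"

# Print the rule set. Review it, then pipe it to `sh` as root to apply.
# Assumes wireless clients get their DMZ address statically or from the AP.
wifi_pptp_only_rules() {
    cat <<EOF
$IPT -A INPUT -i $WLAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $WLAN_IF -d $GW_IP -p tcp --dport 1723 -j ACCEPT
$IPT -A INPUT -i $WLAN_IF -d $GW_IP -p 47 -j ACCEPT
$IPT -A INPUT -i $WLAN_IF -j LOG --log-prefix "wifi-drop "
$IPT -A INPUT -i $WLAN_IF -j DROP
$IPT -A FORWARD -i $WLAN_IF -j DROP
$IPT -A FORWARD -o $WLAN_IF -j DROP
$IPT -A FORWARD -i ppp+ -j ACCEPT
$IPT -A FORWARD -o ppp+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Audit: read rules on stdin (this script's output or `iptables -S`) and print
# every ACCEPT on the wireless interface that is not PPTP control, GRE, or
# established traffic. Returns 1 if any such rule is found.
audit_wifi_accepts() {
    bad=$(grep -e "-i $WLAN_IF " | grep -e "-j ACCEPT" |
          grep -v -e "--dport 1723 " -e "-p 47 " \
                  -e "--ctstate ESTABLISHED,RELATED " || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Emit the rules only if they pass their own audit.
wifi_pptp_only_rules | audit_wifi_accepts && wifi_pptp_only_rules
```

Tunnelled clients arrive on `ppp+` interfaces with addresses from the trusted range, so nothing is ever forwarded directly from or to the wireless NIC.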
Sucking such a large bumppy penis would cause shellshock to him from the tremors of it going through his skull...
Karma: Good, or bust!