Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Wireless Networking Books Media Book Reviews Hardware

802.11 Security 179

JadeSky writes "Having played around with wireless networking at home a little bit, and then being faced with implementing a wireless network at the office for the purposes of in-house customer training in a cosmetically clean room (wires are ugly), I had been thinking for some time about the best way to implement a secure wireless networking solution. Amusingly enough, shortly after the idea of a wireless network at the office came up, I managed to win 802.11 Security in a raffle at the Kernel Panic Linux Users' Group monthly meeting. The book was thoughtfully donated (with a few others) by O'Reilly on the condition that the recipients contribute reviews. Since I've found the book genuinely helpful, I thought I'd let others know, and hence, my first Slashdot book review. Hooray!" This book emphasizes a multi-layer approach to wireless security; read on for more of JadeSky's review.
802.11 Security
author Bruce Potter and Bob Fleck
pages 192
publisher O'Reilly
rating very good
reviewer Gregory Ruiz-Ade (JadeSky)
ISBN 0596002904
summary Securing wireless networks

With the amazing proliferation of wireless networks these days, there seems to be constant churning about how best to secure them, while at the very same time, barely anybody is actually doing anything about it. Potter and Fleck have offered up this little book, 802.11 Security, as a no-nonsense guide to understanding the problem of wireless networking security (or, as the case may be, the complete lack thereof) as well as demonstrating how to implement viable solutions.

Straight from the horse's mouth, "This book is aimed at network engineers, security engineers, systems administrators or general hobbyists interested in deploying secure 802.11b-based systems." The greatest attention is given to Linux and FreeBSD systems, though OpenBSD, Mac OS X and Windows are covered as client systems, too. The authors split the book into four parts: "802.11 Security Basics (Part I)," "Station Security (Part II)," "Access Point Security (Part III)," and "Gateway Security (Part IV)."

Part I, "Security Basics," gives a very good introduction to the concepts of wireless communications. Chapter 1 explains how radio transmissions work (and how antenna shapes affect them), and why radio transmissions are inherently insecure (i.e., anyone with an antenna in range can listen in). 802.11 is explained, as well as WEP, and WEP's problems. Chapter 2 describes in detail the risks involved with wireless networking, and gives examples of types of attacks which can be performed against wireless networks.

Part II, "Station Security," outlines in great detail what you need to do to make sure your wireless network clients are as secure as possible. We're given two goals for client station security: prevent any access to the client systems, and make sure that the clients speak secure protocols for any network services they access. To the paranoid, both these goals are rather obvious, but they're important enough that the authors spent time explaining them. They follow with a couple paragraphs on logging and security updates on the client systems, and the rest of Part II (Chapters 4 through 8) give specific information on how to best secure client systems of various OSes.

Part III (Chapter 9, really), "Setting Up an Access Point," delves into the intricacies of setting up and securing a wireless access point, from generic advice on how to configure access point appliances to more specific instructions on configuring host-based access points running Linux, FreeBSD and OpenBSD. Comparatively little time is spent on host-based access points in the book, probably because most people generally don't do things things way since access point appliances are so cheap and simple to configure/install.

The remainder of the book is spent on Part IV, "Gateway Security" (Chapters 10 through 15), which describes the infrastructure end of how most wireless networks will likely end up being integrated to wired networks. Basic suggestions for structuring the combined networks are given, and follow what I'd consider to be really good advice: wireless networks should be on their own interface of the gateway (or firewall), physically separated from both internal networks and the Internet. The authors strongly recommend against simply attaching the access points to the internal network, as that introduces too many security risks (an example involving ARP poisoning is given to illustrate why and how). The next three chapters detail the configuration of Linux, FreeBSD and OpenBSD as a secure gateway.

Chapter 14, "Authentication and Encryption", introduces the idea of using strong authentication and encryption mechanisms outside of WEP, using NoCat (which will run on Linux, FreeBSD and OpenBSD) and WiCap (for OpenBSD only) for authentication and IPSec for strong encryption. The idea the authors present here is that for the most secure setup, in addition to enabling strong WEP (as detailed in the rest of the book), your wireless network is set up to not allow clients access to anything until they are authenticated. Then, and only then, the gateway will allow wireless clients to access other network segments (i.e., the internal LAN, and/or the Internet), but only if all the communications over the wireless segment are done through secure tunnels. Sadly, the authors neglected to mention OpenBSD's, Windows 2000's or XP's ability to do IPSec, and their treatment of IPSec for FreeBSD and Linux certainly isn't very detailed, though pointers are given to the appropriate web sites for more information. 802.1x authentication (physical port authentication) is also explained in some detail, though it is of little use, since very little equipment deployed today has support for it. It is an interesting concept, though.

Closing out the book, Chapter 15 is appropriately titled "Putting It All Together." Here we get a final overview of all the pieces as well as how they fit together, and how certain aspects of the system as a whole affects both the administrators and the users of the system.

Overall, I'd have to say that this is exactly the type of "security in depth" book I've been needing to help me figure out how best to implement wireless networking at the office with minimal risk to the rest of the network. The authors write in a very approachable style and do a very good job of giving the necessary background before launching into any detailed discussions. I would highly recommend this book to anyone considering installing wireless networking without wanting to simultaneously install a simple back door to their network. Honestly, I haven't found much to complain about.

I'm of the opinion that, after reading this book, and using it as a guide to setting up a secure wireless network, I'll be able to sleep at night. Even though people can still war drive (or even war fly) and find your access points, even if they managed to crack the WEP keys and associate to the AP, the network will still be secure because of the multiple layers that have been put in place.


You can purchase 802.11 Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

This discussion has been archived. No new comments can be posted.

802.11 Security

Comments Filter:
  • by Mikey-San ( 582838 ) on Wednesday April 30, 2003 @11:04AM (#5843720) Homepage Journal
    "Wireless security"?

    Is that anything like "military intelligence"?

    -/-
    Mikey-San
    "I may be superficial, but you're fat."
  • by Sheetrock ( 152993 )
    What is so fundamentally different about 802.11 from other forms of networking that is making it so hard to secure? Is there an inherent vulnerability in wireless communication that I'm not spotting (besides not having to splice a wire or find an unused network drop to get in) or is this about people who don't follow good security practices and decide they want to compound their difficulties by broadcasting network access?

    Maybe the problem isn't 802.11 security, but computer security in general.

    • It's because you don't need physical access to the wiring closet to sniff packets now. All you need is netstumbler and a pringles can.

      There'd be a similar hubbub if there was a small LED display outside your cubicle, showing everything that was moving across the ethernet segment on your desktop.
    • by Migrant Programmer ( 19727 ) on Wednesday April 30, 2003 @11:10AM (#5843787) Journal
      besides not having to splice a wire or find an unused network drop to get in

      That is the inherent vulnerability. Someone can have "wired equivalent" access to your network from possibly miles away using a good antenna, so physical security is irrelevant. Compounding this problem is the fact that wireless networks are expected to have clients connecting and disconnecting all the time, from different places, whereas in most wired networks the client base is fairly stable (and easily policed).
      • Replying to myself to add another point:

        Wireless networks are broadcast-based, obviously; they work like a hub, not a switch. That means someone with an antenna can listen to everyone's packets, whereas with a switched network a "wire-splice" attacker only gets the packets belonging to a single client.
      • by _Sprocket_ ( 42527 ) on Wednesday April 30, 2003 @11:32AM (#5844050)


        Someone can have "wired equivalent" access to your network from possibly miles away using a good antenna, so physical security is irrelevant.


        This is something that doesn't seem to get a lot of attention. Even if you're using a rather low powered device, it is still fairly difficult to be sure of exactly where your signal is ending up or who is able to pick it up (which leads in to a discussion about directional antennas, I suppose).

        Another point is that its very difficult to tell who is using a wireless network. With the conventional network it ultimately involves someone being reasonably obvious about having plugged a cable in to a drop. With wireless it could be the guy outside in the park with his laptop or a sniffer sitting in a car in the parkinglot. Or someone in an office building blocks away using the right kind of antenna (as pointed out previously). Sniffing / attacking a wireless network involves considerably less risk than a conventional wired network.
    • Well, apart from the fact that to obtain entrance to most LANS, you need physical access (or have to get through a firewall), no.

      WEP is also wayyyyyy weak.

      • Physical access to a port does not guarantee access. For a start the port must be on the correct vlan of the network you want to access. Also, the port may be disabled, or set to secure mode, in which only learned hardware may make use of it.
      • by alkali ( 28338 )
        WEP is also wayyyyyy weak.

        Well, no. It's not as strong as it could be or ought to be, but someone has to sniff and crunch your packets for a good long time (there's a spam subject line if I ever heard one) to break WEP.

        This site [shmoo.com] suggests that you need the packet traffic generated by 500 person-hours of heavy network usage to break WEP. I use my network about 10 hours a week. Accordingly, if I change my password once every few months -- that is, once every 100-200 hours of network use -- I avoid the nig

        • hmm... but when there are many users sharing an access point (and WEP key), you can very quickly generate enough traffic to crack WEP.

          So corporations still need to rotate their keys on a daily/weekly basis to protect this layer of security. Pain in the ass...
          • by afidel ( 530433 ) on Wednesday April 30, 2003 @12:39PM (#5844776)
            That's why Cisco's LEAP uses per user WEP keys that are rotated at a user defined interval (the default is every couple hours I believe). Add to that TKIP which ensure that playback attacks can't be used (it hashes the packet with the time and attaches the hash) and Cisco's implementation is pretty darn secure. For the most paranoid of customers they still recomend vpn concentrators between the wireless and wired lans but I personally don't see much use for em in 90+% of installations.
            • I've got a question.

              As far as I can tell the Cisco solution, though it works, is mucho expensive. You require Cisco-only hardware, not just access points, but also Cisco client radios, so you have to kit out all the users with new PCMCIA cards etc. if you want everyone to use LEAP (well, unless they're using Macs, since Apple seems to have come to some arrangement with Cisco that allows their Lucent/Agere/whateverthey'recallednow-originating Airport cards to connect to LEAP networks. Does anyone have any
        • I avoid the nightmare scenario of someone printing 500 copies of goat-man to my color printer.

          I get your point, but since wireless places everybody on a big LAN (the same goes for cable modem networks), it is smart to disable file and print sharing on a windows PC. If this isn't practical (the user has several PCs in his apartment and needs to share files and printers, or the WLAN is at an office doing the same), the inner network needs to be behind a firewall.

          Either way, ports 137-139 should be firewal

    • Maybe the problem isn't 802.11 security, but computer security in general.

      Of course. But wireless makes in expodentially worse because you are broadcasting your insecurity to anyone within range. Whereas an insecure wired network is inherently more secure for the fact that you have to be plugged into it.
    • by sporty ( 27564 ) on Wednesday April 30, 2003 @11:17AM (#5843863) Homepage
      Yes, 802.11 is a little more insecure due to one facet.

      Take 2 computers, link them by ethernet cable, lock it up pretty well, and poof you have a mostly secure network.

      Only thing stopping you from getting on my home network right now, is the fact you don't have a cable plugged into my switch at home. I also have a good firewall on my dsl line.

      Now, if i were to put the switch on the sidewalk, anyone could just walk up, and jack in. They'd have access behind my firewall and to my dsl line. That is what wireless is like: putting an invisible switch whever you happen to be, within certain distance of an access point. So it's harder to secure by the fact that you don't need a wire to connect, but just be in proximity.. and unless you have shielding around your AP and computers that use the AP's, you are more open.
      • If you put the AP inside your network, you're an idiot looking for trouble. If you put it outside, it's basically like anyone on the net. You have to treat an AP as insecure! You still need a firewall to allow traffic from the internet or the AP to flow in. Just like you don't want people to "direct connect" to your servers, you have to use an encrypted VPN over your AP (as WEP is crackable if you want and MAC access can be spoofed). If you have problems with security, you can hire me :)
    • What is so fundamentally different about 802.11 from other forms of networking that is making it so hard to secure?

      I think you hit it on the head here. You don't have to have physical access to a wire. You could be 50 meters away from the AP and be able to access the network.

      Another problem was with the first implementation of WEP. The 40/64 bit encryption is terribly easy to break, as is well documented. The 104/128-bit WEP is more secure, enough for casual use, but with enough packets sniffed,
      • by The_K4 ( 627653 )
        Or they just don't read the info that came with the wireless router on HOW to. There are a great many home users who buy these things, plug them into the wall and their DSL/Cable modem, add a wireless card to their PC or laptop and start surfing, They have no idea WHAT a SSID is let alone why they should change it!
    • What is so fundamentally different about 802.11 from other forms of networking that is making it so hard to secure?

      It's the simplicity.
      Anyone who can open a Internet Explorer window can instal, configure and "secure" a 802.11 device or network.
      Even my aunt, who don't understand anything about computers managed to get her new SMC Barricade Turbo Wireless up and running with Win2k. (She forgot to enable the 256-bit WEP, but I did that for her.)
      This means that there a tons of peolpe out there without a

    • by ShooterNeo ( 555040 ) on Wednesday April 30, 2003 @11:36AM (#5844096)
      Its all about convenience. The barrier to entry in any security system always affects how many individuals actually try to break in. For instance, a moderately reinforced steel door is dramatically more secure than a plate glass window, even though both can be trivially defeated by anyone with the knowledge. This is because there is so much lower a barrier to entry with the window that a much larger proportion of the populance will be tempted.

      In a similar manner, open wireless networks can usually be used to grant free internet access without doing anything but hanging near the building. Special antennae can be even used to grant one near perfect anonymity and immunity to prosecution. Wired network break-ins require physical access to key wiring somewhere, and the commission of a much more obvious and deliberate crime. (by contrast, most 802.1 war-drivers probably think of it more as walking into a building uninvited when they find the door left cracked open)

      Sneaking around a building with a toolkit looking for network cable seems incredibly stupid and dangerous, an almost certain way to end up in jail eventually. It would only be worth even considering if the rewards were immense. By contrast, if one sits at a cafe/van with a laptop one can just power it up and run a few programs and sometimes break into a nearby network with little to no effort but a few clicks. And if one can snoop into a few internal network files, maybe read some mail, so much the better.
    • 40 bit WEP is effectively worthless. I use 40 bit WEP because my Linksys card won't speak to my D-Link access point on 128 bit WEP. My neighbor, a security professional (totally out of my league), has boasted that he could hack my network in as little as 15 minutes. I called him an amature and pointed out that he could walk in my unlocked back door and totally 0wnz me in less than 30 seconds.

      I say this to illustrate the real insecurity of a wireless network: there's no physical access restriction. I o
      • From all the articles I've read on wireless security, 15 minutes sounds about right for 40 bit. 128 bit is only good for about a max of about 3 days against bruit force. So in otherwords both 40 and 128 bit are pretty much worthless.

        Basically from everything I've gathered is that wireless encryption is only good for a minimal wrapper. The only good way to secure a wireless network is to put an accesspoint in a DMZ and only allow clients to connect via a VPN that has real security. In otherwords treat
    • Today I was on a training course at a major software supplier which shall remain nameless for reasons to be discussed below.

      Unfortunately there was no internet access in the training room

      Fortunately my Mac told me there was a wireless lan.

      Unfortunately it was encrypted

      Fortunately the password needed was the name of the company

      Unfortunately there was no DHCP server so I'll have to guess an IP address, router and DNS server in order to get arrested for unauthorised use of their LAN.

      But the main thing wa
  • 802.11 (Score:1, Insightful)

    I have a hard time that 802.11 will ever be super secure. Just because all you need is a laptop a antennae and some good skills to break into a WaveLan, Hewlett-Packard still keeps their Wirless Network open, and I know of several others. So, Until a largescale hack on these systems happens then MAYBE will people get the Idea that 802.11 coiuld be secured better,. That and alot of people have not moved to WLAN yet, just because of the cost of the equipment, and the maitnence and configuration. is not reall
    • Just because all you need is a laptop a antennae and some good skills to break into a WaveLan

      Shouldn't that be all you need is a laptop an antennae and some good skills to break into an unsecured Wavelan

      There is plenty that you can do on existing WLANS to lock down access, disable broadcast SSID, enable WEP,use MAC ACL's within the access point and even treat the WLAN as an insecure LAN and VPN tunnel through to the LAN. On top of this the latest kit gives you 802.1x Access control and WPA encryption an

  • I leave my home network open on purpose. If passerby's want to check they're email or something be my guest. I use Linux and Mac OS X I fear not the script kiddy ;)
    • Re:Personally... (Score:4, Insightful)

      by dinivin ( 444905 ) on Wednesday April 30, 2003 @11:11AM (#5843798)

      What if one of your neighbours decides to leach child porn off the net using your wireless network? Should they think of themselves as your guest?

      Dinivin
      • What if one of your neighbours decides to leach child porn off the net using your wireless network? Should they think of themselves as your guest?

        I'd ask my ISP about that one, but they are all in jail because one or two of their customers decided to download kiddie porn. Oh wait, they are not in jail and neither am I. The core thought of your statement is dangerous. I'm not resoponsible for the actions of others and common carriers should not be either.

    • I leave my home network open on purpose. If passerby's want to check they're email or something be my guest. I use Linux and Mac OS X I fear not the script kiddy ;)

      Then I hope you don't live in New Hampshire [slashdot.org]. With the burden of securing networks falling upon the network owner, and the propensity of the law to look unfavourably at those who "facilitate" illegal behaviour (think bars and party hosts in relation to drunk driving), I would think that it would very well be worth applying some amount of se
  • by Anonymous Coward
    for the purposes of in-house customer training in a cosmetically clean room (wires are ugly)

    Power, keyboard, and mouse cables are less ugly than Ethernet?
    • Laptop.
      • Or a laptop that is on a different floor than the wired network. In that case, wireless is invaluable compared to stringing cat5 between floors. Even if I install wall jacks for the latter, I'm still tethered to that wall jack.
      • > Laptop

        Five finger discount...!

    • What, you haven't seen those wireless keyboards and mice?

      Personally I would love to see a computer training room where all of 12 or 24 computers are all using wireless keyboards and mice. I would love to see the expression on the administrators face when the mice and keyboards are all randomly moved from one workstation to another, mouse a to system b, keyboard a to system c. a, b and c, randomly allocated.

      Of course all of these systems are using integrated displays, with internal battery systems, and eve
  • by Neil Watson ( 60859 ) on Wednesday April 30, 2003 @11:09AM (#5843779) Homepage
    It really bothers me that we reward the makers of such a flawed system by buying their products. How can we expect WiFi to improved if we buy it now matter how bad it is?
    • If we only bought computer products that worked without flaws we'd still be using typewriters right now.
    • I think we've already let the cat out of the bag in terms of accepting poorly designed protocols and buggy software.

      This came to me as I power cycling my cable box (which had crashed) not long after power-cycling my DVD player because it "crashes" during certain disc-change cycles (eg, don't hit OPEN when its inventorying the changer -- it will crash every time).

      I think so many people have already been so exposed to software bugs and things that don't work right, we've come to expect it instead of expecti
    • But if we don't buy into it, and at least TRY to make something useful and semi-secure out of it, it'll die off as a technology. Think of all the really cool things that companies have tried to market over the years, but which quietly dried up because of a lack of consumer interest. One thing leaps to mind: the laserdisk of the early eighties. And, another: vector displays like in the old Vectrex video game.

      If it dies off, it's gone and no company will take a chance on it. If we keep it alive long enough,
  • by King_TJ ( 85913 ) on Wednesday April 30, 2003 @11:09AM (#5843786) Journal
    I recently was paid to get a wireless network working (as well as fix some shared Internet connectivity problems in general) for a client.

    When I arrived, I found out the client had everything running through a Belkin firewall/router device with built in 802.1g wi-fi. (It was attached to an external DSL modem via ethernet cable.)

    It struck me that unless I'm missing something, these combo wi-fi bases/routers are inherently limiting in how much security they can offer the user. (EG. You can't really place the wireless clients behind some sort of a VPN tunnel with authentication if the other end of the wi-fi connection is managed by integrated firmware in the router itself, right?)

    I ended up enabling 128-bit WEP for the guy, as well as disabling "broadcasting" of the existance of the router/w-fi base, but couldn't see much else to do beyond those measures.
    • essid and mac limiting would be helpful. disable dhcp serving on the router, and provide it at a server, with the network not participating in the internal network, except to a security server that requires a ssh session to route traffic elsewhere in the network, then only out the gateway to the Internet.

      That's just a start. You can require rsa key ssh tunnels into the security server for the WiFi attached device, which implements a VPN to provide access to your own network for authorized users.

      Obviously
    • I've played a bit with these and you're somehow right. Most cheap switches/routers treat the wireless and the LAN as 1 net (which is bad!). So you see everything on all the ports. It's very easy to use "arp poisoning" to fool a cheap switch and become a trusted machine.

      Better wireless switchs have "dual subnets" and this allows you more flexibility by denying access to the insecure subnet. Unfortunately, most home users can't really afford one, or can't justify the price increase.

      Now, home usage and busin
    • 2 separate security issues. Firstly there is the security of the internet connection. This is why the default values of the router should be changed (ESSID, password, enabling WEP, MAC filters). The second issue is the security of your internal network where a further level of encryption and authenication should take place. it's one thing to give someone free internet but you don't want them accessing your private information.
  • by ites ( 600337 ) on Wednesday April 30, 2003 @11:10AM (#5843788) Journal
    You just have to treat any wireless network segment as insecure and pass any traffic from it through your firewall as you would for internet traffic.
  • 802.11 (Score:2, Funny)

    by Anonymous Coward
    Interesting. We can get a man to mars. We are now a matter of months from curing almost every known disease via un diferiantiated cells and some protiens.

    But we can't create a united task force to spread wireless broad band across my blood back yard?
  • warning! (Score:2, Informative)

    by Anonymous Coward
    Make sure to read the errata at the o'reilly website. A friend of mine read the book, and used it as a guide to set up 802.11 security on OS X. He got nailed due to a couple of missing steps.

    otherwise, it's a good book.

  • Another review... (Score:4, Interesting)

    by Hanashi ( 93356 ) on Wednesday April 30, 2003 @11:14AM (#5843833) Homepage
    I reviewed this a while ago on my site. In case you're interested in a slightly different take, check it out here [infosecbooks.com].

    Quick take: ehh. It's good for small, Unix savvy sites, but windows shops or large installations should probably look elsewhere.

  • Before you exchange data with another host, simply use Diffie-Hellman to get a symmetric key and then encrypt/decrypt all your communications. I thought SSL solved this problem ages ago.....
    • That presumes that every tool you intend to use, has support for SSL built in, or you are proxying all traffic across an SSL encrypted link.

      Is this do-able? Sure.

      Is this widely documented as a simple general solution for all operating systems that support WiFi connectivity? I don't think so. If so, is it cross platform? Again, I am not aware of any, but then I have not done any research papers on this topic.

      Then again, I could be wrong. It's happened before, and I expect it will happen again.

      -Rusty
  • wireless security (Score:5, Informative)

    by knightinshiningarmor ( 653332 ) on Wednesday April 30, 2003 @11:16AM (#5843856)
    I hate it when people say wireless is so incredibly insecure. It's true that the wireless signals can easily be picked up by anyone. It's also true that one can pick up radiation from cables to sniff packets on your "secure wired network."

    The solution is to not rely on the hardware encryption of your card and hub. Instead, use encrypted streams for all communications from your laptop. Use SSH, never use telnet (that should be common sense). If you just do that, then you don't have to worry about someone sniffing your packets because they are encrypted (and if they're also hardware encrypted you have some nice double-encryption). Also, you could easily set up an ssh tunnel to your router for the http protocol or whatever else you need. That way you have the security through the air. Anything after that is subject to wires on the internet, which like I said before, give off measurable radiation.

    In short, just remember to always use software encryption and not rely on the hardware encryption of your wireless devices. Simples as that.
    • and if they're also hardware encrypted you have some nice double-encryption

      That's what I thought, but then someone cracked my rot13. I swear, if double-encrypted rot13 isn't secure, nothing is.
    • Re:wireless security (Score:4, Interesting)

      by ErikTheRed ( 162431 ) on Wednesday April 30, 2003 @12:58PM (#5845010) Homepage
      Yeah, but how many organizations are using WLANS for ssh? Most of them are running Win9x LANs with file and printer sharing (and usually without password protection). These are about as secure as.... ummm... never mind, they aren't secure at all. And yes, it is theoretically possible to sniff data through cables, but it's several orders of magnitude more difficult and expensive and requires physical access to the facility (or at least being near a wall with a cable going through it).

      802.11 sniffing and cracking WEP codes (for the less than 5% of sites that even bother turning on WEP) is trivial skr1pt-k1dd13 stuff, can be accomplished for less than $200, and from several miles away.

      So, in short, for a savy *nix (or even Windoze) admin / user, wireless can be used in a reasonable secure manner. But you have to keep in mind that this represents less that 0.001% of the wireless users out there. Therefore, wireless security is a massive timebomb of a problem.

      Remember: your average small- to medium-sized businesses and home users usually have inexperienced people administering their networks. I hate when people assume that just because experts can get it to work it means that a product or service is "fine." :)
    • I believe you're overlooking the case of network abuse.

      We had our DSL turned off with no warning, and apparently it was due to somebody trying to spam/attack the MSN Gaming Zone boards.

      When tracked back, it appears to have been a laptop with a wireless card, that was reconfigured to bridging - turning it into an open WAP.

      At no time did the intruder do anything to any of our systems... but it still caused us major grief for a day!
    • Apart from all the other reasons given above, it is also much easier to snoop a wireless lan than an ordinary lan since your laptop probably comes with all the necessary hardware built in (i.e. wireless card). To snoop a normal ethernet you probably need some sort of really expensive radio receiver and software (well expensive by comparison with a wavelan card).
    • The wireless threat model is more complicated than just passive eavesdropping.

      For example, what if someone drives by and sets up an access point with the same name as yours? Then you'd have all the clients authenticating to your intruder.

      You'd need to make sure you had 2-way authentication going on, and tunnel everything through ssh or ipsec or whatever.
  • by mattbee ( 17533 ) <matthew@bytemark.co.uk> on Wednesday April 30, 2003 @11:16AM (#5843858) Homepage
    We used 802.11 to make a secure office home network, and like any insecure medium for IP, you can secure it against sniffing by layering a secure tunnelling protocol on top of it. This probably wasn't necessary since most sensitive information goes over ssh or SSL connections anyhow, but the way to do it is to use a encrypted network device tunnelling driver thingy.

    I'm used to CIPE [sites.inka.de] and like it because it has a Windows NT/2K/XP implementation as well as a Linux module. VTUN [sourceforge.net] does much the same job, is slightly easier to set up, although instead of a Windows driver, runs on Solaris and various BSDs. We used the latter to make a link between mine & my partner's house and managed to use the Linux bridging features to bridge his home wireless network to the office ethernet-- the bridge is over a vtun interface which sits on top of the 802.11 link between our office and his house. Complicated but it seems to work :)

    Anyone else have a similar setup? I'd be interested to know how to grow this kind of setup manageable (not that we have a need for it, but ... )
  • I've read it and am using the information as a basis for developing a wireless security (yeah I know it's never completely secure) solution. If nothing else, it's a centralized resource explaining the major protocols and issues involved. It gives you a great overview of which avenues to explore, and then take it to a test environment and see what works for you......
  • by Nick Driver ( 238034 ) on Wednesday April 30, 2003 @11:19AM (#5843893)
    There is no such thing as viable security with 802.11. Get over it.

    That's it, the whole book, two sentences, and it's free for the public domain.
  • Thank goodness you can buy this book for $22.01, with free shipping from buy.com [buy.com]. O'Reilly [oreilly.com] says the book has 192 pages. At a cover price of $34.95, that's over 18 cents per page. For $22.01, though, you're spending less than 12 cents per page.

    Compare that to one of O'Reilly's best books, Building Internet Firewalls [oreilly.com], with a cover of $49.95 and 890 pages -- less than 6 cents per page. buy.com [buy.com] has it for $31.47, dropping the ratio to less than 4 cents per page!

    O'Reilly books seem to be the most expensi

  • by swb ( 14022 ) on Wednesday April 30, 2003 @11:21AM (#5843916)
    We haven't done any 802.11 here for a garden variety of reasons, but security coupled with usability is one of them. Everything I've read seems to emphasize putting your 802.11 infrastructure on a DMZ-type segment and requiring some kind of VPN connection to gain access to the Internet and internal network.

    The simple implementation of this just puts the 802.11 network on the outside of the firewall, using whatever existing VPN infrastructure you have to gain internal access. The downside to this is the set of people with "anywhere" VPN access is a minimally overlapping subset of the people who should have 802.11 VPN access. ..which always leads me to the seperate VPN infrastructure for 802.11 solution, which is more expensive and complicated to setup and maintain.

    And then I'm left with the usability/training issue, explaining to people (lusers, help desk, etc) why the VPN connection is necessary and other sundry details of usage.

    And then there's equipment. It makes no sense to equip all ~100 laptops that don't have 802.11 with 802.11 cards for the few conference rooms that would get it.

    It looks fun, but there's so much baggage associated with it I can't see it happening in these economic times..
  • Creating a secure WiFi enviroment is not hard. So waht, you are broadcasting everything over the air to anyone within range. Big deal, with a few precautions and some know how, you can easily secure the wireless network.

    Put the AP itself on a port of its own on the firewall (not on of those cheap appliances, but something that will do nat/ipsec/ip firewalling).
    Do not use DHCP, disable broadcasting so that for someone to connect to the network they have to actually know it is there.

    Use ipsec to connect t
    • You can use wep which is almost completely useless for an added bonus.

      WEP is NOT useless. It is a "NO TRESSPASSING" sign. It informs a casual passerby that you INTEND the AP to be private (perhaps saving his time trying to figure out why this particular "open" AP isn't working for him).

      And if your firewall or configuration screws up, or somebody cracks it, it gives you ammunition in court to show that the guy who broke in knew he wasn't supposed to be there.
  • by PureFiction ( 10256 ) on Wednesday April 30, 2003 @11:27AM (#5844007)
    Even though people can still war drive (or even war fly) and find your access points, even if they managed to crack the WEP keys and associate to the AP, the network will still be secure because of the multiple layers that have been put in place.

    Actually, layer2 is completely unauthenticated, so anyone can associate with your access point using no key or the wrong key. IP and above will get dropped however.

    The lack of an authentication mechanism in the 802.11b MAC leaves a number of nasty weaknesses that can be exploited by malicious persons.

    Denial of service (forged disassociation) and active man-in-the-middle attacks (using higher signal and forged BSSID/SSID) continue to remain possible in even the latest security extensions to 802.11.

    I'm surprised no mention was made of IDS systems that can detect and respond in real time to 802.11 layer 2 attacks (and other higher level IDS checks on the IP traffic), although even these are of limited utility ...
  • by jj_johny ( 626460 ) on Wednesday April 30, 2003 @11:30AM (#5844032)
    Seems that every discussion about 802.x is all about how to set up the legal (approved) network access points up. But the question of how to really protect your network from someone who puts up a rouge AP is really where most security minded folks fail. After all understand WEP and the other stuff that you need to be doing is important but it really does not do much for you if someone has a rouge AP that they only put up on occasion like a meeting or something ie you won't find it unless you are scanning 100% of the time.

    I don't think that most people would be suprised that there is a lot of corporate espionage being done by going down to CompUSA and paying $100 cash for your untraceable security hole.

    • I work at a bank. Recently I asked the security team how they prevent this.

      They set up wireless sniffers at the sites and those packets go to a central monitoring system. So if you put up a WAP, they get alerted and can track you down. They even send out people to practice this to make sure it works.

      If you get caught, you get your walking papers. More than one person has left the bank this way.
    • Rouge [m-w.com] APs want to be found. Otherwise, why would they be applying cosmetics for coloring the cheeks or lips red? Alas, frequently, due to their garish application of rouge, most APs tend to attract only rogues [m-w.com].

    • Airmagnet has a number of good solutions for rogue AP detection. I worked with an early edition of their Mobile [airmagnet.com] product and I could figure things out fairly easily even in Cisco Aironet's office which is arguably one of the busiest AP environments in the world (literally hundreds of AP's in one office building). Their product supports not only all the standard .11b stuff but also the Cisco extensions like LEAP.
  • Sure, if you have a tangle of wires, it's not going to look good. But just because you've gotten rid of your CAT-5's doesn't mean you're wire-free. Do you power your PCs and monitors wirelessly? Do you have wireless keyboards, mice, and speakers on all your computers? Heck, you'd need to wirelessly transmit the video signal to your monitors too. Am I missing anything? Well, maybe printers and scanners, PDAs, or any other peripheral you might plug into your computers.

    If you're going wireless just because wi
    • I don't think most people are using 802.11 wireless because they think wires are ugly. :)

      But with a laptop running on battery power, you would be completely wireless unless you use an external mouse. Even then you can get a wireless external mouse. But you have to plug the laptop in SOME time. :)
    • yes wires are ugly, why not wire the phone jacks with cat5 cable, a RJ11 or RJ12 phone jack plug goes right into a RJ45 jack no problem. just run a couple extra cables to each outlet box. IMHO for every electrical outlet, you should also have a least 1 data/voice outlet with 4-6 cables in it; you can connect them in the future.

      when somebody has an office that has bare cat5 cable dangling from the drop ceiling it's ugly and a sign of poor planning or a real cheap-skate
    • Apart from the power cables and the monitor's screen signal I have no cables left on my desktop.

      Keyboard, mouse, printer are all wireless.
  • by L. VeGas ( 580015 ) on Wednesday April 30, 2003 @11:40AM (#5844140) Homepage Journal
    1604.22 is twice as secure as 802.11
  • by Waffle Iron ( 339739 ) on Wednesday April 30, 2003 @11:47AM (#5844210)
    After using a wireless setup in the house for a couple of years, I've given up on it. The constant security alerts, buggy drivers, dropped connections, and the need to read entire books to understand the security implications is just too much. Plain old ethernet usually just works out of the box, and I can understand the security model.

    I ended up tacking a ethernet cable along the ceiling down to the kitchen. I told the wife that it is just temporary until I drill a hole in the ceiling to run a hidden cable. (I even meant it at the time.)

    Of course, I never got around to that, but it seems she's gotten used to the cable. Another problem solved by procrastination.

  • Rating: Outdated (Score:3, Informative)

    by sjvn ( 11568 ) <sjvnNO@SPAMvna1.com> on Wednesday April 30, 2003 @11:57AM (#5844349) Homepage
    Now, mind you I like this book too, but it's already out of date. Wi-Fi changes too fast to be captured in a book. For example, WEP has never worked that well even when you try to make the most of it (http://www.80211-planet.com/tutorials/article.php /2106281), but as of a few days ago, WPA (http://www.80211-planet.com/news/article.php/2198 151) finally became available. That said, I still wouldn't write a book about it. Why not? Because by the time a book got into print, WPA, which is only a stopgap, will be replaced by 802.11i. If you want to secure your WiFi network, a book, even this one, is only a start, you really need to keep your nose to the Web sites specialized in WiFi like Glenn Fleishman's Wi-Fi Networking News (http://wifinetnews.com/) and 802.11 Planet.

    Steven
  • by nolife ( 233813 ) on Wednesday April 30, 2003 @12:01PM (#5844401) Homepage Journal
    in a cosmetically clean room (wires are ugly)

    HAHAHA
    Spoken like typical non technical person..

    My last IT manager was so anal about wires it was insane. We averaged 300 drops per communications room coupled with the wires that needed to run into the switches, it was a nightmare. He made us rewire the entire things and neaten up the wires. I'm not a neat freak but I am not a slob either. The way he wanted it done it was impossible to track down any wires or work on any wires without completely undoing the bundles and starting over. He wanted the closer wires to be shorter so they would not have to be looped around the tray so instead of using prefabbed wires we had to cut and crimp our own in roughly 6in increments (some 18in, 24in, 30in etc..) He did not give a crap about the router upgrades we did, the uptime charts we had, the firmware upgrades, the cooling system or the UPS's we installed to keep the equipment running, all he wanted was a clean looking room in case any of his bosses vistited our site and wanted to look around. It was very obvious he could not impress anyone with his technical ability or oversight, so he decided to go the "neat" route.
  • by NetJunkie ( 56134 ) <`jason.nash' `at' `gmail.com'> on Wednesday April 30, 2003 @12:10PM (#5844491)
    Most wireless hardware is a lot harder to crack than it used to be. Vendors got a lot smarter when implementing their IV selection algorithms. Go try and AirSnort a Cisco AP these days. I tried against my .b/.a Linksys AP running the latest firmware (that's the important part) and only got 19 weak IVs after two weeks and GBs, and GBs, and GBs of traffic going across it. I flooded the network so I could see lots and lots of packets.

    That's fine for home use. I'm not so worried about my simple 128bit WEP now. For the office you can go pricey, but good, with something like Cisco LEAP...or you can buy any old AP and do VPN/SSH/Tunnel.
    • by Anonymous Coward
      LEAP is good because it authenticats itself every 30mins. What is missing in the LEAP mix is the man in the middle protection that is possible with this security model.

      EAP-TLS is also another model of security that is ignored when creating wireless networks.

      The cool thing about these aforementioned security types is that they create a per user WEP key.

      Basically, if you are not running a Cisco 1200 or Symbol T3 AP, you're not doing wireless security right.
  • by RhettLivingston ( 544140 ) on Wednesday April 30, 2003 @02:02PM (#5845818) Journal
    I don't understand why everyone has trouble with it. Stand up a VPN node accepting nothing but your favorite secure VPN protocol (IPSec is fine) on one card and putting your company network on the other. You then connect put your 802.11 routers on the VPN card and configure your 802.11 routers to allow the VPN protocol. You're now secure. Perhaps a DOS attack could make your 802.11 useless (plug an unshielded magnetron into an outlet in the building for example), but your data can't be compromised through it.
  • by Freeptop ( 123103 ) on Wednesday April 30, 2003 @04:49PM (#5847977)
    Okay, so you won't find 802.1x support in your standard el cheapo LinkSys or NetGear AP. In fact, you won't find 802.1x support in any cheap access point. On the other hand, if one does pay for the higher-end access points, pretty much every major vendor supports 802.1x authentication. It is considered a requirement for an access point to be considered an "enterprise" AP. Furthermore, WECA's requirements for WiFi certification this year are adding "WPA", which is a stripped down version of 802.11i, which happens to depend heavily on 802.1x. Any new products after this requirement is added will have to have 802.1x support in order to be "WiFi Certified."
    Believe me, the wireless industry is moving heavily towards 802.1x (I've written two different implementations of 802.1x for two different access point products myself), so it should not be so casually dismissed.

    For those who scoff at wireless security: sure, it probably won't be as secure as locked away wired networks; but 802.11i does at least make it non-trivial to break the security of wireless networks (pairwise session keys on a per-client basis, larger size keys, larger IV space, message integrity checks, etc).

To be is to program.

Working...