Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Wireless Networking Security Hardware

Risk Management of Wireless Networks 109

An anonymous reader writes "As wireless becomes a bigger part of our networks, those of us charged with maintaining them find ourselves also responsible for keeping drive-by script kiddies with a Pringles can out. BankInfoSecurity.com is running an excellent article on identifying and mitigating risks on wireless networks. The article was written by members of the Office of the Comptroller of the Currency (OCC) for banks, but it's applicable to any network environment and clearly lays out all the key steps to protecting wireless systems." There's nothing new here, really, but it's a good overview of issues to keep in mind when building a wireless net, as well as a good security plan starting point.
This discussion has been archived. No new comments can be posted.

Risk Management of Wireless Networks

Comments Filter:
  • Banks? (Score:5, Insightful)

    by Anonymous Coward on Saturday January 03, 2004 @12:40PM (#7867636)
    I'm sorry, but banks should not be using wirless networks. Yes, yes, I realize wires are inconvenient, but they are much more secure. This is the customer's money and lives they're dealing with, not just some company secrets.
    • Re:Banks? (Score:3, Informative)

      I work at a bank and Wireless networks are a no no. We have none in our offices. People us them at home, including me, but we use VPN to remote in so it is all good.
    • Comment removed based on user account deletion
    • Re:Banks? (Score:3, Interesting)

      by Glonoinha ( 587375 )
      My first thought was the status screen part of the maintenance / configuration web interface to my router. Have it up, refresh it from time to time and just look at all the MAC addresses. Any clown that can't become familiar enough with 20-30 MAC addresses that are legit to memorize them, thus indentifying unwelcome intruders by looking at this screen ... doesn't belong in IT.

      And yes, that is one of the things I check from time to time when I want to reassure myself that my system hasn't been compromised
      • It's not that hard to spoof a mac address, your mac address logs are worthless.
        • Spoof might even be too strong a word considering how easy it is, most devices these days come with a pointy-clicky friendly gui to change the mac address even.
          • I agree - that is why I said that an insider could pretty easily circumvent this simply by adding his MAC address, or cloning one that is on the list. If you do not already know any white-listed MAC addresses, however, how are you to find out?

            I guess it is possible to sniff that out of the air, but if it is 128bit WEP'ed ... how reasonable is that?
      • Why shouldn't a bank allow home users connecting via VPN to use wireless at home? If the VPN is secure enough to protect a connection on the Internet, then the VPN connection I have (which disables my local network) should be just as good.
        • One word: Virii

          Seriously... the home machine gets infected and then you connect it conveniently into the VPN router and over-the-firewall-and-through-the-woods-to-grandmo thers-house-we-go goes the virus...

          VPN's are only as secure as the home user is vigilant. Never will be any better than that.
          • Or close along those lines, Trojans or Logic Bombs. Close in concept, but wicked different in payload - a Trojan that comes in on port 80 to the leet home user's web site (gotta run server if you gonna be leet) runs a program on that server which probes out to gather data from mapped drives - later on that user VPN's in and has some fairly important data available on some mapped drives, which can be rifled through and summarized, sent back out via any number of ways.

            Might as well post it on the web.
      • > Any clown that can't become familiar enough with 20-30 MAC addresses that are legit to memorize them, thus indentifying unwelcome intruders by looking at this screen ... doesn't belong in IT.

        --Oh, COME OFF IT man. Some of us have better things to do / suck at memorization. I get admin emails in Knoppix saying which MAC addresses have flipflopped or changed anyway, and I don't even have plans to run wireless.
        • It was a joke, very few people are RainMan enough to memorize 30 MAC addresses. I am doing good to remember 6 or 7 and I have a photographic memory.

          Granted, this is one place where standardizing on hardware helps because the first few digits of the MAC address are vendor specific. If you use 100% SMC cards in your organization, you will see a pattern (thus making it easier to spot an outsider.)
    • Re:Banks? (Score:3, Insightful)

      by chihowa ( 366380 ) *
      Exactly.

      I'd say that one of the most difficult (and dangerous (getting caught-wise)) aspects of getting info off of a network is actually getting yourself into the network. Having a wireless link in removes a great deal of the danger (of getting caught), and leaves the intruder plenty of time to do the job more efficiently (making security's job harder).

      A big fat lock on the door keeps most intruders out. (and WEP and MAC filtering don't count as locks)

    • Doctors (Score:4, Interesting)

      by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Saturday January 03, 2004 @03:33PM (#7868587) Homepage
      You are worried about banks? I noticed that my orthopedic surgeon's office uses a wireless network for pretty much everything (the doctor can dictate from anywhere, and nurses put your blood pressure and such in using a laptop from any exam room).

      So, for kicks, I took my libretto to the office on my next visit and fired up kismet.

      They are wide open. No WEP, Windoze boxes (including the domain controllers) all easily accessible. A quick port scan showed all types of vulnerable services and such. I did not take the time to go further, but figure that getting patient records would not be too difficult.

      From the port scans, it seems that this small office is also on the same subnet as other businesses in the area. WTF???

      So what is one to do? I dare not tell them what I found, what with the risk of being labeled a terrorist and all. I thought that an anonymous letter to them might be best. But how can I be sure that they ever fix the problem?

      • A doctor replies (Score:5, Insightful)

        by The Tyro ( 247333 ) on Saturday January 03, 2004 @06:12PM (#7869425)
        Tell him... gently.

        Explain to him that you're a hardcore networking geek with an interest in security, and that you often run security checks against your own systems. You were there, running one just for kicks, and viola! You are a patient of his presumably, so you already have a relationship and rapport... it would be different if you were some joe-blo off the street who came waltzing into his office running kismet on your Zaurus.

        He probably has NO CLUE that whoever set up his network has left it open to be plundered (tech-saavy doctors are rare. Thinking about all my colleagues, I can count the tech-saavy on one hand).

        Take him aside privately, and explain to him that you were hesitant to come forward (for obvious reasons... like being labeled a cracker), but that you really felt he should know what was up, not only for the security of your own medical records, but also for the security of everyone else's. Heh... he might even hire you to help fix it.

        You will likely find him VERY receptive if you approach him the right way. I'm quite certain he contracts his IT stuff out to somebody, so he probably has ZERO emotional investment in the security of his network... he just wants it to work, and pass HIPAA muster (which it probably doesn't right now).

        I bet he'd be receptive.
        • While I still think there is an assumption on your part that approaching someone rationally is always going to work, it might also be worth mentioning that the doctor's office could be criminally charged for not adequately protecting patient data.
        • people have been successfully convicted for exactly this...

          The zero-risk to yourself approach is to do nothing. Next up is the anonymous letter, and the continuum extends right up to admitting you've used their network...your choice where you draw the line.

          • Hence my admonition... it's all in the presentation.

            Physicians are insanely busy people... busy taking care of patients, busy dealing with insurance companies, busy trying to comply with govt. regulations. No doctor has a legal department sitting on its hands with nothing to do, just waiting to prosecute/sue a patient who happens to fire up his laptop in the waiting room and inadvertantly pick up the open AP. The original poster is a patient of that physician, and did not hack into the open network.. he
      • I agree with the other replier to tell him gently, but I would do it in a backhanded way. Make sure you're surfing the web or checking your email when he walks in. Be sure to say something like, "wow, I am *so* glad you guys put this wireless in for us, it *such* a timesaver while I'm waiting to see you! THANK YOU so much." And if you're brave.. "and thanks for keeping it easy to get on the network. So many places have all these convoluted security settings. If you're just letting your patients check their
      • I know this is a bit late, but I thought I'd chime in. I wouldn't admit that you already know that they're vulnerable. I'd first mention that you see that they use a wireless network and ask them who set up their network and if they know how secure it is. You don't even have to lie; you can say that you are concerned about their security and your privacy (which, IIRC, they are mandated to protect).

        If they blow you off, then I'd actually contact an agency that might care about the privacy laws and just a
    • If you require high levels of security, e.g. financial transactions, you should not assume that a cable is any more secure than a wireless link.
  • Risk #1 (Score:1, Funny)

    by Anonymous Coward
    THOSE PESKY WARDRIVERS!!
  • by stuph ( 664902 ) on Saturday January 03, 2004 @12:44PM (#7867660)
    I have great doubts that say, the government will ever allow sensitive or classified information to go on a wireless link, even if it is "secured".. there's just too much freedom in the air between origin and destination.
    Fiber should continue to be used for any info that could be considered sensitive at all.. but then again, who am i kidding.. businesses just want things to be easy, not safe
    • by Anonymous Coward
      the government will ever allow sensitive or classified information to go on a wireless link, even if it is "secured".. there's just too much freedom in the air between origin and destination.
      Drat, what are we going to do with the $8.5 billion we already spent on the satelites?
    • This subject deserves mod points. I don't have any today, so you have to suffer through one of my posts.

      If you are running a business with wireless, and you care at all about security, and you allow anything to go over that link unencrypted, you're insane.

      The only IP address that should be reachable over your wireless network is the IP address of your IPSec VPN gateway.

      Most APs will accept re-addressed packets. This means the perp doesn't have to even crack the keys. All he needs to do is readdress pa
      • by Alrescha ( 50745 ) on Saturday January 03, 2004 @01:44PM (#7867961)
        (not only do you have to read my posts, you have to read me replying to my own post).

        I realized that I over-simplified the re-addressing problem.

        From the UCLA paper:

        "Active Attack from Both Ends

        The previous attack can be extended further to decrypt arbitrary traffic. In this case, the attacker makes a guess about not the contents, but rather the headers of a packet. This information is usually quite easy to obtain or guess; in particular, all that is necessary to guess is the destination IP address. Armed with this knowledge, the attacker can flip appropriate bits to transform the destination IP address to send the packet to a machine he controls, somewhere in the Internet, and transmit it using a rogue mobile station. Most wireless installations have Internet connectivity; the packet will be successfully decrypted by the access point and forwarded unencrypted through appropriate gateways and routers to the attacker's machine, revealing the plaintext. If a guess can be made about the TCP headers of the packet, it may even be possible to change the destination port on the packet to be port 80, which will allow it to be forwarded through most firewalls."

        A.
    • by Frennzy ( 730093 ) on Saturday January 03, 2004 @02:09PM (#7868117) Homepage
      The government already uses wireless links for data. Ever heard of satellite communications?

      Back to the point, 802.11 networks are inherently insecure.

      WEP is fairly trivial to crack for someone determined to break in. The problem lies in the init vector of the key, not the length of the key.

      SSID 'hiding' achieves nothing...the first time your box associates or reassociates, a listener has your SSID.

      WPA is not as secure as people think either, even with a PSK. This was covered on /. a week or so ago (or was that Ars?)

      MAC filtering is beyond trivial...most NIC drivers nowdays allow you to set your MAC...which you could easily see on a target network while hunting.

      You can make your home network more effort than it's worth to hijack...but for business use, make damned sure you want that traffic exposed...because you simply have to assume it will be. I wouldn't install wireless client access in a work environment without the use of VPN. I've heard some interesting theories about getting past even *that*, but I've never seen or heard a practical way to do it.

      Unless and until I see some more thorough reviews of the newer 802.11 security standards (EAP and it's variants) I wouldn't implicitly trust them...however I do get the feeling they are going to be far more difficult to compromise.

      As mentioned in a previous post, there are a number of problems with wireless that many people don't think about, especially in a corporate environment. One of the worst is the rogue AP. I've found no less than three unauthorized WAPs on networks I've run in the last three years. Each time it was a (l)user who brought it and just plugged it into their switch port so they could 'use their laptop'. Each time, the AP was completely wide open. So much for the quarter-million-dollar security infrastructure of firewall, VPN, IDS, etc. They might as well have run a wire outside the building and hooked up a PC with a sign that said 'Free Corporate Access!'

      There is yet another problem with rogue access points. Someone who brings one into close proximity with your wireless users. Guess what information the blackhat can get in that scenario?
  • by James A. C. Joyce ( 733782 ) on Saturday January 03, 2004 @12:44PM (#7867662) Homepage Journal
    I think that the problem is that there are a lot of people who are hearing of the WiFi craze, hearing that it is a good idea, and then setting up these adhoc networks. The problem is, they often don't bother to read up about the potential security risks of misconfiguration and so if (when?) they mess up, there's a wide open hole right there.

    (And no, "wide open hole" isn't a goatse link :-))

    • I gave a friend of mine a wireless card for her laptop as a graduation present, the idea being she could use it when she's at coffee shops offering wireless connections, or in grad school on campus (she doesn't subscribe to broadband). As it turns out, she has a minimum of 4 options to connect to the internet from her apartment at any given time thanks to her careless neighbors.

      • Heh.

        Over christmas, I stayed a few nights at my girlfriend's mother's house. I brought a modem along, since they don't have broadband, but just for kicks fired up kismet.

        Suffice it to say, I was on a much faster network than dialup, thanks to a friendly neighbor with a default-configured linksys, dhcp and everything :)

  • VPN (Score:5, Interesting)

    by Munkey_123 ( 737498 ) on Saturday January 03, 2004 @12:45PM (#7867667)
    Just have your wireless devices set to a DMZ that opens to one page, a VPN portal. Then you have a wireless connection, with VPN providing your security. Voila...a little bit more cumbersome, but isn't your network integrity worth it?
  • SSIDs and WEP (Score:5, Informative)

    by USAPatriot ( 730422 ) on Saturday January 03, 2004 @12:46PM (#7867677) Homepage
    Ars Technica has a good summary of what you can do with SSID's and WEP to improve your wireless network's security:

    Security Practicum: Essential Home Wireless Security Practices [arstechnica.com]

    • ars's 2nd tip is to turn off SSID broadcasting to "hide" your network. Anyone with a packet sniffer though can tell you that this really doesn't help hide you at all. In fact, as this [icsalabs.com] paper suggests, it may actually harm the performance of your wireless network.
      • Comment removed based on user account deletion
      • Re:SSIDs and WEP (Score:3, Insightful)

        by Zocalo ( 252965 )
        Yes, it's security through obscurity, and not very opaque obscurity at that, but that's not really the point. It's more of a deterrant to stop the casual cracker, rather than the determined one. It's kind of like not responding to ICMP pings; by default a lot of port scanners don't scan an IP that fails to respond to a ping. Blocking pings prevents full port scans from those that don't know any better. It also prevents scans from those that do know about this, but work to the assumption that if you are
      • What about if you do the following:
        1. turn off SSID broadcasting
        2. Use WEP 128bit encryption
        3. Limit connections to specific MAC addresses
        Is that good enough outside setting up VPN between hosts?

        I am curious to know
        • Re:SSIDs and WEP (Score:4, Informative)

          by Glonoinha ( 587375 ) on Saturday January 03, 2004 @01:48PM (#7867989) Journal
          Locking the connections to specific MAC addresses is about your strongest link if protection from unknown outsiders is your concern. WEP128 is nice, the SSID thing is spiffy but if the WAP is rejecting connections from anybody not on the MAC white-list, unless someone is on the inside of your organization and can get his hands on that list I would say that you are going to be pretty tight.

          Remember - you don't have to be uncrackable, you just have to be harder to crack that the other guy. My WAP has 64bit WEP and that's it - but in my hood there are 4 WAPs, two of which are totally open - it is easier for someone that wants to play to get into those systems than to get into mine.

          If security is a serious concern, consider installing (on a different channel) a nearby wireless access point with no encryption, with a SSID that seems to indicate that it is worth hacking into, on a lame box connected to the internet but not on your internal network. Keep your eyes on this box watching for intruders. I think the term is 'honeypot' but I am not overly fond of that term.
          • Re:SSIDs and WEP (Score:2, Insightful)

            by Anonymous Coward
            As people've said before, your MAC list is only effective is no one ever uses it. As soon as a whitelisted computer logs on their MAC's all over the air. Clearly this can't work for a financial institution. WEP, WAP, etc... all seem poorly implemented (however newer routers seem to nix airsnort pretty effectively by not using weak IVs). No SSID makes the AP silent to NetStumbler but any nix hacker with Kismet will see the anonymous beacon packets.

            As for a honeypot to distract attackers, that may be interes
          • on a lame box connected to the internet but not on your internal network

            perhaps not even connected to the Internet. I occasionally have to work in midtown Manhattan, which is wireless heaven. I do occasionally have to configure stuff by hand, such as guessing the default gateway and using known external DNS servers, but given enough time, I can pretty reliably get service from my office or hotel room.

            One particularly annoying connection gave me a 192.168.1 address and let me ping 192.168.1.1 but do absol
            • -Its like someone bought a Linksys and powered it up without attaching it to anything else on the internal or external side.

              Never attribute to malice, that which is easily explained by ignorance. I would give about 50/50 odds that it was a wireless link between friends (Quake3A/UT/whatever deathmatch), and 50/50 that your first assessment was correct (somebody simply powered it up without plugging it into the Internet) - maybe swiped it from work to use as a network hub. Funny story though, tempts me to
            • One particularly annoying connection gave me a 192.168.1 address and let me ping 192.168.1.1 but do absolutely nothing else. I ran nmap and nessus against the ip and absolutely nothing came back. It was freakiest thing I've ever seen. Its like someone bought a Linksys and powered it up without attaching it to anything else on the internal or external side.

              Most likely, neither solution is correct. The WIN box sharing the internet connection is in BSOD and nobody noticed it yet. ;-)
  • by Twid ( 67847 ) on Saturday January 03, 2004 @12:47PM (#7867684) Homepage
    I've had some fun sniffing the network around the office, around town, and at O'Reilly OSXCon, and I think the biggest security risk I see on wireless networks are plaintext POP passwords going out in-the-clear.

    It's amazing how many people who should know better are still using plain POP for grabbing their mail. Since most mail client recheck for mail every few minutes, it's quite simple to grab passwords. Using those password, a hacker can then try the same password to enter the network, read the person's e-mail to do subsequent social engineering, or just fish around the person's e-mail for interesting information.

    The second thing I think most people don't realize is that on a standard wireless network all the HTTP url's they are surfing to with a web browser are public. This may not be a security risk, but companies also may not want a hacker in the parking lot to know that a server named secretinternaldata.mycompany.com exists.

    I set up an SSH tunnel from my laptop to my squid proxy at home just for fun to see if I could fix the issue. It worked well, but of course it's not something the average end-user with a laptop on wireless could manage.

    Anyway, that's my .02.

    • by gvc ( 167165 ) on Saturday January 03, 2004 @01:00PM (#7867738)
      I agree 100%.

      The hoopla about physical access security obscures the point that *all* internet traffic and most intranet traffic is viewable by others. It is a good idea to assume that all your networks are open and to use VPN, ssh, etc. to secure your data. And *never* send plain-text passwords.

      If you lock your data down under this assumption (that all network traffic may be intercepted) the impetus for clunky and insecure wireless access restrictions is much diminished.
    • The problem with plaintext POP passwords is that many ISPs (mine included) do not offer any other option. I wish they would, but they do not.

      Thus, I just choose a mail-only password that I use for POP access. I guess a hacker could read my e-mail and maybe even send mail as me, but I've done what I can to minimize the risk of stupidly designed mailservers.

      • by Twid ( 67847 ) on Saturday January 03, 2004 @01:48PM (#7867988) Homepage
        Yeah, I see a lot of people stuck like that with insecure POP, and a lot of people who use the same password for their home account (which is almost always POP only) as they do for their work account. Bad bad bad.

        One thing you could do, if you want to be a bit more secure, is to port forward port 110 using SSH to a server at home. Your POP password is still going out in the clear then, but it's going in the clear from your house, which is presumably more secure that going out over open wireless.

        the tunnel would be something like this:

        ssh -L 110:www.yourhomeserver.com:110 -f -N yourname@www.yourhomeserver.com

        Here's a howto [tldp.org] that goes into a little more depth.


      • many ISPs do not offer any other option

        Use your ISP for connectivity and spend $30-35 a year for a better mail service.

        For less than 3 bucks a month, you might even get HTTPS webmail thrown in ... some extra storage ... and one of those "lifetime" domain names that gives you some flexibility regarding additional accounts and spam control.

        If email matters to you, it is doubtful you can find an ISP for twice the price that gives you mail security and your current level of non-mail speed and features (how

    • I would like to use encrypted passwords but most providers do not have encryption password feature for POP3 on their side. :(
  • by gellenburg ( 61212 ) <george@ellenburg.org> on Saturday January 03, 2004 @12:53PM (#7867713) Homepage Journal

    Disclaimer: I work in Information Security.

    • APs should be configured so as not to broadcast their SSID.
    • 128bit WEP keys should be chosen.
      • WEP keys should be changed as frequently as practical.
      • APs should be firewalled, and on their own DMZ.
      • If the AP supports it, consider MAC Address filtering by only allowing authorized MAC Addresses.
      • If the AP supports it, consider additional authentication such as RADIUS.

    But, by all means:

    • Please change the damned default SSID that was configured on your AP:
      • Linksys
      • Default
      • Netgear

    We now return you to your regularly scheduled programming.

    • by Twid ( 67847 ) on Saturday January 03, 2004 @01:07PM (#7867771) Homepage
      Please change the damned default SSID that was configured on your AP

      A funny aside:

      I was in Park City visiting friends over the holidays. The ISP for the friend that I was staying at went out of business, so I walked around the house looking for another wireless AP.

      At one corner of the house, I find one, and the name is the first initial and last name of the person running it. It's not running with any security so I'm able to hop onto the net. So, I feed in his first initial and last name and "park city" into google (on his own wireless, even) and google gives me his home address and phone number.

      I felt like calling him to thank him for the free wireless access. :)

      • "I felt like calling him to thank him for the free wireless access. :)"

        You should have, if he's left his network open for everyone to use and he's bright enough to change the network ID then I'm sure he did this on purpose. I do the same and I expect others to do the same so that we can all get free net anywhere we go.
        • I do the same as well and have for years. Every now and then I see people hop onto my network and as I travel alot I do the same. Never abusing anyone elses connection most of the time all I am really doing is checking email and browsing web pages.

          One thing to add: I use Secure IMAP, SSH, SCP, and SSL for accessing most things work related. No cleartext passwords being transmitted by me for this exact reason that I'm always on other peoples networks.
    • I just got a wireless Ad-Hoc network using iwconfig on Linux.

      How do I tell iwconfig not to broadcast the essid?
    • I'm going to take the complete opposite point, if you have a business AP, OPEN your wireless network, assume that it is compromised from the start. This will force you to encrypt your network traffic with something that actually resembles security.

      WEP, MAC filering and stopping SSID broadcasting aren't really worth anything in terms of security - they might prevent the casual user from drifting in, but it is pretty clear that the security they provide is trivial at best and they are more of a hinderance to
    • Disclaimer: I work in Information Security.

      Funny, me too. I'll only address the things that I disagree with and leave the other points that stand alone.

      APs should be configured so as not to broadcast their SSID.

      Doesn't matter. It's trivial to determine the SSID. I can either catch a client associating to the AP or force any/all connections to disassociate and then catch the SSID when the card reassociates. I don't even need low-level 802.11b code to do this. A simple connection cutter writte
      • I agree with you whole-heartedly on all points; but as you know, security is all about balancing risk & deterrence with the business-needs and usability.

        While the 802.11x protocols provide little to no effective security within them, my comments were targeted towards the typical /. audience - the gamer & geek who happens to have a WAP set up in his apartment. I was not writing a best-practices & standards document. ;-)

        Ultimately though, the most secure WAP is one which isn't turned on, but so
    • The problem is that some WiFi devices can't connect to AP if it does not broadcast the SSID.

      I got two USB WiFi devcies and they would not work until I re-enabled SSID broadcasting.

      When you buy devices it is not obvious if they will work without the SSID being broadcasted.

      Perhaps a compilation of devices that are more secure should be gathered somewhere.
  • I for one, welcome our new OCC over lords.

    I couldn't resists.

    I shall now bathe in the cleansing flame.
  • I saw only a tiny blurb about WPA, which should be a primary consideration for banks and credit unions analyzing the risk of wireless.

    WPA has stronger encryption that WEP and authentication mechanisms built in. I work for a Credit Union processing/software company, and many financial institutions are waiting for WPA to become more mature before they jump into wireless.

    For more info, google, or check this [wi-fi.com] out.
    • They shouldn't even be considering it, there are so many things that can go wrong with it and I think that's just too much risk for customers.

      If I knew my bank or anyone else handling my financial information was using wireless to transmit my information I would go somewhere else. I dont trust wireless even if it is secure.

      Any encryption that can be dycrypted is instantly insecure.
    • Finally!
      All this talk of MAC-address locking, SSID changes, WEP key rotation. (All good steps if you can't use WPA)

      And WPA fixes (almost) everything.

      So while I give flinxmeister "The Hammer" for hitting the nail on the head, I've got to add my voice to the general theme, BANKS should NEVER go wireless.

      Historic building? Asbestos? Cutting quarterly costs to make bonus targets? Fuggedaboutit. There ain't no "safe" wireless vis a vis any financial institution.

      But for the rest of us, get the upgrades in
      • Well, you certainly sound more sane than the prior post....and I appreciate that hammer!

        However, remember the title of the article: "Risk management". There is no safe way of banking or doing business...period. There are only various shades of grey. As long as a financial institution understands the risks and takes appropriate steps to mitigate the risks and shield their customers/members from damage, they can implement a given technology. The question this thread seems to be encountering is "what is
    • Umm, I thought WPA just rotated standard WAP keys? If that's true, that's not "stronger encryption" that's just "changing encryption at the same strength".
  • by routerwhore ( 552333 ) * on Saturday January 03, 2004 @01:00PM (#7867737) Homepage
    A wireless switch you ask? Isn't that an oxymoron? A wireless god box may be a better description. Using a system such as this, you too can provide, or prevent, secure wireless access.

    The switch has all inline power ports to power the APs, which may or may not be directly connected. Each AP automatically creates an IPSEC tunnel back to the switch. The switch supports every auth method under the sun (EAP-TTLS being generally most secure) when combined with 802.1x (which includes dynamic WEP/WPA 2.0). The switch itself supports a per-user firewall, integrated, signature-based IDS (that detects things like monkeyjack and netstumbler), and terminates 2 Gbps of IPSEC (which includes the IPSEC client running on each user's machine.

    All of this for a couple of grand. Secure wireless is possible, the market is demanding it, and vendors have come to meet that demand.

  • by Anonymous Coward on Saturday January 03, 2004 @01:00PM (#7867739)
    used to use WiFi between it's checkouts and inventory system. No encryption, SSID broadcasts were switched on and everything, to the extent that we used to sit in the car park and surf the web via their connection for hours on end on Saturday afternoons.

    This was a good 18 months ago though. I'd assume they've changed it now. I certainly made a point of telling them why I wasn't shopping there any more, rather than doing the whole 'your network is totally unsecure and I found out why' thing and getting myself arrested...
  • If you're smart when you set up your access point, and turn on WEP, 99.9% of people that might hack your network are going to go find an easier target. The typical figure I've heard is 24 hours or more to get enough traffic to break the encryption. Unless someone knows you have something they want, they're not going to bother.

    Home users are going to generate less traffic than businesses, and so it will take even longer to get enough traffic. Unless you happen to notice a van parked outside your house for a
    • by NetJunkie ( 56134 ) <`jason.nash' `at' `gmail.com'> on Saturday January 03, 2004 @01:17PM (#7867820)
      But what about your neighbors? From my office upstairs in my house I can see 9 wireless networks. 24 hours to get enough data? That's easy. That is what concerns me. You never know who you live around and they have all the time they want to break it.

      From what I've seen most of my neighbors don't use their connect enough to get enough traffic but 1 or 2 do. In a test of AirSnort I got close to 1K interesting packets in 2 days for one network. Given a week or two of a system sitting in a corner I bet I could break it.

      This is the main reason I totally dropped wireless in the new house. I had it wired with CAT5 for data everywhere I'd need it. I work a lot from home and have a site-to-site VPN and don't want to compromise that.

      Your suggestions are good... But turning off SSID broadcast is overrated. As soon as a client associates I can get that. As soon as they associate I can get a MAC address to clone.
  • by lewko ( 195646 ) on Saturday January 03, 2004 @01:10PM (#7867787) Homepage
    If you are responsible for a company's security, you should regularly search for wireless nodes within your organization which you are not aware of WHETHER OR NOT you are using wireless as policy.

    I have been asked to assess companies and offered a wireless audit. They said "we don't use wireless". I checked anyway, and it turned out they DID have wireless (but didn't know about it) thanks to in one instance, a laptop acting as an AP and in another, a sysadmin who figured he'd plug in a wireless AP with built-in switch instead of a hub or switch, and wireless was turned on. This is all the more problematic as the laptop and wireless device were both inside the firewall and therefore represented a major hole.

    Intruders may also leave wireless devices behind to save coming onto the site for subsequent eavesdropping. That is, they will bring your network to them rather than bringing themselves to your network.

    In any case, fire up your stumbling application, a GOOD antenna and have a look around your own environment. You may be surprised what you see!
  • script kiddies (Score:2, Insightful)

    As wireless becomes a bigger part of our networks, those of us charged with maintaining them find ourselves also responsible for keeping drive-by script kiddies with a Pringles can out.

    Nevermind the professional hackers with a 12db antenna engaged in corporate espionage...

    I mean seriously, I think the scR1pt k1Dd13 n00bs are the least of our problems.

  • by Frisky070802 ( 591229 ) * on Saturday January 03, 2004 @02:14PM (#7868145) Journal
    Simson Garfinkel ran a blog entry [techreview.com] a few days ago about detecting overuse of his home network and tracing it to unauthorized WLAN access by his teenage neighbor who then got affected by a Kazaa virus. Nearly got his broadband shut off from over-use.

    He'd left it open to facilitate use by visitors, but no longer.

  • I am aware of the dangers of wirelsss, it's becoming the top networking solutions for homes and small business. A simple drive around town yields 80+% open networks, there is a solution though. it will eventually cost money(a) and it will be a long process but it will work.. Simply create and air a PSA on local television, by law they have to run them and they are free to run, you only have production cost(a(depending on scale and quality will determine the cost)) and that is a non-issue really. A good PSA
  • The simplicity of the problem is compounded by the complexity of the solution.
  • This lawyer runs a WIFI hotspot for his office. All boxes have decent firewalls and the CPUs are all off-line after hours (e.g. whenever we are not working late).

    I don't care about free riders. I want a few. Let the RIAA claim I have downloaded anything. . . I haven't and neither have my staff. BUT I would love the accusation.

    The client data and the electronic filings are all all encrypted (PGP on office systems or SSL in submission to the federal courts where most become a public record) and so is al
    • Unless you're blocking port 25 outbound, you (and everyone else running open "oh the world is beautiful, share your bandwidth flower-child brothers and sisters!" access points have created just another way for spammers to inject crap into our inboxes.
      • I made it clear that the access to mail servers is zip. Port 80 is all they have.

        I also mentioned the bandwidth issue. I monitor system usage and will choke - or kill - all access when the free riders approach 50% saturation.

        I have a wifi access point that is available to a few folks in a small town near a big city. The access is limited (by range) and aside from somebody putting a clandestine antenna and cable on my building - I should be able to actually SEE the person who accesses my wifi site.

        You

"It takes all sorts of in & out-door schooling to get adapted to my kind of fooling" - R. Frost

Working...