802.11 Security Web Page
IEEE 802.1x Authentication
IEEE 802.1x Authentication for wireless networks.
APs
Encryption
Because wireless networks use a shared medium to transport data, anything that is broadcast can be intercepted and read. Unencrypted protocols expose passwords and data in clear text: Telnet, POP3, and FTP should be avoided whenever possible. Likewise, passwords you send to web pages whose address starts with http:// are considered insecure.
- Instead of Telnet consider using SSH.
- Instead of FTP consider using SFTP, or even SCP.
- Instead of POP3 consider using SPOP3 (POP3 over SSL), or APOP rather than plaintext passwords.
- Instead of IMAP consider using IMAPS (IMAP over SSL).
- Instead of SMTP (sending email) consider SMTP with STARTTLS (SMTP over SSL/TLS), and SMTP AUTH.
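As an added example (not part of the original page), here is a small Python audit that flags flows carrying credentials in the clear and names the replacement from the list above. The flow records are constructed samples, not real captures; the check reports only the protocol, the endpoints and the kind of exposure, and never copies the credential itself into a finding.

```python
import re

# Constructed samples of the first client->server bytes of several TCP flows,
# as (client_ip, server_ip, server_port, payload). Not real captures.
SAMPLE_FLOWS = [
    ("10.0.0.12", "192.0.2.10", 110, b"USER alice\r\nPASS hunter2\r\n"),
    ("10.0.0.12", "192.0.2.11", 21, b"USER anonymous\r\nPASS guest@example.org\r\n"),
    ("10.0.0.13", "192.0.2.12", 143, b"a001 LOGIN alice hunter2\r\n"),
    ("10.0.0.15", "192.0.2.13", 80,
     b"GET /login HTTP/1.1\r\nHost: intranet\r\n"
     b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    ("10.0.0.15", "192.0.2.14", 25, b"EHLO laptop\r\nAUTH PLAIN AGFsaWNlAGh1bnRlcjI=\r\n"),
    ("10.0.0.21", "192.0.2.15", 23, b"\xff\xfb\x18\xff\xfb\x1f login: bob\r\n"),
    ("10.0.0.20", "192.0.2.16", 995, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    ("10.0.0.20", "192.0.2.17", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

# Plaintext protocols by well-known port, with the replacement the list above suggests.
RECOMMENDED = {
    23: ("Telnet", "SSH"),
    21: ("FTP", "SFTP or SCP"),
    110: ("POP3", "POP3 over SSL or APOP"),
    143: ("IMAP", "IMAPS"),
    25: ("SMTP", "SMTP with STARTTLS and SMTP AUTH"),
    80: ("HTTP", "HTTPS"),
}

# Commands that carry a credential in the clear. Only the kind of exposure is reported;
# the matched secret is deliberately never copied into a finding.
CRED_PATTERNS = [
    ("POP3/FTP USER or PASS", re.compile(rb"^(?:USER|PASS)\s+\S+", re.M)),
    ("IMAP LOGIN", re.compile(rb"^\S+\s+LOGIN\s+\S+\s+\S+", re.M | re.I)),
    ("HTTP Basic authorization", re.compile(rb"^Authorization:\s*Basic\s+\S+", re.M | re.I)),
    ("SMTP AUTH PLAIN/LOGIN", re.compile(rb"^AUTH\s+(?:PLAIN|LOGIN)\b", re.M | re.I)),
]

def looks_encrypted(payload: bytes) -> bool:
    """A TLS record header (content type 0x16, version 3.x) or an SSH banner
    means the session is already protected end to end."""
    return payload[:2] == b"\x16\x03" or payload.startswith(b"SSH-")

def audit(flows):
    """Return one finding per credential exposure seen in the sample flows."""
    findings = []
    for client, server, port, payload in flows:
        if looks_encrypted(payload):
            continue
        protocol, use_instead = RECOMMENDED.get(port, ("unknown", "an encrypted equivalent"))
        exposures = [name for name, pattern in CRED_PATTERNS if pattern.search(payload)]
        if port == 23 and payload.startswith(b"\xff"):   # Telnet IAC negotiation
            exposures.append("Telnet session (everything typed is visible)")
        for exposure in exposures:
            findings.append({"client": client, "server": server, "port": port,
                             "protocol": protocol, "exposure": exposure,
                             "use_instead": use_instead})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f['client']} -> {f['server']}:{f['port']} {f['protocol']}: "
              f"{f['exposure']}; use {f['use_instead']}")
```

Run against a real capture, the same loop would take the first payload bytes of each flow from a pcap reader instead of the inline list; the two encrypted flows (TLS on 995, SSH on 22) are skipped by the header check, and the six plaintext ones each produce one finding.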
Another alternative is to encrypt all traffic passing over the wireless link. However, the first protocol that did this (WEP) was extremely weak: it doesn't take very much traffic sniffing before even the 104-bit keys used in WEP-128 can be discovered (the IV is only 24 bits, and is sent in the clear in every packet). WPA was an improvement on WEP, but basically the only difference between them is the way that keys change. WEP keys don't change until the admin visits the AccessPoint and all clients to change them; WPA changes the key on clients and the AccessPoint at a preset interval. Both protocols use the RC4 stream cipher (which I view as a weakness: wireless traffic is in packets, not streams, so a block cipher is probably a better choice). In effect, WPA is WEP plus a key-change protocol, plus a couple of other minor enhancements that somewhat offset the weaknesses of RC4.
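Added example, not from the page: a short Python calculation of how little traffic the 24-bit IV mentioned above can cover before the same IV, and therefore the same RC4 keystream, is reused under one static key. It uses the birthday bound for the first random collision and a seeded simulation of random IV choice; the frame rate passed in is an assumed value, not a measurement.

```python
import math
import random

IV_BITS = 24  # WEP prepends a 24-bit IV, in the clear, to every frame

def iv_space(bits: int = IV_BITS) -> int:
    """Number of distinct IVs, and thus distinct RC4 keystreams, one WEP key can have."""
    return 1 << bits

def frames_until_iv_reuse(probability: float = 0.5, bits: int = IV_BITS) -> float:
    """Birthday bound: frames after which an IV collision has the given probability,
    assuming the card picks IVs uniformly at random."""
    return math.sqrt(-2 * iv_space(bits) * math.log(1 - probability))

def seconds_until_wraparound(frames_per_second: float, bits: int = IV_BITS) -> float:
    """A card that counts IVs sequentially reuses them once the whole space is spent."""
    return iv_space(bits) / frames_per_second

def simulate_first_reuse(seed: int = 1, bits: int = IV_BITS) -> int:
    """Draw random IVs until one repeats; return how many frames that took."""
    rng = random.Random(seed)
    seen = set()
    space = iv_space(bits)
    for frame in range(1, space + 1):
        iv = rng.randrange(space)
        if iv in seen:
            return frame
        seen.add(iv)
    return space

if __name__ == "__main__":
    print(f"IV space: {iv_space()} values")
    print(f"50% chance of a repeated IV after ~{frames_until_iv_reuse():.0f} random frames")
    print(f"Sequential IVs wrap after {seconds_until_wraparound(1000) / 3600:.1f} h at 1000 frames/s")
    print(f"Simulated first reuse at frame {simulate_first_reuse()}")
```

The numbers are the point: a few thousand frames for a likely random collision, and under five hours of busy traffic for a sequential counter to wrap, with no key change in between unless the admin performs one by hand.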
WPA can run in two modes: standard and WPA-PSK (pre-shared key) mode. In standard mode, the AccessPoint receives the key to use as part of a RADIUS packet, so a RADIUS server is required. WPA-PSK mode is similar to WEP, in that the administrator hands out a master key to each client and AccessPoint, and both wireless devices generate an encryption key from that master key. The keys used for the actual encryption rotate in both modes, however, so WPA-PSK is a decent substitute for WEP if you want more privacy (and your clients all support WPA in PSK mode).
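Added example (not the page's own code): the passphrase-to-PSK mapping that IEEE 802.11i specifies for WPA-PSK, written with Python's hashlib. The SSID is the salt, so it is public and only the passphrase provides any secrecy; the 256-bit result is the Pairwise Master Key from which the per-session encryption keys are later derived. The "password"/"IEEE" check value is the standard's own test vector.

```python
import hashlib

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1 over the ASCII
    passphrase, salted with the SSID, 4096 iterations, 256-bit output.
    The result is used directly as the Pairwise Master Key (PMK)."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, dklen=32)

def pmk_hex(passphrase: str, ssid: str) -> str:
    return wpa_psk(passphrase, ssid).hex()

if __name__ == "__main__":
    # The 4096 rounds make each passphrase guess cost ~8192 SHA-1 operations, but the
    # SSID is broadcast, so a weak passphrase is the only thing standing between a
    # captured handshake and the PMK. Pick a long random one.
    print(pmk_hex("password", "IEEE"))
    # Same passphrase, different SSID -> different PMK:
    print(pmk_hex("password", "IEEE-guest"))
```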
Then there's WPA2/802.11i (two names for the same protocol). It uses the AES block cipher (the successor to DES; required for most current U.S. government encryption, IIRC), which I believe is much better than RC4 for the kind of encryption happening on wireless packets.
But no matter what you do for wireless encryption (nothing, WEP, WPA, or WPA2), using encrypted protocols on top of the wireless encryption is always recommended anyway. This guards against a single point of failure in your privacy. If SSL gets broken somehow, WPA2 might still be enough for you, at least for a while. Likewise, if your WEP key is discovered, SSL will still be encrypting traffic, so you're OK for a short time.
Cranite Systems WirelessWall
WirelessWall is Cranite's product to provide security and mobility for 802.11 and 802.16 networks. They're one of only a couple of vendors that meet the DoD standards for security--FIPS 140-2 certified protection at Layer 2. They're using 802.1x (EAP-TTLS) and AES to do authentication and encryption, and also provide seamless subnet mobility. Cranite is also the only vendor in the space to provide a software-only solution, meaning that they run on off-the-shelf servers rather than a proprietary appliance--we're using HP servers at $1000 a pop, versus other vendors' appliances that are 2-5x that. They've got a cool solution for tying into Active Directory, too--just run a DLL on a local Windows machine, and all the AD stuff gets tied into their Policy Server dynamically. Plus, the licensing model is wicked cool--Cranite charges based on simultaneous users (concurrency), rather than seats, which meant we were able to roll out a gold disk to all our users and never had to touch the Cranite client application. I can't even quantify what that saved in terms of time versus having to do a license on each user's machine. And, since all the seats will never be on the network at once, you only have to pay for concurrency...Cranite claims that the typical concurrency numbers are about 50%, meaning that you're really only paying for half as many clients as you might have to with other solutions.
AirFortress
The AirFortress, from Fortress Technologies (http://www.fortresstech.com), is a comprehensive layer 2 security solution for wireless LANs. It was the first US Government approved WLAN solution and the first to use AES for WLANs, and they have sold it to the US Army and the Veterans Administration. They have clients for Win32, Pocket PC, Palm, and DOS, and can authenticate to RADIUS, NT/Active Directory, and their own policy server. They also feature "device authentication", which they say lets admins limit which laptops/PDAs can be used by valid users.
Here are some articles from their web site.
http://www.fcw.com/fcw/articles/2002/1028/web-va-10-30-02.asp
http://www.techbizfl.com/news_desc.asp?article_id=716
http://www.gcn.com/21_8/tech-report/18361-1.html
BlueSocket
Bluesocket's award-winning Wireless Gateways reliably secure and manage wireless LANs in hundreds of organizations in more than 20 countries. Our global network of specialized channel partners has made Bluesocket the leading worldwide provider of WLAN gateways to large organizations -- corporate, education, government, healthcare and in public areas like airports and hotels.
SSL (Secure Sockets Layer)
SSL is commonly used on the internet in e-commerce applications, but can be used very nicely in a client/server web proxy situation. Setting up an SSL proxy on your gateway machine and setting your browser to use the proxy can stop most casual sniffers from seeing your web browsing.
SSL when used with protocols other than HTTP (web browsing) is sometimes called TLS (Transport Layer Security).
- TLS isn't SSL; it's an extension of SSL (think of it as SSLv4; most webservers actually have TLS support). It will allow virtual hosting using the same IP, rather than, as is mostly done at present, a different IP per certificate.
http://www.CACert.org - free X.509 certificates. These can be used with IMAPS, POPS, HTTPS, or 802.1x (the site can issue both client and server certificates, which is better than using usernames and passwords).
SSH (Secure Shell)
Using SSH authentication for your unix shells over a wireless network is easy to set up and fairly secure. As with all encryption methods, it is a good idea to keep a close eye on your key exchanges.
It is possible for SSH (and many other protocols) to be hijacked by a man-in-the-middle attack.
Here's a tutorial on oreillynet.com for using ssh for security on a wireless network.
A nice way to encrypt your wireless web traffic is to use a combination of squid and OpenSSH.
- Set up squid on your gateway machine and have it listen on localhost only. Create an SSH tunnel from your client machine to the squid port. Point your web browser's proxy setting at the client's localhost port. Traffic can still be watched on the wired side beyond the gateway, but wireless sniffers will only see SSH.
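The three settings above (squid bound to localhost, the SSH forward, the browser proxy at the client's loopback) have to agree with each other, and each one is easy to get subtly wrong: squid bound to all interfaces is an open proxy for the same sniffers, and a browser pointed at the gateway instead of the local tunnel end sends every request across the wireless in clear. As an added example, not part of the original page, this Python check validates the three against each other. The squid.conf fragments, the ssh command line and the host name gateway.example are constructed samples.

```python
import re
import shlex

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}

# Constructed squid.conf fragments: the hardened one binds only to loopback.
GOOD_SQUID_CONF = (
    "# constructed squid.conf fragment\n"
    "http_port 127.0.0.1:3128\n"
    "cache_dir ufs /var/spool/squid 100 16 256\n"
)
WEAK_SQUID_CONF = "http_port 3128\n"   # bare port: listens on every interface

# Constructed tunnel command: local 3128 -> gateway's own loopback 3128.
SSH_TUNNEL = "ssh -N -L 3128:127.0.0.1:3128 user@gateway.example"

def squid_listeners(conf: str):
    """(host, port) for every http_port directive; a bare port means every interface."""
    listeners = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"http_port\s+(\S+)", line)
        if not m:
            continue
        spec = m.group(1)
        host, port = spec.rsplit(":", 1) if ":" in spec else ("0.0.0.0", spec)
        listeners.append((host, int(port)))
    return listeners

def parse_ssh_forward(cmd: str):
    """Return (local_port, remote_host, remote_port) from the -L option of an ssh command.
    Handles '-L port:host:hostport' and '-L bind:port:host:hostport' (IPv4 or names only)."""
    args = shlex.split(cmd)
    for i, arg in enumerate(args):
        spec = None
        if arg == "-L" and i + 1 < len(args):
            spec = args[i + 1]
        elif arg.startswith("-L") and len(arg) > 2:
            spec = arg[2:]
        if spec:
            parts = spec.split(":")
            if len(parts) == 4:
                parts = parts[1:]            # drop the optional bind address
            if len(parts) != 3:
                raise ValueError(f"unsupported -L spec: {spec}")
            return int(parts[0]), parts[1], int(parts[2])
    raise ValueError("no -L forward in ssh command")

def check_proxy_chain(squid_conf: str, ssh_cmd: str, browser_proxy: str):
    """Return a list of problems; an empty list means only SSH crosses the wireless."""
    problems = []
    listeners = squid_listeners(squid_conf)
    if not listeners:
        problems.append("squid: no http_port directive found")
    for host, port in listeners:
        if host not in LOOPBACK:
            problems.append(f"squid: http_port {host}:{port} is reachable from the network, "
                            "not only through the tunnel")
    local_port, remote_host, remote_port = parse_ssh_forward(ssh_cmd)
    if remote_host not in LOOPBACK:
        problems.append(f"ssh: forward targets {remote_host}; the gateway would relay it "
                        "in clear to another host")
    if remote_port not in {p for _, p in listeners}:
        problems.append(f"ssh: forward targets port {remote_port}, but squid is not listening there")
    browser_host, browser_port = browser_proxy.rsplit(":", 1)
    if browser_host not in LOOPBACK:
        problems.append(f"browser: proxy {browser_proxy} is not the local tunnel end, "
                        "so requests cross the wireless in clear")
    elif int(browser_port) != local_port:
        problems.append(f"browser: proxy port {browser_port} does not match the tunnel's "
                        f"local port {local_port}")
    return problems

if __name__ == "__main__":
    print("hardened:", check_proxy_chain(GOOD_SQUID_CONF, SSH_TUNNEL, "127.0.0.1:3128"))
    print("weak:", check_proxy_chain(WEAK_SQUID_CONF, SSH_TUNNEL, "gateway.example:3128"))
```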
Kerberos
IPSec
IPSec is for when you want full host-to-host (transport mode) or net-to-net (tunnel mode) encryption. It is a little more complicated to learn and set up than the other options mentioned above, but the end result is much better imo.
An alternative Windows version (linked here) might be free for non-commercial use. There is also an article that describes how to configure it.
Nowadays, IPSec *can* be used with NAT. IPSec is one way to make a virtual private network (VPN).
OpenVPN
OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access controls.
OpenVPN implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.
Intrusions and Network Probes
Probe Monitoring
Probing networks is a pretty common thing in the wired world and is starting to be pretty common in the wireless world. Installing port monitoring or intrusion detection software is generally a good idea if you are paranoid about intrusions or just want to know what is happening on your network. If you are running Linux, try using portsentry; it will automagically blackhole IP addresses that scan closed (unopened) ports on your machine.
- Actually, automated reactions to scans can be a dangerous thing. Wouldn't it be fun if someone set their source-address to be that of a global top-level domain (GTLD) server, scanned your system, and repeated this procedure for all GTLD servers? Your system would blackhole all traffic from the TLD servers, so you wouldn't be able to query for new (i.e. un-cached) NS records until the blackholing was stopped.
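Added example, not from the page and not portsentry's code: a Python sketch of an automatic responder that avoids the failure described in the reply above. It never blocks allowlisted infrastructure (default gateway, local resolver, and a stand-in range for the TLD servers), only reacts after several probes inside a time window, and expires every block, so a scan with a forged source address can at worst produce a short, bounded outage of a non-critical peer. The addresses and probe events are constructed; timestamps are passed in explicitly so the behaviour is reproducible.

```python
import ipaddress

# Constructed allowlist: a "scan" apparently from any of these must never trigger a block,
# or the responder cuts this host off from its own gateway, resolver or the TLD servers.
NEVER_BLOCK = [
    ipaddress.ip_network("10.0.0.1/32"),    # constructed: default gateway
    ipaddress.ip_network("10.0.0.53/32"),   # constructed: local DNS resolver
    ipaddress.ip_network("192.0.2.0/24"),   # constructed stand-in for root/TLD server addresses
]

class ScanResponder:
    """Rate-limited, expiring auto-block with an allowlist."""

    def __init__(self, threshold=5, window=60, block_seconds=600, allowlist=NEVER_BLOCK):
        self.threshold = threshold          # closed-port probes needed before acting
        self.window = window                # seconds over which probes are counted
        self.block_seconds = block_seconds  # how long a block lasts
        self.allowlist = allowlist
        self.hits = {}      # src_ip -> timestamps of recent probes to closed ports
        self.blocked = {}   # src_ip -> expiry timestamp

    def is_allowlisted(self, src_ip: str) -> bool:
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.allowlist)

    def is_blocked(self, src_ip: str, now: float) -> bool:
        expiry = self.blocked.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[src_ip]    # blocks expire: a mistaken one does not last forever
            return False
        return True

    def observe(self, src_ip: str, port: int, now: float) -> str:
        """Record one probe of a closed port and return the action taken."""
        if self.is_allowlisted(src_ip):
            return "allowlisted"        # log it, never act on it
        if self.is_blocked(src_ip, now):
            return "already_blocked"
        recent = [t for t in self.hits.get(src_ip, []) if now - t <= self.window]
        recent.append(now)
        self.hits[src_ip] = recent
        if len(recent) >= self.threshold:
            self.blocked[src_ip] = now + self.block_seconds
            self.hits.pop(src_ip, None)
            return "blocked"
        return "counted"

if __name__ == "__main__":
    responder = ScanResponder()
    # Constructed: six probes forged to look like they come from a TLD-server address.
    for port in range(1, 7):
        print("192.0.2.33", port, responder.observe("192.0.2.33", port, 100 + port))
    # Constructed: six probes from an ordinary remote host.
    for port in range(1, 7):
        print("203.0.113.7", port, responder.observe("203.0.113.7", port, 200 + port))
```

Even with these safeguards the block list is advisory: a probe seen from a spoofed source cannot be distinguished from a real one, so the allowlist and the expiry are what keep a forged scan from turning into a self-inflicted denial of service.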
Intrusions
Snort is a free, network-based Intrusion Detection System.
Dave Dittrich has put up some details on Unix forensics for attack and intrusion analysis.
AirDefense's wireless LAN security products provide for enterprise class WLAN monitoring.
Intrusion Detection Links & Documents at honeypots.net -- contains hundreds of technical whitepapers, articles and links about Intrusion Detection.
Website Security?
I was looking for someone to e-mail about this, but I couldn't find an e-mail address. Anyway, your website is very insecure: you can click on a link and edit any page on the site. I think you should at the least use some form of security to access the editing options of the page. You might be interested in a PHP-Nuke based website, if you are not all that HTML friendly; it uses PHP and a SQL DB. If you're stuck with this engine, then I suggest finding a patch or update that incorporates password protection. - Omni
--> We often get feedback on website security. One of the joys (and problems) about a WIKI type website is the ability to edit the entire website by the general public. In many ways, this site continues to reflect our FAITH and TRUST in the members of the wireless community to constructively add or make changes to the website. On rare occasion, we get a vandal, but we recover and continue to move on. (StartideRising, maintainer of SenaoCard and other pages)
--> You are a very trusting group, and I wish you the best with your project(s). I hope all of your future vandals are as polite as I, and that they do not destroy any information, or hinder your project goals. - Omni
--> Heh, you are not a vandal. By vandal, I mean there are people who get jollies by deleting stuff or replacing selected words with something that makes the sentence mean something else. Some webpages have text at the top such as HardwareComparison which some people deleted en masse because they thought it was too wordy. However, the webpages have to be useful not just to the impatient "expert" who doesn't want to read text and wants only the data in the tables, but also be useful to the beginner who might want some words to read. From our meetings and discussions, we know beginners like to read words and explanations and need such. So, a wiki-web-based project such as this website has to deal with many aspects like this. --StartideRising
--> Out of curiosity, an abridged webpage Vandals was made.
Yet again security is breached at a highly secure site
- Sun recently experienced an all-encompassing attack on their servers and are afraid to admit the real level of damage that has been unleashed on their network worldwide. The CEO at Sun Microsystems was pooing his pants when he found out a child with the mental capacity of a dead monkey on heat hacked their servers with a Barbie Notebook and a USB cable. Apparently an errant computer programmer brought in his four-year-old son and had said he could borrow his sister's Barbie Notebook, just don't drop it. He took his son into work and left him alone for approximately 12 minutes, which was long enough for the child to gain root access to the main NIS server at Sun. Needless to say, deleting the NIS database caused a few issues at Sun, especially as the child then proceeded to replicate the removed data worldwide and managed to convince the backup units they were no longer required and should reset to factory defaults and wipe all existing tapes. The Barbie Notebook in question is currently being held by detectives at the local police centre, as they believe someone else has masterminded this piece of work and are not discounting outside interference from Mattel or alien life forms from a distant galaxy, and are thus far stumped by the notebook's ability to serve coffee and kill flies. The child who performed this marvel of modern hacking was summarily executed and burnt to powder, and the programmer is currently being electrified by the left eyeball until he confesses his sins. If you wish to read more, go to the Sun Microsystems website, where you will find nothing on this article, or alternatively do a Google search and you'll likely find nothing there either, but it might be worth a laugh.
<comment by vandal> me thinks that was the same kid that did this http://badgerbadgerbadger.com in that case he was a bit smarter than your average joe toddler; more like cool people that can make awesome linksys firmware =D
Radius Servers
Aradial Radius server
Aradial is a high performance RADIUS server with Tier 1 levels of reliability and scalability. Aradial supports the latest RFCs, vendor specific attributes, NAS templates and has a multitude of pre-configured settings that support most Access Servers in the market today. Aradial is based on a plugin architecture, which allows customizing the authentication and accounting logic outside of the core product. Aradial RadiusServer runs on Windows, Linux and Solaris, and supports all databases. Aradial RadiusServer is integrated with top billing solutions for ISP, WISP, WiFi hotspots and VoIP.
FreeRADIUS
I could repeat all the features on the FreeRADIUS distribution page here, but that would be kinda pointless.
Instead, I'll just say that it's what I use on my wireless network. I use EAP-TLS -- client certificates -- for authentication, so I don't have to bother changing the client keys or passphrases. I also use the WPA2 protocol -- basically, AES -- for encrypting the traffic. (Though that's not a function of the RADIUS server: it's more a function of the AP and client firmware.)
To set it up, this (PDF link) is one of the better howtos that I saw: EAP-TLS on XP HOWTO. But note that you no longer need CVS versions of anything -- recent OpenSSL packages can now add arbitrary OIDs to certificates, and FreeRADIUS has supported EAP-TLS since (IIRC) 1.0.0-pre0.
Bottom line, IMO, is that this is a pretty good RADIUS server if you're looking for something free (as in speech: it's GPL, and beer: it's freely downloadable) that runs on Linux, and you want EAP-TLS. I'm sure it's at least decent for other authentication types, too, I just can't vouch for it there.