Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Detecting Wireless LAN Users 209

technosavvy writes "With wireless home networks and applications like NetStumbler becoming so popular, it's surprising that there are so few consumer-oriented applications that help monitor who is connecting to your wireless network. Bob Brewin of ComputerWorld lists three tools with this purpose in mind in his article "Tools for detecting rogue wireless LAN users"." I just like running etherape.
This discussion has been archived. No new comments can be posted.

Detecting Wireless LAN Users

Comments Filter:
  • Wireless lan technology is still in it's infancy, the thing is that people are more interested in hacking/cracking wireless networks than protecting them at the moment. That will change as people realise how insecure the default settings are.
    • Think about what you're saying here.

      Most wireless LANs can be found in places like Starbucks, shopping malls, and airports.

      I don't know about you, but I don't expect the idiot who can't understand what a latte is to properly configure a LAN firewall.
      • I don't know about you, but I don't expect the idiot who can't understand what a latte is to properly configure a LAN firewall.

        I set up and maintain firewalls and wireless networks, but I don't know what a latte is... Mind you I could find out fast enough, I'm just not the coffee type. :-)

  • by FreshMeat-BWG ( 541411 ) <bengoodwyn@ m e .com> on Tuesday September 03, 2002 @11:25AM (#4189485) Homepage
    So what if you can detect when a rogue has connected to your wireless network. A passive data gatherer connected to your wireless network can often times gain enough information to connect to your network externally (Internet, VPN, etc). So just knowing that noone is actively using your wireless network doesn't mean that noone is hacking your network because of your wireless network.
  • by NetMasta10bt ( 468001 ) on Tuesday September 03, 2002 @11:28AM (#4189520)
    Check out Kismet over here [kismetwireless.org]. It can run on Linux PDA's like the Zaurus and iPaq as well as your laptop. It also has GPS support and speach output (through festival).
    • It's actually kismetwireless.net ... .org is a portal site for wireless stuff that's not affiliated with the OSS program.
    • Unfortunately that URL (kismetwireless.org) is NOT the place you're looking for. Kismet, the 802.11b godsent, can be found at http://www.kismetwireless.net. This is an AWESOME tool, and I have to say I've been using it ever since I bought my Linksys WCP-11 (i'm broke, hence no Cisco gear) a while back. Dragorn, the guy who wrote it and maintains it, is one hell of a code-slinger, and can be found on IRC if you get really stuck with something. He also spoke at H2K2 this year about kismet, for those of you who wen
    • I've been using it for a little myself.

      Interesting little thing about Kismet - Apparently Netstumbler is not entirely passive (Otherwise it wouldn't be detectable). Unless your driver is bugged or you have an unsupported card, Kismet is purely passive. Even better, while NS only works with Orinoco (and maybe Aironet) cards, Kismet works with Prism2 cards.

      That said - With the exception of the last of the 3 utilities, most of them seem to be pretty similar to Netstumbler.

      Apparently Kismet currently (for whatever reason) seems to ignore Netstumbler packets for some reason, but this is considered to be a bug. Implementing Netstumbler detection is apparently not far off.
  • Ugh. Usually I wait until things near the bottom of the homepage before clicking a link. Otherwise, you can click and go for coffee. I hope the article is good. OOH! There's the Galeon tab turning blue now - Later! Good Luck.
  • Personally... (Score:3, Interesting)

    by YanceyAI ( 192279 ) <IAMYANCEY@yahoo.com> on Tuesday September 03, 2002 @11:30AM (#4189530)
    I know this is not a radical idea, but I'm going to say it again. I think broadband Internet access should become part of a city's infrastructure, like roads and garbage service. I'd even pay for it like a utility (like water treatment or gas). God knows it'd get rid of silly little disputes over 'stealing' or redistributing bandwidth and cable companies penalizing users for doing what they signed on to do...use lots of bandwidth.
    • While I agree with you, its not just about stealing bandwith, it could be someone with a more nefarious intent. Instead of leeching a little badnwith, it more along the lines of trash the servers. So, in reality its just a few bad apples spoiling it for the rest of us.

      Basically, I don't recommend deploying wireless to any type of network that you care about. Its just not there yet.

      • I don't recommend deploying wireless to any type of network that you care about. Its just not there yet\


        Maybe not basic wifi. If you don't mind locking yourself into a single vendor, Cisco has some extensions that are supposed to fix the worst flaws in WEP.

        It would be foolish to put complete trust in its security, but the same obviously goes for wired networks.

        • Along the same lines as Cisco, DLink has some products in 802.11b (AirPlus) [dlink.com] that utilize a different modulation scheme (Packet Binary Convolutional Coding) and provide 256-bit WEP. They also claim to provide 22Mbps. DLink's gear is compatible with other vendors' products if you want to go with std 802.11b (ie. 11Mbps).
    • Why in the heck would you want to do that?

      John Stossel has shown on his 20/20 TV segment that cities make things WORSE when they run it. Privatize the city water system, and you get cleaner water cheaper. End the city's monopoly on cable TV providers, and you get competition.

      Get the phone company out of city regulation, and you get competition.

      The same is true over and over and over again. Some cities in foreign countries have been privatizing the roads (so you only pay for what you use, rather than distribute it to people who don't even use the roads), and have seen wide success in those ventures.

      I don't want the city controlling anything, especially my data. This idea is frightening to me, and I'd gladly vote with my feet if something like this happened.

      • Take the post office. Tremendous infrastructure, and tremendous service. You can mail a sizable letter from almost anywhere to almost anywhere for pennies.

        Yes, implementing a WiFi infrastructure might be done cheaper, more scalable, etc, but compare to the NSF and the current Internet. The NSF put in the standards, and by implementing them, made the standards change je jure become de facto.

        Look at all the different cell phone systems we have available to us... pretty great, huh? Except that they are incompatible with each other, have different coverages, and infrastructure is at least tripled to accomadate different standards without tripling the bandwidth.

        I think competition is a great thing.. once you have standards in place, not as a knee-jerk reaction to getting the job done best.

        Also, Cook county kicks Lake county's ass.

      • Privatize the city water system, and you get cleaner water cheaper. End the city's monopoly on cable TV providers, and you get competition.
        That's funny. Every city I have lived in with privitized water system has had far worse service than city owned. And when cable providers were deregulated, they jacked up the price and cut the quality of service significantly.

        The economics of utilities with large capital costs and large captive populations were worked out in the 1880s. The conclusion then was that either a government owned utility, or a highly regulated private monopoly, was the best solution. I don't know of any fundamental law of economics that has changed since then.

        sPh

        • the economics of utilities ... were worked out in the 1880s by marxists and other utopianists with an alternate agenda. Can you imagine Thomas Edison, Rockefeller, Hoffa or anyone else arguing that they should be smaller?

          Of course they'll find an economist who will say allowing them to run an industry is the most efficient way to do things. Funny thing though how Standard Oil was broken up even though they were the most efficient producer...

          An amusing anacdote is that this same agenda had been used by Microsoft to justify its "self-normalizing monopoly" claim. E.g. operating system costs spread over all PCs are lower with a monopoly, and there are no compatibility issues. In a sense, you can see the argument if this economic cost/unit objective is the only criteria you use.

          However, there are other consequences, political, economic, behavioral, etc. Monopolies have a slight problem with ending up unaccountable. Fantasies of government regulation aside, the regulators quickly normalize to either being in the monopoly's pay, or get replaced by pro-monopoly officials. Or you'll have scenarios where the regulators control the power and grow their monopoly through special deals with select associates, kickbacks, etc.

          Look at the status of both US political parties - both are nearly identical in that they're run by large organizations pursuing dominance in their industry/sector. It doesn't matter if its a union, a fortune 1000, or an industry association, the motivation is the same (and so is the corrution). Enron, RIAA, AFL-CIO, Global Crossing, NAB, etc.

          As any honest German will tell you, efficiency shouldn't be your only objective.

          *scoove*

      • Privatizing roads == stupid.
        You can't have competition in Roads. It's not like there are going to be 6 functionally identical roads all going to the same place. so the 1 road that does go there will charge a 100$ per car toll. And you either pay that, or you drive 250 miles out of your way to go around the countryside to get to where you are going. That's not competition.
        There's also no motivation to improve the road if there isn't an alternate road people can take.

        Kintanon
      • Good counter example is with the Los Angeles Department of Water and Power: before Enron were recognized as breaking the rules that favored them by giving them public-goods for a song, they were not popular in California because of how their "free-market" screwed up power supply. LADWP (gross, corrupt government bureaucracy that it was) was able to provide power with no blackouts, brownouts or interruptions during the long, hot summer of 2001. Immediately abutting LA city was Santa Monica City, (they're so contiguous that you'd find it hard to know where one stopped and the other started) which had bought into the "get government out of public services and bring in the robber barons instead" myth. They had blackouts.

        Privatizing some things doesn't make sense: it's too hard to separate out the costs and benefits, too hard to prevent local profit-driven corruption, too hard to do anything without creating a less-efficient regulation regime which is government in all but name.

        Give it up.
    • Ummm.... (Score:3, Informative)

      by tgd ( 2822 )
      In most places in the country, people pay individually for their garbage service, water and gas. If I'm paying by the bag, you better damn well not put your trash in my can.

      The only service that can't be stolen is free service, and there simply isn't such a beast. Hell, even roads aren't free. If you have an unregistered car (and thus, have paid no taxes), you can't legally use the road.
      • The only service that can't be stolen is free service, and there simply isn't such a beast. Hell, even roads aren't free. If you have an unregistered car (and thus, have paid no taxes), you can't legally use the road.

        Unless you use a bike or walk. I think those are still legal even though one didn't necessarily pay car taxes.

        • Close the pedestrian loophole!

          (It was better in all caps... stupid lameness filter).

          • In a good number of places (I'd almost say everywhere, but I can only say for certain everywhere I've ever lived), you in fact DID have to register bikes, but its not a widely enforced law.
    • sounds good, but here it goes... 3456 w St apt. A is downloading something massive all the time, apt. B just downloads his private email. Should they pay the same? Apt B doesnt think so. anything to lower his bill. what happens? massive bit transfer is for wealthy only. Another way we leave the poor in the dust. no we need free, we need 'in the wild' internet bandwidth that is rooted at the grass root level. freedom of information for everyone.
      • Except that when i use more electric power, or water then my neighbor i DO pay more then him.. but we all get access due to the 'system'

        Not that im for governmental inovlvement in our lives, but sometimes the general public cant do it on their own..
        • but information access controls can limit the ability of poor joe smoe from climbing up the economic latter. information, like a library should cost nothing to use by the public. if they were to pay only the infrastructure cost, but not infrastructure+ profit. thats better.
    • Re:Personally... (Score:2, Interesting)

      you know, here in san francisco, the attitude takes it even further into the public's hands. i am sitting at a (non-Starbucks) cafe at california and divisidero, and my PCMCIA 802.11b card sniffs not only the free WAP at the cafe proper, but also the chinese restaurant across the street, and the dude around the corner who not only makes his WAP available, but LET'S PEOPLE KNOW. [nodedb.com] And let's other people know. Pretty soon those people start talking [bawug.org],and even communicating in other ways [warchalking.org].

      The internet itself has been described as the great equalizer. Grassroots wireless networking has the potential to put one more bullet into the chest of inequality, and then the internet may begin to continue it's evolution from shitstream teevee/radio corporate fuckfest, to the greatest tool mankind has ever made. ...Then we throw out the dixie cup...
      • and my PCMCIA 802.11b card sniffs not only the free WAP at the cafe proper

        Which should be fine as long as the owner of the property consents to this use (which it appears is the case), and the other owners of what you're using also consent.

        Is the upstream Internet connection aware and consenting to this use? If they're not, you're no more than a thief.

        The problem with free Internet that people can't seem to get around is that you've got some things that aren't free, such as:

        - the engineers that run the networks you're travelling
        - the fiber, cable, submarine cables, etc. that someone put in and maintains
        - the switches, routers, servers, etc. needed to run service provider networks (last time I looked, Cisco wasn't giving their stock away for free)

        I work my ass off and have taken one hell of a pay cut to bring cheap broadband to small towns. I'll be damned if some freeloader steals from my communities. Let him build his own damn network and pay for his DS3.

        evolution from shitstream teevee/radio corporate fuckfest

        Oh, you mean like the radiofrequency givaway both parties have sponsored in the US? Or the rule bending for corporate buddies like Clear Channel (psst... donate to our parties and we'll let you own all the radio stations in every market so you can fire the local people and pump canned crap sent via satellite)? Funny how the RIAA loves this - course, they have artist promo deals with Clear Channel too. No wonder radio broadcasting is so vanilla...

        In order to fight institutional theft, you've got to recognize property rights and oppose all theft - what belongs to someone else ain't yours! Pay for it or get your own. Otherwise you're just another thief (on the losing side of the battle, as they've got better guns).

        *scoove*
    • ...broadband Internet access should become part of a city's infrastructure

      It may be a good idea in terms of lowering prices and increasing access (to neighborhoods that currently don't have any broadband options) but anything that's part of a city's infrastructure will be regulated as such. Not to mention that Big Brother won't have to go far to log and snoop on your browsing habits, etc. I can imagine way too much potential for abuse in such a scenario.
    • Problems with this:
      From the Lobbying side:
      Who would pay Cable, DSL money for 384K when you can get 11M from the town? No one. So Cable and DSL and Powell's son will fight such an idea, tooth and claw.

      From the Common Sense side:
      Once Internet access becomes a government service and drives out the competition (see above) everything on the Internet becomes subject to political censoring.
      No religious content: seperation of church and state. No porn, gotta protect the children. No commercial activity from users its a public utility. No hate groups, no hate speech, only politically correct speech.

      Each town would build a Great Firewall of China around themselves like in South Park.

      Your town could get around 1st amendment issues by saying that this is one of many ways to access the Internet and you are free to sign up with another provider. Only no other provider could exist in your town because it could not compete with a publicly subsidized system.

      Don't get me wrong. I was thinking about a public utility wireless network the other day while looking at all the ugly cable strung up through my neighborhood. I would love for it to be a reality but the above causes me to doubt it would ever happen, or be a good thing if it did.
    • Re:Personally... (Score:4, Insightful)

      by Nighttime ( 231023 ) on Tuesday September 03, 2002 @12:13PM (#4189841) Homepage Journal
      I'd even pay for it like a utility (like water treatment or gas). God knows it'd get rid of silly little disputes over 'stealing' or redistributing bandwidth and cable companies penalizing users for doing what they signed on to do...use lots of bandwidth.

      Why do people think because they have an unmetered, always-on broadband connection they must use it flat-out all the time? I have a cable modem here and don't feel the need to be constantly utilising it to the max.

      If I can draw an analogy to the broadband ISPs being similar to the water companies. In the UK, most domestic homes pay a flat rate for their water supplies, for this they have the ability to turn on a tap at any time and not worry about the cost. Fetching your e-mail, light web browsing etc would be the equivalent of washing your hands, flushing the toilet or filling the kettle in terms of demand. A large file download, e.g. the latest distro ISOs would be akin to running a bath, washing your car or watering the garden. A spike in demand, but the water companies ensure that the water pressure is sufficient such that other users in the area are not affected. Same as for the ISPs, they can cope with occassional high demands on the system. Now, imagine the situation if everyone decided to wash their car at the same time or all shared the same bath time, or decided to just leave their taps running because they can.

      Heavy users of the water supply (domestic and commercial) are metered and charged appropiately for what they use so why should a resource like bandwidth be any different?
      • Assuming metered access and not flat rate, would I then be able to sue anyone who sent me an unrequested e-mail, pop-up window, or anything else since they would be directly increasing my bill by sending me things I didn't want?
        I'm pretty sure that's the idea behind Fax spam laws.

        Kintanon
      • ---snipHeavy users of the water supply (domestic and commercial) are metered and charged appropiately for what they use so why should a resource like bandwidth be any different?
        ---snip

        Because uses for water do not grow nearly as fast as uses for bandwidth. In enough time, _everyone_ will become a heavy user, so the flat rate model will quickly cease to be used.

        Bandwidth:
        Once upon a time, my 300 baud applecat modem was more than adequate for my needs and excellent for many phreaking tasks, if I ever needed to "borrow" some wired service from someone, or if I needed to wardial a prefix for carriers (change wired to wireless, change phreaking to launching netstumbler, change wardialing a prefix to wardriving/network discovery...alas, the words change, but...).

        That modem could keep up with my typing. Having the results outputted to me at 30 cps (10 bits per byte in my typical config) was annoying but was still more than adequate for most any use; many people stuck behind teletypes were running at 150 bps or slower.

        Fast forward 20 years. Where I am sitting now I have two 1.5Mb/s connections bonded together, giving me a 3Mb link, both ways. At my office, we have a fractional T3 running at twice that speed (and we utilize it, as well as a comparable connection at a remote location).

        Nowadays the average user complains about their "slow" 44,000 bps connection they get with their dialup modem.

        Water:
        20 years ago I was a little smaller. But I had the same habits; I drink when I am thirsty etc. etc. My water consumption has remained mostly the same. I drink about 8 glasses of water a day (yeah for me!), before, just for comparison, then I would probably drink 6.

        Over almost 20 years my burstable bandwidth needs have increased 10,000 fold. The difference in sustained needs is even larger, as nowadays I've always got some type of data going over that pipe (gnutella, newsfeed, mail, what have you) vs. back in the day that 300 baud modem was actually in use for small parts of the day. I bet in another 20 years this 3Mb connection could very well seem as quaint as the 300 baud modem seems today.

        My water needs on the other hand went up 33%. My individual water needs are not likely to ever grow much larger.
    • if it was treated like a utility it would be taken advantage of monetarily like those are.

      I would take calls from customers that were complaining that their Internet was down. These were normally people who wouldn't pay their bill for 60 days and wonder why it was off. They even had the nerve to complain that it was like Gas or Water and that we MUST give notice in the mail of their delinquency (it's not like gas or water). These people actually believed it was a NECESSARY item in their lives (giving me the excuse that they couldn't pay their bills b/c they used the Internet for paying it -- I asked them if they ever used checks..)

      We do NOT need this to become part of the cities infastructure. I am much happier w/it being controlled by a third party. I am already annoyed w/the electric bill being estimated half the time, and I am REALLY annoyed that natural gas prices have gone up.

      Could you imagine getting billed for "estimated bandwith use" or being told that the price of Internet was going up b/c too many people were hogging bandwith? Hell NO.
    • become part of a city's infrastructure, like roads and garbage service.

      Please, no.

      Hmm... the roads in my city are hopelessly broken (save for the ones in the west part of town where all the yuppies live). We joke about putting a sign up saying "Closed for the season" - perpetual construction, engineered by under-the-table deals between our city council and their construction industry buddies. (Thankfully our newspaper did an article this weekend about how outsiders never get the same info the insiders get about bids, and other nonsense).

      City-administered garbage service? You mean the scam where they miss my cans one week out of four, and throw them all over when they do? I've videotaped them on windless days letting recycle trash drop more than hit the trucks, and leaving cans in streets. Don't like it? Tough.

      Yea, we need Internet service like this. Oh, and I'm sure everyone wants to pay $120/month for $30 Internet. That's the best part of city/municipal administration. We can shift funds from other areas to subsidize it, so we can hide the ineffeciencies.

      Eliminate competition and engineer perpetual inefficiency, laziness and unaccountability.

      it'd get rid of silly little disputes over 'stealing' or redistributing bandwidth

      Do you get unlimited electricity, just because it comes from a municipality? Can you dump anything you want in your trash? Theft is still theft, and rules tend to optimize to the extreme with unaccountable government-run operations.

      I've had trash missed because my cans weren't curbside - they were two feet away from curbside. At least once a month, I'll have my entire trash pickup skipped because I have "yard waste" (meaning a neighbor has tossed a twig on top of my trash can, or I've put a scoop of street garbage that has a half-dozen leaves in it).

      You can bet your Internet will quickly become universally miserable too. What's that maxim about socialism making everyone equal - equally miserable?

      *scoove*
    • Right. But the problem is corporate networks that are supposed to be secure. Or home networks that don't want people sniffing their traffic and intercepting their porn.
    • Well, gee, the Internet is important to many of us, so it should be povided by a government and paid for in taxes. Interesting concept.

      OK, there are some lame problems with the current system, the one you mentioned about cable companies penalizing users who subscribe to the system to get high bandwidth is a perfect example. But taking your logic, isn't food even more important than Internet access? If it is, shouldn't we replace all the grocery stores with a government run grocery system? Whould you really want to get your food from a grocery store run by the government? Do you think you would still have a choice to buy at the private stores? How many of them could afford to stay in business if all of their customers were also paying the food tax and getting food at the government store? And what do you think the new prices for food at the remaiming exclusive private stores would be? Could you afford to eat from such stores or would you have to eat whatever the government stores decide is good enough for you?

      Look at what has happened to our education system. Sure, there are still private schools, but few can afford to send their children to them and also pay the taxes for the awful government run schools. The school system is so bad that many in government advocate a voucher system, which is an admission of the failure of the public schools. And you want these people to take more control of what we get?

      Sure, there are problems with the current system. But ask why. My answer is because we already have too much government medeling in what should have been a free market. By granting monopoly powers to a single phone company and cable company in an area, they have greatly limited the consumer choices for service. Whithout that monopoly, pitching customers the benefit of high speed access and then penalizing them for using it wouldn't be tolerated, there would be other providers who would be glad to take the customers. With the monopoly in place we get they type of system we have. Why not strengthen the monopoly by giving it to the Post Office? No Internet access Saturdays, Sundays or Holidays.

      • I think you make several excellent points, but I do feel like the goverment's (we the people's) job is to provide the best basic infrastructure for allowing commerce to flourish. It's the concept behind road building. If the Internet isn't a road, what is it?
        • If the Internet isn't a road, what is it?

          The Internet ain't a road, no matter what it's inventor Al Gore tells us. Reminds me of the "an elephant must be like a tree" story. That's one danger of analogies, some people will carry them to false conclusions and dangerous extremes.

          I'm not sure I even like the idea of the government even running our roads, but that's another (off topic) issue. But a road must have access to land (private property) that in most cases completely eliminates the use of that property for any other use. Not so with the Internet. The basic infrastructure there, when run on dedicated lines, can be buried and co-exist with other uses of the property. No "taking" of private property is required as it is with putting down an Interstate highway, just the much less oppressive right of free access through a property (a concept I find no fault with, as it is understood when society grants private ownership to property). There are also various plumbing systems that go below ground and pass through private property. So maybe a much better analogy would be rather than calling the Internet a Information Highway it should be called the Information Sewage System.

  • For corporations with Mucho Moolah(TM), you can get ISS Wireless Scanner ( http://www.iss.net/products_services/enterprise_pr otection/vulnerability_assessment/scanner_wireless .php ).

    Actually it's a pretty cool product, it'll detect access points with SSID broadcast turned off, it'll detect wireless users, it'll even try to break into the access points (haven't used the feature much, so I'm not sure what it tries to do there).

    Unfortunately it only runs on Win 2000 (I run it on XP, but that's unsupported), and only works with Orinoco cards and a couple of the known derivatives. On the plus side, it's got all the cool alerting features like SNMP and SMTP, and it has the "authorized list" of access points to minimize false positives...

    -Jack Ash

    PS: No, I'm not affiliated with ISS, but I run and administer their products at my office, including Wireless Scanner.
  • If memory serves (and it's been about a year since I had an Airport base station [apple.com]) the interface was very good and let you monitor who was using your bandwidth, etc.

    As I recall, it made it very easy to require a password or enable 802.11b encryption, etc.
    • And the Airport basestation works under Linux as well. There is a configurator etc here [drexel.edu]. The only problem is that parts of it (last time i checked) were closed source. Plus there can be problems with java and swing (help offer the debian people here [debian.org]).

      Its cheap, easy to setup und has good security features which can be viewed here [apple.com].
  • That someone in my apartment complex gets a wireless router and I can steal their bandwith and get free internet access :) Seriously instead of purchaisng this just make sure only registered MAC's can be authorized by your router and that knocks out the casual browser. Then have it log all access ( I am sure most routers can do this) and at least for home use you should be good. Coporations need to take some more precautions but i am not a security expert so...
    • I know I dont know why that ass has it out for me, he posted similar comments to several other of my post. Oh well what can you do.
  • Hey,
    This is all good for network security assurance and auditing, but doesn't fix the basic security problems with using WLAN 802.11 technology. I suggest that we use a new security model for WLAN security:

    1) Obscure SSID names and WEP should not be used on your WLAN just to provide management/users with a false sense of security;

    2) Put the WLAN access point outside your firewall (layer 1 security);

    3) Use firewall VPN technology for layer 2 security;

    4) Use IPSec protocol for network layer 3 encryption;

    5) Use digital certificates for layers 4-6 strong authentication;

    6) Enforce Corporate security policy on WLAN deployment & use;

    7) Regular audit and security assurance work to detect the addition of new WLAN points to your network.


    There are good reasons for using WLANs, and you probably can't stop the keeners from adding access points, but you can try to mandate how they will be added in a secure and managable fashion.

    Cheers,
    -wjc.

    • by sulli ( 195030 )
      This is exactly correct. 802.11 should ALWAYS be used OUTSIDE firewalls, and considered standard, public, insecure internet service. Then use IPSec plus whatever additional features are required to get into the private network.
    • And, by the time you add in VPN as step 6a) you are down to about 56k speeds right? Doesn't seem quite worth it to me.
    • That all sounds expensive. It'd be better to stick with copper than to pay somebody to set all that up for you.
    • So, what do you recommend for home users then? I've got an ipchains/NATted box that serves most of my house with Cat5 strung about the place. I was thinking of adding in WiFi just to eliminate some wiring and make our portable devices (laptop, PDA) genuinely *portable*.

      Should I just add in MACs to the WiFi allow list by hand? It's not a lot of trouble to do so if you're only hosting one or two visitors at a time, after all, and they will probably never use more than one MAC/adapter. I presume this is something that you can do with a WiFi basestation, a la DHCP. I don't have any equipment yet, so I don't actually know.

      Then I can keep the WiFi behind the firewall, and I don't have to worry about a VPN or any of that mess. Does this sound reasonably safe?

      And, provided that the functionality I mentioned above *is* available in WiFi basestations, is it present in the AirPort? That's likely the basestation I'd wind up getting, unless someone tells me it's a really bad idea.
      • It depends on when you think an attacker might be trying to get on your network.

        Will it stop a casual user just trying to hook up with your AP to use it for a minute? Sure. But those MAC addresses are being transmitted all the time, so if you actually use your network and someone is listening in, it would be trivial to spoof MAC to gain access.
      • Should I just add in MACs to the WiFi allow list by hand?

        Nope. It's fairly easy, but doesn't contribute much to security.

        Then I can keep the WiFi behind the firewall, and I don't have to worry about a VPN or any of that mess. Does this sound reasonably safe?

        NO! The easiest approach should be (depending on the firewall and wiring, of course) is to add a third NIC to the firewall. Connect the basestation(s) to THAT NIC, and block everything from it except VPN or IPSECed traffic.

        I'm 802.11-less for now, but starting to plan a firewall+802.11a/b setup for once I move: probably a mini-PC from these guys [soekris.com] with one of their PCI crypto accelerators. Add OpenBSD with the built-in IPSEC, and I'm a few client-side tweaks away from a fully secure WLAN and firewall, all in one! (That's the theory, anyway...)

    • by Anonymous Coward
      actually both IBM and AirDefense's solutions are not for network enumertation they are for IDS, i can tell you how well they work but they dont sound like auditing tools to me...

      as for VPN securing your wlan this i can dispute...

      a friend and i gave a talk at Black Hat this year on advanced wireless attacks, in this we broke a VPN implimentation wide open with a wireless man in the middle attack, in this attack we forced a victim onto another channel where we then had an AP with the same mac and SSID as his original...this lets us beat any sort of VPN that doesnt use strong two way authentication...

      so yes you said to use PKI there, but i submit to you that people are simply not doing this, if they were going to start they would have a long time ago and so any solution that the general populous of administrators deem too cumbersom or otherwise not worth the trouble to impliment will not be...

      what you are basicly saying is that all you need is a VPN and you dont need to watch your network...im glad my bank doesnt take this solution for their security, a bank vault with no security cameras...

      wireless security is alot harder to attain than wired equivelant...in the end you're going to need more than just network enumeration, vpn's and auditing tools...you are going to need something to monitor and manage the thing, not sure which one of these will prove the best, but im glad someone is working on the problem...

      --Abaddon

      http://802.11ninja.net
    • 3) Use firewall VPN technology for layer 2 security;

      Are you talking OSI layer here ? If yes, I would be interested in knowing wich VPN technologies operate on that level ...

  • I was driving through my neighborhood, innocently watching my laptop which is equipped with zero snooping software, and noticed I suddenly had a "very low" signal. I circled around a bit and narrowed it down to a couple of houses. I wish I had a way to let this person know they were vulnerable.
    network: linksys
    user: (null)
    pw: admin

    ok. They deserve whatever they get.

    I would like a log to know which of my neighbors is trying to "share" my bandwidth.
    • I went wardriving this past weekend.

      Orinoco silver, no ext antenna, laptop inside the car (lots of nice metal shielding)

      Probably 1/3 of the networks heard (45 found in a relatively short loop) were factory default Linksys boxes.

      There are a total of *3* 802.11 networks near my house.

      One on Ch11 with a custom SSID (mine - No WEP, I don't really care. I'm in the boonies and not much damage someone could do)
      Two on Ch6, one factory default Linksys, one listed as by Kismet. Needless to say, those two weren't going to be getting max performance. :)
  • A lot of the virii and worms we've seen lately, a big threat is the home user. I consider myself pretty computer savvy and I've set up a home wireless LAN since I've recently bought a laptop and wanted freedom to be wherever with it.

    Weeeelllll, I didn't install the Wireless encryption software (don't remember the exact name) and would instead unplug the wireless HUB when I wasn't using it. One weekend, I forgot to do this. Out of curiousity, I check the ARP on my DSL switch and found _3_ MAC entries. I only have 2 computers...

    Was this my own fault? Yes, absolutely, no question. Was I a moron for not configuring and running the WEP (Wireless Encrption Protocol)? Again, yes. But think about all the wireless LAN products being sold and how many are protected, or NOT protected.

    Where has your internet connection been today?

  • A thread on pen-test over at securityfocus has developed into an extremely well developed list of wireless security tools. The most recent thread post is archived at neohapsis [neohapsis.com], among other places, and the list of all the tools with description and license information is also online [networkintrusion.co.uk].
  • I guess with the opensourcing of Apple's zeroconf implementation there could be some implementation that enables you to monitor rogue network connections.

    I was fooling around with iChat and its Rendezvous component and I would imagine that when some idiot neighbour connects to your Airport network and forgets to quit iChat,you could be in for a laugh when he gets an instant-message from you ;-)
    A simple "Who are you and why are you using my Airport network" would be quite a shock I guess.

    And a reply from your neighbour stating that you were asking for it because your didn't implement WEP or MAC restriction would be a nice one too ;-)

  • I don't get this (Score:3, Interesting)

    by wirefarm ( 18470 ) <jim@@@mmdc...net> on Tuesday September 03, 2002 @11:55AM (#4189701) Homepage
    Wait a sec -
    You know you're running an unsecured wireless network and you want tools to find the 'rogue' people using it?
    You're going to *buy* this tool?

    Why don't you just secure the network?

    Even WEP, with all its faults, will keep out casual stumblers. Use a VPN if you need real security.

    When I see a wireless network with no WEP and a DHCP server, I see a 'welcome Mat'. I assume it's OK for me to check my mail or browse the web a bit.

    In fact, I no longer have to do anything to set up my laptop - Os X Jaguar sets up the connection for me.

    There's an old saying that good fences make good neighbors - I think that applies to wireless networks as well...

    Cheers,
    Jim

    (PS - Go ahead, be a dork - mod me overrated instead of replying. I no longer care.)

    • So when you're the internal auditor and your job is to find this stuff it would be one way to check on it. Also it's good to run something like this coupled with an alerting engine so that when/if something goes wrong the right people are told about it.
      • If I were that Internal Auditor, (which I sort of am, at my company,) I'd probably just get NetStumbler and try to connect in the office, in the lobby, from the street outside, across the street with a directional antenna. (All of which I did at my company.)
        Even transparent proxies can keep logs. If you learn to read them, you'll catch a lot of stuff.

        I just hate to see tools that try to make up for deficiencies in basic security procedures without correcting them. Having a wireless network is no different than having an ethernet port on your front porch - sure, it can be a convenience, but you have to be aware of the security implications.

        Cheers,
        Jim
  • Why not just lock the rogue users out. Putting a password on your network to prevent usage, nullifies the need for such programs as NetStumbler, meaning that this is both a waste of time and money.
  • wireless insecurity (Score:3, Informative)

    by LinuxWoman ( 127092 ) <damschler AT mailcity DOT com> on Tuesday September 03, 2002 @12:00PM (#4189735)
    It's quite obvious many people have short memories. It hasn't been THAT long since all you needed was a cheap scanner to listen in on the calls of any neighbors using cordless phones. It took a couple years of that problem for laws to pass banning scanners that scanned cordless freq's without user modifications. When it became known that people could still modify their scanners to pick up the freq's it still took years to people to realize they should start buying encrypted cordless phones.

    Considering how clueless most people are about technology and how little the average person cares about security it's not the least bit surprising that we're now seeing similar problems with WLAN. My experience has been the typical person's thought process ends at "OOOOOO....I could get one of these and use my laptop in the living room or bedroom or backporch..." and never reaches "would anyone be able to access my data/internet connection without my knowledge".

    Look how many viruses are passed along because people don't bother using (or properly using) antivirus. Look how many SPAM'ers and DOS attackes manage to use machines that aren't secured in any real way...
    • Viruses are passed along because people are careless/stupid as far as running untrusted software.

      I have never bothered using an antivirus because I'm careful about where I get my software from. Never have been infected.

      For me, AVs just slow the computer down too much.

      (Of course, it should be noted that 90% of the time I'm booted into Linux, and 99% of the software downloading I do is under Linux, not Windows.)
    • It's amazing what baby monitors pick up...
  • Here's a suggestion for a new warchalking icon:
    <Humor>
    as per closed node, a complete circle. Below, two figures, composed of a parabola on top, opening down, joining two vertical parallel lines, with the two parallel lines then joining a single horizontal line, forming a close figure. Below the two figures, a number, a slash, and a number.

    The meaning of the two figures and numbers:

    The calibre and rate of fire of the weapon that will be turned on anyone sniffing the network (the figures I described are 2 rounds of ammunition.)
    </Humor>
  • by Anonymous Coward
    I suppose there are two kinds of people out there.

    Those that think anyone with an AP left alive and uncontrolled (no wep, no MAC address lists, no filters) are public use and those that think the above AP is not public.

    I'm in the "It's public use" crowd. I equate it to someone playing a radio and if I stop by and listen, I stop by and listen. If someone says 'dont listen to my radio' they'd be wrong to do so, as they're broadcasting it to the public at a volume at which I can here (and for those who say 'radio stations are free, just say 'they are playing a CD in their stereo' instead of radio).

    The user is broadcasting a signal to me, I can hear it, I will hear it.

    If I'm sitting in the park and open my laptop and there's a network, wide open, my computer ASKS for an IP, it RECEIVES one, and I'm on the net, it's obviously permitted use. If they didn't want me on their network, they wouldn't have given me an ip address when I asked for one. They could have easily denied me that. They chose not to deny it. I knock, they give me a key and invite me in.

    I've brought up this argument on wireless lists I'm on and would be interested in knowing what some of the others out there think about it. No, this isn't a troll, intelligent opinions are welcome (hrm, and I'm asking for such on slashdot? Well, there's some wheat amongst the chaff).

    • by StevenMaurer ( 115071 ) on Tuesday September 03, 2002 @01:21PM (#4190345) Homepage
      You are correct, but not for the reason you state.

      The analogy of just "listening to someone's radio" doesn't hold water, because you are not merely passively listening to a private network, you are interacting with it. A better analogy would be watching someone's TV through a window and also controlling which channel is on using an IR universal remote.

      However legally speaking, for computer tresspass to occur one must be informed that unauthorized access is not allowed, or it must be plainly obvious to a layman. This is the reason for all those "Authorized Users Only" notices you see on computer systems.

      Since when you are sitting in a park requesting WAP based IP access, you don't know whether the access you have has been left intentionally open or not, you should be in the clear.

      But only until you read something that informs you otherwise. It is not necessary for the people whose network you are using to perform encryption; they need only post a notice. On the other hand, if they don't post notice, again it's not your fault.
  • by Pfhreakaz0id ( 82141 ) on Tuesday September 03, 2002 @12:19PM (#4189889)
    I'm kinda new to this networking stuff. I bought a dlink router/access point/firewall combo. I turned on WEP, limited the DHCP to the MAC's of my desktop LAN card, the notebook LAN card and the Notebook Wireless card. Also, I used (as I read somewhere) Netbui as the protocol for all the windows shares and unbound TCP/IP from the windows sharing stuff. Am I reasonably secure? Everything is behind the firewall, I run Command antivirus and stay on top of patches with Windows Update.
    • by wirefarm ( 18470 )
      You've probably eliminated 95% of the potential problems you might otherwise encounter.
      Sure, WEP is crap and MAC addresses can be spoofed, but unless someone really wants to get you, you're reasonably safe.
      Think 'lions and gazelles' - if you're not the slowest gazelle, the lion will probably see easier prey. You just have to stay on your toes...

      Now go grab a copy of PGP and encrypt those pictures of your girlfriend that you have in C:¥Private¥Pictures¥JamaicaVacation¥ and you'll be all set...

      Cheers,
      Jim
    • Heck, unless you're superparanoid, you don't even need to bother with WEP.

      Even MAC restrictions (easy to bypass if there's traffic) will discourage probably 90%+ of people who might find your AP. Most people who run sniffers are either a) curious
      b) Looking for free access

      Those who are malicious might actually go for the MAC-restricted WEP-enabled APs *first* because they prevent the largest challenge and are most likely to have something juicy available if they get in.

      So you don't want to be either extreme. Do something midrange. I suggest MAC restrictions rather than WEP. MAC restrictions are harder to "see" than WEP is.
  • Why not do this:

    ping (usally ends in .255)
    arp -a

    Really easy, and free!
  • Secure Setup (Score:2, Informative)

    by perljon ( 530156 )
    You should set up your wireless network just like you do a network jack on the outside of your house. [WAP]----[FIREWALL]----[Intranet] | [Internet]----+ The connection between the WAP and Firewall should be an encrypted tunnel. This way, it doesn't matter who is on your network. WAP to FIREWALL traffic can't be sniffed (encrypted) and all other traffic is firewalled.
  • and limit the number of clinet to the actual registered number. Requires some decent admin skills but not hard to do...
  • I'm hoping to write some scripts of my own to scan the various MAC addresses that show up on the network I manage for 802.11 access points.

    So far I haven't been able to find a list of the prefixes used by various manufacturers for their access points. I asked about this on usenet but the only replies I got were the IEEE lists of ALL MAC address prefixes, with no distinction between NICs, APs, switches, etc.

    I'm sure various vendors must have compiled such a thing for their auditing tools... but it doesn't seem like there's anything available through Google just yet.

    Thanks for any help you can give!

    -carl
  • Did anybody else read that and wonder what "ether rape" was? A sick off-shoot of cyber sex?
  • For users of GNU/Linux who would like to peep on others on your tcp/ip network: Driftnet [freshmeat.net]

    I wont tell you about the pics of a Ballroom-Gown-Wearing-Cross-Dresser who appeared on my GNU/Linux box here in my cube about 15seconds after firing Driftnet up.. scary...

  • Is most access points have this type of thing built in. Mine does and I got a Linksys. No big hairy deal really. Go to a web page on the router and click a button and poof you have a list of all users on the wireless. Quick. Simple.
  • See title...

    What is wrong with arpwatch? [lbl.gov]

    "apt-get install arpwatch" and the ARP table is monitored for new stations, station changes, etc. You stay up-to-date by email.

"Why should we subsidize intellectual curiosity?" -Ronald Reagan

Working...