Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Wireless Networking Hardware

The Year 2003 in Wireless Network Security 66

OenMarK writes "I ran into an article that is basically an overview of events, software releases, and happenings related to wireless security. There's also a Q&A with some wireless security experts, one of which is from IBM. What's your take on wireless security? Are we there yet?" This is the same site that also hosts the look back at Linux security we posted earlier. They complement each other well.
This discussion has been archived. No new comments can be posted.

The Year 2003 in Wireless Network Security

Comments Filter:
  • by Anonymous Coward on Saturday December 27, 2003 @12:06PM (#7817560)
    ...gives the Microsoft security staff something to look down on.
  • by plover ( 150551 ) on Saturday December 27, 2003 @12:12PM (#7817588) Homepage Journal
    I would much rather more information about attacks and their severity.

    A study of honeypot projects that showed most wi-fi abuse was "bandwidth stealing" doesn't exactly fill me with a sense of dread. More useful would have been a list of attempts hackers sitting outside of unsecured businesses trying to get at the corporate data.

    Or are they trying to lull potential customers into a false sense of security?

    • A study of honeypot projects that showed most wi-fi abuse was "bandwidth stealing" doesn't exactly fill me with a sense of dread.

      Maybe it should. With the current state of "Internet crime" paranoia, having a wide-open anonymous access point, while not yet comparable to lending your gun to strangers on the street, might well be compared with leaving the keys to the ignition of your car with the exception that you know whoever takes it will bring it back.

  • What's this? Wireless and security in the same sentence?
    Wireless and security seem to be two words that are mutually exclusive these days, it would seem: between cocky administrators not securing their wireless networks, that few networks seem to be using WEP and huge bugs in phone's implementations of bluetooth...

    Know anyone who trusts WiFi? I don't. Even my university doesn't (and it isn't well known for good security practise). Useful, but slightly untrustworthy.
  • VPN... (Score:5, Informative)

    by craenor ( 623901 ) on Saturday December 27, 2003 @12:17PM (#7817613) Homepage
    Just have your wireless devices set to a DMZ that opens to one page, a VPN portal. Then you have a wireless connection, with VPN providing your security. Voila...a little bit more cumbersome, but isn't your network integrity worth it?
    • Re:VPN... (Score:4, Informative)

      by JKR ( 198165 ) on Saturday December 27, 2003 @12:21PM (#7817629)
      Or use WPA with RADIUS, and centralise all your external authentication. Based on my experiences with a NetGear FWAG114, that would be my preferred option.

      Jon.

    • Re:VPN... (Score:3, Informative)

      by Brushfireb ( 635997 ) *
      Sure, VPN will do it, but it will eat up your bandwidth too.

      Anyone who has done any significant work with large-scale wifi infrastructure knows this, any form of VPN will eat 20-30% of your bandwidth away just for itself. This is very bad for networks with hundreds (thousands) of users, like large corporations and universities.

      In cases like those, WPA/Radius is a better implementation, or you can use CISCO proprietary LEAP (i think..). They wont eat your bandwidth for breakfast, but they will provide s
      • Re:VPN... (Score:2, Informative)

        by Brushfireb ( 635997 ) *
        One more thing... The reason that something like A VPN is useful, which I forgot to point out (that you were perhaps hinting at), is that Universities jumped on board too quickly, and they now have boatloads of 802.11b equipment floating around. In such a case, VPN is really their only option, all bandwidth issues aside. They could potentially use the CISCO stuff, but that would mean that ALL users would need cisco cards, something which is NOT possible on large universities (they will see everything from
    • You forgot about the token stored on a smart card, your biometric information via finger print reader, along with a plain old username and password (which only corresponds to that particular set of biometrics) that are needed to log in to the VPN. A tad bit more cumbersome, yes, but voila! Complete wireless security.
  • by bagboy ( 630125 ) <neo AT arctic DOT net> on Saturday December 27, 2003 @12:20PM (#7817623)
    Despite the advances made in 802.11i - WAP/TKIP (TLS/TTLS/EAP/PEAP) - the best solution is "on-the-wire". 3DES IPSEC and now SSL Tunneling are two examples we are using to avoid new exploits as hacks become available for the wireless standards. The above are tried and true methods of encrypting data. If the end user simply runs a client (3DES IPSEC) or uses the well known SSL standard (no client needed) between themselves and your NOC/Colo/Facilities - you can gaurantee a measure of security for their data.
  • by Punk Walrus ( 582794 ) on Saturday December 27, 2003 @12:26PM (#7817644) Journal
    I have as of yet, found no way that you can make a wireless system secure. Sure, you could say the same with wired, but at least you can contain wired security. Someone has to break into the building, or use "social engineering." Some personal contact has to be made.

    Wireless has no such limits. This is even skript kiddie level stuff.

    This is my report on it. [punkwalrus.com]

    • Oh please. Your "report" mentions MAC filtering and WEP. SUre, if those are the only thing that you know about then sure wireless is going to always be insecure. But, duh, there are tons of other methods to positively secure your wireless network. Such as: a SSH tunnel, IPSEC, VPNs, etc. Get a clue please before you denounce wireless as "insecurable."
      • Clues are not solutions. Are you saying, with absolute certainty, that SSH, IPSEC, and any VPN cannot be hacked? On a $99 Linksys router you got from Circuit City?

        I envy your faith.

        • Yes, that is PRECISELY what I'm saying, and it has nothing to do with the quality (or lack thereof) of the wireless hardware. SSH, IPSEC, et al. work based on sound cryptography. They are designed such that it doesn't matter whether the attacker can see the entire message conversation between A and B. The link is still secure. The security doesn't come from the wireless hardware, it comes from the fact that you drop all packets except those that pass through a ssh tunnel, which itself is secured by publ
  • by dduardo ( 592868 ) on Saturday December 27, 2003 @12:27PM (#7817645)
    On Linksys' site they have 7 things people should do to keep their wireless network safe:

    1. Change the default SSID.
    2. Disable SSID Broadcasts.
    3. Change the default password for the Administrator account.
    4. Enable MAC Address Filtering.
    5. Change the SSID periodically.
    6. Enable WEP 128-bit Encryption. Please note that this will reduce your network performance.
    7. Change the WEP encryption keys periodically.

    Now your telling me average joe (or administrator) is going to preform all these tasks, and remember to regularly change the WEP encryption keys. This is a problem, and until security setup and mantainance is automated and/or easy enough for the everyday folk, there is going to be a continual growth of attacks on these type of networks.

    ------------
    • When my SO got a bit stupid and left her jacket containing her wallet and keys unattended for several hours in a bar, resulting in theft of said jacket with keys and ID (letting thief know exactly where the keys would work) it would have been nice if all the locks on the house and car changed automatically and the credit cards automatically changed their account numbers making them unusable by the thief but not interupting our own use.

      But we live in this universe, with these laws of physics.

      Yes, a compute
    • Personally I like the way my garage door open works. The only way to add a remote to the system is to open the box and push a few buttons to tell the system get ready for a new remote. Then you push the button on the remote and verify that the new remote was added.

      Networking devices should create and change their own WEP keys automatically. I know my mother certainly isn't going to change it frequently if at all, and if so it will be her kids names or something.

      The device would have MAC Address filt
  • Are we there yet? (Score:5, Interesting)

    by TechyImmigrant ( 175943 ) * on Saturday December 27, 2003 @12:30PM (#7817658) Homepage Journal
    Are we there yet? Lets see..

    1) 802.11i is still not yet approved as a standard
    2) WPA (the impetuously released TKIP variant) is not widely available and like 802.11i relies on 802.1X.
    3) 802.1X has been withdrawn by the IEEE pending a re-write. Its broken for wireless. Don't expect to see the revision any time soon.
    4) No semblance of a seamless, inter operator, inter hotspot, non web-pagey user authentication scheme for mobile devices is widely deployed for 802.11.
    5) Other wireless networks that are deployed are insecure (E.G. GSM)

    I think maybe there's a way to go yet.
  • by freeweed ( 309734 ) on Saturday December 27, 2003 @12:35PM (#7817676)
    Up here in central Canada, early 2003 showed a nice, gradual uptake in wireless equipment by the business sector, and a few tech-heads putting it in their houses. Now that xmas is over, and stores were selling APs for as little as $15 (cdn) after rebates, I'm seeing almost a 10-fold increase in the number of hotspots compared to June of this year.

    I see a couple of trends on the horizon:

    1. Just as you can no longer buy a 10mbit hub, because a 10/100 switch costs pennies more to make, soon all home cable/DSL routers will come with 802.11b at the very least. The "premium" models will include g for $5-10 more, to keep some price differentiation happening.

    2. Back when it was us geeks and businesses, the WEP/non-WEP ratio seemed to hover around 50-75%, depending on area. Driving around last night, it's below 10%. This could be an indication of new xmas presents that the owner hasn't had time to configure, but really: how many people actually change from the default settings? (On that note, thank you SMC for having a blank default password and an SSID of "SMC" :)

    Just the changes in the past 12 months have convinced me that 2004 will be the year wireless really takes off everywhere up here, and as long as it's still being shipped unsecured to the consumer, we're soon going to have a LOT more opportunity for this [canoe.ca] sort of thing.

  • by Waffle Iron ( 339739 ) on Saturday December 27, 2003 @12:53PM (#7817742)
    I made my wireless network secure this year. After a couple of years of use, my wireless adapters are now sitting in the bottom of a drawer, and I tacked a Cat5 ethernet cable to my ceiling and walls to replace them.

    No more worries about wireless security alerts, finicky configurations, key management, weird drivers, setting up VPNs within my own house, strange network freezeups or having to read articles to keep on top of it all.

    To me, keeping my mind uncluttered and free from all that minutia is worth the ugliness of a few network cables.

  • My company ( Newbury Networks, Inc. [newburynetworks.com]) makes a product that provides physical perimeter security on 802.11. It uses our location-tracking technology to identify the location of all 802.11 traffic and can then both report and classify traffic as well as deny access to devices outside your physical perimeter. While some security problems remain, this largely mitigates the "attacker in the parking lot" scenarios.

    Most people assume that wireless security cannot be coupled to physical security. If you can keep
  • by mesocyclone ( 80188 ) on Saturday December 27, 2003 @03:00PM (#7818234) Homepage Journal
    probably the most important news is that China will disallow standard 802.11 WEP security and mandate its own standard [eetimes.com] - WAPI for all Wi-Fi in the country. This could have wide ranging implications, from splitting the market to leading to a possibly improved system (on first glance, WAPI beats WEP hands down, except for privacy implications - big surprise) for the world.

    In any case, it is a dramatic development.
  • Working at a .edu we don't particularly trust our wired networks either, so pretty much all of our services (HTTP, IMAP, LDAP, etc.) require encryption (SSL or SSH). So the only thing special about wireless is that someone doesn't have to walk into the building to get on the network.

    The most common solution to this for now seems to be to do some magic with DHCP, iptables, etc. to force the user to a web page where they authenticate themselves before giving them normal network access. I'd prefer we could
  • Are we even at the "wireless" step yet? I've had nothing but trouble with wireless networks...even ones where everything I bought was from the same vendor. Eventually one of my cards broke - I'm not trying wireless again until it becomes more reliable, less expensive, and there is more support for cards in Linux.
  • Give that WiFI was crippled from birth I assume its clear even if its WEP-64. It would have been so easy to add DH key exchange plus strong crypto or use the SSL style encryption handshakes but no they invent their own. OK maybe I missed the fine technical details on WEP but its not exactly trused is it whereas SSLv3 (of a suitable key length and algorithm) is trusted.

    So yes I have WEP and MAC filters turned on my Home Wireless but the Access Point (infrastructure mode) is on its own DMZ LAN and plugged i

God made the integers; all else is the work of Man. -- Kronecker

Working...