Secure your wireless networks, or else

ZDNet ^ | Friday, October 15 | Robert Vamosi

[gitmo]

snip

Fictional scenario

At this year's Black Hat Briefing in Las Vegas, the annual Hacker court involved a scenario where a houseboat sailing up and down the Potomac River was able to use various unsecured wireless networks to access troop deployment plans from the Naval Academy at Annapolis. Presented in the form of a mock court case--including a real live federal court judge--the prosecution laid out how it identified various Web addresses used to launch the intrusion on the Naval Academy. However, when federal agents arrived at the homes matching the Internet addresses, they found the computer hard drives to be lacking any evidence of the crime. All of the homes, however, had 802.11 networks that were not secure, and all bordered the Potomac. Through some silly testimony that I won't explain here, prosecutors ultimately revealed that a houseboat sailing on the river had the ability to receive wireless signals from shore; the occupants of the boat had used the onshore wireless networks to commit their crimes. The prosecution provided forensic evidence of the houseboat's laptop, which contained the incriminating data.

Think that scenario is pretty far-fetched? Not so. snip

[tdadams]

If everyone with a wireless access point would take ten minutes to secure their system doing what you did, and configuring a firewall to shut off unneeded ports and services, there would be absolutely nothing to worry about.

[Dinsdale]

access to this level of control is protected by federal regulation.

I'm sure that will stop the blackhats. Why did'nt I think of that.

[Redcloak]

But then again, you can use the MAC Address list at home...

This is what we've done at home. While I was setting up the network, I noticed that I could see someone else's network. There's an office building about 2 blocks away. If not for the neighborhood trees, I could probably see the building from my house. My guess is that the network was in one of those offices. But looked at another way, this means that I could probably break into their network from our kitchen.

[rocksblues]

I bought my daughter a laptop and set up her for wireless and her pc kept interrupting her saying that a new wireless network was available.

Turns out it was our next door neighbor that had not changed or set up their wireless network.

I mentioned to them that I could use them to access the Internet and haven't had that problem since.

[taxcontrol]

Placing the AP outside the FW is of little benefit if the intent is to prevent hijacking of the bandwidth to prevent the above scenario.

Further, many uses place their AP behind the FW as their cable or DSL provider does not permit more than one IP address for that account. Some even lock the account by MAC address which must be cloned by the router from the customer machine.

In an enterprise environment, APs are normally placed on a DMZ (a separate interface off the FW). More trusted than the Internet but still access is controlled by the FW. This is considered "best practice". Further, many environments only allow WI-FI access after it has gone through a VPN server / appliance. In such a configuration, the hacker may be able to access the WI-FI but would be unable to gain further access to either the Internet or to the enterprise. Effectively making the connection worthless to most hackers.

[Antonello]

At present, the only way to truly secure a wireless network is through 802.1X authentication and data encryption. Basically, this requires at a minimum setting up a domain and RADIUS server network. WEP and WPA offer some protection, but have several security flaws that make them easily bypassed.

Placement of your APs with respect to your firewall is only effective if you can prevent another unauthorized AP from relaying to yours. APs have no way of authenticating each other, so the only way to block this type of attempt to gain access is to require authentication on a server through either passwords or certificates.

Bottom line is wireless networks can be made as secure as hard wired ones, but currently require more hardware, software, and system administrative resources than the typical home user has available.

[Musket]

Thanks. But what is this sniffed trivially. Is that as in TFTP? Do you know why they use the word trivial? I've always wondered that.

[Antonello]

Can a MAC address be spoofed?

yes.

[sneaky_goofy]

There's so much hype about insecurities of IEEE 802.11 or wireless LAN or WiFi. Yes WEP, basic WLAN security is crackable. But how many who will try to crack yours? Only people using Linux or BSD (Unix). I've been using WiFi since Lucent Technologies made it available to consumers.

My advise: simply change your wirelesss router defaults like change administrator's password, turn off SSID broadcast and use MAC address authentication. You may turn on WEP but if signal is marginal you'll get annoying disconnection and auto reconnected from time to time.

So I turned off WEP but SSID broadcast is off, MAC address filtering is on. The only people who can uncloak your SSID hackers using Linux or BSD OS. By the way, I watch out unknown vehicles park within 300 feet near my house.

[Dinsdale]

Iffen ya dan't lick haw Is spels wayt a litle, Ill spel it defirent next tyme.

[sneaky_goofy]

You cam block popups by editing your hosts file. See http://practice.chatserve.com/hosts.html for more.

[stainlessbanner]

bttt

[KoRn]

All you would have to do is run a sniffer during routine work days. You could get business habits, web sites visited, network addresses(inside and out)just 1 address you can map the entire address scope of the network, and last but not least MAC addresses. Of course alot of what I said depends on whether or not they secure their wireless traffic and where on the network their WAP's are placed. Knowing what I know, I would NEVER have a wireless network at this point in time unless I had to, but technology and security will improve over time....I hope

[Fiddlstix]

....access to this level of control is protected by federal regulation.

How true. Federal regulation has always stopped the dedicated criminal from committing crimes. (Not)

(They can't let you tinker with the radio or all hell would break loose).

You mean like those CB'ers using illegal 2000 watt linear amplifiers or those illegal pirate radio stations? Just to mention a couple of well known instances.

(I'm not trying to make fun of you or be sarcastic toward you. Just trying to make a point. Laws have never stopped criminal activity.)

[Mr Ramsbotham]

I'm don't know how to do this on a home router.

On a home router, your access point and your firewall are often the same device.

[gitmo]

Laws have never stopped criminal activity.

LOL! If it weren't for laws, there wouldn't BE any criminal activity.

[konaice]

Point taken.

But this is a single chip radio, and the interface is
protected with security measures as well as not documented.

Those two facts have kept the best hacker minds in the world (the Linux community) from using wireless nics (unless manufacturer releases drivers) for several years after availability in Windows. In fact the most successful method of using wireless in Linux is to put a wrapper around the windows drivers and use the windows drivers in linux.

So its not exactly like the CB world. Its more like you purchased a CB welded into a solid block of steel. Hard to tinker with.

Yes, its possible but programming on that level is well beyond the scrupt kiddies that hack your home wireless. In fact virtually all defeated by the simplest means, which leaves you worrying about 1000 hackers world wide capable of blowing thru your wireless security. As long as they live within 300 meters. ;-)

[Weirdad]

MAC addresses can be read and spoofed, but I agree that it is worth doing as one more obstacle. Use 128 bit encryption also (lesser is OK but change your keys a lot of you use lesser). (Encryption is slow on the 802.11b networks but fast enough not to bother you on 802.11g provided your computer is not too old. If it is really slow you might take the risk and not use encryption but be sure to use MAC filtering!) Don't broadcast your network SSID either.

You actually CAN place access points outside a firewall, but it is a mess. It requires two routers your router facing the Internet, and the second wired router (for the wired portion of your LAN) uses the wireless one as a gateway. This setup has its own problems because your wireless computers are not inside that firewall. If you just want to give wireless clients access to the Internet and each other without access to your wired network, that setup will work. However, but if you want to let the wireless clients access your wired network, then you have to set it up so that your wireless router can reach inside your wired network, and if you do that then there is little point in having the inside firewall unless you also set up a "virtual private network" in which the wireless computers have special software )or hardware) enabling them to reach through your inside firewall - very complicated and somewhat expensive, and slow, and also involves some other issues that may cause some communication problems.
Also, just be sure your firewall itself is configured correctly!

I think that non-broadcast of the SSID plus 128 bit encryption, plus MAC address filtering all at once is enough to keep hackers from wasting their time on your wireless net.

[PeterFinn]

Hate to tell you...

MAC addresses can be set manually on certain types of NIC cards (for obvious reasons I won't say which ones) and I discovered this quite accidently when I bought a few NICs for some boxes at the office and they all had the same MAC address. RTFM. Sure enough, they came with instructions on how to select and set a MAC address.

Regardless, it's just an OSI protocol that is terribly easy to spoof. Spoofing a WLAN card is really easy since it's done with an emulator and does not have to be hardcoded. You can even 'scan' a network for vulnerable MAC addresses the same way you can scan for open IP addresses on a network.

MAC address security along with 128bit WEP keys and a nice, tight, algorithmic hash security method are your best bet for keeping a network secure.

Even then, it's all for naught if you share security info with the wrong people - or even the right people who happen to be stupid.

The smartest security people do not allow WLAN despite the 'convenience'.

[mattdono]

True, MAC address can be easily spoofed.

And, I don't do this often, but I'm going to plug my company here in the forum, because my company just so happens to install secured wireless networks for residential and commercial properties (Link to my company site). Myself and a network guru buddy of mine have designed encryption that is very secured and perfect for these markets.

But, I tell all of my clients, this is like an alarm on your home. If someone really wants in, it is possible. However, most wardrivers with malicious intent (including many terrorists --they believe that this is one of the main ways terrorists are cloaking their activity in cyberspace),are looking for easy targets. And, because 70 to 80% of all wireless networks are unsecured, it is a target-rich environment.

And, while I'm admittedly biased, it really is a good idea to have your wireless network locked down. I tell all of my clients, "You wouldn't leave the front door of your house unlocked and open to the public, would you? There's no reason to do it with your wireless network."

GW and Twins Pawpaw....you said,

"Another reason to hardwire..."

I agree and disagree. My company also designs wired networks too, but wireless is a market trend for many reasons.

First, it is conveinient. You aren't, literally, tied down to one location in a home. So, you set up a laptop at a small kitchen nook. With a wireless print server, you can put your printer anywhere in your house without having to jam it into a deskspace.

Second, you don't have to wire your home. If your home was built in the last 5 years, then it is may be wired with CAT5 cabling (or better). But, unfortunately, most houses are much older than 5 years old. Having a wireless solution can eliminate the need for these types of rennovations. And, let's be perfectly honest, if you are into the DIY thing, who wants to crawl around an itchy old attic dropping cable. Not many.

Third, a secured wireless solution is great for small businesses. Small business that rent storefront or operate out of executive office-type places move frequently. The business is likely to have high-speed access, but if they have more than 2 or 3 workers/computers, then having wires running around the office or pay money to have "drops" put in. The wiress running along the floor is unsightly and unsafe. Doing the drops can be expensive. With the wireless network, if the business moves, they unplug it, move, plug it back in, reboot and they are gold.

The key for homeowners or business owners is value. A wireless network can provide them value. But, it really is imperative that the network is locked down.