RE: Wireless Security Notes and Findings (from this list and other places)

From: Potter, Tim (Tim.Potter_at_clarkconsulting.com)
Date: 07/09/03

    Date: Wed, 9 Jul 2003 14:17:16 -0500
    To: <security-basics@securityfocus.com>
    
    

    Trying again. Didn't seem to go through the first time...

    Here is some info I've gleaned off this list. I can't credit all the
    authors as this info is from about 10 different people. I've also
    included the solution we are going to implement.

    There are two general areas of wireless security: Authentication and
    Encryption.

    AUTHENTICATION:
    Authentication is what will keep evil humans from logging into your
    network. By far, the best way to do this is via 802.1x, which is an
    authentication standard that works with wireless networks. Basically a
    client computer runs a client program to connect to the network with a
    username and password (client comes built in on Windows XP or Mac OS X.
    Other operating systems will have limited support, but Cisco probably
    makes a client app). Once a user is authenticated they are assigned a
    WEP (wired equivalency protocol) key. This is where authentication
    bleeds into encryption. What the WEP key does is encrypt user's wireless
    transmissions on layer 2. Problem with WEP is that there is a flaw in
    the algorithm that allows an attacker to crack the key with a certain
    amount of data. This is overcome by rotating WEP keys.

    ENCRYPTION:
    The next step up is a quantum one. Use 802.1x for user to auth on the
    network, access points will forward auth requests to RADIUS server (I
    think FreeRADIUS will do the job. I think I saw somewhere that they had
    LEAP (Cisco's EAP) extensions in CVS). Link your RADIUS server to your
    LDAP server you use for your regular day to day network authentication
    (hopefully someday these access points will support authing against
    LDAP, anyways). Once authd, your users will receive a unique WEP key for
    that session only. Allow users to roam with their authentication using
    IAPP (inter access point protocol) for the access points to talk to each
    other.
    Well from what I know, setting up a RADIUS authentication server using
    802.1x with a rotating encryption key is the only secure way to use
    wireless at all.

    WPA:
    MS has released WPA drivers for XP. For Win2K, I believe that one needs
    to obtain WPA drivers from the vendor.
    To support WPA, the AP, NIC and client all have to support WPA and all
    clients must run WPA.
    For more info on WPA, check out http://www.wi-fi.org and google for
    "Wireless WPA" (without quotes).

    DESIGN:
    I would suggest that you have all your AP's on the Outside or at least
    in the DMZ of your firewall and then the clients should use VPN to get
    into your network.
    Group access points on different VLANs, according to the rights users
    need. Require some kind of login to access out of the VLAN. This is
    clumsy and awkward and horrible; be aware that a few "wireless switch"
    products just use the user login to group clients into VLANs, and expect
    your core inter-VLAN routing access lists to do all policy
    enforcement...

    MISC NOTES:
    Specifying specific MAC addresses for access isn't really secure either
    as an attacker can spoof the MAC address specified in the access point.
    If you're going to do PEAP, you can't use Funk Steel Belted RADIUS. We
    recently deployed Funk's RADIUS server and, for wireless, they work best
    with their Odyssey client and EAP-TTLS.
    A) Establish policy and standards.
    1) Implement WEP, which is broken but better than nothing.
    2) Do not broadcast the SSID.
    3) Do MAC or layer 2 filtering.
    4) Enforce authentication
    5) And if you are really paranoid, use a VPN.
    And oh yes, monitor your network!
    1) OS specific. This thread has already shown the MS-centric option,
    using PEAP or EAP-TLS type solutions to overcome the
    scalability/compromise issues with static WEP. This is great if you have
    this ability to dictate OS and AP choices so the environment is totally
    supported
    2) Hardware specific. I've had good success personally with
    Cisco-specific solutions, using LEAP+TKIP+Broadcast Key rotation. This
    gives you the authentication piece via a RADIUS back-end, dynamic keying
    and re-keying (and on an 802.11b network, setting your key lifetime
    below about 5 hours will significantly reduce the risk of compromise,
    since it takes ~5.5 hours for the AP to transmit the 1M packets at which
    a WEP flaw becomes statistically likely) and more. It does, however,
    require Cisco or other LEAP compliant (including some Intel) Wireless
    NICs and Cisco APs, plus a RADIUS server capable of passing the correct
    AV pairs.
    3) VPN. Firewall of your wireless network, and require a VPN to access
    the internal network. This leaves you with a single point of entry that
    you can control. The flip side of this is that it IS a single point of
    entry, with all the issues therein, and the fact that users likely now
    have an additional login step to access the wireless LAN. There are
    also options such as Reefedge (http://www.reefedge.com) that will
    provide a distributed firewall/VPN/authentication solution that provide
    a very effective 'shim'.
    4) Built in functionality, such as MAC filtering, static WEP, no
    broadcast SSID and so on. This is the least effective of the solutions,
    but should be built into any AP you choose to purchase and supported on
    any NIC.

    Some Links:
    http://www.iss.net/wireless/WLAN_FAQ.php
    http://www.drizzle.com/~aboba/IEEE/
    http://www.internet.com/sections/wireless.html
    http://www.wirelessweek.com/
    http://www.80211-planet.com/
    http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a008009c8b3.shtml
    http://searchnetworking.techtarget.com/infoCenter/tip/0,294276,sid7_gci905077_tax293386,00.html?Offer=wlancross6.30

    OUR SOLUTION:
    We are going to go with Cisco Aironet 1100 and maybe 1200 Access Points.
    We are going to implement 802.11b for now, but will upgrade to 802.11g
    when it becomes available. Due to issues we've heard about dual b/g
    environments, we will most likely cut off b in the future and be
    strictly 802.11g. In our pilot we will be testing various wireless
    NICs for range and performance.
    We are going to place our access points on a DMZ hanging off our PIX
    firewall. On our inside network, we will have our RADIUS server which
    is going to be Windows 2003 Enterprise with their IAS (RADIUS) server.
    We choose Enterprise because standard will only support up to 50 users.
    We are also going to implement PEAP. Microsoft offers built in support
    for this. Cisco also supports this standard. We'll be rotating our
    encryption keys, but not sure of the frequency at this point.
    We will also disable SSID broadcasting and will implement MAC address
    filtering. Our computers will need to be approved for wireless access,
    and at that time we will add the NIC's MAC address to the allowed list.
    We will also be disallowing Ad-hoc mode.
    We choose not to use a VPN solution because a client would have to be
    installed on each wireless computer. This would defeat the purpose of
    allowing visitors quick access to the Internet.

    Anyway, I hope this info is useful. I've learned a lot about Wireless
    Networking in the past few months - but still feel like I have a ways to
    go!

    Tim Potter, CCNP, CCDP
    WAN Administrator
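The post keeps coming back to a RADIUS back-end as the piece that makes 802.1x work (FreeRADIUS, Windows IAS, "a RADIUS server capable of passing the correct AV pairs"). As an added illustration that is not part of Tim's post and not any vendor's code, the block below models the basic RADIUS exchange from RFC 2865 in Python, with both sides present: the access point (NAS) builds an Access-Request whose User-Password is hidden under the random Request Authenticator, the server checks the credential and answers with an Access-Accept or Access-Reject carrying a Response Authenticator computed over the reply plus the shared secret, and the NAS accepts the reply only if that authenticator verifies against the outstanding request. The shared secret, user database, NAS identifier and all names are constructed for the example. It models the plain User-Password flow, not the EAP-Message/PEAP tunnel the post settles on, which layers on top of the same packet format.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(blob):
    """Parse TLVs back into (type, value) pairs, rejecting malformed lengths."""
    attrs = []
    while blob:
        atype, alen = struct.unpack("!BB", blob[:2])
        if alen < 2 or alen > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((atype, blob[2:alen]))
        blob = blob[alen:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_id, request_auth=None):
    """NAS side: Code(1) Identifier(1) Length(2) RequestAuthenticator(16) attributes."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IDENTIFIER, nas_id),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(code, identifier, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def handle_request(request, secret, user_db):
    """Server side: check the hidden password against a constructed user table."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:]))
    username = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if hmac.compare_digest(user_db.get(username, b"\x00"), password):
        return build_response(ACCESS_ACCEPT, ident, request_auth, [(REPLY_MESSAGE, b"welcome")], secret)
    return build_response(ACCESS_REJECT, ident, request_auth, [(REPLY_MESSAGE, b"denied")], secret)


def verify_response(response, request, secret):
    """NAS side: trust a reply only if its Identifier matches the outstanding request
    and its Response Authenticator proves knowledge of the shared secret."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret, users = b"constructed-shared-secret", {b"alice": b"pw"}  # constructed sample data
    req = build_access_request(7, b"alice", b"pw", secret, b"ap-lobby-1")
    resp = handle_request(req, secret, users)
    print("accepted" if resp[0] == ACCESS_ACCEPT and verify_response(resp, req, secret) else "rejected")
```

The check the NAS performs in verify_response is the part worth internalising: an Access-Accept that arrives without a valid Response Authenticator, or with the wrong Identifier, is discarded rather than trusted, which is what keeps a forged reply on the management network from opening the port.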
     


