Wi-Fi User Authentication

From: N407ER (n407er_at_myrealbox.com)
Date: 07/20/03

Date: Sun, 20 Jul 2003 13:29:32 -0400
To: security-basics@securityfocus.com


Hi, folks,

We're (I use the anonymous "we" here with apologies) in the process of
setting up a Wi-Fi access point here. Bear in mind that we have little
control over client configuration or consistency--personal computers
would be used, with any OS--and don't want to spend a lot of time
providing technical support.

One of the other groups here went with a product called ReefEdge to
provide Wi-Fi authentication to prevent unauthorized usage; as far as I
can tell from chatting with them, it does pretty much the same as what
we were thinking; however, due to cost, we'd prefer to develop something
in-house or use something open source.

So the plan I had was this:

Set up the gateway with a firewall which would by default redirect all
outgoing tcp/80 traffic to some local machine, which would have a
"sign-in" page. Users authenticate with their username/password, and a
ruleset is temporarily added to the firewall allowing them full outgoing
traffic. When they are done, they log out, deleting the ruleset (or we
time out their connection after a certain amount of inactivity).

The real question I have is this: even if we were to use MAC address
matching instead of IP (iptables has an option in the 2.4 kernel for MAC
matching, as I recall), anyone can grab all the information he needs to
spoof a valid connection from a single captured packet. Now, assuming we
close or time out connections when the user logs out, he'd have to take
over a connection still in use. There is no guarantee, though, that the
victim client would even notice (nor would we), especially if it is
running something like ZoneAlarm and simply drops, with no ICMP reject,
all unexpected packets. This would mean the attacker could simply pick
up all the responses to his spoofed connections without the victim
noticing.

So how can you prevent this without using something which would require
client-side support, like VPN? VPN is not much of an option for us; I've
been told that a Mac VPN client costs money, and regardless, we don't
want to have to support user configuration. Do I have to simply hope no
one will be able to hijack a connection which is in use?

I've seen software which claims to detect attempts to hijack Wi-Fi
networks, but most appear to just detect brute-forcing on the IP
address, etc. Any attacker could merely passively capture a single
packet and bypass this detection in a snap.

Thanks for any help.
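The firewall design sketched in the message above, written out as an added example in iptables (this is not code from the original post or from ReefEdge). It redirects unauthenticated tcp/80 to a sign-in page on the gateway, adds a per-client ACCEPT rule bound to both source IP and source MAC after login, and deletes it on logout. The interface names (eth0/eth1), the portal port (8080), the chain names wifi_auth and wifi_auth_nat, and the `IPT=echo` dry-run convention are this example's own assumptions, and the ARP table read by `mac_for_ip` is the Linux /proc/net/arp format.

```shell
#!/bin/sh
# Added example, not code from the original post: a minimal captive-portal
# ruleset for Linux netfilter/iptables following the design described above.
# Unauthenticated tcp/80 from the LAN is redirected to a local sign-in page;
# a successful login adds a per-client ACCEPT rule matched on source IP and
# source MAC, and logout (or an idle timeout) deletes it again.
# Assumptions of this example: interface names LAN_IF/WAN_IF, the portal port,
# and the chain names wifi_auth / wifi_auth_nat. Set IPT=echo for a dry run.
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
PORTAL_PORT=${PORTAL_PORT:-8080}

# The login CGI hands these functions a client IP and MAC, so accept only a
# dotted quad and a colon-separated MAC before they reach the iptables command line.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# The sign-in page only sees the client's IP; the MAC comes from the gateway's
# ARP cache. /proc/net/arp columns: IP address, HW type, Flags, HW address,
# Mask, Device. Flags 0x0 marks an incomplete entry, which is skipped.
mac_for_ip() {
    awk -v ip="$1" 'NR > 1 && $1 == ip && $3 != "0x0" { print $4; exit }' "${2:-/proc/net/arp}"
}

portal_init() {
    # Forwarded traffic is denied unless an authenticated-client rule matches;
    # replies to allowed flows come back through conntrack state.
    $IPT -P FORWARD DROP
    $IPT -N wifi_auth 2>/dev/null || true
    $IPT -F wifi_auth
    $IPT -A FORWARD -i "$LAN_IF" -j wifi_auth
    $IPT -A FORWARD -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Unauthenticated clients may still reach the sign-in page and a resolver on
    # the gateway itself, otherwise the browser never gets as far as the redirect.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$PORTAL_PORT" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    # nat: an ACCEPT in wifi_auth_nat ends nat processing for that packet, so
    # only clients without an entry there reach the REDIRECT to the portal.
    $IPT -t nat -N wifi_auth_nat 2>/dev/null || true
    $IPT -t nat -F wifi_auth_nat
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j wifi_auth_nat
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$PORTAL_PORT"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Called by the sign-in page after a successful username/password check.
# The rule is bound to IP and MAC together, but as the post notes both values
# are visible in any captured frame, so this does not stop a determined spoofer.
grant_client() {
    mac=$1; ip=$2
    valid_mac "$mac" && valid_ip "$ip" || return 1
    $IPT -I wifi_auth -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    $IPT -t nat -I wifi_auth_nat -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
}

# Called on logout or by an idle-timeout job; -D needs the exact rule spec.
# wifi_auth is traversed for every packet arriving from the LAN (there is no
# ESTABLISHED shortcut in that direction), so revocation also cuts the
# client's connections that are already open.
revoke_client() {
    mac=$1; ip=$2
    valid_mac "$mac" && valid_ip "$ip" || return 1
    $IPT -D wifi_auth -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    $IPT -t nat -D wifi_auth_nat -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
}

# Command-line dispatcher: "init", "grant MAC IP", "revoke MAC IP".
# With no arguments the script only defines the functions (so it can be sourced).
case "${1:-}" in
    init)   portal_init ;;
    grant)  grant_client "$2" "$3" ;;
    revoke) revoke_client "$2" "$3" ;;
esac
```

For the inactivity timeout the message mentions, a cron job can sample the per-rule packet counters shown by `iptables -vnxL wifi_auth` and call `revoke_client` for any entry whose counter has not moved for the idle period. Note that nothing here addresses the hijacking concern raised in the post: a client that sends frames with the victim's IP and MAC matches these rules exactly like the victim does.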

