Networking Forums


Metro WiFi and security?

 
 
Jim Miller
Guest
Posts: n/a

 
      09-28-2004, 11:39 PM
Anyone familiar with how Houston, Philly, et al., are going to manage
security on their metro WiFi schemes?

Should be interesting.

They need something. WEP is out. WPA-TKIP/PSK would mean having preshared
keys all over the place.

How about enterprise level WiFi security such as EAP? Does that have
applicability?

tnx
jtm


 
 
 
 
 
Jeff Liebermann
Guest
Posts: n/a

 
      09-29-2004, 04:28 AM
On Tue, 28 Sep 2004 19:39:56 -0400, "Jim Miller"
<(E-Mail Removed)> wrote:

>Anyone familiar with how Houston, Philly, et al., are going to manage
>security on their metro WiFi schemes?
>Should be interesting.


Yeah, sorta.

>They need something. WEP is out. WPA-TKIP/PSK would mean having preshared
>keys all over the place.
>
>How about enterprise level WiFi security such as EAP? Does that have
>applicability?


WPA? Whazzat? Most of the existing and proposed metro WiFi systems
are using WEP and MAC address filters.
http://www.tropos.com/pdf/Tropos_Security_WP.pdf
However, the real security is end to end tunnels using IPSec VPN
tunnels.

A big headache in a mesh network is that each poletop access point has
to talk to each other access point. Individual encryption keys
between poletops is an administrative nightmare. Therefore, the entire
system has to use one common encryption key or pass phrase. Changing
the key regularly is not impossible but rather tricky. In addition,
with a store-n-forward, single radio type poletop, the client radios
must also have the encryption key or pass phrase configured. So much
for system wide security. The ones that I've seen, that are actually
deployed, use a trivial WEP key to keep the casual tourists out, MAC
address filtering, IDS (intrusion detection system), and lots of
system monitoring. Only one I know about provides VPN termination
services at the ISP gateway. Since over half the client radios
currently in service do not have WPA capabilities, WEP is the common
denominator.

There are some proprietary schemes being tested. Sorry, I can't talk
about them.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
 
 
Jim Miller
Guest
Posts: n/a

 
      09-29-2004, 10:56 AM
i'm having a little trouble understanding how a city providing universal
access to the net will implement mac address filters for every citizen. also
these networks are hyped as a means for commerce to develop that wouldn't
have otherwise. what happens when vendors from out of town come to visit and
expect to connect?

it just seems a little half baked...

bwdik

jtm


 
 
Jeff Liebermann
Guest
Posts: n/a

 
      09-29-2004, 02:51 PM
On Wed, 29 Sep 2004 06:56:31 -0400, "Jim Miller"
<(E-Mail Removed)> wrote:

>i'm having a little trouble understanding how a city providing universal
>access to the net will implement mac address filters for every citizen. also
>these networks are hyped as a means for commerce to develop that wouldn't
>have otherwise. what happens when vendors from out of town come to visit and
>expect to connect?
>
>it just seems a little half baked...


The security issue with metro wireless is in 3 almost separate areas.
1. Mesh network security. The idea is to keep the hackers (like me)
out of the mesh and backbone. Impersonating a poletop is a good
example.
2. Client security to prevent sniffing of passwords.
3. Traffic security, to prevent gamers from using the poletops as
their private repeaters.

There are others, but these are the main issues. Unfortunately, the
encryption issues are different in all cases, with little overlap.
For example, the correct way to deal with email security is to have
the ISPs provide an IPSec VPN termination at their gateway. The
customer can then create their own individual secure tunnel. Locally,
I only know 1 ISP that's actually doing that and 2 more that are
considering it. Everyone else says to use webmail with SSL
encryption. Yech. It's not like such boxes are difficult to find or
implement:

http://www.nokiausa.com/business/mob...,2888,,00.html

From what I've seen, most metro wireless systems are not for the GUM
(great unwashed masses). They are primarily for municipal services
(police, fire, roads, utilities, etc) and whatever excuse was used to
fund it in the name of anti-terrorism. These can make effective use
of VPNs and MAC address security. The GUM is on their own.

Traffic security is interesting in that most WISPs don't appreciate
the problem until it hits them. Turning a public poletop into a
private network repeater is fairly simple. It comes under "theft of
bandwidth" or some such security buzzword. No need to connect to the
internet, just your friends and neighbors.

I'm not really sure how these metro wireless systems are going to be
managed, who's gonna get the support headache, and how they're going
to deal with enforcement. One funding proposal I've seen had zero
dollars for management. Just turn it on and walk away. It's no
different than an ISP or WISP, but on a much larger scale. I guess it
should be handled the same way with the added enjoyment of municipal
bureaucracy. Dunno.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
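
An added example, not part of the original posts: one way the "system monitoring" mentioned in the thread could flag the traffic-security issue, where clients use poletops as a private repeater and their traffic never reaches the ISP gateway. The flow-record layout, the `local_relay_report` name, the thresholds and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records, as a hypothetical mesh controller might export them:
# (client_src, client_dst, egress, bytes). egress is "gateway" when the traffic
# left the mesh toward the ISP, otherwise the poletop that delivered it locally.
FLOWS = [
    ("00:11:22:aa:00:01", "203.0.113.10", "gateway", 48_000_000),
    ("00:11:22:aa:00:02", "00:11:22:aa:00:03", "pole-17", 910_000_000),
    ("00:11:22:aa:00:03", "00:11:22:aa:00:02", "pole-04", 875_000_000),
    ("00:11:22:aa:00:04", "198.51.100.7", "gateway", 5_000_000),
    ("00:11:22:aa:00:04", "00:11:22:aa:00:01", "pole-04", 20_000),
    ("00:11:22:aa:00:02", "192.0.2.55", "gateway", 1_200_000),
]


def local_relay_report(flows, min_bytes=100_000_000, min_local_share=0.9):
    """Return client pairs that use the mesh mainly as a private repeater.

    A pair is reported when the bytes it exchanged inside the mesh reach
    min_bytes AND make up at least min_local_share of everything the two
    clients sent. Both thresholds are assumed values to tune per network.
    """
    local = defaultdict(int)  # unordered client pair -> bytes kept inside mesh
    total = defaultdict(int)  # client -> all bytes it sent
    for src, dst, egress, nbytes in flows:
        total[src] += nbytes
        if egress != "gateway":
            local[frozenset((src, dst))] += nbytes

    report = []
    for pair, nbytes in local.items():
        pair_total = sum(total[client] for client in pair)
        share = nbytes / pair_total if pair_total else 0.0
        if nbytes >= min_bytes and share >= min_local_share:
            report.append((tuple(sorted(pair)), nbytes, round(share, 3)))
    # Heaviest users of local relay first.
    return sorted(report, key=lambda row: -row[1])


if __name__ == "__main__":
    for pair, nbytes, share in local_relay_report(FLOWS):
        print(f"{pair[0]} <-> {pair[1]}: {nbytes} bytes local, share {share}")
```

Requiring both a volume floor and a high local share keeps ordinary clients that occasionally reach a neighbour on the same mesh out of the report.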
 
 
Jim Miller
Guest
Posts: n/a

 
      09-29-2004, 04:02 PM
from the news reports philly and houston are specifically targeted at the
GUM.

jtm


 
 
Jeff Liebermann
Guest
Posts: n/a

 
      09-29-2004, 10:00 PM
On Wed, 29 Sep 2004 12:02:54 -0400, "Jim Miller"
<(E-Mail Removed)> wrote:

>from the news reports philly and houston are specifically targeted at the
>GUM.


Hint: It's an election year, where the politicians have to make
grandiose promises to the GUM. After November, I would not be
surprised if the whole idea hits some "unexpected obstacle" such as
pressure from the cellular companies or some type of legal challenge
against municipalities competing against private enterprise. However,
I hope it happens as we do need at least one good solid disaster as
an incentive to clean up the technology.

Incidentally, Tropos Networks is "considering" the use of WPA and
802.1x authentication in their systems. Progress blunders onward.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# (E-Mail Removed)
# 831.421.6491 digital_pager (E-Mail Removed) AE6KS
 