Paranoid wireless network

 
 
Bill Godfrey
07-15-2004, 11:16 PM
Hello.

My home network is currently all cat5. I'd like to add another room, but I
can't do the cable for this room.

(Well okay, I could, but it would involve ripping up floorboards.)

I'd consider some sort of wireless network, but I'm worried about the
security of the various commodity devices for sale.

What I'd like...

ADSL box ------ Gizmo /\/\/\/\/\/\/\/\/ Gizmo ------ Computer
cat5 wireless cat5

And that so long as AES, RSA, etc remain uncompromised...

A. No-one within range of the signal can see the cleartext traffic.
B. No-one can feed traffic into the wired network without securely
"introducing" their device to the network.

Is such a device in production? Where can I buy a pair?

In the would-be-nice category, I'd like each one to have a (say) 5 port hub
built in to save me buying a hub and finding an extra power socket.

Many thanks.

Bill, insecure wireless? 'tis the devil's work!
 

George Hewitt
07-16-2004, 08:52 AM

>
> What I'd like...
>
> ADSL box ------ Gizmo /\/\/\/\/\/\/\/\/ Gizmo ------ Computer
> cat5 wireless cat5



Doesn't quite work like this... The easiest method is a wireless Access
point plugged in (cat5) to your adsl router box. You then get a PCI wireless
card for your client machine. Or, if you want to create a separate network
but then bridge the two wirelessly, you can buy a wireless bridge between
the two.

>
> And that so long as AES, RSA, etc remain uncompromised...
>
> A. No-one within range of the signal can see the cleartext traffic.
> B. No-one can feed traffic into the wired network without securly
> "introducing" thier device to the network.
>


The current wireless security procedures seem to be as follows:

a. Disable SSID broadcasting. This means that no computer can pick up your
network unless they already know the name of it. Wireless sniffers such as
Netstumbler can still pick up the signal from the access point, though.

b. MAC filtering. This means that no device can connect to the network
unless it has an approved MAC address. There is such a thing as MAC
spoofing, where devices can copy another device's MAC address, but you have
to physically find the MAC address to do this!

c. WEP. This is built-in encryption for the network that comes as standard on
nearly all wireless devices now. It comes in either 64bit or 128bit flavours
and encrypts your data on-the-fly.

Hope this clears up some of your concerns.

-George


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.720 / Virus Database: 476 - Release Date: 14/07/2004


 

Bill Godfrey
07-16-2004, 05:54 PM
"George Hewitt" <(E-Mail Removed)> wrote:

<snip>
> Or, if you want to create a
> separate network but then bridge the two wirelessly, you can buy a
> wireless bridge between the two.


That sounds more like what I'm after.

Everything already has a wired ethernet RJ45/cat5 socket. A wireless bridge
sounds like just the thing.

Would anyone like to recommend a wireless bridge which has good security
please?

> a. Disable SSID broadcasting. This means that no computer can pick up your
> network unless they already know the name of it. Wireless sniffers such
> as Netstumbler can still pick up the signal from the access point,
> though.


Worth doing, but not worth relying on, for the reasons you state. I'd want
a secure authentication protocol instead of (or as well as) some password
exchanged in the clear.

RSA signatures or shared-salt MD5/SHA1 hashes would be reasonable.

> b. MAC filtering. This means that no device can connect to the network
> unless it has an approved MAC address. There is such a thing as MAC
> spoofing, where devices can copy another device's MAC address, but you
> have to physically find the MAC address to do this!


Isn't the MAC address broadcast as part of the packet? (I don't know)

I presume I'd have to configure the bridge whenever I add a new node to one
of the wired networks linked together by the wireless bridge.

If so, this feels like rather misplaced configuration. I'd only really care
that each of the two bridge devices will reject traffic that doesn't come
from its partner on the other side of the bridge. I'm not bothered about
individual nodes on either wired network because I have secured access to
the wires.

Even then, there are only 2**48 possible MAC addresses. Much of that 2**48
can be predicted as more likely than others.

> c. WEP. This is builtin encryption for the network that comes as standard
> on nearly all wireless devices now. It comes in either 64bit or 128bit
> flavours and encrypts your data on-the-fly.


Now we're talking. What cryptographic algorithm does it use? AES?
(64bit keys? No thanks.)

I presume any wireless bridge would already know about each other's key out
of the box. If not, how would I go about generating and configuring the key
in each end of the bridge?

> Hope this clears up some of your concerns.


Many thanks. Here's my shopping list.

I'd like a wireless bridge for connecting two RJ45/cat5 networks together.

All traffic over the bridge must be encrypted with AES or better. Each end
would decrypt received traffic and feed that into the RJ45 ports.

Each bridge device must reject traffic received over the wireless link that
did not come from its partner. It must use a secure authentication
protocol, like RSA or salted MD5/SHA1 (or better).

Any recommendations please?

Bill, gone shopping.
 

None
07-17-2004, 11:24 AM
On 16 Jul 2004 17:54:00 GMT, bill-(E-Mail Removed)lid (Bill
Godfrey) wrote:


>please?
>
>> a. Disable SSID broadcasting. This means that no computer can pick up your
>> network unless they already know the name of it. Wireless sniffers such
>> as Netstumbler can still pick up the signal from the access point,
>> though.

>
>Worth doing, but not worth relying on, for the reasons you state. I'd want
>a secure authentication protocol instead of (or as well as) some password
>exchanged in the clear.
>
>RSA signatures or shared-salt MD5/SHA1 hashes would be reasonable.
>


If you want secure wireless, then you will need to look into WPA,
which will need a RADIUS server to authenticate users and also requires
a certificate.

I have just implemented a wireless solution based on the following
spec

Funk Software Odyssey RADIUS server
Odyssey client
Proxim AP 4000 Access Points
D-Link/Proxim 802.11g cards
Verisign Wireless certificate


works great, with as good security as you can expect from WPA. We
use our NT Domain to authenticate users via wifi; however, we may move to
RSA for that added security.


 

George Hewitt
07-17-2004, 11:29 AM

> > c. WEP. This is built-in encryption for the network that comes as
> > standard on nearly all wireless devices now. It comes in either 64bit
> > or 128bit flavours and encrypts your data on-the-fly.
>
> Now we're talking. What cryptographic algorithm does it use? AES?
> (64bit keys? No thanks.)


WEP uses RC4. Some information on securing wireless networks can be found
here (albeit a bit basic)
http://www.cableforum.co.uk/board/showthread.php?t=8435

http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html (bit more in-depth)

I forgot to mention WPA, which is the new kid on the block for wireless
security and is supported on most new devices, based on improving the
shortcomings found in WEP.

http://www.wi-fiplanet.com/tutorials...le.php/2148721

Read the above link, and as always, Google is your friend!
>
> I presume any wireless bridge would already know about each other's key
> out of the box. If not, how would I go about generating and configuring
> the key in each end of the bridge?


I'm not 100% certain on bridges, but I suspect it's the same principle as
for a wireless card in the client PC, except that the settings will of
course be made in the bridge device! Keys can either be specified manually
or automatically (when they would automatically discover, out of the box as
you say) at each end.

>
> Many thanks. Here's my shopping list.
>
> {snip}
>
> Any recommendations please?
>


I don't have much experience with bridges, so I wouldn't be in a situation
to comment at the moment, besides what Google throws up at me.

HTH



THe NuTTeR
07-18-2004, 10:38 PM

"Bill Godfrey" <bill-(E-Mail Removed)> wrote in message
news:20040715191656.316$(E-Mail Removed)...
<snip>
> And that so long as AES, RSA, etc remain uncompromised...
>
> A. No-one within range of the signal can see the cleartext traffic.
> B. No-one can feed traffic into the wired network without securly
> "introducing" thier device to the network.
>


You can't.
If someone wants to get into a wireless network, they will.
The best thing to do is what everyone else has said (turn off SSID, MAC
address control, WEP, WPA etc) and then run an IPSec VPN tunnel inside
all that.
However, someone can spoof both ends of the VPN and get everything, so if
you want security, don't use wireless. Plus, it's a lot of hassle for
minimum gain.
Wires Rule
G


 

Bill Godfrey
07-20-2004, 01:53 AM
"THe NuTTeR" <(E-Mail Removed)> wrote:

[Secure wireless bridge]

> You can't
> if someone wants to get into a wireless network, they will.


I'd disagree with that. All it takes is for someone to build the device.

> However someone can spoof both ends of the VPN and get everything,


You can't spoof the end of a VPN unless you know the private key or
single shared key. (Or if the protocol or algorithm is broken.)

> so if
> you want security, don't use wireless.


Here's a design. If someone will build it at a reasonable price, I'll buy a
pair.

-=-=-
Build two boxes with a shared 128 bit salt and a shared 128 bit AES key.
Use a good source of random bits.

For each wired Ethernet packet that arrives where the destination address
is on the other side of the wireless bridge...

The packet is "signed" using an MD5 of the packet and the salt value.

The original packet and its signature are encrypted using AES.

The encrypted packet is broadcast over the wireless link. (Don't care if it
conforms to any standard or if it's interoperable with other wireless
equipment. In fact - I don't want it to be interoperable with other
wireless equipment.)

On the arrival of an encrypted packet over the wireless link...

Decrypt it with the shared AES key.

Detach the MD5 signature and check that the MD5 of the decrypted packet and
the shared salt matches the attached MD5 signature. (Reject it if it doesn't.)

If it passes, inject it out on the wired Ethernet ports.
-=-=-

Bill, if you build it, they will come.
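Bill's two-box design, as an added worked example in Go (not code from the thread or from any product): the sending box "signs" each frame with MD5 over the shared salt and the packet, encrypts packet plus tag under the shared AES key, and the receiving box decrypts, recomputes the tag and drops anything that does not match. Assumptions not in the post: AES runs in CTR mode with a fresh random 16-byte nonce prepended to each frame, the salt goes in front of the packet inside the MD5, and the tag comparison is constant-time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
)

// tag is Bill's "signature": MD5 over the shared salt followed by the packet.
func tag(salt, packet []byte) []byte {
	sum := md5.Sum(append(append([]byte{}, salt...), packet...))
	return sum[:]
}

// xorAESCTR applies AES-CTR under the shared 128-bit key with a per-frame nonce (assumption: the post names no mode).
func xorAESCTR(key, nonce, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic("shared key must be 16 bytes: " + err.Error())
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, nonce).XORKeyStream(out, in)
	return out
}

// Encapsulate builds the wireless frame: nonce || AES-CTR(packet || MD5(salt||packet)).
func Encapsulate(key, salt, packet []byte) []byte {
	nonce := make([]byte, aes.BlockSize)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no randomness: refuse to send rather than reuse a nonce
	}
	signed := append(append([]byte{}, packet...), tag(salt, packet)...)
	return append(nonce, xorAESCTR(key, nonce, signed)...)
}

// Decapsulate accepts a wireless frame only if the recomputed MD5 matches, i.e. only if the partner holding key and salt sent it.
func Decapsulate(key, salt, frame []byte) ([]byte, bool) {
	if len(frame) < aes.BlockSize+md5.Size {
		return nil, false // too short to carry a nonce and a tag: reject
	}
	plain := xorAESCTR(key, frame[:aes.BlockSize], frame[aes.BlockSize:])
	packet, got := plain[:len(plain)-md5.Size], plain[len(plain)-md5.Size:]
	if subtle.ConstantTimeCompare(got, tag(salt, packet)) != 1 {
		return nil, false // forged or corrupted: never reaches the wired side
	}
	return packet, true
}
```

Each frame carries a fresh nonce, so the same Ethernet packet never produces the same bytes on the air twice.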
 

THe NuTTeR
07-20-2004, 08:15 AM
Using 802.11a is a good start in securing a network; it's better, because
fewer people have 11a devices.
G


"Bill Godfrey" <bill-(E-Mail Removed)> wrote in message
news:20040719215335.553$(E-Mail Removed)...
> "THe NuTTeR" <(E-Mail Removed)> wrote:
>
> [Secure wireless bridge]
>
> > You can't
> > if someone wants to get into a wireless network, they will.
>
> I'd disagree with that. All it takes is for someone to build the device.
>
> > However someone can spoof both ends of the VPN and get everything,
>
> You can't spoof the end of a VPN unless you know the private key or
> single shared key. (Or if the protocol or algorithm is broken.)
>
> > so if
> > you want security, don't use wireless.
>
> Here's a design. If someone will build it at a reasonable price, I'll
> buy a pair.
>
> -=-=-
> Build two boxes with a shared 128 bit salt and a shared 128 bit AES key.
> Use a good source of random bits.
>
> For each wired Ethernet packet that arrives where the destination address
> is on the other side of the wireless bridge...
>
> The packet is "signed" using an MD5 of the packet and the salt value.
>
> The original packet and its signature are encrypted using AES.
>
> The encrypted packet is broadcast over the wireless link. (Don't care
> if it conforms to any standard or if it's interoperable with other
> wireless equipment. In fact - I don't want it to be interoperable with
> other wireless equipment.)
>
> On the arrival of an encrypted packet over the wireless link...
>
> Decrypt it with the shared AES key.
>
> Detach the MD5 signature and check that the MD5 of the decrypted packet
> and the shared salt matches the attached MD5 signature. (Reject it if it
> doesn't.)
>
> If it passes, inject it out on the wired Ethernet ports.
> -=-=-
>
> Bill, if you build it, they will come.



 

Owen Rees
07-21-2004, 09:35 PM
On Tue, 20 Jul 2004 09:15:58 +0100, "THe NuTTeR"
<(E-Mail Removed)> wrote in <(E-Mail Removed)>:

>Using 802.11a is a good start in securing a network, its better, because
>less people have 11a devices.


Anyone seriously interested in breaking into your wireless net will be
using a multimode system. Dual band laptops have been available for over
a year. The only benefit of 11a from a security point of view is the
shorter range, but don't count on that being enough.


--
Owen Rees - opinions expressed here are mine; for a full disclaimer
visit <http://homepages.tesco.net/~owen.rees/index.html#disclaimer>
for e-mail use "owen.rees at tesco.net" instead of the From address
 