Networking Forums

Wifi and security...

 
 
Chris Berry
Guest
Posts: n/a

 
      06-23-2005, 12:29 AM
Hi Folks,

I'm pretty new to the wifi world having been up and running in Germany for 2
months now using w2k.

I'm not the paranoid type but I'll always run some kind of protection on my
most sensitive data because it's just too easy if you know what you're doing
to get into where you shouldn't be it always seems.

Anyway, I'm running a D-link DI-824VUP+ router which handles firewall, wifi
and wired networking and I set the system up as a honeypot to see what kind
of intrusions I'd get and monitored traffic pretty closely. The cards are
D-link Airplus xtremeG's

Surprise surprise, after a couple of weeks I had an unwanted guest
deliberately causing trouble on my network. My first instinct was to
restrict MAC addresses down to the devices I am using. Thinking that it's
pretty easy to sniff for a MAC address, I tightened things up with 128bit
encryption.

This is where I'm getting a little confused with all the different
encryption protocol descriptors.

Currently the NICs are set to Open authentication, 128 bit. (Shared
authentication, WPA and WPA-PSK available as well as 802.1x on open
authentication)

The corresponding settings on the router are
Security: WEP (802.1x, WPA, WPA-PSK available)

Now assuming I wanted to run the tightest security I can on this home
network for experimental reasons (limited to WIFI OK?) what would give me
"corporate level" security?
Also what software/machines would I need to perform this - and is it really
an option for the home user cost-wise...
No... I'm running w2k pro - not server...

TIA
cb


--
=================================
Some people have something to say... others have to say something!




 
 
 
 
 
Duane Arnold
Guest
Posts: n/a

 
      06-23-2005, 12:55 AM

> Now assuming I wanted to run the tightest security I can on this home
> network for experimental reasons (limited to WIFI OK?) what would give me
> "corporate level" security?


Most corporations wouldn't have a wireless solution in the trusted zone
behind the corporate FW, that's the bottom line. If there was wireless, it
would be outside the corporate FW in the non-trusted zone with a VPN
solution between the wireless solution most likely a wireless router or a
wired router using a WAP device and using a VPN tunnel from the device into
a FW appliance and the corporate trusted network zone.

Duane


 
 
Chris Berry
Guest
Posts: n/a

 
      06-23-2005, 08:59 AM
What do I know?
"Microsoft has decided to replace its massive corporate wireless LAN with
equipment from Aruba Wireless Networks," this article reports. "The network
will cover 277 buildings on the main campus in Redmond, Wash., as well as
branch offices in more than 60 countries. Spanning more than 17 million
square feet and serving as many as 25,000 sessions at once, it will be among
the world's biggest corporate Wi-Fi networks".
http://www.smartmobs.com/archive/200...rporate_w.html
cb

--
=================================
Some people have something to say... others have to say something!




 
 
Duane Arnold
Guest
Posts: n/a

 
      06-23-2005, 10:32 AM
Chris Berry wrote:

> What do I know?
> "Microsoft has decided to replace its massive corporate wireless LAN with
> equipment from Aruba Wireless Networks," this article reports. "The network
> will cover 277 buildings on the main campus in Redmond, Wash., as well as
> branch offices in more than 60 countries. Spanning more than 17 million
> square feet and serving as many as 25,000 sessions at once, it will be
> among the world's biggest corporate Wi-Fi networks".
> http://www.smartmobs.com/archive/200...rporate_w.html
> cb
>


That's MS they have enough problems just trying to keep their O/S(s) from
being attacked. Let's have one of those credit card companies that had
millions of accounts compromised by a hacker here recently go to an all
wireless network in the safe zone behind the company FW. ;-)

Duane
 
 
Chris Berry
Guest
Posts: n/a

 
      06-23-2005, 10:46 AM
"Duane Arnold" <(E-Mail Removed)> wrote in message
news:Zcwue.80542$x96.45002@attbi_s72...
> Chris Berry wrote:
>
> > What do I know?
> > "Microsoft has decided to replace its massive corporate wireless LAN with
> > equipment from Aruba Wireless Networks," this article reports. "The network
> > will cover 277 buildings on the main campus in Redmond, Wash., as well as
> > branch offices in more than 60 countries. Spanning more than 17 million
> > square feet and serving as many as 25,000 sessions at once, it will be
> > among the world's biggest corporate Wi-Fi networks".
> > http://www.smartmobs.com/archive/200...rporate_w.html
> > cb
> >
>
> That's MS they have enough problems just trying to keep their O/S(s) from
> being attacked. Let's have one of those credit card companies that had
> millions of accounts compromised by a hacker here recently go to an all
> wireless network in the safe zone behind the company FW. ;-)
>


What, like a paranoid banker getting caught out and not being able to cover
up/restrain the leak?
The fact is that corps are more open to wifi abuse if they don't adopt wifi.
Just plug in a wifi router and you can roam within the corporate network.
The reality is that corps *will have to* head in that direction
http://www.clickz.com/stats/sectors/...le.php/2110771
"71 percent of U.S. large businesses (defined as those generating $100
million or more in annual revenue) are supporting 802.11 networks or will do
so in the next 12 months."
which probably means that only the paranoid are getting left behind...
cb


 
 
Lars M. Hansen
Guest
Posts: n/a

 
      06-23-2005, 10:49 AM
On Thu, 23 Jun 2005 02:29:53 +0200, Chris Berry spoketh

>Now assuming I wanted to run the tightest security I can on this home
>network for experimental reasons (limited to WIFI OK?) what would give me
>"corporate level" security?
>Also what software/machines would I need to perform this - and is it really
>an option for the home user cost-wise...
>No... I'm running w2k pro - not server...
>
>TIA
>cb


The most secure wireless solution would be something that requires
actual authentication and uses dynamic key exchange.

Corporate level security would mean WPA and 802.1x authentication,
either PEAP through a Radius (or similar authentication server) or by
using certificates.

There's a small program called TinyPeap that will let you set up a small
radius authentication system without the need for a Windows server and
radius.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
 
Duane Arnold
Guest
Posts: n/a

 
      06-23-2005, 11:16 AM
Chris Berry wrote:

> "Duane Arnold" <(E-Mail Removed)> wrote in message
> news:Zcwue.80542$x96.45002@attbi_s72...
>> Chris Berry wrote:
>>
>> > What do I know?
>> > "Microsoft has decided to replace its massive corporate wireless LAN with
>> > equipment from Aruba Wireless Networks," this article reports. "The network
>> > will cover 277 buildings on the main campus in Redmond, Wash., as well as
>> > branch offices in more than 60 countries. Spanning more than 17 million
>> > square feet and serving as many as 25,000 sessions at once, it will be
>> > among the world's biggest corporate Wi-Fi networks".
>> > http://www.smartmobs.com/archive/200...rporate_w.html
>> > cb
>> >
>>
>> That's MS they have enough problems just trying to keep their O/S(s) from
>> being attacked. Let's have one of those credit card companies that had
>> millions of accounts compromised by a hacker here recently go to an all
>> wireless network in the safe zone behind the company FW. ;-)
>>
>
> What, like a paranoid banker getting caught out and not being able to
> cover up/restrain the leak?
> The fact is that corps are more open to wifi abuse if they don't adopt
> wifi. Just plug in a wifi router and you can roam within the corporate
> network. The reality is that corps *will have to* head in that direction
> http://www.clickz.com/stats/sectors/...le.php/2110771
> "71 percent of U.S. large businesses (defined as those generating $100
> million or more in annual revenue) are supporting 802.11 networks or will
> do so in the next 12 months."
> which probably means that only the paranoid are getting left behind...
> cb


I don't see a whole lot of companies jumping on that bandwagon anytime
soon, IMHO. ;-)

Duane

 
 
Chris Berry
Guest
Posts: n/a

 
      06-23-2005, 12:42 PM
Thanks Lars, I'll check it out.
cb

--
=================================
Some people have something to say... others have to say something!


 
 
Chris Berry
Guest
Posts: n/a

 
      06-23-2005, 02:37 PM
Lars,
I've taken a good look at tinypeap and it looks great. I will test it in the
next couple of weeks.
Can you (or anyone) tell me what the most secure I can make my current
system without having to run a server all the time? Correct me if I'm wrong
but tinypeap requires one machine to be on all the time authenticating the
users.
cb


--
=================================
Some people have something to say... others have to say something!




 
 
Jeff Liebermann
Guest
Posts: n/a

 
      06-23-2005, 04:13 PM
On Thu, 23 Jun 2005 16:37:12 +0200, "Chris Berry"
<(E-Mail Removed)> wrote:

>Can you (or anyone) tell me what the most secure I can make my current
>system without having to run a server all the time? Correct me if I'm wrong
>but tinypeap requires one machine to be on all the time authenticating the
>users.
>cb


The RADIUS or other authentication server needs to be on all the time.
If you need RADIUS authentication and this is a problem, I suggest you
look into the alternative firmware solutions from Sveasoft for the
Linksys WRT54G router. The RADIUS server is built into the wireless
router in some builds:
http://www.sveasoft.com/content/view/20/1/
In my never humble opinion, running a RADIUS server for a home system
is overkill. It's primarily useful if you have a large number of
users that are constantly changing such as a WISP or a for-money
wireless hot spot. Methinks WPA-PSK (pre-shared key) offers the same
level of over-the-air security.

The real problem is physical security. With WPA-PSK, anyone that has
access to your computer for even a few minutes can extract the shared
key. Never mind the war driving evil hackers. It's your friends that
borrow your computer that are a security risk. Some manufacturers are
encrypting the saved encryption keys, but the practice is apparently
not (yet) universal.

On what corporations are actually doing, I only have 3 customers with
over 100 desktops. Not a great representative sample. All have
wireless and all have implemented different forms of wireless
security. I don't think I should leak details. However, one item is
common among all three. The wireless gateway is carefully monitored
for intrusion and logs are regularly inspected.

Mini-rant: I have a rather bad attitude about the excessive
application of encryption. The wireless layers encrypt the data using
RC4 and WPA. The customer then adds a VPN encrypted tunnel to their
destination with 3DES encryption. They then use an SSL encrypted
session in a web browser to access the corporate data. The data
itself is often encrypted and keyed to deal with employee theft and
access tracking issues. Each layer of encryption is designed to fix
the inadequacies and security failures found in the next lower
encryption layer. From here, it looks like a mess of patchwork. I
wish I could offer a more elegant solution to security, but that would
require scrapping everything and starting over. Meanwhile, the
standard answer to security is yet another layer of encryption. Sigh.



--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
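
Added example, not part of any post in this thread: the WPA-PSK point from the post above, in Python. Every client on a WPA-PSK network stores the same 256-bit key, derived only from the passphrase and the SSID by the standard WPA passphrase mapping (PBKDF2-HMAC-SHA1, 4096 iterations), so a copy taken from one machine is valid for the whole network. The SSIDs, passphrases, the small common-passphrase list and the 20-character threshold are assumptions chosen for illustration.

```python
import hashlib

# Constructed sample list; a real audit would use a much larger dictionary.
COMMON_PASSPHRASES = {"password", "12345678", "letmein123", "qwertyuiop"}
MIN_RECOMMENDED_LEN = 20  # assumed audit threshold, not a protocol limit


def derive_psk(passphrase, ssid):
    """Map a WPA-PSK passphrase to the 256-bit pre-shared key.

    The SSID is the salt, so the same passphrase gives a different key
    on a differently named network, but the same key on every client
    of one network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, 4096, 32)


def audit_passphrase(passphrase):
    """Return a list of findings for a proposed home-network passphrase."""
    findings = []
    if passphrase.lower() in COMMON_PASSPHRASES:
        findings.append("appears in common-passphrase list")
    if len(passphrase) < MIN_RECOMMENDED_LEN:
        findings.append("shorter than %d characters" % MIN_RECOMMENDED_LEN)
    return findings


if __name__ == "__main__":
    # Constructed values: two clients configured for the same network.
    laptop = derive_psk("correct horse battery staple", "home-lab")
    desktop = derive_psk("correct horse battery staple", "home-lab")
    print("clients hold identical key:", laptop == desktop)
    print("stored key (hex):", laptop.hex())
    for candidate in ("password", "correct horse battery staple"):
        print(repr(candidate), "->", audit_passphrase(candidate) or "no findings")
```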
 