Client-to-Client Attacks
Sophos
06-10-2003, 06:37 AM
Hi,
I am considering what best can be done to prevent Client-to-Client Attacks. We want to establish working groups at the university but are afraid of these C2C-Attacks, so until now the possibility to establish these groups is prohibited and that is not really a desirable situation.
All of your comments are really highly appreciated.
Here are some questions that have come to my mind when trying to get a solution to this problem:
Can you prevent users from bypassing the AP, and would there be an advantage if communication were only allowed via the AP? What can be done to prohibit access to one's own wireless station? Is a firewall an adequate solution, and what trade-offs must be considered? What about intrusion detection systems and VPNs? Could 802.1x bring success?
Thanks a lot for every reply or annotation to this problem.
Kay
jatkins679
06-10-2003, 10:05 AM
Originally posted by Sophos
Can you prevent users from bypassing the AP and would there be an advantage if communication would only be allowed via the AP?
Bypass to do what? Access the network behind the AP? That won't happen if your AP is configured correctly. Do you mean bypass the AP to do ad hoc networking with other clients?
The advantages of infrastructure communication over ad hoc are numerous: better throughput, better reliability, probably better coverage and range of the WLAN, blah, blah, blah. But the most important advantage is security.
Running an ad hoc network without a very, very good reason is a huge security issue and should almost never be allowed when there is a network attached to any of the clients. When you run an ad hoc network, then the security of your attached wired LAN is only as good as the security on your most vulnerable wireless client.... and we all know how much most end-users have security in mind.
What can be done to prohibit access to one's own wireless station? Is a firewall an adequate solution, and what trade-offs must be considered? What about intrusion detection systems and VPNs? Could 802.1x bring success?
(It would be better if you used standard terminology. 'Wireless station'. You mean an AP or a client or what? 'Client-to-client'? You mean ad hoc mode of networking?)
The best and most fundamental security method for a wireless client is to simply not run in ad hoc mode. That requires all wireless communication with that client to be via an associated and authenticated AP, which generally makes things more secure. Use of firewall software (like ZoneAlarm) is an absolute must and should be required at a minimum.
The trade-off with security is always ease of use both for the end-user and the admin. Users have to be educated as to why they can or cannot do certain things (like not running in ad hoc mode) and they have to be trusted to keep things like firewall and anti-virus software up-to-date. Admins have to administer security tasks and stay on top of management of users.
Intrusion detection is one of those admin tasks that can be part of security. At the very least, it should include periodic checks for misconfigured clients and rogue hardware/APs. It should include basic wired network security tasks, like periodic checks of logs and if you can swing it, logging of client use of APs. But the best intrusion detection is simply to prevent it in the first place.
VPNs are an administrative nightmare and end-users don't like it either. They also significantly decrease your throughput and while they secure your data stream, they don't prevent rogue users from accessing your system. Thus they are not a complete security measure.
802.1x is a relatively good security framework. But even without it, there are a lot of things admins can and have to do to ensure security. Using 802.1x and doing nothing else is like getting a super-duper alarm system for your car... but leaving the windows rolled down with the keys in the ignition.
Sophos
06-10-2003, 10:22 AM
Thanks a lot for your detailed answer!
Does this mean you can prevent people from sending data to your client without going via an AP? To clarify my question: Is there a "switch" on my client (or better, in the SW running on it) which I can turn on so that my client will only(!) work in infrastructure mode as long as this "switch" is turned on? How is this realized? Does the client only accept data from the address of the AP?
The (only?) advantage would be that every client would have been authenticated when he accesses the client, or can the AP do more for me?
The rest is completely clear...at least I hope! :)
Again thanks a lot!
jatkins679
06-10-2003, 11:53 AM
Originally posted by Sophos
Does this mean you can prevent people from sending data to your client without going via an AP? To clarify my question: Is there a "switch" on my client (or better, in the SW running on it) which I can turn on so that my client will only(!) work in infrastructure mode as long as this "switch" is turned on? How is this realized? Does the client only accept data from the address of the AP?
When configured to work in infrastructure mode, the client machine is configured to only communicate with the AP that has the same SSID as itself. It will ignore all other WLAN communication. In ad hoc mode, a client machine will communicate with any other wireless device configured for the same SSID. So the 'prevention' is in how the client device is configured.
It's really up to the end-user to configure his/her machine to be in infrastructure or ad hoc mode. You can't (easily) automatically prevent them from configuring their machine to work in ad hoc mode. So that's where user education and wireless sniffing for machines in ad hoc mode come into play.
This is why WLANs can be such a pain for network admins: end-users have a lot of responsibility to maintain security themselves and have a lot of opportunity to really screw things up by going off and doing things they shouldn't be doing. Whether it's setting up a rogue AP or (mis)configuring their client software or just not caring about network security, it's difficult to stay on top of end-users.
The (only?) advantage would be that every client would have been authenticated when he accesses the client, or can the AP do more for me?
We're ambiguously mixing terms again. A client is a piece of hardware that communicates wirelessly with other clients (ad hoc) or with an AP (infrastructure). A client is not a 'he'; what you're referring to then is a user, an actual person. A user uses or operates a client to access a WLAN. So are we talking about hardware (MAC) authentication or user authentication?
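As an added illustration of the "wireless sniffing for machines in ad hoc mode" and the periodic rogue-AP checks mentioned in this thread (example code, not from the original posts): a small Python sensor that classifies raw 802.11 beacon frames by their ESS/IBSS capability bits and flags ad hoc stations and APs that are not in an inventory. The frame builder, the SSIDs, the MAC addresses and the inventory set are constructed for the example; a real deployment would feed beacons captured on a monitor-mode interface with the radiotap header stripped.

```python
import struct

# 802.11 capability-information bits carried in every beacon (IEEE 802.11-2007, 7.3.1.4)
ESS_BIT = 0x0001   # set by an access point (infrastructure BSS)
IBSS_BIT = 0x0002  # set by a station running in ad hoc mode (independent BSS)

def bss_mode(capability: int) -> str:
    ess, ibss = bool(capability & ESS_BIT), bool(capability & IBSS_BIT)
    if ess != ibss:                        # exactly one bit set, as 802.11 requires
        return "infrastructure" if ess else "adhoc"
    return "malformed"                     # both or neither set is not a valid beacon

def parse_beacon(frame: bytes) -> tuple:
    """Return (bssid, ssid, mode) from a raw beacon frame without a radiotap header."""
    fc = frame[0]
    if (fc & 0x0F) != 0 or (fc >> 4) != 0x08:   # version 0, type 0 (mgmt), subtype 8 (beacon)
        raise ValueError("not an 802.11 beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # addr3 of the MAC header
    capability = struct.unpack_from("<H", frame, 34)[0]  # after 8-byte timestamp + 2-byte interval
    ssid, off = "", 36                                    # tagged parameters start here
    while off + 2 <= len(frame):
        tag_id, tag_len = frame[off], frame[off + 1]
        if tag_id == 0:                                   # element ID 0 = SSID
            ssid = frame[off + 2:off + 2 + tag_len].decode("utf-8", "replace")
            break
        off += 2 + tag_len
    return bssid, ssid, bss_mode(capability)

def build_beacon(bssid: bytes, ssid: str, capability: int) -> bytes:
    """Constructed sample frame for offline testing; a real sensor feeds captured frames."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    body = b"\x00" * 8 + struct.pack("<HH", 100, capability)
    return header + body + bytes([0, len(ssid)]) + ssid.encode()

def audit(frames, known_aps: set) -> list:
    """Flag ad hoc stations and infrastructure beacons whose BSSID is not in the AP inventory."""
    findings = []
    for frame in frames:
        bssid, ssid, mode = parse_beacon(frame)
        if mode == "adhoc":
            findings.append((bssid, f"ad hoc station advertising '{ssid}'"))
        elif mode == "infrastructure" and bssid not in known_aps:
            findings.append((bssid, f"AP not in inventory advertising '{ssid}'"))
    return findings

# Constructed sample capture: one inventoried AP, one unknown AP, one laptop in ad hoc mode
SAMPLE_FRAMES = [build_beacon(b"\x00\x11\x22\x33\x44\x55", "campus-wlan", ESS_BIT),
                 build_beacon(b"\x00\x11\x22\x33\x44\x66", "campus-wlan", ESS_BIT),
                 build_beacon(b"\x02\xaa\xbb\xcc\xdd\xee", "workgroup-3", IBSS_BIT)]
KNOWN_APS = {"00:11:22:33:44:55"}   # hypothetical inventory of the university's own APs
```

Running `audit(SAMPLE_FRAMES, KNOWN_APS)` reports the unknown AP and the ad hoc station; in practice the inventory comes from the AP management records and the findings go to whoever does the periodic log review.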
Sophos
06-11-2003, 03:54 AM
I meant the AP, not the user, so the use of the word "he" was wrong. These are the difficulties when you are not a native speaker...
Can you please tell me which security advantages infrastructure communication exactly has? Only the effect of authenticated clients?
Your answers are very appreciated!
jatkins679
06-11-2003, 05:37 PM
The use of ad hoc networks essentially means that the security of your network (and any network it's connected to) is whatever the least secure client on your WLAN has. That isn't a good way to ensure security.
Use of the infrastructure mode makes all wireless communication go through the AP, which means that you can more easily control security because you can make the AP as secure as you want and you don't have to manage the security of all clients as closely (although you have to stay on your client users to maintain some basic network security tasks, like use of anti-virus software and software firewalls, etc.).
With infra. mode, you can also more easily use back-end servers for AAA (authentication, authorization, and accounting), which not only helps security but also management.
But you're still not seriously considering using an ad hoc network are you? Unless your ad hoc network is completely isolated from any other network, you're asking for trouble. If you want to allow isolated ad hoc networks among users, there isn't too much that you can easily do about it. But then it isn't your problem to set it up, either.
I would strongly, strongly suggest that you do not allow ad hoc mode in connecting to your network and simply stay with or accept the notion that your network should be in infrastructure mode only.
wi-fiplanet.com
Copyright 2007 Jupitermedia Corporation All Rights Reserved.