homepage Welcome to WebmasterWorld Guest from 54.145.209.80
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Hardware and OS Related Technologies / Smartphone, Wireless, and Mobile Technologies
Forum Library, Charter, Moderators: bakedjake

Smartphone, Wireless, and Mobile Technologies Forum

    
Wireless Security Basics
For Wireless Newbies
rtroxel

10+ Year Member



 
Msg#: 222 posted 5:19 pm on Dec 29, 2003 (gmt 0)

One of the critical issues involved with the growing wireless market is security. As I mentioned in an earlier post, consumers and home businesses have been purchasing wireless devices to transmit everything from music to photos. However, mid-sized to large businesses, especially financial ones (banks, brokers, etc.) don't trust this technology, and with a good reason. It's not secure. And here is why:

WEP

The Wired Equivalence Privacy protocol is the orginal and most widely-used security protocol for wireless devices. There are two problems connected with WEP however. It is based on a system of "keys". Hackers using the brute-force or "dictionary" method of entering alphanumeric combinations can eventually reveal the public and private keys.

The WEP encryption keys are short (and easily guessed) and static (instead of being updated dynamically from the server). To update the keys, a technician must visit each device on every "road" location (hot spot, motel, etc). This just isn't practical for most companies.

WAPs

WAPs are Wireless Access Points which are essential low-frequency radio devices capable of broadcasting over short distances: ten or twenty feet in a home or up to a few city blocks for a business. You can buy them for about $100 and they're manufactured by Microsoft, D-Link, Linksys, Netgear, and similar consumer-oriented comapnies. You can set up a WAP cable modem in your home, install a WAP card in each of your PCs and you now have a wireless home network, with each device having internet access.

But radio signals can be interfered with. They can be blocked by buildings and bridges and high-tension electrical cables can jam their signals. This isn't likely in the confines of your home, but for businesses it is a distinct possibility, because WAPs are set up by default to respond to the strongest RF signal available.

You can actually set up a "rogue" WAP to pull the signals from another WAP. In other words, you can eavesdrop on your neighbors' wireless networks. Just set up your own WAP in your car and drive through the neighborhood around 2am.

VPNs

Virtual private networking is currently being used to secure internet transmissions through phone lines. This can done by encapsulating the data within a protocol and sending the package out via the TCP/IP protocol. A similar use of this "tunneling" technology can be adapted to wireless transmissions.

Users Don't Care

The average consumers of today's wireless devices aren't overly concerned with security. Instead, they're going for the convenience, speed and novelty of PDAs and cell phones that can transmit pictures. For those people, WEP takes too long to configure and it can actually slow down the processing of their devices.

Those are the security issues, in general. The good news is that a new, tighter security protocol, WPA, is now on the market and a second, 802.11i, is in development, to be released in 2004. (I doubt if the consumer will bother configuring these on his her or her device, but companies and their employees will.)

 

Dreamquick

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 222 posted 4:01 pm on Dec 30, 2003 (gmt 0)

The good news is that a new, tighter security protocol, WPA, is now on the market

This would be the same WPA protocol that was found to be crackable on November 4th 2003? (See WiFi networking news from same date)

It's also worth bearing in mind that there are degrees of security when networking is involved - I'd wager that the average LAN isn't secure enough for financial companies either, especially at the transaction processing end of their business.

WEP
The Wired Equivalence Privacy protocol is the orginal and most widely-used security protocol for wireless devices. There are two problems connected with WEP however. It is based on a system of "keys". Hackers using the brute-force or "dictionary" method of entering alphanumeric combinations can eventually reveal the public and private keys.

The WEP encryption keys are short (and easily guessed) and static (instead of being updated dynamically from the server). To update the keys, a technician must visit each device on every "road" location (hot spot, motel, etc). This just isn't practical for most companies.

WEP was cracked, no denying that but it was more proof-of-concept than a real-life exercise as it would be a massive effort to actually crack WEP on a business wireless network, specifically sniffing enough traffic to be able to derive the keys from the traffic (2GB+ of traffic as far as I remember was the volumed needed to extract the keys).

Assuming we're talking about random war-driving rather than neighbor hacking neighbor / business hacking business, it's also worth noting that the time it takes to gather more traffic means more time sitting outside / moving around outside your victims location which means more chances of you being flagged as suspicious individuals and the police / private security being called and a lot of explaining being required.

(I'm sure there was a case of this recently)

Considering that everyone talks about how most people run with the defaults it's more likely that they'd just move on and try to find a node running a default rather than a node which is distinctly non-default.

Any well planned wireless network wouldn't rely on just SSID/WEP to keep the data secure but would instead implement a VPN / enforced IPSec (packet level encryption) or some other similar method to keep the internal data secure even if WEP was breached. You could also take this a step further and mix in wired networking with zoned wireless for added security.

While we are on the subject I know it's possible to update an AP's WEP keys programatically, presumably the same thing could be applied to the adapter - at which point you could update all clients that currently have valid connectivity with a fresh set of keys.

You can actually set up a "rogue" WAP to pull the signals from another WAP. In other words, you can eavesdrop on your neighbors' wireless networks. Just set up your own WAP in your car and drive through the neighborhood around 2am.

Sounds like it might work, let's look at how it would actually be used;

First of all they'd need to know the SSID and WEP keys, not that tricky with the defaults in place but a lot of work with non-defaults. This lets them act as part of the physical network.

Let's assume that this just affects businesses because consumers are on the whole too random to be able to consistently get anything useful from in a short space of time.

The same is probably true of most small businesses, which just leaves medium to large businesses who if they had any sense would have planned their network design with the assumption that wifi would/could be breached.

So what conclusion can we draw from all this?
WiFi will never be 100% secure in any implementation, but for most consumers and smaller businesses enabling the security features built into the device should offer enough security once changed from their factory defaults (custom SSID, 128bit+ custom WEP keys, broadcast null-SSID).

Anyone who requires a second-teir of security should consider firstly using VPN / IPSec solutions in addition to the standard security features, but they should also consider structuring their networks with the assumption that any wifi portions will be broken into.

If you're in an industry that really understands how to make a secure network I'm sure you don't need advice on how & where to implement wifi safely. :)

- Tony

rtroxel

10+ Year Member



 
Msg#: 222 posted 4:51 pm on Dec 30, 2003 (gmt 0)

Thanks for the comments, Tony.

Wi-Fi security is a subject that should be discussed more, especially since wireless is expected to "boom" in 2004. At least that's what a lot of industry analysts are predicting.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Hardware and OS Related Technologies / Smartphone, Wireless, and Mobile Technologies
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved