Wifi and security...

Most corporations wouldn't have a wireless solution in the trusted zone behind the corporate FW, that's the bottom line. If there was wireless, it would be outside the corporate FW in the non-trusted zone with a VPN solution between the wireless solution, most likely a wireless router or a wired router using a WAP device, and using a VPN tunnel from the device into a FW appliance and the corporate trusted network zone.

Duane :)

Reply to
Duane Arnold

Hi Folks,

I'm pretty new to the wifi world having been up and running in Germany for 2 months now using w2k.

I'm not the paranoid type but I'll always run some kind of protection on my most sensitive data because it's just too easy if you know what you're doing to get into where you shouldn't be it always seems.

Anyway, I'm running a D-link DI-824VUP+ router which handles firewall, wifi and wired networking and I set the system up as a honeypot to see what kind of intrusions I'd get and monitored traffic pretty closely. The cards are D-link Airplus xtremeG's

Surprise surprise, after a couple of weeks I had an unwanted guest deliberately causing trouble on my network. My first instinct was to restrict MAC addresses down to the devices I am using. Thinking that it's pretty easy to sniff for a MAC address, I tightened things up with 128bit encryption.

This is where I'm getting a little confused with all the different encryption protocol descriptors.

Currently the NICs are set to Open authentication, 128 bit. (Shared Authentication, WPA and WPA-PSK available, as well as 802.1x on open authentication.)

The corresponding settings on the router are Security: WEP (802.1x, WPA, WPA-PSK available)

Now assuming I wanted to run the tightest security I can on this home network for experimental reasons (limited to WIFI OK?) what would give me "corporate level" security? Also what software/machines would I need to perform this - and is it really an option for the home user cost-wise... No... I'm running w2k pro - not server...

TIA cb

Reply to
Chris Berry

On Thu, 23 Jun 2005 02:29:53 +0200, Chris Berry spoketh

The most secure wireless solution would be something that requires actual authentication and uses dynamic key exchange.

Corporate level security would mean WPA and 802.1x authentication, either PEAP through a Radius (or similar authentication server) or by using certificates.

There's a small program called TinyPeap that will let you set up a small radius authentication system without the need for a Windows server and radius.

Lars M. Hansen

'badnews' with 'news' in e-mail address)

Reply to
Lars M. Hansen

The RADIUS or other authentication server needs to be on all the time. If you need RADIUS authentication and this is a problem, I suggest you look into the alternative firmware solutions from Sveasoft for the Linksys WRT54G router. The RADIUS server is built into the wireless router in some builds:

In my never humble opinion, running a RADIUS server for a home system is overkill. It's primarily useful if you have a large number of users that are constantly changing such as a WISP or a for-money wireless hot spot. Methinks WPA-PSK (pre-shared key) offers the same level of over-the-air security.

The real problem is physical security. With WPA-PSK, anyone that has access to your computer for even a few minutes can extract the shared key. Never mind the war driving evil hackers. It's your friends that borrow your computer that are a security risk. Some manufacturers are encrypting the saved encryption keys, but the practice is apparently not (yet) universal.

On what corporations are actually doing, I only have 3 customers with over 100 desktops. Not a great representative sample. All have wireless and all have implemented different forms of wireless security. I don't think I should leak details. However, one item is common among all three. The wireless gateway is carefully monitored for intrusion and logs are regularly inspected.

Mini-rant: I have a rather bad attitude about the excessive application of encryption. The wireless layers encrypt the data using RC4 and WPA. The customer then adds a VPN encrypted tunnel to their destination with 3DES encryption. They then use an SSL encrypted session in a web browser to access the corporate data. The data itself is often encrypted and keyed to deal with employee theft and access tracking issues. Each layer of encryption is designed to fix the inadequacies and security failures found in the next lower encryption layer. From here, it looks like a mess of patchwork. I wish I can offer a more elegant solution to security, but that would require scrapping everything and starting over. Meanwhile, the standard answer to security is yet another layer of encryption. Sigh.

Reply to
Jeff Liebermann

That's MS; they have enough problems just trying to keep their O/S(s) from being attacked. Let's have one of those credit card companies that had millions of accounts compromised by a hacker here recently go to an all wireless network in the safe zone behind the company FW. ;-)

Duane :)

Reply to
Duane Arnold

What do I know? "Microsoft has decided to replace its massive corporate wireless LAN with equipment from Aruba Wireless Networks," this article reports. "The network will cover 277 buildings on the main campus in Redmond, Wash., as well as branch offices in more than 60 countries. Spanning more than 17 million square feet and serving as many as 25,000 sessions at once, it will be among the world's biggest corporate Wi-Fi networks".


Reply to
Chris Berry

I don't see a whole lot of companies jumping on that band wagon anytime soon, IMHO. ;-)

Duane :)

Reply to
Duane Arnold

What, like a paranoid banker getting caught out and not being able to cover up/restrain the leak? The fact is that corps are more open to wifi abuse if they don't adopt wifi. Just plug in a wifi router and you can roam within the corporate network. The reality is that corps *will have to* head in that direction.

"71 percent of U.S. large businesses (defined as those generating $100 million or more in annual revenue) are supporting 802.11 networks or will do so in the next 12 months. " which probably means that only the paranoid are getting left behind... cb

Reply to
Chris Berry

Thanks Lars, I'll check it out. cb

Reply to
Chris Berry

Lars, I've taken a good look at tinypeap and it looks great. I will test it in the next couple of weeks. Can you (or anyone) tell me what the most secure I can make my current system without having to run a server all the time? Correct me if I'm wrong but tinypeap requires one machine to be on all the time authenticating the users. cb

Reply to
Chris Berry

Yeah I know it's overkill - I'm happy with security as it is. It's a matter of experimentation though as I always like to know the bounds and the workings of my system. I had a look at the WPA-PSK settings and they make no sense to me. On the clients, all it asks for is a WPA passphrase (Max 63 chars) while the router needs a 64 char hex key. (Using random number generation in excel, dec2hex, and concatenate I can generate a random enough one) I've looked at the manual and there's nothing on it... typical eh? So, any idea on where to look to try this out?

That's not a problem in my environment. The key is substituted with asterisks in the NICs and pass protected on the router.

That's quite logical - also what I was doing with my honey-pot. Assuming they'd get in, I wanted the easy target to be attacked - and that was easier to monitor as well.

It's sad, isn't it. Unfortunately that's PC culture for you. Ever since hacking and counter hacking became acceptable and even entertainment, things have just gotten worse. Capitalism at its worst, eh? cb

Reply to
Chris Berry

Setting WPA PSK gives quite reasonable protection if a long, random passphrase is used. I wrote a program (free!) to generate a random key.

John Steele

Reply to
John Steele

Thanks John, been there and done that with excel already... basically:

concatenate ascii of x random numbers from 0-255...

Similar to the Hex random concatenation I used for the hex key....

Stranger things are happening though with regard to key length and characters... Dlink thought it prudent to convert the passphrase to the sub-ascii standard used in links - and used the same page/settings for the channel config. This means that you lose the router key whenever you change anything... Nice eh?

Another Dlink weirdo is that the network cards and the router have different max lengths of encryption key... yup, you guessed it... 32 ascii/64 hex for the router - 256 bit and 53 chars for the nics.

Anyway, thanks for the pointers... cb

Reply to
Chris Berry

I wished I had time for that.

Huh? 64 char hex? What manner of hardware are you working with?

I can fish it out of the firmware image. Some wireless clients hide the key in plain text in the registry.

client that I tinkered with cleverly "encrypted" the WEP keys using simple bit rotation. Cisco does it right and stores the encryption keys in flash ram in the card.

I don't see your connection between culture, hacking, entertainment, and capitalism. Are you suggesting that wireless security would improve under a socialist or communist regime? Please re-read what I scribbled. I was commenting on multiple layers of encryption being used solely to fix the security issues of the underlying layers. This is a technical issue, and has nothing to do with culture, entertainment, and capitalism. Well, maybe a bit with hacking, but that's a stretch.

Reply to
Jeff Liebermann

Ummm.... 63 characters of ASCII generates 126 characters unless one is using Unicode, where it expands to 16 bit code or 504 hex digits. As far as I know, WPA keys do not support Unicode. I'm not sure as Googling around did not provide a definite answer. I tried typing in some Unicode characters in the WPA key entry box and found that it did not "convert" the Unicode character to ASCII.

Dlink has an online emulator for the DI-824VUP+ at:

in the WPA-PSK config:
either ASCII or HEX key entry for WPA. Well, that's the first time I've ever seen a Hex WPA key, but I guess it makes sense. However, be advised that you do have the option of entering the key in ASCII.

I'm too lazy to check the DWL-G650 for the same issue

Different manufacturers and drivers bury the WEP/WPA keys in different places. I only provided the links as an example. It's in there somewhere, and may actually be encrypted. I think I have a DWL-G650 in the office and can find the registry key for you if I have time.

Ummm... nope. However, please don't explain. I'm rather irate at the US Supreme Court's latest stupidity allowing property ownership transfers and confiscations.

My SSID on our neighborhood network is my home address. My office SSID is my phone number. I get lots of "interesting" phone calls and visits.

Yep. The local kids turned my access point into their personal game machine repeater. Ate all my over the air bandwidth up until I put a stop to it.

I guess you've read about the coffee shops that are pulling the plug on wi-fi because it creates rather unsociable customers who would rather commune with their laptops than with the other patrons.

I have a different view. No technology is considered successful until it has been abused. Wireless is most certainly considered successful.

Reply to
Jeff Liebermann
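The "64 char hex" on the router and the "63 char passphrase" on the NICs that confuse the thread above are not two encodings of the same string. In WPA-PSK the passphrase (8 to 63 printable ASCII characters) is only an input: the client and the access point each run it through PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, and the 256-bit output is the actual pre-shared key. That 32-byte key is what a router's "hex" entry mode accepts as 64 hex digits, which is why a 63-character passphrase does not become 126 or 504 hex digits, and why the same passphrase yields a different key on a network with a different SSID. The following added example (not code from any poster, and not the D-Link firmware's code) shows both halves of this: generating a random passphrase of the kind John's program produces, and deriving the key a router expects from a passphrase plus SSID. The alphabet, function names and the sample SSID are assumptions chosen for the example; the "password"/"IEEE" pair in the self-check is the published IEEE 802.11i test vector.

```python
import hashlib
import secrets
import string

# Assumed alphabet for generated passphrases: letters and digits only.
# The standard allows any printable ASCII (0x20-0x7E), but some web UIs
# mangle punctuation (the thread saw "%40%28%3B" style URL-encoding), so
# an alphanumeric passphrase is the safer choice for a 63-character key.
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-PSK
PSK_BYTES = 32             # 256-bit pre-shared key


def random_passphrase(length: int = 63) -> str:
    """Return a random WPA passphrase of the given length (8..63 chars).

    Uses the secrets module, i.e. the OS CSPRNG, rather than a spreadsheet
    random-number function.
    """
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA pre-shared key from passphrase and SSID.

    PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    This is exactly the key a client computes from the passphrase you type,
    and the value a router takes directly when set to 'hex key' mode.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PSK_BYTES,
    )


def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    """The same key as 64 hex digits, the form a router's hex field wants."""
    return wpa_psk(passphrase, ssid).hex()


def router_hex_matches_client_passphrase(router_hex: str, passphrase: str, ssid: str) -> bool:
    """Check that a key entered in hex on the AP is the key clients derive.

    Useful when the AP only offers a hex field and the NICs only offer a
    passphrase field: both sides must end up with the same 32 bytes.
    """
    return bytes.fromhex(router_hex) == wpa_psk(passphrase, ssid)


def self_check() -> bool:
    """Verify the derivation against the IEEE 802.11i Annex H test vector."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return wpa_psk_hex("password", "IEEE") == expected


if __name__ == "__main__":
    ssid = "example-ssid"          # constructed SSID for the demo
    phrase = random_passphrase(63)
    print("passphrase (for the NICs):", phrase)
    print("hex PSK   (for the router):", wpa_psk_hex(phrase, ssid))
    print("test vector ok:", self_check())
```

Note that the SSID is part of the derivation: if you change the SSID on the router, a key that was typed in as hex is no longer the key the clients will derive from the passphrase, even though neither field was edited.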

Hey, wireless is going to save corporate. The last time I looked, they don't want you to leave your desk to take a dump let alone walk around corporate with some wireless solution other than a cellular phone. :)

Duane :)

Reply to
Duane Arnold

"Jeff Liebermann" wrote in message news: snipped-for-privacy@4ax.com...

Dlink DI-824VUP+ and Dlink DWL-G650 nics.

63 character ascii is equivalent to 504 digit hex - I don't need to tell you that...

luckily I can find no instances of that in files or registry in my system.

Not delving that deeply into politics - no-no area. Political philosophy maybe. One assumption of capitalism is that greed is the major driver of progress and productivity. One outcome that results is fear and paranoia with regard to property and theft. You might say "property IS theft" but that's another level completely. Taking that line though, you could infer that political power is nothing more than mob enforcement of theft - which makes politicians... get it? Nah, it was a bit of a light poke at the way we view security and how the unsuspecting person with too little knowledge let loose on wifi can wind up in court for no other reason than that they were hijacking the dentist next-door's network. Wait for it, it will come. Personally, I'd like to meet the guy who decided it would be fun to piggy back on my lan. Ask him what he wants to do. If all he wants is to sit in a cafe and surf/work, he'd be welcome to it. No sweat off my back. The culture side of things comes into it right there. With Wifi, we can be a little more collaborative, share resources, give the kid next door broadband access and the only thing it costs us is peace of mind.... It reintroduces the local aspect of things back into our information age world... Excuse the rant but technology is always what you make of it and I really see wifi making a difference on a much wider plane so long as it ends up catering for more than corporations. cb

Reply to
Chris Berry

The emulator is only half there... on the router here's what it displays a chunk of my access key as: Wf%40%28%3Bi% Hint: there are no % signs in the access key The NIC has no emulator but accepts a longer key. There is also no selection between ascii and hex.

Precisely... you got it... making theft legal doesn't make it right now does it?

Nice ramblings... enjoy your day. cb

Reply to
Chris Berry

A (very) small town company, a mom and pop operation with nothing on their system that is of much concern to them or to others, wants to host a local hotspot for the good of the community. (They are located across the street from a small pocket park where much of the community comes to sit and visit.)

Regardless, they want to set the system up so that a) visitors can't see or access their company network and b) their staff can use laptops/PDAs to access their network and data via the wifi.

I'm doing this project for free and have very little clue on how to proceed much less what hardware to source. Except for being friendly neighbors there is nothing in this for the owners or myself.

All input is appreciated.

Reply to
Not Me
