Wireless Networking for the Paranoid Hacker
Wireless Networking for the Paranoid Hacker
Implementing Basic Wireless Security
We've all done it; we've all seen the insecurity that wireless networking has brought our world. It's a new frontier, and there are open doors where ever we turn. Fewer among us are those who have actually sat down and broken an 802.11b WEP key. Although it is time consuming it can be done, especially when it comes to business networks administered by wanna-be network administrators. Point being is that we know the keys can be broken. Where does leave those of us who want to enjoy the freedom of wireless? Whether it is in our own networks, or in public access nodes, we are concerned both with data security and privacy. Here I will cover a few methods of securing a wireless network, as well as securing your connection over a public wireless network.
One slight detail to keep in mind whilst reading this article: My suggestions on home wireless cover mainly security and ways of keeping people off of your network to begin with. If you want to open your network to all those in range you can take the majority of tips from the public wireless network section and apply them.
Home Wireless Security
ACL or an access control list is feature that I have found in almost every wireless router I have come across. In my opinion it is an indispensable security tool. I can already hear the objections of those who have either defeated these systems or know how to, at least in theory. ACL's filter based on a listed of wireless card MAC addresses. They examine the MAC address of any card that attempts to join the network, and if that MAC is not found on a list of approved MAC addresses the card is not permitted to join the network. Of course this can be defeated by an attack her sniffs an approved MAC address out of the air, uses a MAC spoofer to make their MAC your own, and then join the network. Once you're in its easy enough to knock the real user off the network, however strictly speaking you don't have to in order for you to use the network. My suggestion, for a home network would be to only authorize your own cards, and the cards of users who are permitted to join the network. This is not a sure way to keep unauthorized users out, however when coupled with other security methods it can be effective.
WEP, or wired equivalent privacy, is the determined hacker's best friend. WEP can be broken in less than eight hours. Most of you will read this and conclude that it is a weak encryption and unfit to secure data, however there are two points to keep in mind when considering WEP. Firstly, network traffic must be at a peak for the attacker to capture enough packets to break WEP, and secondly it takes up to 8 hours of sniffing to capture the packets. For my own personal network the first point is negated because I have a cron job which transfers files to a wireless client in gigantic dumps nightly, however it still requires a dedicated attacker to break WEP. A determined attacker can be slowed by rotating WEP keys weekly, or for the paranoid, daily, however if you are so paranoid, why are you using WEP? Key rotation can only take you so far.
Many new 802.11g access points allow for use of WPA (wifi protected access). WPA uses a pre-shared key in order to encrypt wireless transmissions. There are currently no tools for cracking WPA; however WPA is vulnerable to a dictionary attack meaning that a determined attacker can simply try every combination of words, and common phrases until he/she breaks your key. As you can guess this is much more time consuming than automated cracking of WEP keys. WPA is significantly more secure, and if you have the cash, and are buying a dedicated wireless router, I would choose an 802.11g router simply for the added strength of encryption.
How WPA Works
What makes WEP weak is its initialization vector (IV). The IV is a 24 bit number that is combined with the key that the network administrator (you) entered into your access point's configuration interface. A new IV is used for each frame (packet) transmitted. There are two problems with this. First of all the IV is a pseudo random number, which is not truly random, and thus can be predicted within a range. Secondly, and more problematic, is that fact that the IV will recycle itself over a certain amount of time, which means you have the same IV and same key with a different payload. If an intruder collects enough of these frames (packets) that person is able to compromise your network. WPA has been improved by using a 48 bit IV, which means it will be significantly longer before the IV is recycled. The second way that WPA improves over WEP is the way that users connect to a WPA enabled AP. When a user connects they are authenticated using a pre-shared key, or in more advanced configurations a password from an authentication server (LDAP, RADIUS, etc). Once they are made a member of this network a WPA key is created. Periodically WPA will generate a new key per client, which when combined with the longer IV makes WPA much harder to crack. Finally WPA uses has strengthened a technology used in WEP verification. Upon transmission of every frame WEP added a 4 bit ICV (integrity check code) to verify that data integrity (i.e. no injected packets, no forgeries). The problem with this is apparent. An intruder can intercept the transmission, modify the payload, recalculate the ICV, and then retransmit, and none will be the wiser. However, WPA solves this problem with a new 8 bit MIC (message integrity code), that resides within the encrypted payload, and factors into the calculation of the ICV, which reduces the possibility of forged packets. These improvements over WEP make WPA a sound security method for any network, until that is they release 802.11i, but that's a topic for another day.
Summary for Home Users
For the average user using an ACL combined with either WEP (with key rotation), or hopefully WPA, will provide adequate security, at least for preventing unauthorized users from accessing the network. If you are looking to share your network but want to ensure that your data remains private please look at the data security section in the next section.
Any form of massive connection sharing, over a public network whether it is wired or wireless can be sniffed. Along with the threat of interception comes with the added risk of data injection. If an attacker can capture your private information he/she can then inject packets, and forge communications to interfere with your communication. In many other security articles VPN's have been listed as a way for users to ensure the reliability and authenticity of data flow, however it has been listed as either a last resort or a unsavory method. Anyone who has ever intercepted "secure" communication over a network knows that VPN's are an invaluable tool for keeping your private information private. There are several methods of doing this.
VPN's as they pertain to this article allow for the user to create a secure channel of communication between two points, whether they are two nodes on a network, or two routers, or creating a link between networks. They do so by using IPSec, which is a part of IPv6 that has been back ported for IPv4. VPN's encrypt traffic, and then encapsulate the original encrypted packet, in a normal IP packet, and then send to the other end of the tunnel. Upon receiving thing encrypted packet, the packet is decapsulated, and decrypted. VPN assure a user that their path to a remote system is both encrypted and secure, even through it traverses through an insecure network.
Wireless VPN Routers
Wireless VPN routers are a good one box solution to the wireless security problem. Upon joining a wireless network, whether it is public or encrypted, clients can form a secure connection with the wireless router via VPN tunnel. Hence forth all data is encrypted. This is the easiest solution, however the most expensive.
VPN Routers on a Wired Segment
Wired VPN routers are a two box solution, which are slightly cheaper than buying a one box wireless VPN router. Same actual solution, you are establishing a VPN tunnel with a router on the network. Clients access the network using a wireless access point. Upon joining the wireless network the client forms a VPN tunnel with the wired VPN router, securing all connections through that tunnel.
VPN Wireless Solutions (Reef Edge)
There are several free offerings, such as Reef Edge. Although I have not personally experimented with Reef Edge, it seems to be a promising VPN wireless router solution. On that note, many other products exist; free bootable Linux Router OS's that'll do the job. This is the cheapest way, however the one that requires the most experience.