Date: Sun, 15 Jul 2001 20:02:38 -0400 From: Bob Johnson <bobj@ufl.edu> To: kjerste soderberg <kjerstes@yahoo.com> Cc: mobile@FreeBSD.ORG, pir@pir.net Subject: Re: Driver for D-Link DWL-650 card? [encryption now working] Message-ID: <3B522F1E.CF1732C6@ufl.edu> References: <20010715183319.48320.qmail@web9707.mail.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
kjerste soderberg wrote: > > My worries are the same. We'd also use the same AP's > and same cards (D-LINK DWL-650's)w/ FBSD4.3 but > regardless of the H/W, I've been thinking about the > SAME statement U make "xtra layer of security". > Yep! worried about the "parking lot" lurkers with a > promisc. mode wireless card .. sniffin away .. > > Here is what I'm contemplating; Pls if ANYONE has a > better mousetrap Pls advise; > Take a look at http://micro.circa.ufl.edu/walkup/tech.shtml A user who plugs in to a walk-up port (wired or wireless) can only connect to a web page that authenticates them. Once they are authenticated, the router dynamically reconfigures to give them access to the Internet (or whatever they are authorized). Not a perfect solution, but far better than nothing. The router is Linux-based. In this case, authentication and routing are performed by different boxes, but most organizations could probably be served fine by a single system doing both. It seems to me that putting together a simple FreeBSD based version would be fairly straightforward. As Brett Glass mentioned, PPPoE could provide another approach to this, but the solution above has the advantage that the user need no special configuration other than a web browser and a DHCP client. The solution above also doesn't address the problem of sniffing, but could certainly be modified to do so at the expense of makeing it harder for users to set up their systems to be compatible. E.g. tunnelling through SSH, IPsec, etc. I believe the long- term plan for the network mentioned above is to use IPsec. > PLAN A; > The AP IS NOT directly plugged into the ethernet hub. > Instead in-between the AP and the hub sits a P133 > (yesterday's "trash") w/ FBSD4.3 running as a firewall > BUT on the same 192.168.x.x segment for the purpose of > servicing the few laptops. > No inetd and just ssh allowed solely. > ssh would also forward X traffic > The only way the laptops would access the LAN is via > ssh. > > Of course this leaves me with much to be desired, > sacrificed for security's sake; > like NO EASY WAYS to: > POP3 & SMTP > general surfing on port80 > (remember everything's denied save ssh) > also propagating past just 1 AP to multiple APs > scattered about for "infrastructure type coverage". > A firewall per AP is a headache. > > So I was thinking of PLAN B; > running an extra hub plugged into our router. > This 16 port hub would be used for all the AP's > solely. > Our "real" wired network would sit behind our present > firewall. > So the AP's and ALL the associated wireless users > would be part of the "great unprotected", if they > wanna get into our regular network they gotta ssh in > thru our firewall just as if they're comin in from the > "outside". > > Better suggestions welcomed please. > > --- Peter Radcliffe <pir@pir.net> wrote: > > Bob Johnson <bobj@ufl.edu> probably said: > > > Keep in mind that if you aren't using WEP, anyone > > with a null network > > > name in their NIC can probably connect to (and > > use) your AP if they > > > can get within range. That is what my real worry > > is - I've been > > > turning off the AP when I wasn't using it. > > > > Well, you can use a closed network so they at least > > have to sniff the > > network name from raw packets (possible but not > > trivial for j.random > > person on the street) If you are referring to the network name as defined by the access point, I believe that a NIC with a null network name can connect to any access point. It can certainly connect to mine. > > or you can limit by MAC address with some base > > stations so they'd have to sniff a valid MAC address > > and use it > > (possible but nontrivial) ... even if you use WEP > > then they can break > > the key (shown to be possible but very nontrivial, I > > havn't seen any > > tools to do this yet). All of these things can slow > > people down, > > though. As I understand it, the theoretical scheme for breaking WEP encryption is based on a technique developed in WW I. If you have more than one message encrypted with the same key, and you have good knowledge of the statistics of the underlying plaintext messages, then you can start to guess at the occurrence of common letters and letter combinations, allowing you to eventually decipher the messages with a little luck and good guessing. The weak part of this scheme is that you are unlikely to have detailed statistical knowledge of the traffic being sent over the net, and the statistics probably vary from message to message. I.E. one message may be English text, the next may be a web page in French, and the next may be a log file. I'm not sure how much it would help to simply assume that all messages are, for instance, English language web pages, but even if it helps, the attack is probably only feasible on a high-volume network. The attacker must capture millions of packets to start to get meaningful results. So my home network is probably safe. And I don't expect to see an effective automated attack in the near future. > > > > If you're worried about your network you need an > > extra layer of > > security between the wireless and anything else. If WEP is workable in your environment, then it provides a lot of protection despite its theoretical weaknesses. Unfortunately, it doesn't scale well: how do you distribute new WEP keys on a regular basis to 20,000 users? - Bob > > > > P. > > > > -- > > pir pir@pir.net > > pir@net.tufts.edu > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-mobile" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3B522F1E.CF1732C6>