Can 802.11 Networking Be Made Safe?

plumpy asks: "I am a developer at a small (~100 people) company that develops web and wireless (Palm, WAP) applications. Recently a few developers began a campaign to get a wireless access point for the company so that we could carry our laptops to meetings and work more flexibly. Two people had been bringing in their own personal access points from home while we waited for someone to actually purchase one for the company. Everything was going okay, and it sounded like the purchase request was going to go through. Then our IT manager read a few of the recent articles about the lack of security in 802.11 networks and killed the idea." Wireless Networks, like their wired counterparts are only as secure as the procedures behind the people that maintain them. A wireless AP can be secured against casual attacks and WEP, properly implemented, should take care of the rest, shouldn't it?

"From what I've read, it sounds like 802.11 is not as secure as it COULD be, but is plenty secure for most networks. My IT manager LIKES wireless (he has an 802.11 network at home) but doesn't think it's secure enough for the workplace. Does anyone have any links to articles that could convince him otherwise? Or does anyone have any articles that can convince me he's right? Also, does anyone have any stories about where wireless networking has been helpful for developers. There is some additional resitance because management thinks it's just a toy for us with no real useful applications."

what sort of work are you doing? dictates needs

[StandardDeviant]

Seriously, if you're doing work that is too sensitive for 128-bit WEP (need both AP and client cards to be 128, obviously), well, yeah, wireless is inappropriate. (If your work is this sensitive, as the CTO how secure your LAN cable is against emission snooping or unauthorized taping.)

Further, are you in a crowded office building? Are your 2-6 side-sharing neighbors competitors? How absorbant are the walls (I mean of RF radiation)?

Plus, let's not forget that 128-bit gear isn't cheap. Not uber-expensive, but definitely not cheap either (especially if you have a large number of potential clients which means you will need several access points in addition to many client pcmcia cards; you might need several access points to begin with if you office has lots of structural walls and whatnot in it).

--
"Overrated" is "overfuckingused".

Wireless in business?

[DrQu+xum]

The only time wireless'd be any good is if you have a laptop, aren't concerned with security, and take your laptop with you to the loo. :)

For God's sake, if you are concerned about security, don't broadcast your messages over the air! If you're f'n paranoid, use fibre, as it has no magnetic field around it to be intercepted.

If you really want to be secure, turn off your computer, use a removable drive, take it out, lock it in a safe, and take the network cable out of the machine when you leave. That way, there is no physical nor electronic access to your data. Simple.
Thus sprach DrQu+xum.

WEP isn't that bad

[kevin42]

Keep in mind WEP stands for "Wired Equivilancy Protocol" which means it's meant to be about as secure as physical ethernet cables.

Yeah, there's a big hole in WEP, but in order to crack it the person would have to have a lot of equipment that isn't readily available, not to mention cryptoanalysis expertise. It would probably be a lot easier for them to break into your building and put a device on the network somewhere and capture packets.

It's not as if you can wander within range of a WEP protected network and just start sniffing. First off the NIC has to associate and authenticate with the AP to even get the packets past the MAC layer. You can turn access control on with most APs so you only allow certain MAC addresses. Even if they got past that layer they're going to not be able to sniff anything because the MAC chip in the card will discard anything it can't decrypt, even in promiscuous mode.

The only way they could sniff you out with 802.11 and WEP would be to have some custom hardware and software to bypass the MAC layer(or be able to rewrite the firmware for an existing card). Anyone who goes to these lengths are going to be able to get past your pysical security anyway.

Security concerns are common

[Raetsel]

I've seen several cases where the security provided with 802.11b was not considered adequate.

The solution was to configure the network in such a way that access to the corporate LAN was impossible, unless

• You authenticated with a VPN server, and tunneled your LAN connection over that -- in addition to the security already provided by the hardware

• OR

• You used SSH to tunnel (again to a gatekeeper/firewall machine), and then again to tunnel your X session over.

I know it's a lot, and it's not the easiest thing to just set up. Hardware is something you can plug in and have running 5 minutes later -- this takes a lot more work.

Remember that it's worth it -- you're already doing this, it needs to have the level of security the company is comfortable with. If you drive the project underground, you won't know what's going on, what hardware is being used -- or even by who.

Don't let your PHB be scared away by the fact that the hardware is not as secure as he'd like. You have options to make it more secure, and these options have already been enough to placate other PHBs.

You can do this. Yes, you can make a wireless connection secure enough -- unless you're doing something to piss off the NSA. If you're up against an adversary like that, my money's on them.

Just trying to keep things in perspective.

Re:Wireless in business?

[tzanger]

For God's sake, if you are concerned about security, don't broadcast your messages over the air! If you're f'n paranoid, use fibre, as it has no magnetic field around it to be intercepted.

Remember that you can bend a piece of fiber enough to pick up a tiny bit of signal which can't make the bend and read that. Without being detected.

Granted, fiber probably gives you the best protection today if you must have secure data in a network. Strong encryption over copper really isn't all that bad though. And I really don't know what's all that wrong about strong encryption over wireless. Both copper and wireless will give the snoop something to read but if your encryption is good enough (and I don't believe that 128 bit is) the snoop will have your data long after it's usefullness is past.

Use IP's security instead

[sstammer]

Usually the security of the link (e.g. 802.11) isn't important unless you need to prevent denial of service attacks (perhaps that's a possibility where you work :-). Instead, you can rely on the security mechanisms that IP (and Mobile IP) provides.

The beauty of IP is that being software & readily available, it has been able to spread over all sorts of networks, providing connectivity, and consequent demand for features (such as security) that provide functionality irrespective of what functionality the lower layers of network hardware etc provide.

Insecure? Compared to what?

[NoahSpurrier]

I'd trust 128-bit WEP more than an ethernet line. Heck, I'd trust 40-bit WEP more than a regular lane. It's trivial to tap into an ethernet line. That's not theorestical. I've never heard of a real system for tapping into an 802.11b link. But the point is that you shouldn't trust any communication link. You should learn more about SSH or a VPN.

Yes

[peccary]

IPsec
CIPE
SSH

Basically, if you treat the wireless LAN as untrusted, and think about it that way, there are natural solutions that will present themselves.

Re:Insecure? Compared to what?

[Hast]

Well, you can check the small slide show presentation at dsniff [monkey.org] for starters. It was mentioned (along with a bunch of others) not too long ago in the "WEP Isn't Secure" thingy here on Slashdot a week or so ago...

IPSEC

[RoninAdmin]

From a Linux angle, FreeS/WAN works on just about everything, even adaptive load balanced NIC teams. It provides decent packet level encryption, and is interoperable with other IPSEC implementations such as Intel Packet Protect. Both FreeS/WAN and Packet Protect are free. Packet Protect requires an Intel NIC though, but with offloading, it is worth it. Both should offer sufficient security for all applications where networking outside of a vault is okay.

exactly

[mikeee]

Treat wireless the same way you would remote access via Internet; firewall it off, layer a VPN over the wireless LAN and you're good.

Probably.

Re:exactly

[True Dork]

That's exactly what I do. I used DHCP to assign a private subnet that I dont route and then PoPToP [lineo.com] to establish a connection that I assign a ppp IP that I do route for the laptops. Works perfectly.

Re:Insecure? Compared to what?

[dblair]

> I've never heard of a real system for
> tapping into an 802.11b link.

Any packet sniffer will do.

Re:WEP isn't that bad

[HiNote]

Keep in mind WEP stands for "Wired Equivilancy Protocol"

Close, its actually "Wired Equivalent Privacy," but you have the right idea. It was only intended to be as secure as wire.

Re:Insecure? Compared to what?

[HiNote]

No not really. In order to use a regular packet sniffer, you have to know the encryption key(s) and the network name, otherwise the radio card will drop the packets before they are passed along to your laptop.

Re:Wireless in business?

[CoderDevo]

Wireless is necessary for some businesses to be efficient. Consider manufacturing plant floor IS systems. It isn't easy or cheap to retrofit a plant with copperwire. Plants often are reconfigured based on current production needs. Wireless is perfect.

Others:
Store or warehouse inventory control devices, ie scanners.
Hospitals where doctors & nurses each have handheld touch screen displays that bring up patient status & records.
Schools where students & teachers change rooms every hour, but will need constant access to school servers.
There's tons...

WEP is insecure...

[X]

The specific failings of WEP are documented here [berkeley.edu]. If your boss is concerned about WEP security, he/she should read this document, and make an assessment as to whether adding WEP to your network significantly increases the security risk.

Assuming you use 128-bit WEP, you have a reasonable chance of blocking attackers. While you could be compromised, it's important to compare the risk vs. the risk of your wired LAN being compromised. For example, do you allow visitors to plug in their computers into your LAN? If so, 802.11b is not going to increase your security risk.

Even if 802.11b would increase the security risk, you need to asses if it's a good trade-off in return for your benefits. Finally, if you can't accept the risk, then just run IPSec (or the poor-man's IPSec: SSH ;-) for communications over 802.11b. Indeed, you could have an IPSec gateway on whatever is plugged in to your 802.11b access point. Sure, it's a bit more work to setup, but the benefits would be substancial.

802.11b - link to article

[yucca]

You asked for a link - http://www.nwc.com/1203/1203ws1.html

One sentence summary of link: 802.11b not yet ready for the bleeding-edge averse enterprise IT manager (anyone know a CIO/CTO who digs deploying bleeding-edge stuff?), but there are ways to make it work for smaller organizations.

Re:what sort of work are you doing? dictates needs

[tzanger]

Plus, let's not forget that 128-bit gear isn't cheap.

Uhhh... compared to what? There's only like $16 difference between the silver (64) and gold (128) bit encrypted versions of the Lucent (Orinoco) wireless cards. Silver is $133.76 and Gold is $149.76 from CDW, not exactly the cheapest place on the planet.

In fact, I'm picking up a half dozen of them and a few PCMCIA-PCI bridge cards this Saturday.