Wireless Network Security

Roast

Weaksauce
Joined
Dec 31, 2002
Messages
101
Hello,
I took a look in the FAQ, but didn't see anything realated to this, so I thought I would ask. Asides from putting a PW on a folder and using WEP, is there anyother good way to secure a wireless network? I also took a look at a few sites on line. Some suggest using NetBIOS instead of TCP/IP, but i need everything standardized here, and the users only want TCP/IP. Thank you.
 

skritch

2[H]4U
Joined
Apr 16, 2001
Messages
2,688
Originally posted by Roast
Hello,
I took a look in the FAQ, but didn't see anything realated to this, so I thought I would ask. Asides from putting a PW on a folder and using WEP, is there anyother good way to secure a wireless network? I also took a look at a few sites on line. Some suggest using NetBIOS instead of TCP/IP, but i need everything standardized here, and the users only want TCP/IP. Thank you.


Change the AP from "open network" to "closed network" to eliminate AP advertisement frames.

Use WPA instead of WEP, if possible.

Change encryption keys weekly.

Only use encrypted protocols via wireless.

Use MAC-based access control on the AP.

Do not hand out DHCP addresses via wireless.

Put the AP in a DMZ, require all users to authenticate against a VPN server to use the network. This kills two birds with one stone: It enforces strong user authentication, and it butresses wireless's weak encryption protocols.

(extra-paranoid security): Install mutliple anti-wardriving sniffers. Use relative signal strengths to triangulate and locate potential users in physical space. Do not allow access to your APs from users outside physical boundaries you set.
 

Roast

Weaksauce
Joined
Dec 31, 2002
Messages
101
thanks for the tips.
for the do not hand out DHCP via wireless, should i just manually give out IPs?
 

skritch

2[H]4U
Joined
Apr 16, 2001
Messages
2,688
Originally posted by Roast
thanks for the tips.
for the do not hand out DHCP via wireless, should i just manually give out IPs?

Well, it depends on the feasibility of that situation. A compromise would be to use DHCP, but use its ability to assign a given IP to a given MAC. Since you're going to be using MAC access control anyway, you'll already have a list of all MACs that are allowed to use the wireless net. Use that list to assign IPs via DHCP.

The reasoning for not using DHCP is fairly simple: If the intruder can't figure out your internal addressing scheme, he can't get in. The ever-popular and much-maligned "security through obscurity". It's not sufficient on its own, but when layered with multiple other security measures, it can add that extra bit of boundary between you and the Bad Guys.
 

Roast

Weaksauce
Joined
Dec 31, 2002
Messages
101
Thanks for your guidance here, alot of this i had never even considered.
 

NetJunkie

[H]F Junkie
Joined
Mar 16, 2001
Messages
9,682
Not using DHCP is far more effort than it is worth. Kismet will tell me what IP range a wireless network uses. It gets that by ARP and data packets.
 

skritch

2[H]4U
Joined
Apr 16, 2001
Messages
2,688
Originally posted by NetJunkie
Not using DHCP is far more effort than it is worth. Kismet will tell me what IP range a wireless network uses. It gets that by ARP and data packets.


...which can be spoofed successfully by producing dummy traffic. And there's another program that'll produce "ghost" APs. Kismet can't distinguish.
 

NetJunkie

[H]F Junkie
Joined
Mar 16, 2001
Messages
9,682
Originally posted by skritch
...which can be spoofed successfully by producing dummy traffic. And there's another program that'll produce "ghost" APs. Kismet can't distinguish.

I think we'd both agree that spoofing traffic is more trouble than it's worth. How long would it take to figure out some real traffic and use that address? How long to figure out that those thousand fake APs don't have any clients but that one real one does?

Far better ways to secure things.
 

NetJunkie

[H]F Junkie
Joined
Mar 16, 2001
Messages
9,682
Originally posted by Roast
such as?

Do what skritch said at the beginning. It's good advice. Anything else requires a lot more work, equipment, and/or time.
 
Top