Southeastern News Online, July 2004, Vol. 2 No. 2
Party with Wireless Security!
Last time I said that I’d discuss e-mail spoofing in this article. However, due to the length of this article, e-mail spoofing will be covered another time. Now on with the show!
Anyone who read my last article will understand that system security is at the forefront of my mind. So it's only fitting that when it came to implementing the wireless LAN that Southeastern uses for training, every decision I made centered on the security issues affecting wireless. If you've ever wondered why our wireless LAN is not a "drop-in" LAN where anyone can bring a wireless machine and connect, you're about to find out. You'll also see one approach to keeping a wireless LAN as secure as possible.
So why isn’t it a “drop-in” LAN?
The wireless network using laptops was put in as a way for us to allow greater flexibility in setting up the training room for classes and presentations. Wired networks and desktop workstations make it difficult to reconfigure the room at-will and require that network cabling be strung throughout the room for each machine that will be used for a particular event. Wireless gives us the freedom to set up the room in any configuration without worrying about wires. It also allows an instructor or trainer to carry one laptop around to attendees for one-on-one assistance while keeping a connection to the Internet.
Thus, this particular wireless LAN was implemented with the idea that it would be for use only by those attending training sessions or classes. After deciding that the wireless LAN was only going to be for class use, it only made sense to keep things as secure as possible by not leaving the network open to anyone who happens to want in. After looking at the security issues involved in leaving a wireless network open, it didn’t take much to convince me to keep the network closed.
Protecting the inside goods: Building LAN, Staff, and Servers
The first reason that the wireless LAN is not "drop-in" is that its data is routed through part of the SENYLRC wired network on its way out to the Internet. Yes, there is a (very) restrictive firewall between the training lab network and the wired LAN, and that firewall prevents the wireless LAN machines from talking to any SENYLRC staff computers, printers, or servers (with the exception of specific servers for specific reasons, like viewing the SENYLRC web page). But since the networks are physically connected (even with a firewall in between them), there is always some chance of compromise. And because there is sensitive data essential to the council's operation on the other side of that firewall, the best practice is to keep track of exactly who is using the wireless network and when. The best way to do that is to keep everyone out by default and require would-be visitors to register for access to the wireless LAN. This way, I always know who's on.
Protecting the innocent…
Another reason that people try to gain unauthorized access to wireless (and wired) networks is to use those networks to carry out attacks, attempt to hack into other sites on the Internet, or do other illegal things (download copyrighted material, for example). If the ongoing fight between the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA) and users of peer-to-peer file sharing software has taught us anything, it's that the account holder of the connection where illegal activity takes place is the one who will be held responsible for any illegal actions carried out over that connection (see http://www.msnbc.msn.com/id/3078421/). By the logic of the MPAA and RIAA, SENYLRC (or our ISP) would be responsible if someone used our connection to steal hundreds of dollars' worth of music. And neither we nor our ISP would like a "cease and desist" letter from either organization. What's the easiest way into someone's network to abuse their Internet connection? Find a hole that's easy to exploit. Wireless LANs make a great hole.
Battening down the hatches, but leaving the back door open…
Because wireless LANs broadcast their traffic over the air, anyone within range can listen in. And when you can listen in, it's often possible to get in. Wireless LANs also often broadcast well beyond the walls of the institutions using them. I know what you're saying: "But Chris, you can set up encryption (a.k.a. WEP or 'Wired Equivalent Privacy') and everything will be secure, right?" Not quite. WEP is breakable. WEP works using a key that is entered at both the wireless access point and each client machine. Data sent over the wireless LAN is scrambled by a mathematical formula (the RC4 cipher) that takes that key into account, and the receiving machine uses the same key and the reverse formula to turn the data back into something readable. The weakness is in how the key is used: each frame is encrypted with the shared key plus a short 24-bit value that is sent in the clear, so the same scrambling stream gets reused quickly, and certain of those values leak pieces of the key itself. WEP keys can therefore be figured out by "sniffing" (listening to) the encrypted data on a wireless network. Sniffing can be completely passive, meaning the listening machine does just that: it listens. It's just like listening to the radio. You listen to a radio station that you're in range of and the radio station has no idea that you're listening. Your radio doesn't send anything. Once enough data has been sniffed from the wireless LAN, it can be processed to figure out what key was used to encrypt it. This does take some time, but once it's complete that person has the key and probably has access to your wireless LAN (or will soon). Do we have WEP turned on? Of course! But it's a little different from the normal WEP. I'll get into that later on.
"But Chris, I have set up an access list that says only computers I list can join my wireless LAN. This list combined with WEP should keep me safe, right?" I'm sorry, that's incorrect. Our announcer will tell you what parting gifts you've won. Lists of computers allowed to use a wireless network, known as Access Lists, contain the hardware (MAC) address of each wireless card that is allowed to log onto the wireless network. In principle every network adapter has a different hardware address (manufacturing defects aside). Hardware addresses look something like this: 00-04-AC-C4-70-80. But two cards can end up with the same address for a less innocent reason: the hardware address of a wireless (or wired) adapter can usually be changed from its factory-programmed value to whatever address a user wishes. This can be a problem.
Every frame traversing a network (wired or wireless) carries the hardware address of the sending machine and the address of the receiving machine, and on a wireless LAN those addresses are sent in the clear even when WEP is on. The wireless LAN can therefore be sniffed to determine which hardware addresses are in use on that network. Using this information and a little work, one can change the hardware address of a wireless card to match the address of an authorized card and gain access to the network. This process is known as spoofing. Do we use filtering? Yes! It's just one more layer that a person has to waste time circumventing before they can get in.
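The two weaknesses just described can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from the article or from SENYLRC: a toy WEP encryptor/decryptor built from RC4 and CRC-32 (the algorithms WEP really uses) that (1) parses a protected frame the way a passive sniffer would and pulls out the two hardware addresses, which WEP never encrypts, and (2) recovers the keystream for one IV from a frame whose contents are guessable and uses it to decrypt a second frame sent under the same IV, without ever learning the WEP key. The key, addresses, IV and payloads are constructed for the example.

```python
"""
Added example, not code from the article or from SENYLRC: toy WEP frames
built from RC4 and CRC-32, used to show (1) that the 802.11 header with
both MAC addresses is sent in the clear even under WEP and (2) that reuse
of WEP's 24-bit IV lets a known-plaintext sniffer decrypt other frames
under that IV with no key. All keys, addresses and payloads are constructed.
"""
import struct
import zlib

HEADER_LEN = 24      # frame control, duration, addr1-3, sequence control


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mac(text: str) -> bytes:
    """'00-04-AC-C4-70-80' -> six raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(wep_key, iv, dst, src, bssid, payload):
    """WEP data frame: frame control 0x4008 (data type, Protected bit).
    Only payload || ICV is XORed with RC4(iv || key); header and IV are clear."""
    header = struct.pack("<HH", 0x4008, 0) + dst + src + bssid + struct.pack("<H", 0)
    body = payload + icv(payload)
    return header + iv + b"\x00" + xor(body, rc4(iv + wep_key, len(body)))


def sniff(frame):
    """What a passive listener sees with no key at all: the whole header."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    return {
        "protected": bool(fc & 0x4000),
        "addr1": frame[4:10],                     # receiver
        "addr2": frame[10:16],                    # transmitter: what a MAC filter checks
        "addr3": frame[16:22],                    # BSSID in this frame layout
        "iv": frame[HEADER_LEN:HEADER_LEN + 3],
        "ciphertext": frame[HEADER_LEN + 4:],     # after 3-byte IV and 1-byte key id
    }


def wep_decrypt(wep_key, frame):
    """Legitimate receiver: strip the keystream and verify the ICV."""
    f = sniff(frame)
    body = xor(f["ciphertext"], rc4(f["iv"] + wep_key, len(f["ciphertext"])))
    payload = body[:-4]
    if body[-4:] != icv(payload):
        raise ValueError("ICV mismatch")
    return payload


def recover_keystream(frame, guessed_payload):
    """Known-plaintext step: ciphertext XOR (plaintext || ICV) = keystream."""
    f = sniff(frame)
    return f["iv"], xor(f["ciphertext"], guessed_payload + icv(guessed_payload))


def decrypt_with_keystream(frame, iv, keystream):
    """Any other frame under the same IV falls to the recovered keystream."""
    f = sniff(frame)
    if f["iv"] != iv or len(keystream) < len(f["ciphertext"]):
        return None              # different IV, or not enough keystream recovered
    return xor(f["ciphertext"], keystream)[:-4]


def demo():
    wep_key = bytes.fromhex("0102030405")          # constructed 40-bit key
    ap, client = mac("00-04-AC-C4-70-80"), mac("00-04-AC-11-22-33")
    iv = bytes.fromhex("A1B2C3")                   # repeats: only 2**24 values exist
    f1 = wep_encrypt(wep_key, iv, ap, client, ap, b"GET / HTTP/1.0\r\n")
    f2 = wep_encrypt(wep_key, iv, ap, client, ap, b"user=guest&pw=1")
    seen = sniff(f1)                               # (1) addresses in the clear
    iv_seen, ks = recover_keystream(f1, b"GET / HTTP/1.0\r\n")
    return {
        "protected": seen["protected"],
        "authorized_mac": seen["addr2"],
        "leaked": decrypt_with_keystream(f2, iv_seen, ks),   # (2) no key needed
        "roundtrip": wep_decrypt(wep_key, f1),
    }


if __name__ == "__main__":
    print(demo())
```

The keystream trick is only the cheapest of WEP's problems; the full key-recovery attack the text alludes to collects many frames with weak IVs rather than one known plaintext, but it starts from exactly this passive capture.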
The final piece to keeping people out…
So now that I've established that it's relatively easy for someone with a little skill to get into a wireless LAN that is using only the basic protections, you're probably wondering what we do differently. What I've done is set up our network so that to successfully sign on, the computer you're connecting with must have a special digital certificate that I create and "sign". This certificate has a range of dates for which it is valid (usually one day for guests) as well as other identifying information about the user connecting. The certificate must be created on the server that handles our wireless LAN security. Certificates can't be downloaded from a website; I create them as needed.
When a computer with one of my signed certificates comes onto the network, the access point asks to see its certificate. It then forwards the certificate to a server that I set up, which compares it with a list of valid certificates, checks to make sure it hasn’t expired, and a few other things. If the certificate is valid, the server tells the access point that the computer is allowed to access the network. If not, the computer is denied access.
This process has a couple of added bonus features. First, the certificate check isn't done just once; it's repeated every 15 minutes. This ensures that if a certificate expires while a user is on, the user will be booted off the network within 15 minutes. The other bonus feature is that every time your computer is asked to identify itself again, a new WEP key is generated by the server and used in place of the previous one. This means that if a key is cracked as I explained above, the cracked key is good for 15 minutes at most; after that the key changes and whoever was relying on the cracked key is cut off. And each computer on the network gets its own key, instead of sharing one key among all machines. Could this be broken too? Sure, but it's harder and it'll take more time.
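To make the sign-on and re-check cycle concrete, here is an added model of it, written for this page and not the article's or SENYLRC's own code (the article does not name the product or protocol in use; the design it describes corresponds to the certificate-based 802.1X authentication with dynamic per-station WEP keys common in 2004, but that is my assumption). The server issues and signs a certificate with a validity window, the access point relays it to the server at sign-on and again every 15 minutes, and each successful check hands the station a fresh key. An HMAC with a secret only the server holds stands in for the real certificate signature; the user, addresses, and times are constructed.

```python
"""
Added model, not the article's or SENYLRC's code: administrator-issued
certificates with a validity window, an access point that re-checks every
station with the authentication server every 15 minutes, and a fresh
per-station WEP key on each successful check. The HMAC stands in for the
real certificate signature; names, addresses and times are constructed.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

REAUTH_INTERVAL = timedelta(minutes=15)        # the article's re-check period


class AuthServer:
    """Holds the signing secret and the list of certificates still valid."""

    def __init__(self):
        self._signing_key = secrets.token_bytes(32)    # never leaves the server
        self._valid_serials = set()

    def _sign(self, body):
        blob = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._signing_key, blob, hashlib.sha256).hexdigest()

    def issue(self, user, station_mac, not_before, not_after):
        """The administrator's as-needed step: create and sign a certificate."""
        body = {"user": user, "mac": station_mac, "serial": secrets.token_hex(8),
                "not_before": not_before.isoformat(), "not_after": not_after.isoformat()}
        self._valid_serials.add(body["serial"])
        return {"body": body, "sig": self._sign(body)}

    def revoke(self, serial):
        self._valid_serials.discard(serial)

    def check(self, cert, station_mac, now):
        """Return (allowed, reason, session_key); a new key on every success."""
        body = cert["body"]
        if not hmac.compare_digest(cert["sig"], self._sign(body)):
            return False, "not signed by this server", None
        if body["serial"] not in self._valid_serials:
            return False, "revoked or unknown serial", None
        if body["mac"] != station_mac:
            return False, "certificate issued for another station", None
        if not (datetime.fromisoformat(body["not_before"]) <= now
                < datetime.fromisoformat(body["not_after"])):
            return False, "outside validity period", None
        return True, "ok", secrets.token_bytes(13)     # 104-bit per-station WEP key


class AccessPoint:
    """Relays certificates to the server and re-checks each station on schedule."""

    def __init__(self, server):
        self.server = server
        self.sessions = {}      # station mac -> {"cert", "key", "next_check"}

    def associate(self, station_mac, cert, now):
        ok, reason, key = self.server.check(cert, station_mac, now)
        if ok:
            self.sessions[station_mac] = {"cert": cert, "key": key,
                                          "next_check": now + REAUTH_INTERVAL}
        return ok, reason

    def tick(self, now):
        """Re-check every station that is due; return the ones booted off."""
        booted = []
        for station_mac, s in list(self.sessions.items()):
            if now < s["next_check"]:
                continue
            ok, _reason, key = self.server.check(s["cert"], station_mac, now)
            if ok:
                s["key"], s["next_check"] = key, now + REAUTH_INTERVAL   # rotate key
            else:
                del self.sessions[station_mac]
                booted.append(station_mac)
        return booted


def demo():
    server = AuthServer()
    ap = AccessPoint(server)
    t0 = datetime(2004, 7, 12, 9, 0, tzinfo=timezone.utc)
    guest_mac, intruder_mac = "00-04-AC-11-22-33", "00-04-AC-DE-AD-01"
    cert = server.issue("guest", guest_mac, t0, t0 + timedelta(days=1))   # one-day guest cert

    admitted, _ = ap.associate(guest_mac, cert, t0)
    first_key = ap.sessions[guest_mac]["key"]      # suppose a sniffer cracks this one

    # Intruder presents the guest's certificate from their own card, then a
    # copy edited to name their own address: the server refuses both.
    borrowed = ap.associate(intruder_mac, cert, t0)
    edited = {"body": dict(cert["body"], mac=intruder_mac), "sig": cert["sig"]}
    forged = ap.associate(intruder_mac, edited, t0)

    now = t0 + REAUTH_INTERVAL
    ap.tick(now)                                   # first re-check: fresh key
    rotated = ap.sessions[guest_mac]["key"] != first_key
    keys, booted_at = {first_key, ap.sessions[guest_mac]["key"]}, None
    while booted_at is None and now < t0 + timedelta(hours=25):
        now += REAUTH_INTERVAL
        if guest_mac in ap.tick(now):
            booted_at = now                        # certificate expired mid-session
        else:
            keys.add(ap.sessions[guest_mac]["key"])

    return {"guest_admitted": admitted, "borrowed_reason": borrowed[1],
            "forged_reason": forged[1], "key_rotated": rotated,
            "distinct_keys": len(keys), "booted_at": booted_at,
            "expiry": t0 + timedelta(days=1)}


if __name__ == "__main__":
    print(demo())
```

Over a one-day guest certificate the station cycles through 96 distinct keys, and a key captured at any point stops working at the next 15-minute check, which is the bound the text gives on how long a cracked key is useful.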
Why on Earth are you worried about this?
I have very enterprising friends – friends that keep me up to date with the latest findings relating to how they have figured out how to break into (or just break) someone else’s wireless LAN. Now, I trust my friends and all. But if they can do it, so can somebody I don’t trust. To give you an idea of the type of thing I’m talking about, consider this:
About 3 years ago while sitting in my dorm room at Marist, the friends mentioned above sent me an instant message asking me to guess where they were. Assuming they were on campus somewhere, I replied appropriately. They weren't on campus. They weren't even near it. Instead, they were sitting in the parking lot of a local retail store, and had managed to gain access to said store's network. They were instant messaging me from a parking lot. With great detail, they gave me specifics about the network they had gained access to. They even mentioned that they could see other devices on the wired network of the store, such as cash registers. Obviously this store hadn't done a good job keeping its wireless and wired networks appropriately secured, but that's not the point. The point is that open networks are a great security risk, as are partially or poorly secured networks. And that's one risk I'm not willing to take.
By Chris Hyzer, Systems Manager