
State of wireless security today in 2006

Page 2 - AnandTech community
Originally posted by: nweaver
...Oh, by the way, if I see a bunch of requests from a rogue client, my WLSE server will triangulate your position and email me. I'll just send the FBI over and say "they keep trying to access our network and DDOS the FBI website".
OK. Now I get to tell my phishing story.

A couple of years ago, I received my "first" phishing attempt. It really made me angry.

I went to the web site where the fake PayPal site was located. Navigating up a few directories, I found a web page that was being used to create the automatic phishing emails! The guy had created a web page where you entered email addresses and it would automatically send out phishing emails to those email addresses, complete with fake headers. And he didn't bother to secure the creation page!

Soooo...
I got the email addresses of the Florida Computer Crime Commission, along with the Florida Governor's email address (the web site was hosted in Florida). Then I had the web page send 100 phishing emails each to the Governor's office and to the Florida Computer Crime Commission's office. They both got 100 fake emails stating that their PayPal accounts needed updating.

The fake PayPal web site was gone the next morning. I'm hoping I had a small part in that.
 
RebateMonger, I don't know where you got your definition of security. Where I come from, availability is part of security (assurance).

Woodie, your setup is exactly how I'd like to set up wireless LANs. Most of the time, I'm not allowed to, for cost reasons 🙁 But it makes a ton of sense to me to treat the WLAN as another public/untrusted network, and you VPN into it using the same exact stuff as you'd use to come in from any other public/untrusted network. As a bonus, your staff gets to set up and administer ONE solution for network admission from the outside, and ONE client for doing that, instead of a VPN and also wireless security. As an added bonus, you can mostly avoid the brain-damaged Windows wireless client and all the support headache it brings.

 
cmetz,

you've offered some great points.

IMHO, today's truly enterprise networks are completely segregated from the wired side. I'm used to a single (redundant) entry from the wireless to the wired side, and you have the necessary protection in place.

It all comes down to a matter of trust. How much do I trust the wireless net? semi-trusted?

I guess my main purpose was that in today's campus environment you can trust wireless nets to the same extent you can trust a wired net - you don't know what is on the other end.

Given that 802.1x/certificates are MUCH more employed on the wireless side than the wired side (although we're pushing towards that same trust/security on the wired side), I made my postulate with that in mind.

Sure, being a broadcast medium without physical access means wireless will be (or should be) more secure than wired as far as access. But the paranoia surrounding wireless is sometimes unfounded in an enterprise environment when you could just as easily "just plug in".

This of course coming from a guy who still thinks of wireless as a "niche" access medium. But in some sectors it is an absolute requirement (manufacturing/retail).

One cannot fight market forces, just do the best you can.

Reminds me of work in the Pentagon way back, fighting a nasty wired problem. Brought in a spectrum analyzer just to see what was going on with the noise and wired problems. That place is a fortress in more ways than I'd like to know, as I was told to turn over my gear. Go get 'em boys (Pentagon)...you've got the best and the brightest.
 
Originally posted by: cmetz
RebateMonger, I don't know where you got your definition of security. Where I come from, availability is part of security (assurance).
Mostly, I'm thinking that it'd be a lot safer and more destructive for me to do a DDOS against your Servers or DNS servers than to try to get away with setting up a jamming transmitter against your 802.1x WiFi network. How many jamming attacks have been attempted against 802.1x networks so far?
 
Originally posted by: nweaver
Originally posted by: diegoalcatraz
Originally posted by: nweaver
Originally posted by: Gillbot
I'll never agree that wireless is stronger than wired since I know how many wires are physically running from my switch. Wireless broadcasts so people can still see it. Unless you have physical access to my house, you can't get a wired connection.

but I don't have to get in your house, unless you don't have a single connection out. If you have a connection out, then you don't know. I can tap your line right outside, down the road, at the ISP's datacenter....

But you'll run across that same issue if you're using wireless.

Meaning wireless is pretty much "as secure" as wired.

I still disagree. If you get into the line coming INTO my house, you are getting on RoadRunner's network, not mine. If you can hack through all of my firewalls to get in to MY network, that's another story. I still say wired will be more secure because you are not broadcasting your presence to the world. Who is going to tear into the back of my house to get a wired connection, as opposed to seeing a network "pop up" on their screen as they drive by for later "probing"?
 
RebateMonger, a 2.4GHz wireless network is easily denied service accidentally using a cordless phone. This is much easier, lower-tech, and harder to track down and stop than a DDoS. All networks with contact with the outside world (public Internet, RF, etc.) are susceptible to denial of service, and thus not completely secure. So the philosophy to take is to raise the bar of attackers' resources required high enough that you're not worth it as a target.

A 2.4GHz or 5GHz wireless network can be knocked offline with a $50ish cordless phone, actually the cheaper the more effective since cheap cordless phones are stupid about RF. That's cheap enough and easy enough that someone who's just bored can take your net down. Spamming the channel with bogon 802.11 frames, or control frames that do damage, is a matter of a laptop and a wireless card, the right software and some knowledge. More expensive and more advanced than a cordless phone, but still quite approachable.

A DoS attack to take out a DSL/T1 business is not rocket science, but doing that and making it hard to track down your identity / stop the attack traffic requires more black-hat resources. When you get to the T3 and up level, it requires a pretty serious DDoS net.

So the point of all this is that it's still comparatively really easy to knock out a wireless net. There are things at the RF and 802.11 control levels that could be done that would improve this situation. In the case of the RF side, you can only improve, you can't totally fix. I believe the control protocol could be fully fixed.

spidey, wireless in manufacturing and retail is a fine example of clueless management types who don't understand all the details. They like the coolness of wireless, and the potential business benefits, and the fact that they don't have to go through annoying FCC licensing hoops. But watch as those same MBAs call their lawyers when somebody interferes with their network. And then watch the lobbying to fix this problem by imposing rules on everyone else. The end game is that the ISM bands will get a lot less free 🙁

I'd really like to see 802.11ish gear that runs on a nearby commercial band and requires a per-site FCC commercial license. Like some of the old wireless MAN bridging gear did. So at least people smart enough to go that route would have a legitimate claim to the resource, a legitimate legal basis to go after folks interfering with their network, and would raise the bar of gear/knowledge required to cause their network trouble. It's really a very not good situation when some nearby factory is running mission critical stuff on the same band as a lot of my home wireless electronics.
 
Originally posted by: cmetz
RebateMonger, a 2.4GHz wireless network is easily denied service accidentally using a cordless phone. This is much easier, lower-tech, and harder to track down and stop than a DDoS. All networks with contact with the outside world (public Internet, RF, etc.) are susceptible to denial of service, and thus not completely secure. So the philosophy to take is to raise the bar of attackers' resources required high enough that you're not worth it as a target.

A 2.4GHz or 5GHz wireless network can be knocked offline with a $50ish cordless phone, actually the cheaper the more effective since cheap cordless phones are stupid about RF. That's cheap enough and easy enough that someone who's just bored can take your net down. Spamming the channel with bogon 802.11 frames, or control frames that do damage, is a matter of a laptop and a wireless card, the right software and some knowledge. More expensive and more advanced than a cordless phone, but still quite approachable.

A DoS attack to take out a DSL/T1 business is not rocket science, but doing that and making it hard to track down your identity / stop the attack traffic requires more black-hat resources. When you get to the T3 and up level, it requires a pretty serious DDoS net.

So the point of all this is that it's still comparatively really easy to knock out a wireless net. There are things at the RF and 802.11 control levels that could be done that would improve this situation. In the case of the RF side, you can only improve, you can't totally fix. I believe the control protocol could be fully fixed.

spidey, wireless in manufacturing and retail is a fine example of clueless management types who don't understand all the details. They like the coolness of wireless, and the potential business benefits, and the fact that they don't have to go through annoying FCC licensing hoops. But watch as those same MBAs call their lawyers when somebody interferes with their network. And then watch the lobbying to fix this problem by imposing rules on everyone else. The end game is that the ISM bands will get a lot less free 🙁

I'd really like to see 802.11ish gear that runs on a nearby commercial band and requires a per-site FCC commercial license. Like some of the old wireless MAN bridging gear did. So at least people smart enough to go that route would have a legitimate claim to the resource, a legitimate legal basis to go after folks interfering with their network, and would raise the bar of gear/knowledge required to cause their network trouble. It's really a very not good situation when some nearby factory is running mission critical stuff on the same band as a lot of my home wireless electronics.


1. Nobody said to run mission critical gear on wireless. This is a discussion on SECURITY, not on AVAILABILITY.
2. I can get around your cordless phone use in an enterprise level rollout. It's called Cisco APs and Cisco WLSE. It will find the noise, figure out the best bands to use, and adjust power levels/channels/load automagically without missing a beat. Wireless in the enterprise CAN (and should) be much more than plugging an AP in and turning encryption on. If you have wireless in the enterprise, you should be able to find rogue clients within minutes, rogue APs within minutes, and your environment should be self healing and smart.
 
I have heard or read of some wireless systems that will actively "attack" intruding radios by overpowering them?

Don't have any specific info.
 
In (at least) some cases, the WLSE (or other IDS/IPS) will send a "Disconnect" message to clients it sees as rogues (can be dangerous to use in a high-rise .... at least take time to ID your friendly neighbors ...)

I believe they can also shut down the (Cisco) switchport that it associates with the rogue traffic.

FWIW

Scott
 
Scott, yes, the WLSE will shut down a rogue AP switch port.

It's pretty slick stuff, but I'm sure there are other wireless management systems out there that may be more powerful. There are some where you just have "guard" APs that don't really have clients; they are there to listen and actively thwart "unknown" radio sources.

What we really need (and I'm sure somebody is working on it) is guard APs with high gain directional antennas that are movable in the horizontal and vertical plane. Then these guard APs automatically triangulate the offending radio and blast it with 2.4 RF.

In reality I can't see this as being difficult to do.
 
Originally posted by: ScottMac
In (at least) some cases, the WLSE (or other IDS/IPS) will send a "Disconnect" message to clients it sees as rogues (can be dangerous to use in a high-rise .... at least take time to ID your friendly neighbors ...)

I believe they can also shut down the (Cisco) switchport that it associates with the rogue traffic.

FWIW

Scott

We recently implemented the Cisco gear from what used to be Airespace. We can isolate rogues, triangulate and shut them down. Of course, we have to be careful we do not shut down a neighboring business doing legitimate wireless traffic.

It just amazes me how many businesses throw in home-grade wireless APs and still don't take a few minutes to change the defaults.

This has been a great discussion. Real big :thumbsup: to all the experts here.

As a library, we do not have a lot of money, and implementing a full security model with certificates is beyond our reach. But we do what we can and use WPA-PSK on our internal (staff) side and isolate traffic on separate VLANs where we can to mitigate security risks.

Not perfect, but better than WEP.

By design, our public wireless is a completely separate VLAN and is wide open. Access only to the Internet. Lots of customers come into our libraries just to use the wireless Internet access. And now that we are adding 100MB fiber links between some of our locations, we expect even more traffic.
 
Originally posted by: dphantom
This has been a great discussion. Real big :thumbsup: to all the experts here.
I think it's great when a technical discussion can stimulate debate without resorting to name-calling. There's too much of that in this world.
 
Originally posted by: dphantom
As a library, we do not have a lot of money and implementing a full security model with certificates is beyond our reach.
Actually, to implement 802.1x, all you really need is a single Windows 2003 Server. Or an SBS 2003 server, which costs even less (about $450 for the OS). Not THAT much more than the $200 for XP Professional.

Of course, it does take a bit of training to actually implement it, too......
 
Originally posted by: RebateMonger
Originally posted by: dphantom
This has been a great discussion. Real big :thumbsup: to all the experts here.
I think it's great when a technical discussion can stimulate debate without resorting to name-calling. There's too much of that in this world.

oh, quiet you MS bigot!!!!
😉
 
Can 2k3SBE be used as a RADIUS server? I have only ever used Cisco ACS. I actually think calling Spidey a Cisco communist is better than a linux loser 😉
 
Yep. I use it at home.

It comes with Exchange and SQL2K too (Premium Edition).

FWIW

Scott


 
Originally posted by: nweaver
Can 2k3SBE be used as a RADIUS server? I have only ever used Cisco ACS. I actually think calling Spidey a Cisco communist is better than a linux loser 😉
Internet Authentication Service (IAS, the Windows RADIUS server) is available for install in SBS 2003 and all versions of Server 2003 (except, possibly, the Web version). And, no, I've never actually INSTALLED IAS on an SBS Server, but Microsoft's 700-page book on SBS says that it works fine. They have three pages on installing it and using it for 802.1x.
 
With the right software and distributed computing technology approaches utilized by many hackers, you could conceivably hack 40-bit encryption with approximately 100-150 computers in 1-2 days using brute force.

Most web encryptions are 64-bit hex at best and would be at risk. Greater encryption technologies put more load on WAP structures and threaten the efficiency of a large-scale wireless network. As long as you're not doing your banking in an airport and have decent firewalling on your laptop before you connect, it's probably OK...just be aware that there are definitely gaps in security because WEP is flawed.
Link (beware: 3.7 MB PDF)

 
Originally posted by: Woodie
Good discussion. Scott makes some very interesting comments.

DoS: I consider the WLAN to be a convenience network, not the core network. If you have a legitimate (business) reason to be using our wireless network, then you also have permission to plug in to the LAN. I consider that a "minor" risk, as an inconvenience more than anything. Note: This is based on our sites, where we do not now have, nor plan to have sites with no wired LAN.

Man in the Middle: I'm sceptical that it's "so easy"; however, I will defer to the man who's seen the demo.
Is it really that easy to poison the ARP cache on both client and AP without prior authentication?
If the AP is decently configured for encryption (no WEP) and the authentication is PKI dependent, how weak is that really? I think (correct me if I'm wrong) that it would be pretty hard to break in to such a system.

FWIW, we provide WLAN at one of our campuses, but it's strictly as a convenience, primarily for non-employees.
We secured it by:
(1) No encryption. We turned off WEP, WPA, etc...it's wide open.
(2) The APs connect to a segment hooked to a FW.
(3) Outbound traffic (to Internet) is port-restricted to 10001 only.
(4) Inbound traffic (to LAN) is IP and port restricted to 10001 and to our VPN switch only.

The thought is that we now have a place where guests can connect and VPN back to their corporate switches. Employees are restricted the same way, and can only connect to the corporate VPN switch (on the outside interface). So, we saved all the hassle/maintenance associated w/ the authentication/encryption set up for wlan. We rely on the VPN tunnel/configuration to protect the data stream, using the same standards/technology for that traffic flowing across the internet.

Your thoughts? Weaknesses? (don't bother w/ Social Engineering...we're painfully aware of end user/help desk susceptibility) 😉

I take a similar approach on my wifi network, but I also use MAC restriction and no broadcast on the SSID. (Only minimal impact I know)
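The guest-WLAN design Woodie lays out above (open APs on their own firewalled segment, port 10001 out to the Internet only, and only the VPN switch reachable on the LAN side), written up as a default-deny rule table you can push flows through. This is an added example, not anything a poster in the thread shared; the zone names, the addresses and the sample flows are my own constructions, and only the port number and the "VPN switch only" rule come from the post.

```python
# Added example: Woodie's guest-WLAN firewall policy as a default-deny matcher.
# ASSUMPTIONS (not from the post): zone names "wlan"/"lan"/"internet", the
# addresses below (RFC 5737 documentation ranges) and the Flow/Rule layout.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_zone: str   # zone the packet enters from
    dst_zone: str   # zone it is trying to reach
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_net: str            # CIDR; "0.0.0.0/0" = any destination
    dst_port: Optional[int] # None = any port
    action: str             # "allow" or "deny"


# Constructed stand-in for the outside interface of the corporate VPN switch.
VPN_SWITCH = "192.0.2.10"

RULES = [
    # (3) outbound from the open WLAN segment to the Internet: port 10001 only
    Rule("wlan", "internet", "0.0.0.0/0", 10001, "allow"),
    # (4) toward the LAN side: only the VPN switch, and only on port 10001
    Rule("wlan", "lan", f"{VPN_SWITCH}/32", 10001, "allow"),
    # nothing else is listed: evaluate() falls through to deny
]


def matches(rule: Rule, flow: Flow) -> bool:
    """First-match semantics: every field of the rule must agree with the flow."""
    return (rule.src_zone == flow.src_zone
            and rule.dst_zone == flow.dst_zone
            and ip_address(flow.dst_ip) in ip_network(rule.dst_net)
            and (rule.dst_port is None or rule.dst_port == flow.dst_port))


def evaluate(flow: Flow, rules=RULES) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Constructed sample flows: the WLAN carries no encryption of its own, so the only
# thing the policy lets through is the VPN tunnel that protects the data stream.
SAMPLE_FLOWS = {
    "guest_vpn_to_own_company": Flow("wlan", "internet", "203.0.113.5", 10001),
    "guest_plain_web_browsing": Flow("wlan", "internet", "203.0.113.5", 80),
    "employee_vpn_to_corp_switch": Flow("wlan", "lan", VPN_SWITCH, 10001),
    "employee_direct_to_fileserver": Flow("wlan", "lan", "198.51.100.20", 445),
    "ssh_to_vpn_switch": Flow("wlan", "lan", VPN_SWITCH, 22),
}


def run_samples() -> dict:
    """Decision for every constructed flow, e.g. for a quick policy review."""
    return {name: evaluate(flow) for name, flow in SAMPLE_FLOWS.items()}
```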
 
Originally posted by: DaiShan
I take a similar approach on my wifi network, but I also use MAC restriction and no broadcast on the SSID. (Only minimal impact I know).
While it never hurts to have multiple security layers, my PERSONAL PREFERENCE is to not mess with MAC restrictions and SSID broadcast. It adds too many complications for my clients, and they are likely to just dump the whole WiFi security thing as being too messy. I DO want them to keep WPA enabled! It's enough work for them just to copy that long shared key!

If somebody is determined enough to spend the time and effort to crack a WPA network, they probably won't consider it a big deal to crack MAC restrictions or SSID broadcast. Turning off SSID will keep your next-door neighbor from knowing about your network, but anybody determined enough to break WPA isn't going to need SSID to find your WiFi network in the first place.

Just my OPINION.....that doesn't make it the right answer for you.
 
I thought most SSL (online bank sites and such) were 256 bit, but I'm not that savvy on that stuff, so I could be wrong.


As far as brute forcing a password, we did a test for the FBI's DC program that will crack password hashes/password protected files. It's "intelligent" as far as social engineering (fill in info on the suspect). It will build social engineered libraries to try, as well as 27 foreign language dictionaries, and then just plain brute force. We had just under 500 PCs (mix of P3 550's and P4 2.6 non HT's) and brute forced a password that was 10 digits, non dictionary, uppercase and lowercase, alphanumeric in 6 hours or so.
 
Originally posted by: nweaver
We had just under 500 PCs (mix of P3 550's and P4 2.6 non HT's) and brute forced a password that was 10 digits, non dictionary, uppercase and lowercase, alphanumeric in 6 hours or so.
That's why I suggest 20-character pass phrases for my clients. Breaking those should take quite a bit longer.....
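A back-of-the-envelope keyspace model for the two brute-force figures in this thread (the 40-bit / 100-150 machines / 1-2 days claim, and nweaver's 10-character mixed-case alphanumeric password on ~500 PCs in ~6 hours), carried through to RebateMonger's 20-character suggestion. This is an added example, not from any poster; it takes the posted figures at face value and its rates are assumptions derived from those anecdotes, not measurements.

```python
# Added example: brute-force keyspace and time estimates from the thread's figures.
# ASSUMPTION: a reported crack found the password after searching `fraction` of the
# keyspace (0.5 = the expected case for a uniformly random password), and a
# distributed search scales linearly with the number of machines.
ALNUM = 62  # a-z, A-Z, 0-9: the character set of the 10-character password above


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates for a fixed length over a fixed alphabet."""
    return alphabet_size ** length


def implied_rate(alphabet_size: int, length: int, seconds: float,
                 fraction: float = 0.5) -> float:
    """Guesses per second implied by 'cracked a length-N password in T seconds'."""
    return keyspace(alphabet_size, length) * fraction / seconds


def expected_seconds(alphabet_size: int, length: int, rate: float,
                     fraction: float = 0.5) -> float:
    """Expected time to find a password of this length at a given guess rate."""
    return keyspace(alphabet_size, length) * fraction / rate


def scale_rate(rate: float, machines_benchmark: int, machines_target: int) -> float:
    """Linear scaling of a distributed search (ASSUMPTION: perfect parallelism)."""
    return rate * machines_target / machines_benchmark


def passphrase_ratio(alphabet_size: int, short_len: int, long_len: int) -> int:
    """How many times longer the longer password takes at the same rate."""
    return alphabet_size ** (long_len - short_len)


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # Data point 1: ~500 PCs, 10 mixed-case alphanumeric characters, ~6 hours.
    rate_500 = implied_rate(ALNUM, 10, 6 * 3600)
    print(f"implied rate on ~500 PCs: {rate_500:.3g} guesses/s")
    # Same rate against RebateMonger's 20-character pass phrase.
    print("20 chars at that rate:", human(expected_seconds(ALNUM, 20, rate_500)))
    print("times longer than 10 chars:", f"{passphrase_ratio(ALNUM, 10, 20):.3g}")
    # Data point 2: 40-bit keys, 100-150 machines, 1-2 days (taken as 125 / 2 days).
    rate_40 = implied_rate(2, 40, 2 * 86400)
    print(f"40-bit: {rate_40:.3g} keys/s per 125-box cluster, "
          f"{scale_rate(rate_40, 125, 1):.3g} keys/s per box")
```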
 