[Long Rant] Re: Encryption Question
Dominick, David
David.Dominick at delta.com
Tue Sep 18 03:49:57 EST 2001
-----Original Message-----
From: Alex Satrapa [mailto:grail at goldweb.com.au]
Sent: Monday, September 17, 2001 10:44 AM
To: Steven Hanley
Cc: wireless at lists.samba.org
Subject: [Long Rant] Re: Encryption Question
At 00:58 +1000 2001-09-11, Steven Hanley wrote:
>umm, okay, first off, the hardware encryption with wireless cards is broken and
>can not be relied on for any security at all. Anyone who wants to can rock up
>with a standard laptop running linux and work out the key for the encryption
>in about 15 minutes and thus have full access to all your data going across
>wireless.

First, sorry for the late reply.

Don't discount WEP so readily.

If you have a 128bit encryption card with encryption enabled, then
the potential AirSnorter has to use a 128bit encryption card to sniff
the connection.

WEP as an obfuscation mechanism works at least as well as ROT14* -
someone who's geared up to AirSnort on a clear or 64bit connection is
like the script kiddy with the ROT13 decoder. It makes it just that
little bit harder for:
- Casual or "accidental" snooping
- Script Kiddies using "standard" cards (as opposed to "Gold")

Using WEP, especially with 128bit encryption, means that someone has
to be monitoring your network with the intent of breaking in. Should
you ever catch them physically (eg: you see the kid sitting out the
front of the office with the laptop on the bike), it's much easier to
prove intent. They were *trying* to break into your network. They
weren't just WarDriving/Sailing/Riding.

I do agree with Steven on the VPN bit - the network connected to the
wireless access point should be treated as *less* trusted than The
Internet. Kids *are* going to be lugging their wireless laptops
around on bikes, they *are* going to find your network. 802.11
networks are the proverbial pots full of bragging rights at the end
of the rainbow ("Mate - these people had access direct to the
Internet over their wireless network, and guests had write access to
their NT server, so I downloaded 1Gb of pr0n for them").

Have a host on that network that supports IPsec, PPPoE, PPTP or even
PPP over SSH, and only allow "real" network access through this host.
Do what you can to limit connections to the access point based on MAC
address of the 802.11 cards (once again, this is obfuscation**). Do
not allow routing between wired and wireless networks. Do not have
any ports listening on the wireless network (except the VPN service).
These are what I would consider part of setting up a wireless access
point, even for "community" access.

But at least enable WEP and MAC restrictions, since you then arm
yourself with proof of intent, should you ever catch someone snooping
around your wireless network. WEP and MAC restrictions are much like
putting a 30cm high picket fence between your front lawn and the
footpath. It provides a barrier which people have to consciously
cross. If you see someone snooping around in your wireless network
after you've enabled WEP and MAC restrictions, they didn't get there
by accident. You can exercise your righteous indignance.

Alex

*Yes, I mean ROT14. Absolutely transparent to someone who knows what
they're doing, but totally opaque to the script kiddy with the ROT13
decoder. Of course the script kiddy with lots of money gets a ROT14
decoder and you're back to square 1. And with that, I'll cease my
analogy of 128bit WEP as ROT14.

**Security solely through obscurity is bad. That doesn't mean that
you shouldn't use obscurity where it's cheap and effortless to
implement. Obfuscation means that life is harder for script kiddies,
and adds more ammo to your proof of intent argument.

PS: Don't forget that wireless security works both ways. It's not
just the sitting-on-desks bit of the network you have to secure, it's
also the sitting-on-lap bit of the network you have to secure. It's
no use locking down the access point tighter than a fish's [thing] if
the laptop is left wide open. The "firewall" on the laptop (or even
wireless desktop) needs to be as tight (if not tighter) than the
access point "firewall".

PPS: This opens up an activity which is the inverse of WarDriving.
Rather than wandering around looking for networks that are open - how
many people are wandering around with laptops that are happily
chatting away on 802.11 to anyone who'll listen? I know some people
who don't even know about turning off their PC Card ethernet when
they leave the office, and I wouldn't expect them to understand about
switching off the 802.11 card when they leave the office either.

--
Alex Satrapa tSA Consulting Group Pty Limited
ICQ: 5691434 1 Hall Street, Lyneham, Canberra 2603
PGP Key 0x4C178C9C fx: +61 2 6257 7311 ph: +61 2 6257 7111
PGP Fingerprint E4FA ADE6 97A4 3610 E008 A466 A03E 3D01 4C17 8C9C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: "03628E-Unsafe at any key size.doc
Type: application/msword
Size: 51712 bytes
Desc: not available
Url : http://lists.samba.org/archive/wireless/attachments/20010917/a3171163/03628E-Unsafeatanykeysize.doc
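
Added example, not part of the original message or its attachment: the gateway policy the message describes (only the VPN service listening on the wireless side, no routing between wired and wireless) written as an iptables-restore ruleset, plus a check that flags any other service accepted on the wireless interface. The interface names, the choice of IPsec (IKE on UDP 500 plus ESP) as the VPN, the tunnel interface and the management SSH rule are all assumptions.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for the host that sits between the
# access point and the wired network. All arguments are assumed names.
wlan_gateway_rules() {
    wlan_if=$1   # interface facing the access point
    lan_if=$2    # interface facing the wired network
    vpn_if=$3    # interface where decrypted tunnel traffic appears
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the VPN service listens on the wireless side (IKE and ESP).
-A INPUT -i ${wlan_if} -p udp --dport 500 -j ACCEPT
-A INPUT -i ${wlan_if} -p esp -j ACCEPT
# Everything else arriving over wireless is logged, then dropped.
-A INPUT -i ${wlan_if} -j LOG --log-prefix "wlan-drop: "
-A INPUT -i ${wlan_if} -j DROP
# Management from the wired side only (assumption, not in the message).
-A INPUT -i ${lan_if} -p tcp --dport 22 -j ACCEPT
# No routing between wireless and wired, in either direction.
-A FORWARD -i ${wlan_if} -o ${lan_if} -j DROP
-A FORWARD -i ${lan_if} -o ${wlan_if} -j DROP
# Traffic that came through the tunnel may reach the wired network.
-A FORWARD -i ${vpn_if} -o ${lan_if} -j ACCEPT
-A FORWARD -i ${lan_if} -o ${vpn_if} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Audit a ruleset on stdin: print INPUT rules that accept traffic on the
# wireless interface ($1) other than the VPN service. No output = policy holds.
wlan_extra_listeners() {
    grep -E "^-A INPUT -i $1 .*-j ACCEPT" \
        | grep -vE -- '-p (udp --dport 500|esp) ' || true
}

# Print the ruleset for constructed interface names.
wlan_gateway_rules wlan0 eth0 ipsec0
```

The output can be reviewed and then loaded with `iptables-restore`; piping `iptables-save` output into `wlan_extra_listeners` checks a running host against the same policy.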