keeping people off the net

Jim Carter jimc at math.ucla.edu
Fri Jan 31 11:32:17 EST 2003


I may have left an incomplete impression in my last post about keeping
unauthorized people off a wireless net.

To get onto my net the interloper has to sniff packets to determine my MAC
address, crack my WEP key with AirSnort, wait for me to get off (leaving
the server up), and configure his card to use my MAC address.  These steps
would be hard for a casual user to accomplish, and in the soft underbelly
of the corporate world they are considered to be sufficient security.

But any competent industrial spy, with a specific interest in little old
me, should be able to go through them in a few minutes (except waiting for
me to go away), which is why I say that there is no effective barrier to
getting on my net.  To me, "effective" means mandatory encrypted tunneling,
e.g. via FreeS/WAN hypothetically running on the access point.  You could
do it, with a wireless card in the server and the host-ap drivers.
(Ignoring the signal strength problems.)  I have stuff I need to protect,
but I'm too insignificant to deserve a targeted attack, and I don't think
it's good use of my time to install "effective" access control.

I make good backups, in case of wireless vandalism that gets through a
security hole in the individual machine(s), and also earthquakes.

At work we've done the FreeS/WAN thing with X.509 authentication (over
wired Ethernet).  We have licensing issues, and this is our "effective"
access control, so only our own people can use the FreeS/WAN terminus,
thereby appearing to originate from within the network to which the license
is granted, even though they are off campus.  This scheme could potentially
be used for access control in a community wireless net.  Is it overkill?
Or is it prudent to get encryption that actually works?

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA  90095-1555
Email: jimc at math.ucla.edu    http://www.math.ucla.edu/~jimc (q.v. for PGP key)



