Creating wireless security without WEP - Network Magazine India - Focus Page 1 of 3

Cover Story

Creating wireless security without WEP

WEP is no longer sufficient to ensure data safety using the 802.11b WLAN standard. And with the details behind 802.11a, 802.11g, 802.11i and 802.11e still murky, here's a better and cost-effective solution to secure your wireless networks. by Seamus Phan

On Aug 14, 2001, a new attack designed by three well-known cryptographers and re-created by a team of AT&T Labs researchers enabled an eavesdropper to capture a small amount of network traffic and recover the user's secret key in less than one hour.

"This is the last straw for WEP (Wired Equivalent Privacy)," said Adam Stubblefield, a
summer intern at AT&T's famed lab who wrote the code used to compromise WEP. "WEP
is basically useless," he said.

If that is so, what of the thousands of 802.11b WLANs out there in the world today? Are
we adopting a second-rate technology, or is there a better way to build wireless walls?

We can take a cue from NASA, and look at how they approach WLAN security, and also
explore the use of Unix workstations to increase security and reduce costs. In addition,
these techniques also facilitate the migration to faster WLAN technologies, including
802.11g and 802.11a.

Further, as the 802.11i security standard for WLANs finally emerges (hopefully early next year), it will serve to improve 802.11's basic security measures, which are currently served by WEP. However, as with other security implementations, only time will tell if 802.11i will be as secure as IEEE claims.

Unix Base Stations

Here is a money-saving tip. You can leverage your Unix workstations as base stations to
reduce WLAN expenditure, without losing seamless connectivity. Workgroups that have
spare Unix boxes (FreeBSD, OpenBSD, NetBSD, Linux and other Unixes) or even stock
G3 or G4 workstations running Mac OS X, can set them up as base stations. If you prefer
Linux, you can even set up Yellow Dog Linux (www.yellowdoglinux.com) on your Mac as a
base station. Yellow Dog Linux also offers the BriQ, a pre-configured PowerPC
architecture server appliance, that can be used for this purpose.

A wireless base station is akin to an IP router, and by setting up your BSD box properly,
you can get it to work as a base station. Basic Service Set or BSS "infrastructure" mode
allows true base station functionality and several Unix coders have developed ways to
allow BSS mode for Lucent and Prism adapters. For NetBSD workstations to work in BSS
mode, use the ifconfig command (please note that specific adapters and environments
may demand different parameters):

# ifconfig wi0 media DS11 (do not use mediaopt adhoc)

# ifconfig wi0 nwid yourname (substitute "yourname" with the WLAN network name)

If it is not possible to run in BSS infrastructure mode, then run your adapter on your box in IBSS (independent BSS), which is peer-to-peer, functioning like a shared Ethernet cable. The command for NetBSD is:

# wiconfig wi0 -c 1

According to coders, you have to ensure that your adapter's firmware is as recent as possible because older firmware does not allow IBSS operations. Also note that laptops need to support WLAN adapters, while desktops must support wireless PCI cards.

The NASA Hack

On Aug 20, 2001, the US-based National Aeronautics and Space Administration (NASA)
described a method, using a wireless firewall gateway, to secure standard 802.11b
networks without WEP.

A white paper by Nichole K. Boscia from NASA proposed the use of a wireless firewall
gateway as a router between a wireless and external network, with the ability to
dynamically change firewall filters, as users authenticate themselves for authorized
access.

It also operates as a server responsible for handing out IP addresses to users, running a
website in which users can authenticate, and maintaining a recorded account of who is on
the network and when. To make things accessible to users of any client platform, only a
Web browser and DHCP client software are required.

There are three components to such a wireless firewall gateway design: a DHCP server,
an IP filtering mechanism, and a Web authentication system.

NASA used a beta DHCPv3 open source server from the International Software
Consortium (www.isc.org). This differs from older DHCP servers, in that it can
dynamically remove hosts from the firewall access list when the DHCP releases a lease
for any reason (including client-initiated requests, time outs, and expiration).

NASA configured the DHCP server running on Unix or Unix-like platforms to only listen on
the subnet interface of the WLAN, thus preventing users from the wired network from
obtaining a wireless IP address from the DHCP server. NASA also installed a packet filter
to stop requests from any other interface.

For IP filtering, NASA used OpenBSD's IPF software (www.openbsd.org), a stateful filtering mechanism. IP routing is enabled in the kernel state, allowing for the packet filtering to occur between the wireless and external network interfaces. Static filters are configured on boot up in the /etc/ipf.rules file and are designed to minimize remote access to the wireless firewall gateway.

Packet filtering is done at the transport layer (UDP or TCP) so that stateful inspection can be effected, again raising security by not explicitly permitting dynamic or private port sessions into the WLAN. NASA restricts traffic to essential protocols such as NTP, DNS, DHCP, and ICMP. In the NASA implementation, there are two kinds of users: authenticated and non-authenticated. Non-authenticated users can be granted access to specific services such as e-mail, VPN and Web.

In order to prevent succeeding users from being allowed trusted access when the IP
address is recycled, the in-memory database software removes the firewall filter permit
rule whenever the user's next lease binding state is set to free, expired, abandoned,
released, or reset.

The DHCP server will not issue the same IP address until it frees the lease of the last
client. This overcomes the security issue of someone hijacking an IP address that's been
authenticated and using it after the valid user is no longer using the wireless service.

For authentication, NASA used a script system running on a Web browser so that clients from any platform will not be excommunicated. The script system is a combination of PHP (www.php.net) and Perl (www.perl.org) scripts for easy maintenance and updates. Unlike some authentication schemes which restrict clients to using Microsoft Windows, this method allows users from Unix, Mac, Windows and Linux to enter easily and yet securely.

NASA simply used an Apache (www.apache.org) Web server running Secure Sockets
Layer (SSL) for client/server public-and-private key RSA encryption. When a user logs on
using http, he/she will automatically be redirected to the https Web page for
authentication.

When the user enters his/her username and password, the session will be encrypted and all transport will be encrypted text. NASA also ensured that its SSL certificate was signed by Verisign, a trusted certificate authority (CA). This prevents intruders from mimicking a user's information.

When a user logs on, his/her IP address will be displayed and logged by the PHP script,
with ample warnings against illegal access. When the username and password are
entered, the Perl script will communicate with a Radius server with RSA's MD5 digest
encryption to check if the information submitted is legitimate.

Then the IP number of the user is authenticated and added to the IPF access rules and
the user is passed through with on-screen notification of their user privileges. If the
details are not legitimate, the user is denied access.
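The three components described above (DHCP lease tracking, a default-deny packet filter with a short static allow list, and a Web login that adds a per-IP permit rule which is torn down again when the lease changes state) can be modelled in a few dozen lines. The following Python is an added example written for this article, not NASA's code or any part of its gateway: lease states, addresses, the RADIUS callback and the IPF-style rule strings it renders are all constructed for illustration, and the rule syntax is only meant to resemble IPF, not to be loaded into it. It shows the property the article stresses, that a recycled IP address never inherits the previous user's trust, because the permit rule is dropped on the lease transition and the address is not handed out again until the old lease is freed.

```python
"""Toy model of a wireless firewall gateway: DHCP leases, static filter,
Web authentication and dynamic per-IP permit rules (constructed example)."""
from dataclasses import dataclass, field

# Lease binding states on which the gateway drops the client's permit rule.
RELEASING_STATES = {"free", "expired", "abandoned", "released", "reset"}

# Services any wireless client may reach before authenticating:
# the essential protocols named in the article plus the captive portal.
# (proto, port) pairs are constructed for this example.
STATIC_ALLOW = {
    ("udp", 53),   # DNS
    ("udp", 123),  # NTP
    ("udp", 67),   # DHCP to the gateway
    ("tcp", 80),   # HTTP, redirected to the HTTPS login page
    ("tcp", 443),  # HTTPS login page
}


@dataclass
class Lease:
    ip: str
    mac: str
    state: str = "active"


@dataclass
class Gateway:
    pool: list                                   # addresses DHCP may hand out
    leases: dict = field(default_factory=dict)   # ip -> Lease
    permits: dict = field(default_factory=dict)  # ip -> username (dynamic pass rules)
    log: list = field(default_factory=list)

    def dhcp_offer(self, mac):
        """Hand out an address; an IP is not reused until its old lease is freed."""
        for ip in self.pool:
            lease = self.leases.get(ip)
            if lease is None or lease.state == "free":
                self.leases[ip] = Lease(ip, mac)
                return ip
        raise RuntimeError("address pool exhausted")

    def lease_state_change(self, ip, new_state):
        """Hook the DHCP server calls whenever a binding changes state.
        Any permit rule for that IP is removed before the address can be recycled."""
        self.leases[ip].state = new_state
        if new_state in RELEASING_STATES and ip in self.permits:
            user = self.permits.pop(ip)
            self.log.append(f"revoke {ip} ({user}) on lease {new_state}")

    def authenticate(self, ip, username, password, radius_check):
        """Web login handler: on a successful RADIUS check, permit the client's IP.
        radius_check is a constructed stand-in for the Perl/RADIUS exchange."""
        lease = self.leases.get(ip)
        if lease is None or lease.state != "active":
            return False                       # no live lease, nothing to trust
        if not radius_check(username, password):
            self.log.append(f"deny {ip} ({username})")
            return False
        self.permits[ip] = username
        self.log.append(f"permit {ip} ({username})")
        return True

    def ipf_rules(self):
        """Render the dynamic pass rules in an IPF-like syntax (illustrative only)."""
        return [f"pass in quick on wi0 from {ip} to any keep state"
                for ip in self.permits]

    def allowed(self, ip, proto, port=None):
        """Filter decision for a packet from a wireless client:
        authenticated IPs pass, everyone else gets only the static allow list."""
        if ip in self.permits:
            return True
        if proto == "icmp":
            return True
        return (proto, port) in STATIC_ALLOW


if __name__ == "__main__":
    gw = Gateway(pool=["10.0.0.10", "10.0.0.11"])   # constructed pool
    ip = gw.dhcp_offer("00:11:22:33:44:55")
    gw.authenticate(ip, "alice", "pw", lambda u, p: p == "pw")
    gw.lease_state_change(ip, "expired")
    print("\n".join(gw.log))
```

The decision in `allowed` is the article's two-user model: unauthenticated clients see only DNS, NTP, DHCP, ICMP and the login page, and a permit rule is the only thing that widens that. A real deployment would drive `lease_state_change` from the DHCP server's lease events and `authenticate` from the PHP/Perl login page; here both are called directly.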

Painful Wait

The waters of 802.11a, 802.11g, 802.11i and 802.11e are still murky, with no ratification
in the short term coming from the IEEE working groups.

Meanwhile, those of us who cannot wait can explore alternative implementations. And
you may want to clean the dust off those Unix boxes and get busy with turning them into
base stations and secure gateways for your 802.11b WLANs.

Seamus Phan is research director at KnowledgeLabs News Center (www.knowledgelabs.net), an independent technology news bureau, and writes for Network Computing-Asian Edition. He can be reached at


© Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD
