Router/Firewall Recommendation

Otto Haliburton ottohaliburton at comcast.net
Wed Jun 30 22:12:38 UTC 2004



> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Ward William E DLDN
> Sent: Wednesday, June 30, 2004 3:17 PM
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Router/Firewall Recommendation
> 
> > -----Original Message-----
> > From: Otto Haliburton [mailto:ottohaliburton at comcast.net]
> > Sent: Friday, June 25, 2004 11:04 AM
> > To: 'General Red Hat Linux discussion list'
> > Subject: RE: Router/Firewall Recommendation
> 
> > .. but he didn't read the post carefully and opened his mouth and
> > inserted foot.
> > Wireless networks can be penetrated, but it is not trivial.  You need to
> > know where it is and come into range of the transmission limitations to
> > start out with, you have to be able to select that wireless network out
> > of all of the ones that are up and running.
> 
> Since all I wanted to comment on was this statement, I've cut out all the
> insults and venom.
> 
> You very much need to qualify this statement to make it anywhere NEAR
> close to being true.
> 
> I've had Wireless (on and off) for about a year and a half; about 9 months
> ago, the Wireless Nic went bad, and the RMA came back worse.  I ended up
> going for a new .G router (DLink) to use (note, I only use it as a wireless
> SWITCH; it's inside my network, but I've got it nailed down; I use IPCop
> for my Firewall, and both the new WAP and the old one were only used
> for Wireless and as extra ports hanging off one of my three switches...
> I have a LOT of computers at home).  When I set up the new NIC, it promptly
> connected not with my new WAP, but to a Linksys one of my neighbors has (and
> no, I don't know which neighbor).  Boom, I'm on the Internet before I even
> had a chance to set up the connection to my OWN (more secure) WAP.  Oh,
> yeah, Wireless >OUT OF THE BOX< is Secure </roll eyes>.  The trouble is,
> even after being "configured", most WAPs are STILL unsecure; the average
> user is clueless about how to secure these things.  You want the REALLY
> sad news?  The Linksys was doing that on my OLD WNIC, too.... over a year
> ago.  If my old 11b WAP (which has now gone to my B-I-Law) had failed,
> instead of the original 11b WNIC, I'd never have lost Wireless Internet
> access on the laptop.
> 
> Bill Ward
> 
>
Wireless LAN Security FAQ 

By Christopher W. Klaus of Internet Security Systems (ISS). Please send
corrections, additions, and new questions to cwkpublic at iss.net. 

Version 1.7 - Last Updated October 6th 2002


--------------------------------------------------------------------------------
All you ever wanted to know, and more, about WLAN security.


Contents 
[0] Where do I get the latest version of this Wireless LAN Security FAQ? 

[0.1] Are there translated versions of this Wireless LAN Security FAQ? 
[1] What is the overview of Wireless LAN 802.11 technology? 

[1.1] When will 802.11a arrive and how will the security be different than
802.11b? 
[1.2] What is an Access Point? 
[1.3] How much does the equipment for wireless 802.11b cost? 
[1.4] Are companies the only wireless targets by attackers? 
[1.5] Where can you find wireless 802.11 networks? 
[1.6] How does the antenna affect wireless LAN security?
[1.6.1] How do I build a cheap and effective antenna? 
[1.7] Can you spot a laptop with wireless 802.11 capability by looking for
the antenna? 
[2] What are the major security risks to 802.11b?

[2.0.1] War-driving, War-walking, War-flying, War-Chalking 
[2.1] What are Insertion Attacks? 

[2.1.1] Plug-in Unauthorized Clients 
[2.1.2] Plug-in Unauthorized Renegade Base Stations 
[2.2] What are Interception and monitoring wireless traffic attacks? 

[2.2.1] Wireless Sniffer 
[2.2.2] Hijacking the session 
[2.2.3] Broadcast Monitoring 
[2.2.4] ArpSpoof Monitoring and Hijacking 
[2.2.4.1] Hijacking SSL (Secure Socket Layer) and SSH (Secure Shell)
connections 
[2.2.5] BaseStation Clone (Evil Twin) intercept traffic 
[2.3] What are AP and Client Misconfigurations? 

[2.3.1] Server Set ID (SSID) 
[2.3.1.1] What are the default SSID's? 
[2.3.2] What is Secure Access Mode? 
[2.3.3] Bruteforce Base Station SSID 

[2.3.4] Can the SSID be encrypted? 
[2.3.5] By turning off the broadcast of SSID, can someone still sniff the
SSID? 
[2.3.6] Wired Equivalent Privacy (WEP) 
[2.3.6.1] Attacks against WEP 
[2.3.6.2] Default WEP Keys 
[2.3.6.3] How Large are WEP Keys 
[2.3.7] SNMP community words
[2.3.7.1] SNMP Vulnerabilities 
[2.3.8] Configuration Interfaces 
[2.3.9] Client side security risk 
[2.3.10] Installation Risk 
[2.4] What is Jamming? 

[2.4.1] 2.4 GHz Interfering Technology 
[2.5] What are Client to Client Attacks? 

[2.5.1] Filesharing and other TCP/IP service attacks 
[2.5.2] DOS (Denial of Service) 
[2.5.3] Hybrid Threats 
[2.6] War Driving Access Point Maps 
[2.7] Parasitic Grids
[2.7.1] Hotspots 
[3] What are solutions to minimizing WLAN security risk? 

[3.1] Wireless Security Policy and Architecture Design
[3.1.1] Basic Field Coverage 
[3.2] Treat BaseStations as Untrusted 
[3.3] Base Station Configuration Policy
[3.3.1] 802.1X Security 
[3.3.2] MAC address filtering 
[3.4] Base Station Discovery
[3.4.1] Honeypots - FakeAP 
[3.5] Base Station Security Assessments 
[3.6] Wireless Client Protection 
[4] Who is making 802.11 Security Solutions? 

[4.1] 802.11 Gateway Infrastructure 
[4.2] 802.11 Security Analysis Tools 
[5] About Internet Security System's Wireless 802.11b Solution 
[6] Acknowledgements 

--------------------------------------------------------------------------------

Recent Updates 
Version 1.7

Added War-driving, war-walking, war-flying, war-chalking activities. 
Added MAC address filtering. 
Added Italian Translation 
Added HotSpots 
Version 1.6

Added new war driving maps. 
Updated 802.11a as being now available. 
Added how large is WEP key information. 
Added acknowledgements section 
Added Honeypots - FakeAP 
Add basic field coverage strategy 
Version 1.5

Added all of Netgear's default WEP keys. 
Added Pringles Can and Waveguide Antenna Info. 
Added hybrid threats, next-gen virus/worm spread by wireless. 
Added Parasitic Grids. Free anonymous access for intruders. 
Added SNMP vulnerabilities.  
Added 802.1X Security, and its flaws. 
Added MiniStumbler, Wireless Scanner, BlackICE PC Protection. 
Added info on Broadcast pings. 
Version 1.3 

Added Section 1.7 regarding internal antenna. 
Added link to Cigital regarding ArpSpoofing. Cigital put together a nice
diagram of the attack. 
Added Default WEP key for NetGear AP. 
Added link to BSD version of AirSnort. 
Version 1.2 

Added where this WLAN Security FAQ can be found. 

Cleaned up the formatting 
Added better indexing, added hyperlinks between index and content 
Added link to article on wireless LAN antennas 

Version 1.1

Added NetStumbler, WEPCrack tools, Added WEP insecurity paper 

Added Ecutel, BlueSocket, and NetMotion as WLAN Sec. Products 

Updated Accuracy of WEP description and made it clear that SSID not being
encrypted. 

Added Broadcast of SSID turned off can still be circumvented. 

Added Addtron's default SSID, a popular AP 

Added War Driving AP maps. 

Added 802.11 ArpSpoof, a technique used by ISS X-Force Consulting. 

Added hijacking SSH and SSL connections via wireless. 

Added 2 X-Force Advisories on Wireless 802.11 flaws 

Version 1.0 

First draft 


--------------------------------------------------------------------------------

[0] Where do I get the latest version of this Wireless LAN Security FAQ? 
The most current version is on the Web at http://www.iss.net/wireless 

It will be regularly posted to issforum at iss.net
(http://www.iss.net/maillists). 

It will be posted to the following Usenet newsgroups: 

comp.security.misc,comp.security.firewalls,comp.security.unix, 

comp.std.wireless,comp.dcom.sys.cisco,comp.dcom.sys.nortel, 

comp.dcom.telecom 

[0.1] Are there translated versions of this Wireless LAN Security FAQ?

An Italian translated version is available at
http://www.airgate.it/faq/wlsfaq.htm 
Please e-mail cwkpublic at iss.net if you translate this FAQ to another
language and make it available on the Internet. 

[1] What is the overview of Wireless LAN 802.11 technology?
The wireless LAN technology standard 802.11b has the strongest momentum toward
becoming the main standard for corporate internal wireless LAN networks. The
bandwidth of 802.11b is 11 Mbit/s and it operates at the 2.4 GHz frequency. The
successor of the current 802.11b standard is 802.11a, which is designed to be
faster and to operate at a different frequency. While the 802.11a standard and
the technology behind it have become available, 802.11b is still widely used
today, and many companies and individuals are deploying it or deploying dual
802.11b and 802.11a devices. 

As more wireless technology is developed and implemented, the complexity of
the types of attacks will increase, but the following appear to be the main
methods used to break into and attack wireless systems. These attacks may be
very similar against other wireless technologies and are not unique to
802.11b. Understanding these risks and how to develop a security solution for
802.11b is a good stepping-stone toward providing a secure solution for any
wireless technology. 

[1.1] When will 802.11a arrive and how will the security be different than
802.11b?
Most manufacturers of wireless technologies have now come out with 802.11a
technology. The specifications for the protocols of 802.11a are very similar
to 802.11b, so many of the security risks are shared by both 802.11a and
802.11b. Many of the security issues around 802.11b will continue to be an
issue with 802.11a, so understanding the current issues will help
organizations deal with future issues as well. 

[1.2] What is an Access Point?
The AP (access point also known as a base station) is the wireless server
that connects clients to the internal network. Base stations typically act
as a bridge for the clients. There is an IP address for management
configuration of the base station. The base stations typically have an SNMP
agent for remote management. 

[1.3] How much does the equipment for wireless 802.11b cost? 
Base stations have become relatively inexpensive, approximately under
$300US. The 802.11 client cards for PDAs, laptops, and desktops are
approximately under $100US. Because the equipment needed to get into wireless
is inexpensive, attackers can easily obtain the tools necessary to carry out an
attack. Because of the inexpensive price, employees within many companies can
purchase wireless equipment without approval and deploy it in a rogue fashion,
creating additional risk. 

[1.4] Are companies the only wireless targets by attackers? 
While this FAQ focuses on the risk issues from a corporate network
perspective, these same issues apply to home networks and telecommuters that
are using wireless. As the corporate networks are allowing in remote users,
these remote users may be using wireless at their end-point to connect in.
In this case, even if wireless capabilities have not been installed on the
corporate network, they may still be affected by the risk that their remote
employees are using wireless at home or on the road. 

[1.5] Where can you find wireless 802.11 networks?
Airports, hotels, and even coffee shops like Starbucks are deploying 802.11
networks so people can wirelessly browse the Internet with their laptops. As
these types of networks increase, this will create additional security risk
for the remote user if not properly protected. 

[1.6] How does the antenna affect wireless LAN security?
Because the intruder must be within range of the signal, a properly selected
and positioned antenna within a building can minimize how far the signal can
reach and therefore reduce leakage and interception. For selecting different
antenna designs for appropriate signal reception, here is an article on
wireless antennas:

Antennas Enhance WLAN Security in Byte Magazine, October 2001. 

http://www.byte.com/documents/s=1422/byt20010926s0002/1001_marshall.html 

[1.6.1] How do I build a cheap and effective antenna? 

Many people are building cheap antennas from various cheap cans bought at the
grocery store, including the Pringles can and beef stew cans.  The waveguide
cans appear to be significantly stronger. Here is a good guide to building
Pringles and waveguide antennas:

802.11b Homebrew Antenna Shootout 
http://www.turnpoint.net/wireless/has.html 
 

[1.7] Can you spot a laptop with wireless 802.11 capability by looking for
the antenna?
Many major computer manufacturers now support built-in wireless 802.11
capability, and many new laptops include an internal wireless antenna. The
physical antenna will not be easy to spot on all laptops.

[2] What are the major security risks to 802.11b? 
Here is the list of main known security risks with 802.11b:

Insertion Attacks 

Interception and monitoring wireless traffic 

Misconfiguration 

Jamming 

Client to Client Attacks 

[2.0.1] War-driving, war-walking, war-flying, war-chalking
Taken from the movie "WarGames", dialing many phone numbers looking for
computers to access was called "War-Dialing". A similar practice has been
applied to wireless. War-walking, war-driving, and war-flying refer to the
modes of transportation used for going around and identifying various Access
Points. Most reports of war-walking, war-driving, and war-flying have resulted
in identifying large numbers of wide-open, unsecured Access Points in most
cities.

War-chalking is the act of marking an area or vicinity with a symbol to
indicate that an AP is within range. WiFi War-chalking symbols are at
http://www.warchalking.org 

[2.1] What are Insertion Attacks? 
The insertion attacks are based on placing unauthorized devices on the
wireless network without going through a security process and review. 

[2.1.1] Plug-in Unauthorized Clients 
An attacker tries to connect their wireless client, typically a laptop or
PDA, to a base station without authorization. Base stations can be configured
to require a password before clients can connect. If there is no password, an
intruder can reach the internal network simply by connecting a client to the
base station. 

[2.1.2] Plug-in Unauthorized Renegade Base Station 
Many companies may not be aware that internal employees have deployed
wireless capabilities on their network. An internal employee wanting to add
their own wireless capability to the network plugs their own base station
into the wired intranet. This is a risk if the base station has not been
properly secured. It can lead to the previously described attack, with
unauthorized clients gaining access through the unauthorized base station and
allowing intruders into the internal network. Companies typically need a
policy that forbids employees from adding wireless base stations to the
corporate network without requesting permission and going through a security
process. A sophisticated intruder may physically place a base station on the
victim's network to give themselves remote access via wireless. 

[2.2] What are Interception and monitoring wireless traffic attacks? 
These interception and monitoring attacks are popular on broadcast wired
networks like Ethernet. The same principles apply to wireless. 

[2.2.1] Wireless Sniffer 
An attacker can sniff and capture legitimate traffic. Many of the sniffer
tools for Ethernet are based on capturing the first part of the connection
session, where the data would typically include the username and password.
An intruder can masquerade as that user by using this captured information.
An intruder who monitors the wireless network can apply this same attack
principle on the wireless. 


One of the big differences between wireless sniffer attacks and wired
sniffer attacks is that a wired sniffer attack is achieved by remotely
placing a sniffer program on a compromised server and monitoring the local
network segment; such a sniffer-based attack can be launched from anywhere in
the world. Wireless sniffing typically requires the attacker to be within
range of the wireless traffic. This range is usually around 300 feet, but
wireless equipment keeps strengthening the signal and pushing it further out.


[2.2.2] Hijacking the session 
If an attacker can sniff the wireless traffic, it is possible to inject
false traffic into a connection. An attacker may be able to issue commands
on behalf of a legitimate user by injecting traffic and hijacking their
victim's session. 

[2.2.3] Broadcast Monitoring 
If a base station is connected to a hub rather than a switch, any network
traffic across that hub can be potentially broadcasted out over the wireless
network. Because the Ethernet hub broadcasts all data packets to all
connected devices including the wireless base station, an attacker can
monitor sensitive data going over wireless not even intended for any
wireless clients. 

[2.2.4] ArpSpoof Monitoring and Hijacking 
Normally, an AP treats the network data traffic on the backbone of a subnet
much like a network switch does, so traffic not intended for any wireless
client is not sent over the airwaves. This can significantly reduce the amount
of sensitive data on the wireless network. 

An attacker using the arpspoof technique can trick the network into passing
sensitive data from the backbone of the subnet and route it through the
attacker's wireless client. This provides the attacker both access to
sensitive data that normally would not be sent over wireless and an
opportunity to hijack TCP sessions. Dsniff is a popular tool that enables
arpspoofing and is available at: http://www.monkey.org/~dugsong/dsniff/ 

and Cigital has a diagram depicting the attack available at:
http://www.cigital.com/news/wireless/arppoison.gif
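The arpspoof technique above works by answering ARP for an address the attacker does not own, so the defensive counterpart is to watch the IP-to-MAC bindings that ARP traffic asserts and alert when one changes, much as arpwatch does. The following is an added example, not code from the FAQ, ISS, or dsniff: it parses raw Ethernet/ARP frames, keeps a table of bindings, pins the gateway binding so it can never be silently replaced, and runs over a constructed sequence in which a hypothetical rogue station claims both the gateway's and a laptop's address. All addresses are made up for the demo.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Tuple[int, str, str, str, str]:
    """Return (opcode, sender MAC, sender IP, target MAC, target IP) from an Ethernet/ARP frame."""
    if len(frame) < 42:                       # 14-byte Ethernet header + 28-byte ARP body
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    hwtype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (hwtype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol format")
    return op, _mac_str(frame[22:28]), _ip_str(frame[28:32]), _mac_str(frame[32:38]), _ip_str(frame[38:42])


class ArpMonitor:
    """Track IP -> MAC bindings seen in ARP traffic and alert when a binding changes.

    Bindings given at construction (for example the default gateway) are pinned:
    a conflicting claim is reported, but the pinned entry is never overwritten.
    """

    def __init__(self, pinned: Optional[Dict[str, str]] = None) -> None:
        self.pinned: Dict[str, str] = dict(pinned or {})
        self.learned: Dict[str, str] = {}

    def observe(self, frame: bytes) -> List[str]:
        op, sha, spa, _tha, _tpa = parse_arp(frame)
        if op not in (1, 2):                  # only requests and replies assert a sender binding
            return []
        alerts: List[str] = []
        if spa in self.pinned:
            if self.pinned[spa] != sha:
                alerts.append(f"{spa} claimed by {sha}, pinned binding is {self.pinned[spa]}")
        elif spa in self.learned:
            if self.learned[spa] != sha:
                alerts.append(f"{spa} moved from {self.learned[spa]} to {sha}")
                self.learned[spa] = sha
        else:
            self.learned[spa] = sha
        return alerts


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct an Ethernet/ARP frame for the demo (constructed, not captured traffic)."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    dst = "ff:ff:ff:ff:ff:ff" if op == 1 else tha
    eth = mac(dst) + mac(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth + arp


# Constructed addresses for the demo network.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:50:56:01:01:01"
LAPTOP_IP, LAPTOP_MAC = "192.168.1.20", "00:0a:0b:0c:0d:0e"
ROGUE_MAC = "00:de:ad:be:ef:01"

SAMPLE_FRAMES = [
    build_arp(1, LAPTOP_MAC, LAPTOP_IP, "00:00:00:00:00:00", GATEWAY_IP),  # laptop asks who has the gateway
    build_arp(2, GATEWAY_MAC, GATEWAY_IP, LAPTOP_MAC, LAPTOP_IP),         # genuine reply from the gateway
    build_arp(2, ROGUE_MAC, GATEWAY_IP, LAPTOP_MAC, LAPTOP_IP),           # rogue station claims the gateway IP
    build_arp(2, ROGUE_MAC, LAPTOP_IP, GATEWAY_MAC, GATEWAY_IP),          # rogue station claims the laptop IP
]


def run_demo() -> List[str]:
    """Feed the constructed frames through a monitor with the gateway pinned; return the alerts."""
    monitor = ArpMonitor(pinned={GATEWAY_IP: GATEWAY_MAC})
    alerts: List[str] = []
    for frame in SAMPLE_FRAMES:
        alerts.extend(monitor.observe(frame))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```

The same binding-change alert also catches the accidental duplicate IP or MAC address that the FAQ mentions later under client-to-client denial of service; in a real deployment the frames would come from a capture interface rather than the constructed list, and the pinned table would be populated from the network inventory.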

[2.2.4.1] Hijacking SSL (Secure Socket Layer) and SSH (Secure Shell)
connections 

By using the arpspoofing technique, an attacker can hijack simple TCP
connections. There are also tools that allow hijacking of SSL and SSH
connections. Typically, when SSL and SSH connections are hijacked, the only
alert to the end user is a warning that the credentials of the host or the
certificate have changed, asking whether to trust the new ones. Many users
simply accept the new credentials, allowing the attacker to succeed. A
reasonable interim measure to prevent the attack is to have users enable
SSH's StrictHostKeyChecking option, and to distribute server key signatures
to mobile clients. 

The Dsniff FAQ explains how to hijack in detail SSH and HTTPS connections:
http://www.monkey.org/~dugsong/dsniff/faq.html 

[2.2.5] BaseStation Clone (Evil Twin) intercept traffic 
An attacker can trick legitimate wireless clients into connecting to the
attacker's honeypot network by placing, in close proximity to the wireless
clients, an unauthorized base station with a stronger signal that mimics a
legitimate base station. This may cause unaware users to attempt to log into
the attacker's honeypot servers. With false login prompts, users can
unknowingly give away sensitive data like passwords. 

[2.3] What are AP and Client Misconfigurations? 
By default, all the base stations analyzed out of the box from the factory
were configured in the least secure mode possible. Adding the proper
security configuration was left as an exercise for the administrator. Unless
the administrator of the base station understands the security risks, most
base stations will remain at a high risk level. The analysis of three base
station models from the leading 802.11 vendors led to many configuration
issues that should be audited and assessed by the organization. The top three
base station vendors analyzed were Cisco, Lucent, and 3Com. The security
risks identified may change in newer versions of the 802.11 solutions, as they
are evolving rapidly. Each vendor had different implementation security risks,
but the underlying issues are the same and apply to other vendors not listed
here. 

[2.3.1] Server Set ID (SSID) 
SSID is a configurable identification that allows clients to communicate to
the appropriate base station. With proper configuration, only clients that
are configured with the same SSID can communicate with base stations having
the same SSID. SSID from a security point of view acts as a simple single
shared password between base stations and clients. 

[2.3.1.1] What are the default SSIDs? 
Each of the base station models came with a default SSID. Attackers can use
these default SSIDs to attempt to penetrate base stations that are still in
their default configuration. Here are some default SSIDs: 

"tsunami" - Cisco 
"101" - 3Com 
"RoamAbout Default Network Name" - Lucent/Cabletron 
"Default SSID" 
"Compaq" - Compaq 
"WLAN" - Addtron, a popular AP 
"intel" - Intel 
"linksys" - Linksys 
"Wireless" 
[2.3.2] What is Secure Access mode? 
Lucent has Secure Access mode. This configuration option requires the SSID
of both client and base station to match. By default this security option is
turned off. In non-secure access mode, clients can connect to the base
station using the configured SSID, a blank SSID, and the SSID configured as
"any". 

[2.3.3] Bruteforce Base Station SSID 
Most base stations today are configured with a server set id (SSID) that
acts as a single key or password that is shared with all connecting wireless
clients. 

An attacker can try to guess the base station SSID using a brute-force
dictionary attack, trying every likely password. Most companies and people
configure passwords to be simple to remember and therefore easy to guess. Once
the intruder guesses the SSID, they can gain access through the base station. 

If the SSID is obtained because a wireless client is compromised, or because
an employee who knows the key resigns, there is a risk that anyone with the
SSID can still connect to the base station until the SSID is changed. If there
are many wireless users and clients, this security solution becomes hard to
scale when the SSID needs to be changed frequently, because all clients and
base stations must be reconfigured with the updated shared SSID each time. 

[2.3.4] Can the SSID be encrypted? 
WEP, the encryption standard for 802.11, only encrypts the data packets, not
the 802.11 management packets, and the SSID is carried in the beacon and probe
management messages. The SSID is therefore not encrypted even when WEP is
turned on; it goes over the air in clear text. This makes obtaining the SSID
easy by sniffing 802.11 wireless traffic. 

[2.3.5] By turning off the broadcast of SSID, can someone still sniff the
SSID? 
Many APs by default have broadcasting the SSID turned on. Sniffers typically
will find the SSID in the broadcast beacon packets. Turning off the
broadcast of SSID in the beacon message (a common practice) does not prevent
getting the SSID; since the SSID is sent in the clear in the probe message
when a client associates to an AP, a sniffer just has to wait for a valid
user to associate to the network to see the SSID. 
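Sections 2.2.5, 2.3.1.1, 2.3.4 and 2.3.5 all come down to what an 802.11 beacon or probe response carries in the clear, so the defensive tool is a parser for those management frames that feeds an inventory check. The following is an added example and not code from the FAQ or from ISS: it extracts the BSSID and the SSID information element (element ID 0) from a beacon or probe response, then correlates frames per BSSID to flag an SSID that is hidden in beacons yet disclosed in a probe response, an AP still advertising one of the factory-default SSIDs listed in 2.3.1.1, and a radio advertising an authorized SSID from a BSSID that is not in the inventory (the base station clone of 2.2.5). The authorized-AP table, the BSSIDs and the frames are constructed for the demo.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Factory-default SSIDs as listed in section 2.3.1.1 of the FAQ.
DEFAULT_SSIDS = {"tsunami", "101", "RoamAbout Default Network Name", "Default SSID",
                 "Compaq", "WLAN", "intel", "linksys", "Wireless"}

# Hypothetical inventory of authorized access points: SSID -> BSSIDs allowed to advertise it.
AUTHORIZED: Dict[str, Set[str]] = {"corp-wlan": {"00:11:22:33:44:55"}}


@dataclass
class MgmtFrame:
    subtype: str          # "beacon" or "probe_resp"
    bssid: str
    ssid: Optional[str]   # None when the SSID element is hidden (zero length)


def parse_mgmt_frame(frame: bytes) -> MgmtFrame:
    """Parse a beacon (subtype 8) or probe response (subtype 5).

    Layout: frame control (2, little-endian), duration (2), addr1 (6), addr2 (6),
    addr3 = BSSID (6), sequence control (2); fixed fields timestamp (8), beacon
    interval (2), capability (2); then information elements as id / length / value.
    """
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon/probe response")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (5, 8):
        raise ValueError("not a beacon or probe response")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    ssid: Optional[str] = None
    offset = 36
    while offset + 2 <= len(frame):
        eid, elen = frame[offset], frame[offset + 1]
        value = frame[offset + 2: offset + 2 + elen]
        if len(value) != elen:
            raise ValueError("truncated information element")
        if eid == 0:                                   # element ID 0 is the SSID
            ssid = value.decode("utf-8", "replace") if elen else None
        offset += 2 + elen
    return MgmtFrame("beacon" if subtype == 8 else "probe_resp", bssid, ssid)


def build_mgmt_frame(subtype: int, bssid: str, ssid: bytes, channel: int = 6) -> bytes:
    """Construct a minimal beacon/probe response for the demo (constructed, not captured)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = struct.pack("<HH", subtype << 4, 0) + b"\xff" * 6 + mac + mac + struct.pack("<H", 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0001)                 # timestamp, interval, capability (ESS)
    ies = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])  # SSID element, DS parameter set
    return header + fixed + ies


def audit(frames: List[bytes]) -> List[str]:
    """Correlate beacons and probe responses per BSSID and report risky observations."""
    learned: Dict[str, str] = {}   # BSSID -> SSID from any frame that carried one
    hidden: Set[str] = set()       # BSSIDs whose beacons omit the SSID
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f.ssid is None:
            hidden.add(f.bssid)
        else:
            learned[f.bssid] = f.ssid
    findings: List[str] = []
    for bssid, ssid in sorted(learned.items()):
        if bssid in hidden:
            findings.append(f"{bssid}: SSID {ssid!r} hidden in beacons but disclosed in a probe response")
        if ssid in DEFAULT_SSIDS:
            findings.append(f"{bssid}: factory-default SSID {ssid!r}")
        if ssid in AUTHORIZED and bssid not in AUTHORIZED[ssid]:
            findings.append(f"{bssid}: unknown BSSID advertising authorized SSID {ssid!r} (possible clone)")
    return findings


# Constructed sample traffic.
SAMPLE_FRAMES = [
    build_mgmt_frame(8, "00:11:22:33:44:55", b""),           # authorized AP with SSID broadcast off
    build_mgmt_frame(5, "00:11:22:33:44:55", b"corp-wlan"),  # ... but its probe response carries it
    build_mgmt_frame(8, "aa:bb:cc:dd:ee:ff", b"corp-wlan"),  # same SSID from an unknown radio
    build_mgmt_frame(8, "00:0c:41:00:00:01", b"tsunami"),    # AP still at a factory default
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES):
        print(line)
```

In practice the frames would come from a capture on a monitor-mode interface and the AUTHORIZED table from the organization's AP inventory; the hidden-SSID finding shows directly why turning off the SSID broadcast, as 2.3.5 says, is not a substitute for real authentication.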

[2.3.6] Wired Equivalent Privacy (WEP) 
WEP can typically be configured in 3 possible modes: 

No encryption mode 

40 bit encryption 

128 bit encryption 

By default, out of the box, all base station models analyzed had WEP turned
off. 64 bit encryption versus 128 bit encryption provides no added protection
against the known flaw in WEP. 

Most public wireless LAN access points (i.e., airports, hotels, etc.) do not
enable WEP. Based on statistical analysis in regions like New York, San
Francisco, London, and Atlanta, most companies do not turn on WEP security on
their APs. If the AP does not enable WEP, the wireless clients can not use WEP
encryption.

In some base stations, it is optional whether encryption is enforced. WEP
encryption may be turned on, but if it is not enforced, a client without
encryption that has the proper SSID can still access that base station. 

[2.3.6.1] Attacks against WEP 
The 802.11b standard uses an encryption scheme called WEP (Wired Equivalent
Privacy). It has some known weaknesses in how the encryption is implemented. 

Papers on WEP Insecurities 

Researchers at Berkeley have documented these findings at: 

http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html 

Using the Fluhrer, Mantin, and Shamir Attack to Break WEP 

http://www.cs.rice.edu/~astubble/wep/wep_attack.html 

Using WEP is better than not using it; it at least stops casual sniffers.
Today, however, there are readily available tools for most attackers to crack
WEP keys. AirSnort and other tools need a lot of packets (several million) to
recover the WEP key; on most networks this takes longer than most people are
willing to wait, but if the network is very busy the WEP key can be cracked
and obtained within 15 minutes. 

The fix for encryption weakness for the standard is not slated to be
addressed before 2002. 

Because of the WEP weakness, wireless sniffing and hijacking techniques can
work even with WEP encryption turned on. 

There is the IEEE 802.1X standard which allows network access to be
authenticated and keys to be distributed. This allows access to APs to be
authenticated and WEP keys to be distributed and updated. More APs are
starting to support this standard. 

[2.3.6.2] Default WEP Keys
The NetGear Access Point uses the following 4 WEP sequences as default keys.

10 11 12 13 14 
21 22 23 24 25 
31 32 33 34 35 
41 42 43 44 45 

It is recommended not to use the default WEP keys.

Please e-mail cwkpublic at iss.net if you know of other default WEP keys for
Access Points.

[2.3.6.3] How Large are WEP Keys
The original 802.11 specification defined a 40-bit key. This key is combined
with a 24 bit quantity known as the "initialization vector" (which is
created automatically by the wireless network hardware) and these 64 bits
are used within the RC4 encryption in order to produce the encrypted data.
Some vendors describe this as 64-bit encryption (since technically RC4 is
using 64 bits), but others describe it as 40-bits (since the initialization
vector is public unencrypted data so it does not contribute to the security
of the system). Therefore 40-bit and 64-bit WEP keys are the same thing,
just being described from different points of view. Most 802.11 hardware now
supports a larger 104-bit key; this also has a 24-bit initialization vector
and so it is also sometimes marketed as a 128-bit system.
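The 40-versus-64 and 104-versus-128 naming in the paragraph above is easiest to see by building the per-packet RC4 key the way WEP does. The following is an added example and not the FAQ's own code or any vendor's implementation: a plain RC4 keystream generator, a simplified WEP data encapsulation (3-byte IV, key-index byte, then RC4(IV || secret) over the data and its CRC-32 integrity check value), the matching decapsulation that rejects frames whose ICV does not verify, and a function reporting the secret bits, the RC4 key bits and the size of the key space an adversary would actually have to search. It also checks the property the Berkeley paper cited in 2.3.6.1 builds on: because the IV is public and only 24 bits, two frames under the same IV share a keystream, so the XOR of their ciphertexts equals the XOR of their plaintexts. The 40-bit key is the first NetGear default from 2.3.6.2 read as hex bytes (an assumption about how that listing is meant); the 104-bit key and the IV are arbitrary demo values.

```python
import struct
import zlib
from typing import Dict, Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the keystream generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def describe_key(secret_key: bytes) -> Dict[str, int]:
    """Relate the secret part of a WEP key to the RC4 key size and the real search space."""
    secret_bits = len(secret_key) * 8
    return {
        "secret_bits": secret_bits,          # what vendors call "40-bit" or "104-bit"
        "rc4_key_bits": secret_bits + 24,    # with the 24-bit IV prepended: "64-bit" / "128-bit"
        "keys_to_try": 2 ** secret_bits,     # the IV is public, so it does not enlarge the search
    }


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes, key_index: int = 0) -> bytes:
    """Simplified WEP encapsulation: IV(3) | key-index byte | RC4(IV||secret)(data || CRC-32 ICV)."""
    if len(iv) != 3 or len(secret_key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; secret key must be 40 or 104 bits")
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4_keystream(iv + secret_key, len(body))   # per-packet RC4 key = IV || secret
    return iv + bytes([key_index << 6]) + _xor(body, keystream)


def wep_decrypt(secret_key: bytes, frame: bytes) -> Optional[bytes]:
    """Reverse wep_encrypt; return None when the ICV does not verify (wrong key or damaged frame)."""
    iv, body = frame[:3], frame[4:]   # the IV is read straight off the air, never decrypted
    plain = _xor(body, rc4_keystream(iv + secret_key, len(body)))
    data, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        return None
    return data


def iv_reuse_leaks_xor(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Under a repeated IV the keystream repeats, so ciphertext XOR equals plaintext XOR."""
    c1 = wep_encrypt(secret_key, iv, p1)[4:]
    c2 = wep_encrypt(secret_key, iv, p2)[4:]
    n = min(len(p1), len(p2))
    return _xor(c1[:n], c2[:n]) == _xor(p1[:n], p2[:n])


# Constructed values: KEY_40 is the first NetGear default from section 2.3.6.2 read as hex
# bytes (assumption); KEY_104 and DEMO_IV are arbitrary demo values.
KEY_40 = bytes.fromhex("1011121314")
KEY_104 = bytes.fromhex("000102030405060708090a0b0c")
DEMO_IV = bytes.fromhex("a1b2c3")

if __name__ == "__main__":
    for key in (KEY_40, KEY_104):
        print(describe_key(key))
    frame = wep_encrypt(KEY_40, DEMO_IV, b"hello wlan")
    print("IV on the wire:", frame[:3].hex(), "decrypts to:", wep_decrypt(KEY_40, frame))
    print("same-IV frames leak plaintext XOR:", iv_reuse_leaks_xor(KEY_40, DEMO_IV, b"GET / HTTP/1.0", b"POST /login"))
```

The keys_to_try figure is the point of the paragraph: a "64-bit" WEP key costs an adversary 2^40 guesses, not 2^64, and the 24-bit IV, which is transmitted in the clear in every frame, adds nothing to that.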

[2.3.7] SNMP community words 
Many of the wireless base stations have SNMP (Simple Network Management
Protocol) agents running. If the community word is not properly configured,
an intruder can read and potentially write sensitive information and data on
the base station. If SNMP agents are enabled on the wireless clients, the
same risk applies to them as well. 

By default, all three base stations are read-accessible using the community
word "public". Because most base stations default to the community word
"public", potentially sensitive information can be obtained from the base
station. 

By default, the 3Com base station allows write access using the community
word "comcomcom". Cisco and Lucent/Cabletron require the write community word
to be configured by the user before it is enabled. 

[2.3.7.1] SNMP vulnerabilities 

Many implementations of SNMP were found to be vulnerable using the PROTOS
tool developed by the University of Oulu.  This affected many vendors, many of
which produce wireless access points.  Check with your vendor to see whether
there is a firmware patch for the SNMP vulnerabilities.  For more information
on the testing tool for finding SNMP issues, check here:

http://www.ee.oulu.fi/research/ouspg/protos/ 
http://www.iss.net/security_center/alerts/advise110.php 

[2.3.8] Configuration Interfaces 
Each base station model has its own interfaces for viewing and modifying the
configuration. Here are the current interface options for each base station:


Cisco - SNMP, serial, Web, telnet 

Lucent / Cabletron - SNMP, serial (no web/telnet) 

3Com - SNMP, serial, Web, telnet. 

The 3Com base station lacks any access control on the web interface for
reading the configuration options. Connecting to the 3Com base station web
interface reveals the SSID on the "system properties menu" display, so an
attacker who finds a 3Com base station web interface can easily get the SSID. 

The 3Com base station does require a password on the web interface for write
privileges. That password is the same as the write community word, so 3Com
base stations deployed with the default "comcomcom" as the password are at
risk: this gives an attacker easy write access. 

[2.3.9] Client side security risk 
Clients connecting to the base station store sensitive information used for
authenticating and communicating with the base station. If the client is not
properly configured, this information is accessible. 

Cisco client software stores the SSID in the Windows registry. Cisco stores
the WEP key in the firmware, which is difficult to gain access to. 

Lucent/Cabletron client software stores the SSID in the Windows registry.
The WEP key is stored in the Windows registry, but it is encrypted. The
encryption algorithm is not documented. 

3Com client software stores the SSID in the Windows registry. The WEP key is
stored in registry with no encryption. 

Windows XP has built-in 802.11 configuration and displays the available
SSIDs from within the OS. 

[2.3.10] Installation Risk 
By default, all installations are optimized for the quickest configuration so
that users succeed out of the box. Conversely, by default, the installations
are configured in the least secure mode possible. 

In terms of out-of-the-box experience, Cisco was the simplest and easiest to
install. The 3Com installation was straightforward out of the box. And
Lucent/Cabletron had many firmware upgrades, which led to confusion over
which upgrades to install. 

[2.4] Jamming 
Denial of service attacks for wired networks are popular. This same
principle can be applied to wireless traffic, where legitimate traffic gets
jammed because illegitimate traffic overwhelms the frequencies, and
legitimate traffic can not get through. 

[2.4.1] 2.4 GHz Interfering Technology 
An attacker with the proper equipment and tools can easily flood the 2.4 GHz
band so that the signal-to-noise ratio drops so low that the wireless network
ceases to function. This can be a risk even without malicious intent, as more
technologies use the same frequencies and cause blocking. Cordless phones,
baby monitors, and other devices like Bluetooth that operate on the 2.4 GHz
frequency can disrupt a wireless network. 

[2.5] What are Client to Client Attacks? 
Two wireless clients can talk directly to each other by-passing the base
station. Because of this, each client must protect itself from other
clients. 

[2.5.1] Filesharing and other TCP/IP service attacks 
If a wireless client, like a laptop or desktop, is running TCP/IP services
like a web server or file sharing, an attacker can exploit any
misconfigurations or vulnerabilities with another client. 

[2.5.2] DOS (Denial of Service) 
A wireless client can flood another wireless client with bogus packets,
creating a denial of service attack. An attacker, and sometimes an employee
unintentionally, can configure a client to duplicate the IP or MAC address of
another legitimate client, causing disruption on the network. 

[2.5.3] Hybrid Threats

Next-generation viruses and worms have become multi-vector attack programs
that self-propagate through any TCP/IP interface, including wireless.  If one
computer on a wireless network is infected with a hybrid threat, the threat
can easily spread to other wireless computers and potentially to internal
computers behind the wireless network.

[2.6] War Driving Access Point Maps 
As people go "War Driving", locating APs and recording the GPS
coordinates of each AP location, these AP maps are being shared with any
attacker on the Internet. If a company has its AP location and information
shared on the Internet, its AP becomes a potential target and its risk
increases. These sites usually include a visual map and a database query tool for
locating various APs. Here are some popular places to upload War Driving AP
maps.

http://www.netstumbler.com
http://www.wigle.net
http://www.wifimaps.com

[2.7] Parasitic Grids

From an article: "An underground movement to deploy free wireless access zones
in metropolitan areas is taking hold...   The movement, called by some the
"parasitic grid" and by others more simply the "free metro wireless data
network," has already installed itself in New York; San Francisco; Seattle;
Aspen, Colo., Portland, Ore., British Columbia; and London..."  This
provides attackers and intruders with completely untraceable anonymous access.
Trying to locate and trace attackers using the parasitic grid becomes an
impossible task.

http://www.infoworld.com/articles/hn/xml/01/08/24/010824hnfreewireless.xml

[2.7.1] HotSpots

Hotspots are WiFi access point areas provided by businesses to give their
customers access to the Internet.  Hotspots are being put up by
telecommunication companies and start-ups.  They are being deployed at
airports, hotels, restaurants, and coffee shops.

Starbucks Hotspot at http://www.starbucks.com/retail/wireless.asp
HotSpots listed at http://www.80211hotspots.com/

[3] What are solutions to minimizing WLAN security risk?
There are many things organizations can do today to put proper
security protection around their wireless strategy and technology.

[3.1] Wireless Security Policy and Architecture Design 
Many organizations need to develop a wireless security policy to define what
is and what is not allowed with wireless technology. From a holistic view,
the wireless network should be designed with the proper architecture to
minimize risk.

[3.1.1] Basic Field Coverage

Because of wireless leakage, one of the first principles of basic field
coverage is to provide coverage only for the areas where you want to have
access.

By using directional antennas and lowering the transmit power (on commercial
class equipment - i.e., Cisco and Lucent), 85% (or higher) of the typical
802.11 signal leakage can be effectively eliminated.

[3.2] Treat BaseStations as Untrusted 
From a network security architecture viewpoint, base stations should be
evaluated to determine whether they should be treated as untrusted devices and
quarantined before the wireless clients can gain access to the internal
network. The architecture design may include a Wireless DMZ. This WDMZ
includes appropriately placed firewalls, VPNs, IDSes, vulnerability
assessments, and authentication requirements between the access point and the
Intranet.

[3.3] Base Station Configuration Policy 
The wireless policy may want to define the standard security settings for
any 802.11 base station being deployed. It should cover security issues like
the Service Set ID, WEP keys and encryption, and SNMP community words.
Turning off broadcast pings on the Access Point makes it invisible to
802.11b analysis tools like NetStumbler.

[3.3.1] 802.1X Security 

Windows XP and many hardware vendors are building the 802.1X security
standard into their Access Points.  This provides a higher level of
security than typical WEP security.  The 802.1X standard has a key
management protocol built into its specification which provides keys
automatically. Keys can also be changed rapidly at set intervals.  Check to
see if your Access Points support 802.1X.

There have been some security flaws noted by security researchers in the 802.1X
standard. This points out the need for good VPN technology despite this new
standard. Here is a document that outlines the issues in 802.1X security:

http://www.cs.umd.edu/~waa/1x.pdf

[3.3.2] MAC Address Filtering

Some Access Points have the ability to admit only trusted MAC addresses.
MAC addresses are supposed to be unique addresses on the network. This
feature is usually very difficult to implement in a dynamic environment due
to the tedious nature of trying to configure the AP for each and every trusted
client. The MAC address is transmitted in clear text, so any intruder
can sniff authorized MAC addresses and, with the proper tools, configure and
masquerade their MAC address as a legitimate MAC address and bypass this
security mechanism. Enabling this security feature can be more effort than
the actual security benefit that it provides.

[3.4] Base Station Discovery 
From a wired network search, an organization can identify unknown and
rogue base stations by searching for SNMP agents. The rogue base stations
are identified as 802.11 devices through SNMP queries for the host ID.

Some base stations have a web and telnet interface. Looking at the banner
strings of these interfaces provides another method of identifying
some 802.11 devices.

An additional means is using unique TCP/IP attributes as a fingerprint to
help identify devices as base stations. Most TCP/IP implementations
have a unique set of characteristics, and many OS fingerprinting technologies
use this method for identifying the OS type. This concept can be applied to
base stations.

From a wireless network search, an organization can identify these rogue
base stations by simply setting up a 2.4 GHz sniffer that identifies 802.11
packets in the air. By looking at the packets, you may find the IP addresses
to help identify which network they are on. In a densely populated area with
many businesses close together, running a sniffer may pick up more than the
intended organization's traffic, including that of a close neighboring company.

[3.4.1] Honeypots - FakeAP 

Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access
points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As
part of a honeypot or as an instrument of your site security plan, Fake AP
confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables. 

http://www.blackalchemy.to/Projects/fakeap/fake-ap.html

[3.5] Base Station Security Assessments
An organization can examine and analyze the base station configuration. A
security audit and assessment could determine whether the passwords and
community words are still default or easily guessed and if better security
modes have been enabled like encryption. 

With router ACLs and firewall rules, an organization can minimize access to
the SNMP agents and other interfaces on the base station. A security
assessment can determine how widely accessible the configuration
interfaces of the base stations are within the organization.

[3.6] Wireless Client Protection 
The wireless clients should be assessed for having the following security
technologies: 

firecell (distributed personal firewalls) - lock down who can gain access to
the client. 

VPN - adds another layer of encryption and authentication beyond what 802.11
can provide. 

intrusion detection - identify and minimize attacks from intruders, worms,
viruses, Trojans and backdoors. 

desktop scanning - identify security misconfigurations on the client. 


[4] Who is making 802.11 Security Solutions? 
[4.1] 802.11 Gateway Infrastructure 
BlueSocket: The WG-1000 Wireless Gateway offers a single scalable solution
to the security, quality of service (QoS) and management issues facing
enterprises and service providers that deploy wireless LANs based on the
IEEE 802.11b and Bluetooth standards.

EcuTel: Viatores Secure WLAN edition is different from legacy virtual
private networks (VPNs) in that it maintains VPN and application sessions
uninterrupted with no configuration or re-boot required. Viatores combines
two advanced protocols for mobility and security to enable roaming from LANs
to WLANs and between WLAN subnets seamlessly and securely. Application
sessions and security tunnels are maintained while the user moves from one
subnet to another. Roaming users can communicate easily with colleagues,
regardless of where they are or how they are connected, because Viatores
maintains a single network address. Viatores Secure WLAN edition includes: 

Industry-strength secure communication well beyond the WEP standard; 

Seamless roaming from wired to wireless networks and between different
wireless networks; 

Support for two-way, peer-to-peer communication; 

Data confidentiality and integrity, including key exchanges, digital
signatures, and industry-strength encryption; 

Option to upgrade to secure and seamless roaming from public networks. 

NetMotion Wireless - NetMotion Mobility provides a VPN designed to work with
WLAN security.
http://www.netmotionwireless.com/resource/whitepapers/netmotion_security.asp
has an overview of wireless security and how NetMotion Mobility prevents
unauthorized users from accessing your system and stops eavesdropping,
replay, and other network-level attacks.

[4.2] 802.11 Security Analysis Tools 
AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It
operates by passively monitoring transmissions, computing the encryption key
when enough packets have been gathered. AirSnort will work for both 40- and
128-bit encryption.

http://freshmeat.net/projects/airsnort/ 

http://www.dachb0den.com/projects/bsd-airtools.html 

WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest
discovered weakness of RC4 key scheduling. 

http://sourceforge.net/projects/wepcrack 

Network Stumbler scans for networks roughly every second and logs all the
networks it runs into, including the real SSIDs, the AP's MAC address, the
best signal-to-noise ratio encountered, and the time you crossed into the
network's space. If you add a GPS receiver to the notebook, it logs the
exact latitude and longitude of the AP. Network Stumbler does not use
promiscuous mode.  Thus, simply turning off broadcast pings hides the
Access Point from NetStumbler.  The NetStumbler website now includes a PocketPC
MiniStumbler.

http://www.netstumbler.com/ 

http://www.netstumbler.com/download.php?op=getit&lid=21  PocketPC
MiniStumbler 

Internet Scanner assesses many 802.11b security checks.  This is done by
analyzing via the wired network and contacting the management
interface.

Wireless Scanner examines 802.11b security issues via the 802.11b airwaves.
It has a penetration testing mode and a discovery mode.  It uses promiscuous mode,
and is thus capable of capturing the raw 802.11b packets for forensic analysis and
replay.  Even if broadcast pings are turned off, Wireless Scanner will still
catch any Access Point that sends any kind of traffic, because it uses
promiscuous mode.

http://www.iss.net/download/ Evaluation copy of Wireless Scanner.
https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/home.php WS Knowledge
Base

RealSecure monitors many 802.11b attacks.  We recommend putting Intrusion
Detection and Intrusion Prevention behind the Access Point, directly on any
servers and desktops behind the access point, as well as on any wireless
clients.

BlackICE PC Protection 3.5, a personal firewall with Intrusion Protection
capability, is used on wireless laptops and desktops to protect against
client to client attacks.

[5] About Internet Security System's Wireless 802.11b Solution 
ISS offers a comprehensive wireless security solution:

Wireless Security Assessments and Penetration Testing 

Wireless Policy Design and Workshops 

Vulnerability Scanning with specific 802.11 configuration checks 

Intrusion Detection for Wireless LAN networks 

Wireless 802.11 Security Classes 

ISS X-Force Advisories: 

http://xforce.iss.net/alerts/advise83.php 802.11 SNMP Auth. Flaw 

http://xforce.iss.net/alerts/advise84.php WEP Key exposed via SNMP 

[6] Acknowledgements

This FAQ is written and maintained by Christopher Klaus. The following
people have contributed to the FAQ. Their contributions are deeply
appreciated.


Skip Carter 
Gunter Ollmann 
Jim Broome 
Phil Brass 
Massimo Dileo

Copyright (C) 2001, Internet Security Systems. All rights reserved.

This document may be redistributed only in its entirety with version date,
authorship notice, and acknowledgements intact. No part of it may be sold
for profit or incorporated in a commercial document without the permission
of the copyright holder. Permission will be granted for complete electronic
copies to be made available as an archive or mirror service on the condition
that the author be notified and that the copy be kept up to date. This
document is provided as is without any express or implied warranty.
 
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
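The base station configuration policy and security assessment in sections [3.3] and [3.5] above can be turned into an automated audit. The following is an added example, not code from the FAQ or from ISS; the config field names, the weak-secret list and the illustrative default SSIDs are constructed for this illustration.

```python
"""Added example: audit 802.11 base station settings against a written policy.
Field names, weak-secret list and default-SSID list are constructed here."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed set of community words / passwords counted as "default or easily
# guessed"; "public" and "private" are the classic SNMP defaults the FAQ warns about.
WEAK_SECRETS = {"", "public", "private", "admin", "password", "default"}
DEFAULT_SSIDS = {"default", "wireless", "linksys", "tsunami"}   # illustrative set


@dataclass
class BaseStationConfig:
    name: str
    ssid: str
    wep_enabled: bool
    wep_key_bits: int              # 40 or 128, as the FAQ describes
    snmp_communities: List[str]
    admin_password: str
    broadcast_pings: bool          # answers broadcast probes -> visible to NetStumbler
    supports_8021x: bool


def audit_base_station(cfg: BaseStationConfig) -> List[str]:
    """Return policy findings for one base station; an empty list means compliant."""
    findings: List[str] = []
    if cfg.ssid.lower() in DEFAULT_SSIDS:
        findings.append("SSID is a vendor default")
    if not cfg.wep_enabled:
        findings.append("WEP encryption disabled")
    elif cfg.wep_key_bits < 128:
        findings.append("WEP key shorter than 128 bits")
    for word in cfg.snmp_communities:
        if word.lower() in WEAK_SECRETS:
            findings.append(f"default or guessable SNMP community word: {word!r}")
    if cfg.admin_password.lower() in WEAK_SECRETS:
        findings.append("default or guessable admin password")
    if cfg.broadcast_pings:
        findings.append("broadcast pings enabled (AP visible to NetStumbler)")
    if not cfg.supports_8021x:
        findings.append("no 802.1X support; require a VPN across the WLAN segment")
    return findings


def audit_all(configs: List[BaseStationConfig]) -> Dict[str, List[str]]:
    """Map each base station name to its findings, for a site-wide report."""
    return {cfg.name: audit_base_station(cfg) for cfg in configs}
```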
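Section [3.4] above describes finding rogue base stations from the wired side by looking at SNMP host IDs and web/telnet banner strings. The following is an added example of that classification step, not code from the FAQ or from ISS; the signature table, the field names and the sweep results are constructed for illustration.

```python
"""Added example: flag rogue 802.11 base stations from wired-side evidence
(SNMP sysDescr, web and telnet banners). Signatures and hosts are constructed."""
from typing import Dict, Iterable, List, Optional, Set

# Constructed signature table: lowercase substrings that suggest 802.11 gear.
AP_SIGNATURES = ("802.11", "wireless", "access point", "wavelan")
EVIDENCE_FIELDS = ("sysDescr", "http_banner", "telnet_banner")

Host = Dict[str, Optional[str]]


def base_station_evidence(host: Host) -> List[str]:
    """Return the evidence fields whose text matches an 802.11 signature."""
    hits = []
    for field in EVIDENCE_FIELDS:
        text = (host.get(field) or "").lower()
        if any(sig in text for sig in AP_SIGNATURES):
            hits.append(field)
    return hits


def classify_host(host: Host, approved_aps: Set[str]) -> Optional[str]:
    """'approved' or 'rogue' for base stations, None for everything else."""
    if not base_station_evidence(host):
        return None
    return "approved" if host["ip"] in approved_aps else "rogue"


def find_rogues(hosts: Iterable[Host], approved_aps: Set[str]) -> List[str]:
    """IP addresses of base stations that are not on the approved inventory."""
    return [h["ip"] for h in hosts if classify_host(h, approved_aps) == "rogue"]


# Constructed sweep results: what a wired-side SNMP / banner sweep might return.
SAMPLE_HOSTS: List[Host] = [
    {"ip": "10.0.5.20", "sysDescr": "Acme Linux Router 2.4", "http_banner": None, "telnet_banner": None},
    {"ip": "10.0.5.41", "sysDescr": "ExampleCorp 802.11b Access Point", "http_banner": None, "telnet_banner": None},
    {"ip": "10.0.7.9", "sysDescr": None, "http_banner": "Server: Wireless Gateway httpd", "telnet_banner": None},
    {"ip": "10.0.7.33", "sysDescr": None, "http_banner": None, "telnet_banner": "WaveLAN AP Manager login:"},
]
APPROVED_APS = {"10.0.5.41"}   # constructed inventory of sanctioned base stations
```

Hosts that match no signature are left for the TCP/IP fingerprinting step the FAQ mentions; this block only covers the SNMP and banner evidence.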