Ray Olszewski wrote:
> The basic problem remains -- you need to make the wireless LAN itself secure. To do that, you have the following options (that I can think of - can someone suggest others?):

Remove "wireless" from the above, and I completely agree with you. I started a thread today on the FreeS/WAN about network security when any user can go to Best Buy and for $50 buy a WAP and connect it to their desktop, in the process making the "physical security" model so prevalent in today's firewall systems as obsolete as buggy whips.

There are useful methods for securing wireless (or other "untrusted") networks from other networks, but very little for preventing wireless to wireless hacking, or a wireless user attacking other user machines if someone installs a rogue WAP.

> 1. WEP encryption. The consensus of opinion seems to be that this works against casual break-ins, but not against determined ones. (Peter provided a link to one WEP cracker; another is airsnort.)

Appallingly insecure, but it should still be enabled. It provides some measure of protection from wireless-wireless hacking the more centralized solutions below don't, and at the very least forces someone to break the new "cyber-terrorist" laws if they actually do decode your WAP key and start sniffing around your network.

> 2. MAC address control, implemented either in the WAP itself (however it does this) or in the LEAF router (as DHCP restrictions). Works as long as a break-in attempt does not manage to spoof an allowed MAC address.

Spoofing MACs from sniffed traffic is too easy for this to provide much protection. When used in conjunction with another authentication system, it can be useful.

> 3. Some other authentication mechanism for hosts. Possibilities are requiring use of an ssh tunnel or some form of IPSec. This slows down the wireless LAN but probably provides good security (though the mechanisms for doing this may not be available off the shelf).
>
> 4. Service-level restrictions. The options available to you here (e.g., proxy servers, user-side certificates, pop-before-smtp checks on outgoing mail, SSL and ssh connections to LAN hosts) depend on how much you are willing to limit what legit users of the WAP LAN can do.
>
> I haven't yet implemented a "real" WAP LAN here; I have just started experimenting with an isolated lab-bench one. So I offer these thoughts more as a first pass at the problem than as anything definitive, more designed to clarify the issues than to settle anything. I am quite interested in any better ideas that others can offer.

You might want to check out nocatauth (provide wireless internet service only to folks who authenticate) and WaveSec (locks down the wireless lan pretty tight using IPSec, with patched versions of DHCP server/client to register public keys/certs with DNS):

http://nocat.net/
http://www.wavesec.org/

Both provide pretty decent solutions from the free (as in beer and speech) software side. There are various commercial packages available as well, but I have yet to see any real workable solution (commercial or open-source) that can protect a LAN if a WAP is plugged in without permission... the layer 2 ethernet security is just based too strongly on the physical security model.

--
Charles Steinkuehler
[EMAIL PROTECTED]
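
An added example, not part of the original message: one way a router could audit option 2 (MAC address control), by checking its ARP table against an allow-list and flagging both unknown MACs and an allowed MAC that shows up on an unexpected address. The interface name `eth2`, the allow-list and the sample table are constructed assumptions; a cloned MAC used while the real host is offline still passes, which is why the thread treats MAC control as a supplement only.

```python
from collections import defaultdict

# Constructed sample in /proc/net/arp format (not captured from a real host).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.2.10     0x1         0x2         00:02:2d:aa:bb:01     *        eth2
192.168.2.11     0x1         0x2         00:02:2d:aa:bb:02     *        eth2
192.168.2.57     0x1         0x2         00:02:2d:aa:bb:02     *        eth2
192.168.2.99     0x1         0x2         00:40:96:12:34:56     *        eth2
192.168.2.12     0x1         0x0         00:00:00:00:00:00     *        eth2
192.168.1.5      0x1         0x2         00:50:ba:de:ad:01     *        eth1
"""

# Hypothetical allow-list for the wireless segment: MAC -> address it is expected on.
ALLOWED = {
    "00:02:2d:aa:bb:01": "192.168.2.10",
    "00:02:2d:aa:bb:02": "192.168.2.11",
}


def audit_arp(text, allowed, iface):
    """Return (unknown, conflicts) for complete ARP entries seen on iface."""
    seen = defaultdict(set)
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw, flags, mac, _mask, dev = fields
        if dev != iface or not int(flags, 16) & 0x2:
            continue                            # other segment, or incomplete entry
        seen[mac.lower()].add(ip)
    # MACs that are not on the allow-list at all.
    unknown = sorted((mac, ip) for mac, ips in seen.items()
                     if mac not in allowed for ip in ips)
    # Allowed MACs answering for anything other than their one expected address.
    conflicts = {mac: sorted(ips) for mac, ips in seen.items()
                 if mac in allowed and ips != {allowed[mac]}}
    return unknown, conflicts


if __name__ == "__main__":
    unknown, conflicts = audit_arp(SAMPLE_ARP, ALLOWED, "eth2")
    for mac, ip in unknown:
        print(f"unknown MAC {mac} at {ip}")
    for mac, ips in conflicts.items():
        print(f"allowed MAC {mac} seen at {', '.join(ips)}")
```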




leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

