Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Web Design

Real-World Wireless Network Security

advertisement

Real-World Wireless

Network Security

What We Want

Easy to use

Broad compatibility

Low administrative overhead

No special client software

What We Have

Wi-Fi drivers overcomplicate the task of setting SIDs or WEP keys

Current Wi-Fi systems do not include any unique client identifiers

VPNs, LEAP, 802.11x, etc. require certain cards, drivers and operating systems, tend to be complex and unreliable, and it will be years before we can assume otherwise

The Compromise

We cannot trust wireless clients any more than general Internet hosts and will not waste time pretending otherwise

Wireless Setup

Stock 802.11b

Broadcast SID

No WEP

Access points on a highly-untrusted

VLAN

Registration

The first time a system is connected, all outbound web requests will be redirected to a registration page

(See http://www.net.cmu.edu/netreg/ )

Registration provides limited accountability by restricting access to people who already have accounts.

A side benefit is the security warning every user will see during the registration process

Registration Details

DHCPD v3 allows you to serve different

IP ranges to known MACs

Unregistered MACs are assigned a separate IP range with a special DNS server, 30 second lease times and no internet access

The registration web server’s IP is returned for every DNS request

Registration Details

The registration web server issues a redirect for any HTTP request to the

HTTPS server netreg.example.edu

to avoid browsers caching our page instead of the real www.nytimes.com

After authenticating the user’s MAC is added to the registered client list in dhcpd.conf

Security

Registered clients are behind NAT and a firewall to protect the internal network from abuse

Snort sensor inside the NAT layer

Rate-limiting 802.11b is an exercise in optimism but we should do it anyway

Security Details

Open internet access limited to the ports used by encrypted protocols for web

(443), email (993, 995), and ssh (22)

Unencrypted HTTP is diverted to squid

Windows and Mac file sharing limited to two secured servers

Everything else is dropped

Known Problems

Registration can be bypassed using

MAC spoofing

Potentially nasty things may be tunneled over SSL ports

SMTP AUTH requires client support

Future Directions

Compromise on ease of use and security by allowing PPTP, IPSec or

PPPoE users greater access

Bandwidth allocation and traffic shaping

Automatic de-registration after long periods of inactivity

Automatic IDS-driven firewall rule updates

Related documents
Real-World Wireless Network Security
Real-World Wireless Network Security
802.11b and the Joy of WarCycling in Dublin David Malone 12 November 2002
802.11b and the Joy of WarCycling in Dublin David Malone 12 November 2002
Allowing others to connect to my DLINK wireless network
Allowing others to connect to my DLINK wireless network
WirelessMobile Computing dan Satelit Pertemuan 4
WirelessMobile Computing dan Satelit Pertemuan 4
WAEA
WAEA
itb wireless network user registration form
itb wireless network user registration form
TASK - ict4u.net
TASK - ict4u.net
AirPort Extreme 802.11n (5th Generation) - Technical
AirPort Extreme 802.11n (5th Generation) - Technical
Networks
Networks
Home Networks
Home Networks
Wireless Networking (WiFi) update IRMA-BCS meeting 21st October 2003 - 4.30pm
Wireless Networking (WiFi) update IRMA-BCS meeting 21st October 2003 - 4.30pm
CNT 4704: Analysis of Computer Communication Networks
CNT 4704: Analysis of Computer Communication Networks
Download
advertisement