Secure your own darned network

Along with the responsibility to protect ourselves and our property from harm rather than relying on the government to do it for us comes the responsibility to protect our assets in the electronic world.

Since it doesn't hurt Microsoft (or any other software or hardware company) if you lose your data or someone steals it and blackmails you with it or shares it with someone else, they have little incentive to protect you any more than absolutely necessary to keep people forking out the dough for their products. Clearly you need to take some responsibility for yourself.

Wireless is becoming more and more popular, and I encourage everyone to start using it because it's quite convenient. Unfortunately, part of the convenience is that by default wireless access points tend to be wide open, so when you plug an access point into your network and plug a wireless card into your computer, it will Just Work. Unfortunately, it also Just Works for your neighbor who doesn't want to pay for internet access. It also Just Works for someone who wants to blackmail someone else through email and doesn't want it traced back to them. It also Just Works for someone who wants to see what you're up to.

The popular suggestions that are being spouted on news sites these days turn out to be not only useless but downright harmful. The majority of them increase the inconvenience to an attacker in direct proportion to the inconvenience to you and your users. Not broadcasting your SSID, for example, means that your users have to type in the SSID manually the first time they use your network. To an attacker it means running a wireless sniffing tool like Kismet for a couple minutes to find out your SSID. Kismet is free and included with most Linux distributions, including Knoppix, which runs directly off a CD. I taught my client's VP of marketing to use Kismet in about ten minutes and he'd never used Linux before in his life. Now he's giving wireless hacking demos to NPR reporters.

Similarly, MAC address filtering only prevents casual access to the network. Like turning off SSID broadcast, it doesn't prevent passive capture of the data going over the wireless network. It also doesn't prevent someone from simply looking in the captured data to find allowed MAC addresses (which are sent in the clear even if you use encryption) and changing their own wireless card's MAC address to match.

The only suggestion usually made that has any use at all is enabling WEP. WEP, unfortunately, is very weak encryption because it wasn't designed by a cryptographer. Cracking a WEP key is only a matter of sitting there in range of the wireless network and waiting until you capture enough packets. Rather than having to brute force the key, cracking a WEP key is more like the way the WOPR cracked the missile launch code in the movie WarGames. If this is too esoteric for you, just look at it this way: if someone wants your WEP key and you don't change it frequently (at least monthly), it's only a matter of time before they have it. And not years; we're talking days or a few weeks.

People really need to be using WPA. WPA is encryption, like WEP, but it was designed by cryptographers. It doesn't have the weaknesses of WEP, though the type of WPA that uses a shared password (PSK, or pre-shared key) is vulnerable to simply guessing the key, so you'd better use a long, random key if you use that. WPA RADIUS, which requires a RADIUS server, is quite strong. It allows each user on your network to have their own username and password, so you don't have to share a hard-to-remember key with everyone. Unfortunately, setting up a RADIUS server is a pain, though Wireless Security Corp provides a subscription-based service that will let your network use their RADIUS server. Linksys has their own branded version of the service.
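To make the PSK advice concrete, here is an added example (not code from the original post). It shows that the WPA-PSK master key is computed from nothing but the passphrase and the SSID, which is why a guessable passphrase is the weak point, then generates a random passphrase and audits a chosen one. The network name `HomeNet`, the sample word list and the 20-character threshold are assumptions made for the example.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, typeable on any client
# Constructed sample of predictable choices; a real audit would use a larger list.
COMMON = {"password", "12345678", "letmein123", "qwertyuiop"}
MIN_LENGTH = 20  # assumed policy threshold for this example

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA-PSK master key from passphrase and SSID."""
    # WPA-PSK uses PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations.
    # The passphrase is the only secret input to this derivation.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def random_passphrase(length: int = 32) -> str:
    """Generate a passphrase from the OS CSPRNG (secrets), not from random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string; not valid for human-chosen ones."""
    return length * math.log2(alphabet_size)

def audit(passphrase: str, ssid: str) -> list:
    """Return the reasons a passphrase is easy to guess (empty list: none found)."""
    findings = []
    lowered = passphrase.lower()
    if lowered in COMMON:
        findings.append("appears in a list of common passwords")
    if ssid and ssid.lower() in lowered:
        findings.append("contains the network name")
    if passphrase.isdigit() or passphrase.isalpha():
        findings.append("uses a single character class")
    if len(passphrase) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    return findings

if __name__ == "__main__":
    key = random_passphrase()
    print(key, "%.0f bits" % entropy_bits(len(key)), audit(key, "HomeNet"))
    print("homenet2005:", audit("homenet2005", "HomeNet"))
```

A 32-character passphrase from this alphabet carries about 190 bits, far more than anyone will guess; the same length typed from memory carries much less, which is what the audit is for.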

In my opinion, the only excuse for not using WPA is if you have equipment that doesn't support it. Ideally, though, if you have non-WPA wireless hardware, you should consider upgrading. Current 802.11g hardware usually supports WPA, and you get more bandwidth too!

Question from a techie who's

Question from a techie who's not used wireless: how about using a VPN instead? Something like OpenVPN where all ports except OpenVPN's UDP port are firewalled, and normal LAN traffic runs across the VPN. OpenVPN is pretty easy to set up if you're technical.

A VPN doesn't protect

A VPN doesn't protect computers that are on the wireless network from one another. If you rely on a VPN for wireless security, you must also rely on each computer's firewall to protect it from attacks via the wireless network. Any flaws in that firewall will open the machine to attack, and users may disable the firewall to allow certain software to work. WPA prevents attackers from gaining access to the wireless network in the first place.

To give you an example, when I was up at SBC Park preparing for an interview on CNBC talking about the security risks of using an open wireless network, I found that my client's marketing consultant had an open instance of MySQL running on his machine, with no password for the root account and remote access wide open. He didn't even know what MySQL was; it had been installed by another application he was testing out. I had full access to all that application's data, and it was a financial application!

BTW, I would strongly recommend the use of IPSEC (potentially over UDP) rather than OpenVPN if you're planning on using a VPN for anything. IPSEC has been much more closely studied than OpenVPN, and though it's harder to set up, the reduced potential for unknown security flaws is worth the additional effort.

Well, I was thinking more

Well, I was thinking more like, the VPN pretends to not be a VPN, if you see what I mean. The VPN is routed as part of the regular LAN, it's just used as a transparent data pipe between wireless nodes. So, the very restrictive firewall that protects all "raw" wireless access except OpenVPN is never user-visible, because no user programs see "raw" access on the wireless connection, they instead see routes via the OpenVPN TAP device. The user-visible firewall then sits at this LAN level, and users can open "holes" in it without compromising the wireless.

IPSEC may be better studied, but it's so much more complex that to me it would be a worse security risk - I could misconfigure it and leave a hole without ever knowing.