July 15, 2004

Wireless Threat Matrix, for the layman

I work as a systems and network administrator for internet solutions provider Webformix here in Bend, Oregon. We are handling an exceedingly large number of wireless projects for various clients, which I'm responsible for speccing out. For anyone who has ever done any study of the wireless world, it is obvious what a state wireless security is in these days.

802.11 wireless technologies have spread across the landscape like wildfire due to their ease of implementation and standardized interoperability, but the security features for this network platform have been left in the dust for the exact opposite reasons: they are difficult to deploy, and lacking a coherent standard, vendors have failed to make your average access point play nicely with your standard wireless card, or sometimes even play at all.

Security is especially important in a wireless network since you are essentially broadcasting your internet access presence into the air. Unsecured, anyone in the vicinity may accidentally wind up on your network, or else a determined attacker can see everything you do online and/or jump online with you and abuse your connection (waste your bandwidth, commit fraud online, send spam, and you'll get blamed) with ridiculous ease. With a fairly inexpensive directional antenna, the attacker could be on a hill 20 miles away and still eavesdrop on your email.

Worse yet, many of the encryption and authentication methods that are available must be watertight in order to be any help at all, but many of them are not. The data encryption standard "WEP" (Wireless Equivalent Protection) that was ratified as part of the 802.11 protocol was proven easily crackable in 2001. It is still better than nothing for your home network. Just like a car door lock, it can deter your average attacker, especially since your neighbor probably set up no encryption at all. But if an attacker is determined, or if they have nothing better to do than sit on a hill for a few hours cracking your network, then that's really all that they need.

Many other concerted attempts at encryption and authentication have been proposed and implemented, and none of them so far is a silver bullet. To rest easy, what we need is strong security, with strong user authentication and — for those of us who want it — accounting. But we also need this to be easy to set up, on the server and for the client. We need it to be interoperable, so that different hardware from different vendors can use the protocol fluently on the same network, and so that your laptop or PDA can get online even if you're running OS X. The more transparent and user-proof, the better.

Many home-brewed solutions have been attempted above the link layer. Capture-auth gateways that force you onto a web page where you need to log in before you can get access, throwbacks from dialup and DSL such as PPPoE and PPTP, and encryption technologies initially meant to bridge corporate networks such as IPsec and VPNs have all been tried. These have their own strengths and weaknesses, but as has been the case so far: the easier they are to implement on server and on client, the less secure they end up being, and vice versa.

IEEE has been brewing up the successor to the WEP standard for a few years now, known as 802.11i. This promises to be the silver bullet everyone has been pining for, but it has not yet materialized. It may during the next few months or years; it was ratified just last week, but very, very few vendors have implemented it yet.

While it was being proposed, the Wi-Fi Alliance saw fit to create a de facto standard known as WPA (Wi-Fi Protected Access), which takes many of the important elements from the upcoming 802.11i standard and makes them available as a temporary software-upgrade solution for existing hardware. Alas, for whatever reason it has spent at least a year being poorly implemented by vendors, so that a majority of its authentication-related functionality remains unusable to the wireless world. Vendors like Cisco and Microsoft have riddled their implementations with so many vendor-specific changes that they cannot co-exist with other hardware. Most wireless AP/bridge combos I've tested (Linksys, Microsoft, Motorola, EnGenius) support serving advanced WPA features in AP mode, but not authenticating by them in bridge mode. Finally, Windows XP's heralded new WPA client support lacks the ability to specify your username and password for a wireless network — the only option allowed is to use your Windows username and password.

For you wireless security buffs out there, the next post will be a discussion of what can be done about the situation. Every choice appears full of trade-offs, and I've put together a grid which displays these trade-offs visually, to help us make those tough choices.

Posted by jesse at July 15, 2004 11:59 PM