(keitai-l) Re: 802.11b (in)security

From: Curt Sampson <cjs_at_cynic.net>
Date: 08/16/01
Message-ID: <Pine.LNX.4.33.0108161412170.32607-100000@denkigama.nat.shibuya.blink.co.jp>

Well, I think part of this whole problem of WLAN security discussion
is that you can't say it's either "secure" or "not secure." There being
lots of different things you can do with such a network, there are lots
of different things you can secure against (or not, as you wish). In
some of the applications we're talking about, you don't want to secure
against certain actions. (A public access WLAN point is not much good
if the public can't access it!)

So let's look at the various points here from the point of view of public
data access eventually (one hopes) leading us to girls with keitai
in hand, chatting or browsing away for hours on end and paying almost
nothing for it.

In terms of preventing unwanted people from connecting to and using
your network, well, that's out of the question. The 802.11b security is
completely broken now, so there's nothing preventing someone from sending
and receiving packets. You could try filtering based on MAC address or
IP address, but there's nothing preventing someone from sniffing "valid"
versions of these and then using them.

As far as attacks originating from the network, well, this problem is
not much different from any other public access point, such as a wired
Internet cafe. Most attackers these days are only using their immediate
connection to control machines elsewhere (often thousands of machines
scattered all over the Internet) which actually perform the attack.

Spamming is a different sort of effect, and you might want to stop that
by just blocking port 25, if it becomes a problem. But then you need
a local, spam-reducing mail server to let people send mail out. Or you
could allow port 25 access only to the SMTP servers of major ISPs. Or
you could use a transparent proxy to limit the number of messages that
can be sent in any given period of time. Or you might just put yourself
in the dial-up MAPS list. There are solutions.

You could stop a few of the more obvious ones with some router filtering,
of course; blocking outgoing connections to port 25 (SMTP) will stop
anyone from sending spam, or any mail at all for that matter. You could
use this to encourage people to use your local SMTP server, which could
have spam filtering built in.

In terms of the user's data being secured against eavesdropping, well,
if he's not using end-to-end encryption, it's not, period. In any system
you're exposed to the network administrators and, if they're not careful,
anybody who's "hacked" their system in some way. (I put that in quotes
because if the network admin installed a hub instead of a switch, you're
broadcasting your packets to everyone, so if someone chooses to listen
to them it's not even hacking anything--there was no security to break.)
With WLAN it's worse, you're really broadcasting to the entire immediate
vicinity. But in a way it may be helpful; since there's no way around
that (this is radio, after all), that will provide a lot more pressure
on everyone to start using proper end-to-end security. You can bet VPN
software is going to become a lot more popular now that 802.11 "security"
is toast.

The first paragraph above gives one of the reasons I see access generally
being unmetered and free, at least at first. We don't have the easy
infrastructure to support any way of preventing access to a WLAN, so
all WLANs are (or soon will be) public to anyone who wants to put in
just a little work to get access. The only real security I wouldn't be
surprised to see would be per-node bandwidth limiting at the router to
keep the rogue elements down to a minor annoyance. Eventually we may
get to the point where you have to set up an authenticated tunnel to the
local router in order to route to the Internet, but we're not there yet.

And if we look at the public WLANs currently out there, we see that
most of them indeed are free, or at least unmetered. Often those in
coffee shops say you get free access when you buy a cup of coffee, but I
highly doubt that they're enforcing that to the point where you couldn't
just sit in a car outside and use it from there. Some projects, such as
www.nycwireless.org, are completely free; just go sit in the park and use
it to your heart's content. (A search for 'free wireless internet access
"802.11b"' turns up about 10,800 hits on Google, BTW. Many of these are
not pointers to free wireless access, but there's still a lot out there.)

As benjamin pointed out, at this point the average Unix power user is set.
Here's the scenario, which is not so hard to set up:

    1. Sit down, open notebook, bring it out of standby mode.

    2. Notebook comes up and tries to figure out what it's going to
    do for network connectivity. It figures out what network interfaces
    are available (wired ethernet, whatever's in the PCMCIA slot, maybe
    some USB stuff) and eventually brings one of them up and successfully
    gets an address via DHCP.

    3. Notebook brings up the encrypted tunnel between itself and my
    home machine. (Well, in my case one of my colocated servers, as I
    don't have a network connection at home, but you get the idea.) Now
    anything addressed to one of the addresses of my home machine is
    forwarded to my notebook, and some outgoing stuff appears to come
    from that home address.

    4. My notebook's VoIP application connects to my home machine's VoIP
    server and now I can make and receive calls.

The commercial application looks just like this, except it runs over
Windows, connects to a commercial VoIP portal, and maybe just connects
directly and without encryption rather than using a tunnel. It would be
darn easy to use, except that you have to boot your computer and start
the application. That's where the little handheld thing comes in.

cjs <-- uses ssh, IPSec
-- 
Curt Sampson  <cjs_at_cynic.net>   917 532 4208   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC


Received on Thu Aug 16 08:04:59 2001
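
Added example, not part of the original message: a small model of the port 25 egress policy the message outlines for a public access point, combining an allowlist of SMTP relays with a per-source cap on new SMTP connections per time window. The relay addresses, limits, class and function names, and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

SMTP_PORT = 25
# Assumed values (documentation address ranges), not taken from the message.
ALLOWED_RELAYS = [ip_network("192.0.2.25/32"), ip_network("198.51.100.0/28")]
MAX_SMTP_PER_WINDOW = 3
WINDOW_SECONDS = 60

class EgressPolicy:
    # Verdict for each new outbound TCP connection seen at the router.
    def __init__(self, relays=ALLOWED_RELAYS, limit=MAX_SMTP_PER_WINDOW,
                 window=WINDOW_SECONDS):
        self.relays, self.limit, self.window = relays, limit, window
        # Keyed by source IP. The message notes that addresses can be
        # sniffed and reused, so this caps abuse; it does not authenticate.
        self.recent = defaultdict(deque)

    def decide(self, ts, src, dst, dport):
        if dport != SMTP_PORT:
            return "allow"                      # only SMTP is policed here
        if not any(ip_address(dst) in net for net in self.relays):
            return "deny:relay-not-allowed"     # direct-to-MX delivery blocked
        q = self.recent[src]
        while q and ts - q[0] >= self.window:   # expire entries outside window
            q.popleft()
        if len(q) >= self.limit:
            return "deny:rate-limit"
        q.append(ts)
        return "allow"

# Constructed sample events: (seconds, source, destination, dest port)
SAMPLE_EVENTS = [
    (0, "10.0.0.7", "203.0.113.9", 80),    # web traffic, untouched
    (1, "10.0.0.7", "203.0.113.9", 25),    # SMTP to an arbitrary host
    (2, "10.0.0.7", "192.0.2.25", 25),     # SMTP via the allowed relay
    (3, "10.0.0.7", "192.0.2.25", 25),
    (4, "10.0.0.7", "192.0.2.25", 25),
    (5, "10.0.0.7", "192.0.2.25", 25),     # fourth within 60 s
    (6, "10.0.0.8", "198.51.100.3", 25),   # different node, own budget
    (62, "10.0.0.7", "192.0.2.25", 25),    # oldest entry has expired
]

def run(events=SAMPLE_EVENTS):
    policy = EgressPolicy()
    return [policy.decide(*e) for e in events]
```
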