Return-Path: <zealots-admin@shmoo.com>
Received: from MIT.EDU by po12.mit.edu (8.9.2/4.7) id QAA11512; Tue, 30 Jan 2001 16:01:14 -0500 (EST)
From: <zealots-admin@shmoo.com>
Received: from archimedes.shmoo.com by MIT.EDU with SMTP id AA10567; Tue, 30 Jan 01 15:59:43 EST
Received: from archimedes.shmoo.com (localhost [127.0.0.1]) by archimedes.shmoo.com (8.9.3/8.9.3) with ESMTP id MAA83671; Tue, 30 Jan 2001 12:00:04 -0900 (AKST) (envelope-from zealots-admin@shmoo.com)
Date: Tue, 30 Jan 2001 12:00:04 -0900 (AKST)
Message-Id: <200101302100.MAA83671@archimedes.shmoo.com>
Subject: Zealots digest, Vol 1 #1 - 1 msg
Reply-To: zealots@shmoo.com
X-Mailer: Mailman v1.1
Mime-Version: 1.0
Content-Type: text/plain
To: zealots@shmoo.com
Sender: zealots-admin@shmoo.com
Errors-To: zealots-admin@shmoo.com
X-Mailman-Version: 1.1
Precedence: bulk
List-Id: To discuss GAWD and the wireless universe <zealots.shmoo.com>
X-Beenthere: zealots@shmoo.com
X-Evolution: 00000073-0000


Today's Topics:

  1. Securing Wireless Access (Bruce Potter)

--__--__--

Message: 1
From: "Bruce Potter" <gdead@shmoo.com>
To: <zealots@shmoo.com>
Date: Mon, 29 Jan 2001 21:55:36 -0500
Subject: [Zealots] Securing Wireless Access

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Howdy,
The development of GAWD aimed to accomplish 2 purposes.  The first
was the obvious one of unifying information about access points all
over the planet so folks could be connected wherever they were.  The
second, slightly more philosophical goal was to raise awareness of
wireless security.

By gathering all these AP's together, I think a lot of us have
thought "if I enter my AP into the DB, how can I protect myself from
malicious activity that's off my premise but still in range?"  The
term "drive-by spamming" has become en vogue in the last few weeks...
it is a real threat, esp as more wireless communities develop and
DB's like GAWD get populated.

WEP is currently the standard for encryption on the wire (in the
802.11 world that is).  However, it doesn't scale very well.  Keys
must be rotated by hand, and even worse some hardware companies make
drivers that only support 1 key, not the standard 4. Also WEP has
come under theoretical attack recently, and rumor has it it's going
to be blown apart soon. So what are options besides WEP?  There are
several ways to view the need for security on a wireless LAN.

- - Authentication: Verifying the entities who are on the LAN.. the AP
itself and the client trying to connect both need to authenticate. 
WEP does this via a shared secret, but a certificate based system
would scale better.

- - Authorization: The AP (ie: the device that's the egress point of
the wireless LAN into the rest of the network) needs to determine
what activities a client is authorized to do...  most systems allow
you to just have carte blanche, but some folks funnel their AP's
through a policy server that controls access.  WEP doesn't provide
any authorization.... Kerberos is about the oldest (and some say the
best) authorization protocol around.. something like it (or RADIUS)
might be a great thing for the wireless community

- - Data integrity: If I'm sitting next to 15 other ppl accessing the
same AP and being radiated with the same radio waves that I'm
intending only for the AP, I need a way to provide link level
encryption even if I don't have transport layer encryption. Sniffing
data on a wire requires direct physical access... sniffing a wireless
segment may simply require proximity.  So for data that I may trust
the wired world to protect without encryption I may still want link
level encryption for the first jump to prevent other coffee shop
patrons from knowing what stocks I'm looking at.  WEP provides 40,
64, or 128 bit encryption, but again, this is suspect.  Should link
level encryption even be an option?  or should vendors just say
"encrypt end to end, or you're screwed" (I doubt that would ever
happen.. vendors always want to give their customers a false sense of
security... but it sure would be a kick in the butt for the
industry).

Anyhoo, What do you all think?  How do you secure your AP's?

later

bruce

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOnYtATqMpaE/ej/cEQKLEwCdGokSJKPV5ON/nPfBI5He7DetnmAAnRgP
tlvz97H2yOJWI6adBgW4wNtB
=X8NP
-----END PGP SIGNATURE-----




--__--__--


End of Zealots Digest
