
Comment Think Security First! (Score 2, Informative) 309

Wireless 802.11b is riddled with insecurities. In addition to various improprieties within WEP (see attached), the 802.11b access association scheme is inherently insecure. The University of Maryland Study found that "while the current access points provide several security mechanisms, [their] work combined with the work of others show that ALL of these mechanisms are completely in-effective."
The mechanisms they are referring to are:
  • WEP (Wired Equivalent Protocol)
  • Open Systems Authentication
  • Shared Key Authentication
  • Access Control Lists (MAC Address Lists)
  • Closed Network Access Control (LUCENT's Proprietary Access Control)
The important thing to note here is that EVERY one of these mechanisms can be worked around.
  • WEP has known vulnerabilities allowing someone to decrypt information in real-time after capturing about a day's worth of traffic.
  • Open Systems Authentication has "shown that the authentication management frames are sent in the clear even when WEP is enabled."
  • Shared Key Authentication has shown that it is rudimentary to capture the Initialization Vector since it is sent in the clear as part of a WEP frame.
  • Standard Access Control Lists are easily circumvented by an attacker sniffing the network for a valid MAC and thus reprogramming their network card to an appropriate value to gain access to the network.
  • The proprietary Closed Network Access Control list that LUCENT (and others) touts as "a system that will not send the network identification (SSID) as a broadcast, thereby mandating that someone KNOW the SSID before they can associate to the network," is inherently flawed since:
"Several management messages contain the network name, or SSID, and these messages are broadcast in the clear by access points and clients. The actual message containing the SSID depends on the vendor of the access point. The end result, however, is that an attacker can easily sniff the network name, determining the shared secret and gaining access to the "protected" network. This flaw exists even with WEP enabled because the management messages are broadcast in the clear."
When setting up a wireless 802.11b network, you MUST consider it to be publicly accessible. Anyone who is motivated can gain access to your physical network. They need not be within 300 meters, and through the use of a Yagi antenna or some other directional device could gain access from miles away. If setting up a wireless network despite the vulnerabilities please follow the following suggestions:
  1. The most effective strategy would be to put your wireless access points into an IPSEC-enabled DMZ, and have your wireless users tunnel into your network using a VPN. If your corporation doesn't already have a VPN infrastructure in place, it's going to cost you some money to implement. Even if you do have a VPN in place, and all of your clients already have the VPN software, there's going to be an extra effort associated with setting up a VLAN for your DMZ. But this solution adds a layer of encryption and authentication that could make a wireless network suitable for sensitive data.
  2. Consider using an additional level of authentication, such as RADIUS, before you permit an association with your access points. While it's not part of the 802.11b standard, a number of companies are optionally including some provision for RADIUS authentication. Orinoco access points, for example, can enforce RADIUS authentication of MAC addresses to an external RADIUS server. Intermec access points include a built-in RADIUS server for up to 128 MAC addresses. (EAP (Extensible Authentication Protocol) is used to allow wireless clients to authenticate to RADIUS servers using a single sign-on.)
  3. At an absolute minimum, even with its vulnerabilities, you should enable WEP. Whether you implement 64-bit or 128-bit doesn't really matter too much, as it's not the encryption scheme that's determining how long it takes to crack it, but the number of possible Initialization Vectors. WEP is only a low barrier to entry, but it will keep out many of the casual hackers because there are so many other wireless networks that are wide open and easier targets.
REFERENCES

University of Maryland Study: http://www.cs.umd.edu/~waa/wireless.pdf

Fluhrer, Mantin and Shamir Study: http://www.eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf

AT&T Labs and Rice University Study: http://www.cs.rice.edu/~astubble/wep/wep_attack.html
