Wireless

Wireless

Sorted By Creation Time

Wireless FAQ

Contact:http://www.packetnexus.com

I found this in my search for wireless security info.  Section 9 is
security.  The FAQ is pretty good.

http://allnetdevices.com/faq/

jas


Back to the Index

WEP links

Contact:http://www.packetnexus.com

http://www.networkcomputing.com/1113/1113f2full.html

http://www.wireless-nets.com/column_wireless_security.htm

http://student.axis.com/proposals/wep.htm

http://www.macwindows.com/airportpc.html

http://securitygeeks.shmoo.com/article.php?story=2000121306222979

http://www.seattlewireless.net/

http://www.teleport.com/~samc/psuwireless/

http://www.personaltelco.net/download/802.11b-primer.pdf

http://slashdot.org/article.pl?sid=00/12/04/1950212&mode=thread&threshold=1

http://www.personaltelco.net/project.html


Ya'll, ok...the Lucent Wavelan Silver cards slide nicely into the Wavepoint
basestation. We use these puppies as Points of Presence for a metro area
business only Internet access solution, full 11MB wireless pipes into a
backend with (2) OC3 pipes going up to the big boys...and yea..there are T1
backups and ISDN backups too... The client side demarc points are "very
custom" kernel Linux Router Project boxes based in 486's, with Wavelan
Silver cards stuck into the isa adapter card, got DMZs, private LAN and all
the goodies in there. Anyways we implement network security using first and
foremost really hard-to-guess names for the Wavepoint POPs with stupid hard
admin passwords. In the Wavepoint there is a nice little setting for only
allowing specific MAC (media access control)addresses to connect to the POP.
(such as the mac address of the Wavelan Silver card in the client side
router) In addition we encrypt the communication bi-directionally at some
nifty high bitrate that I cannot remember off the top of my head. On a side
note, the Wavelan cards are direct sequence and stick to one channel and
that channel is fixed and thus easy to identify using the site survey tool
(assuming you know the POP name or IP)...Note..the Breezecom products are
frequency hopping and harder to thus get a link on, but they are WAY, and I
mean WAY less dependable. That is my version of a warning to would be
Breezecom users. Anyways, we actually make solid money with this stuff...if
guys want to go solo..thats cool but make sure that you get the right
antenna for the right job....and if you are gonna try and setup Points of
presence in stead of direct shots...please, for your own sanity...use an
array of directionals and not a Uni antenna. Way too much interference on
client to Uni uplink usually as the Uni picks up everything in a 360 degree
radius... limit your pain with directional arrays is the moral of this
story. If you are gonna shoot long distances (15 to 20 miles) use as short a
wire from antenna to wavelan card as possible ( db loss can be a pain on
long runs) and use a pair of DB24 antennas with line amps. That would be my
braindump of the day. enjoy. Oh yeah...add a beowolf cluster in there
somewhere just to impress your friends.


Back to the Index

gartner pirate wirless networks

Contact:http://www.packetnexus.com

http://www.gartner.com/public/static/aboutgg/pressrel/pr20001108b.html


Back to the Index

Wireless Security Issues

Contact:http://www.packetnexus.com

January 2001 Wireless Security Issues
Wireless commerce security issues include the vulnerability of messages
being converted from wireless security protocol to Internet security
protocol, and the question of authentication. Several companies have devised
solutions to these problems.
[Editors' Note: "Wireless" is not a single space. We use CDMA, 802.11, CDPD,
HRF, and WAP each for different applications, each in different
environments. The security implications are different for each.]
Back to the Index

WLAN security

Contact:http://www.packetnexus.com

http://www.techrepublic.com/article.jhtml?id=r00220001206dmy01.htm&page=2


Back to the Index

802.11b is not bulletproof

Contact:http://www.packetnexus.com

802.11b wireless security is not bulletproof.

Things to think about:

WEP

The only WEP key standard is for 40-bit, anything higher then that (at this
point) is vendor specific ... if you implement it, there goes your
cross-vendor compatibility.

Most vendors use a shared key configuration; all devices have the key that
lets them onto the network. This is okay if you control all the nodes, but
if you're running a shared network, this is a serious problem. So you give a
newcomer the key, a month later you want to kick them off the network (for
whatever reason), since there is no cable to unplug, your only option is
change the shared key and then contact everyone else and get them to change
their key as well.  This would be a management nightmare.

Rotating the WEP keys (using all 4 of them) can help avoid a flag day where
all users have to change their key at once. Most base stations can be told
to transmit on any one of the four keys, so you can switch to a new transmit
key every week or month, and replace the old key material with new. That
way, any user can set up their device with the current set of keys, leaving
them with at least 3 key changes worth of future access time. This can make
changing WEP keys almost practical, and sets a three key change limit on the
access remaining after a user is booted for some reason. It has the added
benefit of requiring rogue users to go back to their social engineering to
get the current keys at least once every 4 key changes.  Of course, your
access point has to support the four keys.  You still have the management
problem of getting the keys to the users.

WEP is a performance hit. When you enable WEP, the card has to do the
encryption and they aren't the fastest things in the world. I haven't seen
any measurements of the performance hit.  I have read you take a huge hit if
the encryption takes place with software (Lucent?), and maybe no noticeable
hit if the encryption takes place with hardware (Cisco?).  I am not 100%
sure what the different vendors are using for the encryption. The
performance hit isn't a big deal when you're using it in your house to surf
from your couch but when you're trying to connect two houses that are 3
miles apart it quickly becomes more of an issue.

So we use WEP and now we are relying on it to keep intruders (only in close
proximity) at bay, if they can get the shared key they have direct access to
the inside of your firewall.  The firewall protects you from "the internet";
WEP protects you from your neighbors.


MAC based security

Many commercial access points offer MAC based access control. 802.11b cards
are Ethernet cards over a different medium, so they do have MAC addresses.
You can restrict access by manually controlling ARP entries (or figuring out
a way to do MAC based firewalling).  Some people are using Linux as an
access point for more flexibility. That solves the problem of access
control; by controlling access on the MAC level, each wireless community can
restrict (or not) anyone that they choose.

MAC address matching for access control isn't a complete solution either.
MAC addresses on most wireless cards are changeable, and discovering which
MAC addresses a base station allows to connect is not impossible. MAC
address access control is a hurdle for a rogue user to bypass, but not a
severely high one.

Managing such access control lists across a whole network of access points
with a large and/or dynamic user population is difficult.  Some kind of
management tool might help this, but there aren't any tools out there yet.


Alternatives

For example, because of the issues with WEP, I decide not to use 



WEP

Contact:http://www.packetnexus.com

The primary culprit in compromised security is human error in not turning on
security features, according to security analysts involved in the wireless
field. The built-in WEP encryption protocol must be turned on after
installation.


Back to the Index

802.11b

Contact:http://www.packetnexus.com

802.11b is an awesome wireless standard for LANs. It provides 2Mb to 11Mb
throughput and can cover distances as far as 300 meters (in open space). The
market is huge and will grow as the products mature and become reasonably
priced. There are 3 general markets:
1) Home networking. Create a LAN in your home without needing to run any
copper wiring through your house. This applies mostly to homes that are not
currently wired for ethernet lans, but I suspect it will continue to expand.
2) Corporate networking. For companies that do not want to constantly
add/move network drops as desks and realestate change. Mobility is becoming
important even in corporate environments.
3) Retail/Service. Imagine your waiter taking your order and inputing it
into the computer in real time while the kitchen sees the order immediately
on their display. Inventory management is another very good business to
target this technology.
We can talk for hours on this, but suffice to say, this is hot.
-Mister Safety


Back to the Index

802.11b interference

Contact:http://www.packetnexus.com

I beg to differ. I run it. I have 2.4Ghz phones. I have 5 CDMA cell phones
in my house. I have a CDPD network card. They all work fine (you can tell I
am a gadget geek). The only caveat I place on it is that it wont work well
near a running microwave. It definitely depends on the manufacturer and the
drivers you have. Some are better than others, especially concerning
distance limitations. The vendors I mentioned previously, all have decent
implementations.
BTW, Bluetooth does NOT run over the same spectrum. I will look up my notes
to give you specific information, if you are interested.
-Mister Safety


Back to the Index

Future of 802.11b

Contact:http://www.packetnexus.com

Another item to point out is that the 802.11b standard autonegotiates the
speed down or up depending on signal strength. There is also a built-in
buffering mechanism to alleviate packet lossiness. Overall, the standard
performs well, with 2Mb speeds at 100+ft (depending on cleanliness of path
to base station) and 11Mb speeds within the 30+ft range.
My bottom line? This standard is here to stay and is mature enough for
deployment for residential and comercial use. The costs will continue to
drop over the next 12-18 months. I estimate a 30-60% reduction in prices as
the standard becomes more readily accepted.
Next on my radar, is 3G.
-Mister Safety


Back to the Index

Pocket PC

Contact:http://www.packetnexus.com

http://www.pocketmatrix.com/


Back to the Index

Security warning over PDAs at work

Contact:http://www.packetnexus.com

This is a multi-part message in MIME format.

------=_NextPart_000_0001_01C084A0.D4417FB0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

 Security warning over PDAs at work

Thousands of proud new handheld-PC users may be putting their companies at
risk as they connect their devices up to corporate systems for the first
time.
According to Psion, around 75,000 people received handhelds for Christmas,
and the company has warned businesses to put policies in place to prevent
security and management nightmares as users attempt to connect to their
corporate networks.
Psion said that risks to businesses include the loss of sensitive company
information as users download data from their PCs, and network crashes as
the extra data traffic generated by the devices causes bandwidth overload.
The company said its own research found 70 per cent of IT managers are also
concerned about how to integrate mobile working and applications into office
networks, so employees can work more efficiently and without compromising
existing IT systems.
Psion warned that businesses risk not only security breaches, but
overspending and inefficient working practices if they do not set down
regulations and standards for users.
Wayne Sowery, special projects director at UK security consultancy MIS, said
users should also be warned about the increasing risk posed by viruses on
handheld devices.
"The first PC viruses were very basic and the first handheld viruses are the
same. But given time, the level of sophistication in these viruses will
grow. No-one saw the Melissa virus coming."
However, Sowery said one benefit of these devices being given as presents is
that users value them more. "They are more likely to look after them than if
they were given as part of a corporate package," he added.
"To protect against loss of sensitive information, users should use
encryption and password protection in case of loss or theft," he said.
http://www.vnunet.com/News/1116334

------=_NextPart_000_0001_01C084A0.D4417FB0
Content-Type: application/X-Microsoft-OLE-object;
	name="Picture"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="Picture"

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAA
EAAAAgAAAAEAAAD+////AAAAAAAAAAD/////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////9
////BAAAAP7////+/////v//////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////1IA
b



Crackers can zap data off Palm Pilots

Contact:http://www.packetnexus.com

This is a multi-part message in MIME format.

------=_NextPart_000_0005_01C084A2.2EAE09E0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Crackers can zap data off Palm Pilots

Security consultants @stake have added to the weight of expert opinion that
business use of PDAs such as a Palm Pilot may be a security risk.
@stake, a US-based security consultant, has written a piece of software code
that can zap passwords off targeted Palm Pilots through taking advantage of
the PDA's hotsync function. Hotsync is used to transfer data between the
user's PC and a Palm Pilot.
Called Notsync, the code fools the targeted Palm Pilot into thinking it is
talking to the user's desktop computer, rather than a hacker's PDA. The
hacker then downloads the target's password via the target machine's
infrared port.
Infrared ports have a range of 50cm to 100cm, but @stake said amplifying
systems can increase the range threefold.
The consultant said its Notsync code could be written by any competent
hacker, and is warning firms to make sure they know what company information
is being held on their employees' PDAs.
Notsync's author, Mudge, vice president of R&D at @Stake, said: "They are
completely vulnerable."
According to handheld manufacturer Psion, 70 per cent of IT managers are
concerned  about how to integrate mobile
working and applications into office networks. The firm said around 75,000
people received handhelds for Christmas.
@stake believes the line between personal and corporate information on
mobile technology is becoming blurred, and that this may put sensitive data
at risk through exposing links to corporate networks.
The firm believes that users often use the same password on their PCs as
other devices, thus exposing the corporate LAN from the Palm Pilot. It says
organisations should make it standard practice that employees use different
passwords for their various computers.
Mudge said: "Wireless is extending the frontier of the corporate network and
lowering the level of security, while magnifying the problems."But he added:
"We're not trying to scare anyone here. We're trying to stress that
companies must adopt a strategic approach to wireless security.
"There's an opportunity with wireless to accentuate security and have it
thought of as an enabling activity rather than as an after-the-fact
reaction."
"Companies may not need to increase their security budget," said Mudge, "but
they do need to focus more intensely on where they are spending. They need
to know which data is sensitive to them, where it is and what it's doing."
http://www.vnunet.com/News/1116644

------=_NextPart_000_0005_01C084A2.2EAE09E0
Content-Type: application/X-Microsoft-OLE-object;
	name="Picture"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="Picture"

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAAQAAAAAAAAAA
EAAAAgAAAAEAAAD+////AAAAAAAAAAD/////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////



A LAN line

Contact:http://www.packetnexus.com

A LAN line
Jan 11th 2001 | SAN FRANCISCO
From The Economist print edition 

ALMOST unnoticed, a new wireless data networking standard, unmemorably
called 802.11b, has been gaining ground on more widely touted ways of
gaining wireless access to the Internet. University students, company
staff and computer geeks are increasingly using wireless LANs (local
area networks) to log on while they are out and about. Companies such as
MobileStar and Wayport are installing the necessary equipment in
airports, hotel lobbies and sports stadiums. There is even a growing
"free-network movement" of sorts, whose members provide free wireless
Internet access in their neighbourhoods.

On January 3rd, the technology got another boost when Microsoft and
Starbucks announced that they are to join forces to offer wireless
access, using 802.11b among other standards, in most of Starbucks'
coffee outlets over the next two years. The deal, some analysts say, is
a further sign that 802.11b could become a serious competitor to
better-known wireless technologies such as Bluetooth, HomeRF, or even
next-generation cellular networks. 

Such a prediction would have sounded ludicrous only a couple of years
ago. Wireless LANs were then relatively slow, expensive and rare. But in
November 1999, America's Institute of Electrical and Electronics
Engineers (IEEE) ratified the 802.11b standard for wireless data
connections of up to 11 megabits per second-200 times faster than a fast
PC modem. Once big manufacturers such as Cisco and Lucent started
building hardware based on the new standard, prices for the gear began
to tumble. 

Apple was the first to launch an 802.11b product line (called AirPort).
All its computers now include a built-in antenna which, in conjunction
with a networking card, can exchange data with a small base station
plugged into a broadband Internet connection up to 45 metres (150 feet)
away. Although some PC laptops now come pre-equipped with wireless
hardware, most users buy a credit card-sized piece of hardware that goes
into a laptop's card slot and doubles as an antenna. Including a base
station, networking kits for PCs start at around $400. They were popular
Christmas presents in California last year.

Wireless networking, even over such short ranges, is attractive for
several reasons. Because a single base station can support several
machines, all the machines in a house or small office can be connected
without having to run cables everywhere, and they can be moved around
easily. It did not take long for inventive individuals to begin using
the technology, developed for indoor use, outside. For instance, in
parts of San Francisco's Presidio, a former military base turned vast
park, you can sit on a bench and surf wirelessly-thanks to Brewster
Kahle, a high-tech entrepreneur and founder of SFLan, an experimental
Internet service provider. He and his friends have put up antennae on
several buildings nearby. 

SFLan and similar efforts such as Consume.net (in London), Guerrilla.net
(in Cambridge, Massachusetts), and Seattle Wireless are reminiscent of
the open-source movement, whose members contribute to free software such
as the operating system Linux. Mr Kahle hopes that his initiative will
grow into a citywide wireless LAN "from anarchistic
co-operation"-meaning an army of volunteers putting up radio beacons on
their rooftops. 

Such efforts reveal one big barrier for the technology, however: it is
not yet clear how the economics will work. Free wireless LANs will
sooner or later encounter free-rider problems. Commercial providers will
succeed only if users are willing to pay a fee. One possibility is that
firms which make their money elsewhere, suc



3 major problems with WEP

Contact:http://www.packetnexus.com

There are 3 major problems with WEP (which stands for "Wired Equivalanet
Privacy," BTW. I will list them in order of increasing severity. 

1) Key distribution. If you aren't the only person on the network,
getting the key out to other people is a non-trivial task and can be the
weakest link. 

2) 40-bit - the standard WEP keysize is completely insufficient and can
be cracked in relatively no time. 128bit versions of the hardware are
available, however, so this is an improvement. 

3) This is the biggie - the WEP authentication protocol relies on DNS
and is therefore prone to massive man-in-the-middle attacks. There is a
paper by Jesse Walker called "Wireless LANs Unsafe at Any Key Size; and
analysis of the WEP encapsulation" that I encourage everyone to read. 

WEP is especially dangerous because it establishes a false sense of
security that cause people to be more willing to send sensitive data
over the network. You still need to use some other encryption method on
to of WEP - even at best it gives the privacy of a standard ethernet
LAN. 

Other technologies are under development to improve the state of
wireless security, such as the IEEE 802.11 Task Group E, which is trying
to develop an authentication scheme suitable for 802.11 wireless
networks, or the IEEE 802.1x protocol which will do similar things at a
more generic level. 

There is no existing good solution to the wireless problem (PPPoE hacks
aside). 

-Alison
http://www.andrew.cmu.edu/~alison/


Back to the Index

Sniffing wireless

Contact:http://www.packetnexus.com

You'd be surprised the fun which goes on at conferences such as RIPE and
IETF when WaveLAN virgins get onto the network and realise it isn't
secure. 
You might have heard of a guy called Randy Bush, whose favourite party
trick at such events is to sniff the WaveLAN, and email out to captured
POP3 usernames their own password with the message 'Be careful with
radio!'. It's not even a switched network as a default install. 
Setting up some sort of VPN using PoPToP isn't a bad idea in such cases,
although WaveLAN does have some security built into it. Personally I use
the Buffalo Technology kit which seems to work for 'doze, BSD and Linux.

I've heard rumours that if you wander through Stockholm's business
district or through the Square Mile in London, if you're in promiscuous
mode you can pick up all sorts of transmissions and a large number of
DHCP servers offering IPs to anyone who gets the ESS ID right. 
Hope this helps someone. Just be careful out there ;)


Back to the Index

Wireless Security Overview

Contact:http://www.packetnexus.com

By Benjamin J. Field ([email protected]) 

April 25, 2000 - Wireless networks are adopting online commerce at a
dizzying pace, reminiscent of the Internet's adoption of ecommerce
during the last two years. Applications such as stock trading, shopping,
and banking are now available on wireless networks (Ameritrade,
Amazon.com, Bank of Montreal).

It is the market of the future, but wireless is worth paying attention
to right now. According to the Strategis Group (www.strategisgroup.com),
the number of professional mobile data users in the United States is
upwards of 32 million, and growing. Ericsson (www.ericsson.com) predicts
that there will be around 600 million mobile Internet subscribers
worldwide by 2004. 

Why this sudden growth? In part, it springs from consumers and
developers getting better at thinking alike. But the wireless growth
phenomenon ultimately comes down to security. Here's how it happened.

Early on, demand was easily met for wireless information such as weather
and stock tickers, because for these basic applications, security is no
concern. The problem was that professionals wanted more than a portable
weather watch. They wanted the functionality of the Internet merged with
the convenience of the telephone. A great deal of security is required
for financial transactions, though, and a trustworthy standard for
wireless network security was absent. This meant slow growth for the
wireless industry, until the WAP.

WAP

The Wireless Application Protocol (WAP) is the standard for wireless
applications.

It was developed by the WAP Forum -- a group of more than 200
telecommunications and software companies who see the need to cooperate.

The WAP addresses a lot of subjects, but the chief concern is, and will
continue to be security. A robust and reliable security model was
defined, to be usable on existing wireless networks. This move has
instilled real confidence in wireless developers and consumers alike.

WAP Security Model

The WAP Security model relies upon WTLS (see Wireless Transport Layer
Security below) and SSL (see The Internet Security Model below).

The central component in the model is the WAP Gateway, a virtual
gatekeeper between the worlds of WTLS and SSL. Picture this progression:

Wireless
Device  
 Wireless
Network 
 WAP
Gateway 
 Internet
Network 
 Content
Server 
 

A wireless phone communicates with the WAP Gateway over a wireless
network, using WTLS. The WAP Gateway then communicates with the Web
server over the Internet, using SSL.

WTLS is built on the Internet Security Model. A quick review--

Internet Security Model

Just as the wireless world, the Internet world experienced a push for
stronger security, only it happened in the mid-90s. The wish couldn't
become a reality, though, until Secure Sockets Layer (SSL) came along.

Here's a typical scenario for the SSL security mechanism:

1. A Web browser requests a secure conversation with a Web server.
2. The server provides the browser with its server certificate.
3. The browser authenticates the server by confirming that a valid
certificate authority issued the certificate.
4. The browser uses the public key stored in the certificate to encrypt
a shared secret key.
5. The browser sends the encrypted shared secret key to the server.
6. The (more efficient) shared secret key encrypts the rest of the
conversation.

Some web servers require a client certificate, but usually, a server
relies on a simple username/password system for authentication and
non-repudiation.

The Internet Security Model is the basis for WTLS.

WTLS

Wireless Transport Layer Security (WTLS) was formulated specific



So You Want To Be A Wireless Security Professional

Contact:http://www.packetnexus.com

by William Sieglein, Senior Security Engineer, Fortrex Technologies 
[ November 28, 2000 ] 

Q: I wish to know more about the security threats in the wireless area,
and I also want to know how dangerous these threats are. What types of
skill sets are required to deal with wireless security threats? I wish
to pursue a career in this area. What should one learn in order to
become a wireless security professional?
- Vivek Kashyap
A: You're either the pioneering type, or you're thinking this is the
next big wave and you want to get rich as a wireless security
consultant. Actually you might be both. 

Wireless technology is not brand-new; neither are the threats associated
with it. We've all heard about cases of cell phone cloning and the
incredible costs this brings to the industry. But now we're talking
about sending data over wireless networks -- potentially sensitive data.
We're opening up our trusted intranets to the public Internet. Of
course, we're already doing that over the wire-based Internet. But our
mobile friends need it via the airwaves. 

Is wireless any more dangerous than traditional wire-based networking?
The definitive answer is yes, it very possibly is. Wireless is just
another medium for getting data packets from point A to point B. The
wireless architecture provides possible points of attack against the
portable device (phone, PDA, laptop and so on), the wireless network and
the wireless gateway. Portable devices are vulnerable to DoS attacks,
malicious code, theft and compromise. Their packets, in transit over the
wireless network, are vulnerable to interception, modification and
replay or fabrication. Finally, the wireless gateways are potentially
vulnerable to DoS attacks and compromise. 

Does this mean there are "whackers" (wireless hackers) looming in the
shadows, waiting to pounce? Although there are no well-known incidents
of major attacks against wireless technology to date, there are ongoing
discoveries by research organizations and development companies that
expose weaknesses. So far, wireless technology providers have been less
than serious about closing these holes, primarily because the demand for
wireless technology is still modest. But rest assured that as wireless
picks up steam, these attacks will increase and the technology firms
will provide more solutions. 
You must keep this in mind as you educate yourself about wireless
security: Nothing in the real world happens in a vacuum. You can't just
look at a single solution to solve your security issues. You have to
consider the entire IT infrastructure when designing security solutions.
Putting up a WAP gateway is much like putting up a Web-based application
server. It usually exposes some portion of your back-end, trusted
infrastructure. So you must consider the entire solution, end to end,
and ensure that security addresses these vulnerabilities at all points.
Merely encrypting the link or requiring the user to authenticate is not
enough. You must consider intrusion detection, anti-virus, firewall
configuration, DMZ architecture, user authorization, access controls and
logging. 

I recommend that you become proficient in information security, with an
emphasis on wireless security technology. Wireless certainly holds
promise but, like all technologies, it will be superseded by another,
even cooler technology before you know it. 


Back to the Index

High school packet sniffing

Contact:http://www.packetnexus.com

My high school   http://global.mpa.pvt.k12.mn.us  is one of the first in
the country to use Apple's AirPort wireless technology in the classroom.
We all have Apple iBooks. Everyone uses AOL Instant Messenger in class
all day long. :-) 
One day someone figured out that packet sniffers can be used on the
network to see other people's POPmail passwords and AIM conversations,
as well as whatever websites they are at. It is genuinely disturbing.
However, I am terrified of telling our administration about this because
of a kill-the-messenger syndrome. 
Let me just say that this is one of the most ridiculously insecure
technologies in the world, just waiting for the packets to be pulled
down out of the air with a packet sniffer program like EtherPeek. People
have been doing this for months around here. 
This is just a school. It's terrifying to think that the world's
important financial institutions rely on this technology's security.


Back to the Index

Known Vulnerabilities in Wireless LAN Security

Contact:http://www.packetnexus.com

http://www.tml.hut.fi/Studies/Tik-110.300/1999/Wireless/vulnerability_4.html

Known Vulnerabilities in Wireless LAN Security 
11.10.1999 

Asma Yasmin 
Department of Electrical and Communication Engineering 
Helsinki University of Technology 
[email protected] 
  

Abstract

Wireless Local Area Networks are becoming a respectable alternative in
indoor communications. It offers flexibility and mobility in networking
environments, as the user is not bound to a certain workplace anymore.
Wireless technology allows the network to go where wire cannot go.
Mobile workforce who require real time access to data benefit from
wireless LAN connectivity since they can access it almost any time any
place. Wireless LANs are also ideal for providing mobility in home and
hot spot environments. Unfortunately, disgruntled employees, hackers,
viruses, industrial espionage, and other forms of destruction are not
uncommon in today's Networks. This essay addresses the common
vulnerabilities to the security of the wireless LAN. 



------------------------------------------------------------------------
--------

Contents 
1. Introduction to Wireless Local Area Network 

       1.1    Wireless LAN Architecture 
       1.2    Benefits of Wireless Local 

2. Known vulnerabilities in WLAN 
  
        2.1    Inherent flaws 
        2.2    Hackers, Virus, and Intruder 
        2.3    Distribution file and quality of password 
        2.4    Interception 
        2.5    Masquerading 
        2.6    A denial-of-service attack 
        2.7    Others 
  
3. Conclusion 

References 

Further Information 



------------------------------------------------------------------------
--------

1. Introduction to Wireless Local Area Network 

Conventional Local Area Networks are fixed and deploy cables as physical
medium. They were developed for interconnecting computers to enable
sharing of resources, and to interconnect various organizations. LANs
are typically restricted in size and offer a maximum throughput from 10
Mbit/s to 100 Mbit/s. The increased use of mobile phones and laptop
computers has created a need for communication methods that would enable
a user to access network resources from anywhere and at anytime. Office
workers may spend a lot of their working time away from their desks, and
yet they need to access the network resources without physically being
at their desks. Due to bandwidth limitations and expensive technologies,
cellular data networks, such as Global Systems for Mobile Communications
(GSM), are not suitable for local area high speed data networking.
Various wireless LAN standards have been developed to address the needs
of mobile users [3]. 

1.1  Wireless Local Area Network Architecture 

Due to  its architectural inheritance, wireless LAN poses some intrinsic
security flaws. So It seems to me incomplete if something regarding the
wireless LAN architecture is not mentioned in this study before going to
discuss it's security vulnerabilities. 
  
  


 

Figure 1.1 Wireless LAN Architecture

The wireless LAN consists of access points and terminals that have a
wireless LAN connectivity. Finding the optimal locations for access
points is important, and can be achieved by measuring the relative
signal strength of the access points. Placing the access points in a
corporation network opens an access way to the resources in the
intranet. With wired LANs an intruder must first gain physical access to
the building before she can plug her computer to 



Wireless LAN security flawed

Contact:http://www.packetnexus.com

http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-88_STO57597,
00.html

Wireless LAN security flawed

Report: Systems have several vulnerabilities

By BOB BREWIN 
(February 12, 2001) Computer security specialists at the University of
California, Berkeley, sounded new alarms last week about the security
vulnerabilities of wireless LANs. But network managers said they're
aware of problems with the technology and are beefing up their defenses
in response. 
The Internet Security, Applications, Authentication and Cryptography
research group at Berkeley said in a report posted on its Web site
(www.isaac.cs.berkeley.edu) on Feb. 2 that it had "discovered a number
of flaws" in the Wired Equivalent Privacy (WEP) 40-bit algorithm used to
secure all IEEE 802.11 standard wireless LANs. These flaws, the Internet
Security, Applications, Authentication and Cryptography (ISAAC) report
stated, "seriously undermine the security claims of the system." 

The ISAAC report said wireless LANs have several vulnerabilities,
including a susceptibility to passive attacks aimed at decrypting
traffic based on statistical analysis - a process made easier by the
broadcast nature of wireless systems. WEP also has flaws that make it
easier to inject unauthorized traffic from mobile base stations and that
make traffic vulnerable to decryption by tricking the base station,
which in turn is connected to a wireless network, the report said. 

Enterprise network managers said the ISAAC report highlights problems
inherent in wireless LANs. But they said savvy users have already
factored the vulnerabilities into their defensive architecture. 

Michael Murphy, director of IS support services at Minneapolis-based
Carlson Hotels Worldwide, said his organization plans to deploy a
wireless LAN architecture encompassing about 250 properties. "I've been
aware of the shortcomings in WEP for some time," Murphy said. "I want
something stronger [including] VPN encryption." 

Tom Mahoney, network manager at Franklin & Marshall College in
Lancaster, Pa., is in the midst of deploying a 100-node wireless LAN
from Apple Computer Inc. A virtual private network (VPN) "seems to be a
reasonable solution to the problem," he said. But "only end-to-end
encryption will provide true security." 

The security warning comes as wireless LANs - which currently provide
high-speed connections at 10M bit/sec., with new products in the
pipeline that will double that speed - continue to gain popularity in
the corporate and home markets. Gartner Group Inc. in Stamford, Conn.,
estimates that more than half of Fortune 1,000 companies will have
deployed wireless LANs within two years. 

John Pescatore, a security analyst at Gartner Group, said the
proliferation of enterprise wireless LANs demands increased security
because every laptop equipped with a wireless PC LAN card is a potential
"sniffer." 

Pescatore said the underground hacker community is hard at work
developing downloadable scripts to tap into wireless LAN networks, and
he predicted that such tools will be available this year. 

"Within six months, 'script kiddies' are going to be able to drive
around corporate campuses" and easily tap into unprotected networks, he
said. 

Phil Belanger, chairman of the Mountain View, Calif.-based Wireless
Ethernet Compatibility Alliance, downplayed the ISAAC report. 

"This is not new news," Belanger said, noting that the IEEE has a group
working to beef up wireless LAN security. Organizations should take
steps to secure their wireless LANs, he said, suggestin



802.11 Wireless Security

Contact:http://www.packetnexus.com

http://securityportal.com/closet/closet20010207.html

802.11 Wireless Security
By Kurt Seifried ([email protected]) for SecurityPortal

Kurt's Closet Archive



----------------------------------------------------------------------------
----

February 07, 2001 - Wireless networks are becoming de rigeur, something you
must have if you want to keep up with the Joneses. You can now surf the Web
and pick up email while sitting in an airplane lounge, have your laptop in a
conference room with no unsightly cables, or read email while in bed. The
cost of these networks has plummeted. Base stations like the Apple AirPort
can be had for $300, and the cards are around $100 (both support 11
megabit/sec operation).

However, like all network technologies, they both solve problems (like where
to run cable) and create a lot of new ones (like how to communicate
securely). Unfortunately, most sites seem to have implemented 802.11
wireless networks without much (if any) thought for security.


A Wild Wireless World
The first problem is controlling access to your network. With Ethernet and
related (cable-based) technologies, your site was usually physically secure,
helping to prevent people from plugging their laptops, etc. into your
network. Thus, even if someone managed to plug into your network, they had
to manually discover who else was attached. While this wasn't impossible,
its difficulty improved the chances of you noticing an attacker (since they
couldn't use completely passive techniques).

With a wireless network, unless your building is externally shielded or has
a large open area around it, an attacker will be able to gain "physical"
access to the network just by bringing his laptop into proximity with your
network (up to several hundred feet). An attacker can as well use entirely
passive methods to monitor network traffic. All they need, again, is a
laptop with a wireless card and slightly modified software to grab all the
wireless data � instead of ignoring any traffic not destined to their
computer.

Another largely unremarked problem is that of wandering wireless users. They
are likely to leave their wireless card in and operating, meaning an
attacker can set up a rogue wireless network to which the users attach
themselves. If the users then send any unencrypted data, or have open file
shares, for example, they potentially open themselves up for an attack.

Attackers can also set themselves up as servers on other legitimate
networks, and by running a rogue DHCP server redirect all traffic through
their machine or commit other attacks. Users will open themselves up to
monitoring of how much data they transfer, what kinds of data, when they
transfer it, and so on. If your network is not properly secured, people will
use it as a free ISP and likely commit illegal acts to gain access to the
Internet.


WEP Will Encrypt Everything
This is going to be the biggest problem with wireless networking. Once it is
up and running, people will be quite pleased with themselves and not likely
to spend real time or effort securing it. Since this form of networking is
new and not very well understood � not that much of networking is well
understood � administrators are likely to think, "well, it has 128-bit WEP
encryption, so we're secure." Unfortunately, it is very easy to set up a
network (wireless or otherwise) in such a manner that it works and data
moves happily between systems � but leave it insecure.

You can configure a wireless network to broadcast its name, or not. It's
probably wise not to broadcast, so that people are less like



Subject: WLAN/ Response of WEP Security

Contact:http://www.packetnexus.com

Subject: WLAN/ Response of WEP Security
Importance: High

Response from the IEEE 802.11 Chair on WEP Security


Recent reports in the press have described the results of certain
research efforts directed towards determining the level of security
achievable with the Wired Equivalent Privacy algorithm in the IEEE
802.11 Wireless LAN standard. While much of the reporting has been
accurate, there have been some misconceptions on this topic that are now
spreading through the media. Befitting the importance of the issue, I am
inclined to make a response from the Chair to clarify these issues with
the following points:

1. Contrary to certain reports in the press, the development of WEP as
an integral part of the IEEE 802.11 standard was accomplished through a
completely open process. Like all IEEE 802 standards activities,
participation is open to all interested parties, and indeed the IEEE
802.11 committee has had a large and active membership.

2. The acronym WEP stands for Wired Equivalent Privacy, and from the
outset the goals for WEP have been clear, namely to provide an
equivalent level of privacy as is ordinarily present with a wired LAN.
Wired LANs such as IEEE 802.3 (Ethernet) are ordinarily protected by the
physical security mechanisms within a facility (such as controlled
entrances to a building), and the IEEE wired LAN standards do not
incorporate encryption. Wireless LANs are not necessarily protected by
physical security, and consequently to provide an equivalent level of
privacy it was decided to incorporate WEP encryption into the IEEE
802.11 standard. However, recognizing that the level of privacy afforded
by physical security in the wired LAN case is limited, the goals of WEP
are similarly limited. WEP is not intended to be a complete security
solution, but, just as with physical security in the wired LAN case,
should be supplemented with additional security mechanisms such as
access control, end-to-end encryption, password protections,
authentication, virtual private networks, and firewalls, whenever the
value of the data being protected justifies such concern.

3. Given the goals for Wired Equivalent Privacy, WEP has been, and
continues to be, a very effective deterrent against the vast majority of
attackers that might attempt to compromise the privacy of a wireless
LAN, ranging from casual snoopers to sophisticated hackers armed with
substantial money and resources.

4. The active attacks on WEP reported recently in the press are not
simple to mount. They are attacks, which could conceivably be mounted
given enough time and money. The attacks in fact appear to require
considerable development resources and computer power. It is not clear
at all whether the payoff to the attacker after marshalling the
resources to mount such an attack would necessarily justify the expense
of the attack, particularly given the presence of cheaper and simpler
alternative attacks on the physical security of a facility. Key
management systems also reduce the window of these attacks succeeding.

5. In an enterprise or other large installation, the complete set of
security mechanisms typically employed in addition to WEP would make
even a successful attack on WEP of marginal value to the attacker.

6. In a home environment, the likelihood of such an attack being mounted
is probably negligible, given the cost of the attack versus the typical
value of the stolen data.

7. IEEE 802.11 is currently working on extensions to WEP for
incorporation within a future version of the standard. This work was
initiated in July 1999 as Task Group E, with the specific



Experts ponder securing the wireless world

Contact:http://www.packetnexus.com

Experts ponder securing the wireless world

April 13, 2001
Web posted at: 10:23 a.m. EDT (1423 GMT)


By Cameron Crouch

SAN FRANCISCO, California (IDG) -- As security experts watch the
airwaves get crowded with wireless transmissions of voice and data, they
see their field becoming more vital -- and complicated, in this world of
mixed network protocols. 

Unlike the Internet, which uses only a handful of standard protocols,
the wireless world is built on many disparate protocols that don't
necessarily work together at all. This lack of standards complicates the
security of wireless networks, which discourages their wider adoption. 

Effective security requires widely accepted standards, agree security
gurus and vendors at the RSA Conference here this week. Discussion at
the gathering has tackled proposed new protocols, algorithms, and
networks for both the wired and wireless worlds. 

 
While still in their infancy, wireless broadband and other forms of
wireless networking, including home LANs, show great promise as an
alternative to wired services used by businesses and home users. But
unless the security of those networks can be assured, the young industry
could be stillborn, the security experts warn. 

To protect you, these networks will have to incorporate new security
protocols and algorithms as well as some existing methods found on the
wired Internet. But agreeing on which standards to adopt may be as big a
challenge as getting the high-speed services out the door. 

New toys raise risks
"Modern expectations of the Internet include [service that's] always on,
handy, and immediate as well as secure," says Shawn Abbot, president of
IVEA Technologies, a developer of security infrastructure products for
e-commerce. "But the challenge of these connected personal devices is
that they put more personal data into cyberspace, raising the threat to
privacy." 

The most dire risks include forms of identity theft. Someone might learn
and misuse your personal information through eavesdropping or
information tapping, Abbot says. 

 
Also, marketers are eager for the opportunities offered by global
positioning functions, which could let them target ads or services based
on your location. But "location-based services only magnify these
threats, increasing the need for trust from consumers," Abbot adds. 

Current networks won't do
Today's mobile phone and paging networks -- used for wireless devices --
weren't really designed to meet the security needs of transactions,
corporate communications, and network-based personal profiles, the
experts agree. 

The traditional mobile phone network has limited security, says Yiquin
Lisa Yin, research leader at NTT DoCoMo's Multimedia Communications
Labs. "The proprietary protocols and algorithms only provide security
for the air interface and not the whole network," Yin says. 

The air interface in traditional cell phone networks includes the
traffic between the handset and the cellular base station, Yin says.
Then, the base station connects to a core network for the carrier, often
with little security between them, she adds. 

On the reverse end, Internet data connects to the core network through a
wireless application protocol gateway. There, it is temporarily
decrypted and then re-encrypted in a mobile-phone-friendly format, Yin
says. 

That WAP gap isn't a big deal for simple applications, but it's becoming
more important with transaction services, Abbot agrees. 

But Yin urges security improvements not for the gateway, but for every
link in the network. She says security in traditional networks is



802.11 and swiss cheese

Contact:http://www.packetnexus.com

802.11 and swiss cheese
By Stephan Somogyi, 
April 16, 2001
URL:
http://www.zdnetasia.com/biztech/security/story/0,2000010816,20196487,00
.htm


There is no doubt that 802.11b - the technical name for products also
known as AirPort, Orinoco, Aironet, et al- is a life-changing
technology. 

All of a sudden companies don't have to string as many cables through
their offices to provide connectivity. Small offices, home offices, and
even just plain homes, are all beneficiaries as well, since you can set
up an access point somewhere in the house, ideally hidden from plain
sight, and still engage in e-mail and wander around the Web. 

YES 

The problem is that, unlike a piece of cable that you have to get
physical access to in order to connect, it's comparatively easy to get
near enough to a wireless access point to get good signal strength. Say,
in a caf� across the street. 

OK, but just because you're in the radio footprint of an access point
doesn't mean you can do anything useful with that wireless network,
right? Well, maybe. 

Placebo
Even the most user-friendly access points come with basic security
facilities. These security features give the appearance of protecting a
wireless network in two ways: making the traffic that flies through the
ether undecipherable by outsiders and making the access point, well,
inaccessible to anyone unauthorized. 

The encryption part is accomplished by defining a password that the
access point and all its clients share. One known weakness is that the
encryption scheme--called WEP--uses a key length of 40 bits, so it's
well behind the state of the art. However, I wouldn't be nearly so
perturbed if one really needed to brute force attack the full key
length. One doesn't. 

But wait, there's more. It also turns out that the parts of 802.11's
security not related to encryption are also flawed and can be
compromised. In short, even if you put all three available security
mechanisms--WEP encryption, MAC-based access control, and closed
networks--a smart and determined evildoer can still compromise your
network.


At least as far back as last October, the IEEE 802.11 committee knew
about the security flaws in 802.11 and was starting work to fix them.
Earlier this year, researchers with the Isaac project at UC Berkeley
publicized quite a few problems with WEP. Upon reviewing this work and
the design of 802.11's security, respected Bell Labs security researcher
Steven Bellovin was quoted in the Wall Street Journal on February 5th as
saying that there were some "real howlers" in the design. 

WECA, the Wireless Ethernet Compatibility Alliance, promptly issued a
formal response after the Berkeley researchers announced their findings.
Unfortunately, this response evoked little more than the lightbulb joke
whose punchline is "none--they redefine darkness as the standard." The
response spent more time focusing on semantic quibbles and how hard it
is to perform the attacks than admitting there were fundamental flaws in
the protocol in the first place. 

Adding to the UC Berkeley findings, a group of researchers at the
University of Maryland published a paper of their own outlining even
more vulnerabilities in 802.11. 

Both the quality and quantity of examination of 802.11's security leaves
little doubt about its significant shortcomings.


It's worth pointing out these many vulnerabilities that make 802.11's
security reminiscent of swiss cheese are manageable now that they're
understood. There can no longer be any false sense of security. 

It requires a determined attacker to put si



Fortress Strengthens Wired Equivalent Privacy

Contact:http://www.packetnexus.com

Windows IT Security News / Mark Joseph Edwards / April 18, 2001 
Fortress Strengthens Wired Equivalent Privacy

http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=20706

Article Information 
InstantDoc ID: 20706


To strengthen known weaknesses in the Wired Equivalent Privacy (WEP)
protocol used in the 802.11b wireless network standard, Fortress
Technologies has released a new Layer 2 protocol called Wireless Link
Layer Security (wLLS). The new protocol provides secure frame and packet
transmissions by automating critical security operations, including
encryption, authentication, data integrity-checking, key exchange, and
data compression. Fortress based wLLS on techniques it uses in its
patented Secure Packet Shield (SPS) technology. 

WEP provides basic security mechanisms to help protect data as it
travels across the radio waves. The protocol also provides
authentication to help prevent unauthorized access to the network from
rogue wireless devices. In February 2001, we reported that scientists at
the University of California, Berkeley, released a report detailing
several security problems in the WEP protocol. In April 2001, we also
reported that researchers at the University of Maryland's Department of
Computer Science had discovered three more security risks in the
protocol. Fortress' new wLLS protocol resolves all of the WEP-related
vulnerability issues reported to date and could help prevent similar
risks in the future. 


In March 2001, Microsoft announced that Windows XP will support the new
802.1x wireless network standard (see our report Windows XP to Support
802.1x Wireless Network Standard, Windows IT Security News, March 27,
2001). The 802.1x standard defines port-based network access control for
wireless networks. John Dow, vice president of marketing and corporate
development for Fortress Technologies, said that wLLS complements 802.1x
and that Fortress intends to work with Microsoft to ensure seamless
integration of the two technologies. "We are excited to introduce our
solution to wireless equipment providers and, based on initial feedback,
we are confident that they recognize the immediate benefit wLLS would
offer their customers." Fortress will license the wLLS protocol to
wireless LAN equipment makers. 


Back to the Index

Your 802.11 Wireless Network has No Clothes

Contact:http://www.packetnexus.com



http://www.cs.umd.edu/~waa/wireless.pdf

Abstract

The explosive growth in wireless networks over the last few years
resembles the rapid growth of the Internet within the last decade. Dur-
ing the beginning of the commercialization of the Internet, organiza-
tions and individuals connected without concern for the security of
their system or network. Over time, it became apparent that some
form of security was required to prevent outsiders from exploiting the
connected resources. To protect the internal resources, organizations
usually purchased and installed an Internet firewall.

We believe that the current wireless access points present a larger
security problem than the early Internet connections. A large number
of organizations, based on vendor literature, believe that the security
provided by their deployed wireless access points is sufficient to
pre-vent
unauthorized access and use. Unfortunately, nothing could be
further from the truth. While the current access points provide sev-
eral security mechanisms, our work combined with the work of others
show that ALL of these mechanisms are completely in-effective. As a
result, organizations with deployed wireless networks are vulnerable to
unauthorized use of, and access to, their internal infrastructure.

Back to the Index

Everything You Wanted To Know About WAP

Contact:http://www.packetnexus.com

http://www.techweb.com/wire/story/TWB20010502S0007

Everything You Wanted To Know About WAP
By Mitch Hochhauser , Network Computing
May 2, 2001 (3:26 PM)
URL: http://www.techweb.com/wire/story/TWB20010502S0007 

The Wireless Application Protocol is still in its infancy here in the
United States, but everyone wants in on the action. WAP is built on a
layered protocol, making transmission of WAP content possible over
almost any available wireless network. 

These networks include those based on CDPD (Cellular Digital Packet
Data), CDMA (Code-Division Multiple Access), GSM (Global System for
Mobile Communications), Flex, and iDEN (Integrated Dispatch Enhanced
Network) technologies. 

WAP was designed and is maintained by the WAP Forum, which was created
in 1998 through the joint efforts of Ericsson AB (stock: ERICY),
Motorola Inc. (stock: MOT), and Nokia AB (stock: NOK). 

Today, the WAP Forum includes more than 100 members ranging from handset
manufacturers to consulting firms.

WAP consists primarily of two components. First is the all-important WAP
browser, which is responsible for processing bytecode sent to it by the
WAP gateway. 

The WAP gateway creates the interface between the Internet and the WAP
browser. In a typical WAP transaction, the browser sends a request to
the gateway, which then sends a request to the respective Web server on
the Internet; the Web server responds to the gateway with the requested
WML (Wireless Markup Language) file. 

The gateway encodes the file into bytecode, which is then transmitted to
the WAP browser. Next, thebrowser decodes the bytecode and displays the
requested website. 

Because bandwidth on wireless networks is limited, bytecode is used to
transmit the WML file instead of just transmitting the raw WML file.

WML works well for WAP devices because it is a fully compliant XML
(Extensible Markup Language)-based language. It yields better efficiency
than HTML because of its use of the deck concept.

To understand this, think of a deck of cards. A single WML file contains
a deck with multiple cards. Each card is a separately displayed screen,
depending on the input from the user. 

Unlike with plain HTML-where every link you click on downloads a new
HTML file-a single WML file contains many pages or cards. This reduces
unnecessary downloading.� More from Network Computing 


Back to the Index

Ways to attack 802.11

Home: www.packetnexus.com

Besides the fact it's trivial to sniff and then spoof a MAC address AND
someone using that same sniffer can crack the WEP after about 400,000
packets (Maybe less) -- if you are running everyone through an IPSEC tunnel
over the air and have a set of firewalls between your 802.11b and your
security domain, you should be fine as long as you change your key on the
WEP every 200,000 packets or so.

This is definitely NOT something for sensitive data. And it can be sniffed
with the right equipment from distances MUCH MUCH greater than it's
operational distances.

Use Google and look for 802.11b exploits. There are a bunch of papers out
there, including ways to increase the sniffing distances with common, easy
and cheap stuff.

I use it at home for guests, but I can't think of a corporate setting that
I'd volunteer to use it and, if forced, they'd have to sign a statement
saying they understand the weaknesses and the extra man-hours necessary to
support it.


Back to the Index

Rethinking wireless LANs

Home: www.packetnexus.com

http://www.nwfusion.com/news/2001/1022wlantips.html

Rethinking wireless LANs
Experts share their tricks and techniques for setting up these increasingly
popular nets.
By John Cox
Network World, 10/22/01

If you're thinking of deploying an 802.11b wireless LAN, you need to change
something a lot more important than the network interface cards in end
users' laptops. You need to change the way you think.

Network World talked with some people who have designed and installed
hundreds of wireless LANs to learn about the tricks and techniques of using
radio waves instead of cable.

Repeatedly, what emerged was the conviction that wireless LANS are more
"slippery" than wired LANs.

"It's half art and half science, and the former is very hard to teach," says
Clark Haynes, senior network engineer with Intermec, where he oversees
training for 135 wireless LAN installers.

Wireless LANs seem deceptively easy because at first glance you eliminate
the cumbersome pulling of Ethernet cable through ceilings and laying out
physical connections to every office cubicle. You just plug in the wireless
access point, outfit the computers and laptops with wireless interface
cards, switch on the 2.4-GHz radios that form the wireless link and -
presto! - an instant LAN. What could be easier?

A lot, according to experts.

"Unfortunately, a lot of customers go that route, then they're caught by
surprise at how they've left themselves wide open [to various problems],"
says Jeff Schwartz, a technical director with Enterasys Networks' wireless
engineering group.

The starting point is knowing who your end users are and what kinds of
applications they'll be using. Take a look at the applications on the wired
LAN as a starting point, these experts say.

"We sit down with customers and figure out the bandwidth requirements,"
Haynes says. "Do you need 11M-bit/sec throughput everywhere? If you're only
doing data collection, using bar code scanners, you can go down to 2M
bit/sec."

The number of users on any access point and the kind of work they perform
will affect performance, because wireless LANs are shared, not switched.
Users have to share the effective throughput of that wireless link. "You may
be able to get 100 users on one access point," Schwartz says. "It depends on
what they're doing."

When lighting up a university lecture hall, for example, he often sets up
two access points, each using a different one of the three 802.11b channels
available to it, and they balance the traffic load between them.

"Instead of getting 5M bit/sec, users can get about 10," he says.

All this data and much more is incorporated into what installers call a site
survey. A small team walks through the site, using one or more wireless LAN
access points and laptops with wireless cards. This is how you would decide
where to put the access points and how many to use.

"Experienced installers can just look around and say, 'You'll need one here
and here and here,'" Schwartz says. "An extra foot one way or the other can
mean the difference between, say, 1M and 2M bit/sec."

When positioning the access points, you want overlap between the access
points so a mobile user can roam from one place to another and still keep
the connection.

But you don't want overlap among the three radio channels available to each
802.11b access point: As you pack more access points together in a given
area, channel overlap creates contention, cutting overall performance,
explains E.J. von Schaumburg, CEO of InvisiNet



802.11a--Fast Wireless Networking

Home: www.packetnexus.com

802.11a--Fast Wireless Networking

December 3, 2001
By: Bruce Brown


Are you ready for fast wireless networking? Well, it's (almost) ready for
you. We got our hands on the first shipping 5GHz, 54Mbps 802.11a wireless
networking adapter PC Cards from Proxim, and beta adapters from two other
vendors. We also received a reference design 802.11a access point and pair
of adapters from Atheros Communications, Inc., the company that produces the
chipsets that will be used in all of the first round of 802.11a products
that come to market. We completed initial objective and anecdotal
performance testing and found that, even with many beta drivers for most
products, we can make general observations about 802.11a performance. The
quick and dirty answer: we found 802.11a to be almost five times faster than
802.11b (the current hands down wireless network standard) at short
distances.

802.11a and 802.11b aren't compatible because they operate on different
frequencies, so a 2.4 GHz 802.11b access point, for example, won't work with
a 5 GHz 802.11a network card - but the two standards can certainly co-exist.
On our test network we're currently running both 11a and 11b, using separate
access points and multiple clients for each, with both wireless access
points connected to our wired network and router-based DHCP server. In this
setup, all of our computers (wired, HomePNA, and both types of wireless) can
see each other and share resources including broadband Internet access.

So 802.11a is here, the first products are about as fast as expected, and
during the next 6-9 months we'll see a whole slew of new consumer- and
enterprise-level wireless network products based on this new standard. Will
you throw out your existing 802.11b equipment to replace it with 802.11a?
Probably not. Can you add 802.11a to an existing 802.11b wireless network?
Sort of, but it will be like starting over, at least until bridging products
are available (figure early- to mid-2002). If you're about to install a new
wireless network which way should you go? If you need it right now you
should stick with 802.11b because the 11a products are just trickling out,
and right now they're about twice as expensive as comparable 11b products -
but if you can wait three or four months, say until February or March of
2002, product availability and selection should be better, and prices should
start to come down at least a little bit, and in that case we believe you
should give serious consideration to 802.11a.

Finally, you may be wondering about the other recently approved high-speed
wireless standard 802.11g, and what it's all about and how it compares to
11a and 11b. Check out our sidebar that explores 802.11g in detail.

Just for background, let's recap the current state of local area networks.
The vast majority of LANs are based on wired Ethernet, including 10Mbps and
10/100Mbps networks, and, less commonly, gigabit (1000Mbps) Ethernet. Even
though the per unit cost of 10/100Mbps wired Ethernet network adapters is
low, overall costs for wired networks are high, particularly due to the
costs of installing, maintaining, and changing wired cable infrastructure.

Wireless networking wasn't accepted initially for three reasons: throughput
(1Mbps/2Mbps) was much too slow compared to the most prevalent (10Mbps)
wired Ethernet standard; wireless adapters and access points were
significantly more expensive than wired NICs and switches; and the first
wireless products didn't work well together with wireless products from
other ve



Fast LANs without the wires

Home: www.packetnexus.com

http://www.nwfusion.com/buzz2001/nowires/

Fast LANs without the wires

 By John Cox
Network World, 09/24/01


Wireless LANs are about to experience a boost that will give them enough
throughput to handle all but the most bandwidth-hungry corporate
applications. Yet security, network design and cost could be speed bumps to
acceptance.

By the end of this year, more than a dozen LAN vendors will introduce the
first wireless LAN access points and interface cards based on the IEEE
802.11a standard, approved in 1999. These products will use the 5-GHz
unlicensed radio frequency and reach a variety of speeds up to the 802.11a
maximum of 54M bit/sec. By contrast, today's nets, based on the 802.11b
standard (also approved in 1999) use the 2.4-GHz frequency and have a
maximum speed of 22M bit/sec. Some vendors, such as Proxim, promise an
optional and proprietary mode for their 11a products to boost speed to over
70M bit/sec.

A radio modulation technique called Orthogonal Frequency Division
Multiplexing (OFDM) is the source of 11a's higher speeds. OFDM divides one
high-speed data carrier into 52 low-speed subcarriers that transmit in
parallel. These subcarriers can be bunched much closer together than is
possible with the frequency division multiplexing, spread spectrum technique
used in 11b. So transmission is more efficient and yields higher data rates
on 11a nets.

Other differences between the specifications include radio ranges, antenna
designs, security add-ons and network management features.

To Top


What to ask 802.11a wireless LAN vendors

How can I migrate from 802.11b to your 11a products, and how will you
minimize migration costs?

Will your 11a products support the maximum 54M bit/sec speed specified by
the IEEE standard?

What additional wireless LAN security will you offer, particularly for
stronger encryption and authentication, above that specified by 802.11a?

Can I configure and manage access points and interface cards remotely,
instead of manually? If so, how?

What is the status of all necessary software drivers to support my mix of
wireless client devices?


Many of these differences will only be apparent, and measurable, in pilot
tests. Because the same products can perform differently in different
sites - depending on construction materials, user numbers and other
variables - such pilots will be the only way to tell if you'd need more 11a
access points than 11b, for instance. Theoretically, higher bandwidth means
shorter range. But Rich Redelffs, president and CEO of 11a chip maker
Atheros Communications of Sunnyvale, Calif., insists there is in fact little
difference in range between the two, at least for 11a products based on the
Atheros chipset.

Both standards also share the same security issues. A wireless protocol
sniffer can grab the wireless LAN network name, which works as a kind of
network password, and it can grab unencrypted media access control (MAC)
addresses, which identify nodes already authenticated on the wireless LAN.
Most LAN card drivers let the card's MAC address be changed, so attackers
could set their own card's address to be the same as a node already on the
wireless LAN.

Likewise, the Wired Equivalent Privacy encryption scheme used in 11a and 11b
has been criticized for weaknesses that could let a sophisticated hacker
decrypt the traffic.

These security issues were spotlighted in August when three leading
cryptographers discovered a relatively simple way of recovering the WEP
encryption key, whic



Exploiting and Protecting 802.11b Wireless Networks

Home: www.packetnexus.com

http://www.extremetech.com/print_article/0,3428,a%253D13880,00.asp

Exploiting and Protecting 802.11b Wireless Networks

September 4, 2001
By: Craig Ellison


How many network administrators do you think would allow a complete stranger
to walk into their wiring closet and plug in their notebook to their
company's network? Not too many, I suspect. But that's what's happening to
companies coast-to-coast. Well, not exactly. Strangers aren't plugging into
networks, but they are attaching to networks using 802.11b wireless network
cards, and that's essentially the same thing.

This year we've seen explosive growth in the deployment of 802.11b networks.
With the huge volume of cards being offered by close to 100 vendors, prices
have plummeted to sub-$100 for notebook cards, and as low as $150 for access
points. Physical deployment is extremely simple, for corporations and home
users alike--in fact, probably too simple. All you have to do to install an
access point out is take it out of the box, plug it into the wired Ethernet
segment and turn it on. And for corporations, that's the real problem. They
plug in an access point in their network, and many times, it's behind their
firewall.

WECA's Double-Edged Sword
Much of the growth in 802.11b networks could probably be accredited to
WECA--the Wireless Ethernet Compatibility Alliance. WECA has developed an
interoperability standard, named WI-FI (wireless fidelity), and vendors'
products that bear the WI-FI logo must pass a suite of basic
interoperability tests. WECA's goal was interoperability and ease of use,
not security. When people plug in a WI-FI certified access point, it should
work with any other WI-FI certified NIC. From a manufacturer's standpoint,
that makes a lot of sense. Manufacturers really want a good "out of box"
experience for their customers, as it cuts down on product returns. In fact,
according to an industry source, even as easy as it is to install, about 25%
of the networking gear purchased for home use is returned because of the
perceived installation complexity.

WEP is Wide Open
The 802.11b standard includes a provision for encryption called WEP (Wired
Equivalent Privacy). Depending on the manufacturer and the model of the NIC
card and access point, there are two levels of WEP commonly available - one
based on a 40-bit encryption key and 24-bit Initialization Vector (also
called 64-bit encryption and generally considered insecure) and a 104-bit
key plus the 24-bit IV (so called 128 bit encryption.) There has been a lot
of "buzz" in the computer and technology press over the last several weeks
about the basic insecurity of WEP. Recently, Scott Fluhrer, Istak Mantin and
Adi Shamir published a paper titled "Weakness in the Key Scheduling
Algorithm of RC4". This paper outlined a method for pulling up the master
WEP key that would allow a hacker to pose as a legitimate user of the
network.

Two weeks ago, a program named AirSnort appeared on the Internet. AirSnort,
a program that runs on a Linux system with a 2.4 kernel and Prism-based
NICS, takes advantage of the exploit outlined in the Fluherer, Istak, Shamir
paper, and can discover a WEP key after passively monitoring a wireless
network. According to the site (http://airsnort.sourceforge.net), AirSnort
can determine the WEP key in seconds after "listening" to



Achieving wireless security

Home: www.packetnexus.com

http://www.key3media.com/interop/thisweek/news/news101101_wireless.php

Achieving wireless security

By Veronica Williams

As the value of information traveling wirelessly increases, security becomes
a major concern. After all, there�s no need to tap into a cable or wire; a
thief can simply pluck information from the air. So, how do you protect data
that�s flying through the sky?

Vulnerability

Data is vulnerable when it can be accessed, and interpreted, in its
entirety. This often takes place when data is in memory or when it is
airborne. Data is often in raw form when it is in memory, where
transformation/conversion takes place. It�s airborne between the portable
device and the network access point, or the time between when data is
created or reviewed until it reaches the network (infrastructure).

The WAP gap, a security breach in the wireless access protocol (WAP), is
such an example. The point of vulnerability is where wireless transport
layer security (WPLS), which secures the link between the portable device
and the WAP gateway, converts to a secure socket layer (SSL) connection
between the AP gateway and the Web server.

Flaws in the wired equivalent privacy protocol, intended to deliver wired
level comparable security to wireless LANs, have been uncovered and
confirmed by numerous parties. In addition to compromising data, access to a
network can be prohibited by flooding the wireless access point with data.
The IEEE reportedly has a group working on 802.11i, a new wireless standard
with a focus on security.

Solutions taking hold

The current and planned introduction of m-commerce products and services by
financial institutions is validation of their base-level confidence in
security tools. Public key infrastructure (PKI), encryption and password
protection are among the techniques used by numerous companies that offer
security tools.

Last July, Baltimore launched Telepathy QuickStart with industry
heavyweights Ericsson, Siemens, Gemplus, Oberthur, SchlumbergerSema and
Giesecke & Devrient. This solution for secure mobile commerce combines
wireless PKI handsets and smartcard technologies in an integrated package,
reducing deployment complexity and time.

Certicom�s elliptic curve cryptography technology boasts a key size of 163
bits versus 1024 for RSA. Diversinet optimizes resource consumption by using
a digital certificate format that is much smaller than the IEEE X.509
standard. Certificate caching takes place on the device to minimize the
ability of thieves to penetrate. RSA�s recently released BSAFE Wireless Core
product, however, doubles performance, achieving an impressive 40 signatures
per second on COMPAQ�s IPAQ computer.

Ideally, data should be secured at the time that it is created. It must
remain secure until and after it is received and processed by the intended
party. That means authentication and encryption must be employed to operate
within the confines of the wireless computing environment. Many wireless
networks have a perceived degree of inherent security. Wireless LANs spread
transmission signals across a spectrum of frequencies according to a defined
pattern (FHSS, DSSS, OFDM). Packet-based wide area wireless networks are the
wave of the future. Messages are broken up into pieces that may take
different routes through the network. Retrieving every packet needed to
reconstruct a message can be daunting for the data thief. Nonetheless, many
do achieve that feat. To reach an accepta



WLAN Security

Home: www.packetnexus.com

http://www.techrepublic.com/article.jhtml?id=r00220001206dmy01.htm&page=2


Back to the Index

Security of the WEP algorithm

Home: www.packetnexus.com

Security of the WEP algorithm

This is some information about our analysis of the Wired Equivalent Privacy
(WEP) algorithm, which is part of the 802.11 standard. This work was
performed jointly by Nikita Borisov, Ian Goldberg, and David Wagner. If you
have any questions, please contact us at [email protected].

Executive Summary
We have discovered a number of flaws in the WEP algorithm, which seriously
undermine the security claims of the system. In particular, we found the
following types of attacks:

Passive attacks to decrypt traffic based on statistical analysis.
Active attack to inject new traffic from unauthorized mobile stations, based
on known plaintext.
Active attacks to decrypt traffic, based on tricking the access point.
Dictionary-building attack that, after analysis of about a day's worth of
traffic, allows real-time automated decryption of all traffic.
Our analysis suggests that all of these attacks are practical to mount using
only inexpensive off-the-shelf equipment. We recommend that anyone using an
802.11 wireless network not rely on WEP for security, and employ other
security measures to protect their wireless network.

Note that our attacks apply to both 40-bit and the so-called 128-bit
versions of WEP equally well. They also apply to networks that use 802.11b
standard (802.11b is an extension to 802.11 to support higher data rates; it
leaves the WEP algorithm unchanged).

WEP setup
The 802.11 standard describes the communication that occurs in wireless
local area networks (LANs). The Wired Equivalent Privacy (WEP) algorithm is
used to protect wireless communication from eavesdropping. A secondary
function of WEP is to prevent unauthorized access to a wireless network;
this function is not an explicit goal in the 802.11 standard, but it is
frequently considered to be a feature of WEP.

WEP relies on a secret key that is shared between a mobile station (eg. a
laptop with a wireless ethernet card) and an access point (ie. a base
station). The secret key is used to encrypt packets before they are
transmitted, and an integrity check is used to ensure that packets are not
modified in transit. The standard does not discuss how the shared key is
established. In practice, most installations use a single key that is shared
between all mobile stations and access points. More sophisticated key
management techniques can be used to help defend from the attacks we
describe; however, no commercial system we are aware of has mechanisms to
support such techniques.

The following two sections describe the problems in the algorithm and the
technical details of our attacks; they assume some background understanding
of cryptographic protocols. You may wish to skip to the following section,
which discusses the practicality of the attacks.

Problems
WEP uses the RC4 encryption algorithm, which is known as a stream cipher. A
stream cipher operates by expanding a short key into an infinite
pseudo-random key stream. The sender XORs the key stream with the plaintext
to produce ciphertext. The receiver has a copy of the same key, and uses it
to generate identical key stream. XORing the key stream with the ciphertext
yields the original plaintext.

This mode of operation makes stream ciphers vulnerable to several attacks.
If an attacker flips a bit in the ciphertext, then upon decryption, the
corresponding bit in the plaintext will be flipped. Also, if an eavesdropper
intercepts two ciphertexts encrypted with the same key stream, it is
possible to obtain the XOR of the two plaintexts. Kno



War Driving and WLAN Security

Home: www.packetnexus.com

(be careful: it's just a matter of time before the first fatal
accident involving use of wireless sniffers while driving...
i have termed this "war driving".)

a useful tool for win2k is wildpackets "airopeek" wireless sniffer.
it has just come out of beta, and the beta version only supports
the cisco 340 family NIC, due to modified NDIS drivers.

with this running on my laptop while i drive i usually pick up
an access point per mile or two, even at > 60 mph with no special
antenna.

you can see the wireless frames including 802.11 beacons, which contain
the name of the access point, the channel and whether WEP is in use,
as well as all of the MAC addresses of talking interfaces, and a signal
strength indication so you can figure out which way to go.

if you supply the wep keys, it will decrypt.

it's a useful sniffer ... but:  it does not produce frames in tcpdump
format. you need a separate utility for that.

also, it's EXPENSIVE: $1995 plus maintenance.  aargh.  (i got the beta
for free...)  (maybe they need more competition... from something free?)

regarding general sniffing of WLAN:

choice of antenna is important, by the way, if you want to do "war
driving".  (peter shipley recently mentioned he had a gps hooked up to
a sniffer as well, so he records an location when the frames were
received ...)

you don't need the SSID.  it provides no value anyway (since you can
use the ALL value).  but you can see it in the 802.11 beacons, and
with WEP it gives a clue to the organization owning the access point
(without WEP their email and web surfing is a much better clue...).

it does not appear that MAC-based access control (which some access
points have) is entirely useful, since you can change your MAC address
on some interfaces to spoof that of some NIC you've seen successfully
talking.

802.11b WEP provides little value (regardless of key length chosen)
due to the reuse of the keystream, the lack of dynamic rekeying, and
the possibility of known plaintext attacks.  you have to record a few
gigabytes of WEP data traffic to launch this attack, though, and i
don't believe anyone has yet automated the exploit.  (this has been
known by members of the 802.11 committee for at least a year, more
like two...)

(802.11e is trying to fix this, and cisco has announced an 802.1x
implementation for the 350 card which seemingly complies with the
compromise proposal in the 802.11 committee).

as a separate issue: some of the wireless access points ship with
naive ideas about administration and maintenance.

(run nmap against an access point...)

the smc and addtron access points, which use code licensed from a
little company in ontario, neesus, have an open service (a listener
for a no longer available proprietary and undocumented administration
utility) which does nothing (they say -- we shall see), a web server
for configuration with an unchangeable user "default", and a default
password (which is changeable, at least).  there are also strings in
the access point binary image which make me wonder about back doors --
neesus says they can't explain them and maybe they're from the
development environment they use.

it's the wild west out there...

On Tue, Mar 06, 2001 at 07:23:22PM -0600, Frank Knobbe wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greetings,
>
> I know the technologies are rather new compared to wired networks,
> but does anyone have and pointers for penetration tests of wireless
> networks, 802.11b in particular?
>
> In my opinion, with th



What's up with WEP?

Home: www.packetnexus.com

What's up with WEP?
Don't let it compromise your data
Larry Loeb ([email protected])
Author, Secure Electronic Transactions
April 2001


Wired Equivalent Protocol, or WEP, is the security behind the wireless IEEE
802.11 protocol. IEEE 802.11 is used by many manufacturers as the wireless
extension of the networks that feed computers. Trouble is, the design of WEP
allows eavesdroppers to decode the WEP-encrypted messages fairly simply, and
thus gain access to networks and data. Here, Larry takes an in-depth look at
WEP -- what it is, how it's flawed, how serious those flaws are, and what
can be done about them.

The Possible Dream
Wireless networking (and connectivity to a base network) has been a dream of
users since portables first appeared. One technology that has become popular
recently is the "Wi-Fi" wireless LAN. Operating at 2.4GHz, this is a
radio-based way to link computers to networks with an acceptable connection
bandwidth. As wireless networking enthusiast John Saxton notes, "'Wi-Fi' was
designed and developed by IEEE P802 members, including Lucent (now Agere)
and Harris (now InterSil), who have been shipping wireless Ethernet LANs for
years." These were the supposed experts in this area, so their work
(codified as the standard IEEE 802.11b ["802.11" for brevity]) should have
been exemplary

802.11 is the IEEE's solution to the problem of how to comprehensively
network disparate computing elements over relatively short physical
distances. The IrDA infrared link used in the Palm PDA is another defined
solution to the same problem. IrDA allows PDAs to communicate with their
IrDA-hardware-equipped hosts (as well as each other) right out of the box,
over short distances. 802.11 aims to provide the same seamless
functionality, but on a larger physical scale. The device-to-access-point
distance is increased by the use of radio waves, and the data flow has been
encrypted in what is referred to as the Wired Equivalent Protocol, or WEP.

WEP
WEP is part of the system security of 802.11, and its goals are to provide
confidentiality and data integrity, and to protect access to the network
infrastructure by rejecting all non-WEP packets.

WEP uses a secret key shared between the communicators. Some versions use
the 40-bit key that was originally used to formulate the standard, while
other newer versions use a 128-bit (104 in reality) key.

The actual encryption/decryption process looks like this:

The data frame is checksummed (using the CRC-32 algorithm) to obtain c(M),
where M is the message. M and c(M) are concatenated to get the plain text
P=(M, c(M)).
P is encrypted using the RC4 algorithm. This generates a keystream as a
function of the initialization vector (IV) v and the secret key k; which is
notated as RC4 (v, k). The cipher text results from applying the XOR
function to the plain text and the keystream. The cipher text and the IV are
then transmitted via radio.
Graphically, the process looks like this:


Decryption is simply the reverse of encryption. The recipient regenerates
the keystream and XORs it against the cipher text to recover the initial
plain text. This message (P') is then split into the two parts of M' and c'.
c(M') is then computed and compared with the received checksum c'. If it
does not match, then the message body has changed in some manner during
transmission. Decryption generates the identical keystream used for
encryption using the transmitted-with-the-packet IV and the shared secret
key. Finally, the result is XORed with the cipher text to reveal the
message.

WEPbusters come calling
It can 



Sniffing Wireless From Remote Locations

Home: www.packetnexus.com

Sniffing Wireless From Remote Locations
Summary: A friend of mine got me started on the subject of wireless lan and
the insecurities of it. Bascially, a wireless LAN uses radio signals, like
most
other things wireless. This being the case, why could we not turn our
laptops into radios capable of receiving these signals?

Hardware:
  Sony Vaio SR-5k running OpenBSD 2.8
  Toshiba Satelite Pro 415CS(P-90, 16mb, 1gig) running FreeBSD 4.2-RELEASE
Lucent Wavelan Gold (128 bit encryption)
  Lucent Wavelan Antenna
  promiscuous interface software such as tcpdump and dsniff

Tips:
Install the nessisary network and security auding tools such as dsniff,
nmap, hping, nbaudit(you will see lots of windows machines) from the ports
tree, smbtcpdump, samba also if you wish to map shares.

Listening In:

To start listening what I do is have a virtual console w/ a shell prompt for
me to issue commands from, one with tcpdump -n running(you monitor this for
traffic), another virtual console and tcpdump logging to file, remeber to
set the snaplen to something a little more reasonable than the defualt of 96
bytes otherwise all you will capture is the first 96 bytes. By saving to a
file you can go back and run tcpdump with the -r option and use diffrent
options, or run strings on the file to look for interesting text. Now, you
need to have your wi adaptor set up to some reasonable settings, for best
results hunting i use "wicontrol -i wi0 -p 1 -f  3", 3 is the default
channel, that the cards seem to be on, -p 1 puts the interface in BSS(Basic
Service Set) infrastructure mode, by default the interface is in ad-hoc
mode. In infrastructure mode every machine sends all it's traffic to one
central point(i.e Access point or gateway). We are hunting for access
points, because they are usually set up with an Antenna, and thus are easier
to find than an Ad-hoc network of a few computers. After a few minutes of
driving(in an urban enviornment) around and looking at the screen with
tcpdump -n running you should start to see some traffic.

Determining What you are Seeing.

Get the list of OUI #'s from IEEE(Aids in determining what type of equipment
is on the network),

The list of networks and who owns the IP block from ARIN. Helps you figure
out what network you are looking at while on the network, keep a local copy
on the laptop so you can refrence this while in the field.

Assign your self an IP, usually you are seeing non-routable IP's because
this network is behind a firewall/NAT box, and that gives you the ability to
choose from a large number of IP's. Once you have an IP then you can proceed
to map and audit their network for vulnerabilites.

Once you get back home go over your logs, and make a mental note of where
you were when you got this dump, then if there is something that identifys
it as company XXX, look at company XXX's website and determine where their
office is.


What you will most likely see:
One thing that will become apparent is that a lot of these networks
Windows/Novell, from the amount of SMB and IPX/SPX that you will see. I also
saw a signifigant amount of IP multicast at certain places.

Status:
Still in development and exploration

I'd like to correlate my position via GPS with the time stamps from tcpdump
logs so I can automate the process of figuring out where I was when I got
this traffic and the streingth of the signal. And possibly integrate and
plot  it with some GIS software/data. The data for the 15minute sectionals
is freely availabe from the USGS



WEP cracked - so what ?

Home: www.packetnexus.com

Toens Bueker wrote :
> Hi *,
>
> I just read this slashdot story:
>
> http://slashdot.org/articles/01/02/05/1411215.shtml
>
> Here's the details:
>
> http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
>
> Does anybody know anything about what the
> vendors/developpers are going to do about this?
>
> By
> T�ns

	Read it, my answer is why bother.
	By the way, don't read the SlashDot comments, the people here
are totally clueless and don't even talk about the correct stuff.

	I've got two main objections with their "attack".
	First, WEP is Wired Equivalent Privacy, which means exactly
what it does. This is not high security, but just enough to fend off
the casual attacker.
	The attack depend on snopping successfully the network for a
minimum of 5 hours (in fact, their maths are wrong, because max
throughput is more like 5 Mb/s, and that's assuming full traffic). 5h
is not a casual attacker in my book. And you need 15GB of storage and
process this 15GB for each newly received packets. Not a casual
attacker in my book.
	Then, the bit flipping is quite unrealistic. That would
require some pretty sophisticated radio equipement (especially
considering the timing requirement, all the multipath effect and that
the receiver might use an equaliser or a directive antenna - yuck !).

	So, if somebody is willing to spend 5h and 15GB and all the
programming complexity to process the data to try to break into your
network, I don't think that anything at the sophistication of WEP will
stop him. I don't think that brute forcing RC4 will stop him. And I
don't think that breaking in your flat and putting clips on your
Ethernet cable will stop him either.
	On the other hand, WEP is enough to discourage your neighboor
to try, especially that the value of your traffic is not much anyway,
so why would he bother. Anyway, he probably spend much of his time
watching TV.
	So, in essence they look at WEP and they say : "Ho, that's not
a high security system". Of course, it was never designed to be !

	Now, let's talk of the *real* security problem of 802.11, as
opposed to the wandering mind of a few academics. And I don't
understand how they could miss something so fundamental. The real
problem is :
		ONE SINGLE STATIC SHARED KEY
	I can tell you that this one is the one that prevent our
security people from sleeping at night (not the other stuff). If one
laptop get lost, basically the whole security of the network is gone
(and we have a few laptop stolen in building every year).
	Moreover, people tend to write down the key in visible place,
because otherwise they won't remember it. Ouch. A bit of human
engineering, and you will get those darn keys.
	Then, as it's a shared network, users can listen on each
other, whereas in a switched infrastructure, you get only your traffic
on the wire. Of course, you should assume that if it's unsecure with
WEP, it's also unsecure on a shared 10T (unless you can physically
control every centimeter of the cable).

	Of course, there is only so much you can do at the MAC layer,
so I don't expect the MAC layer to get any better security. We are
dealing with a connectionless broadcast paradigm anyway.
	Vendors such as Lucent and Cisco are going for Radius
authentication, so you can see that the general tendancy is going to
be VPN over WLAN (IPsec, PPPoE, SSH, whatever). Why reinvent the wheel
at layer 2 when you have good solutions abo



WLAN summary

Home: www.packetnexus.com

sum up from different papers and other various sources.
[email protected]

------------------------------------------
ftp://ftp.orinocowireless.com/pub/software/ORiNOCO/PC_Card/Firmwarelookup
warheac.net

http://www.cs.umd.edu/~waa
http://www.cs.umd.edu/~waa/wireless.pdf
datatwirl.yi.org/wep-faq.html
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

misc quotes from papers.
Later on a few comments by myself:
---------------------------
Operating at 2.4GHz,

I've heard rumours that if you wander through Stockholm's business
district or through the Square Mile in London, if you're in promiscuous
mode you can pick up all sorts of transmissions and a large number of
DHCP servers offering IPs to anyone who gets the ESS ID right.
Hope this helps someone. Just be careful out there ;)

3) This is the biggie - the WEP authentication protocol relies on DNS
and is therefore prone to massive man-in-the-middle attacks. There is a
paper by Jesse Walker called "Wireless LANs Unsafe at Any Key Size; and
analysis of the WEP encapsulation" that I encourage everyone to read.

The
authentication methods supported by the current 802.11 standard are Open
System and Shared Key. The Shared Key method requires that the WEP
algorithm be implemented on both the wireless terminal and the access
point. In the Open System authentication scheme, which is the default
scheme, a terminal announces that it wishes to associate with an access
point, and typically the access point allows the association.

The user authentication in TWISS is based on public-key cryptography.
Each user has a public/private key pair, which is generated on the TWISS
server and then delivered to the user in a distribution file. The keys
in a distribution file are protected using a password that only the user
knows. The password is entered when logging locally to the TWISS client
in order to access the private key needed when logging on to the TWISS
server. As the user logs on to the TWISS server, the client and the
server negotiate a symmetric encryption/decryption key that is used for
data confidentiality during a single security connection.

If attacker cuts
down the power of the whole site, then all wired networks are usually
useless, but the wireless LANs can be used in the ad-hoc configuration
with laptops or other battery powered computers.

The data security is accomplished by a complex encryption technique know
as the Wired Equivalent Privacy Algorithm (WEP). WEP is based on
protecting the transmitted data over the RF medium using a 64-bit seed
key and the RC4 encryption algorithm. WEP, when enabled, only protects
the data packet information and does not protect the physical layer
header so that other stations on the network can listen to the control
data needed to manage the network. However, the other stations cannot
decrypt the data portions of the packet.

You can configure a wireless network to broadcast its name, or not. It's
probably wise not to broadcast, so that people are less likely to
accidentally discover it.

You can configure most wireless access points to
allow only certain MAC addresses (like Ethernet 802.11 uses MAC addresses).

a useful tool for win2k is wildpackets "airopeek" wireless sniffer.
it has just come out of beta, and the beta version only supports
the cisco 340 family NIC, due to modified NDIS drivers.
with this running on 



Wireless T1 WANs Make Waves

Home: www.packetnexus.com

http://www.networkcomputing.com/1019/1019f3.html

Wireless T1 WANs Make Waves

September 20, 1999
By Dave Molta and Asad Irshad

Your mission: Establish a reliable WAN able to carry voice and data without
using dedicated circuits or requiring FCC approval. Impossible? Take a look
at unlicensed radio-based T1 wireless local loops. For a onetime equipment
and installation fee, you can avoid recurring charges for T1 lines, which
can top $1,000 per month for a local loop, and cost much more than that when
the connections cross LATA (local access transport area) boundaries. Perhaps
more important than these savings, wireless T1 loops can provide flexibility
in areas where the cabling infrastructure to support dedicated lines is
lacking, as is often the case in rural communities, for example.

For years, microwave towers have dotted the landscape, but these systems are
usually very expensive and require FCC licenses. Technological advances and
government policy have spawned an alternative--unlicensed spread-spectrum
radio systems operating at 2.4 GHz and 5.8 GHz. Many products are now
available, including a number of 10-Mbps and 100-Mbps offerings designed
primarily to interconnect Ethernet LANs. Although it's tough to beat T1
products when your needs include both voice and data, T1 tends to cost a lot
more than 10-Mbps bridges. If your needs call exclusively for LAN
connectivity, bridges make more sense.
In Network Computing's Real-World Labs� at Syracuse University, we put five
wireless T1 products--Adtran Tracer, BreezeCom BreezeLink, Glenayre Western
Multiplex (GWM) Lynx.sc, P-Com AirPro T1/E1 and Wave Wireless Speedcom
T1/E1-- through a series of tests to assess their suitability for
transporting both voice and data across metropolitan area networks.

Lynx.sc edged out P-Com AirPro T1 and Adtran Tracer for our Editor's Choice
award; it was easy to install and performed flawlessly. GWM also provides
the broadest line of single and multichannel T1 products at both 2.4 GHz and
5.8 GHz. In addition, AirPro earned our Best Value award. Besides the fact
its $6,995 retail price was almost the lowest among the products we tested,
P-Com is running a promotion through the end of 1999 offering a pair of
radios, antennas and cabling for $6,995. That's value.

We tested the wireless devices in a hybrid voice-data network, passing data
among Cisco routers and voice traffic across Nortel Meridian PBXes (see "How
We Tested,"). All the products got the job done, though only the Lynx.sc
provided 100 percent of the baseline throughput we were able to achieve with
a hardwired connection between the ADC/Kentrox CSU/ DSUs we used on our test
bed. Tracer fell just shy of 100 percent, while AirPro and Speedcom were
also very close, achieving throughputs in excess of 98 percent. BreezeCom's
BreezeLink did not fare quite so well. On the PBX side, all the products
delivered clear voice communication.

Installing these products is not a job for amateurs (see "Installation
Issues," page 90). Aiming antennas, particularly across distances of 20
miles or more, isn't easy; make sure that you install lightning arrestors
and follow other safety precautions. Selecting the proper cables, antennas
and output signal level requires knowledge of RF transmission
characteristics, as well as the impact of weather conditions. With the
exception of BreezeLink, all the products claim to support links of 10 miles
or more with 99.999 percent availability (5.25 minutes of expected o



Wireless security riddled with flaws

Home: www.packetnexus.com

Wireless security riddled with flaws
P.J. Connolly

THE INTERCEPTION OF wireless traffic has gone on for decades, initially
proving its value during World War I. In the years since, anxiety about
wireless security has shifted but is no less valid. Now it has less to do
with the movements of armies and fleets and more to do with data and privacy
concerns. Although security is a concern for companies implementing wireless
networking, it appears to be taking a back seat to bread-and-butter issues
such as making the stuff work and keeping overall cost down, according to
the 2001 InfoWorld Wireless Survey.

Of the 500 InfoWorld readers polled, almost twice as many cited cost rather
than security, 31.2 percent vs. 16 percent, as the greatest roadblock to
implementing wireless networking. Very few, 2.6 percent, indicated that
security enhancements were necessary for their company to effectively
implement wireless technologies. Most survey participants prefer to bang the
drum for better applications -- 71 percent of combined responses -- and
improved training -- 73 percent of combined responses

You can't argue with the frustration expressed by those whose expectations
for wireless remain unmet. After all, without applications and training,
what you have left isn't good for much more than placing calls and receiving
stock quotes. But IT leaders everywhere are placing too much faith in the
built-in security of wireless technologies, when wireless security is in
fact a contradiction in terms.

By their nature, radio technologies are an insecure medium. In most cases,
transmission to client devices is an omnidirectional broadcast, so that
anyone within range of the transmitter can intercept the signal with a
properly equipped receiver.

If that weren't bad enough, the basic encryption technologies used in many
of the emerging wireless standards are generally not worth the CPU cycles
they consume; they're weak and easily cracked because of poor
implementation.

Whither WEP?

It is one thing to have weak, 40-bit encryption in a Bluetooth-enabled
device with an effective range of about 30 feet. But fundamental problems
with the WEP (Wired Equivalent Privacy) protocol, which is at the heart of
the 802.11 wireless networking standard, are another thing.

Three separate teams of researchers -- one at Intel, another at the
University of California at Berkeley, and yet another at the University of
Maryland at College Park -- have raised questions about WEP's capability to
provide secure communications.

This first came to light last October when Intel's Jesse Walker told the
IEEE that WEP was "unsafe at any key size" because the basic cryptographic
structure was unsound. Walker refuted the notion that the only thing wrong
with WEP was its use of a 40-bit key.

He demonstrated that the practice of using an easily determined
"initialization vector" renders the encrypted traffic vulnerable because
keys are reused when they shouldn't be. He also pointed out that the RC4
"stream cipher" method used by WEP isn't well-suited to wireless networks
that can and will drop packets because the lost packets foul up the
encryption and decryption engines, like vapor lock does to a car on a hot
day.

Since then, more evidence of the problems with WEP has surfaced, and WEP2,
the proposed next generation of 802.11 security, is also at risk. For
example, in January, the Berkeley team went beyond the math, outlined how
one might go about collecting the necessary data for breaking the
encryption, and



Can Bluetooth compete with WLAN?

Home: www.packetnexus.com

Can Bluetooth compete with WLAN?
By Mattias Ringqvist and Will Daugherty, McKinsey & Company, Special to
ZDNet
May 4, 2001 9:49 AM PT
URL:
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2715556,00.html
COMMENTARY--Much debate is brewing over whether Bluetooth will replace WLAN
standards like 802.11b. Yet, how can a technology, initially developed for
cable replacement, be seen as a threat to a Wireless LAN technology? Our
perspective is that, in most cases, it will not be a threat.


In fact, Bluetooth is delayed by at least a year, primarily due to a delay
by manufacturers in getting products to market. In the meantime, 802.11b is
gaining strong momentum as the WLAN standard. Realistically, the Bluetooth
industry should focus on developing applications to take advantage of this
superior cable replacement technology that will eventually be embedded in
hundreds of millions of handheld devices.

Common wisdom in favor of Bluetooth
Bluetooth is a low cost, low power, robust wireless connection method with a
small footprint that makes it very well suited for millions of handheld
devices. Some common early assumptions favoring Bluetooth include:

* The price of a Bluetooth chipset, excluding application interface
software, is expected to drop from $20 to $5 by 2003.

* A Bluetooth chip, designed to communicate in the 10m range, consumes only
1mW of power, compared to an 802.11b chip, which consumes more than 1W. A
single Bluetooth chipset is also fairly small, with a size of 8x8mm,
compared to the smallest 802.11b at 30x14mm.

* Bluetooth and WLAN use the same frequency, 2.4GHz. However, given
Bluetooth is designed to be a very robust technology that changes frequency
at the speed of 1600 hops/second, it has an advantage over WLAN technologies
like 802.11b.

* Bluetooth is expected to have a very large reach this year with
installation in more than 120 million end user devices, compared to only 4.3
million WLAN products.

A somewhat different reality
However, not all is what it seems. The predicted price drop for a Bluetooth
chipset is driven by aggressive forecasts in volumes shipped. Recently
revised volume forecasts of end-user devices shipped with Bluetooth
functionality are in fact only 20-30 million units this year. At the same
time, the cost of a WLAN chip is now, according to some manufacturers, also
expected to fall to around $5 by 2003; competitive with Bluetooth chipsets.
In addition, Bluetooth faces interoperability issues, not only on the
physical layer between different hardware manufacturers, but also on the
application layer, where so far, few profiles have been developed or agreed
upon.

Several players in the WLAN industry predict a move to 5GHz by 2004,
positioning to avoid potential Bluetooth interference and reaching
transmission speeds of 24Mbps. Bluetooth only gives a maximum speed of
721kbps for data, compared to 11Mbps for 802.11b. Therefore, streaming video
applications, or downloading large quantities of information from the
Internet to a laptop or PDA, is more likely to happen over a WLAN
connection.

Moreover, Bluetooth was never intended to become a network technology, and
it holds limited ability to do handoffs between access nodes-an essential
feature to ensure mobility. Several manufacturers have solved this for data
communication, but real time mobile voice communication is still being
developed.

Finally, with Bluetooth on every laptop, communic



WEP can't stand alone for security

Home: www.packetnexus.com

WEP can't stand alone for security
By Herb Bethoney, eWEEK
April 15, 2001 9:00 PM PT
URL:
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2706267,00.html

Although the IEEE's 802.11b wireless LAN standard includes a provision for
security called Wireless Equivalent Privacy, or WEP, the protocol leaves
much to be desired.

WEP is supposed to provide the same security that a locked door does for a
building, but recent research from the University of California at Berkeley
and the University of Maryland has shown that compromising an 802.11b-based
network is easier than picking the lock on an organization's door and
jacking in to its network.

For example, an attacker could eavesdrop on a wireless network using a
wireless LAN analyzer application. The attacker could capture the plain and
encrypted text of shared keys used for authentication, figure out the
authentication response, and then provide a new checksum using another known
exploit and connect to the network as a valid user.

Wireless LANs are susceptible to a number of other attacks, but the point
is: WEP is no guarantee of security in the face of a determined attacker.
And, to the extent that it offers a false sense of security, WEP is worse
than no security at all. WEP must be enhanced with end-to-end encryption,
additional user authentication, virtual private networks and firewalls (at
the very least).

The IEEE is working on a better security algorithm to replace WEP, and
802.11b equipment vendors are including proprietary security enhancements
with their products. These security enhancements may well become the most
important differentiators among the growing large number of wireless LAN
options.


Back to the Index

The WDF Wireless Data Primer

Home: www.packetnexus.com

The WDF Wireless Data Primer

Introduction
The last twenty years have seen an explosion in wireless communications and
computer technology. The last five years have seen the explosion of the
Internet. Standing at the center of this convergence is the wireless data
industry. This "primer" provides a general overview of the industry and its
key components.

Definition
Wireless data telegraphy is defined as communication without wires over
distance by the use of arbitrary codes. Primitive examples include waving
lanterns by night or sending smoke signals.
Modern examples include hand-held devices like pagers, smart phones and
personal digital assistants (PDAs) using wireless modems to enable wireless
data communications.

Wireless data: basic types and applications
While the technologies, protocols and network infrastructure supporting
wireless data are often complex, most data applications can be simply
divided into three main types: bursty, query-response, and batch-files

Bursty data -- quick bursts of data are sent from point-to-point. Emerging
applications in this area include remote electric power meter readings,
wireless burglar alarms, and other remote sensing applications.
Query/response -- query and response lies at the heart of new wireless data
applications and devices that allow for wireless e-mail and Internet access.

The wireless data market
Current revenue forecasts for the wireless data market predict strong
industry growth.
Some examples:

Frost & Sullivan:
The compound annual growth rate (CAGR) for wireless data from 1996 through
2003 is projected to be 35 percent. The market is expected to grow to ten
times its current value and reach close to $2.5 billion by the year 2002.
sources: Frost & Sullivan reports, "Mobile Data Services: How to Keep Your
Customers and Profits Moving" and "North American Wireless Office Markets."

Yankee Group:
The Yankee Group projects that more than 1 million wireless intelligent
terminals (WITs) will be sold in the year 2000 - comprising almost 4 percent
of total wireless terminal sales that year.
Source: The Yankee Group, "Phones with WITs: Wireless Intelligent Terminals
Wireless/Mobile Planning Service White Paper v.4, n.10, Published May 1996

Gartner Group:
The opportunity for wireless data communication in the United States is
huge, with 25.3 million of the 112.1 million workforce having a mobile job
requirement, but growth will be slow and steady.
Source: The Gartner Group, The Dataquest Market Analysis Perspective,
"Wireless Data in the United States: Pieces of the Puzzle are Missing, but a
Picture is Taking Shape"

Strategis:
Two million wireless data subscribers exist in 1997 and the market is
predicted to grow at an average annual rate of over 40 percent through 2002.
Source: US Mobile Data Marketplace: 1997

Ovum:
By the end of the year 2000, there will be over 3 million users of data over
GSM services in Western Europe, rising from a current installed base of
around 300,000. In the UK, there will be 900,000 users of data over GSM
services by 2000, rising from the current installed base of around 90,000.
source: "Data over GSM: Market Development", Ovum (UK)

The wireless data market: vertical and horizontal
The wireless data industry began its development through vertical
applications within specific industries, such as dispatching, fleet
management and point-of-sale.
Horizontal applications cut across different industries: examples include
so-called "road warrior" devices such as pagers and PDAs.

Vertical Applications
Field service



WaveLAN and RoamAbout Support in Linux

Home: www.packetnexus.com

WaveLAN and RoamAbout Support in Linux

Update: This information has been updated to include the WaveLAN (now known
as Orinoco) 11Mbps Silver/Gold PC Cards and Cabletron RoamAbout PC Card.
Additional information about using WEP (wired equivalent privacy) is
available separately.




This page is about using the WaveLAN wireless LAN PC card with Linux. A
binary driver library is provided by Lucent for their older Turbo 8Mbps
Bronze cards, but which also works with newer variants of the cards. The
supported cards are:
WaveLAN Turbo 8Mbps Bronze PC Card: This is 802.11 compliant only at 2Mbps.
The 8Mbps mode is proprietary to Lucent. This card does not support WEP.
WaveLAN Turbo 11Mbps Silver/Gold PC Card: These cards are 802.11 compliant
at 11Mbps and support WEP with 40-bit and 128-bit encryption (for Silver and
Gold respectively). I have not personally tested the Gold variant, but I
believe the information here applies to it just as well.
Cabletron RoamAbout: This card is OEM'ed from Lucent and is functionally
identical to the WaveLAN Turbo 11Mbps PC Cards. It supports WEP too (40-bit
and 128-bit versions available).
Since these are all basically WaveLAN cards, I'll just refer to them all as
WaveLAN below.

The WaveLAN cards provide notebooks with wireless Ethernet connectivity via
a base station known as an Access Point. The base station acts as a bridge
between the wireless LAN and a wired Ethernet LAN. The WaveLAN cards have a
little section that sticks out of the PCMCIA slot and houses the antenna;
This is somewhat more elegant that having a separate antenna unit (as in the
old WaveLAN designs).


Required Software
To use the WaveLAN card in Linux, you need to install at least two software.
The first is the PCMCIA support, which typically already comes with your
Linux distribution. You will need to have the source in order to compile
support for the wireless PCMCIA card.
Next, you also need to get the WaveLAN/IEEE Software for Linux. This is
distributed by Lucent Technologies. The PCMCIA package itself also comes
with a WaveLAN driver, but I don't know if this will work with the Turbo
version of the card.


Get the PCMCIA source from the PCMCIA Homepage. I am using version 3.1.6.
WaveLAN/IEEE Software for Linux. I am using version 4.00.

Linux Installation
The installation procedure involves merging the WaveLAN driver source into
the PCMCIA source, recompiling the PCMCIA software and then installing the
PCMCIA package. Make sure you are running as the root user when you begin as
the actual software installation and configuration requires root privileges.

Extract the PCMCIA distribution archive. You need to specify the actual
location of the archive. For our example here, we will build the source in
/usr/src.
$ cd /usr/src
$ tar zxvf pcmcia-cs-3.1.6.tar.gz
Extract the WaveLAN/IEEE distribution archive into the PCMCIA source
directory.
$ cd pcmcia-cs-3.1.6
$ tar zxvf wavelan2_cs-4.00.tar.gz
For Red Hat users, you want to use the PCMCIA network script that Red Hat
provides. The PCMCIA installation step replaces this script with its own
unnecessarily more complicated version. So, save a copy of the Red Hat
version now.
$ cp /etc/pcmcia/network /etc/pcmcia/network.rh
Build and install the PCMCIA package according to the instructions in the
PCMCIA-HOWTO file (in the pcmcia-cs-3.1.6 directory). You can usually accept
all the defaults in the make config step.
$ make config
$ make all
$ make install
For Red Hat users, you should use the PCMCIA network scri



Security Still Up in the Air

Home: www.packetnexus.com

Security Still Up in the Air

  February 5, 2001
  By Tom Zeller


The idea of a wireless LAN has always had a certain charm -- suggesting an
end to the expense and inconvenience of running cable, and to users' whining
about being tethered to their desks. And now, with wireless standards
firming up, throughput increasing and prices dropping, more and more IT
managers are succumbing to temptation. In fact, Cahners In-Stat Group
predicts that the wireless LAN market will grow 25 percent annually over the
next few years, from $771 million last year to nearly $2.2 billion in 2004.




At the enterprise level, however, security is a major stumbling block. While
the 802.11b wireless Ethernet standard includes several security measures
that can lock down small installations, how well these measures scale to
environments with tens of access points and hundreds of users is still
unclear.
Enterprise-level wireless-LAN security is a two-pronged concern: Network
access must be limited to authorized users, and wireless traffic must be
shielded from sniffing by would-be packet hijackers.

Access Control

The best way to secure access to a wireless network -- and, hence, a
corporate network -- is to instruct access points to pass only those packets
originating from a list of known Ethernet addresses. Of course, MAC (Media
Access Control) addresses can be spoofed, but an intruder would have to
learn the address of an employee's Ethernet card. Unfortunately, this may
not be difficult -- unlike internal NICs, many wireless PC cards have the
MAC addresses printed in plain sight, right on the card.



Click here to enlarge


Even assuming physical card security can be ensured, the problem of
compiling and distributing a list of valid MAC addresses remains. In
addition, each brand of access points has some limit on the number of
addresses allowed. Lucent Technologies' Orinoco access point, for example,
has a limit of 492 MAC addresses, so scalability is a concern. The good
news, though, is that once entered, the list of addresses often can be saved
and used to populate other access points.

Another setting on the access point that can be used to restrict access to
approved users is the network name, also referred to as the SSID (Service
Set ID). This feature was designed to let specific groups use particular
access points. An access point can be configured either to allow any client
to connect to it or to require that a client request use the access point by
name. While not meant primarily as a security feature, setting the access
point to require the network name can let the name act as a password.

As with any password scheme, however, the more people who know the password,
the higher the probability that an unauthorized user will misuse it.
Certainly the network name can be changed periodically, but each user must
be notified of the new name and make the few clicks required to reconfigure
his or her client -- arguably a deal killer as your network grows.

Stopping the Sniffer

The 802.11b standard allows for encrypted communication between clients and
access points via WEP (Wired Equivalent Privacy). WEP is an optional
RC-4-based, 40-bit encryption mechanism that encrypts the data portion of
the packet. Because an initialization string is tacked on, adding in the 24
bits that are used to identify a device to the LAN, WEP is referred to by
vendors as 64-bit encryption.

Unfortunately, high-end equipment can break 40-bit encryption in a matter of
seconds. In addition, WEP has a loophole wide enough to sail a bo



Security in Wireless Local Area Networks

Home: www.packetnexus.com

Security in Wireless Local Area Networks
Sami Uskela
Department of Electrical and Communications Engineering
Helsinki University of Technology
[email protected]

Abstract
When the wireless communications is coming to the offices and the homes,
there are some new security issues to be taken care of. Today we have
continuously growing markets for the wireless LANs, but there is big black
hole in the security of this kind of networks. This paper gives an overview
of the security functions specified in two wireless LAN standard, namely in
the IEEE 802.11 and the HIPERLAN. There is also some discussion about the
threats and vulnerabilities in wireless networks compared to wired networks.
And last but not least the protocols and mechanisms needed in the secure
wireless LAN are described.


----------------------------------------------------------------------------
----


Table of Contents
1 Introduction
2 Abbreviations and Definitions
3 Standards
3.1 HIPERLAN
3.2 IEEE 802.11
4 Threats and Vulnerabilities Compared to Wired LANs
4.1 Eavesdropping
4.2 Transitive Trust
4.3 Infrastructure
4.4 Denial of Service
5 Secure Solution
5.1 Design Goals
5.2 Design Overview
5.3 Authorization
5.4 Integrity and Confidentiality
5.5 Key Change Protocol
5.6 Key Management
5.7 Solution Analysis
6 Conclusions
7 References


----------------------------------------------------------------------------
----


1 Introduction
Around 1980 was the concept of the wireless LAN introduced and since 1985
have many companies tried to implement variety of wireless LAN applications
using spread spectrum, infrared and traditional wide band radio [1]
technologies. Now is the real breakthrough of the wideband wireless
applications happening; the IEEE 802.11 standard, approved June 1997, gives
a solid platform for new applications and the chips supporting IEEE 802.11
are already in the market. The wireless office market revenue was year 1996
$390 million from which $218 million belonged to wireless LANs and it is
expected to break a billion dollar in early next millennium [1].

The commercial wireless LAN applications can be divided in five category
[2]:

LAN extension - indoor wire replacement
Inter-LAN bridges - outdoor wire replacement
Campus Area Networks (CAN) - wireless LANs with infrastructure
Ad-hoc networking - wireless LANs without infrastructure
Nomadic access - a wireless LAN service
Today's existing applications aims at four category of applications [2]:

Healthcare industry
Factory floors
Banking industry
Educational institutions
The security issues in the wireless environment are much more stressed than
in the wired networks, but there are still products without any security
functions and even the IEEE 802.11 specifies the security functions as an
optional feature. Anyhow the security in the Internet is coming more and
more vital and the IPSEC concept and IPv6 are going to demand the ciphering
and authentication as mandatory functions in the network equipment. So there
is a real need for developing the security in the wireless networks.

2 Abbreviations and Definitions
In this document are following abbreviations (table 1) and definitions
(table 2) used.

AP  Access Point
ATM  Asynchronous Transfer Mode
BER  Bit Error Rate
BSS  Basic Service Set; A set of stations communication wirelessly on the
same channel in the same area. (in IEEE 802.11)
CA  Certificate Authority
CAC  Channel Access Control (in HIPERLAN)
CAM  Channel Access Mechanism (in HIPERLAN)
CCITT Comit� Consultatif Int



Recipe for a Linux 802.11b Home Network

Home: www.packetnexus.com

 Published on The O'Reilly Network (http://www.oreillynet.com/)
 http://www.oreillynet.com/pub/a/wireless/2001/03/06/recipe.html
 See this if you're having trouble printing code examples

Recipe for a Linux 802.11b Home Network
by Schuyler Erle
03/06/2001 Related Articles

My introduction to wireless networking was right here at O'Reilly Network,
where our own Rob Flickenger has set up an 802.11b network spanning the
three buildings that house the home offices of O'Reilly & Associates.

The idea of a wireless network was right on my wavelength. "You mean I can
get Ethernet-speed web browsing, file transfers, and the whole works -- with
nary a cable connection in sight -- from as far away as the coffeehouse
across the street? Um, I'll be working from there this morning. IM me if you
need me."

Needless to say, it wasn't long before I started thinking about other
applications for this technology. I wanted Net access on my notebook
computer from anywhere in or near my apartment, too. I started thinking
about how I might control my stereo. I envisioned working on my laptop at a
little garden table on a beautiful day under a stand of trees on my
property, while birds chirp, leaves rustle, a light breeze wafts by, and one
of Beethoven's symphonies blares from my window at, say, 80 dB. Freude!
Naturally, the IEEE 802.11b wireless networking standard was the logical
candidate for a means of implementing this nefarious scheme.

However, OEM wireless "residential gateway" hardware isn't exactly cheap,
running into the hundreds of dollars and even thousands before you even
start thinking about radios for the portables. And bona fide access points
are even pricier. Why go to all that expense, I reasoned, when hardware
that's gathering dust in my friends' closets -- hardware that they're not
using, and would part with for nothing -- will do the job just as well, with
only a little extra effort on my part. People have been using free operating
systems to build dedicated firewalls and routers on i386 and i486 machines
for years. Why not add wireless?

So I set about about building a wireless gateway using Linux, 802.11b, and
an old PC. The project was a stunning success. Doing it right took some
research, and a bit of trial-and-error, but it seemed to me that, in the
end, the task was straightforward enough that anyone with the right hardware
and a little know-how could easily replicate our results. Therefore I've
endeavored to produce my "recipe" for an 802.11b gateway for you to follow
at home. (It didn't hurt that my manager, Peter, was interested in building
one for his house.) Those of you who own the home version of our show should
be able to play along.

Ingredients for a wireless gateway:

1 desktop PC, 386 or better. No, really. You can take that 486/50 out of the
attic, dust it off, and put it to work. We'll call this machine the
"gateway."
1 or more notebook PCs. Each should have at least one free PCMCIA slot.
We'll call these machines the "clients."
Two or more 802.11b wireless Ethernet PCMCIA cards. We like the Lucent
WaveLAN/ORiNOCO cards, but you can in theory use any 802.11b-compliant card.
One ISA-to-PCMCIA or PCI-to-PCMCIA adapter. This should be suitable for
installation on the gateway.
Hardware to set up the link from the gateway to the Internet. This can be a
cable modem, DSL, ordinary Ethernet, another wireless link, a sat



802.11b Tips, Tricks, and Facts

Home: www.packetnexus.com

Published on The O'Reilly Network (http://www.oreillynet.com/)
 http://www.oreillynet.com/pub/a/wireless/2001/03/02/802.11b_facts.html
 See this if you're having trouble printing code examples

802.11b Tips, Tricks, and Facts
by Rob Flickenger
03/02/2001 Related Articles


There's much more to 802.11b spec than that teeny little "b" indicates.
802.11b is not just the downstairs apartment of 802.11; it's a whole new
world of wireless possibilities.

Before we examine what makes that little "b" so special, let's take a look
at the original 802.11:

Approved in 1997 by the IEEE 802 committee, 802.11 details the framework
necessary for a standard method of wireless networked communications. It
uses the 2.4-GHz microwave band designated for low-power unlicensed use by
the FCC in the USA in 1985.
It allows for two different (and incompatible) methods of encoding, FHSS and
DSSS.
FHSS (Frequency Hopping Spread Spectrum) spreads the conversation across 75
one-MHz subchannels, continually skipping between them.
DSSS (Direct Sequence Spread Spectrum) breaks the band into 14 overlapping
22-MHz channels and uses one at a time.
Two operating modes are defined: infrastructure and ad hoc. Most dedicated
hardware (the "access point") provides a basic or extended service set that
builds the wireless "infrastructure." It goes a bit beyond basic bridging,
allowing clients to roam from access point to access point (provided they
all exist on the same physical Ethernet segment; roaming across routers
isn't allowed -- at least, not yet). The ad hoc (IBSS, or Independent Basic
Service Set) mode allows individual nodes to participate in a peer-to-peer
network without an access point.
The 802.11 spec also allows for Wired Equivalent Privacy encryption at the
MAC (Media Access Control) layer.
But 802.11 isn't perfect. For example, how do you detect collisions with a
device that can transmit or receive at any given moment, but can't do both
at the same time?

What happens when packets you've sent bounce off of a distant wall and come
right back at you microseconds later?

Another major problem with 802.11 equipment was its relatively low speed
compared to wired networking -- only up to 2 Mbps -- and the fundamental
incompatibility (and confusion) between FHSS and DSSS equipment. But because
they were incompatible, a choice had to be made. And that choice led to the
802.11b spec.

The move to DSSS and 802.11b
The FHSS frequency-hopping cards were the first to hit the marketplace, as
they were cheaper to produce and easier to implement than DSSS. As time
marched on (and with Moore's Law in effect), the processing power needed to
cheaply implement DSSS soon became available. As it turned out, given the
FCC's broadcasting constraints and some terribly clever engineering, DSSS
began to prove itself as the more reliable solution.

In September of 1999, the 802 committee extended the specification, deciding
to standardize on DSSS. This extension, 802.11b, allowed for new, more
exotic encoding techniques. This pushed up the throughput to a much more
respectable 5.5 Mbps (up to 11 Mbps). While breaking compatibility with FHSS
schemes, the new extensions made it possible for new equipment to continue
to interoperate with older 802.11 DSSS hardware.

With the ever-present need for speed temporarily quenched, everyone who is
anyone started jumping on the wireless roller coaster. While Lucent a



Using the Fluhrer, Mantin, and Shamir Attack to Break WEP

Home: www.packetnexus.com

Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
AT&T Labs Technical Report TD-4ZCPZZ, Revision 2, August 21, 2001
Authors
Adam Stubblefield
John Ioannidis
Aviel D. Rubin

Abstract
We implemented an attack against WEP, the link-layer security protocol for
802.11 networks. The attack was described in a recent paper by Fluhrer,
Mantin, and Shamir. With our implementation, and permission of the network
administrator, we were able to recover the 128 bit secret key used in a
production network, with a passive attack. The WEP standard uses RC4 IVs
improperly, and the attack exploits this design failure. This paper
describes the attack, how we implemented it, and some optimizations to make
the attack more efficient. We conclude that 802.11 WEP is totally insecure,
and we provide some recommendations.

Text
http://www.cs.rice.edu/~astubble/wep/wep_attack.pdf
----------------------------------------------------------------------------
----

Adam Stubblefield


Back to the Index

Avoiding WLAN Set-up Headaches (Part I)

Home: www.packetnexus.com

Avoiding WLAN Set-up Headaches (Part I)
By Gerry Blackwell



The sudden explosion of Wi-Fi equipment on the market and the broad
acceptance of the technology by business and home users is mostly a good
thing for the industry and for users. But there is a downside.

Vendors, not without justification, have pushed the idea that Wi-Fi networks
are extremely easy to set up - and so they are sometimes. But sometimes, a
lot of times, they're not.

Too many companies are trying to do their own installs with only the most
rudimentary understanding of the equipment and of RF technology. Many as a
result screw up. It's too bad. Some of the mistakes they make are eminently
avoidable.

At this week's 802.11 Planet conference in San Jose CA, we're convening a
panel of grizzled veterans of the fixed wireless wars to discuss "Building &
Equipping Wireless Networks That Work." It's essential training for novice
WLAN designers.

We thought we'd offer a little conference preview, though, so we called on
panelist Jesse Frankel, chief strategy officer and vice president of
advanced technology at NeTeam Corp. (www.neteam.com) in Akron OH.

"There are cases," says Frankel, "where you can take the equipment out of
the box, turn it on and it works. But there are many others where it's a lot
more complex."

Frankel, with over ten years experience in the field, including pioneering
work at Austin TX-based Wayport Inc. (www.wayport.com), was a perfect choice
for our conference forum.

His company, which refers to itself as "The Wireless Network Architects,"
has worked with scores of clients across the eastern U.S., setting up office
WLANs, campus networks, point-to-point bridges and even a few wide area
access networks - mostly using 2.4 GHz spectrum. The company also has
offices in Atlanta and southern Florida.

NeTeam is the designer of one of the largest Cisco Aironet installations -
if not the largest - in the U.S., at the University of Akron right in the
company's home town.

The UA network will eventually provide broadband wireless coverage in every
one of the campus's 80-odd buildings and across all the green spaces in
between. So far the build-out includes 650 access point, but the NeTeam
design calls for double that number.

In the first of this two-part article, Jesse Frankel talks about some of the
common mistakes self-installers make and how to solve them. In the second
part, we'll take a more step-by-step approach to designing WLANs that work.

Not surprisingly perhaps, Frankel suggests that sometimes self-installers
can't solve all the problems they encounter, that it takes an expert - like
him. Still, some problems are avoidable as we'll see.

One of the most egregious design blunders Frankel has ever seen was by an
unnamed company that set up a point-to-point bridge to link two buildings.
The design and install were done during the winter when the trees were bare.
You can guess what happened.

"Come spring," Frankel relates, "they discovered there were leaves in the
way of the path. Which totally screwed up the reliability of the link. It's
obviously something you need to take into account."

The key mistakes made: poor path analysis - or no path analysis at all - and
inappropriate selection of antenna.

Most companies recognize that setting up outdoor point-to-point bridges
requires specialized expertise and wouldn't think of doing it themselves, he
says. But the same is not true of indoor office WLANs.

"The main problem we see in WLAN self-installations i



Avoiding WLAN Set-up Headaches (Part II)

Home: www.packetnexus.com

Avoiding WLAN Set-up Headaches (Part II)
By Gerry Blackwell



Building WLANs that really work may not be as easy as it's cracked up to be,
as we started to discover last week in the first part of this two-part
primer on design and implementation.

In Part I, Jesse Frankel, chief strategy officer and vice president of
advanced technology at Akron OH WLAN integrator NeTeam Corp.
(www.neteam.com), pointed out some of the wires that all too often trip up
first-timers.

Readers who took in last week's 802.11 Planet conference in San Jose will
also remember Frankel as a panelist in the "Building & Equipping Wireless
Networks That Work" session. This week, he takes us through some of the
basic step-by-step process of designing and installing a successful WLAN.

The first set of steps - and as in most IT- and communications-related
projects, it's absolutely crucial - is gathering and analyzing requirements.

"You have to make sure that all of the real-life usage requirements are well
understood," Frankel says. "One thing we harp on is understanding users'
performance expectations. A lot of people may not have a totally realistic
idea of what can be achieved. And then we also run into a lot of people who
haven't thought about the question at all."

This goes back to an example Frankel used last week of a training room where
30 users may all need to connect at once over the WLAN. If the room is only
within range of one access point, users will not get the performance they
expect.

You also have to look at the existing wired infrastructure, he says -
assuming the WLAN is an extension of or overlay on an installed wired LAN -
and ask what new equipment, if any, and what integration effort will be
required to make LAN and WLAN work together seamlessly?

Then there are constraints and restrictions related to the physical
infrastructure and the environment. What are the building materials and how
will that effect propagation if at all? And where is it permissible to
install antennas and access points in the facility?

"Sometimes there can be aesthetic requirements," Frankel notes. "You don't
see it so often in office settings, but if you've got an executive floor,
people sometimes don't want antenna masts sticking out through the ceiling,
for example."

Another set of questions about requirements bears on security issues. In
many installations, you may need optimum performance near the perimeter of
the coverage area. But without careful design, that can result in coverage
extending well beyond the perimeter - up to a half mile outside the building
in some cases.

"This is something that is generally not well understand," Frankel says. As
witness all the stories about hacktivists cruising up to office buildings
and easily hacking into the corporate WLANs inside.

There are ways to solve such problems using pico-cell architecture,
employing low-powered access points. It's even possible to engineer a WLAN
that will provide good coverage in one area - a boardroom say - but no
coverage at all in an insecure adjacent area such as a lobby.

"This phase of the requirements collection and investigation is where a lot
of the competency comes into play," Frankel points out. "Much of the
effectiveness of [NeTeam's] process is the result of [what we do in] this
initial phase."

Another aspect of requirements gathering is understanding cost objectives.
There are costs outside the price of the access points themselves and the
cabling.

One important question is how easy or



Understanding Basic WLAN Security Issues

Home: www.packetnexus.com

Understanding Basic WLAN Security Issues
By Eric Janszen



A wireless LAN is the perfect way to improve data connectivity in an
existing building without the expense of installing a structured cabling
scheme to every desk. Besides the freedom that wireless computing affords
users, ease of connection is a further benefit. Problems with the physical
aspects of wired LAN connections (locating live data outlets, loose patch
cords, broken connectors, etc.) generate a significant volume of helpdesk
calls. With a wireless network, the incidence of these problems is reduced.

There are however, a number of issues that anyone deploying a wireless LAN
needs to be aware of. First and foremost is the issue of security. In most
wired LANs the cables are contained inside the building, so a would-be
hacker must defeat physical security measures (e.g. security personnel,
identity cards and door locks). However, the radio waves used in wireless
networking typically penetrate outside the building, creating a real risk
that the network can be hacked from the parking lot or the street.

The designers of the IEEE 802.11b or Wi-Fi tried to overcome the security
issue by devising a user authentication and data encryption system known as
Wired Equivalent Privacy, or WEP.

Unfortunately, some compromises that were made in developing WEP have
resulted in it being much less secure than intended: in fact a free program
is now available on the Internet that allows a hacker with minimal technical
knowledge to break into a WEP-enabled wireless network, without being
detected, in no more than a few hours.

The IEEE standards group is working on an improved security system that is
expected to overcome all of WEP's known shortcomings but it is unlikely that
products incorporating the new technology will be widely available before
late 2002 or early 2003.

In the meantime, security experts agree that all sensitive applications
should be protected with additional security systems such as Internet
Protocol Security (IPsec). However, if excessive security measures are
forced on users of non-sensitive applications, the wireless network becomes
cumbersome to use and system throughput is reduced.

A good wireless networking system should therefore provide a range of
different user authentication and data encryption options so that each user
can be given the appropriate level of security for their particular
applications.

Another point to bear in mind is that each access point in a Wi-Fi network
shares a fixed amount of bandwidth among all the users who are currently
connected to it on a first-come, first-served basis. It is therefore
important to make sure that sufficient access points are installed for the
expected volume of users and traffic. Even then there is a tendency in a
first-come, first-served kind of network for a small number of wireless
devices (typically those who are physically closest to the access point) to
grab most of the available bandwidth, resulting in poor performance for the
remaining users. The best way to resolve this issue is to choose a system
which has quality of service (QoS) features built into it.

Since one of the major benefits of wireless networking is user mobility,
another important issue to consider is whether users can move seamlessly
between access points without having to log in again and restart their
applications. Seamless roaming is only possible if the access points have a
way of exchanging information as a user connection is handed off f



Cipher attack delivers heavy blow to WLAN security

Home: www.packetnexus.com

Cipher attack delivers heavy blow to WLAN security
By Patrick Mannion, EE Times
Aug 3, 2001 (3:51 PM)
URL: http://www.eetimes.com/story/OEG20010803S0082

MANHASSET, N.Y. � A new report dashes any remaining illusions that
802.11-based (Wi-Fi) wireless local-area networks are in any way secure. The
paper, written by three of the world's foremost cryptographers, describes a
devastating attack on the RC4 cipher, on which the WLAN wired-equivalent
privacy (WEP) encryption scheme is based.

The passive network attack takes advantage of several weaknesses in the
key-scheduling algorithm of RC4 and allows almost anyone with a WLAN-enabled
laptop and some readily available "promiscuous" network software to retrieve
a network's key � thereby gaining full user access � in less than 15
minutes.

The new attack has implications for a wireless LAN market that is on the
cusp of reaching critical mass. According to Frost & Sullivan, the WLAN's
market value will approach $2 billion by the end of this year and spring to
almost $5 billion by 2005.

The fallout for WLANs could be "huge, mainly because you can recover the key
in roughly 15 minutes with a 40-bit key," said Bill Arbaugh, assistant
professor of the Computer Science Department at the University of Maryland
and the author of that university's WEP attack. "And it scales linearly with
the number of bits used. It makes little to no difference if you go to 128
bits."

The IEEE-802.11i Task Group (TGi) has been hard at work defining a second
version of WEP (WEP2) that would use a 128-bit key instead of the 40-bit key
now widely deployed.

Complicating the matter, said Arbaugh, is that in many cases RC4 is
implemented as an ASIC, so it is impractical to make changes to deployed
systems. Other schemes tend to put the encryption in software and hence can
be upgraded in response to such attacks.

Previous attacks on the long-embattled WEP protocol � most notably by
researchers from Berkeley and the University of Maryland � have taken
anywhere from eight hours to several days. And those attacks resulted only
in the capture of finite amounts of data passing on that network, not the
retrieval of the full network key.

Renowned cryptographers Adi Shamir and Itsik Mantin of the Computer Science
Department of the Weizmann Institute (Rehovot, Israel) and Scott Fluhrer of
Cisco Systems Inc. (San Jose, Calif.) describe the new attack in a report
titled "Weaknesses in the Key Scheduling Algorithm for RC4." They will
present the report at the Selected Areas in Cryptography (SAC) conference in
Toronto Aug. 16-17.

Devastating blow


"This is devastating to the standard," said David Wagner, an assistant
professor in the Computer Science Department at Berkeley, who worked with
the two students involved in the infamous Berkeley attack earlier this year.
"They're able to break the scheme with fewer resources, and the impact [of
that break] is much more significant.

"It's definitely a big advance and leaves me all the more worried about
security, as more than ever it raises the possibility of someone riding
around in a van and intercepting your wireless communications in the
office."

"We all knew it could be done," Craig Mathias, principal at the Farpoint
Group (Ashland, Mass.), said of the attack. "The whole purpose of WEP was to
make it difficult, not impossible. Forty bits was all the [IEEE 802.11
Working Group] could legally



Wireless technology presents new security challenges

Home: www.packetnexus.com

Wireless technology presents new security challenges


September 7, 2000
Web posted at: 12:27 p.m. EDT (1627 GMT)


by Matt Hamblen

(IDG) -- Every business should be lucky enough to get a visit from a
friendly hacker like Jeff Schmidt. On July 27, Schmidt tried out a brand-new
wireless LAN card on his laptop at work. He didn't expect anything to
happen, because his organization's wireless LAN wasn't up and running yet.
But to his surprise, he was able to connect without any trouble to the
network of an office down the street. Oops.

Rather than swipe passwords from the other office's domain name server,
Schmidt called the office to warn it. It shut down its wireless hub shortly
thereafter, he says.

Schmidt, a network engineer at the U.S. Department of Agriculture in New
Orleans, provided printouts of his communications with the other office,
which he declined to name.

"Imagine our surprise when their hub instantly returned my signal," Schmidt
says. "Since the other office was still using the factory defaults on its
wireless hub, I connected just fine. No hacking, no planning - just plain,
dumb chance."

Chance played a key role in Schmidt's penetration of an outside network, but
analysts say wireless LANs can be easily accessed by neighbors - friendly or
not - and need strong protection.

According to analysts, information technology managers can provide robust
security by making sure wireless users are authenticated, preferably with a
user name and password as well as a token. They also say encryption should
be used end-to-end in a connection.

Security can even be made strong enough to allow purchases or money
transfers over the Web, banks and retailers say.

"We feel very comfortable with our wireless security, and we feel our
equipment is secure," says Mark Ebel, director of digital communication
services at BestBuy.com, a division of Best Buy Co. in Eden Prairie, Minn.

"However, we do believe we have to get better at security than today's
approach, because if we don't do something, we know the hackers will find
ways to get better," he adds.

BestBuy.com is about to launch wireless purchasing on its Web site. The
system has worked well in tests but hasn't been launched yet because the
company has been tweaking other features of the site that aren't related to
security.

Banks such as Wachovia Corp. in Winston-Salem, N.C., are confident enough
about wireless security to plan a rollout of banking services for consumers
and businesses by year's end.

One group that has already gone wireless is 500 attorneys at Paul Hastings
Janosky and Walker LLP in Los Angeles. The lawyers send e-mail wirelessly
via Research in Motion Ltd. (RIM) BlackBerry personal digital assistants,
which resemble pagers with small keyboards. They started using the devices
last October.

"They have been an invaluable tool for the lawyers, and a lot of them
travel," says Mary Odson, CIO at Paul Hastings. "We carefully evaluated the
RIMs and the network, since security with legal matters was one of the most
important components."

Banking on wireless
Encrypting connections from end to end requires a developer to consider
every device used to access a network, users and analysts say. In addition,
the security standards of each wireless network carrier must be understood.

To deal with this complexity, Wachovia chose 724 Solutions Inc. in Toronto
to help it develop wireless banking applications, says Lawrence Baxter, head
of e



Some good ideas about wireless networking.

Home: www.packetnexus.com

Some good ideas about wireless networking. 

We recently had a "wireless summit" here at SDSC and UCSD.

We brought together staff, system admins, network admins, some
faculty, and one of the authors of 802.11.

I'll post some notes from our workshop later, but I will offer a few
quick tidbits:

* WEP is useless; use end-to-end encryption, such as IPSEC, SSH, or
  SSL, whatever you have.  WEP requires long-term keys, which everyone
  will need to have, and also limits the number of connections per
  access point.  It costs more and does less than end-to-end software
  encryption.

* *require* some form of strong authentication (with auditing) to use
   the wireless network

* you can't stop a DoS within a single access point, you can restrict
  DoS (perhaps) to only the wireless net, you MUST restrict DoS from
  the wireless net to the rest of your nets (and the world)

* the wireless net should be unrouted, and "flat"; don't mix wireless
  and wired on the same subnet, it is easier to run a single wireless
  net for an sntire campus (unrouted class-A if needed) than to deal
  with mixed wired/wireless issues

* a really cranky and agressive firewall/filter/proxy between the
  wireless net and all your other nets is pretty much a requirement.

- --tep


Back to the Index

Tutorial: Wireless Security

Home: www.packetnexus.com

Tutorial: Wireless Security

  January 22, 2001
  By Mike Fratto


While WAP (Wireless Application Protocol) applications are all the rage in
Europe and NTT's DoCoMo is storming through Japan, the United States is just
beginning to see WAP devices emerge. As transaction-based Internet access
applications, such as checking stock quotes and banking and buying via cell
phones or handheld devices, takes off, the need for secure wireless
connectivity is gaining ground.




Wireless security is not much different from wired security. You want
several things from security, wired or not: authenticate whom you are
talking to, secure the data as it travels from the handheld device to the
destination host, and ensure that the traffic hasn't been altered en route.
Not unlike what Amazon.com, E-Trade or a VPN gateway does in the wired
world.
However, wireless has some unique difficulties, such as limited bandwidth,
high latency and unstable connections. Several options just around the
corner address these issues. We will be focusing on two approaches: Wireless
Transport Layer Security (WTLS) -- an SSL-like security protocol--and
connection-oriented security communication using established protocols, such
as IPsec and SSH.

Understanding WTLS

WTLS functions similar to SSL (Secure Sockets Layer), which is alternatively
known as Transport Layer Security (TLS). WTLS provides for client or server
authentication and allows for encryption based on negotiated parameters
between the handheld device and the WAP gateway. WTLS's key exchange
protocol is uniquely suited for wireless applications. Vendors can implement
any of three classes of authentication types.

Class 1 (anonymous authentication) has limited use -- mainly for testing
purposes -- because end users have no way of determining to whom they are
talking. The client forms an encrypted connection with an unknown server.
Class 2 (server authentication) probably will be the most common model used.
As with SSL, once clients are assured they are talking securely to the
correct server, they can authenticate using alternative means such as user
name/password. Bear in mind that WTLS certificates are not the same as X.509
certificates, and they can't be used interchangeably. Class 3 (server- and
client-authentication) is possibly the strongest class, as the server and
the client authenticate each other's WTLS certificate.

Client certificates required for Class 3 authentication pose special
management problems. Not only must the key pairs be generated on the mobile
device (or generated in bulk and securely loaded onto the mobile devices),
but the client certificate has to be safeguarded and managed until the
certificate expires. Client certificates need not be retained on the
handheld device. Rather, during negotiation, the client may refer the WTLS
gateway to a directory to retrieve the client certificate from a directory.
That saves the bandwidth needed to send the client certificate over the air
and may improve negotiation performance; however, the WAP gateway needs to
trust the directory the client refers to in order to have any assurance of
authentication. The directory that holds user certificates also must be
available at all times, or it won't be able to retrieve the certificate when
requested. The key pair associated with the client certificate resides only
on the client.

Bear in mind that the WTLS specification does specify cryptographic
algorithms that may be supported by WAP devices, but doesn't require any for
basic functionality. For example, the WTLS 



Wireless Policies

Home: www.packetnexus.com

Wireless Policies (Draft 08/8/2000)

Intent
The expected proliferation of wireless communications products in the next
few years and the resulting likelyhood of interference between devices and
services using wireless make it essential that wireless activities on the
UCSD campus be coordinated. This is particularly important in public open
access areas where several campus activities may have an interest in a
similar wireless service.

This document sets out policies and procedures to provide that coordination.
It also describes a cooperative pilot project that will encourage an
organized approach to uniform 802.11b wireless data networking in general
access and departmental areas.

The document is presently in a rather odd outline format with textual
explanations embedded. This will be converted to a more straightforward text
document in the final form. The document also contains references to and
extractions from notes from other institutions that have been used to
formulate the UCSD policy. These will be removed as the UCSD policy is
finalized.
Key points

Wireless base stations must be registered and coordinated throughACTNO

Probably all wireless equipment will be required to register

Any conflict between wireless devices will be resolved in favor of general
access

A cooperatiive effort to eliminate interference

ACT/NO creating a subsidized 802.11b, 11 Mbps. general access network in
certain public areas

Departments are expected to create additional segments attached to general
access network

Departments encouraged to use general access control mechanisms to allow
general roaming

General Access network is IP only

Addresses assigned via DHCP

Departmental segments run necessary protocols for business.

Pilot project question

Access control to general access network via network username/password
through SSL web browser

Passwordless access for known individual user devices or

UC X.509 certificates if available through UC implementation

Data security and access control are responsibility of the application
rather than the less general network card

There may be a VPN endpoint on campus to assist in data security

Consistent addressing and free mobility only within a building complex

Movement between building complexes will break software that creates long
term connections

The policies

Wireless equipment and users must follow general communications policies.
Wireless services are subject to the same rules and policies that govern
other communications services at UCSD. See in particular the following:
PPM sections on

Security

Responsibility

ACS use policy

Abuse or interference with other activities is a violation
Interference or disruption of other authorized communications or
unauthorized interception of other traffic is a violation of policy.
Radio interference
In addition, because of its dependence on a scarce shared resource, radio
communication is subject to additional rules concerning interference and
shared use.
Equipment must meet all applicable rules of regulatory agencies

FCC.

PUC

Equipment must be installed so as to minimize interference with other RF
activities particularly as described below.

Reporting: ALL wireless equipment (of greater than X power) must be
registered with ACTNO
The limited radio spectrum available, particularly in unlicensed
frequencies, and the resulting likelyhood of interference between uses
requires that ALL radio frequency equipment used on campus must be
registered in a central database so that the campus community can track the
use of radio spectrum.
Covered technolgies
Most



Wireless FAQ

Home: www.packetnexus.com

I found this in my search for wireless security info.  Section 9 is
security.  The FAQ is pretty good.

http://allnetdevices.com/faq/


Back to the Index

Wireless Security Howto

Home: www.packetnexus.com

Abstract: This aims to provide a detailed security howto for wireless
networks..


Why wireless is an insecure medium inherently (broadcast nature)
"15-mile sniff" example of San Francisco to Berkeley (Peter Shipley example)
Peter Shipley conducted a proof of concept of associating with a standard
desktop access point over 15 miles away across the SF bay, with a 24 dBi
parabolic grid, and a powerful amplifier.
Why people should be using these security measures on their wired networks
and on the wired internet, and not just the wireless networks.
Simple explanation of WEP problems (not the purpose of this text)
Brute Force
~200 days on a laptop for 40bit WEP, and 10^19 years for 104-bit WEP
Using vulnerabilities in the implementation of RC4 in WEP
you need to collect a lot of packets to complete this crack. ~6 million to
10 million. For a normal home user this is over 1 month of activity. For a
corporate wireless lan this is over a week (unless someone is doing some
high traffic activity such as backups across the wireless lan). Using ping
flooding to artifically generate more traffic (1 data byte ping packets) you
can generate enough traffic in over an hour. This attack can be a completely
passive attack. For tools search for AirSnort or WEPCrack on google or
freshmeat.
40-bit WEP becomes 21-bit wep when using generated pass phrases.
Tim Newsham's crack on passphrase generate WEP keys. Capture 20 packets,
analyze for a couple of minutes, and you have the WEP key. The passphrase
generated WEP keys are uses by vendors such as Linksys and DLink. Works on
128/104 and 64/40 bit WEP. (2^21 vs 2^40 = 2097152 possible combinations vs
1099511627776 possible combinations) http://www.lava.net/~newsham/wlan/
40-bit WEP becomes less when using ASCII password (~62^5 vs 2^40 = 916132832
vs 1099511627776)
http://www.cranite.com/wireless_card_install.htm for a list of the ASCII to
hexadecimal conversion.
Why you wouldn't use WEP in a public network. --Adam Shand
the security implications of 802.11b are basically not an issue for what
we're doing. i'm not sure how much detail you want on it but here's the real
basics and feel free to ask for more detail.
802.11b has a protocol called WEP (which stands for wired equivlent
privacy). wep was intended to give a wireless connection as much security as
a normal wired (like traditial ethernet) connection. so basically you can
control who connects, at a physical level, to your network.
wep has been widely used by corporations to deploy access points in their
corporate networks. this way you could deploy an access point inside your
firewall without fear of someone sitting in the parking lot using it.
the problem is that wep is an awfully written protocol. technically it has
more holes in it then a seive and an hostile attacker can circumvent it on
less then an hour with publically available tools. this really sucks for
corporations who have deployed access points in this way because now they
have a glaring security problem in the soft insecure part of their network.
... now, why don't i care? because we were never using wep. from a community
networking point of view wep is useless, it uses a shared password so anyone
who you want to give access to has to know the password, if you now want to
revoke access from someone (lets say cause they did something bad on the
network) you can do that without changing the password, which means that you
break everyone else ... and all your ot



Antenna on the Cheap (er, Chip)

Home: www.packetnexus.com

Published on The O'Reilly Network (http://www.oreillynet.com/)
 http://www.oreillynet.com/cs/user/wlg/448

Antenna on the Cheap (er, Chip)
by Rob Flickenger
Jul. 5, 2001

Like many would-be 802.11b hackers, I'm increasingly obsessed with pushing
more bits further and faster for less cost (I believe the unofficial goal of
our community wireless project is to provide infinite bandwidth everywhere
for free. Of course, there are problems with approaching infinity, but it's
still fun to try!)

The work that Andrew Clapp and others have done is helping to demystify the
ancient black magick of Resonance (i.e. antenna building). And so, over last
weekend, some friends and I decided to give it a go for ourselves.

(standard disclaimer): Anything you do with your gear is YOUR
RESPONSIBILITY. This is a stupid idea that will probably ruin your radio,
set your house on fire, bring the FCC to your door, ruin your crops, and
send famine and pestilence across the land. And as the operator, it is YOUR
RESPONSIBILITY to not take the word of some raving lunatic on the web with
funny colored hair, and find things out for yourself. Your mileage will
vary. I'm probably lying. You have been warned.

Anyway, our first run was a direct rip-off of Andrew Clapp's terrific
original design (knowing next to nothing about antenna construction, it's
helpful to start off with a working known good.) By using PVC, all-thread,
washers, some cheap copper tubing, a Pringles can, and some scrap cardboard,
we were able to make a prototype shotgun yagi in a matter of hours. Having a
couple of other excited alpha geeks around can help move construction
projects along very quickly.



Once this was up and running, we looked at the design, and of course
speculated about ways to optimize it. While a directional antenna showing
between 12 and 15db gain is impressive, it's also pretty large, physically.
We realized that, if we were careful, we could fit a full wavelength inside
the Pringles can itself (at a reduced total gain), but make the entire
antenna much more compact.

In about 45 minutes, we had the collector rod built, the locknuts on, and
the whole thing in place. The result: A Pringles can that pulls about 12db!


Parts list:
All-thread, 5 5/8" long, 1/8" OD $1.00
two nylon lock nuts $0.10
five 1" washers, 1/8" ID $0.10
6" aluminum tubing, 1/4" ID $0.75
A connector to match your radio pigtail
(we used a female N connector) $3.00
1 1/2" piece of 12 gauge solid copper wire
(we used ground wire from house electrical wiring) $0.00
A tall Pringles can
(any flavor, Ridges are optional.) $1.50
Scrap plastic disc, 3" across
(like another Pringles can lid) $0.00
Total: $6.45

Of course, buying in bulk helps alot. You probably won't be able to find a
6" piece of all-thread; buy the standard size (usually one or two feet) and
a 10-pack of washers and nuts while you're at it. Then, you'll have enough
for two, for about $10.


Tools required:
Ruler
Scissors
Pipe cutter (or hacksaw or dremel tool, in a pinch)
Heavy duty cutters (or dremel again, to cut the all-thread)
Something sharp to pierce the plastic (like an awl or a drill bit)
Hot glue gun
Soldering Iron

Construction time: about an hour


Front collector construction:
Mark and cut four pieces of tubing, about 1.2" (1 15/64"). Where did I get
this number? First figure out the wavelength at the bottom of the frequency
range we're using (2.412 GHz, or channel 1). This will be t



Top 10 Things To Know About Wireless

Home: www.packetnexus.com

Top 10 Things To Know About Wireless
Curious about interoperability, encryption, management and standards?

Here's the lowdown on wireless technology today. By Joel Conover

10. Cost

Thanks to integrated chipsets from Intersil Corp. (formerly Harris
Semiconductor), Lucent Technologies and other component manufacturers, the
cost of developing and delivering a wireless solution has dropped
significantly.

The result is a PC Card solution that is on par with that of wired Ethernet.
The products we tested for this article list for $179 to $249 per card? A
price that can be easily justified for home office or mobile users. Wireless
has become cost effective; for its PowerBook line of notebooks, Apple
Computer even has a wireless module that costs just $99, a price we expect
most vendors to hit within 12 months.

9. Performance

Wireless performance has nearly quadrupled over solutions based on
proprietary or even 2-Mbps products using 802.11. Single-card performance
can reach 6 Mbps, which is more than sufficient for the average business
user. Much of this is thanks to the 802.11b high-rate standards body, which
was driven primarily by Lucent and Harris. The 802.11b standard uses a
technology called CCK (complimentary code keying) to encode the wireless
data in a format that fits within the 802.11 DSSS (direct-sequence
spread-spectrum) FCC rules. CCK is what allows these wireless devices to
operate at 11 Mbps. Of course, CCK is not without its trade-offs; 11-Mbps
products have significantly shorter range than their 2-Mbps counterparts.
Fortunately, most vendors have implemented 802.11b products that drop back
to 5.5 Mbps, 2 Mbps and 1 Mbps as range increases. As you inspect our
performance charts (see graphics from main story), it is easy to identify
where the cards under test dropped down to lower rates to support increased
range.

8. Interoperability

The 802.11b high-rate wireless standard is the best thing ever to happen to
the industry. In our labs, we found that every one of the products we tested
was capable of interoperating with products from competing vendors. The fact
that we needed no special engineering support to make any of these products
work together tells us that this technology has finally jelled. Rather than
11 vendors delivering 11 wireless products, there is one industry capable of
delivering a wireless Ethernet solution.

The efforts of the IEEE and the Wireless Ethernet Compatibility Alliance
(WECA) and work being done at the University of New Hampshire are making
wireless interoperability a nonissue. The work of these groups guarantees
802.11b will be the future of high-speed wireless. Without these groups and
participation of the wireless networking vendors en masse, 802.11b would
just be another shot-in-the-dark technology. WECA's WiFi (Wireless Fidelity)
branding scheme is your guarantee that the wireless products you buy will be
interoperable.

7. DS Reigns Over FH

There is an almost religious war raging between the DS (direct sequence) and
FH (frequency hopping) camps. However, because of the technology used in
802.11b, only DS solutions can operate at 11 Mbps. Fortunately, DSSS offers
superior range and performance, and today's technology makes it affordable.

DS technology uses a chipping code to spread a signal across a larger chunk
of spectrum. A typical 2-Mbps DS system uses 11 chips to spread its signal,
resulting in about 22 MHz of spectrum utilized. Note that there's 83.5 MHz
of bandwidth, so you can get three clean DS channe



Using SSH Tunneling

Home: www.packetnexus.com

Published on The O'Reilly Network (http://www.oreillynet.com/)
 http://www.oreillynet.com/pub/a/wireless/2001/02/23/wep.html
 See this if you're having trouble printing code examples

Using SSH Tunneling
by Rob Flickenger
02/23/2001
They say that the Wired Equivalent Privacy protocol has been cracked. What's
a wireless user to do?

WaveLAN's silver and gold cards
In November, I wrote an introduction to Lucent's WaveLAN wireless card, the
802.11b PC card that we've been using at the O'Reilly Network to bring our
machines online in a wireless local area network.

A lot can happen in a couple of months. In that article, I explained the
difference between the WaveLAN silver and gold cards, and suggested that
since the gold cards were only a few dollars more for much stronger
encryption, it was worth it to buy the gold cards (assuming that breaking
total compatibility with the 802.11b spec wasn't an issue.)

Since then, a team of cryptographers at the University of California at
Berkeley identified weaknesses in the way the Wired Equivalent Privacy (WEP)
algorithm was implemented in 802.11b, potentially making the strength of
encryption irrelevant.

This news should not be cause for alarm, or even discomfort. WEP was not
designed to be the ultimate "killer" security tool (nor can anything claim
to be). Its acronym makes the intention clear: wired equivalent protection.
In other words, the aim behind WEP was to provide no greater protection than
you would have when you physically plug into your Ethernet network.

So, if it has been cracked, what good is WEP? And how can one protect
oneself if WEP isn't the answer?

802.11b's security weaknesses
"You can try it for yourself; run tcpdump on your laptop, and watch the
traffic going through your access point just fly by!"
WEP has never provided much more than a form of access control to your
wireless nodes. With a shared private key, everyone participating in your
network has the potential to eavesdrop on everyone else. You can try it for
yourself; run tcpdump on your laptop, and watch the traffic going through
your access point just fly by! Passwords, private e-mails, web traffic,
everything could potentially be logged and pored over later by anyone who
can associate with your access point.

Plus, key management under 802.11b is difficult. Who wants to distribute a
shared password, only to have to change it regularly (and revisit all of
those clients who weren't adept enough to set it up themselves in the first
place?) Some drivers try to cope with this by letting the user assign
multiple keys and pick between them, but this just postpones the inevitable.

Tunneling for security
WEP insecurity really isn't a problem for people who are already tunneling
their traffic. Sure, Johnny and Jane Cracksalot may point their high-gain
dish at the company from two blocks away, and even take the 5+ hours and
gigs of disk space necessary to track every packet. But if you're using an
SSH tunnel from your laptop to your servers, they'll still have the
insurmountable task of cracking strong cryptography (Blowfish, 3DES,
Arcfour, etc.). Until someone finds a cheap way to build a quantum computer
(and perhaps a cold fusion cell to power it) this is generally considered a
waste of time. Ditto for SSL (Secure Sockets Layer) connections to secure
web servers.

A tunnel is a networking term with an appropriate name. It refers to a
connection, usually encrypted, that connects two computers to



War driving by the Bay

Home: www.packetnexus.com

http://www.securityfocus.com/news/192

War driving by the Bay
Wireless network hacking turns cyber attack into street crime.
By Kevin Poulsen
Apr 12 2001 4:57PM PT

SAN FRANCISCO--In a parking garage across from Moscone Center, the site of
this year's RSA Conference, Peter Shipley reaches up though the sunroof of
his car and slaps a dorsal-shaped Lucent antenna to the roof-- where it's
held firm by a heavy magnet epoxied to the base.

"The important part of getting this to work is having the external antenna.
It makes all the difference" says Shipley, snaking a cable into the car and
plugging it into the wireless network card slotted into his laptop. The
computer is already connected to a GPS receiver -- with its own mag-mount
roof antenna -- and the whole apparatus is drawing juice through an octopus
of cigarette-lighter adapters. He starts some custom software on the laptop,
starts the car and rolls out.

Shipley, a computer security researcher and consultant, is demonstrating
what many at the security super-conference are quietly describing as the
next big thing in hacking. It doesn't take long to produce results. The
moment he pulls out of the parking garage, the laptop displays the name of a
wireless network operating within one of the anonymous downtown office
buildings: "SOMA AirNet." Shipley's custom software passively logs the
latitude and longitude, the signal strength, the network name and other
vital stats. Seconds later another network appears, then another:
"addwater," "wilson," "tangentfund."

After fifteen minutes, Shipley's black Saturn has crawled through twelve
blocks of rush hour traffic, and his jury-rigged wireless hacking setup has
discovered seventeen networks beaconing their location to the world. After
an hour, the number is close to eighty.
'People don't believe there's a security problem if you don't prove it to
them.'
-- Peter Shipley
"These companies probably spend thousands of dollars on firewalls," says
Shipley. "And they're wide open."

"Absolutely huge"
Dramatic drops in hardware prices over the last year have made it enormously
attractive and convenient for corporations and home user to go wireless, in
particular with equipment built on the 802.11 standard - which was
popularized with Apple's AirPort, and is now widely used on PCs. But
computer security experts say that in the rush towards liberation from the
tethers of computer cable, individuals and companies are opening the doors
to a whole new type of computer intrusion.

"It's absolutely huge," says Chris Wysopal, also known as ""Weld Pond,"
director of research and development at Boston-based @Stake. The company
added wireless auditing to their consulting menu approximately two months
ago, after months of laboratory research convinced them that it was a grave
problem. "802.11 is inherently less secure than other wireless technology,
Wysopal says, "and the way it's being deployed makes it worse."

The 802.11 cards and access points on the market implement a wireless
encryption standard, called the Wired Equivalent Protocol (WEP), that in
theory makes it difficult to jump onto someone's wireless network without
authorization, or to passively eavesdrop on communications. But in January,
researchers at the University of California at Berkeley published a paper
revealing a number of severe weaknesses in WEP that allow attackers to crack
the crypto with sophisticated software, and ordinary off-the-shelf
equipment.

"Hardware to listen to 802.11 transmissions is readily available 



The war over 802.11x security

Home: www.packetnexus.com

The war over 802.11x security
By Rich Santalesa, Enterprise
July 10, 2001 3:00 PM PT
URL:
http://www.zdnet.com/enterprise/stories/wireless/0,11928,2783681,00.html
Not long ago, when wireless networking was new and rare, security was an
afterthought. The reason? The scarcity of 802.11b cards acted as a form of
back-handed security. If no one had an 802.11b card, outsiders couldn't very
well scan your setup, right? Now, however, that's changed. Wireless gear is
readily available--and cheap--so that almost anyone with a PC can afford a
Wi-Fi network card, making security more vital.

Why? Ever hear of "war driving"? War driving is the updated version of "war
dialing"--popularized in the 1980s by the movie War Games--in which a PC
dials number after number attempting to locate other modems. In war driving,
you take an 802.11b-equipped notebook, the right software and, well, drive
around scanning for 802.11b access points (APs).

For example, with a utility like Marius Milner's nicely done Network
Stumbler, pinpointing and cataloging any AP in the area is child's play.
Network Stumbler scans for networks roughly every second and logs all the
networks it runs into--including the real SSIDs, the AP's MAC address, the
best signal-to-noise ratio encountered, and the time you crossed into the
network's space. If you add a GPS receiver to the notebook, the program even
logs the exact latitude and longitude of the AP.

Milner didn't create Network Stumbler for any nefarious purpose, but rather
to learn more about wireless networking and to aid in public-access wireless
networking projects. I use the program myself during wireless network
installs to test coverage and APs.

Still, those with more devious intentions can use the same tactics to locate
unsecured corporate APs behind the firewall. That means everything on the
network is potentially accessible. Remember the old saying, "Fool me once,
shame on you. Fool me twice, shame on me"? Well, any company that finds its
carefully protected network has a wide-open back door when someone sets up a
"test" 802.11b AP will likely take steps so it's not fooled again.

How so? For starters, by making sure that any use of corporate wireless
networking includes Wired Equivalent Privacy (WEP) and authentication
systems. In the face of a determined attack, WEP--which isn't perfect by a
long shot--makes it more difficult for the attacker to succeed.

In the meantime, the IEEE 802.11 Task Group I of the 802.11 Working Group is
working on a draft text to "enhance the current 802.11 MAC to provide
improvements in security." Although everyone recognizes the need for
additional wireless security, the Task Group's conclusions and
recommendations have raised concerns.

For example, the IEEE 802.11 Task Group I's latest full meeting in May
basically settled on making Kerberos authentication mandatory and left open
the possibility of requiring new and additional authentication methods (such
as RADIUS). Additionally, a motion to remove WEP2, which improves on WEP but
doesn't completely address the need for easy, strong encryption, failed.
While WEP is acknowledged to have serious problems, WEP2's sliding window
algorithm makes breeching more difficult for attackers. WEP2's improvements
include 128-bit encryption keys and better encryption algorithms. But since
it's based on the same RC4 encryption and key system as WEP, it's vulnerable
to the same attacks.

But the Kerberos mandate was 



Bridging 802.11 Networks with Linksys

Home: www.packetnexus.com

Published on The O'Reilly Network (http://www.oreillynet.com/)
 http://www.oreillynet.com/pub/a/wireless/2001/08/24/linksys.html
 See this if you're having trouble printing code examples

Bridging 802.11 Networks with Linksys
by Glenn Fleishman
08/24/2001


My downstairs office neighbor, a running coach named Tony, has an inquiring
mind. He has heard me and my officemates wax sci-fi about wireless IEEE
802.11b networking. We somehow got him jonesing for it for when he expanded
his coaching facilities to a second office in a building about 30 feet away,
to which a wired extension to our shared network wasn't possible.

The new office is embedded bunker-like into a concrete foundation below
ground, as well as having thick walls in its above-ground portion.
Otherwise, we could have hung his new computers as wireless devices on our
existing 802.11b network. He also has some legacy equipment that needs an
Ethernet hub, so couldn't go entirely wire free.

We needed a solution that would allow us to extend our high-speed Internet
service as well as the rest of the intranet in our existing building to
Tony's new office 30 feet away. We wanted to bridge the gap wirelessly,
making one seamless combination of wired and wireless networks. I'd been
following discussions on the Bay Area Wireless User Group's (BAWUG) mailing
list about the Linksys WAP11 access point (AP), and thought a pair of them
might do the trick.

At a street price (with manufacturer's rebate) of about $185, this AP
supports a firmware upgrade that turns it into the bargain wireless bridge
of the century. Comparable devices from vendors such as Cisco can run $800
or more.

The Wireless Access Point
Typically, an access point acts as a central hub, router, bridge to
Ethernet, and server for dynamic host configuration protocol (DHCP) and
network address translation (NAT), as well as other functions. The standard
home gateways often have a wide-area network (WAN) Ethernet port (to connect
to a DSL or cable modem) and one or more local area network (LAN) ports for
the local network.

The access point negotiates with wireless computers and other devices, hands
out non-Internet-reachable NAT addresses via DHCP, and bridges traffic from
the wireless LAN to the wired LAN and, through it, out to the Internet.
(Home gateways with a WAN port bridge the traffic internally and send it all
the broadband router.)

The Linksys WAP11 with its single Ethernet port handles all this perfectly
fine. It has minimal but sophisticated options for set up, and removable
antennas with standard connectors so that you could hang a higher-gain
antenna off the back - important for connecting networks over longer
distances.

Upgrading to build a bridge
But the bridging firmware makes the WAP11 more than just cheap and
functional. In bridging mode, you can connect two or more WAP11s together to
pass wired Ethernet traffic among one another, creating a super-network. If
you have multiple facilities nearby or with line of sight between them, you
can avoid telephone company digital line charges, as well as recurring fees
for separate Internet connections in each facility.

Linksys's firmware upgrade 1.4f5, which supports bridging, was released,
pulled and then re-released; the version number stayed the same. The two
WAP11's I purchased for our multi-office installation came with release 1.3i
installed; reports indi



802.11 Alphabet Soup --What's g Got that b and a Don't?

Home: www.packetnexus.com

http://www.ispworld.com/isp/newsletter/tech/standards_120701.htm


802.11 Alphabet Soup --What's "g" Got that "b" and "a" Don't?

By Doug Mohney 
ISPworld News 


Are you confused over the three (3) different wireless standards,
802.11a, 802.11b, and 802.11g? Of course, each of these standards were
implemented in different orders, so here's our snapshot of the three
unlicensed.  

802.11a - This standard uses the 5 Ghz wireless band, but different
parts of the 5 Ghz band are approved for use in North American verses
the rest of the world. 802.11a is designed to crank data at rates
starting at 54 Mbps using an encoding scheme called orthogonal frequency
division multiplexing (OFDM). Some of the hardware is incorporating
proprietary schemes to use two virtual data channels for speeds of 108
Mbps. Equipment using 802.11a is just starting to hit the shelves at a
list price of around $450 for a notebook PC card or $700 for an external
"access point."  The newly minted trade name for the standard is WiFi-5.


802.11b - Using the 2.4 Ghz wireless scheme, 802.11b is a worldwide
standard that delivers throughputs of up to 11 Mbps.  There are
literally hundreds of thousands of cards and devices using the standard
worldwide at pricing as low as $99 for a PC card and under $150 for an
access point. The trade name to cover up geek label 802.11b is WiFi. 

802.11g - Just ratified in November, 802.11g works in the 2.4 Ghz
wireless band and is designed to support speeds at 1.1 Mbps, 5.5 Mbps,
11 Mbps, 22 Mbps, and 54 Mbps. The standard is designed to be backwards
compatible with the 802.11b standard, but there may be a split of how
data rates beyond 11 Mbps are implemented, since the two major wireless
chip manufactures are split on how to do it. TI has a subtle lead in
this race since they managed to incorporate the 22 Mbps data rate into
shipping chip sets AND got their 22 Mbps standard incorporated into the
802.11g rate. No trade name has been assigned for the higher standard. 

Which standard is the best? From a pure technical standpoint, 802.11a is
the best because it delivers the most sheer speed and is in the 5 Ghz
band. The 5 Ghz band is relatively uncluttered with other devices, but
2.4 Ghz is full of extraneous garbage from wireless phones, microwave
ovens, and even Bluetooth devices. (Bluetooth is a separate wireless
standard designed to network PC devices) On the other hand, 802.11b is
established and cheap and has an upward growth path to the faster
802.11g standard. 



 
 

What's New 
Microsoft Resource Center Live on ISPworld! 
  If you're a Service Provider, you need to check out the Microsoft
Resource Center on ISPworld. This new resource provides you with the
software, support, and resources necessary to run your business more
efficiently. Take advantage of technical and business resources, white
papers, How-to Articles, the Microsoft Knowledge Base, licensing and
certification programs, bulletin boards and much more! Just click on the
Microsoft Resource Center link on the ISPworld home page! 

http://www.ispworld.com/msrc.htm


------------------------------------------------------------------------
--------
  ISPworld Enhanced Sections 
More news and information can be found on ISPworld in recently launched
sections: Breaking Ne



The Art of War Driving

Home: www.packetnexus.com

The Art of War Driving

Members of the ISP-Wireless list share wit, wisdom, and stories about
fighting the latest iteration of bandwidth thief. No hacker tool is as
terrifyingly powerful as Windows XP.

[December 18, 2001]   

On the ISP-Wireless list in November, JD inquired, 

"I've got three CPRs up in AP mode right now, and all of them have now
seen hackers connect to them. Is this just random associations, or
competitors, or what?" 

A number of respondents shared some possible explanations: 

[KM warned] "These guys are probably your competition, trying to check
out what equipment you are using, and seeing if they can find a
weakness." 

[MB admitted] "Being a student, war driving is something we do when
we're not partying; we used to drive around and download all night long
in our van." 

Others noted that Windows XP can sometimes do this without even trying: 

[EG observed] "Windows XP will automatically scan for you and jump on
the best network it can find. It's the best hacker tool there is right
now, because with XP, a novice can become a hacker without even knowing
about it!" 

[JN agreed] "While using my Windows XP laptop this afternoon to align an
antenna at a client site, I stumbled across two other networks without
even trying: one competitor, and one 802.11b corporate LAN." 

ML offered a tutorial in the fine art of war driving: 

"Here is what I have done to educate myself on the strengths and
weaknesses of the wireless systems in my area, learn my customers'
traffic patterns, and deal with the war drivers who want a free ride on
our system. 

"First, learn your surroundings by becoming a war driver yourself. I use
NetStumbler to determine other DS access points in my area. A quick
drive around one of my service areas with an omni sticking out of the
sunroof produced 26 DS access points, including five of my own. Using
GPS, NetStumbler can give good approximations of AP locations as well.
This told us how many channels were in use and by whom, what kind of
equipment was being used, approximate antenna locations, and signal
strengths. Asking around in your area, and keeping an eye out for 2.4
GHz antennas, will also serve as excellent sources of clues as to what
the competition is doing. 

"Second, determine your customers' traffic patterns, and detect war
drivers. What you need is some kind of network sniffer that can collect
packet data and provide a useful format for reading that data, as well
as some kind of graphing program to monitor historical trends. We have
used MRTG for some time to monitor the traffic on our routers. By having
SNMP-capable switches at each AP location, we can monitor the bandwidth
on the port that serves the AP gateways. Ntop, a network protocol
analyzer for Linux, will provide all the information you need about the
traffic on the network segment it's monitoring. Ntop makes it easy to
spot hackers: it provides the MAC address, manufacturer, IP addresses
used, when they appeared, and where they went while they were on the
network. The first time we turned Ntop on, an ex-employee was sitting
right there on our network just like any other paying customer, except
he was no longer paying for it. 

"Third, you need some kind of bandwidth management. Fortunately, CBQ
capability is in the stock RedHat 6.2 kernel; all that's needed is a way
to specify the bandwidth rules with a set of commands. A script called
CBQ-Init [ftp] works like a champ. All open IP addresses that are not in
use are set to zero Kb up and zero Kb down: everything looks normal, but
no traffic passes. Presto,



Improving WLAN Security

Home: www.packetnexus.com

Improving WLAN Security
As the vulnerabilites of 802.11b wireless networks become widely known
and exploits are made available, ISPs need to improve security. We
examine tools-and basic security procedures-that are available to
everyone.

by Lisa Phifer
VP Core Competence, Inc. 
[November 26, 2001] 
  

Over the past year, much has been written about the vulnerabilities of
802.11b wireless LANs. Researchers from AT&T Labs, UC Berkeley, Intel
[.zip], and University of Maryland have identified holes in Wired
Equivalent Privacy (WEP) that let attackers learn the keys used to
encrypt 802.11b traffic. 

Tools like NetStumbler exploit 802.11b behavior, sniffing the airwaves
to discover cards, access points, and the peer-to-peer or infrastructure
networks in which they participate. AirSnort and WEPCrack even use
captured traffic to recover crypto keys. Today, anyone armed with one of
these shareware tools, a wireless card, antenna, and GPS is capable of
"war driving". 

First, acknowledge the problem
802.11b vulnerability assessment products are finding opportunity in
WEP's misfortune. One company, Cigital, offers assessment services that
survey 802.11b access points, identifying correctable configuration
weaknesses that range from default Service Set IDs (SSIDs) to risk
factors for ARP cache poisoning [.pdf]. 


NetStumbler and AirSnort are also handy for self-assessment. By roaming
around your building or campus, you may discover underground WLANs that
you didn't know about. For more systematic, ongoing introspection,
consider commercial products like the ISS Internet Scanner and
RealSecure IDS, recently enhanced to spot and monitor 802.11b
wireless-borne attacks. 

Next, make the best of WEP
War drivers report that just 30 to 40 percent of discovered WLANs now
use WEP. For heaven's sake, enable WEP and change your keys frequently!
Consider using 802.11b products with dynamic key generation, like
Agere's ORiNOCO AS-2000 or NextComm's R7210. Configure long,
hard-to-guess SSIDs. Apply MAC filters or use VLANs to restrict access
to authorized cards. Track inventory to make sure those cards stay in
employee hands, and please block MACs that belong to lost or stolen
cards. Lock down access point management interfaces, just as you would
on any perimeter router or firewall. Use anti-virus and personal
firewall software to keep the wireless client clean, preventing
back-channels. 


By combining firewall defense with IPsec, SSH, or SSL, you can better
prevent wireless eavesdropping and block access by unauthenticated
clients. For example, many companies have already deployed a SafeNet or
Ashley-Laurent VPN client on laptops for secure remote access. The same
client can often tunnel IPsec over wireless to a VPN gateway located
between the access point and the rest of the corporate network.
Alternatively, consider an access point with built-in IPsec, available
from vendors like Colubris Networks. 


When roaming, wireless cards often use DHCP to obtain a new IP from each
access point. This can be a problem for network layer solutions like
IPsec. If roaming is essential to your 802.11b deployment, consider
wireless "VPN" solutions from companies like NetMotion, Columbitech, or
Ecutel. These products use servers that run proprietary, WTLS, or Mobile
IP protocols to avoid session interruption when a wireless client
changes its address. They also offer user-level authentication, which
may or may not be present in your IPsec VPN today. 

For Windows XP, consider using 802.1x 
802.11b Open System Authentication is no authentication



Wireless Networking

Home: www.packetnexus.com

Published on The O'Reilly Network (http://www.oreillynet.com/)
 http://www.oreillynet.com/pub/a/bsd/2001/04/05/Big_Scary_Daemons.html
 See this if you're having trouble printing code examples

Wireless Networking
04/05/2001

Today I made my wife happy. Yesterday, a 50-foot Ethernet cable ran across
the living room floor, under the dining room table, over the gerbil cage,
down the cold air return grate, through the basement rafters, and into my
basement office hub. Today, it's gone. Instead, a little PC card sticks out
two inches or so from the side of the laptop. Here's what you need to know
to set up a wireless network in your home or office.

First of all, wireless networks are deceptively similar to Ethernet. Both
are broadcast media, and can actually interoperate via a bridge. If you're
familiar with Ethernet, you're 80% of the way towards getting your wireless
network set up. The other 20% is enough to drive you nuts if you don't know
what's going on.

There's three different standards for wireless communication: HomeRF,
Bluetooth, and 802.11b.

HomeRF is an older standard. Throughput peaks at 1.6 meg on a good day, with
a maximum range of about 150 feet.

Bluetooth has been promised for quite some time. It's fast, secure, and
reliable. No hardware is actually available yet. (This might change by the
time this article is printed.) Since neither hardware nor BSD drivers are
available, we don't really care about this right now.

802.11b is more expensive than HomeRF, has considerably greater range, and
supports speeds up to 11meg/second. This is the most popular option, and the
one with the best FreeBSD support, so we'll cover it here.


802.11b is an IEEE standard, much like classic 802.3 Ethernet. This means
that products from different vendors are supposed to work reliably together.
There are still few enough vendors that this is basically true;
interoperability testing is fairly straightforward. Lucent, Cisco, Apple,
and 3Com are the major vendors, while smaller companies like D-Link are just
starting to enter the fray.

When establishing a wireless system, you need to start up front with some
basic decisions about how your setup will work. Do you want to build a
separate IP network just for wireless communications, or do you want to
bridge your wireless systems into an existing Ethernet?

If all the devices on your network are wireless, all you need is a wireless
NIC for each machine. Unlike Ethernet, no central hub is required. This is
called "ad-hoc" mode.

If you want to integrate wireless into an existing network, you need to
invest in a wireless access point to bridge between the two. This is
"infrastructure" mode.

You can use ad-hoc mode in combination with an existing Ethernet, but you
can't bridge them together. You would need a router with one wireless
interface and one Ethernet interface, and each network needs separate blocks
of IP addresses. This might make sense if your network is large enough.

Most people are probably interested in infrastructure mode. No company can
afford to simultaneously replace all their NICs with wireless ones, let
alone discard all their old-fashioned CAT5 network infrastructure.

Besides, a wireless network will never run as fast as a physical network.
Ethernet relies on "collision detection." Only one packet can be transmitted
over an Ethernet at a time. When two machines transmit Ethernet packets
simultaneously, this is a collision. Both machines wait 



Wi-Fi Security - Don't Think Out of the Box

Home: www.packetnexus.com

Wi-Fi Security - Don't Think Out of the Box
By Stephanie Losi, Wireless.NewsFactor.com

The increasingly popular Wi-Fi (aka 802.11b) wireless networking standard
took a harsh blow earlier this month, when a report by cryptography experts
pinpointed a critical flaw in the standard's WEP (wired equivalent privacy)
security protocol.

Attackers could exploit this flaw to gain access to an entire WLAN (wireless
local area network) in a short period of time, according to the experts. To
make matters worse, the exploit was passive: Attackers could glean data by
eavesdropping on network traffic, making them virtually undetectable.

But that report was based on theoretical research, and would-be wireless
crackers needed a certain level of know-how to attempt an attack. Those good
ol' days ended last week with the release of AirSnort, a program that
automates the attack process so anyone with a Linux (news - web sites) box
and a wireless networking card with a Prism2 chipset can download the
program and exploit WEP's weakness.

"Just like many years ago the SATAN tool was released on the Internet that
let unsophisticated hackers break into wired computers, Snort is a similar
tool for the wireless world," Gartner research director for network security
John Pescatore told Wireless NewsFactor. SATAN (Security Administrator Tool
for Analyzing Networks), released in 1995 by Wietse Venema and Dan Farmer,
caused an uproar because it allowed network administrators (and intruders)
to scan wired networks for vulnerabilities.

Out Here in the Fields

One might wonder about the rationale behind releasing such a program to the
public -- but in an FAQ (frequently asked questions) document, AirSnort
creators Blake Hegerle and Jeremy Bruestle of Internet services firm
Cypher42 wrote: "We felt that the only proper thing to do was to release the
project. It is not obvious to the layman or the average administrator how
vulnerable 802.11b is to attack. Yes, AirSnort can be used as a cracking
tool, but it can also be used to settle arguments over the safety of WEP."

In addition, according to the FAQ, "The only sane assumption to make is that
a malicious hacker would have developed a tool like this. While we are
troubled by the fact that script kiddies can get their hands on this tool,
we still figure that the benefits of full disclosure outweigh the risks. If
you disagree, it's just an academic debate, since we cannot withdraw this
program."

Attack Time Varies

The time it takes to decipher the secret key to a WLAN varies according to
the amount of traffic on the network. AirSnort programmer Hegerle told
Wireless NewsFactor that an attack program developed by AT&T researchers --
but not released to the public -- reportedly could recover keys faster.

"AirSnort has, for us, only operated effectively after 10 million packets,"
Hegerle said. "Stubblefield, et. al., [at AT&T] have reported that it took
them 5 to 6 million packets. We have yet to try it against a real network;
all of our estimates come from information gleaned from our (very small)
wireless test network.

"If the AT&T paper turns out to be true against real networks, it would only
take about an afternoon. The only thing that is certain is that the attack
time is dependent on the network being attacked," Hegerle added.

Long-Term Benefits

AirSnort's release obviously deals major damage to 802.11b WLAN security in
the short term, but it may have more positive effects for wireless
security -- althoug



Frequency Hopping security?

Home: www.packetnexus.com

> I haven't heard of a FHSS system being sniffed/cracked yet.  Does anyone
> have any "first hand knowledge" of this happening?

Yes.  

Many years ago, the CEO of a company who's name you would know, were I
to mention it, sat in the men's room in the building of another
company who's name you would (all) know, were I also to mention it,
and sniffed his way into the wireless LAN of the (second) company,
which was running Proxim's FHSS gear (that's the only hint you're
going to get.)

Jim


Back to the Index

LEAP authentication description

Home: www.packetnexus.com

This document describes the LEAP authentication
protocol as used by
Cisco Aironet wireless routers etc. It was deduced by
analysis of 
packets passed between an Aironet and Cisco ACS.

Relevant RFCs are: 2284, 2716, 2433.

LEAP is a type of Radius EAP protocol (see RFC
draft-ietf-radius-eap-05.txt "Extensible
Authentication Protocol
Support in RADIUS"). The EAP type for LEAP is 17
(0x11). It is used to
authenticate access by a wireless client (typically a
laptop or pc) to
a wireless router, typically a Cisco Aironet base
station.

Definitions
AP: Access Point (the Aironet base station)
RS: Radius Server
APC: Access Point Challenge
APR: Access Point Response
PC: Peer Challenge
PR: Peer Response
PW: Users plaintext ASCII password 
SK: Session Key
SS: Shared Secret shared between AP (or upstream
proxy)  and RS
AUTH: The 16 octet Radius authenticator of the
incomintg request

A typical successful LEAP authentication sequence
consists of the
following Radius packets passed between the wireless
access point
(AP) and the Radius server (RS). Each packet contains
an EAP-Message
as described below. The EAP Message-Authenticator
attribute is always
present as usual for EAP. 

The general description of the protocol is:

1. AP->RS: Radius Request/EAP Identity, containing the
name of the
   user to be authenticated

2. RS->AP: Radius Challenge/EAP Request/LEAP,
containing a 8 octet random
   MSCHAP Peer Challenge (PC)

3. AP->RS: Radius request/EAP Response/LEAP,
containing the 24 octet MSCHAP
   response to the challenge in 2 above (PR).

4. RS->AP: Radius Access-Accept/EAP Success

5. AP->RS: Radius Request/EAP Request/LEAP, containing
8 octet Access Point
   Challenge (APC).

6. RS->AP: Radius Access-Accept/EAP Response/LEAP,
containing 24 octet
   response to the challenge in 5 above (APR), plus a
session key sent
   in a cisco-avpair vendor-specific attribute.

LEAP data is carried in an EAP-Message in the
Type-Data
subfield. The format of the Type-Data subfield is:

1 octet LEAP protocol version number, currently always
0x01.
1 unused octet, currently always 0x00.
1 octet byte count for the following binary data
m octets of binary data
n octets, the name of the user being authenticated

So, for example, packet 2 in the above sequence,
containg the access
point challenge (APC) would contain an EAP-Message
Request (Code 0x01)
attribute something like this:
    0                   1                   2         
         3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
5 6 7 8 9 0 1
  
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code 0x01 |  Identifier   |            Length
            |
  
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type 0x11 |  Version 0x01 | Unused 0x00   |
Count 0x08    |
  
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               Peer Challenge                     
            |
  
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               Peer Challenge                     
            |
  
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   User Name .....         
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-


Count is 8 octets since the Peer challenge is 8 bytes.
Length is the
total nunmber of octets in the EAP-Message.

The Session Key (SK) is sent from RS to AP in the
final packet. It is
carried in a cisco-avpair vendor specific radius
attribute. The value
of the attribute is:
"leap:session-key=nnnn" where nnnn is 34



EAP vs. LEAP

Home: www.packetnexus.com

--Hushpart_boundary_aLagWpteUOIFAOGDeRRPKvqjfoOwuezG
Content-type: text/plain

I put out some wrong information in an earlier post about
Cisco's "proprietary" implimentation (LEAP) of EAP.  Since I don't
like "disinformation"; I  posted below  the explantion of the difference
between the two.
(courtesy Cisco DOCS!)

 Also, EAP-TLS (Microsoft) is and extension of the EAP
standard to utilize mutual authentication using certificates (i.e.
smartcards)
while also doing
the EAP portion of creating session keys; and passing them through ssl (TLS)
------------------------------------------------------------------------
-------------------------------

EAP and LEAP

EAP is an optional IEEE 802.1x security feature that is ideal for
organizations
with a large user base and access to an EAP-enabled Remote Authentication
Dial-In User Service (RADIUS)
server, such as Cisco Secure ACS 2.6. The RADIUS server uses EAP to provide
server-based authentication for clients.

Server-based authentication can be enabled for your client adapter in one
of two ways:

     Through a host device and code built into its operating system
(referred
to as EAP)

     Through your client adapter's firmware and Cisco software (referred
to as LEAP)

     This method provides authentication service to client adapters whose
host devices are not running an operating system with built-in EAP support.
The term LEAP is used to distinguish authentication provided by the client
firmware from authentication provided by a host and its operating system.

For Windows 95, 98, NT, 2000, or Me or future Windows operating systems,
 the Aironet Client Utility setup program, which installs the client
utilities,
 is used to enable LEAP or EAP. After LEAP or EAP is enabled and the
computer
is rebooted, the client adapter authenticates to the RADIUS server using
the username and password entered by the user at the network logon. See
the "Installing the Client Utilities and Enabling LEAP or EAP" section for
instructions on using the Aironet Client Utility setup program to enable
LEAP or EAP.

For Windows CE, Linux, and MacOS 9.x, LEAP is enabled through a particular
screen in the client utilities. The username and password entered in this
screen are used by the client adapter to authenticate to the RADIUS server.
In Windows CE, you do not need to re-enter your username and password after
your device is rebooted or your client adapter is ejected. In Linux and
MacOS 9.x, the username and password need to be re-entered at the start
of each new session. See the Cisco Aironet Wireless LAN Adapters Software
Configuration Guide for instructions on enabling LEAP through the client
utilities.

When you enable EAP on your Access Points and LEAP or EAP on your client
adapter, authentication to the network occurs in the following sequence:

     1. The client adapter uses the username and password to start the
authentication
process.

     2. The Access Point communicates with the EAP-compliant RADIUS server
to authenticate the username and password.

     3. If the username and password are valid, the RADIUS server and the
client adapter negotiate a dynamic, session-based WEP key. The key, which
is unique for the authenticated  client, provides the client with secure
network access.

     4. The client and Access Point use the WEP key for all data
transmissions
during the session.
Free, encrypted, secure Web-based email at www.hushmail.com
--Hushpart_boundary_aLagWpteUOIFAOGDeRRPKvqjfoOwuezG--


Back to the Index

Gnet 802.11 Architecture

Home: www.packetnexus.com

http://www.guerrilla.net/docs/gnet-80211.html
Gnet 802.11 Architecture
[DRAFT]
February 1st, 2001



----------------------------------------------------------------------------
----


There are a few ways two ways to approach this.  The first is to roll our
own infrastructure, the second, is to use the infrastructure that is being
built around us.  We'll address building our own infrastructure first,
and the second approach will be discussed further into this document.

802.11 wireless ethernet devices have finally proliferated the market and
are now in a price range within many people's grasp.  Many support
1Mbit/sec and 2Mbit/sec data rates at a cost of under $100USD.  Even
802.11b (11mbit/sec) NIC's can be purchased at prices under $150 US
dollars.  However this is changing every day and we are starting to see
802.11 Access Points that are under the 802.11 mark.

One should not alienate non-802.11 wireless ethernet devices, as they can
still be employed as point-to-point links, especially crossing a large
distance, and Proxim ISA/PCI cards generally fit the bill.  A very well
written and maintained [Low-Cost Wireless How-to] describes how to modify
Proxim cards to work over a greater distance inexpensively.  Another non-
802.11 solution are the old wavelan 900Mhz and 2.4Ghz Wireless NIC (wNIC),
which can be commonly purchased on ebay and other auction sites for around
$80 US dollars.

First some general descriptions of 802.11 hardware is in order.  The major
component is the Wireless STAtion (STA).  These generally come in a PCMCIA
(PCCARD) form factor however, I have heard of USB STA's entering the market.
STA's are somewhat versatile in that they can be configured to operate in
STA mode or Access Point(AP) mode.  In STA mode the act as a client.  In
AP mode they act as a centeral server mode, allowing STAs to connect to
them.

Access Points can be a STA installed in a PC running specialized software,
or
can be a stand-alone unit with a wireless interface on one end, and an
ethernet port on the other.  STAs in the surrounding area connect to APs
and APs connect to a backend Distribution Service(DS).  The DS in Gnets
case SHOULD be a wireless link as well.  In traditional 802.11 networks the
DS is the wired LAN.

802.11 can operate in two distinct modes.  The first is Infrastructure mode,
where there are STAs and APs, and STAs must communicate through an AP
in order to participate in the network.  The second is Ad Hoc mode, where
STAs can talk to each other, and APs can act as relay points.  Depending
on the terrain and local situation Gnet may support either of these modes.
We will mostly be using Infrastructure mode until custom software is written
to handle automatic routing in dense areas.


On to the generally network diagram.

The basic 802.11 g.net installation of three nodes would be as follows:



   Cell 1                                               Cell 2


        |                                                   |
        |       directional                  directional    | <- omni
omni -> |          |                              |         |
        =          |                              |         =
        |          V              |  <- omni      V         |
      |--------|   /              |               \    |--------|
      | site 1 |--[ - - - - - - - | - - - - - - - -]-- | site 2 |
      |--------|   \              |               /    |--------|
                                  =
                        



the future of wireless

Home: www.packetnexus.com

thought everyone might be interested in some food for thought [1] from
the former cto of british telecom on why broadband access is in such a
sorry state and a prediction on how we might move towards a shiny, happy
future:

"So how are we going to advance? I think we have been here before. Back
in the 1940s USA TV companies couldn't find an economic means of
providing signals to outlying communities. So people clubbed together to
build towers and antenna systems, and wired their houses to realize
Community Antenna TV. This was so successful that the expanded systems
became the Cable systems of today.

In a similar manner, youngsters now frustrated by the lack of bandwidth
are linking homes with CAT5 LAN wiring strewn across gardens. Schools
are buying 802.11 wireless-LAN cards to create their own networks at a
much lower cost than building wiring schemes. There is a message here
for the network companies, and a huge opportunity. If they don't provide
the bandwidth demanded by rapidly advancing terminal technologies,
people will just set to and provide their own. Hotels, schools, coffee
shops and places of work are starting to look like the phone boxes of
the 21st Century. People are gathering there to satisfy their craving
for wide-bandwidth, which isn't a 56Kbit/s or 2Mbit/s dribble, but
orders of magnitude more."


[1]
http://www.interesting-people.org/archives/interesting-people/200112/msg0035
5.html

- http://snowdeal.org [mutated daily]


Back to the Index

fun_with_the_wap11

Home: www.packetnexus.com

http://www.wi2600.org/mediawhore/nf0/wireless/docs/802.11/WAP11/fun_with_the
_wap11.txt

This text file by Xam (C) 2001 .. and all that jazz

comments/questions/etc to [email protected]

OH yea; if you break your shit becuase of soemthing
you read in here, don't expect me to take any sort
responsibility. The potential to void your warranty
and break your AP is real; if you don't feel like you
understand the language and instructions here, don't
go forward with this howto! I felt I should say this
in the interest of the idiots out there who think
that somehow, by merely describing a way to do a
task I somehow am responsible if they screw up. Bzzt!
Wrong!

----------------------------------------------------

This file is a result of learning of an interesting
set of features available to the user of a "WAP11"
access point, sold by Linksys. The origional persons
who dispensed this little bit of knowledge are
deserving of much thanks and credit, however, I'm not
sure if much detail should be gotten into. In any
case, the origional discovery was not my own.

For now, they are known as the:

	"super secret canadian wireless group"

<G>

What's so cool about the WAP11? Well, lets cut to
the chase; with a little bit of effort, you can turn
the "normal" WAP11 into an Access Point with suprising
range and power, by simply telling it's radio to
output a stronger signal. True, this will ammount to
3 to 4 db gain in power, which isn't all that much, but
heck, it's free.

If you are using some sort of external amplifier system,
observe caution.

Many external amp's will not like seeing this much power
at their input. However, if the amp is auto-ranging, and
accepts a wide range of power (some are 10 to 100 wm),
then using additional power may not be important. The
only case that comes to mind where higher power out
of the AP would be good would be in where you have
a long run of very poor coax, and need that additional
3 to 4 db of signal to obtain a higher signal to noise
ration at the input of the amplifier.

Anyway, yes; the power output IS a software-controlable
parameter set. A location in the bridges configuration
space called "register CR31" contains 14 values, each
one byte in size which serve to control the transmit
power. Yes, there is a byte per channel; you're not
stuck with a signle output power for all channels. This
could serve to be usefull in cases where contoured
power output within the 2400 to 2480 Mhz band is needed.

Within the tool (discussed later) you'll be setting this
byte to various values depending on the power output
you're looking for.

The scale is as follows:

00----------80----------FF
0mw--------100mw-------0mw

The scale is linear, 80h (128 decimal) being the highest
power, at nearly 100 mw! YES! The Wap11 in fact, contains
a radio which is capable of 100 mw opperation. It is
interesting to note that the power decreases as you near
FF and 00 on either end the byte values.

Listed here is the default channel set power for a WAP11
bought recently with the FCC regulatory domain set.

Channel		Power

1		c0
2		bf
3		bb
4		bb
5	 	b9
6		b7
7		b7
8		b7
9		b5
10		b5
11		b5
12		b5
13		b5
14		b5

The defaults are moving away from higher values to lower
values as you go from from channel 1 to 14. However, this
translates into lower power UP to higher power through
the band. This could simply be precompensation for greater
absorbtion exerienced by higher frequencies. Or, a number
other other reasons. I'm not inclined to think it'



Linux wireless info

Home: www.packetnexus.com

-----Original Message-----
From: [email protected] [mailto:[email protected]]On
Behalf Of Perry Wagle
Sent: Monday, February 11, 2002 10:48 PM
To: [email protected]
Subject: [[email protected]: [ptp] Pioneer Courthouse Square]


I'm also posting this from the Starbucks in Pioneer Square, and have
waited five years to do something like this (network connectivity from
a coffee shop).  Very cool and exciting.  Much much thanks to the
provider of the access point!

I'm running Redhat 7.2 on a Dell Inspirion 4000 notebook with a
Orinoco Silver wireless card.  Just doing pump worked fine after doing
a "iwconfig eth0 key off essid any mode managed".  Bandwidth is great!
I'm running xemacs in X11 mode to write this, and its displaying on my
notebook with amazing little lag.

Thanks again, and I look forward to getting more active in ptp.

-- Perry


Back to the Index