Security Basics mailing list archives
Re: radius+ wireless
From: Jimi Thompson <jimi.thompson () gmail com>
Date: Thu, 18 Nov 2004 22:19:18 -0600
Well, if you or someone else has duplicated a MAC address on the same network, it's highly likely that neither of the duplicate addresses will get any intelligible traffic. Google on "arp poisoning" while you're googling for the other stuff :). I'd think that under your current set up with weak WEP and but decent authentication, that you'd be more likely to be the victim of a DOS attack. Some ankle biter that can break WEP but not RADIUS will decide that if he can't play no one else will be able to either. You didn't mention what kind of wireless, what your coverage area is, etc. For some of the point-to-point directed beam or line-of-sight gear, RADIUS might be sufficient. However, the general feeling from most of the folks here is that you're using 802.11B or G possibly even though you don't state this. Contrary to popular opinion, there are other wireless protocols :) My suggestion is to use WEP like a "No Tresspassing" sign and contain the route on your side of the access point (hopefully the wired side) so that it routes them to a VPN gateway. Use a VPN client that blocks the NIC from any other connections while it's attached to the gateway. Then the whole session is encrypted with fairly strong encryption (IPSEC) when ever the user is connected. This can be done fairly inexpensively using something like FreeSWAN, OpenVPN, PopTop, etc. for the server and/or client. On Thu, 18 Nov 2004 12:40:48 -0600, Andre Derek Protas <randori82 () hotmail com> wrote:
Maybe use token authentication for your customers. What is the range of your signal? If you are blowing your signal all over a neighborhood and you're using nothing but radius and a weak wep, you may be in trouble. Perhaps offer your customers "enhanced security" with an "enhanced price" and incorporate some token authentication devices in your network. Let me know if you need any equipment. -Andre Derek Protas Security Engineer | Electus Solutions www.electussolutions.com -----Original Message----- From: GuidoZ [mailto:uberguidoz () gmail com] Sent: Wednesday, November 17, 2004 6:30 PM To: Gaspar de Elías Cc: security-basics () securityfocus com Subject: Re: radius+ wireless The quick answer - you bet it's possible. And yes, depending on the WEP key and the amount of access an attacker has to the signal, it could be fairly quick. I'll allow you to do your own research, though I'll point you in some directions. Also, instead of giving you a large list of tools that are used, allow me to point you at a well known list: http://www.wi-foo.com/index-3.html Take a close peek at programs like Kismet/Netstumbler and AirCrack/AirSnort. Having MAC filtering enabled and not broadcasting the SSID is two simple steps to help "secure" your wifi network from your average script kiddie. However, this will do little more then create a speed bump for anyone remotely knowledgable about wifi and the means of breaking WEP/WPA. Google is also your friend. If you have specif questions beyond this, feel free to drop me a line directly or straight to the list. =) -- Peace. ~G On Wed, 17 Nov 2004 19:18:03 -0300, Gaspar de Elías <gaspar.delias () gmail com> wrote:hello I'm an isp, and i'm providing internet to my customers via wireless, authenticating with a radius server on freeBSD. My question is the folowing: Can somebody sniff the wireless conections, crack WEP alghoritm, and cheat his mac and ip addresses in order to steal information from one of my customers? A friend told me that doing this is incredibly easy, so i'm investigating. What should i implement to make my wireless lan more secure? -- Gaspar de Elías
-- Thanks, Jimi
Current thread:
- radius+ wireless Gaspar de Elías (Nov 17)
- Re: radius+ wireless GuidoZ (Nov 18)
- RE: radius+ wireless Andre Derek Protas (Nov 18)
- Re: radius+ wireless Jimi Thompson (Nov 19)
- RE: radius+ wireless Andre Derek Protas (Nov 18)
- Message not available
- Re: radius+ wireless Gaspar de Elías (Nov 18)
- Re: radius+ wireless GuidoZ (Nov 18)
- Re: radius+ wireless Tomas Wolf (Nov 18)
- <Possible follow-ups>
- RE: radius+ wireless Keodouangsy, Chinda (Keo) (Nov 18)
- RE: radius+ wireless Matvei Kliuchnikov (Nov 18)
- Re: radius+ wireless Gaspar de Elías (Nov 19)
- RE: radius+ wireless Bowes, Ronald (EST) (Nov 19)
- Re: radius+ wireless Kenzo (Nov 19)
- Re: radius+ wireless - ssh Alvin Oga (Nov 22)
- RE: radius+ wireless Brett Zink (Nov 19)
- RE: radius+ wireless M. Shirk (Nov 19)