Security Basics mailing list archives

Re: radius+ wireless


From: Jimi Thompson <jimi.thompson () gmail com>
Date: Thu, 18 Nov 2004 22:19:18 -0600

Well, if you or someone else has duplicated a MAC address on the same
network, it's highly likely that neither of the duplicate addresses
will get any intelligible traffic.  Google on "arp poisoning" while
you're googling for the other stuff :).  I'd think that under your
current setup with weak WEP but decent authentication, you'd
be more likely to be the victim of a DOS attack.  Some ankle biter
that can break WEP but not RADIUS will decide that if he can't play no
one else will be able to either.

You didn't mention what kind of wireless, what your coverage area is,
etc.  For some of the point-to-point directed beam or line-of-sight
gear, RADIUS might be sufficient.  However, the general feeling from
most of the folks here is that you're using 802.11B or G possibly even
though you don't state this.  Contrary to popular opinion, there are
other wireless protocols :)

My suggestion is to use WEP like a "No Trespassing" sign and contain
the route on your side of the access point (hopefully the wired side)
so that it routes them to a VPN gateway.  Use a VPN client that blocks
the NIC from any other connections while it's attached to the gateway.
Then the whole session is encrypted with fairly strong encryption
(IPSEC) whenever the user is connected.  This can be done fairly
inexpensively using something like FreeSWAN, OpenVPN, PopTop, etc.
for the server and/or client.


On Thu, 18 Nov 2004 12:40:48 -0600, Andre Derek Protas
<randori82 () hotmail com> wrote:
Maybe use token authentication for your customers.  What is the range of
your signal?  If you are blowing your signal all over a neighborhood and
you're using nothing but radius and a weak wep, you may be in trouble.

Perhaps offer your customers "enhanced security" with an "enhanced price"
and incorporate some token authentication devices in your network.

Let me know if you need any equipment.

-Andre Derek Protas
Security Engineer | Electus Solutions
www.electussolutions.com




-----Original Message-----
From: GuidoZ [mailto:uberguidoz () gmail com]
Sent: Wednesday, November 17, 2004 6:30 PM
To: Gaspar de Elías
Cc: security-basics () securityfocus com
Subject: Re: radius+ wireless

The quick answer - you bet it's possible. And yes, depending on the
WEP key and the amount of access an attacker has to the signal, it
could be fairly quick.

I'll allow you to do your own research, though I'll point you in some
directions. Also, instead of giving you a large list of tools that are
used, allow me to point you at a well known list:
http://www.wi-foo.com/index-3.html Take a close peek at programs like
Kismet/Netstumbler and AirCrack/AirSnort.

Having MAC filtering enabled and not broadcasting the SSID are two
simple steps to help "secure" your wifi network from your average
script kiddie. However, this will do little more than create a speed
bump for anyone remotely knowledgeable about wifi and the means of
breaking WEP/WPA.

Google is also your friend. If you have specific questions beyond this,
feel free to drop me a line directly or straight to the list. =)

--
Peace. ~G

On Wed, 17 Nov 2004 19:18:03 -0300, Gaspar de Elías
<gaspar.delias () gmail com> wrote:
Hello,
I'm an ISP, and I'm providing internet to my customers via wireless,
authenticating with a RADIUS server on FreeBSD. My question is the
following: Can somebody sniff the wireless connections, crack the WEP
algorithm, and cheat his MAC and IP addresses in order to steal
information from one of my customers?
A friend told me that doing this is incredibly easy, so I'm investigating.
What should I implement to make my wireless LAN more secure?

--
Gaspar de Elías




-- 
Thanks,

Jimi

