Security Basics mailing list archives

Re: About War Driving ..


From: Layne FInk <admin () linuxniche com>
Date: Tue, 12 Dec 2006 19:01:51 -0700

My suggestions were basic security measures that, again, are a part of most wireless routers at no additional cost to the original poster, minus a little overhead. Implementing a RADIUS server would be more like adding a security guard: higher cost but higher security.

(Most of) my suggestions were, IMHO, easy to implement, and increased the security against a typical "war driving" idiot. If the network calls for more advanced things, I pointed out some things that I hadn't seen someone else say (at the time), which excluded RADIUS because it was already mentioned, although I didn't (and couldn't, for lack of information) go into details on how. These were also more "damage mitigation", like what Ansgar said: the equivalent of changing the type and style of lock on every room inside the house.

Eric's analogy worked for disabling the SSID. Moving your door and painting it blue is about the same as trying to mask your signal and changing the name. IMHO, it takes all of 2 minutes to select the "Hide SSID" radio button, and if it stops even one joe-idiot from getting on (or attempting to) it was worth it; this takes no "overhead". It makes it so those passers-by don't choose your house on a whim.

Note: if you use a 50-character WPA2 passphrase consisting of 5 numbers, 5 specials, 5 lower, 5 upper, and 10 random, and never write it down or store it on anything that can be accessed except your brain, this becomes moot. Even if they see your network, there's not much they are going to be doing on it for a while. But how many people "really" use passphrases that long, and if they do, don't write it down for the next time they have to add a machine to the network?

However, I wouldn't exactly blanket static DHCP assignments (or no DHCP) and IP and MAC filtering as equivalent to "moving your door". That's more equivalent to giving your 10 best friends 10 unique keys so that they may use your house at will, and hoping an attacker doesn't steal one, copy it, and give it back so your friend never noticed it was missing. This requires more overhead to maintain (your friend might lose his key, or you get a new friend that needs a new key), and will stop slightly better attackers than those that stopped when they saw you "didn't have a door". (Ansgar does not find this overhead worth the benefit; that's fine. That's his opinion/call.)

I can -possibly- see larger networks that utilize wireless not liking MAC and IP filtering, but I still stand by it. I have probably 8k users at my current job across the US, and my previous job with the Navy had, well, every Navy and Marine Corps individual in the US, and they both use them. They won't touch wireless with a 30-ft pole, but they have port security, static DHCP, MAC, and various other filters/traps all over the place. But this is government: lots of money, lots of SAs to maintain it. Users literally cannot move their own computer 5 ft to a new desk. They have to call their local SA department, who will do it for them. (There are also multiple levels of SAs. I personally couldn't move the desk either; I was the on-site tech, but I could only "start the process", which could take more than a week to actually get a desk moved. :))

Ansgar's biggest issue, I think, was that if you enable filtering and hide the SSID, an attacker runs a sniffer (say he uses Kismet) and he will receive all 3 things at once: a valid IP, a valid MAC, and your SSID. Then 1 ifconfig command, accompanied by 1 iwconfig command, will put all three things into play, and if you have NO encryption you stopped him for about a total of 10 minutes (including boot-up time for his laptop). But the attacker first has to know that you have filtering on both IP and MAC. My guess is he'll first try an available IP on the subnet. But again, that stops him for maybe another couple of minutes to figure it out (if he's intelligent).

My personal setup at home: I have a wireless LAN behind a wireless router that NATs the IP to my firewall's internal LAN. My firewall denies -all- outgoing access to that NAT'd IP. So I then have to open an SSH (keys) tunnel to a third machine as a proxy that has iptables configured to forward the ports to the firewall (NAT'd as if they are coming from the third box). And I use WPA and MAC filtering, and hide the SSID for fun. Root is not allowed to log in to the third machine at all, through SSH or any TTY, and only my username is allowed to su up. I'm in an apartment with 20+ SSIDs floating around and all but 2 of us use WPA, and some idiot is unencrypted. I'm good. :) (My wife hates opening PuTTY whenever she wants online, but she got over it.) Overkill? Maybe, but I like it.

But anyway, the original poster has probably long since fixed their issues by now. :) And Eric tried warning not to take his analogy too far, as I'm sure he intended it as a simple example to clarify for some who might have got lost in translation.

-FatalSaint
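As an added worked example (not from the thread, and not the poster's own code): the message above says a hidden SSID and MAC/IP filters cost a sniffer-equipped attacker a few minutes, while a long WPA2 passphrase keeps him off the network for a long while. The Python below shows the arithmetic behind that. It implements the WPA/WPA2-PSK derivation (PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID, per IEEE 802.11i Annex H), a generator and checker for the 5 numbers / 5 specials / 5 lower / 5 upper / rest random policy the post describes, and a brute-force time estimate. The 50-character total, the 94-symbol alphabet and the 1e5 guesses-per-second rate are assumptions chosen for illustration, not measured figures.

```python
import hashlib
import math
import secrets
import string

# WPA/WPA2-PSK turns the passphrase into the 256-bit PSK with
# PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID (IEEE 802.11i
# Annex H). Hiding the SSID buys nothing here: it is visible in the
# association frames the attacker sniffs, and it is the salt anyway.
def wpa_psk(passphrase: str, ssid: str) -> bytes:
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


# Character classes from the post's policy. string.punctuation has 32
# symbols, so the full alphabet is 10 + 32 + 26 + 26 = 94 characters.
CLASSES = {
    "digits": string.digits,
    "specials": string.punctuation,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
}
ALPHABET = "".join(CLASSES.values())


def meets_policy(passphrase: str, per_class: int = 5) -> bool:
    """True if every character class appears at least per_class times."""
    return all(sum(c in chars for c in passphrase) >= per_class
               for chars in CLASSES.values())


def generate_passphrase(length: int = 50, per_class: int = 5) -> str:
    """Random passphrase satisfying meets_policy(), drawn from the CSPRNG.

    length=50 is an assumption matching the post's headline figure.
    """
    if length < per_class * len(CLASSES):
        raise ValueError("length too short for the class minimums")
    chars = [secrets.choice(cs) for cs in CLASSES.values()
             for _ in range(per_class)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with secrets so class positions are unpredictable.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess a uniform secret: half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk("password", "IEEE").hex())
    # Assumed offline guess rate against PBKDF2/4096; illustrative only.
    RATE = 1e5
    for name, bits in [("8 digits", entropy_bits(8, 10)),
                       ("8 lowercase", entropy_bits(8, 26)),
                       ("30 of 94 chars", entropy_bits(30, 94)),
                       ("50 of 94 chars", entropy_bits(50, 94))]:
        years = expected_crack_seconds(bits, RATE) / 86400 / 365.25
        print(f"{name:16s} {bits:6.1f} bits  ~{years:.3g} years")
    pp = generate_passphrase()
    print(pp, meets_policy(pp))
```

The point the numbers make is the one the thread argues over: the SSID and MAC address are recovered by any passive sniffer and the filters fall in minutes, whereas an 8-digit passphrase falls in minutes too, and only the long random passphrase pushes the expected crack time past any useful horizon. Because the SSID is the salt, a common SSID also lets an attacker reuse precomputed PSK tables across many networks.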

David Gillett wrote:
Eric didn't say *layered defence* was painting the door blue and moving it around the side. He said that Ansgar's view of the measures which FatalSaint offered -- and which FatalSaint *called* "layered defence" (calling it doesn't necessarily make it so!) -- were like painting and moving the door.

Layered defence is an important and valuable concept. But to be useful, the individual layers need to actually constitute defences, and Ansgar and Eric are saying that FatalSaint's suggestions don't really measure up to that requirement.

If FatalSaint had suggested measures analogous to a guard and bars and a dog, I don't think anyone would have argued. The question then is: What measures are available to the admin of a wireless network that are more analogous to these sorts of physical measures than the suggestions that were offered? (All of my authorized wireless points are behind firewalls that filter traffic and log activity, and the new one can triangulate client location as well. But that's probably out of the original poster's budget range.)

David Gillett


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Francois Yang
Sent: Tuesday, December 12, 2006 9:36 AM
To: Eric Furman
Cc: security-basics () securityfocus com
Subject: Re: About War Driving ..

I actually disagree with this analogy.
Layered defense in this scenario would be: add a security guard to the front door, add bars to the windows, and add a watch dog inside the house. So the entry points are the same; they didn't move, you just added some extra security to these entry points. So now if someone wanted to get in the house, they would have to get past the security guard before reaching the door, or get past the bars on the windows before getting to the windows, and once they get past those, hopefully the guard dog would catch him/her.


On 12/9/06, Eric Furman <ericfurman () fastmail net> wrote:
On 8 Dec 2006 14:28:21 -0000, krymson () gmail com said:
Ansgar -59cobalt- Wiechers and FatalSaint:

Just want to say I'd watched this thread and I wanted to quickly point out something I felt was kind of a poignant thing in our field. You both have good points and, in my mind, you both have rather correct approaches. One of you believes that a layered defense with multiple hurdles will slow down attackers and stop a lot of non-savvy attackers, and the other prefers to shoot for the highly-skilled attacker and focus his efforts.

I believe both approaches are just fine, and it just depends on the people, business/network, and needs.

I disagree. ;-) I do agree with layered defenses, if they're real. Ansgar -59cobalt- Wiechers objects to FatalSaint's security measures because they amount to the following analogy: I want to keep burglars out of my house. Everyone knows that the entrance to houses is in the front and all doors are painted red. To increase my security I am going to move the entrance to the side and I am going to paint my door blue. Yes, to the casual person walking by, this will work, but not to any determined attacker. All I have really done is make things more inconvenient for me, the resident. Do not push this analogy too far, but it is essentially correct. IMHO.
---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------

