Security Basics mailing list archives
Re: About War Driving ..
From: Layne FInk <admin () linuxniche com>
Date: Tue, 12 Dec 2006 19:01:51 -0700
My suggestions were basic security measures that, again, are a part of most wireless routers at no additional cost to the original poster minus a little overhead. Implementing a RADIUS server would be more like adding a Security Guard - Higher Cost but Higher Security.
(most) My suggestions were, IMHO, easy to implement, and increased the security for a typical "war driving" idiot. If the network calls for more advanced things I pointed out some things that I hadn't seen someone else say (at the time) .. which excluded RADIUS because it was already mentioned - although I didn't (and couldn't, lack of information) go into details on how.. and also were more "Damage Mitigation" like what Ansgar said. Be equivalent to changing the type and style of lock on every room inside the house.
Eric's Analogy worked for Disabling the SSID. Moving your door and painting it blue is about the same as trying to mask your signal and changing the name. IMHO, this takes all of 2 minutes to select "Hide SSID" radio button.. and if it stops even 1 joe-idiot from getting on (or attempting to) it was worth it - this takes no "overhead". This makes it so those "passers-by" don't choose your house on a whim.
Note: if you use a 50-Character WPA2 Pass phrase consisting of 5 Numbers, 5 Specials, 5 Lower, 5 Upper, and 10 random; Never Write it down or store it on anything that can be accessed except your brain, this becomes moot - even if they see your network there's not much they are going to be doing on it for a while - But how many people "really" use pass phrases that high - and if they do - don't write it down for the next time they have to add a machine to the network.
However I wouldn't exactly blanket Static DHCP assignments (or no DHCP), IP and MAC Filtering, equivalent to "moving your door". That's more equivalent to giving your 10 best friends 10 unique keys so that they may use your house at will and hope an attacker doesn't steal it, copy it, and give it back so your friend never noticed it was missing. This requires more overhead to maintain (your friend might lose his key, or you get a new friend that needs a new key) - and will stop a little better attackers than those that stopped when they saw you "didn't have a door". (Ansgar does not find this overhead worth the benefit - that's fine. That's his opinion/call.)
I can -possibly- see larger networks that utilize wireless not liking MAC and IP filtering.. but I still stand by it. I have probably 8k users at my current job across the US - and my Previous job with the Navy had.. well.. every Navy and Marine Corps individual in the US.. and they both use them. They won't touch wireless with a 30-ft pole - but they have Port Security, Static DHCP, MAC, and various other filters/traps all over the place. But this is government.. lots of money - lots of SA's to maintain it. Users literally cannot move their own computer 5 ft to move to a new Desk. They have to call their local SA Department - who will do it for them. (there are also multiple levels of SA's.. I personally couldn't move the desk either, I was the on site-tech but I could only "start the process" that could take more than a week to actually get a desk moved :))
Ansgar's biggest issue - I think - was that if you Enable Filtering and Hide the SSID... an attacker runs a sniffer (say he uses Kismet); he will receive all 3 things at once. Valid IP, Valid MAC, And your SSID. Then 1 ifconfig command, accompanied with 1 iwconfig command will then put all three things into play - and if you have NO encryption - you stopped him for about a total of 10 minutes (including boot up time for his laptop.) But the attacker first has to know that you have filtering on both IP and MAC. My guess is he'll first try an available IP on the subnet. But again.. stop him for maybe another couple minutes to figure it out (if he's intelligent).

My personal setup at home I have a Wireless LAN behind a Wireless Router that NAT's the ip to my firewall's Internal LAN. My firewall denies -all- outgoing access to that NAT'd IP. So I then have to open an SSH (keys) tunnel to a third machine as a Proxy that has IPTables configured to forward the ports to the firewall (Nat'd as if they are coming from the third box.) And I use WPA, and MAC Filtering - and Hide the SSID for fun. Root is not allowed to login the third machine at all, through SSH or any TTY. And only My username is allowed to su up.

I'm in an apartment with 20+ SSID's floating around and all but 2 of us Use WPA - and some idiot is unencrypted. I'm Good. :). (my wife hates opening Putty whenever she wants online - but she got over it.) Overkill?? Maybe.. But I like it.
But Anyway, The original poster has probably long since fixed their issues by now :). And Eric tried warning not to take his analogy too far - as I'm sure he intended it as a simple example to clarify to some that might have got Lost in Translation.
-FatalSaint

David Gillett wrote:

> Eric didn't say *layered defence* was painting the door blue and moving it around the side. He said that Ansgar's view of the measures which FatalSaint offered -- and which FatalSaint *called* "layered defence" (calling it doesn't necessarily make it so!) -- were like painting and moving the door. Layered defence is an important and valuable concept. But to be useful, the individual layers need to actually constitute defences, and Ansgar and Eric are saying that FatalSaint's suggestions don't really measure up to that requirement.
>
> If FatalSaint had suggested measures analogous to a guard and bars and a dog, I don't think anyone would have argued. The question then is: What measures are available to the admin of a wireless network that are more analogous to these sorts of physical measures than the suggestions that were offered? (All of my authorized wireless points are behind firewalls that filter traffic and log activity, and the new one can triangulate client location as well. But that's probably out of the original poster's budget range.)
>
> David Gillett
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Francois Yang
> Sent: Tuesday, December 12, 2006 9:36 AM
> To: Eric Furman
> Cc: security-basics () securityfocus com
> Subject: Re: About War Driving ..
>
> I actually disagree with this analogy. layered defense in this scenario would be; add a security guard to the front door, add bars to the windows and add a watch dog inside the house. So the entry points are the same they didn't move, you just added some extra security to these entry points.
> So now if someone wanted to get in the house, they would have to get past the security guard before reaching the door, or get past the bars on the windows before getting to the windows, and once they get past those, hopefully the guard dog would catch him/her.
>
> On 12/9/06, Eric Furman <ericfurman () fastmail net> wrote:
>> On 8 Dec 2006 14:28:21 -0000, krymson () gmail com said:
>>> Ansgar -59cobalt- Wiechers and FatalSaint:
>>>
>>> Just want to say I'd watched this thread and I wanted to quickly point out something I felt was kind of a poignant thing in our field.
>>>
>>> You both have good points and, in my mind, you both have rather correct approaches. One of you believes that a layered defense with multiple hurdles will slow down attackers and stop a lot of non-savvy attackers, and the other prefers to shoot for the highly-skilled attacker and focus his efforts.
>>>
>>> I believe both approaches are just fine, and just depends on the people, business/network, and needs.
>>
>> I disagree. ;-) I do agree with layered defenses, if they're real.
>> Ansgar -59cobalt- Wiechers objects to FatalSaint's security measures because they amount to the following analogy; I want to keep burglars out of my house. Everyone knows that the entrance to houses is in the front and all doors are painted red.
>> To increase my security I am going to move the entrance to the side and I am going to paint my door blue. Yes, to the casual person, walking by, this will work, but not to any determined attacker. All I have really done is make things more inconvenient for me, the resident.
>> Do not push this analogy too far, but it is essentially correct. IMHO.

---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher
Detect Malicious Web Content and Exploits in Real-Time. Anti-Virus engines can't detect unknown or new threats. LinkScanner can. Web surfing just became a whole lot safer.
http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------