Security Basics mailing list archives

Re: wireless connection security issues


From: "Jarrod Frates" <jfrates.ml () gmail com>
Date: Mon, 31 Jul 2006 11:02:12 -0700

On 7/28/06, Cherian Thomas <cherian.in () gmail com> wrote:
> I am pretty much a newbie into this wireless arena and
> therefore ignorant of the best security practices. Can you suggest
> methods to set up a "secure" wireless environment? Consider me paranoid
> :-)

There are a couple of points to consider.  How paranoid do you want to
be?  Truly paranoid would implement a locked-down, dedicated, external
RADIUS server authenticated with a token-based one-time password
architecture over PEAP/EAP-TLS to provide the WPA2 key for securing
the connection.  :)  However, this is probably overkill at the moment
for you.

Most popular security measures (MAC filtering, disabling BSSID
broadcast, etc) are pointless in light of the ease of learning these
through casual traffic listening.  In fact, they are probably now more
of an annoyance than a security measure, especially if you have a
friend over who wants to connect to your network.  Troubleshooting the
inability to connect can become bothersome when it's being blocked by
settings that add no real security.

At the basic level, you should disable WEP and WPA, and enable WPA2.
WPA2 is available in all current firmware revisions for the WRT54GL,
and the three largest third-party firmwares (Sveasoft, OpenWRT, and
DD-WRT) all implement it, though at least in the case of OpenWRT you
need to install an additional, proprietary module for it to work.  The
shared key should be a hard-to-guess passphrase or a random
alphanumeric of at least 32 characters (maximum is 63, IIRC), changed
on a basis of three to six months.  When you configure this, if
appropriate, you'll want to use AES, not RC4, and CCMP, not TKIP, if
the separate options are presented.

Once you have this, you can begin layering other protections, such as
the RADIUS server, certificates for the various EAP types that you
might use, rotating keys...  There are a lot of things that you can
do.  One point to consider is that all hostile traffic that does get
on your network goes through your wired PC due to your infrastructure,
and this presents a possible attack vector from systems that get on
the wireless network, even if you expect and allow them to be on.  Do
you know *for certain* that your friends' systems do not have any
malware that might try to contact other systems on the network --
including your own?  Something to think about as you consider your
topology.

While it doesn't translate directly to your multiple-provider setup,
my architecture has the wireless router out in front, connected to the
cablemodem, and other systems are kept behind another router which
also uses NAT.  This provides a DMZ of sorts on the outside, though
the traffic routing can sometimes become a real pain.

I hope that helps you set a path.


Jarrod
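The configuration advice in the reply above (WEP and WPA1 off, WPA2 only, CCMP/AES rather than TKIP, a pre-shared key of at least 32 characters) can be checked mechanically on a Linux access point. The script below is an added example, not code from the original post or from any of the firmwares it names; it assumes a hostapd-style configuration file (the keys `wpa`, `wpa_pairwise`, `rsn_pairwise`, `wpa_passphrase` and `wep_key0..3` are real hostapd options), and the two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. It checks a hostapd-style
# AP configuration against the advice in the reply: WPA2 only (no WEP, no
# WPA1 fallback), CCMP/AES rather than TKIP, and a pre-shared key of at
# least 32 characters. The option names (wpa, wpa_pairwise, rsn_pairwise,
# wpa_passphrase, wep_key0..3) are real hostapd keys; the sample configs
# written by write_samples are constructed.

# conf_get FILE KEY: print the last value assigned to KEY in FILE.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# gen_psk [LEN]: random alphanumeric pre-shared key. WPA/WPA2 passphrases
# are 8..63 characters; the default of 32 is the minimum the post recommends.
gen_psk() {
    len="${1:-32}"
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "gen_psk: length must be between 8 and 63" >&2
        return 1
    fi
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
    echo
}

# check_hostapd_conf FILE: returns 0 when the config is WPA2-only with CCMP
# and a long enough passphrase; otherwise prints each finding and returns 1.
check_hostapd_conf() {
    conf="$1"
    rc=0
    if grep -Eq '^[[:space:]]*wep_key[0-3]=' "$conf"; then
        echo "FAIL: WEP keys configured; WEP must be disabled"; rc=1
    fi
    wpa=$(conf_get "$conf" wpa)
    if [ "$wpa" != "2" ]; then
        echo "FAIL: wpa=${wpa:-unset} (want 2: WPA2/RSN only, no WPA1 fallback)"; rc=1
    fi
    # rsn_pairwise governs WPA2; hostapd falls back to wpa_pairwise if unset.
    pairwise=$(conf_get "$conf" rsn_pairwise)
    [ -n "$pairwise" ] || pairwise=$(conf_get "$conf" wpa_pairwise)
    case " $pairwise " in
        *" TKIP "*) echo "FAIL: TKIP offered as pairwise cipher ('$pairwise'); use CCMP only"; rc=1 ;;
    esac
    case " $pairwise " in
        *" CCMP "*) ;;
        *) echo "FAIL: CCMP (AES) not enabled as pairwise cipher"; rc=1 ;;
    esac
    psk=$(conf_get "$conf" wpa_passphrase)
    if [ "${#psk}" -lt 32 ]; then
        echo "FAIL: passphrase is ${#psk} chars; use at least 32 (max 63)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: WPA2-only, CCMP, ${#psk}-char passphrase"
    return "$rc"
}

# write_samples DIR: constructed configs, one weak (mixed WPA/WPA2, TKIP
# allowed, short passphrase) and one hardened.
write_samples() {
    cat > "$1/weak.conf" <<EOF
interface=wlan0
ssid=homenet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=password1
EOF
    cat > "$1/good.conf" <<EOF
interface=wlan0
ssid=homenet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=$(gen_psk 40)
EOF
}

SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
echo "== weak.conf"; check_hostapd_conf "$SAMPLE_DIR/weak.conf" || true
echo "== good.conf"; check_hostapd_conf "$SAMPLE_DIR/good.conf" || true
```

Run it against your own file with `check_hostapd_conf /etc/hostapd/hostapd.conf`; the checks read the effective values only, so a config that sets `wpa=3` "for compatibility" is reported as a WPA1 fallback even if every client you own supports WPA2.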
