Information Security News mailing list archives

REVIEW: "Building Secure Wireless Networks with 802.11", Jahanzeb Khan/Anis Khwaja


From: InfoSec News <isn () c4i org>
Date: Wed, 26 Feb 2003 02:08:44 -0600 (CST)

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>

BKBSWNW8.RVW   20030208

"Building Secure Wireless Networks with 802.11", Jahanzeb Khan/Anis
Khwaja, 2003, 0-471-23715-9, U$40.00/C$62.95/UK#29.95
%A   Jahanzeb Khan
%A   Anis Khwaja
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-23715-9
%I   John Wiley & Sons, Inc.
%O   U$40.00/C$62.95/UK#29.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471237159/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0471237159/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471237159/robsladesin03-20
%P   330 p.
%T   "Building Secure Wireless Networks with 802.11"

As with any hot topic, there are lots of people willing (eager!) to
tell you about the security of wireless local area networks, without
first making sure that they really know the subject.

Part one is an introduction to wireless LANs.  Chapter one is a
history of networks, an outline of topologies (concentrating on
cabling, interestingly enough), and a review of the TCP/IP (actually
OSI [Open Systems Interconnection]) protocol stack.  The last page
gives too little information for an exercise in setting up a home LAN. 
Terms in regard to wireless technology are listed in chapter two, but
the material is verbose without being informative.  The explanations
given for spectrum multiplexing are unclear, and seem to be delivered
by rote without any understanding.  The discussion does not build on
that from chapter one to, for example, point out that ad hoc wireless
networks are similar to bus topologies, while infrastructure networks
are more akin to stars.  The various IEEE (Institute of Electrical and
Electronics Engineers) 802.11 standards are listed in chapter three. 
However, there is a great deal of material repeated from prior text
(the discussion of spectrum is reprised almost word for word), and,
other than some frequency and maximum bandwidth information, there is
little additional detail.  (Repetition and duplication is rife
throughout the book, as well as a good deal of space wasted with
pointless figures and graphics.  On page 125 we are told that "The 40-
bit shared key is concatenated with a 24-bit long initialization
vector" and referred to figure 6.1.  Figure 6.1 tells us
"Concatenated-Key = Shared-Key + IV."  Not very helpful.)  Chapter
four is supposed to help you decide whether a wireless LAN is right
for you, but only has some vague opining, a little content on wireless
ISPs (Internet Service Providers: hardly suitable for LAN
discussions), and almost no analysis or details.

Part two purports to emphasize secure wireless LANs.  Chapter five has
random topics regarding network security.  Most of it is irrelevant to
the specific needs of wireless situations or is not discussed in terms
of the particular needs of wireless networks.  (Physically securing
the components of a wireless LAN has some importance in overall
security, but may be pointless if someone driving by can take over the
network).  Securing the IEEE 802.11 wireless LAN is not reviewed well
in chapter six.  There is more duplication of content, few details
about WEP (Wired Equivalent Privacy), and some clear evidence of
misunderstanding of the base technologies.  (If you are going to talk
about 40 bit keys at the low level, higher level security should be
104, rather than 128, bit.  And a 128 bit key is *not* equivalent to
64 characters, in anybody's representation.)  When security aspects
are discussed, often they relate to issues that are beyond the control
of the user, such as moderation of signal strength.

Part three collects topics related to the building of secure wireless
LANs.  Chapter seven is a simplistic overview of generic LAN planning. 
Shopping for the right equipment is important, but the list of product
specifications in chapter eight fails to address vital areas, such as
driver availability, default key length, and the existence of default
accounts.  More space is devoted to where you can buy equipment than
how to evaluate it.  The installation instructions, in chapter nine,
pretty much ignore security considerations.  Chapter ten supposedly
deals with advanced wireless LANs, including security, but has little
new material aside from screenshots of Microsoft Windows utilities
with some relationship to VPNs (Virtual Private Networks).

Part four covers troubleshooting and maintenance.  Chapter eleven
touches on a number of possibly wireless connectivity problems.  A
collection of text repeated from prior chapters is in chapter twelve.

There is a glossary included with the book.  It is quite limited, and,
in particular, does not deal well with acronyms.  In fact, the book is
full of TLAs (Three Letter Acronyms) and other abbreviations that get
used before they are defined, and do not appear in either the glossary
or the index.  This can be quite aggravating, particularly in cases
where the acronyms aren't standard.  (The authors use "PHY" to refer
to the physical layer of the OSI model, which is not commonly so
represented in either communications or security literature.)

The text of the book is excessively padded with useless verbiage and
irrelevant material.  The actual content pertinent to the security of
wireless LANs is barely enough to fill a decent magazine article. 
Overall, the book is poorly structured, limited in detail, and bloated
with meaningless or repetitious content.

copyright, Robert M. Slade, 2003   BKBSWNW8.RVW   20030208

-- 
======================
rslade () vcn bc ca  rslade () sprint ca  slade () victoria tc ca p1 () canada com
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
          March 31, 2003           Indianapolis, IN



-
ISN is currently hosted by Attrition.org
