AccessControl is a big issue for wireless networks. Because the physical layer is broadcast over the air you don't have the normal methods of control that you do on conventional ethernet: eyeballing where the cables go, and knowing that someone has to get into your house/office to plug into your network. All of a sudden anyone with a US$50 PCMCIA card can get access from 100 feet (or more) away from your house.
It is important to be aware of this and know what your options are to secure your network. Most commercial AccessPoints come with a couple of options, each with its own strengths and weaknesses.
ESSID (Extended Service Set ID)
This is the most basic method that comes with 802.11. When you create a network in InfrastructureMode you must give it a name. In order for a client to connect to your network they must know the name of the network.
Pros:
- It's very simple and easy to use.
Cons:
- Unless you are using WEP, an unauthorized client can sniff the ESSID from the network without knowing it.
- It's a shared key system (every client uses the same name), so it won't scale.
- It provides no encryption of traffic on the network.
MAC (or Ethernet) Address Filtering
This is a method that lets you control who can connect to your wireless network by the MacAddress of their wireless network card. Every wireless card (just like an ethernet card) has a unique address. By limiting access only to the MACs that you specify you can control who has the ability to use your access point.
Pros:
- It's not a shared key system so it will scale better.
- It's relatively simple.
Cons:
- You manually have to maintain the list of client MAC addresses that can use your wireless network. Depending on how many clients you have this may or may not be an issue.
- It provides no encryption of traffic on the network.
- An unauthorized client can sniff the MAC addresses of authorized clients from the air.
- MAC addresses aren't as "unique" as they used to be. On many (if not most) wireless network cards you can change the MAC with a software tool that comes with the card. Combined with the above flaw this provides a fairly trivial hack.
WEP (Wired Equivalent Privacy)
This is a security method built into the 802.11 protocol. It uses a shared key system: you configure a key (basically a password) into your access point, and in order for a wireless client to connect to your network it must know the key and type it into its software.
Pros:
- It's simple and comes with almost all 802.11 cards.
- In addition to providing AccessControl it also provides link encryption which keeps your data safe(er) from people snooping on it.
- 40 bit WEP is a standard that will work with all WiFi certified cards (which is most of them); many cards also support 104 bit WEP.
Cons:
- Though 40 bit encryption is certainly better than nothing it is not considered safe anymore and is vulnerable to brute force attacks.
- The more secure 104 bit WEP is not a standard and will not work between cards made by different vendors.
- Some people at Berkeley have demonstrated a hack which utilizes flaws in the WEP protocol to break the encryption. Again it's not trivial but it has been proven that it can be done.
- It doesn't scale. In a community setting WEP means that if you want to remove access from someone (because you don't like them, they've abused your network or whatever) the only way to do it is to change the shared key. However by doing this you also break everybody else that is using your network. Before they can use your network again you have to contact them and tell them the new key.
Note: WEP+ and WPA are basically the same as WEP only with work-arounds for the encryption problems. Basically what they do is force rekeying to occur faster than the minimum amount of time required to gather sufficient entropy to break the key. In short it's an ugly but fairly effective solution.
Captive (or Forced) Portal
While WEP and MAC filtering will probably deter all but the dedicated hacker they still have significant issues when it comes to usability. Neither will scale very well, neither allows for self provisioning via a web page (or any other method), and both have known, and usable, ways around them.
One possible answer to these problems is a CaptivePortal solution. Captive portals (also referred to as forced portals) have been used for a while by vendors like Nortel and Cisco for controlling DSL customers' access to the Internet. Basically how they work is by providing connectivity to the client without any authentication (no password or anything); however the client is firewalled at a point so they can't get to anything interesting or useful. As soon as the client tries to connect to a web site they are forced (or captured) to a login web site. At that web site they can log in with their username and password; if this authentication is successful then the portal talks to the firewall and grants access to the client's IP address.
Pros:
- No client software or configuration is necessary other than sensible defaults (DHCP). This means that everything from a desktop to a palm pilot could potentially use this as a method of getting on the internet.
- Very flexible, the portal can authenticate the client from any type of database (System, LDAP, Radius, SSL Certificates, TACACS, SQL etc).
- The authentication can happen over an SSL protected web site which means that the client's username and password is safe from potential hackers.
- Can provide link encryption (like WEP) between the client and the access point, without a shared key.
- Can differentiate network services on a per user basis. This means that you can say that one client gets full access to the internet, yet another can only use up to 64k of bandwidth.
- Can provide options based on the time of day (e.g. anonymous access is only allowed during off peak hours, 9:00am to 5:00pm).
- The portal can potentially provide other services. Bandwidth control, traffic shaping, file serving, email and community web pages are all realistic options.
There are several OpenSource PortalSoftware packages that do this already, including NoCatAuth and the up-and-coming MetaNet.
Cons:
- By using something other than the access point to control access you introduce a new point of failure.
- This would probably run on a computer running one of the free Unixes (most likely Linux, FreeBSD or OpenBSD). These boxes are complicated and can be tricky to fix if/when they break.
- The more features you offer, the more complicated the box. The more complicated the box, the more likely it is to break and the harder it is to fix.
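The captive portal flow described above, as an added example that is not code from the original page or from NoCatAuth/MetaNet: an unauthenticated client is redirected to the login page, a successful login opens the firewall for that client's IP (with an optional per-user bandwidth tier), anonymous access is allowed only in a time window, and one client can be revoked without disturbing the others. The portal URL, user database and time window are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import time

PORTAL_URL = "https://portal.example.invalid/login"   # hypothetical login page
ANON_WINDOW = (time(9, 0), time(17, 0))                # hours when anonymous access is allowed

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _user(password: str, cap_kbit):
    salt = os.urandom(16)
    return (salt, _kdf(password, salt), cap_kbit)

# Constructed user database: username -> (salt, password hash, bandwidth cap in kbit/s or None)
USERS = {"alice": _user("correct horse", None), "guest": _user("guest", 64)}

@dataclass
class Gateway:
    """Captive-portal gateway: clients get an address via DHCP but are firewalled
    until they log in; `rules` records the firewall actions the gateway would apply."""
    allowed: dict = field(default_factory=dict)   # client IP -> username
    rules: list = field(default_factory=list)     # ("allow", ip) / ("shape", ip, kbit) / ("deny", ip)

    def handle_http(self, client_ip: str, url: str, now: time) -> str:
        """Let authenticated (or in-window anonymous) clients through; capture the rest."""
        if client_ip in self.allowed:
            return "PASS"
        if ANON_WINDOW[0] <= now < ANON_WINDOW[1]:
            return "PASS"                       # time-of-day anonymous access
        return f"302 {PORTAL_URL}?next={url}"   # redirect to the login page

    def login(self, client_ip: str, user: str, password: str) -> bool:
        """Check credentials posted to the portal; open the firewall for this IP on success."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec[1], _kdf(password, rec[0])):
            return False
        self.allowed[client_ip] = user
        self.rules.append(("allow", client_ip))
        if rec[2] is not None:                  # per-user bandwidth tier
            self.rules.append(("shape", client_ip, rec[2]))
        return True

    def revoke(self, client_ip: str) -> None:
        """Remove one client without affecting anyone else (unlike changing a WEP key)."""
        self.allowed.pop(client_ip, None)
        self.rules.append(("deny", client_ip))
```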
802.1x
This is a new option that I don't yet know very much about. Basically 802.1x provides a way of using client side certificates to provide end to end security and authentication for wireless networks. By using LDAP/Radius as authentication backends it's possible to build quite secure networks.
Unfortunately the algorithms currently in use have flaws as well and so 802.1x isn't a huge improvement at this point. It will be fixed but it hasn't happened yet.
-- AdamShand