← Revision 17 as of 2007-11-23 18:04:12
Comment: converted to 1.6 markup
AccessControl is a big issue for wireless networks. Because the physical layer is broadcast over the air, you lose the controls you get for free with conventional Ethernet: eyeballing where the cables go, and knowing that someone has to get into your house or office to plug into your network. Suddenly anyone with a US$50 PCMCIA card can reach your network from 100 feet away (or more).
It is important to be aware of this and to know what your options are for securing your network. Most commercial AccessPoints come with a couple of options; each has its strengths and weaknesses.
ESSID (Extended Service Set Identifier)
This is the most basic method and comes with 802.11. When you create a network in InfrastructureMode you must give it a name (the SSID). To connect to your network a client must know that name, and many AccessPoints can be told not to advertise it in their beacons.
Pros:
- It's very simple and easy to use.
Cons:
- An unauthorized client can sniff the ESSID from the air. Even when the access point leaves it out of its beacons, it is sent in the clear in probe responses and association requests; WEP does not encrypt management frames, so enabling WEP does not hide it.
- It's a shared secret, so it won't scale: the only way to revoke one client is to rename the network for everyone.
- It provides no encryption of traffic on the network.
MAC (or Ethernet) Address Filtering
This method lets you control who can connect to your wireless network by the MacAddress of their wireless network card. Every wireless card (just like an Ethernet card) has a unique address. By limiting access to only the MACs that you specify, you control who can use your access point.
Pros:
- It's not a shared key system so it will scale better.
- It's relatively simple.
Cons:
- You have to maintain the list of client MAC addresses manually. Depending on how many clients you have, this may or may not be an issue.
- It provides no encryption of traffic on the network.
- An unauthorized client can sniff the MAC addresses of authorized clients from the air, because the address fields of every frame are sent in the clear even when the body is encrypted.
- MAC addresses aren't as "unique" as they used to be. On many (if not most) wireless cards you can change the MAC with a software tool that comes with the card, or with the operating system. Combined with the previous point, this makes getting past the filter fairly trivial.
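To make the ESSID and MAC-filtering cons concrete, here is an added example that is not from the original page or from any of the projects it names. It parses constructed 802.11 frames the way a passive listener would: the SSID shows up in the clear in a probe response and an association request even though the beacon is cloaked, and station MAC addresses are readable in a WEP-protected data frame because only the body is encrypted. The frame layout follows IEEE 802.11; the addresses, the SSID "ptp-node" and the WEP payload bytes are constructed sample data.

```python
import struct
from dataclasses import dataclass, field

# 802.11 frame-control type/subtype values and flag bits used below.
MGMT, DATA = 0, 2
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 4, 5, 8
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
IE_SSID = 0
HDR = "<BBH6s6s6sH"   # frame control, duration, addr1..3, sequence control (24 bytes)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ie(tag: int, value: bytes) -> bytes:
    """One tag/length/value information element."""
    return bytes([tag, len(value)]) + value


def build_frame(ftype, subtype, flags, a1, a2, a3, body):
    """MAC header + body; the trailing FCS is omitted, as most capture tools strip it."""
    fc0 = (subtype << 4) | (ftype << 2)
    return struct.pack(HDR, fc0, flags, 0, mac_bytes(a1), mac_bytes(a2), mac_bytes(a3), 0) + body


def parse_ies(buf: bytes) -> dict:
    out, i = {}, 0
    while i + 2 <= len(buf):
        tag, ln = buf[i], buf[i + 1]
        out[tag] = buf[i + 2:i + 2 + ln]
        i += 2 + ln
    return out


@dataclass
class Observation:
    ssids: dict = field(default_factory=dict)     # bssid -> SSID seen in the clear
    stations: dict = field(default_factory=dict)  # bssid -> set of client MACs


def observe(frames) -> Observation:
    """What a passive listener learns from raw frames, whether or not WEP is on."""
    obs = Observation()
    for f in frames:
        fc0, flags, _, a1, a2, a3, _ = struct.unpack(HDR, f[:24])
        ftype, subtype, body = (fc0 >> 2) & 3, fc0 >> 4, f[24:]
        if ftype == MGMT:
            # Management frames: addr1 = DA, addr2 = SA, addr3 = BSSID. WEP never encrypts them.
            bssid = mac_str(a3)
            if subtype in (BEACON, PROBE_RESP):
                ies = parse_ies(body[12:])   # skip timestamp, beacon interval, capability
            elif subtype == ASSOC_REQ:
                ies = parse_ies(body[4:])    # skip capability, listen interval
                obs.stations.setdefault(bssid, set()).add(mac_str(a2))
            elif subtype == PROBE_REQ:
                ies = parse_ies(body)
            else:
                continue
            ssid = ies.get(IE_SSID, b"")
            if ssid:                         # a zero-length SSID is a cloaked beacon
                obs.ssids[bssid] = ssid.decode(errors="replace")
        elif ftype == DATA:
            # WEP encrypts only the body; the address fields are always plaintext.
            if flags & FLAG_TO_DS and not flags & FLAG_FROM_DS:
                bssid, station = mac_str(a1), mac_str(a2)   # client -> AP: addr2 is the client
            elif flags & FLAG_FROM_DS and not flags & FLAG_TO_DS:
                bssid, station = mac_str(a2), mac_str(a1)   # AP -> client: addr1 is the client
            else:
                continue
            obs.stations.setdefault(bssid, set()).add(station)
    return obs


def make_mac_filter(allow_list):
    """The access point's check: is the frame's source address on the list?"""
    allowed = {m.lower() for m in allow_list}
    return lambda src_mac: src_mac.lower() in allowed


def spoof_past_filter(obs, bssid, allows):
    """Attacker's move: reuse any address already seen talking to the AP."""
    for victim in sorted(obs.stations.get(bssid, ())):
        frame = build_frame(DATA, 0, FLAG_TO_DS, bssid, victim, "ff:ff:ff:ff:ff:ff", b"")
        src = mac_str(struct.unpack(HDR, frame[:24])[4])
        if allows(src):
            return src
    return None


# constructed traffic: cloaked beacon, probe response, association request, WEP data frame
AP, CLIENT1, CLIENT2 = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
FIXED = struct.pack("<QHH", 0, 100, 0x0011)   # timestamp, beacon interval, capability
SAMPLE_FRAMES = [
    build_frame(MGMT, BEACON, 0, "ff:ff:ff:ff:ff:ff", AP, AP, FIXED + ie(IE_SSID, b"")),
    build_frame(MGMT, PROBE_RESP, 0, CLIENT1, AP, AP, FIXED + ie(IE_SSID, b"ptp-node")),
    build_frame(MGMT, ASSOC_REQ, 0, AP, CLIENT1, AP, b"\x11\x00\x0a\x00" + ie(IE_SSID, b"ptp-node")),
    build_frame(DATA, 0, FLAG_TO_DS | FLAG_PROTECTED, AP, CLIENT2, "00:11:22:33:44:01", bytes(range(20))),
]
```

Running observe(SAMPLE_FRAMES) yields the SSID and both client addresses; make_mac_filter and spoof_past_filter then show that the filter's only input is a field the attacker has just read and can set.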
WEP (Wired Equivalent Privacy)
This is a security method built into the 802.11 protocol. It uses a shared key: you configure a key (basically a password) into your access point, and a wireless client must know the key and enter it into its software before it can connect.
Pros:
- It's simple and comes with almost all 802.11 cards.
- In addition to providing AccessControl it provides link encryption, which keeps your data safe(r) from people snooping on it.
- 40-bit WEP is a standard that works with all WiFi certified cards (which is most of them); many cards also support 104-bit WEP.
Cons:
- Though 40-bit encryption is certainly better than nothing, it is not considered safe anymore and is vulnerable to brute-force attacks (the key space is only 2^40, about 10^12 keys).
- The more secure 104-bit WEP is not a standard, and interoperability between cards from different vendors is not guaranteed.
- Researchers at Berkeley have demonstrated attacks that use flaws in the WEP protocol itself, rather than the key length, to break the encryption: reused RC4 keystreams and a linear CRC checksum. Again, it's not trivial, but it has been proven possible.
- It doesn't scale. In a community setting WEP means that if you want to remove access from someone (because you don't like them, they've abused your network or whatever), the only way to do it is to change the shared key. By doing this you also break everybody else using your network, and before they can use it again you have to contact them and tell them the new key.
Note: WEP+ and WPA keep RC4 for compatibility with existing hardware but change how it is keyed. WEP+ is a vendor extension that avoids the weak IVs exploited by the known key-recovery attack; WPA (TKIP) mixes a fresh per-packet key from a 48-bit sequence counter, replaces the linear CRC with a keyed integrity check (Michael), and rekeys through a handshake instead of relying on one static key. The common idea is to make sure no key is used long enough to collect the traffic needed to break it. In short, it's an ugly but fairly effective solution.
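The following is an added example, not from the original page: a toy WEP implementation (RC4 keystream seeded with IV || key, 24-bit IV, CRC-32 ICV) that reproduces two of the protocol flaws the Berkeley work relied on, neither of which needs the key. A repeated IV reuses the RC4 keystream, so one known plaintext exposes the same span of another frame; and because CRC-32 is affine, an attacker can flip chosen bits in an encrypted frame and correct the ICV to match. The key, IV and messages are constructed sample values. This per-key exposure, which grows with every frame sent under the same key, is what the fast rekeying described in the note is meant to limit.

```python
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus `length` bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, no key involved."""
    return struct.pack("<I", zlib.crc32(data))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 seed is IV || shared key; the 3-byte IV travels in the clear."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (data, icv_ok); a real receiver drops frames whose ICV fails."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data, tag == icv(data)


def recover_via_iv_reuse(frame_a: bytes, frame_b: bytes, known_a: bytes) -> bytes:
    """Two frames under one IV share a keystream: C_a xor C_b = P_a xor P_b.
    Knowing P_a (an ARP, a DHCP request, an HTTP GET...) yields the keystream
    prefix, which decrypts the same span of frame_b with no key at all."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; no keystream reuse")
    n = len(known_a)
    keystream = xor(frame_a[3:3 + n], known_a)
    return xor(frame_b[3:3 + n], keystream)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Change the plaintext by `delta` without the key. CRC-32 is affine:
    crc(P xor D) = crc(P) xor crc(D) xor crc(0^n), so the ICV correction
    depends only on D and the frame length, and is applied through the
    keystream exactly like the data change itself."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    delta = delta.ljust(n, b"\x00")
    icv_delta = struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(bytes(n)))
    return iv + xor(body[:n], delta) + xor(body[n:], icv_delta)


# constructed sample values: a 40-bit key, one reused IV, two same-length payloads
KEY = b"\x01\x02\x03\x04\x05"
IV = b"\x00\x00\x2a"
FRAME_A = wep_encrypt(KEY, IV, b"GET /index.html ")
FRAME_B = wep_encrypt(KEY, IV, b"secret password!")
```

With a 24-bit IV the sender has at most 2^24 distinct IVs per key, and many early cards reset the counter to zero on every power-up, so the collision in FRAME_A and FRAME_B is the normal case rather than a contrived one.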
Captive (or Forced) Portal
While WEP and MAC filtering will probably deter all but the dedicated hacker, they still have significant usability issues. Neither scales very well, neither allows self-provisioning via a web page (or any other method), and both have known, usable ways around them.
One possible answer to these problems is a CaptivePortal. Captive portals (also referred to as forced portals) have been used for a while by vendors like Nortel and Cisco to control DSL customers' access to the Internet. Basically they work by giving the client connectivity without any authentication (no password or anything), but firewalling the client at a point where it can't reach anything interesting or useful. As soon as the client tries to open a web site it is forced (or captured) to the portal's web page. There the client logs in with a username and password; if authentication succeeds, the portal tells the firewall to grant access to the client's IP address (and usually its MAC address as well).
Pros:
- No client software or configuration is necessary other than sensible defaults (DHCP). This means that everything from a desktop to a Palm Pilot could potentially use this as a method of getting on the Internet.
- Very flexible: the portal can authenticate the client against any type of database (system accounts, LDAP, Radius, SSL certificates, TACACS, SQL, etc.).
- The authentication can happen over an SSL-protected web site, which means the client's username and password are not exposed to anyone sniffing the air.
- Can provide link encryption (like WEP) between the client and the access point without a shared key.
- Can differentiate network services on a per-user basis. This means you can say that one client gets full access to the Internet while another can only use up to 64 kbit/s of bandwidth.
- Can provide options based on the time of day (e.g. anonymous access is only allowed during off-peak hours, 9:00am to 5:00pm).
- The portal can potentially provide other services: bandwidth control, traffic shaping, file serving, email and community web pages are all realistic options.
- There are several OpenSource PortalSoftware packages that do this already, including NoCatAuth and the upcoming MetaNet.
Cons:
- By using something other than the access point to control access you introduce a new point of failure.
- This would probably run on a computer running one of the free Unixes (most likely Linux, FreeBSD or OpenBSD). These boxes are complicated and can be tricky to fix if/when they break.
- The more features you offer, the more complicated the box; the more complicated the box, the more likely it is to break and the harder it is to fix.
- Access is granted to an IP address (and MAC address) the portal has seen, so, just as with MAC filtering above, a client who can sniff an authorized client's addresses can spoof them unless the link is also encrypted.
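Added example, not from the original page or from any of the portal packages it names: a simulation of the gateway logic described above. Unauthorized clients get DHCP-level connectivity, their HTTP is redirected to the portal, and everything else (DNS aside) is dropped; a successful login adds a grant keyed on the client's IP and MAC with an expiry and a per-user bandwidth class, and one user can be revoked on their own, which is the scaling advantage over WEP's shared key. The portal URL, the anonymous-access window, the user table (a local salted PBKDF2 store standing in for LDAP/Radius) and the credentials are constructed assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

PORTAL_URL = "https://portal.example/login"   # assumed address of the login page
ANON_HOURS = range(9, 17)                     # assumed window for anonymous access


@dataclass
class Session:
    user: str
    expires: float
    kbps: Optional[int]    # None = unlimited


def make_user(password: str):
    """Local stand-in for an LDAP/Radius backend: a salted PBKDF2 hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Gateway:
    """Firewall state of a captive-portal gateway. Nothing is forwarded for an
    (ip, mac) pair until the portal has authorized it."""

    def __init__(self, users, now=time.time):
        self.users = users          # username -> (salt, pbkdf2 digest)
        self.now = now              # injectable clock so expiry can be tested
        self.sessions = {}          # (ip, mac) -> Session

    def _session(self, ip, mac):
        s = self.sessions.get((ip, mac))
        if s is None:
            return None
        if s.expires <= self.now():
            del self.sessions[(ip, mac)]   # lazy expiry of stale grants
            return None
        return s

    def handle(self, ip, mac, proto, dport, hour=None):
        """Verdict for one packet: ('forward', kbps), ('redirect', url) or ('drop', None)."""
        s = self._session(ip, mac)
        if s is not None:
            return ("forward", s.kbps)
        if hour is not None and hour in ANON_HOURS:
            return ("forward", 64)         # anonymous access in the window, rate limited
        if proto == "udp" and dport == 53:
            return ("forward", None)       # DNS must work or the browser never reaches the redirect
        if proto == "tcp" and dport == 80:
            return ("redirect", PORTAL_URL)
        return ("drop", None)              # includes HTTPS: it can't be redirected without a certificate warning

    def login(self, ip, mac, user, password, ttl=3600, kbps=None):
        """Called by the portal (over SSL) once it has the client's credentials."""
        salt, digest = self.users.get(user, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        if not hmac.compare_digest(candidate, digest):   # unknown user compares against b""
            return False
        self.sessions[(ip, mac)] = Session(user, self.now() + ttl, kbps)
        return True

    def revoke(self, user):
        """Drop one user's grants; everyone else keeps working (contrast with rekeying WEP)."""
        doomed = [k for k, s in self.sessions.items() if s.user == user]
        for k in doomed:
            del self.sessions[k]
        return len(doomed)
```

The clock is injected so that expiry can be exercised deterministically; a real gateway would also re-check the session on a timer rather than only when a packet arrives.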
802.1x
This is a new option that I don't yet know very much about. Basically 802.1x is a port-based authentication framework: the access point blocks everything except authentication traffic until the client has proved its identity with an EAP method, which can use client-side certificates (EAP-TLS) among other credentials. With LDAP/Radius as the authentication backend, and per-session keys handed out after authentication, it's possible to build quite secure networks.
Unfortunately the EAP methods and key management in common use at the time of writing have flaws as well, so 802.1x isn't a huge improvement at this point. It will be fixed, but it hasn't happened yet.
-- AdamShand