
Friday, September 10, 2010

Wireless Security Filtering

Filtering

Managing access to a WLAN through WEP keys or authentication is one viable security measure. You can also configure access to be restricted according to device; to do this, you use the Media Access Control (MAC) address or Internet Protocol (IP) address. For example, you can employ filtering on your APs to keep out clients who do not have an authorized client adapter. Without an explicitly approved MAC address on the network adapter, it doesn't matter if the correct username and password are presented because the AP does not allow access.

Simply put, filtering checks a wireless client's MAC or IP address against a list of authorized MAC or IP addresses maintained on the AP. When a client tries to connect to the AP, it must be on the list. If it is not, the client cannot connect.

Filtering should not be the only security measure, however. Both MAC and IP addresses can be spoofed, thus circumventing this layer of security.

MAC Filtering

You can set up a MAC filter two ways:

  • To pass traffic to and from all MAC addresses except those you specify.

  • To block traffic to and from all MAC addresses except those you specify.

Furthermore, you can apply these filters to either or both the Ethernet and radio ports and to incoming or outgoing traffic.

Note

Be careful when setting MAC filters. If you incorrectly apply the setting, you can easily lock yourself out of the AP. If this does occur, use the command-line interface (CLI) to disable filters, and then go in and correct your mistake.

MAC filters are managed on the MAC Address Filters page; simply follow these steps:

Step 1. On the AP's web page, click Services on the menu to the left of the page.

Step 2. Click Filters in the list of services.

Step 3. Click the Mac Address Filters tab on the Apply Filters page.

After you reach the Apply Filters page, you can enable MAC address filters.

Note

Be aware that software often changes. The version of the AP firmware you use might differ from what is shown here, but the steps are similar.

Setting MAC Filters

To configure a MAC filter, follow these steps:

Step 1. To create a new MAC address filter, use the Create > Edit Filter Index menu. To edit an existing filter, select its number from that menu.

Step 2. In the Filter Index field, identify the filter with a number between 700 and 799. This number is used to assign an access control list (ACL) for the filter.

Step 3. Enter a MAC address in the Add MAC Address field. The address is entered as three groups of four characters, separated by periods (for example, 0125.4275.7879).

Step 4. Use of the Mask entry field enables the filter to check against certain bits, but not others. For example, if you have several clients whose MAC addresses all end in the same four bits, you can use the mask to allow any clients whose MAC address matches those four bits. If you want to force an exact match of the MAC address, in the Mask entry field, enter FFFF.FFFF.FFFF. If you just want to check the last four bits, enter FFFF.FFFF.0000.

Step 5. Choose Action > Forward or choose Action > Block.

Step 6. Click Add. The MAC address you entered has been added to the Filters Classes field. You can remove this address by selecting it and clicking Delete Class.

Step 7. Choose Default Action > Forward All or Default Action > Block All. You must establish the default action for this filter, and it must be the opposite of the action for at least one of the MAC addresses in the filter. For example, if you chose Forward for several MAC addresses, you should select Block All as the filter's default action.

Step 8. Click Apply.

Step 9. Click the Apply Filters tab.

Step 10. Select the filter number from one of the MAC drop-down menus. The filter can be applied to either the Ethernet port, the radio ports, or both. You can also apply the filter to incoming traffic, outgoing traffic, or both.

Step 11. Click Apply.

Note

You need to restart the system so that all clients are appropriately filtered.

IP Filtering

You can also limit access to your AP with IP filters. IP filtering can be applied based on IP address, IP protocol, and IP port. This allows or prevents the use of specific protocols through the AP's Ethernet and radio ports. As with MAC filtering, you can set up the filter to allow or deny sending or receiving traffic from the AP based on IP address. You can set up IP filters to combine all three IP filtering components (address, protocol, and port).

IP filters are managed on the IP Filters page.

To reach the IP Filters page, follow these steps:

Step 1. On the AP's web page, click Services on the menu to the left of the page.

Step 2. Click Filters in the list of services.

Step 3. Click the IP Filters tab.

After you reach this page, you can enable IP filters.

Setting IP Filters

To configure an IP address filter, follow these steps:

Step 1. To create a new IP address filter, use the Create > Edit Filter Index menu. To edit an existing filter, select its number from that menu.

Step 2. In the Filter Name field, identify the filter with a name.

Step 3. Select Default Action > Forward All or Default Action > Block All. You must establish the default action for this filter, and it must be the opposite of the action for at least one of the IP filter classes. For example, if you chose Forward for several IP addresses, you should select Block All as the filter's default action.

Step 4. To filter a specific IP address, enter that address under the IP Address section. The Destination Address field filters traffic going to an address; the Source Address field filters traffic coming from a given IP address.

Note

If you intend to block traffic to all IP addresses except those specified, make sure you include the IP address of your own computer in the list of specified exceptions; otherwise, your computer is shut out from the AP.

Step 5. The Mask entry field allows the filter to check against certain bits, but not others. Type the subnet mask in this field. The mask is used if you are filtering everything to or from a subnet.

Step 6. Select Action > Forward or select Action > Block.

Step 7. Click Add. The IP address you entered has been added to the Filters Classes field. This address can be removed if you select it and click Delete Class.

Step 8. To filter an IP protocol, select one of the protocols from the IP protocol drop-down menu, or select the Custom radio button and enter the number of an existing ACL in the Custom field. Enter an ACL number from 0 to 255.

Step 9. Select Action > Forward or select Action > Block.

Step 10. Click Add. The protocol appears in the Filters Classes field. This field is at the bottom of the page and is shown in Figure 8-4. This filter can be removed if you click Delete Class.

Step 11. To filter a TCP or UDP port protocol, select one of the common port protocols from the TCP Port or UDP Port drop-down menus, or you can select the Custom radio button and enter the number of an existing protocol in one of the Custom fields. Enter a protocol number from 0 to 65535.

Step 12. Select Action > Forward or select Action > Block.

Step 13. Click Add. The protocol appears in the Filters Classes field. This filter can be removed if you click Delete Class.

Step 14. Click Apply.

Step 15. Click the Apply Filters tab.

Step 16. Select the filter names from one of the IP drop-down menus. The filter can be applied to the Ethernet port, the radio ports, or both. You can also apply the filter to incoming traffic, outgoing traffic, or both.

Step 17. Click Apply.
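To make the filter model behind both the MAC and IP procedures above concrete, here is an added example (written for this page, not Cisco's code) that evaluates a filter the way the Apply Filters page describes it: an ordered list of classes, each with a Forward or Block action, falling through to a default action that must be the opposite of at least one class. Assumptions not stated on the page: a mask hex digit of F means "compare this digit" and 0 means "ignore it" (consistent with FFFF.FFFF.FFFF being an exact match), a packet is described by IPv4 source/destination, IP protocol number and destination port, and all addresses below are constructed sample values.

```python
"""Model of the AP's MAC and IP filter logic (added example, not vendor code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

FORWARD, BLOCK = "forward", "block"


def mac_to_int(mac: str) -> int:
    """Parse the AP's 'hhhh.hhhh.hhhh' notation into a 48-bit integer."""
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


@dataclass
class MacClass:
    address: str
    mask: str = "FFFF.FFFF.FFFF"   # exact match unless a partial mask is given
    action: str = FORWARD

    def matches(self, mac: str) -> bool:
        # Assumption: F digits in the mask are compared, 0 digits are ignored.
        m = mac_to_int(self.mask)
        return (mac_to_int(mac) & m) == (mac_to_int(self.address) & m)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int                 # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    dport: Optional[int] = None   # TCP/UDP destination port, if any


@dataclass
class IpClass:
    action: str
    src: Optional[IPv4Network] = None   # Source Address + Mask fields
    dst: Optional[IPv4Network] = None   # Destination Address + Mask fields
    protocol: Optional[int] = None      # IP protocol drop-down / Custom (0-255)
    dport: Optional[int] = None         # TCP or UDP port drop-down / Custom (0-65535)

    def matches(self, pkt: Packet) -> bool:
        return all([
            self.src is None or IPv4Address(pkt.src) in self.src,
            self.dst is None or IPv4Address(pkt.dst) in self.dst,
            self.protocol is None or pkt.protocol == self.protocol,
            self.dport is None or pkt.dport == self.dport,
        ])


@dataclass
class Filter:
    """One filter as built on the page: its classes plus a default action."""
    default_action: str
    classes: list = field(default_factory=list)
    index: Optional[int] = None   # MAC filters carry an index of 700-799

    def validate(self) -> None:
        if self.default_action not in (FORWARD, BLOCK):
            raise ValueError("default action must be Forward All or Block All")
        if self.index is not None and not 700 <= self.index <= 799:
            raise ValueError("MAC filter index must be between 700 and 799")
        # Step 7 (MAC) / Step 3 (IP): the default must be the opposite of at least
        # one class, otherwise the filter forwards or blocks everything.
        if not any(c.action != self.default_action for c in self.classes):
            raise ValueError("default action must be the opposite of at least one class")

    def decide(self, subject) -> str:
        """First matching class wins; otherwise the default action applies."""
        self.validate()
        for c in self.classes:
            if c.matches(subject):
                return c.action
        return self.default_action


def subnet(addr: str, mask: str) -> IPv4Network:
    """Combine the IP Address and (subnet) Mask fields into one network."""
    return IPv4Network(f"{addr}/{mask}", strict=False)


def demo() -> dict:
    # MAC filter: admit one exact adapter and one 6-hex-digit prefix, block the rest.
    mac_filter = Filter(BLOCK, index=700, classes=[
        MacClass("0125.4275.7879"),                          # the page's example address
        MacClass("00A0.CC00.0000", mask="FFFF.FF00.0000"),   # constructed prefix class
    ])
    # IP filter: let DNS, HTTPS and pings to one gateway address out; block the rest.
    ip_filter = Filter(BLOCK, classes=[
        IpClass(FORWARD, protocol=17, dport=53),
        IpClass(FORWARD, protocol=6, dport=443),
        IpClass(FORWARD, dst=subnet("192.168.1.10", "255.255.255.255"), protocol=1),
    ])
    return {
        "known_adapter": mac_filter.decide("0125.4275.7879"),
        "vendor_prefix": mac_filter.decide("00A0.CC12.3456"),
        "unknown_adapter": mac_filter.decide("0125.4275.0000"),
        "dns": ip_filter.decide(Packet("192.168.1.50", "192.0.2.53", 17, 53)),
        "telnet": ip_filter.decide(Packet("192.168.1.50", "192.168.1.1", 6, 23)),
        "ping_gateway": ip_filter.decide(Packet("192.168.1.50", "192.168.1.10", 1)),
    }
```

Calling `demo()` shows the same address being forwarded or blocked depending only on the class list and default, which is also why a filter whose classes all share the default action is rejected before it can lock everyone out (or let everyone in).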

Thursday, September 9, 2010

10 Tips for Wireless Home Network Security

Many folks setting up wireless home networks rush through the job to get their Internet connectivity working as quickly as possible. That's totally understandable. It's also quite risky as numerous security problems can result. Today's Wi-Fi networking products don't always help the situation as configuring their security features can be time-consuming and non-intuitive. The recommendations below summarize the steps you should take to improve the security of your home wireless network.

1. Change Default Administrator Passwords (and Usernames)

At the core of most Wi-Fi home networks is an access point or router. To set up these pieces of equipment, manufacturers provide Web pages that allow owners to enter their network address and account information. These Web tools are protected with a login screen (username and password) so that only the rightful owner can do this. However, for any given piece of equipment, the logins provided are simple and very well-known to hackers on the Internet. Change these settings immediately.

2. Turn on (Compatible) WPA / WEP Encryption

All Wi-Fi equipment supports some form of encryption. Encryption technology scrambles messages sent over wireless networks so that they cannot be easily read by humans. Several encryption technologies exist for Wi-Fi today. Naturally you will want to pick the strongest form of encryption that works with your wireless network. However, the way these technologies work, all Wi-Fi devices on your network must share the identical encryption settings. Therefore you may need to find a "lowest common denominator" setting.

3. Change the Default SSID

Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally "linksys." True, knowing the SSID does not by itself allow your neighbors to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. Change the default SSID immediately when configuring wireless security on your network.

4. Enable MAC Address Filtering

Each piece of Wi-Fi gear possesses a unique identifier called the physical address or MAC address. Access points and routers keep track of the MAC addresses of all devices that connect to them. Many such products offer the owner an option to key in the MAC addresses of their home equipment, which restricts the network to only allow connections from those devices. Do this, but also know that the feature is not as powerful as it may seem. Hackers and their software programs can fake MAC addresses easily.

5. Disable SSID Broadcast

In Wi-Fi networking, the wireless access point or router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where Wi-Fi clients may roam in and out of range. In the home, this roaming feature is unnecessary, and it increases the likelihood someone will try to log in to your home network. Fortunately, most Wi-Fi access points allow the SSID broadcast feature to be disabled by the network administrator.

6. Do Not Auto-Connect to Open Wi-Fi Networks

Connecting to an open Wi-Fi network such as a free wireless hotspot or your neighbor's router exposes your computer to security risks. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying you (the user). This setting should not be enabled except in temporary situations.

7. Assign Static IP Addresses to Devices

Most home networkers gravitate toward using dynamic IP addresses. DHCP technology is indeed easy to set up. Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from your network's DHCP pool. Turn off DHCP on the router or access point, set a fixed IP address range instead, then configure each connected device to match. Use a private IP address range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.

8. Enable Firewalls On Each Computer and the Router

Modern network routers contain built-in firewall capability, but the option also exists to disable them. Ensure that your router's firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router.

9. Position the Router or Access Point Safely

Wi-Fi signals normally reach to the exterior of a home. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. Wi-Fi signals often reach through neighboring homes and into streets, for example. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage.

10. Turn Off the Network During Extended Periods of Non-Use

The ultimate in wireless security measures, shutting down your network will most certainly prevent outside hackers from breaking in! While impractical to turn off and on the devices frequently, at least consider doing so during travel or extended periods offline. Computer disk drives have been known to suffer from power cycle wear-and-tear, but this is a secondary concern for broadband modems and routers.

If you own a wireless router but are only using it for wired (Ethernet) connections, you can also sometimes turn off Wi-Fi on a broadband router without powering down the entire network.

Thursday, August 19, 2010

Security software for your Wireless LAN

The security built into Wireless LAN products is weak, so if you want security over your Wireless LAN, you may want to check the packages listed here.

Generic security solutions

Generic security protocols are totally independent of the underlying technology, so they will work on any kind of wired or wireless connection. Those solutions are often classical, well defined and proven.
  • FreeS/WAN is the popular IPsec package for Linux. Only available with 3DES encryption.
  • WaveSec is a part of the FreeS/WAN project looking at how FreeS/WAN applies to Wireless LANs. They provide tools, documentation and sample configurations.
  • Cerberus, an IPsec implementation from NIST. This implementation contains many different encryption ciphers (including all the AES finalists), but is subject to US export controls.
  • OpenSSH, an Open Source implementation of the SSH protocol. A favorite for Unix users.
  • PoPTop, a PPTP server for Linux.
  • PPTP-Linux, a PPTP client for Linux.

802.11 specific security solutions

802.11 specific solutions are more complex and depend on hardware support. They come in two parts, the first part runs between the card and the Access Point (802.1x, WPA), the second part runs between the Access Point and an authentication server (Radius).

  • Open1x xsupplicant is an Open Source implementation of the 802.1x protocol (capable of using EAP/TLS to authenticate) for Linux and BSD. Recent versions add support for the WPA and WPA2 protocols.
  • Adam Sulmicki has written a FAQ on how to set up 802.1x with Radius under Linux.
  • wpa_supplicant is a complete implementation of the WPA and WPA2 protocols, providing enhanced privacy and security.

Public wireless LAN solutions

If you are deploying public wireless LAN access, you often don't want all those complications and can use a simple captive portal.
  • NoCat is a captive portal based on HTTPS authentication and firewall filtering for Linux, currently in development.
  • Chillispot is a captive portal that supports a Radius authentication server. It also works with WPA instead of HTTP authentication.

Saturday, August 14, 2010

Data Security on Wireless Networks

In the same way that all you need to pick up a local radio station is a radio, all anyone needs to detect a wireless network within nearby range is a wireless-equipped computer. There's no way to selectively hide the presence of your network from strangers, but you can prevent unauthorized people from connecting to it, and you can protect the data traveling across the network from prying eyes. By turning on a wireless network's encryption feature, you can scramble the data and control access to the network.

Wireless network hardware supports several standard encryption schemes, but the most common are Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access 2 (WPA2). WEP is the oldest and least secure method and should be avoided. WPA and WPA2 are good choices, but provide better protection when you use longer and more complex passwords (all devices on a wireless network must use the same kind of encryption and be configured with the same password).

Unless you intend to provide public access to your wireless network — and put your business data or your own personal data at risk — you should consider encryption mandatory.


Wednesday, August 11, 2010

How can you protect from Hacking WPA?

Hacking WPA - If you are here to learn how to hack WPA, you are in the wrong place. Here I will teach you how to protect your wireless network.

I have written a lot on Home-WLAN about WPA. I have encouraged you to use WPA instead of WEP. But many of you have heard something about cracked WPA and that WPA is not safe any more.

Here is some useful advice on how to protect your wireless network from WPA hacking.

So the secret of your unbreakable WPA is very simple:

1) When you use WPA with PSK authentication and TKIP encryption in your home or small office:
- Shorten the TKIP rekey interval in your wireless router so that keys are refreshed in less than 2 minutes.
- Do not use a short dictionary word as the pre-shared key. Use instead a 63-character password made of random characters, including special symbols.

2) In an enterprise environment, do not use WPA with PSK authentication and TKIP encryption. Use WPA with AES (Advanced Encryption Standard) encryption.
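The passphrase advice above can be checked with the derivation WPA-PSK actually uses: the Pairwise Master Key is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so the only thing standing between a captured handshake and the PMK is how many passphrases an attacker must try. The following added example (mine, not the post author's) derives the PMK, generates the recommended 63-character random passphrase, and compares the guessing entropy of a dictionary word against it; the SSID and the 200,000-word dictionary size are constructed assumptions.

```python
"""WPA/WPA2-PSK key derivation and passphrase strength (added example)."""
import hashlib
import math
import secrets
import string

# WPA passphrases are 8-63 printable ASCII characters; the SSID acts as the salt.
PSK_ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
PBKDF2_ITERATIONS = 4096
PMK_BYTES = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), as WPA-PSK defines it."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_BYTES)


def random_psk(length: int = 63) -> str:
    """The 63-character random passphrase the post recommends (CSPRNG-backed)."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def dictionary_word_bits(dictionary_size: int) -> float:
    """A single dictionary word is one guess out of the word list, whatever its length."""
    return math.log2(dictionary_size)


def compare(ssid: str = "home-wlan") -> dict:
    """Contrast a dictionary passphrase with a 63-character random one on one SSID."""
    weak = "sunshine"            # constructed example of a dictionary word
    strong = random_psk()
    return {
        "weak_bits": dictionary_word_bits(200_000),          # assumed word-list size
        "strong_bits": random_string_bits(63, len(PSK_ALPHABET)),
        "pmk_is_256_bit": len(derive_pmk(weak, ssid)) == PMK_BYTES,
        # Changing the SSID changes the PMK, so a default SSID lets precomputed
        # tables be reused; a unique SSID forces per-network work.
        "ssid_salts_pmk": derive_pmk(weak, ssid) != derive_pmk(weak, ssid + "-2"),
        "strong_len": len(strong),
    }
```

The 63-character random passphrase carries roughly 400 bits of entropy against about 18 for a word picked from a 200,000-word list, which is why the rekey interval matters far less than what the key is derived from.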

Wireless Internet Security

Wireless Internet Security was always a big issue. Check here free tips on wireless LAN security and how to secure wireless networks like they are wired.

Disabling physical access to the network is the most important thing in security. For wireless networks this is a much bigger issue than for wired networks. Because of this, wireless networks use authentication and encryption for better security.

The biggest problem with wireless LAN security was that it used WEP as the algorithm protecting IEEE 802.11 wireless networks. WEP, with either open or shared-key authentication, has never deserved its name.
Here you can read about how to find a WEP key in less than a minute.

There is a replacement for WEP that guarantees much better WLAN security than WEP. The best advice is to use WPA and WPA2. Read here about what WPA is and much more.

On WEP vs WPA you can find a comparison of WEP and WPA and why it is recommended to use WPA.

WLAN security with the use of a Radius server, EAP and WPA can be even better than security for wired networks. The only issue is how much money and time you are ready to invest in WLAN security.

The most common Radius servers are Microsoft Radius server, FreeRadius server and Steel Belted Radius. Read more about the Radius server.

Lately there have been lots of articles and videos about hacking WPA. Read more about hacking WPA and how you can make wireless LAN security unbreakable.


Monday, August 9, 2010

Security fix for wireless

Things are looking up on the wireless-networking front.

First and foremost, it looks as though a relatively quick and painless fix may be in the offing for the security problems hanging over the hot wireless technology known as 802.11 -- a.k.a. Wi-Fi, or wireless Ethernet or, depending on your vendor, AirThis or AirThat.

In recent months, you'll recall, cryptographers have identified a series of flaws in the options the IEEE 802.11 spec provides for protecting network traffic from snoopers.

Last month the problem reached crisis proportions, when a team of internationally renowned experts published a paper detailing a gaping hole in WEP, the standard's data-encryption scheme. At least two teams of programmers quickly followed up by posting downloadable programs that make it easy to exploit the newly revealed flaw.

Now, you may not care whether anyone is eavesdropping on your e-mail and Web surfing. Or you may calculate, as I usually do, that you're safe simply because no one is likely to care enough about your boring existence to bother.

But if you're not willing to run that risk, the only prudent assumption at this point, as I noted here last week, is that anything you send over 802.11 is vulnerable to interception -- even if you have all the protocol's standard security mechanisms turned on.

As a team of scientists at NASA's Ames Research Center put it in a press release they issued last week to announce their own home-grown solution, they "decided not to depend on any security provisions bundled with 802.11b products." Instead, they began from "the premise that the network itself provides no reliable authentication and no security from eavesdropping."

(Of course, NASA can afford to take that position, because it has staffers who can develop their own alternative. All they needed, according to the release, was an off-the-shelf PC, some freeware Unix utilities and 40 hours of coding by two security experts. For those of us who don't have such talent at hand, the choices for now are badly flawed security or none at all. In that context "badly flawed" is probably preferable if you're concerned at all about privacy.)

TGI TO THE RESCUE: Even before WEP's vulnerability became public knowledge, the IEEE committee responsible for the 802.11 specification had a task force known as Task Group i developing plans to beef up the standard's security section.

But one of the schemes they were planning, known as WEP2, turned out to be just as vulnerable as the original version to the hack disclosed last month. An alternative encryption technology they were proposing was much more secure, but probably would not have worked on existing 802.11 cards. And the access-control scheme they were working on would require a special back-end authentication server -- something few small offices, let alone home users, are likely to have or want to get involved with.

As recently as a month ago, it appeared that products incorporating the improved security standard -- called 802.11i -- wouldn't be available until the second quarter of next year, or even later. And there were serious doubts as to whether cards and base stations manufactured before that would be upgradable to the new standard.

Here's where we finally get to the good news I promised: In response to the crisis, TGi convened a special session in Seattle last week. Four proposals were submitted for fixing the WEP problem, and while they differ in detail, they're sufficiently similar that it shouldn't be hard to hammer out a single unified plan, according to Dennis Eaton, vice chairman of the Wireless Ethernet Compatibility Alliance, the trade association that represents 802.11 vendors.

All four proposals provide a secure solution to all of the vulnerabilities so far identified, according to Eaton, who also chairs the alliance's technical and security committees. All four would work automatically, transparent to users. And they should have little or no negative effect on network speed, he said.

All four plans were also designed to work on existing Wi-Fi cards and base stations or access points, with only software and firmware updates required, according to Eaton. (Of course, he hastened to add, backward compatibility is "not a done deal" -- there can't be any guarantees until a unified proposal is completed and tested -- but "we're trying like heck" to deliver it.)

As to timing, the group voted unanimously to offer its interim solution without waiting for the full, next-generation security spec to be completed. With luck the fix should be ready this fall.

That may mean it will never be part of an official wireless standard, but under that scenario TGi would hand it off to the 802.11 trade group, which would make it part of the test suite it uses as the criterion for awarding its "Wi-Fi" compatibility certification. Because virtually all vendors of 802.11 products already submit them to that process, the alliance's endorsement would make the security fix a de facto standard.

In other words, if all goes well, the current crisis could be just a bad memory within a matter of months -- perhaps in time for the holiday gift-shopping season. Last year Bill Gates reportedly gave 802.11 cards as Christmas presents. This year tens of thousands may follow his example -- and the recipients shouldn't have to worry about anyone intercepting their mail.

THE BIG GUN: Meanwhile, 802.11 also got a double-barreled endorsement from Intel last week.

The chipmaker has marketed 802.11 products for corporate customers since last year, but for the consumer market it was until recently committed to a rival technology called HomeRF. Last week, however, Intel announced a full line of consumer 802.11 products, which it will market as the AnyPoint II Wireless series.

The line includes a PC Card for notebooks, a USB adapter for desktops and a gateway or base station, all of which are competitively priced. (Details at www.intel.com/anypoint.)

(By the way, I erred a few weeks ago in saying that cards are useless without a base station. Any desktop or notebook PC with both an 802.11 card and a wired Internet connection can function as a base station. I don't usually recommend that approach because it means that PC has to be on for anyone else to get online wirelessly, but it does save some money.)

I haven't yet had a chance to try the Intel products -- they won't actually be in the stores for another week or two -- but I was impressed with what I saw in a demo last week. The setup software is the simplest I've seen this side of Apple's.

For now, Intel's products use only the flawed security mechanisms in the current 802.11 spec, but the company has paid attention to the problem. The products are the first I know of that ship with WEP encryption turned on. And while many vendors' software provides a default network ID, which most users never change and which hackers therefore have no trouble guessing, Intel's software prompts the user during setup to provide a unique name.

An even more important indicator of the company's enthusiasm for 802.11 came from Sean Maloney, a rising star in the company's management who recently assumed the title of executive vice president and general manager of Intel Communications Group.

In a meeting with reporters at last week's Intel Developer Forum, he declared that 802.11 has already won out as the standard for the wireless portions of the giant Ethernet network he predicted will eventually circle the globe. "Bluetooth," he said, "is in full retreat."

(Intel's PR staffers later called to explain that he was talking only about Internet access and that Intel still views Bluetooth as a complementary technology with an important role to play for other applications, such as connecting phones and handheld organizers. But Maloney himself didn't bother to make any such distinction.)

He also suggested that Intel is likely to get into the business of making 802.11 chips. It won't bother with the current version, called 802.11b, but 802.11a, a faster version expected to come to market next year, "starts to look very interesting," and Intel already has hundreds of engineers working on it.

Given Intel's resources and experience in high-volume chip production, that sounds like a challenge for the current leader in the fledgling 802.11a market, a Sunnyvale startup called Atheros Communications. But Intel's commitment should also mean declining prices, continuing technical progress and mainstream support for a technology that's already the most exciting innovation to hit computing in many a year.

Wireless Firewall Gateway White Paper

1. Introduction

With the deployment of wireless network access in the workplace, the requirement for a more enhanced security design emerges. Wireless technology offers a more accessible means of connectivity but does not address the security concerns involved with offering this less restrained service. In order to facilitate management of this network, maintain a secure network model, and keep a high level of usability, a multi-functional device to do these tasks must be placed in the wireless environment.

2. Design Objectives

The WFG (Wireless Firewall Gateway) is designed to take on several different roles in order for the process to be near transparent to the user. Since the wireless network is considered to be an untrusted environment, access is restricted in order to limit the amount of damage that can be inflicted on internal systems and the Internet if an intruder invokes an attack. This impedes the convenience of the wireless service to users who wish to access external sites on the Internet. Since unknown users are difficult to identify and hold accountable for damages, a method of user authentication is needed to ensure that the user takes responsibility for their actions and can be tracked for security concerns. A trusted user can then gain access to services and the commodity Internet from which unauthenticated users are blocked.

Keeping simplicity in mind, the WFG acts as a router between a wireless and external network with the ability to dynamically change firewall filters as users authenticate themselves for authorized access. It is also a server responsible for handing out IP addresses to users, running a website in which users can authenticate, and maintaining a recorded account of who is on the network and when.

Users of the wireless network are only required to have a web browser if they wish to authenticate and dynamic host configuration (DHCP) software, which comes standard on most operating systems. Minimal configuration is required by the user, allowing support for a variety of computer platforms with no additional software. The idea is to keep the wireless network as user-friendly as possible while maintaining security for everyone.

3. Internals

Given the multiple functionalities and enhanced security required for this device, a PC running OpenBSD Unix was chosen with three interfaces on different networks: wireless, external (gateway), and internal (management). The following sections elaborate upon the services that constitute the device's various roles:

3.1 Dynamic Host Configuration Protocol (DHCP) Server

DHCP is used to lease out individual IP addresses to anyone who configures their system to request one. Other vital information such as subnet mask, default gateway, and name server are also given to the client at this time. The WFG uses a beta DHCPv3 open-source server from the Internet Software Consortium with the additional ability to dynamically remove hosts from the firewall access list when DHCP releases a lease for any reason (client request, time-out, lease expiration, and so on). Configuration files for the server are located in /etc and follow the ISC standard (RFC) format. However, the server executable is customized and does not follow these standards. If the server needed to be upgraded, then the source code would need to be re-customized as well.

The DHCP server is configured to listen only on the interface of the wireless subnet. This prevents anyone on the wired network from obtaining a wireless IP address from this server. As an added security measure, packet filters drop any DHCP requests arriving on other interfaces.

3.2 IP Filtering

Stateful filtering is accomplished using OpenBSD's IPF software. IP forwarding is enabled in the kernel, allowing packet filtering to occur between the wireless and external network interfaces. Static filters are loaded at boot from the /etc/ipf.rules file and are designed to minimize remote access to the WFG. Only essential protocols such as NTP, DNS, DHCP, and ICMP are allowed to reach the system. This builds a secure foundation for the restricted environment. For users who do not require an authenticated session, access is granted to selected servers for email, VPN, and web. Where applicable, packet filtering is done at the transport layer (UDP or TCP) to allow for stateful inspection of the traffic. This adds a higher level of security by not having to explicitly permit dynamic or private port sessions into the wireless network.

The same script that authenticates a user over the web also enables their access to the unrestricted environment. When a user connects to the web server, their IP address is recorded; upon successful login, a rule for that address is pushed to the top of the firewall filter list, permitting all TCP and UDP connections out of the wireless network for that IP address.

In order to prevent subsequent users from being granted trusted access when an IP address is recycled, the in-memory database software removes the firewall permit rule whenever the lease's next binding state is set to free, expired, abandoned, released, or reset. The DHCP server will not issue the same IP address until it frees the lease of the last client. This helps avoid the security issue of someone hijacking an IP address that has been authenticated and using it after the valid user is no longer using the wireless service.

3.3 Web Authentication

Web-based authentication is necessary so that any user running any platform can gain access to the wireless network. The open-source Apache web server is configured to securely handle this task. The server implements Secure Socket Layer (SSL) for client/server public-and-private key RSA encryption. Connecting to the web server via HTTP automatically redirects the client browser to use HTTPS. This ensures that the username and password entered by a user will not be sent in clear text. To further increase security, the SSL certificate is signed by Verisign, a trusted Certificate Authority (CA), which assures that an attacker is not imitating the web server to retrieve a user's password information.

A website is set up where a user can go to type in their username and password. This site displays the standard government system access warning and shows the IP address of the user's system (using PHP). Once a user has typed their username and password at the website where prompted, a Perl/CGI script communicates with a Radius server, using RSA's MD5 digest encryption, to determine if the information submitted is correct. If the account information matches what is in the Radius database, then commands to allow their IP address, obtained through the Apache environment variables, are added to the IPF access rules. If the user is not found in the Radius database, or if the password entered is incorrect, a web page stating "Invalid Username and Password" is displayed to the user. If everything is successful, the user is notified of their privileged access.

3.4 Security

Every step is taken to ensure that a desirable security level is maintained both on the WFG system and the wireless network while not hindering functionality and usability. Only hosts connecting from the wireless network can access the web server. For system management purposes, Secure Shell (OpenSSH) connections are permitted from a single, secured host. All other methods of direct connection are either blocked by the firewall filters or denied access through the use of application-based TCP wrappers.

Users' authentication information is encrypted throughout the process: SSL encryption with a certificate signed by a trusted CA between the client's web browser and the server, and MD5 digest encryption between the web server and the Radius system for account verification.

Logs are kept for all systems that gain access to both the restricted and authorized network. The DHCP server keeps a record of which MAC address (NIC address) requests an IP address and when it is released, then passes that information to syslog. Syslog then identifies all logging information from DHCP and writes it to /var/log/dhcpd. Additionally, any user who attempts to authenticate via the web interface has their typed username and source IP address logged with the current time, along with whether or not they were successful. When a lease on an IP address expires and is removed from the firewall filters, it is noted alongside the authentication information in /var/log/wireless. These logs are maintained by the website script and the DHCP server software, not by syslog. Combined, these logs make it possible to identify who is on the network at a given time, either by their userid or by their burned-in physical address, for auditing purposes.

Because the DHCP server is what removes firewall filters, a user could otherwise manually configure a static IP address and authenticate, and the permit rule for that address would never be removed. To prevent this, the CGI script reads in the dhcpd.leases file and determines whether the source IP address, obtained through the environment variable $ENV{'REMOTE_ADDR'}, has an active lease. If no lease is found, or if the lease is expired or abandoned, authentication is denied.
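The lease check described above, and the lease states listed in section 3.2, as an added example in Python (not the whitepaper's Perl/CGI): the functions, field names and the sample dhcpd.leases text are constructed here, and the check refuses any source address that does not hold an active, unexpired lease.

```python
"""Lease check before a captive-portal login, modelled on the WFG's CGI step.
Added example: the functions and the sample lease text are constructed here,
not the whitepaper's Perl."""
import re
from datetime import datetime, timezone

# ISC dhcpd.leases: "lease <ip> { key value; ... }"; later blocks override.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
KEYS = ("binding state", "ends", "hardware ethernet")

def parse_leases(text):
    """Map each IP to the fields of its most recent lease block."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        fields = {}
        for stmt in (s.strip() for s in body.split(";")):
            for key in KEYS:
                if stmt.startswith(key):
                    fields[key] = stmt[len(key):].strip()
        leases[ip] = fields
    return leases

def parse_ends(value):
    """'ends' is 'W YYYY/MM/DD HH:MM:SS' in UTC, or 'never'."""
    if value == "never":
        return None
    _wday, date, clock = value.split()
    ts = datetime.strptime(date + " " + clock, "%Y/%m/%d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc)

def may_authenticate(remote_addr, leases_text, now):
    """Allow the login only for an address holding an active, unexpired lease,
    so a hand-typed static IP never gets a permit rule DHCP cannot retract."""
    lease = parse_leases(leases_text).get(remote_addr)
    if lease is None:
        return False, "no lease for this address"
    state = lease.get("binding state", "unknown")
    if state != "active":
        return False, "lease state is " + state
    ends = parse_ends(lease.get("ends", "never"))
    if ends is not None and ends <= now:
        return False, "lease expired"
    return True, "active lease for " + lease.get("hardware ethernet", "?")

# Constructed sample, not a real capture: .20 is current, .21 ran out,
# .22 was active but its later block records the client releasing it.
SAMPLE_LEASES = """
lease 10.0.0.20 { ends 5 2010/09/10 16:00:00; binding state active; hardware ethernet 00:11:22:33:44:55; }
lease 10.0.0.21 { ends 5 2010/09/10 13:30:00; binding state active; hardware ethernet 00:11:22:33:44:66; }
lease 10.0.0.22 { ends 5 2010/09/10 15:00:00; binding state active; hardware ethernet 00:11:22:33:44:77; }
lease 10.0.0.22 { ends 5 2010/09/10 15:00:00; binding state released; hardware ethernet 00:11:22:33:44:77; }
"""
NOW = datetime(2010, 9, 10, 14, 30, tzinfo=timezone.utc)
```

Call `may_authenticate(remote_addr, open("/var/db/dhcpd.leases").read(), datetime.now(timezone.utc))` from the login handler before any permit rule is added; the second element of the result is a reason suitable for the /var/log/wireless entry.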

For an optimal security solution, the use of Virtual Private Networks (VPN) is recommended. Since implementation of this solution requires VPN software to be installed and configured on each wireless client, it is beyond the scope of this whitepaper.

Sunday, August 8, 2010

Wireless LAN security

One issue with corporate wireless networks in general, and WLANs in particular, involves the need for security. Many early access points could not discern whether or not a particular user had authorization to access the network. Although this problem reflects issues that have long troubled many types of wired networks (it has been possible in the past for individuals to plug computers into randomly available Ethernet jacks and get access to a local network), this did not usually pose a significant problem, since many organizations had reasonably good physical security. However, the fact that radio signals bleed outside of buildings and across property lines makes physical security largely irrelevant to piggybackers. Such corporate issues are covered in wireless security.

Concerns

Anyone within the geographical range of an open, unencrypted wireless network can 'sniff' or record the traffic, gain unauthorized access to internal network resources as well as to the Internet, and then possibly send spam or perform other illegal actions using the wireless network's IP address, all of which are rare for home routers but may be significant concerns for office networks.

If router security is not activated, or if the owner deactivates it for convenience, it creates a free hotspot. Since most 21st century laptop PCs have wireless networking built in (cf. Intel 'Centrino' technology), they don't need a third-party adapter such as a PCMCIA card or USB dongle. Built-in wireless networking might be enabled by default without the owner realizing it, thus broadcasting the laptop's accessibility to any computer nearby.

Modern operating systems such as Mac OS or Microsoft Windows make it fairly easy to set up a PC as a wireless LAN 'base station' using Internet Connection Sharing, thus allowing all the PCs in the home to access the Internet via the 'base' PC. However, lack of knowledge about the security issues in setting up such systems often means that someone nearby may also use the connection. Such "piggybacking" is usually achieved without the wireless network operator's knowledge; it may even be without the knowledge of the intruding user if their computer automatically selects a nearby unsecured wireless network to use as an access point.

Security options

There are three principal ways to secure a wireless network.

* For closed networks (like home users and organizations) the most common way is to configure access restrictions in the access points. Those restrictions may include encryption and checks on MAC address. Another option is to disable ESSID broadcasting, making the access point difficult for outsiders to detect. Wireless Intrusion Prevention Systems can be used to provide wireless LAN security in this network model.
* For commercial providers, hotspots, and large organizations, the preferred solution is often to have an open and unencrypted, but completely isolated wireless network. The users will at first have no access to the Internet nor to any local network resources. Commercial providers usually forward all web traffic to a captive portal which provides for payment and/or authorization. Another solution is to require the users to connect securely to a privileged network using VPN.
* Wireless networks are less secure than wired ones; in many offices intruders can easily visit and hook up their own computer to the wired network without problems, gaining access to the network, and it's also often possible for remote intruders to gain access to the network through backdoors like Back Orifice. One general solution may be end-to-end encryption, with independent authentication on all resources that shouldn't be available to the public.

Access Control at the Access Point level

One of the simplest techniques is to only allow access from known, approved MAC addresses. However, this approach gives no security against sniffing, and client devices can easily spoof MAC addresses, leading to the need for more advanced security measures.

Another very simple technique is to have a secret ESSID (id/name of the wireless network), though anyone who studies the method will be able to sniff the ESSID.

Today all (or almost all) access points incorporate Wired Equivalent Privacy (WEP) encryption and most wireless routers are sold with WEP turned on. However, security analysts have criticized WEP's inadequacies, and the U.S. FBI has demonstrated the ability to break WEP protection in only three minutes using tools available to the general public (see aircrack).

The Wi-Fi Protected Access (WPA and WPA2) security protocols were later created to address these problems. If a weak password, such as a dictionary word or short character string, is used, WPA and WPA2 can be cracked. Using a long enough random password (e.g. 14 random letters) or passphrase (e.g. 5 randomly chosen words) makes pre-shared key WPA virtually uncrackable. The second generation of the WPA security protocol (WPA2) is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance. With all of these encryption schemes, any client in the network that knows the keys can read all the traffic.

Restricted access networks

Solutions include a newer system for authentication, IEEE 802.1X, that promises to enhance security on both wired and wireless networks. Wireless access points that incorporate technologies like these often also have routers built in, thus becoming wireless gateways.

End-to-End encryption

One can argue that both layer 2 and layer 3 encryption methods are not good enough for protecting valuable data like passwords and personal emails. Those technologies add encryption only to parts of the communication path, still allowing people to spy on the traffic if they have gained access to the wired network somehow. The solution may be encryption and authorization in the application layer, using technologies like SSL, SSH, GnuPG, PGP and similar.

The disadvantage of the end-to-end method is that it may fail to cover all traffic. With encryption at the router level or via VPN, a single switch encrypts all traffic, even UDP and DNS lookups. With end-to-end encryption, on the other hand, each service to be secured must have its encryption "turned on," and often every connection must also be "turned on" separately. For sending emails, every recipient must support the encryption method and must exchange keys correctly. For the Web, not all web sites offer HTTPS, and even if they do, the browser still sends out IP addresses in clear text.

The most prized resource is often access to the Internet. An office LAN owner seeking to restrict such access will face the non-trivial enforcement task of having each user authenticate to the router.

Open Access Points

Today, there is almost full wireless network coverage in many urban areas; the infrastructure for the wireless community network (which some consider to be the future of the Internet) is already in place. One could roam around and always be connected to the Internet if the nodes were open to the public, but due to security concerns, most nodes are encrypted and the users don't know how to disable encryption. Many people consider it proper etiquette to leave access points open to the public, allowing free access to the Internet. Others think the default encryption provides substantial protection at small inconvenience against dangers of open access that they fear may be substantial even on a home DSL router.

The density of access points can even be a problem: there are a limited number of channels available, and they partly overlap. Each channel can handle multiple networks, but in places with many private wireless networks (for example, apartment complexes), the limited number of Wi-Fi radio channels might cause slowness and other problems.

According to the advocates of Open Access Points, it shouldn't involve any significant risks to open up wireless networks for the public:

* The wireless network is after all confined to a small geographical area. A computer connected to the Internet and having improper configurations or other security problems can be exploited by anyone from anywhere in the world, while only clients in a small geographical range can exploit an open wireless access point. Thus the exposure is low with an open wireless access point, and the risks with having an open wireless network are small. However, one should be aware that an open wireless router will give access to the local network, often including access to file shares and printers.
* The only way to keep communication truly secure is to use end-to-end encryption. For example, when accessing an internet bank, one would almost always use strong encryption from the web browser all the way to the bank, so it shouldn't be risky to do banking over an unencrypted wireless network. The argument that anyone can sniff the traffic applies to wired networks too, where system administrators and possible crackers have access to the links and can read the traffic. Also, anyone knowing the keys for an encrypted wireless network can gain access to the data being transferred over the network.
* If services like file shares, access to printers etc. are available on the local net, it is advisable to have authentication (i.e. by password) for accessing it (one should never assume that the private network is not accessible from the outside). Correctly set up, it should be safe to allow access to the local network to outsiders.
* With the most popular encryption algorithms today, a sniffer will usually be able to compute the network key in a few minutes.
* It is very common to pay a fixed monthly fee for the Internet connection, and not for the traffic - thus extra traffic will not hurt.
* Where Internet connections are plentiful and cheap, freeloaders will seldom be a prominent nuisance.

On the other hand, in some countries including Germany, persons providing an open access point may be made (partially) liable for any illegal activity conducted via this access point.