Go Back   Internet Business Forums > Technology & Internet

Reply
 
Thread Tools Search this Thread Display Modes
Old 13-02-2005, 06:54 AM   #1
rtroxel
Senior Member
 
rtroxel's Avatar
 
Join Date: Oct 2004
Location: Bel Air, Maryland
Posts: 414
Default Is Always-On Always Secure?

One of the critical issues involved with the growing wireless market is security. Consumers and home businesses have been purchasing wireless devices to transmit everything from music to photos. However, mid-sized to large businesses, especially financial ones (banks, brokers, etc.) don't trust this technology, and with a good reason. It's not secure

Layers of Security

A recent article in PC World advises to "layer" your wireless defenses in this manner:

1. To defend themselves against "war driving," users can simply turn on the WEP encryption that is already built in, and most war drivers will just move on to one of the many wireless LANs that isn't protected.

2. Going to the next step, users can implement user authentication and dynamic WPA, with keys that change, to protect themselves from "script kiddies," teenagers who use packaged hacking tools to infiltrate systems. Those authentication systems should include one of the current versions of the Extensible Authentication Protocol. (More about these later.)

3. For protection against professional hackers, the article recommends going the next step to strong encryption systems such as TKIP (Temporal Key Integrity Protocol), which will be used in WPA and 802.11i, or CKIP (Cisco Key Integrity Protocol), a proprietary implementation of the 802.11i recommendations that Cisco developed as a stop-gap measure.

Maximum wireless security, then, is a combination of several techniques: strong authentication and a strong encryption mechanism, coupled with data integrity.

Wi-Fi security currently has four choices: WEP, VPN, WPA and IDS.

WEP

The Wired Equivalence Privacy protocol is the orginal and most widely-used security protocol for wireless devices. There are two problems connected with WEP however. First, it is based on a system of "keys". Hackers using the brute-force or "dictionary" method of entering alphanumeric combinations can eventually uncover the public and private keys.

The keys themselves are short (and therefore easily guessed) and static, instead of being updated dynamically from the server. To update the keys, a technician must visit each device at every location (hot spot, motel, etc). This just isn't practical for most companies.

WAPs

WAPs (Wireless Access Points) are essentially low-frequency radio devices capable of broadcasting over short distances: ten or twenty feet in a home or up to a few city blocks for a business. You can buy a WAP at Best Buy for about $100. They're manufactured by Microsoft, D-Link, Linksys, Netgear, and similar consumer-oriented companies. You can set up a WAP cable modem in your home, install a WAP card in each of your PCs and you now have a wireless home network, with each device having internet access.

But all radio signals are subject to interference; for example, they can be blocked by buildings and bridges. High-tension electrical cables can jam their signals.

Many WAPs are set up by default to respond to the strongest RF signal available. Therefore, anyone can set up a "rogue" WAP to pull the signals from another WAP. You can eavesdrop on your neighbors' wireless networks by setting up your own WAP in your car and driving through the neighborhood.

Going to the next step, users can implement user authentication and dynamic WEP, with keys that change, to protect themselves from "script kiddies," teenagers who use packaged hacking tools to infiltrate systems.
rtroxel is offline   Reply With Quote
Old 13-02-2005, 06:55 AM   #2
rtroxel
Senior Member
 
rtroxel's Avatar
 
Join Date: Oct 2004
Location: Bel Air, Maryland
Posts: 414
Default Re: Is Always-On Always Secure?

Wireless VPNs

Virtual private networking is currently being used to secure internet transmissions through phone lines. This is done by encapsulating the data within a protocol and sending the package out via the TCP/IP protocol. A similar use of this "tunneling" technology can be adapted to wireless transmissions.

Although the IPSec VPN is a tried and true security method for dial-up, it is also limited to IP traffic, complex to configure and needs client-side code. However, VPNs might always be necessary for people working in "hot spots" to connect with the company WLAN.

Therefore, the VPN market is clearly here to stay. VPN market leaders include Cisco, Check Point, Nokia, Nortel Networks, and Symantec. Nokia, in fact, is launching compression software to speed the operation of its cell phones. The company is also planning to market the Opera browser on all its phones.

PDA Security

PDAs are subject to a number of security breaches, including password theft, viruses and data theft through line sniffing.

The biggest security risk to PDAs is theft of the device itself. Securing the data on the device in standalone mode is probably the best type of precaution users can take (along with putting it in your pocket when you go for that second cup of coffee).

The encryption solutions that exist for PDAs typically are one of two types: products to secure the data as the PDA sits in standalone mode, or products to secure the link as the data moves back and forth from infrastructure devices (such as the desktop unit that it uses for hot-syncing).

As with other wireless devices, one of the best ways to protect your PDA is to install a VPN client on on it.

VPNs operate using a client-server architecture, therefore PDAs using VPN clients need to connect to a VPN gateway server residing on the destination network. It is not possible to establish a VPN tunnel with the VPN client by itself. Therefore, unless you have a VPN gateway server on the destination network that your PDA client will connect to, there is no point in trying to configure a VPN client. For stronger VPN security, you'll want to use X.509 digital certificates for authentication.

For example, a policy that requires the wireless port be disabled will reduce the risk of sensitive data being transmitted to unauthorized individuals. By creating end-user behavior security policies, organizations can hold the end-users accountable for security violations.

CheckPoint Security has developed special VPN software for PDAs, and The Intranet Journal has published an excellent primer on PDA security.

Attacker can Introduce a rogue WAP to the WLAN.

Many wireless LANS simply connect to the WAP (Wireless Access Point) with the strongest signal. Low-cost WAPs can be used to detour transmissions which can then be monitored by the attacker. In fact, someone inside a company can install a WAP on the company's wired LAN via the ethernet node in the wall in his office. Hide the WAP under his desk. Then anyone outside the building in a car at midnight has complete access to the corporate LAN. this individual can be detected by monitoring sensors placed at key points around the building.

Denial of Service (DoS) Attacks

This basic form of cyber attack easy to use on WAPs. Like all generators of radio signals, WAPs can be blocked by buildings or bridges and they also can be jammed by other RF devices, including other WAPs. The only drawback for the attacker is that he or she must be physically close to the WAP or else its low-frequency signals can be used. Explain how the DoS attack works.

Wireless Intruder Detection Systems

These are often sniffer devices or software that have been optimized to identify computer system and network intrusions by gathering and analyzing data. The wireless IDS does its work by recognizing patterns of known attacks, identifying abnormal network activity. The software also detects policy violations for WLANs and generates alerts based on predefined signatures or anomalies in the traffic.

Features of a WIDS

1. IDS can be purchased from a vendor or developed in-house. There are also open source solutions like Snort-Wireless and WIDZ.

2. Wireless IDS's can also work in combination with physical sensors because hackers must be within a close physical distance to the WLAN. This procedure also involves the physical deployment of agents to identify the attacker. For this reason IDS technolgy might require more human resources.

3. An IDS typically uses directional antennae to triangulate the 802.11 attacker's signal source. IDS can also spot MAC address spoofing.

4. Wireless IDS is a new technology, so be careful it doesn't interefere with normal WLAN operation by cutting off too many routes and subnets. It can also slow down traffic.

WPA

Wi-Fi Protected Access, developed by Microsoft, Cisco and the Wi-Fi Alliance, an industry trade group which also developed WEP.

WPA is the interim protocol before the ratification of 802.11i, WPA includes rapid key updates, stronger encryption algorithms, and stronger authentication.It also periodically and dynamically generates a new encryption key for each client.

WPA is vulnerable to Denial of Service attacks, however. A hacker can bring down a WPA-protected network by sending at least two packets using the wrong key each second. When this occurs, the WAP assumes that an attacker is trying to gain access to the network and it closes down.

802.11i

Finally, there is the 802.11i protocol, considered the last word in wireless security, and predicted to become the deciding factor for banks and other financial institutions to join the wireless world.

According to PC World, the new protocol will include all the elements of WPA, but with stronger encryption. WEP encrypts data on the wireless network but is flawed because it reuses the same encryption key. A would-be hacker can figure out that key from a small amount of traffic, and WEP also doesn't stop interlopers from altering data as it crosses the network.

Maximum wireless security, then, is a combination of several techniques:strong authentication, a strong encryption mechanism, coupled with data integrity.

Among other improvements, 802.11i will include a system for creating fresh keys at the start of each session. It also will provide a way of checking packets to make sure they are part of a current session and not repeated by hackers to fool network users, Walker said. To manage keys, it will use a RADIUS (Remote Access Dial-In User Service)server to authenticate users and the IEEE 802.1x standard.

The 802.1x Authentication Standard

Among other improvements, the new 802.11i protocol will include a system for creating fresh keys at the start of each session. It also will provide a way of checking packets to make sure they are part of a current session and not repeated by hackers to fool network users. To manage keys, it will use a RADIUS (Remote Access Dial-In User Service)server to authenticate users and the IEEE 802.1x standard.

The authentication process begins when the end user attempts to connect to the WLAN. The authenticator server receives the request and creates a virtual port with the user's device. The authenticator then acts as a proxy for the end user passing authentication information to and from the authentication server on its behalf. The authenticator limits traffic to authentication data to the server. (Note there are TWO servers, a proxy and an authentication server, involved here.)

In a nutshell, the authentication process goes like this:

1. The user (with laptop, PDA or cell phone) sends a message to his business network.

2. The message is encapsulated with the EAP protocol which passes through a proxy server to the network's authentication server. The authentication server sees the EAP header as an "ID card" and then compares it with the other ID numbers in its database.

3. If the end user was accepted, the authenticator (proxy) changes the virtual port with the end user to an authorized state allowing full network access to that end user.

4. When the user logs off, the client virtual port on the server is changed back to the unauthorized state.

The Extensible Authentication Protocol

The 802.1x authentication process outlined above depends on the Extensible Authentication Protocol or EAP.

The problem is that there are currently five different commercial versions of EAP, including a proprietary version from Cisco. In order for 802.1x to work, both client and server must be running the same version of EAP!

Cisco's version, Light EAP (or LEAP) can be compromised by dictionary attacks, and several hospitals that have been using Cisco wireless connectivity. (A denial of service attack on a hospital server could be considered negligent homicide if it caused the death of a patient who was on a life-support system.)

Another version, Protected EAP (PEAP) has ben developed by Cisco, Microsoft and RSA. It uses certifications in a manner similar to SSL and is included in the Windows XP service pack.

(For more details on EAP, consult the Computerworld site.)

In the meantime...

Current measures that a company can take include directional antennae to aim the signal at a specific location and lower transmission power so the signal won't be sent over too large an error.

Measures the home user can take include:

1. Disable or change all default IDs. Many wireless routers or access points come with default IDs. (Cisco uses "tsunami".) The attacker can easily learn the default IDs from the device's manufacturer.

2. Many home devices "broadcast" their existence by default. The broadcast service is useful in corporate environments for workstations to locate a server, but you don't need it in your home - not with war drivers cruising around your neighborhood. Disable the service.

3. Change the default administrator password. Most people do this when they install Windows on their PCs but neglect to do it on a wireless device.

4. Install other security devices that are available. Configure WEP, a fireweall and an ani-virus. These measures might slow down your traffic, so you must be the judge of which is more important: security or speed. If you communicate with your company or do financial transactions from home, these measures might well be worth a little slowness.

But Most Users Don't Care

The average consumers of today's wireless devices aren't overly concerned with security. Instead, they're going for the convenience, speed and novelty of PDAs and cell phones that can transmit pictures. For those people, WEP takes too long to configure and it can actually slow down the processing of their devices. The same is true for VPNs. Unless you have extremely sensitive data (e.g. government classified data), using a VPN on your PDA may not be worth the peformance hits you will suffer.

In the meantime, wireless is still insecure and financial institutions still haven't accepted it. In fact, you can stand in your local mall and eavesdrop on cell phone conversations, just by using your ears.
rtroxel is offline   Reply With Quote
Old 13-02-2005, 10:39 AM   #3
Brian Turner
Business Guru
 
Brian Turner's Avatar
 
Join Date: Dec 2003
Location: Near Inverness, Highlands, Scotland
Posts: 7,951
Default Re: Is Always-On Always Secure?

Stickied.
Brian Turner is offline   Reply With Quote
Old 24-09-2005, 07:42 PM   #4
fakir005
Junior Member
 
Join Date: Sep 2005
Posts: 10
Default Re: Is Always-On Always Secure?

I'm in a fix. I've to criticise the moderator. Moderator will obviousely not allow me. But I'll do it any way. I wish the message was put up by somebody else so I could discuss it because there are uissues involved. The issue involved iis not whether it is "always safe". The issue is if it is ever safe? The answer is it is never safe inspite of the devices or gasgets mentioned by the moderator. The reasons is the flaws. There has not been anything found that does not have flaws.

A Cisco employee was attending a confrence in Neveda and talked about the flaws in the software behind the Cisco routers. The employees was immediately fired and enjoined from talking about any flaws.

People are talking about flaws in browsers, flaws in applications.

What is a flaw. It is something that a hacker uses to get arround the device or the software and do his dastardly deed to do what he wanted to do. Like he may be wanting to get all the computers in your network to crash or he may be wanting to steal all the data in all your files or he may be just trying to steal your passwords or he may be setting up a mirror site and making people believe they are doing business with you. The possibilities are endless.

It's the people like the moderator who make people believe that their sites are encrypted and evedrything is safe and go ahead like nothing wrong is going to happen.

It is these people that Hackers exploit.

There is only one solution. The solution is the abandoing of this system in the favor of the system discussed at blogs that I can't give the links to. I don't know why I'm posting here.

But I find people like the moderator interesting and can't resist expressing my thoughts even though my thoughts wouldn't go beyond the moderator. I wish they would because that is the only way the surfing would always become safer and people would not have to ask the question moderator was asking.
fakir005 is offline   Reply With Quote
Old 24-09-2005, 09:09 PM   #5
rtroxel
Senior Member
 
rtroxel's Avatar
 
Join Date: Oct 2004
Location: Bel Air, Maryland
Posts: 414
Default Re: Is Always-On Always Secure?

Quote:
Moderator will obviousely not allow me.
Who told you that?
Quote:
A Cisco employee was attending a confrence in Neveda and talked about the flaws in the software behind the Cisco routers. The employees was immediately fired and enjoined from talking about any flaws.
Not that I'm defending Cisco, but could you give us some proof of that?
Quote:
It's the people like the moderator who make people believe that their sites are encrypted and evedrything is safe and go ahead like nothing wrong is going to happen.
If you're talking about me, I can proudly say that I've never done anything like that.
Quote:
There is only one solution. The solution is the abandoing of this system in the favor of the system discussed at blogs that I can't give the links to. I don't know why I'm posting here.
Please read Brian's reply, below.
rtroxel is offline   Reply With Quote
Old 25-09-2005, 09:00 AM   #6
Brian Turner
Business Guru
 
Brian Turner's Avatar
 
Join Date: Dec 2003
Location: Near Inverness, Highlands, Scotland
Posts: 7,951
Default Re: Is Always-On Always Secure?

Hey, fakir005, there's nothing wrong with criticising opinions of moderators on this forum.

However, it would nt be acceptable to use this forum to criticise moderators of another board.

Feel free to ask any questions you need to ask - at the moment you are coming across as somewhat confused, and this doesn't necessarily make for a good way to help move the conversation forward.
Brian Turner is offline   Reply With Quote
Old 25-09-2005, 05:20 PM   #7
bumfluff
Senior Member
 
bumfluff's Avatar
 
Join Date: Aug 2004
Location: London
Posts: 1,337
Default Re: Is Always-On Always Secure?

"It's the people like the moderator who make people believe that their sites are encrypted and evedrything is safe and go ahead like nothing wrong is going to happen."

Things change all the time. "Secure" isn't a static state that you reach and then not have to worry about again, you always have to change. Sure, there's always going to be some people that can hack through whatever you do, but theres not many people that would be able to hack a secured site or computer. Just because you can't stop the 1% of good hackers doesn't mean you shouldn't secure yourself against the other 99%.
bumfluff is offline   Reply With Quote
Old 05-09-2007, 05:48 PM   #8
Tracy123
Senior Member
 
Tracy123's Avatar
 
Join Date: Jan 2007
Posts: 189
Default Re: Is Always-On Always Secure?

This post made me laugh, I often see you kids outside my house hooking up to our wireless internet, if only I had an air rifle and could shoot.
Tracy123 is offline   Reply With Quote
Old 05-09-2007, 07:58 PM   #9
Brian Turner
Business Guru
 
Brian Turner's Avatar
 
Join Date: Dec 2003
Location: Near Inverness, Highlands, Scotland
Posts: 7,951
Default Re: Is Always-On Always Secure?

Have you tried a secure wireless connection by any chance? WEP encryption, for example?
Brian Turner is offline   Reply With Quote
Old 18-06-2008, 10:14 PM   #10
essexboyracer
Junior Member
 
Join Date: Jun 2008
Posts: 2
Default Re: Is Always-On Always Secure?

I dont trust wireless, and have it switched off ALL THE TIME. I have even gone to the extent of installing an IPCOP firewall with snort IDS and daily oink updates. (actually I only did this for my own edification) but serves a point
essexboyracer is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +1. The time now is 10:58 PM.


Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.

All times are GMT +1. The time now is 10:58 PM.


Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.