[vpn] Update to: Securing 802.11b in W2K environment?

Kurt Seifried bugtraq at seifried.org
Thu Nov 8 18:36:00 EST 2001


> All the responses I've received so far have been very informative!  I'm left
> with a few questions:
>
> 1.)  A few people have mentioned using MAC ACLs on my wireless access
> point.  As far as I can tell, my Linksys WAP11 does not support this.  I did
> notice however that when I upgraded the firmware to the latest version, the
> access point was upgraded to 128bit WEP (from 64) and had DHCP server
> functionality, amongst other things.  So possibly MAC ACLs will be added to
> the firmware in the future?

MACs can be trivially spoofed. Do not use them as a "Security" measure. Use
a VPN to a secure gateway.

> 2.) It was also suggested that I not allow the access point to broadcast
> various information, including the SSID and session name.  As above, it
> doesn't appear the Linksys WAP11 has this functionality.

I wouldn't rely on SSID either; it's trivial to break in. Use a VPN to a
secure gateway.

> 3.) This may be something I have to talk to Linksys and/or D-Link about, but
> I set the WEP on the access point to "Required".  I noticed that when I
> pulled out my D-Link 560DWL access card from my notebook and then put it
> back in I apparently lost my WEP settings.  I was still able to access the
> access point and my cable broadband connection however!  I'll have to do
> more testing on this to verify what is happening.  It could be the D-Link is
> retaining the WEP settings, but the client incorrectly displays the status
> information.

WEP is useless; do not rely on it as a security measure. Use a VPN to a
secure gateway.

Many 802.11 solutions default to being an Ethernet bridge; as long as you
can connect, you can talk to everything. This is why you put it directly
connected to a firewall with VPN capability.

> 4.) People have mentioned using an IPSEC server on my W2K gateway, requiring
> IPSEC connections, and running IPSEC on the clients.  Can I set this up with
> Windows 2000 Professional, or do I need additional software?  I looked in
> the advanced networking properties for one of my NICs on the W2K box, and
> it didn't look like there was much there in terms of IPSEC configurability.

Win2k ships with IPSec and good policy support; authentication is done via
Kerberos, which is quite secure. You need to read documentation, as IPSec is
easy to set up, but hard to set up correctly (aka securely).

> 5.) PPTP was also mentioned.  I thought PPTP was shown to be flawed, or was
> that just the MS implementation?  Are PPTP and IPSEC completely different
> protocols?

PPTP and IPSec are completely different protocols. PPTP has numerous flaws,
sort of fixed in the later version, but all an attacker needs to do is
request the server downgrade the protocol version used and it will.
Attacking it is far too easy.

> 6.) A suggestion that was offered by Kent Dallas was to place a hub between
> the cable modem and my outside NIC on the W2K gateway, and hanging the
> wireless solution off the hub, outside of my LAN.  I'm probably going to try
> that this week.  My question is, if I setup the Linksys WAP11 to serve up

I would not do this. I can then use your wireless access to get Internet
access. This type of thing will make life MUCH easier for attackers: free,
truly anonymous Internet access. Not a good idea.

> DHCP to my wireless clients, won't it serve up DHCP to ANY wireless client?
> Or would the WEP run over the DHCP functions providing some kind of
> authentication?  I guess a problem that is encountered is that my cable
> modem is tied to the MAC of my W2K gateway machine.  So the wireless clients
> need to connect to the access point on the hub, pass through the switch to
> my W2K machine, then back out via the Sygate application which is serving my
> NAT.  I think this packet forwarding with multiple interfaces, NAT, VPN, and
> wireless issues are going to make this somewhat murky.

This is what I have:

Internet---firewall---internal lan
                  |
              wireless access unit

You can talk to the firewall, protocols 50, 51 from the wireless side (IPSec
in other words). That's it. You need to authenticate and set up an IPSec
connection to access the Internet or internal LAN. Most laptops/etc have
more than fast enough CPUs that IPSec will not cause a performance hit for
the encryption.

> Thanks for all the help!  I have a rough understanding of many of these
> principles and am trying to smooth out the edges .. ;)
>
> Mark


Kurt Seifried, kurt at seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
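
The layout described in the message above (a firewall that accepts only IPSec from the wireless side), sketched as a packet-filter ruleset. This is an added example, not part of the original post and not the author's configuration; the Linux/iptables gateway, the interface name, the address and the IKE (UDP 500) rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the post). Assumes a Linux gateway with iptables and
# native IPsec (xfrm), where decrypted packets re-enter on the same interface.
# Apply once at boot:
#   wireless_ruleset eth2 192.0.2.1 | iptables-restore --noflush

# wireless_ruleset WLAN_IF FW_IP
#   WLAN_IF  gateway interface facing the access point (assumed name, e.g. eth2)
#   FW_IP    gateway address on that segment (192.0.2.1 is a documentation address)
wireless_ruleset() {
    wlan_if=$1
    fw_ip=$2
    if [ -z "$wlan_if" ] || [ -z "$fw_ip" ]; then
        echo "usage: wireless_ruleset WLAN_IF FW_IP" >&2
        return 2
    fi
    cat <<EOF
*filter
:WLAN_IN - [0:0]
:WLAN_FWD - [0:0]
# Wireless traffic is judged before any other rule on the gateway.
-I INPUT 1 -i $wlan_if -j WLAN_IN
-I FORWARD 1 -i $wlan_if -j WLAN_FWD
# To the gateway itself: ESP (protocol 50) and AH (protocol 51) only.
-A WLAN_IN -d $fw_ip -p esp -j ACCEPT
-A WLAN_IN -d $fw_ip -p ah -j ACCEPT
# Assumption beyond the post: IKE (UDP 500) so clients can negotiate keys.
-A WLAN_IN -d $fw_ip -p udp --dport 500 -j ACCEPT
# No DHCP, DNS, ping or management from the air.
-A WLAN_IN -m limit --limit 6/min -j LOG --log-prefix "wlan-in-drop: "
-A WLAN_IN -j DROP
# Onward to the LAN or Internet only for packets that arrived inside IPsec.
-A WLAN_FWD -m policy --dir in --pol ipsec -j ACCEPT
-A WLAN_FWD -m limit --limit 6/min -j LOG --log-prefix "wlan-fwd-drop: "
-A WLAN_FWD -j DROP
COMMIT
EOF
}
```

Piping the output through `iptables-restore --test` first checks the syntax without loading anything. The logged drops on the wireless interface double as a record of anyone probing the segment without a tunnel.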
