Internet Security: Wireless Roaming: Creating Wireless Security Without WEP

By Dr. Seamus Phan

On August 14, 2001, a new attack designed by three well-known cryptographers, and re-created by a team of AT&T Labs researchers, enabled an eavesdropper to capture a modest amount of network traffic and recover the network’s shared WEP key in less than one hour. “This is the last straw for WEP (Wired Equivalent Privacy),” said Adam Stubblefield, a summer intern at AT&T’s famed lab who wrote the code used to compromise WEP. “WEP is basically useless,” he said.

If that is so, what of the thousands of 802.11b WLANs out there in the world today? Are we adopting a second-rate technology, or is there a better way to build wireless walls? We can take a cue from NASA and look at how they approach WLAN security, and also explore the use of Unix workstations to increase security and reduce costs. These techniques also ease the migration to faster WLAN technologies, including 802.11g and 802.11a. Further, when the 802.11i security standard for WLANs finally emerges (hopefully early next year), it will improve on the basic security measures of 802.11, which are currently provided by WEP. However, as with other security implementations, only time will tell whether 11i is as secure as the IEEE claims.

Unix Base Stations

Here is a money-saving tip. You can leverage your Unix workstations as base stations to reduce WLAN expenditure without losing seamless connectivity. Workgroups that have spare Unix boxes (FreeBSD, OpenBSD, NetBSD, Linux and other Unixes), or even stock G3 or G4 workstations running Mac OS X, can set them up as base stations. If you prefer Linux, you can even set up Yellow Dog Linux (www.yellowdoglinux.com) on your Mac as a base station. Yellow Dog Linux also offers the BriQ, a pre-configured PowerPC server appliance, that can be used for this purpose.

A wireless base station is akin to an IP router, and by setting up your BSD box properly you can get it to work as one. Basic Service Set (BSS) “infrastructure” mode allows true base station functionality, and several Unix coders have developed ways to enable it for Lucent and Prism adapters. For NetBSD workstations to work in BSS mode, use the ifconfig command (please note that specific adapters and environments may demand different parameters):

# ifconfig wi0 media DS11
# ifconfig wi0 nwid yourname

Do not use “mediaopt adhoc” here, and substitute “yourname” with your WLAN network name. Note that these two commands on their own make the box join an existing BSS as a client; for the box to act as the access point itself, the driver must support host AP mode for the card (on NetBSD this is “mediaopt hostap”, which requires a Prism-based adapter).

If it is not possible to run in BSS infrastructure mode, then run the adapter in your box in IBSS (independent BSS) mode, which is peer-to-peer and functions like a shared Ethernet cable. The command for NetBSD is:

# wiconfig wi0 -c 1

The developers note that you must ensure your adapter’s firmware is as recent as possible, because older firmware does not support IBSS operation.

Also note that laptops need a slot for a PC Card WLAN adapter, while desktops need a wireless PCI card.

The NASA Hack

On August 20, 2001, the US-based National Aeronautics and Space Administration (NASA) described a method, using a wireless firewall gateway, to secure standard 802.11b networks without WEP. A white paper by Nichole K. Boscia from NASA proposed using a wireless firewall gateway as a router between the wireless and external networks, with the ability to dynamically change its firewall filters as users authenticate themselves for authorized access. The gateway also operates as the server that hands out IP addresses to users, runs the Web site on which users authenticate, and keeps a record of who is on the network and when. To make things accessible from any client platform, only a Web browser and DHCP client software are required.

There are three components to such a wireless firewall gateway design: a DHCP server, an IP filtering mechanism, and a Web authentication system. NASA used a beta of the version 3 open source DHCP server from the Internet Software Consortium (www.isc.org). This differs from older DHCP servers in that it can run an action whenever a lease changes state, so the gateway can remove a host from the firewall access list as soon as the DHCP server releases its lease for any reason (including client-initiated release, timeout and expiration).

NASA configured the DHCP server, running on a Unix or Unix-like platform, to listen only on the WLAN subnet interface, thus preventing users on the wired network from obtaining a wireless IP address from it. NASA also installed a packet filter to drop DHCP requests arriving on any other interface.

For IP filtering, NASA used OpenBSD’s IPF software (www.openbsd.org), a stateful packet filter. IP forwarding is enabled in the kernel (the net.inet.ip.forwarding sysctl) so that packets are routed, and therefore filtered, between the wireless and external network interfaces. Static filters are loaded at boot from the /etc/ipf.rules file and are designed to minimize remote access to the wireless firewall gateway itself.

Packet filtering is done at the transport layer (UDP or TCP) so that stateful inspection can be applied; dynamic or private port sessions are not explicitly permitted into the WLAN, which further raises security. NASA restricts traffic to essential protocols such as NTP, DNS, DHCP and ICMP. In the NASA implementation there are two kinds of users, authenticated and non-authenticated. Non-authenticated users can be granted access to specific services such as e-mail, VPN and Web.

In order to prevent subsequent users from being allowed trusted access when an IP address is recycled, the in-memory database software removes the firewall permit rule whenever the user’s next lease binding state is set to free, expired, abandoned, released or reset. The DHCP server will not issue the same IP address until it has freed the lease of the last client. This overcomes the risk of someone taking over an IP address that has been authenticated and using it after the valid user has left the wireless network.

For authentication, NASA used a script system driven from a Web browser so that clients from any platform are not locked out. The script system is a combination of PHP (www.php.net) and Perl (www.perl.org) scripts for easy maintenance and updates. Unlike some authentication schemes which restrict clients to Microsoft Windows, this method allows users from Unix, Mac, Windows and Linux to enter easily and yet securely.

NASA simply used an Apache (www.apache.org) Web server running Secure Sockets Layer (SSL), in which the server’s RSA public/private key pair authenticates the server and negotiates a session key. When a user logs on over http, he/she is automatically redirected to the https page for authentication, so the username and password, and the rest of the session, travel only as encrypted text. NASA also ensured that its SSL certificate was signed by Verisign, a trusted certificate authority (CA), so that a browser will warn the user if an intruder sets up a look-alike login page to harvest credentials.

When a user logs on, his/her IP address is displayed and logged by the PHP script, alongside ample warnings against unauthorized access. When the username and password are entered, the Perl script passes them to a RADIUS server to check that the credentials are legitimate. RADIUS does not truly encrypt the password; it hides it on the wire with an MD5-based scheme (MD5 being the digest published by RSA Data Security) keyed by a secret shared between the gateway and the RADIUS server.
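The password-hiding step just mentioned is specified in RFC 2865 (section 5.2). As an added illustration (this is not NASA’s Perl script), here is that step written out in Python for both the client side, which the gateway plays, and the server side; the shared secret and the 16-byte Request Authenticator used in the demonstration are constructed test values.

```python
"""Added example, not NASA's code: RADIUS User-Password hiding (RFC 2865,
section 5.2) as applied when a RADIUS client such as the wireless firewall
gateway forwards a user's password to the RADIUS server.  The shared secret
and Request Authenticator in the demo are constructed test values."""
import hashlib
import os


def hide_password(password, secret, authenticator):
    """Client side: return the User-Password attribute value (16*n bytes).

    b1 = MD5(S + RA), c1 = p1 XOR b1; b(n) = MD5(S + c(n-1)), c(n) = p(n) XOR b(n)
    where S is the shared secret, RA the Request Authenticator and p(i) the
    16-byte chunks of the NUL-padded password."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += c
        prev = c  # next key stream block is chained on this ciphertext block
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Server side: undo the hiding and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def new_request_authenticator():
    """RFC 2865 requires this value to be unpredictable and unique per request;
    reusing it with the same secret leaks the XOR of two passwords."""
    return os.urandom(16)


if __name__ == "__main__":
    secret = b"s3cret-shared-with-radius"  # constructed
    ra = new_request_authenticator()
    hidden = hide_password(b"correct horse", secret, ra)
    print(hidden.hex(), reveal_password(hidden, secret, ra))
```

Two points for a practitioner follow from the code: the scheme is only as strong as the shared secret and a fresh authenticator, so the gateway-to-RADIUS exchange belongs on the wired, trusted side of the gateway, never on the WLAN; and the wireless client is protected by the SSL session to the gateway, not by RADIUS.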

If the credentials are legitimate, the user’s IP address is added to the IPF access rules and the user is passed through, with on-screen notification of their privileges. If not, access is denied.
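The pieces described above (the boot-time IPF baseline, the per-user permit rule added at login and its removal on the DHCP lease events listed earlier) fit together as follows. This is an added model written for this article, not NASA’s PHP/Perl code: firewall changes are emitted as IPF rule text through a hook, which on the real gateway would pipe them to ipf(8) (ipf -f - to add, ipf -rf - to remove; that invocation is an assumption, as are the interface name wi0, the 10.0.0.0/24 addresses, the client identifiers and the user names).

```python
"""Added example, not NASA's code: a model of the wireless firewall gateway's
dynamic access list.  Rules are emitted in IPF syntax through a hook; the
interface name, the addresses and the lease events are constructed."""

WLAN_IF = "wi0"  # assumed name of the wireless-side interface

# Lease states the gateway treats as ending a client's right to its address.
REVOKING_STATES = {"free", "expired", "abandoned", "released", "reset"}


def static_rules():
    """Boot-time baseline (/etc/ipf.rules): deny by default on the wireless
    side, then pass only what an unauthenticated client needs."""
    return [
        f"block in log on {WLAN_IF} all",
        f"block out log on {WLAN_IF} all",
        f"pass in quick on {WLAN_IF} proto udp from any to any port = 67 keep state",   # DHCP
        f"pass in quick on {WLAN_IF} proto udp from any to any port = 53 keep state",   # DNS
        f"pass in quick on {WLAN_IF} proto udp from any to any port = 123 keep state",  # NTP
        f"pass in quick on {WLAN_IF} proto icmp from any to any keep state",            # ICMP
    ]


def permit_rule(ip):
    """Per-host rule added after a successful login; 'keep state' lets IPF
    track the TCP/UDP sessions so replies need no separate rule."""
    return f"pass in quick on {WLAN_IF} from {ip} to any keep state"


class Gateway:
    def __init__(self, apply_change=None):
        # apply_change(command, rule): assumed "ipf -f -" adds, "ipf -rf -"
        # removes.  The default discards changes so the model runs offline.
        self.apply_change = apply_change or (lambda cmd, rule: None)
        self.leases = {}         # ip -> (client identifier, lease state)
        self.authenticated = {}  # ip -> user name
        self.audit = []          # (event, ip, user): who was on, and when

    def lease_event(self, ip, client, state):
        """Called from the DHCP server's lease hook on every state change."""
        prev = self.leases.get(ip)
        self.leases[ip] = (client, state)
        if state in REVOKING_STATES:
            self.revoke(ip, reason=state)
        elif ip in self.authenticated and prev and prev[0] != client:
            # Address handed to a different client without passing through a
            # revoking state: never let the newcomer inherit trust.
            self.revoke(ip, reason="client-changed")

    def login(self, ip, user, credentials_ok):
        """Web login; credentials_ok is the RADIUS verdict for this user."""
        client, state = self.leases.get(ip, (None, None))
        if state != "active":  # no live lease from our DHCP server: reject
            self.audit.append(("deny-no-lease", ip, user))
            return False
        if not credentials_ok:
            self.audit.append(("deny-bad-credentials", ip, user))
            return False
        self.authenticated[ip] = user
        self.apply_change("ipf -f -", permit_rule(ip))
        self.audit.append(("permit", ip, user))
        return True

    def revoke(self, ip, reason):
        user = self.authenticated.pop(ip, None)
        if user is not None:
            self.apply_change("ipf -rf -", permit_rule(ip))
            self.audit.append(("revoke:" + reason, ip, user))

    def is_permitted(self, ip):
        return ip in self.authenticated


def demo():
    """Walk through the address-recycling case: alice logs in, releases her
    lease, and a second client then receives the same address."""
    changes = []
    gw = Gateway(lambda cmd, rule: changes.append((cmd, rule)))
    gw.lease_event("10.0.0.5", "aa:bb:cc:00:00:01", "active")
    gw.login("10.0.0.5", "alice", credentials_ok=True)           # permitted
    gw.lease_event("10.0.0.5", "aa:bb:cc:00:00:01", "released")  # rule removed
    gw.lease_event("10.0.0.5", "aa:bb:cc:00:00:02", "active")    # new client, same IP
    return gw, changes


if __name__ == "__main__":
    gw, changes = demo()
    for entry in gw.audit:
        print(entry)
```

The audit list doubles as the record of who was on the network and when; note that a login is refused unless the address holds an active lease issued by the gateway’s own DHCP server, which is what stops a client with a hand-configured address from ever reaching the permit path.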

The Painful Wait

The waters of 802.11g, 802.11i and 802.11e are still murky, with no ratification expected in the short term from the IEEE working groups, and 802.11a, although ratified back in 1999, is only now appearing in products. Meanwhile, those of us who cannot wait can explore alternative implementations. And you may want to dust off those Unix boxes and get busy turning them into base stations and secure gateways for your 802.11b WLANs.

Editor’s note: Dr. Seamus Phan is a world-renowned authority on the technical security aspects of the Internet. Dr. Phan serves the BWW Society as Founder and Chairman of the Internet Security Committee, which is designed and conceived to gather and share information on the latest computer and Internet threats, to provide immediate information on technology’s newest developments in the prevention of Internet-related security problems, and to increase and enhance all forms of Internet Security.
