802.11 Security

By Bruce Potter, Bob Fleck
Price: $34.95 USD
£24.95 GBP

Table of Contents

Chapter 1: A Wireless World
Wireless networking is revolutionizing the way people work and play. By removing physical constraints commonly associated with high-speed networking, individuals are able to use networks in ways never possible in the past. Students can be connected to the Internet from anywhere on campus. Family members can check email from anywhere in a house. Neighbors can pool resources and share one high-speed Internet connection.
Over the past several years, the price of wireless networking equipment has dropped significantly. Wireless NICs are nearing the price of their wired counterparts. At the same time, performance has increased dramatically. In 1998, Wireless Local Area Networks (WLAN) topped out at 2Mb/s. In 2002, WLANs have reached speeds of 54Mb/s and higher.
Unfortunately, wireless networking is a double-edged sword. Wireless users have many more opportunities in front of them, but those opportunities open up the user to greater risk. The risk model of network security has been firmly entrenched in the concept that the physical layer is at least somewhat secure. With wireless networking, there is no physical security. The radio waves that make wireless networking possible are also what make wireless networking so dangerous. An attacker can be anywhere nearby listening to all the traffic from your network—in your yard, in the parking lot across the street, or on the hill outside of town. By properly engineering and using your wireless network, you can keep attackers at bay.
This chapter serves as an introduction to wireless networking and some of the high-level security concerns. Building a secure wireless network requires a wide breadth of knowledge; from the low-level aspects of radio transmission to understanding how various applications interact with the network. By understanding how all aspects of the network interact, you can safely and freely use wireless networks.
The term wireless
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
What Is Wireless?
The term wireless means different things to different people. In general, the term reflects any means of communication that occurs without wires. In this buzzword-compliant time, many of the following terms are synonymous with the word wireless:
  • PCS
  • WAP
  • WTLS
  • WML
  • 802.11b
  • Wi-Fi
  • HomeRF
  • Bluetooth
While all these terms mean "wireless" to some, most refer to different technologies. Personal Communication Systems (PCS) is a standard for cellular communication. Wireless Application Protocol (WAP) is a mechanism for distributing data to lightweight wireless devices. Wireless Transport Layer Security (WTLS) performs for WAP the same role SSL does for web traffic. Wireless Markup Language (WML) is a lightweight markup language similar to HTML but designed to be rendered on small screens with low bandwidth use.
HomeRF and the 802.11 standards are competing wireless LAN protocols. They are analogous to protocols such as 802.3 Ethernet on wired networks. 802.11 is a standard developed and ratified by the Institute of Electrical and Electronics Engineers (IEEE). 802.11 products approved by the Wireless Ethernet Compatibility Alliance are branded with the Wi-Fi mark to certify interoperability. HomeRF, on the other hand, is a standard developed by a group of corporations and lacks international recognition. Intel, one of the primary backers of HomeRF, stopped producing HomeRF equipment in late 2001 in favor of 802.11. In general, the majority of WLANs in use today are based on the 802.11 standard.
Radio Transmission
Wireless networking is accomplished by sending and receiving radio waves between a transmitter and receiver. The theory behind RF data transmission can get very complicated and is outside the scope of this book. However, there are some basic concepts you should understand when you implement a WLAN.
A radio wave consists of electromagnetic energy. Visible light, television transmissions, and cosmic radiation are all forms of electromagnetic radiation; they differ only in frequency, and radio waves occupy the lower-frequency part of that spectrum. Regardless of the type or purpose of the electromagnetic energy, these waves can be measured by several metrics. The frequency of a radio wave is how often the waveform completes a cycle in a given amount of time. The most common unit of measurement of frequency is the Hertz (Hz). A 1 Hz signal completes one cycle per second while a 10 Hz signal completes 10 cycles per second. Figure 1-1 shows the difference between the waveforms of a 10 Hz signal and a 1 Hz signal.
Figure 1-1: A 10 Hz signal (top) and 1 Hz signal (bottom)
Generally, the higher the frequency, the more information you can transmit and receive. The method of encoding (or modulating) the data also affects the amount that can be transmitted. Some encoding techniques are more resilient to errors but end up with lower data rates. Conversely, high data rate modulation mechanisms may be more susceptible to outside interference.
In the most general sense, the strength of a signal is the amplitude of its radio waveform. The unit of measurement of amplitude (or power) of a radio wave is a watt (W). WLAN devices typically transmit with a power of 30 milliwatts.
The strength of the signal decreases as it travels through its transmission medium—in this case, the air. This process of power loss is called
Inherent Insecurity
Data in conventional networks travels across wired mediums. Coaxial cable, twisted pairs of copper wire, and strands of fiber optics have been the foundation for networks for many years. In order to view, interrupt, or manipulate the data being transmitted, the wires or switching equipment have to be physically accessed or compromised.
An attacker does not need to physically tap into wired communication in order to eavesdrop on it. Wired communication that uses electrons to transmit data (such as phone calls and 10BaseT Ethernet) radiates small amounts of electromagnetic energy. With highly sophisticated equipment, an attacker can reconstruct the original data stream from the radiated energy. The skill required to pull off this attack as well as the relative proximity the attack requires, however, makes it highly unlikely.
Restrictions on physical access to network cables have been a cornerstone of information security. While physical protection of cables obviously does not solve all the network security problems, it helps mitigate the risk of certain man-in-the-middle (MITM) attacks. Wires are relatively easy to keep physically secure. Placing wires inside of a controlled space such as a data center keeps the physical layer secure from the majority of attackers.
When using radio frequency (RF) communication channels such as a WLAN, users lose the fundamental physical security given to them by wires. WLANs use high frequency radio waves to transmit their data. These RF waves travel through the air and are difficult to physically constrain. RF waves can pass through walls, under cracks in doors, across streets, and into other buildings. Even if a wireless access point is located inside a physically controlled data center, the wireless data may leave the bounds of the data center into uncontrolled spaces, as shown in Figure 1-3.
802.11
Wireless networks are showing up everywhere. Corporations are deploying WLANs to allow employees to roam freely around corporate campuses without leaving the network. Some airports offer wireless access so business travelers can continue to be productive while waiting for plane departures. Communities are banding together to provide wireless Internet access to homes that may not have direct access to wired broadband networks.
This rapid and widespread adoption would not be possible without a well-documented and structured set of protocols. The 802.11 family of protocols provides the basis for interoperability between equipment from different vendors. A PC card that utilizes the 802.11b specification from vendor A can communicate with an 802.11b-compliant access point from vendor B.
The IEEE is an internationally recognized standards setting body. The IEEE has a long history of approving and maintaining standards that set the stage for industry innovation.
The IEEE breaks their standards into various committees. The IEEE 802 Committee deals with Local and Metropolitan Area Networks. The 802 series of standards is broken into working groups that focus on specific issues within the overall discipline of LANs and MANs.
The following is a list of some of the working groups within the 802 series:
  • 802.1: Bridging and Management
  • 802.2: Logical Link Control
  • 802.3: CSMA/CD Access Method
  • 802.4: Token-Passing Bus Access Method
Structure of 802.11 MAC
Regardless of the underlying PHY used, the MAC is the same for all currently deployed 802.11 wireless technologies. The 802.11 MAC provides several functions: access to the wireless medium, joining and leaving a network, and security services.
Access to the wireless medium is controlled by a contention-based protocol called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). This is similar to the CSMA/CD method used in wired Ethernet. Like wired Ethernet devices, 802.11 devices contend for the same physical transmission medium. If two or more devices transmit at the same time, their signals collide and the receiving station cannot discern one signal from the other. Unlike a wired Ethernet interface, a radio cannot detect a collision while it is transmitting, so CSMA/CA tries to avoid collisions rather than detect them: a device listens to the medium, waits until it is idle and then for a random backoff interval, and only then transmits. The receiver acknowledges each frame it receives correctly, and the sender retransmits any frame that is not acknowledged.
Since 802.11 wireless networks use a shared medium, the more devices that are trying to access it, the lower the effective throughput will be. This is similar to standard wired Ethernet. When an 802.11 device is transmitting, no other device in the network may transmit data. If there are multiple devices trying to send large amounts of data, there will be heavy contention for the airwaves. This congestion gets worse as more machines are added or more data is being transmitted.
The core unit of an 802.11 network is called a Basic Service Set (BSS). A BSS consists of a central access point (AP) and client stations. The AP coordinates all of the activities within the BSS. Due to this centralized control, BSS networks are sometimes called infrastructure networks. On the air, a BSS is identified by its BSSID, normally the MAC address of the AP. The human-readable name of the wireless network is the service-set identifier (SSID).
A station that wants to join a BSS looks for available APs. Most APs send beacon frames that announce the AP's existence and its SSID. Some APs are configured to omit the SSID from their beacons in an attempt to hide the network; a station that wants to join such a network must know the SSID a priori. Note that this hides the SSID only from beacons. The AP still answers probe requests that name the SSID, and the SSID travels in the clear in probe responses and association requests, so an attacker with a sniffer learns it as soon as a legitimate station joins.
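The beacon behaviour described above, as an added example that is not code from the book: it parses the body of a beacon or probe-response frame (timestamp, beacon interval, capability field and tagged information elements) and shows what suppressing the SSID actually changes. The beacon still goes out with only its SSID element emptied, and the probe response the AP sends to a station that asks for the network by name carries the SSID in the clear. The frames here are constructed sample data, not captured traffic.

```python
"""Parse the body of an 802.11 beacon or probe-response frame.

Added example, not code from the book. The frames are constructed sample
data, not captured traffic."""
import struct
from typing import Dict, List, Tuple

IE_SSID = 0            # element IDs from the 802.11 tagged-parameter area
IE_SUPPORTED_RATES = 1
IE_DS_PARAMS = 3       # carries the channel number
CAP_ESS = 0x0001       # capability bit: infrastructure (AP-based) BSS
CAP_PRIVACY = 0x0010   # capability bit: WEP required


def parse_ies(data: bytes) -> List[Tuple[int, bytes]]:
    """Split the tagged-parameter area into (element_id, payload) pairs."""
    ies = []
    pos = 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        payload = data[pos + 2:pos + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated information element")
        ies.append((eid, payload))
        pos += 2 + length
    return ies


def parse_mgmt_body(body: bytes) -> Dict[str, object]:
    """Beacon and probe-response bodies share this layout: 8-byte timestamp,
    2-byte beacon interval, 2-byte capability field, then information elements."""
    if len(body) < 12:
        raise ValueError("management frame body too short")
    timestamp, interval, caps = struct.unpack("<QHH", body[:12])
    info: Dict[str, object] = {
        "timestamp": timestamp,
        "beacon_interval_tu": interval,
        "infrastructure": bool(caps & CAP_ESS),
        "privacy": bool(caps & CAP_PRIVACY),
        "ssid": None,
        "ssid_hidden": False,
        "channel": None,
        "rates_mbps": [],
    }
    for eid, payload in parse_ies(body[12:]):
        if eid == IE_SSID:
            # A "hidden" network sends a zero-length (or all-zero) SSID element.
            info["ssid_hidden"] = payload.strip(b"\x00") == b""
            info["ssid"] = "" if info["ssid_hidden"] else payload.decode("utf-8", "replace")
        elif eid == IE_SUPPORTED_RATES:
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in payload]  # units of 500 kb/s
        elif eid == IE_DS_PARAMS and payload:
            info["channel"] = payload[0]
    return info


def build_mgmt_body(ssid: str, channel: int, wep: bool, hide_ssid: bool = False) -> bytes:
    """Construct a sample beacon/probe-response body (test data only)."""
    caps = CAP_ESS | (CAP_PRIVACY if wep else 0)
    ssid_bytes = b"" if hide_ssid else ssid.encode("utf-8")
    rates = bytes([0x82, 0x84, 0x8B, 0x96])   # 1, 2, 5.5, 11 Mb/s (high bit = basic rate)
    ies = bytes([IE_SSID, len(ssid_bytes)]) + ssid_bytes
    ies += bytes([IE_SUPPORTED_RATES, len(rates)]) + rates
    ies += bytes([IE_DS_PARAMS, 1, channel])
    return struct.pack("<QHH", 0, 100, caps) + ies


def ssid_from_air(beacon_body: bytes, probe_response_body: bytes) -> str:
    """What a passive listener learns: the beacon may hide the name, but the
    probe response the AP sends to a station that asks for the network by name
    carries the SSID in the clear."""
    beacon = parse_mgmt_body(beacon_body)
    if not beacon["ssid_hidden"]:
        return str(beacon["ssid"])
    return str(parse_mgmt_body(probe_response_body)["ssid"])
```

Treat a suppressed SSID as a convenience that keeps the network out of casual scan lists, not as a security control; the same parser applied to probe responses and association requests recovers the name.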
WEP
Interception of radio communications has been a problem for as long as radios have been used to transmit sensitive information. Radio-based communication can be used to transmit instructions to troops during warfare, credit-card info from a cell phone, or passwords from a laptop to a remote web site. Since radio transmissions travel in unsecured areas, interception of these radio signals by an attacker is a real threat. In order to protect the data from eavesdroppers, various forms of encryption have been used to scramble the data. Sometimes these encryption mechanisms have been successful; other mechanisms have been compromised, thereby subverting the security of the data.
The 802.11 MAC specification describes an encryption protocol called Wired Equivalent Privacy (WEP). The goal of WEP is to make WLAN communication as secure as wired LAN data transmissions would be. If WEP were to meet this goal, it would allow network architects to deploy wired and wireless LANs interchangeably without regard to different security risks.
WEP provides two critical pieces of the wireless security architecture: authentication and confidentiality. WEP uses a shared-key mechanism with a symmetric stream cipher called RC4. The key that a client uses for authentication and for encryption of the data stream must be the same key that the AP uses. The 802.11 standard specifies a 40-bit key; however, most vendors have also implemented a 104-bit key for greater security. (Vendors often market these as 64-bit and 128-bit WEP, counting the 24-bit initialization vector described below as part of the key.)
Encryption of the data stream provides confidentiality of the data transmitted between two WLAN devices. The encryption mechanism used in WEP is a symmetric cipher; this means that the key that encrypts the data is the same key that will decrypt the data. If both WLAN devices do not have the same encryption key, the data transfer fails.
When WEP is used for communication, the original data packet (P) is first checksummed (c). Then the checksum is added to the data to form the data payload. Then the transmitting device creates a 24-bit random initialization vector (IV). The device uses the IV and the shared key (K) to encrypt the data (E
Problems with WEP
Unfortunately, the WEP specification within the 802.11 standard does not provide wired-equivalent privacy. There are many problems with WEP that greatly reduce its advertised security.
The WEP standard completely ignores the issue of key management. This causes problems with WLANs as the number of users grows. Using pre-shared secret keys means that every client who has the key material must be fully trusted to use that material in a legitimate way. This level of trust is not realistic. If everyone on a network uses the same key, then anyone on the network can decrypt traffic intended for any other device on the network. Also, an uneducated but otherwise trustworthy user may give the key material to another person (for example, a friend or business associate who has stopped by the office). This new user is outside the initial trusted group of individuals who were issued the key material and could potentially compromise the network.
As the number of WLAN users grows and time passes, the amount of trust placed in secrecy of the key declines. In order to overcome this reduced trust, keys must be rotated periodically to reset the network to a trusted level. WEP provides key enumeration to allow users and administrators to rotate through a set of pre-shared keys. However, this does not drastically increase the security of the network. Instead of one key being issued to users, several keys are issued at one time. All keys are still known by the users.
Vendors are beginning to implement a per-user shared key so that each end-user device has a unique key that is shared with the access point. This protects each user from the other users on the network. By giving away their key to a friend, the only traffic they compromise is their own.
The IEEE selected 40-bit encryption because it is exportable under most national encryption laws. If the standard had only implemented 104-bit encryption, many vendors would not have been able to ship their WLAN products to other countries. Unfortunately, keys for 40-bit RC4 encryption can be found through exhaustive searching (brute force) on modern commodity PCs. A 40-bit key has just over a trillion possible values. A modern PC can search that range to find the secret key in a matter of an hour or two.
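The WEP construction described in the previous section (a 24-bit IV sent in the clear, RC4 keyed with the IV prepended to the shared key, and a checksum over the plaintext), as an added example that is not code from the book. It goes beyond the page's own text in showing two consequences of that design that hold regardless of the 40-bit versus 104-bit key size discussed above: because the IV is only 24 bits, the same keystream is reused as soon as an IV repeats, and XORing two such frames cancels the keystream and leaves the XOR of the plaintexts; and because the checksum is CRC-32, which is linear, an attacker can flip chosen bits of an encrypted frame and correct the encrypted checksum without knowing the key. RC4 is implemented inline so the script runs offline; the key, IVs and plaintexts are constructed sample values.

```python
"""WEP as described above: IV || RC4(IV || K)(P || CRC-32(P)).

Added example, not code from the book. RC4 is implemented inline so the
script runs offline; key, IVs and plaintexts are constructed sample values."""
import struct
import zlib
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt one frame body. `key` is the 40-bit (5-byte) or 104-bit (13-byte)
    shared key; the 24-bit IV is transmitted in the clear ahead of the ciphertext."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits")
    if len(key) not in (5, 13):
        raise ValueError("WEP key must be 40 or 104 bits")
    payload = plaintext + icv(plaintext)
    return iv + xor(payload, rc4_keystream(iv + key, len(payload)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Strip the IV, decrypt and verify the ICV. Returns None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    payload = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, tag = payload[:-4], payload[-4:]
    return plaintext if icv(plaintext) == tag else None


def iv_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """Two frames that share an IV were encrypted with the same keystream, so
    XORing the ciphertexts cancels it and leaves P1 XOR P2 (followed by the
    XOR of the two ICVs). Returns None when the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    n = min(len(frame1), len(frame2))
    return xor(frame1[3:n], frame2[3:n])


def wep_flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Modify an encrypted frame without the key. CRC-32 is linear over XOR:
    CRC(P ^ D) == CRC(P) ^ CRC(D) ^ CRC(zeros of the same length). XORing D
    into the ciphertext and that correction into the encrypted ICV yields a
    frame whose ICV still verifies. `delta` is plaintext-length, zero where
    no bit should change."""
    iv, body = frame[:3], frame[3:]
    plen = len(body) - 4
    if len(delta) != plen:
        raise ValueError("delta must match the plaintext length")
    icv_fix = xor(icv(delta), icv(bytes(plen)))
    return iv + xor(body, delta + icv_fix)
```

Because each IV selects a distinct per-frame RC4 key, 2^24 is the hard ceiling on how many frames can be sent before reuse is guaranteed; a busy AP reaches it in hours, and many cards pick IVs far less carefully than that.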
Is It Hopeless?
The wireless revolution is continuing forward, but from the picture painted so far, it may seem as if wireless networks are doomed to be large security problems. Fortunately, by understanding the risks involved in using wireless networks and properly architecting your WLAN, you can safely use wireless networks. The next step in building a secure network is understanding what an attacker can and cannot do to your network, which we'll cover in Chapter 2.
Chapter 2: Attacks and Risks
802.11 networks have unique vulnerabilities that make them an ideal avenue of attack. Wireless networks cannot be physically secured the same way a wired network can be. An attack against a wireless network can take place anywhere: from the next office, the parking lot of your building, across the street in the park, or a bluff many miles away.
Understanding the details of various attacks against your wireless infrastructure is critical to determining how to defend yourself. Some attacks are easy to implement but aren't particularly dangerous. Other attacks are much more difficult to mount but can be devastating. Like any other aspect of security, wireless security is a game of risk. By knowing the risks involved in your network and making informed decisions about security measures, you have a better chance at protecting yourself, your assets, and your users.
An Example Network
Throughout this book, we will work toward the creation of the example network illustrated in Figure 2-1. This network is split into three segments: the Internet, a wireless network containing access points and wireless clients, and a wired network containing workstations, servers, and other devices. A gateway mediates the traffic between these three segments. The focus of this book is the security of the gateway, access points, and wireless clients. We will also investigate the effects the security of these components has upon the rest of the network and the external security issues that originate from outside the wireless network.
All of these network components must work together, and implement complementary security, to establish a secure network. With that in mind, we will begin by examining the classes of threats to the wireless network.
Figure 2-1: Architecture of example network
Denial-of-Service Attacks
Denial-of-Service (DoS) attacks, which aim to prevent access to network resources, can be devastating and difficult to protect against. Typical DoS attacks involve flooding the network with traffic choking the transmission lines and preventing other legitimate users from accessing services on the network.
DoS attacks can target many different layers of the network. In order to understand the risk of a DoS attack to a wireless network, you must first understand the difference between various types of DoS attacks.
An application-layer DoS is accomplished by sending large numbers of otherwise legitimate requests to a network-aware application, such as sending a large number of page requests to a web server, swamping the server process. The goal of this type of attack is to prevent other users from accessing the service by forcing the server to fulfill an excessive number of transactions. The network itself may still be usable, but since the web server process cannot respond to the users, access to the service is denied. (This can occasionally happen innocently, when a web site receives a sudden boost in popularity due to a link from a high-traffic site such as http://slashdot.org.)
A transport-layer DoS involves sending many connection requests to a host. This type of attack is typically targeted against the operating system of the victim's computer. A typical attack in this category is a SYN flood. In a SYN flood (SYN packets are the first step of a TCP connection), an attacker sends an excessive number of TCP connection requests to a host hoping to overwhelm the operating system's ability to track active TCP sessions. Most operating systems have a limit to the number of connections per second they will accept and a limit on the maximum number of connections they will maintain. A successful SYN flood will overwhelm the operating system on one of these two limits, thereby denying access to the services running on that host. As is the case in the application-based DoS, the network is usually still functional, but the target host is unresponsive.
Man-in-the-Middle Attacks
Man-in-the-middle (MITM) attacks have two major forms: eavesdropping and manipulation. Eavesdropping occurs when an attacker receives a data communication stream. This is not so much a direct attack as much as it is a leaking of information. An eavesdropper can record and analyze the data that he is listening to. A manipulation attack requires the attacker to not only have the ability to receive the victim's data but then be able to retransmit the data after changing it, as shown in Figure 2-4.
Figure 2-4: Eavesdropping versus manipulation
MITM attacks on a wired network generally require access to a network that the victim's traffic transits. This can mean physical access to a wire to "tap" into the wire for interception. It can also mean being on the same LAN as the victim and forcing traffic to go through the attacker's host. An attacker can force traffic through a malicious machine on a LAN by performing an ARP poisoning attack.
Illicit Use
Illicit use of a wireless network involves an attacker using the network because of its connection to other networks. Attackers may use a network to connect to the Internet or to connect to the corporate network that lives behind the AP. Illicit use may not cause any operational problems, but it still may be unwanted and unlawful use of the wireless network. An attacker in this case may simply be someone who drove up near the AP, associated to the network and is checking his mail. Alternatively, the attacker may be sending spam to thousands of email addresses. The attacker may even be attempting to exploit a file server that lives on the same network as the AP or use the AP as a mask to hide the source of illegal actions, such as hacking other networks.
No matter what the attacker is doing, his use is unacceptable. However, the different types of illicit use pose varying degrees of problems for the organization running the WLAN. Again, in a wired network, illicit use is not a likely problem. In order to use a wired network, an attacker must have physical access to the network infrastructure. For reasons already outlined, this is unlikely and generally risky for an attacker to do. However, in most wireless networks, an attacker has much more freedom and is less likely to be caught attempting to use the network. (Illicit use by authorized users is a different matter. They already have proper access to the network but are using it for activities that are forbidden by a network-usage policy.)
Access points are not difficult to find. An attacker can simply drive around an area looking for unprotected APs using war-driving software such as NetStumbler. Once an attacker finds an open AP, he can use it for whatever illicit use he desires.
Databases of APs have been created, removing the war-driving step. Some databases such as Cisco's Hotspot Locator (http://www.cisco.com/pcgi-bin/cimo/Home) provide the location of closed APs that require payment to access outside resources. Other databases such as The Shmoo Group's Global Access Wireless Database (
Wireless Risks
Many security professionals fall into the trap of dealing only with the theory and not the practice of defending a network. While it would be great to be protected from all potential attacks that a wireless network may come under, that level of protection may not be practical.
When securing your network, you must consider the risk associated with each attack and address it accordingly. The topic of risk assessment and risk management is one that could fill a book on its own. However, it is important that you understand the basics of risk assessment so you spend your time and money wisely addressing the real issues rather than waste resources on topics that present no risk.
Figuring out your risk boils down to questions like: "What can happen?", "How likely is it to happen?", "What occurs when it happens?", and "How hard is it to defend against?". The "What can happen" question has already been answered in this chapter. Determining the likelihood of any particular attack is the next step.
The likelihood of an attack depends on factors such as:
How easy is it to launch the attack?
An attack that is theoretical today may be widely distributed in "script kiddie" code tomorrow. The problems with WEP started out as a paper that described the theoretical problems with the protocol. Very few people had the ability to take the vulnerability and write code to exploit it. Within a few months, several different exploit programs had been developed and were publicly available on the Internet. Once that code became available, the likelihood of WEP-encrypted traffic being cracked became much higher.
What is the risk to the attacker?
Home WLANs are great jumping-off points for hackers because home users tend not to be as diligent as larger corporations. An attacker may stay off large corporate WLANs for fear of being discovered by full-time security systems such as IDS systems and observant network engineers.
Knowing Is Half the Battle
Now that you are familiar with the kinds of attacks that an attacker may commit, you know what you're protecting against. Once you've defined your risk in reference to these attacks, you need to know what tools are at your disposal to protect you and your users. The next step in setting up a secure wireless infrastructure is laying down a strong foundation in your wireless clients.
Chapter 3: Station Security
Connecting to a wireless network puts your computer at risk. Eavesdroppers may intercept traffic sent between client stations and the access point. Malicious access points may attempt to force associations in order to perform man-in-the-middle attacks. Hackers using the same access point may try to exploit your computer. Due to the shared, physically unsecured nature of an 802.11 network, client stations are more likely to be the target of an attack.
Establishing proper security on stations connecting to a wireless network is the first step to creating a secure wireless infrastructure. The security of an entire infrastructure is like a chain; it is only as secure as its weakest link. Typically, wireless stations are laptops or workstations controlled by an individual, not by a team of security professionals. These stations may not be under the same scrutiny as a fileserver or firewall would be. Unfortunately, an unsecured wireless workstation can be an excellent vector for an attack on an entire infrastructure.
Client Security Goals
There are two main security considerations for safe usage of a client computer on a wireless network. The first is preventing a compromise of the client itself. A compromise of the client could lead to stolen or corrupted data, and provide an entry point for the attacker into the wider network. The second main consideration is using secure methods to communicate with other network services from the client.
The client needs to be protected from attack over the network. The primary means of accomplishing this is through the use of a firewall. A firewall on a client should block all unknown incoming traffic and allow for outbound connections. Connections directly to or from other computers on the wireless network should also be blocked. The exact means of accomplishing this for a specific OS will be covered in the five chapters that follow.
In addition to establishing a firewall, unneeded services on the client should be disabled. If there is a pressing reason to run a specific service from a client, firewall rules need to be modified to allow traffic to that service. It is vital that any exposed services are run using up-to-date software. Outdated software with security vulnerabilities is the primary entry point for attackers.
In addition, we'll discuss the use of static ARP to protect against layer 2 man-in-the-middle attacks. These attacks can lead to eavesdropping or manipulation of network sessions. The use of static ARP entries can prevent these attacks from succeeding, since the host will not modify its ARP table when it receives malicious information. Static ARP tables can be overwhelmingly complex to administer in large networks but can be a useful and easy tool in a smaller network. For more information on ARP attacks, see ARP Poisoning.
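The layer 2 attack described above and the static-entry defense, as an added example that is not code from the book: a small watcher that parses raw ARP packets, learns sender bindings the way a host's dynamic ARP cache would, and refuses to move any address an administrator has pinned, which is exactly what a static ARP entry does on the host. The packets, MAC and IP addresses and the gateway entry are constructed sample data.

```python
"""Detect ARP poisoning from raw ARP packets, honouring a static ARP table.

Added example, not code from the book. The packets and addresses are
constructed samples, not captured traffic."""
import struct
from typing import Dict, List, Optional

ARP_REQUEST, ARP_REPLY = 1, 2
_ARP_FMT = "!HHBBH6s4s6s4s"   # htype ptype hlen plen oper sha spa tha tpa (28 bytes)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(pkt: bytes) -> Dict[str, object]:
    """Parse an Ethernet/IPv4 ARP packet (the 28-byte ARP header, no Ethernet framing)."""
    if len(pkt) < struct.calcsize(_ARP_FMT):
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(_ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a sample ARP packet (used here only to construct test traffic)."""
    def mac(m: str) -> bytes:
        return bytes.fromhex(m.replace(":", ""))

    def ip(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))

    return struct.pack(_ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))


class ArpWatcher:
    """Track IP-to-MAC bindings seen on the wire and flag conflicting claims.

    `static` holds entries pinned by the administrator (what a static ARP table
    on the host contains); nothing heard on the air ever overwrites them."""

    def __init__(self, static: Optional[Dict[str, str]] = None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.learned: Dict[str, str] = {}

    def process(self, pkt: bytes) -> Optional[str]:
        arp = parse_arp(pkt)
        if arp["oper"] not in (ARP_REQUEST, ARP_REPLY):
            return None
        # Requests and replies both carry a sender binding; a poisoner may use either.
        ip, mac = str(arp["spa"]), str(arp["sha"])
        pinned = self.static.get(ip)
        if pinned is not None:
            if mac != pinned:
                return f"ALERT static entry violated: {ip} is pinned to {pinned}, claimed by {mac}"
            return None
        known = self.learned.get(ip)
        if known is None:
            self.learned[ip] = mac          # first sighting: learn it, as a dynamic cache would
            return None
        if known != mac:
            self.learned[ip] = mac          # a dynamic cache follows the change; we report it
            return f"ALERT binding for {ip} changed from {known} to {mac}"
        return None


def run_sample() -> List[str]:
    """Replay constructed traffic: a legitimate gateway reply, an attacker claiming
    the gateway, a new host, and the same host suddenly moving to the attacker's MAC."""
    gateway, attacker, host = "aa:bb:cc:dd:ee:01", "66:66:66:66:66:66", "00:11:22:33:44:55"
    watcher = ArpWatcher(static={"192.168.1.1": gateway})
    traffic = [
        build_arp(ARP_REPLY, gateway, "192.168.1.1", host, "192.168.1.50"),
        build_arp(ARP_REPLY, attacker, "192.168.1.1", host, "192.168.1.50"),
        build_arp(ARP_REQUEST, host, "192.168.1.50", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp(ARP_REPLY, attacker, "192.168.1.50", gateway, "192.168.1.1"),
    ]
    return [alert for alert in map(watcher.process, traffic) if alert]
```

Fed with ARP packets taken off the wireless interface, an alert on the gateway's address is the signature of the attack described in ARP Poisoning; on the host itself, the pinned entry is what `arp -s` installs, and it is the reason the attack fails there.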
The manner in which you access services across the network is just as important as host security. It does not matter how bulletproof your firewall is if you send your username and password in the clear every time you check your email with an IMAP request. Remember that an attacker can be passively listening to the network and not necessarily actively attacking your host.
Additional content appearing in this section has been removed.
Audit Logging
Even on client computers, it is very important to pay attention to the logs generated by the system. These logs can provide notification of attempted or successful compromises of system security. The location and format of these logs can vary from OS to OS. Monitoring of system logs can be tedious, and it is easy to become complacent. Because of this, we cover the installation of swatch, a basic tool to automate log monitoring.
Additional content appearing in this section has been removed.
Security Updates
After the system is set up, it is important to monitor the vendor web site for security patches. Most operating system vendors regularly discover or are notified of new security issues. Make it a habit to regularly check and download the latest patches, or use an automated updating system to gather them for you. When doing a fresh OS installation, it is a good idea to download any security patches on another machine and install them from a burned CD before connecting the fresh computer to the network.
Additional content appearing in this section has been removed.
Chapter 4: FreeBSD Station Security
This chapter demonstrates how to lock down FreeBSD workstations for use on a wireless network. It will explain required and recommended kernel tuning, secure configuration of the wireless card, locking down the operating system, and adding third-party software to further enhance the security of the machine. Many of the security practices documented in this chapter are general best practices that should be applied to any workstation (but rarely are). However, without mechanisms geared for wireless security, standard wired network best practices alone are not enough.
Additional content appearing in this section has been removed.
FreeBSD Client Setup
FreeBSD has a long history of wireless networking support. FreeBSD had robust support for the original 802.11 cards and has continued to support 802.11b cards. As of this writing, several 802.11a cards have experimental support under FreeBSD-current. Unless otherwise noted, the examples given in this chapter are for FreeBSD 4.5-RELEASE. For information regarding this release or for questions on FreeBSD in general, please see http://www.freebsd.org/.
As in any other discussion of setting up a secure platform, the steps outlined below are governed by the Principle of Least Privilege. The Principle of Least Privilege means that a user or system should be given only the required amount of privilege to perform the required tasks. This principle can be extended to configuring an operating system. Only required services, kernel configuration options, users, and files should be installed. By having unneeded interfaces on a machine (such as ppp0) or leaving unnecessary services running, you provide an attacker potential vectors for compromising your machine.
In order to use wireless NICs, the kernel must be configured to support the networking card. Complete instructions for compiling a kernel are outside the scope of this book. The information below is meant to supplement a normal kernel configuration. For information on compiling a new kernel, see /usr/share/doc/en/books/handbook/kernelconfig.html on your FreeBSD system, or go to http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html.
Before adding wireless and security options to your kernel, first remove all extraneous entries in your kernel configuration file. The GENERIC kernel that ships with FreeBSD contains many options that are not required for operation of most workstations. For example, if your workstation does not have any SCSI devices, remove all the SCSI devices and options from your kernel. Usually a configuration file for a workstation can be reduced to less than 100 lines. Once you have reached a minimal configuration, build a kernel and boot it. Verify that all devices are working as expected before adding the options specified in this section. The kernel parameters documented in this section are meant to supplement an existing kernel configuration file, not serve as a stand-alone kernel configuration.
Additional content appearing in this section has been removed.
Chapter 5: Linux Station Security
Computers on a wireless network are at risk of attack from anyone nearby. Because a wireless network lacks the physical bounds on network access that a wired network has, clients are at a much higher risk of attack. Linux is a powerful, complex operating system. Properly configured, a Linux host can withstand sustained attacks from dedicated attackers. Unfortunately, a poorly configured Linux machine can be a dangerous weapon for an attacker and a liability to you as an individual.
Additional content appearing in this section has been removed.
Linux Client Setup
Wireless support in Linux has progressed dramatically over the past several years. FreeBSD used to be the operating system of choice for WLAN usage, but the support now available under Linux makes it a great operating system for wireless networking. Linux supports many common 802.11b cards. Many vendors developing 802.11a and 802.11g equipment are developing Linux drivers at the same time as their Windows drivers. Other vendors are deploying embedded Linux systems with wireless support.
Unless otherwise noted, the examples given in this chapter are performed on RedHat Linux 7.2 with kernel 2.4.18. The examples should work on most recent Linux distributions, but may require small changes to the scripts or file locations. For more information regarding RedHat Linux, see http://www.redhat.com. For more information on kernel 2.4.18, see http://www.kernel.org.
Additional content appearing in this section has been removed.
Kernel Configuration
In order to securely use a wireless network, you must start with a secure host configuration. At the heart of any secure host is a solid, well-planned kernel configuration. A secure kernel must be governed by the Principle of Least Privilege. The Principle of Least Privilege indicates that a user or system should only be given the minimum amount of privilege in order to achieve the desired tasks. This means that a kernel should be stripped of all unneeded configuration options. If you don't have any SCSI devices, then you shouldn't have any SCSI devices specified in your kernel configuration.
In order to use wireless NICs, the kernel must be configured to support the networking card. The process of compiling a Linux kernel is outside the scope of this book. For more information on compiling a kernel, see /usr/src/linux-2.4/README on your Linux system or http://www.tldp.org/HOWTO/Kernel-HOWTO.html. Configure and compile a kernel with as few configuration options as possible. Once you have a bare-bones kernel for your machine, continue with the steps in the rest of this chapter.
There are many ways to configure a kernel. Whether you use make menuconfig, make xconfig, or simply make config, the changes are saved to a configuration file. This file is typically in /usr/src/linux-2.4/configs/kernel-[ver].config. The configuration options specified in this chapter are directives in that file. How they get written to the file is up to you; you can edit it directly, or use the make *_config scripts.
Wireless NICs are generally connected to either an internal PCI connector or a PCMCIA (PC-card) interface. You must first enable whichever interface type you are going to be using. PCI support, probably already compiled in your kernel, is enabled with the following:
CONFIG_PCI=y
There is support in the Linux kernel for various PCI-based wireless cards including those made by Lucent, Cisco, and Linksys. Consult the kernel documentation to determine how to add support for your particular card.
Additional content appearing in this section has been removed.
OS Protection
A secure kernel is only part of the solution for using a wireless network securely. A station on a wireless network is in a hostile environment. Anyone nearby can launch an attack against the station. The station should not rely on other network defenses to keep these attacks at bay; it must defend itself from hostile activity.
The firewall configuration on a wireless client is relatively simple. Most clients are not running any services such as web or mail servers. The only new connections should be outbound from the host; there should be no inbound connection requests. If you do have services running on your client, you will need to modify your firewall configuration appropriately.
The Netfilter firewall included in Linux 2.4 is controlled by the program iptables. In a nutshell, Netfilter uses a list of firewall rules called chains to process packets. There are three different chains in a Netfilter firewall:
INPUT
Packets destined for the host machine are handled by the INPUT chain. If a host is running a web server, packets destined for port 80 on the host's public IP address would be handled by the INPUT chain.
OUTPUT
The OUTPUT chain processes packets generated by the host for another host. A request by your workstation for a web page from a remote web server would be handled by your workstation's output chain.
FORWARD
The FORWARD chain processes packets that are sourced by a non-local host and destined for a non-local host. This type of action is typical of a firewall protecting an entire network where traffic is moving through the host, not actually destined for the firewall itself.
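As an added example (not a script from the book), the client policy described in this section and in the Client Security Goals above, written as a Netfilter rule set for the three chains: no inbound connection requests, outbound connections allowed, and direct connections to other stations on the wireless segment blocked. The interface name eth1, the gateway 192.168.1.1 and the segment 192.168.1.0/24 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the book: a Netfilter policy for a wireless client
# that runs no services, built from the chain roles described in the text.
# Assumed (constructed) names: wireless interface eth1, gateway 192.168.1.1
# on 192.168.1.0/24. Rules are emitted in iptables-restore(8) format so they
# can be reviewed first; they are loaded only when run as "client-fw.sh apply".
WLAN_IF=${WLAN_IF:-eth1}
GATEWAY=${GATEWAY:-192.168.1.1}
WLAN_NET=${WLAN_NET:-192.168.1.0/24}

client_fw_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic never leaves the host.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# INPUT: the only traffic allowed in is replies to connections this host
# opened. There are no services, so no inbound NEW connection is accepted.
-A INPUT -i $WLAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log inbound connection attempts before the chain policy drops them; the
# log lines feed the audit monitoring discussed later in the chapter.
-A INPUT -i $WLAN_IF -m state --state NEW -j LOG --log-prefix "WLAN-IN-DROP: "
# OUTPUT: the gateway is the one peer on the wireless segment we talk to;
# direct connections to any other station on the segment are logged and dropped.
-A OUTPUT -o $WLAN_IF -d $GATEWAY -j ACCEPT
-A OUTPUT -o $WLAN_IF -d $WLAN_NET -j LOG --log-prefix "WLAN-PEER-DROP: "
-A OUTPUT -o $WLAN_IF -d $WLAN_NET -j DROP
# Everything else outbound goes through the gateway to the wider network.
-A OUTPUT -o $WLAN_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# FORWARD stays empty: a client is not a router, so its policy is simply DROP.
COMMIT
EOF
}

# "apply" loads the whole set atomically (as root); anything else prints it.
if [ "${1:-}" = "apply" ]; then
    client_fw_rules | iptables-restore
else
    client_fw_rules
fi
```

A DHCP client that uses ordinary UDP sockets needs explicit rules for UDP ports 67 and 68, because broadcast offers are not tracked as replies to the request.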
Additional content appearing in this section has been removed.
Audit Logging
No matter how strong your security mechanisms are, if you are not logging and monitoring your logs, you are vulnerable to unforeseen attacks. Diligent logging and monitoring gives you the ability to react to attacks in real time, protecting yourself and your resources.
Due to the lack of physical security in a wireless network, low-level attacks are of a much greater concern than they would be on a wired network. ARP poisoning, as discussed in Chapter 2, allows a malicious host to act as a man in the middle for machines on the network. The static ARP settings discussed earlier in this chapter are one way to protect yourself from ARP-based problems.
However, being able to detect ARP issues on the network gives you a window into the overall security of the network. If someone on the network is attempting ARP spoofing attacks, it is safe to assume your packets are being sniffed and your data is at risk. A program called arpwatch will watch the network for you and report any unusual activity. In order to use arpwatch, the program must have access to raw frames being sent across the wire. This requires CONFIG_PACKET support in your kernel.
For a complete discussion of arpwatch and how to configure it, see Section 4.1.6.1.
syslog is a common audit facility that any application on a host can use. Many standard applications, as well as the kernel log, send very useful information to syslog. Being able to direct syslog data to a desired location and monitor it gives you a view into what your system is doing as well as what others are trying to do to it.
Different Linux distributions have different syslog configurations. In general, they are configured to send syslog to many different logfiles based on
Additional content appearing in this section has been removed.
Secure Communication