
Wi-Fi thief's tale reminds IT to enforce home office security

Network security is only as good as its weakest link--often users' home Wi-Fi networks. IT managers must examine their exposure to unsecured Wi-Fi networks and take steps to mitigate any risks, such as helping users protect their networks, implementing a good remote access policy, and addressing any compliance issues.


In his Time.com article, "Confessions of a Wi-Fi Thief," Lev Grossman describes a Wi-Fi filching scenario IT pros are all too familiar with. Grossman wrote:

When I moved into my apartment three years ago, the first thing I did after I tipped the movers was sit down on a box, crack open my laptop and sniff the air for wi-fi signals. And I found them: my apartment was chock-full of delicious, invisible data, ripe for the plucking. ... For the next three years, I didn't pay for Internet access. Instead, I got online via the unsecured wireless networks of my neighbors.

I'll leave the ethical and philosophical argument for and against Wi-Fi theft for another post, but Grossman's article reminds us that the chains we put around our networks are only as strong as their weakest links--often our end-users' home offices.

Using a VPN and strong access control and authentication procedures is a must, but IT departments must also stress the importance of end users securing their own wireless networks, and we should provide assistance, even if it's just informational, where possible. Now don't get all up in arms about supporting end users' home equipment. I'm not suggesting you take on the often impossible task of manually configuring each user's home networking equipment. Instead, I suggest an information campaign that helps users understand the importance of, and the common methods for, securing their home networks.

Establish, distribute and enforce a good remote access policy

Your information campaign should start with a good remote access policy, which every remote user should receive and sign (manually or electronically). The following TechRepublic policies are a great place to start when creating a policy for your organization:

Provide information on general Wi-Fi security techniques

Whether you include them as part of your remote access policy, post them on your IT department's Intranet site or send them out in an e-mail, the following Wi-Fi security tips are a good place for your users to start:

  • Use WPA or WPA2 wireless encryption--not WEP.
  • Don't broadcast your SSID.
  • Use a firewall.
  • Use a strong passphrase.
  • Regularly monitor network access.

Check out the following resources for complete descriptions of these and other security measures:

Consider special requirements for data protected by regulation (healthcare, educational, etc.)

If your organization handles data protected by specific government regulations (HIPAA, FERPA, GLBA), you may need to take extra precautions. The following resources can help you decide what security practices are necessary in your environment:

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

28 comments
mjd420nova

I use WPA-2, the firewall on the unit and MAC filtering. The SSID is not broadcast and unless your MAC address is on the list, you can't get in. I monitor the logs daily and will even capture some users' MAC addresses if they try to get in and add them to the blocked list. Once they quit trying I'll empty the blocked list but they still can't get in. The firewall is effective for spoofing and I have had a couple of attempts but the MAC address didn't let them in. Check the logs daily.

pjboyles

"Don't broadcast the SSID." 1. Not a good idea from the workstation side of the equation. This leaves every system you have set up to automatically connect to this network with a visible SSID probe. 2. This is only 1 of 5 methods to discover your network. It only gives the impression of security without any real benefits. - Better... Set up your AP with WPA or WPA2 and a strong pass phrase. Uncheck the "connect even if not broadcasting" on your client for all wireless network connections. See George Ou's articles on wireless security. One of the items he writes with which I completely agree. A couple of good starter articles:
The six dumbest ways to secure a wireless LAN http://blogs.zdnet.com/Ou/index.php?p=43
Wireless LAN security myths that won't die http://blogs.zdnet.com/Ou/?p=454

Neon Samurai

If I may, as a brain exercise for my own practice.. An access point SSID can be sniffed off the air with the first packet captured between your router and client computer. At the same time, the packet will provide a valid MAC which is allowed on the router. The router response will provide the access point's MAC. It may also provide the IP which can be handy but is not required. This has all been passive so you have no entry in your log, foreign MAC or strange IP showing. You might spot the MAC but it will be like any other wifi device belonging to another network in broadcast range. The foreign node can now wait until your client seems to be shut down and "borrow" your MAC in an attempt to connect but the initial detection would also have told the foreign node that you're using encryption. A casual cracker or script kiddie will move on to something easier. A motivated cracker (by challenge or employ) will continue to capture all traffic between your router and any valid clients you have. For a WEP key, the required amount of traffic can take as little as five minutes if you're moving a lot of data; there are ways if you're not moving a lot of data too though. WPA is much harder and takes a whole lot more traffic where WPA2 takes even more traffic and effort if it's possible in a reasonable amount of time at all. Currently, it seems to take an unreasonable amount of time to do so WPA2 is considered safe; it is the lock providing the actual security protection of your network. If the firewall is able to detect a spoofed MAC where the client machine is only broadcasting your valid MAC and connects only with the valid encryption key then that is providing some good protection too. If it's just the router firewall blocking ports and telling you when someone tries to get in; it's about as smart as most. I couldn't resist banging my brain against a theoretical audit. :)

In my own network, I broadcast SSID:
- hopefully people setting up routers will see my SSID and choose a less populated channel; I still have to change channels from time to time when it gets too noisy.
- my own client systems that have the SSID recorded will not spend their time away from my network announcing my SSID to the world in hopes that my router will answer back; they already know it's broadcast and should instead simply wait to see it before trying to connect.
- SSID, broadcast or not, can be captured in seconds so hiding my SSID does nothing but make others think the channel I'm on is less populated.

I use MAC filtering:
- this is like telling your children not to talk to strangers. If they think they recognize the person or the person has an "Aunty Thelma" disguise on, then the child will talk to them. My intent is only to reduce the amount of noise my router listens to by having it ignore MACs it doesn't think it recognizes; it will talk to devices that put on a recognized MAC costume though.

I use WPA/WPA2:
- this is the real security mechanism that would hold the fort if all other settings were left wide open. WEP isn't even a speedbump and wide open is far worse but WPA/WPA2 are currently considered safe.

I use statically assigned IPs and ranges:
- My machines get an assigned name.lan domain name so I can use the machine name within my own network. I can change an assigned IP without having to change all my connection addresses.
- My machines get an assigned IP. If the router's internal DNS gives me grief, I know the IP and can use that instead.
- A connected machine's type can be identified by IP range (this is actually a reduction in my security level but I'm willing to accept it). I can see in the connected list if a machine is a workstation, server, wireless, guest, ...; any machine I know has an IP issued so "guest" means I have a stranger who wants to play.

I usually keep a browser open on my router's status page just to see how the WAN side is doing and what LAN clients I have live inside. I'd like to have the router forward its logs to a server inside once I get the hardware put together and running. (I talk openly about my setup because the security mechanisms are what keep it safe rather than thinking the secrecy of my network layout provides any protection.)

NickNielsen

I'll provide the complete list of actions in its original sequence, just in case you missed it:
* [b]Use WPA or WPA2 wireless encryption--not WEP.[/b] (my emphasis)
* Don't broadcast your SSID.
* Use a firewall.
* Use a strong passphrase.
* Regularly monitor network access.
It appears you saw something you didn't like and skipped right to it, only to embarrass yourself by duplicating the previous line.

Dumphrey

is to force the valid user to lose connection to the AP, and capture all the renegotiation traffic. Tons o' packets. Once again, freely available tools on a *nix platform. Requires a wifi card capable of a "true" passive state under Linux (Prism etc).

rkuhn040172

So all my tin foil walls and doors aren't working? Darn! I only recently stopped wearing my tin foil underwear. I think it did a great job of protecting me from cancer, but man, it was uncomfortable.

Neon Samurai

I liked the article especially with the included "how I stole Internet" part. The only bit I can't agree with is hiding the SSID. I actually started out believing this improved my system security (If I don't announce myself, I'm being more sneaky.) It was George Ou pointing out that clients that connect to a hidden SSID have to constantly broadcast it rather than silently listen for it. All the other points and in that order are solid though. Using WPA/WPA2 (preferring the latter) with a strong passphrase or random passkeys is definitely the strongest part of the lock. I've actually been considering using a random 8 character SSID in combination with the long randomly generated passphrase just as a "yeah, my router is here but screw off unless I know you anyhow". hehe.. I've also been thinking of using my extra router with an SSID like "crackmeshmuck", WEP and honeyd just to see what turns up. That one has to wait until I have enough extra hardware to set up a completely air-gapped network though. ;)

Neon Samurai

There's usually only one specific frame attribute I'm looking for when I make use of that toy. The fun of having an extra router handy. I was trying to leave out enough detail but that's the very tool I was thinking of and it runs great on an N810 too. What was that called.. arb.. alfr.. "a" something.. ;) Ah, what fun we can have with those little control frames..

Neon Samurai

Why didn't you just go the other route home; downhill both ways? I still had to walk barefoot through twenty foot snowdrifts in June being up here in Canada but I caught on to the reverse route pretty quick.

rkuhn040172

Didn't you have to kill a bear with your spiral notebook too?

Dumphrey

have these nifty extension cords with big white switches that can be placed on the floor, and you just gently step on em to turn on or off the device on the other end. I use em all over (yes, I am that lazy).

Dumphrey

when I was little we ran around all day in 1000 F weather, up hill, both ways, while wearing a full tin foil suit. And we loved it!

Neon Samurai

I can sure admit that it was the icing on the cake that sent me off more than once. It was always hard to take a comment that could go either way in good faith with that sucker staring at you. Something about fish and bait comes to mind..

rkuhn040172

That I only chose the anti-penguin just to piss people off. And apparently, for a time, it worked. It just sent some people off the deep end. But like all things, they have their time and place and the old profile pic had to go.

Neon Samurai

I do miss the standing "permission to breach" we had among the local POTS area BBS ops; those were some fun times. The best one was configuring an extra protocol on the BBS to send the user.dat file by zmodem instead of any arbitrary file; that one kept a SysOp hunting bugs for a week. You did spot something in my setup too; I tend to leave my wifi radio on most of the time. I'll have to consider how many other wifi clients I have in the house and see about turning that off more often. I love being able to config the "easy setup" physical button on the Linksys routers as a wireless radio toggle. Need wireless on; hit the button. Done with it; hit the button. It's one of the first things I set when I install a newer ddWRT version. I can't afford the enterprise class hardware but ddWRT gets me a little closer while the consumer Linksys fits my hardware budget. With my N810 now replacing my PalmT5 as "data symbiote", wifi is pretty much always on if I'm within range of the house. Usually the router gets unplugged if we're away. (Completely unrelated but; nice choice of new profile image. The positive pro-Windows image is much better than the overtly negative image used in the past. I couldn't very well complain about the previous profile pic and not recognize the new one. That's just one random geek's opinion though of course.)

rkuhn040172

However, just like the safest PC is the one disconnected and turned off, the safest AP is one that is turned off while not in use. My short list of AP security:
- IP/MAC filtering
- firewall
- WPA or better encryption
- static IPs (not security but organizational)
- SSID broadcasting
Other than that, unless you have some kind of business class equipment with more features than the everyday home user does, that's about all you can do.

Neon Samurai

I wouldn't recommend wet wool underoos either; itchy with no RF blocking at all. (Tinfoil walls may actually work as would RF blocking paint but one is expensive and the other is only appealing in old sci-fi.) The theoretical audit was fun but overall, his network is safe due to WPA2. Do you see anything further in his or my setup? This used to be great fun between us SysOps in the BBS days. (N810 does not lend itself well to spelling and grammar.)

Neon Samurai

My order of testing once I got my old parts into a chassis and booting again was going to be:
- FreeNAS
- ClarkConnect
- Mandriva

Neon Samurai

With the exception of a very few, any tool someone is going to be using decloaks SSIDs by default. The tools an attacker is going to use definitely do unless they are incompetent and use a Windows platform with only NetStumbler. (I don't know if decloak has been added recently but I seem to recall that it didn't previously.) My eight character random SSID mentioned was limited to eight since it's only an SSID. The passphrase isn't remotely human readable, memorable or short. As for WEP, that would only be on my secondary router while it's being used in front of a honeyd box; just to see who's around and playing. WEP on a production network; hell no. I wouldn't even downgrade to it so my T5 could connect. I'd rather live without the device being attached when around home.

Dumphrey

check out http://www.openfiler.com/community/download http://www.freenas.org/ FreeNAS I have set up and configured to use Active Directory for authentication. 30ish meg footprint on the disk, web based configuration screen. They may suit you better in the long run than a simple samba share. This is like samba on steroids with a slick web config screen (SWAT doesn't really count =\).

Dumphrey

that goes in its global config area along the lines of masterbrowser = true A little googling will turn it up, or some browsing of the Samba Bible.

Dumphrey

takes a few seconds, even when it's not broadcast. Many tools are freely available to do just that. It's at best like locking a screen door to your mountain cabin and expecting it to keep out intruders too stupid to cut the screen. And even WEP is crackable if the key is weak or dictionary based. Why stop at 8 characters? Heck, go up to 64 and copy 'em to a text file on a flash drive with a title like PIdigit356 or quadratic equations and cyclic functions.txt.
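The article's "use a strong passphrase" tip and the thread's back-and-forth about random SSIDs and passphrase length both come down to one computation: WPA/WPA2-PSK derives the 256-bit Pairwise Master Key from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID (IEEE 802.11i). The Python below is an added example, not code from the article or any commenter; it derives that key, checks it against the published 802.11i test vector, estimates passphrase strength with a simple character-pool heuristic that is this example's own assumption rather than a standard, and generates a maximum-length random passphrase (the standard caps ASCII passphrases at 63 characters).

```python
import hashlib
import math
import secrets
import string

# IEEE 802.11i parameters for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1, 4096 rounds,
# 32-byte output, SSID as salt. Same passphrase + different SSID = different key,
# which is why the (non-secret) SSID still matters for precomputed-table attacks.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32  # bytes

# Character pool for generated passphrases (this example's choice): printable
# ASCII minus quotes, backslash, space and a few characters consumer routers
# and config files tend to mangle. The standard allows ASCII codes 32-126.
PASSPHRASE_POOL = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{}~"


def wpa_psk(ssid: str, passphrase: str) -> bytes:
    """Derive the WPA/WPA2 pre-shared key (PMK) from an SSID and an ASCII passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK ASCII passphrases must be 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LENGTH)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy estimate: length * log2(size of the character classes used).

    This is a rough heuristic (an assumption of this example); a dictionary word
    scores far lower in reality than the number returned here.
    """
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0


def passphrase_findings(passphrase: str) -> list:
    """Weaknesses a defender would flag before accepting a passphrase on a home AP."""
    findings = []
    if len(passphrase) < 8:
        findings.append("shorter than the 8-character WPA minimum")
    elif len(passphrase) < 20:
        findings.append("under 20 characters; devices store the passphrase, so length is free")
    if passphrase_entropy_bits(passphrase) < 80:
        findings.append("estimated entropy below 80 bits")
    if passphrase.isalpha():
        findings.append("letters only; likely a dictionary word or name")
    return findings


def generate_passphrase(length: int = 63) -> str:
    """Random passphrase of the maximum WPA-PSK length from OS-level randomness."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    return "".join(secrets.choice(PASSPHRASE_POOL) for _ in range(length))


if __name__ == "__main__":
    # Published 802.11i test vector: SSID "IEEE", passphrase "password".
    print(wpa_psk("IEEE", "password").hex())
    print(passphrase_findings("password"))
    fresh = generate_passphrase()
    print(fresh, round(passphrase_entropy_bits(fresh)), "bits (heuristic)")
```

The generated string is what you would paste into the router and into each client once; the point of the findings list is to reject short or word-based passphrases before they ever reach the AP.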

Neon Samurai

with my lack of sleep, the lines are a little blurry today anyhow.

DanLM

Don't worry about it... I have my work around, and I really just don't care no more. My music drive, audio book drive, and iso drives are mapped to my windows machines. I can get at home directories for both machines and for both accounts. I just don't care anymore... I don't want to yuk with something that is working and spend a day trying to fix it.. is it perfect, nope... Is it what I wanted... Nope.. But it works, and that's what counts... Drives are mounted to the windows machines without passwords being asked for. Just don't care anymore. Unless someone knows the paths... Knows the users and knows those passwords, they aren't going to get access. Sorry to bother ya... I was asking for when I go into my next "If in doubt, throw the mothers out and start over" phase. Dan

Neon Samurai

I'll paste up an example out of my own samba.conf when I'm back home tonight now that I know what direction you're working in. As I mentioned, I prefer to use the network \\ path or mount directly under a drive letter depending on my frequency and need. (In some cases the network path is too long so mapping a drive letter lower down works better.) Off the top of my head, you specify the share name and path on the *nix machine plus the uname/passwd allowed. I think there is then a username file that gets created to hold the name and encrypted passwd but that may only be for *nix to mount other samba shared machines. There is a setting that tells Samba to be the master then Windows and the Samba daemon are supposed to work out any conflicts the same way two Windows machines would. You may also be able to disable Master under the Samba config and have it pop up like any other non-Master Windows box with a share. Smbclient should be what you'd use for checking Master and similar listing of available machines and shares though it's an area I still use mount or KDE's native support to work with. (mount means non-Samba aware programs like Amarok get access also.) I'm surely not the most expert with Samba around here but I'll post back with what I have and see if it gets you up and running. (edit; my seplling is awsome today ;) )

DanLM

Samba setup. Shares are built through swat. I added the layer of security for those shares by globally only allowing specific user IDs. That and only allowing specific IPs. Users have been defined with the same user names and passwords they have in Windows. Windows - Windows XP Pro and Windows XP Media. Neither of these machines shows any of the shares that samba is broadcasting in the network neighborhood. My samba setup shows the OS level of samba at 255. This [b]should[/b] put it in first place with regards to machines announcing themselves as master browsers. It's not... Samba logs show otherwise. Also, even though I don't have the command at my fingertips... I know that there is a way to check from each machine the master browser list... That showed otherwise also. There is a registry change you can make for your Windows machine to not announce itself at all... But, I don't have that at my fingertips either. Both Windows machines have full access to the samba server. I have the drives mounted... But I had to provide the full network path in the mounting questions for this to work. I am never asked for a password, so the passwords are being transmitted to the samba server properly. Ie: Log into Windows, click your drive listings. Your network drives that you had previously mounted show up and you have full access. Thank you for the answer Neon. Dan

Neon Samurai

Both are separate bits of information operating on separate layers unless I understand incorrectly. The SSID is an identifier so you know what AP you're connecting to. If you have three routers sitting beside each other on a table, you want to know which of those three you're trying to attach to. It's only an arbitrary name given to the AP's wifi radio. Once you've established the connection between AP and your client NIC radio it does nothing more. The connection should be no different than wire or fibre other than being more susceptible to interference from other 2.4ghz broadcasts. http, ftp, dns, samba and the rest of your more visible protocols used to get the data between machines are working on layers above the networking medium. You should be able to set any name you like as a workgroup or multiple to group machines together within "network neighbourhood". Really, you don't even need the workgroup name unless you are browsing the neighbourhood listings. \\IP\share or \\hostname\share should get you directly to where you want to go; I prefer \\ip\share myself.

Your wifi issues could be 2.4ghz (cordless phone?) overpowering your router signal, too many other networks on the same channel, building interference or something similar. Provided the problem is connectivity in general where other connections also give you grief rather than just Samba/CIFS protocols. Your Samba issues could be a misconfiguration. I remember win2k having a lot of problems talking to winXP, win98 and older NT through CIFS. On winXP, you can set "simple network sharing" if you're not using uname/passwd or an AD server in the middle. With my Samba, I'm spoiled by Mandriva's network sharing drake tool. It's just easier to use the tool when I'm creating a mounted share that requires a uname/passwd (so, always for me ;) ). My local shares that other machines will attach to, I usually create directly in the Samba config file.

Give it a name, point it at the correct directory and list what user accounts are allowed to make use of it. On the Windows or OS X remote box, I then do the normal setup for connecting to a share with the addition of specifying the correct uname/passwd. On Windows specifically, I usually map the share to a drive letter if I'm going to use it regularly. There is an option to use a different uname/passwd than you logged into Windows with so I specify the correct information that way. If you simply open the run box and type \\IP\sharename it should prompt you for a uname/passwd I believe. If you like, list the OS for the two machines and what setup you've tried. When I have more time, I can post an example out of my own samba.conf - it's nice weather here today also and I'm being called back out of my cool basement for a walk in the warm sun. (I'm the last person who should ever complain about speeling or gramur ;) )

DanLM

JungleJim as an SSID doesn't cut it, huh. BUT, that brings me to my question. When I first set up my home network (SAMBA) under wifi, I had all kinds of issues getting things to work. I ended up setting it up so that both the SSID and my workgroup were named the same. Still have issues, but it's because my Windows machines keep broadcasting as master browsers... I got tired of trying to fix that one, and just absolute pathed my drive mountings. But............ If you went with an 8 random character SSID, which you changed on a regular basis, would you/do you have to worry about workgroup names? Are they 2 separate entities which do not rely on each other at all? Dan Yeaaaaaaaaa, I know... I should know this. But, I just don't. [edited to add] Be thankful that I have cut back on my postings because of nice weather. You don't have to be bombarded now with my typo/spelling errors as much now.