Creating wireless security without WEP - Network Magazine India - Focus Page 1 of 3
Creating wireless security without WEP
WEP is no longer sufficient to ensure data safety on the 802.11b WLAN
standard. And with the details behind 802.11a, 802.11g, 802.11i and
802.11e still murky, here's a better and cost-effective solution to secure
your wireless networks. by Seamus Phan
On Aug 14, 2001, a new attack designed by three well-known
cryptographers (Scott Fluhrer, Itsik Mantin and Adi Shamir) and re-created by a
team of AT&T Labs researchers enabled an eavesdropper to capture a small amount
of network traffic and recover the user's secret key in less than one hour.
"This is the last straw for WEP (Wired Equivalent Privacy)," said Adam Stubblefield, a
summer intern at AT&T's famed lab who wrote the code used to compromise WEP. "WEP
is basically useless," he said.
If that is so, what of the thousands of 802.11b WLANs out there in the world today? Are
we adopting a second-rate technology, or is there a better way to build wireless walls?
We can take a cue from NASA, and look at how they approach WLAN security, and also
explore the use of Unix workstations to increase security and reduce costs. In addition,
these techniques also facilitate the migration to faster WLAN technologies, including
802.11g and 802.11a.
Further, when the 802.11i security standard for WLANs finally emerges (hopefully early next
year), it will improve on the basic security measures that 802.11 currently gets from
WEP. However, as with other security implementations, only time will tell if 802.11i
will be as secure as the IEEE claims.
Unix Base Stations
Here is a money-saving tip. You can leverage your Unix workstations as base stations to
reduce WLAN expenditure, without losing seamless connectivity. Workgroups that have
spare Unix boxes (FreeBSD, OpenBSD, NetBSD, Linux and other Unixes) or even stock
G3 or G4 workstations running Mac OS X, can set them up as base stations. If you prefer
Linux, you can even set up Yellow Dog Linux (www.yellowdoglinux.com) on your Mac as a
base station. Yellow Dog Linux also offers the BriQ, a pre-configured PowerPC
architecture server appliance, that can be used for this purpose.
A wireless base station is akin to an IP router, and by setting up your BSD box properly
you can get it to work as one. Basic Service Set (BSS) "infrastructure" mode
gives true base station functionality, and several Unix coders have developed ways to
enable BSS mode for Lucent and Prism adapters. For NetBSD workstations to work in BSS
mode, use the ifconfig command (please note that specific adapters and environments
may demand different parameters):
# ifconfig wi0 media DS11   (do not use mediaopt adhoc)
# ifconfig wi0 nwid yourname   (substitute "yourname" with the WLAN network name)
If it is not possible to run in BSS infrastructure mode, then run your adapter on your box
in IBSS (independent BSS), which is peer-to-peer, functioning like a shared Ethernet
cable. The command for NetBSD is:
# wiconfig wi0 -c 1
According to the developers, make sure your adapter's firmware is as recent as
possible, because older firmware does not support IBSS operation. Also note that laptops
need a slot for a WLAN adapter, while desktops must take a wireless PCI card.
The NASA Hack
On Aug 20, 2001, the US-based National Aeronautics and Space Administration (NASA)
described a method, using a wireless firewall gateway, to secure standard 802.11b
networks without WEP.
A white paper by Nichole K. Boscia from NASA proposed the use of a wireless firewall
gateway as a router between a wireless and external network, with the ability to
dynamically change firewall filters, as users authenticate themselves for authorized
The gateway also operates as the server that hands out IP addresses to users, runs the
website on which users authenticate, and keeps a record of who is on the network and
when. To make this accessible to users of any client platform, only a Web browser and
DHCP client software are required.
There are three components to such a wireless firewall gateway design: a DHCP server,
an IP filtering mechanism, and a Web authentication system.
NASA used a beta of the version 3 open source DHCP server from the Internet Software
Consortium (www.isc.org). It differs from older DHCP servers in that it can
dynamically remove hosts from the firewall access list when the DHCP server releases a
lease for any reason (including client-initiated requests, timeouts, and expiration).
NASA configured the DHCP server running on Unix or Unix-like platforms to only listen on
the subnet interface of the WLAN, thus preventing users from the wired network from
obtaining a wireless IP address from the DHCP server. NASA also installed a packet filter
to stop requests from any other interface.
For IP filtering, NASA used the stateful IPFilter (IPF) package that shipped with OpenBSD
(www.openbsd.org) at the time. IP routing is enabled in the kernel so that packet
filtering can take place between the wireless and external network interfaces. Static
filters are loaded at boot from the /etc/ipf.rules file and are designed to minimize remote
access to the wireless firewall gateway itself.
Packet filtering is done at the transport layer (UDP or TCP) so that stateful inspection can
be applied; this raises security further because dynamic or private-port sessions are never
explicitly permitted into the WLAN, only replies to traffic the client itself initiated.
NASA restricts traffic to essential protocols such as NTP, DNS, DHCP, and ICMP. In the NASA
implementation there are two kinds of users: authenticated and non-authenticated.
Non-authenticated users can be granted access only to specific services such as e-mail, VPN and Web.
To prevent a subsequent user from being granted trusted access when an IP
address is recycled, the in-memory lease database removes the firewall permit
rule for that address whenever the user's next lease binding state is set to free, expired,
abandoned, released, or reset.
The DHCP server will not issue the same IP address until it frees the lease of the last
client. This overcomes the security issue of someone hijacking an IP address that's been
authenticated and using it after the valid user is no longer using the wireless service.
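As an added example (not NASA's code and not from this page), the following Python models the three pieces just described and how they interlock: the boot-time ipf rules that leave an unauthenticated client only DHCP, DNS, NTP, ICMP and the login page, the per-client permit rule a successful login installs, and the lease-state hook that removes that rule so a recycled address carries no trust to its next holder. The interface names wi0 and fxp0, the 10.10.0.0 addressing, port 443 for the login page, the MAC check in authenticate(), and the exact ipf rule wording are assumptions; the list of binding states is the one the article gives.

```python
# Added example modelling the NASA-style wireless firewall gateway.  Not NASA's
# code; interface names, addresses, the login port and rule wording are assumed.
from dataclasses import dataclass, field

WLAN_IF = "wi0"           # assumed wireless-side interface of the gateway
WIRED_IF = "fxp0"         # assumed wired/external interface
GATEWAY_IP = "10.10.0.1"  # assumed gateway address on the wireless subnet

# Lease binding states that must take a client's permit rule away with them.
REVOKE_STATES = frozenset({"free", "expired", "abandoned", "released", "reset"})


def static_rules(wlan_if=WLAN_IF, wired_if=WIRED_IF, gw=GATEWAY_IP):
    """Boot-time rules in /etc/ipf.rules style.  ipf evaluates top to bottom and
    the last match wins unless a rule says 'quick', so the two 'block' lines are
    the default and every 'pass ... quick' is an explicit exception.  'keep state'
    admits only replies to what the client started, so no inbound hole is opened
    for dynamic or private ports."""
    return [
        f"block in log on {wlan_if} all",
        f"block out log on {wlan_if} all",
        # DHCP requests from the wireless side only; refuse them on the wire
        f"pass in quick on {wlan_if} proto udp from any port = 68 to any port = 67 keep state",
        f"block in quick on {wired_if} proto udp from any to any port = 67",
        # DNS, NTP and ping to the gateway itself
        f"pass in quick on {wlan_if} proto udp from any to {gw} port = 53 keep state",
        f"pass in quick on {wlan_if} proto udp from any to {gw} port = 123 keep state",
        f"pass in quick on {wlan_if} proto icmp from any to {gw} icmp-type echo keep state",
        # the login page (port 443 is an assumption)
        f"pass in quick on {wlan_if} proto tcp from any to {gw} port = 443 flags S keep state",
    ]


def permit_rule(ip, wlan_if=WLAN_IF):
    """The per-client rule installed after a successful web login."""
    return f"pass in quick on {wlan_if} from {ip} to any keep state"


@dataclass
class Gateway:
    """Gateway state: the lease table the DHCP server reports into, the addresses
    currently holding a permit rule, and an audit trail of who was on the
    network and when (here a list in event order)."""
    leases: dict = field(default_factory=dict)   # ip -> (mac, binding state)
    permits: dict = field(default_factory=dict)  # ip -> (mac, user)
    audit: list = field(default_factory=list)

    def lease_event(self, ip, mac, state):
        """Callback for every binding-state change the DHCP server reports.  If
        the lease is going away in any form, the permit rule goes with it, so the
        next holder of the address starts unauthenticated.  Returns the rule that
        was removed, or None."""
        self.leases[ip] = (mac, state)
        self.audit.append(("lease", ip, mac, state))
        if state in REVOKE_STATES and ip in self.permits:
            del self.permits[ip]
            self.audit.append(("revoke", ip, mac))
            return permit_rule(ip)
        return None

    def allocate(self, ip, mac):
        """Guard before an address is handed out: an IP is not reused while its
        previous lease is still active, and never while a permit rule for it
        exists (that would hand trust to the next client)."""
        prev = self.leases.get(ip)
        if prev is not None and prev[1] not in REVOKE_STATES:
            return False
        if ip in self.permits:
            return False
        self.lease_event(ip, mac, "active")
        return True

    def authenticate(self, ip, mac, user, password_ok):
        """Web-login handler.  A permit rule is installed only for an active lease
        and only for the MAC recorded on it (an assumed check; the article does
        not say how NASA matched clients to leases)."""
        if not password_ok or self.leases.get(ip) != (mac, "active"):
            self.audit.append(("auth-fail", ip, mac, user))
            return None
        self.permits[ip] = (mac, user)
        self.audit.append(("permit", ip, mac, user))
        return permit_rule(ip)

    def is_permitted(self, ip):
        """What the packet filter sees: a permit rule keyed on the IP alone."""
        return ip in self.permits


def demo():
    """One address, two clients: the second inherits nothing from the first."""
    gw = Gateway()
    ip, alice, bob = "10.10.0.42", "00:02:2d:aa:aa:aa", "00:02:2d:bb:bb:bb"
    gw.allocate(ip, alice)
    gw.authenticate(ip, alice, "alice", True)
    before = gw.is_permitted(ip)           # permitted while alice's lease is active
    gw.lease_event(ip, alice, "expired")   # lease dies, permit rule is revoked
    gw.allocate(ip, bob)                   # recycled address, no trust carried over
    return before, gw.is_permitted(ip)


if __name__ == "__main__":
    print("\n".join(static_rules()))
    print(demo())
```

In practice the list from static_rules() is what goes into /etc/ipf.rules and is loaded with ipf -f at boot; the login script feeds the line from permit_rule() to ipf -f - and the lease hook feeds the same line to ipf -r -f - to remove it. The point the model makes explicit is that the permit is bound to the lease, not to the address: allocate() refuses to recycle an address that still has a permit, and lease_event() makes sure that can never be the case once the lease reaches any of the five terminal states.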
For authentication, NASA used a script system driven from a Web browser, so that clients
on any platform are not excluded. The script system is a combination of PHP
(www.php.net) and Perl (www.perl.org) scripts, for easy maintenance and updates. Unlike
some authentication schemes which restrict clients to using Microsoft Windows, this