in reply to Designing a sophisticated wireless application with perl.

Just a few ideas to to ccnfigure the wireless network to be secure, you can do this pretty easy:
1. Like you said use WEP.
2. Lock down the AP to MAC addresses that should be allowed on the network.
3. Put a firewall between the AP and the internal network.
4. In addition to WEP (which is breakable) use a VPN solution from client to the Firewall. PTPP or IPSEC clients and servers are fairly available for most platforms.
5. Consider using SSL on the web server.
6. Set up snort or some other IDS on the inside of the firewall -- and _look_ at the reports.

The multiple levels of encryption add overhead but make it much more secure -- WEP is very breakable without vpn encapsulation and or SSL once an intruder breaks WEP they can get valuble information to gain access to your network.

-Waswas
  • Comment on Re: Designing a sophisticated wireless application with perl.

Replies are listed 'Best First'.
Re: Re: Designing a sophisticated wireless application with perl.
by UnderMine (Friar) on Dec 04, 2002 at 09:39 UTC
    To extend this further I have even seen suggestions of using SSH Tunneling as yet another layer but this can be counter productive as with a VPN and a good firewall you can lock down the ports that are open within the VPN tunnel (ie only SSL) but if you allow ssh port forwarding you have less control (counter anguments welcome as I would love to be able to lock down port forwarding under SSH).

    A good VPN tunnel should thave 3DES encription or stronger with Dynamic keys. These rules and tunnels are a pain to set up but worth it in the long term.

    Another thing you can do while locking down MAC address at the AP is allocate each a fixed IP which sometimes helps if you want to setup Bidirectional VPNs. This is nice if your software needs to be able to push from the server rather requiring the data to be pulled from the client or even if you want to SSH onto the client machine to upgrade the software.

    Don't just look at the server side of security locking down the client is as important as locking down the server. If I hack the client and get it to spool data to a file and then email me that file....

    And for the ultra paranoid that can afford it a nice firewall between your web server and database server can help a lot.

    Making Wireless LAN Security Air Tight is an interesting read. location-based services has some interesting points in relation to this also

    Homeland security waiting for Wi-Fi might be of interest. also Wi-Fi gets a security boost contains more info on WFA a more secure version of WEP

    Hope that ramble helped
    UnderMine

    Update: Added client side issues

    Update: Added report link

    Update: Added new security realted report link

    Update: Added WFA report link

[reply]
Re: Re: Designing a sophisticated wireless application with perl.
by hardburn (Abbot) on Dec 04, 2002 at 16:25 UTC

    Like you said use WEP.

    I wouldn't bother with WEP at all. Like you said, it's broken, and can only serve to give the illusion of security.

    Lock down the AP to MAC addresses that should be allowed on the network.

    I'm not a big fan of restricting by MAC addresses. An attacker can just sniff your network for a while to figure out what MAC addresses are being allowed and then change the MAC address on their own card.

    In addition to WEP (which is breakable) use a VPN solution from client to the Firewall. PTPP or IPSEC clients and servers are fairly available for most platforms.

    Now we're getting somewhere. VPN, IPSec, and SSH tunnelling are probably the only good ways to secure a wireless network.

    I've also heard of a project that, using two or more anttenas, it triangulates the position of a client on the wireless network. This allows you to restrict people on your network by their physical location. (Sorry, I heard about this from a LUG meeting, so I don't have a link. The theory is sound, though.)

[reply]
      I suggest using WEP because it will add a hurdle to a possible attack, even with 40bit WEP it can take quite a while to gather enough weak packets to break the key. Most APs have updates that lower the amount of weak packets that are generated. MAC address filtering on the AP only makes the solution more secure by requiring the attacker (after breaking WEP) to _see_ an active client bound to the AP to know its MAC, It adds a small step but for little amount of work it takes to set up it is worth it IMHO. As far as triangulation of the client I have seen some demos and logic behind it but I am not sure that that would fit in with the original poster's concept of "outside the building" =)

      I guess my bottom line is:
      Make as many hurdles for an attacker to jump over as possible -- With the items I suggested all in place the three "weakest links" in the whole picture are the laptop being used as the client, the person with the password using the laptop, and the physical server.

      -Waswas
[reply]

In Section Seekers of Perl Wisdom