
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Sun, 19 Nov 2006 00:00:00 00, 570
Chapter Excerpt: EAP Authentication Protocols for WLANs

Eric Garulay sent me a review copy of a chapter from Cisco Wireless LAN Security by Krishna Sankar, Sri Sundaralingam, Darrin Miller, and Andrew Balinsky, published by Cisco Press. The chapter covers all the important aspects of WLAN access control authentication. I've asked Eric for a copy of the book, and Cisco Press has granted permission for me to offer you an HTML preview of Chapter 7 on my web site.

Let me know if you like what you read.

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID570 by Dave Piscitello  


Fri, 19 Aug 2005 00:00:00 00, 443
Expanding Your WLAN Reach

What can you do when WLAN coverage is good in most areas, except for a few unfortunate users on the outskirts of your AP's current reach? Some off-the-shelf solutions that won't cost an arm and a leg, and will keep you on the friendly side of the FCC.

Originally published via WatchGuard LiveSecurity, 06 May 2005

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID443 by Dave Piscitello  


Tue, 03 May 2005 00:00:00 00, 395
Expanding your Small Business Wireless LAN

To tap the potential of wireless, many small businesses will (eventually) require multiple APs to fulfill performance and coverage needs. This WatchGuard LiveSecurity column explains how to plan and deploy multi-AP (Extended SSID) networks.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID395 by Dave Piscitello  


Wed, 16 Feb 2005 00:00:00 00, 365
WiFi High Gain Antenna or Range Extender: Which is Better?

My daughter's schoolhouse is radio-challenged.

First, it really is a house, a rancher about 120 by 26, having evolved from a 60 by 26 by the addition of two extensions. It's a temporary facility while a new school building is constructed.

On first appearance, it should be a piece of cake for wireless. The small biz LAN folks installed a Linksys WRT54G router in a closet located in the dead center of the building, to provide broadband access and bandwidth for 20 lightly-used PCs.

Unfortunately, the "wiring and wireless" closet is entirely composed of brick. It's essentially a 6 by 8 fireplace or mausoleum. Predictably, radio signal emission is weak; combined with the succession of interior walls dividing classrooms in both wings, the school was barely able to sustain 2 Mbps to the computers only 50 feet away.

There are probably other locations where we might position the wireless router, but I decided to take this *opportunity* to try a high gain antenna. Maybe I could brute force the signal from the closet. I purchased a pair of the Linksys 7dB High gain antennae for $40 and installed these. The result was a marginal improvement for stations within 30 feet, but no measurable change for the most remote stations.

I next purchased a Linksys wireless range extender for $70. The WRE54G is the WiFi equivalent of an Ethernet repeater. To install it, you choose a location and plug it in. The device is auto-configurable if you disable wireless security: it associates with the nearest AP, obtains an IP address, and becomes part of the network. You can then use a web administration page to enable wireless security on your now-extended WLAN.

Like any network equipment installation, even a repeater can be a challenge. As any seasoned network veteran would do, I avoided any possible multi-vendor incompatibility by buying a Linksys range extender for a network comprised of Linksys adapters and a wireless router. The mathematicians reading will appreciate that this was a necessary, but not sufficient solution.

Autoconfiguration didn't quite work as advertised. Neither did manual configuration. Eventually, convinced I had done everything by the book, I called Linksys support. Earlier, while upgrading the school computers to Windows XP Service Pack 2, I had called Linksys support to resolve an adapter problem, and they had suggested I upgrade the Linksys WRT54G firmware to 3.03.1. At the time, this did indeed solve the adapter problems I'd encountered. On this support call, I was told I should "downgrade" the WRT54G firmware to 2.02.7 for "improved compatibility" with the wireless repeater. Experienced networkers already see where I'm being headed, right? I'm mumbling, "You can use service pack 2, or you can extend the range, but you can't extend the range and use SP2" while the support guy is holding his breath...

Surprise! Downgrading actually solved the problem (and this may be a networking first for me...). I downgraded the firmware, reset the range extender to factory defaults, and retried autoconfiguration. The range extender associated with the AP on the wireless router, and once I reconfigured wireless security, all the stations in the now "range-enhanced" wing of the school re-associated with the wireless network. The weakest signal among the computers in that wing is now 36 Mbps. Encouraged, I've ordered a second range extender for the other wing.

The story's not quite over. I swapped the high gain antennae out and re-installed the original equipment pair. The weakest signal among the computers in the wing with the wireless range extender dropped to 24 Mbps.

So the answer to the originally posited question is all of the above.

But if you have to choose, go with the range extender.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID365 by Dave Piscitello  


Thu, 20 Jan 2005 00:00:00 00, 355
Moving freely between WLAN access points

My partner, Lisa Phifer, has written an excellent article for SearchMobileComputing.com describing how wireless clients can travel from WLAN cell to WLAN cell. Moving freely between WLAN access points discusses transparent 802.11 reassociation, problems you may encounter, and how complex network topologies can throw even more challenges at net admins than you might expect.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID355 by Dave Piscitello  


Mon, 27 Dec 2004 00:00:00 00, 340
Botbyl and Salcedo

Matthew Tanase's Security Blog entry about the sentencing of the Lowe's WiFi hackers reminded me that I hadn't commented on this important event. Matthew commented that he was initially surprised at the length of imprisonment, but then realized these were serious crimes that in the real world earn the offenders serious time.

Matt's initial reaction is a pretty common one. I think it's more than partly attributable to how the 4th Estate popularizes cracking and thus creates an artificial distinction between real and virtual crime. Today, sympathy abounds for the clever computer geek whose adolescent prank went too far, yes?

No sympathy here, folks. These guys were trying to steal credit cards. One (Salcedo) has an earlier conviction. The motive was monetary gain at someone else's expense. Internet, WiFi and lax security practices provided the opportunity. The means, whether sniffing airwaves and phishing today, or dumpster diving for carbon copies some years ago, is relevant only as a matter of how law enforcement gathers evidence.

Rest assured that if more cases like this one are successfully prosecuted, interest in computer crackers will plummet. When was the last time you read about cases involving corner crack dealers? And the difference between the two is ...?

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID340 by Dave Piscitello  


Thu, 18 Nov 2004 00:00:00 00, 330
Wireless Deployment Checklist for SMBs

Small and medium businesses are often faced with implementing security at a fraction of the cost larger enterprises might invest. In some cases, SMBs must make do with consumer-grade technology. Wireless vendors are beginning to recognize the untapped market SMBs represent, and wireless solutions with large enterprise features are more affordable.

Lisa Phifer and I periodically compare notes on small and medium business wireless deployment. Enough has changed - for the better! - that we've updated our security checklist for SMB wireless deployment. Find it here.

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID330 by Dave Piscitello  


Mon, 15 Nov 2004 00:00:00 00, 329
IEEE 802.1x and EAP Primer, redux

During a presentation I gave at IPcomm 2004, I was asked so many questions about IEEE 802.1x and the Extensible Authentication Protocol that I have re-posted a handout Lisa Phifer and I prepared for an ISSA meeting some time ago. Enjoy!

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID329 by Dave Piscitello  


Sun, 16 May 2004 00:00:00 00, 251
Isolating a home office network dead spot

After installing a WiFi card on a laptop I recently purchased, I discovered I could not roam in my home. Confirming my SSID and TCP/IP settings were correct, I monitored AP signal. Both APs in my home were working correctly, on separate channels with a common SSID.

My home APs are bridged using HomePlug Ethernet (see blog 171). I first confirmed that my problem wasn't a simple matter of uplinking the HomePlug adapter in my office to the wrong network. I then plugged a laptop directly into one of the HomePlug adapters. I discovered that my signal over power line was weak, a modest 2.95 Mbps. This was a noticeable drop from the 9.2 Mbps I'd experienced when I installed this network, so I returned to my office and recalled that I'd moved the HomePlug adapter from one outlet to another when juggling to add yet another piece of equipment to my office. Moving the HomePlug adapter in my office to the original outlet restored my home network. When I have an electrician install an additional, dedicated circuit to my office this summer, I'll make certain to have him test all my outlets for proper grounding and termination.

The moral of this story: WLANs aren't always the culprit when network connections fail.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID251 by Dave Piscitello  


Wed, 14 Apr 2004 00:00:00 00, 230
Hotspot recommendation in Charleston, SC

If you visit Charleston, SC and want wireless access, soft jazz, cozy and relaxed atmosphere, and of course, good coffee, try Kool Beanz on 433 King Street, Charleston, SC 29403.

Art on the walls. Music, including some guitar licks by owner C. David Hall. WiFi from Boingo. A Coffee Cake breakfast muffin that's actually worth the calories. Ethiopian blend for $1.29 with fifty cent refills.

BTW, if you haven't tried Boingo, you should. Boingo software stumbles for you, and provides you with a listing of locations by city and state. The service is cheaper than T-Mobile @ Starbucks if you'll be online for a long session.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID230 by Dave Piscitello  


Wed, 12 Nov 2003 00:00:00 00, 160
Wireless LAN Security White Paper

Kudos to Cisco Systems for publishing a truly informative and comprehensive white paper on wireless LAN security. Even the discussion of Cisco Wireless Security Suite is professionally done.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID160 by Dave Piscitello  


Tue, 14 Oct 2003 00:00:00 00, 143
WLAN Security Checklist for SMBs

Compiled, updated and improved over time, this "form" lists the security considerations small and medium businesses should consider when deploying wireless LANs. We distinguish SMB from large enterprise by an assumption of security budget: SMBs have stricter budgets and satisfy security requirements with smaller staff and less expensive equipment. Small office budgets in particular tend to make consumer WLAN products tempting substitutes for more expensive but more secure APs and firewalls.

Our checklist identifies features that should help SMBs make an informed decision.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID143 by Dave Piscitello  


Mon, 13 Oct 2003 00:00:00 00, 144
802.1x and EAP Primer

Provided as a handout at the ISSA South Carolina Chapter meeting (October 13), this article explains the IEEE 802.1x features, services, and message flow.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID144 by Dave Piscitello  


Thu, 02 Oct 2003 00:00:00 00, 136
Legal View of WiFi Scanning ("netstumbling")

The subject of whether scanning for WiFi networks was an illegal act came up three times in casual conversation this week. I recall having saved a post to the pen-test mailing list hosted by SecurityFocus.com. According to the posting, it's not illegal to scan RF and stumble upon SSIDs, channels in use, etc. However, once a theft of service, denial of service, or theft of information occurs, then the act becomes a federal violation. See Title 18, Chapter 47, Section 1030 of the US Criminal Code.

So if you stumble onto a WiFi network while performing a site survey, you are not violating a law. If you join an open system for a "free ride", capture or interfere with traffic on a network you've stumbled upon, you can find yourself in a heap o' trubble of the "fine or imprisonment or both" kind.

The posting claims that this is an FBI response garnered from a San Francisco office special agent, who is also an InfraGard coordinator.

I'm now comforted that I won't be 'cuffed and hauled away next time I'm in the Atlanta Marriott Marquis hotel trying to legitimately avail myself of the iBahn WiFi services by stumbling because neither the concierge, desk staff, nor business office can offer anything other than a blank stare when I ask about the SSID (BTW, it's STSN).

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID136 by Dave Piscitello  


Sat, 16 Aug 2003 00:00:00 00, 104
Securing Small Office WLANs

WLANs play as prominent a role at a small business or home office as a large enterprise. I could argue that they are even more prevalent. My partner Lisa Phifer's written a very good "basics" column on Securing the Small All Wireless Network. We have reposted it at Core Competence, courtesy of WatchGuard Technologies.

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID104 by Dave Piscitello  


Tue, 05 Aug 2003 00:00:00 00, 94
Wireless Firewall White Paper


My partner Lisa Phifer and I have written a white paper that explains how secure, integrated wired/wireless networks can be created using WatchGuard's Firebox® SOHO 6 Wireless, a security appliance with integrated access point and IPsec support. You must register to access the PDF (no big thing, honest...).

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID94 by Dave Piscitello  


Fri, 25 Jul 2003 00:00:00 00, 86
Enterprise Class WLAN Switches

You can now read my Wall Street Trade Association "Ticker" article entitled Enterprise-Grade Solutions for WLAN Integration online.

Archived at http://www.securityskeptic.com/arc20030701.htm#BlogID86 by Dave Piscitello  


Wed, 21 May 2003 00:00:00 00, 55
Wi-Fi-Protected Access is coming to a WLAN near you

My partner, Lisa Phifer, evaluates WLAN products constantly, and keeps track of many aspects of wireless LAN standards, product innovation, and deployment.

Lisa tells me that

"Wi-Fi Protected Access (WPA), a snapshot of 802.11i, is firm. The Wi-Fi Alliance has announced WPA will be required for Wi-Fi certified products starting August, 2003.

"The IEEE 802.11i standard is still under development, however, and won't be ratified until mid-2004. WPA takes the stable elements of the 802.11i specification to create a short-term fix for legacy equipment. The elements included are:

  • Temporal Keys (TKIP)

  • new crypto key derivation

  • 802.1x for base key delivery and authentication in enterprise networks, and

  • a new preshared secret to serve as a base key in home networks.

"There will no doubt be some bug fixes to this in the final 802.11i standard, but the big difference between next year's standard and WPA will be an entire replacement for WEP that's based on AES instead of RC4. In other words, the final 802.11i standard will support both WPA and AES, intended for legacy and next-generation radio hardware, respectively."

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID55 by Dave Piscitello  


Tue, 13 May 2003 00:00:00 00, 47
Locking down the airwaves - SC Magazine Article

The April 2003 issue of SC Magazine presents an article I wrote on Wireless LAN Security.

The lead time for publishing is sometimes maddening. In the 8-10 weeks since I submitted copy for editing, WLAN switches have emerged, with features that are enterprise-class. Ironically, I just submitted copy to the Wall Street Ticker Association on WLAN switches, where I explain that they "identify, bound, and manage APs and WLAN radio frequencies (RF) in the same way they structure and create hierarchy to LAN hubs, switches and cabling today. Input floor, building, and campus plans, describe the WLAN coverage you desire, and certain WLAN switches will automatically perform a site survey, recommend access point placement, and generate work orders for installation. Nearly all WLAN switches will detect rogue APs, nearby APs operating in channels you've selected, and track users as they roam your WLAN infrastructure."

That's all the teaser I can offer; I'll post a notice when the article is online.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID47 by Dave Piscitello