Is Wi-Fi Security secure enough for Wi-Fi hotspots?
from: Network Computing Asia
Koh Chee Yong, 1-Jun-2003
Checking or eavesdropping on neighbours is usually not my cup of tea, but as I was commuting to work one morning, I was tempted to do one thing: to "war drive".
War driving, in hacker terms, is to discover wireless networks while moving around in an area. Not surprisingly, I managed to uncover quite a number of wireless access points. Most of these hotspots were not even wired equivalent privacy (WEP)-enabled, and if anyone had chosen to hack them it would have been as easy as 1, 2, 3.
I was only armed with a Dell Latitude D600, an Intel Centrino integrated wireless 802.11b system and a free copy of Network Stumbler, with one of those homemade war driving tools (e-mail me if you wish to know which are the more popular wireless vendors around, statistics, etc.).
With the wireless radio on, I could find out the manufacturer, service set identification (SSID), media access control (MAC) address, signal strength, channels and whether authentication and encryption (WEP) were set on or off for the various wireless access points out there. These vital statistics are what "war drivers" look for, as they allow the potential launch of denial-of-service (DoS) attacks that overload the access point, leaving it unable to service wireless clients that are requesting authentication.
Currently, WEP and MAC filtering (the latter is a lot of tedious work) alone may not be enough for securing your wireless network. However, when combined with more robust methods of authentication, such as 802.1x using extensible authentication protocol (EAP) and remote authentication dial-in user service (RADIUS), Windows NT LAN Manager (NTLM) challenge-response, Kerberos, Active Directory/LDAP, PPTP, L2TP over IPSec, and pure IPSec, you can get a more reliable and secure communication channel.
SMC 2504W EliteConnect WLAN Secure Server
The setup of the SMC 2504W EliteConnect Layer 3 WLAN secure server was extremely simple. With a hardened FreeBSD on an Intel-based platform, it took five steps to chisel a direct Internet connection across the corporate network, all the while authenticating the login users on a built-in database without using encryption.
Even with authentication and encryption turned on, the Web GUI offered the familiar click and drop sequence with ease through the likes of Kerberos, LDAP, 802.1x and RADIUS. A VPN will use PPTP, L2TP over IPSec, and pure IPSec for hash key algorithms like SHA-1, RC4 and MD5 to secure the airwaves. Third-party IPSec clients such as NetScreen, SafeNet and PGP were also supported.
Once the appliance was set up, I pointed my browser to an external Web site and was brought immediately to an SSL-enabled logon screen, orchestrated by the security server.
I created a "test1" user which should have been assigned the appropriate rights, based on location, groups, time and methods of authentication prior to logon. What happened in the background was a password-challenge with a shared key exchanged during the SSL-enabled login from the server to my client.
The server then granted me entry and I continued to surf the Internet. Only by closing the Web browser would my session be terminated. However, administrators should ensure that the time-to-expire is set appropriately so that users who are inactive will time out.
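The logon-then-expire behaviour described above can be modelled in a few lines. This is an added example, not SMC's code: the class and function names, the client addresses and the timeout values are hypothetical, and the hard cap on session lifetime is an assumption that goes beyond the idle time-out the article mentions.

```python
from dataclasses import dataclass

REDIRECT, ALLOW = "redirect-to-login", "allow"

@dataclass
class Session:
    user: str
    started: float
    last_seen: float

class PortalGateway:
    """Toy model of a login-portal gateway (hypothetical, not vendor code)."""

    def __init__(self, idle_timeout: float, max_lifetime: float):
        self.idle_timeout = idle_timeout   # the "time-to-expire" for inactive users
        self.max_lifetime = max_lifetime   # assumed hard cap on any one logon
        self.sessions = {}                 # client address -> Session

    def login(self, client: str, user: str, now: float) -> None:
        # Called only after the SSL logon page has verified the credentials.
        self.sessions[client] = Session(user, now, now)

    def _expired(self, s: Session, now: float) -> bool:
        return (now - s.last_seen > self.idle_timeout
                or now - s.started > self.max_lifetime)

    def handle(self, client: str, now: float) -> str:
        """Decide what to do with one outbound request from `client`."""
        s = self.sessions.get(client)
        if s is None:
            return REDIRECT
        if self._expired(s, now):
            del self.sessions[client]      # force a fresh logon
            return REDIRECT
        s.last_seen = now                  # activity resets the idle clock only
        return ALLOW

    def sweep(self, now: float) -> list:
        """Drop stale sessions even if the client never sends another request."""
        stale = [c for c, s in self.sessions.items() if self._expired(s, now)]
        for c in stale:
            del self.sessions[c]
        return stale

def demo() -> list:
    # Constructed timeline, times in seconds.
    gw = PortalGateway(idle_timeout=600, max_lifetime=3600)
    out = [gw.handle("10.0.0.5", 0)]         # not logged on yet
    gw.login("10.0.0.5", "test1", 10)
    out.append(gw.handle("10.0.0.5", 300))   # active user
    out.append(gw.handle("10.0.0.5", 1000))  # idle for 700 s, limit is 600 s
    return out
```

The periodic `sweep` matters because a client that simply walks away never triggers `handle`, so without it the session entry would stay valid for whoever next appears at that address.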
The 64-bit or 128-bit WEP feature at the wireless access point can also be enabled to give further protection over the username and password.
In some secured environments, using WEP with a strong open or shared key is sufficient, but the encryption and decryption can cause performance degradation.
To provide for more wireless access points and users, combine the secure server with a few access manager servers (SMC 2502W) for increased scalability. With such a setup, roaming among multiple access points can be allowed or restricted.
Bluesocket WG-2100
Bluesocket WG-2100's QoS feature was improved in the shipping version of 3.0. Both incoming and outgoing traffic can be set through bandwidth management, and each user was limited in the amount of bandwidth allocated.
Administrators can assign the amount of bandwidth accordingly so that no wireless user hogs the total bandwidth assigned for the rest of the corporate users. This is known as prioritisation.
Users were created and defined based on location and time-based policies through fine-grained control. Its reporting feature also exhibited the capturing of WLAN statistics, users' bandwidth, system bandwidth and performance through a Web GUI.
Authentication methods, such as 802.1x, RADIUS, NTLM challenge-response, Kerberos, Active Directory, LDAP and PPTP, L2TP/IPSec, and pure IPSec were supported. Bluesocket also included a self-developed IPSec tool to help create Microsoft 2000/XP native IPSec policies for the clients. SSH Sentient and PGP Net are some of the third-party VPN clients that can work with this platform.
Setting up the appliance was not as smooth-sailing as the SMC 2504W; I had to understand what both managed and protected interfaces meant, and apparently the protected interface was to be connected to the enterprise network which must be protected at all costs. I finally found out that the managed interface was where you have to manage the wireless clients and access points.
When I pointed the URL to an external Web site, the appliance started up the main logon page. Registered users who logged on successfully would be allowed to carry on surfing or to reach the protected side of the network for e-mail, Intranet, database and other internal services.
Roaming guests were required to key in their e-mail addresses to access the Internet. I tried an invalid e-mail address but it still allowed me entry.
The WG-2100's secure mobility also allowed users to roam from one spot to another without re-authenticating to the network, even with an active IPSec session. This was made possible by establishing a relationship of one master and many slaves: the master was always active but the slaves were on standby.
SonicWALL SOHO TZW
With an integrated 802.11b wireless access point, SonicWALL SOHO TZW can fit into smaller offices and branch offices. RADIUS and over-the-air authentication such as L2TP/IPSec and pure IPSec are supported.
For Windows users using VPN, SonicWALL's own Global VPN client can be downloaded from its Web site.
Its wizard-driven tools helped to set up the appliance quickly. Note that the wireless guest service must be enabled to allow for Internet service, both for guest and user accounts. If you miss this step, be prepared to spend a lot of time looking at firewall rules and users' policies.
During the test, the first thing I did was to deny all outgoing services from the LAN interface because it was a managed and admin interface. This meant that to man the appliance I had to attach it to this port. This was to prevent hackers from tapping into the interface and scanning for vulnerabilities in the network. Only the WLAN access point was eligible for outgoing services.
When I directed the browser to an outside URL, the appliance showed the main logon page. Once authenticated, I could continue to access the Internet. A small window dialog box showed the session time-out, and also provided the logon user with additional privileges if the user was granted more rights by the administrator.
Jun 02, 2003
Author:
festprint
