My suggestions were basic security measures that, again, are apart of
most wireless routers at no additional cost to the original poster minus
a little over head.
Implementing a RADIUS server would be more like adding a Security Guard
- Higher Cost but Higher Security.
(most) My suggestions were, IMHO, easy to implement, and increased the
security for a typical "war driving" idiot. If the network calls for
more advanced things I pointed out some things that I hadn't seen
someone else say (at the time) .. which excluded RADIUS because it was
already mentioned - although I didn't (and couldn't, lack of
information) go into details on how.. and also were more "Damage
Mitigation" like what Ansgar said. Be equivalent to changing the type
and style of lock on every room inside the house.
Eric's Analogy worked for Disabling the SSID. Moving your door and
painting it blue is about the same as trying to mask your signal and
changing the name. IMHO, this takes all of 2 minutes to select "Hide
SSID" radio button.. and if it stops even 1 joe-idiot from getting on
(or attempting to) it was worth it - this takes no "overhead". This
makes it so those "passer-by's" don't choose your house on a whim.
Note: if you use a 50-Character WPA2 Pass phrase consisting of 5
Numbers, 5 Specials, 5 Lower, 5 Upper, and 10 random; Never Write it
down or store it on anything that can be accessed except your brain,
this becomes moot - even if they see your network there's not much they
are going to be doing on it for a while - But how many people "really"
use pass phrases that high - and if they do - don't write it down for
the next time they have to add a machine to the network.
However I wouldn't exactly blanket Static DHCP assignments (or no DHCP),
IP and MAC Filtering, equivalent to "moving your door". That's more
equivalent to giving your 10 best friends 10 unique key's so that they
may use your house at will and hope an attacker doesn't steal it, copy
it, and give it back so your friend never noticed it was missing. This
requires more overheard to maintain (your friend might lose his key, or
you get a new friend that needs a new key) - and will stop a little
better attackers than those that stopped when they saw you "didn't have
a door". (Ansgar does not find this overhead worth the benefit - that's
fine. That's his opinion/call.)
I can -possibly- see larger networks that utilize wireless not liking
MAC and IP filtering.. but I still stand by it. I have probably 8k
users at my current job across the US - and my Previous job with the
Navy had.. well.. every Navy and Marine Corps individual in the US.. and
they both use them. They won't touch wireless with a 30-ft pole - but
they have Port Security, Static DHCP, MAC, and various other
filters/traps all over the place. But this is government.. lots of
money - lots of SA's to maintain it. Users literally cannot move their
own computer 5 ft to move to a new Desk. They have to call their local
SA Department - who will do it for them. (there are also multiple
level's of SA's.. I personally couldn't move the desk either, I was the
on site-tech but I could only "start the process" that could take more
than a week to actually get a desk moved :))
Ansgar's biggest issue - I think - was that if you Enable Filtering and
Hide the SSID... an attacker runs a sniffer (say he uses Kismet); he
will receive all 3 things at once. Valid IP, Valid MAC, And your SSID.
Then 1 ifconfig command, accompanied with 1 iwconfig command will then
put all three things into play - and if you have NO encryption - you
stopped him for about a total of 10 minutes (including boot up time for
his laptop.) But the attacker first has to know that you have filtering
on both IP and MAC. My guess is he'll first try an available IP on the
subnet. But again.. stop him for maybe another couple minutes to figure
it out (if he's intelligent).
My personal setup at home I have a Wireless LAN behind a Wireless Router
that NAT's the ip to my firewall's Internal LAN. My firewall denies
-all- outgoing access to that NAT'd IP. So I then have to open an SSH
(keys) tunnel to a third machine as a Proxy that has IPTables configured
to forward the ports to the firewall (Nat'd as if they are coming from
the third box.) And I use WPA, and MAC Filtering - and Hide the SSID
for fun. Root is not allowed to login the third machine at all, through
SSH or any TTY. And only My username is allowed to su up. I'm in an
apartment with 20+ SSID's floating around and all but 2 of us Use WPA -
and some idiot is unencrypted. I'm Good. :). (my wife hates opening
Putty whenever she wants online - but she got over it.) Overkill??
Maybe.. But I like it.
But Anyway, The original poster has probably long since fixed their
issues by now :). And Eric tried warning not to take his analogy too
far - as I'm sure he intended it as a simple example to clarify to some
that might have got Lost in Translation.
-FatalSaint
David Gillett wrote:
Eric didn't say *layered defence* was painting the door blue and
moving it around the side. He said that Ansgar's view of the
measures which FatalSaint offered -- and which FatalSaint *called*
"layered defence" (calling it doesn't necessarily make it so!) --
were like painting and moving the door.
Layered defence is an important and valuable concept. But to be
useful, the individual layers need to actually constitute defences,
and Ansgar and Eric are saying that FatalSaint's suggestions don't
really measure up to that requirement.
If FatalSaint had suggested measures analogous to a guard and bars
and a dog, I don't think anyone would have argued. The question then
is: What measures are available to the admin of a wireless network
that are more analogous to these sorts of physical measures than the
suggestions that were offered? (All of my authorized wireless points
are behind firewalls that filter traffic and log activity, and the
new one can triangulate client location as well. But that's probably
out of the original poster's budget range.)
David Gillett
-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of Francois Yang
Sent: Tuesday, December 12, 2006 9:36 AM
To: Eric Furman
Cc: security-basics@securityfocus.com
Subject: Re: About War Driving ..
I actually disagree with this analogy.
layered defense in this scenario would be; add a security
guard to the front door, add bars to the windows and add a
watch dog inside the house.
So the entry points are the same they didn't move, you just
added some extra security to these entry points. So now if
someone wanted to get in the house, they would have to get
past the security guard before reaching the door, or get past
the bars on the windows before getting to the windows, and
once they get past those, hopefully the guard dog would catch him/her.
On 12/9/06, Eric Furman <ericfurman@fastmail.net> wrote:
On 8 Dec 2006 14:28:21 -0000, krymson@gmail.com said:
Ansgar -59cobalt- Wiechers and
FatalSaint:
Just want to say I'd watched this thread and I wanted to quickly
point out something I felt was kind of a poignant thing
in our field.
You both have good points and, in my mind, you both have rather
correct approaches. One of you believes that a layered
defense with
multiple hurdles will slow down attackers and stop a lot of
non-savvy attackers, and the other prefers to shoot for the
highly-skilled attacker and focus his efforts.
I believe both approaches are just fine, and just depends on the
people, business/network, and needs.
I disagree. ;-) I do agree with layered defenses, if they're real.
Ansgar -59cobalt- Wiechers objects to FatalSaint's security
measures
because they amount to the following analogy; I want to
keep burglars
out of my house. Everyone knows that the entrance to houses
is in the
front and all doors are painted red.
To increase my security I am going to move the entrance to the side
and I am going to paint my door blue. Yes, to the casual person,
walking by, this will work, but not to any determined
attacker. All I
have really done is make thing more inconvenient for me,
the resident.
Do not push this analogy to far, but it is essentially
correct. IMHO.
----------------------------------------------------------------------
----- This list is sponsored by: ByteCrusher
Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.
http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildet
ect
----------------------------------------------------------------------
-----
--------------------------------------------------------------
-------------
This list is sponsored by: ByteCrusher
Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.
http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=s
fmaildetect
--------------------------------------------------------------
-------------
---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher
Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.
http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------
---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher
Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.
http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------
