The view from the trenches Fall 2002
Below is an email I sent to MacLabManagers mail list in late September 2002. Our discussions of wireless security had just begun at that time. The wireless landscape has changed a lot since then, but the responses have information that remains valid and useful to us today.
Howdy,
We’re using wireless in many locations here, but somebody just got scared about security. Until now we haven’t been using WEP, nor have we cloaking the network name for wireless base stations that serve mobile classrooms on campus.
« long question » I’m wondering how wireless is being used on other campuses, how security concerns may play on that, and what the philosophy about security is? « abreviated question » Do you use WEP? Yes/no, why?
Thank you in advance,
Casey Bisson
These are the responses I received (in chronological order):
Zach’s response came first, but it turned out to express the typical philosophy of those that followed. He cautions us against trusting WEP. “Network-level security is designed to keep unauthorized users from getting on the network, not to secure sensitive data.”
From: “Zachary Kotlarek”
Date: Tue Sep 24, 2002 2:01:01 PM US/Eastern
Subject: Re: Wireless Usage?
Casey Bisson said:
« long question » I’m wondering how wireless is being used on other
campuses, how security concerns may play on that, and what the
philosophy about security is? « abreviated question » Do you use WEP?
Yes/no, why?
No, because it’s not any different than the wired access. Data on a
hub-based network is no more secure than on a wireless network. Someone
could walk up with a patch cable and read all the network traffic. With
switch-based networks this isn’t exactly true, but basically the only way
that wireless is less secure than wired is insofar as you don’t need an
Ethernet jack to get on the network.
If you were a corporation with trade secrets, WEP might be desirable, but
even then it doesn’t really provide security. The only way to provide real
security is with secure connection protocols. HTTPS, File Sharing wrapped
in SSH, things like that. Network-level security is designed to keep
unauthorized users from getting on the network, not to secure sensitive
data.
Take Wal-Mart for example. They have had wireless point-of-sale and
inventory systems for years. They don’t try to secure the network — you
can sit outside the store and listen to it — they encrypt data at the
protocol level.
WEP is one of those security-through-obscurity measures. Yes, it makes
access moderately more difficult for an attacker. But it’s not a valid
security measure in and of itself. Only in association with protocol and
application level security measures is it worthwhile.
Zach
IT Head, Department of Music
Iowa State University
Sellers followed up soon after with the greatest endorsement of WEP that I was to find among the responses. Even then, s/he doesn’t vouch for its reliability.
From: sellers
Date: Tue Sep 24, 2002 2:47:10 PM US/Eastern
Subject: Re: Wireless Usage?
Western Michigan University just did a wireless project, and other universities in Michigan are working on proposals. (can’t say specifics)
REgarding security, WEP is more a deterrent than a protection. It’s not completely secure like a lan line with SSL is, but it’s better than hello world my password is blank. Reasonable Measure of security is WEP IMO. I think western has some details about the project on their website (www.wmich.edu/oit) . I don’t remember where, but they had an announcement about 8 months ago.
🙂
Sellers
I looked up Western Michegan’s policy and found a number of very detailed web pages. Among them, the following:
You may see literature saying that the 802.11b standard includes provisions for optional 40- or 128-bit link-level encryption over the air, however, current implementations require the encryption key to be shared by all users of the wireless LAN, effectively eliminating the usefulness of this security feature in an open campus environment such as WMU’s. What this means to you is that if the application you are executing on your wireless device does not have application level encryption (ask your application provider if you aren’t sure) then the information that is being passed back and forth between your wireless device and the application’s server is at risk of being intercepted. This is especially important to know when executing applications that contain student, employee, alumni, financial, personal, and/or other sensitive data.
Gene’s response was limited to forwarding a URL. After searching the website he points to, I found that they do not use WEP, though they do suppress SSID broadcasts (but they also publish the SSID on the website (look at the connection instructions ).
From: Gene Hastings
Date: Tue Sep 24, 2002 3:11:41 PM US/Eastern
Subject: Re: Wireless Usage?
See « www.cmu.edu/computing/wireless/ » for history deployment and present policies.
Elsewhere at the CMU website ( in the wireless FAQ ) it reveals an important limitation of WEP: Even without being cracked, WEP traffic can still be sniffed by authorized nodes on the network.
Pascal tells us that Purdue uses VPN to secure the network from intruders and traffic from sniffers, and offers his conspiracy theory about why WEP is so insecure.
From: Pascal Meunier
Date: Tue Sep 24, 2002 3:12:38 PM US/Eastern
Subject: Re: Wireless Usage?
Purdue Univ. uses a Cisco VPN 3000 with a license for 5000 clients, which forces a login before access to anything is granted; this is tied in to Purdue’s I2A2 authentication service. WEP is not secure enough (and the encryption slows down some cards), and maintaining a list of MAC addresses is just too time consuming. Besides, MAC addresses can be faked. I think there are many good reasons to be scared, starting with accountability (for negligence) if people launch attacks from your networks.
Of course, the main problem of Cisco VPNs from the point of view of mac users is that only MacOS X is supported. I think it’s very short (or too long)-sighted of Cisco to do this. If you really want MacOS 9 VPNs that work with Cisco you can buy them from a third party (linked to from Cisco’s web pages), but Purdue decided that it was too expensive <sniff , I love running OS 9 on my clamshell ibook!> or got the bait and switch maneuver with the now obsolete 5000 Cisco series which used to support OS 9 (I don’t know which happened, maybe both).
If you’re a conspiracy buff, you might think that WEP was designed knowing full-well that it was inadequate and that companies like Cisco would make money selling VPNs to remediate the manufacturing defect that is WEP. That is, WEP was designed so it would not compete with VPNs. Proof would be that people on the 802.11b committee publicly admitted knowing about most of the WEP vulnerabilities a year or so before they were found independently.
Cheers,
Pascal
Gary, who appears to head up the Wireless Access Team at his institution, offered another detailed missive. According to his analyses WEP is too insecure to bother with, and recommends instead using end-to-end encryption.
From: Gary Franz
Date: Tue Sep 24, 2002 4:28:33 PM US/Eastern
Subject: Re: Wireless Usage?
Casey,
The biggest risk in leaving your network “unsecured” is that anyone can utilize your network connection for casual use, possibly monopolizing the shared 11Mbit bandwidth, or for the launch of network attacks on hosts local to your network or any host that is accessible from your network. Wireless traffic, by its radio nature, is inherently insecure, since anyone with a wireless card and wireless traffic collecting software can accumulate your data and have access to anything you have transferred across the network, be it clear-text passwords, email messages, web page requests, or documents you’ve copied to/from a server.
Unfortunately, WEP is not terribly secure, taking anywhere from 30 seconds to 45 days to crack, depending on network traffic, the encryption type used (64(40bit) or 128(104bit) encryption), and the hardware a cracker has to apply to the attack, and only secures traffic as it travels from the client to the access point.
CU Boulder is not currently using WEP due to its lack of security, the absence of security in any kind of key distribution scheme for thousands of users, and the need for compatibility with a wide range of client platforms. We are using a routing scheme that requires all users to register the wireless card’s hardware (MAC) address, which is admittedly not unbreakable access control, but it does provide us with basic access control and usage information. We also encourage everyone using a wireless connection to use secure clients and protocols (SSH, SSL, kFTP (where available) sftp, and VPN where available). We are investigating the possibility of requiring all wireless clients to utilize a VPN connection for network access, which is revealing a severe shortage of options for handheld devices, as there are few, if any, software packages that provide Palm or Pocket PC clients with the ability to make an IPSec connection. VPN is currently the most secure solution for protecting data and access, but it can also be the most costly solution for a sizable network with thousands of users.
Best of luck in your pursuit! Wireless security isn’t necessarily an oxymoron, it is simply something you must pursue with the understanding that the transport medium offers no security whatsoever. From there, you can only get more secure! 😉
Gary
————————————————
Gary Franz
Information Technology Services
MicroSystems Group, Apple/Network Support
Team Leader
ITS Wireless Access Team
University of Colorado, Boulder
Also see my roundup of threats to wireless, with special emphasis on the failings of WEP.