OpenBSD Journal

Seven Security Problems of 802.11 Wireless

Contributed by jose on from the no-cat dept.

O'Reilly's network has published a couple of interesting articles on 802.11b security in the past year, but I don't think we have published them before. The first is Seven Security Problems of 802.11 Wireless, covering a broad range of topics. Notice that OpenBSD-based solutions can help mitigate some of those risks (i.e. authpf, IPsec devices, etc.). A second article worth looking at is A Technical Comparison of TTLS and PEAP, which are two authentication protocols proposed for networks. An interesting overview of the ideas.

And last but not least, ISS maintains the ISS Wireless Security FAQ, which is a useful collection of resources.

No sense not deploying OpenBSD-based solutions to help keep your WLAN secure.

(Comments are closed)

  1. By Anonymous Coward () on

    Are there any good docs about setting an AP up on OpenBSD? I have tried the examples listed in the wi manpage, but my laptop can't find the network...

  2. By kremlyn () on

    OpenBSD has some excellent characteristics for WiFi use. I've written a paper (something I did in my last semester of University) outlining how to effectively use OpenBSD to circumvent the limitations of WEP and the further inadequacies of 802.11b in terms of AAA (Authentication, Authorisation and Accounting).

    I've been told it's a great read, and I'd love to make this paper available to the community - but I only have a dial-up 33.6kbps connection at home. If someone would like to offer some hosting space, I'd be happy to make it available to the readers of

    You can find me on #openbsd on the freenode network, nickname 'kremlyn'


  3. By Anonymous Coward () on

    Given that consumer devices are starting to ship with 802.11a+g support, it would be really great to see some host AP support for those. Last I heard, most hardware vendors were keeping pretty tight-lipped even about drivers for non-Windows (-maybe- Linux binary drivers iirc) - any word on if this has made any progress?

    Albeit, if they are on the way soonish, ideal hardware (like soekris gear) will still need to put out some faster revisions for wirespeed IPsec.

    That's the biggest drawback to OBSD APs right now - but it's not really anyone but the hardware vendors' fault for keeping a+g drivers hushed up.

  4. By Jim () on

    My Mom works out of her house, so I set up an OpenBSD-based wireless network for her.

    The server is an OpenBSD 3.1 machine with 2 3c905B cards (XL driver) and a 3crwe777a wireless card (WI driver). The 3crwe777a was the only PCI card I could find that wasn't a crippled PCMCIA-to-PCI bridge (you didn't have to buy a PCMCIA card with it).

    One 3c905B connects to the internet via PPPoE, the other 3c905B provides NAT translation for her desktop computers. The wireless card is running in HOSTAP mode (so it can act as an access point), is on a separate network, and cannot communicate with the wired network or internet. Also, it has rather strict firewall rules:
    block in on wi0 from any to any                                           # default deny on the wireless side
    pass in on wi0 inet proto tcp from to any port = 22                       # ssh to the AP
    pass in on wi0 inet proto tcp from to any port = 1723 flags S keep state  # PPTP control channel
    pass in on wi0 inet proto gre from to any keep state                      # PPTP data channel (GRE carries no TCP flags)

    Unfortunately the wireless client is a Windows 98 machine, which precludes the use of IPSec. Also, for some strange reason, WEP would not work at all. The laptop would not associate itself with the access point whether 40-bit or 128-bit encryption was used. The 3crwe777a apparently is a discontinued card, perhaps it had problems with WEP.

    Anyway, I was not planning on depending on WEP for security. As you may be able to tell from my firewall rules, I set up a VPN using PPTP. It took some research and fiddling around, but I managed to get Poptop running under OpenBSD. This VPN is yet a 4th network the OpenBSD machine is connected to (the other 3 are the internet, the wired network, and the wireless network). This VPN network is NAT'ed to the internet and bridged to the wired network, so she can access her shares on those computers. This allows the laptop to connect to the internet and wired network using 128-bit encryption.

    In addition to the other security measures, I only allow one IP address (the one assigned to the laptop) to connect to the VPN, and also the access point will only associate with clients with a really strange SSID. I also have a script set up that e-mails me if a Wi-Fi card with a different MAC address than my Mom's laptop associates with the access point. I don't really depend on those things, however, I depend on PPTP.

    Also I have squid running with some banner filtering software, and have samba acting as a master browser on the OpenBSD box. I showed my Mom how to use PuTTY, and she sshes in and runs "sudo halt" every night. Then she just turns it back on in the morning. Very low maintenance and very useful for her!
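The wireless-segment policy Jim describes, written out as an added example in current pf.conf syntax (this is not his OpenBSD 3.1 ruleset; the interface name, addresses and macro names are assumptions). It keeps the same idea: the AP answers only ssh and PPTP from the one permitted station, logs everything else, and forwards nothing from the wireless side except what arrives through the VPN.

```pf
# Added example, not Jim's actual pf.conf. Assumed values:
wifi_if = "wi0"              # wireless interface in hostap mode
ap_addr = "192.168.2.1"      # the AP's own address on the wireless segment
laptop  = "192.168.2.10"     # the single station allowed to use ssh and the VPN
ap_ports = "{ 22, 1723 }"    # ssh and the PPTP control channel

# Default deny in both directions on the wireless side. Logging the drops
# makes unexpected stations visible on pflog0 without relying on MAC or
# SSID checks, which an attacker can trivially spoof.
block in log on $wifi_if all
block out log on $wifi_if all

# Only the laptop may open ssh or PPTP to the AP itself (not to "any",
# so the wireless segment cannot reach the wired LAN or the Internet directly).
pass in quick on $wifi_if inet proto tcp from $laptop to $ap_addr \
    port $ap_ports flags S/SA keep state

# PPTP's data channel is GRE: no TCP flags apply, just a stateful pass.
pass in quick on $wifi_if inet proto gre from $laptop to $ap_addr keep state

# Traffic that has come through the PPTP tunnel interface is handled by
# separate rules on that interface; nothing here forwards wireless traffic.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; pf rejects TCP flag options on non-TCP rules, which is why the GRE rule carries none.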

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]