OpenBSD Journal

Securing 802.11 transmissions

Contributed by jose on from the mobile-networking dept.

IBM developerworks has a pair of articles on ways to secure 802.11 communications and improvements since the days of WEP. Part 1 looks at 802.11x, an access control mechanism for network communications that has some promise. Part 2 covers cryptography in 802.11 and looks at WAP and secure Point-to-Point communications. Again, some promising technology that could change things for the better (or for the worse). Have a look at this emerging technology.



Comments
  1. By Anonymous Coward () on

    What's all the fuss about securing WiFi? I just don't get it. Secure the communications from my laptop to the access point and then send it over a wire where someone else can see it. To me the whole thing about securing WiFi is only to restrict access to the network, and the biggest advantage to WiFi is access everywhere... So now how do I achieve that with all these secure access points? Forget about securing WiFi; instead secure host-to-host communications. After all, how are we going to stop all those ISPs/governments who are running tcpdump 24/7?

    Comments
    1. By vincent () on

      Well, maybe to _you_ having access everywhere is the biggest advantage, but some people actually want to restrict access to their network, if only not to have their network be a source of attacks by machines they're not responsible for, or for bandwidth use, etc.

      that doesn't mean the wire communications have to be insecure because the wifi itself is secured...

      Comments
      1. By Anonymous Coward () on

        I understand what you’re saying. I still secure my wireless network with WEP only because I don't want to get in trouble with my ISP. If I didn't have that limitation, I would just open it up. Now of course I would use OpenBSD to create a DMZ zone for it.

    2. By Anonymous Coward () on

      Fool. I want to stop people driving down my street from accessing my office LAN, but I don't care (so much) that point-to-point traffic on my wired LAN is clear, because the theory is that it is physically secured.

      Why assume all problems are identical to your own?

      Comments
      1. By Anonymous Coward () on

        Why do you assume that your LAN is secure? Did you know that most security breaches come from the inside and not the big bad people on the outside? All you’re doing is relying on a false sense of security and not addressing the security of the systems you do have. Plus, you can always put your access points on your DMZ networks and not your precious internal ones.

  2. By Anonymous Coward () on http://openvpn.sourceforge.net/

    I really like this one:

    http://openvpn.sourceforge.net/

    Easy to set up, multiplatform, very good support if something is not in the documentation. My self-made access point is running this one for authentication and transport security.

    Comments
    1. By Erik () on

      It is rather unfortunate that openvpn is imposing a very heavy load on the machines running it. Much, much more than when using ipsec.

      It works nice though.

      Comments
      1. By earx () on

        Do you have details?

        Comments
        1. By Erik () on

          100% load on a wireless connection at 500 kB/s, P1 233 MHz, 64 MB RAM, wireless in hostap mode routed to another system on the LAN through the fxp interface.

          ipsec performs much better (max 50% load same configuration)

          Comments
          1. By earx () on

            I just saw something interesting:

            www.wavesec.org

            Opportunistic encryption.

            Comments
            1. By AnonymousCanuck () on

              Wavesec.org is based heavily on the more general opportunistic encryption work done by the Linux IPsec group: http://www.freeswan.org/ It is worth taking a look at. Especially any of you hackers out there. Please implement Opportunistic Encryption for KAME/BSD.

  3. By earx () on

    "Note: Over the length of time it took to write this article, 802.1x has been reported as vulnerable to attack."

    Better to use authpf and ipsec, even if that is not 100% secure either.
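    One way to lay out the authpf-plus-ipsec gateway earx recommends, as an added example that is not from the thread and not from OpenBSD's own documentation: a wireless client may only reach the gateway's sshd (where authpf(8) runs as the login shell) and DHCP until it authenticates; authpf then loads the per-user rules, which admit nothing from that client but IKE and ESP, so application traffic crosses the radio only inside IPsec. The interface names (wi0 on the access-point side, fxp0 towards the wired LAN), the gateway address 192.0.2.1 and the current stateful-by-default pf syntax are assumptions.

```conf
# /etc/pf.conf on the gateway (assumed names: wi0 = wireless, fxp0 = wired LAN)
wifi_if = "wi0"
lan_if  = "fxp0"
gw_wifi = "192.0.2.1"            # gateway address on the wireless side (example value)

table <authpf_users> persist     # authpf(8) adds each authenticated client's IP here

block log all                    # default deny on every interface
pass out on $lan_if              # assumption: the gateway itself may talk to the LAN

# Unauthenticated wireless clients get ssh to the gateway (that is how authpf
# is started) and DHCP; nothing else is passed on the radio.
pass in on $wifi_if inet proto tcp from $wifi_if:network to $gw_wifi port ssh
pass in on $wifi_if inet proto udp from any to any port { bootps bootpc }

# On OpenBSD decapsulated IPsec packets reappear on enc0 and are filtered
# there, so the cleartext side of the tunnel needs its own pass rule.
pass on enc0

# authpf loads /etc/authpf/authpf.rules into authpf/<user>(<pid>) under this
# anchor when the ssh session starts and flushes it when the session ends.
anchor "authpf/*"

# /etc/authpf/authpf.rules: evaluated per login with $user_ip and $user_id
# set by authpf(8). Only IKE (udp/500) and ESP from the authenticated
# client towards the gateway are admitted, so the radio carries IPsec only.
wifi_if = "wi0"
gw_wifi = "192.0.2.1"
pass in quick on $wifi_if inet proto udp from $user_ip to $gw_wifi port isakmp
pass in quick on $wifi_if inet proto esp from $user_ip to $gw_wifi
```

The two files are shown in one listing for brevity; /etc/authpf/authpf.conf must also exist (it may be empty) and each wireless user's login shell must be /usr/sbin/authpf, otherwise authpf refuses to run.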

  4. By sickness () s i c k n e s s -at- s i c k n e s s -dot- i t on http://www.sickness.it

    What about WEP+ipsec+sshtunnel all the connections? :P
    In this way you will have 3 levels of crypto between
    the hosts :P
    (a bit tricky and even a bit slower... but very geek and paranoid ;)

    Comments
    1. By Michael Anuzis () on

      when all the messages you send through that encryption could be steganographic images with hidden text in them that have been encrypted via GPG?

      Comments
      1. By earx () on

        but you can hijack or DDoS, or cut the session, with forged packets, because all the low-level layers are clear.

        Your data could be safe not the quality of the connection ;)

        Comments
        1. By sickness () s i c k n e s s -at- s i c k n e s s -dot- i t on http://www.sickness.it

          sure, you can also spoof the IP address and so on; for every type of attack you need to find a way to protect yourself, for example filtering on the MAC address and so on... there are a lot of cool and fun things if you are addicted to networking, otherwise you can safely ignore all this crap and use win98+IE happily with C$ open like 99% of Italians do :)
          (I'm Italian too :)

      2. By espo () on

        Steganography is useful when you're trying to hide data transmissions - it's like a covert channel. It wouldn't make sense to use steganography on a link lower than the application layer - because everyone knows you're transmitting data at that point.

        This is another reason steganography isn't very useful. If a person was hatching some plot, and then all of a sudden starts transmitting pictures or audio files - anyone eavesdropping is going to see through the smoke & mirrors. Not to say that it doesn't have uses, but you gotta be aware that just because an attacker can't read the actual data from your link doesn't mean they can't figure out what's really going on.

        Comments
        1. By Anonymous Coward () on

          That's why the pictures need to be porn, since that already generates enough traffic to piggyback your messages in.
