Wireless Networks Thread, securing wireless network in Technical
-
25th January 2006, 11:30 AM #16 Re: securing wireless network
It depends how secure you want it. I don't think MAC address filtering is generally considered to be highly secure as any MAC address can be spoofed. A determined hacker should be able to get past MAC address filtering without much trouble. Having said that, it might slow down and possibly deter the casual opportunist.
There's really no excuse for not using the highest level of WEP encryption available on your APs and Laptops. WEP adds another layer which, although no longer considered secure, will deter all but the serious hacker.
-
-
25th January 2006, 11:30 AM #17
Re: securing wireless network
If you're just using MAC address authentication on your wireless LAN the packets can still be sniffed with something like Ethereal as they are being transmitted unencrypted. This means all manner of data could be looked at by anyone! Yes MAC addresses can be spoofed fairly easily, but remember the attacker needs to know the MAC addresses on the allowed list first.
At the very least I would encrypt the Wireless LAN with WEP and use MAC filtering!
WEP does have weaknesses though; with enough time the key can be cracked. The last time I tried it, though, it took almost 2 weeks of packet sniffing! Still, it is possible; look at what other encryption methods your APs offer. Something like WPA2 would be better as long as all your clients support it!
-
-
25th January 2006, 12:45 PM #18 Re: securing wireless network
WEP decryption with the newest version of the (Linux!) cracking tools takes around an hour or a few million packets. Whichever comes first.
-
-
25th January 2006, 01:07 PM #19 Re: securing wireless network

Originally Posted by Geoff:
"WEP decryption with the newest version of the (Linux!) cracking tools takes around an hour or a few million packets. Whichever comes first."
Right... at which point you get the WEP key. So now you can sniff packets and get free Internet and potentially use password cracking tools.
My point being that there is (or at least should be) a whole lot more security still to get through if you are after the serious data (pupil files, financial info). I think I'm right in saying that Windows passwords no longer travel across the wire unencrypted, so it should not be a trivial matter to obtain a password. I also believe it is possible to encrypt all network traffic using IPSec between Windows clients and servers. Doing that would mean that even if the wireless network was compromised, the data on the network and servers should still be safe. Don't know what kind of hit this would have on performance though. I assume encryption would be done symmetrically (same key to encrypt/decrypt) and key exchange using some form of public key transfer. (Bit out of my depth here!!)
-
-
25th January 2006, 01:59 PM #20 Re: securing wireless network
I managed to get RADIUS working with a standard Windows 2003 Server domain. It's a bit of a pain tho' as you have to find APs and cards that support it (ours are a bit old and naff). The only thing you can't do without Enterprise is automatic user certificate enrollment. So again, slight PITA cos you have to manually install user certs on client machines.
-
-
25th January 2006, 02:24 PM #21 Re: securing wireless network
I also believe it is possible to encrypt all network traffic using IPSec between Windows clients and servers. Doing that would mean that even if the wireless network was compromised, the data on the network and servers should still be safe.
Well, access to the internet bandwidth is an end in itself.
Even so, that doesn't protect you against people brute forcing account passwords. While passwords do use NTLMv2, usernames generally fly around in cleartext. Once you have a list of usernames to work with it's much easier to find the ones with bad passwords. Once you have "Domain User" access you can think about cracking Admin.
Hopefully your IDS would have detected the intrusion long before things got to that point though.
Remember not to discount other attack vectors though. Print Servers, Routers, Managed Switches, Standalone PCs not on the domain and Systems running other OS's need to be audited too as they are perfectly valid targets for an intruder.
I prefer not letting people in in the first place. WPA with RADIUS is the way forward I think.
One thing with your Certificate server. It's good practice to have it on a small laptop or other form of portable so you can physically lock it in your school's fireproof safe. Physical access to this machine basically gives full access over your entire network infrastructure.
-
-
1st February 2006, 09:00 PM #22 Re: securing wireless network
It is quite easy to spoof a MAC address - pretend to be something on your allowed list - but it is better than nothing. Couldn't you also use WEP / WPA or 802.11.x? WEP will work most widely but is the least secure. WPA requires that all your clients support it.
-
-
1st February 2006, 09:26 PM #23 Re: securing wireless network
Yes, I think really the only way forward is to phase out your older equipment that won't do WPA/WPA2 and only buy new stuff that will.
-