Simple wireless security Lab.

Use Ethereal to sniff the the traffic on the hotel's wired network. There's a good chance the hotel is only using a hub, and you'll be able to see the network traffic from all the other hotel guests--both wired and wireless.

Now that's scary!

Lol....you are exactly right JD. I actually saw the closet, the guys figured I did "something with computers" for a living and asked me to take a look to see why the wireless sometimes drops. (Probably had something to do with a radio sitting on top of the Aironets they use..lol). I noticed this radio is plugged into their PBX (probably for music on hold). Also I noticed at the front desk they have 2.4ghz cordless phones. Most cordless phones use FHSS and most of the WLAN equipment they have at this hotel is 802.11b, which is not a good combination. And of course, the AP's are wide open with no security controls in place. I'm finding this to be the norm, now that's really scary!!!

Interesting stuff. I recently installed Wififofum2 you suggested on my PPC. Just walking around in my appartement shows dozens of unprotected wireless networks. Actually, only mine is secured. What's scary here is that several of those open wireless network (not even wep or mac filtering) are installed by the ISP who installed an ADSL connection. Scary and sad at the same time.

strauchr

No wonder why so many companies are nervous about installing wireless! I do plan on messing around with this when I go for my CWSP. Got to get through CCNA first though

Reminds me of one of the major causes for Windows getting a reputation of being unstable: incompetence of those who install and configure it.

I bet there are quite a few companies who get rid of (some part of) their wireless networks after an incident has occured, rather than security. There'll be plenty of people saying "I told you wireless network is not secure".

TeKniques

Hey guys I have a quick question. After reading this thread (very much informative btw) I am wondering something: What is the best method of making a wireless network secure?

Seems like there is every tool available to crack whatever you do. Where I work we use ACL's with MAC addresses. As I was reading the thread I thought I was magically being transported into an episode of 24.

drainey

It is scary how unsecure an AP is at a hotel, but as the primary support for 60 field reps (most over 50) I understand the hotel's need for ease of use to satisfy the majority of unskilled customers who just want to click and connect. Not to mention most hotels don't have a IT support staff handy to answer questions.

The security is a concern but it sure makes my life easier, especially as I've spent over an hour trying to walk one rather "computer stupid" (his words) rep through the process of setting up a connection with a secured AP at a Radisson hotel. I just make sure they have a good firewall installed and AV gets updated whenever they connect via VPN.

Hotels are notorious for poor network security. They often use very old equipment that was recycled from corporate junk sales. Their on-site IT people are ill-trained or non-existent, preferring to out-source all their IT services.

TeKniques, these days you should run a minimum security of WPA-PSK (Pre-Shared Key), aka WPA Personal. There's no reason to use WEP anymore. If you are using wireless devices whose firmware can't be upgraded to use at least WPA (and preferably WPA2), then they should be immediately replaced with newer devices that can. 802.11 networking has changed so much over the last three years that junking old equipment is the safest thing you can do.

Another thing to realize is that wireless security measures only protect the communication on the wireless side of the access point. The wired side needs it own security from something more conventional to wired networks, such as a VPN.

I'm sure Keatron and JD (edit: I see he just did) can give you a better answer, but I would look at 802.1x authentication (using PKI with digital certificated for client auth) and using WPA2 when available.

TeKniques

Thanks for the advice guys. I actually haven't updated my Router's firmware at home in a while so I'm going to check that out later.

jdmurray wrote:

Another thing to realize is that wireless security measures only protect the communication on the wireless side of the access point. The wired side needs it own security from something more conventional to wired networks, such as a VPN.

And I'll add to this comment by pointing back to JD's original response to my post. He said that I should use ethereal to sniff the wired side of the network. This is a perfect example of the point he made above. And JD is dead on about using old equipment. Those 802.11b AP's in that place look like they're as old as dirt. They are HUGE! And listen to JD's warning again about using WPA or WPA2. As I pointed out in the initial post MAC filtering WILL NOT protect you. I'll eventually post something on ARP spoofing. In the office we were able to poison an AP arp table then have traffic intended for one workstation sent to another, which was then fowarded to the original intended station. So the intended station never knew the traffic was "proxied" through a rogue station before it got there. You can do this and sniff for keys, and passwords all day, and no one will know the wiser. This is why MAC filtering should only be considered ONE LAYER of your protection. If you've ever used a packet analyzer or sniffer, you'll notice that one of the first peices of useful information you'll find is MAC information

drainey wrote:

It is scary how unsecure an AP is at a hotel, but as the primary support for 60 field reps (most over 50) I understand the hotel's need for ease of use to satisfy the majority of unskilled customers who just want to click and connect. Not to mention most hotels don't have a IT support staff handy to answer questions.

The security is a concern but it sure makes my life easier, especially as I've spent over an hour trying to walk one rather "computer stupid" (his words) rep through the process of setting up a connection with a secured AP at a Radisson hotel. I just make sure they have a good firewall installed and AV gets updated whenever they connect via VPN.

What you're really referring to is the CIA triad. Confidentiality, Integrity, and Availability. Yes, the trick is to balance these three to end up with a workable and applicable solution, however to completely ignore/abandon either of these three is NEVER the best way to go about it. For example, every military client we work with is focused on Confidentiality first, Integrity second, and then Availability as almost an after thought. This thinking stands until something crucial is not available when it needs to be, then the thought process begins to slowly shift. I've seen it happen many times. Same thing with hotel type establishments. Security is more of an after thought until something major happens (like some guy who knows a little about network security sniffs the wired portion of the network using ethereal to get customer guest info and credit card information, SINCE the front desk computer which holds and scans all guest and credit card info is connected to the same Cisco 1720 router that the rest of the guest who are given wireless internet access is connected to).

I wonder if they've VLAN'd off that portion of the network????? Not a chance..

keatron wrote:

This is why MAC filtering should only be considered ONE LAYER of your protection.

Amen. I have spent so much time trying to reason with people that there is no such thing as a single, perfect security mechanism. Security is increased by employing many different mechanisms to thwart attackers, and not relying on just one layer of security.

If your car were stolen you'd never honestly say "but I locked the doors!" Locked doors are a deterrent, but are simply no guarantee that theft of your car is impossible. Locks doors, a car alarm, a steering wheel lock, and parking in a closed garage is a much better, multi-layered security solution.

Webmaster wrote:

I would look at 802.1x authentication (using PKI with digital certificated for client auth) and using WPA2 when available.

The problem with 802.1X, PKI, RADIUS, Kerberos, VPNs, etc. is that they all require dedicated servers, which can be a pain for SOHO setups. Many of the higher-end access points have the server services built in, but they also cost a higher-end price.

Yeah, I realized my suggestion was of little use when TeKniques mentioned 'at home' in his second reply.

TeKniques

Well I planned on using all the advice here at work and at home so rest assured that everyone's advice is good advice

Webmaster wrote:

Yeah, I realized my suggestion was of little use when TeKniques mentioned 'at home' in his second reply.

I agree to an extent, but you'd be suprised at how many decent sized IT shops have no idea how to configure radius and the likes. Some don't even know what it is!!!!!!!!!!!!

keatron wrote:

I agree to an extent, but you'd be suprised at how many decent sized IT shops have no idea how to configure radius and the likes. Some don't even know what it is!!!!!!!!!!!!

Those must be the Windows/AD/Kerberos shops.

jdmurray wrote:

keatron wrote:

I agree to an extent, but you'd be suprised at how many decent sized IT shops have no idea how to configure radius and the likes. Some don't even know what it is!!!!!!!!!!!!

Those must be the Windows/AD/Kerberos shops.

keatron wrote:

Webmaster wrote:

Yeah, I realized my suggestion was of little use when TeKniques mentioned 'at home' in his second reply.

I agree to an extent, but you'd be suprised at how many decent sized IT shops have no idea how to configure radius and the likes. Some don't even know what it is!!!!!!!!!!!!

No, not surprised at all.

But I wasn't implying 802.1x is 'the' way to go for non-home networks, just that it's an option to consider.

drainey

Keatron wrote:

What you're really referring to is the CIA triad. Confidentiality, Integrity, and Availability. Yes, the trick is to balance these three to end up with a workable and applicable solution

I haven't heard it put in those terms before but that is the goal of our IT dept. Unfortunetly we are viewed as overhead while the reps (Salesmen) are viewed as our bread and butter so we are relegated to making sure everything is as easy to work for them as possible.

This is slowly changing as younger people move up the corporate ladder but it will be a very slow process.

The CIA (or AIC) triad is one of the absolute foundations of information security. You can't pick up an InfoSec book that doesn't reference it in some way. All InfoSec technologies and methodologies are describe by how they make information more confidential, integral, and available.

Danman32

I don't understand the hubbub about a hotel's guest access wireless internet access being in the clear. That's the purpose of it; to provide easy internet access for the guests.

If the guest needs security on that channel, use SSL or VPN. It is really no different than broadband cable internet where traffic is shared on the cable. That's why that modem light (or WAN light on the router) keeps blinking even though all your hosts are off.

Now I will grant you that there's no excuse for using hubs on the network, or having the guest internet access being connected to the hotel staff network. Switches are cheap now, though granted the managed ones are a little more money. If they are managed, then VLAN could be employed to isolate the guest connection from the staff connection.

Also, even if the internet access is isolated from the staff network, guests should be made aware that wireless by its very nature is visible to anyone (it is a broadcast radio after all), and internet itself is not secure so the client should employ measures of security if they are to communicate sensitive information, including but not limited to online credit card purchases, and emails.

Even if the hotel decided to use WEP, they would have to give the client the shared key, which all other hotel guests would have as well. Any further security such as WPA would be more effort than a hotel would be willing to employ (or even expected to employ) just to give internet access to the guests.

Danman32 wrote:

I don't understand the hubbub about a hotel's guest access wireless internet access being in the clear. That's the purpose of it; to provide easy internet access for the guests.

People (i.e., non-computer networking professionals) do not understand that their email, passwords, web traffic, etc. can be eavesdropped upon by anyone on the hotel's wired or wireless network. People have a certain assumption and expectation of privacy, such as when mailing a letter or speaking on the telephone.

Danman32 wrote:

If the guest needs security on that channel, use SSL or VPN. It is really no different than broadband cable internet where traffic is shared on the cable. That's why that modem light (or WAN light on the router) keeps blinking even though all your hosts are off.

Once again, the average hotel quest doesn't know how their data is visibly multiplexed on a computer network; the average homeowner with Internet access on their cable box doesn't understand this either.

Danman32 wrote:

Switches are cheap now, though granted the managed ones are a little more money.

Hotels have little incentive to spend money even on inexpensive switches unless their customers demand secure network access.

Danman32 wrote:

Even if the hotel decided to use WEP, they would have to give the client the shared key, which all other hotel guests would have as well.

This is true. For individual security, each guest would need to logon to the hotel's network using an assigned password and an electronic token that would be used to encrypt their network traffic in the hotel's LAN. However, their network traffic would need to be decrypted prior to it being routed to the Internet.

This problem doesn't only exists for hotels; all public hotspots, such as airports, libraries, coffee houses, and now even entire cities, are not secure. The only good solution is for the individual network users to provide their own VPN by using a service, such as Hamachi (www.hamachi.cc) and HotSpotVPN (hotspotvpn.com).

Danman32 wrote:

If the guest needs security on that channel, use SSL or VPN. It is really no different than broadband cable internet where traffic is shared on the cable. That's why that modem light (or WAN light on the router) keeps blinking even though all your hosts are off.

This is a fundamentally wrong assumption. First of all, pulling someone's data stream from a wired or "controlled" medium is NOT the same, legally or technically as doing the same on an un-controlled medium. Secondly, usually the reason you see the "modem light" blinking when no hosts are connected is related to communications between your modem and the providers infrastructure whether it be the CO, DNS servers, or any number of other things. But it has little if nothing to do with other users traffic. Another reason you would see activity (depending on how much) could be indicative of a malicous software or in some cases improper configuration. I can tell you my friend for certain, I have cable and SDSL and when I'm not connected with any of my nodes to internet, I have NO activity lights flashing. I would suggest reading up on the 802.11 standards concerning wireless (http://standards.ieee.org/getieee802/802.11.html). This will help you in seperating myth from reality, and will also aid you in peeling through vendor specific marketing twists.
.

Danman32 wrote:

Even if the hotel decided to use WEP, they would have to give the client the shared key, which all other hotel guests would have as well. Any further security such as WPA would be more effort than a hotel would be willing to employ (or even expected to employ) just to give internet access to the guests.

And if WEP were used, that would mean that someone driving to the hotel parking lot and authenticating with the hotel's AP will have had to circumvent some form of access control. And I can tell you as someone who travels often.....very often, that some hotels are good about it (I'm in Vegas now at a nice hotel, and you do have to authenicate before using the WLAN here). The truth of the matter is, as with most other things, money is the motivating factor. More and more hotels have stopped providing free access and now charge a daily rate for it. And guess what, you have to athenticate with your room number and password. Why? because it now brings a profit and since a user not paying could hurt their profit margin, it's important to implement some type of access control.

sprkymrk

The truth of the matter is, as with most other things, money is the motivating factor. More and more hotels have stopped providing free access and now charge a daily rate for it. And guess what, you have to athenticate with your room number and password.

I travel several times in a year as well, and I have noticed the exact opposite of what you describe. (Not trying to be disagreeable, just surprised our experiences differ). However, I have been to Vegas 3 times in the last year and a half, having stayed at Harrah's once, The Hilton once, and Embassy Suite once. I was charged for Internet at each one. Everywhere else I traveled in the last 2 years - from Florida to Arizona to DC, all provided free high speed access. All of the hotels did require some sort of authentication to access the LAN - usually a room number. One hotel provided free wireless access from the lobby which did not require authentication.

sprkymrk wrote:

All of the hotels did require some sort of authentication to access the LAN - usually a room number. One hotel provided free wireless access from the lobby which did not require authentication.

Authentication to their LAN is just a method of accounting so they can charge you $10/day for access. It has NOTHING to do with securing your wireless LAN traffic.

sprkymrk

jdmurray wrote:

sprkymrk wrote:

All of the hotels did require some sort of authentication to access the LAN - usually a room number. One hotel provided free wireless access from the lobby which did not require authentication.

Authentication to their LAN is just a method of accounting so they can charge you $10/day for access. It has NOTHING to do with securing your wireless LAN traffic.

Understood. WLAN was in the clear.

Danman32

I have had the same experience: less and less hotels charging for internet. It seems the cheaper hotels are less likely to charge. Same for parking I have heard. Expensive hotels often charge for parking too.

All the hotels I went to that offered free access had no authentication mechanism. The AP was in the clear. Now what was behind the AP I had not explored, such as whether the guest internet was integrated into the staff network.

I still say though that it is not the reponsibility of the provider to guarantee confidentiality on a public access network, and this is especially true on a wireless connection. I would agree though that it would be prudent to disclose the fact that the network does not guarantee confidentiality to the public network since most guests would be unaware of this fact. Heck, I am just discovering that RoadRunner doesn't seem to offer secure POP3 connections so I can download my email.

As for cable, it is a bus topology so everyone gets everyone's communications at the cable end of the modem. The modem may filter out uinicasts not directed to me, but broadcasts will get through. I had discovered that the cable broadband uses a 10. address on the MAN. I'll experiment though by connecting my PC directly to the modem rather than through the router that has NAT blocking most traffic and run ethereal on it. By the way my router's WAN port is blinking too, not just the modem activity light (separate devices).