Creating wireless security without WEP
WEP is no longer sufficient to ensure data safety on the 802.11b WLAN standard. And with the details behind 802.11a, 802.11g, 802.11i and 802.11e still murky, here’s a better and cost-effective solution to secure your wireless networks.
by Seamus Phan
On Aug 14, 2001, a new attack designed by three well-known cryptographers (Scott Fluhrer, Itsik Mantin and Adi Shamir) and re-created by a team of AT&T Labs researchers enabled an eavesdropper to passively capture a small amount of network traffic and recover the network's secret WEP key in less than one hour.
"This
is the last straw for WEP (Wired Equivalent Privacy),"
said Adam Stubblefield, a summer intern at AT&T's famed
lab who wrote the code used to compromise WEP. "WEP
is basically useless," he said.
If that is so, what of the thousands of 802.11b WLANs out there in the world today? Are we adopting a second-rate technology, or is there a better way to build wireless walls?
We can take a cue from NASA and look at how they approach WLAN security, and also explore the use of Unix workstations to increase security and reduce costs. In addition, these techniques facilitate the migration to faster WLAN technologies, including 802.11g and 802.11a.
Further, as the 802.11i security standard for WLANs finally emerges (hopefully early next year), it will improve on the basic security measures of 802.11, which are currently provided by WEP. However, as with other security implementations, only time will tell whether 802.11i will be as secure as the IEEE claims.
Unix Base Stations
Here is a money-saving tip. You can leverage your Unix workstations as base stations to reduce WLAN expenditure without losing seamless connectivity. Workgroups that have spare Unix boxes (FreeBSD, OpenBSD, NetBSD, Linux and other Unix variants), or even stock G3 or G4 workstations running Mac OS X, can set them up as base stations. If you prefer Linux, you can even set up Yellow Dog Linux (www.yellowdoglinux.com) on your Mac as a base station. Yellow Dog Linux also offers the BriQ, a pre-configured PowerPC server appliance that can be used for this purpose.
A wireless base station is akin to an IP router, and by setting up your BSD box properly you can get it to work as one. Basic Service Set (BSS) "infrastructure" mode is what gives true base station functionality, and several Unix coders have developed ways to support BSS mode for Lucent and Prism adapters. On NetBSD the wi(4) driver is configured with ifconfig (please note that specific adapters and environments may demand different parameters):
# ifconfig wi0 media DS11
# ifconfig wi0 nwid yourname
The first command selects 11 Mbit/s direct-sequence operation; do not add the adhoc media option here. In the second, substitute "yourname" with the WLAN network name (the SSID). Two practitioner's caveats: with just these two commands the wi(4) driver joins an existing access point as a station, so for the box itself to be the access point the driver must put the card into host AP mode (mediaopt hostap in later versions of the BSD wi drivers), which the Prism chipsets support but the Lucent/Hermes firmware does not, so choose the card accordingly. And for the box to route between the wireless and wired interfaces, IP forwarding must be switched on in the kernel (sysctl net.inet.ip.forwarding=1).
If it is not possible to run in BSS infrastructure mode, then run your adapter in IBSS (independent BSS) mode, which is peer-to-peer and functions like a shared Ethernet cable: every station sees every frame. The command for NetBSD is:
# wiconfig wi0 -c 1
According to the coders, you have to ensure that your adapter's firmware is as recent as possible, because older firmware does not allow IBSS operation. Also note that laptops take PC Card WLAN adapters, while desktops need a wireless PCI card.
The NASA Hack
On Aug 20, 2001, the US-based National Aeronautics and Space Administration (NASA) described a method, using a wireless firewall gateway, to secure standard 802.11b networks without WEP.
A white paper by Nichole K. Boscia of NASA proposed using a wireless firewall gateway as the router between the wireless network and the external network, with the ability to dynamically change firewall filters as users authenticate themselves for authorized access.
The gateway also operates as the server responsible for handing out IP addresses to users, runs a website on which users authenticate, and maintains a record of who is on the network and when. To keep things accessible to users of any client platform, only a Web browser and DHCP client software are required on the client.
There are three components to such a wireless firewall gateway design: a DHCP server, an IP filtering mechanism, and a Web authentication system.
NASA used a beta of the version 3 open source DHCP server from the Internet Software Consortium (www.isc.org). This differs from older DHCP servers in that it can run actions when a lease changes state, so the gateway can dynamically remove a host from the firewall access list whenever the server ends that host's lease for any reason (client-initiated release, timeout or expiry).
NASA configured the DHCP server, running on a Unix or Unix-like platform, to listen only on the WLAN subnet interface, thus preventing users on the wired network from obtaining a wireless IP address from it. NASA also installed a packet filter to stop DHCP requests arriving on any other interface.
For IP filtering, NASA used the IPFilter (IPF) stateful packet filter that shipped with OpenBSD at the time (www.openbsd.org). IP forwarding is enabled in the kernel (the net.inet.ip.forwarding sysctl) so that packets are routed, and filtered, between the wireless and external network interfaces. Static filters are loaded at boot from the /etc/ipf.rules file and are designed to minimise remote access to the wireless firewall gateway itself.
Packet filtering is done at the transport layer (UDP or TCP) so that stateful inspection can be applied: only sessions initiated from the wireless side create state, and reply packets are admitted against that state, so nothing has to explicitly permit dynamic or private port ranges into the WLAN. Before a user authenticates, NASA restricts traffic to essential protocols such as NTP, DNS, DHCP and ICMP.
In the NASA implementation there are two kinds of users: authenticated and non-authenticated. Non-authenticated users can be granted access to specific services only, such as e-mail, VPN and Web; everything else waits for authentication.
To prevent a subsequent user from inheriting trusted access when an IP address is recycled, the in-memory lease database removes the firewall permit rule for that address whenever the lease's next binding state is set to free, expired, abandoned, released or reset.
The DHCP server will not issue the same IP address again until it has freed the previous client's lease. This closes the hole in which someone hijacks an IP address that has already been authenticated and keeps using it after the valid user has left the wireless service.
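As an added example (not NASA's code), here is the bookkeeping that ties the three components together, in Python. The DHCP server's lease-state hooks (ISC DHCP 3's on commit, on release and on expiry statements) feed dhcp_event(), the login page calls login() once the RADIUS check has answered, and ipf_rules() renders the complete rule set to reload into IPF. The interface name wi0, the 10.0.0.0/24 subnet, the gateway address 10.0.0.1, the MAC addresses and the user names are assumptions.

```python
"""Lease-aware dynamic permits for a NASA-style wireless firewall gateway.

Added example, not NASA's code. The interface name, addresses, MAC addresses,
user names and the event sequence in the test are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

# Lease binding states after which the permit rule must be dropped.
RELEASE_STATES = {"free", "expired", "abandoned", "released", "reset"}


class WirelessGateway:
    def __init__(self, wlan_if: str = "wi0", wlan_net: str = "10.0.0.0/24",
                 gateway_ip: str = "10.0.0.1") -> None:
        self.wlan_if = wlan_if
        self.net = ipaddress.ip_network(wlan_net)
        self.gw = gateway_ip
        self.leases: Dict[str, str] = {}             # ip -> MAC holding the live lease
        self.authenticated: Dict[str, str] = {}      # ip -> user name (the permit table)
        self.audit: List[Tuple[str, str, str]] = []  # (event, ip, detail): who was on, and when

    # DHCP side: the server's lease hooks call this on every binding-state change.
    def dhcp_event(self, ip: str, mac: str, state: str) -> None:
        if state == "active":
            holder = self.leases.get(ip)
            if holder is not None and holder != mac:
                # The server must free the old binding before re-issuing the address;
                # otherwise the newcomer would inherit the previous user's permit.
                raise RuntimeError(f"{ip} issued to {mac} while {holder} still holds it")
            self.leases[ip] = mac
            self.audit.append(("lease", ip, mac))
        elif state in RELEASE_STATES:
            self.leases.pop(ip, None)
            user = self.authenticated.pop(ip, None)   # the permit dies with the lease
            if user is not None:
                self.audit.append(("revoke", ip, f"{user} ({state})"))
        else:
            raise ValueError(f"unknown lease state {state!r}")

    # Web side: the login page calls this with the RADIUS verdict.
    def login(self, ip: str, mac: str, username: str, credentials_ok: bool) -> bool:
        if ipaddress.ip_address(ip) not in self.net:
            return False        # only addresses from the wireless subnet can be permitted
        if self.leases.get(ip) != mac:
            return False        # no live lease for this client: a stale or spoofed address
        if not credentials_ok:
            self.audit.append(("deny", ip, username))
            return False
        self.authenticated[ip] = username
        self.audit.append(("permit", ip, username))
        return True

    def permitted(self, ip: str) -> bool:
        return ip in self.authenticated

    # Filter side: the complete IPF rule set to load after every change.
    def ipf_rules(self) -> List[str]:
        i, net, gw = self.wlan_if, self.net, self.gw
        rules = [
            f"block in on {i} all",
            # Unauthenticated clients reach only the gateway's own essential services.
            f"pass in quick on {i} proto udp from any port = 68 to any port = 67",
            f"pass in quick on {i} proto udp from {net} to {gw}/32 port = 53 keep state",
            f"pass in quick on {i} proto udp from {net} to {gw}/32 port = 123 keep state",
            f"pass in quick on {i} proto icmp from {net} to {gw}/32 icmp-type 8 keep state",
            f"pass in quick on {i} proto tcp from {net} to {gw}/32 port = 80 flags S keep state",
            f"pass in quick on {i} proto tcp from {net} to {gw}/32 port = 443 flags S keep state",
            f"block in quick on {i} from any to {gw}/32",
        ]
        # One permit per authenticated address; the sessions it opens are tracked statefully.
        for ip in sorted(self.authenticated, key=ipaddress.ip_address):
            rules.append(f"pass in quick on {i} from {ip}/32 to any keep state")
        return rules
```

The check that matters is in login(): an address is permitted only while a live lease binds it to the requesting client, and dhcp_event() drops the permit the moment that lease ends, so a newcomer who receives the recycled address, or an attacker who simply configures it statically, starts out unauthenticated. The gateway writes the rule list to /etc/ipf.rules and reloads it with ipf -Fa -f /etc/ipf.rules.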
For authentication, NASA used a script system driven from a Web browser, so that clients on any platform are not excluded. The script system combines PHP (www.php.net) and Perl (www.perl.org) scripts for easy maintenance and updates. Unlike some authentication schemes that restrict clients to Microsoft Windows, this method lets users on Unix, Mac, Windows and Linux log in easily and yet securely.
NASA simply used an Apache (www.apache.org) Web server with Secure Sockets Layer (SSL), in which the server's RSA public/private key pair is used to negotiate an encrypted session with the client. When a user connects over plain http, he or she is automatically redirected to the https page for authentication.
When the user enters a username and password, the session is encrypted, so the credentials never cross the air in clear text. NASA also ensured that its SSL certificate was signed by VeriSign, a trusted certificate authority (CA). This lets the browser verify that it is talking to the genuine gateway, so an intruder cannot stand up a look-alike login page and harvest users' credentials.
When a user logs on, his or her IP address is displayed and logged by the PHP script, with ample warnings against unauthorised access. Once the username and password are entered, the Perl script passes them to a RADIUS server to check whether they are legitimate. RADIUS (RFC 2865) hides the password with an MD5 keystream derived from a secret shared between gateway and server, and authenticates the server's reply with an MD5 digest over that same secret; MD5 is the digest designed by Ron Rivest of RSA, but this is shared-secret obfuscation, not public-key encryption.
If the RADIUS server accepts the credentials, the user's IP address is added to the IPF access rules and the user is passed through, with on-screen notification of his or her privileges. If the details are not legitimate, the user is denied access.
Painful Wait
The waters of 802.11a, 802.11g, 802.11i and 802.11e are still murky, with no ratification coming from the IEEE working groups in the short term.
Meanwhile, those of us who cannot wait can explore alternative implementations. And you may want to clean the dust off those Unix boxes and get busy turning them into base stations and secure gateways for your 802.11b WLANs.
Seamus Phan is research director at KnowledgeLabs News Center (www.knowledgelabs.net), an independent technology news bureau, and writes for Network Computing-Asian Edition.
He can be reached at
Send your feedback to editor@networkmagazineindia.com