Wednesday, January 17, 2007

Super Basic Network Security 'n' Stuff

Matt G over at Better'n'Better writes of his glorious new wireless networking experiences with his new laptop, and it brings out the techie in me at about the same level as the newbie sweeping the room with a .45 of unknown provenance brings out the firearms instructor in a lot of us.

*CRINGE*

Wireless is pretty neat stuff in all its many and exciting flavors (802.11a/b/g/n, bluetooth, etc), and like a lot of other neat things has both upsides and downsides of both a legal and practical nature. The below is very basic, very fast, and touches only on the high points...and I do answer questions :)

For the sake of simplicity and sanity, we'll stick with the 802.11's with a brief side riff on the notion of cellular wireless access later on in the chat...

802.11a/b/g/n/etc

802.11 is a broad standard that includes a bunch of mutually incompatible sub-standards - in other words, an "A" access card won't talk to an "N" Wireless Access Point, G doesn't talk to B, B doesn't talk to A, etc. ad nauseam. That's why most Wireless Access Points or Routers are combo boxes that, if you look carefully, are labelled "802.11a/b/g/n" or some combination thereof...and what each of those funky letters describes is a different way of sending and getting data, with some faster than others, and others that do better at penetrating ground clutter than at sending data at the highest possible speed.

What all of them share is that unless the user has encryption set up at *both* ends of the wireless piece (i.e., in most 802.11 setups, the route is Wirelessly Connected Laptop >> Wireless Access Point/Router >> Wired Network), the following apply:

  1. Sending data in the clear, readable by anyone driving by with a receiver. Zero Encryption.
  2. Providing random wandering laptops with an access point to the 'net for which YOU are liable, at least conceivably...
  3. Theft of Wireless Service

Regarding #1, what that means is when you order some cool new leather gear from Gall with your very own Visa card...with no encryption, that "anybody with a receiver" can simply sit there, grab the data off the air, and then call up Gall and re-direct your delivery...and take the credit card information over to "Sam's House of Kink & Adult Pleasure" and use said information enthusiastically. But credit card information is *thinking small*, when complete ID theft is possible.

If you haven't set up a software firewall on your laptop, you can get *visitors* coming in and romping through your hard drive...something that is equally true if you take your laptop visiting random wired networks...in the same general sense as "firewall=good", right up there with "antivirus=good", and "anti-spyware=good". Essentially every time your laptop or PC touches a wired OR wireless network, it is vulnerable to whatever critters linger thereupon.
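As an added example (not from the original post), here is a small audit of what the access points in range advertise, so you can confirm your own WAP is not in the OPEN or WEP rows of point #1. It assumes the text format of the Linux `iwlist <iface> scan` tool; the sample scan is constructed for the example.

```python
# Added example, not from the original post: report what security each wireless
# access point advertises, parsed from Linux `iwlist <iface> scan` text output.
import re

# Constructed sample scan (stand-in for real `iwlist wlan0 scan` output).
SAMPLE_SCAN = """\
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"HomeNet"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"linksys"
                    Encryption key:off
          Cell 03 - Address: CC:DD:EE:FF:00:11
                    ESSID:"OldShop"
                    Encryption key:on
          Cell 04 - Address: 22:33:44:55:66:77
                    ESSID:"Cafe"
                    Encryption key:on
                    IE: WPA Version 1
"""

def parse_scan(text):
    # One dict per "Cell NN - " block, keeping only the fields the audit needs.
    cells = []
    for block in re.split(r"^\s*Cell \d+ - ", text, flags=re.M)[1:]:
        essid = re.search(r'ESSID:"(.*?)"', block)
        cells.append({
            "essid": essid.group(1) if essid else "",
            "key": "Encryption key:on" in block,        # off => open network
            "wpa2": "IE: IEEE 802.11i/WPA2" in block,   # RSN information element
            "wpa": "IE: WPA Version" in block,          # legacy WPA1 element
        })
    return cells

def classify(cell):
    # Worst to best. OPEN is the post's point #1 (data in the clear); WEP is
    # long since broken, so for your own WAP treat it as open too.
    if not cell["key"]:
        return "OPEN"
    if cell["wpa2"]:
        return "WPA2"
    if cell["wpa"]:
        return "WPA"
    return "WEP"   # key on but no WPA/RSN element: only WEP is left

def audit(text):
    # {essid: level} for every access point in the scan text.
    return {c["essid"]: classify(c) for c in parse_scan(text)}
```

Pipe real scan output into `audit()` and look for your own ESSID: anything other than WPA2 means the "in the clear" problem above applies to you.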

On to point #2, and only after clearly stating that I am neither a lawyer nor do I play one on television...there have been several recent cases of less tech-savvy Law Enforcement sorts doing the door-kicker waltz on a Child Porn or other internet offense bust, and on arrival (after seizing all hardware and hauling it off to an LE-friendly geek) discovering no evidence of said offenses - what gives?

One way down this ugly little path is the unsecured wireless access point. Our little wide-open WAP sits there on our innocent critter's network, available for any little old wireless passerby to grab signal and access the net...and any of that wireless passerby's network traffic (say, to "Sam's House of Carnality and Severely Objectionable Naughtiness") will show up to an outside investigator as originating on the network of our innocent critter...which will likely be enough to persuade a judge to authorize a Blue Light Morris Dance and Search of our innocent critter's premises, with seizure of any electronics more complicated than a toaster. Not fun.

Finally, option #3: we have our innocent end-user new to the wonderful world of wireless with a bright shiny new laptop, who in turn discovers the existence of delightfully insecure wireless networks ("I can click and hook up! WOOHOO! WHO NEEDS DSL?") in neighborhood, workplace, and out on patrol. There are a couple of things our newbie should be aware of: first, this sort of hook-up is insecure per se, and second, more and more jurisdictions have, rightly or wrongly, defined this kind of hook-up as theft of services - piggy-backing on someone else's connection w/o permission, not unlike hanging an unauthorized feeder line off someone else's power meter w/o permission in order to power your house.

Finally, with all this fun behind us, we'll move on to the promised discussion of cellular internet access, an entirely different creature. Where the 802.11 family of wireless requires hotspots with hookups to the internet from each hotspot, with cellular, the cell phone company in question acts as the "link to the 'net" and access is available wherever you can get cell phone coverage on the carrier to which you subscribe. Cost is roughly $50-80 a month, depending on what you sign up for, and coverage is roadworthy in most areas...and in most senses, it's safe to treat it with only the degree of paranoia that you'd utilize on a standard internet connection (recall that on the new digital cellular networks, the signal is digitally encrypted anyway), though like with guns, more is better - feel free to add more levels of encryption/safety as your skill levels allow.

Wireless is darned convenient stuff, but not without its little downfalls...but the convenience of going all-wireless (including printers, scanners, etc) is horribly seductive. Different situations will give you different answers, so...

Makes your choices, takes your chances.

4 comments:

Diamond Mair said...

My spousal unit wants, in the worst way, satellite 'Net access - not 'do-able' right now due to finances ........................ I don't want it, because of the security issues, as you mention with wireless - as a "step-up" he wants to install wireless routing in the house from our cable modem - again, for security reasons, I don't want that .................... I understand the speed/broadband issues that make all these things appealing - and if he insists, I'll probably go along - after we establish that any credit card/financial info will be limited to pre-paid Visa cards, and no checking of account balances of our 'regular checking account' online ..................... ;-)

Gay_Cynic said...

I have yet to study up on the security side of satellite 'net access - with adequate encryption, I don't see it as an issue, but what stopped me when I last looked at it for a remote install was expense (high) and data speeds (comparatively cruddy).

Wireless routing in the house or office is a different critter, and at risk of diving into jargon, secure-able - out of the box, though, isn't secure, and securing it properly isn't a novice adventure.

Your approach re cc/fin data is a good one on either a wired or wireless network unless you know the level of security end-to-end.

If the new house still has the walls open or semi-open, it's a great time to pull Cat5 wire at the same time as you pull the phone wires into rooms, always remembering "more jacks=better" for both phones and Ethernet. That, combined with a patch panel in an obscure closet someplace (kept company by a hardware firewall and/or NAT router) can give you a fairly secure site...

The best analogy I have for this kind of situation is to think of the 'net as a series of pipes of varying size/capacity and security (leak-proofing). Each pipe between you and me can be fatter (carrying more data, faster) or skinnier (less data, slower) and some of those pipes are easier to get into than others.

All that said, even if I have cruddy security on the connection itself...if I use a virtual private network with encryption to access a server on the home network (reasonably secure) and then the home network relays on the SSL security out to our remote website...say, Bank of America, and it then responds back...I can, using my bouncing baby VPN, have a reasonable level of security using the unsecured hotspot at the local laundromat because I'm providing fairly intense security (SSL over encrypted VPN) entirely separate from whatever the laundromat is or isn't doing.

Nothing in this world is failsafe, but at that point our little driveby critter is harvesting only gibberish from my signal between my laptop through the coffeeshop WAP (which then goes wired) through the various links to my VPN server at the house, and finally, on out to Ultimate Destination. As a bonus, once he's *1* found my signal, and assume *2* he somehow cracks IPSEC VPN security (unlikely), he must *3* crunch through the SSL encryption.

A good home install of Wireless involves *a* encryption, *b* machine address code (MAC) limiting on the WAP (i.e., even if they guess the encryption, if the MAC is wrong they still have no access), *c* a good firewall, *d* NAT, and *e* a good VPN server.

Granted, I tend to be a little bloodthirsty when it comes to security :)

Thanks for the link, BTW :)

Diamond Mair said...

We have a family member who works for DirectTV, installing the dishes - he told us, last time Mike was saying he wanted it, to ask about the "Blue Sky" {"Sky Blue"?} program DirectTV is now offering - luckily, {^..^} @ $300.00+, it's still out of our reach right now ................
Thank you for your primer on what to get - I'm printing it out, so when "the Gunny" decides to do it, I can hand him that & say ONLY if you meet all these suggestions! ;-)
Along the lines of security - in the movie {I think it was Enemy of the State, with Will Smith & Gene Hackman}, Hackman's character's 'bolthole' was surrounded by copper screen, to preclude 'eavesdropping' - would that be effective for wireless 'Net stuff {this is in my dreams, when I win the lottery & we build our dream home on a 100 acres or 2, and cost is just a 4 letter word ................ ;-) }

Gay_Cynic said...

What you are talking about is a "Faraday Cage" - a cage made of conductive mesh and then grounded, acting to obstruct transmission/reception of all radio/tv/etc signal.

Thus, not only will you be safe from *eebil hacker*, but also from watching David Letterman, using a cell phone, or listening to the local weather radio station. Some might consider this a downside. "Movie=Movie Magic" :)

Encryption (ideally multi-layer) and Access control are actually the best answers in most Wireless environments.

In building a new structure, there are some *really* neat cabling options (sample: http://www.hometech.com/techwire/combo.html#HT-COMBO6 ) and in general, if we're starting with open walls, I *like* wired installations a whole bunch - but understand the convenience of wireless (on which I'm typing this critter on a laptop, coincidentally).

My home wireless is set up with Access Control (it will talk to a total of three specific wireless-equipped computers in the whole wide world, unless I change the settings) and embarrassingly light 128bit encryption. On the list of "things to do" is build a VPN server (IPSEC, thank you) to hang on the wired network that I will be able to access when at the house OR when I'm out and about at a hotspot (creating a 2nd level of encryption, or a 2nd layer on the cake).

Finally, even with the current light encryption (I want 1024bit, thank you) I can easily upgrade when I want secure communications with, for instance, my servers - I never, ever, use Telnet...I use SSH, an encrypted and upgraded version of Telnet...providing an additional level of security on the wireless segment of the "pipe", and significant end-to-end security by using SSH alone on the pipe segments between my laptop and eventual connection with the server.

Hope that helps clarify...