Re: Wireless Network in Public Places Options
From: Floyd L. Davidson (floyd_at_barrow.com)
Date: 02/12/05
- Next message: Richard G. Harper: "Re: LAN Cunnection gets disabled by itself"
- Previous message: Steven L Umbach: "Re: DHCP And Security"
- In reply to: Jeff Liebermann: "Re: Wireless Network in Public Places Options"
- Next in thread: Jeff Liebermann: "Re: Wireless Network in Public Places Options"
- Reply: Jeff Liebermann: "Re: Wireless Network in Public Places Options"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 12 Feb 2005 11:01:53 -0900
Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>On Fri, 11 Feb 2005 13:55:37 -0900, floyd@barrow.com (Floyd L.
>Davidson) wrote:
>
>>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>>>
>>>Again, this cannot be done at the IP level by tweaking the routing
>>>table even if every client were trustworthy. There would be nothing
>
>>A WRT54G router with the correct route table does it quite well.
>
>Using routing to keep wireless clients separated will only work if
>the clients can be trusted.
Not necessarily true.
>For example, I can easily setup a phony
>DHCP server on a wireless laptop that will deliver a creative IP
>address and gateway.
The server on your wireless laptop can't provide an IP or a
gateway route through the router. Hence, regardless of what it
served up, the results would still be exactly the same... no
route to another wireless client through the AP. Routing on the
client makes no difference at all, nor does the IP address used.
There simply is no wireless-to-wireless route.
And of course that *does* presume an AP/router which in fact
routes wireless packets. As pointed out, that is the way it
works with the WRT54G, which does not blindly send wireless
packets to the ethernet switch.
>I think route that IP address to the real
>wireless access point and router going to the internet. Instant "man
So just how do you route "to the real wireless access point and
router"??? There is exactly one AP/router. It routes everything
to the Internet...
>in the middle" exploit. I can capture traffic going in both
>directions and not even bother with removing the 802.11 encapsulation
>required by wireless sniffing.
Your description is not clear (it looks like a bit of editing
went astray, so I'm guessing about what you meant, and may well
be wrong). It sounds as if you mean you can set up another AP
(not a wireless laptop), and operate it as a repeater to the
real AP. That is a threat to a wireless network no matter what
hardware is used.
So is passive sniffing.
I agree that can be done. That is one reason the OP should 1)
be considering physical security as well, and making efforts at
limiting the signal coverage of his AP to the conference room;
and 2) advise customers that they are responsible for encrypting
their data sufficiently if industrial spying is a significant
concern to them.
(I would also point out that detection of the Man-in-the-Middle
exploit would be only slightly above trivial... the provider
can do sniffing too!)
>Methinks you're missing my point. If the packets do not go to the
>internet, as in a wireless to wireless attack, then there is NOTHING
>that a router can do to stop such an attack as it's not even in the
>data path.
That is true, but hardly an insurmountable problem. If the
attacker can sniff... so can the provider!
However, I'm unclear about exactly what you are referring to,
given the above description fits one scenario and the below
description is not at all the same. The one above, if I
understood you correctly, requires adding hardware between the
desired AP and the desired Client, while below you describe an
example of poor administration.
If by "wireless to wireless" above you also meant the same
thing, it ain't gonna happen! The AP *won't* route from one
wireless client to another in the example that I gave, and the
route *is* in the data path.
>Last year, I got a call to see if I could do something about lousy
>thruput at a WISP. They thought they had an RF interference problem.
>After a day of useless RF sniffing, I started looking at the router
>traffic. Nothing unusual or excessive. Eventually, I connected a hub
>at where the access points came together and found LOTS of traffic
>between access points or being repeated out of a single access point.
>(The reason this wasn't done before is the access points were located
>at 40ft on a tower). The system was being used as a repeater between
>a bunch of gamers. All their traffic was wireless to wireless with
>nothing going via the router to the internet. The problem was that
>the access points on the tower had no provision for preventing their
>use in this manner. They would merrily bridge between connected
>clients.
Which is to say, that is unrelated to the method that I
described, which *does* have a provision to prevent use in that
manner.
>(The system WEP keys were cracked long ago). So, I just
>blocked the MAC addresses involved, which slowed them down long enough
>to fix the configuration. I dunno what was done to fix it as I only
>did the RF part. They had a qualified and clueful service company
>that only required that I explain 4 times why tweaking the router
>isn't going to fix traffic problems that don't go through the router.
Fine, but what I described is hardware that *does* run the
wireless to wireless traffic through the router.
>>>Also, without any control, everyone would also get everyone else's
>>>broadcasts.
>>
>>If they are indeed on the same network, that is exactly what is
>>supposed to happen.
What I said there is in error. That won't happen if there is no
route to the client.
>In a common shared network, broadcasts go to every machine on the
>network.
They go to every machine on the subnet, if there is a route.
(In the example I gave, there is no route.)
>They even go through some routers. However, on a VLAN, they
>stay within the confines of the VLAN. You could make each client a
>separate VLAN. I vaguely recall that this was done by some WISPs
>with problems. Not every cheapo home router can handle the oversized
>802.1q tagged packets.
>
>In my hypothetical implementation of a broadcast domain, the broadcast
>packets would NOT propagate to every machine on the network, but only
>go to/from the connected router. That will prevent spoofing DHCP
>servers, Windoze browsing, and fake ARP replies.
>
>>>Therefore, it has to be one at with a bridge/switch at
>>>the MAC level.
>>
>>Typically, yes. Where the hardware is as you've described.
>>Obviously there is more to it than that.
>
>Methinks there is "less" to it than that. It's not like one needs to add
>features to the MAC layer of an access point. One needs to remove
>features. A wireless bridge that only sends packets to one port (i.e.
>the router to the internet port), is a very simple device. Nothing
>fancy or complex required that isn't already in the firmware. One
>only needs to disable a few functions to get this. I suspect it's
>already been done in some products, but I don't have any info on which
>ones.
Well, I'm not guessing about the functionality that I described.
I did guess that it had that capability, but before I spoke up I
reconfigured a WRT54G as described and tried it.
--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@barrow.com
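As an added example, not part of the thread or of any product's firmware: a small Python model of the two forwarding behaviours under dispute, a plain bridge (what the tower access points in the WISP story did) versus a device that delivers every client frame only toward the router (the WRT54G-style behaviour Floyd describes), plus the provider-side check Floyd alludes to, spotting a DHCP server that is answering from a client port. All port names, MAC addresses and frames are constructed for illustration.

```python
# Added example: a model of "bridge" versus "uplink_only" forwarding.
# Port names, MACs and frames are constructed, not taken from any real device.
BROADCAST = "ff:ff:ff:ff:ff:ff"
UPLINK = "eth0"                            # assumed name of the router-side port
MAC_TABLE = {                              # constructed MAC -> port table
    "02:00:00:00:00:01": "wl0.1",          # conference-room client A
    "02:00:00:00:00:02": "wl0.2",          # conference-room client B
    "02:00:00:00:00:03": "wl0.3",          # client C, running a phony DHCP server
    "02:00:00:00:00:fe": UPLINK,           # the router's LAN interface
}
CLIENT_PORTS = {p for p in MAC_TABLE.values() if p != UPLINK}

def forward(frame, policy):
    """Return the set of egress ports a frame is delivered to under `policy`."""
    ingress, dst = frame["in_port"], frame["dst"]
    if policy == "uplink_only":
        if ingress != UPLINK:
            return {UPLINK}                # a client frame has exactly one route: the router
        if dst == BROADCAST:
            return set(CLIENT_PORTS)       # router broadcasts (ARP, DHCP) still reach clients
        return {MAC_TABLE[dst]} if dst in MAC_TABLE else set(CLIENT_PORTS)
    if policy != "bridge":
        raise ValueError(policy)
    everything_else = (CLIENT_PORTS | {UPLINK}) - {ingress}
    if dst == BROADCAST or dst not in MAC_TABLE:
        return everything_else             # flood: clients see each other's broadcasts
    return {MAC_TABLE[dst]} - {ingress}    # learned unicast, client-to-client included

def rogue_dhcp_servers(frames):
    """Provider-side check: DHCP server traffic (UDP source port 67) entering on a
    client port means a client is handing out leases. Returns the offending MACs."""
    return sorted({f["src"] for f in frames
                   if f["in_port"] in CLIENT_PORTS and f.get("udp_sport") == 67})

# Constructed frames: C broadcasts a DHCP OFFER, A sends a unicast to B,
# and the router sends an ARP request (broadcast) in from the uplink.
FRAMES = [
    {"in_port": "wl0.3", "src": "02:00:00:00:00:03", "dst": BROADCAST, "udp_sport": 67},
    {"in_port": "wl0.1", "src": "02:00:00:00:00:01", "dst": "02:00:00:00:00:02"},
    {"in_port": UPLINK, "src": "02:00:00:00:00:fe", "dst": BROADCAST},
]

if __name__ == "__main__":
    for f in FRAMES:
        print(f["in_port"], "bridge ->", sorted(forward(f, "bridge")),
              "| uplink_only ->", sorted(forward(f, "uplink_only")))
    print("DHCP servers seen on client ports:", rogue_dhcp_servers(FRAMES))
```

Under "bridge" the phony OFFER reaches both other clients; under "uplink_only" it reaches only the router's port, where the provider can see and act on it.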