Re: Wireless Network in Public Places Options
From: Floyd L. Davidson (floyd_at_barrow.com)
Date: 02/13/05
- Next message: is_it_computing_at_spymac.com: "an FTP site has appeared in my network places"
- Previous message: danieltan_at_time.net.my: "Re: Netlogon service problem"
- In reply to: Jeff Liebermann: "Re: Wireless Network in Public Places Options"
- Next in thread: Jeff Liebermann: "Re: Wireless Network in Public Places Options"
- Reply: Jeff Liebermann: "Re: Wireless Network in Public Places Options"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 13 Feb 2005 01:58:05 -0900
Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>On Sat, 12 Feb 2005 11:01:53 -0900, floyd@barrow.com (Floyd L.
>Davidson) wrote:
>
>>>Using routing to keep wireless clients separated will only work if
>>>the clients can be trusted.
>
>>Not necessarily true.
>
>Yeah, sorta maybe. If I can get the access point to bridge between
>two client radios, none of the packets will go through the router.
>Therefore tweaking the routing will do nothing to prevent this. I can
If you *can't* get the AP to bridge, then all this esoteric
techie "commentary" of yours means nothing. The appropriate
hardware *is* available, your point has no merit, and all you
are saying is that installing the wrong equipment will provide
the wrong results. That's not news, and not interesting to me
or probably to the OP either.
>There is no wireless to wireless "route" but there is a wireless to
>wireless "bridge".
If you install the *wrong* equipment.
>I'm not sure how the WRT54G works.
So I noticed.
>>Your description is not clear (it looks like a bit of editing
>>went astray, so I'm guessing about what you meant, and may well
>>be wrong). It sounds as if you mean you can set up another AP
>>(not a wireless laptop), and operate it as a repeater to the
>>real AP. That is a threat to a wireless network no matter what
>>hardware is used.
>
>Nope. It can be done with a single laptop and single radio. I really
>didn't want to get into implementation. However, if you insist.
Yep. You merely use different terminology. It makes no difference,
the point is the same, and un-interesting. You've got "another
AP (not a wireless laptop), and operate it as a repeater", no
matter what you want to call it.
>>So is passive sniffing.
>
>Actually, you'll find passive sniffing to be somewhat of a challenge.
It isn't.
>The problem is finding a location that can hear both the access point
>and the client at the same time in order to capture both sides of the
Which is even less critical than locating the above "access
point simulator". You can't argue one is easy and the other is
not easier.
>traffic. That's fairly easy in a small cafe, but there are plenty of
>other locations where it would be difficult to find a suitable
>location.
No provider will go to the expense required to counter that
possibility, nor should they. There are better ways to deal
with it, and those are at the customer's discretion.
>>That is one reason the OP should 1)
>>be considering physical security as well, and making efforts at
>>limiting the signal coverage of his AP to the conference room;
>
>Got it. Wifi absorbent wallpaper:
> http://www.newscientist.com/article.ns?id=dn6240
Now we are down to where every hotel conference room needs to be
Tempest proof... ;-)
>>and 2) advise customers that they are responsible for encrypting
>>their data sufficiently if industrial spying is a significant
>>concern to them.
>
>Groan...another warning label. Click here [ ] to approve the terms of
>service, acceptable use policy, and general repudiation of
>responsibility.
> "Warning. Unencrypted WiFi may be dangerous to your security".
I'm sure the hotel's General Counsel would approve, once another
line is added:
"The customer is responsible for their own data encryption."
>>(I would also point out that detection of the Man-in-the-Middle
>>exploit would be only slightly above trivial... the provider
>>can do sniffing too!)
>
>Well, a simple traceroute will usually detect the extra hop.
Traceroute won't even show that the WRT54G is there, never mind
an intruder.
>Sigh. AP's don't route...they bridge. AP's don't have routers. AP's
Sigh. The WRT54G is an AP that routes. Probably others do too.
>Think bridging, not routing.
Think wrong equipment, get wrong results. Don't install a
bridge, install a router. (Get one with an AP built in... :-)
>It's possible that your customized WRT54G firmware does it
>correctly. However, I'm suspicious. It's easy enough to test.
I'm suspicious myself. That's why I checked to see if your
analysis was correct, by testing it for myself. The difference
is that I did the testing *before* I started writing...
>I just
>tried it with my BEFW11S4 and my laptop can easily see the other
>wireless clients on the LAN.
Wrong equipment, wrong results.
>>>(The system WEP keys were cracked long ago). So, I just
>>Fine, but what I described is hardware that *does* run the
>>wireless to wireless traffic through the router.
>
>Nope.
What do you mean "Nope."??? I described hardware that *does* do
exactly that. The number of _other_ equipments that you've
looked at which do not, has no significance.
>I can do the same thing with just an access point, which
>doesn't even have a router attached. Again, think bridging (as in
>layer 2) and forget about routing.
Wrong equipment, wrong results. And as long as you want to use
a bridge rather than a router, you still won't get the right
results.
>Sorry. I missed the example. How do you control broadcasts by
>routing? Without a destination address, there's no way to direct
>broadcasts anywhere. That's why it had to be done on Layer 2 with
>VLAN 802.1q.
So tell us what happens when the broadcast packet hits a router?
Is that done in Layer 2, according to VLAN 802.1q???
>>Well, I'm not guessing about the functionality that I described.
>>I did guess that it had that capability, but before I spoke up I
>>reconfigured a WRT54G as described and tried it.
>
>Please pardon my suspicious nature.
Read the previously provided description.
You responded to the OP's summary dismissal of your technically
_useless_ detail with a rebuke, which you claimed would "sting".
Yet you don't seem willing to read the *pertinent* technical
details provided to demonstrate where your analysis was
incomplete.
>How did you test?
>Could the clients "see" each other?
>Could you ping other clients? (No fair using personal firewalls).
See above.
-- Floyd L. Davidson <http://web.newsguy.com/floyd_davidson> Ukpeagvik (Barrow, Alaska) floyd@barrow.com
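The thread above argues over whether a laptop posing as a repeater for the hotspot (the "access point simulator") is hard to place and hard to detect, and Floyd notes that the provider can sniff too. The script below is an added example, written for this archive page and not code from either poster or from the WRT54G firmware: it takes a provider-side passive capture of beacon frames and flags any BSSID that advertises one of the provider's own SSIDs without being in the provider's inventory. The record format (`beacon,<ssid>,<bssid>,<channel>,<rssi_dbm>`), the inventory `AUTHORIZED`, and every address and SSID in `SAMPLE_CAPTURE` are constructed for the example; a real deployment would feed it from a monitor-mode sniffer.

```python
"""Provider-side detection of a rogue access point at a hotspot.

Added example for the thread above, not code from the original posts.
Assumed input: one record per observed 802.11 beacon, pre-decoded by
whatever sniffer the provider runs, in the invented form
    beacon,<ssid>,<bssid>,<channel>,<rssi_dbm>
The inventory and the sample capture below are constructed.
"""
from collections import defaultdict, namedtuple

Beacon = namedtuple("Beacon", "ssid bssid channel rssi")

# Assumed inventory: SSIDs this provider operates and the BSSIDs
# (AP radio MACs) that are allowed to beacon them.
AUTHORIZED = {"HotelConf": {"00:11:22:33:44:55"}}

# Constructed capture. The third HotelConf beacon comes from a BSSID
# that is not ours and is heard louder than the real AP: the evil-twin
# pattern. The cafe next door advertises a different SSID and is not
# a finding. Comment and blank lines are skipped by the parser.
SAMPLE_CAPTURE = """\
# ssid, bssid, channel, rssi (constructed)
beacon,HotelConf,00:11:22:33:44:55,6,-62
beacon,HotelConf,00:11:22:33:44:55,6,-60

beacon,HotelConf,00:DE:AD:BE:EF:01,6,-40
beacon,CoffeeNextDoor,00:99:88:77:66:55,11,-75
"""


def parse_capture(text):
    """Turn the constructed record format into Beacon tuples.

    BSSIDs are lower-cased so that inventory comparison is exact;
    malformed lines are skipped rather than aborting the run."""
    beacons = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 5 or fields[0] != "beacon":
            continue
        try:
            beacons.append(Beacon(fields[1], fields[2].lower(),
                                  int(fields[3]), int(fields[4])))
        except ValueError:
            continue
    return beacons


def rogue_bssids(beacons, authorized):
    """Map each of *our* SSIDs to the BSSIDs beaconing it that are not
    in the inventory. Foreign SSIDs are ignored: a neighbouring network
    is not an impersonation of this hotspot."""
    seen = defaultdict(set)
    for b in beacons:
        if b.ssid in authorized:
            seen[b.ssid].add(b.bssid)
    return {ssid: bssids - authorized[ssid]
            for ssid, bssids in seen.items()
            if bssids - authorized[ssid]}


def strongest_signal(beacons, bssid):
    """Loudest RSSI seen from a BSSID; an impostor that is heard louder
    than the real AP is the one clients will prefer to associate with."""
    return max(b.rssi for b in beacons if b.bssid == bssid)


def analyse(text, authorized=AUTHORIZED):
    """Return one human-readable finding per rogue BSSID."""
    beacons = parse_capture(text)
    findings = []
    for ssid, bssids in sorted(rogue_bssids(beacons, authorized).items()):
        real_rssi = max(strongest_signal(beacons, a)
                        for a in authorized[ssid]
                        if any(b.bssid == a for b in beacons))
        for bssid in sorted(bssids):
            rssi = strongest_signal(beacons, bssid)
            louder = "louder than" if rssi > real_rssi else "weaker than"
            findings.append(
                f"rogue AP {bssid} beaconing SSID {ssid!r} at {rssi} dBm "
                f"({louder} the real AP at {real_rssi} dBm)")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_CAPTURE):
        print(finding)
```

The check is deliberately narrow: it catches the repeater/simulator case the thread describes (same SSID, unknown BSSID) and says nothing about traffic between legitimate clients, which, as the exchange makes clear, depends on whether the AP bridges or routes wireless-to-wireless frames.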