Airport Security / Encryption

myname - 28 Jan 2005 05:32 GMT
I use my iBook on the wireless network at my school, yet lately I see
other students using packet sniffers like Ethereal to scan for things
like passwords, e-mails, etc. Is there a simple way to secure Airport
and prevent this kind of thing from happening, or is this just the
price you pay for using wireless?

* posted via http://mymac.ws
Zaphod B - 28 Jan 2005 09:14 GMT
> I use my iBook on the wireless network at my school, yet lately I see
> other students using packet sniffers like Ethereal to scan for things
[quoted text clipped - 3 lines]
>
> * posted via http://mymac.ws

There are ways to do this, but it would have to be done on the network
(base station) side. AFAIK, you cannot decide for yourself to use
encryption if it hasn't been set up on the base station(s) in the
network.

OTOH; they really ought to do that, for these exact reasons. The network
could be kept "open" in the sense of being visible, but you would need
an ID/pw combo to log on. Any student in the school could be given the
same ID/pw or separate ones, but in any case this would encrypt the
communications channel of each machine. The advantage of separate logins
would be that the sys.admin could see who does what.

/Z

nospam - 28 Jan 2005 10:24 GMT
> > I use my iBook on the wireless network at my school, yet lately I see
> > other students using packet sniffers like Ethereal to scan for things
[quoted text clipped - 6 lines]
> encryption if it hasn't been set up on the base station(s) in the
> network.

except that doesn't do anything to prevent watching network traffic and
snarfing passwords and whatever else looks interesting.  if someone can
connect to the basestation, they can sniff the whole subnet and watch
every other wireless user and perhaps some wired ones too. it really is
quite easy to do, and very eye opening.  

encryption just makes it harder for someone who *can't* connect to the
basestation to watch the radio traffic. also, wep is easily cracked, so
even if it is encrypted, it just slows down the dedicated.  wpa is much
more difficult to crack and therefore preferable.  but as i said, if
you can connect legitimately in the first place, you can easily watch
all the other users.

to remedy this, use ssh wherever possible.  most isps provide for
encrypted email authentication and just about any website that wants
personal information is encrypted.  however, there is still a *lot*
left that is sent in the clear.

ideally, one should set up an ssh or vpn tunnel to their isp or a known
secure network. then, everything goes through that, and anyone sniffing
won't get too far.
Zaphod B - 28 Jan 2005 12:14 GMT
> ideally, one should set up an ssh or vpn tunnel to their isp or a known
> secure network. then, everything goes through that, and anyone sniffing
> won't get too far.

I agree. However, one needs to consider what is practical in a school
setting. Where's the crossover between convenience (lack of which will
make students & faculty not use the network) and security?

I don't have an answer to this, but at least WEP and separate IDs would
make life harder for the not-too-sophisticated wannabe cracker. WPA, as
you say, is better still, by a long shot. Nothing is impossible to crack
in the long run (PGP seems to be aiming at a _really_ long run, though),
but there has to be a meeting point somewhere that makes security and
convenience balance acceptably to most parties.

That said, it's pretty obvious that one _always_ needs to be conscious
about _really_ sensitive information. But there I don't think I'm
talking about high school hand-ins. At least I hope not.

/Z

Neill Massello - 28 Jan 2005 20:27 GMT
> except that doesn't do anything to prevent watching network traffic and
> snarfing passwords and whatever else looks interesting.  if someone can
[quoted text clipped - 8 lines]
> you can connect legitimately in the first place, you can easily watch
> all the other users.

This is true for plain WEP, but my understanding of WPA is that it uses
a different encryption key for each client during a session, so that
merely knowing the password (or "pre-shared secret") and joining the
network is not enough to allow decryption of other users' traffic.
nospam - 28 Jan 2005 21:18 GMT
> > except that doesn't do anything to prevent watching network traffic and
> > snarfing passwords and whatever else looks interesting.  if someone can
[quoted text clipped - 13 lines]
> merely knowing the password (or "pre-shared secret") and joining the
> network is not enough to allow decryption of other users' traffic.

once you connect to the base station, you can watch all traffic on the
subnet (unless the network is designed to prevent that, which is not
that likely in my experience).  that means, traffic from *every other
person* who is also connected to the basestation (and possibly other
nearby basestations, depending on the network setup). try it sometime
at a public hotspot.

this is a separate issue from picking up the wireless signal and
listening to what is being transmitted between a user and the
basestation. if this link is not encrypted, anyone can 'listen in,'
within wireless range (which can be far if they are using special
antennas).

if it is encrypted, then one must crack the encryption to sniff packets
(or legitimately connect, as mentioned above). wep and wpa slow down
people who want to watch the radio traffic for passwords or whatever.
wpa is harder to crack, but not impossible. unless you specifically are
being targeted, it's good enough for most purposes.

ideally, one should set up vpn to somewhere trusted, but that is not
practical for most people. short of that, use ssh wherever possible.
Clark Martin - 31 Jan 2005 06:23 GMT
> once you connect to the base station, you can watch all traffic on the
> subnet (unless the network is designed to prevent that, which is not
> that likely in my experience).  that means, traffic from *every other
> person* who is also connected to the basestation (and possibly other
> nearby basestations, depending on the network setup). try it sometime
> at a public hotspot.

Unless they are using switches, in which case all you can see from any
given machine is its own traffic and broadcast traffic.


Clark Martin
Redwood City, CA, USA               Macintosh / Internet Consulting

"I'm a designated driver on the Information Super Highway"

Louis Jones - 28 Jan 2005 13:11 GMT
>> I use my iBook on the wireless network at my school, yet lately I see
>> other students using packet sniffers like Ethereal to scan for things
[quoted text clipped - 15 lines]
>communications channel of each machine. The advantage of separate logins
>would be that the sys.admin could see who does what.

Hello,

What you should be doing is using ssh for everything. Imaps (imap/ssh)
for e-mail. ssh for shell access to other systems. And scp for file
transfer. Nothing passes in the clear.

--Louis
Marcus - 28 Jan 2005 17:23 GMT
>>>I use my iBook on the wireless network at my school, yet lately I see
>>>other students using packet sniffers like Ethereal to scan for things
[quoted text clipped - 19 lines]
> for e-mail. ssh for shell access to other systems. And scp for file
> transfer. Nothing passes in the clear.

I would second all the advice given here... but you should be aware that
even with ssh, a determined cracker performing an ARP-based attack with
e.g. ettercap will *still* be able to dissect all your traffic.

I would qualify that by adding that most probably wouldn't bother -
you'd have to be quite unlucky - and that there may be complications
with performing ARP attacks over wireless of which I am unaware, which
could make this even less likely.

Marcus
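
Added example, not part of any post in this thread: a defender-side check for the ARP-based interception mentioned above. It parses `arp -a` output and flags a hardware address that answers for more than one IP, or a gateway whose address differs from a recorded one. The sample output, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output (macOS style); all addresses are made up.
SAMPLE_ARP = """\
? (10.0.1.1) at 0:11:24:aa:bb:1 on en1 [ethernet]
? (10.0.1.23) at 0:d:93:12:34:56 on en1 [ethernet]
? (10.0.1.42) at 0:11:24:aa:bb:1 on en1 [ethernet]
? (10.0.1.77) at (incomplete) on en1 [ethernet]
? (10.0.1.255) at ff:ff:ff:ff:ff:ff on en1 [ethernet]
"""

# "(ip) at mac"; unresolved "(incomplete)" entries do not match and are skipped.
ENTRY = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"([0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})\b"
)

def normalise_mac(mac):
    """macOS drops leading zeros (0:d:93...); pad and lowercase for comparison."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))

def parse_arp(text):
    """Return {ip: mac} for every resolved entry in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            table[m.group(1)] = normalise_mac(m.group(2))
    return table

def shared_macs(table):
    """MACs that answer for more than one IP (broadcast address excluded)."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if mac != "ff:ff:ff:ff:ff:ff":
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_changed(table, gateway_ip, expected_mac):
    """True if the gateway currently resolves to a MAC other than the recorded one."""
    current = table.get(gateway_ip)
    return current is not None and current != normalise_mac(expected_mac)

if __name__ == "__main__":
    table = parse_arp(SAMPLE_ARP)
    print(shared_macs(table))
    print(gateway_changed(table, "10.0.1.1", "00:11:24:AA:BB:02"))
```

A shared hardware address is a signal to investigate, not proof: multi-homed hosts and proxy ARP produce the same pattern legitimately.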
Greg Pratt - 29 Jan 2005 18:23 GMT
>> What you should be doing is using ssh for everything. Imaps (imap/ssh)
>> for e-mail. ssh for shell access to other systems. And scp for file
[quoted text clipped - 3 lines]
>even with ssh, a determined cracker performing an ARP-based attack with
>e.g. ettercap will *still* be able to dissect all your traffic.

SSH, when properly configured and correctly used, is not vulnerable to
ettercap or other man-in-the-middle tools.  SSL connections might be
vulnerable to such attacks, depending on how (or if!) certificates are
handled in the initial negotiation, but that still seems a bit far-fetched.

Louis Jones's initial suggestion is still valid: just assume that your
wireless connections are wide open, and that everyone can read them.  A
number of protocols can be hardened by running them through SSL-wrapped
connections or tunneling them through SSH.  Still others (like SSH itself)
are inherently secure, at least if used correctly.  Beware tools like AIM
when using wireless or foreign networks, as they don't provide any
protection for your passwords.


Gregory Pratt         usenet@gp.users.panix.com (forwarded to /dev/null)
"The only good spammer is a dead spammer."
awk '{split($0,a,"@");split(a[2],b,".");print b[1] "@" b[3] "." b[4]}'
PGP Key Fingerprint:  DC60 FCDE 91E2 3D41 91A3  45DB B474 3D3A 3621 AAFE
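
Added example, not part of any post in this thread: the host-key comparison that lets a correctly used SSH client notice an interposed machine, sketched against the `known_hosts` file format (plain and hashed host fields). Host names, keys and the salt are constructed, the helper names are hypothetical, and wildcard or negated host patterns are not handled.

```python
import base64, hashlib, hmac

def make_blob(seed):
    """Constructed stand-in for a public key blob (not a real key)."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    raw = len(name).to_bytes(4, "big") + name + len(key).to_bytes(4, "big") + key
    return base64.b64encode(raw).decode()

def hashed_host(host, salt):
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def fingerprint(key_b64):
    """SHA256 fingerprint in the form current OpenSSH prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a host against a plain comma-separated or hashed host field."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")

def check_host_key(known_hosts, host, key_type, key_b64):
    """'ok' if the presented key is on record, 'MISMATCH' if the host is known
    with a different key of that type, 'unknown' if the host is not recorded."""
    seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        # Skip blanks, comments and @marker lines (@revoked, @cert-authority).
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if parts[1] == key_type and host_matches(parts[0], host):
            if parts[2] == key_b64:
                return "ok"
            seen = True
    return "MISMATCH" if seen else "unknown"

SERVER_KEY = make_blob(b"constructed server key")
ROGUE_KEY = make_blob(b"constructed interposed key")
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts content",
    "shell.example.edu,192.0.2.10 ssh-ed25519 " + SERVER_KEY,
    hashed_host("mail.example.edu", b"constructed-salt-20b") + " ssh-ed25519 " + SERVER_KEY,
])
```

The protection holds only if a "MISMATCH" result stops the connection; accepting the changed key anyway is the incorrect use the post warns about.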

myname - 28 Jan 2005 15:17 GMT
> OTOH; they really ought to do that, for these exact reasons. The
> network
> could be kept "open" in the sense of being visible, but you would need
> an ID/pw combo to log on.

Each student/faculty member already has a separate logon for using
the network. I don't think encryption is included in this setup,
though.

> What you should be doing is using ssh for everything. Imaps (imap/ssh)
> for e-mail. ssh for shell access to other systems. And scp for file
> transfer. Nothing passes in the clear.

Okay, that sounds pretty good, how can I set this up? Will it work
for web browsing as well, or do you just mean shell access like the
kind you get from the terminal window?

* posted via http://mymac.ws
 