Beware Thieves! – part 2

In an earlier article in this space,
we began a two-part examination of the theft of
wireless service. The consensus is that while the risk of theft may not
be huge, ISPs need to take “moderate and sensible” precautions against

In this issue, we look at some of those basic precautions and what one
leading manufacturer is doing about wireless security.

Considerable safeguards
BreezeCOM, manufacturer of equipment used by many 2.4GHz-based wireless ISPs, has
gone above and beyond moderate and sensible precautions, says director
of product management Duane Buddrius. With its BreezeACCESS and BreezeNET
products, the company has added significant new security features
that were not included in earlier BreezeCOM equipment.

The first line of defense for a network operator is the access code or
Extended Service Set ID (ESSID) assigned to each wireless station adapter.
At the very least, the network should be set up to deny access to stations
with invalid access codes.

The easiest way for a hacker to steal service is to hack the access code
of a legitimate user—perhaps a friendly neighbor who provides physical
access to his equipment or who already knows the code.

Wandering passages
With older BreezeCOM equipment, and also other vendors’ equipment, anyone
with technical knowledge of the station adapter units can reprogram the
access code. But with the newer BreezeCOM gear, you’ll need an engineering
password to change an access code.

Buddrius suggests operators can further increase security by implementing
a regime of constantly changing access codes—to prevent hackers guessing
valid codes, which is not impossible to do. Changing the codes regularly
can be done remotely from a network operations center.

BreezeCOM has also implemented something called VLAN tagging. A few data
bits identifying the originating user are added to each data frame. This
feature was designed to allow operators to set up virtual private networks

The newer products also include VLAN tag management systems that allow
operators to filter data frames by VLAN tag and block traffic with invalid
tags. This may be more than most ISPs will be willing to implement, though,
especially those not planning to offer VPN service.

Confined portholes
Two other new features make it even more difficult for hackers to access
station adapters to make configuration changes.

Potential intruders can no longer gain access to the adapter through
the station’s Ethernet port, only through the RF port. So hackers can’t
access the station adapter via the attached PC. And the operator can set
up his network management system so that only certain machines at the
network operations center, identified by IP address, have the engineering
authorization to access those RF ports.

BreezeCOM has even made it possible for operators to encrypt access codes
using RC4 authentication—so even if a hacker found a way to read
codes from the hardware or scan the airwaves for legitimate codes, they’d
be useless.

Is it enough? “Nothing is ever completely hack proof,”
Buddrius concedes. “But I think this is 99.99 percent foolproof. And
this is just stuff on the access side. Then there are layers of security
that are part of the network itself that are standard practice for

The trouble is that many wireless ISPs are still using older BreezeNET
gear and older equipment from other vendors that is similarly unprotected.
And many may continue to do so because the older equipment is less expensive.

But while wireless ISPs we talked to agree the kind of protection BreezeCOM
is building in against hacking of access codes is a good and necessary
thing, they say it may not be the most important thing.

Obstructing traffic
Louisiana-based ShreveNet already has a system in place to remotely change
access codes on a regular basis, says president Allen Marsalis. In fact, his company
won’t support wireless access PC cards—as opposed to external station
adapters connected through an Ethernet NIC—because card products don’t
support the Simple Network Management Protocol (SNMP) required to change
codes via remote access.

But Marsalis and others say filtering traffic by the Media Access Control
(MAC) address of the Ethernet adapter, which is unchangeable, is far more
important. Operators can simply block traffic that does not originate
at a network interface card (NIC) with a known MAC.

“When you move up to the MAC addresses, that’s where the real security
is,” says Marsalis.

It’s possible to filter for MAC addresses at two places in the network,
he points out, at the radio at the access point or at a router at the
network operating center. Most radios have some form of MAC filtering,
he claims. And some routers—certainly the Cisco units his company is
using—also do.

There is one drawback to the security system if the customer changes
his NIC without warning—the new MAC address won’t be valid and the
customer will be denied access. It’s an easy enough problem to troubleshoot,
of course. And it’s easy enough to fix as well, simply by amending the
network management system’s table of valid MAC addresses.
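
The MAC filtering and VLAN tag filtering described above, as an added example (not code from the article or from any vendor or ISP it names): a Python check that admits a frame only when its source MAC is in the operator's table and its tag matches the VLAN assigned to that customer. It assumes the tags are standard IEEE 802.1Q tags, which the article does not state; the subscriber table, addresses and function names are constructed.

```python
import struct

ETH_P_8021Q = 0x8100  # TPID that marks an 802.1Q VLAN-tagged frame (assumed tag format)

def normalize_mac(text):
    """Accept aa:bb:.., AA-BB-.. or aabb.ccdd.eeff and return aa:bb:cc:dd:ee:ff."""
    digits = text.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_frame(frame):
    """Return (source MAC, VLAN ID or None) from a raw Ethernet header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return src, None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return src, tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID

def admit(frame, subscribers):
    """subscribers maps canonical MAC -> VLAN ID assigned to that customer."""
    try:
        src, vlan = parse_frame(frame)
    except ValueError as exc:
        return False, str(exc)
    if src not in subscribers:
        return False, f"unknown MAC {src}"
    if vlan != subscribers[src]:
        return False, f"{src} sent VLAN {vlan}, expected {subscribers[src]}"
    return True, "ok"

def build_frame(src, vlan=None, dst="ff:ff:ff:ff:ff:ff"):
    """Build a constructed test frame (header plus zero padding)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan)
    return hdr + struct.pack("!H", 0x0800) + b"\x00" * 46

# Constructed subscriber table: MAC of each customer's NIC -> assigned VLAN ID.
SUBSCRIBERS = {normalize_mac("02-00-00-00-00-01"): 101,
               normalize_mac("0200.0000.0002"): 102}
```

A replaced NIC is denied until its new address is added to `SUBSCRIBERS`, which is the table amendment the article describes.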

Core modifications
Paul Farber, owner of Farber
in rural Pennsylvania, another independent wireless ISP
we polled, says MAC filtering can also be done at the firewall. The latest
version of Linux will include a MAC filtering capability in the kernel,
he says.

“As the new products roll out, most of the small [wireless access] providers
will probably look at some sort of NT or Linux firewall that has MAC address
filtering,” Farber says. “Because that’s the only way to be sure. You
can’t change MAC addresses.”

Is MAC filtering on its own an adequate way to protect your wireless
network against theft of service? It sure sounds like it to us, but we’d
love to hear other opinions on the subject.
