RealTime IT News

Beware Thieves! - part 2

In an earlier article in this space [Beware, Thieves!], we began a two-part examination of the theft of wireless service. The consensus is that while the risk of theft may not be huge, ISPs need to take "moderate and sensible" precautions against it.

In this issue, we look at some of those basic precautions and what one leading manufacturer is doing about wireless security.

Considerable safeguards
BreezeCOM, manufacturer of equipment used by many 2.4GHz-based wireless ISPs, has gone above and beyond moderate and sensible precautions, says director of product management Duane Buddrius. With its BreezeACCESS and BreezeNET PRO products, the company has added significant new security features that were not included in earlier BreezeCOM equipment.

The first line of defense for a network operator is the access code or Extended Service Set ID (ESSID) assigned to each wireless station adapter. At the very least, the network should be set up to deny access to stations with invalid access codes.

The easiest way for a hacker to steal service is to hack the access code of a legitimate user—perhaps a friendly neighbor who provides physical access to his equipment or who already knows the code.

Wandering passages
With older BreezeCOM equipment, and also other vendors' equipment, anyone with technical knowledge of the station adapter units can reprogram the access code. But with the newer BreezeCOM gear, you'll need an engineering password to change an access code.

Buddrius suggests operators can further increase security by implementing a regime of constantly changing access codes—to prevent hackers guessing valid codes, which is not impossible to do. Changing the codes regularly can be done remotely from a network operations center.

BreezeCOM has also implemented something called VLAN tagging. A few data bits identifying the originating user are added to each data frame. This feature was designed to allow operators to set up virtual private networks (VPNs).

The newer products also include VLAN tag management systems that allow operators to filter data frames by VLAN tag and block traffic with invalid tags. This may be more than most ISPs will be willing to implement, though, especially those not planning to offer VPN service.
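To make the tag-filtering idea concrete, here is an added example (not BreezeCOM's code, and not from the original article) that parses an Ethernet II frame, pulls the 12-bit VLAN ID out of an 802.1Q tag when one is present, and drops frames whose tag does not match the VID the operator assigned to the sending station. The per-station VID table, the station MACs and the sample frames are constructed for the example.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # TPID that marks an 802.1Q-tagged frame

def parse_frame(frame):
    """Return (dst_mac, src_mac, vid, ethertype, payload); vid is None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    vid, offset = None, 14
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF  # low 12 bits are the VLAN ID; top 4 are PCP/DEI
        offset = 18
    return dst.hex(":"), src.hex(":"), vid, etype, frame[offset:]

def tag_policy(frame, station_vlans):
    """Accept a frame only if it carries the VID assigned to its source station."""
    _, src, vid, _, _ = parse_frame(frame)
    if vid is None:
        return "drop", f"{src}: untagged frame"
    expected = station_vlans.get(src)
    if expected is None:
        return "drop", f"{src}: unknown station"
    if vid != expected:
        return "drop", f"{src}: VID {vid} but station is assigned VID {expected}"
    return "accept", f"{src}: VID {vid}"

def build_frame(dst, src, vid, ethertype, payload):
    """Build a (possibly tagged) Ethernet II frame; used only to construct samples."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed assignments: station MAC -> VLAN ID the operator gave that customer.
STATION_VLANS = {"00:0c:29:aa:bb:01": 101, "00:0c:29:aa:bb:02": 102}
AP_MAC = "00:0c:29:00:00:01"
IPV4 = 0x0800
SAMPLES = [
    build_frame(AP_MAC, "00:0c:29:aa:bb:01", 101, IPV4, b"\x45" + b"\x00" * 19),
    build_frame(AP_MAC, "00:0c:29:aa:bb:02", 101, IPV4, b"\x45" + b"\x00" * 19),  # wrong VID
    build_frame(AP_MAC, "00:0c:29:aa:bb:01", None, IPV4, b"\x45" + b"\x00" * 19),  # untagged
    build_frame(AP_MAC, "00:0c:29:ff:ee:dd", 103, IPV4, b"\x45" + b"\x00" * 19),  # unknown
]

def verdicts(frames=SAMPLES, policy=STATION_VLANS):
    return [tag_policy(f, policy)[0] for f in frames]
```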

Confined portholes
Two other new features make it even more difficult for hackers to access station adapters to make configuration changes.

Potential intruders can no longer gain access to the adapter through the station's Ethernet port, only through the RF port. So hackers can't access the station adapter via the attached PC. And the operator can set up his network management system so that only certain machines at the network operations center, identified by IP address, have the engineering authorization to access those RF ports.

BreezeCOM has even made it possible for operators to encrypt access codes using RC4 authentication—so even if a hacker found a way to read codes from the hardware or scan the airwaves for legitimate codes, they'd be useless.

Is it enough? Nothing is ever completely hack proof, Buddrius concedes. "But I think this is 99.99 percent foolproof. And this is just stuff on the access side. Then there are layers of security that are part of the network itself that are standard practice for ISPs."

The trouble is that many wireless ISPs are still using older BreezeNET gear and older equipment from other vendors that is similarly unprotected. And many may continue to do so because the older equipment is less expensive.

But while wireless ISPs we talked to agree the kind of protection BreezeCOM is building in against hacking of access codes is a good and necessary thing, they say it may not be the most important thing.

Obstructing traffic
Louisiana-based ShreveNet Inc. already has a system in place to remotely change access codes on a regular basis, says president Allen Marsalis. In fact, his company won't support wireless access PC cards—as opposed to external station adapters connected through an Ethernet NIC—because card products don't support the Simple Network Management Protocol (SNMP) required to change codes via remote access.

But Marsalis and others say filtering traffic by the Media Access Control (MAC) address of the Ethernet adapter, which is unchangeable, is far more important. Operators can simply block traffic that does not originate at a network interface card (NIC) with a known MAC.

"When you move up to the MAC addresses, that's where the real security is," says Marsalis.

It's possible to filter for MAC addresses at two places in the network, he points out: at the radio at the access point, or at a router at the network operations center. Most radios have some form of MAC filtering, he claims. And some routers—certainly the Cisco units his company is using—also do.

There is one drawback to the security system: if the customer changes his NIC without warning, the new MAC address won't be valid and the customer will be denied access. It's an easy enough problem to troubleshoot, of course. And it's easy enough to fix as well, simply by amending the network management system's table of valid MAC addresses.

Core modifications
Paul Farber, owner of Farber Technology in rural Pennsylvania, another independent wireless ISP we polled, says MAC filtering can also be done at the firewall. The latest version of Linux will include a MAC filtering capability in the kernel, he says.

"As the new products roll out, most of the small [wireless access] providers will probably look at some sort of NT or Linux firewall that has MAC address filtering," Farber says. "Because that's the only way to be sure. You can't change MAC addresses."
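As an added example of the MAC filtering Marsalis and Farber describe (illustrative code, not ShreveNet's, Farber Technology's or any router vendor's), the following default-deny allowlist forwards only frames from a known NIC, and it handles the NIC-swap drawback noted above: a frame from an unknown NIC that uses an address the operator assigned to a customer is dropped but queued for review, and the table is amended once the change is confirmed. The customer records, IP assignments and router log lines (in a made-up key=value format) are constructed for the example.

```python
import re
# Constructed operator records: customer -> MAC of the customer's NIC; static IP -> customer.
ALLOWLIST = {"cust-101": "00:0c:29:aa:bb:01", "cust-102": "00:0c:29:aa:bb:02"}
IP_ASSIGNMENTS = {"10.1.1.5": "cust-101", "10.1.1.6": "cust-102"}

# Constructed router log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
src_mac=00:0C:29:AA:BB:01 src_ip=10.1.1.5 proto=tcp
src_mac=00-0c-29-aa-bb-02 src_ip=10.1.1.6 proto=udp
src_mac=00:0c:29:ff:ee:dd src_ip=10.1.1.9 proto=tcp
src_mac=00:0c:29:12:34:56 src_ip=10.1.1.6 proto=tcp
"""
LINE_RE = re.compile(r"src_mac=(\S+)\s+src_ip=(\S+)")

def normalize_mac(mac):
    """Canonical lower-case colon form, so '00-0C-29-AA-BB-01' matches the table."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class MacFilter:
    def __init__(self, allowlist, ip_assignments):
        self.mac_to_customer = {normalize_mac(m): c for c, m in allowlist.items()}
        self.ip_to_customer = dict(ip_assignments)

    def check(self, src_mac, src_ip):
        """Verdict for one frame. Default deny: only a known NIC is forwarded."""
        customer = self.mac_to_customer.get(normalize_mac(src_mac))
        if customer is not None:
            return "accept", customer
        owner = self.ip_to_customer.get(src_ip)
        if owner is not None:
            # A customer's address from an unknown NIC: the NIC swap the article
            # describes, or someone else using that address. Drop and flag for review.
            return "drop-review", owner
        return "drop", "unknown station"

    def update_mac(self, customer, new_mac):
        """Amend the table once the operator has confirmed the customer changed NICs."""
        self.mac_to_customer = {m: c for m, c in self.mac_to_customer.items() if c != customer}
        self.mac_to_customer[normalize_mac(new_mac)] = customer

def filter_log(mac_filter, log_text=SAMPLE_LOG):
    """Run each log line through the filter; returns {verdict: count}."""
    counts = {}
    for m in LINE_RE.finditer(log_text):
        verdict = mac_filter.check(m.group(1), m.group(2))[0]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```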

Is MAC filtering on its own an adequate way to protect your wireless network against theft of service? It sure sounds like it to us, but we'd love to hear other opinions on the subject.