07-06-2007, 11:57 PM
Jeff Liebermann
Re: Hotspot Security?

On Fri, 6 Jul 2007 04:39:32 -0400, louis-m
<louis-m.2takq7@no-mx.wirelessforums.org> wrote:

>i have had to implement a wireless hotspot in my friend's hotel a month
>or two before i planned. obviously, this hasn't allowed me the time to
>study up on the security of the hotspot.
>
>the equipment we are using is:
>
>AP's are colubris cn3200 with cn320 for repeaters
>switches are dell powerconnects 2724's which are managed
>router is draytek 2950 (their latest enterprise class)


Good hardware. Unfortunately, I'm only familiar with the switches.

>1. secure encrypted access for hotel lan & staff. easily implemented
>with mac & wpa. this goes to vlan1 which allows access to the hotel's
>private lan and internet
>
>2. guest access to just the internet. again, it is easily implemented
>using dhcp and a https logon with no mac or wep/wpa encryption. this
>goes to vlan2 which only allows access to the internet.
>
>all of the above clients cannot talk to each other and can only talk to
>the access point itself. all AP's are firewalled.
>
>the question then......
>am i as secure as i can be?


Quite good or rather good enough. A few suggestions. Please note
that security cannot be assumed and needs to be tested.

1. You don't appear to have a RADIUS server. Therefore the hotel
staff machines are using a shared WPA-PSK key. The problem with
shared keys is that they are easily leaked and/or recovered from the
client machines. See:
<http://www.wirelessdefence.org/Contents/Aircrack-ng_WinWzcook.htm>
for how it's done. If you don't have physical security, or suspect
the staff may be leaking the key, I suggest you implement a RADIUS
server. This will deliver a unique, one time, per session encryption
key, instead of the common shared key.

2. MAC address filtering is a waste of time. MAC addresses are NOT
encrypted and can therefore be sniffed. It doesn't take much work to
extract a valid MAC address and use it.
<http://www.irongeek.com/i.php?page=security/changemac>

3. VLAN's are a great way to isolate separate networks on shared
media. Isolation is guaranteed, but needs to be tested. Run a
sniffer, such as Ethereal or Wireshark on each network and see if any
wrong MAC addresses are appearing on the wrong side of the VLAN. I
had a misconfigured ethernet switch do something weird. It would
correctly not pass normal traffic between VLAN's, but would pass
broadcasts for some odd reason. I never could figure out why, so I
just threw in a better switch.

4. Access Point isolation is mandatory for such a system. You
apparently have that running. Again, you should verify that it's
working. Simply not "seeing" other clients is not sufficient. Sniff
the traffic and look for MAC addresses that don't belong on the VLAN
segment.

5. I suggest you install some manner of SNMP traffic monitoring,
probably at the router and the switches. Using MRTG or RRDTool,
you'll get graphs that will give you some clue as to what "normal"
traffic looks like. When something goes wrong, you can usually tell
where and when something changed. You need this because nothing you
mentioned is suitable for abuse detection or mitigation. I'll spare
you my horror stories, but you do need to do something about detecting
and isolating abuse and abusers.

6. The last time someone asked me about wireless security, I retorted
that they really should be concerned about wired and physical
security. They had bought the best wireless hardware but had left
live ethernet ports all over the place, with no NAC security (network
access control) or MS NAP (network access protection). I left the
ports live, but implemented NAC. Does the hotel have any customer
accessible open ethernet ports? Most do.
<http://sslvpn.breakawaymg.com/nac/NACindex.php>

7. My guess(tm) is that you haven't enabled any QoS or bandwidth
management features. Without QoS or BW, one user can monopolize the
entire system. At the least, you should reserve some dedicated
bandwidth for the office to prevent the visitors from hogging it all.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS
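Points 3 and 4 above come down to one test: sniff each segment and look for MAC addresses that don't belong there. The script below is an added example, not part of Jeff's post; it assumes a text export of captured frames with one constructed "vlan=… src=… dst=…" line per frame and a constructed inventory of which MAC belongs on which VLAN, and it flags the broadcast-only leak from point 3, two clients talking directly (AP isolation broken), and unknown devices on the staff VLAN.

```python
"""Audit sniffer output for VLAN leaks and client-isolation failures.

Added example, not from the original post. The frame format and the
inventory below are assumptions constructed for this demonstration.
"""
import re
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed: AP and router MACs, allowed to appear on every VLAN.
INFRA = {"00:00:00:00:00:01", "00:00:00:00:00:02"}
# Constructed: client MAC -> the VLAN it is supposed to live on.
INVENTORY = {
    "aa:aa:aa:aa:aa:01": 1,  # staff laptop (hotel LAN)
    "aa:aa:aa:aa:aa:02": 1,  # front-desk PC (hotel LAN)
    "bb:bb:bb:bb:bb:01": 2,  # guest
    "bb:bb:bb:bb:bb:02": 2,  # guest
}
FRAME_RE = re.compile(r"vlan=(\d+)\s+src=([0-9a-f:]{17})\s+dst=([0-9a-f:]{17})")

# Constructed capture: one frame per line in the assumed export format.
SAMPLE = """\
vlan=1 src=aa:aa:aa:aa:aa:01 dst=00:00:00:00:00:02
vlan=2 src=bb:bb:bb:bb:bb:01 dst=00:00:00:00:00:02
vlan=2 src=aa:aa:aa:aa:aa:02 dst=ff:ff:ff:ff:ff:ff
vlan=2 src=bb:bb:bb:bb:bb:01 dst=bb:bb:bb:bb:bb:02
vlan=1 src=cc:cc:cc:cc:cc:01 dst=00:00:00:00:00:02
"""

def parse_frames(text):
    """Yield (vlan, src, dst) for every line that matches the export format."""
    for line in text.splitlines():
        m = FRAME_RE.search(line.lower())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def audit(frames, inventory=INVENTORY, infra=INFRA):
    """Return {check_name: [evidence, ...]} for the frames seen on the wire."""
    findings = defaultdict(list)
    for vlan, src, dst in frames:
        # Check 1: an inventoried MAC is on a VLAN other than its own.
        # Broadcasts are reported separately (the "weird switch" case).
        for mac in (src, dst):
            home = inventory.get(mac)
            if home is not None and home != vlan:
                kind = "broadcast_leak" if dst == BROADCAST else "vlan_leak"
                findings[kind].append((vlan, mac))
        # Check 2: two clients of the same VLAN exchanging frames directly.
        if inventory.get(src) == vlan and inventory.get(dst) == vlan:
            findings["client_to_client"].append((src, dst))
        # Check 3: a MAC nobody inventoried is sending on the staff VLAN.
        if vlan == 1 and src not in inventory and src not in infra:
            findings["unknown_on_staff_vlan"].append(src)
    return dict(findings)
```

Run `audit(parse_frames(SAMPLE))`; an empty dict means every frame stayed where it belongs.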
