Note: This is the beginning working copy of a presentation given by AdamShand, BrucePotter and TonyKapela at Defcon9. You can find the actual slides of the presentation online in HTML or PowerPoint. -- AdamShand

Wireless Security and Captive Portals

  1. Intro of Speakers

    1. Who we are and why you should care
      1. Bruce Potter
        1. The Shmoo Group
        2. Security guy and Network hack
      2. Adam Shand
        1. Personal Telco (and the Shmoo Group)
        2. Unix Sysadmin and Open Network Weenie
    2. What this talk will and WON'T cover
      1. Will: Your Mom ...
      2. Won't: Your dad ...
  2. Wireless 101

    1. History of Wireless Communications
      1. Analog
      2. Digital
    2. Different Digital Wireless technologies
      1. PCS
      2. Microwave
      3. 3G (heh)
      4. 802.11 <- our focus

  3. 802.11

    1. History
      1. Evolution as an 802.x protocol
      2. The security shoehorn
    2. Technical structure
      1. Framing
      2. DSSS
    3. Modes
      1. Ad Hoc (iBSS)
      2. Infrastructure (BSS)
      3. Other vendor-specific modes (Ad-Hoc demo etc.)
    4. Other stuff?
  4. Current State of 802.11 Security

    1. Wireless is inherently non-private
      1. Your signal goes places you don't want it to
    2. Wired Equivalent Privacy
      1. What it is (set of pre-shared secrets)
      2. What it was intended to solve
      3. What it doesn't solve
      4. What is being done to improve it
        1. Proprietary Extensions (Cisco's Dynamic WEP)
        2. 802.1x / EAP (Extensible Authentication Protocol)
          1. Lack of vendor support (but it's coming)
          2. Provide
    3. Other mechanisms (with Pros/Cons)
      1. End to End
        1. VPNs
          1. Pros
            • Best from security standpoint (fully encrypted tunnel)
            • Application independent
          2. Cons
            • Requires clue to find an end point
            • Not a be all end all for security (remember PPTP fiasco?)
            • Crappy inter-OS support
            • Lack of Win/Mac free clients
        2. Encrypted Protocols (SSH, HTTPS, POP3S, IMAPS etc)
          1. Pros
            • Easier to find an end point for than for a VPN
            • Decent application support
            • Provides decent security
          2. Cons
            • Hard to find providers for some services
            • Requires clue to use safely (multiple end points vulnerable to man in the middle attacks etc)
            • Temptation to cheat ...
      2. End to AP
        1. WEP
          1. Pros
            • Provides a standard, hardware-supported way of getting link-level encryption
            • 40 bit key part of Wifi standard
          2. Cons
            • Shared Key (ugg, doesn't scale)
            • Anything greater than 40-bit encryption is vendor specific
            • Doesn't protect past the access point
        2. EAP/LEAP
          1. Pros
            • Uses an authentication server for its back end (currently RADIUS), no more shared keys!
          2. Cons
            • Requires hardware vendor to support the new 802.1x protocol
        3. MAC Filters (restricted access not "security")
          1. Pros
            • Not many, it's easy?
          2. Cons
            • No encryption
            • Easy to spoof
            • Does scale much better than WEP
      3. End to Middlepoint
        1. SOCKS
        2. Encrypted Application Proxies
        3. Web Based Portals (Captive, Forced and Active)
  5. The Captive Portal

    1. What it tries to solve
      1. Uses existing OS software and some elbow grease
      2. End to Middlepoint security
    2. The architecture
      1. Web based authentication via SSL
      2. Flexible back end authentication server (RADIUS, LDAP, Kerberos, etc.)
      3. Interaction with egress Firewall
        1. Punch hole
        2. Setup IPSec tunnel
        3. Set timer
    3. Strengths
      1. Can use IPSec for traffic on wireless network
      2. Authentication of connection via arbitrary protocols
      3. All open source
      4. Can scale to enterprise size
    4. Weakness
      1. Interoperability of IPSec
    5. Existing Implementations
      1. Open Source
        1. Lan Roamer
        2. Terrapin Shield
        3. Net Logon
        4. SLAN
        5. NOCAT
      2. Commercial
        1. Cisco and Nortel (for managing DSL customers)
        2. Surf 'n Sip (proprietary)
        3. Mobilestar (aka. Microsoft/Starbucks/Mobilestar)
  6. The Active Portal (with NycWireless)

    1. What it tries to solve
      1. Threats to the node operator
        1. Network abuse
          • Bandwidth hogging
        2. Legal Abuse
          • Illegal Hacking/Cracking
          • Spamming
          • Bandwidth provider's wrath
          • Other illegal activities
      2. Leverage Wiki's notion of soft security into a network
        1. What do usernames buy you?
          1. Depends on whether they are self-provisioning or not
            • If they are, then not much (e.g. Slashdot)
            • If they aren't, then quite a lot, but you have now restricted who can use your network by how you provision accounts.
    2. The architecture
      1. Similar to Captive Portal but no authentication
        1. Welcome banner (You've reached The Personal Telco Project)
        2. Acceptable Use Agreement
        3. Issue Cookie (to track user statistics)
        4. Quality of Service rules
        5. Extrusion Detection
        6. Triggers to deny access
        7. Possibly use freedom or some other anonymous net supplier
    3. Strengths
      1. Protects the node operator (and thus the node)
      2. Doesn't require a user database
      3. Maintains an open network

    4. Weaknesses
      1. Makes it harder to track abuse
      2. It's reactive instead of proactive
  7. Where to go from here

    1. Continue to refine
    2. Drink heavily
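The Captive Portal architecture above ends with the firewall interaction: punch a hole for the authenticated client, then set a timer that closes it again. The following is an added example (not code from the talk or from any of the listed implementations) of that session bookkeeping; it assumes an iptables FORWARD-chain rule matched on both IP and MAC, and takes the command executor and clock as parameters so it can be dry-run.

```python
# Added example: captive-portal "punch hole / set timer" session table.
# Assumption: the egress firewall is iptables; the page names no firewall.
import time
from dataclasses import dataclass


@dataclass
class Session:
    ip: str
    mac: str
    user: str
    expires: float


class PortalFirewall:
    def __init__(self, lease_seconds, run=None, now=time.time):
        self.lease = lease_seconds
        self.run = run or print   # executor for firewall commands (print = dry run)
        self.now = now            # clock hook, injectable for testing
        self.sessions = {}        # client IP -> Session

    def _rule(self, action, s):
        # Match on IP *and* MAC so a client that merely borrows the IP
        # after the real user leaves does not inherit the open hole.
        return (f"iptables -{action} FORWARD -s {s.ip} "
                f"-m mac --mac-source {s.mac} -j ACCEPT")

    def authenticated(self, ip, mac, user):
        """Called after the SSL login page verified `user` against the back end."""
        self.expire()                        # housekeeping before adding
        s = Session(ip, mac, user, self.now() + self.lease)
        if ip in self.sessions:              # re-login: drop the old rule first
            self.run(self._rule("D", self.sessions[ip]))
        self.sessions[ip] = s
        self.run(self._rule("I", s))         # punch the hole
        return s

    def expire(self):
        """Timer hook: close holes whose lease has run out; returns closed IPs."""
        now = self.now()
        closed = [ip for ip, s in self.sessions.items() if s.expires <= now]
        for ip in closed:
            self.run(self._rule("D", self.sessions.pop(ip)))
        return closed

    def is_open(self, ip):
        s = self.sessions.get(ip)
        return s is not None and s.expires > self.now()
```

Run `expire()` from cron or a periodic thread; a client whose lease ran out is sent back to the login page on its next web request.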

DCSchpeel (last edited 2002-03-27 01:28:16 by AdamShand)