[BBLISA] Wired to wireless?

Dewey Sasser dewey at sasser.com
Mon May 3 10:00:36 EDT 2010


On 05/03/2010 06:46 AM, Scott Ehrlich wrote:
> A question for the comm techies out there -
>
> You have a wired network via a major provider - comcast, verizon, rcn,
> etc, at your home.
>    
I have Charter Cable.
> Your neighbor (someone on your street) also subscribes to the same
> provider.   Can they see your traffic?    Can you see theirs?
>
>    

I just captured 5 minutes of packets and after filtering out traffic to 
my network the only thing I saw was DHCP broadcasts and arp.

So, the short answer is "No, I can't."  Traffic seems to be isolated.  
For my provider.  In my neighborhood.  Right now.  As long as no one is 
poisoning the arp cache.  YMMV :-)

This is an improvement because some years ago I recall seeing people's 
NetBIOS traffic -- to the point where I put an explicit ignore line in 
my firewall rules to avoid filling up my disk with dropped packet logs.

Nonetheless, paranoia....er....good security practices require me to 
assume that someone at Charter will fat-finger a configuration and 
traffic will be visible or someone will intentionally crack in upstream 
somewhere.

> Thanks for any good educational insight on this.   Depending on the
> answer, it _might_ help sway me to consider wifi at home.
>    

I'm going to spend a bit more time talking about the question you didn't 
really ask -- WiFi security.

Overview:

    * You can't make WiFi bullet-proof
    * You can make the vulnerability irrelevant
    * It's likely not necessary unless you live in Cambridge or Berkeley
      or similar environment.


I haven't updated myself on state-of-the-art WiFi cracking in about a 
year but I have done enough WiFi pen testing against my own networks to 
realize that many of the common "just do this and you'll be secure" bits 
of advice are effectively useless.

Take, for example, lack of SSID broadcast -- that only helps you when 
you have no other traffic.  My net always has some traffic, so a WiFi 
sniffer (e.g. Netstumbler) will pick up network existence regardless of 
SSID broadcast.

WEP is like securing your house by locking a screen door.  WPA2 is more 
like a solid front door, which means you'll keep out casual attackers 
but anyone sitting nearby (such as a neighbor) has plenty of time to 
crack in using a variety of detectable and undetectable methods.

There are some things you can monitor -- such as MACs appearing on your 
net that you don't own -- that are a give-away for an attack.  You can 
also whitelist your own MACs and use a default exclude policy and feel 
all warm and cozy until someone clones an existing MAC and gets on your 
net anyway.  There are some things which you theoretically could monitor 
(such as WiFi retransmission rates) that could detect an attack but I 
haven't found available to monitor in a home level WiFi device (though I 
did not search exhaustively, because...)

I think the biggest problem in WiFi security is that home-class devices 
have very slow patch cycles so any newly discovered vulnerability will 
take a huge amount of wall time to patch and vendors aimed at the home 
market have very little incentive to release security patches.  A 
secondary consideration is that they have a relatively low 
power/transistor budget for complex security protocols.

My conclusion is that WiFi is inherently insecure and I should treat it 
as such.

Therefore I put it on the *outside* of my firewall and use OpenVPN for 
all clients I want to allow in to my network.  I started down this path 
when I got a TiVo Series 2 and discovered it didn't support WPA.

Doing this requires a bit more routing/firewalling than a typical home 
WiFi router from Staples can handle out of the box.  I use a book-size 
C7-based dual-NIC PC from NewEgg running Ubuntu Server to which I added 
an extra USB NIC.  This also gives me a good point to run various 
monitoring apps, intelligently filter out IRC and outbound SMTP (except 
from my mail server) and shape/control traffic.

However, I think you should be able to achieve this with alternate 
firmware such as DD-WRT as well if you're willing to spend the time 
figuring it out -- the hardware underlying e.g. a Linksys WRT series 
router is pretty capable.

This setup means I can just "lock the screen door" and do nothing fancy 
with MAC excludes (which are a pain), post my network key on the fridge 
for any of my geek friends who just have to have WiFi for their iPhone 
when they come over, and incidentally, because I don't take a lot of 
steps to keep out the neighbors, I can easily monitor for people who try 
to break in to my system using the easy methods.

There are only a few problems with this setup:
1) I have to generate an OpenVPN key for all of my devices and install 
OpenVPN.  I had it deployed anyway for remote access, so it is 
relatively small incremental cost.
2) My Mom was confused at why she could get to Google but her mail 
server kept timing out and spent a few hours before she asked me
3) This is really all for my own amusement and that of 2 network-savvy 
neighbors -- other than my own pen testing, this neighborhood is either 
so tame that no one has even tried to launch a break-in against my 
network, or I've been totally pwned by the prep-school kiddies down the 
street whose idea of amusement is swapping neighborhood lawn ornaments 
after midnight.
4) I believe the threat environment for home WiFi (as opposed to 
corporate WiFi) is much less harsh.  There's little reason for a 
knowledgeable attacker to try an individual home network and script 
kiddies should be fairly easy to detect.

Hope this helps,
--
Dewey
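The message above mentions three things worth watching for on a LAN: MACs that show up on your net that you don't own, someone cloning one of your MACs, and someone poisoning the ARP cache. The script below is an added example (not code from Dewey's post or from the bblisa list) that turns those three checks into a small ARP monitor. It consumes the text that `tcpdump -nn -e arp` prints (the line layout used here is an assumption about current tcpdump output; check it against your own version), compares every sender MAC against a whitelist, and flags an IP that is suddenly claimed by a second MAC, which is the visible symptom of ARP poisoning. The whitelist, addresses and captured lines are all constructed for the example. Note the limitation the post itself points out: an attacker who clones both a known MAC and its IP is invisible to this kind of check.

```python
"""Minimal ARP monitor over tcpdump text output (added example).

Reads lines in the form printed by `tcpdump -nn -e arp`, e.g.

  10:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.10 tell 192.168.1.1, length 28

and reports unknown MACs, IPs claimed by more than one MAC (ARP poisoning
symptom) and MACs that use more than one IP (a weak hint of a cloned MAC).
All addresses below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed whitelist: the MACs this household owns (hypothetical values).
KNOWN_MACS = {
    "00:11:22:33:44:55": "router",
    "00:11:22:33:44:66": "laptop",
    "00:11:22:33:44:77": "tivo",
}

# Constructed capture: normal traffic, then an unknown host that first
# asks for the router and then falsely replies that the router's IP is-at
# its own MAC (classic ARP cache poisoning).
SAMPLE_CAPTURE = """\
10:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.10 tell 192.168.1.1, length 28
10:00:01.000250 00:11:22:33:44:66 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 192.168.1.10 is-at 00:11:22:33:44:66, length 28
10:00:05.000001 00:11:22:33:44:77 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:05.000300 00:11:22:33:44:55 > 00:11:22:33:44:77, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:09.000001 de:ad:be:ef:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.99, length 28
10:00:12.000001 de:ad:be:ef:00:01 > 00:11:22:33:44:66, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
"""

# Assumed tcpdump -nn -e layout: timestamp, src MAC > dst MAC, ethertype,
# length, then either "Request who-has T tell S" or "Reply S is-at M".
ARP_LINE = re.compile(
    r"^\S+\s+(?P<src>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype ARP \(0x0806\), length \d+: "
    r"(?:Request who-has (?P<target>[0-9.]+) tell (?P<req_ip>[0-9.]+)"
    r"|Reply (?P<rep_ip>[0-9.]+) is-at (?P<rep_mac>[0-9a-f:]{17}))",
    re.IGNORECASE,
)


def parse_arp_line(line):
    """Return (frame_src_mac, sender_ip, advertised_mac_or_None) or None."""
    m = ARP_LINE.match(line.strip())
    if not m:
        return None
    src = m.group("src").lower()
    if m.group("req_ip"):
        # In a request the sender tells us its own IP after "tell".
        return src, m.group("req_ip"), None
    # In a reply the sender claims "rep_ip is-at rep_mac".
    return src, m.group("rep_ip"), m.group("rep_mac").lower()


def analyse_capture(text, known_macs):
    """Run the three checks over a capture and return a list of alert strings."""
    ip_owner = {}                 # ip -> first MAC seen claiming it
    mac_ips = defaultdict(set)    # mac -> set of IPs it has used
    unknown_reported = set()
    alerts = []
    for line in text.splitlines():
        parsed = parse_arp_line(line)
        if parsed is None:
            continue              # not an ARP line we understand; skip it
        src, claimed_ip, is_at = parsed
        # A reply whose frame source differs from the advertised MAC is odd.
        if is_at is not None and is_at != src:
            alerts.append(f"reply from {src} advertises a different MAC {is_at} for {claimed_ip}")
        # Check 1: MAC we do not own (report each unknown MAC once).
        if src not in known_macs and src not in unknown_reported:
            unknown_reported.add(src)
            alerts.append(f"unknown MAC {src} on the LAN (claims {claimed_ip})")
        # Check 2: the same IP claimed by a second MAC -> poisoning symptom.
        owner = ip_owner.setdefault(claimed_ip, src)
        if owner != src:
            alerts.append(f"ARP conflict: {claimed_ip} claimed by {src}, previously {owner}")
        mac_ips[src].add(claimed_ip)
    # Check 3: one MAC using several IPs. Only a hint: a clone that copies
    # both the IP and the MAC of a real host produces no alert at all.
    for mac, ips in sorted(mac_ips.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} used {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    import sys
    # "python3 arp_monitor.py -" reads a live/saved tcpdump text stream from stdin;
    # with no argument it analyses the constructed sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_CAPTURE
    for alert in analyse_capture(text, KNOWN_MACS):
        print(alert)
```

To run it against a live segment, pipe the capture in, e.g. `sudo tcpdump -nn -e -l arp | python3 arp_monitor.py -` (the file name is arbitrary). On the constructed sample it produces three alerts in order: the unknown MAC, the conflict over 192.168.1.1, and the unknown MAC having used two addresses. A real deployment would keep `ip_owner` bounded and expire entries, since DHCP legitimately moves IPs between MACs over time.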