NASA's 802.11b Wireless Security Solution

[Warren Togami]

http://www.nas.nasa.gov/About/Media/announcements.html#alert_8_23_01

This is NASA's solution to 802.11b wireless security.  Their method is very
similar to mine, except it uses the OpenBSD operating system instead of
Linux.  OpenBSD is perhaps the most secure version of Unix, with over four
years without a remote security hole in default install.  If I am
understanding their implementation details correctly, it appears that only
their login authentication is encrypted via SSL to the web server (https),
but all other traffic is unencrypted.  They also choose to disable WEP due
to ease of circumvention and lowered performance.

The only thing I would do differently is 100% encrypted VPN links from
client computers, through several access points isolated with VLAN, to a
Linux firewall from which it would route to the final destination only after
passing through very restrictive Netfilter rulesets.

Or perhaps I am too paranoid...

August 23, 2001
NAS Division Overcomes 802.11b Wireless Security Flaws
The network security group in the NASA Advanced Supercomputing (NAS)
Division at Ames Research Center, in California's Silicon Valley has
successfully installed a secure interoperable wireless network that
addresses the well-known problems of the 802.11b standard wireless
systems -- with a minimum of time and investment.

"Wired equivalent privacy isn't the equivalent of wired privacy," said Dave
Tweten, computer security official at NAS. Tweten's group started with the
premise that the network itself provides no reliable authentication and no
security from eavesdropping, and decided not to depend on any security
provisions bundled with 802.11b products.

Why? Recent conference results have established that 802.11b wireless
systems provide no substantial security protection in any of three important
respects: 1) The signal coverage perimeter cannot be easily limited to
conform to an organization's physical control perimeter; 2) Wireless card
hardware addresses cannot be trusted as tools to identify a user; and 3)
Wired Equivalent Privacy (WEP) encryption of data sent between a laptop and
an access point can be cracked, regardless of key length.

In addition, said Tweten, the means to derive a WEP encryption key from
eavesdropped ciphertext and a method for decrypting WEP traffic without ever
needing to derive the key are well documented.

The NAS Division chose to secure its wireless network while assuming that it
would be accessible from areas outside the division's control. The team also
assumed that all information on the network would be subject to
eavesdropping, and that no identification information built into 802.11b
could be trusted. "All 802.11b security features were disabled on the
grounds that they only consume resources without delivering any real
security," Tweten said.

For minimum administrative overhead, basic use of the wireless network is
possible without authentication. This is possible because the services that
can be reached require authentication and perform encryption themselves. At
the same time, users are protected from an attack launched on the Internet
at large.

In the NAS Division, all this is accomplished by an off-the-shelf PC running
the OpenBSD operating system, an Apache web server, the Internet Software
Consortium DHCP server, the IPF firewall software -- all freeware. Network
and security team members Nicole Boscia and Derek Shaw developed the "glue"
software to make the rest of the components work together -- in about 40
hours.
For more information, contact Dave Tweten at tweten at nas.nasa.gov, (650)
604-4416.

Implementation details:
http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html

Warren Togami
warren at togami.com