Blog

  • CWNP


The Beginning of Knowledge is the Discovery of Something We Do Not Understand

Back when good ‘ole Netstumbler was introduced, WLAN discovery was a novelty.  Good protocol analysis tools were few and far between, and a little bit of information about the frames traversing the air was like informational gold, especially for the occasional hackers.  Nowadays, serious Wi-Fi troubleshooting is done with high performance—and usually high cost—sniffers  with wicked decoders, filters, aggregators, and simulators that make casual WLAN discovery tools like Netstumbler look like an alley cat next to a lion. 


  • CWNP

Wireless (In)Security: 5 WiFi Client (Mis)Uses

My previous post (WiFi Rogue AP: 5 Ways to “Use” it) talked about the (mis)uses of a Rogue AP. This post looks at the other challenge – security issues with WiFi clients. WiFi clients come from different vendors and are available in several flavors. They are embedded in today’s notebooks which often carry sensitive enterprise and personal data. By their very nature, such clients are highly dynamic. I am sure that network administrators managing even moderate sized enterprises can relate to the following two issues. First, the hassle of maintaining an accurate list of enterprise WiFi clients and second, controlling the WiFi profile of a client (WiFi profile of a client determines its mode of operation, wireless networks it will try to connect to and its security settings). Although controller based wireless LAN (WLAN) infrastructure can mitigate the first issue, it may not be of much help in controlling the WiFi profile of enterprise clients. Hence, every enterprise can potentially have such “mis-configured” WiFi clients. They can be exploited by an attacker in the following 5 ways.


  • CWNP

WiFi Rogue AP: 5 Ways to Use It

“The notion of a hard, crunchy exterior with a soft, chewy interior [Cheswick, 1990], only provides security if there is no way to get to the interior. Today, that may be unrealistic.”  -- What Firewalls Cannot Do, Firewalls and Internet security

Rogue APs are Access Points (APs) that are deployed in an enterprise network without the consent of the authority owning the network. In certain cases, the intent behind a Rogue AP may be benign – for example, an employee who wants to access the network from his favorite corner of the office. In other cases, a Rogue AP can be deployed with malicious intent – say, by an attacker or his accomplice.


  • CWNP

AirHORN is a Blast!

Upon first inspection, this unassuming little gadget (AirHORN from NutsAboutNets.com) doesn't seem like "all that"...but give it more than 2 minutes, and you'll be hooked.  Forgetting its intended purposes for a second, this gadget is just plain fun to play with.  The first thing I did was to pull out my fancy-smancy AirMagnet Spectrum Analyzer to monitor what AirHORN was doing.  It not only did what it was intended to do, but it also had me laughing out loud at the cool things it does and how useful it can be for a variety of things.  I started a spectral recording in AirMagnet, put AirHORN in Fast Traverse mode, and just sat there laughing at the prospect of sending it to some expert friends who pride themselves on their troubleshooting skills.  With slanted white lines repeating across the swept spectrogram, I can only imagine what BS they'll speculate that this "system" is! :-)


  • CWNP

Much Ado About Where 2.0 - LBAC

Dang, it's nice to be right every once in a while. If you didn't read my 1.0 version (dated 10-NOV-08), I'm referring to that last paragraph about RTLS being the end-game. I believed it then, and I believe it now. Let's talk about what's changed since my 1.0 post. This time... Trapeze brought a gun to a knife fight.  They came up with the coolest new authentication technology since PPSK/DPSK. It's generically called Location Based Access Control (LBAC). It's the first cousin of, and best friend to, Role Based Access Control (RBAC). RBAC rocks, but with RBAC/LBAC, it's a whole new ballgame. Welcome to the big leagues, folks.


  • CWNP

Sharkfest!

Last week I had the chance to attend the 'Sharkfest' conference held on the Stanford campus in Palo Alto. Last year I was busy with other work and missed it... this year I had a gig fall through at the last minute. I'm glad it did!

  • CWNP

Protection Mechanisms Run Amuck

I thought since I posted about golf yesterday, I'd throw you a technical blog today.  Enjoy!

There are four HT Protection modes.  There are at least a dozen protection mechanisms.  Dual CTS, Non-HT Duplicate Mode, PCO Mode, RTS/CTS, CTS-to-Self, L-SIG TXOP, Dual Beacon, 40 MHz Intolerance, 20 MHz BSS Width Requests, and others.  It's ridiculous.  Does an analyst have to learn all of this?  I know you're hoping my answer is a big fat NO, but unfortunately...my answer is a big fat YES.  Manufacturers will tell you that their system magically 'handles' and 'optimizes' all of this stuff.  Well, it might be able to do the right thing according to the standard, but that's where the problem lies to begin with.  When it comes to protection mechanisms, modes, and operating methodologies, the standard is hideously bloated and confusing. 


  • CWNP

PHAT APs

Dude.  PPSK.  'nuff said.

Well, actually, I have lots more to say, but you get my point.  My friends at Aerohive would have you believe that their new solution, 'Private PSK' (let's just call it PPSK), was designed to:

1.  Increase security on enterprise-class devices that either don’t support 802.1X/EAP or don’t support it very well (e.g. no fast/secure roaming)

2.  Offer secure hotspot services

While on both counts they are right on the money, the story doesn't end there.  When combined with their Virtual HiveManager (vHM), this stuff becomes the coolest thing since...well, the last Aerohive solution I wrote about: HiveUI.  See my blog article called ‘Collectonomous’ and another cool article from Lisa Phifer here: http://www.wi-fiplanet.com/reviews/article.php/3812366 .  There are SO many things you can do with this type of ‘half way between 802.1X/EAP and PSK’ solution!  vHM is an online WNMS that manages their PHAT APs (my new term for describing the coolest, fastest, smartest APs I've ever seen).  You just connect each AP, let it pull an IP (DHCP), SSH into it using the default un/pw, issue one command - 'hivemanager x.x.x.x' - and then 'save config'.  Poof, you're off and running.  Just log into vHM with your personal login, and you have control of your APs.  SOOOOO simple.  Now, where was I?  Ah yes, PPSK...


  • CWNP

Are You Smarter Than A Fourth Grader?

Warning: this blog might make you whine...or perhaps weep.

I have twin girls, Abbey and Hannah.  They're in the 4th grade, and just the other day they brought home a graded science exam.  I was in shock when I looked it over.  In so many ways, it was CWNA-level material.  I just couldn't believe my eyes...  I went through each of the questions, making sure I could answer and explain each of them and found myself explaining some of the same concepts to my 4th graders as I explain in seminars and CWNA classes.  Abbey...Abbinator...my OCD rocket scientist child, scored 95.  I was thinking of giving this same 4th grade exam as a pre-class assessment to CWNA students. :-)
