Category Archives: Network Design

Adding an additional layer of authentication to websites with HTTP Reverse Proxies

Posted by Walter Goulet on January 31, 2012 No comments

For my last client engagement, I was tasked with adding an additional layer of authentication to a publicly accessible website without actually modifying the website’s application code or web server configuration. After doing a little research, I came upon the idea of using a HTTP reverse proxy to intercept requests to the website and perform additional authentication before letting end users access the target web application.

If you are not familiar with the concept of a HTTP reverse proxy, think of it as a specialized web server that inspects incoming HTTP requests, forwards them to another (usually internal) web server after any local processing is completed, and makes sure that HTTP responses sent back to the client contain proper host names. The following diagram illustrates the typical processing flow when using a SSL enabled reverse proxy server that is acting as a front end to an internal web server.

In this diagram, the reverse proxy server is performing 3 major tasks:

  • Performing an additional level of authentication for client connections.
  • Proxying HTTP requests and rewriting hostnames in HTTP responses.
  • Terminating SSL connection requests from clients.

In addition to the tasks above, it is possible to use a reverse proxy server  as a poor mans web application firewall by filtering HTTP requests that contain invalid characters that could be used for basic SQLi attacks. Reverse proxy functionality is provided by external modules such as mod_proxy for Apache and URL Rewrite/Application Request Routing for IIS.

To get clients to connect to the reverse proxy server instead of the internal application server, the reverse proxy server is usually configured with a public DNS hostname and publicly routable IP address. Thus, any links that are made available to users will resolve to the public IP address/DNS hostname of the reverse proxy server. The reverse proxy server will then perform the job of mapping the external HTTP requests to the proper internal web server.

With that introduction out of the way, let’s discuss how a HTTP reverse proxy can be used to add an additional layer of authentication to a web application. As pointed out earlier, a HTTP reverse proxy is really nothing more than a dedicated web server with additional modules that decide when and how to forward traffic to another web server. Thus, when a user connects to a HTTP reverse proxy server, any authentication method that is supported by the reverse proxy server’s web server platform can be used to authenticate users.

For my engagement, I used IIS 7.5 with URL Rewrite 2.0 as my reverse proxy server. To provide an additional layer of authentication, I used the RSA Web Authentication Agent 7.0 along with Authentication Manager Express. After installing the web authentication agent, I configured the agent to protect all resources on the reverse proxy server. This has the effect of forcing all HTTP requests that are accepted by the reverse proxy server to be intercepted and processed by the web authentication agent. Once the web authentication agent completed the authentication sequence with the client, a record of the authentication is stored in the client’s browser as a cookie. Immediately after the authentication sequence completes, the agent redirects the user back to their original destination which again points to the reverse proxy server. Since authentication is now complete, the web authentication agent will no longer intercept the request and will instead forward the request over to the URL rewrite module. The URL rewrite module will then simply forward requests to the internal web server per the rewrite rules that were configured.

As for the rewrite rules themselves, when using the RSA web authentication agent on the reverse proxy server I found it necessary to write 2 rules for incoming HTTP requests to ensure that the reverse proxy server did not forward requests for the web authentication agent to the internal web server. To handle requests that should be processed by the web authentication agent, I created an inbound URL rewrite rule that matched the URL path for requests to the web authentication agent. The action for this rule was to simply not process it, which permitted the request to drop out of the URL rewrite module and be handled by the web authentication agent. Any other request that did not match the agent’s URL path was forwarded to the internal web server. The following snippet from my web.config file illustrates the rules that were used:

  <rules>
     <rule name="ReverseProxyInboundRule1" enabled="true" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
       <add input="{CACHE_URL}" pattern="^(https?)://" />
       <add input="{REQUEST_URI}" pattern="(.*IISWebAgentIF.dll.*)" />
      </conditions>
      <action type="None" />
     </rule>
     <rule name="ReverseProxyInboundRule2" enabled="true" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
       <add input="{CACHE_URL}" pattern="^(https?)://" />
      </conditions>
       <action type="Rewrite" url="http://www.example-internal.com:8080/{R:1}" logRewrittenUrl="true" />
      </rule>
   </rules>

For fans of open source solutions, the same functionality could easily be provided with Apache’s mod_proxy module using the ProxyPass and ProxyPassReverse directives. The virtual servers that contain these directives would then need to be configured to require authentication at which point any of the standard Apache user authentication methods such as mod_auth or mod_auth_ldap. Apache has the additional advantage of supporting the mod_security web application firewall, so the mod_proxy directives could be easily combined with mod_security to provide both additional client authentication and a transparent WAF.

The evils(?) of self signed certificates

Posted by Walter Goulet on March 2, 2011 No comments

I consider myself largely a lurker on most security mail lists that I subscribe to, including the closed SANS Advisory Board mail list. However, a recent discussion on that list prompted me to think about the supposed risks of self signed certificates, especially in an enterprise network.

Like nearly any other security technology out there, self signed certificates can be evil or perfectly acceptable depending on the context in which they are used. In a nutshell, self signed certificates alone provide confidentiality and integrity to any protocols which use them to establish connections. Self signed certificates alone do not provide authentication in the traditional sense of a PKI, because the certificate has not been issued by another trusted party (such as a centrally managed PKI infrastructure).

So, the question is, does this lack of authentication make self signed certificates evil? I don’t believe that it does. A certificate can be authenticated by other means. For example, if the self signed certificate is installed on a end user system by some other trusted mechanism (such as a centralized directory/management server), the centralized management server is vouching for the self signed certificate. In another extreme example, a user could contact the administrator of a system that is using a self signed certificate and verify the certificate fingerprint being presented by the self signed certificate.

The real risks of self signed certificates are that end users will become accustomed to simply adding self signed certificates to their browser’s trusted certificate store and will ignore the security warnings presented by their browsers over time. The sanctity of browser errors generated by untrusted certificates must be preserved to ensure that users view those errors as exceptional events and respond accordingly.

The Chicken and the Egg Problem; Trusting Wireless Networks

Posted by Walter Goulet on December 1, 2010 No comments

It’s been quite a while since I’ve posted; since then my job has changed and I’m back to system design work. In my new role, one of the problems that I’ve had to solve recently is a familiar chicken and egg problem that anyone who’s had to deploy wireless networks that use enterprise authentication methods (EAP-TLS/EAP-TTLS) has had to face.

The issue surfaces when using an enteprise authentication method that relies on X.509 certificates for server authentication (like EAP-TLS, EAP-TTLS, and PEAP). When a wireless device (here wireless can mean WLAN and wireless broadband technologies) connects to an AP and begins the authentication process, the supplicant on the device needs to verify that the authenticator (typically the RADIUS server behind a wireless AP) is a trusted endpoint. This is done by verifying that the authenticator’s X.509 certificate has been issued by a trusted root certificate authority and is valid (digital signature is valid, cert hasn’t expired, plus any other local policy checks). However, these checks won’t properly handle the case where the authenticator’s certificate has been revoked by the issuing CA. While this is a low risk in most enterprises, in high security or mobile deployments (like the system I’m currently working on), the risk of the AAA server being compromised may be great enough to justify implementing some sort of countermeasures. The typical solution for checking for revoked certificates is to use certificate revocation lists or online certificate status protocol (OCSP). However, both of these methods are problematic in a wireless system for different reasons:

  • CRLs have a defined validity period after which the CRL should no longer be trusted (certificates revoked after the CRL expiration date will naturally not appear in the CRL). While this is normally not a problem, if a wirelss device does not attach to the network regularly, it could potentially fail to download new CRLs and cause the existing CRLs on the device to expire.
  • OCSP is a simple request/response protocol where a device can send a request to a OCSP responder immediately after obtaining a certificate to check that the certificate is valid. However, during the wireless network entry process, the wireless device has to trust the authenticator’s certificate to even obtain an IP address which means that the device cannot use OCSP to validate the certificate until it has already ‘trusted’ the certificate (hence, the chicken and egg problem).

There are a couple of solutions to this problem; ask the authenticator to contact an OCSP responder on the device’s behalf to find out if the authenticator’s certificate has been revoked, or connect to the network temporarily to download CRLs and then reconnect to the network to validate the authenticator’s certificate with the newly downloaded credentials.

The first solution above is implemented via a technique called OCSP Stapling (RFC 4366). OCSP stapling defines a means for an authenticator to contact an OCSP responder to get a OCSP response containing the server certificate’s revocation status. Wireless supplicants which support OCSP stapling will then expect to get a OCSP response in the certificate payload messages that they obtain from servers. However, OCSP stapling is relatively new and has not been widely deployed.

The second solution is somewhat more attractive than OCSP stapling because it does not require the authenticator to implement any additional functionality and requires only minor changes in the wireless supplicant. In this solution, the wireless supplicant will first connect to the network and will trust the authenticator’s certificate for the purposes of obtaining CRLs (or to optionally contact a OCSP responder and cache the response). After the supplicant has obtained the revocation information, the supplicant will immediately disconnect from the network and will peform another wireless association and authentication sequence. However, this time the supplicant can use the freshly obtained revocation information to validate that the authenticator’s certificate has not been revoked before permitting full network entry.

Neither of these solutions are perfect of course; they both require the wireless supplicant to trust the authenticator to a certain extent and don’t protect against the threat where the wireless device is associating with a “complete” rogue wireless network (where the AAA server, DNS server, CRL server and OCSP responder functions have all been spoofed). However, in both cases the overall system security has been improved rather significantly by providing a way for wireless network operators to revoke AAA server certificates with assurance that wireless supplicants will just ‘do the right thing’.

WLAN Strategy – Segmented and Guest Networks

Posted by Jon Janego on August 26, 2010 No comments

Continuing my small series on WLAN deployment strategy, now I’ll cover the two more uses for wireless networks in a business.

Segmented Mobile Data

Segmented Mobile Data networks can be found in retail environments for mobile point of sale, hospitals for critical bedside services, warehouses for inventory and logistics, or many other types of environments.  The main idea behind the use of a segmented mobile data network remains to isolate critical data; or to isolate weaker security technologies from the rest of the wireless network.  Regardless of the reasoning, the goal is the same: keep these networks separated from everyone else.  The most critical design decision, therefore, needs to be on the backend – deciding how exactly to segment these networks off.

Professional grade wireless infrastructure like the Cisco 5500 or Motorola RFS7000 is capable of two completely separated WLANs using the same equipment, which is a commonly used technique in such a design.  The infrastructure has an internal firewall that is used to prevent traffic from crossing between the two networks, and can use VLAN tagging to carry back to the main network using a shared WAN connection, or can use two entirely separate WAN connections.  Either way, the infrastructure is functioning as the separation device.  This also generally needs to be backed up with a firewall on the wired infrastructure side, restricting the data flows from the segmented WLAN into the enterprise.

Another alternative is to use two entirely separate pieces of hardware, with two separate physical connections back to the enterprise.  Depending on the needs of your organization, this may be required; if two physically separated wired LANs are deployed, bridging them with a WLAN device may not align with the networking vision.

The type of protection necessary for the the segmented data network again comes down to the technology available.  For data subject to technical compliance concerns, such as PCI-DSS or HIPAA, the stronger the better.  At minimum, WPA2-AES with pre-shared keys can suffice, although a certificate-based authentication solution is always preferable from a strict data security perspective.

If the network is being segmented due to equipment that cannot support strong encryption and authentication technologies, use the strongest available.  Unfortunately, many types of legacy equipment used in warehouses today cannot support WPA2-AES, or even WPA-TKIP – some may be stuck using WEP!  The weaker the level of protection, the more careful your segmentation on backend should be.

Guest Internet Access

Guest internet access generally is provided by a “hotspot”.  Users connect to an unencrypted network, and are sent to a captive portal page, where they can either login with pre-assigned credentials, or accept a terms of service and proceed without any credentials necessary.  Either way, authentication on such a network is accomplished only at the application-level, and there is no data protection provided by the WLAN itself.  As such, these networks should be treated as untrusted and kept firmly segmented from the enterprise, using the techniques described above.

A popular alternative deployment method for hotspot guest wireless networks is to use an entirely separate physical network for guests.  This can dramatically increase the infrastructure costs, but it accomplishes pure segmentation.  A typical use case for this type of physical segmentation would be a cafe or retail environment that wants to provide guests internet access, but doesn’t want to expose any of their business network.  Purchase a separate internet backhaul and configure a Wireless LAN dedicated to this network only.

If your business is subject to compliance regulations, such as PCI, I would strongly recommend using a physically segmented network for guest access.  While this increases capital expenses, it makes scoping activities related to compliance dramatically simpler.  When dealing with auditors, it is always advisable to have clear-cut boundaries around your critical data, and physically isolating any guest network is an easy way to do so.

Summary

Both of these network types rely on the network administrator segmenting the WLAN from the rest of the network.  It’s temping to plug an access point into an unmanaged switch and have the wireless “just work”, but this can open the network to many avenues of attack.  Assume the worse case at the beginning – that your WLAN is compromised – and design its place in the overall enterprise network to minimize the damage that an attacker could do from there.

WLAN Enterprise Mobility Strategy

Posted by Jon Janego on July 23, 2010 No comments

Continuing my series on deployment strategies for enterprise WLAN, today I’m covering the most common type of WLAN deployment – extending the enterprise to mobile users.

Basic Enterprise Mobility – Strategy

Extending the enterprise’s wired LAN to wireless is one of the more straightforward tasks from a network design perspective, but the authentication piece for the Wireless LAN needs to be strictly controlled.  Fortunately, wireless can benefit from the widespread deployment of another technology in the enterprise world – centralized authentication servers.

Many enterprise environments utilize a centralized authentication system to manage their user accounts, with Microsoft Active Directory being one of the most common.  This system can also be leveraged to provide authentication to the Wireless LAN.  Active Directory can serve as an 802.1X authenticator, allowing the wireless network to use EAP technology to authenticate users.  The two EAP methods most worthy of consideration in a WLAN environment are EAP-TLS, and PEAP.

EAP-TLS provides full mutual authentication, using a public key infrastructure to create and manage certificates for both client devices and the authenticating server.  In practice, it will allow users to seamlessly authenticate to the wireless network, because the certificate exchange occurs behind the scenes.  In an Active Directory environment, the certificates used in authentication can be deployed remotely by the Domain Controllers.  This works especially well with laptop users, but can be a challenge with mobile devices that do not have a wired connection to the network.  Certificates can be pushed to mobile devices in several ways, such as by use of a dedicated management WLAN or physical installation via memory cards or barcode scanning, but in a large environment with many mobile devices, it may be wise to look into alternatives.

Fortunately, a worthy alternative to EAP-TLS exists with PEAP authentication.  PEAP provides for similar levels of security to EAP-TLS, but does not rely on client certificates to authenticate devices to the network.  Instead, PEAP uses a more traditional username & password combination.  These credentials can be integrated with an Active Directory environment, allowing administrators granular control over what users get access to the WLAN.  PEAP also mitigates the potentially expensive maintenance cost of managing certificates on mobile devices.

EAP-TLS and PEAP, combined with WPA2-AES, provide the strongest authentication and encryption solutions available in WLAN, and as such should be used to protect any critical data traveling over the network.  While integration with Active Directory is not mandatory, because many organizations have such an environment already deployed, extending its use to cover WLAN authentication is an attractive option.  If your organization does not have a centralized authentication system in place already, the deployment of a WLAN can be a strong motivation to do so.  Several free alternatives to Active Directory also exist, such as FreeRADIUS.  Some enterprise-grade WLAN infrastructure also provides the ability to generate and manage certificates using an internal server hosted on the access point.  Given the easy integration with common authentication systems, and the availability of free alternatives, there really is no reason not to deploy a centralized authentication solution to secure your enterprise WLAN.

Pre-Shared Keys – also known as “Personal” authentication – are generally not appropriate for enterprise environments.  WPA2-AES using pre-shared keys does not have any documented vulnerabilities, but any PSK solution relies on sharing authentication credentials between multiple users and devices.  This can affect the integrity of the network, and doesn’t provide any traceability to activities of users on the network.  It should be avoided in a mission-critical environment.

WLAN In the Enterprise – Use Cases and Strategies

Posted by Jon Janego on July 21, 2010 No comments

Continuing from my first post in the series, today I hope to cover the common use cases and general strategies for securing an enterprise WLAN.

Depending on the size and business needs of the enterprise, a WLAN can be used in a few different ways:

Basic Mobility – the most common use of WLAN is simply to extend the existing wired LAN to wireless users.  This can have a very positive impact on productivity, allowing users more flexibility throughout the workspace.

Segmented Mobile Data - this type of WLAN is one where the network is dedicated to use of a specific type of data that is segmented from the main enterprise network.  Typical use cases here are in hospitals or retail stores, where compliance regulations provide strict guidance on data protection and segmentation.

Guest Internet Access – common in cafes and large businesses, this type of WLAN typically provides only internet access and is entirely segmented from the enterprise wired LAN.

Wired LAN Replacement - this type of network is becoming a feasible alternative to the hassle of running cable, and will likely continue to grow in popularity as time goes by

These use cases can blend together in any number of ways.  A well thought-out design at the beginning, along with the right hardware planning, can accomidate these uses and even more.

General Strategy

Like other networking strategies, the use of proper segmentation at the Layer 2 level is critical when designing a WLAN.  Your most critical data flows should have their own segment, protected by methods like VLAN segmentation, firewalling, private IP spaces, and routing tables.  Regardless of the authentication and encryption method used for the WLAN itself, properly designing its location within the enterprise wired LAN is critical.

Data encryption in 802.11 is accomplished by a combination of the authentication type with an underlying encryption method.  Use of WPA2-AES encryption should be considered mandatory in any new WLAN deployment.  This encryption technology has no documented vulnerabilities and widespread hardware and software support.  If your enterprise has devices that do not support WPA2-AES, strongly consider replacing them.  When designing a network, its security should not be determined by the weakest link.  Unless there is a business case for doing something otherwise, use the strongest encryption and authentication methods available.

My next post will get into some specifics about these different use cases!

Deploying A World-Class WLAN in Your Enterprise

Posted by Jon Janego on July 16, 2010 1 comment

In the last decade, 802.11 Wireless LAN technology has had a dramatic impact on the technology world.  Reliable, high-bandwidth networking is now easily available to anybody who wants it, and the number of WiFi enabled devices continues to grow at a dramatic rate.  So naturally, businesses ranging from basic office environments, to complicated co-located warehousing/retail/office operations have begun leveraging the technology as well.  Unfortunately, the ease of setup that WLAN offers has led to some confusion among even seasoned IT practitioners.  In this series of  posts, I hope to provide some simple guidance to help clarify how to securely and efficiently manage an enterprise Wireless LAN.

Some History

I will not go into the history of the 802.11 standard in too much detail here, although there are a couple of important points to recognize when thinking about how to deploy a WLAN in your business.  The most important thing to know is this – many of the WLAN security technologies that were being used in deployment until three or four years ago are vulnerable to several well-known attacks.  If your business has a WLAN that has “just been working” for a while – it should probably get some attention.

To elaborate on this a bit further, the most common Wireless LAN encryption method used until late 2003, WEP, has been subject to some very public weaknesses, almost since its inception.  Its temporary replacement, WPA-TKIP, has similar (although not as dramatic) weaknesses, that have been public since at least 2008.

Adding insult to these platform-common weaknesses, some of the alternate, “more secure” based authentication methods advised by vendors have also been picked apart and had their vulnerabilities shown to the world.  I’m looking at you, LEAP.

To sum it up briefly – many networks that people thought were secure in 2003 or 2004 are definitely not secure today.  And unfortunately, WLAN sometimes is treated like a part of the physical infrastructure – if it ain’t broke, don’t fix it!

Current Tech

Fortunately, 802.11 is really starting to come into its own lately, and can be an extremely secure – in some ways more secure – piece of critical infrastructure.  The extremely solid (and so far unbroken) WPA2-AES encryption standard defined by 802.11i has had widespread vendor support since 2007.  And certificate-based authentication methods such as EAP-TLS, PEAP, and EAP-TTLS have similarly experienced a growth in support, among not just desktop OS platforms, but mobile operating systems as well.  And Wireless Intrusion Detection Systems are hitting their stride, ranging from several robust and effective professional solutions from vendors like AirTight, Cisco, and Motorola, to fantastic open-source applications like Kismet.  And robust infrastructure management software is now making the administration of Wireless LANs more simple and effective.

In short, today it is possible to deploy a WLAN that will meet all the use cases an enterprise can throw at it, and that is as secure as a typical wired LAN infrastructure.

In the next post, I’ll cover typical enterprise WLAN use cases, and the strategies for designing and securing them.

Integrated vs. Standalone RADIUS Servers in WLAN Deployments

Posted by Walter Goulet on June 29, 2009 2 comments

Several popular WLAN infrastructure vendors include lightweight RADIUS servers directly in their access points. These lightweight servers are typically designed for use by vendors as a backup solution in the event that connectivity to an off-board RADIUS server is lost.

I recently had the opportunity to speak with a WLAN network administrator and we briefly discussed the merits of using an integrated RADIUS server on APs vs using an external RADIUS server for authentication. After thinking about it for a few days, I realized that relying solely on the integrated RADIUS server for wireless authentication is rarely a good idea.

  • Integrated RADIUS servers on APs are typically minimal servers that are designed to serve a small number of clients. If the WLAN network grows in size, the number of users that will need to be configured could easily exceed the limits of the integrated RADIUS servers.
  • Some integrated RADIUS servers do not offer support for accounting services. This can be either a non-issue or a serious disadvantage depending on the purpose of the WLAN.
  • Integrated RADIUS servers typically use proprietary local database engines/management interfaces to administer the user database, which makes it difficult to do certain operations like import/export user databases between APs or switch to APs from a different vendor.
  • Standalone RADIUS servers offer advanced capabilities such as integrating with LDAP or Exchange servers to provide single sign-on capabilities. Integrated RADIUS servers in APs don’t have such capabilities due to the complexities and necessary protocol support required to interact with other authentication servers.
  • Integrated RADIUS servers can only support the EAP methods that are built into it, restricting the set of EAP methods that can be used in the WLAN. Standalone RADIUS servers can typically support a much larger number of EAP methods and therefore provide the WLAN administrator with a great deal of flexibility. Note that APs which are acting only as a NAS are only relaying EAP messages between clients and the RADIUS server and therefore don’t need to have support for the different EAP types built-in.

However, even with all of the advantages a standalone RADIUS server offers over an integrated RADIUS server, there are some compelling advantages of the integrated solution: the integrated server is likely only to fail when the AP itself physically fails, the authentication sequence may be slightly faster since there is no extra hop between the AP and a RADIUS server, and of course it doesn’t require any additional capital expense for your network. In short, the decision between a integrated and standalone server solution should carefully consider short term and long term costs/network growth as well as flexibility in supporting both existing and future requirements of the network.

Responsible Home Wi-Fi

Posted by Jon Janego on January 28, 2009 3 comments

Wi-Fi.  Everyone’s got it nowadays.  Your Comcast or Verizon broadband connection at home probably comes with a wireless router.  But do you really know how to set it up??  Better yet – do you really know how yours is set up currently?  Or does it “just work”?

I want to briefly share my thoughts on the subject and give you some advice on making a secure – or perhaps intentionally insecure – wireless network at home.

Let me explain some fundamentals.  The first thing that you need to keep in mind is that all wireless traffic is visible to everybody.  Your XBOX live session.  Your online banking from your laptop.  Your IM sessions.  It’s all out there, just waiting to be listened in on, on a very well-defined and well-understood protocol, 802.11.

Before you panic, you need to remember the second important thing – nearly all wireless traffic can be well-protected.  Walter has been doing a nice series on encryption, and even if you don’t follow all the details, the major takeaway can be that data can be wrapped up pretty tightly if you set it up correctly.

For most people, I am going to advocate running a closed network – encrypting your traffic and only allowing authorized users to use your home access point (AP).  This is the subject of some debate among the security community, most notably from Bruce Schneier (who advocates for keeping your wireless network open), but I’ll say that for the “average user” it’s better to close it off.

Your network can be secured through a combination of obscurity, exclusions, and encryption.  Obscurity is not openly advertising the name of the AP.  Exclusions are preventing unauthorized network cards from joining your network.  Encryption is wrapping the traffic in a difficult-to-break code that can only be understood by your wireless devices and your wireless router.  The first two methods are relatively trivial to subvert – any ‘serious’ attacker could get themselves onto your network if they were the only two barriers to entry.  But the third is the most important, and here your choice is pretty clear – definitely encrypt!

But which encryption and authentication method to choose?  Home APs commonly come with a couple varieties of encryption options – WEP, WPA-PSK, and WPA2-PSK.  WEP has had known vulnerabilities since almost its inception, and is now easily broken in less than 10 minutes of work.  So don’t use it. Use WPA or WPA2, although WPA2 is relatively new and supported by less devices than WPA.

PortForward.com has an excellent guide to the details of setting up security on many wireless routers.  I would personally recommend against masking the SSID (the “name” of the wireless network) and implementing MAC address filtering, just because they’re easily compromised anyways, and make the network a hassle to administer.  The slight tradeoff in security is worth it for the increased usability.  As long as you’re using WPA or WPA2 with a relatively long pre-shared key – at least 15 characters – you’re better off than many networks.

Finally, if you choose to run an “open network” – a network that freely allows any client to associate with it, with no encryption – there are a few ways to still be safe.  First, keep in mind, that while the wireless traffic may be easily ‘sniffed’, if the data itself has already been encrypted via SSL (look for the ‘lock’ icon displayed in your browser) or a VPN tunnel, it’s a moot point – it’ll be garbage to an attacker.  So even though I menacingly mentioned that your bank traffic is visible earlier in this post – it’s only visible as encrypted gobbledygook, so no reason to panic just yet.

Summary – use WPA or WPA2.  Don’t bother with MAC filtering or SSID masking.  Don’t use WEP unless you really have to.  And you probably don’t want to run a wide-open network, but if you do so, don’t panic too much – most ‘important’ traffic is probably encrypted anyways.

In another post I’ll go into some ideas for running a secure, yet open home wireless network.  But until then, keep my simple recommendations in mind and you’ll be just fine!

The case (for/against) filtering subscriber to subscriber network traffic

Posted by Walter Goulet on December 31, 2008 No comments

Part of my job is to help customers decide when and where it’s appropriate to deploy firewalls and other security devices in their networks. One point that has come up in discussion with my colleagues has been whether or not it is a good design principle to filter peer to peer traffic in service provider networks. Let me first clarify what I mean by service provider networks. I am referring to networks that are specifically designed to provide connectivity for subscribers, either to the Internet, to private intranets, or to each other. The owner of this network (the service provider) is essentially providing ‘pipes’ for his customers. Service providers earn money by creating and meeting service level agreements (SLA) with subscribers that guarantee bandwidth and availability to customers.

I define subscriber to subscriber traffic filtering as a network design which explicitly prohibits the exchange of packets directly between subscribers without first passing those packets through a firewall or access control lists. An example of this type of network is a typical cable or DSL service network provider where subscriber packets are filtered through a network access server (NAS) prior to being forwarded to their destinations. A metro Ethernet network is an example of a network that does NOT perform peer to peer traffic filtering (metro Ethernet provides layer 2 connectivity between subscribers).

From a pure service provider business perspective, you care little about the types of traffic that subscribers exchange as long as you are able to meet the SLAs that you have established. If the traffic that is exchanged happens to contain malicious information (viruses, malware etc.), the service provider isn’t really going to care as the type of traffic exchanged doesn’t affect their ability to provide service to subscribers.

From a subscriber perspective, you care a lot about whether or not your home/business network is subjected to malicious traffic originating from your outside network connection. However, you also care about having the freedom to use your outside network connection as a raw pipe and being able to exchange any kind of network traffic with anybody that you can connect to (especially home users who use BitTorrent and other P2P protocols).

From a regulatory perspective, as a service provider you care about meeting the legal requirements to provide service in the regions you operate in order to avoid penalties etc. Certain governments impose restrictions on the types of traffic that network users are allowed to exchange (China being a prime example with strict requirements on which websites can be viewed by Chinese residents).

As can be seen from these 3 different perspectives, the need to implement filtering controls to restrict subscriber to subscriber traffic is not immediately evident. From a security threat perspective, most service provider networks are designed to provide clean seperation of bearer data (subscriber traffic) and control/management data used by the provider to run their network. So the risk of subscribers actually accessing the service provider’s infrastructure is quite low. A slightly more obvious security threat is the risk of being non-compliant to regulatory requirements. In this case, the risk of non-compliance can be quite high depending on each country’s regulations.

In conclusion, when considering whether or not to implement peer to peer traffic filtering and whether or not the lack of this filtering is a security risk, consider the network design and the regulatory requirements governing the network operation. You may be surprised to find that there is in fact little to no security risks to the service provider by NOT performing peer to peer traffic filtering.