Please note that this article is several years old and things at both institutions have changed a lot over the years. I may update this document later on; however, for the moment, consider its information deprecated. It's still a good comparison of methods though.
Abstract:
Universities are installing wireless networks to provide Internet access for students and staff in non-traditional, hard-to-wire, or economically unfeasible areas. These networks are often set up with much excitement and bravado about the use of 'cutting edge technology', but looking past that, there seems to be a severe lack of effort in informing users of the implications of using these nets. Analysis shows that even though universities take measures to protect themselves, they could do more to protect their users.
Introduction:
Wireless networks are all around us. Most people don't realize that as they go about their day-to-day business they are walking through the invisible clouds thrown out by these networks. Building these networks is becoming easier, cheaper and more useful with every passing day. However, there seems to be very little attention paid to security in small home installations and small/medium businesses. In a quest to find out how high up the problems went, the Renderman and RenderVan went to the University of Alberta.
As a wardriver I have been continually shocked and amazed at the complete lack of security on wireless networks. WEP flags in broadcast packets sent out by access points usually indicate outward signs of security. These are picked up by programs like Netstumbler and used to determine statistics such as can be found on my site here. From these stats I can get a rough guess as to the state of security; however, these stats fail to take into account 3rd-party and proprietary security measures that don't always make themselves apparent. Further research is required to investigate these.
In a large wireless network installation, managing WEP keys can become quite unmanageable. A static key must be changed whenever staff changes occur to keep unauthorized users out. There is also the problem of the shared key creating a shared environment where all authorized users share the same key and can read each other's data. All it takes is one bad apple to create an incident.
The traditional method of securing a large installation abandons WEP and instead uses either 3rd-party (RADIUS, VPNs, etc.) or proprietary (Cisco's LEAP or other EAP methods) mechanisms. While these methods are much more secure, cash-strapped universities often cannot afford them and must make do if they want to provide wireless. This often leads to 'home grown' methods that, while effective, may not always provide the sought-after security.
The University of Alberta:
The University of Alberta has provided wireless net access in the Students' Union Building, V-wing, and the Business building for students and staff to connect from more comfortable areas than offices and classrooms (the Students' Union Building study area is very nicely furnished, complete with gas fireplace).
The network uses a wall-mounted patch antenna to direct the signal to the areas where it is needed, predominantly the study areas of the Students' Union main floor, but with signal leakage all the way out to the Stadium car park and the Van Vliet Centre.
This wireless setup is based upon OpenBSD's authpf in a captive portal configuration. The access points broadcast beacons and do not require WEP to connect. When a user fires up a web browser, however, all traffic is redirected to a static web page with instructions on how to authenticate and various warnings about security. In this particular setup it requires you to SSH into the server, located at 10.0.0.1, with a valid GPU (General Purpose Unix) account to dynamically create an allowed connection to the outside world. This setup is quite effective, relatively cheap (free software) and secure, since it uses an encrypted channel to send the authentication. It also provides access control limited to students and staff, with audit trails in case nefarious activities need to be traced back.
From the point of view of networking services and the legal department, their butts are covered.
The problems with this setup become apparent when you start looking at the topology of the network and where the barriers are placed. There is that thin space between the client device and the access point where data is unencrypted, which the University forgot about or ignored. This space is not controlled by any method of security and provides quite a frightening look at the problems with wireless security in this particular type of setup.
Using a laptop with standard wireless and networking tools on Windows and Unix, I decided that since this was a public network, I could connect ethically/legally, but since I was not a student I could not access the Internet. The airspace between the AP and the client was all the room I could work in. That was all I needed.
Upon connecting to the access point I was redirected by the captive portal to the login screen for Internet access. After checking that EVERYTHING was blocked from going out, and not possessing an ID, I went no further. Instead I decided to look at what everyone else was doing.
Using various programs like Ethereal, ettercap, Kismet and dsniff, I set about finding out how security conscious the student and staff clients were.
The nature of a wireless network is very much as it sounds: broadcast. When information is transmitted by the access point it is radiated in all directions to any and all clients within range, meaning that everyone receives the signal, not just the intended recipient. On a wired network, the use of a switch instead of a hub keeps traffic going only to the intended recipient. On a radio, though, that is effectively impossible.
It is worth noting, though, that this setup was also easily applied to the wired ports that are available to students in the lounge. The same authentication procedure is required to get Internet access on the wired ports; however, because they use wired switches, the traffic sniffing used later in this report is not very useful there.
Dsniff is a Unix program that scans all the traffic flowing to and from a network card (namely my own), looking specifically for username/password combinations for a variety of common programs (email, FTP, remote admin, etc.) and dumps them to the screen. In the span of 1 hour using dsniff while sitting at the Students' Union I was able to harvest 6 FTP logins for university servers, 2 email logins for web mail services outside of the university, and 1 MSN instant messenger password. (All these were dumped to console and not recorded in any file or transcribed anywhere but my own head.) What would be interesting would be to see how many people used similar passwords for their university (secure) authentication as well as their non-university (insecure) authentications (email and the like). (Note: this does not necessarily mean that the programs were able to get access, only that the passwords were sent in the clear. Insecure protocols might be blocked at the firewall, but automated login features still send out passwords.)
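As an added example (not the article's code and not dsniff itself), the Python script below shows the defensive side of the same observation, in the spirit of the University of Michigan awareness demo mentioned under Recommendations: it scans a constructed sample of captured application-layer lines for FTP, POP3 and HTTP Basic logins and records that a password crossed the air in the clear, together with the account name to warn, but never the password. All hosts, ports and credentials in the sample are made up.

```python
import base64
import re
from collections import Counter

# Constructed sample capture: (client, server, dst port, one application-layer line).
# The line on 443 is opaque TLS ciphertext and must produce no finding.
SAMPLE_CAPTURE = [
    ("192.168.1.20", "10.20.30.40", 21, "USER jdoe"),
    ("192.168.1.20", "10.20.30.40", 21, "PASS hunter2"),
    ("192.168.1.31", "10.20.30.41", 110, "USER alice"),
    ("192.168.1.31", "10.20.30.41", 110, "PASS letmein"),
    ("192.168.1.42", "10.20.30.42", 80, "GET /mail/ HTTP/1.1"),
    ("192.168.1.42", "10.20.30.42", 80,
     "Authorization: Basic " + base64.b64encode(b"bob:s3cret").decode()),
    ("192.168.1.50", "10.20.30.43", 443, "\x16\x03\x01\x00\x9c\x01"),
]

PORT_PROTO = {21: "ftp", 110: "pop3", 80: "http"}
USER_RE = re.compile(r"^USER\s+(\S+)$", re.IGNORECASE)
PASS_RE = re.compile(r"^PASS\s+\S+$", re.IGNORECASE)
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)$", re.IGNORECASE)

def find_cleartext_logins(capture):
    """Return (proto, client, server, username) for each cleartext password seen;
    the username lets the owner be warned, the password is never stored or returned."""
    pending_user = {}  # (client, server) -> username from the preceding USER line
    findings = []
    for client, server, port, payload in capture:
        proto = PORT_PROTO.get(port)
        if proto in ("ftp", "pop3"):
            m = USER_RE.match(payload)
            if m:
                pending_user[(client, server)] = m.group(1)
            elif PASS_RE.match(payload):
                user = pending_user.pop((client, server), "?")
                findings.append((proto, client, server, user))
        elif proto == "http":
            m = BASIC_RE.match(payload)
            if m:  # credential is base64("user:password"); keep only the user
                try:
                    user = base64.b64decode(m.group(1)).decode("utf-8", "replace")
                    user = user.split(":", 1)[0]
                except ValueError:
                    user = "?"
                findings.append((proto, client, server, user))
    return findings

def summarize(findings):
    """Count exposed logins per protocol, the figure an awareness notice would cite."""
    return dict(Counter(f[0] for f in findings))
```

Run against real traffic, the per-protocol counts from summarize() are what you would put on a sign in the lounge; the findings list tells you whom to notify.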
In another experiment, ettercap was used to determine various statistics about clients on the local network. Many student laptops were found to be woefully insecure, including several with NetBIOS (Windows networking) shares with null passwords (probably left enabled from their home network), allowing an intruder to wander around the contents of the client computer. As well, several were running Windows XP and Windows 2000 and did not seem to realize that they had left on the very vulnerable personal web server.
The University has taken the necessary steps to provide an audit trail for itself, limit its liability and secure its responsibilities, but has done surprisingly little to make students aware of how much information they are leaking. The University's assets have been secured (secure web mail, use of SSH, etc.), but students do not realize that if they are signing onto a web mail account or FTP site, their passwords are being sent in the clear in all directions. The University could go a lot further to extend security to protect the students, and not just itself.
A good comparison case is the Northern Alberta Institute of Technology (NAIT). NAIT built a brand new building on their campus with a grant from Hewlett-Packard for their computer studies. As part of this setup, a wireless network was installed in the 'commons' area, a general study area with computer terminals, couches, etc.
On a visit to the campus to speak about wardriving I took the opportunity to check out this setup, namely while walking by with my laptop running in my bag.
The first thing I noticed about this network was the insanely high range. On normal wardriving runs I pick up their network from nearly a kilometer away. I found that this is due to the high power of the Cisco units they are using, and the structure of the commons area (mostly glass).
The lack of WEP initially surprised me, but further investigation revealed that they were actually using Cisco LEAP (a proprietary extension to WEP) to secure their network. Each student must have a compatible Cisco wireless card and a username/password. Each student's connection is then encrypted separately with a different key, rather than the same one for everyone as in a plain WEP environment. This key is also rotated on a time basis, making security end-to-end and much tighter. Since each user has a separately encrypted session, eavesdropping and snooping are much harder.
The drawbacks to this setup, though, are significant to note. The first is cost. Cisco equipment is very expensive and not cheap to maintain; however, being a school that teaches Cisco courses, I'm sure there was a deal struck. The costs also extend to the student. Each client (staff or student) must be using a compatible Cisco card in order to connect in the LEAP environment. The cost of these cards can be almost double the cost of cheaper, more common cards (Linksys, D-Link, etc.).
The other drawback is that this environment is not extended to the wired ports, also available in the commons area. These ports are 'plug and go', with no encryption or authentication. This leads many to question the logic of so much security on the wireless side, and the extreme cost of the cards necessary to do it.
The NAIT network is, in my mind, much more security conscious, in that they have addressed the air gap between the AP and the client. However, the cost passed on to the student is rather high and many students can't afford it.
Conclusion
The University of Alberta's wireless implementation is rather ingenious in that its use of free software and local OpenBSD talent has created a very usable and sensible method for controlling access. Their usage of non-proprietary protocols leaves the maximum flexibility for connecting different types of equipment. However, the lack of end-to-end security, by leaving the air gap open, leaves client computers very easily available to snooping and other nefarious activities. This hole could come around and bite them in the near future.
The NAIT network, while much more secure and reliable, comes at a cost of compatibility. Having to expand with only higher-priced Cisco gear makes growth a harder (more expensive) task, and the cost of the cards means that while students might buy a laptop with integrated wireless, they now have to spend more on another card in order to use the wireless network.
Recommendations
The University of Alberta should not ignore the security problem that the air gap situation creates. Many people (often students) hear about vulnerabilities in wireless and decide to look for themselves. Most will look but won't touch, but a percentage will get a thrill from the power and decide to do something stupid. Often, the best security is not technical, though. The University would be wise to increase the amount of education they do about security. If students/staff avoid sending unencrypted passwords and data, then there wouldn't be a problem. The University of Michigan undertook a project to do just that by showing a practical example, using dsniff, of the passwords that could be plucked out of the air. More details at http://www.citi.umich.edu/dsniff.html. A few public signs in wireless areas and some practical (none of this 'may be able to' stuff) examples and language could dissuade people from the use of insecure communications for anything important.
Further improvements could be made with the upcoming WPA upgrade for WEP (should be common by fall '03). This technology addresses a lot of the concerns about WEP and will provide an extra layer of protection.
Closing
This analysis/experiment was done in the spirit of raising security awareness and protecting student and faculty data. I have great respect for the CNS staff at the University and I hope they can see that spirit. Wireless technology is insanely useful but, as with any new technology, is unfortunately not understood by the end users for far too long.
All data was purged at the end of the experiment and no hosts were compromised or accessed.
RenderMan
RenderLab.net
5/12/03
This Document is Copyleft under the GNU Public License
Thoughts, improvements, critiques, flames? Just mail render (AT) renderlab (DOT) net. All comments are welcome.