on what analysts are saying about WLANs in the next few years. Some
WLAN product sales for businesses are up, as high as 175%, and will
continue to grow another 60% in 2002. Revenues will only increase 7%
this year as the price on 802.11-based equipment, even the newer 802.11a
products, continues to plummet. Cisco’s domination of the business WLAN
hardware market is shifting somewhat as Linksys, Agere, and Buffalo
Technologies top the total units shipped and 802.11a/b combo NICs will
be the driving force for network adapters going forward.
SecurityFocus Online reports
on a system built by government contractor
SAIC that sets up a wireless
honeypot in order to research and track the
hacking methods used in the wild to break into 802.11b networks.
The network has five Cisco access points, a handful of deliberately
vulnerable computers as bait, and two omnidirectional high-gain antennas
for added range. On the back-end, a logging host gathers detailed
connection data from the access points, while a passive 802.11b sniffer
with a customized intrusion detection system monitors activity in the
The project hasn’t reported significant intrusion attempts in the 6
weeks it has been in operation. However, it is generating enthusiasm in
the honeypot community, and may spawn similar projects in other cities.
It’s a cool idea, and getting real-world data on black-hat attempts to
hack into wireless nets is very important, especially as WiFi use
continues to come in the back door of corporate networks. Good
intrusion detection tools that use the data gained in these honetpot
situations will increase overall wireless LAN security, and projects
like this will serve to further inform the world on the security
aspects of wireless networks.
However, this also further exposes a nest of legal questions. For
example, as Russ Nelson
on the BAWUG mailing list, “So if I park within
range and open up my Win/XP laptop and it DHCPs an address with no
intervention on my part, am I guilty of a crime?” In other words, how
does one judge intent?
This is not a simple matter to brush off – People like Randall Schwartz
got convicted for intrusion,
even though he was actually trying to fix a security problem, and a
recent report that
a computer security expert living in Houston, TX was indicted on two
counts of fraud because he demonstrated to a county official and a
newspaper reporter how easy it was to gain access to the court’s system
using only a laptop computer and a wireless LAN card.
One final question: As these honeypot hotspots proliferate, will we call them “Honeyspots”?
News.com’s Ben Charney reports on HereUare’s inability to raise more funding, and it’s openly frank executive team
discussing the sale of the company. Unless a miracle occurs, this
probably spells the end of HereUare (and subsidiary WiFiMetro) from an
investor point-of-view. When you have two weeks of cash left and your
current investors have shut their wallets, you don’t have much leverage
to negotiate with potential buyers. My prediction: expect a sale of
HereUare’s assets, somewhere in the $10-20 million (aka fire sale)
In the end, this is about business models; HereUare’s assumed a strong
thriving market where:
- People were willing to pay for hotspot wireless access
- People wanted to do this from multiple locations (roaming)
- People were willing to pay enough to support multiple revenue shares
(cafe owner, WISP, HereUare, roaming WISP)
In the end, hotspot access isn’t compelling enough for this large a
value chain, and it will collapse as carriers move in and offer WiFi
public access, probably as part of a mobile voice/data plan. Another
option is that smart location owners will use WiFi as a way to pull
people into their location by offering it for free. Bandwidth will
become a location amenity similar to electricity or bathroom access;
Know anyone selling pay toilets any more?
“WiFi for customer use only”
PALO ALTO, Calif. — Bermai, a developer of
integrated semiconductor systems for indoor wireless
LAN and outdoor fixed access applications, has raised
an additional $5 million in its Series A round of
financing. The company plans to announce the funding
next week, closing the round at $20 million.
Read the full story (registration required)
John Lettice over at The Register has written a follow-up article confirming Microsoft’s security enhancements to its 802.11 offerings. Funny, I must have been out of coffee last night when I wrote my original post on the subject, but after looking over Microsoft’s Cable Guy column again this morning, I saw 2 important points that I had missed.
First off, Microsoft confirmed in the article that the PEAP extension is in Windows XP Service Pack 1. So that moves the discussion out of the rumor category. Second, the folks at Microsoft explained how to set up PEAP and MS-CHAP V2 with an authentication server, simply using the AP as a pass through device.
That eliminates the need for a beefier AP, since the TLS sessions will get set up between the authentication server and the client. It also plays well into Microsoft’s best interests, including its “digital hub” strategy, and its recent announcements about “Soft WiFi” where AP functionality will be built into a beefier computer that has an 802.11 radio installed. These strategies hinge on the house having at least one PC sitting on the wired net next to the cable
modem/DSL box, and that PC acts as the “digital hub” of the house. Now that box can function as the RADIUS and MS-CHAP-V2 server for secured 802.1x authentication as well.
This only fails to work if you’ve got one computer and a wireless combo
box with no home PC in the equation. Hmmm, potential trouble for the combo box manufacturers.
There are a number of issues surrounding the use of a PEAP scheme to
protect a home wireless network. First off is the issue of a valid TLS (aka SSL)
certificate on the AP; most home networks don’t have an internal
Certification Authority, which menas that MS would have to preinstall a
certificate on each box they build, or offer a deal through one of the
known public CAs, like Verisign or Baltimore, etc. That costs the end user $$$.
Second is the issue of complexity – one of the biggest problems we had
even before we found out that WEP was broken was that about 80% of
people weren’t even using WEP – they just plugged in the AP and didn’t
change a single out-of-the-box setting. Of course, you can blame the
user in that instance, but I think tha opening up a new significant
vulnerability in a network is something that the vendor should not do,
even in the name of simplicity and user friendliness. You gotta work
harder than that to make a really compelling product – it should be
simple, user friendly, AND secure out-of-the-box.
Next comes the issue of legacy device interoperability. You know,
legacy devices like your new Mac TiBook, your Linux box, or that handspring Treo. The
problems with implementing a new handshake protocol into the network
connection phase is that all of the devices that haven’t been built with
that capability obviously can’t get on to the network. I’m sure that if
MS stays true to form, they’ll put out a release of the Pocket PC OS
that will have PEAP capabilities.
Of course, you’ve still got the
whole trusted certificate issue to deal with, so if I was Microsoft, I’d
start selling inexpensive renewable certificates for these mini-IAS
servers. The other option for a home user is to self-sign their
certificate, and then go through a manual process of accepting the
certificate on each client that will be part of the network. This opens
you up to some man-in-the-middle attacks, especially for people who are
connecting for the first time, but it is certainly a level of protection
higher than what is out there today. The big problem remains is the
geekiness factor – you have to be a geek to use this stuff, sign your
own certificates, walk new users through accepting the certificates, and
so on, which menas that for most home users, this will remain a feature
that they leave turned off, fitting squarely into the “silly bunch of
checkboxes on that security tab that I just leave unchecked”.
Of course, that fits nicely into MS’ strategy as well – in order to
really secure your home network, you need to have a desktop PC plugged
into the wall – after all, it is holding all of the music and movies you
downloaded off of that cable modem, right?
And your Mac or Linux box won’t work, at least not until they
have PEAP clients that authenticate against MS-CHAP-V2, and do they have patents on that protocol? Gotta go ask someone on the Samba team…
Sorry, I really have to watch my evil empire bashing.
All in all, considering the market power that Microsoft wields, this is pretty good news – PEAP is an IETF draft standard, and the world does need big players to help push standard strong authentication and security over wireless networks. And of course, that means more people will need good tools to manage those networks.
The Associated Press reports that Myanmar’s military government has made it illegal for companies to operate unlicensed private computer networks linked to their overseas offices.
The 32-point order says those who have already set up WAN services via
satellite link or by other technologies must apply for a license, which
will be approved or rejected by the communications ministry.
Offenders face seven to 15 years in jail, according to the order
published Friday in the state-run Myanmar Ahlin daily.
Will the local Pringles distributor face charges as well? I’ll let the chips fall where they may. (OK, enough bad puns for one day)
The Register reports
that Microsoft may ship its newly announced home and office 802.11 gear
with Protected Extensible Authentication Protocol (PEAP) support in
order to provide secure authenticated access over the wireless
connection. PEAP is a form of EAP negotiation that essentially wraps
TLS (aka SSL) around an otherwise unencrypted EAP session. Microsoft
also has posted its July “Cable Guy” article, entitled “PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access” which goes into more depth on how PEAP works and how to integrate it into a current Windows crypto infrastructure.
So, a few comments: First of all, this does solve a significant problem present today
with 802.11 wireless communication, that of performing authentication in a
secured fashion, even over an insecure channel. There are a few
problems – first of all, each access point must now have a TLS
certificate, which is fine if you’re VeriSign or
if you’re shelling out the dough for Microsoft’s CA implementation
across your organization. Second, it means that the APs need to have
the ability to handle multiple TLS sessions at one time, which means
significantly more CPU horsepower than is currently associated (sorry,
bad pun) with the APs out there. Lastly, it implies that you have PEAP
support on the client, which is fine if you’re running Windows XP SP1
(rumored to have a PEAP client incluided in its upcoming release) but is not so good if you’re
using a more commodity device.
Let’s call this a step in the right direction, but still way too complicated for any but the most technically astute geeks.