WLAN product sales for businesses are up, as high as 175%, and will continue to grow another 60% in 2002. Revenues will only increase 7% this year as the price on 802.11-based equipment, even the newer 802.11a products, continues to plummet. Cisco's domination of the business WLAN hardware market is shifting somewhat as Linksys, Agere, and Buffalo Technologies top the total units shipped and 802.11a/b combo NICs will be the driving force for network adapters going forward.
The network has five Cisco access points, a handful of deliberately vulnerable computers as bait, and two omnidirectional high-gain antennas for added range. On the back-end, a logging host gathers detailed connection data from the access points, while a passive 802.11b sniffer with a customized intrusion detection system monitors activity in the wireless neighborhood.
The project hasn't reported significant intrusion attempts in the 6 weeks it has been in operation. However, it is generating enthusiasm in the honeypot community, and may spawn similar projects in other cities.
It's a cool idea, and getting real-world data on black-hat attempts to hack into wireless nets is very important, especially as WiFi use continues to come in the back door of corporate networks. Good intrusion detection tools that use the data gained in these honetpot situations will increase overall wireless LAN security, and projects like this will serve to further inform the world on the security aspects of wireless networks.
However, this also further exposes a nest of legal questions. For example, as Russ Nelson asks on the BAWUG mailing list, "So if I park within range and open up my Win/XP laptop and it DHCPs an address with no intervention on my part, am I guilty of a crime?" In other words, how does one judge intent?
This is not a simple matter to brush off - People like Randall Schwartz got convicted for intrusion, even though he was actually trying to fix a security problem, and a recent report that a computer security expert living in Houston, TX was indicted on two counts of fraud because he demonstrated to a county official and a newspaper reporter how easy it was to gain access to the court's system using only a laptop computer and a wireless LAN card.
One final question: As these honeypot hotspots proliferate, will we call them "Honeyspots"?
In the end, this is about business models; HereUare's assumed a strong thriving market where:
"WiFi for customer use only"
PALO ALTO, Calif. -- Bermai, a developer of integrated semiconductor systems for indoor wireless LAN and outdoor fixed access applications, has raised an additional $5 million in its Series A round of financing. The company plans to announce the funding next week, closing the round at $20 million.
Read the full story (registration required)
First off, Microsoft confirmed in the article that the PEAP extension is in Windows XP Service Pack 1. So that moves the discussion out of the rumor category. Second, the folks at Microsoft explained how to set up PEAP and MS-CHAP V2 with an authentication server, simply using the AP as a pass through device.
That eliminates the need for a beefier AP, since the TLS sessions will get set up between the authentication server and the client. It also plays well into Microsoft's best interests, including its "digital hub" strategy, and its recent announcements about "Soft WiFi" where AP functionality will be built into a beefier computer that has an 802.11 radio installed. These strategies hinge on the house having at least one PC sitting on the wired net next to the cable modem/DSL box, and that PC acts as the "digital hub" of the house. Now that box can function as the RADIUS and MS-CHAP-V2 server for secured 802.1x authentication as well. This only fails to work if you've got one computer and a wireless combo box with no home PC in the equation. Hmmm, potential trouble for the combo box manufacturers.
There are a number of issues surrounding the use of a PEAP scheme to protect a home wireless network. First off is the issue of a valid TLS (aka SSL) certificate on the AP; most home networks don't have an internal Certification Authority, which menas that MS would have to preinstall a certificate on each box they build, or offer a deal through one of the known public CAs, like Verisign or Baltimore, etc. That costs the end user $$$. Second is the issue of complexity - one of the biggest problems we had even before we found out that WEP was broken was that about 80% of people weren't even using WEP - they just plugged in the AP and didn't change a single out-of-the-box setting. Of course, you can blame the user in that instance, but I think tha opening up a new significant vulnerability in a network is something that the vendor should not do, even in the name of simplicity and user friendliness. You gotta work harder than that to make a really compelling product - it should be simple, user friendly, AND secure out-of-the-box.
Next comes the issue of legacy device interoperability. You know, legacy devices like your new Mac TiBook, your Linux box, or that handspring Treo. The problems with implementing a new handshake protocol into the network connection phase is that all of the devices that haven't been built with that capability obviously can't get on to the network. I'm sure that if MS stays true to form, they'll put out a release of the Pocket PC OS that will have PEAP capabilities.
Of course, you've still got the whole trusted certificate issue to deal with, so if I was Microsoft, I'd start selling inexpensive renewable certificates for these mini-IAS servers. The other option for a home user is to self-sign their certificate, and then go through a manual process of accepting the certificate on each client that will be part of the network. This opens you up to some man-in-the-middle attacks, especially for people who are connecting for the first time, but it is certainly a level of protection higher than what is out there today. The big problem remains is the geekiness factor - you have to be a geek to use this stuff, sign your own certificates, walk new users through accepting the certificates, and so on, which menas that for most home users, this will remain a feature that they leave turned off, fitting squarely into the "silly bunch of checkboxes on that security tab that I just leave unchecked".
Of course, that fits nicely into MS' strategy as well - in order to really secure your home network, you need to have a desktop PC plugged into the wall - after all, it is holding all of the music and movies you downloaded off of that cable modem, right? :-)
And your Mac or Linux box won't work, at least not until they have PEAP clients that authenticate against MS-CHAP-V2, and do they have patents on that protocol? Gotta go ask someone on the Samba team...
Sorry, I really have to watch my evil empire bashing. :-)
All in all, considering the market power that Microsoft wields, this is pretty good news - PEAP is an IETF draft standard, and the world does need big players to help push standard strong authentication and security over wireless networks. And of course, that means more people will need good tools to manage those networks.
The 32-point order says those who have already set up WAN services via satellite link or by other technologies must apply for a license, which will be approved or rejected by the communications ministry.
Offenders face seven to 15 years in jail, according to the order published Friday in the state-run Myanmar Ahlin daily.
Will the local Pringles distributor face charges as well? I'll let the chips fall where they may. (OK, enough bad puns for one day)
So, a few comments: First of all, this does solve a significant problem present today with 802.11 wireless communication, that of performing authentication in a secured fashion, even over an insecure channel. There are a few problems - first of all, each access point must now have a TLS certificate, which is fine if you're VeriSign or if you're shelling out the dough for Microsoft's CA implementation across your organization. Second, it means that the APs need to have the ability to handle multiple TLS sessions at one time, which means significantly more CPU horsepower than is currently associated (sorry, bad pun) with the APs out there. Lastly, it implies that you have PEAP support on the client, which is fine if you're running Windows XP SP1 (rumored to have a PEAP client incluided in its upcoming release) but is not so good if you're using a more commodity device.
Let's call this a step in the right direction, but still way too complicated for any but the most technically astute geeks.