Wi-Fi Myth Busters Series – Episode 3

                                                                                                                                 Figure 1                  Myth # 6 : Captive Portals are an effective ways to prevent unauthorized users

When WPA/WPA2 cannot be used, some organizations such as airports, hotels, shopping malls and universities tend to go for captive portals for authentication. It restricts access until a user authenticates through a web interface. Refer Figure 2. Actually, captive portals provide Layer 2 security which means it places authenticated users’ MAC addresses in a pool of authorized MAC addresses until users log off. So it can be considered as a dynamic MAC filter. But, how many utilities are there in market to spoof MAC addresses? So is it safe as people think?

Asiri’s Experience : When I was doing our rogue access point detection project, I could change MAC of my laptop easily using ‘ifconfig wlan0 hw ether 00:XX:XX:XX:XX:XX’ .

                                                                            Figure 2

As WPA/WPA2 is very common in most wireless devices, best solution is to go for it with a personal passphrase. Even though some security flaws are there with WPA, of course it is more secure than a captive portal.

Myth # 7 : Disabling SSID broadcast may protect network from intruders.

By disabling SSID broadcast, it stays hidden from users and whenever a user wants to connect, he has to enter parameters manually rather than auto detecting. When devices are connected to access point, they constantly probe for other networks with same SSID for roaming purposes. The response from AP’s are sent in clear text surprisingly and unfortunately.

Asiri’s Experience : I could reveal hidden SSID networks by using Kismet wireless sniffer within few seconds. Kismet is not the only tool which can be used for that task.

So moral of the story is SSID is hidden as long as network is dead.

References

Miller, B & Hill, G 2006, ‘Eleven Myths about 802.11 Wi-Fi Networks’, Expert Reference Series of White Papers , 18 August, pp. 5-6, Global Knowledge Training LLC., viewed 23 August 2010

‘Figure 1’ [image] in 2009, ‘The second day of the School on Low Cost Wireless’, school2009, viewed 23 Aug 2010, http://wireless.ictp.it/groups/school2009/wiki/8d8fe/Group_Two's_-_Day_Two.html

‘Figure 2’ [image],‘Captive Portal Guideline’, Wireless LAN service in UM, viewed 23 Aug 2010, http://ictoinfo.umac.mo/wireless/portal.html

The previous episode of this series has been posted on 16th Aug 2010 which can be found easily in here.

Please support to keep your favourite blog live and rich with contents !!!

It would be very helpful if you give your feedback for any post or about this blog using any of the following methods ;

1. - Post a comment by clicking on "x comments" link under each and every post
2. - Follow using your gmail account. Use the "Followers" panel at the right side of blog.
3. - Follow using Twitter. Use the "Twitter Updates" panel at the right side of blog
4. - Directly contact Asiri by email  support@asirirajapakse.com

Your feedback may help Asiri to post more valuable articles fine tuned as per your choices. Thank You for visiting Asiri's Blog.

Have you ever used /, + and – IOS commands in a router?

These commands are similar to last week’s ‘|’ command, but these can be used to parse output several times in a single show command. This is very handy in situations where you have to search for a particular portion of text in a lengthy output.

/   : Displays output from the next entry of search text

+   : Displays lines of output which contains search text

-   : Displays lines of output which does not contain search text

Examples

Sh run --> /bgp         = Output starting from “bgp”

Sh run --> +interface = Output lines containing “interface”

Sh run --> -line          = Output lines without “line”

As usual, keep in touch with ‘Asiri’s Blog’ for more cool tutorials and tips like this. Do not forget to follow this using your Google account and comment as well.

Bill Gates' Last Day at Microsoft

This time it is well known Bill Gates. May this become a tribute for the great man who spent his last full time day at Microsoft Corporation on 27 June, 2008. Now he serves as 'non-executive' chairman while Steve Ballmer acts as CEO since January 2000. [1,2]



References

[1] Bill Gates, Wikipedia, viewed 16 Aug 2010, < http://en.wikipedia.org/wiki/Bill_Gates >

[2] Steve Ballmer, Wikipedia, viewed 16 Aug 2010, < http://en.wikipedia.org/wiki/Steve_Ballmer >

As always, stay tuned with Asiri's Blog and feel free to comment on any post which you find interesting ...

Wi-Fi Myth Busters Series – Episode 2

                                                                                                                          Figure 1

Myth # 5 : Even with 802.11i (WPA2), there is a need of VPN still in order to provide enterprise level security to a wireless network.

IPSec and SSL VPNs are famous solutions to protect networks linked with WAN connections. So people may choose same to protect their wireless networks too. WPA fixed flaws of WEP by introducing TKIP and 802.1x/EAP or WPA-PSK as secure authentication methods. Unfortunately, TKIP is based on same cipher as WEP (RC4). When WPA2 was released it came with CCMP (Counter Mode CBC-MAC Protocol) encryption. The cipher used in CCMP is AES which is considered as strongest among IPSec VPNs. The end result is WPA2 provides same strong encryption as IPSec VPNs.

But WPA-PSK and 802.1X/EAP-LEAP authentications are both vulnerable to brute force attacks surprisingly. Even though vulnerable WPA2 authentication methods do exist, some secure methods are there too such as EAP-TLS, EAP-TTLS or PEAP which keeps credentials securely using tunnelling similar to SSL. Like that it satisfies WPA2 Enterprise Standards. WPA2 Enterprise secures the wireless link in Layer 2 but if consider about layer 3 technologies such as IPSec to protect it too, it would become less scalable and manageable.

So this myth also can be taken as partially correct.

References

Miller, B & Hill, G 2006, ‘Eleven Myths about 802.11 Wi-Fi Networks’, Expert Reference Series of White Papers , 18 August, pp. 4-5, Global Knowledge Training LLC., viewed 15 August 2010

‘Figure 1’ [image] in 2009, ‘The second day of the School on Low Cost Wireless’, school2009, viewed 15 Aug 2010, http://wireless.ictp.it/groups/school2009/wiki/8d8fe/Group_Two's_-_Day_Two.html

The previous episode of this series was posted on 8th Aug 2010 which can be found easily in this blog.To be continued…

Have you ever used | (Pipe) IOS command in a router?

This is a really cool way to filter text in output commands of Cisco routers. Please note that expressions you type with | commands are case sensitive (Typing serial0/1 instead of Serial0/1 will not work). In this tutorial a Cisco 3640 router has been used. Some | commands are not available in some routers depending on IOS version and model.

Type ‘show run | ?’ in order to see what are the available commands. Refer figure 1.

                                                                          Figure 1

Following ‘show run’ output has been used to explain commands ‘append, begin, redirect, section and tee’. Refer figure 2

                                                                              Figure 2

Append

This command can append an output of a show command into an existing file somewhere (ex: ftp, nvram). Give command ‘sh run | append ?’ to see what are the supported formats. Then issue ‘sh run | append '<'path to existing file'>'’. Refer figure 3

                                                                             Figure 3

Begin

This command can display an output starting from the given expression in it. As an example, if you want to display all lines after ‘Serial’ in show run output, command should be issued as ‘sh run | begin Serial’. Again remember that expressions are case sensitive. Refer figure 4

                                                                                   Figure 4

Tee

This command is similar to ‘append’ command but this creates a new file in given destination. Give command ‘sh run | tee ?’ to see what are the supported formats. Then issue ‘sh run | tee '<'path to new file'>'’. And also output is displayed on console at the same time. Refer figure 5

                                                                              Figure 5

Redirect

This command is similar to ‘tee’ command but output is not displayed on console at the same time. Give command ‘sh run | redirect ?’ to see what are the supported formats. Then issue ‘sh run | redirect '<'path to new file'>'’. Refer figure 6

                                                                             Figure 6

Section

This command can display a particular section of a show command. As an example, the section which is relevant to an interface in show run output can be viewed with ‘sh run | section '<'Interaface name'>'’. Refer figure 7

                                                                               Figure 7

The following ‘show ip route’ output has been used to explain commands ‘include and exclude’. Please note there are 2 ‘BGP’ routes and 3 ‘Connected’ routes in figure 8.

                                                                                Figure 8

Include

This command can display lines which include the given expression. As an example ‘sh ip ro | include B’ may filter out and display all BGP routes. Again remember that expressions are case sensitive. Instead of characters you can use numbers such as IP addresses too. Refer figure 9

                                                                             Figure 9

Exclude

This command can display lines which does not include (exclude) the given expression. As an example ‘sh ip ro | exclude B’ may filter out and display all routes except BGP routes. Again remember that expressions are case sensitive. Refer figure 10

                                                                               Figure 10

Hope you learned something new and valuable today. Make sure you practice them in order to learn where to apply correctly.

As usual, keep in touch with ‘Asiri’s Blog’ for more cool tutorials and tips like this. Do not forget to follow this using your Google account and Twitter as well.