Security approaches
georgew
12-11-2002, 09:57 AM
I would be interested in hearing what people are doing for security.
If I could have anything, I would use one wep key per customer, and use their mac address as the way to identify the customer. So in effect, the mac address is the user "name" and the wep key is the password (as well as the encryption key).
This would keep users from sniffing each other's traffic, and make any wep hack more difficult. Of course I'm talking about using wep plus, which should be as difficult to hack as any other 128 bit encryption.
I heard mention that wep reduces throughput by 50%, but in my own tests this does not seem to be true... Comments?
However in absence of per-user-keys we have to use an external security mechanism. PPTP is the easiest to support on the customer end, but on the ISP end there are a dozen or more ways to implement PPTP. I would like to hear what others are doing in this regard.
Some people tell their customers to use ssl, ssh, and other mechanisms, and do nothing further for them... People in this camp should speak up too, as I would like to understand the full rationale behind this approach.
In particular I am personally looking for something that protects the customer, but still allows them to surf at megabit speeds. At the same time I would like to be able to limit the number of encryption servers to one or two, and still be able to have a few thousand users. I know this is asking too much, but I am building an ISP based on the same products as you all are, so these should be questions we all have on our mind.
Some of you have been doing this for a long time, so your experience will be helpful for the rest of us.
George
Most 802.11b cards have little to no speed impact for WEP, except for the original Prism 2 cards (such as the XI-300) using the old firmware such as v0.8.3.
There are a few protocols for dynamic / per-user WEP that some manufacturers are using, including RADIUS-based EAP and 802.1x authentication which requires a special authentication client on the customer's machine. (EAP can be designed into the customer radio driver to hide this fact though).
In any case, you will require a special Windows, Linux, Mac, Palm, etc. driver or 802.1x client that can handle the dynamic keys, even if we take the simplest approach and devise a proprietary implementation method.
Probably the easiest method with the least compatibility problems is to get your customer to use a VPN firewall if they are worried about over-the-air attacks.
bobbyc
12-11-2002, 11:35 AM
Yup, Windows has built in 128 bit PPTP VPN. Older Windows machines need the dialup networking update. Windows 2000 needs service pack 2 or 3, sp1 is 64 bit. We have a separate 64 bit VPN server, so when we are doing installs we can hook up the wireless and download SP2 or 3 from their computer.
On our newest tower, we are going to test out some WEP (deny unencrypted data) along with our VPN.
Bob C
georgew
12-11-2002, 12:25 PM
I saw that buffalo was supporting 802.1x/EAP... what does this mean exactly? Do they have this in their client drivers already? What is the state of the 802.1x standard? Do we really even have a standard yet?
When I was a voting member of the modem standards committee working on fax and 28k standards, most of the manufacturers would vote down everything until they had it implemented themselves, in order to not be "last". This prevented work from being done, and dragged out the standards process for years longer than required. USR jumped ahead by implementing their own proposal despite everyone else, and of course their proposal was voted down by everyone for that reason. The standards process got in the way more than it helped. With the memory of this in mind, I'm fearful that 802.1x may be years away still...
PPTP is fine and all, but there seems to be a huge performance penalty. Of those of you using PPTP, what are you using exactly, and how much performance does it cost you? Can a client run at megabit speeds through pptp?
George
(competing with T1 speeds on DSL and cablemodems)
George
I hold lonnie's point of view: Encryption is the customer's responsibility. If you accept any responsibility at all for encryption, that makes you extremely liable for anything they can come up with. If they mention something about dsl/cable modem being more secure, I haven't tried it but I'm sure cable modem traffic is as sniffable as regular ethernet. Then the 3rd approach is the whole 'nothing is secure on the internet unless you make it' approach, then offer some sort of end-to-end vpn package for an additional cost, with a signed best-effort type disclaimer. That's the direction I'm headed, I won't guarantee any security at all unless I control both ends of the connection, then the protocol of choice can be implemented in software on both ends, regardless of the way they're connected.
georgew
12-12-2002, 09:28 AM
Ok, say for the sake of discussion, I'm one of your customers.
I want to surf the net, without my neighbor being able to monitor the sites I surf. Most of the sites don't have ssl, so encryption is not available.
What would you suggest this customer do?
George
There are two things here. For starters, EAP, 802.1x are designed as an Authentication mechanism, and not to strengthen security (other than preventing war drivers, but MAC ACL will prevent that with no change to the customer's machine). These protocols still ride on RC4 encryption from the regular 802.11b card, so can still be 'cracked' via over-the-air sniffers, regardless if it dishes out per-user keys or not.
Now, for the security part, the best bet in this case would be to enable 128-Bit encryption using ORiNOCO GOLD cards to take advantage of WEP-PLUS, which is quite a bit more difficult to crack than the Intersil implementation, yet is fully compatible with them. Make sure your client-side card has firmware v8.10+ to make use of this feature.
Anybody on your local AP (say the house next to you) that is associated can use a *nix box and 'tcpdump' the link to see what you are doing, regardless of EAP, 802.1x, etc as it is now network, not RF level. To get around this problem, disable the Inter-BSS relay option on the AP, which will prevent other customers from 'sniffing' your traffic.
The overall best solution all round would be to use an encrypted IP protocol in addition to WEP-PLUS, and other security measures. This can be done via PPTP on Windows, so you can build a PPTP server at your NOC for your clients to log into. This would encrypt all traffic to your T1 through a tunnel.
Thanks!
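Added example, not part of the original thread: a sketch of why the post above says per-user keys and longer keys still "ride on RC4". WEP seeds RC4 with a 24-bit cleartext IV prepended to the secret key, so any repeated IV repeats the keystream regardless of key length. The key, IV and frame contents are constructed sample values, the function names are this example's own, and the CRC-32 ICV of real WEP is omitted.

```python
# Added illustration (constructed data, hypothetical names): WEP per-frame keying.
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key schedule (KSA), then n bytes of output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """WEP seeds RC4 with IV || key; the 3-byte IV is sent in clear (ICV omitted)."""
    if len(iv) != 3: raise ValueError("WEP IV is 24 bits")
    ks = rc4_keystream(iv + key, len(payload))
    return bytes(p ^ k for p, k in zip(payload, ks))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def iv_wrap_seconds(mbit_per_s: float, frame_bytes: int = 1500) -> float:
    """Time for a counting IV to run through all 2**24 values at a given load."""
    frames_per_s = mbit_per_s * 1_000_000 / (frame_bytes * 8)
    return 2**24 / frames_per_s

def frames_for_even_odds_collision() -> int:
    """Birthday bound: frames until a random-IV repeat is about 50% likely."""
    return math.ceil(math.sqrt(2 * math.log(2) * 2**24))

# Constructed sample data: a "128-bit" WEP key is 104 secret bits plus the IV.
KEY_104 = bytes(range(1, 14))
IV = b"\x00\x12\x34"
FRAME_A, FRAME_B = b"GET /index.html HTTP/1.0", b"USER alice PASS example1"

def reused_iv_leak(key: bytes = KEY_104) -> bool:
    """Same IV and key give the same keystream, so C1 xor C2 == P1 xor P2."""
    c1 = wep_encrypt(IV, key, FRAME_A)
    c2 = wep_encrypt(IV, key, FRAME_B)
    return xor(c1, c2) == xor(FRAME_A, FRAME_B)

if __name__ == "__main__":
    print(reused_iv_leak(), iv_wrap_seconds(5) / 3600, frames_for_even_odds_collision())
```

The wrap time and birthday figures are why an IP-layer tunnel on top of WEP, as the post recommends, is what actually protects the customer's traffic.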
bobbyc
12-12-2002, 10:52 AM
aha, but if when you started your wisp venture a year ago you had been deploying orinoco silver usb clients, they can't do 128bit, right? Or can they with firmware 8.10?
Bob C
The silver cards are strictly 40-bit, but still capable of WEP-PLUS using the 8.10+ firmware, which is better than nothing.
The new Ruby cards from YDI (~$49) also have 128-bit WEP. I'm not sure on the FCC regs for them though, but they do work well.
georgew
12-12-2002, 11:32 AM
Remember, the question is what you would tell me, the wireless customer, not me the ISP. Dkii suggested that the ISP provide no encryption at all. In this case the customer has the "responsibility" of providing his own solution, except that unless the ISP provides free colocations for encryption machines, the customer has no choices.
As for Wep plus and turning off IBSS relay, those help for sure, as long as the customers cannot see each other.
But of course I agree that providing a PPTP server is the only way an ISP can provide any help.
But frankly I was hoping for a discussion of PPTP servers... what people are using and how it is working for them.
George
bobbyc
12-12-2002, 11:35 AM
We use a FreeBSD PPTP server
Steve
12-12-2002, 05:59 PM
What does turning off IBSS relay accomplish? You could still see everything coming out of the AP, you just wouldn't be able to talk to your neighbor.
What does turning off IBSS relay accomplish? You could still see everything coming out of the AP, you just wouldn't be able to talk to your neighbor.
The AP itself sees all traffic (as it should), however as you mentioned, your neighbor cannot see any traffic but their own with the BSS Relay disabled.
ddvzlnz
12-17-2002, 09:33 AM
We use http://www.HotSpotVPN.com.
Clients can use it from anywhere. All of the clients' OSes support PPTP so setup is easy.
georgew
12-27-2002, 11:23 AM
I'm trying to come up with a PPTP server solution.
I started with the FreeBSD solution based on netgraph, and while it works, it was dog slow.
I've got a snapgear box that is fast, but it will only handle 33 simultaneous connections.
Soekris makes an encryption accelerator, but the driver is beta, and I have only seen one person say he got it working... and with the limited support Soekris offers, it is hardly exciting to spend the time to test it out.
Does anyone have a PPTP solution that can do at least a megabit per customer in bursts, at least 5 megabits total aggregate throughput, and can handle a large number of mostly idle users?
George
Here's a free and quick solution for PPTP tunnel termination:
http://www.poptop.org/
aerocoach
01-27-2003, 12:33 PM
Anyone running MPD, another PPTP server on FreeBSD for VPN access?