By: Jaiz Anuar

Connecting to an open or public Wi-Fi network, such as a free wireless hotspot at a mamak stall, Coffee Bean, McD or kopitiam, exposes your laptop to security risks. Any bad guy on the same network can simply sniff your transaction data. Although it is not normally enabled, most computers have a setting that allows these connections to happen automatically without notifying you (the user); sometimes it depends on the brand. This setting should not be enabled except in temporary situations with your (the user's) awareness. Minimize your activity when connecting to public Wi-Fi.

My advice: never, never, never perform any confidential activity such as reading email, using Maybank2U or opening personal social network applications when you are connected via public Wi-Fi. Use it for normal browsing activity such as reading websites, online newspapers etc., unless you use a secured 3G connection from Celcom or Maxis; then you can trust your service provider for secured transactions.

To verify whether automatic connections to open Wi-Fi networks are allowed, check the computer's wireless configuration settings. For example, on Windows XP computers whose Wi-Fi connections are managed by the operating system, the setting is called "Automatically connect to non-preferred networks." To check this setting, follow these steps:

1. From the Start Menu, open Windows Control Panel.
2. Inside Control Panel, click the "Network Connections" option if it exists; otherwise first click "Network and Internet Connections" and then click "Network Connections."
3. Right-click "Wireless Network Connection" and choose "Properties."
4. Click the "Wireless Networks" tab on the Properties page.
5. Click the "Advanced" button in this tab.
6. Find the "Automatically connect to non-preferred networks" setting. If checked, this setting is enabled; otherwise it is disabled.

While Windows XP does not enable automatic non-preferred connections by default, some users enable it in an attempt to simplify connecting to their own home network. Users should instead configure their home network as a Windows XP Preferred network, which allows automatic connection to the home equipment yet still prevents auto-connection to other networks.

Source: ERM Blog
Wednesday, April 22, 2009
Don't Set Your Laptop to Auto-Connect to Open/Public Wi-Fi Networks
Labels: security, wifi, wireless, wireless security
Securing Wireless Network
The security of a wireless local area network (WLAN) solution works better with Wi-Fi Protected Access (WPA) WLAN protection than with Wired Equivalent Privacy (WEP). Currently, ITD has to admit that there are some potential difficulties faced by IIUM users in using WPA, which include:

• Manual configuration of WPA settings: Support for setting Windows XP client WPA settings using Group Policy is not available in versions of Windows earlier than Windows Server 2003 Service Pack 1. Until Service Pack 1 is available and you have deployed it in your organization, you will have to configure your clients manually (there is no way to script WLAN settings for Windows XP). You need to install Service Pack 1 only on the server on which you are editing the WLAN settings Group Policy object (GPO); it is not required on the clients, domain controllers, or IAS servers.

• Restricted availability of WLAN clients: At the time of writing, Microsoft only provides WPA support for Windows XP Service Pack 2 and later. PDA and smartphone operating systems running on Windows Mobile and Symbian do not support WPA yet. The only operating system that really supports a secured wireless environment is Mac OS for iPhone and iPod. Those who want to connect through the SSID iium-gadget must comply with the WPA requirement.

• Availability of WPA compliant hardware: Although WPA support is now mandatory for all Wi-Fi certified hardware, existing network equipment may need to be upgraded to support WPA. You will need to obtain firmware updates for any access points or network adapters that do not currently support WPA. In some (rare) cases, you may need to replace equipment if the manufacturer does not produce WPA updates. Again, this is a common problem with low-end Microsoft products.

Manually Configuring Windows XP WLAN Settings for WPA

Note: When GPO support becomes available, you can also use the following procedure to create a Wireless Network Policy using the same settings.

To manually configure WPA WLAN settings:

1. Open the properties of the Wireless Network interface. If the WLAN is displayed in the Available Networks list, select it and click Configure…; otherwise click Add (in the Preferred Networks section).
2. Type the WLAN name into the Network Name (SSID) field (if it is not already displayed there) and, in the Description field, enter a description of the network. Note: If you have an existing WLAN and you intend to run it side-by-side with the 802.1X-based WLAN of this solution, you must use a different Service Set Identifier (SSID) for the new WLAN. This new SSID should then be used here.
3. In the Wireless Network Key section, select WPA (not WPA PSK) as the Network Authentication type and TKIP as the Data Encryption type. (If your hardware supports it, you can choose the higher-strength Advanced Encryption Standard (AES) in place of TKIP.)
4. Click the IEEE 802.1x tab, and select Protected EAP (PEAP) from the EAP Type drop-down list.
5. Click the Settings… button to modify the PEAP settings. From the Trusted Root Certificate Authorities list, select the root CA certificate for the CA. Important: If you ever need to re-install your CA from scratch (not just restore from backup), you will need to edit the client settings and select the root CA certificate for the new CA.
6. Ensure that Secured Password (EAP-MS-CHAP v2) is selected in the Select Authentication Method list and check the Enable Fast Reconnect option.
7. Close each properties window by clicking OK.

Configuring Pocket PC 2003/PDA/Smart Phone for WPA

Original Post: ERM Blog
Until GPO support becomes available in Windows Server 2003 Service Pack 1, you must configure WPA settings on the client manually. WPA is supported on Windows XP Service Pack 1 with the WPA client download installed (or on Windows XP Service Pack 2).
WPA was not supported natively in Pocket PC 2003 running Windows Mobile, or on Symbian, at the time of writing; however, this may be implemented in the future. Support for WPA on other types of handheld is available from other vendors, such as Mac OS (iPhone and iPod),
Wednesday, January 28, 2009
Wireless Authentication Solutions
As is the case with any valuable resource, there must be limitations on who can access and use your wireless medium. In some situations, such as when offering wireless access to attract customers, these limitations will be minimal. In others, we want the greatest possible protection available. Controlling access to computer resources is best illustrated in the AAA framework: Authentication, Authorization, and Accounting. Authentication is the ability to identify a system or network user through the validation of a set of assigned credentials. If you have ever been prompted for a username and password when turning on your computer, you have experienced authentication first hand. Authorization defines the ability of a specific user to perform certain tasks, such as deleting or creating files, after the authentication process has taken place. Finally, accounting allows us to measure and record the consumption of network or system resources. The AAA framework lends itself well (as it does to any computer resource) to wireless network access control.

RADIUS

Based on the AAA framework, RADIUS is a popular[1] client/server approach for authenticating remote users. In order to do this, the RADIUS protocol challenges, or prompts, end users for their credentials through a Network Access Server, or NAS. The NAS is actually a client of a RADIUS server, which centrally controls user access to its client's (the NAS) services. A RADIUS server is responsible for receiving end user requests, authenticating the user, and then providing the NAS with all of the information necessary for it to deliver services. RADIUS can use several Database Management Systems and directory protocols to manage the list of network users and their privileges. As you can see, this method of authentication provides a secure and centralized way to control access to network resources. But what does it have to do with wireless networking?
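The NAS-to-RADIUS-server exchange just described, as an added Python example that is not from the original post: a NAS builds an Access-Request, the server checks it against its user list and signs its verdict, and the NAS trusts the verdict only if the Response Authenticator was computed with the shared secret. It assumes the RFC 2865 User-Password hiding and Response Authenticator formulas (the post does not name a method); the usernames, passwords and shared secret are constructed sample values.

```python
import hashlib, hmac, os, struct
# Codes and attribute types from RFC 2865, the RADIUS standard the post refers to.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def attr(atype, value):  # one type-length-value attribute
    return struct.pack("!BB", atype, 2 + len(value)) + value

def parse_attrs(body):
    attrs, pos = {}, 0
    while pos < len(body):
        attrs[body[pos]] = body[pos + 2:pos + body[pos + 1]]
        pos += body[pos + 1]
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def packet(code, ident, authenticator, body=b""):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_auth(code, ident, body, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(packet(code, ident, request_auth, body) + secret).digest()

def nas_access_request(username, password, secret, ident=1):
    """The NAS (here, an access point) builds the request; a random Request Authenticator keys the hiding."""
    request_auth = os.urandom(16)
    body = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, body), request_auth

def server_respond(request, secret, users):
    """The RADIUS server checks the hidden password against its user store and signs the reply."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:])
    expected = users.get(attrs.get(USER_NAME))  # constructed sample user store: {username: password}
    ok = code == ACCESS_REQUEST and expected is not None and hmac.compare_digest(
        attrs.get(USER_PASSWORD, b""), hide_password(expected, secret, request_auth))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_auth(code, ident, b"", request_auth, secret))

def nas_verify_response(response, request_auth, secret):
    """The NAS trusts the verdict only if it was signed with the shared secret for this very request."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_auth(code, ident, response[20:], request_auth, secret)
    return code if length == len(response) and hmac.compare_digest(response[4:20], expected) else None
```

A reply signed with any other secret, or replayed against a different Request Authenticator, is rejected by the NAS, which is why the NAS/server shared secret must be kept private per client.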
EAP

Extensible Authentication Protocol is used by wireless access points to facilitate authentication. When a user requests access to an AP, EAP (if enabled) will challenge the user for his or her identity. EAP then passes the credentials to an authentication server such as RADIUS, which will allow or deny access to its resources. EAP can be easily implemented because it can be used with a back-end authentication server such as RADIUS, and it supports multiple authentication methods such as Kerberos and Public Key Infrastructure (PKI). There are several different types of EAP, which employ different methods of passing authentication information, but for our purposes it is only important to know that EAP is the component of the authentication process that lies on the wireless tier.

LDAP

Lightweight Directory Access Protocol, or LDAP, is a straightforward technology that defines the way information is organized and accessed. As a protocol, it is inherently a set of rules for communication. By implementing LDAP, network administrators can centralize and secure user information for easy management. LDAP can work in conjunction with RADIUS in order to authenticate users.

RADIUS, EAP, and LDAP: Solid Wireless Authentication

Though there are other solutions for authenticating wireless clients, the combination of RADIUS, EAP, and LDAP is the most common and available solution in use in business today. Each component has associated open-source software that is freely available for network administrators to download, configure, and use. Thus, with the hardware in place, installation of an authentication system is inexpensive.

Other Solutions

There are other authentication frameworks and methods that you can employ that will perform in different ways. Another popular method is NoCat[2], which was initially developed as a community project and as an amateur wireless network authentication scheme that does not require the time- and resource-consuming setup of a RADIUS server and user database (Vladimirov, Gavrilenko, Mikhailovsky). NoCat uses a wireless access point and a Linux router or gateway box to control access. Whatever authentication method you decide to employ, if you decide to employ one at all, remember that the number one goal is to protect your valued resources effectively and within your specific business' constraints.

[1] According to SearchSecurity.com, RADIUS is "a de facto industry standard used by a number of network product companies and is a proposed IETF standard".
[2] "Community Supported 802.11b Wireless Network in Sonoma County, CA", http://nocat.net (accessed November 2004).

Authentication and Access Control

Labels: AAA, EAP, LDAP, RADIUS, wireless security
