Metro WiFi and security?

Archived from groups: alt.internet.wireless (More info?)

Anyone familiar with how Houston, Philly, et al., are going to manage
security on their metro WiFi schemes?

Should be interesting.

They need something. WEP is out. WPA-TKIP/PSK would mean having preshared
keys all over the place.

How about enterprise level WiFi security such as EAP? Does that have
applicability?

tnx
jtm
  1. Archived from groups: alt.internet.wireless (More info?)

    On Tue, 28 Sep 2004 19:39:56 -0400, "Jim Miller"
    <jim@removethisjtmiller.com> wrote:

    >Anyone familiar with how Houston, Philly, et al., are going to manage
    >security on their metro WiFi schemes?
    >Should be interesting.

    Yeah, sorta.

    >They need something. WEP is out. WPA-TKIP/PSK would mean having preshared
    >keys all over the place.
    >
    >How about enterprise level WiFi security such as EAP? Does that have
    >applicability?

    WPA? Whazzat? Most of the existing and proposed metro WiFi systems
    are using WEP and MAC address filters.
    http://www.tropos.com/pdf/Tropos_Security_WP.pdf
    However, the real security is end to end tunnels using IPSec VPN
    tunnels.

    A big headache in a mesh network is that each poletop access point has
    to talk to each other access point. Individual encryption keys
    between poletops is an administrative nightmare. Therefore, the entire
    system has to use one common encryption key or pass phrase. Changing
    the key regularly is not impossible but rather tricky. In addition,
    with a store-n-forward, single radio type poletop, the client radios
    must also have the encryption key or pass phrase configured. So much
    for system wide security. The ones that I've seen, that are actually
    deployed, use a trivial WEP key to keep the casual tourists out, MAC
    address filtering, IDS (intrusion detection system), and lots of
    system monitoring. Only one I know about provides VPN termination
    services at the ISP gateway. Since over half the client radios
    currently in service do not have WPA capabilities, WEP is the common
    denominator.

    There are some proprietary schemes being tested. Sorry, I can't talk
    about them.


    --
    Jeff Liebermann jeffl@comix.santa-cruz.ca.us
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 AE6KS 831-336-2558
  2. Archived from groups: alt.internet.wireless (More info?)

    i'm having a little trouble understanding how a city providing universal
    access to the net will implement mac address filters for every citizen. also
    these networks are hyped as a means for commerce to develop that wouldn't
    have otherwise. what happens when vendors from out of town come to visit and
    expect to connect?

    it just seems a little half baked...

    bwdik

    jtm
  3. Archived from groups: alt.internet.wireless (More info?)

    On Wed, 29 Sep 2004 06:56:31 -0400, "Jim Miller"
    <jim@removethisjtmiller.com> wrote:

    >i'm having a little trouble understanding how a city providing universal
    >access to the net will implement mac address filters for every citizen. also
    >these networks are hyped as a means for commerce to develop that wouldn't
    >have otherwise. what happens when vendors from out of town come to visit and
    >expect to connect?
    >
    >it just seems a little half baked...

    The security issue with metro wireless is in 3 almost separate areas.
    1. Mesh network security. The idea is to keep the hackers (like me)
    out of the mesh and backbone. Impersonating a poletop is a good
    example.
    2. Client security to prevent sniffing of passwords.
    3. Traffic security, to prevent gamers from using the poletops as
    their private repeaters.

    There are others, but these are the main issues. Unfortunately, the
    encryption issues are different in all cases, with little overlap.
    For example, the correct way to deal with email security is to have
    the ISPs provide an IPSec VPN termination at their gateway. The
    customer can then create their own individual secure tunnel. Locally,
    I only know 1 ISP that's actually doing that and 2 more that are
    considering it. Everyone else says to use webmail with SSL
    encryption. Yech. It's not like such boxes are difficult to find or
    implement:

    http://www.nokiausa.com/business/mobility/mobileconnectivity/nokiaipvpn/nokiaipvpngateways/1,2888,,00.html

    From what I've seen, most metro wireless systems are not for the GUM
    (great unwashed masses). They are primarily for municipal services
    (police, fire, roads, utilities, etc) and whatever excuse was used to
    fund it in the name of anti-terrorism. These can make effective use
    of VPNs and MAC address security. The GUM is on their own.

    Traffic security is interesting in that most WISPs don't appreciate
    the problem until it hits them. Turning a public poletop into a
    private network repeater is fairly simple. It comes under "theft of
    bandwidth" or some such security buzzword. No need to connect to the
    internet, just your friends and neighbors.

    I'm not really sure how these metro wireless systems are going to be
    managed, who's gonna get the support headache, and how they're going
    to deal with enforcement. One funding proposal I've seen had zero
    dollars for management. Just turn it on and walk away. It's no
    different than an ISP or WISP, but on a much larger scale. I guess it
    should be handled the same way with the added enjoyment of municipal
    bureaucracy. Dunno.


    --
    Jeff Liebermann jeffl@comix.santa-cruz.ca.us
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 AE6KS 831-336-2558
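
Added example, not part of the original thread: one way the "lots of system monitoring" mentioned above could surface the private-repeater problem from post 3, by totalling traffic between client pairs that never reaches the gateway. The client address pool, the byte threshold and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the thread): clients get addresses from this pool,
# and anything outside it is reached through the ISP gateway.
CLIENT_NET = ipaddress.ip_network("10.20.0.0/16")
PAIR_BYTES_THRESHOLD = 50_000_000   # constructed threshold per reporting window

# Constructed flow records: (source IP, destination IP, bytes).
SAMPLE_FLOWS = [
    ("10.20.1.15", "198.51.100.7", 4_200_000),   # client -> internet
    ("10.20.1.15", "10.20.3.40", 61_000_000),    # client -> client
    ("10.20.3.40", "10.20.1.15", 58_500_000),    # return direction, same pair
    ("10.20.2.9", "203.0.113.25", 12_000_000),   # client -> internet
    ("10.20.2.9", "10.20.2.77", 900_000),        # small local transfer
    ("10.20.5.5", "192.0.2.10", 75_000_000),     # heavy, but internet-bound
]

def is_client(addr):
    """True when the address belongs to the assumed client pool."""
    return ipaddress.ip_address(addr) in CLIENT_NET

def local_pair_totals(flows):
    """Sum bytes per unordered client pair for flows that never leave the mesh."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_client(src) and is_client(dst):
            # Sort the pair so both directions count toward the same total.
            totals[tuple(sorted((src, dst)))] += nbytes
    return dict(totals)

def flag_repeater_use(flows, threshold=PAIR_BYTES_THRESHOLD):
    """Return (pair, bytes) for client pairs at or above the threshold, largest first."""
    hits = [(p, b) for p, b in local_pair_totals(flows).items() if b >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for (a, b), nbytes in flag_repeater_use(SAMPLE_FLOWS):
        print(f"{a} <-> {b}: {nbytes} bytes stayed inside the mesh")
```

Heavy internet-bound clients are deliberately ignored here; only traffic that stays between two clients counts toward the total.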
  4. Archived from groups: alt.internet.wireless (More info?)

    from the news reports philly and houston are specifically targeted at the
    GUM.

    jtm
  5. Archived from groups: alt.internet.wireless (More info?)

    On Wed, 29 Sep 2004 12:02:54 -0400, "Jim Miller"
    <jim@removethisjtmiller.com> wrote:

    >from the news reports philly and houston are specifically targeted at the
    >GUM.

    Hint: It's an election year, where the politicians have to make
    grandiose promises to the GUM. After November, I would not be
    surprised if the whole idea hits some "unexpected obstacle" such as
    pressure from the cellular companies or some type of legal challenge
    against municipalities competing against private enterprise. However,
    I hope it happens as we do need at least one good solid disaster as
    an incentive to clean up the technology.

    Incidentally, Tropos Networks is "considering" the use of WPA and
    802.1x authentication in their systems. Progress blunders onward.


    --
    # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    # 831.336.2558 voice http://www.LearnByDestroying.com
    # jeffl@comix.santa-cruz.ca.us
    # 831.421.6491 digital_pager jeffl@cruzio.com AE6KS