You can secure that wireless net

NASA's Dave Tweten, front, and contractors Nichole Boscia and Derek Shaw created a secure wireless network from open-source apps knitted together with custom code.

NASA's Tweten says he was shocked to find that wireless security in the Ames Advanced Supercomputing Division was 'pretty much nonexistent.'

Kim Kulish/Corbis SABA

Team at Ames Research Center uses freeware to lock down a WLAN

Researchers at NASA's Ames Research Center found the wireless LAN security they sought in freeware.

Using an ordinary PC running the OpenBSD operating system, three open-source applications and a bit of custom code, a trio at Moffett Field, Calif., last year built a secure IEEE 802.11b wireless LAN gateway that serves an average of 30 users daily. During conferences, up to 10 guest users can log in at once.

The wireless firewall gateway for the Advanced Supercomputing Division at Ames uses the encryption and authentication already present in the division's IT systems.

'We had begun to discover people bringing in wireless access points and connecting them to their machines without authorization,' said Dave Tweten, the division's computer security official.

Instead of forbidding the wildcat devices, the division approved setting up a managed wireless LAN. Its networking staff briefed Tweten on the state of the 802.11b wireless fidelity standard, known as WiFi.

'I was shocked to realize that wireless security was pretty much nonexistent,' Tweten said.

Even though WiFi has encryption and address authentication, they didn't look very reliable to Tweten. So he and colleagues started looking around for ways to build a reasonably secure wireless LAN without a lot of administrative overhead. The network would have to be open enough for visitors' use while denying hackers a platform for launching cyberattacks.

After the initial planning, Tweten went to the DefCon 9 and Black Hat 2001 computer security conferences. 'What I saw there confirmed for my taste that we were headed in the right direction,' he said.

His gateway quarantines the wireless network behind a firewall controlled by the division staff. The key application is an open-source Dynamic Host Configuration Protocol server, which 'leases' temporary IP addresses to users with wireless network cards. Tweten got the beta DHCP Version 3 server application from the Internet Software Consortium, at www.isc.org.

Mobile users of DHCP clients must renew their leases periodically or lose their authentication.

The gateway also uses the open-source Apache Web Server and IP Filter, a customizable firewall included with many versions of OpenBSD.

The wireless network gives two classes of service. One class accesses the division's machines and the Ames virtual private network server. The other class gives authenticated users a gateway to the Internet as well as to Ames systems.

The first class of service uses the encryption in the division's VPN software and the Secure Shell protocol. The end-to-end encryption services bypass the relatively poor security of the Wired Equivalent Privacy protocol.

'In fact, we turned off WEP encryption because in our circumstance it's fairly useless,' Tweten said.

Easy access

The WiFi LAN is accessible through common network cards and Web browsers with Secure Sockets Layer security, Tweten said, because most visiting colleagues have them already.

Division employees are automatically included in the authentication database. Visiting researchers can arrange to be authenticated for a fixed period of time.

'We tried to keep down the overhead and particularly the response time involved in providing legitimate access, while still preventing unauthorized access,' Tweten said.

Users log in to the gateway from their notebook PCs by giving names and passwords, said Derek G. Shaw, a senior security analyst for Advanced Management Technology Inc. of Arlington, Va.

Shaw and Nichole K. Boscia, a Computer Sciences Corp. network engineer who also works at the division, wrote a short program that the Web server runs to make the firewall access rules dynamic.

Boscia modified the DHCP code to contact the firewall and remove a rule when a lease expires.
'Once a user's authenticated, the door opens to the Internet or other resources, and when they're done, the door closes,' Shaw said.

'It's really not a wireless solution per se. It's nothing new. What's fairly new and innovative for us, and maybe for the wireless community, is that we took a lot of open-source software and built our own firewall gateway that can be extended with additional features. It's just that nobody ever thought of doing that with wireless or modifying the DHCP code to make things work.'

Shaw said vendors are working to resolve the insecurities in WEP, 'but we took the approach that wireless is insecure, period. We built around the insecurities.'

The firewall gateway project took three months to reach a working prototype stage. Boscia and Shaw spent about 40 hours total writing the code that ties the freeware components together.

The division now has 20 WiFi wireless access points from Avaya Inc. of Basking Ridge, N.J. Adding more access points would require more computing power for the wireless gateway, Tweten said.

Version 2 of the gateway'with active intrusion detection, code cleanup and bug fixes'will debut in the next few months, Shaw said. The group also hopes to get a faster host. At the moment it's a 400-MHz Pentium II PC with an Ethernet card. The next host will have to accommodate more users and bandwidth.

Officials from other parts of NASA Ames have expressed interest in the wireless strategy, Tweten said, but haven't yet decided to try the open-source approach.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above