Walk-In-Wireless Security Considerations

First, it should be understood that network security is relative. There is no such thing, at the modest level of funding available for this project, as 100% iron-clad security for a wireless connection. Moreover, the need for patron convenience in a public access situation, and the need to minimize staff time involved in maintaining wireless availability weigh against the more restrictive and more secure approaches.

Second, security considerations can seem confusing and complex. However, a general understanding of the issues is absolutely necessary if one is to make good decisions about public access wireless services.

This document seeks to explain the issues from several perspectives. The first section, User Security Considerations, was drafted in early 2004. It is still valid, as far as it goes. The second section, Security and Anonymity, is newer and has been prompted by concerns on the part of UNET, the manager of the Maine School and Library Network.

User Security Considerations

Wireless communication between a wireless client computer and the wireless access point is susceptible to eavesdropping, using a variety of readily available "sniffer" software tools. A site may choose to set up public access wireless in any of several ways. The configuration determines the relative vulnerability of a wireless connection to eavesdropping. Here are the major choices:

Wide Open
Both users and library staff encounter a minimum of complexity in setting up and using a wireless connection if the link is set up as "wide open". The access point's name is broadcast, encryption is turned off, and no attempt is made to restrict access on the basis of client card MAC (Media Access Code) address. Normally, a user with an active 802.11b or 802.11g client wireless card can simply sit down and start using the connection. In such an environment, the user should be extremely wary of sending username, password, credit card numbers and other sensitive material, unless communicating with a site that supports a secure encryption scheme such as SSL (Secure Sockets Layer) that takes care of encryption. Most browsers show a lock icon, often on the lower right, indicating an active SSL link. Note, however, that most POP mail servers and clients do not support SSL. Hence, checking your mail on an unencrypted connection to your mail server may send your email username and password out for any eavesdropper to see.
WEP (Wired Equivalency Protection)
WEP encryption uses a "key" or password to code and decode wireless data traffic. It puts a significant barrier in the way of eavesdroppers. The WEP key, usually a long string of meaningless letters and numbers, will need to be entered by the user in the appropriate wireless configuration screen. However, tools for breaking what is a flawed encryption scheme are readily available. Given enough traffic, these tools can determine the WEP key in one to several hours and capture the content of subsequent traffic. Sites with relatively low, non-constant traffic will likely be protected better by WEP than those with constant and high levels of traffic. However, if WEP is to be supported, library staff must set and regularly change WEP keys, and users must change the WEP key whenever it is changed on the access point. Library staff will likely need to provide assistance to users in doing this.
WPA
A new and much more effective security standard called WPA is now available. However, client network cards must be upgraded or replaced in order to support it, and no access point is fully secured if even one user with a pre-WPA client card is allowed to connect. This will be a problem for the next several years given the number of 802.11b, non-WPA client cards in use. To take full advantage of the new capabilities, an access point should be set up to only connect to WPA-enabled clients. Sites that wish to implement WPA for enabled clients may choose to do this, and set up a second, separate access point that only works with old, non-WPA clients. Note, however, that assistance to users may be called for.
Secret SSID
Security can be enhanced without encryption, on the basis that if an access point is "invisible" it cannot be as easily spied upon. The access point can be set to not "broadcast" its name, or SSID. Without special software, the presence of the access point will go undetected. In order to work with the access point, a user will need to manually define a new wireless access point using client software and specify its name as provided by library staff. Of course library staff will need to set and periodically change the SSID.
MAC Address Filtering
It is also possible to "register" users based on the unique MAC (Media Access Code) address of the client interface card. The access point will accept up to 40 entries for devices allowed to connect. If the SSID is broadcast and encryption is turned off, this approach offers relatively little inconvenience to the user. However, library staff will need to insert the MAC address into the AP via a web page interface the first time someone comes in. Once all 40 slots have been used, the oldest entries, or at least those that are known not to be used often, will have to be overwritten. Moreover, if one can determine the MAC address of an authorized machine, it is relatively easy to "spoof" or imitate that address on another computer and gain access in that manner.
Combinations
WEP, secret SSID and MAC Address filtering can be applied together or in any permutation to enhance security beyond what is provided by any one measure. Whether and how to do this will be determined by the balancing of ease of use for patrons, time and expertise requirements for staff, and expectations of confidentiality of wireless data traffic.
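The MAC Address Filtering entry above describes a 40-slot table that staff fill in by hand and must prune once it is full. The following is an added example, not code from the Walk-In-Wireless project or from any access point vendor, that models that table: a typed-in address is normalised and validated so that transcription errors are caught at entry time, and when every slot is taken the entry whose owner was seen least recently is displaced to make room. The capacity and every MAC value used are constructed for the example.

```python
"""Access-point style MAC allowlist with a fixed number of slots.

Added example, not code from the Walk-In-Wireless project or from any access
point vendor. Capacity and MAC values are constructed.
"""
import re
from collections import OrderedDict


def normalize_mac(raw: str) -> str:
    """Return the address in canonical aa:bb:cc:dd:ee:ff form.

    Accepts the separator styles people read off their hardware
    (AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, AABBCCDDEEFF) and rejects anything
    that is not exactly six hex octets, so a dropped or mistyped digit is
    caught at entry time instead of silently producing a useless entry.
    """
    hexdigits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a valid MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(raw: str) -> bool:
    try:
        normalize_mac(raw)
        return True
    except ValueError:
        return False


class MacAllowlist:
    """Fixed-capacity allowlist; entries are kept least recently seen first."""

    def __init__(self, capacity: int = 40):
        self.capacity = capacity
        self._slots = OrderedDict()  # normalised mac -> last seen (int)

    def register(self, raw_mac: str, now: int):
        """Add or refresh an entry; returns (mac, displaced_mac_or_None)."""
        mac = normalize_mac(raw_mac)
        displaced = None
        if mac in self._slots:
            self._slots.move_to_end(mac)
        elif len(self._slots) >= self.capacity:
            # Table full: drop the least recently seen patron, which is what
            # staff would otherwise do by hand in the access point's admin menu.
            displaced, _ = self._slots.popitem(last=False)
        self._slots[mac] = now
        return mac, displaced

    def is_allowed(self, raw_mac: str, now: int) -> bool:
        """Association check; a hit refreshes the entry's last-seen time."""
        if not is_valid_mac(raw_mac):
            return False
        mac = normalize_mac(raw_mac)
        if mac not in self._slots:
            return False
        self._slots[mac] = now
        self._slots.move_to_end(mac)
        return True

    def __len__(self) -> int:
        return len(self._slots)


def demo_full_table():
    """Fill all 40 slots, then show which entry a 41st patron displaces."""
    table = MacAllowlist(capacity=40)
    for i in range(1, 41):  # 40 constructed patron MACs, 02:00:00:00:00:01..28
        table.register(f"02-00-00-00-00-{i:02X}", now=i)
    table.is_allowed("020000000001", now=100)  # patron 1 returns; slot refreshed
    mac, displaced = table.register("02:00:00:00:00:29", now=101)  # 41st patron
    return mac, displaced, len(table)


if __name__ == "__main__":
    print(demo_full_table())  # ('02:00:00:00:00:29', '02:00:00:00:00:02', 40)
```

Because patron 1 re-associated after the table filled, it is patron 2's entry that gets displaced, not the oldest registration; tracking last-seen rather than first-registered is what keeps regular visitors from being bumped. None of this changes the caveat already given above: the table decides only which addresses may associate, and an address can be copied.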

Site Security Considerations

Libraries are concerned with the security of their existing network. Depending on your network provider and the hardware device used in conjunction with that connection, it may be possible to define a new subnet that effectively prevents wireless users from linking to resources on the regular wired network. Even absent this protection, use of a combination access point / router with Network Address Translation (NAT) should make the existing network invisible to users.

The Bottom Line

The Wide Open approach is the easiest for libraries and for library users and is attractive where one can establish a full separation of wireless and wired traffic via network segmentation or some other method. Users must be made aware of the vulnerability of their connection, however. For its modest additional defense against casual hackers, the WEP approach in conjunction with a public SSID seems attractive. Sites seeking the "registration moment", but without getting involved in maintaining and helping users set up WEP keys may opt for the Secret SSID approach.


Anonymity and Security

The Walk In Wireless in Public Libraries Project has always aimed at giving libraries a running start in offering public wireless internet access to their clientele. We realized from the start that the technology would evolve and that needs would change as public usage and library needs became clearer. Fortunately, most of the electronic components of wireless technology are relatively inexpensive, and therefore might be replaced after just a couple years of service with products offering more capabilities.

One year after the first 45 WiW installations, with 15 libraries in the second wave yet to be set up, it is worth revisiting the choices available -- not just to the new libraries but also, potentially, to existing sites.

The motivating factor is "security".

Wireless security issues are of at least 3 kinds:

  • Security for the wireless user against interception of personal information by identity thieves or others with nefarious intent.
  • Security for the library's wired network against intrusions by wireless machines, either intentionally or under control of some undetected network worm that has infected the wireless user's machine.
  • Security for the wide area network and its users, indeed for the Internet generally, against the intentional or worm-driven actions of wireless users.

Security For The Wireless User

WiW libraries have always had the option to enhance security for the wireless user by turning on WEP encryption. The downside is that users will need to open a wireless networking applet and accurately type the current WEP key or key phrase before having access to the network. Moreover, library staff will need to be ready to assist some significant percentage of users who are unfamiliar with this procedure. There exists a small risk that inadequately trained staff could inadvertently change something that would then cause the laptop not to work the way it normally would in other wireless environments, or that unskilled user configuration efforts could come to a similar result.

Nearly all WiW sites currently run "wide open", without any wireless encryption, and warn users that they should not enter passwords or send confidential information. Note, however, that most commercial web sites utilize browser level encryption whenever credit card numbers, usernames and passwords and similar information is requested. Such browser-level (SSL) encryption is actually more secure than WEP encryption for those transactions during which it is active.

Security For The Wired Network

Security for the library's wired network is usually achieved by using hardware to divide the network into a wired segment and a wireless segment. In a great many installations, MSL has inserted a utility switch downstream of the MSLN (or other ISP) router. The wireless access point was attached to one port on the switch. If the library already had a hardware firewall, it was connected to another port on the switch. If the library lacked a hardware firewall, MSL generally supplied a utility router with SPI (Stateful Packet Inspection) firewall capabilities.
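The switch-plus-utility-router arrangement described above (and under Site Security Considerations) works because the router with SPI tracks connections and refuses anything the wireless segment tries to open toward the wired segment. The following is an added example, not the project's configuration and not any router vendor's code, that models that policy so the effect of each rule can be seen on a packet sequence: the wireless segment may open connections to the Internet, may not open connections into the wired segment, and only reply packets of connections it opened are let back in. The two subnets, the assumption that wired hosts may reach the wireless segment, and every packet in the demo are constructed.

```python
"""Stateful filter policy between the wired and wireless segments.

Added example, not the project's configuration and not any router vendor's
code. Subnets, the wired-may-reach-wireless assumption, and all packets are
constructed.
"""
import ipaddress
from dataclasses import dataclass

WIRED = ipaddress.ip_network("192.168.1.0/24")       # constructed wired LAN
WIRELESS = ipaddress.ip_network("192.168.100.0/24")  # constructed wireless LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    opening: bool  # True for a connection-opening packet (a TCP SYN)


def zone(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in WIRED:
        return "wired"
    if addr in WIRELESS:
        return "wireless"
    return "internet"


class SegmentFirewall:
    """Minimal stateful packet inspection between the three zones."""

    def __init__(self):
        self.flows = set()  # (src, sport, dst, dport) of accepted connections

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Stateful part: packets of a tracked connection pass in either
        # direction, which is what lets replies through without their own rule.
        if key in self.flows or reverse in self.flows:
            return "ACCEPT"
        if not pkt.opening:
            return "DROP"  # mid-stream packet with no state: not one of ours
        src, dst = zone(pkt.src), zone(pkt.dst)
        if src == "wireless" and dst == "wired":
            return "DROP"  # the separation the page is after
        if src == "wireless" and dst == "internet":
            self.flows.add(key)
            return "ACCEPT"
        if src == "wired":  # assumption: the staff LAN may open anything
            self.flows.add(key)
            return "ACCEPT"
        return "DROP"  # anything the Internet tries to open toward either segment


def demo():
    """Run a constructed packet sequence and return the verdict for each."""
    fw = SegmentFirewall()
    packets = [
        Packet("192.168.100.23", 51000, "198.51.100.9", 443, True),   # patron -> web site
        Packet("198.51.100.9", 443, "192.168.100.23", 51000, False),  # web site's reply
        Packet("192.168.100.23", 51001, "192.168.1.5", 445, True),    # patron -> wired file server
        Packet("203.0.113.7", 40000, "192.168.1.5", 445, True),       # Internet -> wired
        Packet("203.0.113.7", 40001, "192.168.100.23", 22, False),    # stray packet, no state
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print(demo())  # ['ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'DROP']
```

The second packet is accepted only because the first created state; the last one, which looks like a reply but matches no tracked connection, is dropped. That is the difference between a stateful (SPI) router and a plain address filter, and it is why the page pairs the utility router with the switch rather than relying on NAT alone.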

Security For The Wide Area Network

It is the responsibility of an ISP to conform to norms of acceptable network behavior dictated by providers of wide area network connectivity. If the source of a large-scale denial of service attack is traced back to a machine within an ISP's network, the ISP is expected to cause the attack to stop by cutting off connectivity to that machine. Unacceptable behavior calling for a cut-off of connectivity to the source machine might include distribution of illegal drugs or child pornography, launching of network worm software that attempts to break into remote systems, massive distribution of spam advertisements, and origination of illegally harassing email.

Most WiW public access sites are set up to automatically pass out a temporary and internal IP address to wireless users. As a result, message traffic originating with a wireless user cannot be identified as coming from a particular machine. The Network Address Translation (NAT) function of the wireless access point makes the user machine anonymous. Hence, neither MSLN nor the local library have a way of pinning down which machine or user is responsible for a prohibited activity, and therefore no way to prevent the recurrence of the activity. If compelled to do something, all MSLN can do is close down the entire wireless network segment. This will stop any further activity, for sure. However, there is no assurance that the same user won't come back and resume the same activity when the wireless segment is re-enabled.

What is needed is a way to "de-anonymize" user machines so that any machine violating network acceptable use can be blocked without blocking access by other users.

De-Anonymizing Options

Operating a public access wireless hotspot involves both technical and policy choices. MSL plays a role in both areas. It provides equipment and configuration expertise to deal with the technical considerations. It provides general information about the policy choices so that local library staff and trustees are in a position to make well-informed policy decisions, both initially and as needs and expectations evolve.

In the past, we have focused on configuration choices that bear on the security of the existing wired network, and choices that relate to the relative security of communications between wireless users and the internet. Security of the wired network can generally be enhanced by introducing a network switch and a utility router between the wired network segment and the main premises router, and then attaching the wireless access point to the new switch. Patron security could be enhanced by use of WEP encryption. However, the logistics of use are such that most libraries opt for public disclaimers and running wide open.

However, there is a third and equally important security dimension to be considered: the library's responsibility to its Internet provider and its acceptable use policies. If your ISP is MSLN (Maine School and Library Network), then you should be aware of its concerns in this area.

Everything hinges on anonymity. In a typical wide open installation, the wireless access point assigns temporary internal addresses to wireless users using NAT (Network Address Translation) and DHCP. These addresses are visible only to the access point and are re-used as needed. They cannot be associated with a particular computer or user, either by the library or by MSLN.

If a network worm or a denial of service attack originates with a wireless machine, whether as an intentional act of the user or due to a virus that has infected the user's computer, and if this is detected and reported to UNET, its first obligation is to stop the attack from recurring. In such a case it probably will be easy to trace the attack back to the wireless network at a particular library. However, since wireless machines receive temporary addresses, no one is in a position to be able to exclude just the machine causing the problem. UNET would have to shut down the entire wireless network to meet its obligations to prevent a recurrence of a problem. Moreover, once this has been done there is no clear path to turning Internet access back on, short of changing local procedures to somehow remove anonymity from the equation.

With this in mind, here are the choices available to libraries:

  1. Run wide open until a problem arises, then adopt one of the options below.
  2. Determine the MAC address of each laptop the first time it is used and register it using the MSLN Network Management tool. Disadvantages: Looking up MAC addresses and accurately transcribing them into the NM tool database can be tricky. Some libraries may prefer that the database be local rather than centralized.
  3. Change the SSID (the name of the wireless network) every day and require users to "sign in" in order to get it. User will need to enter the value in a wireless setup screen. Disadvantages: Staff must change name; users must open applet to enter SSID. Frequent users will prefer to not have to change each time. Sign up sheet is only approximate indicator of who was using network when.
  4. Acquire a public/private gateway device such as the D-Link DSA-3100 that supports up to 250 user accounts. Log file tracks username, MAC address, internal IP, time of use, amount of data transferred for current day and 3 previous days. Log can be automatically emailed. Captive Portal forces customizable sign on screen when browser is opened. Access is by username and password. If necessary, discontinue an account to prevent future abuse. Disadvantages: Cost. $500 is typical cost.
  5. Dedicate a computer with two network cards to the role of network access controller using any of a variety of Linux or Windows hotspot management software packages. Disadvantages: Too complex and variable to be deployed by MSL. Appropriate if library has access to networking techie, preferably one with understanding of Linux tools.
  6. Register MAC addresses on the access point. Only machines with a registered MAC address are able to connect. Disadvantages: Users must look up their MAC address, which may be hard for some users and staff members, and will often ask for staff help. Staff must accurately transcribe the MAC address into the table using the access point admin menu. The limit of 40 MAC addresses means that users who may return soon may need to be displaced from the table to make room for the latest user, so deleting old users and then re-entering them will be necessary, which is potentially time consuming and confusing. This would work much better if the limit were not so low.
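Whichever option a library picks, the gateway-log approach of option 4 and the "de-anonymize" requirement stated above come down to the same two records: the NAT device must log which internal socket each public-side port was assigned to, and the DHCP server must log which MAC held each internal address and when. The following is an added example, not the project's tooling and not the log format of the D-Link DSA-3100 or any other gateway, that walks those two records backwards from a complaint: given the library's public address, a source port and a time, it finds the internal address in the NAT log and the MAC in the lease log. Both log formats and every address, port, MAC and timestamp are constructed.

```python
"""Tracing an abuse report back to a wireless client through gateway logs.

Added example, not the project's tooling and not any gateway's real log
format. Log lines, addresses, MACs and times are constructed.
"""
from datetime import datetime, timedelta

# Constructed NAT session log: internal socket -> public socket, destination.
NAT_LOG = """\
2005-03-14 10:02:11 NAT 192.168.100.23:51000 -> 203.0.113.1:40001 dst 198.51.100.9:80
2005-03-14 10:05:40 NAT 192.168.100.41:50112 -> 203.0.113.1:40002 dst 198.51.100.50:25
2005-03-14 10:05:41 NAT 192.168.100.41:50113 -> 203.0.113.1:40003 dst 198.51.100.51:25
"""

# Constructed DHCP lease log: address, MAC, lease length in seconds.
# 192.168.100.41 is handed to a different machine after 11:10, which is
# exactly why the lookup has to be done by time and not by address alone.
DHCP_LOG = """\
2005-03-14 09:30:00 DHCPACK 192.168.100.23 02:00:00:00:00:0a lease 3600
2005-03-14 09:58:00 DHCPACK 192.168.100.41 02:00:00:00:00:1b lease 3600
2005-03-14 11:10:00 DHCPACK 192.168.100.41 02:00:00:00:00:2c lease 3600
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_nat(text: str):
    """Yield {ts, internal, public, dst} for each NAT log line."""
    for line in text.splitlines():
        p = line.split()
        yield {"ts": parse_ts(p[0] + " " + p[1]), "internal": p[3],
               "public": p[5], "dst": p[7]}


def parse_dhcp(text: str):
    """Yield {start, end, ip, mac} for each lease line."""
    for line in text.splitlines():
        p = line.split()
        start = parse_ts(p[0] + " " + p[1])
        yield {"start": start, "end": start + timedelta(seconds=int(p[6])),
               "ip": p[3], "mac": p[4]}


def internal_socket_for(nat_entries, public_socket, when,
                        window=timedelta(minutes=5)):
    """Internal ip:port that was mapped to public_socket closest to `when`.

    Public-side ports are reused, so the match is limited to a time window
    and the nearest translation wins. A complaint without a timestamp, or a
    gateway clock that disagrees with the complainant's, cannot be traced
    reliably; keeping the gateway's clock synchronised is part of the job.
    """
    hits = [e for e in nat_entries
            if e["public"] == public_socket and abs(e["ts"] - when) <= window]
    if not hits:
        return None
    return min(hits, key=lambda e: abs(e["ts"] - when))["internal"]


def mac_for(leases, ip, when):
    """MAC that held `ip` at `when`, or None if no lease covered that moment."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= when < lease["end"]:
            return lease["mac"]
    return None


def trace_report(public_socket, when_str, nat_text=NAT_LOG, dhcp_text=DHCP_LOG):
    """Map (public socket, time) from a complaint to the responsible client."""
    when = parse_ts(when_str)
    internal = internal_socket_for(list(parse_nat(nat_text)), public_socket, when)
    if internal is None:
        return None
    ip = internal.rsplit(":", 1)[0]
    return {"internal_ip": ip, "mac": mac_for(list(parse_dhcp(dhcp_text)), ip, when)}


if __name__ == "__main__":
    # Constructed complaint: mail relay abuse seen from 203.0.113.1:40002 at 10:05:45.
    print(trace_report("203.0.113.1:40002", "2005-03-14 10:05:45"))
    # -> {'internal_ip': '192.168.100.41', 'mac': '02:00:00:00:00:1b'}
```

The MAC that comes out is what can then be removed from a registration table (options 2 and 6) or tied to a gateway account that is discontinued (option 4), so that only the offending machine loses access rather than the whole segment. Without the NAT log the trace stops at the library's public address, which is the situation the page describes; and, as noted under MAC Address Filtering, a MAC identifies a card, not a person, and can be imitated, so it is a basis for blocking rather than proof of who was sitting at the laptop.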