it-wireless

Friday, June 11, 2010

Captive Portal 101

http://en.wikipedia.org/wiki/Captive_portal
The captive portal technique forces an HTTP client on a network to see a special web page (usually for authentication purposes) before using the Internet normally. A captive portal turns a Web browser into an authentication device

.Software captive portals

Air Marshal, software based for Linux platform (commercial)

Amazingports, linux based software with integrated billing and payment implementing
Service Oriented Provisioning, free and commercial

ChilliSpot, open source Linux daemon [abandoned]

CoovaSpot, open source Linux daemon based on ChilliSpot
DNS Redirector, Windows based software solution (commercial)

FirstSpot, Windows based software solution (commercial)

HotSpotPA, open source Linux daemon based on OpenWRT, OpenVPN, and ChilliSpot
m0n0wall, FreeBSD based firewall distribution
PacketFence, Linux based Network Access Control software featuring a captive portal (open source)

pfSense, FreeBSD based firewall software derived from m0n0wall
Sputnik, Software as a service solution (commercial)

Untangle Captive Portal, Firewall featuring Captive Portal

WiFiDog Captive Portal Suite, small C based kernel solution (embeddable)

Wilmagate, C++ based and is executable both in Linux and Windows/Cygwin environments
Zeroshell, Linux based network services distribution

Thursday, July 07, 2005

Getting the ZoneCD configured

This is a guide to getting the ZoneCD configured. During the boot a series of dialog boxes will be presented to gather the required information needed to get the ZoneCD running. You only need to do this one time. After you complete the configuration it will be saved to floppy for the next boot.

Bash dialogs

Tab will change the selected option, field, or button.
Space Bar is used to make a selection from a group of choices
Enter is used to accept the selection and move to the next screen.
This guide is broken down into sections. The relevancy of each section depends on your selections during the boot. E.g., if you select Closed mode during configuration, the Open mode section will not be very helpful.

ZoneCD version 0.6-0 is displayed. Your display may vary.

The Boot
Open Mode
Closed Mode
Static IP Config
Finishing the Boot


The Boot

OK, here we go. This is the boot splash you will see when the CD starts to boot.




During the boot you will see a bunch of messages going by on the screen. If you see a lot or error messages that look like ":I/O error, dev f0:f1 (cloop), sector ..." you probably had a bad download. Sometimes a file will sustain damage during the download. If you see messages like this, you should delete the iso from your computer and get it again.

Otherwise, if you see none of these messages, just be patient and let the CD continue to boot...



If you are using a USB thumb drive to save your configuration then you may see this screen if the drive is not properly formatted or there is an error in the partition table on the disk. Select to have the zonecd automatically partition and format the drive. NOTE: You will lose all existing data on the drive.
This is a sample of normal output from the programs used to format the USB drive.

This is the Preamble to the GNU General Public License. This will only appear when an unconfigured system is booting. Say yes to continue with the configuration.




If you see this message, then you have not put the floppy or USB thumb drive in. Stick the floppy in the drive or plug your USB drive in, and hit "Enter" to continue. The ZoneCD will not boot without configuration media.




This screen shows up every boot. It gives you an opportunity to change your configuration. A bit of advise, pop the floppy out if you want to reconfigure. I always miss it and need to reboot. This dialog will only wait 5 seconds for you to respond. If you select nothing here on the first boot, the ZoneCD will boot in Closed mode with dhcp for your network configuration.




Select the mode you want your ZoneCD to run in. Closed mode requires that you have already created a login in Zone Control. NOTE: Master logins (email addresses) can not be used to boot the ZoneCD.




Select how you want the ZoneCD to run. This has nothing to do with WiFi, NoCat, or anything else. This is an option for the Operating System. Non - Linux geeks will probably be the most comfortable with GUI (Graphical User Interface).

GUI will give you a basic desktop with a web browser. LessX only starts the X server and a single rxvt session, no window manager. This is done because the ZoneCD boots to runlevel 5, without the rxvt session, you get a broken shell(no job control). NoX should be used on headless systems.


Select the way you want to configure the network for the wired side of the ZoneCD box (the wireless side is hard coded 10.10.10.1)



Open Mode

Enter a URL to redirect your users to after they click the button on the splash page. If you do not want your users to be redirected then select "No Redirect" to have them go to their normal homepage after the splash.




In Open mode you need to tell the ZoneCD to enable or disable the content filter.




Once you finish the Open mode configuration, a screen will display the configuration. Just hit Enter.



Closed Mode

Closed mode requires that you have already created a login in Zone Control. This is required to download your configuration and to send/receive updates from the Control server. Enter the login you created for this zone.

NOTE: Master logins (email addresses) can not be used to boot the ZoneCD.




Enter your password. This is a special dialog that will not display what is typed. This will keep the password from being seen.




OOPS! This dialog could be bad. If you don't get a successful authentication the second, or third time (if you have really fat fingers), then there is no Internet access available. Auto configuration probably failed to obtain an IP address for the wired network connection (eth0), or DNS is failing. But before you panic, switch the network cables and reboot. If this continues, hit the forum.




Once you finish the Closed mode configuration, a screen will display the configuration. Just hit Enter.



Static IP Config

Enter an IP address to use for the wired side network connection (AKA eth0).




Enter the subnet mask to use. Unless you have some special network setup, 255.255.255.0 is safe to use.




Enter the IP address of the gateway. In the example, this is the IP address of a router. This is the suggested setup. The ZoneCD box should be connected to a router, not directly to the Internet.




Enter the IP address of the primary nameserver In the example, this is the IP address of a router. You can also use the IP of your ISP's nameserver.




Enter the IP address of the secondary nameserver. This is optional, if you don't have a secondary nameserver, just leave it blank and hit Enter.



Finishing the Boot
Since the zonecd does not install to your hard drive the files system is mounted on a RAM disk. This requires additional RAM (minimum 128MB )to keep the zonecd running smoothly. You can use the next few dialogs to automatically reboot the zonecd to help keep memory resources optimized.
The ZoneCD uses UTC, aka GMT, to synchronize it's activities with the Control Server. To reboot the zonecd at the correct local time to must select your geographic location.
Select your city, or time zone.
Select the time you want the reboot.

After you complete the dialogs, you will see several messages that update you during the configuration and initialization of your setup.




LessX (shown) only starts the X server and a single rxvt session, no window manager. This is done because the ZoneCD boots to runlevel 5, without the rxvt session (NoX) you get a broken shell(no job control).



GUI will start a desktop session that gives you access to a web browser and a few other goodies.
Your Done! HAVE FUN!!
Everything that needs to be running is configured and ready to go... You don't need to do anything. All that's left is setting up your AP. If you haven't already reviewed the setup guide, you can check it out here...

Setting Up the ZoneCD

The LiveCD is built on Debian Linux. It is helpful, but not a requirement, to have basic knowledge of Linux in order to understand this 'how to'.

You will need the following

High-speed Internet connection
A router for network connection to the Internet (not wireless)
Any WiFi compliant wireless router or access point
A few Ethernet cables
Computer with:
An Intel-compatible CPU
Minimum 128 MB RAM.
Bootable CD-ROM drive.
Floppy Drive
2 Network Interface Cards (NIC's)
Login for Zone Control
I have made the setup of the physical gateway unit as simple as humanly possible. The network configuration of the gateway is something that you should be aware of during your hotspot network and gateway setup.

This is one way to setup the network. There are other ways of doing this as well... This is a very simple guide to help those of you without a lot of experience in networking or WiFi

Network Interface Cards
The gateway(ZoneCD) machine needs to have two NIC's or Ethernet cards. You can imagine the "Internet" flowing through one to the other. For clarity we will label the cards Eth0 and Eth1. Eth0 is the network card that connects to the Internet via your router. Eth1 is the network card that connects to your access point(AP) or wireless router.

During boot time the ZoneCD makes a DHCP client request on both cards, this is part of the Knoppix and Morphix boot config. Eth0 can get an IP address assigned via DHCP from your Internet router or it can be configured during boot to get assigned a static ip. Eth1 will not get an IP via DHCP, it will be assigned a static IP address of 10.10.10.1 later during the boot (10.10.10.1 is the IP address of the network gateway for your wireless clients).

DHCP Server
The ZoneCD runs it's own DHCP server. This is very important in the setup of your wireless network. The AP or wireless router must have the DHCP server shutdown! The AP or wireless router must have the DHCP server shutdown! The DHCP server on the ZoneCD will allow up to 100 clients to connect in the range of 10.10.10.100 to 10.10.10.200. You may use 10.10.10.2 to 10.10.10.99 for any hardware on the wireless network segment... namely the AP. Assign the LAN of the AP a static IP in this range. A good example would be to assign the AP's LAN a static IP of 10.10.10.2. Please visit the forum or check other documentation for configuration of additional "un-authenticated" hardware.

Network Connections
Connect the ZoneCD machine(Eth1) to the AP or wireless router using an Ethernet cable. Connect the cable to the AP's LAN port not the WAN port . If you are using a wireless router, pick a LAN port (usually four LAN ports grouped together and a single WAN port) and plug it in. Do not use the WAN port.

Connect the gateway machine(Eth0) to your router that maintains your Internet connection. This router should be running a DHCP server. If not, the ZoneCD must be assigned a static IP address during boot.



Boot-it-up
With the physical network all hooked up, it is now time to bootup and let the ZoneCD do it's thing. During the bootup you will see a lot of Knoppix/Morphix stuff going-on, you really don't need to be concerned with most of what you will see... just let the CD continue to boot. About half way through the boot, you will be asked a few questions and you'll be done! See How to Configure the ZoneCD for help during the boot of the ZoneCD.

Wednesday, July 06, 2005

Using m0n0wall to create a Wireless Captive Portal

How To: Using m0n0wall to create a Wireless Captive Portal

By David Cook – September 29, 2004
Updated 2 October 2004

Introduction

The freedom of wireless networking is now a reality for everybody with a suitably equipped device. At one time too expensive for everything other than corporate use on a business network, Wi-Fi is now mainstream. In many respects, this is due to Intel's extensive marketing of its Centrino brand, launched in mid-March 2003.

Despite concerns over the relative insecurity of WEP encryption, wireless networks are everywhere. The speed increase and value for money offered by 802.11g has only accelerated the take-up, increasingly by home users attracted by being able to network computers together and share broadband Internet connections.

It is not just home users that now want to share access. Taking lead from the big-boys such as Starbucks, Costa Coffee and McDonalds among others, even the small coffee shop and diner owner wants to provide wireless Internet access as a value-added service to their laptop PC and PDA using customers. The D-Link Airspot and SAGEM F@st range of Hotspot Gateways are two of a number of commercial devices that have been developed specifically for this growing market complete with user control, ticket printers and billing.

However there is another more altruistic group of wireless Internet providers such as NYCwireless (New York City), Socal Free Net (San Diego) in the USA and Airwan (Cardiff) and Pier To Pier (Brighton) in the UK. These community projects are driven by people willing to share spare bandwidth on their Internet connections with the public at large for free.

Here though, free is as in 'free beer', rather than free as in 'freedom'. While members of these groups are more than happy for their spare bandwidth to be used, the last thing they want is for their bandwidth to be abused. The functionality in m0n0wall can assist in giving a degree of control over this.

So what is a Captive Portal?

The m0n0wall [reviewed here] implementation of a Captive Portal was introduced in one of the early betas of m0n0wall v1.1 earlier this year. This was largely the work of Dinesh Nair with assistance from Manuel Kasper and the other m0n0wall developers.

Basically, the Captive Portal is a web page that users/clients are forced to visit before they are granted access to the Internet. This web page can have a number of purposes, but primarily it allows you to:

• Notify users of your Acceptable Use Policy (AUP) which they have to agree to before they are granted access to the Internet.
• Tell users anything else relevant to the access they are being granted, ports and services that are restricted, details of sponsors, who they should buy beer for in thanks :-) etc.
Alternatively, the Captive Portal can configured to authenticate users with a UserID and Password against a RADIUS server before they are granted Internet access. RADIUS is a standard protocol for remote user authentication and accounting used in "enterprise" grade networks and by some ISPs.

This has given rise to widespread support for RADIUS by most Unixes and Unix-like operating systems. MS Windows Server also has an implementation called Internet Authentication Services which authenticates against both local accounts and a centralised NT4 Domain or Active Directory.

User Authentication is of more relevance on a private network as a way of controlling access to the Internet. So for this article, I will concentrate on configuring the Captive Portal for unauthenticated access.


Using a Captive Portal to access the Internet

For the purposes of this article, let's imagine a Community Cafe. In the Cafe, there are a number of open access PCs connected to an Ethernet network. The Cafe also provides a wireless network for customers visiting with laptop PCs and other wireless devices.

I'm using the straightforward scenario of a Cafe, but this could just as easily be someone sharing broadband Internet with their immediate neighbours, or a school or other educational institution.

Figure 1 shows a diagram of my hypothetical Cafe network. The Internet connection is some sort of broadband, cable, xDSL etc. and the Cafe network is physically connected by a router on the WAN interface of a m0n0wall firewall (grey).


Figure 1: Community Cafe Network
(click on the image for a larger view)

The m0n0wall firewall has two further interfaces: the LAN interface that connects PCs used in the administration and day-to-day running of the Cafe (green); and the PORTAL interface that connects to a wired Ethernet LAN (in green) and wireless LAN via an access point (in orange) to provide client devices managed access to the Internet.

In running this network for the Cafe we need to:

protect PCs used for running the Cafe (connected on the LAN interface) from both the Internet and clients on the PORTAL interface
protect clients connected on the PORTAL interface from the Internet
control the Internet ports and services clients connected on the PORTAL interface can use
ensure that clients using the Internet first agree to an Acceptable Use Policy before granting access
You'll see that m0n0wall provides all the necessary functionality to meet these requirements.

Connecting the Cafe Admin and Open Access PCs is relatively straightforward. All that's required is a couple of Ethernet hubs or switches—one is connected to the LAN interface of the m0n0wall firewall for the Cafe Admin PCs, the second to the PORTAL interface for the Cafe Open Access PCs and wireless access point.

Customers of the Cafe could then use one of the fixed Open Access PCs provided which would already be configured for using the Internet. Customers with their own notebooks would have to do some simple configuration so they can use the wireless hotspot:

Configure the wireless adapter to be a DHCP client (Obtain IP address automatically)
Select the Captive Portal's SSID to connect
Both groups of customers would find that initially, general access to the Internet would be blocked. To access the Internet, they would need to launch a web browser. When the browser attempts to connect to its Home Page, it will be redirected to the Portal's Terms and Conditions or Acceptable Use Policy on the Portal Page. Internet access will be granted by simply clicking on an "I Accept" or similar button on this page until the alloted connection time expires.

Tip: If we were only providing a wireless hot-spot for customers with laptop PCs etc, the wireless access point could be connected directly to the PORTAL interface of the m0n0wall using a CAT5 cross-over cable in place of a hub/switch and two normal CAT5 cables.

Tip: A managed switch supporting 802.1Q VLANs could be used in place of two unmanaged hubs/switches and separate LAN and PORTAL interfaces. m0n0wall would then only need two physical network interfaces, one for the WAN and another for both the 802.1Q LAN and PORTAL virtual interfaces. See this post from the m0n0wall mailing list for an example.

Setting it all up

We've had a quick look at the structure of a network where the Captive Portal may be useful and how it will allow us to control access to the Internet. Let's now look at the detail of getting it configured and running.

The basics of m0n0wall were covered in my previous article covering v1.0 of the software. If you are new to m0n0wall, this covers hardware installation and getting m0n0wall up and running. The set up process below assumes you already have a version of m0n0wall v1.1 running on either a standalone PC or one of the embedded PC platforms I discussed in my m0n0wall review.

The steps are:

Configure the PORTAL network interface
Configure DHCP to hand out a suitable IP configuration to clients (PCs and other devices)
Configure the Captive Portal itself, connection time-outs etc.
Upload the HTML for the portal page
Step 1: Configure the PORTAL network interface

m0n0wall requires a minimum of two physical network interfaces for the LAN and WAN. You could run the captive portal on the LAN interface, however this would allow anonymous users access to any of your PCs/Servers on the LAN as well as your Internet connection unless you connected those users via a VLAN-capable switch.

A more secure method is to put the Captive Portal on a separate interface in the same way as it is good practice to put Internet-facing servers on a separate interface, normally referred to as a DMZ (demilitarised zone). As I pointed out previously, this has the benefit of letting you establish separate firewall rules for the two classes of users.

m0n0wall handles additional network interfaces as Optional interfaces. In my case, I'm using a PC Engines WRAP, so I have a third physical Ethernet interface that I am going to use for the Captive Portal. As you can see in Figure 2, m0n0wall allows you to rename the interface for ease of identification.


Figure 2: Configuring the PORTAL interface
(click on the image for a larger view)

Note that the network address / subnet used isn't too important as long as it is not the same as your LAN and either:

a private network that meets RFC 1918 (10/8, 172.16/12, 192.168/16), typically a network between 192.168.1.0/24 and 192.168.254.0/24
or
a subnet of public IP addresses assigned by your ISP and routed to your m0n0wall
I used 192.168.11.0/24 (subnet mask 255.255.255.0) which allows 254 valid IP addresses. Of those I have assigned:

192.168.11.1 to the Portal interface of m0n0wall
192.168.11.2 to the wireless AP
To provide wireless access, I am going to use a stand-alone access point instead of trying to use m0n0wall's built-in wireless support. This lets us use any off-the-shelf access point instead of limiting us to the relatively small set of WLAN chipsets supported by m0n0wall (and FreeBSD). It also frees us from having to use a mini-PCI WLAN card with either the Soekris or PCEngines WRAP embedded platforms or having to add a PC Card / CardBus adapter so that we can use a CardBus WLAN card with a desktop.

I used a BuffaloTech WLA-G54C-1 G54 Compact Access Point while writing this article. It's relatively inexpensive (I paid around $74) and supports both 802.11b and 802.11g standards. For more details, please have a look at Tim Higgins' review. Since I didn't have a cross-over cable handy, I simply plugged the Portal interface of the WRAP and the AP into a 10mbps hub.

I won't be covering the configuration of the AP itself in this article, since that's adequately covered by your AP's user manual and there is nothing in particular that needs to be set for use with the m0n0wall Captive Portal.

Step 2: Configure DHCP

The next step is to configure DHCP on the PORTAL interface to allow Captive Portal users to automatically pick up their IP configuration when they connect. Here you need to allocate a range of IP addresses which will be leased. Figure 3 shows that I allocated 192.168.11.101 to 192.168.11.150, effectively restricting the captive portal to 50 concurrent users. You also need to enable the DHCP server on the PORTAL interface using the 'check-box' at the top of the screen.


Figure 3: Portal Interface DHCP configuration
(click on the image for a larger view)

As I am not expecting lots of users, I have left the DHCP lease times at their default settings. On a busy Captive Portal with many users you may want to set the lease time similar to the hard timeout.

Step 3: Configure the Captive Portal

Now we need to configure the Captive Portal itself. Figure 4 shows there are three tabs for this: Captive Portal; Pass-though MAC; and Allowed IP Addresses.

The first thing to do is choose the interface to run the Captive Portal on. You can see I've chosen the optional interface, PORTAL, that I previously configured. Next are the timeouts—idle and hard—that disconnect a client from the portal. The timeouts are just a tidying-up process, since in our no-authentication setup, clients are able to immediately reconnect to gain access to the Internet. The idle timeout disconnects a client after the defined period of network inactivity and the hard timeout forces client disconnection after the programmed period from the start of the current connection.


Figure 4: Captive Portal Configuration
(click on the image for a larger view)

The Logout popup window checkbox controls whether a popup window with a logout button comes up when clients are first allowed through the portal. It allows clients to manually disconnect themselves before the timeouts occur.


Figure 5: Captive Portal Logout Popup

The RADIUS server and Authentication error page areas are used to configure the Portal to authenticate users with a username and password before they are granted access. These aren't relevant for enabling open access, so I won't cover them here.

Step 4: Create the Captive Portal Page

This brings us to the Portal page contents. The Portal page is displayed when a client first attempts to connect through the Portal. Access to the Internet is blocked until the user brings up a web browser and clicks the Submit button on the webpage that will appear. Clicking the Submit button indicates that they have read and understood the contents of the page. The user is then allowed access to the Internet via the Portal, still restricted by any firewall rules that may be in place until either the idle or hard timeout is reached.

The Portal page contents are customisable and you can upload any valid HTML from a file as long as it contains the following form HTML





Note that while the example above shows the value of the submit button to be "I Agree", it can be anything you like. Typically the Portal page would contain information regarding any restrictions in place and an Acceptable Use Policy (AUP).

You might notice that there is no way of uploading content files such as images to m0n0wall for the Portal page. As discussed in the previous article, m0n0wall is designed to run completely from RAM so images, Flash objects, etc. would quickly start eating into available memory. You can, however, host content files elsewhere, such as a webserver on the LAN interface or on the Internet and reference them in your uploaded Portal Page contents HTML. These can be added using HTML syntax like:



This on its own isn't enough, however, since m0n0wall will block access to the webserver until the Submit button on the Portal page has been clicked! This would also be the case if you had whole websites that you would want Portal clients to be able to access before they were granted free access to the Internet. This could be an FAQ about the Portal service itself, or the websites of sponsors and advertisers.

Fortunately, the Allowed IP Addresses feature allows you to unblock access to specific IP addresses that clients can freely access without being required to pass through the Portal page. This functions in two ways.

To IP addresses - allowing access to remote websites and such
From IP addresses - which could be used to allow known clients with statically configured IP access to the Internet
Updated 2 October 2004
Figure 6 shows that I have allowed access to my webserver on the LAN for the Portal page images and to two other Internet websites that I am promoting on the Portal page. Configuring access to websites with IP addresses, rather than their DNS name, can cause problems if the sites move IP addresses frequently or like www.tomshardware.com, have multiple IP addresses which would all have to be configured separately.

The final entry is in the opposite direction, allowing my wireless access point to addresses beyond the Captive Portal. This is so that I can use its web adminstration from the LAN network, without this reponses to my connection attempts from the LAN network would be blocked by the Captive Portal.


Figure 6: Captive Portal - Allowed IP Addresses
(click on the image for a larger view)


Access to known clients can also be granted by MAC address using the Pass-through MAC page. This is a better method than static IP addresses, as it allows the client to still pick up their IP configuration by DHCP.

As an example, my finished Portal page is shown in Figure 7. It is not going to win any prizes for website design, but all the basic elements are there. The Acceptable Use Policy (AUP) was created by amending the AUP in place at www.piertopier.net. If you want to use it as a starting point it downloadable here as a text file, and the page HTML here.


Figure 7: Finished Portal Page
(click on the image for a larger view)

Captive Portal Management

Once the Captive Portal is set up, there is little to do in the way of ongoing management. You can keep an eye on how many clients and who have connected via the Status -> Captive Portal page. You can also forcibly disconnect clients, though there is no way of permanently barring them from the Portal.


Figure 8: Captive Portal Status
(click on the image for a larger view)

If you really had a problem client, you could attempt to stop them from using the Portal by statically allocating an IP address to their MAC address and then blocking this IP address with a firewall rule. Not elegant, but it could work with someone with little technical knowledge. However, this is easily circumvented by somebody either manually configuring a valid static IP in the same range and connecting with that, or 'spooifng' the MAC address of their wireless interface so they appeared to the portal to be another client, something relatively simple to do under MS Windows 2000 and XP.

Security

Something you have to pay attention to when allowing unknown clients access to your networks and Internet connection is security. m0n0wall is relatively secure by default, however there are a few things to consider:

Don't allow the portal subnet access to ANY in a firewall rule
Using ANY will grant access to all networks connected to the firewall, including the network on your LAN interface and any other optional interfaces.
Block direct access to your PORTAL interface IP address and your WAN interface IP address from your portal network
This will prevent Portal clients from being able to access the m0n0wall administration GUI.
Block access to SMTP (port 25) from the Portal network
Since most people have access to web mail, this will prevent users from intentionally (Spammers) or unintentionally (those inadvertently infected with Viruses, Trojans and Worms) sending out bulk email from your Internet connection.
Limit the bandwidth available to your portal network with Traffic Shaping
If you are using your Internet connection for other purposes than the Captive Portal—providing Internet access to your LAN for example—limit the bandwidth available to your Portal network with m0n0wall's Traffic Shaping features. This will prevent clients on the portal network from using all available bandwidth.
Figure 9 shows the firewall rules I placed on the PORTAL interface that adequately protect my network while still allowing fairly free access to the Internet for the portal clients. The first three rules block all NetBIOS traffic—an essential practice on all Internet-facing connections. These are followed by a rule blocking all outbound SMTP (Port 25) connections.


Figure 9: m0n0wall Firewall Rules on the PORTAL interface
(click on the image for a larger view)

The fifth rule down blocks HTTP connections to the PORTAL interface itself (m0n0wall will allow Web Admin on all interfaces if firewall rules allow). This is followed by a similar rule that blocks HTTP connections to the small subnet between the WAN interface of the firewall and the inside interface of my DSL router, again stopping Web Admin access on both the m0n0wall and my DSL router.

Second to last is a rule that allows access to my LAN, but only for HTTP to a server (HOMER) that hosts the images for the portal page. The last rule allows any connection (if not previously blocked) to anywhere other than the LAN network.

Tip: Blocking SMTP on a Captive Portal has been the subject of discussion on the m0n0wall mailing lists in recent weeks. While some see it as protecting the network they are providing from being used for spamming, others see it as being at odds with providing free, unrestricted access to the Internet.

Dana Spiegel, director of the community-based organization NYCwireless, has stated: "NYCwireless has a totally unrestricted network where we've never seen a spammer send out millions of spam messages".

One approach suggested is to severely limit the bandwidth available for SMTP mail to discourage anyone from sending bulk email. In the end, it is the decision of whoever provides the Portal / HotSpot and what they are comfortable with.

Conclusion

I have shown how m0n0wall v1.1 can be used to allow free, but controlled, access to the Internet. Like m0n0wall in general, the implementation is relatively simple but very flexible, as one user pointed out when I was researching this article:

"What I like is that you can build a wireless DMZ using completely different types of APs (wireless access points) and it doesn't make a difference because the m0n0wall is doing all of the authentication and firewalling. So really those APs become nothing more then dumb bridges."
In the true spirit of a Open Source project, the m0n0wall Captive Portal doesn't provide any functionality for metering and billing the Captive Portal clients. If you want these features, you'll have to look to commercial products.

The main potential difficulty of providing 'open access' is the inability to permanently prevent a persistent abuser connecting to the Captive Portal. This is not a limitation particular to the m0n0wall implementation, just of the anonymous way you are allowing clients to connect and the relative ease of pretending to be somebody different with a simple change of MAC address.

The most common abuse is going to be the persistent 'bandwidth hogger'. This should be relatively easy to control with a combination of sensible firewall rules, blocking bandwidth-intensive services such as peer-to-peer networks, and controlling the amount of bandwidth in use with m0n0wall's Traffic Shaping feature. So I'll show you how to use m0n0wall's very powerful Traffic Shaping capability in my next article.







Copyright © Tom's Guides Publishing LLC 1996 - 2005 and printed from TomsNetworking
http://www.tomsnetworking.com/
All rights reserved.
It is illegal to copy or redistribute this information in any way without the expressed written consent of Tom's Guides Publishing.

Please use the Content Permission Form (http://www.tomshardware.com/site/submission/content.html) for such requests.

Thursday, February 10, 2005

Wireless pentest - crack WEP

Based on recent mails regarding articles found here for wireless pentesting. Using all the tools desribed here requires capturinginteresting packets (unique RC4 IV) in a packet capture.http://www.securityfocus.com/infocus/1814

The problem relates to creating traffic on a wireless network in caseyou dont find a lot of traffic for a good capture. Is there any wayyou can create traffic on a WEP network without knowing- the IP Address (address range) the Access Point and wireless clientsare using- the WEP key being used (makes sense - that is why you are running a WEP crack)

IP Address of gateway: Use Ettercap
Create Traffic- ICMP Ping Flood Tool
WEP Key being used: Aircrak or Snort

Hope that helps, collecting enough WEP IV's in aircrack can take sometime, you will need approx. 200k-500l; depending on the amount oftraffic is on the network, that is where the ICMP ping flood toolcomes in. Aircrack will crack the WEP key in a few seconds, if youtell it how long the WEP key is, it will do it faster, otherwise youwill need to wait a few more seconds

Sunday, January 30, 2005

Open vs shared key authentication

Associating with the AP

Access points have two ways of initiating communication with a client Shared Key or Open Key authentication.
Open key allows anyone to start a conversation with the AP.
Shared Key is supposed to add an extra layer of security by requiring authentication info as soon as one associates.

How Shared Key Auth. works

Client begins by sending an association request to the AP AP responds with a challenge text (unencrypted) Client, using the proper WEP key, encrypts text and sends it back to the AP If properly encrypted, AP allows communication with the client.

Is Open or Shared Key more secure?
Ironically enough, Open key is the answer in short Using passive sniffing, one can gather 2 of the three variables needed in Shared Key authentication: challenge text and the encrypted challenge text
Simply plugging these two values into the RC4 equations will yield the WEP key!

Wednesday, September 15, 2004

Wireless Security FAQ
Providing mobile IT pros with remote access to all business apps may put a company's vital information at risk. Read Security in the Wireless Revolution to find out about today’s available wireless systems and the type of security you need to avoid costly and dangerous security concerns.
Going wireless is a big step, and maintaining wireless security is an ongoing process. So it's little surprise that IT pros have so many questions about wireless technology. We've gathered some of those most frequently asked and invited our wireless expert, Brien Posey, to answer them. The FAQ list will be constantly evolving, so you're invited to send us other questions you may have. Just mail them to us or post them in the discussion area at the end of this FAQ.
Table of contents
Is it true that WEP can be easily hacked?.............................................................................................2
Can a Pringles can be used as an antenna by hackers?......................................................................2
Can a VPN ensure wireless privacy?....................................................................................................2
If WEP encryption is so insecure, then why does 802.1x rely on it?.....................................................2
Is it true that wireless network users are themselves vulnerable to security breaches even when connected to a corporate LAN via a wireless VPN connection?...........................................................2
Is it safe not to tunnel traffic that is ultimately destined for the Internet?...............................................3
How can a wireless workstation be subject to buffer overflow attacks?................................................3
How does public key security work?......................................................................................................3
Can a hacker attack an access point?...................................................................................................3
Is SSID broadcasting a security threat?................................................................................................4
Does MAC filtering work as a security measure?..................................................................................4
Is DHCP a security threat?....................................................................................................................4
Is signal jamming a security issue?.......................................................................................................4
Can adjusting the signal strength help secure a wireless network?......................................................4
If I have implemented all of the standard security mechanisms, can I guarantee network security?...4
Should I use SNMP to manage my wireless network?..........................................................................5
I can’t adjust the power level on my access point, and the antenna is not removable. Is there any way to help to prevent the signal from leaving the building?........................................................................5
How can I audit a wireless network?.....................................................................................................5
How can I detect rogue access points on my wireless network?..........................................................5
Page 1 Copyright ©2004 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html. Wireless Security FAQ
Is it true that WEP can be easily hacked?
Anyone with a laptop and a wireless network card can sniff encrypted packets as they flow across a wireless network. Depending on the content and structure of captured packets, a hacker simply needs to capture anywhere from 100 MB to 1 GB worth of packets. Such a sampling size guarantees that the hacker will have all of the information he needs to break the WEP encryption. Once the necessary volume of data has been captured, the hacker can simply run a freeware utility against the captured packets to derive the WEP key.
Can a Pringles can be used as an antenna by hackers?
Yes. Although a typical wireless NIC has a range of 100 to 300 feet, faint radio signals are transmitted far beyond the network’s operational area. By investing about ten dollars for a few parts from Radio Shack and for a can of Pringles, you can easily build an antenna that can intercept a signal from as far as 10 miles away (assuming that there is a clear line of sight). Other industrial-strength antennas can intercept a signal from even further away.
Can a VPN ensure wireless privacy?
Setting up a VPN greatly enhances the privacy of a wireless network, especially when used in conjunction to WPA or WEP encryption. If you are considering implementing a wireless VPN though, there are a couple of issues that you need to consider. First, if the wireless signal drops for a second, users' connections will be terminated, and they will have to reestablish their VPN connections. Second, a wireless VPN offers no protection against rogue access points. Third, a wireless VPN doesn’t provide wireless users the same seamless network access as wired users have since they will usually have a separate login for the VPN connection.
If WEP encryption is so insecure, then why does 802.1x rely on it?
802.1x by itself is not secure. 802.1x only becomes secure when combined with the Extensible Authentication Protocol (EAP). EAP makes it possible to securely distribute WEP keys. Rather than relying on static WEP keys, the 802.1x and EAP combination allow each session to have a unique WEP key. Additionally, WEP keys automatically expire every ten minutes. Since each session is frequently rekeyed, it makes it impossible for a hacker to collect the necessary volume of packets between key changes.
Is it true that wireless network users are themselves vulnerable to security breaches even when connected to a corporate LAN via a wireless VPN connection?
Yes, there are three primary ways in which wireless users are at risk. First, if volumes or folders on the users' machines are shared, it is possible for other users within the subnet to access the contents of those shares. Second, someone on the same subnet as the user could perform a buffer overflow attack against the user. Finally, not all traffic is routed over the VPN. Traffic related to Internet usage is routed over the Internet. This traffic is subject to capture through the usual methods.
Page 2 Copyright ©2004 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html. Wireless Security FAQ
If I have never shared any files or folders on my hard disk, is my information still vulnerable to compromise while I am using a wireless connection?
Yes. Even if you never create a share point, Windows has a few shares of its own. There is a share called Admin$ and another share for each hard drive (C$, D$, etc.). You can’t disable these shares because Windows depends on them. To prevent these shares from being exploited, make sure that the system is running a personal firewall. Also change the local Administrator’s username and password to further reduce the chances of these shares being exploited.
Is it safe not to tunnel traffic that is ultimately destined for the Internet?
When a wireless user is connected to the corporate network via a VPN link, it may seem that since traffic destined for the Internet must be first routed through the corporate network that it will pass through the VPN. However, this isn’t always the case. VPN tunnels can become congested rather easily. To conserve bandwidth, some VPN implementations transmit traffic destined for the Internet over the wireless network but outside of the VPN tunnel. This means that Internet traffic is unencrypted. This shouldn’t be a problem since nothing sensitive should be flowing across the Internet. However, some users use the same password for Web sites as they use for access to the corporate network. If such a site doesn’t encrypt passwords, it might be possible for someone to steal a password and use it to gain access to the corporate network.
How can a wireless workstation be subject to buffer overflow attacks?
Unless a workstation is running a personal firewall, other machines on the same subnet as the workstation can communicate with the system across all TCP and UDP ports. The corporate firewall only blocks malicious traffic from the outside world; it does nothing to prevent attacks from within.
How does public key security work?
The basic idea behind public key security is that every user has two mathematical encryption keys, a public key and a private key. A user’s public key is accessible to anyone, but the private key is accessible only to the user. When someone needs to encrypt traffic before sending it to a specific user, the encryption process begins by downloading the user’s public key. The public key is used to encrypt the packets, but is useless for decrypting it. The packets can only be decrypted by the corresponding private key, which is only held by the recipient.
Can a hacker attack an access point?
Absolutely. Almost all access points ship from the factory set to use either 192.168.0.0 or 192.168.1.1 as their IP address. Furthermore, the default login credentials are usually Administrator or Admin and "PASSWORD" or a blank password. Of course, the credentials vary among brands of access points, but it is very easy to perform a simple query against an access point to find out its make and model. From there, it’s simply a matter of looking up the default login credentials on the manufacturer’s Web site. Unless the default password has been changed, the attacker will be able to gain full control over the access point.
Page 3 Copyright ©2004 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html. Wireless Security FAQ
Is SSID broadcasting a security threat?
Have you ever tried to connect to your wireless network only to have a neighbor’s network show up on the list of available wireless networks? The reason your neighbor’s network displayed as an available choice is because SSID broadcasting was enabled. SSID broadcasting causes the wireless access point to tell all available clients the name of the network. If SSID broadcasting is disabled, hackers can still hack the network, but they will have to figure out what the SSID is rather than having it handed to them.
Does MAC filtering work as a security measure?
Many access points allow you to enable MAC filtering so that only clients with specific MAC addresses can connect to the wireless network. MAC filtering works to an extent as a security measure, however, it is fairly easy to spoof a MAC address. You can make it a bit harder by enabling MAC filtering. That way, before a hacker can spoof a MAC address, he must first figure out which MAC addresses are authorized to use the wireless network, which can be done by sniffing packets. So, while MAC filtering will protect you against less skilled hackers, it won’t stop a really determined one. It will only slow him down.
Is DHCP a security threat?
Almost all access points have DHCP (Dynamic Host Configuration Protocol) enabled by default so that they will automatically hand out IP addresses to any workstation that connects to them. In a way, DHCP is an indirect security issue because you are simply handing a hacker an IP address related to your network. On the other hand though, most access points will not issue an IP address until a station’s WEP (Wired Equivalent Privacy) pass phrase has been verified.
Is signal jamming a security issue?
While there have been a few reports of signal jamming being used as a denial of service attack, signal jamming often comes from other sources. 802.11B networks operate in the 2.4-GHz frequency range. This is the same frequency range used by many cordless phones. It is possible for a wireless network signal to be disrupted by a cordless phone, a microwave oven, or another wireless network. In the past, one solution was to upgrade to a wireless network that used the 5.8-GHz frequency range. However, cordless phones now exist that operate on the 5.8-GHz frequency. Further, the signal from a 5.8-GHz network has a tougher time penetrating walls than the signal from a 2.4-GHz network.
Can adjusting the signal strength help secure a wireless network?
When you install a wireless network, it’s tempting to use a big antenna and the highest available transmitting power so that everyone gets a great signal. However, it’s often better to turn down the power in an effort to prevent the signal from leaving the premises. After all, you don’t want people in the parking lot snooping on you.
If I have implemented all of the standard security mechanisms, can I guarantee network security?
Although it’s relatively safe to assume that the network will be secure, it’s important to put your security to the test through penetration testing. Penetration testing is basically hacking your own network to see if vulnerabilities exist.
Page 4 Copyright ©2004 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html. Wireless Security FAQ
Should I use SNMP to manage my wireless network?
SNMP is a double-edged sword. If an access point supports SNMP, then you will be able to manage it in the same way that you would manage any other SNMP-enabled device. At the same time though, if your access point were to be hacked, then the hacker could use SNMP to gain all sorts of information about your network. I recommend disabling SNMP on your access point unless you really need it.
I can’t adjust the power level on my access point, and the antenna is not removable. Is there any way to help to prevent the signal from leaving the building?
Place the access point near the middle of the facility. Avoid having it near a window at all costs and try not to place it near an exterior wall.
How can I audit a wireless network?
You would audit a wireless network in the same way that you audit any other network. The exception is that many access points also compile logs of which stations have connected to them and when. If your access point offers such a feature, then I recommend taking a quick look at the logs at least once a day.
How can I detect rogue access points on my wireless network?
There are a number of free utilities available, such as NetStumbler and WaveRunner, that will scan for wireless devices for you. You can also use commercial products such as RogueWatch that offer more features.
Page 5 Copyright ©2004 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html.
TechRepublic books and CDs:
Wireless Networking Survival Guide
802.11 Wireless Networking Resource Guide
Downloads:
Wireless Equipment Checkout Tool
Wireless policy template
Articles and columns:
At last, real wireless LAN security
VPNs are good but not perfect
Final step in security audit process
How to troubleshoot your wireless network
Related TechRepublic resources:
Page 6 Copyright ©2004 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html.
TechRepublic communities engage IT professionals in the ultimate peer-to-peer experience, providing actionable information, tools, and services to help members get their jobs done. TechRepublic serves the needs of the professionals representing all segments of the IT industry, offering information and tools for IT decision support and professional advice by job function.
CIO Republic: Get analysis and insight on e-business, leadership, executive careers, business strategy, and technology.
IT Manager Republic: Access technology insights, project and personnel management tips, and training resources.
NetAdmin Republic: Get tips on Windows, NetWare and Linux/UNIX administration, infrastructure design, and network security.
Support Republic: Obtain detailed solutions to desktop hardware, software, and end-user support problems.
IT Consultant Republic: Find information and advice on client and vendor relations, project management, and technology.
TechRepublic site features
Free e-newsletters: Keep up-to-date on any aspect of the IT industry with e-newsletters—from tech stocks to daily software tips, from IT careers to hot trends—delivered right to your e-mail Inbox.
Free downloads: We've collected resources to make your job easier, including ready-to-use IT forms and templates, checklists, tools, executables, Gartner product analyses, and white papers.
TechRepublic's books and CDs: Find the latest books and CDs about today's critical IT topics, including PC troubleshooting, VPN, TCP/IP, Windows client and server issues, and Cisco administration.
Discussion center: Open a discussion thread on any article or column or jump into preselected topics: career, technology, management, and miscellaneous. The fully searchable Discussion Center brings you the hottest discussions and threads and allows you to sort them by topic and by republic.
Try our premium subscription product, TechProGuild, free for 30 days. Our online IT community provides real-world solutions and the latest articles, resources, and discussions affecting frontline IT pros. Get access to more than 250 full-text IT books, along with exclusive downloads and in-depth articles on network and system administration, PC troubleshooting, help desk and support issues, and more.
TechRepublic:
The collective voice of IT professionals
Page 7 Copyright ©2004 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html.

Saturday, September 04, 2004

802.11i, WPA, RSN and What it all Means to Wi-Fi Security

802.11i, WPA, RSN and What it all Means to Wi-Fi Security

In the Beginning: 802.11i The long-anticipated 802.11i specification for wireless LAN security was finally ratified by the IEEE in June 2004. It had been in the works for years. Unlike 802.11a, b and g specifications, all of which define physical layer issues, 802.11i defines a security mechanism that operates between the Media Access Control (MAC) sublayer and the Network layer. The new spec offers significant improvements over the old standard, Wired Equivalent Privacy (WEP). The specifications were developed by the IEEE’s TGi task group, headed by David Halasz of Cisco. However, during 802.11i’s long, long gestation period, WPA emerged as an interim solution. WPA Wi-Fi Protected Access (WPA) was created by the Wi-Fi Alliance in 2002 – in part out of impatience with the slow-moving 802.11i standard. The industry consortium’s consensus was that an alternative to WEP was needed quickly, and WPA was the result. To avoid multiple “standards” and conflicts later on, WPA was designed from the get-go to be compatible with 802.11i and was based on its early draft specifications. This sets WPA apart from a number of proprietary Wireless LAN security solutions that were developed by Proxim, Funk and other vendors. WPA provides several security advantages. First, it uses a stronger key management scheme, by implementing the Temporal Key Integrity Protocol (TKIP). TKIP creates encryption values that are mathematically derived from a master key, and changes these encryption keys and IV values automatically (and transparently to the user) so to prevent key stream reuse. This is important because WEP keys have to be changed manually, and this can be an administrative hassle, leading to administrators not changing the keys often enough (or not at all). TKIP also uses a Message Integrity Code called Michael that uses a 64 bit key. The integrity checker is designed to block forged messages. There are two methods for generating the master key, and WPA operates in two different modes, depending on whether pre-shared keys are used or a central authentication server is available. For home users, WPA offers easy setup (one big problem with WEP was that many users found it too difficult or confusing to set up and manage, so they didn’t). Authentication is based on the Extensible Authentication Protocol (EAP) and can use pre-shared keys that make it simple to configure on the WAP and clients in small network settings: you manually enter a password, and then TKIP does its thing, automatically changing the keys periodically. This is called PSK (for PreShared Key) mode. Tip: It is recommended that when using PSK mode, you should set a password with at least 20 characters. At the large network level, operating in Enterprise mode, WPA supports RADIUS so that users can be authenticated through a centralized server. WPA 802.1x authentication methods include EAP-TLS, EAP-TTLS, EAP-LEAP, EAP-PEAP and other implementations of EAP. WPA uses the same encryption algorithm for encrypting data that WEP uses: the RC-4 cipher stream algorithm. However, TKIP uses a 48 bit initialization vector, as opposed to the weaker 24 bit IV used by WEP. The Wi-Fi Alliance started certifying WPA-capable wireless equipment in April 2003. You can find a list of certified products on the Wi-Fi Alliance Web site at http://www.wi-fi.org/OpenSection/certified_products.asp?TID=2. To use WPA, older WAPs must have a firmware upgrade applied. Some WAPs can support both WEP and WPA clients simultaneously. The client computer’s operating system and wireless network adapter must support WPA. The Windows WPA client is available from Microsoft for Windows XP (with SP1) and Server 2003 systems. The WPA update is included in the Wireless update rollup package for XP (See http://support.microsoft.com/default.aspx?kbid=826942). You can download the WPA patch for XP Professional and Home at http://www.microsoft.com/downloads/details.aspx?FamilyID=009D8425-CE2B-47A4-ABEC-274845DC9E91&displaylang=en. After you install the update and reboot, there will be new dialog boxes added to the Network configuration window, for configuring WPA. Note: If you’re using an operating system other than XP/2003, you must install a third party client program called a supplicant, such as the one available from Funk Software (www.funk.com). You may need to get updated drivers for your wireless network card from the NIC vendor. For step-by-step instructions on upgrading your WAP and network card, see http://www.pcmag.com/print_article/0,3048,a=107756,00.asp. RSN Another element of the 802.11i is Robust Security Network (RSN), which dynamically negotiates the authentication and encryption algorithms to be used for communications between WAPs and wireless clients. This means that as new threats are discovered, new algorithms can be added. RSN uses the Advanced Encryption Standard (AES), along with 802.1x and EAP. The security protocol that RSN builds on AES is called the Counter Mode CBC MAC Protocol (CCMP). AES supports key lengths up to 256 bits, but is not compatible with older hardware. However, there is a specification designed to allow RSN and WEP to coexist on the same wireless LAN; it’s called Transitional Security Network or TSN. It’s important to note, however, that a WLAN on which some devices are still using WEP is not optimally secured. Tip: Current handheld devices (Pocket PCs and Palms) don’t have enough processing power to support AES, so WPA is the best security choice if you have users who store and transmit sensitive data via handhelds. A WPA/802.1x client for Pocket PC 2002/2003 and Palm is available from Meetinghouse (http://www.mtghouse.com/company/index.shtml). Tying it All Together 802.11i takes WPA a step further. For one thing, it requires the use of AES. The good news is that AES meets government security criteria and provides stronger encryption than WPA/TKIP. The bad news is that AES has to have its own coprocessor, which means older existing wireless hardware can’t just be upgraded via software as with the transition to WPA; instead, it will have to be replaced. Hardware purchased in late 2003 and 2004 may be upgradeable via software or firmware to support 802.11i. Now that the specification has been ratified, new equipment that supports AES out of the box should soon become available. In addition, 802.11i will encrypt the whole data frame with AES. In WEP and WPA, the RC4 cipher encrypts the data payload only. The Wi-Fi Alliance refers to the new 802.11i standard as WPA2. Despite the potential costs of implementing it, the new wireless security standard is welcomed by most in the industry as the next, and necessary, step in protecting data that is transmitted over the airwaves. However, those with a large investment in existing hardware this isn’t compliant with AES/802.11i might find it more cost effective to implement WPA at present and transition to 802.11i more slowly.

Wireless LAN security glossary

Wireless LAN security glossary
(1)WEP weak=static key+short IV 24bit reused+ weak RC4 implement.

(2)WPA=TKIP+802.1x(EAP)+MIC

(3)WPA subset of = 802.11i(AES encryption).

(4)802.1X is based on EAP which encompassess many types; like TLS,LEAP,SecureID,MD5, PEAP,SIM,TTLS. It has mutual authentication and key mtg. It is a authentication framework which requires 3 entities -wireless client, AP and radius.

(7) Cisco Wireless Security suite = 802.1X+LEAP+TKIP
i.e.

(i) 802.1X = mutual authentication + key mtg, but didn't specify any authentication algorithm.

(ii) LEAP =user-based authentication+dynamic WEP keys

(iii)TKIP=MIC+per packet keying+dynamic key rotation for broadcast and multicast.
MIC= for frames authenticity.
Per-packet Keying= each frame with unique WEP key
RC4 stream cipher, dynamic key encryption, 48bit IV. It uses diff key to encrypt each wireless packet.

Wireless LAN security glossary

802.1X IEEE 802.11 standard for authentication, which supports multiple authentication modes, including RADIUS, that can be used in wireless and wireline networks.

802.11i IEEE standards group effort that involves “fixing” perceived weakness in 802.1X and WEP (see below).

LEAP Lightweight Extensible Authentication Protocol, which includes Cisco’s proprietary extensions to 802.1X to share authentication data between Cisco Aironet wireless LAN access points and the Cisco Secure Access Control Server.

PEAP Protected Extensible Authentication Protocol, which was developed by Microsoft, Cisco and RSA Security, is now an IETF draft standard. PEAP encrypts authentication data using a tunneling method.

TKIP Temporal Key Integrity Protocol, which was developed by the IEEE 802.11i standards committee as a WEP improvement.

TTLS Tunneled Transport Layer Security, which was developed by Funk Software and Certicom, now is an IETF draft standard. It is an alternative to PEAP.

WEP Wired Equivalent Privacy, a wireless encryption standard, which was developed by the IEEE 802.11 standards committee.