Friday, December 11, 2009

Security in a Community Wireless Network

One of the inherent features of wireless technology is that the RF signals don't stop at your walls. From an enterprise perspective, this is viewed as a weakness. However, from a community wireless networking perspective, this is viewed as our primary advantage and benefit. RF signals know no boundaries. We can't see them, but they're everywhere. This also means that the wireless network that provides bandwidth to users in a community carries some inherent security risks that need to be considered.

Every Computer Needs to Be Protected

Firewalls placed between the DSL/Cable connection and the community wireless network can be configured to block typical attacks coming from the “outside world.” For example, the wireless network can be protected from port scanning, worm attacks, and other malicious activity coming from the Internet by enabling a firewall at the point of entry of the DSL/Cable connection.

However, computers inside the wireless cloud are all still visible to each other. It's as if they are all plugged into the same hub and operating on the same network. If a computer has an IP address, it is "visible" to the other computers in the same wireless network. Therefore, each and every computer needs to protect itself with a host-based firewall. Windows XP (enabled by default from Service Pack 2 onward) and all Linux/Unix flavors have this functionality built in. Other operating systems can add it using third-party applications such as Zone Alarm or Norton (Symantec) Personal Firewall.
Even if you "trust" all of your neighbors, you simply never know when an attacker will come driving through your neighborhood and will be unable to resist the temptation to sniff the traffic and start probing visible machines on the network. Installing a personal firewall will limit your exposure to these kinds of attacks. Most consumer-grade APs include firewall functionality; however, it is important to note that this firewall sits between the WAN port and all the LAN/wireless devices. In other words, most APs treat the LAN (typically a four-port switch) as if it is on the same subnet as the computers connected wirelessly. The firewall does not protect the LAN computers from attacks generated on the wireless segment, nor does it protect wireless devices from attacks generated by other wireless devices. In most cases, the AP simply considers the LAN and wireless segments to be "trusted." Some APs offer a "client isolation" (sometimes called "AP isolation") option that stops wireless clients from talking to each other; where it exists it is worth enabling, but it does not cover the wired LAN ports and it is not a substitute for a host firewall. This is another reason why each computer on your network should have its own host-based firewall: to protect itself from other, unauthorized devices on the same segment.
In addition to installing a firewall, it is always good security practice to make sure your computer's system patches are up-to-date. Further, you should run anti-virus and anti-spyware applications and keep their definition files updated. These steps will help protect your system against virus and worm attacks that a firewall alone will not stop (for example, malware that arrives by e-mail or through a browser).
Wireless users need to be concerned about any user who is in range of their Access Points. However, the common misconception is that this threat is limited to nefarious individuals lurking in the parking lot. In reality, the threat is much greater, as wireless signals could potentially be intercepted (or injected) from miles away. With line of sight and the right equipment (a high-gain directional antenna and an amplifier), it is possible for an attacker to pick up wireless signals 20 to 25 miles away, at least at the lowest data rates.
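To put a number on the "miles away" claim, here is a free-space link-budget calculation. This is an added worked example, not something from the original post; the transmit power, antenna gains, cable loss and receiver sensitivities are assumed, typical values for 2009-era 802.11b/g gear, and real links lose more than free space predicts (Fresnel zone obstruction, multipath, rain). The formula used is the standard free-space path loss, FSPL(dB) = 20 log10(d_km) + 20 log10(f_MHz) + 32.44.

```python
"""Free-space link budget for a consumer 802.11b/g access point.

Added example: all numbers below are assumed, typical values, not measurements.
"""
import math

# Assumed equipment (constructed values, not from the post).
AP_TX_DBM = 20.0            # 100 mW consumer AP
AP_ANT_DBI = 2.0            # stock omni antenna on the AP
LAPTOP_ANT_DBI = 2.0        # built-in client antenna
DISH_ANT_DBI = 24.0         # attacker's parabolic grid antenna
CHANNEL_6_MHZ = 2437.0      # 2.4 GHz channel 6
KM_PER_MILE = 1.609344

# Assumed receiver sensitivity per data rate (dBm): the weakest signal that
# still decodes at that rate. Lower rates survive weaker signals.
SENSITIVITY_DBM = {1: -94.0, 11: -88.0, 54: -72.0}


def miles_to_km(miles):
    return miles * KM_PER_MILE


def fspl_db(distance_km, freq_mhz):
    """Free-space path loss in dB for a distance in km at a frequency in MHz."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44


def received_dbm(distance_km, rx_ant_dbi, cable_loss_db=0.0,
                 tx_dbm=AP_TX_DBM, tx_ant_dbi=AP_ANT_DBI, freq_mhz=CHANNEL_6_MHZ):
    """Signal level at the receiver: EIRP minus path loss plus receive gain minus losses."""
    return (tx_dbm + tx_ant_dbi
            - fspl_db(distance_km, freq_mhz)
            + rx_ant_dbi - cable_loss_db)


def decodable_rates(rx_dbm):
    """Data rates (Mbit/s) whose sensitivity threshold the received level meets."""
    return sorted(rate for rate, sens in SENSITIVITY_DBM.items() if rx_dbm >= sens)


def max_range_km(rx_ant_dbi, rate_mbps, cable_loss_db=0.0,
                 tx_dbm=AP_TX_DBM, tx_ant_dbi=AP_ANT_DBI, freq_mhz=CHANNEL_6_MHZ):
    """Invert the link budget: farthest free-space distance at which `rate_mbps` still decodes."""
    max_loss = tx_dbm + tx_ant_dbi + rx_ant_dbi - cable_loss_db - SENSITIVITY_DBM[rate_mbps]
    return 10 ** ((max_loss - 20 * math.log10(freq_mhz) - 32.44) / 20)


if __name__ == "__main__":
    for label, km, ant, loss in [
        ("laptop in the parking lot (100 m)", 0.1, LAPTOP_ANT_DBI, 0.0),
        ("laptop 1 mile away", miles_to_km(1), LAPTOP_ANT_DBI, 0.0),
        ("24 dBi dish 25 miles away, 3 dB coax loss", miles_to_km(25), DISH_ANT_DBI, 3.0),
    ]:
        rx = received_dbm(km, ant, loss)
        print(f"{label}: {rx:6.1f} dBm, decodes at {decodable_rates(rx)} Mbit/s")
    d = max_range_km(DISH_ANT_DBI, 1, cable_loss_db=3.0)
    print(f"1 Mbit/s free-space limit with the dish: {d:.1f} km ({d / KM_PER_MILE:.1f} miles)")
```

Under these assumptions the dish still sees the AP's 1 Mbit/s frames at 25 miles with a few dB to spare, which is enough to sniff beacons and management traffic and to inject frames. The higher rates drop out much earlier, so an attacker that far away reads the network rather than uses it at full speed.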

Legal Liability

One of the unfortunate downsides to any open wireless Access Point is the potential for it to be abused for illegal and immoral activities. Community wireless networks need to be concerned about activities such as hacking attacks, virus/worm launching, SPAM, e-mail fraud, and illegal downloads (this includes child pornography, copyrighted materials like music and movies, and so on). Anytime you consider deploying an open AP, there are both legal and moral issues that need to be considered and addressed.
Most community wireless networks use Network Address Translation (NAT) as their gateway between the wireless network and the wired backbone. NAT is used to share the single IP address typically provided by the DSL or cable company. During an investigation, law enforcement will typically obtain logs from the victim's computer and attempt to trace the activity back to the suspect using the IP address as a starting point. By serving the ISP with a search warrant, the name and address of the individual owner of the Internet account can be obtained. Because of NAT, all of the traffic from the wireless network appears to come from a single IP address, providing a cloak of anonymity to the perpetrator. The illegal traffic appears to come from the IP address of the DSL/Cable modem, and so the innocent owner of the AP becomes the unknowing suspect of an investigation.
A variety of investigative techniques are used by law enforcement to avoid kicking in the door of the wrong "suspect," who is in reality a victim themselves. On the other hand, law enforcement is concerned about criminals who claim to be a victim simply because they are running an open Access Point. Good computer forensic work can usually provide evidence and help determine additional facts in a particular case. Serving a search warrant and arresting the wrong person is a nightmare scenario for law enforcement, since it creates unnecessary liability for the investigative agency and also puts agents in harm's way during the search. For example, what would happen if a search warrant was served and it resulted in a physical altercation or an unintentional discharge of side arms? Accidents can happen, and safety is always a concern for both citizens and members of law enforcement.

Defending the Neighborhood

Builders of community wireless networks are motivated by creating community resources and sharing bandwidth in safe and legal ways. As such, these builders (almost always volunteers) have no interest in seeing their hard work used as a safe harbor for criminal activities. Nobody wants the network used as a tool for illegal downloads or hacking activities. Therefore, it is very important to establish and maintain good relationships with the law enforcement community.
Building bridges with law enforcement agencies helps them to understand the mission of community wireless networks, and helps us to understand the needs of law enforcement during an investigation. If illegal activity occurs on a community wireless network, law enforcement should not need to kick in any doors. Rather, a simple phone call to the designated contact should yield a willing partner to assist in an investigation. To facilitate this kind of community partnership, we recommend the establishment of a "Wi-Fi Neighborhood Watch" program. Following the model of the traditional neighborhood watch program, established to protect the neighborhood from burglary and violent crime, the mission of a Wi-Fi Neighborhood Watch should be to keep the Internet safe and to send a clear message that your neighborhood is not a place to perpetrate Internet crimes. Community wireless networks are part of the public domain. As such, there is no expectation of privacy (no different than a community park or a public sidewalk).
To protect your network, there are a number of steps you can take. The first is to establish a captive portal. A captive portal is a mechanism whereby, when a client opens a Web browser, the portal redirects it to a specific Web page regardless of which page the browser initially requested. So, when the user opens a browser, instead of going to their start page, they are automatically redirected to a page where the network's Terms of Service (ToS) are displayed. Typically, at the bottom of the page is an OK or I Agree button, which the user must click before they can continue. Unless they agree to the terms of service, the user cannot reach any Internet resources. Once they click OK, they have acknowledged the ToS and access is granted. Keep a timestamped record of each acceptance and the client address it came from: that record is exactly what the designated contact will be asked for when law enforcement calls.
