Archive for January, 2008

Secure Wireless for Business

Thursday, January 31st, 2008

I was working with a client yesterday.  The IT guy that they employ had set up three access points around the office.  He’d created three SSIDs and three separate WEP keys.

So, not everyone out there knows everything about wireless.

He wanted a way to roll out WEP keys in a script - like a login script.  Never mind that the laptops won’t get the login script if they’re not associated to the network…

So, I bite: “Why do you need to roll out WEP keys with a script?” I then get the long and detailed description of a wireless network that’s an administrator’s nightmare.

So here we go kids: if you are running out of range, the solution is NOT a more “powerful” access point.  First off, if you’re buying your access points from Best Buy or Circuit City, please let me know so I can come by your office and steal all your information.  Second, the solution to wireless coverage is more access points - not repeaters, antennas, or more “powerful” access points.

If you have a building, you need to ensure that you have one access point for roughly every 1000 square feet.  Now, some may see that and think I’m crazy - wireless can reach 100 feet and that can cover 30,000 square feet!  Mind you, it probably can, in a warehouse with one laptop.  Two things here: wireless never ever goes as far as you think it does, and the point with wireless is that you want saturation.  This is because even the most robust access points can only support 10-12 devices at any one time.

Some may see that and still think I’m crazy.  The fact is this, 54 megabit-per-second 802.11g (with which we’re all familiar) runs at a 54 megabit signaling rate - NOT actual bandwidth.  802.11g provides roughly 22 megabits of actual network throughput.  Go ahead - try it yourself.  With 10 associated users, everyone gets about 2 meg, which is fine for Internet access, but network applications will die.

More access points not only provide a stronger, more saturated signal, but they have the added benefit of providing more bandwidth for users.  One 802.11g access point has 22 megs of available bandwidth, while two access points have 44 megs - twice as much bandwidth because you have twice as many access points!

The analogy is very simple: an access point is a switchport on a network switch.  Having one access point is like hanging an eight-port switch off of a wall jack - everyone on that small switch competes for the one switchport back at the equipment rack.  Not a good idea.  So say to your access points, “be fruitful - and multiply!”

Next, make sure that all of your access points have the same SSID!!!  Yes, this is a correct configuration and you can do it!  Wireless clients are designed to detect one SSID and multiple MAC addresses of a group of access points that all have the same SSID - so DO THIS!  Save yourself, and me, the headache.

Finally, here are pointers for securing your network - which you absolutely need to do or I will steal all your data:

1. Do NOT use MAC filters.  They provide a false sense of security and they’re a pain to administer.  Banish this technique from your mind.  I can - and have - connected to MAC filtered networks in under 20 seconds.  Cain & Abel, and etherchange - look them up.  You CAN change your MAC address on your wireless card with great ease - at that point, you have circumvented what some people use as their only line of defense.

2. WEP is crackable.  Easily crackable.  Don’t use it - you’re inviting attack if you do.  Simply don’t use it.  Get rid of devices that do not support higher-grade authentication, or if you must use older WEP-only devices, create a second SSID and tie it to a separate VLAN that is isolated on your network.  If you don’t know how to do this, CALL ME for a consultation: www.orbistechnology.com.

3. WPA is crackable.  It’s better than the above options, but if you’re a business - especially a hospital or a bank - you simply can’t rely on WPA or WPA2 - it’s not secure.

4. Get Elektron RADIUS from Periodik Labs.   Yes, it’s pricey but remember that you get what you pay for.  That $60 Linksys access point with WPA2 - you want to run your credit card over THAT connection?  Let me know when and where you’ll be - I’ll be sniffing your bank account and email in no time.  $750 is dirt cheap security.  It provides point-and-click configuration, dead simple administration, it works with Active Directory, yadda yadda.  Get it - it is the best wireless security solution bar none.
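As an added illustration, not from the post and not any vendor's product configuration, here is the layout the post recommends written as a hostapd-style access point configuration: one production SSID using WPA2 with 802.1X/EAP authentication against a RADIUS server (the role Elektron plays in the post), and, only where WEP-only devices really cannot be retired, a second SSID on the same radio bridged onto an isolated VLAN. The same ssid and security lines go on every access point in the building so clients roam between them; only the channel changes. The interface names, addresses, shared secret and WEP key are placeholders.

```ini
# Added example: hostapd-style AP configuration for the layout the post recommends.
# Interface names, addresses, the RADIUS secret and the WEP key are placeholders.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
# Every AP in the building advertises this same SSID; clients roam between them.
ssid=CorpWiFi

# Production network: WPA2 (AES/CCMP) with 802.1X/EAP. There is no pre-shared
# key to leak; each user authenticates to the RADIUS server with their own credentials.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=0
own_ip_addr=192.0.2.10
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET

# Only if WEP-only devices cannot be retired: a second SSID on the same radio,
# bridged to an isolated VLAN so those clients never reach the production LAN.
# (Recent hostapd builds omit WEP support unless compiled with CONFIG_WEP=y.)
bss=wlan0_1
ssid=Legacy-Isolated
bridge=br-vlan99
ap_isolate=1
wep_default_key=0
wep_key0="REPLACE13CHAR"
```

The bridge br-vlan99 still has to be tied to a VLAN that the switch keeps away from the rest of the network; that half of the isolation lives in the switch configuration, not in hostapd.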

Innovation from the developer side

Monday, January 21st, 2008

So, I’ve already fielded a half-dozen phone calls this morning configuring an IPSec VPN for one remote user.

One.

Five years ago, VPN was the greatest thing in the world, and I was happy to hammer on IKE configuration parameters all day, gleefully knowing I was providing a solution for my clients that no one else could.

Well, it’s 2008 now.  IPSec is a drag.  Even SSL VPN isn’t all that sexy anymore.  Let’s face it: web technology has allowed secure, authenticated and encrypted communications since the late ’90s.   Why I have to beat my h.a.t.w. (head against the wall) over IPSec at all seems draconian.

While there is still a need for site-to-site IPSec (namely, the ability to avoid telco low-monthly-extortion-fees for their “managed” VPN services) to interconnect physical site networks, VPN is a real bother for the teleworker.  Not only do I now have to ensure that the remote endpoint is secure (it never is) but that I keep the VPN client software updated (it never is) across *all* the teleworkers.   Oh, and I can no longer willy-nilly update my VPN concentrator firmware on schedule because some new “feature” will break half the old software VPN clients that are still reporting their version numbers in Roman numerals.

So, I aim this squarely at the development community: c’mon guys - learn just a little about TCP/IP, SSL, and code your application to not require 100MB chunks of data to traverse between client and server when someone resizes the client window.

Getting a remote client software to connect to the server “back end” should involve me pointing 443 on the firewall at HQ to the application server, and giving all the teleworkers the URL to the application, like “appserver1.company.com.”

Of course, that would mean optimizing transactions between client and server (which you should be doing anyway) and it means you’ll HAVE to learn something about infrastructure.

A few software companies get it.  Some coders actually realize that eventually someone will buy their software and use it in the real world - absent from the original development laboratory where it was hastily compiled on a machine running the database engine on which the entire application depends.

If you’re a coder - get with it.  Learn what a TCP port is, dig into the SSL stack (or just buy a plugin that provides SSL integration for your IDE) and make the rest of the world a better place.  Your client software should only need a URL (or IP address, give me that option).  After that, give me an application/database server with an integrated CA (look it up) and the ability to publish client certificates.  Now I can rest assured that only my clients will be able to establish communications with my server - and that all data transmissions are authenticated and encrypted.  No VPN, no IPSec, no VPN client, just pure administrative bliss.

Oh, and in the name of everything that’s good and holy, stop being lazy and figure out how to use integrated OS security and authentication.  Make the Herculean effort required to resist the temptation to build a username/password database into your application, thinking that your security somehow rivals that developed over millions-of-man-hours by a company with more money than most developing countries.  You think Microsoft is insecure?  Give me 30 seconds with your application and I’ll not only have your data tables, but I’ll have your personal SSN and credit card information.

Build me a set of Windows security groups that represent different parts of your application.  All I’ll have to do is link other groups I already have, or just populate the ones you give me.  That way, if I create a new account for our new accountant, Bob, I only do that ONCE, and he has network, email, wireless, AND rights to your application.  Also, make your data files easy to move and your database engine easy to install.  If you’re going to modify the schema in SQL, give me the script or build an installer that works - every - time.  Then, let it be as easy as moving an MDF file, reattaching to a new instance or new server, and starting the service.  Since your client is coded to only need a URL (Riiiiiiiiiiiiight?!) I can name my server whatever I want and give it what IP address I want.  I can even put it behind a DMZ (where it belongs) because your application only needs that ONE, SSL-protected port to get data.  Riiiiiiiiiiiiight?!
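The server side of what the post asks for, as an added example that is not part of the original post and not any product's code: an application server that listens on one TLS port, runs its own in-process CA, issues a server certificate for appserver1.company.com and a client certificate for the user "bob", and completes the handshake only for clients whose certificate chains to that CA. The CA name, the serial numbers and the use of Go's httptest server on loopback are assumptions made for the example; the Windows-group authorization the post also asks for is outside its scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue generates a P-256 key and a one-year certificate for cn; with parent nil it is a self-signed CA.
func issue(cn string, serial int64, usage x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	if usage == x509.ExtKeyUsageServerAuth { // name the server; httptest listens on loopback
		tmpl.DNSNames, tmpl.IPAddresses = []string{cn}, []net.IP{net.ParseIP("127.0.0.1")}
	}
	signer := parentKey
	if parent == nil { // the CA signs its own certificate
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewLab builds the CA, issues a server certificate for appserver1.company.com and a client
// certificate for "bob", starts a server that accepts only clients certified by that CA, and
// returns the server together with a client TLS config that trusts the CA and carries bob's cert.
func NewLab() (*httptest.Server, *tls.Config, error) {
	caCert, caKey, err := issue("Company Internal CA", 1, 0, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	srvCert, srvKey, err := issue("appserver1.company.com", 2, x509.ExtKeyUsageServerAuth, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	cliCert, cliKey, err := issue("bob", 3, x509.ExtKeyUsageClientAuth, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	// The handler never sees an unauthenticated request: the identity is the certificate the TLS layer already verified.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello, %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no certificate from our CA, no connection
		ClientCAs:    pool,
	}
	srv.StartTLS()
	return srv, &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}}, nil
}

// Get fetches / from srv using cfg; a client the server rejects gets an error back.
func Get(srv *httptest.Server, cfg *tls.Config) (string, error) {
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	srv, cfg, err := NewLab()
	if err != nil {
		panic(err)
	}
	defer srv.Close()
	anon := cfg.Clone()
	anon.Certificates = nil // same trust store, but no client certificate
	fmt.Println(Get(srv, cfg))  // hello, bob <nil>
	fmt.Println(Get(srv, anon)) // "" and a TLS rejection error
}
```

The point to notice is where the rejection happens: a client without a certificate from the company CA is turned away by the TLS layer before any application code runs, so the only firewall rule needed is the one port the post describes. In a real deployment the CA key would live offline or in an HSM and certificates would be issued per user or per device; the in-process CA here exists only so the example runs on its own.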

Hate reading? Watch TV instead

Monday, January 21st, 2008

Or in this case, a set of screencasts online at http://www.netometer.com.

On their website is a collection of videos covering Exchange, NT server through 2003, Active Directory, and other complicated tasks that are often easy to understand when you watch what’s going on, rather than read a step-by-step guide that inevitably omits or duplicates a step.

thinstall

Monday, January 21st, 2008

Another “holy grail” product - deploy applications to heterogeneous desktops without installation.  Sandbox multiple versions of software on the same machine.  Publish application patches/updates with ease.  Run web browsers in isolated space that prevents any changes or modifications to the system.

http://www.thinstall.com

Microsoft Transition Pack

Monday, January 21st, 2008

If you have a Microsoft Small Business Server and want to move to the full version of Windows, SQL, and Exchange, I recommend you first go to http://www.sbsmigration.com and learn about Swing Migrations.

I really discourage the Microsoft Transition Pack process, however, you should PURCHASE the Microsoft Transition Pack Licenses.  Why?  The license costs for the full version of Windows Server 2003, SQL 2000, and Exchange plus FULL CALs will exceed the cost of the Transition Pack and associated Transition Pack CALs.  Trust me, I’ve been around this block at least a dozen times since the first of the year.

However, I would not RUN the Transition Pack upgrade process - purchase and download the SBS Swing Migration documentation kit and use your new full-media CDs (that you need to order with the Transition Pack licenses) and “swing” your SBS system to a brand new box with a clean load of the full versions of Server 2003, SQL, and Exchange.

Learn DNS

Monday, January 21st, 2008

If DNS is a mystery to you, find answers to questions here.

The File Server Migration Toolkit - and nested shares

Monday, January 21st, 2008

If you haven’t ever used the File Server Migration Toolkit (FSMT) from Microsoft, you can download it for FREE here.

Once you use it, you will find yourself rather infuriated with the fact that FSMT attempts to think for you, and changes the UNC paths for nested shares.  @#$%!

Relax - here’s the fix.

Sniff-em software

Monday, January 21st, 2008

I’ve used two free utilities from Sniff-em software - Harden-IT and Secure-IT.

Both utilities are well documented but are for advanced users only.  If you need help with these programs, contact me.

GRC.com perfect passwords

Monday, January 21st, 2008

Gibson Research Corporation is the business face to Steve Gibson and his relentless research efforts.  While I find Steve a hugely positive force in the IT industry, he can be somewhat verbose and doting for my tastes.  To the rest of you who love him: don’t hate me!

I use GRC’s “perfect passwords” for VPN and WPA2 keys.  The password generator page is hard to find on grc.com, so I provide this link https://www.grc.com/passwords.htm.
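For readers who would rather generate such keys themselves, here is an added example (not from the post and not GRC's generator) that produces a WPA2 passphrase of the maximum 63 printable-ASCII characters from the operating system's cryptographic random source. The function names are the example's own; the constraints it enforces (8 to 63 characters, each in the printable range 0x20 to 0x7E) are the WPA2 passphrase rules.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// A WPA2 pre-shared key is 8 to 63 printable ASCII characters (0x20 to 0x7E).
const (
	minPSKLen      = 8
	maxPSKLen      = 63
	firstPrintable = 0x20
	alphabetSize   = 0x7E - 0x20 + 1 // 95 distinct characters
)

// Passphrase draws n characters uniformly from printable ASCII using the
// operating system's CSPRNG. Random bytes of 190 or more are discarded instead
// of being reduced modulo 95, so no character is favoured (no modulo bias).
func Passphrase(n int) (string, error) {
	if n < minPSKLen || n > maxPSKLen {
		return "", errors.New("WPA2 passphrase must be 8 to 63 characters")
	}
	const limit = 256 - 256%alphabetSize // 190, the largest multiple of 95 that fits in a byte
	out := make([]byte, 0, n)
	buf := make([]byte, 1)
	for len(out) < n {
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		if int(buf[0]) >= limit {
			continue // reject and redraw
		}
		out = append(out, firstPrintable+buf[0]%alphabetSize)
	}
	return string(out), nil
}

// IsValidPSK reports whether s could be configured as a WPA2 passphrase.
func IsValidPSK(s string) bool {
	if len(s) < minPSKLen || len(s) > maxPSKLen {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] < firstPrintable || s[i] > 0x7E {
			return false
		}
	}
	return true
}

// EntropyBits is the strength of an n-character passphrase drawn this way: n*log2(95).
func EntropyBits(n int) float64 { return float64(n) * math.Log2(alphabetSize) }

func main() {
	psk, err := Passphrase(maxPSKLen)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n%d characters, about %.0f bits of entropy\n", psk, len(psk), EntropyBits(len(psk)))
}
```

A 63-character key of this kind carries roughly 414 bits of entropy, far beyond what a dictionary or brute-force attack on the WPA2 handshake can reach; the weak point in practice is where the key is stored and shared, not the key itself.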

By the way, if you do NOT currently own a copy of SpinRite 6, swallow the $89 and BUY IT.  It is truly indispensable for anyone who has a computer.

Oldversion.com

Monday, January 21st, 2008

As the site says “because newer is not always better.”  Sure, sometimes programs need security fixes, but for the most part I prefer good-old Winamp 2.95 over 5.X.

http://www.oldversion.com