Voice of VOIPSA

Over on the Best Practices mailing list, I have now issued a last call for comments on the structure of the document. The document structure question is outlined on the Development Process page in the VOIPSA wiki. Right now all signs point to a near-consensus on using proposal #2 to structure the document around functional areas… but I asked yesterday for any final comments.  Barring any last-minute cascade of outrage and desire for another structure, I’ll make the decision tomorrow morning and we’ll get down to work.  Comments can be left here on the blog, if you want, but the best place to probably route them is the mailing list.  Thanks.

At the IET Secure Mobile conference last week, Dr Philip Nobles from Cranfield University in the UK spoke about the subject of wireless LAN security.  He showed the output of a tool running on his laptop on a 40 mile train ride into London.  He had captured a large number of WLANs on the way, of which perhaps 60% were completely unsecured.  In addition, you could see that many were using factory default settings, for example SSIDs (LAN identifier) of ‘netgear’.  So all these sites can be compromised in terms of network sniffing, router hijhacking and theft of bandwidth.

Dr Nobles also spoke about WEP (Wired Equivalent Privacy), the first attempt to introduce encryption to WiFi networks.  I had known that WEP was compromised at least in an academic sense, but I was surprised that practical tools exist for breaking WEP in a very short time. “My router gave up its key in 3 minutes”, Nobles said of his own home router.

In view of this, here are a few ideas for securing your WLAN in the home or the office:

1. Use WPA encryption (WiFi Protected Access) if this is available on your router/client setup.  If not, use WEP in preference to leaving the router ‘open’.  Use keys (passphrases) that will not be easy to guess.

2. Most routers have an option to hide the SSID, i.e. not broadcast the name.  This means that the clients have to know the name explicitly.  This is is good idea to switch on, and makes you look much less interesting on the Netstumbler display.

3. Don’t use the default SSID, and it is better to use a name that will not be vulnerable to dictionary attack, and one that doesn’t hint at your physical location.

4. Similarly, set an admin password on your router, again one difficult to guess or get by dictionary attack.  For example, at one time I used “astro0cosmo0.”

5. Often you can block admin logon to the router from the Internet side, which is a good idea if you don’t need to remote manage it.

6. Some routers have the facility to “lock down” access to the router by only accepting connections from specific MAC addresses.  In my experience this can be inconvenient to manage (for example if a WiFi card is replaced, or if a friend comes to visit with his machine), but it does limit the options for attackers.

7. Similarly, with some routers you can assign IP addresses to specific MAC addresses, and use the firewall to block unknown IP clients.  As above, this can be inconvenient to manage, but it does limit access.

I am pleased to announce that the VOIPSA Best Practices project will be kicking off this week. As noted in the project description, the goal is to gather into one document the core set of “best common practices” that can be used to address the threats to VoIP that were outlined in the VoIP Security Threat Taxonomy project. I’m still making some changes to the wiki in advance of the formal project kickoff, but right now you can subscribe to the best practices email list if you would like to assist in the project. All are welcome, regardless of experience level. If you don’t want to join a mailing list, updates will be posted here on this blog from time to time.